1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 14:55:37 +03:00
Commit Graph

51125 Commits

Author SHA1 Message Date
Lennart Poettering
71b5738030 man: update nss-systemd documentation with new features 2021-05-10 14:58:44 +02:00
Lennart Poettering
8fbb1941f1 userdbd: also listen on a varlink socket io.systemd.DropIn
Let's explicitly support looking things up via dropin as a varlink
service.
2021-05-10 14:58:39 +02:00
Lennart Poettering
85f088abe8 userdb: optionally read user/group/membership "dropins", too 2021-05-10 14:58:07 +02:00
Zbigniew Jędrzejewski-Szmek
2d0b71b6f6
Merge pull request #19542 from yuwata/unit-after-socket
network, timesync, resolve: check bus is ready before emitting property change or signal
2021-05-10 14:44:15 +02:00
Zbigniew Jędrzejewski-Szmek
8808d3289e
Merge pull request #19556 from lucasrangit/network-wifi-interface-type-typos
network: update documentation and examples to use correct interface type and lookup command
2021-05-10 13:55:07 +02:00
Lucas Magasweran
2480ca95ba man: network: use networkctl list instead of status to list network interface type
To determine the network interface type for use in the `Type=` directive, it is more concise to use the `list` command. Whereas, the `status` command requires an interface parameter.

For example, on a RaspberryPi 4 the following shows that the `wlan0` interface type `wlan` is more coveniently listed by the `list` command.

```
root@raspberrypi4-64:~# networkctl list
IDX LINK  TYPE     OPERATIONAL SETUP
  1 lo    loopback carrier     unmanaged
  2 eth0  ether    routable    configured
  3 wlan0 wlan     off         unmanaged

3 links listed.
```

Whereas the `networkctl status` command doesn't include this information.

```
root@raspberrypi4-64:~# networkctl status
●   State: routable
  Address: 192.168.1.141 on eth0
           fd8b:8779:b7a4::f43 on eth0
           fd8b:8779:b7a4:0:dea6:32ff:febe:d1ce on eth0
           fe80::dea6:32ff:febe:d1ce on eth0
  Gateway: 192.168.1.1 (CZ.NIC, z.s.p.o.) on eth0
      DNS: 192.168.1.1

May 07 14:17:18 raspberrypi4-64 systemd-networkd[212]: eth0: Gained carrier
May 07 14:17:19 raspberrypi4-64 systemd-networkd[212]: eth0: Gained IPv6LL
May 07 14:17:19 raspberrypi4-64 systemd-networkd[212]: eth0: DHCPv6 address fd8b:8779:b7a4::f43/128 timeout preferred -1 valid -1
May 07 14:17:21 raspberrypi4-64 systemd-networkd[212]: eth0: DHCPv4 address 192.168.1.141/24 via 192.168.1.1
```

To get the interface type using the `status` command you need to specify an additional argument.

```
root@raspberrypi4-64:~# networkctl status wlan0
● 3: wlan0
                     Link File: /lib/systemd/network/99-default.link
                  Network File: n/a
                          Type: wlan
                         State: off (unmanaged)
                          Path: platform-fe300000.mmcnr
                        Driver: brcmfmac
                    HW Address: dc:a6:32:be:d1:cf (Raspberry Pi Trading Ltd)
                           MTU: 1500 (min: 68, max: 1500)
                         QDisc: noop
  IPv6 Address Generation Mode: eui64
          Queue Length (Tx/Rx): 1/1
```
2021-05-10 13:40:33 +02:00
Roman Beranek
ee3713b71d resolve: remove RRs from zones before an update
During an update of RRs, the records of each DNS-SD service are
replaced with new ones. However the old RRs can only be removed from
the mDNS scopes as long as they remain accessible from the DnssdService
structures, otherwise they remain stuck there.

Therefore the removal must take place before the update.
2021-05-10 12:29:48 +02:00
Samuel BF
c362a432af Wider range of options for selecting entries for systemd-journal-gatewayd
Introducing --user, --system, --merge and --file flags, like for journalctl
and systemd-journal-upload.
2021-05-10 12:20:27 +02:00
Lucas Magasweran
b419e8776b network: examples: use wlan for Type instead of wifi 2021-05-10 11:28:52 +02:00
Harsh Barsaiyan
2c324dd161 hwdb: Add Asus TP550LA 2021-05-10 11:25:15 +02:00
Dimitri John Ledkov
67f7244928
Merge pull request #19436 from xnox/sbat
boot: add optional EFI SBAT support
2021-05-10 09:30:16 +01:00
Lennart Poettering
2baec39665
Merge pull request #19545 from poettering/nss-systemd-shadow
nss-systemd: also expose shadow/gshadow entries from userdb records
2021-05-10 09:46:49 +02:00
Luca Boccassi
63225fe159
Merge pull request #19298 from bluca/cryptsetup_nopass
cryptsetup: add 'headless' parameter to skip password/pin query, allow pin-less enroll on FIDO2, support user presence/verification flags
2021-05-09 13:49:55 +01:00
Luca Boccassi
84b5f40821
Merge pull request #19552 from yuwata/fix-typo-and-coverty-issues
Fix typo and coverity issues
2021-05-09 13:36:17 +01:00
Yu Watanabe
19cc6d5e54 tree-wide: fix typo 2021-05-09 14:36:19 +09:00
Yu Watanabe
6ac6549251 userdb: shorten code a bit
Hopefully fixes CID#1452937.
2021-05-09 14:34:23 +09:00
Yu Watanabe
fedd793cea test: add one more assertion to make Coverty happy
Fixes CID#1452934.
2021-05-09 14:33:59 +09:00
Jörg Deckert
dd568427fb
networkd: correct batman-adv setting name (GatewayBandwidth) (#19539)
Co-authored-by: Jörg Deckert <jdeckert@unitas-network.de>
2021-05-08 14:39:32 +02:00
Lennart Poettering
f43a19ecd6 nss-systemd: synthesize NSS shadow/gshadow records from userdb, as well
This ensures we not only synthesize regular paswd/group records of
userdb records, but shadow records as well. This should make sure that
userdb can be used as comprehensive superset of the classic
passwd/group/shadow/gshadow functionality.
2021-05-08 14:35:28 +02:00
Lennart Poettering
09001dbdc8 nss-systemd: set USERDB_SUPPRESS_SHADOW flag when looking up user records
Setting the flags means we won#t try to read the data from /etc/shadow
when reading a user record, thus slightly making conversion quicker and
reducing the chance of generating MAC faults, because we needlessly
access a privileged resource. Previously, passing the flag didn't
matter, when converting our JSON records to NSS since the flag only had
an effect on whether to use NSS getspnam() and related calls or not. But
given that we turn off NSS anyway as backend for this conversion (since
we want to avoid NSS loops, where we turn NSS data to our JSON user
records, and then to NSS forever and ever) it was unnecessary to pass
it.

This changed in one of the previous commits however, where we added
support for reading user definitions from drop-in files, with separate
drop-in files for the shadow data.
2021-05-08 14:25:24 +02:00
Yu Watanabe
3d56acef7f string-util: explicitly cast character to unsigned
This also adds comment why we cast to unsigned.

Follow-up for 7971f9030a.

Addresses the comment https://github.com/systemd/systemd/pull/19544#discussion_r628472794.
2021-05-08 14:24:51 +02:00
Yegor Alexeyev
11c38d3e51 rfc3046 implementation 2021-05-08 15:59:29 +09:00
Yu Watanabe
b8d6689a7f resolve: check that bus is ready before emitting signal or property change 2021-05-08 15:12:31 +09:00
Yu Watanabe
933e95d716 timesync: check that bus is ready before emitting property change 2021-05-08 15:12:31 +09:00
Yu Watanabe
706875f165 network: check that bus is ready at one more place 2021-05-08 15:12:31 +09:00
Yu Watanabe
098d42b67e local-addresses: wrap long comment
Follow-up for 54e6f97bc9.
2021-05-08 15:12:19 +09:00
Lennart Poettering
ebf940e1e9
Merge pull request #19438 from poettering/nspawn-uidmap
nspawn: add support for kernel 5.12 ID mapping mounts
2021-05-08 00:12:20 +02:00
Lennart Poettering
d799bd47d8
Merge pull request #19538 from poettering/userdbd-simplify-nss-listing
userdbd: refactoring to simplify NSS user listing
2021-05-08 00:12:01 +02:00
Lennart Poettering
31892e8d40 update TODO 2021-05-07 22:44:39 +02:00
Lennart Poettering
ac31f59680 bash: update shell completion for new nspawn option 2021-05-07 22:44:35 +02:00
Lennart Poettering
22326f15a6 man: document new nspawn ID mapping mounts features 2021-05-07 22:44:17 +02:00
Lennart Poettering
f61c7f88d0 nspawn: introduce --private-users-ownership=map|auto
This adds a two new values to --private-users-ownership=: "map" and
"auto".

"map" exposes the kernel 5.12 idmap feature pretty much 1:1. It fails if
the kernel or used file system doesn't support ID mapping.

"auto" is a bit smarter: if we can make ID mapping work, we'll use it,
otherwise revert back to classic chown()ing. We'll also use chown()ing
if we detect that an image is already ID shifted, both to increase
compatibility with the status quo ante, and to simplify our codepaths,
since the mappings become a lot simpler if we only have to map from zero
to something else, instead of from anything to anything else.

The short -U switch, and --private-users=pick will now imply
--private-users-ownership=auto instead of
--private-users-ownership=chown, since the new logic should be the much
better choice.
2021-05-07 22:44:13 +02:00
Lennart Poettering
993da6d461 nspawn: drop an unnecessary local variable 2021-05-07 22:44:10 +02:00
Lennart Poettering
21b61b1dd2 dissect-image: add support for optionally mounting images with idmapping on 2021-05-07 22:44:05 +02:00
Lennart Poettering
35fd355842 mount-util: add a helper that can add an idmap to an existing mount
This makes use of the new kernel 5.12 APIs to add an idmap to a mount
point. It does so by cloning the mountpoint, changing it, and then
unmounting the old mountpoint, replacing it later with the new one.
2021-05-07 22:43:52 +02:00
Lennart Poettering
58e13de539 nspawn: tighten userns UID shift/range checks
Let's add a helper that ensures the UID shift/range parameters actually
fit together.
2021-05-07 22:43:48 +02:00
Lennart Poettering
5f9687363a process-util: add option for cloning with CLONE_NEWUSER
This is useful for allocating a userns fd later on for use in idmapped
mounts.
2021-05-07 22:43:42 +02:00
Lennart Poettering
14a25e1fae mount-util: add helper that ensures something is a mount point 2021-05-07 22:43:29 +02:00
Lennart Poettering
6c045a9998 nspawn: replace boolean --private-user-chown by enum
This replaces --private-user-chown by an enum value
--private-user-ownership=off|chown. Changes otherwise very little.

This is mostly preparation for a follow-up commit adding a new "map"
mode, using kernel 5.12 UID mapping mounts.

Note that this does alter codeflow a bit: the new enum already knows
three different values instead of the old true/false pair. Besides "off"
and "chown" it knows -EINVAL, i.e. whenever the value wsn't set
explicitly. This value is changed to "off" or "chown" before use, thus
retaining compat to the status quo before, except it won't override
explicit configuration anymore. Thus, if you explicitly request
--private-user=pick you can now combine it wiht an explicit
--private-user-ownership=off if you like, which will give you a
container that runs under its own UID set, but the files will be owned
by the original image. Makes not much sense besids maybe debugging, but
if requested explicitly I think it's OK to implement.
2021-05-07 22:43:25 +02:00
Lennart Poettering
33eac552ab nspawn: add high-level option for identity userns mapping
userns identity 1:1 mapping is a pretty useful concept since it isolates
capability sets between containers and hosts, even if it doesn't map
any uid ranges. Let's support it with an explicit concept.

(Note that this is identical to --private-users=0:65536 (which in turn
is identical to --private-users=0), but I think it makes to emphasize
this concept as a high-level one that makes sense to support.)
2021-05-07 22:43:05 +02:00
Luca Boccassi
8f214355c6 FIDO2: if defined, check for FIDO_ERR_UV_BLOCKED
Newer libfido versions added this error, so check for it since it
can help the user with a more specific message
2021-05-07 21:36:27 +01:00
Luca Boccassi
896cc0da98 FIDO2: ask and record whether user verification was used to lock the volume
Some tokens support authorization via fingerprint or other biometric
ID. Add support for "user verification" to cryptenroll and cryptsetup.
Disable by default, as it is still quite uncommon.
2021-05-07 21:36:27 +01:00
Luca Boccassi
06f087192d FIDO2: ask and record whether user presence was used to lock the volume
In some cases user presence might not be required to get _a_
secret out of a FIDO2 device, but it might be required to
the get actual secret that was used to lock the volume.
Record whether we used it in the LUKS header JSON metadata.
Let the cryptenroll user ask for the feature, but bail out if it is
required by the token and the user disabled it.
Enabled by default.
2021-05-07 21:36:27 +01:00
Luca Boccassi
cde2f8605e FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246

Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
2021-05-07 21:36:27 +01:00
Luca Boccassi
cd5f57bda7 cryptsetup: add 'headless' parameter to skip password/pin query
On headless setups, in case other methods fail, asking for a password/pin
is not useful as there are no users on the terminal, and generates
unwanted noise. Add a parameter to /etc/crypttab to skip it.
2021-05-07 21:36:27 +01:00
Lennart Poettering
134ff8f4d1 userdbd: simplify logic for generating NSS listings
So far we basically had two ways to iterate through NSS records: one via
the varlink IPC and one via the userdb.[ch] infra, with slightly
different implementations.

Let's clean this up, and always use userdb.[ch] also when resolving via
userdbd. The different codepaths for the NameServiceSwitch and the
Multiplexer varlink service now differ only in the different flags
passed to the userdb lookup.

Behaviour shouldn't change by this. This is mostly refactoring, reducing
redundant codepaths.
2021-05-07 22:19:41 +02:00
Lennart Poettering
b214825433 userdb: add new flag for excluding varlink data in lookups
This is useful to later-on use the userdb infra for only some sources.
2021-05-07 22:19:37 +02:00
Lennart Poettering
80d88a8267 userdb: rename userdb lookup flags a bit
Let's use "exclude" for flags that really exclude records from our
lookup. Let's use "avoid" referring to concepts that when flag is set
we'll not use but we have a fallback path for that should yield the same
result. Let' use "suppress" for suppressing partial info, even if we
return the record otherwise.

So far we used "avoid" for all these cases, which was confusing.

Whiel we are at it, let's reassign the bits a bit, leaving some space
for bits follow-up commits are going to add.
2021-05-07 22:19:07 +02:00
Marco Antonio Mauro
0cd70d43a3
Added Teclast X4 ACCEL_MOUNT_MATRIX (#19540) 2021-05-07 22:17:25 +02:00
Yu Watanabe
7971f9030a string-util: fix build error on aarch64
This fixes the following error:
```
In file included from ../src/basic/af-list.h:6,
                 from ../src/basic/af-list.c:7:
../src/basic/string-util.h: In function 'char_is_cc':
../src/basic/string-util.h:133:19: error: comparison is always true due to limited range of data type [-Werror=type-limits]
  133 |         return (p >= 0 && p < ' ') || p == 127;
      |                   ^~
cc1: all warnings being treated as errors
```

Fixes #19543.
2021-05-07 21:55:55 +02:00