1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-26 03:22:00 +03:00
Commit Graph

29622 Commits

Author SHA1 Message Date
Alan Jenkins
858beb391b units/console-getty.service: comment reason for ConditionPathExists
Currently we have 4 getty services.  1 has a BindsTo dependency on a
device unit.  3 have ConditionPathExists, but the reason is different in
every single one.

* Add comment to console-getty@.service (see commit 1b41981d)
* getty@.service is already commented
* container-getty.service is not strictly correct, as I realized while
  trying to compose a comment.  Reported as #6584.
2017-08-09 18:51:46 +01:00
Alan Jenkins
8522ee7975 man/systemd-getty-generator fix/update
* Containers don't use serial-getty@console.service,
  they use console-getty.service instead, and suppress
  scanning for kernel or virtualizer consoles.

* Nowadays gettys are started on *all* configured kernel consoles.

* except for the line printer console, because that's not a tty.
  (Seriously.  Search CONFIG_LP_CONSOLE).
2017-08-09 15:53:55 +01:00
Alan Jenkins
54194afb99 getty-generator: shift relevant comment to above tty_is_vc()
Comments typically go immediately above the code to implement the
described behaviour.  Putting it below confused me for a moment.
2017-08-07 17:23:41 +01:00
Benjamin Robin
c23c34bcba build-sys: Fix Makefile wrapper for install target (#6548) 2017-08-07 11:29:20 +02:00
Jouke Witteveen
15d167f8a3 core: propagate reload from RELOADING=1 notification (#6550) 2017-08-07 11:27:24 +02:00
Evgeny Vereshchagin
ca992ecf07 tests: use ninja-build if ninja is not available (#6544)
This makes the tests work on CentOS, which currently has ninja-build
only.
2017-08-07 11:06:07 +02:00
Yu Watanabe
2d35b79cdc man: DynamicUser= does not imply PrivateDevices= (#6510)
Follow-up for effbd6d2ea.
2017-08-07 11:02:47 +02:00
Lennart Poettering
b5338ddcfd Merge pull request #6549 from yuwata/pedantic-checks
journal-remote: remove MHD_USE_PEDANTIC_CHECKS from the default flags
2017-08-07 10:52:27 +02:00
Yu Watanabe
e2e8683e6b microhttpd-util: add comment 2017-08-07 10:35:05 +09:00
Zbigniew Jędrzejewski-Szmek
5f346ee7fc Merge pull request #6536 from yuwata/fix-warning
Core: cleanups
2017-08-06 16:19:49 -04:00
Yu Watanabe
837df14040 core: do not ignore returned values 2017-08-06 23:34:55 +09:00
Yu Watanabe
a77e00a5dc journal-remote: remove MHD_USE_PEDANTIC_CHECKS from the default flags
Follow-up for 0105858734.
2017-08-06 23:26:46 +09:00
Luca Bruno
28dd66ecfc core: evaluate presets after generators have run (#6526)
This commit moves the first-boot system preset-settings evaluation out
of main and into the manager startup logic itself. Notably, it reverses
the order between generators and presets evaluation, so that any changes
performed by first-boot generators are taken into the account by presets
logic.

After this change, units created by a generator can be enabled as part
of a preset.
2017-08-06 09:24:24 -04:00
Yu Watanabe
70d54d9072 core: replace strcmp() == 0 with streq() 2017-08-06 13:08:40 +09:00
Yu Watanabe
e940c1ef1d core: fix typo 2017-08-06 13:08:37 +09:00
Yu Watanabe
ecfbc84f1c core: define variables only when they are required
Follow-up for 7f18ef0a55.
2017-08-06 13:08:34 +09:00
Yu Watanabe
21771f338d bus-util: do not print (uint64_t) -1 as is (#6522)
Closes #4295 and #6511.
2017-08-05 20:37:25 -04:00
Alan Jenkins
ecaa5ad89f test-condition: fix test_condition_test_group() (#6531)
I hit a test failure with the `max_gid+1` test.  Problem is that we loop
over 0..r, but set `r` again within the loop (to 1).  So max_gid is only
set based on the first supplementary GID.

ConditionGroup=1000 → 1
ConditionGroup=4 → 1
ConditionGroup=adm → 1
ConditionGroup=1001 → 1
Assertion 'r == 0' failed at ../src/test/test-condition.c:462, function
test_condition_test_group(). Aborting.

$ id
uid=1000(alan-sysop) gid=1000(alan-sysop) groups=1000(alan-sysop),4(adm),
10(wheel),1001(sshlogin)
2017-08-05 19:25:19 -04:00
dkg
d7cefe8b2b man: document socket requirement for systemd-socket-proxyd (#6535)
Without this requirement, if proxy-to-nginx.socket was down, and the sysadmin
were to do:

    systemctl start proxy-to-nginx.service

then the service would come up without a configured socket, which doesn't make
sense.  Normally this isn't how we expect a socket-activated service to start,
but it's possible for an admin to do this (if the .socket were already running,
the systemd-socket-proxyd process will start effectively idle).  But the
.service shouldn't end up in a broken state if the .socket isn't already
listening.

Adding the explicit Requires: should ensure that an admin with this
configuration state can't accidentally break their system.
2017-08-05 19:19:09 -04:00
Mike Gilbert
8f968c7321 Revert "README: document that gperf 3.1 is required for building now" (#6541)
This reverts commit 4f5e972279.

Building with gperf 3.0 works just fine; we had an autoconf check to
determine the correct data types, and this check was ported to meson.
2017-08-05 18:30:37 -04:00
Martin Pitt
054ee249a2 test: Factorize common integration test functions (#6540)
All test/TEST* but TEST-02-CRYPTSETUP share the same check_result_qemu()
and test_cleanup(), so move them into test_functions and only override
them in TEST-02-CRYPTSETUP.

Also provide a common test_run() which by default assumes that both QEMU
and nspawn tests are run. Particular tests which don't support either
need to explicitly opt out by setting $TEST_NO_{QEMU,NSPAWN}. Do it this
way around to avoid accidentally forgetting to opt in, and to encourage
test authors to at least always support nspawn.
2017-08-04 15:34:14 +03:00
Evgeny Vereshchagin
a93e2f65eb Merge pull request #6518 from joukewitteveen/process-rename
process-util: update the end pointer of the process name on rename
2017-08-04 14:54:47 +03:00
Jouke Witteveen
049c884a3b test-process-util: test multiple invocations of rename_process 2017-08-04 11:25:57 +02:00
Jouke Witteveen
01f989c662 process-util: update the end pointer of the process name on rename (#6492)
We only updated the end pointer when allocating new memory, i.e. on the first
call to rename_process.
2017-08-04 11:25:49 +02:00
Jakub Wilk
785889e56d man: fix typos (#6532) 2017-08-03 17:36:21 -04:00
Yu Watanabe
ad6fc5bbae meson: fix modprobedir (#6523)
Follow-up for 582faeb461.
2017-08-03 08:01:38 -04:00
Lennart Poettering
0d44940773 Revert "units: set ConditionVirtualization=!private-users on journald audit socket" (#6513)
* Revert "modprobe.d: ship drop-in to set bonding max_bonds to 0 (#6448)"

This reverts commit 582faeb461.

* Revert "units: set ConditionVirtualization=!private-users on journald audit socket (#6508)"

This reverts commit d2a1ba103b.
2017-08-02 16:39:54 +02:00
Dimitri John Ledkov
582faeb461 modprobe.d: ship drop-in to set bonding max_bonds to 0 (#6448)
This allows networkd to correctly manage bond0 using networkd, when requested
by the user.

Fixes #5971 #6184
2017-08-02 08:41:18 -04:00
Dimitri John Ledkov
d2a1ba103b units: set ConditionVirtualization=!private-users on journald audit socket (#6508)
It fails to start in an unprivileged container as audit is not namespace aware.
2017-08-02 10:15:26 +02:00
Jan Synacek
ebc6f34a0b scsi_id: add missing options to getopt_long() (#6501) 2017-08-02 10:12:33 +02:00
Susant Sahani
2959fb07cb networkd: add scope to address section (#6449)
This work allows to configure address Scope to

host | link | global or a number.

Closes #6446
2017-08-01 09:44:08 +02:00
Lennart Poettering
f19ca6105e Merge pull request #6420 from keszybz/gateway-name
Rename "gateway" to "_gateway" and other resolved changes
2017-08-01 09:43:41 +02:00
Fabio Kung
7f18ef0a55 core: check which MACs to use before a new mount ns is created (#6498)
/sys is not guaranteed to exist when a new mount namespace is created.
It is only mounted under conditions specified by
`namespace_info_mount_apivfs`.

Checking if the three available MAC LSMs are enabled requires a sysfs
mounted at /sys, so the checks are moved to before a new mount ns is
created.
2017-08-01 09:15:18 +02:00
Zbigniew Jędrzejewski-Szmek
d5da77077d resolved: add debug message about stub listener 2017-07-31 14:42:10 -04:00
Zbigniew Jędrzejewski-Szmek
5248e7e1f1 resolved,nss-myhostname: use _gateway for the gateway
This changes the symbolic name for the default gateway from "gateway" to
"_gateway". A new configuration option -Dcompat-gateway-hostname=true|false
is added. If it is set, the old name is also supported, but the new name
is used as the canonical name in either case. This is intended as a temporary
measure to make the transition easier, and the option should be removed
after a few releases, at which point only the new name will be used.

The old "gateway" name mostly works OK, but hasn't gained widespread acceptance
because of the following (potential) conflicts:
- it is completely legal to have a host called "gateway"
- there is no guarantee that "gateway" will not be registered as a TLD, even
  though this currently seems unlikely. (Even then, there would be no
  conflict except for the case when the top-level domain itself was being resolved.
  The "gateway" or "_gateway" labels have only special meaning when the
  whole name consists of a single label, so resolution of any subdomain
  of the hypothetical gateway. TLD would still work OK. )
Moving to "_gateway" avoids those issues because underscores are not allowed
in host names (RFC 1123, §2.1) and avoids potential conflicts with local or
global names.

v2:
- simplify the logic to hardcode "_gateway" and allow
  -Dcompat-gateway-hostname=true as a temporary measure.
2017-07-31 14:41:56 -04:00
Lennart Poettering
6b43d079a2 Merge pull request #6392 from poettering/journal-cache
add limited metadata caching to journald and other journal improvements
2017-07-31 20:01:05 +02:00
Lennart Poettering
22e3a02b9d journald: add minimal client metadata caching
Cache client metadata, in order to be improve runtime behaviour under
pressure.

This is inspired by @vcaputo's work, specifically:

https://github.com/systemd/systemd/pull/2280

That code implements related but different semantics.

For a longer explanation what this change implements please have a look
at the long source comment this patch adds to journald-context.c.

After this commit:

        # time bash -c 'dd bs=$((1024*1024)) count=$((1*1024)) if=/dev/urandom | systemd-cat'
        1024+0 records in
        1024+0 records out
        1073741824 bytes (1.1 GB, 1.0 GiB) copied, 11.2783 s, 95.2 MB/s

        real	0m11.283s
        user	0m0.007s
        sys	0m6.216s

Before this commit:

        # time bash -c 'dd bs=$((1024*1024)) count=$((1*1024)) if=/dev/urandom | systemd-cat'
        1024+0 records in
        1024+0 records out
        1073741824 bytes (1.1 GB, 1.0 GiB) copied, 52.0788 s, 20.6 MB/s

        real	0m52.099s
        user	0m0.014s
        sys	0m7.170s

As side effect, this corrects the journal's rate limiter feature: we now
always use the unit name as key for the ratelimiter.
2017-07-31 18:21:21 +02:00
Lennart Poettering
47b33c7d52 string-util: optimize strshorten() a bit
There's no reason to determine the full length of the string, it's
sufficient to know whether it is larger than the intended size...
2017-07-31 18:20:28 +02:00
Lennart Poettering
c165d97d16 alloc-util: add new helpers memdup_suffix0() and newdup_suffix0()
These are similar to memdup() and newdup(), but reserve one extra NUL
byte at the end of the new allocation and initialize it. It's useful
when copying out data from fixed size character arrays where NUL
termination can't be assumed.
2017-07-31 18:20:28 +02:00
Lennart Poettering
7bf7ce28b5 string-util: add strlen_ptr() helper
strlen_ptr() is to strlen() what streq_ptr() is to streq(): i.e. it
handles NULL strings in a smart way.
2017-07-31 18:20:28 +02:00
Lennart Poettering
6f8cbcdb27 process-util: slightly optimize querying of our own process metadata
When we are checking our own data, we can optimize things a bit.
2017-07-31 18:20:28 +02:00
Lennart Poettering
7a1f1aaa78 journald: only accept valid unit names for log streams
Let's be a bit stricter in what we end up logging: ignore invalid unit
name specifications. Let's validate all input!

As we ignore unit names passed in from unprivileged clients anyway the
effect of this additional check is minimal.

(Also, no need to initialize the identifier/unit_id fields of stream
objects to NULL if empty strings are passed, the default is NULL
anyway...)
2017-07-31 18:20:28 +02:00
Lennart Poettering
ec6fe7c86a journald: add comment explaining journal rate limit return codes
This is not obvious, hence let's add a comment.
2017-07-31 18:20:28 +02:00
Lennart Poettering
c867611e0a execute: don't pass unit ID in --user mode to journald for stream logging
When we create a log stream connection to journald, we pass along the
unit ID. With this change we do this only when we run as system
instance, not as user instance, to remove the ambiguity whether a user
or system unit is specified. The effect of this change is minor:
journald ignores the field anyway from clients with UID != 0. This patch
hence only fixes the unit attribution for the --user instance of the
root user.
2017-07-31 18:01:42 +02:00
Lennart Poettering
92a17af991 execute: make some code shorter
Let's simplify some lines to make it shorter.
2017-07-31 18:01:42 +02:00
Lennart Poettering
54191eb3e7 parse-util: introduce pid_is_valid()
Checking for validity of a PID is relatively easy, but let's add a
helper cal for this too, in order to make things more readable and more
similar to uid_is_valid(), gid_is_valid() and friends.
2017-07-31 18:01:42 +02:00
Lennart Poettering
cad93f2996 core, sd-bus, logind: make use of uid_is_valid() in more places 2017-07-31 18:01:42 +02:00
Lennart Poettering
3a87a86e33 audit: introduce audit_session_is_valid() and make use of it everywhere
Let's add a proper validation function, since validation isn't entirely
trivial. Make use of it where applicable. Also make use of
AUDIT_SESSION_INVALID where we need a marker for an invalid audit
session.
2017-07-31 18:01:42 +02:00
Lennart Poettering
ab7e3ef561 escape: fix systemd-escape description text
The long man page paragraph got it right: the tool is for escaping systemd unit
names, not just system unit names. Also fix the short man page paragraph
and the --help text.

Follow-up for 303608c1bc
2017-07-31 18:01:42 +02:00
Nicolas Iooss
3a0bf6d6aa namespace: keep selinuxfs mounted read-write with ProtectKernelTunables (#5741)
When a service unit uses "ProtectKernelTunables=yes", it currently
remounts /sys/fs/selinux read-only. This makes libselinux report SELinux
state as "disabled", because most SELinux features are not usable. For
example it is not possible to validate security contexts (with
security_check_context_raw() or /sys/fs/selinux/context). This behavior
of libselinux has been described in
http://danwalsh.livejournal.com/73099.html and confirmed in a recent
email, https://marc.info/?l=selinux&m=149220233032594&w=2 .

Since commit 0c28d51ac8 ("units: further lock down our long-running
services"), systemd-localed unit uses ProtectKernelTunables=yes.
Nevertheless this service needs to use libselinux API in order to create
/etc/vconsole.conf, /etc/locale.conf... with the right SELinux contexts.
This is broken when /sys/fs/selinux is mounted read-only in the mount
namespace of the service.

Make SELinux-aware systemd services work again when they are using
ProtectKernelTunables=yes by keeping selinuxfs mounted read-write.
2017-07-31 17:45:33 +02:00