IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This text was written a long time ago, when we mostly talked about "service
files". Strictly speaking, we don't need a "file", because the service might
be just an instance of a template, or an alias to another service. So let's use
the more modern parlance of "service units".
https://bugzilla.redhat.com/show_bug.cgi?id=1623781#c21
To access a shell on a disk image, the man page on Fedora-29 says to
run: `systemd-nspawn -M Fedora-Cloud-Base-28-1.1.x86_64.raw`. Let's
try.
List existing images:
$> machinectl list-images | awk '{print $1,$2}';
NAME TYPE
Fedora-Cloud-Base-30… raw
1 images
Now invoke `systemd-nspawn` as noted in the man page:
$> systemd-nspawn -M Fedora-Cloud-Base-30-1.2.x86_64.raw
No image for machine 'Fedora-Cloud-Base-30-1.2.x86_64.raw'.
Removing the ".raw" extension launches the image and gives a shell.
Update the man page to reflect that.
Frantisek Sumsal on #systemd (Freenode) noted the reason: "In older
versions systemd -M accepted both image-name.raw and image-name as a
valid image names, however, on Fedora 29 (systemd-239) with all the
BTRFS stuff around it accepts only -M image-name (without the
extension)"
- - -
While at it, update the fedora_{latest_version, cloud_release}
variables.
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
We had 'calendar' and 'timespan', but the third one was missing.
Also consistently order the verbs as calendar/timestamp/timespan in help.
The output from 'timespan' is highlighted more.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1711065.
This patch adds netdev ipvtap that is based on the
IP-VLAN network interface, called ipvtap. An ipvtap device can be created
in the same way as an ipvlan device, using 'kind ipvtap', and then accessed
using the tap user space interface.
The comment in udev-builtin-net_id.c (removed in grandparent commit) showed the
property without the prefix. I assume that was always the intent, because it
doesn't make much sense to concatenate anything to an arbitrary user-specified
field.
I decided to make this a separate man page because it is freakin' long.
This content could equally well go in systemd-udevd.service(8), systemd.link(5),
or a new man page for the net_id builtin.
v2:
- rename to systemd.net-naming-scheme
- add udevadm test-builtin net_id example
Man page generation is generally very slow. I prefer to use -Dman=false when
developing systemd, and only build specific pages when introducing changes.
Those two little helper tools make it easy:
$ build/man/man systemd.link
$ build/man/html systemd.link
will show systemd.link.8 and systemd.link.html from the build directory build/.
Allow users to set the IPv4 DF bit in outgoing packets, or to inherit its
value from the IPv4 inner header. If the encapsulated protocol is IPv6 and
DF is configured to be inherited, always set it.
When VXLAN destination port is unset and GPE is set
then assign 4790 to destination port. Kernel does the same as
well as iproute.
IANA VXLAN-GPE port is 4790
It makes more sense to call VXLAN ID as
1. the VXLAN Network Identifier (VNI) (or VXLAN Segment ID)
2. test-network: rename VXLAN Id to VNI
3. fuzzer: Add VXLAN VNI directive to fuzzer
When systemd is started, it detects initrd by checking for that file
The usage of that file is not documented anywhere, so mention it early
in the most relevant man-page I could find.
https://github.com/systemd/systemd/issues/7153#issuecomment-485252308
Apparently this is still confusing for people.
Longer-term, I think we should just make BindMount= automatically "upgrade"
(or "downgrade", depending on how you look at this), any InaccessiblePath=
mountpoints to "tmpfs". I don't see much point in forcing users to remember
this interaction. But let's at least document the status quo, we can always
update the docs if the code changes.
A service might be able to detect errors by itself that may require the
system to take the same action as if the service locked up. Add a
WATCHDOG=trigger state change notification to sd_notify() to let the
service manager know about the self-detected misery and instantly
trigger the configured watchdog behaviour.
The interface provided by those two functions is huge, so this text could
probably be made two or three times as long if all details were described.
But I think it's a good start.
This wraps the call to org.freedesktop.DBus.Introspectable.Introspect.
Using "busctl call" directly is inconvenient because busctl escapes the
string before printing.
Example:
$ busctl introspect --xml org.freedesktop.systemd1 /org/freedesktop/systemd1 | pygmentize -lxml | less -RF
When shooting down a service with SIGABRT the user might want to have a
much longer stop timeout than on regular stops/shutdowns. Especially in
the face of short stop timeouts the time might not be sufficient to
write huge core dumps before the service is killed.
This commit adds a dedicated (Default)TimeoutAbortSec= timer that is
used when stopping a service via SIGABRT. In all other cases the
existing TimeoutStopSec= is used. The timer value is unset by default
to skip the special handling and use TimeoutStopSec= for state
'stop-watchdog' to keep the old behaviour.
If the service is in state 'stop-watchdog' and the service should be
stopped explicitly we still go to 'stop-sigterm' and re-apply the usual
TimeoutStopSec= timeout.
In cgroup v2 we have protection tunables -- currently MemoryLow and
MemoryMin (there will be more in future for other resources, too). The
design of these protection tunables requires not only intermediate
cgroups to propagate protections, but also the units at the leaf of that
resource's operation to accept it (by setting MemoryLow or MemoryMin).
This makes sense from an low-level API design perspective, but it's a
good idea to also have a higher-level abstraction that can, by default,
propagate these resources to children recursively. In this patch, this
happens by having descendants set memory.low to N if their ancestor has
DefaultMemoryLow=N -- assuming they don't set a separate MemoryLow
value.
Any affected unit can opt out of this propagation by manually setting
`MemoryLow` to some value in its unit configuration. A unit can also
stop further propagation by setting `DefaultMemoryLow=` with no
argument. This removes further propagation in the subtree, but has no
effect on the unit itself (for that, use `MemoryLow=0`).
Our use case in production is simplifying the configuration of machines
which heavily rely on memory protection tunables, but currently require
tweaking a huge number of unit files to make that a reality. This
directive makes that significantly less fragile, and decreases the risk
of misconfiguration.
After this patch is merged, I will implement DefaultMemoryMin= using the
same principles.
We had all kinds of indentation: 2 sp, 3 sp, 4 sp, 8 sp, and mixed.
4 sp was the most common, in particular the majority of scripts under test/
used that. Let's standarize on 4 sp, because many commandlines are long and
there's a lot of nesting, and with 8sp indentation less stuff fits. 4 sp
also seems to be the default indentation, so this will make it less likely
that people will mess up if they don't load the editor config. (I think people
often use vi, and vi has no support to load project-wide configuration
automatically. We distribute a .vimrc file, but it is not loaded by default,
and even the instructions in it seem to discourage its use for security
reasons.)
Also remove the few vim config lines that were left. We should either have them
on all files, or none.
Also remove some strange stuff like '#!/bin/env bash', yikes.
Media Access Control Security (MACsec) is an 802.1AE IEEE
industry-standard security technology that provides secure
communication for all traffic on Ethernet links.
MACsec provides point-to-point security on Ethernet links between
directly connected nodes and is capable of identifying and preventing
most security threats, including denial of service, intrusion,
man-in-the-middle, masquerading, passive wiretapping, and playback attacks.
Closes#5754
* Use more secure https://www.uefi.orghttp://www.uefi.org directs to https://uefi.org/, so this saves one
redirect.
$ curl -I http://www.uefi.org
HTTP/1.1 302 Found
Server: nginx
Date: Tue, 09 Apr 2019 14:54:46 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
X-Content-Type-Options: nosniff
Location: https://uefi.org/
Cache-Control: max-age=1209600
Expires: Tue, 23 Apr 2019 14:54:46 GMT
Run the command below to update all occurrences.
git grep -l http://www.uefi.org | xargs sed -i 's,http://www.uefi.org,https://www.uefi.org,'
* Use https://uefi.org to save redirect
Save one redirect by using the target location.
$ curl -I https://www.uefi.org
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 09 Apr 2019 14:55:42 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
X-Content-Type-Options: nosniff
Location: https://uefi.org/
Cache-Control: max-age=1209600
Expires: Tue, 23 Apr 2019 14:55:42 GMT
Run the command below to update all occurrences.
git grep -l https://www.uefi.org | xargs sed -i 's,https://www.uefi.org,https://uefi.org,'
The description of NamePolicy= implied this, but didn't spell it out. It's a
very common use case, so let's add a bit of explanation and ehance the example
a bit.
Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1695894.
