1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-31 16:21:26 +03:00
Commit Graph

1300 Commits

Author SHA1 Message Date
Lennart Poettering
19483c60bb logind: make sure the service gets access to the linger directory
Fixes: #12401
2019-05-24 15:05:27 +02:00
Lennart Poettering
727a1a0607 service: tweak capitalization of unit description 2019-05-24 10:48:28 +02:00
Michael Biebl
4450894653 Drop support for /usr/sbin/halt.local
/usr/sbin/halt.local is a Fedora/Red Hat anachronism from pre-systemd
times.
2019-05-23 10:19:01 +02:00
Lennart Poettering
1e187d2dd5 units: automatically revert to /run logging on shutdown if necessary
Fixes: #867
2019-05-09 14:26:42 -04:00
Lennart Poettering
6dc14d7366 units: drop reference to sushell man page
sushell was a Fedoraism, and has been removed since. Hence our upstream
unit files shouldn't reference it either.
2019-04-29 17:06:52 +02:00
Zbigniew Jędrzejewski-Szmek
cc5549ca12 scripts: use 4 space indentation
We had all kinds of indentation: 2 sp, 3 sp, 4 sp, 8 sp, and mixed.
4 sp was the most common, in particular the majority of scripts under test/
used that. Let's standarize on 4 sp, because many commandlines are long and
there's a lot of nesting, and with 8sp indentation less stuff fits. 4 sp
also seems to be the default indentation, so this will make it less likely
that people will mess up if they don't load the editor config. (I think people
often use vi, and vi has no support to load project-wide configuration
automatically. We distribute a .vimrc file, but it is not loaded by default,
and even the instructions in it seem to discourage its use for security
reasons.)

Also remove the few vim config lines that were left. We should either have them
on all files, or none.

Also remove some strange stuff like '#!/bin/env bash', yikes.
2019-04-12 08:30:31 +02:00
Zbigniew Jędrzejewski-Szmek
18a3882250 man: add a page for systemd-udev-settle.service 2019-04-10 10:12:43 +02:00
Peter A. Bigot
4ea0f675ae units: add time-set.target
time-sync.target is supposed to indicate system clock is synchronized
with a remote clock, but as used through 241 it only provided a system
clock that was updated based on a locally-maintained timestamp.  Systems
that are powered off for extended periods would not come up with
accurate time.

Retain the existing behavior using a new time-set.target leaving
time-sync.target for cases where accuracy is required.

Closes #8861
2019-04-08 14:34:05 +02:00
Lennart Poettering
bf65b7e0c9 core: imply NNP and SUID/SGID restriction for DynamicUser=yes service
Let's be safe, rather than sorry. This way DynamicUser=yes services can
neither take benefit of, nor create SUID/SGID binaries.

Given that DynamicUser= is a recent addition only we should be able to
get away with turning this on, even though this is strictly speaking a
binary compatibility breakage.
2019-04-02 16:56:48 +02:00
Lennart Poettering
62aa29247c units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-04-02 16:56:48 +02:00
Zbigniew Jędrzejewski-Szmek
01d2041e41 meson: stop creating enablement symlinks in /etc during installation
This patch was initially prompted by a report on a Fedora update [1], that the
upgrade causes systemd-resolved.service and systemd-networkd.service to be
re-enabled. We generally want to preserve the enablement of all services during
upgrades, so a reset like this is not expected.

Both services declare two symlinks in their [Install] sections, for their dbus
names and for multi-user.target.wants/.  It turns out that both services were
only partially enabled, because their dbus unit symlinks
/etc/systemd/system/dbus-org.freedesktop.{resolve1,network1}.service were
created, by the symlinks in /etc/systemd/system/multi-user.target.wants/ were
not. This means that the units could be activated by dbus, but not in usual
fashion using systemctl start. Our tools make it rather hard to figure out when
something like this happens, and it is definitely an area for improvement on its
own. The symlink in .wants/ was filtered out by during packaging, but the dbus
symlink was left in (I assume by mistake).

Let's simplify things by not creating the symlinks statically during 'ninja
install'. This means that the units shipped by systemd have to be enabled in
the usual fashion, which in turns means that [Install] section and presets
become the "single source of truth" and we don't have two sets of conflicting
configuration.

Let's consider a few cases:
- developer: a developer installs systemd from git on a running system, and they
  don't want the installation to reset enablement of anything. So this change is
  either positive for them, or has no effect (if they have everything at
  defaults).

- package creation: we want to create symlinks using 'preset-all' and 'preset'
  on upgraded packages, we don't want to have any static symlinks. This change
  will remove the need to filter out symlinks in packaging and of course fix
  the original report.

- installation of systemd from scratch: this change means that without
  'preset-all' the system will not be functional. This case could be affected
  negatively by this change, but I think it's enough of a corner case to accept
  this. In practice I expect people to build a package, not installl directly
  into the file system, so this might not even matter in practice.

Creating those symlinks was probably the right thing in the beginning, but
nowadays the preset system is very well established and people expect it to
be honoured. Ignoring the presets and doing static configuration is not welcome
anymore.

Note: during package installation, either 'preset-all' or 'preset getty@.service
machines.target remote-cryptsetup.target remote-fs.target
systemd-networkd.service systemd-resolved.service
systemd-networkd-wait-online.service systemd-timesyncd.service' should be called.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2019-616045ca76
2019-04-01 14:24:44 +02:00
Zbigniew Jędrzejewski-Szmek
709b423f2f meson: indentation 2019-04-01 14:23:29 +02:00
Lennart Poettering
5cb02182fd units: set nodev,nosuid,noexec flags for various secondary API VFS
A couple of API VFS we mount via .mount units. Let's set the three flags
for those too, just in case.

This is just paranoia, nothing else, but shouldn't hurt.
2019-03-25 19:39:00 +01:00
Zbigniew Jędrzejewski-Szmek
11dce8e29b Revert "Revert "units: lock down logind with fs namespacing options""
This reverts commit 28f38a7634.

The revert was done because Ubuntu CI was completely broken with it. Let's see
if it fares better now.
2019-03-19 10:58:49 +01:00
Lennart Poettering
928df2c251 units: turn off keyring handling for user@.service
This service uses PAM anyway, hence let pam_keyring set things up for
us. Moreover, this way we ensure that the invocation ID is not set for
this service as key, and thus can't confuse the user service's
invocation ID.

Fixes: #11649
2019-03-19 10:58:20 +01:00
Zbigniew Jędrzejewski-Szmek
827f62c3f2 man,units: document what user "default.target" is a bit 2019-03-15 13:55:24 +01:00
Jonathan Lebon
8e729d511e units: update catalog after systemd-tmpfiles runs
`systemd-journal-catalog-update.service` writes to `/var`. However, it's
not explicitly ordered wrt `systemd-tmpfiles-setup.service`, which means
that it may run before or after.

This is an issue for Fedora CoreOS, which uses Ignition. We want to be
able to prepare `/var` on first boot from the initrd, where the SELinux
policy is not loaded yet. This means that the hierarchy under `/var` is
not correctly labeled. We add a `Z /var - - -` tmpfiles entry so that it
gets relabeled once `/var` gets mounted post-switchroot.

So any service that tries to access `/var` before `systemd-tmpfiles`
relabels it is likely to hit `EACCES`.

Fix this by simply ordering `systemd-journal-catalog-update.service`
after `systemd-tmpfiles-setup.service`. This is also clearer since the
tmpfiles entries are the canonical source of how `/var` should be
populated.

For more context on this, see:
https://github.com/coreos/ignition/issues/635#issuecomment-446620297
2019-03-14 11:28:19 +01:00
Lennart Poettering
a18449b5bd units: turn of ProtectHostname= again for services hat need to know about system hostname changes
ProtectHostname= turns off hostname change propagation from host to
service. This means for services that care about the hostname and need
to be able to notice changes to it it's not suitable (though it is
useful for most other cases still).

Let's turn it off hence for journald (which logs the current hostname)
for networkd (which optionally sends the current hostname to dhcp
servers) and resolved (which announces the current hostname via
llmnr/mdns).
2019-03-08 15:49:10 +01:00
Michael Biebl
faab72d16b units: fix systemd.special man page reference in system-update-cleanup.service 2019-03-07 14:42:43 +01:00
Lennart Poettering
31b221cf5e logind: add support for booting into the boot menu or a specific boot menu entry
This behaves similar to the "boot into firmware" logic, and also allows
either direct EFI operation (which sd-boot supports and others might
support eventually too) or override through env var.
2019-03-05 16:52:46 +01:00
Martin Pitt
95a32e9750
units: re-drop ProtectHostname from systemd-hostnamed.service (#11792)
This was an overzealous setting from commit 99894b867f. Without this,
`hostnamectl set-hostname` fails with

    Could not set property: Access denied

as `sethostname()` fails with `EPERM`.
2019-02-22 08:04:37 +01:00
Lennart Poettering
25f77a4ba2 man,units: link up new documentation about temporary directories 2019-02-20 18:31:18 +01:00
Lennart Poettering
eb5149ba74
Merge pull request #11682 from topimiettinen/private-utsname
core: ProtectHostname feature
2019-02-20 14:12:15 +01:00
Topi Miettinen
99894b867f units: enable ProtectHostname=yes 2019-02-20 10:50:44 +02:00
Lennart Poettering
4d422d1f9e
Merge pull request #11226 from keszybz/enable-remount-fs-dynamically
Enable systemd-remount-fs.service dynamically
2019-02-18 12:46:31 +01:00
Andrzej Pietrasiewicz
2c633a821e units: add usb-gadget target
Linux can be run on a device meant to act as a USB peripheral. In order
for a machine to act as such a USB device it has to be equipped with
a UDC - USB Device Controller.

This patch adds a target reached when UDC becomes available. It can be used
for activating e.g. a service unit which composes a USB gadget with
configfs and activates it.
2019-02-15 18:16:27 +01:00
Franck Bui
e2c7c94ea3 units: make sure initrd-cleanup.service terminates before switching to rootfs
A follow-up for commit a8cb1dc3e0.

Commit a8cb1dc3e0 made sure that initrd-cleanup.service won't be stopped
when initrd-switch-root.target is isolated.

However even with this change, it might happen that initrd-cleanup.service
survives the switch to rootfs (since it has no ordering constraints against
initrd-switch-root.target) and is stopped right after when default.target is
isolated. This led to initrd-cleanup.service entering in failed state as it
happens when oneshot services are stopped.

This patch along with a8cb1dc3e0 should fix issue #4343.

Fixes: #4343
2019-01-28 13:41:28 +01:00
Lennart Poettering
e4bbc5fb74 units: drop conditionalization of systemd-tmpfiles-setup-dev.service
Currently, tmpfiles runs in two separate services at boot. /dev is
populated by systemd-tmpfiles-setup-dev.service and everything else by
systemd-tmpfiles-setup.service. The former was so far conditionalized by
CAP_SYS_MODULES. The reasoning was that the primary purpose of
populating /dev was to create device nodes based on the static device
node info exported in kernel modules through MODALIAS. And without the
privs to load kernel modules doing so is unnecessary. That thinking is
incomplete however, as there might be reason to create stuff in /dev
outside of the static modalias usecase. Thus, let's drop the
conditionalization to ensure that tmpfiles.d rules are always executed
at least once under all conditions.

Fixes: #11544
2019-01-26 13:55:18 +01:00
Zbigniew Jędrzejewski-Szmek
9b69569d2c Pull in systemd-remount-fs.service only when required
Instead of enabling it unconditionally and then using ConditionPathExists=/etc/fstab,
and possibly masking this condition if it should be enabled for auto gpt stuff,
just pull it in explicitly when required.
2019-01-03 15:30:28 +01:00
Zbigniew Jędrzejewski-Szmek
634cc94f47 units: replace symlinks in units/user/ by real files
We already *install* those as real files since de78fa9ba0.
Meson will start to copy symlinks as-is, so we would get dangling symlinks in
/usr/lib/systemd/user/.

I considered the layout in our sources to match the layout in the installation
filesystem (i.e. creating units/system/ and moving all files from units/ to
units/system/), but that seems overkill. By using normal files for both we get
some duplication, but those files change rarely, so it's not a big downside in
practice.

Fixes #9906.
2018-12-13 20:23:43 +01:00
Zbigniew Jędrzejewski-Szmek
df13444339 units: drop units/user/busnames.target
It seems this was missed in 0ba8987337.
2018-12-13 20:23:43 +01:00
Zbigniew Jędrzejewski-Szmek
401faa3533
Merge pull request #10357 from poettering/import-fs
machinectl import-fs command and other fixes
2018-11-29 16:38:46 +01:00
Lennart Poettering
ff9bf8d012 units: make fsck/grows/makefs/makeswap units conflict against shutdown.target
They are the only units we shipped/generated where this was missing really. Let's fix these.

Follow-up for: #10933
2018-11-26 22:18:16 +01:00
Lennart Poettering
5f7ecd610c import: drop logic of setting up /var/lib/machines as btrfs loopback mount
Let's simplify things and drop the logic that /var/lib/machines is setup
as auto-growing btrfs loopback file /var/lib/machines.raw.

THis was done in order to make quota available for machine management,
but quite frankly never really worked properly, as we couldn't grow the
file system in sync with its use properly. Moreover philosophically it's
problematic overriding the admin's choice of file system like this.

Let's hence drop this, and simplify things. Deleting code is a good
feeling.

Now that regular file systems provide project quota we could probably
add per-machine quota support based on that, hence the btrfs quota
argument is not that interesting anymore (though btrfs quota is a bit
more powerful as it allows recursive quota, i.e. that the machine pool
gets an overall quota in addition to per-machine quota).
2018-11-26 18:09:01 +01:00
Lennart Poettering
7af002f71d units: order systemd-rfkill.socket after /var/lib/systemd/rfkill (#10904)
Otherwise we might install the socket unit early, but the service
backing it late, and then end up in strange loops when we enter rescue
mode, because we saw an event on /dev/rfkill but really can't dispatch
it nor flush it.

Fixes: #9171
2018-11-24 23:59:37 +09:00
Lennart Poettering
3f547ca5a6 units: fix Description= of systemd-exit.service
This file was probably copied from the --user version, let's use some
more appropriate wording for the --system version.
2018-11-16 12:25:35 +01:00
Lennart Poettering
9f782b3e1b units: use correct command to exit
Otherwise we'll end a cyclic loop.
2018-11-16 12:25:35 +01:00
Lennart Poettering
1795457f50 units: add the same ordering deps for systemd-exit.service as for systemd-poweroff.service and friends
This stuff runs in containers, and should really behave the same
everywhere.
2018-11-16 12:25:35 +01:00
Zbigniew Jędrzejewski-Szmek
28f38a7634 Revert "units: lock down logind with fs namespacing options" 2018-11-15 17:48:01 +03:00
Lennart Poettering
53a3e8fc7a
Merge pull request #10744 from poettering/logind-lock-down
units: lock down logind with fs namespacing options
2018-11-13 10:38:47 +01:00
Lennart Poettering
99cd001d4c units: also change portabled's syscall filter to a whitelist 2018-11-13 10:38:17 +01:00
Lennart Poettering
45ae3f6117 units: lock down systemd-logind.service with various fs namespacing options
now that logind doesn't mount $XDG_RUNTIME_DIR anymore we can lock down
the service using fs namespacing (as we don't need the mount to
propagate to the host namespace anymore).
2018-11-12 19:14:33 +01:00
Lennart Poettering
1bded6b28f logind: drop CAP_KILL from caps bounding set
logind doesn't kill any processes anymore, hence let's drop the
capability.
2018-11-12 19:05:36 +01:00
Lennart Poettering
3ca9940cb9 units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.

On SELinux system this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels is permitted.

An while we are at it: sort the settings in the unit files this touches.
This might increase the size of the change in this case, but hopefully
should result in stabler patches later on.

Fixes: #1219
2018-11-12 19:02:55 +01:00
Alan Jenkins
0ba8987337 units: remove unused busnames.target
I found zero references to busnames.target, using git grep "busnames".
(And we do not install using a wildcard units/*.*.  There is no
busnames.target installed on my Fedora 28 system).
2018-10-31 11:44:03 +01:00
Lennart Poettering
73f19ce1ae units: drop systemd-user-sessions.service ordering dep on systemd-journal-flush.service (#10502)
THis dep existed since the unit was introduced, but I cannot see what
good it would do. Hence in the interest of simplifying things, let's
drop it. If breakages appear later we can certainly revert this again.

Fixes: #10469
2018-10-25 04:41:02 +09:00
Lennart Poettering
f876f53789 units: add simple boot check unit
This is might be useful in some cases, but it's primarily an example for
a boot check service that can be plugged before boot-complete.target.

It's disabled by default.

All it does is check whether the failed unit count is zero
2018-10-19 22:34:50 +02:00
Lennart Poettering
36695e880a add new systemd-bless-boot.service that marks boots as successful
This is the counterpiece to the boot counting implemented in
systemd-boot: if a boot is detected as successful we mark drop the
counter again from the booted snippet or kernel image.
2018-10-19 22:34:50 +02:00
Lennart Poettering
329d20db3c units: add generic boot-complete.target 2018-10-19 22:34:50 +02:00
Lennart Poettering
a42984dbc7
Merge pull request #10428 from keszybz/failure-actions
Implement manager status changes using SuccessAction=
2018-10-17 21:29:10 +02:00
Zbigniew Jędrzejewski-Szmek
a400bd8c2a units: allow and use SuccessAction=exit-force in system systemd-exit.service
C.f. 287419c119: 'systemctl exit 42' can be
used to set an exit value and pulls in exit.target, which pulls in systemd-exit.service,
which calls org.fdo.Manager.Exit, which calls method_exit(), which sets the objective
to MANAGER_EXIT. Allow the same to happen through SuccessAction=exit.

v2: update for 'exit' and 'exit-force'
2018-10-17 19:32:07 +02:00
Zbigniew Jędrzejewski-Szmek
afa6206583 units: use SuccessAction=poweroff-force in systemd-poweroff.service
Explicit systemctl calls remain in systemd-halt.service and the system
systemd-exit.service. To convert systemd-halt, we'd need to add
SuccessAction=halt-force. Halting doesn't make much sense, so let's just
leave that is. systemd-exit.service will be converted in the next commit.
2018-10-17 19:31:50 +02:00
Zbigniew Jędrzejewski-Szmek
d85515edcf units: use SuccessAction=reboot-force in systemd-reboot.service 2018-10-17 19:31:50 +02:00
Zbigniew Jędrzejewski-Szmek
631c9b7bf2 units: use SuccessAction=exit-force in systemd-exit.service
Fixes #10414.

v2:
- rename .service.in to .service
- rename 'exit' to 'exit-force'
2018-10-17 19:31:50 +02:00
Zbigniew Jędrzejewski-Szmek
c02b6ee496 meson: define @HIGH_RLIMIT_NOFILE@ and use it everywhere 2018-10-17 14:54:48 +02:00
Lennart Poettering
c35ee02c61 units: bump the RLIMIT_NOFILE soft limit for all services that access the journal
This updates the unit files of all our serviecs that deal with journal
stuff to use a higher RLIMIT_NOFILE soft limit by default. The new value
is the same as used for the new HIGH_RLIMIT_NOFILE we just added.

With this we ensure all code that access the journal has higher
RLIMIT_NOFILE. The code that runs as daemon via the unit files, the code
that is run from the user's command line via C code internal to the
relevant tools. In some cases this means we'll redundantly bump the
limits as there are tools run both from the command line and as service.
2018-10-16 16:33:55 +02:00
Lennart Poettering
2d6718bf3d units: use =yes rather than =true everywhere
So far we always used "yes" instead of "true" in all our unit files,
except for one outlier. Let's do this here too. No change in behaviour
whatsoever, except that it looks prettier ;-)
2018-10-13 12:59:29 +02:00
Lennart Poettering
07ee5adb35 logind: change user-runtime-dir to query runtime dir size from logind via the bus
I think this is a slightly cleaner approach than parsing the
configuration file at multiple places, as this way there's only a single
reload cycle for logind.conf, and that's systemd-logind.service's
runtime.

This means that logind and dbus become a requirement of
user-runtime-dir, but given that XDG_RUNTIME_DIR is not set anyway
without logind and dbus around this isn't really any limitation.

This also simplifies linking a bit as this means user-runtime-dir
doesn't have to link against any code of logind itself.
2018-10-13 12:59:29 +02:00
Lennart Poettering
14df094a51 units: improve Description= string a bit
Let's not use the word "wrapper", as it's not clear what that is, and in
some way any unit file is a "wrapper"... let's simply say that it's
about the runtime directory.
2018-10-13 12:59:29 +02:00
Lennart Poettering
1007473b49 units: set StopWhenUnneeded= for the user slice units too
We'd like them to go away, just like the user-runtime-dir@.service when
they aren't needed anymore.
2018-10-13 12:59:29 +02:00
Lennart Poettering
dacd723620
Merge pull request #10117 from keszybz/undynamicify
Set DynamicUser=no for networkd, resolved, timesyncd
2018-10-05 17:41:56 +02:00
Franck Bui
4885626b56 emergency: make sure console password agents don't interfere with the emergency shell
If for any reason local-fs.target fails at startup while a password is
requested by systemd-cryptsetup@.service, we end up with the emergency shell
competing with systemd-ask-password-console.service for the console.

This patch makes sure that:

 - systemd-ask-password-console.service is stopped before entering in emergency
   mode so it won't make any access to the console while the emergency shell is
   running.

 - systemd-ask-password-console.path is also stopped so any attempts to restart
   systemd-cryptsetup in the emergency shell won't restart
   systemd-ask-password-console.service and kill the emergency shell.

 - systemd-ask-password-wall.path is stopped so
   systemd-ask-password-wall.service won't be started as this service pulls
   the default dependencies in.

Fixes: #10131
2018-09-26 18:13:32 +02:00
Zbigniew Jędrzejewski-Szmek
696fc8360d Revert "network: set DynamicUser= to systemd-networkd.service"
This reverts commit d4e9e574ea.
(systemd.conf.m4 part was already reverted in 5b5d82615011b9827466b7cd5756da35627a1608.)

Together those reverts should "fix" #10025 and #10011. ("fix" is in quotes
because this doesn't really fix the underlying issue, which is combining
DynamicUser= with strict container sandbox, but it avoids the problem by not
using that feature in our default installation.)

Dynamic users don't work well if the service requires matching configuration in
other places, for example dbus policy. This is true for those three services.
In effect, distros create the user statically [1, 2]. Dynamic users make more
sense for "add-on" services where not creating the user, or more precisely,
creating the user lazily, can save resources. For "basic" services, if we are
going to create the user on package installation anyway, setting DynamicUser=
just creates unneeded confusion. The only case where it is actually used is
when somebody forgets to do system configuration. But it's better to have the
service fail cleanly in this case too. If we want to turn on some side-effect
of DynamicUser=yes for those services, we should just do that directly through
fine-grained options. By not using DynamicUser= we also avoid the need to
restart dbus.

[1] bd9bf30727
[2] 48ac1cebde/f/systemd.spec (_473)
(Fedora does not create systemd-timesync user.)
2018-09-20 16:52:02 +02:00
Zbigniew Jędrzejewski-Szmek
62fb7e80fc Revert "resolve: enable DynamicUser= for systemd-resolved.service"
This reverts commit 0187368cad.
(systemd.conf.m4 part was already reverted in 5b5d82615011b9827466b7cd5756da35627a1608.)
2018-09-20 16:52:02 +02:00
João Paulo Rechi Vita
5c86583cf8 tmpfiles: Order tmpfiles-setup after journald
systemd-tmpfiles-setup.service needs to be ordered after
systemd-journald.service, so entries in /run/log/journal are already
created when systemd-tmpfiles tries to adjust its permissions.

This is specially problematic for setups using a volatile journal where
the initrd does not ship a machine-id (i.e. OSTree-based systems), where
logs from the initrd will be inaccessible for users in the
systemd-journal group. It also has a side effect of `journalctl --user`
failing with "No journal files were opened due to insufficient
permissions".

Fixes #10128.
2018-09-20 13:20:41 +02:00
Zbigniew Jędrzejewski-Szmek
3f491cccef meson: fix dirname/basename confusion in meson-and-wants.sh install helper (#10126)
We would create a useless empty directory under build/.
It seems we were lucky and all symlinks were installed into directories
which were alredy created because we installed something into the same
location earlier.

While at it, also add '-v' to 'mkdir -p'. This will print the names of
directories as they are created (just once), making it easier to see all of
what the install script is doing.
2018-09-20 16:01:58 +09:00
Zbigniew Jędrzejewski-Szmek
162e0b75f9 Revert "timesyncd: enable DynamicUser="
This reverts commit 48d3e88c18.

I kept the follow-symlink=false → follow-symlink=true change instact, since
we're likely to have existing installations with a symlink now.
2018-09-19 10:00:09 +02:00
Zbigniew Jędrzejewski-Szmek
89be857a41 Revert "unit: drop After=systemd-sysusers.service from timesyncd"
This reverts commit be80154827.
2018-09-19 09:56:36 +02:00
Alan Jenkins
473b9c683a user-runtime-dir@.service: don't stop on runlevel switch (#10079)
Followup to commit 13cf422e04 ("user@.service: don't kill user manager at runlevel switch")

I think there's a general rule that units with `StopWhenUnneeded=yes` need
`IgnoreOnIsolate=yes`...  But it doesn't apply to `suspend.target` and friends.
`printer.target` and friends break on isolate even if we apply the rule[1].
That just leaves `graphical-session.target`, which is a user service.
"isolate" is *mostly* a weird attempt to emulate runlevels, so I decided
not to worry about it for user services.

[1] https://github.com/systemd/systemd/issues/6505#issuecomment-320644819
2018-09-14 12:11:57 +09:00
Thomas Blume
8c1f04352b user@.service: don't kill user manager at runlevel switch
Loggin in as root user and then switching the runlevel results in a
stop of the user manager, even though the user ist still logged in.
That leaves a broken user session.

Adding "IgnoreOnIsolate=true" to user@.service fixes this.
2018-09-13 12:18:27 +02:00
Lennart Poettering
1193c11a04 units: assign user-runtime-dir@.service to user-%i.slice
This service won't use much resources, but it's certainly nicer to see
it attached th the user's slice along with user@.service, so that
everything we run for a specific user is properly bound into one unit.
2018-08-03 10:45:31 +02:00
Lennart Poettering
eb748aef4f units: order user-runtime-dir@.service after systemd-user-sessions.service
We use systemd-user-sessions.service as barrier when to allow login
sessions. With this patch user@.service is ordered after that too, so
that any login related code (which user-runtime-dir@.service is) is
guaranteed to run after the barrier, and never before.
2018-08-03 10:42:09 +02:00
Lennart Poettering
d06e8fbce3 units: make sure user-runtime-dir@.service is Type=oneshot
We order user@.service after it, hence we need to properly know when it
finished starting up.
2018-08-03 10:38:49 +02:00
Lennart Poettering
e5b3ace969 units: make sure user@.service runs with dbus still up
Fixes: #9565
2018-07-25 14:12:09 +02:00
Zbigniew Jędrzejewski-Szmek
a99655b052 man: add a description of user@.service, user-runtime-dir@.service, user-*.slice
Fixes #9590.
2018-07-20 16:57:50 +02:00
Lennart Poettering
6133af6030 units: let's use two ExecStart= lines instead of ; 2018-06-20 23:59:29 +02:00
Zbigniew Jędrzejewski-Szmek
5ce2212a72 units: fix typo in After=
Followup for c7668c1ce0.
2018-06-20 18:14:43 +02:00
Lennart Poettering
c7668c1ce0 units: make system-update-pre.target a passive unit (#9349)
This is an additional synchronization point normally not needed. Hence,
let's make it passive, i.e. pull it in from the unit which wants to be
ordered before the update service rather than by the update service
itself.
2018-06-20 12:46:18 +02:00
Hans de Goede
520741d08e units: Add new system-update-pre.target
systemd offline-updates allows dropping multiple system update units
to be added to system-update.target.wants.

As documented in systemd.offline-updates(7) only 1 of these units
should actually be active (based on the /system-update symlink) and
when that unit is done it should reboot the system.

In some cases it is desirable to run a unit whenever booting in
offline-updates mode indepedent of which update unit is going to
handle the update. One example of this is integration with bootloader
code which checks if the previous boot was succesful.

Since the active unit will reboot the system when it is done, there
is no guarantee that adding such a unit to system-update.target.wants
will get it executed always.

This commit adds a system-update-pre.target which can be used for
units which should always run when booting in offline-updates mode.
2018-06-19 13:42:19 +02:00
Lennart Poettering
ee8f26180d units: switch from system call blacklist to whitelist
This is generally the safer approach, and is what container managers
(including nspawn) do, hence let's move to this too for our own
services. This is particularly useful as this this means the new
@system-service system call filter group will get serious real-life
testing quickly.

This also switches from firing SIGSYS on unexpected syscalls to
returning EPERM. This would have probably been a better default anyway,
but it's hard to change that these days. When whitelisting system calls
SIGSYS is highly problematic as system calls that are newly introduced
to Linux become minefields for services otherwise.

Note that this enables a system call filter for udev for the first time,
and will block @clock, @mount and @swap from it. Some downstream
distributions might want to revert this locally if they want to permit
unsafe operations on udev rules, but in general this shiuld be mostly
safe, as we already set MountFlags=shared for udevd, hence at least
@mount won't change anything.
2018-06-14 17:44:20 +02:00
Zbigniew Jędrzejewski-Szmek
0cd41d4dff Drop my copyright headers
perl -i -0pe 's/\s*Copyright © .... Zbigniew Jędrzejewski.*?\n/\n/gms' man/*xml
git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/(#\n)?# +Copyright © [0-9, -]+ Zbigniew Jędrzejewski.*?\n//gms'
git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s*\/\*\*\*\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*?\s*\*\*\*\/\s*/\n\n/gms'
git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*//gms'
2018-06-14 13:03:20 +02:00
Lennart Poettering
96b2fb93c5 tree-wide: beautify remaining copyright statements
Let's unify an beautify our remaining copyright statements, with a
unicode ©. This means our copyright statements are now always formatted
the same way. Yay.
2018-06-14 10:20:21 +02:00
Lennart Poettering
b2e8ae7380 units: switch udev service to use PrivateMounts=yes
Given that PrivateMounts=yes is the "successor" to MountFlags=slave in
unit files, let's make use of it for udevd.
2018-06-12 16:27:37 +02:00
Lennart Poettering
61d0578b07 add new portable service framework
This adds a small service "systemd-portabled" and a matching client
"portablectl", which implement the "portable service" concept.

The daemon implements the actual operations, is PolicyKit-enabled and is
activated on demand with exit-on-idle.

Both the daemon and the client are an optional build artifact, enabled
by default rhough.
2018-05-24 17:01:57 +02:00
Yu Watanabe
d4e9e574ea network: set DynamicUser= to systemd-networkd.service 2018-05-22 22:37:34 +09:00
Yu Watanabe
0187368cad resolve: enable DynamicUser= for systemd-resolved.service 2018-05-22 22:32:25 +09:00
Yu Watanabe
be80154827 unit: drop After=systemd-sysusers.service from timesyncd
After=systemd-sysusers.service is not necessary, as timesyncd
already enables DynamicUser=.
2018-05-22 22:20:17 +09:00
Yu Watanabe
46657f637c units: set RestrictNamespaces=yes to networkd and resolved
Closes #8949.
2018-05-10 22:50:31 -07:00
Yu Watanabe
348b44372f meson: generate m4 preprocessor from config.h (#8914) 2018-05-07 11:17:35 +02:00
Yu Watanabe
e7dd394767 timesync: expose manager properties on bus 2018-05-03 18:05:14 +09:00
Yu Watanabe
dea6363533 unit: tighten sandboxing for logind 2018-04-27 18:11:29 +09:00
Zbigniew Jędrzejewski-Szmek
a9f0f5e501 logind: split %t directory creation to a helper unit
Unfortunately this needs a new binary to do the mount because there's just
too many special steps to outsource this to systemd-mount:
- EPERM needs to be treated specially
- UserRuntimeDir= setting must be obeyed
- SELinux label must be adjusted

This allows user@.service to be started independently of logind.
So 'systemctl start user@nnn' will start the user manager for user nnn.
Logind will start it too when the user logs in, and will stop it (unless
lingering is enabled) when the user logs out.

Fixes #7339.
2018-04-25 16:20:28 +02:00
Zbigniew Jędrzejewski-Szmek
2841493927 Use a dash-truncated drop-in for user-%j.slice configuration
This removes the UserTasksMax= setting in logind.conf. Instead, the generic
TasksMax= setting on the slice should be used. Instead of a transient unit we
use a drop-in to tweak the default definition of a .slice. It's better to use
the normal unit mechanisms instead of creating units on the fly. This will also
make it easier to start user@.service independently of logind, or set
additional settings like MemoryMax= for user slices.

The setting in logind is removed, because otherwise we would have two sources
of "truth": the slice on disk and the logind config. Instead of trying to
coordinate those two sources of configuration (and maintainer overrides to
both), let's just convert to the new one fully.

Right now now automatic transition mechanism is provided. logind will emit a
hint when it encounters the setting, but otherwise it will be ignored.

Fixes #2556.
2018-04-25 16:18:45 +02:00
Yu Watanabe
edac2c4716 unit,meson: drop .in suffix if no substitution is required (#8740) 2018-04-17 19:49:10 +02:00
Peter A. Bigot
2dd79846dd time-wait-sync: use watchfile to coordinate with timesyncd
Systems that have an accurate real-time clock may have an initial
unsynchronized time that is close enough to the synchronized time that
the final adjustment doesn't trigger a waking "clock set" event.  Have
timesyncd touch a file in its runtime directory as a secondary signal
for synchronization.  Continue to support the timerfd-based trigger as a
sufficient condition when the watchfile is not present.

Closes issue #8683
2018-04-14 09:52:40 -05:00
Peter A. Bigot
006ffa6421 units: leave systemd-time-wait-sync disabled by default
Also mark its presence conditional on ENABLE_TIMESYNCD.
2018-04-14 09:52:40 -05:00
guixxx
de03b29512 fix url for binfmt documentation (#8720)
this file went unnoticed in PR #6223
2018-04-14 15:15:19 +02:00
Zbigniew Jędrzejewski-Szmek
11a1589223 tree-wide: drop license boilerplate
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.

I also kept any copyright lines. We can probably remove them, but it'd nice to
obtain explicit acks from all involved authors before doing that.
2018-04-06 18:58:55 +02:00
Lennart Poettering
6064de2de8
Merge pull request #8617 from keszybz/tmpfiles-relax
Do not exit with error when systemd-tmpfiles --boot fails
2018-04-05 11:54:02 +02:00
Zbigniew Jędrzejewski-Szmek
c79b89e6eb tmpfiles: ignore "operational" errors during setup
We still get the errors logged, but we don't fail the service. This
is better for users because rerunning tmpfiles-setup.service a second
time is dangerous (c.f. cd9f5b68ce).
Note that this only touches sd-tmpfiles-setup.service and
sd-tmpfiles-setup-dev.service. sd-tmpfiles-clean.service is as before.

https://bugzilla.redhat.com/show_bug.cgi?id=1539341
2018-04-05 08:13:53 +02:00
Filipe Brandenburger
add384dd4d units: use systemctl exit to kill the user manager (#8648)
Use `systemctl --user --force exit` to implement the systemd-exit
user service.

This removes our dependence on an external `kill` binary and the
concerns about whether they recognize SIGRTMIN+n by name or what their
interpretation of SIGRTMIN is.

Tested: `systemctl --user start systemd-exit.service` kills the
  `systemd --user` instance for my user.
2018-04-04 11:14:37 +02:00
Mike Gilbert
4d8c7c1b3a units: initctl: move the fifo to /run/initctl to match sysvinit
The fifo location was moved in sysvinit-2.89.

http://git.savannah.nongnu.org/cgit/sysvinit.git/commit/?id=80dbcf3de3c1b83aeaa713a8fe5b8d35d8649af2
2018-03-30 16:52:14 -04:00
Mario Limonciello
ca037d1e08 Fix description on suspend-then-hibernate units.
Suspend; Idle into hibernate didn't make sense.
2018-03-28 15:26:18 -05:00
Mario Limonciello
e68c79db91 Rename suspend-to-hibernate to suspend-then-hibernate
Per some discussion with Gnome folks, they would prefer this name
as it's more descriptive of what's happening.
2018-03-28 15:11:10 -05:00
Lennart Poettering
c5beecca19 units: document why systemd-time-wait-sync.service conditions on CAP_SYS_TIME (#8555)
As requested by @evverx in https://github.com/systemd/systemd/pull/8537#issuecomment-375122615
2018-03-22 23:41:54 +03:00
Peter A. Bigot
1d0b60c481 units: disable systemd-time-sync-wait inside containers (#8537)
Fixes #8535
2018-03-22 05:27:27 +03:00
Peter A. Bigot
5c3376efcd time-sync-wait: add service (#8494)
This one-shot service waits until the kernel time has been set to
synchronized.
2018-03-21 12:42:04 +01:00
Karol Augustin
94a1d03e27 units: Fix SuccessAction that belongs to [Unit] section not [Service] section (#8478) 2018-03-18 19:40:07 +09:00
Mario Limonciello
c58493c00a Introduce suspend-to-hibernate (#8274)
Suspend to Hibernate is a new sleep method that invokes suspend
for a predefined period of time before automatically waking up
and hibernating the system.

It's similar to HybridSleep however there isn't a performance
impact on every suspend cycle.

It's intended to use with systems that may have a higher power
drain in their supported suspend states to prevent battery and
data loss over an extended suspend cycle.

Signed-off-by: Mario Limonciello <mario.limonciello@dell.com>
2018-03-08 14:17:33 +01:00
Lennart Poettering
7ddcdb6072
units: use SuccessAction=reboot where appropriate (#8335)
We should really use our own native concepts for rebooting.
2018-03-02 15:41:36 +01:00
Franck Bui
acc8059129 units: delegate "memory" instead of "cpu" by default for user instances (#8320)
CPU accounting has a too bad impact on performance to be enabled by
default. Therefore we should not delegate "cpu" for now.

OTOH since commit e0c46a7364, memory accounting
has been turned on for all units by default so it makes sense to delegate this
controller by default.
2018-03-01 10:58:03 +01:00
Alan Jenkins
d8e5a93382 slice: system.slice should be perpetual like -.mount
`-.mount` is placed in `system.slice`, and hence depends on it.
`-.mount` is always active and can never be stopped.  Therefore the same
should be true of `system.slice`.

Synthesize it as perpetual (unless systemd is running as a user manager).
Notice we also drop `Before=slices.target` as unnecessary.

AFAICS the justification for `perpetual` is to provide extra protection
against unintentionally stopping every single service.  So adding
system.slice to the perpetual units is perfectly consistent.

I don't expect this will (or can) fix any other problem.  And the
`perpetual` protection probably isn't formal enough to spend much time
thinking about.  I've just noticed this a couple of times, as something
that looks strange.

Might be a bit surprising that we have user.slice on-disk but not
system.slice, but I think it's ok. `systemctl status system.slice` will
still point you towards `man systemd.special`.  The only detail is that the
system slice disables `DefaultDependencies`.  If you're worrying about how
system shutdown works when you read `man systemd.slice`, I think it is not
too hard to guess that system.slice might do this:

> Only slice units involved with early boot
> or late system shutdown should disable this option

(Docs are great. I really appreciate the systemd ones).
2018-02-04 22:51:34 +00:00
Dimitri John Ledkov
1f1580139e resolved.service: set DefaultDependencies=no
On systems that only use resolved for name resolution, there are usecases that
require resolved to be started before sysinit target, such that network name
resolution is available before network-online/sysinit targets. For example,
cloud-init for some datasources hooks into the boot process ahead of sysinit
target and may need network name resolution at that point already.

systemd-resolved already starts pretty early in the process, thus starting it
slightly earlier should not have negative side effects.

However, this depends on resolved ability to connect to system DBus once that
is up.
2018-01-11 12:40:44 +01:00
Lennart Poettering
9b873d1c79 units: link up debug-generator documentation from debug-shell.service 2017-12-26 12:13:51 +01:00
Lennart Poettering
245992a0c0 man: add a systemd-rc-local-generator(8) man page
Most importantly, let's highlight the differences to the rc-local
behaviour in SysV.

Fixes: #7703
2017-12-26 12:13:51 +01:00
bleep_blop
7629744a3d separate flags from shebang 2017-12-25 19:48:49 +01:00
Lennart Poettering
8fd010bb1b nspawn: turn on watchdog logic for nspawn too
It's a long-running daemon, and it's easy to enable, hence do it.
2017-12-07 12:34:46 +01:00
Lennart Poettering
5dfcaaaf11 units: delegate only "cpu" and "pids" controllers by default (#7564)
Now that we can configure which controllers to delegate precisely, let's
limit wht we delegate to the user session: only "cpu" and "pids" as a
minimal baseline.

Fixes: #1715
2017-12-07 08:48:08 +01:00
Zbigniew Jędrzejewski-Szmek
cfdda37c9f Hook up systemd-tmpfiles as user units
An explicit --user switch is necessary because for the user@0.service instance
systemd-tmpfiles is running as root, and we need to distinguish that from
systemd-tmpfiles running in systemd-tmpfiles*.service.

Fixes #2208.

v2:
- restore "systemd-" prefix
- add systemd-tmpfiles-clean.{service,timer}, systemd-setup.service to
  systemd-tmpfiles(8)
2017-12-06 10:19:35 +01:00
Zbigniew Jędrzejewski-Szmek
cd9f5b68ce units: use SuccessExitStatus to ignore syntax errors in tmpfiles
This makes sense from the point of view of the whole distribution:
if there are some specific files that have syntax problems, or unknown
users or groups, or use unsupported features, failing the whole service
is not useful.

In particular, services with tmpfiles --boot should not be started after boot.
The premise of --boot is that there are actions which are only safe to do once
during boot, because the state evolves later through other means and re-running
the boot-time setup would destroy it. If services with --boot fail in the
initial transaction, they would be re-run later on when a unit which
(indirectly) depends on them is started, causing problems.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1507501.

(If we had a mode where a service would at most run once, and would not be
started in subsequent transactions, that'd be a good additional safeguard.
Using ExecStart=-... is a bit like that, but it causes all failure to be
ignored, which is too big of a hammer.)
2017-12-01 18:58:54 +01:00
Zbigniew Jędrzejewski-Szmek
3a726fcd08 Add license headers and SPDX identifiers to meson.build files
So far I avoided adding license headers to meson files, but they are pretty
big and important and should carry license headers like everything else.
I added my own copyright, even though other people modified those files too.
But this is mostly symbolic, so I hope that's OK.
2017-11-19 19:08:15 +01:00
Zbigniew Jędrzejewski-Szmek
a7df2d1e43 Add SPDX license headers to unit files 2017-11-19 19:08:15 +01:00
Lennart Poettering
3e3852b3c6 core: make "tmpfs" dependencies on swapfs a "default" dep, not an "implicit"
There should be a way to turn this logic of, and DefaultDependencies=
appears to be the right option for that, hence let's downgrade this
dependency type from "implicit" to "default, and thus honour
DefaultDependencies=.

This also drops mount_get_fstype() as we only have a single user needing
this now.

A follow-up for #7076.
2017-11-10 19:52:41 +01:00
Yu Watanabe
3bd469546b meson: do not create systemd-user-sessions.service if PAM is disabled
Fixes #7227.
2017-10-31 17:12:36 +09:00
Lennart Poettering
b5487fa0b6 Merge pull request #7078 from keszybz/cryptsetup-netdev-fixes
Cryptsetup _netdev fixes
2017-10-18 21:15:29 +08:00
Zbigniew Jędrzejewski-Szmek
a0e030f53b units: make remote-cryptsetup.target also after cryptsetup-pre.target
This way people can order units before cryptsetup-pre.target and
have them run before any cryptsetup-related stuff.
2017-10-18 15:14:46 +02:00
Zbigniew Jędrzejewski-Szmek
a0dd209763 units: replace remote-cryptsetup-pre.target with remote-fs-pre.target
remote-cryptsetup-pre.target was designed as an active unit (that pulls in
network-online.target), the opposite of remote-fs-pre.target (a passive unit,
with individual provider services ordering itself before it and pulling it in,
for example iscsi.service and nfs-client.target).

To make remote-cryptsetup-pre.target really work, those services should be
ordered before it too. But this would require updates to all those services,
not just changes from systemd side.

But the requirements for remote-fs-pre.target and remote-cryptset-pre.target
are fairly similar (e.g. iscsi devices can certainly be used for both), so
let's reuse remote-fs-pre.target also for remote cryptsetup units. This loses
a bit of flexibility, but does away with the requirement for various provider
services to know about remote-cryptsetup-pre.target.
2017-10-17 19:15:58 +02:00
Michal Sekletar
fab35afabf mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
In the past we introduced this property just for tmp.mount. However on
todays systems usually there are many more tmpfs mounts. Most notably
mounts backing XDG_RUNTIME_DIR for each user.

Let's generalize what we already have for tmp.mount and implement the
ordering After=swap.target for all tmpfs based mounts.
2017-10-16 16:15:05 +02:00
Zbigniew Jędrzejewski-Szmek
8f462b074e units: add [Install] section to remote-cryptsetup.target
This makes this target the same as remote-fs.target in this regard. In practice
it probably doesn't make that much difference, because all encrypted devices
that are part of remote-fs.target (marked with _netdev) will be used for mount
points, so they will be pulled in anyway individually, but with this change any
such device will be configured, even if it is not pulled by any other unit.
2017-10-13 08:03:16 +02:00
Yu Watanabe
941afc4b90 unit: enable DynamicUser= for journal-upload 2017-10-06 16:06:21 +09:00
Yu Watanabe
48d3e88c18 timesyncd: enable DynamicUser= 2017-10-06 16:05:20 +09:00
Lennart Poettering
fdb6343484 Merge pull request #6909 from sourcejedi/units
Unit dependency fixes (and cleanups)
2017-10-05 18:26:02 +02:00
Lennart Poettering
c74cdb5cc3 units: restore User=systemd-journal-gateway in systemd-journal-gatewayd.service (#7005)
After the discussions around #7003 I think we should restore the
User=systemd-journal-gateway line for systemd-journal-gatewayd.service,
too, so that we continue to use the state user if it exists, and create
it as dynamic user only when it does not.

Note that undoes part of a change made after 234, i.e. a never released
change.
2017-10-05 15:05:02 +02:00
Lennart Poettering
4aa1d31c89 Merge pull request #6974 from keszybz/clean-up-defines
Clean up define definitions
2017-10-04 19:25:30 +02:00
Lennart Poettering
0a9b166b43 units: prohibit all IP traffic on all our long-running services (#6921)
Let's lock things down further.
2017-10-04 14:16:28 +02:00
Zbigniew Jędrzejewski-Szmek
1ec57f3394 build-sys: s/ENABLE_RESOLVED/ENABLE_RESOLVE/
The configuration option was called -Dresolve, but the internal define
was …RESOLVED. This options governs more than just resolved itself, so
let's settle on the version without "d".
2017-10-04 12:09:51 +02:00
Zbigniew Jędrzejewski-Szmek
3211da4bcb build-sys: s/HAVE_UTMP/ENABLE_UTMP/
"Have" should be about the external environment and dependencies. Anything
which is a pure yes/no choice should be "enable".
2017-10-04 12:09:50 +02:00
Zbigniew Jędrzejewski-Szmek
349cc4a507 build-sys: use #if Y instead of #ifdef Y everywhere
The advantage is that is the name is mispellt, cpp will warn us.

$ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/"
$ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;'
$ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g'
$ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g'
+ manual changes to meson.build

squash! build-sys: use #if Y instead of #ifdef Y everywhere

v2:
- fix incorrect setting of HAVE_LIBIDN2
2017-10-04 12:09:29 +02:00
Alan Jenkins
2d4b910383 units: DefaultDependencies already implies conflict with shutdown.target
(and system-update.target does not have DefaultDependencies=no)
2017-09-30 22:02:05 +01:00
Alan Jenkins
0b9ad5bf2e units: add missing Before=shutdown.target for units which it Conflicts
There's a few services missing this ordering.

Also remove a duplicate Conflicts=shutdown.target from
systemd-volatile-root.service.
2017-09-30 22:01:42 +01:00
Alan Jenkins
6f6d1a8a6a units: add missing ordering deps for Conflicts= of emergency.service
1. If we exited emergency mode immediately, we don't want to have an
   irreversible stop job still running for syslog.socket.  I _suspect_ that
   can't happen, but let's not waste effort working out exactly why it's
   impossible and not just very improbable.

2. Similarly, it seems undesirable to have rescue.service and
   emergency.service both running with an open FD of /dev/console, for
   however short a period.
2017-09-29 17:35:44 +01:00
Alan Jenkins
950d8fcdd9 units: express Conflict in syslog.socket instead of emergency.service
Note this commit only changes how the code is expressed; it does not change
the existence of any dependency.

The `Conflicts=` was added in 3136ec90, "Stop syslog.socket when entering
emergency mode".  The discussion in the issue #266 raised concerns that
this might be needed for other units, but failed to point out why
syslog.socket is special.  The reason is that syslog.socket has
DefaultDepedencies=no, so it does not get Requires=sysinit.target like
other socket units do.  But syslog.service does require sysinit.target,
among other things.

We don't have many socket, path, or timer units with
DefaultDependencies=no, and I don't think any of the triggered services
have such additional hard dependencies as syslog.service does.

It is much less confusing if we keep this `Conflicts=` in the same file as
the `DefaultDependencies=no` which made it necessary.
2017-09-29 17:34:55 +01:00
Alan Jenkins
a3b22cc596 units: do not kill rescue shell when machines.target is started
The original aim of this commit is that starting machines.target from the
rescue shell would not kill the rescue shell and lock you out of the
system.

This is similar to commit 6579a622, for the conflict between
sysinit.target and the _emergency_ shell.  That particular commit
introduced an ordering cycle and will need to be reverted and/or
fixed.  This one does not, because it does not need to introduce any new
dependencies.

The reason why this commit is allowable also has it's own merit:

machines.target was not marked as AllowIsolate.  Also, the point of
containers is to not escape them...  I don't think we want to promote
machines.target as a default target or similar; you would generally want
some system service to allow you to shut down the machine, for example.  I
don't see this approach used in CoreOS, nor in Fedora Atomic Host; we are
missing any positive examples of its utility.

Requires=basic.target / After=basic.target can be removed for the same
reason.
2017-09-29 17:32:14 +01:00
Alan Jenkins
0d18f808a4 Revert "units: don't kill the emergency shell when sysinit.target is triggered (#6765)" (#6904)
This reverts commit f1e24a259c.  Oops.

# systemctl emergency
Failed to start emergency.target: Transaction order is cyclic. See syste...
See system logs and 'systemctl status emergency.target' for details.
# systemctl status emergency.target
● emergency.target - Emergency Mode
   Loaded: loaded (/usr/lib/systemd/system/emergency.target; static; vendor preset: disabled)
   Active: inactive (dead) since Mon 2017-09-25 10:43:02 BST; 2h 42min ago
     Docs: man:systemd.special(7)

systemd[1]: sysinit.target: Found dependency on sysinit.target/stop
sysinit.target: Unable to break cycle starting with sysinit.target/stop
network.target: Found ordering cycle on wpa_supplicant.service/stop
network.target: Found dependency on sysinit.target/stop
network.target: Found dependency on emergency.target/start
network.target: Found dependency on emergency.service/start
network.target: Found dependency on serial-getty@ttyS0.service/stop
network.target: Found dependency on systemd-user-sessions.service/stop
network.target: Found dependency on network.target/stop
network.target: Unable to break cycle starting with network.target/stop


IMO #6509 is ugly enough that we should aim to answer it.  But it could
take some time to investigate, so let's re-open the issue as a first step.
2017-09-26 19:47:50 +02:00
Alan Jenkins
f1e24a259c units: don't kill the emergency shell when sysinit.target is triggered (#6765)
Why
---

The advantage of this is that starting sysinit.target from the emergency
shell will no longer kill the emergency shell and lock you out of the
system.  Our docs already claimed that emergency.target was useful for
"starting individual units in order to continue the boot process in steps".
This resolves #6509 for my purposes.

Remaining limitation
--------------------

Starting getty.target will still kill the shell, and if you don't have a
root password you will then be locked out at that point.  This is relevant
to distributions which patch the sulogin system to permit logins when the
root password is locked.  Both Debian and RedHat used to follow this
behaviour!  Debian have been discussing what they could replace it with at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806852

So this doesn't quite achieve perfection, but I think it's a worthwhile
change.  It should be easier to understand the logic now it doesn't have
such a big hole in it.  Repairing the sysinit stage of the boot is the main
reason we have emergency.target.  And as discussed in the issue,
sysinit.target gets pulled in implicitly as soon as any DefaultDependencies
service is activated.

How
---

sysinit.target only needs to conflict with emergency.target.  It didn't
need to conflict with emergency.service as well.  In theory the conflicts
are pointless, we could just change the dependency of sysinit.target on
local-fs.target from Wants to Requires.  However, doing so would mean that
when local-fs fails, the screen is flooded with yellow [DEPEND] failures.
That would hinder the poor unfortunate admin, so let's not do that.

There is no additional ordering requirement against emergency.  If the
failure happens, the job for sysinit will be cancelled instantly.  We don't
need to worry about when sysinit.target and its dependents would be
stopped, because sysinit waits for local-fs before it starts.

emergency.target is still necessarily stopped once we reach sysinit
(you can't express a one-way conflict in pure unit directives).
This is largely cosmetic... though perhaps it symbolizes that you're no
longer in Emergency Mode if System Initialization is successful ;-).

As a secondary advantage, the getty's which conflict on rescue.service now
need to conflict on emergency.service as well.  This makes the system more
uniform and simpler to understand.

The only other effect this should have is that
`systemctl start emergency.target` is now practically the same as
`systemctl start rescue.target`.  The only units this command will stop are
the conflicting getty units.  Neither of those commands should ever be
used.  E.g. they will not stop the gdm.service unit on Fedora 26.
2017-09-14 21:43:43 +02:00
Zbigniew Jędrzejewski-Szmek
6579a622ec Merge pull request #6790 from poettering/unit-unsetenv
add UnsetEnvironment= unit file setting, in order to fix #6407
2017-09-14 19:46:55 +02:00
Lennart Poettering
bff8f2543b units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
2017-09-14 19:45:40 +02:00
Lennart Poettering
82f93439af units: properly unset the l10n environment variables where we need to
Now that we have UnsetEnvironment=, let's make proper use of it for
unsetting l10n settings for console gettys.

Fixes: #6407
2017-09-14 15:17:40 +02:00
John Lin
c13ee7cc8b units: remove unnecessary Requires= and After= in system.slice (#6794) 2017-09-11 10:35:51 +02:00
Felipe Sateler
912a0f21d9 sulogin-shell: switch from shell implementation to a C implementation (#6698) 2017-09-08 18:21:37 +02:00
Lennart Poettering
6dd0e05c77 Merge pull request #6748 from msekletar/console-container-getty-pre-after
units: order container and console getty units after getty-pre.target
2017-09-05 19:45:39 +02:00
Michal Sekletar
45e2753297 units: order container and console getty units after getty-pre.target 2017-09-05 14:53:25 +02:00
Zbigniew Jędrzejewski-Szmek
889128b8b2 units: add remote-cryptsetup.target and remote-cryptsetup-pre.target
The pair is similar to remote-fs.target and remote-fs-pre.target. Any
cryptsetup devices which require network shall be ordered after
remote-cryptsetup-pre.target and before remote-cryptsetup.target.
2017-09-05 12:06:30 +02:00
Zbigniew Jędrzejewski-Szmek
947d21171b units: order cryptsetup-pre.target before cryptsetup.target
Normally this happens automatically, but if it happened that both targets were
pulled in, even though there were no cryptsetup units, they could be started
in reverse order, which would be somewhat confusing. Add an explicit ordering
to avoid this potential issue.
2017-09-05 12:06:30 +02:00
Zbigniew Jędrzejewski-Szmek
8a12256c9c Merge pull request #6580 from poettering/nspawn-dm-deviceallow
add DM devices to DeviceAllow for systemd-nspawn@.service
2017-09-04 17:12:17 +03:00
Alan Jenkins
f480777623 units: do not install rescue.target for alt-↑
rescue.target does not work well for this.  It is not meant to be started,
only isolated.

Fixes #6493
2017-08-31 16:17:41 +01:00
Lennart Poettering
d7542c46d6 Merge pull request #6709 from yuwata/imply-requires-mounts
core: StateDirectory= and friends imply RequiresMountsFor=
2017-08-31 13:30:26 +02:00
Yu Watanabe
181b4f56e7 unit: use StateDirectory= instead of RequiresMountsFor= 2017-08-31 18:37:11 +09:00
Yu Watanabe
96f9f6aca7 unit: drop redundant options 2017-08-31 18:29:41 +09:00
Michal Sekletar
1759025418 units: introduce getty-pre.target (#6667)
This new target is a passive unit, hence it is supposed to be pulled in
to the transaction by the service that wants to block login on the
console (e.g. text version of initial-setup). Now both getty and
serial-getty are ordered after this target.

https://lists.freedesktop.org/archives/systemd-devel/2015-July/033754.html
2017-08-31 11:20:14 +02:00
Alan Jenkins
64a36ae4b1 units: starting suspend.target should not fail when suspend is successful (#6678)
and the same for hibernate.target and hybrid-sleep.target.

Tested with both sucessful and unsuccessful suspends.  The result of the
start job was correct in both cases.  Closes #6419 (a regression in v233
and v234).

> suspend is unsual for a target, because it has to stop itself once it's
> started. Otherwise you couldn't start it again, so you could only suspend
> once! Currently that's implemented using BindsTo=systemd-sleep.service.
> Meaning it pulls in systemd-sleep.service to do the actual suspend, and
> then de-activates afterwards. But the behaviour of BindsTo was changed
> recently (not without some issues during development) - maybe this bug
> is caused by poettering/systemd@631b676 which I think was added in
> release v233.
>
> sleep.target (see man systemd.special) has the same need, but it
> implements it differently. It simply has StopWhenUnneeded=yes.

This commit switches suspend.target etc. to the approach used by
sleep.target.
2017-08-30 18:20:23 +02:00
Lennart Poettering
0e614814b7 Merge pull request #6617 from sourcejedi/udev-unit-deps
udev service dependency nitpicks
2017-08-30 17:33:07 +02:00
Lennart Poettering
6d405b6909 Merge pull request #6672 from yuwata/drop-priv
use !! prefix in networkd and timesyncd
2017-08-30 10:45:24 +02:00
Yu Watanabe
53d133ea1b timesync: move stamp file to /var/lib/systemd/timesync/clock 2017-08-30 15:59:57 +09:00
Lennart Poettering
7123a951d0 Merge pull request #6670 from fsateler/disable-networkd
build-sys: don't build networkctl if networkd is disabled
2017-08-29 17:28:06 +02:00
Lennart Poettering
3982becc92 units: include DM devices in DeviceAllow fpor systemd-nspawn@.service
We need it to make LUKS devices work.

Fixes: #6525
2017-08-29 16:01:19 +02:00
Felipe Sateler
a174f618eb networkd: do not install the socket when networkd is not enabled 2017-08-27 10:49:10 -03:00
Yu Watanabe
87a85e25a2 units: make use of !! ExecStart= prefix in systemd-timesyncd.service
Let's make use of !! to run timesyncd with ambient capabilities on
systems supporting them.
2017-08-27 01:41:12 +09:00
Yu Watanabe
c61f302d3c units: make use of !! ExecStart= prefix in systemd-networkd.service
Let's make use of !! to run networkd with ambient capabilities on
systems supporting them.
2017-08-27 01:40:47 +09:00
Alan Jenkins
1d422b153b units: order service(s) before udevd, not udev-trigger (coldplug)
Since hotplugs happen as soon as udevd is started, there is not much sense
in giving udev-trigger an After= dependency on any service.  The device
could be hotplugged before coldplug starts.

This is intended to avoid the race window where we create the hwdb with
the wrong selinux context (then fix it up afterwards).
https://github.com/systemd/systemd/issues/3458#issuecomment-322444107
2017-08-15 14:22:44 +01:00
Alan Jenkins
3533b49e74 units: Sockets= already implies Wants= and After= (systemd-udevd.service)
I grepped for other `After=` on a socket unit as well.  This was the only
instance.
2017-08-15 14:11:23 +01:00
Lennart Poettering
635f3df5dc units: make use of the new !! ExecStart= prefix in systemd-resolved.service
Let's make use of !! to run resolved with ambient capabilities on
systems supporting them.
2017-08-10 15:04:32 +02:00
Lennart Poettering
4f41b69cd9 Merge pull request #6579 from sourcejedi/getty
getty nitpicks
2017-08-10 12:05:21 +02:00
Lennart Poettering
97f7e3663e Merge pull request #6467 from yuwata/journal-remote-units
units: use {State,Logs}Directory= if they are applicable
2017-08-09 21:09:13 +02:00
Alan Jenkins
ae805c89ef units: console-getty.service: use the default RestartSec
> Note that console-getty.service as more uses than just containers. The
> idea is that it may be used as alternative to the whole VC/logind stuff,
> if all you need is a console on /dev/console, even on physical devices.

This means we want to remove RestartSec=0, for serial systems.
See 4bf0432 "units/serial-getty@.service: use the default RestartSec".
2017-08-09 18:56:26 +01:00
Alan Jenkins
d32465fb41 units: add Conflicts=rescue.service to container-getty@.service
The traditional runlevel 1 is "single user mode", and shuts down all but
the main console.  In systemd, rescue.target provides runlevel1.target.
But it did not shut down logins on secondary consoles... if systemd was
running in a container.

I don't think we strictly need to change this.  But when you look at both
container-getty@.service and getty@.service, you see that both have
IgnoreOnIsolate, but only the latter has Conflicts=rescue.service.

This also makes rescue.target in a container consistent with
emergency.target.  In the latter case, the gettys were already stopped,
because they have a Requires dependency on sysinit.target.
2017-08-09 18:52:05 +01:00
Alan Jenkins
858beb391b units/console-getty.service: comment reason for ConditionPathExists
Currently we have 4 getty services.  1 has a BindsTo dependency on a
device unit.  3 have ConditionPathExists, but the reason is different in
every single one.

* Add comment to console-getty@.service (see commit 1b41981d)
* getty@.service is already commented
* container-getty.service is not strictly correct, as I realized while
  trying to compose a comment.  Reported as #6584.
2017-08-09 18:51:46 +01:00
Alan Jenkins
8522ee7975 man/systemd-getty-generator fix/update
* Containers don't use serial-getty@console.service,
  they use console-getty.service instead, and suppress
  scanning for kernel or virtualizer consoles.

* Nowadays gettys are started on *all* configured kernel consoles.

* except for the line printer console, because that's not a tty.
  (Seriously.  Search CONFIG_LP_CONSOLE).
2017-08-09 15:53:55 +01:00
Yu Watanabe
4429c69f8d units: do not perform m4 if not necessary (#6575) 2017-08-09 09:13:41 -04:00
Yu Watanabe
debe5d2376 unit: remove redundant options 2017-08-08 12:17:12 +09:00
Yu Watanabe
d0e62ae0f6 units: use {State,Logs}Directory= if they are applicable 2017-08-08 12:17:01 +09:00
Lennart Poettering
0d44940773 Revert "units: set ConditionVirtualization=!private-users on journald audit socket" (#6513)
* Revert "modprobe.d: ship drop-in to set bonding max_bonds to 0 (#6448)"

This reverts commit 582faeb461.

* Revert "units: set ConditionVirtualization=!private-users on journald audit socket (#6508)"

This reverts commit d2a1ba103b.
2017-08-02 16:39:54 +02:00
Dimitri John Ledkov
d2a1ba103b units: set ConditionVirtualization=!private-users on journald audit socket (#6508)
It fails to start in an unprivileged container as audit is not namespace aware.
2017-08-02 10:15:26 +02:00
Lennart Poettering
e362b5a77f Merge pull request #6472 from yuwata/journal-gateway-fix
Some journal-gateway and journal-remote related fixes
2017-07-31 12:11:48 +02:00
Yu Watanabe
b7f2d0ba24 units,sysusers: use DynamicUser= for journal-gatewayd and drop user systemd-journal-gateway from sysusers 2017-07-28 13:37:10 +09:00
Zbigniew Jędrzejewski-Szmek
a132bef023 Drop kdbus bits
Some kdbus_flag and memfd related parts are left behind, because they
are entangled with the "legacy" dbus support.

test-bus-benchmark is switched to "manual". It was already broken before
(in the non-kdbus mode) but apparently nobody noticed. Hopefully it can
be fixed later.
2017-07-23 12:01:54 -04:00
Zbigniew Jędrzejewski-Szmek
4bc5d27b94 Drop busname unit type
Since busname units are only useful with kdbus, they weren't actively
used. This was dead code, only compile-tested. If busname units are
ever added back, it'll be cleaner to start from scratch (possibly reverting
parts of this patch).
2017-07-23 09:29:02 -04:00
Zbigniew Jędrzejewski-Szmek
e5f752082e build-sys: drop gitignore patterns for in-tree builds
... and other autotools-generated files.
2017-07-18 10:05:06 -04:00
Zbigniew Jędrzejewski-Szmek
72cdb3e783 build-sys: drop automake support
v2:
- also mention m4
2017-07-18 10:04:44 -04:00
Michal Sekletar
3c978aca69 journald: make sure we retain all stream fds across restarts (#6348)
Currently we set 4096 as maximum for number of stream connections that
we accept. However maximum number of file descriptors that systemd is
willing to accept from us is just 1024. This means we can't retain all
stream connections that we accepted. Hence bump the limit of fds in a
unit file so that systemd holds open all stream fds while we are
restarted.

New limit is set to 4224 (4096 + 128).
2017-07-17 10:04:37 +02:00
Nikolai Kondrashov
db6aedab92 units: Tell login to preserve environment (#6023)
Make agetty started by *getty* units pass '-p' option to "login", so it
doesn't clear the environment and passes whatever was setup by systemd
to shells. This is needed especially for programs which are specified as
user shells, but won't read locale settings from anywhere but
environment.

[zj: cherry-pick just the second patch from the series, see discussion
on the pull request.]
2017-07-09 10:53:31 -04:00
Zbigniew Jędrzejewski-Szmek
9db307820e units: use Requires in systemd-networkd-wait-online.service (#6065)
In the initial design, foobar-wait-online.service would have
Requisite=foobar.service, so that foobar-wait-online.service could be enabled
unconditionally, irrespective of whether foobar.service itself is enabled.
Unfortunately this doesn't work too well:

1. the message about foobar-wait-online.service being skipped because of a
   "missing dependency" *looks* like an is problem. This is mostly cosmetic,
   but it also quite confusing. We generally don't want any messages of this
   type during default boot.

2. it is impossible to start and wait for the network in an
   implementation-agnostic way: systemctl start network-online.target, or
   Wants/After=network-online.target in a unit don't work because pulling in
   network-online.target pulls in foobar-wait-online.service, but it in turn
   does not pull in foobar.service. During startup, foobar.service is pulled in
   by multi-user.target, but not in a smaller transaction which does not
   include multi-user.target.

This change means that *-wait-online.service should be installed through
presets, so that it can be enabled/disabled at will by the administrator.
Our own systemd-networkd-wait-online.service does this already, and
similar change has been requested for NetworkManager-wait-online.service
(https://bugzilla.redhat.com/show_bug.cgi?id=1455704).

This change should by mostly backwards-compatible, unless somebody has some
wait-online.service enabled, without having the corresponding network
implementation enabled, and they are relying on it not being started.  I think
that's relatively unlikely because of issue 1. above, and I'm not aware of this
being the default in any distro. And being able to start the network in an
implementation-agnostic way is pretty important, see
https://bugzilla.redhat.com/show_bug.cgi?id=1452866.
2017-07-03 17:05:20 +02:00
AsciiWolf
16a5d4128f units: use https for the freedesktop url (#6227) 2017-06-28 22:54:12 -04:00
Stefan Schweter
56892b0b36 man: update reference for binfmt documentation (#6223) 2017-06-28 13:18:37 -04:00
Zbigniew Jędrzejewski-Szmek
7e867138f5 Merge pull request #5600 from fbuihuu/make-logind-restartable
Make logind restartable.
2017-06-24 18:58:36 -04:00
Felipe Sateler
2221c17afb machined: add RequiresMountsFor=/var/lib/machines
Since any part of the path could be remote mounted, make sure they are
before starting machined
2017-06-21 16:20:11 -04:00
Felipe Sateler
78d1039d6b nspawn: hook var-lib-machines.mount to machines.target and remote-fs.target
/var can be on a remote filesystem, thus hooking it to local-fs.target is not correct.

Also, only install the mount unit when machined is enabled, because
machined is the one managing the underlying device, and thus makes no
sense without machined.

Fixes #1175
2017-06-21 16:19:20 -04:00
Franck Bui
aed24c4cd7 logind: save/restore session devices and their respective file descriptors
This patch ensures that session devices are saved for each session.

In order to make the revokation logic work when logind is restarted, the
session devices are now saved in the session state files and their respective
file descriptors sent to PID1's fdstore in order to keep them open accross
restart.

This is mandatory in order to keep the revokation logic working. Indeed in case
of input-devices, the same file descriptors must be shared by logind and a
given session controller in order EVIOCREVOKE to work otherwise multiple
sessions can have device access in parallel.

This should be the only remaining and missing piece for making logind fully
restartable.

Fixes: #1163
2017-06-08 16:21:36 +02:00
Josef Gajdusek
be5bd2ec62 systemd-nspawn@.service: start after /var/lib/machines is mounted (#6079)
This fixes a race condition during boot, where an nspawn container would start
before /var/lib/machines got mounted resulting in a failure.
2017-06-06 11:18:22 -04:00
Zbigniew Jędrzejewski-Szmek
9a4eeb4a0c units: make descriptions of api filesystems less generic (#5914)
All those names were very generic. Fixes #5911.
2017-05-10 13:09:52 +02:00