mirror of https://github.com/systemd/systemd.git synced 2024-10-30 14:55:37 +03:00
Commit Graph

51328 Commits

Lennart Poettering
a06c9ac277 man: document new nspawn --bind-user= feature 2021-05-19 17:46:59 +02:00
Lennart Poettering
2f89304490 nspawn: add new --bind-user= option for binding a host user into the container
This new option does three things for a host user specified via
--bind-user=:

1. Bind mount the home directory from the host directory into
   /run/host/home/<username>

2. Install an additional user namespace UID/GID mapping that maps the host
   UID/GID of the host user to an unused one from the container in the range
   60514…60577.

3. Synthesize a user/group record for the user/group under the same name
   as on the host, with minimized information, and the UID/GID set to
   the mapped UID/GID. This data is written to /run/host/userdb/ where
   nss-systemd will pick it up.

This should make sharing users and home directories from host into the
container pretty seamless, under some conditions:

1. User namespacing must be used.

2. The host UID/GID of the user/group cannot be in the range assigned to
   the container (the kernel already refuses this, as this would mean two
   host UIDs/GIDs might end up being mapped to the same container
   UID/GID).

3. There's a free UID/GID in the aforementioned range in the container,
   and the name of the user/group is not used in the container.

4. Container payload is new enough to include an nss-systemd version
   that picks up records from /run/host/userdb/
2021-05-19 17:46:59 +02:00
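The three steps and the conditions above are easy to get subtly wrong when reimplemented (overlapping ID ranges, exhausted mapping range, name collisions), so here is an added, self-contained illustration of the bookkeeping, written for this page and not taken from systemd-nspawn's own C code. It assumes a constructed host user "alice" (1000:1000), a container whose user namespace owns 65536 IDs starting at 65536, and one bind-user slot already taken; the JSON field names follow systemd's JSON user record format, and mapping the UID and GID to the same container ID is a simplification of what the commit describes.

```python
import json
from typing import Dict, Iterable, Optional, Tuple

# UID/GID range that the commit message reserves inside the container for
# users bound with --bind-user= (60514…60577, inclusive).
BIND_USER_ID_MIN = 60514
BIND_USER_ID_MAX = 60577


def check_bindable(host_uid: int, host_gid: int, name: str,
                   container_id_base: int, container_id_count: int,
                   container_names: Iterable[str]) -> Optional[str]:
    """Conditions 2 and 3 of the commit message; None means OK, otherwise the reason."""
    lo, hi = container_id_base, container_id_base + container_id_count - 1
    if lo <= host_uid <= hi:
        return f"host UID {host_uid} lies inside the container's range {lo}-{hi}"
    if lo <= host_gid <= hi:
        return f"host GID {host_gid} lies inside the container's range {lo}-{hi}"
    if name in set(container_names):
        return f"name {name!r} is already used inside the container"
    return None


def pick_mapped_id(used_container_ids: Iterable[int]) -> int:
    """Lowest free UID/GID in the bind-user range; raises when the range is exhausted."""
    used = set(used_container_ids)
    for candidate in range(BIND_USER_ID_MIN, BIND_USER_ID_MAX + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError("no free UID/GID left in the --bind-user= range")


def userns_map_line(mapped_id: int, host_id: int) -> str:
    """One uid_map/gid_map line in kernel format: <id inside ns> <id outside ns> <count>."""
    return f"{mapped_id} {host_id} 1"


def synthesize_record(name: str, mapped_uid: int, mapped_gid: int,
                      real_name: str = "") -> Dict[str, object]:
    """Minimal JSON user record destined for /run/host/userdb/<name>.user.

    Only identity fields are carried over; password hashes and other host-only
    data are deliberately left out ("minimized information" in step 3).
    """
    record: Dict[str, object] = {
        "userName": name,
        "uid": mapped_uid,
        "gid": mapped_gid,
        "homeDirectory": f"/run/host/home/{name}",
    }
    if real_name:
        record["realName"] = real_name
    return record


def bind_user(name: str, host_uid: int, host_gid: int, real_name: str,
              container_id_base: int, container_id_count: int,
              container_names: Iterable[str],
              used_container_ids: Iterable[int]) -> Tuple[str, str, str, str]:
    """Return (uid_map line, gid_map line, record path, record JSON) for one host user."""
    reason = check_bindable(host_uid, host_gid, name, container_id_base,
                            container_id_count, container_names)
    if reason is not None:
        raise ValueError(f"cannot bind user {name!r}: {reason}")
    # Simplification (this example only): one container ID serves as both
    # the mapped UID and the mapped GID.
    mapped = pick_mapped_id(used_container_ids)
    record = synthesize_record(name, mapped, mapped, real_name)
    return (userns_map_line(mapped, host_uid),
            userns_map_line(mapped, host_gid),
            f"/run/host/userdb/{name}.user",
            json.dumps(record, sort_keys=True))


# Constructed sample input: host user alice (1000:1000), container owning a
# 65536-ID range starting at 65536, one bind-user slot (60514) already taken.
SAMPLE = dict(name="alice", host_uid=1000, host_gid=1000, real_name="Alice Example",
              container_id_base=65536, container_id_count=65536,
              container_names=["root", "nobody", "systemd-network"],
              used_container_ids=[60514])

if __name__ == "__main__":
    for line in bind_user(**SAMPLE):
        print(line)
```

The range check in check_bindable is the one the commit says the kernel enforces anyway; doing it first in userspace gives a readable error instead of a failed write to uid_map, and the name check is the only guard against shadowing a container-local account of the same name.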
Lennart Poettering
91181e075b nspawn: export userns_mkdir() + userns_lchown() so that it can be used elsewhere in nspawn 2021-05-19 17:33:25 +02:00
Lennart Poettering
1a298a206c user-record: optionally, allow parsing empty user record JSON objects 2021-05-19 17:33:25 +02:00
Lennart Poettering
871a3a33bb
Merge pull request #19608 from keszybz/resolved-pahole
Pahole optimization for resolved's DnsQuery
2021-05-19 16:35:16 +02:00
Yu Watanabe
6db7b533c6
Merge pull request #19163 from sipraga/online-if-required
network: introduce an online state that respects RequiredForOnline=
2021-05-19 23:08:18 +09:00
Luca Boccassi
a9833ed01d
Merge pull request #19659 from keszybz/mkosi-naming-adjustment
Mkosi dependency naming adjustment
2021-05-19 14:33:56 +01:00
Frantisek Sumsal
943edd04b5
Merge pull request #19661 from keszybz/restore-liquid-compatibility
Restore liquid compatibility
2021-05-19 13:58:35 +02:00
Zbigniew Jędrzejewski-Szmek
ba777d019f docs: prettify two external links 2021-05-19 13:53:51 +02:00
Zbigniew Jędrzejewski-Szmek
c9d311c787 docs: use {% raw %} to wrap jinja2 tags in documentation
As reported by @mrc0mmand:
> Since 89f52a780e (diff-b842e6ab4a95a695d9449d106f091e6a134d9eac8d2aee1cd8b169fcb6b3a98bR109)
> the GH pages fail to build, since they use the Liquid templating language,
> which coincidentally uses very similar tags to jinja:
> https://shopify.github.io/liquid/tags/control-flow/
>
>> The tag elif on line 112 in HACKING.md is not a recognized Liquid tag.
2021-05-19 13:53:51 +02:00
Frantisek Sumsal
31db4c20ea test: reintroduce m4 dependency for TEST-06-SELINUX
m4 is required to build the test SELinux module:

```
[   31.321789] sh[483]: /bin/sh: line 1: m4: command not found
[   31.882668] sh[488]: Compiling targeted systemd_test module
[   32.120862] sh[492]: /bin/sh: line 1: m4: command not found
[   32.159897] sh[458]: make: *** [/usr/share/selinux/devel/include/Makefile:156: tmp/systemd_test.mod] Error 127
```
2021-05-19 13:01:07 +02:00
Zbigniew Jędrzejewski-Szmek
c648c176bc mkosi: stop pulling in vi
We have 'nano' everywhere, and it's enough for a casual edit.
2021-05-19 10:55:03 +02:00
Zbigniew Jędrzejewski-Szmek
6c72b0b737 mkosi/fedora: use pkgconfig virtual provides to refer to packages
... and /usr/bin/ path for a library package which provides an executable we
care about (libxslt).

This way the mkosi dependency list corresponds directly to the names which are
used in the dependency() and find_program() lines in meson.build. It also makes
the thing more resilient to package splits and renames.
2021-05-19 10:54:08 +02:00
Zbigniew Jędrzejewski-Szmek
ded2e247e2 mkosi/fedora: drop python3-devel req
I think it was only used for building the python wrappers.

C.f. ec9ca01d16.
2021-05-19 10:54:04 +02:00
Alvin Šipraga
7e59cfe951 man: describe overall online status in networkctl(1) 2021-05-19 10:34:06 +09:00
Alvin Šipraga
1940b3a7cd networkd-test: support online state in networkctl status output
networkctl status now outputs an online state. Fix up the tests to
account for this.
2021-05-19 10:34:06 +09:00
Alvin Šipraga
4a481ec4ae network: show online state in networkctl status output
In case the link online state is invalid, networkctl will print
"unknown", which is sufficiently neutral. The same goes for the overall
manager online state if there are no managed links, or if
RequiredForOnline=no for all managed links.

Example output:

  $ networkctl status
  ●        State: routable
    Online state: partial
         Address: 172.22.0.130 on wlan0
  ...

  $ networkctl status wlan0
  ● 3: wlan0
               Link File: /lib/systemd/network/99-default.link
            Network File: /etc/systemd/network/50-wlan0.network
                    Type: wlan
                   State: routable (configured)
            Online state: online
  ...
2021-05-19 10:34:06 +09:00
Alvin Šipraga
553022c4af man: clarify RequiredFamilyForOnline= behaviour for online state
With new "online state" semantics in networkd, make the description of
RequiredFamilyForOnline= a little more broad. Some rewording has been
done to make the passage easier to understand.
2021-05-19 10:34:06 +09:00
Alvin Šipraga
6c95e09388 man: clarify RequiredForOnline= behaviour for online state
With new "online state" semantics in networkd, make the description of
RequiredForOnline= a little more broad.
2021-05-19 10:34:06 +09:00
Alvin Šipraga
84a257ab65 network: use the overall online state in network_is_online()
Since networkd advertises a reliable online state, use it in
network_is_online(). If for some reason networkd does not know the
online state (e.g. it does not manage any of the network interfaces),
fall back to the original best-guess logic.
2021-05-19 10:34:06 +09:00
Alvin Šipraga
bcdcc59648 network: add an online state for links and manager
Add a new state of type LinkOnlineState which indicates whether a link
is online or not. The state is also used by networkd's manager to expose
the overall online state of the system.

The possible states are:

  offline  the link (or system) is offline
  partial  at least one required link is online (see below)
  online   all required links are online

For links, a link is defined to be "online" if:
  - it is managed; and
  - its operational state is within the range defined by
    RequiredForOnline=; and
  - it has an IPv4 address if RequiredFamilyForOnline=ipv4 or =both; and
  - it has an IPv6 address if RequiredFamilyForOnline=ipv6 or =both.

A link is defined to be "offline" if:
  - it is managed; and
  - it is not online, i.e. its operational state is not within the range
    defined by RequiredForOnline=, and/or it is missing an IP address in
    a required address family.

Otherwise, the link online state is undefined (represented internally as
_LINK_ONLINE_STATUS_INVALID or -EINVAL). Put another way, networkd will
only offer a meaningful online state for managed links where
RequiredForOnline=yes.

For the manager, the online state is a function of the online state of
all links which are required for online, i.e. RequiredForOnline=yes. If
all required links are online, then the manager online state is defined
to be "online". If at least one of the required links is online, then
the manager online state is defined to be "partial". If none of
the required links are online, then the manager online state is defined
to be "offline". If there are no managed links, or RequiredForOnline=no
for all managed links, then the manager online state is undefined as
above.

The purpose of the "partial" state is analogous to the --any switch in
systemd-networkd-wait-online.service(8). For example, a required link
which lacks a carrier on boot will not force the overall (manager)
online state to "offline" if there is an alternative link available.
2021-05-19 10:33:55 +09:00
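The link and manager rules spelled out in this commit message, together with the networkctl output shown in 4a481ec4ae above, translate into a small decision function. The following is an added example written for this page, not networkd's own C implementation: it assumes the operational-state ordering used by networkctl, represents the undefined online state as None (networkd uses _LINK_ONLINE_STATE_INVALID / -EINVAL), takes the "put another way" summary literally (only managed links with RequiredForOnline=yes get a defined state), and adds a wait_online_satisfied() helper to show how the "partial" state relates to --any. The sample links are constructed to reproduce the quoted output: wlan0 online, overall state partial.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class OperState(IntEnum):
    """networkd operational states, ordered as networkctl ranks them (assumed here)."""
    OFF = 0
    NO_CARRIER = 1
    DORMANT = 2
    DEGRADED_CARRIER = 3
    CARRIER = 4
    DEGRADED = 5
    ENSLAVED = 6
    ROUTABLE = 7


class OnlineState(IntEnum):
    OFFLINE = 0
    PARTIAL = 1   # manager only: at least one required link is online
    ONLINE = 2


@dataclass
class Link:
    name: str
    managed: bool
    required_for_online: bool      # RequiredForOnline=yes/no
    required_min: OperState        # lower bound of the RequiredForOnline= range
    required_max: OperState        # upper bound of that range
    required_family: str           # RequiredFamilyForOnline=: "any", "ipv4", "ipv6" or "both"
    oper_state: OperState
    has_ipv4: bool
    has_ipv6: bool


def link_online_state(link: Link) -> Optional[OnlineState]:
    """ONLINE/OFFLINE for managed links with RequiredForOnline=yes; None when undefined."""
    if not link.managed or not link.required_for_online:
        return None
    in_range = link.required_min <= link.oper_state <= link.required_max
    needs_v4 = link.required_family in ("ipv4", "both")
    needs_v6 = link.required_family in ("ipv6", "both")
    if in_range and (link.has_ipv4 or not needs_v4) and (link.has_ipv6 or not needs_v6):
        return OnlineState.ONLINE
    return OnlineState.OFFLINE


def manager_online_state(links: List[Link]) -> Optional[OnlineState]:
    """Aggregate over the links that have a defined online state."""
    states = [s for s in map(link_online_state, links) if s is not None]
    if not states:
        return None  # no managed links, or RequiredForOnline=no everywhere
    if all(s is OnlineState.ONLINE for s in states):
        return OnlineState.ONLINE
    if any(s is OnlineState.ONLINE for s in states):
        return OnlineState.PARTIAL
    return OnlineState.OFFLINE


def wait_online_satisfied(links: List[Link], any_link: bool) -> bool:
    """Wait-online view (example helper): --any accepts PARTIAL, otherwise ONLINE is required."""
    state = manager_online_state(links)
    if state is None:
        return False
    return state is OnlineState.ONLINE or (any_link and state is OnlineState.PARTIAL)


def describe(state: Optional[OnlineState]) -> str:
    """What networkctl prints: "unknown" for the undefined case."""
    return "unknown" if state is None else state.name.lower()


# Constructed sample: wlan0 is routable with an IPv4 address, eth0 is required
# but has no carrier, lo is managed but RequiredForOnline=no. Ranges are given
# explicitly rather than relying on networkd's defaults.
SAMPLE_LINKS = [
    Link("lo", True, False, OperState.DEGRADED, OperState.ROUTABLE, "any",
         OperState.CARRIER, True, True),
    Link("eth0", True, True, OperState.DEGRADED, OperState.ROUTABLE, "ipv4",
         OperState.NO_CARRIER, False, False),
    Link("wlan0", True, True, OperState.DEGRADED, OperState.ROUTABLE, "ipv4",
         OperState.ROUTABLE, True, False),
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link.name}: {describe(link_online_state(link))}")
    print(f"overall: {describe(manager_online_state(SAMPLE_LINKS))}")
```

The practical point for anyone gating services on network-online.target: a required link that is down does not by itself make the system "offline" as long as another required link is up, so a unit that must have a specific interface should check that link's own state rather than the manager aggregate.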
Yu Watanabe
e7901aba14
Merge pull request #19611 from yuwata/network-dhcp-server-introduce-server-address
network: dhcp-server: introduce ServerAddress= setting
2021-05-19 10:29:43 +09:00
Yu Watanabe
734b3115d6
Merge pull request #19631 from yuwata/network-fix-reference-counting-issues
network: fix reference counting issues
2021-05-19 10:29:16 +09:00
Yu Watanabe
6b87254ad1
Merge pull request #19630 from keszybz/jinja2
Use jinja2 for templating
2021-05-19 10:27:21 +09:00
Zbigniew Jędrzejewski-Szmek
89f52a780e docs/HACKING: add note about template engines 2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
17a2017f69 meson: add workaround for old meson
Recent meson versions include the directory name in the target name,
so there is no conflict for files with the same name in different
directories. But at least with meson-0.49.2 in buster we have conflict
with sysusers.d/systemd.conf.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
392ed18542 ci: drop py2 lxml, pull in jinja2 2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
71ae5ce544 units: generate ReadWritePaths= in the template 2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
491bf10c80 meson: sort conf paths alphabetically
The order was a complete mess. Let's make it a bit more tidy.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
23b8071d47 man: use readable names for entities
Let's use the same names as in the jinja2 substitutions.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
fd3a3e31b3 meson: drop "_YES_NO" variables
We can generate the right string in the template directly.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
46c4f8dc8a meson: use jinja2 also for custom-entities.ent
This doesn't matter too much, but makes things a bit more consistent.
A minor advantage is that the file is not a configuration file for meson
anymore, so:
 a) It is not built unless pulled in by another target. Since
    we don't usually build man pages by default, this saves a tiny
    amount of work.
 b) When the .in file is updated, meson does not reconfigure everything,
    but just rebuilds the dependent targets.

Now that the conversion is finished, time for benchmarking:
a full build with default settings (and -Dstandalonebinaries=true), yields

before this pull request: 1687 targets, 148.13s user 35.17s system 317% cpu 57.697 total
with the full pull request: 1714 targets, 143.07s user 27.87s system 314% cpu 54.369 total

The difference doesn't seem significant. Partial rebuilds might be faster as
mentioned before.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
b1ac8498ac meson: drop "substs"
We had two big 'configuration_data' objects in meson config. (There are in fact
more. One is added in this series, and there's one for efi… But those others
have a handful variables only for specific purposes and don't matter). The two
sets are 'conf' and 'substs', and were inherited from the original autotools
system. In the past there was even a third set ('m4_defines'), but @yuwata
removed it in 348b44372f. And those two/three
systems had very similar data, but with different variable names, because of
historical reasons. They also used subtly different quoting (.set()
vs. .set10() vs. .set_quoted()), which was required because the templating
engines were not flexible enough. This meant we had more work when changing
things, and we needed to search for different variable names, etc.

With a more flexible templating engine we can do with just one
configuration_data object.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
5908656c57 meson: use jinja2 in shell-completion/ 2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
8f127e161e efi: use meson object directly instead of going through 'substs' 2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
8e6c71bc19 meson: use jinja2 in src/journal-remote
One stanza had "if install_sysconfdir_samples", while the other
"if install_sysconfdir", which looks like a mistake.
install_sysconfdir_samples is now used for both.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
d34593570a meson: use jinja2 in src/libsystemd/ 2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
e11a25cadb meson: use jinja2 for various files in src/core/ 2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
ba29ee4cc0 meson: use jinja2 for src/libudev/ 2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
411d1f4c3a meson: use jinja2 for src/resolve/ 2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
835cf75aef meson: use jinja2 for rpm templates
The naming of variables is very inconsistent. I tried to use more
modern style naming (UNDERSCORED_TITLE_CASE), but I didn't change existing
names too much. Only SYSTEM_DATA_UNIT_PATH is renamed to SYSTEM_DATA_UNIT_DIR
to match SYSTEM_CONFIG_UNIT_DIR.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
d0f8006993 rpm: use %_bindir not @bindir@
We were using both in various places. To keep things simple, let
rpm do the substitution.
2021-05-19 10:25:26 +09:00
Zbigniew Jędrzejewski-Szmek
54e6c7624f meson: use jinja2 in src/timesync/ 2021-05-19 10:25:12 +09:00
Zbigniew Jędrzejewski-Szmek
94e41ec098 meson: use jinja2 in src/udev 2021-05-19 10:24:43 +09:00
Zbigniew Jędrzejewski-Szmek
1d587e04b9 meson: use jinja2 in src/vconsole 2021-05-19 10:24:43 +09:00
Zbigniew Jędrzejewski-Szmek
2ad498fec0 meson: use jinja2 in sysctl.d/ 2021-05-19 10:24:43 +09:00
Zbigniew Jędrzejewski-Szmek
097c072d83 meson: use conf configuration_data object to generate test-sysusers.sh
I wanted to use jinja2 templating here too, but it's hard to get right:
custom_target() strips the executable bit by default (unlike configure_file
apparently). custom_target() has install_mode setting, but it was only added
in meson-0.47, so it can't be used while we support 0.46. And without the
executable bit the test is not invoked properly. For example, "root-unittests"
in the debian package calls test-* after installation, so the executable bit
there is necessary. It would be possible to adjust the file mode after the
fact, but it would make things more complicated.

So let's use the native meson substitutions here. We don't need anything more
fancy.
2021-05-19 10:24:43 +09:00
Zbigniew Jędrzejewski-Szmek
8feaea5e3d meson: use jinja2 for rules.d templates 2021-05-19 10:24:43 +09:00
Zbigniew Jędrzejewski-Szmek
195a8a9327 meson: use custom configuration_data() object for man/man and man/html helpers
I want to stop using 'substs'. But in this case, configure_file() is nicer
than custom_target(), because it causes meson to immediately generate the
helpers after configuration, so it's possible to do
'meson build && build/man/man ...', without building anything first.

We only substitute one variable here, so let's use a custom configuration_data()
object.
2021-05-19 10:24:43 +09:00
Zbigniew Jędrzejewski-Szmek
44ff8df777 Drop dependency on m4
m4 was hugely popular in the past, because autotools, automake, flex, bison and
many other things used it. But nowadays it is much less popular, and might not even
be installed in the buildroot. (m4 is small, so it doesn't make a big difference.)

(FWIW, Fedora dropped make from the buildroot now,
https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot. I think it's
reasonable to assume that m4 will be dropped at some point too.)

The main reason to drop m4 is that the syntax is not very nice, and we should
minimize the number of different syntaxes that we use. We still have two
(configure_file() with @FOO@ and jinja2 templates with {{foo}} and the
pythonesque conditional expressions), but at least we don't need m4 (with
m4_dnl and `quotes').
2021-05-19 10:24:43 +09:00