1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 14:55:37 +03:00
Commit Graph

6573 Commits

Author SHA1 Message Date
Lennart Poettering
16d41892c3
Merge pull request #20609 from DaanDeMeyer/recursive-template
core: Try to prevent infinite recursive template instantiation
2021-10-28 19:23:17 +02:00
Andreas Valder
c0c8f71800 nspawn: add filesystem id mapping support to --bind and --bind-ro 2021-10-28 19:19:22 +02:00
Benjamin Herrenschmidt
d6eda677b3 udev: net_id: introduce predictable names for xen-netfront
Those devices show up as /sys/devices/vif-N, let's use that number
to name them enXN.

Without this, all schemes fail and they keep the kernel names, which can
be racy.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2021-10-28 13:09:00 +02:00
Daan De Meyer
88022148c4 core: Try to prevent infinite recursive template instantiation
To prevent situations like in #17602 from happening, let's drop
direct recursive template dependencies. These will almost certainly
lead to infinite recursion so let's drop them immediately to avoid
instantiating potentially thousands of irrelevant units.

Example of a template that would lead to infinite recursion which
is caught by this check:

notify@.service:

```
[Unit]
Wants=notify@%n.service
```
2021-10-28 11:42:21 +01:00
Luca Boccassi
211a3d87fb core: add [State|Runtime|Cache|Logs]Directory symlink as second parameter
When combined with a tmpfs on /run or /var/lib, allows to create
arbitrary and ephemeral symlinks for StateDirectory or RuntimeDirectory.
This is especially useful when sharing these directories between
different services, to make the same state/runtime directory 'backend'
appear as different names to each service, so that they can be added/removed
to a sharing agreement transparently, without code changes.

An example (simplified, but real) use case:

foo.service:
StateDirectory=foo

bar.service:
StateDirectory=bar

foo.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:foo

bar.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:bar

foo and bar use respectively /var/lib/foo and /var/lib/bar. Then
the orchestration layer decides to stop this sharing, the drop-in
can be removed. The services won't need any update and will keep
working and being able to store state, transparently.

To keep backward compatibility, new DBUS messages are added.
2021-10-28 10:47:46 +01:00
Lennart Poettering
c896eb7ad6 man: document that daemons can close fds they receive via sd_listen_fds() if they like
Fixes: #18872
2021-10-28 11:05:22 +02:00
Lennart Poettering
1d69754988 man: document how nss-resolve and systemd-resolved communicate
Fixes: #20925
2021-10-28 10:53:55 +02:00
Lennart Poettering
7ea5e82f6a man: clarify the situation of unit templates regarding "systemctl list-units" + "systemctl list-unit-files"
Fixes: #21075
2021-10-28 10:45:02 +02:00
Lennart Poettering
4c2ee5c7f2 homework: allow specifying explicit additional mount options when using CIFS backend
This is useful since certain shares can only be mounted with additional
mount flags. For example the SMB share in modern AVM Fritz!Boxes
requires "noserverino" to be set to work from Linux.
2021-10-27 22:46:46 +02:00
Lennart Poettering
bf15879b39 homework: allow specifying a dir component in CIFS services
Allow specifying CIFS services in the format //host/service/subdir/… to
allow multiple homedirs on the same share, and not in the main dir of
the share.

All other backends allow placing the data store at arbitrary places,
let's allow this too for the CIFS backend. This is particularly useful
for testing.
2021-10-27 22:37:56 +02:00
Yu Watanabe
c9e2c2dae3 network: radv: shorten default lifetime of prefix, route prefix, DNS, and domains
See draft-ietf-6man-slaac-renum-02 section 4.1.1.
2021-10-27 23:58:35 +09:00
Yu Watanabe
4f1ac4a38d network: radv: refuse invalid router lifetime in conf parser 2021-10-27 19:29:05 +09:00
Yu Watanabe
149cda85bf man: adjust the explanations related to the DHCPv6 client starting mode 2021-10-27 00:33:44 +09:00
Yu Watanabe
483566e5ba network: deprecate ForceDHCPv6PDOtherInformation= setting
The setting is completely meaningless, as WithoutRA= and UseDelegatedPrefix=
in [DHCPv6] section, and DHCPv6Client= in [IPv6AcceptRA] section control
the behavior.
2021-10-27 00:33:44 +09:00
Yu Watanabe
dc5cae6c9d network: dhcp6: introduce UplinkInterface= for DHCP6 prefix delegation 2021-10-26 20:43:10 +09:00
Yu Watanabe
0f5ef9b62a network: dhcp6: introduce UseDelegatedPrefix= setting and enable by default
Previously, the prefix delegation is enabled when at least one
downstream interfaces request it. But, when the DHCPv6 client on the
upstream interface is configured, some downstream interfaces may not
exist yet, nor have .network file assigned.

Also, if a system has thousands of interfaces, then the previous logic
introduce O(n^2) search.

This makes the prefix delegation is always enabled, except when it is
explicitly disabled. Hopefully, that should not break anything, as the
DHCPv6 server should ignore the prefix delegation request if the server
do not have any prefix to delegate.
2021-10-26 20:29:08 +09:00
Jan Janssen
e6cab77eca sd-boot: Add keys to reboot into firmware interface
This is useful if the auto-firmware setting has been disabled. The
keys used here are based on what the majority of firmware employ in
the wild.
This also ensures there's a chance for the user to discover this in
case they were too slow during POST or simply used the wrong ones.
2021-10-22 19:12:55 +02:00
Yu Watanabe
241167e68a
Merge pull request #21051 from poettering/nspawn-no-sync
nspawn: add --suppress-sync=yes mode for turning sync() and friends i…
2021-10-20 22:42:43 +09:00
Luca Boccassi
b78524f48d
Merge pull request #21055 from yuwata/network-dhcp6-pd-route-lifetime-metric
network: dhcp6pd: set lifetime and route metric
2021-10-20 14:38:03 +01:00
Dimitri Papadopoulos
ba669952b2 Typos found by codespell 2021-10-20 22:20:18 +09:00
Lennart Poettering
4a4654e024 nspawn: add --suppress-sync=yes mode for turning sync() and friends into NOPs via seccomp
This is supposed to be used by package/image builders such as mkosi to
speed up building, since it allows us to suppress sync() inside a
container.

This does what Debian's eatmydata tool does, but for a container, and
via seccomp (instead of LD_PRELOAD).
2021-10-20 11:35:15 +02:00
Yu Watanabe
d0619f2c2b network: dhcp6pd: set default metric 256 for delegated prefix
When Assign= in [DHCPv6PrefixDelegation] is enabled, then the kernel
will create the prefix route for the assigned address with metric 256.
When Assign= is disabled, then the kernel will create the route with
metric 1024.

For the default value, we should choose a smaller value (higher priority)
than 1024, as the unreachable routes for delegated prefix will be
configured with 1024.
2021-10-20 02:36:20 +09:00
Lennart Poettering
59bcac0b1a watchdog: always prefer /dev/watchdog0 over /dev/watchdog 2021-10-18 11:27:39 +02:00
Lennart Poettering
e00324d092
Merge pull request #21013 from mxre/feature/stub-dtb
[sd-stub] add support for embedding devicetree
2021-10-17 11:27:03 +02:00
Max Resch
111c9ba6c2 [st-stub] documenting the .dtb section 2021-10-16 13:26:21 +02:00
Tony Asleson
1f1a2243c0 Add stand-alone dm-integrity support
This adds support for dm integrity targets and an associated
/etc/integritytab file which is required as the dm integrity device
super block doesn't include all of the required metadata to bring up
the device correctly.  See integritytab man page for details.
2021-10-15 10:19:54 -05:00
Tony Asleson
9a2a6ec4e3 dm-verity: Remove usage of integrity
There is a difference between dm-verity and dm-integrity.  Remove
usage of integrity from verity documentation in man pages and
target files.
2021-10-14 12:17:02 -05:00
Lennart Poettering
9c5ea4b143 man: document new systemd.watchdog_sec= kernel cmdline option
Follow-up for: b3aa73e4de
2021-10-13 13:10:34 +02:00
Lennart Poettering
5254d15896 man: document new "off" setting for systemd-system.conf watchdog settings 2021-10-13 13:10:34 +02:00
Lennart Poettering
b6e44cd934
Merge pull request #20787 from fbuihuu/watchdog-more-rework
Watchdog more rework
2021-10-13 12:56:44 +02:00
Franck Bui
8a85c5b616 watchdog: rename special string "infinity" taken by the watchdog timeout options to "default" 2021-10-13 08:58:36 +02:00
Franck Bui
807938e7ec watchdog: update the documentation
While at it, split the watchdog section into a few paragraphs to make it easier
to read as it becomes lengthy.
2021-10-13 08:58:36 +02:00
Zbigniew Jędrzejewski-Szmek
df618f259a
Merge pull request #20987 from yuwata/sd-dhcp6-enum-cleanups
sd-dhcp6-client: enum cleanups
2021-10-13 08:25:37 +02:00
Yu Watanabe
308d01f3c4 network: do not request RAPID_COMMIT option
The option must not be included in OPTION_REQUEST option.
See the "Client ORO" field in
https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2

This deprecates RapidCommit= setting. Note that sd-dhcp6-client always
sets the RAPID_COMMIT option in the solicit message.
2021-10-13 02:46:24 +09:00
наб
7d449b5618 systemd-machine-id-setup(1): "machine[d] ID" typo 2021-10-13 02:21:44 +09:00
Zbigniew Jędrzejewski-Szmek
78ae9d3100
Merge pull request #20853 from yuwata/network-radv-set-default-timeouts
network: RADV: set default timeouts
2021-10-12 10:49:03 +02:00
Lennart Poettering
de3ef2524e
Merge pull request #20968 from poettering/homed-pin
homed: pin+lock homes while logged in + keep trying to unmount on logging out + optionally drop caches on logging out
2021-10-11 23:11:03 +02:00
Lennart Poettering
5c791053e3
Merge pull request #20776 from medhefgo/boot-timeout
sd-boot: Allow disabling timeout
2021-10-11 23:05:37 +02:00
Yu Watanabe
9fa25e0791 network: radv: set non-zero lifetime for DNS servers and domains by default
Closes #20850.
2021-10-12 03:10:30 +09:00
Lennart Poettering
86019efa44 homed: optionally, drop caches on logout
Fixes: #20857
2021-10-11 16:00:34 +02:00
Lennart Poettering
2c7ec8203e man: document new token-timeout= setting 2021-10-11 11:12:29 +02:00
Jan Janssen
39ddc32a86 bootctl: Add set-timeout verb
Fixes: #18766
2021-10-08 15:32:50 +02:00
Jan Janssen
52b6b35643 sd-boot: Allow disabling timeout 2021-10-08 15:26:55 +02:00
Daan De Meyer
d888ef68d1 coredump: Add --all option
This option has coredumpctl look at all journals instead of only the
local ones. This allows coredumpctl to show information about remote
coredumps if the coredumps are made available in /var/lib/systemd/coredump
and the corresponding journals are made available in /var/log/journal.

This is already possible using the --directory option but --all makes it
more user friendly since users don't have to enter the journal directory
anymore as long as it's available under /var/log/journal.
2021-10-07 22:13:12 +02:00
Yu Watanabe
6830c3a553
Merge pull request #20778 from yuwata/network-ipv6-token
network: rework IPv6 address generation mode
2021-10-07 23:24:00 +09:00
Lennart Poettering
bd3bfc8856 man: document the two new switches for systemd-cgls 2021-10-07 11:50:52 +02:00
Luca Boccassi
0cf250022c
Merge pull request #20926 from yuwata/udev-net-wol-sopass
udev/net: introduce WakeOnLanPassword=
2021-10-06 23:36:05 +01:00
Yu Watanabe
d3867133f0 udev/net: introduce WakeOnLanPassword=
Closes #20913.
2021-10-07 01:50:37 +09:00
Yu Watanabe
e609cd0694 network: introduce Token= setting in [IPv6Prefix]
Closes #20149.
2021-10-07 01:24:50 +09:00
Yu Watanabe
f5960e0ab5 network: extend Token= setting in [DHCPv6PrefixDelegation]
Now the setting supports the same syntax as the one in the [IPv6AcceptRA]
section.
2021-10-07 01:24:12 +09:00
Yu Watanabe
140bf8dacc network: introduce Token=eui64
So, now user can explicitly request EUI-64 algorithm to generate addresses.
2021-10-07 01:16:36 +09:00
Yu Watanabe
a73628e647 network: rename IPv6Token= in [Network] -> Token= in [IPv6AcceptRA]
The token is only used by received prefixes through RA.
2021-10-07 01:16:36 +09:00
Lennart Poettering
9a1ddc8dee
Merge pull request #18145 from kinvolk/iaguis/lsm-bpf
Add RestrictFileSystems= property using LSM BPF
2021-10-06 16:23:27 +02:00
Zbigniew Jędrzejewski-Szmek
e5f093bf99 man: add discussion of read-only filesystem support in daemons
This is inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1853293.  Let's
mention that applications should be prepared for /var being read-only.
2021-10-06 09:54:17 +01:00
Iago López Galeiras
20080622de man: document systemd-analyze filesystems 2021-10-06 10:52:15 +02:00
Iago López Galeiras
d6d6f55d8e man: document EXIT_BPF status 2021-10-06 10:52:14 +02:00
Iago López Galeiras
a6826f6b8e man: add RestrictFileSystems= documentation 2021-10-06 10:52:14 +02:00
Iago López Galeiras
cc86a278de core: add dbus RestrictFileSystems= properties 2021-10-06 10:52:14 +02:00
Lennart Poettering
643006f62b man: document the new DefaultOOMScoreAdjust= setting 2021-10-04 16:27:11 +02:00
Lennart Poettering
d4a402e4f6 core: add a new setting DefaultOOMScoreAdjust= and set it to 100 above service manager's by default
Let's make our service managers slightly less likely to be killed by the
OOM killer by adjusting our services' OOM score adjustment to 100 above
ours. Do this conservatively, i.e. only for regular user sessions.
2021-10-04 16:27:10 +02:00
Luca Boccassi
9d0ad242b8 man/glib-event-glue example: relicense to CC0-1.0
All other examples were relicensed to CC0-1.0 since they are intended
to be copied and pasted anywhere without any restrictions.
Relicense the last one too.
2021-10-04 11:05:22 +02:00
Luca Boccassi
f4d74c6105 man: add licenses to all files that lack one
Documentation is licensed under LGPL-2.1-or-later.
Scripts are MIT to facilitate reuse.
Examples are relicensed to CC0-1.0 to maximise copy-and-paste
for users, with permission from authors.
2021-10-01 17:27:34 +01:00
Zbigniew Jędrzejewski-Szmek
8f5bcd615b licensing: add forgotten spdx headers
Those are all "our" files, but we forgot to add the headers,
most likely because of non-standard file extensions.
2021-10-01 14:45:00 +02:00
alexlzhu
fab79a85af docs: Fixing typo in systemd.device man page and README.
systemd-udevd.service listens to kernel uevents and is needed for device
units to be available.

systemd-udevd.service is misspelled as systemd-udev.service in a couple places.

Fixing typo.
2021-09-29 22:18:38 +01:00
Yu Watanabe
bfcc0fedd0
Merge pull request #20871 from mrc0mmand/udevadm-property-value
udev: teach udevadm --property=NAME and --value options
2021-09-30 00:05:02 +09:00
Marcel Menzel
3e90ded70c
doc: network: Move "Independent=" flag to the VXLAN section (#20881) 2021-09-29 23:19:20 +09:00
Lennart Poettering
e30a3ba16a core: drop "const" from NeedsDaemonReload unit dbus property
It's not "const", it can change any time if people change the fs, and we
don#t send out notifications for it. Hence don't claim it was const.
(Otherwise clients might cache it, but they should not)

Prompted-by: #20792
2021-09-29 14:37:07 +02:00
Frantisek Sumsal
6c1482b28d udev: teach udevadm --property=NAME and --value options
which allows limiting the properties listed by the `--query=property` option
(and optionally listing only the respective values).
2021-09-29 13:32:25 +02:00
Albert Brox
5918a93355 core: implement RuntimeMaxDeltaSec directive 2021-09-28 16:46:20 +02:00
alexlzhu
8c35c10d20 core: Add ExecSearchPath parameter to specify the directory relative to which binaries executed by Exec*= should be found
Currently there does not exist a way to specify a path relative to which
all binaries executed by Exec should be found. The only way is to
specify the absolute path.

This change implements the functionality to specify a path relative to which
binaries executed by Exec*= can be found.

Closes #6308
2021-09-28 14:52:27 +01:00
Lennart Poettering
49e9218ae3
Merge pull request #20768 from pdmorrow/shutdown_cgroup_ctrl
cgroups: apply StartupAllowedCPUs= and StartupAllowedMemoryNodes= during shutdown
2021-09-27 13:44:54 +02:00
Zbigniew Jędrzejewski-Szmek
66a0e22293
Merge pull request #20849 from keszybz/man-page-tags-and-links
Add license tags to doc pages, fixups and more internal links in man pages
2021-09-27 12:09:48 +02:00
Zbigniew Jędrzejewski-Szmek
d8e1613ed2 man: mention pages with more settings at end of each option list
For some unit types we have hundreds of options, and the reader may easily miss
that more options are described in other pages. We already mentioned this in
the introduction and then at the top of the option list, but it can't hurt to
repeat the information.

Also, add an (almost empty) Options section for the unit types which don't have
any custom options. It is nicer to have the same page structure in all cases,
so people can jump between pages for different types more easily.
2021-09-27 09:19:02 +02:00
Zbigniew Jędrzejewski-Szmek
18c7a1eb6c man: refresh description of sysvinit compat for services
The existing text must have been written before systemd-sysv-generator was
created. We don't create the wrappers dynamically since a long time.

Also add more links and make the description conditional on "if compat
is enabled".
2021-09-27 09:19:02 +02:00
Zbigniew Jędrzejewski-Szmek
880e1e0729 man: minor grammar fixups in systemd-cryptenroll 2021-09-27 09:19:02 +02:00
Zbigniew Jędrzejewski-Szmek
a14e028e86 man: cross-reference DeviceAllow= and PrivateDevices=
They are somewhat similar, but not easy to discover, esp. considering that
they are described in different pages.

For PrivateDevices=, split out the first paragraph that gives the high-level
overview. (The giant second paragraph could also use some heavy editing to break
it up into more digestible chunks, alas.)
2021-09-27 09:19:02 +02:00
Anssi Hannula
9376b2aab3 man: fix a reference in timedatectl man page
timedatectl(1) says the synchronization service list generation is
described "below", but in reality it is documented in
systemd-timedated.service(8).

Fix the sentence to reference the correct man page.
2021-09-24 18:35:42 +01:00
Peter Morrow
058a2d8f13 man: Startup* updates for systemd.resource-control
All Startup*= directives now also apply to the shutdown phase as well as
boot phase.
2021-09-24 15:09:54 +01:00
Anita Zhang
2b33e41aaf link: connect 5 more properties to ethtool features
Sets up the follow properties and their corresponding ethtool feature:
- ReceiveVLANCTAGHardwareAcceleration == rx-vlan-hw-parse (or rxvlan)
- TransmitVLANCTAGHardwareAcceleration == tx-vlan-hw-insert (or txvlan)
- ReceiveVLANCTAGFilter == rx-vlan-filter
- TransmitVLANSTAGHardwareAcceleration == tx-vlan-stag-hw-insert
- NTupleFilter == rx-ntuple-filter (or ntuple)
2021-09-24 20:40:23 +09:00
Lennart Poettering
99d51ed939 man: document the new systemd-boot drop-in driver dir logic 2021-09-23 17:24:28 +02:00
Lennart Poettering
b8cdb66279 man: the sd-boot menu is probably more "textual" then "graphical", hence don't lie
(also, most communication happens between boot loader and OS, only
seldom stuff goes the other way, hence mention that the boot loader
first)
2021-09-23 17:24:28 +02:00
Lennart Poettering
3f9a615dcf man: add man page for the systemd UEFI stub
Fixes: #17215
2021-09-23 17:24:28 +02:00
Yu Watanabe
3346eb1800
Merge pull request #20652 from OnkelUlla/fix_systemd.netdev_manpage
Some Fixes for SYSTEMD.NETDEV(5)
2021-09-22 15:34:21 +09:00
Zbigniew Jędrzejewski-Szmek
a7052c6e5c meson: fix creation of man pages indices
Fixes #20795. Bug introduced in f12c5d36a9.
2021-09-21 15:36:46 +01:00
Lennart Poettering
28078aa5cc
Merge pull request #20483 from medhefgo/boot
sd-boot: Add support for changing console mode at runtime
2021-09-16 00:03:41 +02:00
Jan Janssen
1b965abc66 sd-boot: Add support for changing console mode at runtime 2021-09-15 16:32:18 +02:00
Peter Morrow
c93a7d4ad3 docs: update docs with StartupAllowedCPUs and StartupAllowedMemoryNodes details
Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
2021-09-15 09:52:12 +01:00
Lennart Poettering
9a89ab26d6 man: extend documentation about TPM2 PCRs
This is an effort to compile a somewhat complete list how PCRs are
actually used on Linux systems these days. It contains data from: the
UEFI PC spec, the shim, the IMA, grub documentation.

I validated these PCRs to some level in the sources.

The grub specific stuff I only added in comments, since I was too lazy
too validate it (also, meh, grub).

It also gives people a hint on which PCR to bind to (and maybe kind of
an explanation of our default choice).
2021-09-14 17:37:06 +02:00
Yu Watanabe
e47bcb7d0b network: do not use RouteTable= in [DHCPv4] section for DHCPv6 routes
We forgot to add RouteTable= in [DHCPv6] section when we split [DHCP]
into two.
2021-09-14 17:51:19 +09:00
Lennart Poettering
215e19eb27 id128: clarify that the "well-known" IDs are about GPT partition types
At least for now they are all GPT partition types, and we should mention
that.
2021-09-10 13:39:16 +02:00
Ulrich Ölmann
489f01f806 man/systemd.netdev: adjust documentation of MAC addresses for bridges
In the past bridge devices used to be created with a generated MAC address
thwarting the inheritance of the first slave's MAC address. This has been
changed by commit [1] some time ago. Reflect that behavioral change in the
documentation.

[1] deb2cfa4c6 ("networkd: do not generate MAC for bridge device.")
2021-09-06 22:10:30 +02:00
Ulrich Ölmann
5c3e7c4a3b man/systemd.netdev: fix typos
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
2021-09-06 22:08:12 +02:00
Maanya Goenka
4b4a8ef741 systemd-analyze: add new option to generate JSON output of security analysis table
The new option --json= works with the 'security' verb and takes in one of three format flags.
These are off which is the default, pretty and short which use JSON format flags for output.
When set to true, it generates a JSON formatted output of the security analysis table. The
format is a JSON array with objects containing the following fields: set which indicates if
the id has been set or not, name which is what is used to refer to the id, json_field
which is the equivalent JSON formatted id name only used for JSON outputs, description which
is an outline of the id state, and exposure which is an unsigned integer in the range 0.0..10.0,
where a higher value corresponds to a higher security threat. The JSON version of the table is
printed on the standard output file.

Example Run:

The unit file testfile.service was created to test the --json= option

maanya-goenka@debian:~/systemd (json-security)$ cat <<EOF >testfile.service

> [Service]
> ExecStart = echo hello
> PrivateNetwork = yes
> PrivateMounts = yes
> PrivateDevices = yes
> EOF

Both the JSON output and the security analysis table below have been truncated to increase readability.
1. Testing for when --json=off

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=off --root= --offline=true
testfile.service --no-pager

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

    NAME                                                      DESCRIPTION                                                       EXPOSURE
✓   PrivateNetwork=                                           Service has no access to the host's network
✗   User=/DynamicUser=                                        Service runs as root user                                              0.4
✗   CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)              Service may change UID/GID identities/capabilities                     0.3
✗   CapabilityBoundingSet=~CAP_NET_ADMIN                      Service has administrator privileges                                   0.3

→ Overall exposure level for testfile.service: 8.3 EXPOSED 🙁

2. Testing for when --json=pretty

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=pretty --root= --offline=true
testfile.service

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

[
        {
                "set" : true,
                "name" : "PrivateNetwork=",
		"json-field" : "PrivateNetwork",
                "description" : "Service has no access to the host's network",
                "exposure" : null
        },
        {
                "set" : false,
                "name" : "User=/DynamicUser=",
		"json-field" : "UserOrDynamicUser",
                "decsription" : "Service runs as root user",
                "exposure" : "0.4"
        },
        {
                "set" : false,
                "name" : "CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)",
		"json_field" : "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP",
                "description" : "Service may change UID/GID identities/capabilities",
                "exposure" : "0.3"
        },
        {
                "set" : false,
                "name" : "CapabilityBoundingSet=~CAP_NET_ADMIN",
		"json_field" : "CapabilityBoundingSet_CAP_NET_ADMIN",
                "description" : "Service has administrator privileges",
                "exposure" : "0.3"
        },
        ...
]

3. Testing for when --json=short

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=short --root= --offline=true
testfile.service

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

[{"set":true,"name":"PrivateNetwork=", "json_field":"PrivateNetwork", "description":"Service has no access to the host's network","exposure":null}, ...]
2021-09-06 19:55:27 +01:00
Kyle Laker
c1e6f21556
systemd-analyze: use config value in RestrictNamespaces id (#20645)
For most fields, the text shown by `.id` is the value that should be set
in the unit file; however, for RestrictNamespaces, it is not. Changing
this to show the actual text makes it more clear to a user what the
actual change that needs to be made to the unit file is.
2021-09-06 17:33:16 +02:00
Yu Watanabe
57aef9d737 network: introduce KeepMaster= setting
Closes #20624.
2021-09-04 00:23:20 +09:00
Yu Watanabe
a94ed9bd62 man: drop unnecessary white space 2021-09-04 00:20:36 +09:00
Daan De Meyer
8de7929de5 mkosi: Add zsh to Arch packages
Useful for testing zsh completion changes.
2021-09-01 10:01:18 +02:00
Maanya Goenka
ecfd082b71 systemd-analyze: add new 'security' option to allow user to choose custom requirements
A new option --security-policy= is added to work with the 'security' verb in order to enable
users to create and pass in a JSON file consisting of user defined requirements
against which to compare the specified unit file(s). These requirements then serve
as the measure of security threats for the file instead of the initial hard coded set of
requirements that the 'security' verb of systemd-analyze relied on.

Example Run:

A snapshot of the user defined testfile.json file is shown below instead of the complete file
for readability purposes.

{
"PrivateDevices":
    {"description_good": "Service has no access to hardware devices",
    "description_bad": "Service potentially has access to hardware devices",
    "weight": 1000,
    "range": 1
    },
"PrivateMounts":
    {"description_good": "Service cannot install system mounts",
    "description_bad": "Service may install system mounts",
    "weight": 1000,
    "range": 1
    },
"PrivateNetwork":
    {"description_good": "Service has no access to the host's network",
    "description_bad": "Service has access to the host's network",
    "weight": 2500,
    "range": 1
    },
"PrivateTmp":
    {"description_good": "Service has no access to other software's temporary files",
    "description_bad": "Service has access to other software's temporary files",
    "weight": 1000,
    "range": 1
    },
"PrivateUsers":
    {"description_good": "Service does not have access to other users",
    "description_bad": "Service has access to other users",
    "weight": 1000,
    "range": 1
    }
}

1. I created the jsontest.service file in order to test the --security-policy= option as follows:

maanya-goenka@debian:~/systemd (custom-security)$ cat<<EOF>jsontest.service
> [Service]
> ExecStart = echo hello
> PrivateNetwork = yes
> PrivateDevices = yes
> PrivateMounts = yes
> EOF

The security analysis table outputted below has been truncated to include only the first few lines for readability.

maanya-goenka@debian:~/systemd (custom-security)$ sudo build/systemd-analyze security --root= --offline=true
--security-policy=src/analyze/testfile.json jsontest.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                                         DESCRIPTION
✓ PrivateNetwork                                               Service has no access to the host's network
✗ UserOrDynamicUser                                            Service runs as root user
✗ CapabilityBoundingSet_CAP_SET_UID_GID_PCAP                   Service may change UID/GID identities/capabilities
✓ PrivateMounts                                                Service cannot install system mounts
✓ PrivateDevices                                               Service has no access to hardware devices

→ Overall exposure level for jsontest.service: 8.3 EXPOSED 🙁

maanya-goenka@debian:~/systemd (custom-security)$ echo $? 0

2. In order to ensure that the JSON data was actually being correctly parsed, I made some changes to the JSON
file, specifically to the id "PrivateNetwork" as follows:

Before:
--------

"PrivateNetwork":
    {"description_good": "Service has no access to the host's network",
    "description_bad": "Service has access to the host's network",
    "weight": 2500,
    "range": 1
    }

After:
--------

"PrivateNetwork":
    {"description_good": "Service runs without access to host network",
    "description_bad": "Service has access to the host's network",
    "weight": 6000,
    "range": 1
    }

As expected, the new description for the description_good field of the Private Network id was updated in
the analysis table outputted below and the overall exposure level of the unit file decreased because
the weight assigned to 'Private Network' (which is set to yes) increased from 2500 to 6000.

maanya-goenka@debian:~/systemd (custom-security)$ sudo build/systemd-analyze security --root= --offline=true
--security-policy=src/analyze/testfile.json jsontest.service

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                                         DESCRIPTION
✓ PrivateNetwork                                               Service runs without access to the host's network
✗ UserOrDynamicUser                                            Service runs as root user
✗ CapabilityBoundingSet_CAP_SET_UID_GID_PCAP                   Service may change UID/GID identities/capabilities
✓ PrivateMounts                                                Service cannot install system mounts
✓ PrivateDevices                                               Service has no access to hardware devices

→ Overall exposure level for jsontest.service: 7.8 EXPOSED 🙁

maanya-goenka@debian:~/systemd (custom-security)$ echo $? 0

3. When paired with security's --threshold= option, systemd-analyze exits with a non-zero error status indicating
that the overall exposure level for the unit file (=78) is greater than the set threshold (=70). The same
jsontest.service file is used for the demo run below:

maanya-goenka@debian:~/systemd (custom-security)$ sudo build/systemd-analyze security --root= --offline=true
--security-policy=src/analyze/testfile.json --threshold=70 jsontest.service

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                                         DESCRIPTION
✓ PrivateNetwork                                               Service runs without access to host network
✗ UserOrDynamicUser                                            Service runs as root user
✗ CapabilityBoundingSet_CAP_SET_UID_GID_PCAP                   Service may change UID/GID identities/capabilities
✓ PrivateMounts                                                Service cannot install system mounts
✓ PrivateDevices                                               Service has no access to hardware devices

→ Overall exposure level for jsontest.service: 7.8 EXPOSED 🙁

maanya-goenka@debian:~/systemd (custom-security)$ echo $? 1

new option
2021-08-31 08:02:08 -07:00
Kristian Klausen
b00651cf43 gpt-auto-generator: Use volatile-root by default and automatic logic as fallback
Previously volatile-root was only checked if "/" wasn't backed by a
block device, but the block device isn't necessarily original root block
device (ex: if the rootfs is copied to a ext4 fs backed by zram in the
initramfs), so we always want volatile-root checked.

So shuffle the code around so volatile-root is checked first and
fallback to the automatic logic.

Fix #20557
2021-08-31 13:52:52 +09:00
Thomas Mühlbacher
fee1863c83 man: Don't leak memory in path-documents example
The `sd_path_lookup(3)` man page states that the returned string shall be
`free(3)`'d but then doesn't do so in the example code.

Also add basic error handling as well.
2021-08-31 13:44:49 +09:00
Tom Yan
c918b70a4d network: default LinkLocalAddresssing= to no for link stacked with a passthru mode MACVLAN/MACVTAP
For similar reason to the case of a bridge slave: we don't want any IP configuration for it.
2021-08-26 06:11:41 +09:00
Zbigniew Jędrzejewski-Szmek
c8cab396a0 man: adjust the description of extension-release.* 2021-08-24 15:39:17 +02:00
Zbigniew Jędrzejewski-Szmek
6a15846d10 man: fix minor grammar issue
The usual: "searched" vs. "searched for".
2021-08-24 14:53:26 +02:00
Yu Watanabe
c995fa02b1 network: dhcp4,ndisc: make addresses in Allow/DenyList= optionally take prefix length
Closes #20505.
2021-08-23 20:36:09 +09:00
Yu Watanabe
d4e30ad1fb tree-wide: fix typo 2021-08-22 09:46:22 +01:00
Yu Watanabe
cc97ef5627
Merge pull request #20494 from bluca/snprintf_voidify
tree-wide: voidify unchecked snprintf calls or use snprintf_ok
2021-08-21 06:45:58 +09:00
Yu Watanabe
0e0e57a484
Merge pull request #20484 from DaanDeMeyer/rx-gro-hw
Add rx-gro-hw support
2021-08-21 06:43:49 +09:00
Maanya Goenka
dfbda8799c systemd-analyze: add new 'security' option to compare unit's overall exposure level with
--threshold option added to work with security verb and with the --offline option so that
users can determine what qualifies as a security threat. The threshold set by the user is
compared with the overall exposure level assigned to a unit file and if the exposure is
higher than the threshold, 'security' will return a non-zero exit status. The default value
of the --threshold option is 100.

Example Run:

1. testcase.service is a unit file created for testing the --threshold option

    maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service

    > [Service]
    > ExecStart = echo hello
    > EOF

    For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings.

    maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
    /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
    process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
    Support for KillMode=none is deprecated and will eventually be removed.
    /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
    unit file, and consider removing the setting altogether.
    /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
    /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

      NAME                                        DESCRIPTION                                                       EXPOSURE
    ✗ PrivateNetwork=                             Service has access to the host's network                          0.5
    ✗ User=/DynamicUser=                          Service runs as root user                                         0.4

    → Overall exposure level for testcase.service: 9.6 UNSAFE 😨

    maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0

2. Next, we use the same testcase.service file but add an additional --threshold=60 parameter. We would expect 'security' to exit
   with a non-zero status because the overall exposure level (= 96) is higher than the set threshold (= 60).

    maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
    /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
    process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
    Support for KillMode=none is deprecated and will eventually be removed.
    /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
    unit file, and consider removing the setting altogether.
    /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
    /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

      NAME                                        DESCRIPTION                                                       EXPOSURE
    ✗ PrivateNetwork=                             Service has access to the host's network                          0.5
    ✗ User=/DynamicUser=                          Service runs as root user                                         0.4

    → Overall exposure level for testcase.service: 9.6 UNSAFE 😨

    maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1
2021-08-20 10:59:13 -07:00
Maanya Goenka
bb43d85319 systemd-analyze: 'security' option to perform offline reviews of the specified unit file(s)
New option --offline which works with the 'security' command and takes in a boolean value. When set to true,
it performs an offline security review of the specified unit file(s). It does not rely on PID 1 to acquire
security information for the files like 'security' when used by itself does. It makes use of the refactored
security_info struct instead (commit #8cd669d3d3cf1b5e8667acc46ba290a9e8a8e529). This means that --offline can be
used with --image and --root as well. When used with --threshold, if a unit's overall exposure level is above
that set by the user, the default value being 100, --offline returns a non-zero exit status.

Example Run:

1. testcase.service is a unit file created for testing the --offline option

maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service

> [Service]
> ExecStart = echo hello
> EOF

For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings.

maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                        DESCRIPTION                                                       EXPOSURE
✗ PrivateNetwork=                             Service has access to the host's network                          0.5
✗ User=/DynamicUser=                          Service runs as root user                                         0.4

→ Overall exposure level for testcase.service: 9.6 UNSAFE 😨

maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0

2. The testcase.service unit file is modified to set PrivateNetwork to "yes". This reduces the exposure level from 9.6 to 9.1.

maanya-goenka@debian:~/systemd (systemd-security)$ nano testcase.service

> [Service]
> ExecStart = echo hello
> PrivateNetwork = yes
> EOF

maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                        DESCRIPTION                                                       EXPOSURE
✓ PrivateNetwork=                             Service has access to the host's network
✗ User=/DynamicUser=                          Service runs as root user                                         0.4

→ Overall exposure level for testcase.service: 9.1 UNSAFE 😨

maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0

3. Next, we use the same testcase.service unit file but add the additional --threshold=60 option to see how --threshold works with
--offline. Since the overall exposure level is 91 which is greater than the threshold value set by the user (= 60), we can expect
a non-zero exit status.

maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                        DESCRIPTION                                                       EXPOSURE
✓ PrivateNetwork=                             Service has access to the host's network
✗ User=/DynamicUser=                          Service runs as root user                                         0.4

→ Overall exposure level for testcase.service: 9.1 UNSAFE 😨

maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1
2021-08-20 10:59:13 -07:00
Luca Boccassi
e4193309c4 hwdb-usb-device: use xsprintf 2021-08-20 18:29:30 +01:00
Lennart Poettering
c970388b22 sd-id128: add compound literal love to sd_id128_to_string() + id128_to_uuid_string() 2021-08-20 11:09:48 +02:00
Lennart Poettering
f3ce631bbc man: reference getrandom(2) instead of urandom from sd_id128_randomize() page
It's 2021, /dev/urandom is mostly a thing of the past now.
2021-08-20 11:09:48 +02:00
Lennart Poettering
7f3c90ed79 man: document SD_ID128_ALLF 2021-08-20 11:09:47 +02:00
Lennart Poettering
f47234b6e6 man: re-run ninja -C update-man-rules 2021-08-20 11:09:47 +02:00
Daan De Meyer
8f821d90bf link: Add support for rx-gro-hw nic feature 2021-08-20 09:15:02 +01:00
Daan De Meyer
f20710c74c link: Stop prefixing features with "the" 2021-08-20 09:14:14 +01:00
Yu Watanabe
7d93b92f31 network: add UseMTU= in [IPv6AcceptRA]
Note that kernel has similar knob in sysctl: accept_ra_mtu.

Closes #18868.
2021-08-20 17:14:08 +09:00
Lennart Poettering
dc131951b5
Merge pull request #18385 from kinvolk/mauricio/restrict-network-interfaces
Add RestrictNetworkInterfaces=
2021-08-20 03:41:11 +02:00
Daan De Meyer
6c35ea5ef0 udev: Add support for configuring nic coalescing settings
These are configured via the corresponding ethtool ioctl.
2021-08-20 00:32:28 +01:00
Mauricio Vásquez
795ccb03e0 man: add RestrictNetworkInterfaces= documentation
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
2021-08-18 15:55:54 -05:00
Mauricio Vásquez
57585d5999 Document RestrictNetworkInterfaces dbus properties
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
2021-08-18 15:55:53 -05:00
Yu Watanabe
0d341eccef udev: make RxChannels= or friends also accept "max"
Follow-up for 406041b7de.

Also, this makes
- the settings accept an empty string,
- if the specified value is too large, also use the advertised maximum
  value.
- mention the range of the value in the man page.
2021-08-18 16:55:03 +02:00
Yu Watanabe
bdbb61f69f tree-wide: fix typo 2021-08-18 13:36:14 +02:00
Vladimir Panteleev
ecfcf0244a Fix typo in dbus property name ("OnSuccesJobMode") 2021-08-18 16:00:05 +09:00
Yu Watanabe
21ee8eda50
Merge pull request #20460 from yuwata/udevadm-test-builtin-introduce-action
udevadm: introduce --action option for test-builtin
2021-08-18 15:59:40 +09:00
Daan De Meyer
406041b7de
udev: Support "max" string for BufferSize options (#20458)
"max" indicates the hardware advertised maximum queue buffer size
should be used.

The max sizes can be checked by running `ethtool -g <dev>` (Preset maximums).
Since the buffer sizes can't be set to 0 by users, internally we use 0 to
indicate that the hardware advertised maximum should be used.
2021-08-18 15:59:13 +09:00
Yu Watanabe
91546abf9e
Merge pull request #20456 from tomty89/man
Adding a few notes in the systemd.network man page
2021-08-18 15:58:06 +09:00
Yu Watanabe
c4f7a34756 network: do not assume the highest priority when Priority= is unspecified
Previously, when Priority= is unspecified, networkd configured the rule with
the highest (=0) priority. This commit makes networkd distinguish the case
the setting is unspecified and one explicitly specified as Priority=0.

Note.
1) If the priority is unspecified on configure, then kernel dynamically picks
   a priority for the rule.
2) The new behavior is consistent with 'ip rule' command.

Replaces #15606.
2021-08-18 15:57:45 +09:00
Yu Watanabe
7ce05a8d66 udevadm: introduce -a|--action option for test-builtin command
As net_setup_link builtin requires that a device action is set for the
sd_device object.
2021-08-18 00:08:08 +09:00
Tom Yan
5cf9069f08 man: network: mention that RouteMetric= in [DHCPv4] is also applied to the prefix route 2021-08-17 22:53:49 +08:00
Tom Yan
5ea859ef01 man: network: mention that Promiscuous= can be used to set nopromisc for passthru MACV{LAN,TAP} 2021-08-17 22:53:29 +08:00
Lennart Poettering
f6e40037a0
Merge pull request #20448 from medhefgo/boot
sd-boot: UI improvements
2021-08-17 16:26:25 +02:00
Luca Boccassi
9c8b6eaa46 man: further document extension-release 2021-08-17 13:15:13 +01:00
Jan Janssen
8a8e5666ce sd-boot: Improve key bindings
Making keys case insensitive should help if caps lock is on.
We are not advertising them at runtime or in the manual to
reduce the noise.

This also hides the quit and version commands from the help
string. They are mostly for devs and otherwise have little
to no use to normal users. The latter overlaps with print
status which is still advertised.
2021-08-17 13:57:21 +02:00
Yu Watanabe
7c58ee5f8c
Merge pull request #20443 from yuwata/network-conf-parser-cleanups
network: conf parser cleanups
2021-08-17 02:42:27 +09:00
Yu Watanabe
aa10fa8d3a
Merge pull request #20442 from yuwata/network-can-introduce-many-settings
network: introduce several CAN interface related settings
2021-08-17 02:40:32 +09:00
Maxime de Roucy
d419ef0243 network: add address label on dhcpv4
Fixes: #13967
2021-08-17 02:40:18 +09:00
Yu Watanabe
80e41a68d6 man: address label can be set only for IPv4 addresses 2021-08-16 22:56:30 +09:00
Jan Janssen
64bb56e58b sd-boot: Allow automatic entries to be default 2021-08-16 15:52:15 +02:00
Yu Watanabe
b164b570b4 network: can: allow to specify bit-timing with TimeQuantaNSec= and friends
Closes #19424 and #20435.
2021-08-16 22:30:38 +09:00
Yu Watanabe
817561cc60 network: SamplePoint= should be specified only when BitRate= is specified
See can_get_bittiming() in drivers/net/can/dev/bittiming.c of kernel.
2021-08-16 18:54:01 +09:00
Yu Watanabe
239f91f71c network: can: make Termination= optionally take a raw resistor value
Note that this slightly breaks backward compatibility when
Termination=1. Previously, this is handled as boolean true, then 120 ohm
was used. But now with this commit, it is handled as 1 ohm.
2021-08-16 18:52:24 +09:00
Yu Watanabe
6dd84c9e86 network: can: add missing control modes 2021-08-16 18:42:48 +09:00
Lennart Poettering
d8151fb949
Merge pull request #20233 from maanyagoenka/log-error
systemd-analyze: add option to return an error value when unit verification fails
2021-08-13 09:22:48 +02:00
Lennart Poettering
2c3735d6ba
Merge pull request #20350 from medhefgo/boot
Grab bag of sd-boot improvements
2021-08-13 09:22:12 +02:00
Maanya Goenka
3cc3dc7736 systemd-analyze: option to exit with an error when 'verify' fails
The commit introduces a callback invoked from log_syntax_internal.
Use it from systemd-analyze to gather a list of units that contain
syntax warnings. A new command line option is added to make use of this.

The new option --recursive-errors takes in three possible modes:

1. yes - which is the default. systemd-analyze exits with an error when syntax warnings arise during verification of the
	 specified units or any of their dependencies.
3. no - systemd-analyze exits with an error when syntax warnings arise during verification of only the selected unit.
	Analyzing and loading any dependencies will be skipped.
4. one - systemd-analyze exits with an error when syntax warnings arise during verification
	 of only the selected units and their direct dependencies.

Below are two service unit files that I created for the purposes of testing:

1. First, we run the commands on a unit that does not have dependencies but has a non-existing key-value setting (i.e. foo = bar).

> cat <<EOF>testcase.service

[Unit]
foo = bar

[Service]
ExecStart = echo hello
EOF

OUTPUT:

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=yes testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=no testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=one testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

2. Next, we run the commands on a unit that is syntactically valid but has a non-existing dependency (i.e. foo2.service)

> cat <<EOF>foobar.service

[Unit]
Requires = foo2.service

[Service]
ExecStart = echo hello
EOF

OUTPUT:

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify foobar.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
foobar.service: Failed to create foobar.service/start: Unit foo2.service not found.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=yes foobar.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
foobar.service: Failed to create foobar.service/start: Unit foo2.service not found.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=no foobar.service
maanya-goenka@debian:~/systemd (log-error)$ echo $?
0

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=one foobar.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
foobar.service: Failed to create foobar.service/start: Unit foo2.service not found.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1
2021-08-12 07:22:15 -07:00
Jan Janssen
dba0c9832b sd-boot: Allow on/off and t/f for booleans too 2021-08-12 16:10:06 +02:00
Lennart Poettering
a0c5a3f0c0
Merge pull request #20419 from keszybz/setenv-no-value
Allow --setenv=FOO in various programs
2021-08-11 17:47:45 +02:00
Zbigniew Jędrzejewski-Szmek
89bf86e015 machinectl: allow --setenv=FOO 2021-08-11 09:34:45 +02:00
Zbigniew Jędrzejewski-Szmek
0337b3d51c run: allow --setenv=FOO 2021-08-11 09:34:45 +02:00
Zbigniew Jędrzejewski-Szmek
4bbafcc359 homectl: allow --setenv=FOO 2021-08-11 09:34:45 +02:00
Zbigniew Jędrzejewski-Szmek
0d2a017986 nspawn: allow --setenv=FOO as equivalent to --setenv=FOO=$FOO
systemd-socket-activate has supported such a mode since
5e65c93a43. '--setenv=FOO=$FOO' is a fairly
common use in scripts, and it's nicer to do this automatically without worrying
about quoting and whatnot.

https://github.com/systemd/mkosi/pull/765 added the same to 'mkosi --environment='.
2021-08-11 09:34:45 +02:00
Maanya Goenka
e5ea5c3a17 systemd-analyze: support discrete images for 'verify' verb
Adding --image parameter for verify verb using the dissect image functionality

-----------------------------------------------------------------------------------
Example Run:

I created a unit service file testrun.service with an invalid key-value pairing
(foo = bar) and a squashfs image run.raw to test the code.

maanya-goenka@debian:~/systemd (img-support)$ cat <<EOF>img/usr/lib/systemd/system/testrun.service
> [Unit]
> foo = bar
>
> [Service]
> ExecStart = /opt/script0.sh
> EOF

maanya-goenka@debian:~/systemd (img-support)$ mksquashfs img/ run.raw
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on run.raw, block size 131072.
[==============================================================================================================================|] 6/6 100%

Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments, compressed xattrs
        duplicates are removed
Filesystem size 0.60 Kbytes (0.00 Mbytes)
        52.32% of uncompressed filesystem size (1.14 Kbytes)
Inode table size 166 bytes (0.16 Kbytes)
        43.01% of uncompressed inode table size (386 bytes)
Directory table size 153 bytes (0.15 Kbytes)
        58.40% of uncompressed directory table size (262 bytes)
Number of duplicate files found 1
Number of inodes 12
Number of files 6
Number of fragments 1
Number of symbolic links  0
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 6
Number of ids (unique uids + gids) 1
Number of uids 1
        maanya-goenka (1000)
Number of gids 1
        maanya-goenka (1000)
maanya-goenka@debian:~/systemd (img-support)$ sudo build/systemd-analyze verify --image=run.raw testrun.service
/tmp/.#systemd-analyzec71c7297a936b91c/usr/lib/systemd/system/testrun.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
testrun.service: Failed to create testrun.service/start: Unit sysinit.target not found.

The 'Unit sysinit.target not found' error that we see here is due to recursive dependency searching during
unit loading and has been addressed in a different PR:
systemd-analyze: add option to return an error value when unit verification fails #20233
2021-08-10 02:41:12 -07:00
Maanya Goenka
2a7cf953e1 systemd-analyze: add --root option for 'verify' verb and allow path parsing
-------------------------------------------------------------------------------
Example Run:

foobar.service created below is a service unit file that has a non-existing key-value
pairing (foo = bar) and is thus, syntactically invalid.

maanya-goenka@debian:~/systemd (img-support)$ cat <<EOF>img/usr/lib/systemd/system/foobar.service
> [Unit]
> foo = bar
>
> [Service]
> ExecStart = /opt/script0.sh
> EOF

The failure to create foobar.service because of the recursive dependency searching and verification has been addressed
in a different PR: systemd-analyze: add option to return an error value when unit verification fails #20233

maanya-goenka@debian:~/systemd (img-support)$ sudo build/systemd-analyze verify --root=img/ foobar.service
/home/maanya-goenka/systemd/img/usr/lib/systemd/system/foobar.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
foobar.service: Failed to create foobar.service/start: Unit sysinit.target not found.
2021-08-10 02:41:12 -07:00
Yegor Alexeyev
836fb00f21 units: added factory-reset.target 2021-08-10 17:08:00 +02:00
Dimitry Ishenko
33e82f3ef3 timesync: add option to periodically save time 2021-08-09 21:06:28 +02:00
GnunuX
c5f62204ee man systemd-sysusers: fix password to passwd 2021-08-09 10:17:05 +02:00
Yu Watanabe
63295b42ae network: introduce UplinkInterface= in [IPv6SendRA] 2021-08-04 22:20:56 +09:00
Yu Watanabe
2b24292692 network: update comment and man page 2021-08-04 22:19:14 +09:00
Zbigniew Jędrzejewski-Szmek
d53285d551 man: describe veritysetup command syntax
It makes it easier to diagnose what the generated units actually do.
2021-08-03 16:02:55 +02:00
Lennart Poettering
e5a8b4b593 bootctl: tweak "bootctl update" to be a NOP when boot loader is already current and --graceful is given
Previously, the "bootctl update" logic would refrain from downrgading a
boot loader, but if the boot loader that is installed already matched
the version we could install we'd install it anyway, under the
assumption this was effectively without effect. This behaviour was handy
while developing boot loaders, since installing a modified boot loader
didn't require a version bump.

However, outside of the systems of boot loader developers I don't think
this behaviour makes much sense: we should always emphasize doing
minimal changes to the ESP, hence when an update is supposedly not
necessary, then don't do it. Only update if it really makes sense, to
minimize writes to the ESP. Updating the boot loader is a good thing
after all, but doing so redundantly is not.

Also, downgrade the message about this to LOG_NOTICE, given this
shouldn't be a reason to log.

Finally, exit cleanly in this cases (or if another boot loader is
detected)
2021-07-30 16:48:24 +02:00
Franck Bui
463aef23a7 manager: reexecute on SIGRTMIN+25, user instances only
Before this patch, there was no way to request all running user instances for
reexecuting. However this can be useful especially during package updates
otherwise user instances are never updated and keep running a potentially very
old version of the binaries.

Now assuming that we have enough priviledge, it's possible to request
reexecution of all user instances:

  systemctl kill --signal=SIGRTMIN+25 "user@*.service"

Note that this request is obviously asynchronous as it relies on a
signal. Keeping "systemctl kill" as the only interface should be good enough to
make this obvious and that's the reason why another interface, such as
"systemctl --global daemon-reexec" has not been considered.

PID1 already uses SIGTERM for reexecuting hence sending it SIGRTMIN+25 is a
nop.
2021-07-28 18:50:30 +02:00
Luca Boccassi
a8d1a8e96d
Merge pull request #20326 from keszybz/meson-0.53.2
Use some more new meson features
2021-07-28 13:30:37 +01:00
Zbigniew Jędrzejewski-Szmek
e04eae5e1c man/systemctl: rework descriptions of bind and mount-image
The text used "unit's view" to mean mount namespace. But we talk about
mount namespaces in the later part of the paragraph anyway, so trying to
use an "approachable term" only makes the whole thing harder to understand.
Let's use the precise term.

Some paragraph-breaking and re-indentation is done too.
2021-07-28 10:21:21 +02:00
Zbigniew Jędrzejewski-Szmek
f12c5d36a9 meson: use alias_target for doc update commands
This undoes part of 4c890ad3cc: the
implementations of update-dbus-docs and update-man-rules are moved back to
man/meson.build, and alias_target() is used to keep the visible target names
unchanged.

The rules for man pages are reworked so that it's possible to invoke the
targets even if xstlproc is not available. After all, xsltproc is only needed
for the final formatted output, and not other processing.
2021-07-27 20:34:40 +02:00
Zbigniew Jędrzejewski-Szmek
fce9abb227 meson: use a/b instead of join_paths(a,b)
It is nicer and shorter.
2021-07-27 19:32:35 +02:00
Zbigniew Jędrzejewski-Szmek
dab1fe1a8e man/tmpfiles.d: rewrite the description of age-by 2021-07-27 09:43:29 +02:00
Zbigniew Jędrzejewski-Szmek
d6029680df man: use title of docs/ pages when referring to them
There is some inconsistency, partially caused by the awkward naming
of the docs/ pages. But let's be consistent and use the "official" title.
If we ever change plural↔singular, we should use the same form everywhere.
2021-07-27 09:43:29 +02:00
Zbigniew Jędrzejewski-Szmek
be0d27ee0c man: fix assorted issues reported by the manpage-l10n project
Fixes #20297.
2021-07-27 09:43:29 +02:00
ratijas
d2e84b6018 man: Fix incorrect EFI vendor UUID (last missing nibble) 2021-07-23 14:20:29 +02:00
Zbigniew Jędrzejewski-Szmek
becbc6dfa8
Merge pull request #20103 from flokli/nsswitch-nss-myhostname
man: stop recommending putting myhostname after dns
2021-07-23 09:44:26 +02:00
Florian Klink
946f7ce32c man: document nss-{resolve,myhostname} resolving in the other direction, too 2021-07-23 01:56:07 +02:00
Florian Klink
ce266330fc man: stop recommending putting myhostname after dns
nss-resolve also looks in /etc/hosts, and has the same local hostname
resolving logic as nss-myhostname. We shouldn't recommend another order
than nss-resolve uses internally.

When nss-resolve is used, there's no possibility to override
nss-myhostname hosts via DNS *anyway*.

On top of that, it's not a good idea to allow DNS to override local
hostnames as all - at least not something we should advertise in the
docs.

Followup of f918c67d38 /
https://github.com/systemd/systemd/pull/16754.
2021-07-23 01:53:07 +02:00
hikigaya58
d844b033a4 Typo correction on systemd.unit man page 2021-07-22 19:05:30 +02:00
WANG Xuerui
4e76715489
gpt: support LoongArch 64-bit 2021-07-20 17:32:59 +08:00
rene
b838bc1126
Minor typo (#20254)
Correct resoulution with resolution.
2021-07-20 14:45:04 +09:00
Raul Tambre
534b5abce1 man/systemd.network: Fix duplicate Xfrm description
It's already listed along with others (Tunnel, VLAN, etc.) and its description matches those. The duplication was introduced by commit c3006a485c.
2021-07-14 21:48:48 +09:00
Luca BRUNO
c68c87d023 man/dnssec-trust-anchors: fix an XML syntax typo
This fixes an XML syntax typo in the 'dnssec-trust-anchors'
documentation.
2021-07-12 12:09:20 +01:00
Carl Lei
9de0c7f4ae man: fix RFC number
#19947 didn't fix both.
2021-07-12 14:10:32 +09:00
Ben Stockett
4226dfafba Updated manpage for sd_bus_set_property
Updated manpage for sd_bus_set_property and sd_bus_set_propertyv. In the old manpage, these functions included the parameter sd_bus_message **reply when the actual function had no such argument.
2021-07-10 13:19:50 +01:00
nassir90
a814eae728
Fixed typo (#20187)
* Fixed typo

Before, the file claimed that some systemd units are created "from other
configuration". It should have read "from other configuration files".

Co-authored-by: Nozz <nozolo90@gmail.com>
2021-07-09 21:16:02 +01:00
nl6720
250db1bf02 docs: improve wording when mentioning the acronym "ESP"
"ESP" is "EFI system partition", so "ESP partition" is redundant.
2021-07-09 13:41:00 +02:00
Yegor Alexeyev
a520bb6654 logind: allow binding different operation to reboot key long presses 2021-07-08 13:08:20 +02:00
Lennart Poettering
c860665ef3
Merge pull request #20163 from poettering/repart-root-fix
repart: drop duplicate handling of /sysroot/ prefix
2021-07-08 13:06:41 +02:00
Lennart Poettering
e2e13bddcf repart: drop spurious whitespace 2021-07-08 10:10:39 +02:00
Lennart Poettering
8a6a781b58 man: document the new (Load|Set)CredentialEncrypted= settings 2021-07-08 09:31:43 +02:00
Lennart Poettering
c1017f6b7b man: add man page for "systemd-creds" 2021-07-08 09:31:18 +02:00
Lennart Poettering
43144be4a1 pid1: add support for encrypted credentials 2021-07-08 09:30:56 +02:00
Zbigniew Jędrzejewski-Szmek
682047f834
Merge pull request #20145 from bluca/prep
Preparations for v249
2021-07-07 15:28:15 +02:00
Lennart Poettering
fc20b9b598 Revert "Add systemd-resolve backwards compatibility section to resolvectl docs"
This reverts commit 9fcfc0470d.
2021-07-07 15:27:28 +02:00
Luca Boccassi
67828e0856 man: fix systemd-sleep.conf.xml whitespace
Follow-up for 33f899bd47
2021-07-07 10:36:04 +01:00
Hamish Moffatt
33f899bd47 Clarify the behaviour of suspend-then-sleep mode in the manual pages.
Fixes #20125.
2021-07-07 11:08:21 +02:00
Luca Boccassi
48e5ef14af man: correct return value of sd_bus_open_with_description
Since f4b2933ee7
if a description is not set, sd_bus_open_with_description returns -ENXIO, but the
documnetation stated that it returned successfully with a NULL string.
2021-07-06 15:18:35 +02:00
Michal Sekletar
49590d67c9 selinux: support infering SELinux label also from socket not connected to stdin
Fixes #19918
2021-07-02 09:26:22 +02:00
Zbigniew Jędrzejewski-Szmek
cc03890a9d
Merge pull request #20058 from keszybz/status-format
Implement StatusUnitFormat=combined and prettify Descriptions
2021-07-01 08:58:14 +02:00
Zbigniew Jędrzejewski-Szmek
dc9880d475
Merge pull request #20020 from anitazha/oomd_with_mem
oomd: check that memory use also exceeds threshold before doing a swap kill
2021-06-30 21:59:34 +02:00
Zbigniew Jędrzejewski-Szmek
abaf5edd08 Revert "Introduce ExitType"
This reverts commit cb0e818f7c.

After this was merged, some design and implementation issues were discovered,
see the discussion in #18782 and #19385. They certainly can be fixed, but so
far nobody has stepped up, and we're nearing a release. Hopefully, this feature
can be merged again after a rework.

Fixes #19345.
2021-06-30 21:56:47 +02:00
Zbigniew Jędrzejewski-Szmek
58551e6ebc
Merge pull request #20074 from yuwata/fix-typo
tree-wide: fix typo
2021-06-30 17:26:51 +02:00
Yu Watanabe
387f695526 tree-wide: "a" -> "an" 2021-06-30 23:33:00 +09:00
Yu Watanabe
3d62af7d23 tree-wide: fix "the the" and "a a" 2021-06-30 23:32:43 +09:00