IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Request with Range header like 'entries=<cursor>:' (with a colon at the end,
invalid syntax per the doc), is now rejected with error 400 Bad Request.
fix#4883
This adds a new ProtectSystem= setting that mirrors the option of the
same of services, but in a more restrictive way. If enabled will remount
/usr/ to read-only, very early at boot. Takes a special value "auto"
(which is the default) which is equivalent to true in the initrd, and
false otherwise.
Unlike the per-service option we don't support full/strict modes, but
the door is open to eventually support that too if it makes sense. It's
not entirely trivial though as we have very little mounted this early,
and hence the mechanism might not apply 1:1. Hence in this PR is a
conservative first step.
My primary goal with this is to lock down initrds a bit, since they
conceptually are mostly immutable, but they are unpacked into a mutable
tmpfs. let's tighten the screws a bit on that, and at least make /usr/
immutable.
This is particularly nice on USIs (i.e. Unified System Images, that pack
a whole OS into a UKI without transitioning out of it), such as
diskomator.
I see myself frequently typing in "journalctl --file=…". That's a lot to
type. Let's add a short switch too. Unfortunately, "-f" and "-F" are
already taken, hence let's pick "-i".
The header and keyfile are necessary only for opening the device, not
for closing, so it is not necessary to deactivate the generated
cryptsetup unit when the header or keyfile backing store are removed.
This is especially useful in the case of softreboot, when the new
mount root is setup under /run/nextroot/ but we don't want to close
the cryptsetup devices for encrypted /var/ or so, and we simply
mount it directly on /run/nextroot/var/ before the soft-reboot.
This is the equivalent of RequiresMountsFor=, but adds Wants= instead
of Requires=. It will be useful for example for the autogenerated
systemd-cryptsetup units.
Fixes https://github.com/systemd/systemd/issues/11646
Let's put the section name at the beginning of each sentence. This way we
can avoid awkward constructs like "kernel is looked for in the .linux section".
Also, since the paragraph above says that this is a list of "PE sections", we
can just say "section". In other places, it is often useful to say "PE section"
to avoid ambiguity.
Also fix the off-by-one in the count of sections.
The only reason to recommend this would be if people had multiple commands
with the same name in the search path. This probably was never the best idea,
and it happens rarely anyway. Since the patch that dropped requirement for full
paths was introduced, we have dropped support for unmerged-usr and we're planning
to drop support for split-bin at some point too. Many people effectively have just
one directory in the search path, so there is even less reason to use an absolute
path. So let's recommend just using the command name, which makes the unit file
shorter and nicer to read.
An event loop is not "synchronous". So we shouldn't say that the client must
"synchrounusly poll" if we recommend an event loop. Let's just say it should
poll, and say that "sd_bus_wait()" is blocking, which is clearer and more
correct than "synchronous".
AllowList= and DenyList= filter only DHCPOFFER messages. So, if
RapidCommit= is enabled, then networkd unconditionally accepts a rapid
ACK message even if its sender is filtered out by the lists.
As AllowList=/DenyList= implemented earlier than RapidCommit=, so
enabling RapidCommit= unconditionally by default may break existing
setups that use AllowList=/DenyList=.
Let's disable RapidCommit= by default when AllowList=/DenyList= is
enabled. Still the setting can be enabled by setting explicitly even
AllowList=/DenyList= is also specified.
This footgun should at least be documented, if there's not going
to be a shortcut setting to establish the async `journalctl
--follow` equivalent.
Fixes: https://github.com/systemd/systemd/issues/2815
With the introduction of SetDisplay() method in 4885d7490b2 the Display
property emits a "properties changed" message every time the display is
changed using this method, so mark it appropriately.
Caught by systemd/systemd#30029:
systemd-logind[1366]: Got message type=method_call sender=:1.165 destination=org.freedesktop.login1 path=/org/freedesktop/login1/session/_310 interface=org.freedesktop.login1.Session member=SetDisplay cookie=8 reply_cookie=0 signature=s error-name=n/a error-message=n/a
systemd-logind[1366]: Assertion 'v->vtable->flags & SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE || v->vtable->flags & SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION' failed at src/libsystemd/sd-bus/bus-objects.c:2141, function emit_properties_changed_on_interface(). Ignoring.
Follow-up to 4885d7490b2.
This seems to work as expected. In the issue, doubts were raised whether it
works fine with daemon-reload/daemon-reexec, and it seems to work fine.
(The property cannot be set via set-property, the dbus property is 'const'.
We could relax this, but that'd be a separate feature.)
Closes#29574.
When an interface is being reconfigured with different bridge vlan
settings, this makes old vlan IDs on the interface removed.
This also makes the PVID= setting support negative boolean value, e.g. "no",
in which case, the currently assigned PVID (typically, assigned by the
kernel when an interface is joined to a bridge) is dropped.
This feature is requested by #15291.
Note, if a .network file has no settings about bridge vlan, networkd
keeps the currently assigned vlan IDs. That's intended, to make not
break existing setups.
When a .network file has only PVID=no line in [BridgeVLAN] section, then
all assigned vlan IDs are removed.
Fixes#29975.
Closes#15291.
In systemctl-show we only show current swap if ever swapped or non-zero. This
reduces the noise on swapless systems, that would otherwise always show a swap
value that never has the chance to become non-zero. It further reduces the
noise for services that never swapped.
This is pretty low-level functionality, hence placed in systemd-analyze.
This is useful for working with systemd-cryptenroll --tpm2-device-key=,
as it acquires the SRK without requiring the full tpm2-tss tool set.
We already save it in PEM format, also store it TPM2_PUBLIC format next
to it. This is useful for usage with systemd-cryptenroll's
--tpm2-device-key= switch.
