IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
- introduce or rename usual enum values _MAX and _INVALID,
- introduce and use string table lookup functions,
- split out implementation of get_color_mode() to _impl(),
- add tests for get_color_mode().
read() returns ssize_t (i.e. 64bit typically). We assigned it to int
variables in some cases (i.e. 32bit typically). Let's not be so sloppy,
and not accidentally drop 32bit on the floor.
(of course, this is not an issue IRL since we'll not have allocations
above 2^32 ever we could read into, but still, let's clean this up)
This mimics what we do in nspawn: if registration is enabled we'll let
machined allocate a scope unit for us. When --keep-unit is used we'll
register without creating a new scope.
This brings behaviour more inline with what nspawn does, exposing the
same sets of options.
On dbus we have two apis: one for registering a new machne when the
client already has a cgroup (RegisterMachine()) and one where it doesn't
and machined shall create it (CreateMachine()).
Let's add the same for the varlink api. To simplify things we just
implement it via a boolean flag to the existign RegisterMachine()
varlink call, since the differences are mostly minor otherwise.
Now that we have a concept of unprivileged VMs and containers, let's
allow unprivileged clients to register with machined too – subject to
Polkit permissions.
As discussed in https://github.com/systemd/systemd/pull/32724#discussion_r1638963071
I don't find the opposite reasoning particularly convincing.
We have ProtectHome=tmpfs and friends, and those can be
pretty much trivially implemented through TemporaryFileSystem=
too. The new logic brings many benefits, and is completely generic,
hence I see no reason not to expose it. We can even get more tests
for the code path if we make it public.
We so far collected most unexpected errors from install_changes_add()
and propagated them – but for some invocations we forgot to do that. Add
that, and take care we only propagated unexpected errors (i.e. ENOMEM
and such), but treat expected errors as before.
Follow-up for 5163c9b1e5
Most container managers will block open_by_handle_at with seccomp to
mitigate a container escape attack. LXD in particular returns ENOSYS
rather than e.g. EPERM like nspawn. Skip this test if we get ENOSYS
from open_by_handle_at via cg_cgroupid_open.
During cross-compilation of systemd, the compiler used to build the bpf's needs
to be pointed at the correct include searchpath. Which can be done by passing
the corresponding directory in through the cflags; for example in yocto/bitbake
this would work: CFLAGS += "--sysroot=${STAGING_DIR_TARGET}"
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
If we have a pidfd, we might as well track the machine's leader PID's
lifetime, and enqueue the machine for a GC run.
(This is similar to what we are already doing for logind's session
leaders)
One major omission in machine's logic so far was that the GC was only
run at startup and on the check-idle timeout, which is really slow.
Let's make this more like the GC logic in homed or logind: make sure we
run it in a close-by event loop cycle.
varlinkctl has this nice feature that it sends the varlink error it gets
via sd_notify() to the caller. With previous commits this information
is collected and exposed in "systemctl status".
Let's make sure we can provide the same in busctl: also propagate errors
the same way.
With this we can comprehensively close#6073
