1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 06:25:37 +03:00
Commit Graph

7005 Commits

Author SHA1 Message Date
codefiles
5e81e84c86 man: Fix typo 2022-07-23 11:18:23 +09:00
Yu Watanabe
c9fbe0bd10
Merge pull request #24074 from yuwata/network-dhcp6-rapid-commit
network: dhcp6: re-introduce RapidCommit= setting
2022-07-23 08:10:01 +09:00
Zbigniew Jędrzejewski-Szmek
6ce4de290f man: make bootup charts narrower
docbook already indents diagrams, so there is no need to leave whitespace on
the left. Also, make the charts a bit narrower to fit better on a terminal.
2022-07-22 22:34:20 +02:00
Luca Boccassi
aafcc8601b
Merge pull request #24084 from pothos/mask-sysext-docs
man: Sysext docs improvements
2022-07-22 20:02:07 +01:00
Kai Lueke
0ad7b7b809 man: Use correct target type for sysupdate entry
While Type=file works because it seems to be the default, the line gets
ignored as printed on the stderr output.
Use the correct value "regular-file" for the target type.
2022-07-22 20:00:08 +01:00
Kai Lueke
519c2f0d6b man: Document mask workaround for sysext images
A read-only /usr may ship a sysext image by default and the user wants
to opt out. Currently it's not clear how to do this.
Document that a /dev/null symlink in /etc/extensions/ works to "mask" a
sysext image in a folder with lower precedence.
2022-07-22 15:09:21 +02:00
Kai Lueke
566e4b3a19 man: Do not recommend to overlay files with sysext even if possible
While overlaying files with a sysext can be useful, it may lead to
unexpected problems depending on when a process got started and which
version of the file it gets.
Call out that overlaying files is possible but don't recommend to make
use of it.
2022-07-22 15:03:12 +02:00
Yu Watanabe
50ee1fec3a network: dhcp6: re-introduce RapidCommit= setting
Previous implementation of disabling rapid commit was broken, and
dropped by 308d01f3c4.

Let's re-introduce the option in the correct way, as some servers seem
to return borked message when the solicit message contain the rapid
commit option.

Closes #24065.
2022-07-22 21:28:20 +09:00
Ulrich Ölmann
aa386add67 man: document udevadm lock's exit code 2022-07-22 20:04:14 +09:00
Luca Boccassi
8d0c34f367
Merge pull request #24014 from poettering/tmpfiles-extra-creds
tmpfiles: accept additional tmpfiles lines via credential
2022-07-21 11:55:43 +01:00
Lennart Poettering
67ff6b3031 man: split out "Type Modifiers" section from "Types" section in tmpfiles.d docs
I had trouble finding the right paragraphs, so I guess others might have
too. Hence let's add a tiny bit more structure by separating these two
parts out.
2022-07-20 23:53:22 +02:00
Lennart Poettering
e52f6f6358 tmpfiles: add ^ line modifier for loading file contents from specific credential 2022-07-20 23:53:22 +02:00
Lennart Poettering
1d77721f30 tmpfiles: accept additional tmpfiles lines via credential 2022-07-20 23:53:22 +02:00
Lennart Poettering
23e9a7dde5 core: cache unit file selinux label, and make decisions based on that
Do not go back to disk on each selinux access, but instead cache the
label off the inode we are actually reading. That way unit file contents
and unit file label we use for access checks are always in sync.

Based on discussions here:

https://github.com/systemd/systemd/pull/10023#issuecomment-1179835586

Replaces:

https://github.com/systemd/systemd/pull/23910

This changes behaviour a bit, because we'll reach and cache the label at
the moment of loading the unit (i.e. usually on boot and reload), but
not after relabelling. Thus, users must refresh the cache explicitly via
a "systemctl daemon-reload" if they relabelled things.

This makes the SELinux story a bit more debuggable, as it adds an
AccessSELinuxContext bus property to units that will report the label we are
using for a unit (or the empty string if not known).

This also drops using the "source" path of a unit as label source. if
there's value in it, then generators should manually copy the selinux
label from the source files onto the generated unit files, so that the
rule that "access labels are read when we read the definition files" is
upheld. But I am not convinced this is really a necessary, good idea.
2022-07-20 19:08:28 +02:00
Luca Boccassi
74c1cf6267
Merge pull request #23640 from cerebro1/week1
Estimate battery level
2022-07-20 18:07:22 +01:00
Sonali Srivastava
91ea7ebcdf sleep: store battery discharge rate/hour with hash
Estimated battery discharge rate per hour is stored in :
/var/lib/systemd/sleep/battery_discharge_percentage_rate_per_hour

This value is used to determine the initial suspend interval. In case
this file is not available or value is invalid, HibernateDelaySec
interval is used.
After wakeup from initial suspend, this value is again estimated and
written to file if value is in range of 1-199.

Logs for reference : HibernateDelaySec=15min
- Updated in /etc/systemd/sleep.conf

Jul 14 19:17:58 localhost systemd-sleep[567]: Current battery charge
percentage: 100%
Jul 14 19:17:58 localhost systemd-sleep[567]: Failed to read discharge
rate from /var/lib/systemd/sleep/batt
ery_discharge_percentage_rate_per_hour: No such file or directory
Jul 14 19:17:58 localhost systemd-sleep[567]: Set timerfd wake alarm
for 15min
Jul 14 19:33:00 localhost systemd-sleep[567]: Current battery charge
percentage after wakeup: 90%
Jul 14 19:33:00 localhost systemd-sleep[567]: Attempting to estimate
battery discharge rate after wakeup from 15min sleep
Jul 14 19:33:00 localhost systemd-sleep[567]: product_id does not
exist: No such file or directory
Jul 14 19:33:00 localhost systemd-sleep[567]: Estimated discharge rate
39 successfully updated to
/var/lib/systemd/sleep/battery_discharge_percentage_rate_per_hour
Jul 14 19:33:00 localhost systemd-sleep[567]: Current battery charge
percentage: 90%
Jul 14 19:33:00 localhost systemd-sleep[567]: product_id does not
exist: No such file or directory
Jul 14 19:33:00 localhost systemd-sleep[567]: Set timerfd wake alarm
for 1h 48min 27s
Jul 14 21:21:30 localhost systemd-sleep[567]: Current battery charge
percentage after wakeup: 90%
Jul 14 21:21:30 localhost systemd-sleep[567]: Battery was not
discharged during suspension
2022-07-20 17:39:07 +05:30
Yu Watanabe
e1b45a756f tree-wide: fix typo 2022-07-20 13:15:37 +09:00
Jan Janssen
6a1d8f1161 man: Miscellaneous fixes
Fixes: #24056
2022-07-19 10:41:13 +01:00
Ansgar Burchardt
34aee208b5 man/system-or-user-ns.xml: explicitly refer to PrivateUsers= option
It is not clear what "unprivileged user namespaces are available" means.
It could mean either that they are only usable, that is, enabled in the kernel,
or they have been enabled for the specific service. Referring to the
`PrivateUsers=` options makes it clear that the latter is meant.
2022-07-18 13:54:51 +01:00
Vito Caputo
729d2df806 man: fix grammatical error in --cursor-file description
Just a minor cleanup to fix unparseable wording
2022-07-16 11:35:46 +09:00
Yu Watanabe
59159aee20
Merge pull request #24018 from keszybz/generator-cleanups
Make generators easier to test, fix various corner issues
2022-07-16 05:11:49 +09:00
Lennart Poettering
3acb6edef3 sysusers: allow defining additional sysusers lines via credentials 2022-07-16 00:47:22 +09:00
lastkrick
69a7d10832
man: fix typo in systemd.network documentation in IPv6RoutePrefix section (#24030) 2022-07-16 00:45:56 +09:00
Zbigniew Jędrzejewski-Szmek
99e3d47679 fstab-generator: allow overriding path to /sysroot/etc/fstab too
This adds $SYSTEMD_SYSROOT_FSTAB analoguous to $SYSTEMD_FSTAB.
2022-07-15 15:48:05 +02:00
Lennart Poettering
9fbb7df7bc
Merge pull request #24011 from poettering/condition-cred
pid1: add new condition type "ConditionCredential=" for checking for credentials passed into the system
2022-07-15 15:03:49 +02:00
Zbigniew Jędrzejewski-Szmek
17021368fc generators: accept one or three args, do not write to /tmp
Since the general generator logic was established in the rewrite in
07719a21b6, generators would always write to /tmp
by default. I think this not a good default at all, because generators write a
bunch of files and would create a mess in /tmp. And for debugging, one
generally needs to remove all the files in the output directory, because
generators will complain in the output paths are already present. Thus the
approach of disabling console logging and writing many files to /tmp when
invoked with no arguments is not nice, so let's disallow operation with no
args.

But when debugging, one generally does not care about the separate output dirs
(most generators use only one). Thus the general pattern I use is something
like:
  rm -rf /tmp/x && mkdir /tmp/x && build/some-generator /tmp/{x,x,x}
This commit allows only one directory to be specified and simplifies this to:
  rm -rf /tmp/x && mkdir /tmp/x && build/some-generator /tmp/x
2022-07-15 13:10:39 +02:00
Lennart Poettering
708daf42d8 tmpfiles: optionally, decode string to write to files with base64
This is useful to use "f" or "w" to write arbitrary binary files to
disk, or files with newlines and similar (for example to provision SSH
host keys and similar).
2022-07-15 11:55:03 +02:00
Lennart Poettering
462511c8c6 man: fix copy/paste typo 2022-07-15 10:53:45 +02:00
Lennart Poettering
4f80cfca5e pid1: add mechanism for conditionalizing units/network/netdev/link based on credentials passed in
This is useful when provisioning systems via nspawn/qemu and running
specific services only if specific data is passed into the system.
2022-07-15 10:53:45 +02:00
Lennart Poettering
8de7de462b pid1: import creds from SMBIOS too, not just qemu's fw_cfg
This imports credentials also via SMBIOS' "OEM vendor string" section,
similar to the existing import logic from fw_cfg.

Functionality-wise this is very similar to the existing fw_cfg logic,
both of which are easily settable on the qemu command line.

Pros and cons of each:

SMBIOS OEM vendor strings:
   - pro: fast, because memory mapped
   - pro: somewhat VMM independent, at least in theory
   - pro: qemu upstream sees this as the future
   - pro: no additional kernel module needed
   - con: strings only, thus binary data is base64 encoded

fw_cfg:
   - pro: has been supported for longer in qemu
   - pro: supports binary data
   - con: slow, because IO port based
   - con: only qemu
   - con: requires qemu_fw_cfg.ko kernel module
   - con: qemu upstream sees this as legacy
2022-07-15 08:31:34 +09:00
Yu Watanabe
08894b568f
Merge pull request #24021 from poettering/man-rlimit-comments
man: elaborate on the usefulness (and not-so-usefulness) of various process resource limits
2022-07-15 08:28:53 +09:00
Yu Watanabe
3f5ef8aeac
Merge pull request #24019 from yuwata/network-ipv4ll
network: refuse 169.254.0.0/24 and 169.254.255.0/24
2022-07-15 07:59:13 +09:00
Lennart Poettering
8c88895772 man: explain why various resource limits don't make sense and should not be used. 2022-07-14 23:53:51 +02:00
Yu Watanabe
dfeb5a076a
Merge pull request #24016 from poettering/sysctl-cred-extra
sysctl: also process sysctl requests via the "sysctl.extra" credential
2022-07-15 04:20:35 +09:00
Yu Watanabe
d3efcd2def network: refuse 169.254.0.0/24 and 169.254.255.0/24 for IPv4LLStartAddress=
Follow-up for #23927.
2022-07-15 03:37:09 +09:00
Yu Watanabe
c1dd250f18
Merge pull request #23927 from AndreKalb/feature/ipv4-link-local-start-address
network: Feature IPv4 link-local start address
2022-07-15 03:21:26 +09:00
Zbigniew Jędrzejewski-Szmek
9cfc294fe0 man: fix formatting of "BARRIER=1"
Whitespace inside of the <varname> field was propagated to the displayed form,
causing strange indentation.
2022-07-14 19:25:15 +02:00
Lennart Poettering
3840b14781 man: drop misplaced ',' 2022-07-14 18:04:01 +02:00
Lennart Poettering
39f0d1d2e7 sysctl: also process sysctl requests via the "sysctl.extra" credential 2022-07-14 18:02:58 +02:00
Andre Kalb
1df6201882 man/network: ServerAddress= drop "literal" from IP address ranges 2022-07-14 14:35:42 +02:00
Andre Kalb
34b63c9e45 network: Add support to select an IPv4 link-local start address 2022-07-13 23:57:18 +02:00
Zbigniew Jędrzejewski-Szmek
9e6df03412 man: lift pam_systemd_homed description to Summary
Also change the title to describe the module more comprehensively.
Follow-up for 90bc309aa2. Suggested
in https://bugzilla.redhat.com/show_bug.cgi?id=2085485#c5.
2022-07-13 14:00:54 +01:00
Yu Watanabe
0925c79c9e
Merge pull request #23881 from keszybz/kernel-install-strikes-yet-again
kernel-install: fix invocation as installkernel, add tests, tweak documentation
2022-07-13 02:44:50 +02:00
Łukasz Stelmach
aa5ae9711e smack: Add DefaultSmackProcessLabel to user.conf and system.conf
DefaultSmackProcessLabel tells systemd what label to assign to its child
process in case SmackProcessLabel is not set in the service file. By
default, when DefaultSmackProcessLabel is not set child processes inherit
label from systemd.

If DefaultSmackProcessLabel is set to "/" (which is an invalid character
for a SMACK label) the DEFAULT_SMACK_PROCESS_LABEL set during compilation
is ignored and systemd act as if the option was unset.
2022-07-12 22:47:32 +01:00
Luca Boccassi
768456e8e6
Merge pull request #23979 from DaanDeMeyer/nspawn-relative-paths
nspawn: Support relative paths for --bind and --overlay
2022-07-12 22:41:10 +01:00
Daan De Meyer
448f737730 nspawn: Support relative source paths for --bind and --overlay 2022-07-12 13:14:11 +02:00
Zbigniew Jędrzejewski-Szmek
6755285ccb kernel-install: allow overriding the plugin list too
The use of IFS=<newline> is dropped. Let's just iterate over the list, using
any whitespace as separator.
2022-07-12 09:22:09 +02:00
Lennart Poettering
90bc309aa2 man: explain why pam_systemd_home wants to be in all four stacks
Suggested here:

https://bugzilla.redhat.com/show_bug.cgi?id=2085485#c5
2022-07-11 21:03:58 +01:00
Daan De Meyer
f075e32ca1 nspawn: Rewrap --overlay docs 2022-07-11 21:43:41 +02:00
Zbigniew Jędrzejewski-Szmek
4bd035153b manager: add taint flag "support-ended"
In the welcome line, use NAME= as the fallback for PRETTY_NAME=.
PRETTY_NAME= doesn't have to be set, but NAME= should.

Example output:
---
Welcome to Fedora Linux 37 (Rawhide Prerelease)!

[  !!  ] This OS version (Fedora Linux 37 (Rawhide Prerelease)) is past its end-of-support date (1999-01-01)
Queued start job for default target graphical.target.
[  OK  ] Created slice system-getty.slice.
---
2022-07-10 14:33:52 +02:00
Zbigniew Jędrzejewski-Szmek
8bf9eb7e6b man: update the description of taint flags
We had a description in README, and an outdated list in the man page.
I think we should keep a reference-style list in the man page. The description
in README is more free-form.
2022-07-09 19:18:14 +02:00
Zbigniew Jędrzejewski-Szmek
caa779abb6 man: redefine SUPPORT_END= to mean one day earlier
I thought it would be nice to specify the last day of support, because I
thought it'd seem more natural. But in practice this doesn't work well, because
such a truncated timestamp is usually taken to mean midnight that starts the
given date. I.e. 2011-12-13 is a shorthand for 2011-12-13 00:00:00 and not
2011-12-13 23:59:59.999999999999. Let's instead specify that the given date is
the first unsupported day, which is meaningful for humans, and let the computer
treat it as midnight, which gives consistent interpratation.
2022-07-09 18:02:34 +02:00
Luca Boccassi
89f119b654
Merge pull request #23731 from bluca/bootctl_image
bootctl: add --root and --image
2022-07-08 21:59:16 +01:00
Luca Boccassi
02d06ba180 bootctl: add --install-source=auto|image|host
When using --root=/--image= the binaries to install/update will be
picked from the directory/image. Add an option to let the caller
choose.
By default (auto) the image is tried first, and if nothing is found
then the host. The other options allow to strictly try the image
or host and ignore the other.
2022-07-08 16:58:51 +01:00
Luca Boccassi
80a2381d5c bootctl: add --root and --image
Operate on image/directory, and also take files to install from it
2022-07-08 16:58:15 +01:00
Frank Dana
1f7eed4c35 resolvectl man page: Word correction 2022-07-07 13:02:06 +02:00
Zbigniew Jędrzejewski-Szmek
2615c1f17a os-release: define SUPPORT_END=
Fixes #21764.

I think is very simple, but flexible. The date may be set early, for distros
that have a fixed schedule, but it doesn't have to. So for example Debian could
push out an update that sets a few months before the release goes EOL. And
various tools, in particular graphical desktops, can start nagging people to
upgrade a few weeks before the date.

As discussed in the bug, we don't need granularity higher than a day. And this
means that we can use a simple human- and machine-readable format.
I was considering other names, e.g. something with "EOL", but I think that
"SUPPORT_END" is better because it doesn't imply that the machine will somehow
stop working. This is supposed to be an advisory, nothing more.
2022-07-07 07:35:17 +09:00
Zbigniew Jędrzejewski-Szmek
132b63bd31
Merge pull request #15205 from jlebon/pr/preset-all-firstboot
manager: optionally, do a full preset on first boot
2022-07-06 19:11:01 +02:00
Zbigniew Jędrzejewski-Szmek
91199185b1 kernel-install: allow overriding the path to config files
It's pretty hard to write tests without this. I started out by adding separate
variables for each of the files we read, but there's a bunch, and in practice
it's good enough to just override the directory.
2022-07-06 16:33:11 +02:00
Zbigniew Jędrzejewski-Szmek
f5f5047ff1 man: rework documentation of kernel-install config
Variables read by kernel-install and those exported by it were described
without any clear separation. So in particular it was pretty hard to answer
a question like "what variables can be set in install.conf". The in- and
out-variables are now split into two separate subsections.
2022-07-06 16:33:09 +02:00
Lennart Poettering
0c772b1cc1 man: "enabled commands are started at boot" is rubbish
it's enabled units, and they might be started by various forms of
activation, not just "at boot".

Fix that.
2022-07-06 15:56:53 +02:00
Yu Watanabe
917c6bb4b3
Merge pull request #23916 from keszybz/assorted-patches
Assorted patches
2022-07-06 14:15:50 +09:00
Lennart Poettering
e07ed99dd7 docs: normalize uppercasing of titles of network doc 2022-07-05 22:12:08 +02:00
Zbigniew Jędrzejewski-Szmek
6f52e1c63b man: fix link to glob(3) 2022-07-05 21:49:12 +02:00
nl6720
0e68582323 tree-wide: link to docs.kernel.org for kernel documentation
https://www.kernel.org/ links to https://docs.kernel.org/ for the documentation.
See https://git.kernel.org/pub/scm/docs/kernel/website.git/commit/?id=ebc1c372850f249dd143c6d942e66c88ec610520

These URLs are shorter and nicer looking.
2022-07-04 19:56:53 +02:00
Zbigniew Jędrzejewski-Szmek
f217f9a8b3 man/network: fix wording and syntax
Follow-up for 0bcc6557fb. Docbook doesn't
know <variable>.
2022-07-02 13:40:49 +02:00
Zbigniew Jędrzejewski-Szmek
2f8211c64a tree-wide: use html links for kernel docs
Instead of using "*.txt" as reference name, use the actual destination title.
2022-07-02 12:13:00 +02:00
Zbigniew Jędrzejewski-Szmek
628f7b1e70 sd-bus: use assert_return() in public function sd_bus_message_dump
Also, document that NULL is allowed.
2022-06-30 10:55:39 +02:00
Zbigniew Jędrzejewski-Szmek
7e922b0584 sd-event: let sd_event_source_set_enabled accept NULL
Same story as before: disabling a non-existent event source shouldn't
need to be guarded by an if. I retained the wrapper so that that we don't
have to say SD_EVENT_OFF in the many places where this is called.
2022-06-30 10:35:27 +02:00
Zbigniew Jędrzejewski-Szmek
71193c0b62 sd-event: allow sd_event_source_is_enabled() to return false for NULL
This is a natural use case, and instead of defining a wrapper to do this
for us, let's just make this part of the API. Calling with NULL was not
allowed, so this is not a breaking change to the interface.

(After sd_event_source_is_enabled was originally added, we introduced
sd_event_source_disable_unref() and other similar functions which accept
NULL. So not accepting NULL here is likely to confuse people. Let's just
make the API usable with minimal fuss.)
2022-06-30 10:35:27 +02:00
Zbigniew Jędrzejewski-Szmek
85f8afb706 man: document sd_bus_message_read_strv_extend() 2022-06-30 10:35:27 +02:00
Zbigniew Jędrzejewski-Szmek
944c124330 man: document sd_id128_string_equal() 2022-06-30 10:35:27 +02:00
Zbigniew Jędrzejewski-Szmek
d13f105165 man: rework the text in sd-id128
In places the text was overly formal, e.g. "an 128-bit ID" was repeated, even
though it is clear from the context that we're talking about this type of ID.
OTOH, in other places the text was informal, e.g. "You can use …".
Also, "you may use f() to frob" → "f() frobs". The text without all the
flourishes is easier to read.

sd_id128_in_set_sentinel() was described only in passing when taking about
sd_id128_in_set(), now it gets is own brief paragraph.

The synopsis was missing.
2022-06-30 10:35:27 +02:00
Zbigniew Jędrzejewski-Szmek
870c2aaf8c man: document sd_bus_error_setfv()
The description for sd_bus_error_set_errnof/sd_bus_error_set_errnofv are
adjusted to use the same pattern.
2022-06-30 10:35:27 +02:00
Zbigniew Jędrzejewski-Szmek
4e116dd4fc meson: update man-generation rules for sd_hwdb_new_from_path
Forgotten in 60f0ba7556.
2022-06-30 10:35:27 +02:00
Michael Biebl
e2285c5735 Use https for man7.org 2022-06-28 16:05:31 +02:00
Michael Biebl
41d6f3bf4d Use https for freedesktop.org
grep -l -r http:// | xargs sed -E -i s'#http://(.*).freedesktop.org#https://\1.freedesktop.org#'
2022-06-28 13:10:05 +02:00
David Tardon
4885d7490b logind-session-dbus: allow to set display name via dbus
Currently, the only way to set display name of a graphical session is to
pass it to CreateSession(). But modern display managers like gdm start
the display server as part of the user session, which means that the
display name isn't known yet when the session is being created. Hence,
let's make it possible to set it later.
2022-06-22 22:34:29 +02:00
Yu Watanabe
46355675f7
Merge pull request #23774 from yuwata/netlabel-nftset-follow-ups
network, core: revert NFTSet and NetLabel features
2022-06-23 01:33:19 +09:00
Zbigniew Jędrzejewski-Szmek
a7b2aa658f
Merge pull request #23806 from keszybz/udevadm-info-pager
Pager for udevadm info
2022-06-22 16:50:53 +02:00
Yu Watanabe
a32badc5a6 Revert "networkd: NetLabel integration"
This reverts PR #23269 and its follow-up commit. Especially,
2299b1cae3 (partially), and
3cf63830ac.

The PR was merged without final approval, and has several issues:
- The NetLabel for static addresses are not assigned, as labels are
  stored in the Address objects managed by Network, instead of Link.
- If NetLabel is specified for a static address, then the address
  section will be invalid and the address will not be configured,
- It should be implemented with Request object,
- There is no test about the feature.
2022-06-22 22:34:26 +09:00
Yu Watanabe
b48ed70c79 Revert NFTSet feature
This reverts PR #22587 and its follow-up commit. More specifically,
2299b1cae3 (partially),
e176f85527,
ceb46a31a0, and
51bb9076ab.

The PR was merged without final approval, and has several issues:
- OSS fuzz reported issues in the conf parser,
- It calls synchrnous netlink call, it should not be especially in PID1,
- The importance of NFTSet for CGroup and DynamicUser may be
  questionable, at least, there was no justification PID1 should support
  it.
- For networkd, it should be implemented with Request object,
- There is no test for the feature.

Fixes #23711.
Fixes #23717.
Fixes #23719.
Fixes #23720.
Fixes #23721.
Fixes #23759.
2022-06-22 22:23:58 +09:00
Zbigniew Jędrzejewski-Szmek
b6ec23a01a udevadm info: implement --no-pager 2022-06-22 14:31:42 +02:00
Foster Snowhill
1132f004b3 cryptenroll: fix typo in manpage 2022-06-18 10:42:13 +09:00
Yu Watanabe
172cbcdc8b tree-wide: fix typo 2022-06-15 14:50:34 +09:00
adrian5
b105d41304 man: Add some punctuation; remove double spaces. 2022-06-15 03:22:15 +09:00
Jan Janssen
23742af522 boot: Drop use of MetaiMatch
A future commit will add support for unicode collation protocol that
allows case folding and comparing strings with locale awareness. But it
only operates on whole strings, so fnmatch cannot use those without a
heavy cost. Instead we just case fold the patterns instead (the IDs we
try to match are already lower case).
2022-06-09 12:50:13 +02:00
Topi Miettinen
46c3b1ff88 core: firewall integration with DynamicUserNFTSet=
New directive `DynamicUserNFTSet=` provides a method for integrating
configuration of dynamic users into firewall rules with NFT sets.

Example:
```
table inet filter {
        set u {
                typeof meta skuid
        }

        chain service_output {
                meta skuid != @u drop
                accept
        }
}
```

```
/etc/systemd/system/dunft.service
[Service]
DynamicUser=yes
DynamicUserNFTSet=inet:filter:u
ExecStart=/bin/sleep 1000

[Install]
WantedBy=multi-user.target
```

```
$ sudo nft list set inet filter u
table inet filter {
        set u {
                typeof meta skuid
                elements = { 64864 }
        }
}
$ ps -n --format user,group,pid,command -p `pgrep sleep`
    USER    GROUP     PID COMMAND
   64864    64864   55158 /bin/sleep 1000
```
2022-06-08 16:12:25 +00:00
Topi Miettinen
c0548df0a2 core: firewall integration with ControlGroupNFTSet=
New directive `ControlGroupNFTSet=` provides a method for integrating services
into firewall rules with NFT sets.

Example:

```
table inet filter {
...
        set timesyncd {
                type cgroupsv2
        }

        chain ntp_output {
                socket cgroupv2 != @timesyncd counter drop
                accept
        }
...
}
```

/etc/systemd/system/systemd-timesyncd.service.d/override.conf
```
[Service]
ControlGroupNFTSet=inet:filter:timesyncd
```

```
$ sudo nft list set inet filter timesyncd
table inet filter {
        set timesyncd {
                type cgroupsv2
                elements = { "system.slice/systemd-timesyncd.service" }
        }
}
```
2022-06-08 16:12:25 +00:00
Topi Miettinen
ab51fd9dbd network: firewall integration with NFT sets
New directives `NFTSet=`, `IPv4NFTSet=` and `IPv6NFTSet=` provide a method for
integrating configuration of dynamic networks into firewall rules with NFT
sets.

/etc/systemd/network/eth.network
```
[DHCPv4]
...
NFTSet=netdev:filter:eth_ipv4_address
```

```
table netdev filter {
        set eth_ipv4_address {
                type ipv4_addr
                flags interval
        }
        chain eth_ingress {
                type filter hook ingress device "eth0" priority filter; policy drop;
                ip saddr != @eth_ipv4_address drop
                accept
        }
}
```
```
sudo nft list set netdev filter eth_ipv4_address
table netdev filter {
        set eth_ipv4_address {
                type ipv4_addr
                flags interval
                elements = { 10.0.0.0/24 }
        }
}
```
2022-06-08 16:12:25 +00:00
Topi Miettinen
3cf63830ac networkd: NetLabel integration
New directive `NetLabel=` provides a method for integrating dynamic network
configuration into Linux NetLabel subsystem rules, used by Linux security
modules (LSMs) for network access control. The option expects a whitespace
separated list of NetLabel labels. The labels must conform to lexical
restrictions of LSM labels. When an interface is configured with IP addresses,
the addresses and subnetwork masks will be appended to the NetLabel Fallback
Peer Labeling rules. They will be removed when the interface is
deconfigured. Failures to manage the labels will be ignored.

Example:
```
[DHCP]
NetLabel=system_u:object_r:localnet_peer_t:s0
```

With the above rules for interface `eth0`, when the interface is configured with
an IPv4 address of 10.0.0.0/8, `systemd-networkd` performs the equivalent of
`netlabelctl` operation

```
$ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
```

Result:
```
$ sudo netlabelctl -p unlbl list
...
 interface: eth0
   address: 10.0.0.0/8
    label: "system_u:object_r:localnet_peer_t:s0"
...
```
2022-06-06 18:24:10 +00:00
Zbigniew Jędrzejewski-Szmek
6a9f3cef8c
Merge pull request #23576 from yuwata/network-erspan-version
network: support erspan version 0 and 2
2022-06-02 16:58:55 +02:00
Antonio Alvarez Feijoo
5ad0109cd8 man: add missing arguments to systemd-creds synopsis 2022-06-02 16:35:36 +02:00
Steve Ramage
39a742888b
Documents the AssertCPUFeature= flag (#23594)
Fixes #23593
2022-06-02 13:16:48 +09:00
Zbigniew Jędrzejewski-Szmek
14c811ff4a
Merge pull request #23575 from keszybz/logind-wall-message-cleanup
Cleanup wall messages emitted by logind and systemctl
2022-06-01 16:26:29 +02:00
Zbigniew Jędrzejewski-Szmek
5b69a7c540 man/systemctl: improve grammar in description of --check-inhibitors 2022-06-01 09:23:55 +02:00
Yu Watanabe
98406eda8a network/erspan: support erspan version 0 and 2
This also makes networkd accepts erspan index 0.

Closes #23570.
2022-06-01 04:02:48 +09:00
Benjamin Franzke
926f2a04fc man/nspawn: os-release is only checked for booted containers
/etc/os-release existence is only enforced in --boot mode,
therefore the term "starting" (which also applies to chroot-like mode)
is substituted with "booting" in this context.
2022-05-30 20:26:44 +02:00
Benjamin Franzke
3a9d9f2a23 man/nspawn: add a sentence-connecting adverb to machinectl note
The recommendation to use machinectl login/shell instead of
trying to combine two distinct container instances seemed a
litte bit out of context and is now combined via "rather".
2022-05-30 20:21:27 +02:00
Benjamin Franzke
b47013fd77 man/nspawn: fix boot-option related wording 2022-05-30 20:21:27 +02:00