1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

136 Commits

Author SHA1 Message Date
Daan De Meyer
bbfb25f4b9 creds: Add ImportCredential=
ImportCredential= takes a credential name and searches for a matching
credential in all the credential stores we know about it. It supports
globs which are expanded so that all matching credentials are loaded.
2023-06-08 14:09:18 +02:00
Stefan Roesch
85614c6e2f add support for KSM
This adds support for KSM (kernel samepage merging). It adds a new
boolean parameter called MemoryKSM to enable the feature. The feature
can only be enabled with newer kernels.
2023-06-05 11:22:43 +02:00
Lennart Poettering
4de665812a man: document the soft reboot operation 2023-06-02 18:43:10 +02:00
Luca Boccassi
d936595672 manager: restrict Dump*() to privileged callers or ratelimit
Dump*() methods can take quite some time due to the amount of data to
serialize, so they can potentially stall the manager. Make them
privileged, as they are debugging tools anyway. Use a new 'dump'
capability for polkit, and the 'reload' capability for SELinux, as
that's also non-destructive but slow.

If the caller is not privileged, allow it but rate limited to 10 calls
every 10 minutes.
2023-05-19 15:18:23 +01:00
Mike Yuan
e9f17fa8dd
core: rename RestartSecMax to RestartMaxDelaySec 2023-05-18 00:23:49 +08:00
Zbigniew Jędrzejewski-Szmek
8fb350049b man: fixes for assorted issues reported by the manpage-l10n project
Fixes #26761.
2023-05-17 12:25:01 +02:00
Miao Wang
4fad639a13 doc: remove legacy DefaultControlGroup from dbus properties
DefaultControlGroup does not exist any more.
2023-05-08 22:23:00 +09:00
Lennart Poettering
a8b993dc11 core: add DelegateSubgroup= setting
This implements a minimal subset of #24961, but in a lot more
restrictive way: we only allow one level of subcgroup (as that's enough
to address the no-processes in inner cgroups rule), and does not change
anything about threaded cgroup logic or similar, or make any of this new
behaviour mandatory.

All this does is this: all non-control processes we invoke for a unit
we'll invoke in a subgroup by the specified name.

We'll later port all our current services that use cgroup delegation
over to this, i.e. user@.service, systemd-nspawn@.service and
systemd-udevd.service.
2023-04-27 12:18:32 +02:00
Lennart Poettering
b9c1883a9c service: add ability to pin fd store
Oftentimes it is useful to allow the per-service fd store to survive
longer than for a restart. This is useful in various scenarios:

1. An fd to some security relevant object needs to be stashed somewhere,
   that should not be cleaned automatically, because the security
   enforcement would be dropped then.

2. A user namespace fd should be allocated on first invocation and be
   kept around until the user logs out (i.e. systemd --user ends), á la
   #16328 (This does not implement what #16318 asks for, but should
   solve the use-case discussed there.)

3. There's interest in allow a concept of "userspace reboots" where the
   kernel stays running, and userspace is swapped out (i.e. all services
   exit, and the rootfs transitioned into a new version of it) while
   keeping some select resources pinned, very similar to how we
   implement a switch root. Thus it is useful to allow services to exit,
   while leaving their fds around till the very end.

This is exposed through a new FileDescriptorStorePreserve= setting that
is closely modelled after RuntimeDirectoryPreserve= (in fact it reused
the same internal type), since we want similar behaviour in the end, and
quite often they probably want to be used together.
2023-04-13 06:44:27 +02:00
Lennart Poettering
3af48a86d9
Merge pull request #25608 from poettering/dissect-moar
dissect: add dissection policies
2023-04-12 13:46:08 +02:00
Colin Walters
4e1ac54e1c tree-wide: A few more uses of "unmet" for conditions
This is a followup to
413e8650b7
> tree-wide: Use "unmet" for condition checks, not "failed"

Since I noticed when running `systemctl status` on a recent
systemd still seeing
`Condition: start condition failed`

To recap the original rationale here for "unmet" is that it's
normal for some units to be conditional, so the term "failure"
here is too strong.
2023-04-11 12:36:53 +09:00
Lennart Poettering
84be0c710d tree-wide: hook up image dissection policy logic everywhere 2023-04-05 20:45:30 +02:00
Mike Yuan
5171356eee core: always calculate the next restart interval
Follow-up for #26902 and #26971

Let's always calculate the next restart interval
since that's more useful.

For that, we add 1 to s->n_restarts unconditionally,
and change RestartUSecCurrent property to RestartUSecNext.
2023-03-31 01:22:58 +01:00
Lennart Poettering
2ea24611b9 pid1: add DumpFileDescriptorStore() bus call that returns fdstore content info 2023-03-29 18:53:20 +02:00
Mike Yuan
57b33e0ce7
core/dbus-service: add RestartUSecCurrent property
This new property shows how much time we actually
waits before restarting.
2023-03-27 19:31:12 +08:00
Mike Yuan
be1adc27fc
core: add RestartSteps= and RestartSecMax= for exponentially increasing
interval between restarts

RestartSteps= accepts a positive integer as the number of steps
to take to increase the interval between auto-restarts from
RestartSec= to RestartSecMax=, or 0 to disable it.

Closes #6129
2023-03-27 19:31:12 +08:00
Mike Yuan
19dff6914d
core: support overriding NOTIFYACCESS= through sd-notify during runtime
Closes #25963
2023-03-22 06:33:12 +08:00
Lennart Poettering
6bb0084204 pid1: add unit file settings to control memory pressure logic 2023-03-01 09:43:23 +01:00
Yu Watanabe
60c5bd7759 tree-wide: fix typo 2023-02-22 14:46:19 +09:00
Lennart Poettering
a721cd0016 pid1: add a new D-Bus method for enquing POSIX signals with values to unit processes
This augments the existing KillUnit() + Kill() methods with
QueueSignalUnit() + QueueSignal(), which are what sigqueue() is to
kill().

This is useful for sending our new SIGRTMIN+18 control signals to system
services.
2023-02-17 09:55:35 +01:00
Luca Boccassi
53fda560dc core: add support for Startup memory limits
We support separate Startup configurations for CPU and I/O, so
add it for memory too. Only cover cgroupsv2 settings.
2023-02-15 20:01:16 +00:00
Luca Boccassi
e0e7bc8223 core: add GetUnitByPIDFD method and use it in systemctl
A pid can be recycled, but a pidfd is pinned. Add a new method that is safer
as it takes a pidfd as input.
Return not only the D-Bus object path, but also the unit id and the last
recorded invocation id, as they are both useful (especially the id, as
converting from a path object to a unit id from a script requires another
round-trip via D-Bus).

Note that the manager still tracks processes by pid, so theorethically this
is not fully error-proof, but on the other hand the method response is
synchronous and the manager is single-threaded, so once a call is being
processed the unit database will not change anyway. Once the manager
switches to use pidfds everywhere, this can be further hardened.
2023-01-18 10:58:46 +01:00
Lennart Poettering
3bd28bf721 pid1: add new Type=notify-reload service type
Fixes: #6162
2023-01-10 18:28:38 +01:00
Richard Phibel
cd48e23f6a core: add OpenFile setting 2023-01-10 15:16:26 +01:00
Quentin Deslandes
523ea1237a journal: log filtering options support in PID1
Define new unit parameter (LogFilterPatterns) to filter logs processed by
journald.

This option is used to store a regular expression which is carried from
PID1 to systemd-journald through a cgroup xattrs:
`user.journald_log_filter_patterns`.
2022-12-15 09:57:39 +00:00
Zbigniew Jędrzejewski-Szmek
8608fef36c
Merge pull request #25437 from YHNdnzj/systemctl-disable-warn-statically-enabled-services
systemctl: warn if trying to disable a unit with no install info
2022-12-05 10:27:24 +01:00
Mike Yuan
bf1bea43f1
systemctl: warn if trying to disable a unit with no install info
Trying to disable a unit with no install info is mostly useless, so
adding a warning like we do for enable (with the new dbus method
'DisableUnitFilesWithFlagsAndInstallInfo()'). Note that it would
still find and remove symlinks to the unit in /etc, regardless of
whether it has install info or not, just like before. And if there are
actually files to remove, we suppress the warning.

Fixes #17689
2022-12-03 20:26:14 +08:00
Lennart Poettering
0461375326
Merge pull request #25385 from drvink/main
systemd: Support OOMPolicy in scope units
2022-11-29 14:40:18 +01:00
Mark Laws
5fa098357e systemd: Support OOMPolicy in scope units
Closes #25376.
2022-11-24 19:41:28 +09:00
Pasha Vorobyev
d7fe0a6723 MemoryZSwapMax directive to configure new memory.zswap.max cgroup file 2022-11-15 21:15:37 +01:00
Frantisek Sumsal
1ca1bb03de man: use the correct 'Markers' property name for marking units
Follow-up to c9615f7352 and 70666e28a1.
2022-11-02 14:36:51 +01:00
Zbigniew Jędrzejewski-Szmek
9e11abe817
Merge pull request #25007 from keszybz/rename-dbus-dump
manager: rename dbus method
2022-10-18 11:34:16 +02:00
Zbigniew Jędrzejewski-Szmek
f6cce15bb3 manager: add DumpUnitsMatchingPatternsByFileDescriptor() 2022-10-17 15:00:53 +02:00
Zbigniew Jędrzejewski-Szmek
e2d4456f43 man: fix method name 2022-10-17 13:50:17 +02:00
Zbigniew Jędrzejewski-Szmek
293b9aa3eb manager: rename dbus method
Fixes #24989.
2022-10-14 18:31:33 +02:00
Franck Bui
d1d8786c5b analyze: extend the dump command to accept patterns
The new function DumpPatterns() can be used to limit (drastically) the size of
the data returned by PID1. Hence the optimization of serializing data into a
file descriptor should be less relevant than having the possibility to limit
the data when communicating with the service manager remotely.

NB: when passing patterns, the dump command omits the version of the manager as
well as the features and the timestamps.
2022-10-13 07:47:42 +09:00
Lennart Poettering
0df8512124 man: document the Dump() calls of the PID 1 D-Bus interface, and what they are 2022-09-30 11:32:24 +02:00
Lennart Poettering
4d0d34b4e7
Merge pull request #24709 from keszybz/partition-table-constants
Expose various GPT UUIDs as public contants and link them up in docs
2022-09-21 20:07:21 +02:00
Zbigniew Jędrzejewski-Szmek
b66a6e1a58 man: "the initial RAM disk" → "the initrd"
In many places we spelled out the phrase behind "initrd" in full, but this
isn't terribly useful. In fact, no "RAM disk" is used, so emphasizing this
is just confusing to the reader. Let's just say "initrd" everywhere, people
understand what this refers to, and that it's in fact an initramfs image.

Also, s/i.e./e.g./ where appropriate.

Also, don't say "in RAM", when in fact it's virtual memory, whose pages
may or may not be loaded in page frames in RAM, and we have no control over
this.

Also, add <filename></filename> and other minor cleanups.
2022-09-20 16:48:50 +02:00
Yu Watanabe
3e911a0d0e pid1: drop redundant DBus properties
Follow-up for 10f3f4ed01.

We already have RuntimeWatchdogUSec or friends. Let's not introduce
redundant properties.

Also, drop the const qualifier for WatchdogLastPingTimestamp, as they
are actually not constant.
2022-09-16 21:53:28 +09:00
Yu Watanabe
10f3f4ed01 pid1: introduce dbus properties WatchdogDevice and friends
Closes #24665.
2022-09-14 13:13:59 +01:00
Luca Boccassi
48b92b37ac core: add basic infrastructure to record unit activation information
Not wired in by any unit type yet, just the basic to allocate,
ref, deref and plug in to other unit types.
Includes recording the trigger unit name and passing it to the
triggered unit as TRIGGER_UNIT= env var.
2022-08-23 20:38:08 +01:00
Lennart Poettering
d096265708
Merge pull request #24044 from dtardon/default-device-timeout
Add a configuration option for setting default device timeout
2022-08-08 15:32:55 +02:00
David Tardon
141332ab55 man: update dbus docs 2022-08-05 15:56:23 +02:00
Lennart Poettering
23e9a7dde5 core: cache unit file selinux label, and make decisions based on that
Do not go back to disk on each selinux access, but instead cache the
label off the inode we are actually reading. That way unit file contents
and unit file label we use for access checks are always in sync.

Based on discussions here:

https://github.com/systemd/systemd/pull/10023#issuecomment-1179835586

Replaces:

https://github.com/systemd/systemd/pull/23910

This changes behaviour a bit, because we'll reach and cache the label at
the moment of loading the unit (i.e. usually on boot and reload), but
not after relabelling. Thus, users must refresh the cache explicitly via
a "systemctl daemon-reload" if they relabelled things.

This makes the SELinux story a bit more debuggable, as it adds an
AccessSELinuxContext bus property to units that will report the label we are
using for a unit (or the empty string if not known).

This also drops using the "source" path of a unit as label source. if
there's value in it, then generators should manually copy the selinux
label from the source files onto the generated unit files, so that the
rule that "access labels are read when we read the definition files" is
upheld. But I am not convinced this is really a necessary, good idea.
2022-07-20 19:08:28 +02:00
Zbigniew Jędrzejewski-Szmek
4bd035153b manager: add taint flag "support-ended"
In the welcome line, use NAME= as the fallback for PRETTY_NAME=.
PRETTY_NAME= doesn't have to be set, but NAME= should.

Example output:
---
Welcome to Fedora Linux 37 (Rawhide Prerelease)!

[  !!  ] This OS version (Fedora Linux 37 (Rawhide Prerelease)) is past its end-of-support date (1999-01-01)
Queued start job for default target graphical.target.
[  OK  ] Created slice system-getty.slice.
---
2022-07-10 14:33:52 +02:00
Zbigniew Jędrzejewski-Szmek
8bf9eb7e6b man: update the description of taint flags
We had a description in README, and an outdated list in the man page.
I think we should keep a reference-style list in the man page. The description
in README is more free-form.
2022-07-09 19:18:14 +02:00
Yu Watanabe
b48ed70c79 Revert NFTSet feature
This reverts PR #22587 and its follow-up commit. More specifically,
2299b1cae3 (partially),
e176f85527,
ceb46a31a0, and
51bb9076ab.

The PR was merged without final approval, and has several issues:
- OSS fuzz reported issues in the conf parser,
- It calls synchrnous netlink call, it should not be especially in PID1,
- The importance of NFTSet for CGroup and DynamicUser may be
  questionable, at least, there was no justification PID1 should support
  it.
- For networkd, it should be implemented with Request object,
- There is no test for the feature.

Fixes #23711.
Fixes #23717.
Fixes #23719.
Fixes #23720.
Fixes #23721.
Fixes #23759.
2022-06-22 22:23:58 +09:00
Topi Miettinen
46c3b1ff88 core: firewall integration with DynamicUserNFTSet=
New directive `DynamicUserNFTSet=` provides a method for integrating
configuration of dynamic users into firewall rules with NFT sets.

Example:
```
table inet filter {
        set u {
                typeof meta skuid
        }

        chain service_output {
                meta skuid != @u drop
                accept
        }
}
```

```
/etc/systemd/system/dunft.service
[Service]
DynamicUser=yes
DynamicUserNFTSet=inet:filter:u
ExecStart=/bin/sleep 1000

[Install]
WantedBy=multi-user.target
```

```
$ sudo nft list set inet filter u
table inet filter {
        set u {
                typeof meta skuid
                elements = { 64864 }
        }
}
$ ps -n --format user,group,pid,command -p `pgrep sleep`
    USER    GROUP     PID COMMAND
   64864    64864   55158 /bin/sleep 1000
```
2022-06-08 16:12:25 +00:00
Topi Miettinen
c0548df0a2 core: firewall integration with ControlGroupNFTSet=
New directive `ControlGroupNFTSet=` provides a method for integrating services
into firewall rules with NFT sets.

Example:

```
table inet filter {
...
        set timesyncd {
                type cgroupsv2
        }

        chain ntp_output {
                socket cgroupv2 != @timesyncd counter drop
                accept
        }
...
}
```

/etc/systemd/system/systemd-timesyncd.service.d/override.conf
```
[Service]
ControlGroupNFTSet=inet:filter:timesyncd
```

```
$ sudo nft list set inet filter timesyncd
table inet filter {
        set timesyncd {
                type cgroupsv2
                elements = { "system.slice/systemd-timesyncd.service" }
        }
}
```
2022-06-08 16:12:25 +00:00