1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00
Commit Graph

490 Commits

Author SHA1 Message Date
Maanya Goenka
dfbda8799c systemd-analyze: add new 'security' option to compare unit's overall exposure level with
--threshold option added to work with security verb and with the --offline option so that
users can determine what qualifies as a security threat. The threshold set by the user is
compared with the overall exposure level assigned to a unit file and if the exposure is
higher than the threshold, 'security' will return a non-zero exit status. The default value
of the --threshold option is 100.

Example Run:

1. testcase.service is a unit file created for testing the --threshold option

    maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service

    > [Service]
    > ExecStart = echo hello
    > EOF

    For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings.

    maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
    /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
    process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
    Support for KillMode=none is deprecated and will eventually be removed.
    /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
    unit file, and consider removing the setting altogether.
    /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
    /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

      NAME                                        DESCRIPTION                                                       EXPOSURE
    ✗ PrivateNetwork=                             Service has access to the host's network                          0.5
    ✗ User=/DynamicUser=                          Service runs as root user                                         0.4

    → Overall exposure level for testcase.service: 9.6 UNSAFE 😨

    maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0

2. Next, we use the same testcase.service file but add an additional --threshold=60 parameter. We would expect 'security' to exit
   with a non-zero status because the overall exposure level (= 96) is higher than the set threshold (= 60).

    maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
    /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
    process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
    Support for KillMode=none is deprecated and will eventually be removed.
    /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
    unit file, and consider removing the setting altogether.
    /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
    /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

      NAME                                        DESCRIPTION                                                       EXPOSURE
    ✗ PrivateNetwork=                             Service has access to the host's network                          0.5
    ✗ User=/DynamicUser=                          Service runs as root user                                         0.4

    → Overall exposure level for testcase.service: 9.6 UNSAFE 😨

    maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1
2021-08-20 10:59:13 -07:00
Maanya Goenka
bb43d85319 systemd-analyze: 'security' option to perform offline reviews of the specified unit file(s)
New option --offline which works with the 'security' command and takes in a boolean value. When set to true,
it performs an offline security review of the specified unit file(s). It does not rely on PID 1 to acquire
security information for the files like 'security' when used by itself does. It makes use of the refactored
security_info struct instead (commit #8cd669d3d3cf1b5e8667acc46ba290a9e8a8e529). This means that --offline can be
used with --image and --root as well. When used with --threshold, if a unit's overall exposure level is above
that set by the user, the default value being 100, --offline returns a non-zero exit status.

Example Run:

1. testcase.service is a unit file created for testing the --offline option

maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service

> [Service]
> ExecStart = echo hello
> EOF

For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings.

maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                        DESCRIPTION                                                       EXPOSURE
✗ PrivateNetwork=                             Service has access to the host's network                          0.5
✗ User=/DynamicUser=                          Service runs as root user                                         0.4

→ Overall exposure level for testcase.service: 9.6 UNSAFE 😨

maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0

2. The testcase.service unit file is modified to set PrivateNetwork to "yes". This reduces the exposure level from 9.6 to 9.1.

maanya-goenka@debian:~/systemd (systemd-security)$ nano testcase.service

> [Service]
> ExecStart = echo hello
> PrivateNetwork = yes
> EOF

maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                        DESCRIPTION                                                       EXPOSURE
✓ PrivateNetwork=                             Service has access to the host's network
✗ User=/DynamicUser=                          Service runs as root user                                         0.4

→ Overall exposure level for testcase.service: 9.1 UNSAFE 😨

maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0

3. Next, we use the same testcase.service unit file but add the additional --threshold=60 option to see how --threshold works with
--offline. Since the overall exposure level is 91 which is greater than the threshold value set by the user (= 60), we can expect
a non-zero exit status.

maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                        DESCRIPTION                                                       EXPOSURE
✓ PrivateNetwork=                             Service has access to the host's network
✗ User=/DynamicUser=                          Service runs as root user                                         0.4

→ Overall exposure level for testcase.service: 9.1 UNSAFE 😨

maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1
2021-08-20 10:59:13 -07:00
Yu Watanabe
7ce05a8d66 udevadm: introduce -a|--action option for test-builtin command
As net_setup_link builtin requires that a device action is set for the
sd_device object.
2021-08-18 00:08:08 +09:00
Yu Watanabe
74614801f6 shell-completion: add missing uevent actions for udevadm 2021-08-17 23:22:26 +09:00
Maanya Goenka
3cc3dc7736 systemd-analyze: option to exit with an error when 'verify' fails
The commit introduces a callback invoked from log_syntax_internal.
Use it from systemd-analyze to gather a list of units that contain
syntax warnings. A new command line option is added to make use of this.

The new option --recursive-errors takes in three possible modes:

1. yes - which is the default. systemd-analyze exits with an error when syntax warnings arise during verification of the
	 specified units or any of their dependencies.
3. no - systemd-analyze exits with an error when syntax warnings arise during verification of only the selected unit.
	Analyzing and loading any dependencies will be skipped.
4. one - systemd-analyze exits with an error when syntax warnings arise during verification
	 of only the selected units and their direct dependencies.

Below are two service unit files that I created for the purposes of testing:

1. First, we run the commands on a unit that does not have dependencies but has a non-existing key-value setting (i.e. foo = bar).

> cat <<EOF>testcase.service

[Unit]
foo = bar

[Service]
ExecStart = echo hello
EOF

OUTPUT:

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=yes testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=no testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=one testcase.service
/home/maanya-goenka/systemd/testcase.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

2. Next, we run the commands on a unit that is syntactically valid but has a non-existing dependency (i.e. foo2.service)

> cat <<EOF>foobar.service

[Unit]
Requires = foo2.service

[Service]
ExecStart = echo hello
EOF

OUTPUT:

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify foobar.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
foobar.service: Failed to create foobar.service/start: Unit foo2.service not found.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=yes foobar.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
foobar.service: Failed to create foobar.service/start: Unit foo2.service not found.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=no foobar.service
maanya-goenka@debian:~/systemd (log-error)$ echo $?
0

maanya-goenka@debian:~/systemd (log-error)$ sudo build/systemd-analyze verify --recursive-errors=one foobar.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
foobar.service: Failed to create foobar.service/start: Unit foo2.service not found.
maanya-goenka@debian:~/systemd (log-error)$ echo $?
1
2021-08-12 07:22:15 -07:00
Maanya Goenka
e5ea5c3a17 systemd-analyze: support discrete images for 'verify' verb
Adding --image parameter for verify verb using the dissect image functionality

-----------------------------------------------------------------------------------
Example Run:

I created a unit service file testrun.service with an invalid key-value pairing
(foo = bar) and a squashfs image run.raw to test the code.

maanya-goenka@debian:~/systemd (img-support)$ cat <<EOF>img/usr/lib/systemd/system/testrun.service
> [Unit]
> foo = bar
>
> [Service]
> ExecStart = /opt/script0.sh
> EOF

maanya-goenka@debian:~/systemd (img-support)$ mksquashfs img/ run.raw
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on run.raw, block size 131072.
[==============================================================================================================================|] 6/6 100%

Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments, compressed xattrs
        duplicates are removed
Filesystem size 0.60 Kbytes (0.00 Mbytes)
        52.32% of uncompressed filesystem size (1.14 Kbytes)
Inode table size 166 bytes (0.16 Kbytes)
        43.01% of uncompressed inode table size (386 bytes)
Directory table size 153 bytes (0.15 Kbytes)
        58.40% of uncompressed directory table size (262 bytes)
Number of duplicate files found 1
Number of inodes 12
Number of files 6
Number of fragments 1
Number of symbolic links  0
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 6
Number of ids (unique uids + gids) 1
Number of uids 1
        maanya-goenka (1000)
Number of gids 1
        maanya-goenka (1000)
maanya-goenka@debian:~/systemd (img-support)$ sudo build/systemd-analyze verify --image=run.raw testrun.service
/tmp/.#systemd-analyzec71c7297a936b91c/usr/lib/systemd/system/testrun.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
testrun.service: Failed to create testrun.service/start: Unit sysinit.target not found.

The 'Unit sysinit.target not found' error that we see here is due to recursive dependency searching during
unit loading and has been addressed in a different PR:
systemd-analyze: add option to return an error value when unit verification fails #20233
2021-08-10 02:41:12 -07:00
Maanya Goenka
2a7cf953e1 systemd-analyze: add --root option for 'verify' verb and allow path parsing
-------------------------------------------------------------------------------
Example Run:

foobar.service created below is a service unit file that has a non-existing key-value
pairing (foo = bar) and is thus, syntactically invalid.

maanya-goenka@debian:~/systemd (img-support)$ cat <<EOF>img/usr/lib/systemd/system/foobar.service
> [Unit]
> foo = bar
>
> [Service]
> ExecStart = /opt/script0.sh
> EOF

The failure to create foobar.service because of the recursive dependency searching and verification has been addressed
in a different PR: systemd-analyze: add option to return an error value when unit verification fails #20233

maanya-goenka@debian:~/systemd (img-support)$ sudo build/systemd-analyze verify --root=img/ foobar.service
/home/maanya-goenka/systemd/img/usr/lib/systemd/system/foobar.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
foobar.service: Failed to create foobar.service/start: Unit sysinit.target not found.
2021-08-10 02:41:12 -07:00
Zbigniew Jędrzejewski-Szmek
fce9abb227 meson: use a/b instead of join_paths(a,b)
It is nicer and shorter.
2021-07-27 19:32:35 +02:00
duament
3f49d1faf5 shell-completion/zsh/_systemd-run: Fix completion of command names and arguments 2021-07-17 22:55:40 +01:00
Zbigniew Jędrzejewski-Szmek
abaf5edd08 Revert "Introduce ExitType"
This reverts commit cb0e818f7c.

After this was merged, some design and implementation issues were discovered,
see the discussion in #18782 and #19385. They certainly can be fixed, but so
far nobody has stepped up, and we're nearing a release. Hopefully, this feature
can be merged again after a rework.

Fixes #19345.
2021-06-30 21:56:47 +02:00
Yu Watanabe
387f695526 tree-wide: "a" -> "an" 2021-06-30 23:33:00 +09:00
Luca Boccassi
36ec026830 completion: fix 'unbound variables' errors
Fixes https://github.com/systemd/systemd/issues/19987
2021-06-22 14:56:47 +01:00
Luca Boccassi
6a0667d2b6 completion/systemd-delta,-resolve: autocomplete with parameters 2021-06-22 14:56:47 +01:00
Luca Boccassi
df7ca94009 completion/hostnamectl: do not dereference non-existing OPTS[ARGUNKNOWN] 2021-06-22 14:56:47 +01:00
Eric Cook
682e043c42 shell-completion: revert c1072f6473
fixing https://github.com/systemd/systemd/issues/19689
2021-06-17 14:42:46 +02:00
nerdopolis
3c3335c714 Clarify help information for --global 2021-06-10 07:23:05 +02:00
Yu Watanabe
efe76b273a shell-completion: udevadm: support --uuid option
Follow-up for 730b9c1e14.
2021-06-04 15:00:11 +02:00
Zbigniew Jędrzejewski-Szmek
5908656c57 meson: use jinja2 in shell-completion/ 2021-05-19 10:25:26 +09:00
Yu Watanabe
f8cd3f610f shell-completion: support --json option for hostnamectl 2021-05-14 09:18:29 +09:00
Yu Watanabe
bfc2b05e59 networkctl: introduce --json option for "status" and "list" commands
When `--json` option is specified, "status" and "list" commands gives
the same information, as originally "list" just gives partial
information of "status" in different format.
2021-05-14 09:18:29 +09:00
Lennart Poettering
ac31f59680 bash: update shell completion for new nspawn option 2021-05-07 22:44:35 +02:00
Jakub Warczarek
572c55ee3c hostnamectl: deprecate set-* methods and expose getters by only using nouns in commands 2021-05-03 20:19:19 +02:00
Peter Hutterer
7a4afd3a15 shell-completion: use base.lst, not xorg.lst
Since 2005 xorg.lst has been the legacy symlink to the real file base.lst.
2021-04-20 10:19:41 +02:00
Sibo Dong
f34173a048 bash-completion: localize words and cword variables
The words and cword variables are not localized in all Bash completion
scripts that call _init_completion.

cur, prev, words, and cword (and split if using the -s flag) are all
variables that should be localized in Bash completion scripts before
calling _init_completion (even if they don't otherwise appear in the
calling script). This is done for cur and prev, but not for words and
cword. Letting words and cword remain unlocalized may clobber variables
the user is using for other purposes, which is bad.

This issue can be resolved by declaring words and cword as local
variables.

Resolves #19188.
2021-04-06 16:15:13 +02:00
Henri Chain
cb0e818f7c Introduce ExitType 2021-03-31 10:26:07 +02:00
Yu Watanabe
c23bb96b38 shell-completion: systemd-run: add missing options
Closes #19044.
2021-03-22 21:20:17 +01:00
Yu Watanabe
6c99c26500 udevadm-trigger: introduce --quiet option
This may be useful to invoke the command by non-privileged users.
2021-02-21 04:40:23 +09:00
Zbigniew Jędrzejewski-Szmek
d60bd2ffb7 shell-completion: complete --legend=no for resolvectl and systemctl
I don't think it makes sense to complete --legend=yes. It is the default, and
it would be only used very rarely (and then it is easy enough to just remove
the '=no' part from the suggested string).
2021-02-17 21:09:14 +01:00
Luca Boccassi
e26fe5f911 portable: add 'reattach' verb and DBUS interface
Add 'reattach' verb to portablectl, and corresponding DBUS interface
to systemd-portabled.
Takes the same parameters as 'attach', but it will do a 'detach' (and
it will refuse to proceed if it cannot be done) first, matching on
the unversioned prefix of the new image. Eg:

portablectl reattach /tmp/foo_2.raw

will cause foo_1.raw to be detached, and foo_2.raw to be attached.

The key difference with a manual 'detach old' plus 'attach new' is that
the running units are not disturbed until after the attach completed,
and if --now is passed they are then restarted.
A 'detach' is not allowed normally if the units are running.

By using a restart-after-deploy method, 'reattach' allows for minimal
interruption of service and also for features that only work on restart
(eg: file descriptor store) to work as intended.

The DBUS interface returns two lists: first the removals from the detach
that were not immediately re-added in the attach, so that the caller
can stop the relevant units, and then the list of additions that are
either new or updates, so that the caller can restart/enable the
relevant units. portablectl already implements this with the existing
--now/--enable switches.
2021-02-10 19:07:36 +00:00
Yu Watanabe
aba1c9c85b bash-completion: loginctl: add -P option 2021-02-11 02:51:00 +09:00
Yu Watanabe
e56aa17084 bash-completion: coredumpctl: add --json and -n options 2021-02-11 02:50:54 +09:00
Luca Boccassi
6faecbd353 systemctl: add new option to mount image inside a running service namespace
Use the new DBUS method and follow the same pattern as the
systemctl bind command.
2021-01-21 19:08:40 +00:00
Luca Boccassi
5e8deb94c6 core: add DBUS method to bind mount new nodes without service restart
Allow to setup new bind mounts for a service at runtime (via either
DBUS or a new 'systemctl bind' verb) with a new helper that forks into
the unit's mount namespace.
Add a new integration test to cover this.

Useful for zero-downtime addition to services that are running inside
mount namespaces, especially when using RootImage/RootDirectory.

If a service runs with a read-only root, a tmpfs is added on /run
to ensure we can create the airlock directory for incoming mounts
under /run/host/incoming.
2021-01-18 17:24:05 +00:00
Felix Stupp
4327574fc1 Added option --check-inhibitors for non-tty usage
As described in #2680, systemctl did ignore inhibitors if it is not
attached to a tty to allow scripts to ignore inhibitors automatically.
This pull request preserves this behavior but allows scripts to
explicit check inhibitors if required.

The new parameter '--check-inhibitors=yes' enables this feature.
The old parameter '-i'/'--ignore-inhibitors' was deprecated in favor
of '--check-inhibitors=no', the default behaviour can be specified
with '--check-inhibitors=auto'.
The new parameter is also described in the documentations and shell
completions found here.
2021-01-13 16:07:36 +01:00
Zbigniew Jędrzejewski-Szmek
341992081b shell-completion: fix systemctl set/unset/import-environment
unset-environment is completed with variable names in the environment block.
set-environment the same, but suffixed with "=".
import-environment is completed with variable names in the client environment.
2021-01-08 20:01:40 +01:00
Michal Fabik
a2be8be2cf coredumpctl: Add --debugger-args= option
This commit adds the possibility to pass command line options to the
debugger invoked with coredumpctl debug.

Resolves: #9905
2020-12-16 12:42:53 +09:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
Lucas Werkmeister
7c57a030e0 shell-completion: add missing completions to meson.build
Completions for systemd-id128 and homectl have been available for a
while, but weren’t being installed.
2020-10-05 08:05:41 +02:00
Ronan Pigott
0fb8f02506 zsh: loginctl: complete alias 'self' 2020-09-30 09:24:03 +02:00
Ronan Pigott
cf18af825a zsh: add systemd-path completions 2020-09-23 10:07:14 +02:00
Yu Watanabe
3605aae161 bash-completion: resolvectl: support 'log-level' command 2020-09-04 17:03:28 +09:00
Olivier Le Moal
50574ed1ac add "list" verb to autocompleted commands 2020-08-27 10:01:36 +02:00
Olivier Le Moal
6ff45bc1a1 shell-completion/zsh: add missing verbs for networkctl 2020-08-26 16:03:35 +02:00
Ronan Pigott
45b156c155 zsh: correct journalctl command completion parsing 2020-08-25 09:29:13 +02:00
Luca Boccassi
46ad9c5378 systemctl: add --timestamp to change timestamp print format
Timestamps for unit start/stop are recorded with microsecond granularity,
but status and show truncate to second granularity by default.
Add a --timestamp=pretty|us|utc option to allow including the microseconds
or to use the UTC TZ to all timestamps printed by systemctl.
2020-08-19 15:30:13 +01:00
Lennart Poettering
caf6bd166f homed: default to "btrfs" as fs type in the LUKS backend
Apparently both Fedora and suse default to btrfs now, it should hence be
good enough for us too.

This enables a bunch of really nice things for us, most importanly we
can resize home directories freely (i.e. both grow *and* shrink) while
online. It also allows us to add nice subvolume based home directory
snapshotting later on.

Also, whenever we mention the three supported types, alaways mention
them in alphabetical order, which is also our new order of preference.
2020-08-19 15:46:07 +02:00
Yu Watanabe
e4f8d5e01f shell-completion: add missing verbs for networkctl 2020-06-30 08:56:36 +02:00
Luca Boccassi
c2923fdcd7 dissect/nspawn: add support for dm-verity root hash signature
Since cryptsetup 2.3.0 a new API to verify dm-verity volumes by a
pkcs7 signature, with the public key in the kernel keyring,
is available. Use it if libcryptsetup supports it.
2020-06-25 08:45:21 +01:00
Zbigniew Jędrzejewski-Szmek
3a9692dd05 shell-completion: add homectl for bash
The difference between verbs that take one user and multiple users is not
handled. I don't know how to do this.
2020-06-05 16:34:18 +02:00
Zbigniew Jędrzejewski-Szmek
8f0a346a29 shell-completions: update bootctl
Entries in the completion lists are reordered to follow --help output:
this makes it much easier to see what is missing.
2020-05-30 16:04:43 +02:00