1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-27 07:22:31 +03:00
Commit Graph

967 Commits

Author SHA1 Message Date
Lennart Poettering
c7fb922d62 units: switch on ProtectSystem=strict for our long running services
Let's step up the protection a notch
2017-02-09 16:12:03 +01:00
Lennart Poettering
3c19d0b46b units: restrict namespace for a good number of our own services
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"
2017-02-09 16:12:03 +01:00
Lennart Poettering
7f396e5f66 units: set SystemCallArchitectures=native on all our long-running services 2017-02-09 16:12:03 +01:00
Zbigniew Jędrzejewski-Szmek
750e550eba units: restore Before dependencies for systemd-vconsole-setup.service
When the service is run in the initramfs, it is possible for it to get started
and not be fast enough to exit before the root switch happens. It is started
multiple times (depending on the consoles being detected), and runs
asynchronously, so this is quite likely. It'll then get killed by killall(),
and systemd will consider the service failed. To avoid all this, just wait
for the service to terminate on it's own.

Before=initrd-switch-root.target should be good for the initramfs, and
Before=shutdown.tuarget should be good for the real system, although it's
unlikely to make any difference there.
2017-01-31 01:34:40 -05:00
Zbigniew Jędrzejewski-Szmek
0af9a194ca units: drop KillMode= from initrd-switch-root.service
The service already has DefaultDeps disabled, so systemd should not try to stop
it. And if it *does* get stopped, we don't want the zombie process around.
KillMode=none does not change anything in the killall() phase, and we already
use argv[0][0] = '@' to protect against that anyway. KillMode=none should not
be useful in normal operation, so let's leave it out.
2017-01-31 01:34:40 -05:00
Zbigniew Jędrzejewski-Szmek
6b3d378331 Merge pull request #4879 from poettering/systemd 2017-01-14 21:29:27 -05:00
Lennart Poettering
73c729d768 units: fix condition for systemd-journal-catalog-update.service (#4990)
The service is supposed to regenerate the catalog index whenever /usr is
updated, but /var is not. Hence the ConditionNeedsUpdate= line should
actually reference /var, as that's where the index file is located.
2016-12-29 10:38:52 +01:00
Lennart Poettering
91214a37ef fstab-generator: add support for volatile boots
This adds support for a new kernel command line option "systemd.volatile=" that
provides the same functionality that systemd-nspawn's --volatile= switch
provides, but for host systems (i.e. systems booting with a kernel).

It takes the same parameter and has the same effect.

In order to implement systemd.volatile=yes a new service
systemd-volatile-root.service is introduced that only runs in the initrd and
rearranges the root directory as needed to become a tmpfs instance. Note that
systemd.volatile=state is implemented different: it simply generates a
var.mount unit file that is part of the normal boot and has no effect on the
initrd execution.

The way this is implemented ensures that other explicit configuration for /var
can always override the effect of these options.  Specifically, the var.mount
unit is generated in the "late" generator directory, so that it only is in
effect if nothing else overrides it.
2016-12-21 19:09:29 +01:00
Lennart Poettering
6f4e2f97d7 units: drop --fail parameter from "systemctl switch-root" invocation
This parameter has no effect on switch root hence we shouldn't specify it.
2016-12-20 20:00:09 +01:00
Zbigniew Jędrzejewski-Szmek
953bf4604f units: add system-update-cleanup.service to guard against offline-update loops
Note: the name is "system-update-cleanup.service" rather than
"system-update-done.service", because it should not run normally, and also
because there's already "systemd-update-done.service", and having them named
so similarly would be confusing.

In https://bugzilla.redhat.com/show_bug.cgi?id=1395686 the system repeatedly
entered system-update.target on boot. Because of a packaging issue, the tool
that created the /system-update symlink could be installed without the service
unit that was supposed to perform the upgrade (and remove the symlink). In
fact, if there are no units in system-update.target, and /system-update symlink
is created, systemd always "hangs" in system-update.target. This is confusing
for users, because there's no feedback what is happening, and fixing this
requires starting an emergency shell somehow, and also knowing that the symlink
must be removed. We should be more resilient in this case, and remove the
symlink automatically ourselves, if there are no upgrade service to handle it.

This adds a service which is started after system-update.target is reached and
the symlink still exists. It nukes the symlink and reboots the machine. It
should subsequently boot into the default default.target.

This is a more general fix for
https://bugzilla.redhat.com/show_bug.cgi?id=1395686 (the packaging issue was
already fixed).
2016-11-29 01:40:34 -05:00
Zbigniew Jędrzejewski-Szmek
2b656050b6 man: update the description of offline updates
- use "service" instead of "script", because various offline updaters that we have
  aren't really scripts, e.g. dnf-plugin-system-upgrade, packagekit-offline-update,
 fwupd-offline-update.
- strongly recommend After=sysinit.target, Wants=sysinit.target
- clarify a bit what should happen when multiple update services are started
- replace links to the wiki with refs to the man page that replaced it.
2016-11-29 01:40:34 -05:00
Franck Bui
acc28e2e30 core: make sure initrd-switch-root command survives PID1's killing spree (#4730)
This is a different way to implement the fix proposed by commit
a4021390fe suggested by Lennart Poettering.

In this patch we instruct PID1 to not kill "systemctl switch-root" command
started by initrd-switch-root service using the "argv[0][0]='@'" trick.

See: https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/ for
more details.

We had to backup argv[0] because argv is modified by dispatch_verb().
2016-11-24 18:52:04 +01:00
Lennart Poettering
bbe16abb61 Merge pull request #4710 from martinpitt/networkd-dbus
networkd: allow networkd to start in early boot
2016-11-24 01:58:33 +01:00
Martin Pitt
5f004d1e32 networkd: allow networkd to start in early boot
With the previous improvements, networkd.service's "After=dbus.service" can now
be dropped. That ordering effectively forced networkd.service to run in late
boot only (dbus.service was rejected to run in early boot in
https://bugs.freedesktop.org/show_bug.cgi?id=98254).

Fixes #4504
2016-11-23 17:05:11 +01:00
Franck Bui
a4021390fe core: consider SIGTERM as a clean exit status for initrd-switch-root.service (#4713)
Since commit 1f0958f640, systemd considers SIGTERM for short-running
services (aka Type=oneshot) as a failure.

This can be an issue with initrd-switch-root.service as the command run by this
service (in order to switch to the new rootfs) may still be running when
systemd does the switch.

However PID1 sends SIGTERM to all remaining processes right before
switching and initrd-switch-root.service can be one of those.

After systemd is reexecuted and its previous state is deserialized, systemd
notices that initrd-switch-root.service was killed with SIGTERM and considers
this as a failure which leads to the emergency shell.

To prevent this, this patch teaches systemd to consider a SIGTERM exit as a
clean one for this service.

It also removes "KillMode=none" since this is pretty useless as the service is
never stopped by systemd but it either exits normally or it's killed by a
SIGTERM as described previously.
2016-11-23 16:31:24 +01:00
Zbigniew Jędrzejewski-Szmek
b878b618ad units: disable /sys/fs/fuse/connections in private user namespaces (#4592)
The mount fails, even though CAP_SYS_ADMIN is granted.

Only file systems with FU_USERNS_MOUNT in .fs_flags may be mounted in userns,
and the patch to add that fusectl was rejected [1]. It would be nice if we
could check if the kernel has FU_USERNS_MOUNT for a given fs type, since this
could change over time, but this information doesn't seem to be exported.
So let's just skip this mount in userns to avoid an error during boot.

[1] https://patchwork.kernel.org/patch/2828269/
2016-11-11 19:00:33 +01:00
Evgeny Vereshchagin
492466c1b5 Merge pull request #4442 from keszybz/detect-virt-userns
detect-virt: add --private-users switch to check if a userns is active; add Condition=private-users
2016-10-27 13:16:16 +03:00
Zbigniew Jędrzejewski-Szmek
4bb30aeaf8 units: disable /dev/hugepages in private user namespaces
The mount fails, even though CAP_SYS_ADMIN is granted.
2016-10-26 20:12:52 -04:00
Lennart Poettering
828d92acbc core: drop -.slice from shipped units
Since this unit is synthesized anyway there's no point in actually shipping it
on disk. This also has the benefit that "cd /usr/lib/systemd/system ; ls *"
won't be confused by the leading dash of the file name anymore.
2016-10-24 20:49:48 +02:00
Lennart Poettering
411e869f49 sysctl: run sysctl service if /proc/sys/net is writable (#4425)
This simply changes this line:

    ConditionPathIsReadWrite=/proc/sys/

to this:

     ConditionPathIsReadWrite=/proc/sys/net/

The background for this is that the latter is namespaced through network
namespacing usually and hence frequently set as writable in containers, even
though the former is kept read-only. If /proc/sys is read-only but
/proc/sys/net is writable we should run the sysctl service, as useful settings
may be made in this case.

Fixes: #4370
2016-10-20 19:36:28 +02:00
Lennart Poettering
2fa4f10835 units: extend stop timeout for user@.service to 120s (#4426)
By default all user and all system services get stop timeouts for 90s. This is
problematic as the user manager of course is run as system service. Thus, if
the default time-out is hit for any user service, then it will also be hit for
user@.service as a whole, thus making the whole concept useless for user
services.

This patch extends the stop timeout to 120s for user@.service hence, so that
that the user service manager has ample time to process user services timing
out.

(The other option would have been to shorten the default user service timeout,
but I think a user service should get the same timeout by default as a system
service)

Fixes: #4206
2016-10-20 17:45:27 +02:00
Yu Watanabe
3f2a3726d0 units: journal-upload Wants= and After=network-online.target (#4354)
To upload journal entries to a remote server, it is required that
the network is online.
2016-10-12 11:13:13 +02:00
Yu Watanabe
a8cb1dc3e0 units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345)
`systemctl isolate initrd-switch-root.target` called by initrd-cleanup.service
kills initrd-cleanup.service itself. Then, initrd-cleanup.service failed and
system goes to emergency shell.
To prevent this problem, this commit adds `Wants=initrd-cleanup.service` to
initrd-switch-root.target.

fixes: #4343.
2016-10-11 14:36:14 +02:00
Franck Bui
84a69ca9ba unit: drop console-shell.service (#4298) (#4325)
console-shell.service was supposed to be useful for normal clean boots
(i.e. multi-user.target or so), as a replacement for logind/getty@.service for
simpler use cases.

But due to the lack of documentation and sanity check one can easily be
confused and enable this service in // with getty@.service.

In this case we end up with both services sharing the same tty which ends up in
strange results.

Even worse, console-shell.service might be failing while getty@.service tries
to acquire the terminal which ends up in the system to poweroff since
console-shell.service uses:

  "ExecStopPost=-/usr/bin/systemctl poweroff".

Another issue: this service doesn't work well if plymouth is also used since it
lets the splash screen program run and mess the tty (at least a "plymouth quit"
is missing).

So let's kill it for now.
2016-10-10 12:06:26 +02:00
Yu Watanabe
94f42fe3a6 units: systemd-udevd: add AF_INET and AF_INET6 to RestrictAddressFamilies= (#4296)
The udev builtin command `net_setup_link` requires AF_INET and AF_INET6.

Fixes #4293.
2016-10-06 15:40:53 +02:00
Lennart Poettering
0c28d51ac8 units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.

Specifically:

- Turn on RestrictRealtime=yes for all of them

- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
  them

- Turn on RestrictAddressFamilies= for all of them, but different sets of
  address families for each

Also, always order settings in the unit files, that the various sandboxing
features are close together.

Add a couple of missing, older settings for a numbre of unit files.

Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
2016-09-25 10:52:57 +02:00
Lennart Poettering
f6eb19a474 units: permit importd to mount stuff
Fixes #3996
2016-09-25 10:52:57 +02:00
Michal Sekletar
51bce29f8e units: remove udev control socket when systemd stops the socket unit (#4039)
Mere presence of the socket in the filesystem makes
udev_queue_get_udev_is_active() return that udev is running. Note that,
udev on exit doesn't unlink control socket nor does systemd. Thus socket
stays around even when both daemon and socket are stopped. This causes
problems for cryptsetup because when it detects running udev it launches
synchronous operations that *really* require udev. This in turn may
cause blocking and subsequent timeout in systemd-cryptsetup on reboot
while machine is in a state that udev and its control socket units are
stopped, e.g. emergency mode.

Fixes #2477
2016-08-26 00:07:58 +02:00
Lennart Poettering
a457bd26cc Merge pull request #3955 from keszybz/fix-preset-all
Fix preset-all
2016-08-19 19:10:30 +02:00
Zbigniew Jędrzejewski-Szmek
de78fa9ba0 units: install user units as real files, not symlinks to ../system/
This was causing preset-all --global to create symlinks:

$ systemctl preset-all --global --root=/var/tmp/inst1
Created symlink /var/tmp/inst1/etc/systemd/user/shutdown.target → /usr/lib/systemd/user/../system/shutdown.target.
Created symlink /var/tmp/inst1/etc/systemd/user/sockets.target → /usr/lib/systemd/user/../system/sockets.target.
Created symlink /var/tmp/inst1/etc/systemd/user/timers.target → /usr/lib/systemd/user/../system/timers.target.
Created symlink /var/tmp/inst1/etc/systemd/user/paths.target → /usr/lib/systemd/user/../system/paths.target.
Created symlink /var/tmp/inst1/etc/systemd/user/bluetooth.target → /usr/lib/systemd/user/../system/bluetooth.target.
Created symlink /var/tmp/inst1/etc/systemd/user/printer.target → /usr/lib/systemd/user/../system/printer.target.
Created symlink /var/tmp/inst1/etc/systemd/user/sound.target → /usr/lib/systemd/user/../system/sound.target.
Created symlink /var/tmp/inst1/etc/systemd/user/smartcard.target → /usr/lib/systemd/user/../system/smartcard.target.
Created symlink /var/tmp/inst1/etc/systemd/user/busnames.target → /usr/lib/systemd/user/../system/busnames.target.

It is better to create units in a state that completely matches the presets, i.e.
preset-all should do nothing when invoked immediately after installation.

I'm sure it was confusing to users too, suggesting that system and user units
may somehow alias each other.
2016-08-19 09:55:55 -04:00
Zbigniew Jędrzejewski-Szmek
04d0f7e9f9 units: do not start load-random-seed in containers (#3941)
Random numbers are provided by the host kernel, we don't need to do anything.

https://bugzilla.redhat.com/show_bug.cgi?id=1329124
2016-08-13 17:15:19 +02:00
Martin Pitt
98d2d46876 units: add graphical-session-pre.target user unit (#3848)
This complements graphical-session.target for services which set up the
environment (e. g. dbus-update-activation-environment) and need to run before
the actual graphical session.
2016-08-02 08:56:45 -04:00
tblume
7633f8ef37 systemd-ask-password: make sure directory watch is started before cryptsetup (#3850)
The password directory watch should get ordered before cryptsetup to make sure
that the password for unlocking the crypt device gets prompted.
2016-08-02 08:55:25 -04:00
Zbigniew Jędrzejewski-Szmek
0fbd465f41 Merge pull request #3742 from msoltyspl/vconfix2
vconsole-setup: updates & fixes V2
2016-07-28 23:59:06 -04:00
Michal Soltys
8125e8d38e vconsole: Don't do static installation under sysinit.target
Udev rules cover all the necessary initializations.

As the service now is neither installed, nor installable - we can
remove explicit dependencies and RemainAfterExit=yes option.
2016-07-27 00:57:01 +02:00
Martin Pitt
c92fcc4f43 units: add graphical-session.target user unit (#3678)
This unit acts as a dynamic "alias" target for any concrete graphical user
session like gnome-session.target; these should declare
"BindsTo=graphical-session.target" so that both targets stop and start at the
same time.

This allows services that run in a particular graphical user session (e. g.
gnome-settings-daemon.service) to declare "PartOf=graphical-session.target"
without having to know or get updated for all/new session types. This will
ensure that stopping the graphical session will stop all services which are
associated to it.
2016-07-25 22:01:35 +02:00
Michal Soltys
5ed020d8d1 getty@.service.m4: add Conflicts=/Before= against rescue.service (#3792)
If user isolates rescue target from multi-user or graphical target (or just
starts the service), IgnoreOnIsolate will cause issues with sulogin which is
directly started on current virtual console. This patch adds necessary
Conflicts= and Before= against rescue.service.

Note that this is not needed for emergency target, as implicit Requires= and
After= against sysinit.target is in effect for this service
(DefaultDependencies=yes).
2016-07-25 16:18:00 +02:00
Alessandro Puccetti
54cd6556b3 nspawn: set DevicesPolicy closed and clean up duplicated devices 2016-07-22 16:08:26 +02:00
Martin Pitt
5c3c778014 Merge pull request #3764 from poettering/assorted-stuff-2
Assorted fixes
2016-07-22 09:10:04 +02:00
Alessandro Puccetti
31d28eabc1 nspawn: enable major=0/minor=0 devices inside the container (#3773)
https://github.com/systemd/systemd/pull/3685 introduced
/run/systemd/inaccessible/{chr,blk} to map inacessible devices,
this patch allows systemd running inside a nspawn container to create
/run/systemd/inaccessible/{chr,blk}.
2016-07-21 17:39:38 +02:00
Lennart Poettering
8d36b53a2d units: fix TasksMax=16384 for systemd-nspawn@.service
When a container scope is allocated via machined it gets 16K set already since
cf7d1a30e4. Make sure when a container is run as
system service it gets the same values.
2016-07-20 14:53:15 +02:00
Martin Pitt
bed48d6655 Merge pull request #3572 from poettering/machinectl-shell-fix
machinectl: interpret options placed between "shell" verb and machine name
2016-06-26 17:46:23 +02:00
Tom Gundersen
a2c28c6451 Merge pull request #3549 from poettering/resolved-more
resolved: more fixes, among them "systemctl-resolve --status" to see DNS configuration in effect, and a local DNS stub listener on 127.0.0.53
2016-06-24 01:26:25 +02:00
Franck Bui
de2edc008a udev: bump TasksMax to inifinity (#3593)
udevd already limits its number of workers/children: the max number is actually
twice the number of CPUs the system is using.

(The limit can also be raised with udev.children-max= kernel command line
option BTW).

On some servers, this limit can easily exceed the maximum number of tasks that
systemd put on all services, which is 512 by default.

Since udevd has already its limitation logic, simply disable the static
limitation done by TasksMax.
2016-06-23 22:31:01 +02:00
Martin Pitt
2f9df7c96a units: add nosuid and nodev options to tmp.mount (#3575)
This makes privilege escalation attacks harder by putting traps and exploits
into /tmp.

https://bugs.debian.org/826377
2016-06-22 12:32:59 +02:00
Lennart Poettering
5b566d2475 units: machined needs mount-related syscalls for its namespacing operations
Specifically "machinectl shell" (or its OpenShell() bus call) is implemented by
entering the file system namespace of the container  and opening a TTY there.
In order to enter the file system namespace, chroot() is required, which is
filtered by SystemCallFilter='s @mount group. Hence, let's make this work again
and drop @mount from the filter list.
2016-06-21 21:32:17 +02:00
Lennart Poettering
6f696ca30c emergency.service: Don't say "Welcome" when it's an emergency (#3569)
Quoting @cgwalters:

        Just uploading this as an RFC.  Now I know reading the code that systemd says
        `Welcome to $OS` as a generic thing, but my initial impression on seeing this
        was that it was almost sarcastic =)

        Let's say "You are in emergency mode" as a more neutral/less excited phrase.

This patch is based on #3556, but makes the same change for rescue mode.
2016-06-21 16:09:47 +02:00
Lennart Poettering
b30bf55d5c resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.

Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.

The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).

Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.

In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.

This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.

In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.

resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.

This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 14:15:23 +02:00
Lennart Poettering
4e069746fe units: tighten system call filters a bit
Take away kernel keyring access, CPU emulation system calls and various debug
system calls from the various daemons we have.
2016-06-13 16:25:54 +02:00
Topi Miettinen
40093ce5dd units: add a basic SystemCallFilter (#3471)
Add a line
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
for daemons shipped by systemd. As an exception, systemd-timesyncd
needs @clock system calls and systemd-localed is not privileged.
ptrace(2) is blocked to prevent seccomp escapes.
2016-06-09 09:32:04 +02:00
Topi Miettinen
40652ca479 units: enable MemoryDenyWriteExecute (#3459)
Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.

Closes: #3459
2016-06-08 14:23:37 +02:00
Franck Bui
ce3eb7790c units: wait for plymouth to shut down in rescue.sevice (#3367)
In the same vein as commit ac59f0c12c which added
the --wait option to the emergency service, this patch makes sure that plymouth
has exited before entering into the rescue mode.
2016-06-01 11:52:35 +02:00
Lennart Poettering
0525107594 units: restore ConditionNeesUpdate=/etc in ldconfig.service (#3311)
In order to support stateless systems that support offline /usr updates
properly, let's restore the ConditionNeesUpdate=/etc line that makes sure we
are run when /usr is updated and this update needs to be propagated to the
/etc/ld.so.conf file stored in /etc.

This reverts part of #2859, which snuck this change in, but really shouldn't
have.
2016-05-21 17:09:18 -04:00
Daniel Drake
7163e1ca11 Create initrd-root-device.target synchronization point (#3239)
Add a synchronization point so that custom initramfs units can run
after the root device becomes available, before it is fsck'd and
mounted.

This is useful for custom initramfs units that may modify the
root disk partition table, where the root device is not known in
advance (it's dynamically selected by the generators).
2016-05-12 18:42:39 +02:00
tblume
2a44df950f units: make sure that fsck is executed before quotacheck
fsck determines wheter an automatic quotacheck should be executed.
Hence fsck service needs to run before quotacheck service.
2016-05-10 14:10:17 +02:00
Martin Pitt
3136ec90ad Stop syslog.socket when entering emergency mode (#3130)
When enabling ForwardToSyslog=yes, the syslog.socket is active when entering
emergency mode. Any log message then triggers the start of rsyslog.service (or
other implementation) along with its dependencies such as local-fs.target and
sysinit.target. As these might fail themselves (e. g. faulty /etc/fstab), this
breaks the emergency mode.

This causes syslog.socket to fail with "Failed to queue service startup job:
Transition is destructive".

Add Conflicts=syslog.socket to emergency.service to make sure the socket is
stopped when emergency.service is started.

Fixes #266
2016-04-27 10:34:24 +02:00
Lennart Poettering
d7fe83bbc2 Merge pull request #3093 from poettering/nspawn-userns-magic
nspawn automatic user namespaces
2016-04-26 14:57:04 +02:00
Lennart Poettering
c34b73d050 machined: add CAP_MKNOD to capabilities to run with (#3116)
Container images from Debian or suchlike contain device nodes in /dev. Let's
make sure we can clone them properly, hence pass CAP_MKNOD to machined.

Fixes: #2867 #465
2016-04-25 15:38:56 -04:00
Lennart Poettering
af88764ff8 units: turn on user namespace by default in systemd-nspawn@.service
Now that user namespacing is supported in a pretty automatic way, actually turn
it on by default if the systemd-nspawn@.service template is used.
2016-04-25 12:16:03 +02:00
Lennart Poettering
8c85680478 units: order systemd-user-sessions.service after network.target
That way we can be sure that local users are logged out before the network is
shut down when the system goes down, so that SSH session should be ending
cleanly before the system goes down.

Fixes: #2390
2016-04-22 16:17:00 +02:00
frankheckenbach
a11fe93e04 tmp.mount.hm4: After swap.target (#3087)
fix issue #2930
2016-04-22 14:21:30 +02:00
Calvin Owens
7797fd2470 units: Add "GuessMainPID=no" to compatibility unit for rc-local (#3018)
With the current "Type=forking", systemd tries to guess the PID it
should wait on at reboot (because we have no "PIDFile="). Depending on
how wrong the guess is, we can end up hanging forever at reboot.

Asking it not to do that eliminates the problem.
2016-04-21 19:16:28 +02:00
Michal Sekletar
f66a1c48cf units: run ldconfig.service after we have mounted all local file systems
Also drop ConditionNeedsUpdate=|/etc. Regardless if system is updated
online or offline, updating dynamic loader cache should always be
responsibility of packaging tools/scripts.
2016-03-17 14:41:26 +01:00
Elias Probst
7a8c9e4457
Don't escape the name of the container in instances of
When using `%I` for instances of `systemd-nspawn@.service`, the result
will be `systemd-nspawn` trying to launch a container named e.g.
`fedora/23` instead of `fedora-23`.
Using `%i` instead prevents escaping `-` in a container name and uses
the unmodified container name from the machine store.
2016-02-26 20:39:10 +01:00
Lennart Poettering
c550f7a9b8 Merge pull request #2664 from zonque/bootchart-removal
Remove systemd-bootchart
2016-02-23 20:27:59 +01:00
Lennart Poettering
45bd485454 man: link some unit files to their online bus API documentation 2016-02-23 16:24:01 +01:00
Daniel Mack
232c84b2d2 Remove systemd-bootchart
This commit rips out systemd-bootchart. It will be given a new home, outside
of the systemd repository. The code itself isn't actually specific to
systemd and can be used without systemd even, so let's put it somewhere
else.
2016-02-23 13:30:09 +01:00
Daniel Mack
798c486fbc remove bus-proxyd
As kdbus won't land in the anticipated way, the bus-proxy is not needed in
its current form. It can be resurrected at any time thanks to the history,
but for now, let's remove it from the sources. If we'll have a similar tool
in the future, it will look quite differently anyway.

Note that stdio-bridge is still available. It was restored from a version
prior to f252ff17, and refactored to make use of the current APIs.
2016-02-12 19:10:01 +01:00
Lennart Poettering
b8eefa012d Merge pull request #2581 from evverx/dev-mqueue-cond
units: don't try to mount the mqueue fs if we lack the privileges for it
2016-02-11 13:55:59 +01:00
Evgeny Vereshchagin
6cfc79632f units: don't try to mount the mqueue fs if we lack the privileges for it
See https://github.com/systemd/systemd/pull/2576#discussion-diff-52592680
2016-02-11 02:45:11 +00:00
Lennart Poettering
03a7868805 units: don't try to mount the FUSE fs if we lack the privileges for it
See:

https://lists.freedesktop.org/archives/systemd-devel/2016-February/035740.html
2016-02-10 23:42:39 +01:00
Lennart Poettering
3c171f0b1e coredump: rework coredumping logic
This reworks the coredumping logic so that the coredump handler invoked from the kernel only collects runtime data
about the crashed process, and then submits it for processing to a socket-activate coredump service, which extracts a
stacktrace and writes the coredump to disk.

This has a number of benefits: the disk IO and stack trace generation may take a substantial amount of resources, and
hence should better be managed by PID 1, so that resource management applies. This patch uses RuntimeMaxSec=, Nice=, OOMScoreAdjust=
and various sandboxing settings to ensure that the coredump handler doesn't take away unbounded resources from normally
priorized processes.

This logic is also nice since this makes sure the coredump processing and storage is delayed correctly until
/var/systemd/coredump is mounted and writable.

Fixes: #2286
2016-02-10 16:08:32 +01:00
Zbigniew Jędrzejewski-Szmek
9c6d5a179e Merge pull request #2565 from poettering/fix-2315 2016-02-09 19:13:15 -05:00
Lennart Poettering
8222cf9145 units: downgrade dependency on /tmp in basic.target to Wants=
Now that requiring of a masked unit results in failure again, downgrade the dependency on /tmp to Wants= again, so that
our suggested way to disable /tmp-on-tmpfs by masking doesn't result in a failing boot.

References: #2315
2016-02-09 20:34:27 +01:00
Indrajit Raychaudhuri
5e41590b70 Fix typo in rescue shell 2016-02-05 11:28:53 +05:30
Daniel Mack
efda7e594e Merge pull request #2331 from yuwata/journal-remote-unit-v2
journal-remote: add SupplementaryGroups to systemd-journal-upload.service
2016-01-22 09:56:54 +01:00
Lennart Poettering
cde3d68750 units: don't fail if /root doesn't exist for shell units
As discussed on the ML:

http://lists.freedesktop.org/archives/systemd-devel/2016-January/035594.html
2016-01-17 20:47:46 +01:00
Yu Watanabe
d70698b7e6 journal-remote: add SupplementaryGroups to systemd-journal-upload.service 2016-01-15 15:25:36 +09:00
Martin Pitt
6233c794b2 kmod-static-nodes: don't run if module list is empty
With this kmod commit, modules.devname will be empty by default instead of
containing just a comment:

  https://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/?id=4c30a11d5f

Refine the startup condition of kmod-static-nodes.service to not run needlessly
if the list is empty.
2016-01-11 16:26:17 +01:00
Yu Watanabe
c9d493281d journal-remote: add documents in the unit files 2015-12-15 10:51:12 +09:00
Jan Alexander Steffens (heftig)
8c277ddd27 Set user@.service TasksMax=infinity
The user manager is still limited by its parent slice user-UID.slice,
which defaults to 4096 tasks. However, it no longer has an additional
limit of 512 tasks.

Fixes #1955.
2015-11-22 23:05:23 +01:00
Lennart Poettering
541ec33075 nspawn: set TasksMax= for containers to 8192 by default 2015-11-16 11:58:04 +01:00
Lennart Poettering
2a2e1b36a0 core: remove SmackFileSystemRootLabel= again
Apparently, util-linux' mount command implicitly drops the smack-related
options anyway before passing them to the kernel, if the kernel doesn't
know SMACK, hence there's no point in duplicating this in systemd.

Fixes #1696
2015-11-12 12:50:59 +01:00
Lennart Poettering
85ae4be4f1 units: fix system.slice to require -.slice, instead of just want it 2015-11-11 16:04:16 +01:00
Lennart Poettering
119e9655dc journal: restore watchdog support 2015-11-03 17:45:12 +01:00
Daniel Mack
4084052911 Merge pull request #1726 from teg/networkd-2
networkd: (de)serialize more state and support expiring routes
2015-11-03 15:03:50 +01:00
Lennart Poettering
e22aa3d328 journald: never block when sending messages on NOTIFY_SOCKET socket
Otherwise we might run into deadlocks, when journald blocks on the
notify socket on PID 1, and PID 1 blocks on IPC to dbus-daemon and
dbus-daemon blocks on logging to journald. Break this cycle by making
sure that journald never ever blocks on PID 1.

Note that this change disables support for event loop watchdog support,
as these messages are sent in blocking style by sd-event. That should
not be a big loss though, as people reported frequent problems with the
watchdog hitting journald on excessively slow IO.

Fixes: #1505.
2015-11-01 22:12:29 +01:00
Tom Gundersen
1c8e710c2b networkd: route - track routes 2015-10-30 12:32:48 +01:00
Lennart Poettering
7cb48925dc core: rename SmackFileSystemRoot= to SmackFileSystemRootLabel=
That way it's in sync with the other SMACK label settings.

https://github.com/systemd/systemd/pull/1664#issuecomment-150891270
2015-10-26 01:24:39 +01:00
Sangjung Woo
5dfcb8d200 units: add 'SmackFileSystemRoot=*' option into tmp.mount
If SMACK is enabled, 'smackfsroot=*' option should be specified when
/tmp is mounted since many non-root processes use /tmp for temporary
usage. If not, /tmp is labeled as '_' and smack denial occurs when
writing.

In order to do that, 'SmackFileSystemRoot=*' is newly added into
tmp.mount.
2015-10-24 20:54:21 +09:00
Lennart Poettering
a2c90f05f1 units: also whitelist "blkext" block devices for nspawn service
/dev/loop*p* block devices are of the "blkext" subsystem, not of loop,
hence whitelist this too.

Fixes #1446
2015-10-22 01:59:25 +02:00
Kay Sievers
29a3f0d4c5 Revert "units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled"
This reverts commit 409c2a13fd.

It breaks the bootup of systems which enable smack at compile time, but have no
smack enabled in the kernel. This needs a different solution.
2015-10-18 12:21:21 +02:00
Tom Gundersen
8ee07361d0 units: .gitignore: units - ignore tmp.mount
This is a follow-up to 409c2a13fd.
2015-10-15 19:28:07 +02:00
Lennart Poettering
2ac3f19a51 Merge pull request #1572 from again4you/devel/tmp-smack
units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled
2015-10-15 13:09:57 +02:00
Sangjung Woo
409c2a13fd units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled
If SMACK is enabled, 'smackfsroot=*' option should be specified in
tmp.mount file since many non-root processes use /tmp for temporary
usage. If not, /tmp is labeled as '_' and smack denial occurs when
writing.
2015-10-15 14:02:44 +09:00
Lennart Poettering
be3270ebd3 unit: remove [Install] section from the user exit.target unit
There's no concept of ctrl-alt-del for user systemd instances, hence
don't suggest it woud make sense to symlink the unit to it.

Fixes #1525.
2015-10-14 16:25:23 +02:00
Tom Gundersen
e1719ef19d Merge pull request #1468 from poettering/fdnames
Add support for naming fds for socket activation and more
2015-10-06 12:06:56 +02:00
Lennart Poettering
df9d6993b6 unit: give systemd-networkd.socket a better description
Usually we try to properly uppercase first characters in the
description, do so here, too. Also, keep it close to the string used in
systemd-networkd.service.
2015-10-06 11:52:48 +02:00
Lennart Poettering
988a479642 nspawn: fix --image= when nspawn is run as service
nspawn needs access to /dev/loop to implement --image=, hence grant that
in the service file.

Fixes #1446.
2015-10-03 11:23:52 +02:00
Lennart Poettering
d35c1bb1f4 rfkill: rework and make it listen on /dev/rfkill
With this rework we introduce systemd-rfkill.service as singleton that
is activated via systemd-rfkill.socket that listens on /dev/rfkill. That
way, we get notified each time a new rfkill device shows up or changes
state, in which case we restore and save its current setting to disk.

This is nicer than the previous logic, as this means we save/restore
state even of rfkill devices that are around only intermittently, and
save/restore the state even if the system is shutdown abruptly instead
of cleanly.

This implements what I suggested in #1019 and obsoletes it.
2015-10-01 16:21:09 +02:00