1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 09:21:26 +03:00
Commit Graph

27885 Commits

Author SHA1 Message Date
Lennart Poettering
68cf43c315 nspawn: use chase_symlinks() on all paths specified via --tmpfs=, --bind= and so on
Fixes: #2860
2016-12-01 00:25:51 +01:00
Lennart Poettering
fc4b68e557 fs-util: add chase_symlinks_prefix() and extend comments
chase_symlinks() currently expects a fully qualified, absolute path, relative
to the host's root as first argument. Which is useful in many ways, and similar
to the paths unlink(), rename(), open(), … expect. Sometimes it's however
useful to first prefix the specified path with the specified root directory.
Add a new call chase_symlinks_prefix() for this, that is a simple wrapper.
2016-12-01 00:25:51 +01:00
Lennart Poettering
4da92e5857 nspawn: coding style: don't mix variable declarations and function calls 2016-12-01 00:25:51 +01:00
Lennart Poettering
5639193139 nspawn: use realloc_multiply() where it makes sense 2016-12-01 00:25:51 +01:00
Lennart Poettering
8cd328d82e nspawn: accept --ephemeral --template= as alternative for --ephemeral --directory=
As suggested in PR #3667.

This PR simply ensures that --template= can be used as alternative to
--directory= when --ephemeral is used, following the logic that for ephemeral
options the source directory is actually a template.

This does not deprecate usage of --directory= with --ephemeral, as I am not
convinced the old logic wouldn't make sense.

Fixes: #3667
2016-12-01 00:25:51 +01:00
Lennart Poettering
3f342ec4b0 nspawn: properly handle image/directory paths that are symlinks
This resolves any paths specified on --directory=, --template=, and --image=
before using them. This makes sure nspawn can be used correctly on symlinked
images and directory trees.

Fixes: #2001
2016-12-01 00:25:51 +01:00
Lennart Poettering
e187369587 tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead
Let's use chase_symlinks() everywhere, and stop using GNU
canonicalize_file_name() everywhere. For most cases this should not change
behaviour, however increase exposure of our function to get better tested. Most
importantly in a few cases (most notably nspawn) it can take the correct root
directory into account when chasing symlinks.
2016-12-01 00:25:51 +01:00
Lennart Poettering
c9d5c9c0e1 core: make unit_free() accept NULL pointers
We generally try to make our destructors robust regarding NULL pointers, much
in the same way as glibc's free(). Do this also for unit_free().

Follow-up for #4748.
2016-12-01 00:25:51 +01:00
AsciiWolf
dc68fed25d l10n: update line numbers in Czech translation (#4776) 2016-11-30 15:59:19 -05:00
Zbigniew Jędrzejewski-Szmek
dc17ee3d6e man: describe overriding of entries in hwdb files 2016-11-30 15:51:13 -05:00
Zbigniew Jędrzejewski-Szmek
ca0e88efbb hwdb: rename err to r and use _cleanup_ in two more places 2016-11-30 15:51:13 -05:00
Zbigniew Jędrzejewski-Szmek
d702dcdfef hwdb: simplify error handling in trie_store
fclose() can also set errno, so the attempts to protect errno that the
code made were not successful. Simplify things by immediately saving
errno to r.
2016-11-30 15:51:13 -05:00
Zbigniew Jędrzejewski-Szmek
1cd592b916 sd-hwdb: drop caching of search string
We have only two callers, and for neither this "optimization" is useful.
So let's drop it an save some code and a malloc.
2016-11-30 15:51:08 -05:00
Zbigniew Jędrzejewski-Szmek
d8646d0572 hwdb, sd-hwdb: rework priority comparison when loading properties
We cannot compare filenames directly, because paths are not sortable
lexicographically, e.g. /etc/udev is "later" (has higher priority)
than /usr/lib/udev.

The on-disk format is changed to have a separate field for "file priority",
which is stored when writing the binary file, and then loaded and used in
comparisons. For data in the previous format (as generated by systemd 232),
this information is not available, and we use a trick where the offset into the
string table is used as a proxy for priority. Most of the time strings are
stored in the order in which the files were processed. This is not entirely
reliable, but is good enough to properly order /usr/lib and /etc/, which are
the two most common cases. This hack is included because it allows proper
parsing of files until the binary hwdb is regenerated.

Instead of adding a new field, I reduced the size of line_number from 64 to 32
bits, and added a 16 bit priority field, and 16 bits of padding. Adding a new
field of 16 bytes would significantly screw up alignment and increase file
size, and line number realistically don't need more than ~20 bits.

Fixes #4750.
2016-11-30 15:49:14 -05:00
Zbigniew Jędrzejewski-Szmek
389be927b4 hwdb: remove path comparison which broke overriding of properties
Partial fix for #4750.

We would compare strings like "/usr/lib/udev/hwdb.d/something.hwdb" and
"/etc/udev/hwdb.db/something.hwdb" and conclude that the first has higher
priority. Since we process files in order (higher priority later), no
comparison is necessary when loading.

This partially undoes 3a04b789c6
(not in spirit, but in the implementation).
2016-11-30 15:48:11 -05:00
Franck Bui
c5024cd05c systemctl: fix 'is-enabled' exit status on failure when executed in chroot (#4773) 2016-11-30 18:27:42 +01:00
Susant Sahani
730389b6dc As per use case we should allow ForwardDelaySec to be set as 0 (#4765)
So let's set ForwardDelaySec to USEC_INFINITY .

Reference:
https://wiki.linuxfoundation.org/networking/bridge#does-dhcp-work-overthrough-a-bridge
2016-11-30 11:54:42 +01:00
Martin Pitt
cd108a83d9 Merge pull request #4772 from martinpitt/hwdb
parse_hwdb: fix to work with pyparsing 2.1.10
2016-11-30 10:25:09 +01:00
Martin Pitt
aeceb3901a hwdb/parse_hwdb.py: open files with UTF-8 mode
pyparsing uses the system locale by default, which in the case of 'C' (in lots
of build environment) will fail with a UnicodeDecodeError. Explicitly open it
with UTF-8 encoding to guard against this.
2016-11-30 09:25:09 +01:00
Martin Pitt
f644a6da7a parse_hwdb: fix to work with pyparsing 2.1.10
pyparsing 2.1.10 fixed the handling of LineStart to really just apply to line
starts and not ignore whitespace and comments any more. Adjust EMPTYLINE to
this.

Many thanks to Paul McGuire for pointing this out!
2016-11-30 09:20:15 +01:00
Martin Pitt
2926b130b6 test: retry checking for transient hostname in hostnamectl (#4769)
Sometimes setting the transient hostname does not happen synchronously, so
retry up to five times. It is not yet clear whether this is legitimate
behaviour or an underlying bug, but this will at least show whether the wrong
transient hostname is just a race condition or permanently wrong.

Fixes #4753
2016-11-30 08:02:49 +01:00
Zbigniew Jędrzejewski-Szmek
0f2e01a503 Two small cleanups 2016-11-29 20:34:08 -05:00
Evgeny Vereshchagin
97506e85e2 Merge pull request #4745 from joukewitteveen/notify
Improvements for notify services (including #4212)
2016-11-30 03:22:07 +03:00
Jouke Witteveen
6375bd2007 service: new NotifyAccess= value for control processes (#4212)
Setting NotifyAccess=exec allows notifications coming directly from any
control process.
2016-11-29 23:20:04 +01:00
Jouke Witteveen
8e458bfe4e NEWS: mention more aggressive failing of notify services 2016-11-29 23:20:04 +01:00
Jouke Witteveen
7ed0a4c537 bus-util: add protocol error type explanation 2016-11-29 23:19:52 +01:00
Dongsu Park
e7330dfe14 cgroup: support prefix "-" in cgroups whitelisting entries (#4687)
So far systemd-nspawn container has been creating files under
/run/systemd/inaccessible, no matter whether it's running in user
namespace or not. That's fine for regular files, dirs, socks, fifos.
However, it's not for block and character devices, because kernel
doesn't allow them to be created under user namespace. It results
in warnings at booting like that:

====
  Couldn't stat device /run/systemd/inaccessible/chr
  Couldn't stat device /run/systemd/inaccessible/blk
====

Thus we need to have the cgroups whitelisting handler to silently ignore
a file, when the device path is prefixed with "-". That's exactly the
same convention used in directives like ReadOnlyPaths=. Also insert the
prefix "-" to inaccessible entries.
2016-11-29 20:16:55 +01:00
Gabriel Rauter
a9d2d40dba networkctl: install zsh completion from #3062 (#4767)
zsh autocompletion provided by #3062 will be installed when networkd is
enabled.
2016-11-29 13:00:38 -05:00
Stefan Berger
e8e42b31c5 ima: Write the policy filename into IMA's sysfs policy file (#4766)
IMA validates file signatures based on the security.ima xattr. As of
Linux-4.7, instead of copying the IMA policy into the securityfs policy,
the IMA policy pathname can be written, allowing the IMA policy file
signature to be validated.

This patch modifies the existing code to first attempt to write the
pathname, but on failure falls back to copying the IMA policy contents.
2016-11-29 10:47:20 -05:00
Lennart Poettering
70fc4f5790 sd-id128: add new sd_id128_get_machine_app_specific() API
This adds an API for retrieving an app-specific machine ID to sd-id128.
Internally it calculates HMAC-SHA256 with an 128bit app-specific ID as payload
and the machine ID as key.

(An alternative would have been to use siphash for this, which is also
cryptographically strong. However, as it only generates 64bit hashes it's not
an obvious choice for generating 128bit IDs.)

Fixes: #4667
2016-11-29 15:13:00 +01:00
Lennart Poettering
0fe5f3c5d7 core: add "khash" API to src/basic/ (as wrapper around kernel AF_ALG)
Let's take inspiration from bluez's ELL library, and let's move our
cryptographic primitives away from libgcrypt and towards the kernel's AF_ALG
cryptographic userspace API.

In the long run we should try to remove the dependency on libgcrypt, in favour
of using only the kernel's own primitives, however this is unlikely to happen
anytime soon, as the kernel does not provide Elliptic Curve APIs to userspace
at this time, and we need them for the DNSSEC cryptographic.

This commit only covers hashing for now, symmetric encryption/decryption or
even asymetric encryption/decryption is not available for now.

"khash" is little more than a lightweight wrapper around the kernel's AF_ALG
socket API.
2016-11-29 15:13:00 +01:00
Lennart Poettering
664e7984f8 Merge pull request #4763 from keszybz/offline-update-loop
A fix for offline update loop
2016-11-29 14:14:43 +01:00
Jouke Witteveen
3c9512c71d service: prevent registering control pids as the main pid
We assume a process can be only one of the two in service_sigchld_event.
2016-11-29 10:34:33 +01:00
Jouke Witteveen
71e529fcf1 service: only fail notify services on empty cgroup during start
We stay in the SERVICE_START while no READY=1 notification message has
been received. When we are in the SERVICE_START_POST state, we have
already received a ready notification. Hence we should not fail when the
cgroup becomes empty in that state.
2016-11-29 10:34:33 +01:00
Zbigniew Jędrzejewski-Szmek
953bf4604f units: add system-update-cleanup.service to guard against offline-update loops
Note: the name is "system-update-cleanup.service" rather than
"system-update-done.service", because it should not run normally, and also
because there's already "systemd-update-done.service", and having them named
so similarly would be confusing.

In https://bugzilla.redhat.com/show_bug.cgi?id=1395686 the system repeatedly
entered system-update.target on boot. Because of a packaging issue, the tool
that created the /system-update symlink could be installed without the service
unit that was supposed to perform the upgrade (and remove the symlink). In
fact, if there are no units in system-update.target, and /system-update symlink
is created, systemd always "hangs" in system-update.target. This is confusing
for users, because there's no feedback what is happening, and fixing this
requires starting an emergency shell somehow, and also knowing that the symlink
must be removed. We should be more resilient in this case, and remove the
symlink automatically ourselves, if there are no upgrade service to handle it.

This adds a service which is started after system-update.target is reached and
the symlink still exists. It nukes the symlink and reboots the machine. It
should subsequently boot into the default default.target.

This is a more general fix for
https://bugzilla.redhat.com/show_bug.cgi?id=1395686 (the packaging issue was
already fixed).
2016-11-29 01:40:34 -05:00
Zbigniew Jędrzejewski-Szmek
2b656050b6 man: update the description of offline updates
- use "service" instead of "script", because various offline updaters that we have
  aren't really scripts, e.g. dnf-plugin-system-upgrade, packagekit-offline-update,
 fwupd-offline-update.
- strongly recommend After=sysinit.target, Wants=sysinit.target
- clarify a bit what should happen when multiple update services are started
- replace links to the wiki with refs to the man page that replaced it.
2016-11-29 01:40:34 -05:00
Martin Pitt
920ec31b5f Merge pull request #4761 from fsateler/python3
Explicitly use python3 everywhere
2016-11-28 21:10:57 +01:00
Tom Gundersen
b76d99d9e6 networkd: move event loop handling out of the manager (#4723)
This will allow us to have several managers sharing an event loop
and running in parallel, as if they were running in separate processes.

The long term-aim is to allow networkd to be split into separate
processes, so restructure the code to make this simpler.

For now we drop the exit-on-idle logic, as this was anyway severely
restricted at the moment. Once split, we will revisit this as it may
then make more sense again.
2016-11-28 20:42:40 +01:00
Felipe Sateler
b95f5528cc Use python3 explicitly in all python scripts 2016-11-28 15:00:20 -03:00
Felipe Sateler
a381e2b5fd build-sys: explicitly require python3
Otherwise python programs might be run with python2
2016-11-28 15:00:20 -03:00
(GalaxyMaster)
dc3b8afb93 socket-proxyd: Introduced dynamic connection limit via an option. (#4749) 2016-11-28 18:25:11 +01:00
Daniel Wagner
a92cf7840f udevd: check correct return value of fcntl() (#4758)
This looks like a copy&paste error from the code block above.
2016-11-28 18:24:26 +01:00
Martin Pitt
fd0cec0366 test: make transient hostname tests fail verbosely (#4754)
This test fails sometimes but it is hard to reproduce, so we need more
information what happens. Set journal log level to "debug" for the entirety of
networkd-test.py, and show networkd's and hostnamed's journals and the DHCP
server log on failure of the two test_transient_hostname* tests. Also sync the
journal before querying it to get more precise output.

This should help with tracking down issue #4753.
2016-11-28 14:35:49 +03:00
Dave Reisner
d112eae7da device: Avoid calling unit_free(NULL) in device setup logic (#4748)
Since a581e45ae8, there's a few function calls to
unit_new_for_name which will unit_free on failure. Prior to this commit,
a failure would result in calling unit_free with a NULL unit, and hit an
assertion failure, seen at least via device_setup_unit:

Assertion 'u' failed at src/core/unit.c:519, function unit_free().  Aborting.

Fixes #4747
https://bugs.archlinux.org/task/51950
2016-11-27 23:05:39 +01:00
Djalal Harouni
a748a0169a Merge pull request #4736 from dobyrch/calendar-cleanup
calendarspec: miscellaneous parsing and formatting fixes
2016-11-27 11:43:26 +01:00
Douglas Christman
7c2503218e calendarspec: refactor format_chain()
Factor out repeated references to usec and remove nested ifs.
2016-11-25 11:21:21 -05:00
Waldemar Brodkorb
9bab3b65b0 fix journald startup problem when code is compiled with -DNDEBUG (#4735)
Similar to this patch from here:
http://systemd-devel.freedesktop.narkive.com/AvfCbi6c/patch-0-3-using-assert-se-on-actions-with-side-effects-on-test-cases

If the code is compiled with -DNDEBUG which is the default for
some embedded buildsystems, systemd-journald does not startup
and silently fails.
2016-11-25 11:24:58 +01:00
Martin Pitt
2f08ccc32e Revert "hwdb/parse_hwdb.py: open files with UTF-8 mode"
"encoding" is not a valid Python 2 keyword, and despite the hashbang this
script can be called with Python 2.

This reverts commit 115a10c58d.
2016-11-25 07:59:37 +01:00
Douglas Christman
c58b1b3abf calendarspec: rename "eom" to "end_of_month" 2016-11-24 18:40:14 -05:00
Douglas Christman
9904dc00e7 calendarspec: make specifications with ranges reversible
"*-*-01..03" is now formatted as "*-*-01..03" instead of "*-*-01,02,03"
2016-11-24 18:40:14 -05:00