1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-27 07:22:31 +03:00
Commit Graph

15402 Commits

Author SHA1 Message Date
Lennart Poettering
fb69d7096d socket-proxyd: port to asynchronous name resolution using sd-resolve 2014-06-05 16:12:48 +02:00
Lennart Poettering
9b476fabd2 update TODO 2014-06-05 13:53:44 +02:00
Lennart Poettering
b27adf354a bus: make use of sd_bus_try_close() in exit-on-idle services 2014-06-05 13:50:35 +02:00
Lennart Poettering
eec6022cf0 sd-event: restore correct timeout behaviour 2014-06-05 13:50:35 +02:00
Lennart Poettering
945933e331 update TODO 2014-06-05 13:09:46 +02:00
Lennart Poettering
a4152e3fe2 kdbus: when uploading bus name policy, resolve users/groups out-of-process
It's not safe invoking NSS from PID 1, hence fork off worker processes
that upload the policy into the kernel for busnames.
2014-06-05 13:09:46 +02:00
Lennart Poettering
5331194c12 core: don't include /boot in effect of ProtectSystem=
This would otherwise unconditionally trigger any /boot autofs mount,
which we probably should avoid.

ProtectSystem= will now only cover /usr and (optionally) /etc, both of
which cannot be autofs anyway.

ProtectHome will continue to cover /run/user and /home. The former
cannot be autofs either. /home could be, however is frequently enough
used (unlikey /boot) so that it isn't too problematic to simply trigger
it unconditionally via ProtectHome=.
2014-06-05 10:03:26 +02:00
Lennart Poettering
3900e5fdff socket: add SocketUser= and SocketGroup= for chown()ing sockets in the file system
This is relatively complex, as we cannot invoke NSS from PID 1, and thus
need to fork a helper process temporarily.
2014-06-05 09:55:53 +02:00
Lennart Poettering
a8330cd118 core: make sure we properly parse ProtectHome= and ProtectSystem= 2014-06-04 23:04:34 +02:00
Dave Reisner
d0069261a7 ycm: update flag blacklist
-Wdate-time isn't known to clang, and it seems to cause errors in
syntastic.
2014-06-04 15:41:10 -04:00
Tom Gundersen
512922f8b4 networkd: link - intialize mac address
Otherwise .netwrok matching on MAC address will not work.

Based on patch by Dave Reisner, and bug originally reported by Max Pray.
2014-06-04 21:29:25 +02:00
Lennart Poettering
f598ac3e28 update TODO 2014-06-04 18:58:05 +02:00
Lennart Poettering
1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
2014-06-04 18:12:55 +02:00
Kay Sievers
4c02dd7153 hwdb: fix case-sensitive match 2014-06-04 17:55:14 +02:00
John
235c6e6281 build-sys: accommodate gcc-4.9.0 link-time optimization (LTO) changes
systemd fails to build (symbols not found/resolved during cgls link step)
under gcc-4.9.0 due to link-time optimization (lto) changes, in particular
from gcc-4.9.0/NEWS:

  + When using a linker plugin, compiling with the -flto option
    now generates slim objects files (.o) which only contain
    intermediate language representation for LTO. Use
    -ffat-lto-objects to create files which contain additionally
    the object code. To generate static libraries suitable for LTO
    processing, use gcc-ar and gcc-ranlib; to list symbols from a
    slim object file use gcc-nm. (Requires that ar, ranlib and nm
    have been compiled with plugin support.)

Both -flto and -ffat-lto-objects are now needed when building and linking
against static libs w/LTO.
2014-06-04 17:47:20 +02:00
Lennart Poettering
c221efb2de update TODO 2014-06-04 17:31:31 +02:00
Lennart Poettering
e06b6479a5 core: provide /dev/ptmx as symlink in PrivateDevices= execution environments 2014-06-04 17:21:18 +02:00
Lennart Poettering
82d252404a core: make sure PrivateDevices= makes /dev/log available
Now that we moved the actual syslog socket to
/run/systemd/journal/dev-log we can actually make /dev/log a symlink to
it, when PrivateDevices= is used, thus making syslog available to
services using PrivateDevices=.
2014-06-04 16:59:13 +02:00
Lennart Poettering
7e9f159ca7 initctl: move /dev/initctl fifo into /run, replace it by symlink
With this change we have no fifos/sockets remaining in /dev.
2014-06-04 16:53:58 +02:00
Lennart Poettering
03ee5c38cb journald: move /dev/log socket to /run
This way we can make the socket also available for sandboxed apps that
have their own private /dev. They can now simply symlink the socket from
/dev.
2014-06-04 16:53:58 +02:00
Kay Sievers
02ba8fb335 udev: guard REREADPT by exclusive lock instead of O_EXCL 2014-06-04 16:28:03 +02:00
Lennart Poettering
811ba7a0e2 socket: add new Symlinks= option for socket units
With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO
nodes in the file system, with the same lifecycle as the socket itself.

This has two benefits: first, this allows us to remove /dev/log and
/dev/initctl from /dev, thus leaving only symlinks, device nodes and
directories in the /dev tree. More importantly however, this allows us
to move /dev/log out of /dev, while still making it accessible there, so
that PrivateDevices= can provide /dev/log too.
2014-06-04 16:21:17 +02:00
Kay Sievers
e9fc29f4ec udev: make sure we always get "change" for the disk
The kernel will return 0 for REREADPT when no partition table
is found, we have to send out "change" ourselves.
2014-06-04 15:17:15 +02:00
Kay Sievers
10fab50a30 udev: guard REREADP logic with open(O_ECXL) 2014-06-04 14:09:31 +02:00
Kay Sievers
ede344452a udev: try first re-reading the partition table
mounted partitions:
  # dd if=/dev/zero of=/dev/sda bs=1 count=1
  UDEV  [4157.369250] change   .../0:0:0:0/block/sda (block)
  UDEV  [4157.375059] change   .../0:0:0:0/block/sda/sda1 (block)
  UDEV  [4157.397088] change   .../0:0:0:0/block/sda/sda2 (block)
  UDEV  [4157.404842] change   .../0:0:0:0/block/sda/sda4 (block)

unmounted partitions:
  # dd if=/dev/zero of=/dev/sdb bs=1 count=1
  UDEV  [4163.450217] remove   .../target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
  UDEV  [4163.593167] change   .../target6:0:0/6:0:0:0/block/sdb (block)
  UDEV  [4163.713982] add      .../target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
2014-06-04 13:35:02 +02:00
Lennart Poettering
bd1fe7c79d socket: optionally remove sockets/FIFOs in the file system after use 2014-06-04 13:12:34 +02:00
Tom Gundersen
edf029b7fd udev: link-config - fix mem leak
Reported by Kay.
2014-06-04 12:55:23 +02:00
Kay Sievers
f3a740a5da udev: synthesize "change' events for partitions when tools change the disk
This should make sure that fdisk-like programs will automatically
cause an update of all partitions, just like mkfs-like programs cause
an update of the partition.
2014-06-04 12:21:44 +02:00
Lennart Poettering
323a2f0b4b README: mention new required user systemd-bus-proxy 2014-06-04 11:24:12 +02:00
Kay Sievers
c343be283b fsck: disable "-l" option for now
https://bugs.freedesktop.org/show_bug.cgi?id=79576#c5
2014-06-04 11:16:30 +02:00
Kay Sievers
edd32000c8 udevd: inotify - modernizations 2014-06-04 11:16:30 +02:00
Lennart Poettering
6a010ac9e5 bus-proxy: drop priviliges if we can
Either become uid/gid of the client we have been forked for, or become
the "systemd-bus-proxy" user if the client was root. We retain
CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.
2014-06-04 11:13:08 +02:00
Kay Sievers
72543b361d remove ReadOnlySystem and ProtectedHome from udevd and logind
logind needs access to /run/user/, udevd fails during early boot
with these settings
2014-06-04 01:41:15 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
2014-06-03 23:57:51 +02:00
Tom Gundersen
85b5673b33 networkd: split runtime config dir from state dir
Configuration will be in

root:root /run/systemd/network

and state will be in

systemd-network:systemd-network /run/systemd/netif

This matches what we do for logind's seat/session state.
2014-06-03 18:58:00 +02:00
Kay Sievers
e918a1b5a9 udev: exclude device-mapper from block device ownership event locking 2014-06-03 16:49:38 +02:00
Tom Gundersen
e5999b4679 shared: capability - don't loop over the cap bits if they are all unset 2014-06-03 11:46:25 +02:00
Tom Gundersen
ed617ec211 shared: allow drop_priviliges to drop all privs 2014-06-03 11:35:29 +02:00
Kay Sievers
3d06f41834 udev: always close lock file descriptor
https://bugs.freedesktop.org/show_bug.cgi?id=79576
2014-06-03 11:06:43 +02:00
Camilo Aguilar
63a070415d sd-dhcp-client: allways request broadcast
On systems which cannot receive unicast packets until its IP stack has been configured
we need to request broadcast packets. We are currently not able to reliably detect when
this is necessary, so set it unconditionally for now.

This is set on all packets, but the DHCP server will only broadcast the packets that are
necessary, and unicast the rest.

For more information please refer to this thread in CoreOS: https://github.com/coreos/bugs/issues/12

[tomegun: rephrased commit message]
2014-06-03 10:55:46 +02:00
Tom Gundersen
682265d5e2 resolved: run as unpriviliged "systemd-resolve" user
This service is not yet network facing, but let's prepare nonetheless.
Currently all caps are dropped, but some may need to be kept in the
future.
2014-06-03 10:40:28 +02:00
Tom Gundersen
0bbea466dc configure: networkd no longer requires kmod
Reported by Samuli Suominen.
2014-06-03 01:05:13 +02:00
Tom Gundersen
bddfc8afd3 networkd: drop CAP_SYS_MODULE
Rely on modules being built-in or autoloaded on-demand.

As networkd is a network facing service, we want to limits its capabilities,
as much as possible. Also, we may not have CAP_SYS_MODULE in a container,
and we want networkd to work the same there.

Module autoloading does not always work, but should be fixed by the kernel
patch f98f89a0104454f35a: 'net: tunnels - enable module autoloading', which
is currently in net-next and which people may consider backporting if they
want tunneling support without compiling in the modules.

Early adopters may also use a module-load.d snippet and order
systemd-modules-load.service before networkd to force the module
loading of tunneling modules.

This sholud fix the various build issues people have reported.
2014-06-03 00:40:23 +02:00
Susant Sahani
a613382bbf networkd: introduce vti tunnel
This patch enables vti tunnel support.

example conf:

file : vti.netdev
[NetDev]
Name=vti-tun
Kind=vti
MTUBytes=1480

[Tunnel]
Local=X.X.X.X
Remote=X.X.X.X

file: vti.network
[Match]
Name=em1

[Network]
Tunnel=vti-tun

TODO:

Add more attributes for vti tunnel
IFLA_VTI_IKEY
IFLA_VTI_OKEY
2014-06-02 16:20:44 +02:00
Susant Sahani
a9f434cf00 networkd: sit-tunnel add support for pmtudisc
This patch adds path of mtu discovery for sit tunnel.
To enable/disable DiscoverPathMTU is introduced.

Example configuration

file: sit.netdev
[NetDev]
Name=sit-tun
Kind=sit
MTUBytes=1480

[Tunnel]
DiscoverPathMTU=1
Local=X.X.X.X
Remote=X.X.X.X

By default pmtudisc is turned on , if DiscoverPathMTU
is missing from the config. To turn it off
DiscoverPathMTU=0 needs to be set.
2014-06-02 16:16:02 +02:00
Susant Sahani
8bb088c5d4 networkd: introduce gre tunnel
This patch enables gre tunnel support.

example conf:

file : gre.netdev
[NetDev]
Name=gre-tun
Kind=gre
MTUBytes=1480

[Tunnel]
Local=X.X.X.X
Remote=X.X.X.X

file: gre.network
[Match]
Name=em1

[Network]
Tunnel=gre-tun

TODO:

Add more attributes for gre tunnel
IFLA_GRE_IFLAGS
IFLA_GRE_IFLAGS
IFLA_GRE_IKEY
IFLA_GRE_OKEY
2014-06-02 16:13:00 +02:00
Susant Sahani
4d7ec9fc36 networkd-netdev: fix white space 2014-06-02 16:09:46 +02:00
Susant Sahani
10142d75cc networkd: introduce veth device support
This patch adds veth device support to networkd.

Example conf:

File: veth.netdev

[NetDev]
Name=veth-test
Kind=veth

[Peer]
Name=veth-peer
2014-06-02 16:09:40 +02:00
Tom Gundersen
b686acb27e resolved: move resolv.conf to resolved's runtime dir 2014-06-02 15:14:32 +02:00
Tom Gundersen
01501939d5 tmpfiles: systemd.conf - fix ownership of network directories 2014-06-02 15:06:32 +02:00