1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 14:55:37 +03:00
Commit Graph

6031 Commits

Author SHA1 Message Date
Lennart Poettering
fd2f6f7248
Merge pull request #19096 from poettering/repart-features
repart: four new features: CopyBlocks=auto + --image= + ReadOnly=/Flags= + MakeDirectories=
2021-04-20 10:20:22 +02:00
Lennart Poettering
e73309c532 repart: add new ReadOnly= and Flags= settings for repart dropins
Let's make the GPT partition flags configurable when creating new
partitions. This is primarily useful for the read-only flag (which we
want to set for verity enabled partitions).

This adds two settings for this: Flags= and ReadOnly=, which strictly
speaking are redundant. The main reason to have both is that usually the
ReadOnly= setting is the one wants to control, and it' more generic.
Moreover we might later on introduce inherting of flags from CopyBlocks=
partitions, where one might want to control most flags as is except for
the RO flag and similar, hence let's keep them separate.
2021-04-19 23:16:02 +02:00
Lennart Poettering
5c08da586f repart: add CopyBlocks=auto support
When using systemd-repart as an installer that replicates the install
medium on another medium it is useful to reference the root
partition/usr partition or verity data that is currently booted, in
particular in A/B scenarios where we have two copies and want to
reference the one we currently use. Let's add a CopyBlocks=auto for this
case: for a partition that uses that we'll copy a suitable partition
from the host.

CopyBlocks=auto finds the partition to copy like this: based on the
configured partition type uuid we determine the usual mount point (i.e.
for the /usr partition type we determine /usr/, and so on). We then
figure out the block device behind that path, through dm-verity and
dm-crypt if necessary. Finally, we compare the partition type uuid of
the partition found that way with the one we are supposed to fill and
only use it if it matches (the latter is primarily important on
dm-verity setups where a volume is likely backed by two partitions and
we need to find the right one).

This is particularly fun to use in conjunction with --image= (where
we'll restrict the device search onto the specify device, for security
reasons), as this allows "duplicating" an image like this:

    # systemd-repart --image=source.raw --empty=create --size=auto target.raw

If the right repart data is embedded into "source.raw" this will be able
to create and initialize a partition table on target.raw that carrries
all needed partitions, and will stream the source's file systems onto it
as configured.
2021-04-19 23:16:02 +02:00
Lennart Poettering
d83d804863 repart: add high-level setting for creating dirs in formatted file systems
So far we already had the CopyFiles= option in systemd-repart drop-in
files, as a mechanism for populating freshly formatted file systems with
files and directories. This adds MakeDirectories= in similar style, and
creates simple directories as listed. The option is of course entirely
redundant, since the same can be done with CopyFiles= simply by copying
in a directory. It's kinda nice to encode the dirs to create directly in
the drop-in files however, instead of providing a directory subtree to
copy in somehere, to make the files more self-contained — since often
just creating dirs is entirely sufficient.

The main usecase for this are GPT OS images that carry only a /usr/
tree, and for which a root file system is only formatted on first boot
via repart.  Without any additional CopyFiles=/MakeDirectories=
configuration these root file systems are entirely empty of course
initially. To mount in the /usr/ tree, a directory inode for /usr/ to
mount over needs to be created.  systemd-nspawn will do so automatically
when booting up the image, as will the initrd during boot. However, this
requires the image to be writable – which is OK for npawn and
initrd-based boots, but there are plenty tools where read-only operation
is desirable after repart ran, before the image was booted for the first
time. Specifically, "systemd-dissect" opens the image in read-only to
inspect its contents, and this will only work of /usr/ can be properly
mounted. Moreover systemd-dissect --mount --read-only won't succeed
either if the fs is read-only.

Via MakeDirectories= we now provide a way that ensures that the image
can be mounted/inspected in a fully read-only way immediately after
systemd-repart completed. Specifically, let's consider a GPT disk image
shipping with a file usr/lib/repart.d/50-root.conf:

       [Partition]
       Type=root
       Format=btrfs
       MakeDirectories=/usr
       MakeDirectories=/efi

With this in place systemd-repart will create a root partition when run,
and add /usr and /efi into it as directory inods. This ensures that the
whole image can then be mounted truly read-only anf /usr and /efi can be
overmounted by the /usr partition and the ESP.
2021-04-19 23:16:02 +02:00
Lennart Poettering
252d626711 repart: add --image= switch
This is similar to the --image= switch in the other tools, like
systemd-sysusers or systemd-tmpfiles, i.e. it apply the configuration
from the image to the image.

This is particularly useful for downloading minimized GPT image, and
then extending it to the desired size via:

   # systemd-repart --image=foo.image --size=5G
2021-04-19 23:16:02 +02:00
Jason Francis
941c5275ea
sd-login: fix wrong constructor used in sd_login_monitor manpage example 2021-04-19 12:20:29 -04:00
Yu Watanabe
4e6c50a5d4 core: add RestrictAddressFamilies=none to deny all address families
Closes #15753.
2021-04-19 11:47:08 +01:00
Zbigniew Jędrzejewski-Szmek
b7c3447a2f
Merge pull request #19310 from yuwata/network-dhcp-anonymize
network: dhcp4: several fixes and cleanups for Anonymize=
2021-04-16 11:12:22 +02:00
Anita Zhang
169be51f94 man: correct requirements for systemd-oomd.service
Fixes: #19331
2021-04-16 09:50:44 +01:00
Yu Watanabe
a2b1572ce4
Merge pull request #19287 from yuwata/network-manage-foreign-routing-policy-rule-19106
network: add ManageForeignRoutingPolicyRules= boolean setting
2021-04-14 19:01:41 +09:00
Yu Watanabe
86d58c8625 man: update explanation for Anonymize= 2021-04-14 14:15:15 +09:00
LetzteInstanz
6dc4531d16 wait-online: wait for address family
This introduce -4 and -6 commandline options.
2021-04-14 09:00:08 +09:00
LetzteInstanz
8430841b5e network: save IPv4/IPv6 address states into state file
This also introduces RequiredFamilyForOnline= setting to .network file,
and IPv4AddressState/IPv6AddressState DBus properties.
2021-04-14 08:51:02 +09:00
Yegor Alexeyev
21b6b87eb3 dhcp: Implemented BindToInterface= configuration option 2021-04-14 07:30:40 +09:00
Yu Watanabe
f1a5c566c1 man: fix typo 2021-04-13 12:52:56 +09:00
Yu Watanabe
3fe23a96d6 man: update description for ManageForeignRoutes= 2021-04-13 12:23:59 +09:00
Yu Watanabe
d94dfe7053 network: introduce ManageForeignRoutingPolicyRules= boolean setting in networkd.conf
The commit 0b81225e57 makes that networkd
remove all foreign rules except those with "proto kernel".

But, in some situation, people may want to manage routing policy rules
with other tools, e.g. 'ip' command. To support such the situation,
this introduce ManageForeignRoutingPolicyRules= boolean setting.

Closes #19106.
2021-04-13 12:22:42 +09:00
Zbigniew Jędrzejewski-Szmek
7c5fd25119 meson: do not fail if rsync is not installed with meson 0.57.2
https://github.com/mesonbuild/meson/issues/8641

Our CI started to fail. Even if the change is reverted in meson,
we need a quick workaround here.
2021-04-12 21:28:23 +01:00
Zbigniew Jędrzejewski-Szmek
839eb4a458
Merge pull request #13496 from wat-ze-hex/custom-bpf-progs-parameterized-3
bpf: extend bpf cgroup program support
2021-04-12 14:31:42 +02:00
gaoyi
45f5efdea7 man: fix discriptions for --exec-delay
There are two ambiguity in the original description:
1. It will delay all RUN instructions, include builtin.
2. It will delay before running RUN, not each of RUN{program} instructions.
2021-04-12 13:03:26 +02:00
Yu Watanabe
37b7a716d3
Merge pull request #19164 from mmatsuya/main
tmpfiles: use a entry in hashmap as ItemArray in read_config_file()
2021-04-11 16:46:25 +09:00
Julia Kartseva
9e009a145d dbus-cgroup: add BPFProgram= dbus support
- Handle BPFProgram= property in string format
"<bpf_attach_type>:<bpffs_path>", e.g. egress:/sys/fs/bpf/egress-hook.
- Add dbus getter to list foreign bpf programs attached to a cgroup.
2021-04-09 20:28:47 -07:00
Julia Kartseva
ee08909059 man: add BPFProgram= documentation 2021-04-09 20:28:47 -07:00
Zbigniew Jędrzejewski-Szmek
5c91fdf3f8 man: document system-systemd\x2dcryptsetup.slice
As discussed in
1dc85eff1d (r606821495),
follow-up for commit 1dc85eff1d.
2021-04-09 10:38:09 +02:00
Zbigniew Jędrzejewski-Szmek
708b299203
Merge pull request #19254 from poettering/native-journal-proto-doc
document native journal protocol
2021-04-09 08:13:21 +02:00
Zbigniew Jędrzejewski-Szmek
8649ec4725
Merge pull request #19248 from keszybz/make-tests-test
Make tests test
2021-04-09 07:56:04 +02:00
Lennart Poettering
8ee62e53e8 man: link up new journal protocol docs 2021-04-08 22:16:58 +02:00
Zbigniew Jędrzejewski-Szmek
b9bfa250f2 homectl,TEST-46: fix test and fix homectl return value, update docs
The usual: the test wasn't testing, so we didn't notice that the
command wasn't returning as expected.
2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
b88ba6c761 tmpfiles: make handling of existing-but-different targets more consistent
create_fifo() was added in a2fc2f8dd3, and
would always ignore failure. The test was trying to fail in this case, but
we actually don't fail, which seems to be correct. We didn't notice before
because the test was ineffective.

To make things consistent, generally log at warning level, but don't propagate
the error. For symlinks, log at debug level, as before.

For 'e', failure is not propagated now. The test is adjusted to match.

I think warning is appropriate in most cases: we do not expect a device node to
be replaced by a different device node or even a non-device file. This would
most likely be an error somewhere. An exception is made for symlinks, which are
mismatched on purpose, for example /etc/resolv.conf. With this patch, we don't
get any warnings with the any of the 74 tmpfiles.d files, which suggests that
increasing the warning levels will not cause too many unexpected warnings. If
it turns out that there are valid cases where people have expected mismatches
for non-symlink types, we can always decrease the log levels again.
2021-04-08 20:16:37 +02:00
Zbigniew Jędrzejewski-Szmek
3bbb76f621 sd-bus: make sd_bus_is_{ready,open} accept NULL
We didn't document this behaviour one way or another, so I think it's
OK to change. All callers do the NULL check before callling this to avoid
the assert warning, so it seems reasonable to do it internally.

sd_bus_can_send() is similar, but there we expressly say that an
error is returned on NULL, so I didn't change it.
2021-04-08 14:59:10 +02:00
Zbigniew Jędrzejewski-Szmek
3dd61ee5be man: fix quickhelp listing in tmpfiles.d(5)
Unlike many other small/big letter combos, this one has the recursive
version attached to the lowercase letter.
2021-04-08 11:01:29 +02:00
Luca Boccassi
671769c932 coredump: rename COREDUMP_PKGMETA_ fields to COREDUMP_PACKAGE_
Follow-up for c546154a44
2021-04-07 14:02:38 +01:00
Morten Linderud
29d898cc7b man/systemd-cryptenroll: Fix sd-boot manvolnum from 8 to 7
Off-by-one error in the documentation index. The volume number for
systemd-boot/sd-boot is 7.

Signed-off-by: Morten Linderud <morten@linderud.pw>
2021-04-07 13:57:33 +02:00
Luca Boccassi
c546154a44 coredump: parse and append package metadata to journal message
Append 'package' and 'packageVersion' to the journal as discrete fields
COREDUMP_PKGMETA_PACKAGE and COREDUMP_PKGMETA_PACKAGEVERSION respectively,
and the full json blurb as COREDUMP_PKGMETA_JSON.
2021-04-06 23:12:51 +01:00
Zbigniew Jędrzejewski-Szmek
9d5ae3a121
Merge pull request #19126 from anitazha/oomdimprovements
systemd-oomd post-test week improvements
2021-04-06 07:59:59 +02:00
Anita Zhang
685b0985f0 oomd: threshold swap kill candidates to usages of more than 5%
In some instances, particularly with swap on zram, swap used will be high
while there is still a lot of memory available. FB OOMD handles this by
thresholding kills to X% of total swap usage. Let's do the same thing here.

Anecdotally with these thresholds and my laptop which is exclusively swap
on zram I can sit at 0K / 4G swap free with most of memory free and
systemd-oomd doesn't kill anything.

Partially addresses aggressive kill behavior from
https://bugzilla.redhat.com/show_bug.cgi?id=1941170
2021-04-05 02:04:49 -07:00
Viktor Mihajlovski
a496a238e8 udev: fix slot based network names on s390
The s390 PCI driver assigns the hotplug slot name from the
function_id attribute of the PCI device using a 8 char hexadecimal
format to match the underlying firmware/hypervisor notation.

Further, there's always a one-to-one mapping between a PCI
function and a hotplug slot, as individual functions can
hot plugged even for multi-function devices.

As the generic matching code will always try to parse the slot
name in /sys/bus/pci/slots as a positive decimal number, either
a wrong value might be produced for ID_NET_NAME_SLOT if
the slot name consists of decimal numbers only, or none at all
if a character in the range from 'a' to 'f' is encountered.

Additionally, the generic code assumes that two interfaces
share a hotplug slot, if they differ only in the function part
of the PCI address. E.g., for an interface with the PCI address
dddd:bb:aa.f, it will match the device to the first slot with
an address dddd:bb:aa. As more than one slot may have this address
for the s390 PCI driver, the wrong slot may be selected.

To resolve this we're adding a new naming schema version with the
flag NAMING_SLOT_FUNCTION_ID, which enables the correct matching
of hotplug slots if the device has an attribute named function_id.
The ID_NET_NAME_SLOT property will only be produced if there's
a file /sys/bus/pci/slots/<slotname> where <slotname> matches
the value of /sys/bus/pci/devices/.../function_id in 8 char
hex notation.

Fixes #19016
See also #19078
2021-04-02 18:08:23 +02:00
Carlo Teubner
6d3831cee5 docs: use current spelling "macOS" not "OS X" etc. 2021-04-02 10:53:26 +01:00
Anita Zhang
a858355e4a oomd: force DefaultMemoryPressureDurationSec= to be greater than or equal 1 sec 2021-04-01 19:53:42 -07:00
Zbigniew Jędrzejewski-Szmek
af46237ea1 man: split the description of sd_bus_error_set()
It was one giant all of text in pseudo-random order. Let's split it into
paragraphs talk about one subject each.

And unfortunately, the description of what happens when the error is not
set was not correct. In general, various functions treat 0/NULL as
not-an-error, and return 0.
2021-03-31 18:24:53 +02:00
Luca Boccassi
907952bbc9 portabled: add --extension parameter for layered images support
Add an --extension parameter to portablectl, and new DBUS methods
to attach/detach/reattach/inspect.
Allows to append separate images on top of the root directory (os-release
will be searched in there) and mount the images using an overlay-like
setup (unit files will be searched in there) using the new ExtensionImages
service option.
2021-03-31 09:56:44 +01:00
Deepak Rawat
0d96caa5c0 logind: Add new flag for kexec reboot
Add new flag to allow kexec reboot if kernel is already loaded.
2021-03-31 10:48:48 +02:00
Lennart Poettering
9a515f0a55 shared: add new IMAGE_VERSION=/IMAGE_ID= field to /etc/os-release
This specifes two new optional fields for /etc/os-release:
IMAGE_VERSION= and IMAGE_ID= that are supposed to identify the image of
the current booted system by name and version.

This is inspired by the versioning stuff in
https://github.com/systemd/mkosi/pull/683.

In environments where pre-built images are installed and updated as a
whole the existing os-release version/distro identifier are not
sufficient to describe the system's version, as they describe only the
distro an image is built from, but not the image itself, even if that
image is deployed many times on many systems, and even if that image
contains more resources than just the RPMs/DEBs.

In particular, "mkosi" is a tool for building disk images based on
distro RPMs with additional resources dropped in. The combination of all
of these together with their versions should also carry an identifier
and version, and that's what IMAGE_VERSION= and IMAGE_ID= is supposed to
be.
2021-03-31 10:46:22 +02:00
Zbigniew Jędrzejewski-Szmek
a2dc3adef2
Merge pull request #18990 from yuwata/network-dhcpv6-use-domains
network: also introduce UseDomains= for [DHCPv6] section
2021-03-31 10:38:37 +02:00
Lennart Poettering
e0b4bc239f machine-id-setup: support --image= mode 2021-03-31 10:35:31 +02:00
Lennart Poettering
f9d8325e69
Merge pull request #18971 from poettering/sysusers-creds
let's read LoadCredentials=/SetCredentials= style cred in sysusers/firstboot and when asking for passwords
2021-03-31 10:35:17 +02:00
Henri Chain
cb0e818f7c Introduce ExitType 2021-03-31 10:26:07 +02:00
Lennart Poettering
8806bb4bc7 ask-password: when querying for a password, try to read from credential store first
This adds generic support for the SetCredential=/LoadCredential= logic
to our password querying infrastructure: if a password is requested by a
program that has a credential store configured via
$CREDENTIALS_DIRECTORY we'll look in it for a password.

The "systemd-ask-password" tool is updated with an option to specify the
credential to look for.
2021-03-26 12:21:56 +01:00
Lennart Poettering
f6ab6199a2 man: document in nspawn docs how to make use of the new firstboot/sysusers features 2021-03-26 12:21:37 +01:00
Lennart Poettering
416f7b3a11 firstboot: allow provisioning of firstboot params via creds too 2021-03-26 12:21:18 +01:00