summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ask-password: Allow configuring the keyring timeout via an environment variableDaan De Meyer2024-10-302-4/+37
| | | | | | | | | | | | | | | | In mkosi, we want an easy way to set the keyring timeout for every tool we invoke that might use systemd-ask-password to query for a password which is then stored in the kernel keyring. Let's make this possible via a new $SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC environment variable. Using an environment variable means we don't have to modify every separate tool to add a CLI option allowing to specify the timeout. In mkosi specifically, we'll set up a new session keyring for the mkosi process linked to the user keyring so that any pins in the user keyring are used if available, and otherwise we'll query for and store password in mkosi's session keyring with a zero timeout so that they stay in the keyring until the mkosi process exits at which point they're removed from the keyring.
* logind: add BlockWeakInhibited propertyLuca Boccassi2024-10-304-10/+21
| | | | | Fixes https://github.com/systemd/systemd/issues/34091 Follow-up for 804874d26ac73e0af07c4c5d7165c95372f03f6d
* core: make mount(8) and swapon(8) inherit SMACK label from systemdŁukasz Stelmach2024-10-302-0/+6
| | | | | | | | | By default mount(8), umount(8), swapon(8) and swapoff(8) should run with with the SMACK label inherited from systemd rather than the default one meant for services. Fixes: aa5ae9711ef3cd0c69b7fcfbd65bca05fb704a8a Follow-up-for: 20bbf5ee4c6c80599a91e7a4b7474e931a27db4a
* coredump: AccessContainer= bunch of followups (#34333)Luca Boccassi2024-10-306-85/+150
|\ | | | | Fixes #34130
| * test: add test coverage for EnterNamespace=Michal Sekletar2024-10-302-1/+33
| |
| * coredump: return correct error variableMichal Sekletár2024-10-301-1/+1
| |
| * coredump: rename AccessContainer= to EnterNamespace=Michal Sekletar2024-10-303-9/+11
| |
| * coredump: rework gather_pid_mount_tree_fd()Michal Sekletar2024-10-301-17/+29
| |
| * coredump: use FORK_WAITMichal Sekletar2024-10-301-8/+2
| |
| * coredump: store actual fd in appropriate variableMichal Sekletar2024-10-301-3/+3
| |
| * coredump: use FORK_LOG to get more precise loggingMichal Sekletar2024-10-301-2/+2
| |
| * coredump: fix coding styleMichal Sekletar2024-10-301-1/+11
| |
| * coredump: get rid of redundant double spaceMichal Sekletar2024-10-301-1/+1
| |
| * coredump: use more appropriate return codeMichal Sekletar2024-10-301-3/+3
| |
| * coredump: check for and close unexpected FDsMichal Sekletar2024-10-301-13/+38
| |
| * coredump: fix line spacingMichal Sekletar2024-10-301-0/+1
| |
| * coredump: merge variable definitionsMichal Sekletar2024-10-301-2/+1
| |
| * coredump: rework attaching container mount treesMichal Sekletar2024-10-301-19/+18
| |
| * analyze: don't use Yoda conditionsMichal Sekletar2024-10-291-1/+1
| |
| * analyze: modernize opening ELF binary a bitMichal Sekletar2024-10-291-13/+4
| |
* | NEWS: remove duplicated entryZbigniew Jędrzejewski-Szmek2024-10-301-16/+6
| | | | | | | | | | | | | | The same item is described below. Also reflow some paragraphs (presumably indented with emacs, which does this wrong).
* | core: add EXEC_DIRECTORY_TYPE_SHALL_CHOWN() helperLennart Poettering2024-10-303-5/+12
| | | | | | | | | | | | Let's make ConfigurationDirectory= a bit less "special-casey", by hiding the fact that it's the only per-service dir we do not do chown()ing for inside of a new EXEC_DIRECTORY_TYPE_SHALL_CHOWN() helper.
* | docs: Update instructions for building distribution packages in HACKING.md ↵Lennart Poettering2024-10-301-9/+12
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | (#34941) When building distribution packages without building an image, the distribution packages will only be located in mkosi.builddir/ now and not in mkosi.output/, so update the documentation to reflect that. Also add installation instructions for distributions other than CentOS/Fedora while we're at it.
| * | docs: Update instructions for building distribution packages in HACKING.mdDaan De Meyer2024-10-301-6/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | When building distribution packages without building an image, the distribution packages will only be located in mkosi.builddir/ now and not in mkosi.output/, so update the documentation to reflect that. Also add installation instructions for distributions other than CentOS/Fedora while we're at it.
| * | docs: Align some comments in HACKING.mdDaan De Meyer2024-10-301-3/+3
| | |
* | | analyze: Add times in seconds for Activating and Activated in tooltiphugo3032024-10-301-1/+3
| | | | | | | | | | | | | | | | | | Print the times in seconds in the tooltip to remove the need to count and trying to follow the lines in the svg diagram in order to see at what times these events happen.
* | | network/tunnel: allow Local=/Remote=any for all tunnel typesYu Watanabe2024-10-301-21/+14
| | | | | | | | | | | | | | | | | | It seems there is no restriction for local and remote addresses. Fixes #34930.
* | | sd-netlink,network: do not set NLM_F_CREATE and NLM_F_EXCL flags if an ↵Yu Watanabe2024-10-305-17/+1
| | | | | | | | | | | | | | | | | | | | | | | | interface index is specified If an ifindex is specified, we are modifying the existing interface. Hence, these flags should not be set. Otherwise, the request will be refused with -EEXIST.
* | | network: skip processing netdev if it is already detached (#34935)Daan De Meyer2024-10-3010-4/+65
|\ \ \ | | | | | | | | split-out of #34909.
| * | | network/netdev: skip processing netdev if it is already detachedYu Watanabe2024-10-2910-0/+55
| | | | | | | | | | | | | | | | | | | | | | | | No functional change, as currently networkd detaches NetDev objects only on stop (or invalid .netdev file is loaded). Preparation for later commits.
| * | | network/netdev: split out netdev_attach_name_full()Yu Watanabe2024-10-291-4/+10
| | | | | | | | | | | | | | | | No functional change, preparation for later commits.
* | | | pretty-print: add format-string version of draw_progress_bar() (#34939)Daan De Meyer2024-10-309-72/+74
|\ \ \ \ | |_|/ / |/| | | | | | | We often format the prefix string via asprintf() before, let's hence add a helper for that.
| * | | pretty-print: add format-string version of draw_progress_bar()Lennart Poettering2024-10-298-58/+61
| | | | | | | | | | | | | | | | | | | | We often format the prefix string via asprintf() before, let's hence add a helper for that.
| * | | pretty-print: rename draw_progress_bar_impl()→draw_progress_bar_unbuffered()Lennart Poettering2024-10-293-14/+13
| | | |
* | | | update NEWSLennart Poettering2024-10-301-9/+52
| | | |
* | | | update TODOLennart Poettering2024-10-301-0/+11
| | | |
* | | | core/service: support sd_notify() MAINPIDFD=1 and MAINPIDFDID= (#34932)Lennart Poettering2024-10-306-79/+183
|\ \ \ \
| * | | | TEST-80-NOTIFYACCESS: don't specify --pid= if MAINPID= is provided explicitlyMike Yuan2024-10-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | Otherwise, with recent additions, the MAINPIDFDID= generated by systemd-notify would mismatch with overridden MAINPID=.
| * | | | notify: send MAINPIDFDID= for --pid= too if availableMike Yuan2024-10-291-26/+48
| | | | |
| * | | | core/service: support sd_notify() MAINPIDFD=1 and MAINPIDFDID=Mike Yuan2024-10-293-31/+115
| | | | | | | | | | | | | | | | | | | | These serve as race-free alternatives for MAINPID= notification.
| * | | | shared/fdset: minor modernizationMike Yuan2024-10-291-21/+19
| | |/ / | |/| |
* | | | network: add missing else in dhcp_lease_load (#34927)Lennart Poettering2024-10-304-1/+18
|\ \ \ \ | |_|/ / |/| | | | | | | | | | | | | | | | | | | Fixes: 3fd6708cde0f (network: Serialize DNR servers) --- Fixes: #34926
| * | | network: Restrict the valid charset of DNR namesRonan Pigott2024-10-293-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Not all possible DNS names will survive serialization. Restrict the set of valid dns names to LDH encoded names. Fixes: 25c33e350042 (network: parse RFC9463 DHCPv4 DNR option, 2024-01-16) Fixes: a07e83cc58f6 (network: Parse RFC9463 DHCPv6 DNR option, 2024-01-17) Fixes: 0c90d1d2f243 (ndisc: Parse RFC9463 encrypted DNS (DNR) option, 2024-01-19)
| * | | network: add missing else in dhcp_lease_loadRonan Pigott2024-10-292-1/+2
| | | | | | | | | | | | | | | | Fixes: 3fd6708cde0f (network: Serialize DNR servers)
* | | | busctl: minor tweak to help text for --limit-messages=Lennart Poettering2024-10-291-2/+2
| | | |
* | | | import: Draw progress barsDaan De Meyer2024-10-294-4/+69
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently every progress update results in a new progress message which is extremely verbose. Instead, let's use the progress bar infra to draw a proper progress bar similar to what we do in systemd-repart now.
* | | | progress-bar: issue Windows Terminal progress indicating ANSI sequences (#34929)Lennart Poettering2024-10-292-3/+13
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This generates the Windows Terminal OSC sequences indicating progress. This let's the terminal know that we are doing a slow operation, and how we are progressing. Windows Terminal uses this in two ways: it shows a circle in the tab that completes, and it highlights the progress in the task bar. I found no Linux terminal that currently supports it, but also none that didn't like it. Thankfully most terminals correctly ignore unrecognized OSC sequences. I think we should just merge this, and see if this trips up too many people, but I have reason to believe this shouldn't be too bad. And yes, I do work from Windows Terminal sometimes, ssh into my Linux build systems, and it is really cute seeing the progress animation there.
| * | | | meson.build: do not mark test-progress-bar as manualLennart Poettering2024-10-291-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | It will finish on its own always and cleanly, and running it always should increase test coverage.
| * | | | progress-bar: issue Windows Terminal progress indicating ANSI sequencesLennart Poettering2024-10-291-2/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This generates the Windows Terminal OSC sequences indicating progress. This let's the terminal know that we are doing a slow operation, and how we are progressing. Windows Terminal uses this in two ways: it shows a circle in the tab that completes, and it highlights the progress in the task bar. I found no Linux terminal that currently supports it, but also none that didn't like it. Thankfully most terminals correctly ignore unrecognized OSC sequences. I think we should just merge this, and see if this trips up too many people, but I have reason to believe this shouldn't be too bad. And yes, I do work from Windows Terminal sometimes, ssh into my Linux build systems, and it is really cute seeing the progress animation there.
* | | | | sysusers: optionally create fully locked accounts (#34876)Luca Boccassi2024-10-2911-16/+55
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Let's ramp up security for system user accounts, at least where possible, by creating them fully locked (instead of just with an invalid password). This matters when taking non-password (i.e. SSH) logins into account. Fixes: #13522
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-11 22:35:45 +0100