path: root/docs
Commit message | Author | Age | Files | Lines
...
* user-record: Add blobDirectory and blobManifest | Adrian Vovk | 2024-02-19 | 2 | -5/+21
|   These fields are used to connect a JSON user record to its blob directory, and to include the directory's contents in the record's signature
* Document blob directory behavior | Adrian Vovk | 2024-02-19 | 2 | -0/+131
|   We're documenting the behavior of blob directories here. These docs refer to things that aren't yet implemented at the time of the commit, but will be later in the same PR.
* Merge pull request #31320 from DaanDeMeyer/versioning | Daan De Meyer | 2024-02-15 | 1 | -14/+16
|\
| |   meson: Start adding devel and rc suffixes to the project version
| * meson: Start adding devel and rc suffixes to the project version | Daan De Meyer | 2024-02-14 | 1 | -14/+16
| |   Let's make sure that versions generated by meson-vcs-tag.sh always sort higher than official and stable releases. We achieve this by immediately updating the meson version in meson.build after a new release. To make sure this version always sorts lower than future rcs, we suffix it with "~devel" which will sort lower than "~rcX". The new release workflow is to update the version in meson.build for each rc and the official release and to also update the version number after a new release to the next development version. The full version is exposed as PROJECT_VERSION_FULL and used where it makes sense over PROJECT_VERSION. We also switch to reading the version from a meson.version file in the repo instead of hardcoding it in meson.build. This makes it easier to access both inside and outside of the project. The meson-vcs-tag.sh script is rewritten to query the version from meson.version instead of passing it in via the command line. This makes it easier to use outside of systemd since users don't have to query the version themselves first.
| * docs: Use v255~rc1 instead of v255-rc1 | Daan De Meyer | 2024-02-14 | 1 | -1/+1
| |   This gets the point across better that we want the rc to sort lower than the official release.
* | user-record: add fields for a fallback home dir + shell | Lennart Poettering | 2024-02-14 | 1 | -0/+14
|/
|   This adds fields to the user record logic to allow a "fallback" home directory and shell to be set as part of the "status" section of the user record, i.e. supplied by the manager of the user record. The idea is that if the fallback homedir/shell is set it will take precedence over the real one in most ways. Usecase: let's try to make ssh logins into homed directories work. systemd-homed would set a fallback shell/homedir for inactive home dirs. Thus, when ssh logins take place via key auth, we can allow them, and these fallback session params would be used because the real home cannot be activated just yet because we cannot acquire any password for it from the user.
* user-record: Add languages field | Adrian Vovk | 2024-02-13 | 1 | -5/+16
|   This field is like preferredLanguage, but takes a priority list of languages instead. If an app isn't translated into a user's primary language, it can fall back to one of the other languages in the list thus making the app more accessible to the user. For instance: in my experience, many Ukrainians are fluent in Russian, often significantly better than English (especially if they are of a generation that grew up during the USSR). Such a person might set this new variable to ["uk_UA.UTF-8", "ru_UA.UTF-8"] so that software that lacks Ukrainian translations will first try Russian translations before defaulting to English.
|
|   Fixes #31290
* Use tilde for rc tag versioning | Daan De Meyer | 2024-02-13 | 1 | -1/+1
|   tilde sorts lower in the version comparison spec:
|   https://uapi-group.org/specifications/specs/version_format_specification/
|
|   ➜ systemd git:(strip) systemd-analyze compare-versions 249\~rc1 249
|   249\~rc1 < 249
|   ➜ systemd git:(strip) systemd-analyze compare-versions 249-rc1 249
|   249-rc1 > 249
|
|   Also update tools/meson-vcs-tag.sh to use carets instead of hyphens for the git part of the version as carets are allowed to be part of a version by pacman while hyphens are not and both sort higher than a version without the git part.
* openssl: add helper to load key from provider/engine | Luca Boccassi | 2024-02-09 | 1 | -0/+8
|   It's not the literal private key, but EVP_PKEY becomes a reference to the engine/provider that OpenSSL knows how to use later
* Merge pull request #30847 from keszybz/some-docs-updates | Lennart Poettering | 2024-01-31 | 1 | -16/+16
|\
| |   Some docs updates
| * docs/UID-GIDS: use the modern spellings of pkg-config variables | Zbigniew Jędrzejewski-Szmek | 2024-01-24 | 1 | -5/+5
| |
| * docs/UID-GIDS: mention that ranges are actually configurable | Zbigniew Jędrzejewski-Szmek | 2024-01-24 | 1 | -11/+11
| |   It's silly for our docs to say that they aren't when we added support for this a few years ago. Also, drop some mentions of "runtime". This implied that those values can be changed almost at will, but actually, they can only be meaningfully changed _before_ the allocations are made.
* | core: add SYSTEMD_VERITY_SHARING env var for local development | Luca Boccassi | 2024-01-26 | 1 | -0/+3
| |   When running an image that cannot be mounted (e.g.: key missing intentionally for development purposes), there's a retry loop that takes some time and slows development down. Add an env var to disable it.
* | Remove a few references to dracut | Daan De Meyer | 2024-01-24 | 2 | -7/+4
| |   Let's remove some explicit references to dracut as we prefer initrds built with mkosi these days.
* | docs: Fix typo in USER_RECORD | Adrian Vovk | 2024-01-19 | 1 | -1/+1
| |
* | varlink: also honour new env var $SYSTEMD_VARLINK_LISTEN in varlink_server_listen_auto() | Lennart Poettering | 2024-01-16 | 1 | -0/+5
| |   varlink_server_listen_auto() is supposed to be the one-stop solution for turning simple command line tools into IPC services. They aren't easy to test/debug however, since you have to invoke them through a service manager. Let's make this easier: if the SYSTEMD_VARLINK_LISTEN env var is set, let's listen on the socket specified therein. This makes things easier to gdb: just run the service from the cmdline.
* | mkosi: Build a directory image by default | Daan De Meyer | 2024-01-12 | 1 | -0/+17
| |   Both building and booting a directory image is much faster than building or booting a disk image so let's default to a directory image. In CI, we stick to a disk image to make sure that keeps working as well. The only extra dependency this introduces is virtiofsd which is packaged in all distributions except Debian stable. For users hacking on systemd on Debian stable, a disk image can be built by writing the following to mkosi.local.conf:
| |
| |   ```
| |   [Output]
| |   Format=disk
| |   ```
* | doc: document new /run/host/ inodes in container interface doc | Lennart Poettering | 2024-01-11 | 1 | -0/+24
|/
* sd-bus: also intrepret $SYSTEMD_SSH env var | Lennart Poettering | 2024-01-08 | 1 | -1/+2
|   To make things symmetric to the $SYSTEMD_SSH logic that the varlink transport supports, let's also honour such a variable in sd-bus when picking ssh transport.
* varlink: add "ssh:" transport | Lennart Poettering | 2024-01-08 | 1 | -0/+5
|   This uses openssh 9.4's -W support for AF_UNIX. Unfortunately older versions don't work with this, and I couldn't figure a way that would work for older versions too, would not be racy and where we could still keep track of the forked off ssh process. Unfortunately, on older versions -W will just hang (because it tries to resolve the AF_UNIX path as regular host name), which sucks, but hopefully this issue will go away sooner or later on its own, as distributions update. Fedora is still stuck at 9.3 at the time of posting this (even on Fedora), even though 9.4, 9.5, 9.6 have all already been released by now.
|
|   Example:
|   varlinkctl call -j ssh:root@somehost:/run/systemd/io.systemd.Credentials io.systemd.Credentials.Encrypt '{"text":"foobar"}'
* udev: add upper bound of 5 hours to SYSTEMD_UDEV_EXTRA_TIMEOUT_SEC= | Luca Boccassi | 2024-01-04 | 1 | -1/+2
|   Follow-up for b16c6076cb334c9da9602d4bafbf60381d6d630e
|
|   CID#1533111
* udev: wait for an extra time before the manager kills workers | Yu Watanabe | 2024-01-02 | 1 | -0/+6
|   Otherwise, udev workers cannot detect slow programs invoked by IMPORT{program}=, PROGRAM=, or RUN=, and whole worker process may be killed.
|
|   Fixes #30436.
|
|   Co-authored-by: sushmbha <sushmita.bhattacharya@oracle.com>
* Add $SYSTEMD_HWDB_UPDATE_BYPASS (#30463) | Daan De Meyer | 2023-12-14 | 1 | -0/+8
|   Same as $KERNEL_INSTALL_BYPASS, but for hwdb. This will speed up cross architecture image builds in mkosi as I can disable package managers from running the costly hwdb update stuff in qemu user mode and run it myself with a native systemd-hwdb with --root=.
* docs/CREDENTIALS: Don't write authorized_keys with executable bits | Colin Walters | 2023-12-14 | 1 | -1/+1
|   No reason to make this file executable.
* RELEASE: mark a few items for the final step | Luca Boccassi | 2023-12-06 | 1 | -2/+2
|   Doesn't make much sense to push RCs to the stable repository, just do that in the final tag push
* mkosi: Drop building custom kernel logic | Daan De Meyer | 2023-11-29 | 1 | -20/+0
|   Now that mkosi-kernel is a thing, this logic in systemd is just mostly bitrotting since I just use mkosi-kernel these days. If I ever need to hack on systemd and the kernel in tandem, I'll just add support for building systemd to mkosi-kernel instead, so let's drop the support for building a custom kernel in systemd's mkosi configuration.
* Merge pull request #30236 from DaanDeMeyer/mkosi | Daan De Meyer | 2023-11-28 | 2 | -7/+6
|\
| |   Update to mkosi v19
| * Update to mkosi v19 | Daan De Meyer | 2023-11-28 | 2 | -7/+6
| |   - Use mkosi.images/ instead of mkosi.presets/
| |   - Use the .chroot suffix to run scripts in the image
| |   - Use BuildSources= match for the kernel build
| |   - Move 10-systemd.conf to mkosi.conf and rely on mkosi.local.conf for local configuration
* | shared/cryptsetup-util: build problematic code only in developer mode | Zbigniew Jędrzejewski-Szmek | 2023-11-28 | 1 | -1/+2
|/
|   This code doesn't link when gcc+lld is used:
|
|   $ LDFLAGS=-fuse-ld=lld meson setup build-lld && ninja -C build-lld udevadm
|   ...
|   ld.lld: error: src/shared/libsystemd-shared-255.a(libsystemd-shared-255.a.p/cryptsetup-util.c.o): symbol crypt_token_external_path@@ has undefined version
|   collect2: error: ld returned 1 exit status
|
|   As a work-around, restrict it to developer mode.
|
|   Closes https://github.com/systemd/systemd/issues/30218.
* docs/RELEASE.md: retain systemd.io in IRC topic update | Luca Boccassi | 2023-11-14 | 1 | -1/+1
|
* doc: some trivial cleanups to MEMORY_PRESSURE.md | Vito Caputo | 2023-11-14 | 1 | -30/+28
|
* storagetm: expose more useful metadata for nvme block devices | Lennart Poettering | 2023-11-13 | 1 | -0/+11
|   don't let the devices be announced just as model "Linux". Let's instead propagate the underlying block device's model. Also do something reasonably smart for the serial and firmware version fields.
* Fix some typos in RESOLVED-VPNS.md | Jeremy Fleischman | 2023-11-12 | 1 | -5/+5
|
* man,doc: document some aspects of user record management/homed a bit better | Lennart Poettering | 2023-11-08 | 1 | -14/+26
|   Fixes: #29759
* tree-wide: s/life-cycle/lifecycle/g | Zbigniew Jędrzejewski-Szmek | 2023-11-06 | 1 | -1/+1
|
* docs: fix title levels, remove unneded words | Zbigniew Jędrzejewski-Szmek | 2023-11-06 | 3 | -9/+9
|   The title applies to the whole page, not just the first section. And there should be just one title ('# foo') in a given document.
* portable: add support for confext | Maanya Goenka | 2023-11-03 | 1 | -7/+9
|   Support confexts for portable services
* nspawn: allow disabling os-release check | Frantisek Sumsal | 2023-11-03 | 1 | -0/+4
|   Introduce a new env variable $SYSTEMD_NSPAWN_CHECK_OS_RELEASE, that can be used to disable the os-release check for bootable OS trees. Useful when trying to boot a container with empty /etc/ and bind-mounted /usr/.
|
|   Resolves: #29185
* firewall: allow selecting firewall backend via env var | Lennart Poettering | 2023-11-03 | 1 | -0/+6
|
* crytsetup: allow overriding the token .so library path via an env var | Lennart Poettering | 2023-11-02 | 1 | -0/+5
|   I tried to get something similar upstream:
|
|   https://gitlab.com/cryptsetup/cryptsetup/-/issues/846
|
|   But no luck, it was suggested I use ELF interposition instead. Hence, let's do so (but not via ugly LD_PRELOAD, but simply by overriding the relevant symbol natively in our own code). This makes debugging tokens a ton easier.
* doc: document explicitly when we require specific top-level mounts to be established | Lennart Poettering | 2023-10-30 | 1 | -0/+72
|
* nspawn: allow user-specified MAC address on container side | Raul Cheleguini | 2023-10-25 | 1 | -0/+6
|   Introduce the environment variable SYSTEMD_NSPAWN_NETWORK_MAC to allow user-specified MAC address on container side.
* man,docs: suffix directories with / | Mike Yuan | 2023-10-21 | 1 | -1/+1
|
* Merge pull request #29630 from DaanDeMeyer/manager-json | Daan De Meyer | 2023-10-20 | 1 | -8/+5
|\
| |   Various refactoring in preparation for adding JSON dump to pid 1
| * mkosi: Use RuntimeTrees= to mount sources | Daan De Meyer | 2023-10-20 | 1 | -8/+5
| |   Instead of using ExtraTrees=, let's use the new RuntimeTrees= option to mount the full repository into the VM/container. Let's also store the sources under /usr/src/systemd and update the gdbinit file and vscode HACKING guide section to match the new location.
* | Merge pull request #29626 from bluca/auto_soft_reboot | Luca Boccassi | 2023-10-20 | 1 | -0/+7
|\ \
| | |   systemctl: automatically softreboot/kexec if set up on reboot
| * | systemctl: automatically softreboot/kexec if set up on reboot | Luca Boccassi | 2023-10-20 | 1 | -0/+7
| |/
| |   Automatically softreboot if the nextroot has been set up with an OS tree, or automatically kexec if a kernel has been loaded with kexec --load. Add SYSTEMCTL_SKIP_AUTO_KEXEC and SYSTEMCTL_SKIP_AUTO_SOFT_REBOOT to skip the automated switchover.
* / credentials: document that their path is stable for system services | Joerg Behrmann | 2023-10-20 | 1 | -1/+6
|/
* sd-boot: add way to disable the 100ms delay when timeout=0 | Emil Velikov | 2023-10-17 | 1 | -2/+4
|   Currently we have a 100ms delay which allows for people to enter/show the boot menu even when timeout is set to zero.
|
|   In a handful of cases, that may not be needed - both in terms of access policy, as well as latency.
|
|   For example: the option to provide the boot menu may be hidden behind an "expert only" UX in the OS, to avoid end users from accidentally entering it.
|
|   In addition, the current 100ms input polling may cause unexpected additional delays in the boot.
|
|   Some example numbers from my SteamDeck:
|   - boot counting/rename/flush doubles 300us -> 600us
|   - seed/hash setup doubles 900us -> 1800us
|   - kernel/image load gets ~40% slower 107ms -> 167ms
|
|   It's not entirely clear why the UEFI calls get slower, nevertheless the information in itself proves useful.
|
|   This commit introduces a new option "menu-disabled", which omits the 100ms delay. The option is documented throughout the manual pages as well as the Boot Loader Specification.
|
|   v2:
|   - use STR_IN_SET
|
|   v3:
|   - drop erroneous whitespace
|
|   v4:
|   - add a new LoaderFeature bit,
|   - don't change ABI keep TIMEOUT_* tokens the same
|   - move new token in the 64bit range, update API and storage for it
|   - change inc/dec behaviour to TIMEOUT_MIN : TIMEOUT_MENU_FORCE
|   - user cannot opt-in from sd-boot itself, add assert_not_reached()
|
|   v5:
|   - s/Menu disablement control/Menu can be disabled/
|   - rewrap comments to 109
|   - use SYNTHETIC_ERRNO(EOPNOTSUPP)
|
|   Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
* docs/BOOT_LOADER_INTERFACE: mention that menu-* options are strings | Emil Velikov | 2023-10-17 | 1 | -1/+2
|   To be on the safe side, explicitly mention that apart from the numerical entries we can allow string ones.
|
|   Implementation-wise, bootctl will use internal numerical values that match sd-boot's ABI. The latter also accepts the string options.
|
|   Going forward we'd like to avoid adding more internal magic and be more explicit.
|
|   Signed-off-by: Emil Velikov <emil.velikov@collabora.com>