| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |\
| |
| | |
New capsule@.service feature
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
This new passive target is supposed to be pulled in by SSH
implementations and should be reached when remote SSH access is
possible. The idea is that this target can be used as indicator for
other components to determine if and when SSH access is possible.
One specific usecase for this is the new sd_notify() logic in PID 1 that
sends its own supervisor notifications whenever target units are
reached. This can be used to precisely schedule SSH connections from
host to VM/container, or just to identify systems where SSH is even
available.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Distributions apparently only compile a subset of TPM2 drivers into the
kernel. For those not compiled it but provided as kmod we need a
synchronization point: we must wait before the first TPM2 interaction
until the driver is available and accessible.
This adds a tpm2.target unit as such a synchronization point. It's
ordered after /dev/tpmrm0, and is pulled in by a generator whenever we
detect that the kernel reported a TPM2 to exist but we have no device
for it yet.
This should solve the issue, but might create problems: if there are TPM
devices supported by firmware that we don't have Linux drivers for we'll
hang for a bit. Hence let's add a kernel cmdline switch to disable (or
alternatively force) this logic.
Fixes: #30164
|
| | |
|
| |
|
|
|
| |
This is just a slight markup improvement; there should be no difference
in rendering.
|
| | |
|
| |
|
|
|
|
|
|
| |
As I noticed a lot of missing information when trying to implement checking
for missing info. I reimplemented the version information script to be more
robust, and here is the result.
Follow up to ec07c3c80b2b1bfa6788500202006ff85f5ae4f4
|
| |
|
|
|
|
|
|
| |
This tries to add information about when each option was added. It goes
back to version 183.
The version info is included from a separate file to allow generating it,
which would allow more control on the formatting of the final output.
|
| |
|
|
|
| |
This will be used by the next commit to add version information to the
nodes.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This is required when / is immutable and cannot be written at runtime.
Co-authored-by: Richard Hughes <richard@hughsie.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In most cases we refernced the concept as "initrd". Let's convert most
remaining uses of "initramfs" to "initrd" too, to stay internally
consistent.
This leaves "initramfs" only where it's relevant to explain historical
concepts or where "initramfs" is part of the API (i.e. in
/run/initramfs).
Follow-up for: b66a6e1a5838b874b789820c090dd6850cf10513
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
All wiki pages that contain a deprecation banner
pointing to systemd.io or manpages are updated to
point to their replacements directly.
Helpful command for identification of available links:
git grep freedesktop.org/wiki | \
sed "s#.*\(https://www.freedesktop.org/wiki[^ $<'\\\")]*\)\(.*\)#\\1#" | \
sort | uniq
|
| |
|
|
|
|
|
| |
This adds support for dm integrity targets and an associated
/etc/integritytab file which is required as the dm integrity device
super block doesn't include all of the required metadata to bring up
the device correctly. See integritytab man page for details.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
synthetic network interfaces have been created
Prompted by: #18793
|
| |
|
|
|
|
| |
other hosts
Let's make things a tiny bit more explicit.
|
| |
|
|
| |
The man page otherwise looks very weirdly aligned.
|
| |
|
|
| |
Fixes #18397.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the support for veritytab.
The veritytab file contains at most five fields, the first four are
mandatory, the last one is optional:
- The first field contains the name of the resulting verity volume; its
block device is set up /dev/mapper/</filename>.
- The second field contains a path to the underlying block data device,
or a specification of a block device via UUID= followed by the UUID.
- The third field contains a path to the underlying block hash device,
or a specification of a block device via UUID= followed by the UUID.
- The fourth field is the roothash in hexadecimal.
- The fifth field, if present, is a comma-delimited list of options.
The following options are recognized only: ignore-corruption,
restart-on-corruption, panic-on-corruption, ignore-zero-blocks,
check-at-most-once and root-hash-signature. The others options will
be implemented later.
Also, this adds support for the new kernel verity command line boolean
option "veritytab" which enables the read for veritytab, and the new
environment variable SYSTEMD_VERITYTAB which sets the path to the file
veritytab to read.
|
| |
|
|
| |
Co-authored-by: Alexander Batischev <eual.jp@gmail.com>
|
| |
|
|
|
|
|
|
| |
Let's link the three man pages together more tightly and explain what
the two targets are about, emphasizing local/quick/reliable/approximate
vs remote/slow/unreliable/accurate synchronization.
Follow-up for: 1431b2f701f7ba71e5d8664e709b1fad26797918 fe934b42e480473afba8a29a4a0d3d0e789543ac
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* man: Advertise systemd-time-wait-sync.service more
The description of time-sync.target says that NTP services *should* pull
that target, but doesn't mention that e.g. systemd-timesyncd.service
doesn't actually do that. As a result, time-sync.target is reached way
earlier than people expect; see #5097, #8861, #11008.
systemd provides systemd-time-wait-sync.service to ameliorate this
problem, but doesn't feature it prominently in relevant manpages. In
fact, it's only mentioned in passing in systemd-timesyncd.service(8). As
a result, I ended up re-implementing that service, and I'm not the first
one: https://github.com/NixOS/nixpkgs/pull/51338
This patch adds a mention right in the description of time-sync.target,
which will hopefully raise awareness of this helper service.
|
| |\
| |
| | |
Use app.slice by default in user manager (and define special user slices)
|
| | |
| |
| |
| | |
Add documentation for the special slice user slice units.
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
| |
This reverts commit 6c5496c492a8d74e54d22bf8824160cab1e63c10.
sysinit.target is shared between the initrd and the host system. Pulling in
initrd-cryptsetup.target into sysinit.target causes the following warning at
boot:
Oct 27 10:42:30 workstation-uefi systemd[1]: initrd-cryptsetup.target: Starting requested but asserts failed.
Oct 27 10:42:30 workstation-uefi systemd[1]: Assertion failed for initrd-cryptsetup.target.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For encrypted block devices that we need to unlock from the initramfs,
we currently rely on dracut shipping `cryptsetup.target`. This works,
but doesn't cover the case where the encrypted block device requires
networking (i.e. the `remote-cryptsetup.target` version). That target
however is traditionally dynamically enabled.
Instead, let's rework things here by adding a `initrd-cryptsetup.target`
specifically for initramfs encrypted block device setup. This plays the
role of both `cryptsetup.target` and `remote-cryptsetup.target` in the
initramfs.
Then, adapt `systemd-cryptsetup-generator` to hook all generated
services to this new unit when running from the initrd. This is
analogous to `systemd-fstab-generator` hooking all mounts to
`initrd-fs.target`, regardless of whether they're network-backed or not.
|
| |
|
|
|
|
|
| |
Add a new target for synchronizing units that wish to run once during
the first boot of the system. The machine-id will be committed to disk
only after the target has been reached, thus ensuring that all units
ordered before it had a chance to complete.
|
| | |
|
| |
|
|
| |
This is almost all of #17177.
|
| |
|
|
| |
For #17177.
|
| |
|
|
|
|
|
| |
For users, the square brackets already serve as markup and clearly delineate
the section name from surrounding text. Putting additional markup around that
only adds clutter. Also, we were very inconsistent in using the quotes. Let's
just drop them altogether.
|
| |
|
|
| |
Fixes #16363. Also includes some changes where I generalized the pattern.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Based on an internal discussion whether emergency.target should remount disks
ro, or maybe remount them rw, or do nothing. In some cases people want to boot
ro, and always remounting rw would break that. In other cases, remounting disks
ro after they have already been mounted rw is mostly pointless and might even
not be possible. So let's just document that we don't change the state.
Also: any→other, since emergency.service *is* pulled in.
Also: just advertise "emergency" as the way to boot into the target.
We are not going to remove this option, and it's way easier to type than
"systemd.unit=emergency.target".
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This generator can be used by desktop environments to launch autostart
applications and services. The feature is an opt-in, triggered by
xdg-desktop-autostart.target being activated.
Also included is the new binary xdg-autostart-condition. This binary is
used as an ExecCondition to test the OnlyShowIn and NotShowIn XDG
desktop file keys. These need to be evaluated against the
XDG_CURRENT_DESKTOP environment variable which may not be known at
generation time.
Co-authored-by: Henri Chain <henri.chain@enioka.com>
|
| |
|
|
|
|
|
|
|
| |
For whatever reason, this does not get rendered propely in the man
page and results in an invalid code:
W: manual-page-warning /usr/share/man/man7/systemd.special.7.gz 103: warning: macro `AQ' not defined
We say 'user manager' and 'system manager' in most other places, so let's just
use this form here too.
|
| |
|
|
|
|
| |
In particular, let's just say "is" and "must" instead of "may be" and
"should". The weaker forms are obviously correct, but the text is easier to
understand if non-conditional forms are used.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Discussed in #13743, the -.service semantic conflicts with the
existing root mount and slice names, making this feature not
uniformly extensible to all types. Change the name to be
<type>.d instead.
Updating to this format also extends the top-level dropin to
unit types.
|
| |
|
|
| |
Closes #12830
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
time-sync.target is supposed to indicate system clock is synchronized
with a remote clock, but as used through 241 it only provided a system
clock that was updated based on a locally-maintained timestamp. Systems
that are powered off for extended periods would not come up with
accurate time.
Retain the existing behavior using a new time-set.target leaving
time-sync.target for cases where accuracy is required.
Closes #8861
|
