--oem can be used to only install OEM partitions (usr, verity,
verity-sig, ...). OEM= is used to indicate OEM partitions. If unset,
defaults to !FactoryReset. We also add a credential repart.oem to
allow configuring --oem via a credential.
Let's allow the combination of these two options. When used, repart
will first try to apply the CopyBlocks= behavior. If that's not possible,
it falls back to the CopyFiles= behavior.
This is a first step in being able to also use the partition definition
files shipped in the image to build the image in mkosi instead of having
a separate set of repart definition files to build the image.
Two documentation updates
The descriptions of various options are reworked: first say what the protocol
actually is, i.e. describe what type of notification the manager waits
for. Only after that describe various steps and things the service should
do. Also, apply some paragraph breaks.
Instead of recommending Type=simple, recommend Type=exec. Say explicitly that
Type=simple, Type=forking are not recommended. Type=simple ignores failure in a
way that doesn't make any sense except as a historical accident. We introduced
'exec' instead of changing 'simple' to keep backwards-compatibility, but
'simple' is not very useful. 'forking' works, but is inefficient: correctly
programming the interface requires a lot of work, and at runtime, the
additional one or two forks are just a waste of CPU resources. Furthermore, we
now understand that because of COW traps, they may also increase memory
requirements. There is really no reason to use 'forking', except if it's
already implemented and the code cannot be changed to use 'notify'.
Also, remove the recommendations to use Type=simple to avoid delaying boot. In
most cases, if the service can support notifications about startup, those
should be done.
Overall, for new services, "notify", "notify-reload", and "dbus" are the
types that make sense.
Added show-server-state verb to resolvectl
Added DumpStatistics and ResetStatistics methods to varlink
RFC4861 Neighbor Discovery – Sections 4.2 and 6.3.4
From section 4.2. Router Advertisement Message Format:
Cur Hop Limit 8-bit unsigned integer. The default value that
should be placed in the Hop Count field of the IP
header for outgoing IP packets. A value of zero
means unspecified (by this router).
The setting has never worked, is not tested, and should not be
used, as the option is RFC-incompliant. Let's drop it.
Closes #25562.
networkd: allow setting rp_filter for an interface
As previously announced, execute order 66:
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
The meson options split-usr, rootlibdir and rootprefix become no-ops
that print a warning if they are set to anything other than the
default values. We can remove them in a future release.
network: DHCP4 allow to set InitialCongestionWindow and InitialAdvert…
InitialAdvertisedReceiveWindow
ukify: add an option to read the PE sections
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
fstab-generator: fixes for systemd.mount-extra=
Previously, mounts specified in systemd.mount-extra= are equally handled
both in initrd and the main system. So, the mounts for the main system
are also mounted in initrd.
This introduces rd.systemd.mount-extra=, which specifies mounts in initrd.
Then, mounts specified in systemd.mount-extra= are still mounted both in
initrd and the main system, but prefixed with /sysroot/ when running in
initrd.
Fixes #28516.
Having surviving processes is not ready yet as a feature, so ensure
everything is killed on the transition for now
The feature is not ready, postpone it
This reverts commit b80fc61e8971283606f9cd0a48e31d0f701c82f1.
mkfs-util: Escape spaces with slashes in protofile format
As it says on the tin, configures the unit to survive a soft reboot.
Currently all the following options have to be set by hand:
Conflicts=reboot.target kexec.target poweroff.target halt.target
Before=reboot.target kexec.target poweroff.target halt.target
After=sysinit.target basic.target
DefaultDependencies=no
IgnoreOnIsolate=yes
This is not very user friendly. If new default dependencies are added,
or new shutdown/reboot types, they also have to be added manually.
The new option is much simpler, easy to find, and does the right thing
by default.
run: disable --expand-environment by default for --scope
The intention was to have this option enabled by default everywhere,
but unfortunately at least one case was found where it breaks
compatibility of a program using systemd-run --scopes and expecting
variables not to be expanded:
https://sources.debian.org/src/pbuilder/0.231/pbuilder-checkparams/#L400
Example run:
systemd-run --quiet --scope --description=pbuilder_build_xfce4-notes-plugin_1.10.0-1.dsc '--slice=system-pbuilder-build-xfce4\x2dnotes\x2dplugin_1.10.0\x2d1-449932.slice' chroot /var/cache/pbuilder/build/449932 dpkg-query -W '--showformat=${Version}' apt
Restore backward compatibility and make the option disabled by default
when --scope is used, and enabled by default for other types.
In case --expand-environment is not specified and a '$' character is
detected, print a warning to nudge users toward specifying the
parameter as needed. In the future we can then flip the default.
Follow-up for 2ed7a221fafb25eea937c4e86fb88ee501dba51e
Follow-up for #28476.
https://github.com/systemd/systemd/pull/28407#issuecomment-1640900239
core: copy the host's os-release for /run/host/os-release
Currently for portable services we automatically add a bind mount
os-release -> /run/host/os-release. This becomes problematic for the
soft-reboot case, as it's likely that portable services will be configured
to survive it, and thus would forever keep a reference to the old host's
os-release, which would be a problem because it becomes outdated, and also
it stops the old rootfs from being garbage collected.
Create a copy when the manager starts under /run/systemd/propagate instead,
and bind mount that for all services using RootDirectory=/RootImage=, so
that on soft-reboot the content gets updated (without creating a new file,
so the existing bind mounts will see the new content too).
This expands the /run/host/os-release protocol to more services, but I
think that's a nice thing to have too.
Closes https://github.com/systemd/systemd/issues/28023
As mentioned in the NEWS entry, it seems to see very little use, but adds
complexity in our code. It was added mainly with the goal of making it easier
for people using grub2 to modify their boot configuration, but grub2 is gaining
support for BLS snippets. On the systemd side, we now have credentials. So
let's deprecate this, and if there's no outcry, remove it in a few releases.
https://www.rfc-editor.org/rfc/rfc4035.html#section-3.2.1 says a
security-aware recursive name server MUST set the DO bit when sending
requests. systemd-resolved does not do that by design. State it more
clearly in the manual page. Unlike other implementations, it disables not
only validation, as stated, but complete DNSSEC awareness.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Restore ordering between vconsole-setup and firstboot services
This reverts commit e019ea738d63d5f7803f378f8bd3e074d66be08f.
In the new approach, a lock on /dev/console will be used. This lock will solve
the issue for services which run in early boot. Services which run later are
ordered after sysinit.target, so they'll run much later anyway so this
automatic dependency is not useful. Let's remove it again to make the code
simpler.
This way, we don't start user interaction before (or while) the configured
fonts are loading.
Tweak the comments a bit while at it.
network: cleanups for route table name
Behavior on a constantly failing (or oneshot) unit was unclear. Let's
document it here.
service: add new RestartMode option
When this option is set to direct, the service restarts without entering a failed
state. Dependent units are not notified of transitory failure.
This is useful for the following use case:
We have a target with Requires=my-service, After=my-service.
my-service.service is a oneshot service and has Restart=on-failure in
its definition.
my-service.service can get stuck for various reasons and time out, in
which case it is restarted. Currently, when it fails the first time, the
target fails, even though my-service is restarted.
The behavior we're looking for is that until my-service is not restarted
anymore, the target stays pending waiting for my-service.service to
start successfully or fail without being restarted anymore.
Detect and expose the confidential virtualization technology in various places
Related: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This reports the confidential virtualization type that was detected
Related: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This property reports whether the system is running inside a confidential
virtual machine.
Related: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The "cvm" flag indicates whether the OS is running inside a confidential
virtual machine.
Related: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The --list-cvm option reports the known types of confidential virtualization
technology that can be detected.
Related: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The --cvm option detects whether the OS is running inside a confidential
virtual machine.
Related: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>