Commit log for path: root/presets
* mountfsd: add new systemd-mountfsd component
  Lennart Poettering, 2024-04-06; 1 file changed, -1/+2
* nsresourced: add new daemon for granting clients user namespaces and assigning resources to them
  Lennart Poettering, 2024-04-06; 1 file changed, -1/+2

  This adds a small, socket-activated Varlink daemon that can delegate UID ranges for user namespaces to clients asking for it. The primary call is AllocateUserRange() where the user passes in an uninitialized userns fd, which is then set up. There are other calls that allow assigning a mount fd to a userns allocated that way, to set up permissions for a cgroup subtree, and to allocate a veth for such a user namespace.

  Since the UID assignments are supposed to be transitive, i.e. not permanent, care is taken to ensure that users cannot create inodes owned by these UIDs, so that persistency cannot be acquired. This is implemented via a BPF-LSM module that ensures that any member of a userns allocated that way cannot create files unless the mount it operates on is owned by the userns itself, or is explicitly allowlisted.

  BPF LSM program with contributions from Alexei Starovoitov.
* preset: enable homed sidecar services
  Zbigniew Jędrzejewski-Szmek, 2024-02-08; 1 file changed, -0/+2

  As described in https://github.com/systemd/systemd/issues/31235, the preset state for systemd-homed-activate.service was unclear. On the one hand, we have a preset with 'enable systemd-homed.service', and systemd-homed.service has 'Also=systemd-homed-activate.service systemd-homed-firstboot.service', so 'preset systemd-homed.service' would also enable those two services, but 'preset systemd-homed-activate.service' would disable it, because the presets don't say it is enabled. It seems that this configuration is internally inconsistent.

  As described in the issue, maybe systemctl should be smarter here, or warn about such configs. Either way, let's make our config consistent.

  Follow-up for d1f6e01e4743ae94740314eeb46a162112ef4599 and 3ccadbce3358ba1db7ce5fa3f8dd17c627ffd93b.
* preset: enable confext and sysext by default (#31211)
  Maanya Goenka, 2024-02-06; 1 file changed, -0/+2
* preset: add some alphabetical sorting
  Lennart Poettering, 2024-01-23; 1 file changed, -9/+10

  I think the existing sections in the preset file make sense, but alphabetical ordering is kinda cool too. Try to find a middle ground, and at least sort within each section.

  No actual change of behaviour, just some reordering of lines.
* preset: enable systemd-networkd-wait-online.service by default
  Lennart Poettering, 2023-06-07; 1 file changed, -1/+1

  As #25459 points out, our default preset is contradictory. Let's fix that.

  This enables systemd-networkd-wait-online.service, as we enable systemd-networkd.service which enables that anyway. This is safe since network-online.target should not be pulled in by default.

  Fixes: #25459
* journal: give the ability to enable/disable systemd-journald-audit.socket
  Franck Bui, 2023-01-11; 1 file changed, -0/+1

  Before this patch the only way to prevent journald from reading the audit messages was to mask systemd-journald-audit.socket. However this had the main drawback that downstream couldn't ship the socket disabled by default (besides the fact that masking units is not supposed to be the usual way to disable them).

  Fixes #15777
* units: enable systemd-network-generator by default
  Zbigniew Jędrzejewski-Szmek, 2021-12-16; 1 file changed, -1/+1

  It is used by udevd and networkd. Since udevd is enabled statically, let's also change the preset to "on". networkd is opt-in, so let's pull in the generator when enabling networkd too.
* boot: optionally update sd-boot on boot
  Lennart Poettering, 2021-07-30; 1 file changed, -0/+1

  Boot loaders are software like any other, and hence must be updated at regular intervals. Let's add a simple (optional) service that updates sd-boot automatically from the host if it is found installed but out-of-date in the ESP.

  Note that traditional distros probably should invoke "bootctl update" directly from the package scripts whenever they update the sd-boot package. This new service is primarily intended for image-based update systems, i.e. where the rootfs or /usr are atomically updated in A/B style and where the current boot loader should be synced into the ESP from the currently booted image every now and then. It can also act as a safety net if the packaging scripts in classic systems aren't doing the bootctl update stuff themselves.

  Since updating boot loaders might be a tiny bit risky (even though we try really hard to make them robust, by fsck'ing the ESP and mounting it only on demand, by doing updates mostly as single file updates and by fsync()ing heavily) this is an optional feature, i.e. subject to "systemctl enable". However, since it's the right thing to do I think, it's enabled by default via the preset logic.

  Note that the updating logic is implemented gracefully: i.e. it's a NOP if the boot loader is already new enough, or was never installed.
* license: LGPL-2.1+ -> LGPL-2.1-or-later
  Yu Watanabe, 2020-11-09; 3 files changed, -3/+3
* preset: don't enable proc-sys-fs-binfmt_misc.mount
  Harald Seiler, 2020-10-19; 1 file changed, -0/+1

  The proc-sys-fs-binfmt_misc.mount unit should not be enabled by preset-all because it should only be used as a fallback in case proc-sys-fs-binfmt_misc.automount cannot be used on a system. In these cases it should be enabled manually by an administrator.
* Revert "presets: "disable" all passive targets by default"
  Lennart Poettering, 2020-05-26; 2 files changed, -21/+0

  This reverts commit 61c3e2c8bfc28cea5b52d8643fac3d85f4c571d2.

  The original commit doesn't make sense to me, none of the listed units have an [Install] section, they hence are not subject to enable/disable and hence not preset either. This commit hence has no effect whatsoever, let's undo it to avoid further confusion.
* preset: let's clean up preset list a bit
  Lennart Poettering, 2020-04-07; 1 file changed, -2/+6

  Let's make sure we list all singleton units we define in the preset list, either as disable or as enable. Only four were missing, let's add them in.

  Also, let's group the pstore one with the other ones that are enabled, right at the top.
* Revert "units: make systemd-repart.service installable"
  Lennart Poettering, 2020-04-02; 1 file changed, -1/+0

  This reverts commit 7e1ed1f3b29162df25064b33dc55ac8cf432bb0b.

  systemd-repart is not a user service that should be something people enable/disable, instead it should just work if there's configuration for it. It's like systemd-tmpfiles, systemd-sysusers, systemd-load-modules, systemd-binfmt, systemd-sysctl which are NOPs if they have no configuration, and thus don't hurt, but cannot be disabled since they are too deep a part of the OS.

  This doesn't mean people couldn't disable the service if they really want to, there's after all "systemctl mask" and build-time disabling, but those are OS developer facing instead of admin facing, that's how it should be.

  Note that systemd-repart is in particular an initrd service, and so far enable/disable state of those is not managed anyway via "systemctl enable/disable" but more what dracut decides to package up and what not.
* units: make systemd-userdbd.{socket,service} installable
  Zbigniew Jędrzejewski-Szmek, 2020-03-31; 1 file changed, -0/+1

  It's lightweight and generally useful, so it should be enabled by default. But users might want to disable it for whatever reason, and things should be fine without it, so let's make it installable so it can be disabled if wanted.

  Fixes #15175.
* units: make systemd-homed.service installable
  Zbigniew Jędrzejewski-Szmek, 2020-03-31; 1 file changed, -0/+1

  Fixes #15083. Users might want to disable homed if not used to save resources.
* units: make systemd-repart.service installable
  Zbigniew Jędrzejewski-Szmek, 2020-03-31; 1 file changed, -0/+1

  This essentially adds another layer of configurability: build disable, this, presence of configuration. The default is set to enabled, because the service does nothing w/o config.
* presets: enable systemd-pstore.service by default
  Zbigniew Jędrzejewski-Szmek, 2020-02-29; 1 file changed, -0/+2

  It has no effect if the pstore is not used, and prevents the non-volatile storage from filling up if it is used by the kernel.

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952767
* presets: "disable" all passive targets by default
  Zbigniew Jędrzejewski-Szmek, 2020-02-04; 2 files changed, -4/+27

  Officially we default to an "enable *", even though pretty much everybody overrides this with "disable *". We have a bunch of targets and services which should not be enabled by default. In case the default policy is not overridden, our passive units would be enabled by presets, which is generally not useful at all. So let's explicitly mark them as disabled.

  Note that this effectively changes very little. E.g. on Fedora, all the units listed in this patch were "disabled" already.

  Fixes #14648.
* Drop my copyright headers
  Zbigniew Jędrzejewski-Szmek, 2018-06-14; 1 file changed, -2/+0

    perl -i -0pe 's/\s*Copyright © .... Zbigniew Jędrzejewski.*?\n/\n/gms' man/*xml
    git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/(#\n)?# +Copyright © [0-9, -]+ Zbigniew Jędrzejewski.*?\n//gms'
    git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s*\/\*\*\*\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*?\s*\*\*\*\/\s*/\n\n/gms'
    git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*//gms'
* tree-wide: beautify remaining copyright statements
  Lennart Poettering, 2018-06-14; 1 file changed, -1/+1

  Let's unify and beautify our remaining copyright statements, with a unicode ©. This means our copyright statements are now always formatted the same way. Yay.
* tree-wide: drop license boilerplate
  Zbigniew Jędrzejewski-Szmek, 2018-04-06; 1 file changed, -13/+0

  Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt.

  I also kept any copyright lines. We can probably remove them, but it'd be nice to obtain explicit acks from all involved authors before doing that.
* Hook up systemd-tmpfiles as user units
  Zbigniew Jędrzejewski-Szmek, 2017-12-06; 2 files changed, -0/+17

  An explicit --user switch is necessary because for the user@0.service instance systemd-tmpfiles is running as root, and we need to distinguish that from systemd-tmpfiles running in systemd-tmpfiles*.service.

  Fixes #2208.

  v2:
  - restore "systemd-" prefix
  - add systemd-tmpfiles-clean.{service,timer}, systemd-setup.service to systemd-tmpfiles(8)
* Rename "system-preset" source dir to "presets"
  Zbigniew Jędrzejewski-Szmek, 2017-12-06; 2 files changed, -0/+55

  I want to add presets/user/ later. This mirrors the layout for units: we have units/ and units/user. The advantage is that we avoid having yet another directory at the top level.