summaryrefslogtreecommitdiffstats
path: root/src/nspawn (follow)
Commit message (Collapse)AuthorAgeFilesLines
* pid1, nspawn: voidify loopback_setup()Yu Watanabe2020-03-041-1/+1
|
* tree-wide: fix spelling of lookup and setup verbsZbigniew Jędrzejewski-Szmek2020-03-031-1/+1
| | | | "set up" and "look up" are the verbs, "setup" and "lookup" are the nouns.
* nspawn: voidify umount_verbose()Yu Watanabe2020-01-311-1/+1
| | | | Fixes CID#1415122.
* nspawn: fsck all images when mounting thingsLennart Poettering2020-01-291-4/+8
| | | | | Also, start logging about mount errors, things are hard to debug otherwise.
* Merge pull request #14390 from poettering/gpt-var-tmpZbigniew Jędrzejewski-Szmek2020-01-141-2/+2
|\ | | | | introduce GPT partition types for /var and /var/tmp and support them for auto-discovery
| * docs: import discoverable partitions specLennart Poettering2019-12-231-1/+1
| | | | | | | | | | | | | | | | This was previously available here: https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ Let's pull it into our repository.
| * dissect: introduce new recognizable partition types for /var and /var/tmpLennart Poettering2019-12-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This has been requested many times before. Let's add it finally. GPT auto-discovery for /var is a bit more complex than for other partition types: the other partitions can to some degree be shared between multiple OS installations on the same disk (think: swap, /home, /srv). However, /var is inherently something bound to an installation, i.e. specific to its identity, or actually *is* its identity, and hence something that cannot be shared. To deal with this this new code is particularly careful when it comes to /var: it will not mount things blindly, but insist that the UUID of the partition matches a hashed version of the machine-id of the installation, so that each installation has a very specific /var associated with it, and would never use any other. (We actually use HMAC-SHA256 on the GPT partition type for /var, keyed by the machine-id, since machine-id is something we want to keep somewhat private). Setting the right UUID for installations takes extra care. To make things a bit simpler to set up, we avoid this safety check for nspawn and RootImage= in unit files, under the assumption that such container and service images unlikely will have multiple installations on them. The check is hence only required when booting full machines, i.e. in in systemd-gpt-auto-generator. To help with putting together images for full machines, PR #14368 introduces a repartition tool that can automatically fill in correctly calculated UUIDs on first boot if images have the var partition UUID initialized to all zeroes. With that in place systems can be put together in a way that on first boot the machine ID is determined and the partition table automatically adjusted to have the /var partition with the right UUID.
* | Merge pull request #14381 from keszybz/ifindex-cleanupLennart Poettering2020-01-131-18/+10
|\ \ | | | | | | Resolve alternative names
| * | Resolve alternative ifnames wherever we would resolve an interface nameZbigniew Jędrzejewski-Szmek2020-01-121-16/+8
| | | | | | | | | | | | To keep the names manageable, "ifname_or_ifindex" is replaced by "interface".
| * | tree-wide: make parse_ifindex simply return the indexZbigniew Jędrzejewski-Szmek2020-01-111-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | We don't need a seperate output parameter that is of type int. glibc() says that the type is "unsigned", but the kernel thinks it's "int". And the "alternative names" interface also uses ints. So let's standarize on ints, since it's clearly not realisitic to have interface numbers in the upper half of unsigned int range.
* | | nspawn: Correct "container" to "host" MAC setting messagerhn2020-01-111-1/+1
|/ /
* | nspawn: set original ifname as alternative if it is truncatedYu Watanabe2020-01-071-10/+55
| |
* | nspawn: Make a custom mount on root imply --read-only.Daan De Meyer2020-01-031-0/+3
| |
* | nspawn: Don't mount read-only if we have a custom mount on root.Daan De Meyer2020-01-033-1/+16
| |
* | Merge pull request #14401 from DaanDeMeyer/nspawn-move-veth-back-to-hostLennart Poettering2020-01-033-30/+92
|\ \ | | | | | | nspawn: move virtual interfaces added with --network-interface back to the host
| * | nspawn: Move --network-interface interfaces back to the host.Daan De Meyer2020-01-023-10/+48
| | |
| * | nspawn-network: Split off udev checking from parse_interface.Daan De Meyer2019-12-233-20/+44
| |/
* / nspawn: Generate unique short veth namesKai Krakow2020-01-021-10/+57
|/ | | | | | | | This commit lowers the chance of having veth name conflicts for machines created with similar names. Replaces: #12865 Fixes: #13417
* core: create inaccessible nodes for users when making runtime dirsAnita Zhang2019-12-182-4/+8
| | | | | | To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
* Merge pull request #14208 from poettering/json-homed-prepareYu Watanabe2019-12-171-15/+4
|\ | | | | json bits from homed PR
| * nspawn-oci: use new json_variant_strv() helperLennart Poettering2019-12-021-14/+3
| |
| * json: add flags parameter to json_parse_file(), for parsing "sensitive" dataLennart Poettering2019-12-021-1/+1
| | | | | | | | | | | | | | This will call json_variant_sensitive() internally while parsing for each allocated sub-variant. This is better than calling it a posteriori at the end, because partially parsed variants will always be properly erased from memory this way.
* | nspawn: fix overlay with automatic temporary treeLennart Poettering2019-12-131-17/+41
| | | | | | | | | | | | | | This makes --overlay=+/foobar::/foobar work again, i.e. where the middle parameter is left out. According to the documentation this is supposed to generate a temporary writable work place in the midle. But it apparently never did. Weird.
* | Merge pull request #14269 from DaanDeMeyer/enable-mounts-on-rootLennart Poettering2019-12-133-61/+58
|\ \ | | | | | | nspawn: Enable specifying root as the mount target directory.
| * | nspawn-mount: Use FLAGS_SET to check flags.Daan De Meyer2019-12-121-14/+14
| | |
| * | nspawn: Only bind-mount directory when necessary.Daan De Meyer2019-12-121-7/+7
| | |
| * | nspawn-mount: Remove unused parametersDaan De Meyer2019-12-123-33/+12
| | |
| * | nspawn: Enable specifying root as the mount target directory.Daan De Meyer2019-12-123-13/+31
| | | | | | | | | | | | Fixes #3847.
* | | nspawn: allow combination of private-network and network-namespace-pathShengjing Zhu2019-12-121-3/+3
| | | | | | | | | | | | Fixes: #14289
* | | tree-wide: use SD_ID128_STRING_MAX where appropriateLennart Poettering2019-12-101-1/+1
| | |
* | | id128: introduce ID128_UUID_STRING_MAX for sizing UUID buffersLennart Poettering2019-12-101-1/+1
|/ /
* | Merge pull request #14229 from yuwata/nspawn-network-interface-14223Yu Watanabe2019-12-051-11/+21
|\ \ | | | | | | nspawn: do not fail if udev is not running
| * | nspawn: do not fail if udev is not runningYu Watanabe2019-12-051-11/+21
| |/ | | | | | | | | | | | | | | | | If /sys is read only filesystem, e.g., nspawn is running in container, then usually udev is not running. In such a case, let's assume that the interface is already initialized. Also, this makes nspawn refuse to use the network interface which is under renaming. Fixes #14223.
* / loop-util: accept loopback flags when creating loopback deviceLennart Poettering2019-12-021-1/+1
|/ | | | This way callers can choose if they want partition scanning or not.
* nspawn: allow Capability=all in systemd.nspawn [EXEC] sectionafg2019-11-291-6/+10
| | | | | Just like --capability=all is allowed in the systemd-nspawn command line.
* nspawn: highlight description string in --help textLennart Poettering2019-11-281-2/+4
| | | | We do so in most tools now, do so here, too.
* nspawn: log syscalls we cannot add at debug levelZbigniew Jędrzejewski-Szmek2019-11-221-4/+3
| | | | | | | Without out at least a debug log line it is hard to figure out when something goes wrong. Reduce scope of a variable while at it.
* nspawn: dump capability list with --capabilities=helpZbigniew Jędrzejewski-Szmek2019-11-221-28/+48
|
* nspawn: Allow Capability= to overrule private network settingTorsten Hilbrich2019-11-151-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | The commit: a3fc6b55ac nspawn: mask out CAP_NET_ADMIN again if settings file turns off private networking turned off the CAP_NET_ADMIN capability whenever no private networking feature was enabled. This broke configurations where the CAP_NET_ADMIN capability was explicitly requested in the configuration. Changing the order of evalution here to allow the Capability= setting to overrule this implicit setting: Order of evaluation: 1. if no private network setting is enabled, CAP_NET_ADMIN is removed 2. if a private network setting is enabled, CAP_NET_ADMIN is added 3. the settings of Capability= are added 4. the settings of DropCapability= are removed This allows the fix for #11755 to be retained and to still allow the admin to specify CAP_NET_ADMIN as additional capability. Fixes: a3fc6b55acd3f37e50915304d87bed100efa9d9d Fixes: #13995
* nspawn: do not emit any warning when $UNIFIED_CGROUP_HIERARCHY is usedZbigniew Jędrzejewski-Szmek2019-11-131-6/+1
| | | | | | | | | | | | Initially I thought this is a good idea, but when reviewing a different PR (https://github.com/systemd/systemd/pull/13862#discussion_r340604313) I changed my mind about this. At some point we probably should start warning about the old option name, and yet later remove it. But it'll make it easier for people to transition to the new option name if there's a period of support for both names without any fuss. There's nothing particularly wrong about the old name, and there is no support cost. Fixes #13919 (by avoiding the issue completely).
* Add @pkey syscall groupZbigniew Jędrzejewski-Szmek2019-11-081-3/+1
| | | | | | Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1769299. This change doesn't solve the issue, but makes it easier to whitelist the syscall group.
* tree-wide: drop stdio.h when stdio-util.h is includedYu Watanabe2019-11-031-1/+0
|
* tree-wide: drop signal.h when signal-util.h is includedYu Watanabe2019-11-031-1/+0
|
* tree-wide: drop magic.h when missing_magic.h is includedYu Watanabe2019-11-031-1/+0
|
* tree-wide: drop stat.h or statfs.h when stat-util.h is includedYu Watanabe2019-11-031-1/+0
|
* tree-wide: drop blkid.h when blkid-util.h is includedYu Watanabe2019-11-031-1/+0
|
* tree-wide: drop acl.h when acl-util.h is includedYu Watanabe2019-11-031-3/+0
|
* tree-wide: drop pwd.h and grp.h when user-util.h is includedYu Watanabe2019-11-032-3/+0
|
* tree-wide: drop sched.h when missing_sched.h is includedYu Watanabe2019-11-031-1/+0
|
* tree-wide: drop string.h when string-util.h or friends are includedYu Watanabe2019-11-031-1/+0
|
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-29 23:38:23 +0100