Commit message
Pahole optimization for resolved's DnsQuery
yuwata/network-dhcp-server-introduce-server-address
network: dhcp-server: introduce ServerAddress= setting
The naming of variables is very inconsistent. I tried to use more
modern style naming (UNDERSCORED_TITLE_CASE), but I didn't change existing
names too much. Only SYSTEM_DATA_UNIT_PATH is renamed to SYSTEM_DATA_UNIT_DIR
to match SYSTEM_CONFIG_UNIT_DIR.
Adds a crypttab option 'silent' that enables the AskPasswordFlag
ASK_PASSWORD_SILENT. This allows usage of systemd-cryptsetup to default
to silent mode, rather than requiring the user to press tab every time.
And make net_match_config() propagate the error.
various follow-ups to socket-bind logic
In most of our codebase when we referenced "ipv4" and "ipv6" on the
right-hand-side of an assignment, we lowercase it (on the
left-hand-side we used CamelCase, and thus "IPv4" and "IPv6"). In
particular all across the networkd codebase the various "per-protocol
booleans" use the lower-case spelling. Hence, let's use lower-case for
SocketBindAllow=/SocketBindDeny= too, just to make sure things feel like
they belong together better.
(This work is not included in any released version, hence let's fix this
now, before any fixes in this area would be API breakage)
Follow-up for #17655
varlink ref fix
This reverts commit 39ad3f1c092b5dffcbb4b1d12eb9ca407f010a3c.
We usually call specifier_printf() and then check the validity of
the result. In many cases, validity checkers, e.g. path_is_valid(),
refuse too long strings. This makes specifier_printf() refuse such
long results earlier.
Moreover, unit_full_string() and description field in sysuser now
refuse results longer than LONG_LINE_MAX. config_parse() already
refuses lines longer than LONG_LINE_MAX. Hence, it should be ok
to set the same value as the maximum length of the resolved string.
Let's initialize this at the same place for any iterator allocated. (Yes
not all types of iterator objects need this, but it's still nice to
share this trivial code at one place).
Clearly communicate to callers that we didn't find a single varlink
service, when a lookup is attempted. Note that the fallbacks to NSS,
drop-ins and synthesis might eat up this error again, but we should
really make this case reasonably recognizable, in particular as our
various tools already handle this condition correctly and print a nice
message then.
Let's explicitly support looking things up via dropin as a varlink
service.
network, timesync, resolve: check bus is ready before emitting property change or signal
Follow-up for 54e6f97bc9931679aa9b895546621b15e0f464a4.
cryptsetup: add 'headless' parameter to skip password/pin query, allow pin-less enroll on FIDO2, support user presence/verification flags
Newer libfido versions added this error, so check for it since it
can help the user with a more specific message
Some tokens support authorization via fingerprint or other biometric
ID. Add support for "user verification" to cryptenroll and cryptsetup.
Disable by default, as it is still quite uncommon.
In some cases user presence might not be required to get _a_
secret out of a FIDO2 device, but it might be required to
get the actual secret that was used to lock the volume.
Record whether we used it in the LUKS header JSON metadata.
Let the cryptenroll user ask for the feature, but bail out if it is
required by the token and the user disabled it.
Enabled by default.
Closes: https://github.com/systemd/systemd/issues/19246
Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
On headless setups, in case other methods fail, asking for a password/pin
is not useful as there are no users on the terminal, and generates
unwanted noise. Add a parameter to /etc/crypttab to skip it.
nspawn: add support for kernel 5.12 ID mapping mounts
This makes use of the new kernel 5.12 APIs to add an idmap to a mount
point. It does so by cloning the mountpoint, changing it, and then
unmounting the old mountpoint, replacing it later with the new one.
So far we basically had two ways to iterate through NSS records: one via
the varlink IPC and one via the userdb.[ch] infra, with slightly
different implementations.
Let's clean this up, and always use userdb.[ch] also when resolving via
userdbd. The different codepaths for the NameServiceSwitch and the
Multiplexer varlink service now differ only in the different flags
passed to the userdb lookup.
Behaviour shouldn't change by this. This is mostly refactoring, reducing
redundant codepaths.
This is useful to later-on use the userdb infra for only some sources.
Let's use "exclude" for flags that really exclude records from our
lookup. Let's use "avoid" referring to concepts that when flag is set
we'll not use but we have a fallback path for that should yield the same
result. Let's use "suppress" for suppressing partial info, even if we
return the record otherwise.
So far we used "avoid" for all these cases, which was confusing.
While we are at it, let's reassign the bits a bit, leaving some space
for bits follow-up commits are going to add.
Escape command lines properly
I want to tweak behaviour further, and that'll be easier when "style"
is converted to a bitfield.
Some callers used ESCAPE_BACKSLASH_ONELINE, and others not. But the
ones that didn't, simply didn't care, because the argument was assumed to
be one-line anyway (e.g. a service name). In environment-generator, this
could make a difference. But I think it's better to escape the newlines
there too. So newlines are now always escaped, to simplify the code and
the test matrix.
introduce a new synthetic hostname "_outbound" that maps to "the" local IP address
This adds a small helper, similar in style to local_addresses() and
local_gateways() that determines the local "outbound" addresses.
What's an "outbound" address supposed to be? The local IP addresses that
are the most likely used for outbound communication. It's determined
by using connect() towards the default gws on a UDP socket, and then
reading the address of the socket this caused it to be bound to.
This is not the "public" or "external" IP address of the local system,
and is not supposed to be. It's just the local IP addresses that are
likely the ones going to be used by the local IP stack for
communication with other hosts.
optionally, grow file systems to partition size when mounting them via GPT auto-discovery
partition flag is set
created partitions
And set it to on by default, except if partition is marked read-only.
The new GPT partition flag the previous commits added is now honoured on
mount.
systemd-repart can grow partitions dynamically at boot, but it won't
grow the file systems inside them. In /etc/fstab you can request that
via x-systemd.growfs. So far we didn't have a nice scheme for images
with GPT auto-discovery however, and that meant in particular in tools
such as systemd-nspawn the file systems couldn't be grown automatically.
Let's address this: let's define a new GPT partition flag that can be
set for our partition types. If set it indicates that the file system
should be grown to the partition size on mount.
This commit adds the flag and adds code to discover it when dissecting
images. There's no code yet to actually do something about it.