Fixes: #27260

acquire_encrypted_credential_directory()
Let's unify these very similar functions, and port them to the new
mount_credentials_fs() call.
While we are at it, if we detect that the credentials dir already is a
mount point, remount it writable so that we can actually write to it.

Let's add two new helpers: mount_credentials_fs() and
credentials_fs_mount_flags(). The former mounts a file system suitable
for storing of unencrypted credentials at runtime (i.e. a ramfs or
tmpfs). The latter determines the right mount flags to use for such a
mount.
Both functions mostly just take code from execute.c, but make two
changes:
1. If the kernel supports it we'll use a tmpfs with the new "noswap"
mount option instead of ramfs. Was added in kernel 6.4, hence is very
recent, but tmpfs is so much less crappy than ramfs, hence worth it.
2. We'll set MS_NOSYMFOLLOW on the mounts if supported. These file
systems should only contain regular files, hence no need to allow
symlinks.

Let's make things easier to debug: provide an overview of what has been
passed, during boot.

Let's hook up one more thing with credentials: the machine ID to use
when none is initialized yet.
This requires some reordering of initialization steps in PID 1: we need
to import credentials first, and only then initialize the machine ID.

Now that we have the infra in place, make PID 1 pick up encrypted
credentials too.
(While we are at it, split this out into its own helper)

This is just like read_credential() but also looks into the encrypted
credential directory, not just the regular one.
Normally, we decrypt credentials at the moment we pass them to services.
From service PoV all credentials are hence decrypted credentials.
However, when we want to access credentials in a generator this logic
does not apply: here we have the regular and the encrypted credentials
directory. So far we didn't attempt to make use of credentials in
generators hence.
Let's address that and add a helper that looks into both directories, and talks
to the TPM if necessary to decrypt the credentials.

credentials to host

When the credential dir is backed by an fs that supports ACLs we must be
more careful with adjusting the 'x' bit of the directory, as any chmod()
call on the dir will reset the mask entry of the ACL entirely which we
don't want. Hence, do a manual set of ACL changes, that only add/drop
the 'x' bit but otherwise leave the ACL as it is.
This matters if we use tmpfs rather than ramfs to store credentials.

repart: fix free area calculation

Like fdisk_get_last_lba(), fdisk_partition_get_end() returns the last
sector in the partition.
Fixes #28225.

The NEWS file was simply wrong. Let's also improve the --help text on
this.
Fixes: #28221

This log message is shown pretty regularly at boot in various scenarios
(such as CI builds), and it's not a reason for any concern, it's just the
immediate effect of explicit configuration. Hence let's downgrade from
LOG_NOTICE to LOG_INFO so that it is still usually in the boot output,
but not particularly highlighted, since there's really no reason to.

relax data assert in dhcp6_option_parse_string

dhcp6_option_parse_string is intended to clear strings with length 0,
for consistency. The data assert is too strict for this purpose, so we
will allow data || data_len == 0, similar to other dhcp6_option_parse*
helpers.
Fixes: fde788601be8 ("dhcp6-client: parse RFC8910 captive portal dhcp6 option")

pid1: enqueue auto-restart job for the unit itself as JOB_START and for depending units as JOB_RESTART

SERVICE_AUTO_RESTART_QUEUED
Follow-up for #28215
We can now correctly distinguish enqueued auto-restarts
from those that are still pending. Let's take advantage
of that.

This new job mode will enqueue a start job for a unit, and all units
depending on the unit will get a restart job enqueued. This is then used
for automatic service restarts: the unit itself is only started, the
depending units restarted. This way the unit will not go down
unnecessarily, triggering OnSuccess= needlessly.
This also introduces a new state SERVICE_AUTO_RESTART_QUEUED that is
entered once the restart jobs are enqueued. Previously we'd stay in
SERVICE_AUTO_RESTART, but that's problematic, since we'd lose
information whether we still need to enqueue the restart job during a
serialization/deserialization cycle or not. By having an explicit state
for this we know exactly whether we still need to enqueue the job or
not. It's also good since when we are in SERVICE_AUTO_RESTART_QUEUED we
want to act on unit_start(), but on SERVICE_AUTO_RESTART we want to wait
for the holdoff time to pass before we act on unit_start().
Fixes: #27722

ndisc: clear ndisc captive portal value on bogus zero-len option

This allows the correct, gracious, error handling to follow up in the
ndisc handler. Otherwise, an internal error is assumed and the interface
disabled.
Fixes: 9747955d2d60 ("ndisc: parse RFC8910 captive portal ipv6ra option")

This value was freed but erroneously never cleared, leading to
use-after-free.
Fixes: 9747955d2d60 ("ndisc: parse RFC8910 captive portal ipv6ra option")

When we request an address that already exists and is being removed,
we need to wait for the address to be removed. Otherwise, configuration
of a route whose preferred source is the address will fail.
Fixes #28009.
Replaces #28088.

Implement RFC8910: captive portal dhcp options

Accepts a boolean. When enabled retains captive portal configuration
advertised by the router.

Accepts a boolean. When enabled requests and retains captive portal
configuration from the DHCPv6 server.

Accepts a boolean. When enabled, UseCaptivePortal will request and
retain the captive portal configuration from the DHCP server.

A couple of Coverity-related fixes

Resolves:
- CID#1490777
- CID#1498366
- CID#1508639
- CID#1509084
- CID#1509086
- CID#1509087

Resolves: CID#1509244

As `v` gets overwritten by the following detect_vm_cpuid() call.
Resolves: CID#1509247

Unused since 788c2d9523.
Resolves: CID#1509248

In some places, "<n> bits" is used when more appropriate.

ukify: merge .sbat sections from stub and kernel

We are now merging .sbat sections from sd-stub and kernel image, so
measure it in PCR11.

If the kernel contains a .sbat section (they should start soon) then merge
it with the stub's so that revocations can apply to either component.
Fixes https://github.com/systemd/systemd/issues/27866