summaryrefslogtreecommitdiffstats
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add SPDX license identifiers to source files under the GPLZbigniew Jędrzejewski-Szmek2017-11-1934-0/+34
|
* Add SPDX license identifiers to source files under the LGPLZbigniew Jędrzejewski-Szmek2017-11-191138-2/+1140
| | | | | This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
* machined: support "machinectl bind" on non-directories (#7349)Lennart Poettering2017-11-191-24/+60
| | | Fixes: #7195
* Merge pull request #7365 from poettering/nspawn-bind-usernsZbigniew Jędrzejewski-Szmek2017-11-198-64/+167
|\ | | | | nspawn: document --bind= and --private-users relationship, and make recursive chown()ing safe
| * nspawn: make recursive chown()ing logic safe for being aborted in the middleLennart Poettering2017-11-174-63/+121
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We currently use the ownership of the top-level directory as a hint whether we need to descent into the whole tree to chown() it recursively or not. This is problematic with the previous chown()ing algorithm, as when descending into the tree we'd first chown() and then descend further down, which meant that the top-level directory would be chowned first, and an aborted recursive chowning would appear on the next invocation as successful, even though it was not. Let's reshuffle things a bit, to make the re-chown()ing safe regarding interruptions: a) We chown() the dir we are looking at last, and descent into all its children first. That way we know that if the top-level dir is properly owned everything inside of it is properly owned too. b) Before starting a chown()ing operation, we mark the top-level directory as owned by a special "busy" UID range, which we can use to recognize whether a tree was fully chowned: if it is marked as busy, it's definitely not fully chowned, as the busy ownership will only be fixed as final step of the chowning. Fixes: #6292
| * nspawn: add missing #pragma once to header fileLennart Poettering2017-11-171-0/+2
| |
| * fs-util: add access_fd() which is like access() but for fdsLennart Poettering2017-11-173-1/+44
| | | | | | | | | | | | Linux doesn't have faccess(), hence let's emulate it. Linux has access() and faccessat() but neither allows checking the access rights of an fd passed in directly.
* | core: be more defensive if we can't determine per-connection socket peer (#7329)Lennart Poettering2017-11-171-9/+6
| | | | | | | | | | | | | | | | Let's handle gracefully if a client disconnects very early on. This builds on #4120, but relaxes the condition checks further, since we getpeername() might already fail during ExecStartPre= and friends. Fixes: #7172
* | install: when we encounter a transient/generated unit while presetting all, ↵Lennart Poettering2017-11-171-0/+2
| | | | | | | | | | | | skip over it silently Fixes: #7100
* | main: uid_to_name() might theoretically fail, handle thatLennart Poettering2017-11-171-2/+2
| |
* | core: shorten main() a bit, split out coredump initializationLennart Poettering2017-11-171-11/+17
| | | | | | | | No functional changes.
* | main: let's make main() shorter, let's split out clock initializationLennart Poettering2017-11-171-40/+43
| | | | | | | | no functional changes
* | main: let's make main() shorter, let's split out invocation of shutdown binaryLennart Poettering2017-11-171-71/+83
| | | | | | | | No functional changes
* | core: let's shorten main() a bit, let's split out telinit redirection into a ↵Lennart Poettering2017-11-171-10/+18
| | | | | | | | separate function
* | main: add set_manager_settings(), similar in style to set_manager_defaults()Lennart Poettering2017-11-171-5/+13
| |
* | core: never apply first boot presets in the initrdLennart Poettering2017-11-172-15/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Presets are useful to initialize uninitialized /etc, but that doesn't apply to the initrd. Also, let's rename etc_empty → first_boot. After all, the variable doesn't actually reflect whether /etc is really empty, it just reflects whether /etc/machine-id existed originally or not. Moreover, we later on directly initialize manager_set_first_boot() from it, hence let's just name it the same way all through the codepath, to make this all less confusing. See: #7100
* | main: rename manager_set_defaults() → set_manager_defaults()Lennart Poettering2017-11-171-3/+3
|/ | | | | | This function is really not a method of the Manager object (implemented in manager.c), but just a helper in main.c. Hence let's not confusingly name it the way methods are called.
* test-cgroup-util: skip cg hierarchy tests when necessary (#7371)Zbigniew Jędrzejewski-Szmek2017-11-171-2/+7
|
* core/cgroup: assigning empty string to Delegate= resets list of controllers ↵Yu Watanabe2017-11-172-2/+11
| | | | | | | | | | | (#7336) Before this, assigning empty string to Delegate= makes no change to the controller list. This is inconsistent to the other options that take list of strings. After this, when empty string is assigned to Delegate=, the list of controllers is reset. Such behavior is consistent to other options and useful for drop-in configs. Closes #7334.
* Merge pull request #7357 from yuwata/7314-modLennart Poettering2017-11-171-6/+19
|\ | | | | mount: add "-G" as shortcut for "--property=CollectMode=inactive-or-failed"
| * mount: show which argument is invalidYu Watanabe2017-11-171-4/+4
| |
| * mount: add "-G" as shortcut for "--property=CollectMode=inactive-or-failed"Yu Watanabe2017-11-171-2/+15
| |
* | cgroup: assume the use of v1 when all the preceding checks fail (#7366)Evgeny Vereshchagin2017-11-171-10/+11
|/ | | | | | This patch restores the default that was changed in 2977724b09eb997fc8, making the tools depending on it work again. Closes: #6477 and https://github.com/lxc/lxc/issues/1669
* run: add "-G" as shortcut for "--property=CollectMode=inactive-or-failed"Lennart Poettering2017-11-161-2/+15
| | | | | | | | | This option is likely to be very useful for systemd-run invocations, hence let's add a shortcut for it. With this new concepts it's now very easy to put together systemd-run invocations that leave zero artifacts in the system, including when they fail.
* core: add a new unit file setting CollectMode= for tweaking the GC logicLennart Poettering2017-11-167-6/+73
| | | | | | | | | | | | | | | | | | | | | Right now, the option only takes one of two possible values "inactive" or "inactive-or-failed", the former being the default, and exposing same behaviour as the status quo ante. If set to "inactive-or-failed" units may be collected by the GC logic when in the "failed" state too. This logic should be a nicer alternative to using the "-" modifier for ExecStart= and friends, as the exit data is collected and logged about and only removed when the GC comes along. This should be useful in particular for per-connection socket-activated services, as well as "systemd-run" command lines that shall leave no artifacts in the system. I was thinking about whether to expose this as a boolean, but opted for an enum instead, as I have the suspicion other tweaks like this might be a added later on, in which case we extend this setting instead of having to add yet another one. Also, let's add some documentation for the GC logic.
* unit: rework a bit how we keep the service fdstore from being destroyed ↵Lennart Poettering2017-11-164-16/+25
| | | | | | | | | | | | | | | | | | | | | | during service restart When preparing for a restart we quickly go through the DEAD/INACTIVE service state before entering AUTO_RESTART. When doing this, we need to make sure we don't destroy the FD store. Previously this was done by checking the failure state of the unit, and keeping the FD store around when the unit failed, under the assumption that the restart logic will then get into action. This is not entirely correct howver, as there might be failure states that will no result in restarts. With this commit we slightly alter the logic: a ref counter for the fd store is added, that is increased right before we handle the restart logic, and decreased again right-after. This should ensure that the fdstore lives exactly as long as it needs. Follow-up for f0bfbfac43b7faa68ef1bb2ad659c191b9ec85d2.
* test-unit-file: add test for config_parse_log_extra_fields()Zbigniew Jędrzejewski-Szmek2017-11-161-0/+68
|
* core: implement /run/systemd/units/-based path for passing unit info from ↵Lennart Poettering2017-11-1627-87/+766
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | PID 1 to journald And let's make use of it to implement two new unit settings with it: 1. LogLevelMax= is a new per-unit setting that may be used to configure log priority filtering: set it to LogLevelMax=notice and only messages of level "notice" and lower (i.e. more important) will be processed, all others are dropped. 2. LogExtraFields= is a new per-unit setting for configuring per-unit journal fields, that are implicitly included in every log record generated by the unit's processes. It takes field/value pairs in the form of FOO=BAR. Also, related to this, one exisiting unit setting is ported to this new facility: 3. The invocation ID is now pulled from /run/systemd/units/ instead of cgroupfs xattrs. This substantially relaxes requirements of systemd on the kernel version and the privileges it runs with (specifically, cgroupfs xattrs are not available in containers, since they are stored in kernel memory, and hence are unsafe to permit to lesser privileged code). /run/systemd/units/ is a new directory, which contains a number of files and symlinks encoding the above information. PID 1 creates and manages these files, and journald reads them from there. Note that this is supposed to be a direct path between PID 1 and the journal only, due to the special runtime environment the journal runs in. Normally, today we shouldn't introduce new interfaces that (mis-)use a file system as IPC framework, and instead just an IPC system, but this is very hard to do between the journal and PID 1, as long as the IPC system is a subject PID 1 manages, and itself a client to the journal. This patch cleans up a couple of types used in journal code: specifically we switch to size_t for a couple of memory-sizing values, as size_t is the right choice for everything that is memory. Fixes: #4089 Fixes: #3041 Fixes: #4441
* journald: when logging about dropped messages, include more meta dataLennart Poettering2017-11-165-12/+15
| | | | | | | | | | | When we drop messages of a unit, we log about. Let's add some structured data to that. Let's include how many messages we dropped, but more importantly, let's link up the message we generate to the unit we dropped the messages from by using the "OBJECT" logic, i.e. by generating OBJECT_SYSTEMD_UNIT= fields and suchlike, that "journalctl -u" and friends already look for. Fixes: #6494
* journal: reindent field mapping tablesLennart Poettering2017-11-161-23/+23
| | | | Let's fix up whitespace so that the tables look nicely aligned.
* journal: make use of IOVEC_MAKE() where it makes senseLennart Poettering2017-11-162-13/+5
|
* journal: move valid_user_field() to journal-util.[ch] and rename it → ↵Lennart Poettering2017-11-163-37/+44
| | | | | | | journal_field_valid() Being able to validate journal field names is useful outside of the journal itself.
* Merge pull request #7356 from keszybz/cgroup-and-manager-cleanupsLennart Poettering2017-11-164-25/+64
|\ | | | | Cgroup and manager cleanups
| * core/manager: just return an error if we fail halfwayZbigniew Jędrzejewski-Szmek2017-11-151-16/+21
| | | | | | | | | | | | | | We would continue, but still return an error at the end. This isn't useful because we'd still error-out in main(). Also, add a missing error message when we fail to mkdir.
| * core: fix message about detected memory hierarchyZbigniew Jędrzejewski-Szmek2017-11-151-3/+3
| | | | | | | | Just the error check and message were wrong, otherwise the logic was OK.
| * test-cgroup-util: add basic test for ↵Zbigniew Jędrzejewski-Szmek2017-11-151-0/+27
| | | | | | | | cg_all_unified/cg_hybrid_unified/cg_unified_controller
| * util-lib: add debug messages when checking cgroup layoutZbigniew Jędrzejewski-Szmek2017-11-151-5/+12
| | | | | | | | This has become very complex, let's make it a bit easier to diagnose.
| * Use plural DelegateControllers= consistentlyZbigniew Jędrzejewski-Szmek2017-11-151-1/+1
| |
* | tmpfiles: when /etc is not fully initialized, some specifiers are expected ↵Franck Bui2017-11-161-41/+106
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | to be unresolvable (#6860) In chroot environments, /etc might not be fully initialized: /etc/machine-id can be missing for example. This makes the expansions of affected specifiers impossible at that time. These cases should not be considered as errors and such failures shouldn't be logged at an error level therefore this patch downgrades the level used to LOG_NOTICE in such cases. Also this is logged at LOG_NOTICE only the first time and then downgrade to LOG_DEBUG for the rest. That way, if debugging is enabled we get the full output, but otherwise we only see only one message. The expansion of specifiers is now self contained in a dedicated function instead of being spread all over the place.
* | systemctl: other wayland sessions should inhibit shutdown, like x11 sessions ↵Alan Jenkins2017-11-161-1/+1
| | | | | | | | | | | | | | do (#7353) Update systemctl code to match the manpage for sd_session_get_type(). "wayland" sessions should be treated the same as "x11". "mir" too, fwiw.
* | sd-dhcp6-client: Implement FQDN Option (#7309)Stefan Agner2017-11-167-2/+137
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement DHCPv6 option to exchange information about the Fully Qualified Domain Name (FQDN) according to RFC 4704. The RFC 4704 describes two models of operations in section 3, currently only the second model is supported (DHCPv6 server updates both the AAAA and the PTR RRs). The existing DHCP Section Options SendHostname and Hostname are sent as FQDN to the server. According to section 4.2 sending only parts of its FQDN is allowed. Fixes #4682.
* | sd-dhcp-client: validate hostnames stricter (#7308)Stefan Agner2017-11-162-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Technically DNS allows any ASCII character to be used in the domain name. Also the DHCP specification for the FQDN option (RFC 4702) does not put restriction on labels. However, hostnames do have stricter requirements and typically should only use characters from a-z (case insensitve), 0-9 and minus. Currently we require hostname/FQDN to be either a hostname or a valid DNS name. Since dns_name_is_valid() allows any ASCII characters this allows to specify hostnames which are typically not valid. Check hostname/FQDN more strictly and require them to pass both tests. Specifically this requires the entire FQDN to be below 63.
* | Merge pull request #6866 from sourcejedi/set-linger2Lennart Poettering2017-11-157-78/+101
|\ \ | | | | | | logind: fix `loginctl enable-linger`
| * | logind: fix SetLinger to authorize by client's effective User IDAlan Jenkins2017-11-141-14/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SetLinger is authorized by the PolicyKit action "set-self-linger", if it is not passed an explicit UID. According to comments we were determining the default UID from the client's session. However, user processes e.g. which are run from a terminal emulator do not necessarily belong to a session scope unit. They may equally be started from the systemd user manager [1][2]. Actually the comment was wrong, and it would also have worked for processes started from the systemd user manager. Nevertheless it seems to involve fetching "augmented credentials" i.e. it's using a racy method, so we shouldn't have been authenticating based on it. We could change the default UID, but that raises issues especially for consistency between the methods. Instead we can just use the clients effective UID for authorization. This commit also fixes `loginctl enable-linger $USER` to match the docs that say it was equivalent to `loginctl enable-linger` (given that $USER matches the callers user and owner_uid). Previously, the former would not have suceeded for unpriviliged users in the default configuration. [1] It seems the main meaning of per-session scopes is tracking the PAM login process. Killing that provokes logind to revoke device access. Less circularly, killing it provokes getty to hangup the TTY. [2] User units may be started with an environment which includes XDG_SESSION_ID (presuambly GNOME does this?). Or not.
| * | loginctl: enable-linger does not need fallback to XDG_SESSION_IDAlan Jenkins2017-11-141-3/+3
| | | | | | | | | | | | | | | | | | | | | To maintain consistency with `loginctl user-status`, drop the fallback to XDG_SESSION_ID for `loginctl enable-linger`. The fallback was unnecessary and also incorrect: it passed the numeric value of the session identifier as a UID value.
| * | logind: comment use of *_get_session()Alan Jenkins2017-11-142-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The manpages tell that such calls have quite limited meaning. logind has a few in the implementation of what remains of the session concept. At the same time, logind basically exposes sd_pid_get_session() as public API. This is absolutely required, to retain compatability e.g. with Xorg. But client code will work in more situations if it avoids assuming that it runs in a session itself. Its use inside the login session could be replaced with $XDG_SESSION_ID (which pam_systemd sets). I don't know whether it would be useful to change Xorg at this point or not. But if you were building something new, you would think about whether you want to support running it in a systemd service. Comment these logind API features, acknowledging the reason they exist is based in history. I.e. help readers avoid drawing implications from their existence which apply to history, but not the current general case. Finally, searching these revealed a call to sd_pid_get_session() in implementing some types of logind inhibitors. So these inhibitors don't work as intended when taken from inside a systemd user service :(. Comment this as well, deferring it as ticket #6852.
| * | logind: more specific error message for unknown usersAlan Jenkins2017-11-141-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If you try to run `loginctl user-status` on a non-logged in user to see whether "Linger" is enabled, it doesn't work. If you're already an expert in logind, the fact that the user is considered unknown actually tells you the user is not lingering. So, probably they they do not have lingering enabled. I think we can point towards this without being misleading. I also reword it because I thought it was slightly confusing to run `loginctl user-status root` and get an error back about "User 0". Try to be more specific, that it is "User ID 0".
| * | logind: "self" objects which do not apply - return specific error messagesAlan Jenkins2017-11-143-33/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It's confusing that the bus API has aliases like "session/self" that return an error based on ENXIO, when it also has methods that return e.g. NO_SESSION_FOR_PID for the same problem. The latter kind of error includes more specifically helpful messages. "user/self" is the odd one out; it returns a generic UnknownObject error when it is not applicable to the caller. It's not clear whether this was intentional, but at first I thought it was more correct. More specifically, user_object_find() was returning 0 for "user/self", in the same situations (more or less) where user_node_enumerator() was omitting "user/self". I thought that was a good idea, because returning e.g. -ENXIO instead suggested that there _is_ something specific on that path. And it could be confused with errors of the method being called. Therefore I suggested changing the enumerator, always admitting that there is a handler for the path "foo/self", but returning a specific error when queried. However this interacts poorly with tools like D-Feet or `busctl`. In either tool, looking at logind would show an error message, and then go on to omit "user/self" in the normal listing. These tools are very useful, so we don't want to interfere with them. I think we can change the error codes without causing problems. The self objects were not listed in the documentation. They have been suggested to other projects - but without reference to error reporting. "seat/self" is used by various Wayland compositors for VT switching, but they don't appear to reference specific errors. We _could_ insist on the link between enumeration and UnknownObject, and standardize on that as the error for the aliases. But I'm not aware of any practical complaints, that we returned an error from an object that didn't exist. Instead, let's unify the codepaths for "user/self" vs GetUserByPid(0) etc. We will return the most helpful error message we can think of, if the object does not exist. E.g. for "session/self", we might return an error that the caller does not belong to a session. If one of the compositors is ever simplified to use "session/self" in initialization, users would be able to trigger such errors (e.g. run `gnome-shell` inside gnome-terminal). The message text will most likely be logged. The user might not know what the "session" is, but at least we'll be pointing towards the right questions. I think it should also be clearer for development / debugging. Unifying the code paths is also slightly helpful for auditing / marking calls to sd_bus_creds_get_session() in subsequent commits.
| * | logind: remove an obscure dbus error from GetSessionByPID(0) and friendsAlan Jenkins2017-11-141-26/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | GetSessionByPID(0) can fail with NO_SESSION_FOR_PID. More obscurely, if the session is abandoned, it can return NO_SUCH_SESSION. It is not clear that the latter was intended. The message associated with the former, hints that this was overlooked. We don't have a document enumerating the errors. Any specific error-handling in client code, e.g. translated messages, would also be liable to overlook the more obscure error code. I can't see any equivalent condition for GetUserByPID(0). On the other hand, the code did not return NO_USER_FOR_PID where it probably should. The relevant code is right next to that for GetSessionByPID(0), so it will be simpler to understand if both follow the same pattern.
| * | nspawn: comment to acknowledge lying about "user session"Alan Jenkins2017-10-181-0/+2
| | |