path: root/units
Commit message [Author, Age, Files, Lines]
...
* Merge pull request #29721 from poettering/systemd-project [Zbigniew Jędrzejewski-Szmek, 2024-03-26, 5, -0/+64]
|\
| |     New capsule@.service feature
| * units: add systemd-capsule@.service [Lennart Poettering, 2024-03-14, 5, -0/+64]
| |
* | units: add one more equivalency of '-' in '_' on kernel cmdline [Zbigniew Jędrzejewski-Szmek, 2024-03-19, 1, -0/+1]
| |     c0aeff4b999318d4da48328fff0ea93c8c457ace added this in one unit file, but the same problem occurs here. (There are no other files where this would apply.) I think we should solve this systematically somehow, but it's not clear how to do that, so until we have that better solution, let's apply the manual solution so that our units work as expected.
* | unit/network: use ProtectSystem=strict again [Yu Watanabe, 2024-03-19, 1, -2/+1]
| |     Now, networkd accesses the state directory through the file descriptor passed from systemd-networkd-persistent-storage.service. Hence, the networkd itself does not need to access the state directory through its path, and we can use a stronger mode for ProtectSystem=.
* | tpm2-setup: Add --graceful [Daan De Meyer, 2024-03-17, 2, -2/+2]
| |     Currently the associated units fail if full tpm support is not available on the system. Similar to systemd-pcrextend, let's add a --graceful option that exits gracefully if no full TPM support is detected and use it in both units.
* | units: Accept modules_load and rd.modules_load in systemd-modules-load.service [Daan De Meyer, 2024-03-17, 1, -0/+2]
| |     The service will use either, so let's make sure either of them starts the service as well.
* | units: use relative path [Yu Watanabe, 2024-03-15, 5, -6/+6]
| |
* | Merge pull request #31777 from keszybz/unit-retitling-and-comments [Zbigniew Jędrzejewski-Szmek, 2024-03-15, 29, -29/+29]
|\ \
| | |     Unit retitling and comments
| * | units: retitle systemd-bootctl*.{service,socket} [Zbigniew Jędrzejewski-Szmek, 2024-03-14, 2, -2/+2]
| | |     "Starting Boot Control…" would be a fairly confusing message in the boot logs. Use "… Service" to mirror what we have in other services like systemd-{hostnamed,timedated,portabled,machined,…}.service.
| * | units: drop "(Varlink)" [Zbigniew Jędrzejewski-Szmek, 2024-03-14, 11, -11/+11]
| | |     We generally don't specify the protocol implementation in unit descriptions.
| | |
| | |     For journald, we have:
| | |     $ git grep Description 'units/*journald*'
| | |     units/systemd-journald-audit.socket:Description=Journal Audit Socket
| | |     units/systemd-journald-dev-log.socket:Description=Journal Socket (/dev/log)
| | |     units/systemd-journald-varlink@.socket:Description=Journal Varlink Socket for Namespace %i
| | |     units/systemd-journald.service.in:Description=Journal Service
| | |     units/systemd-journald.socket:Description=Journal Sockets
| | |     units/systemd-journald@.service.in:Description=Journal Service for Namespace %i
| | |     units/systemd-journald@.socket:Description=Journal Sockets for Namespace %i
| | |     so we need to keep "Varlink" in the name. But also use "Sockets" (plural) for the "main" socket unit, since it opens multiple sockets.
| * | units/systemd-machine-id-commit: retitle [Zbigniew Jędrzejewski-Szmek, 2024-03-14, 1, -1/+1]
| | |     Our docs say that the Description should be capitalized. Also, change "commit" to "save" to make this more accessible.
| * | units: retitle systemd-pcrextend.{service,socket}, change TPM2→TPM [Zbigniew Jędrzejewski-Szmek, 2024-03-14, 19, -19/+19]
| |/
| |     I was looking at the logs in some bug and saw this:
| |
| |     Mar 13 15:55:12 fedora systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
| |     Mar 13 15:55:12 fedora systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...
| |     Mar 13 15:55:12 fedora systemd[1]: systemd-tpm2-setup-early.service - TPM2 SRK Setup (Early) was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
| |
| |     This is overly technical, for most units we don't provide this level of detail about the implementation. So retitle the units to be more accessible.
| |
| |     Also, the fact that it's a v. 2 of the TPM is not that important. We don't support TPM 1.2, but computers without TPM v2 are getting rare. For other units we don't advertise the version of hardware, and let's not do this here, to reduce some complexity.
* | ssh-generator: introduce ssh-access.target [Lennart Poettering, 2024-03-14, 2, -0/+13]
| |     This new passive target is supposed to be pulled in by SSH implementations and should be reached when remote SSH access is possible. The idea is that this target can be used as an indicator for other components to determine if and when SSH access is possible.
| |
| |     One specific use case for this is the new sd_notify() logic in PID 1 that sends its own supervisor notifications whenever target units are reached. This can be used to precisely schedule SSH connections from host to VM/container, or just to identify systems where SSH is even available.
* | units: make systemd-journald@.socket installable [Mike Yuan, 2024-03-14, 1, -0/+3]
|/
* units: Bump various oneshot unit timeouts to 90s [Daan De Meyer, 2024-03-13, 2, -2/+2]
|     In mkosi, we've been having CI failures caused by systemd-machine-id-commit.service timing out. Let's bump the timeout for it and systemd-rfkill.service to 90s which we also use for other oneshot services to avoid transient failures on slower systems.
* unit: do not trigger automount for /boot and/or /efi [Yu Watanabe, 2024-03-13, 1, -0/+1]
|     ProtectSystem=full remounts /boot and/or /efi read-only, but that may trigger automount for the paths and delay the service being started.
|     ===
|     systemd[1]: boot.automount: Got automount request for /boot, triggered by 720 ((networkd))
|     ===
|     The service does not need to access the paths, so let's hide them.
|
|     Follow-up for f90eb086270f0aea8efcbff5a5e4c338d178cfd4.
|
|     Fixes #31742.
* unit: sort option [Yu Watanabe, 2024-03-13, 1, -1/+1]
|
* networkctl: introduce "persistent-storage" command [Yu Watanabe, 2024-03-11, 3, -1/+32]
|     Then, this introduces systemd-networkd-persistent-storage.service.
|
|     systemd-networkd.service is an early starting service. So, at the time it is started, the persistent storage for the service may not be ready, and we cannot use StateDirectory=systemd/network in systemd-networkd.service.
|
|     The newly added systemd-networkd-persistent-storage.service creates the state directory for networkd, and notifies systemd-networkd that the directory is usable.
* network/varlink: introduce io.systemd.Network.SetPersistentStorage method [Yu Watanabe, 2024-03-11, 1, -1/+1]
|     And make the networkd use state directory. Currently, the state directory and the method are not used, but will be used later.
* units: make quota services bind to corresponding mount units [Mike Yuan, 2024-03-10, 2, -2/+3]
|     Follow-up for a628d933cc67cc8b183dc809ba1451aa5b2996e5
|
|     systemd-growfs@.service does the same.
* units: make templates for quotaon and systemd-quotacheck service [Thomas Blume, 2024-03-09, 6, -9/+69]
|
* tree-wide: use "_" rather than "-" as separator in kernel cmdline options [Lennart Poettering, 2024-02-28, 1, -1/+1]
|     Most of our kernel cmdline options use underscores as word separators in kernel cmdline options, but there were some exceptions. Let's fix those, and also use underscores.
|
|     Since our /proc/cmdline parsers don't distinguish between the two characters anyway this should not break anything, but makes sure our own codebase (and in particular docs and log messages) are internally consistent.
* homed: Create & advertise blob directory [Adrian Vovk, 2024-02-19, 1, -0/+1]
|     This ensures that a user-specific blob directory exists in /var/cache/systemd/homed for as long as the user exists, and gets deleted if the user gets deleted.
|
|     It also advertises this blob directory via the user record, so that clients can find and use it.
* Merge pull request #31218 from CodethinkLabs/vmspawn/journal_forwarding [Luca Boccassi, 2024-02-16, 1, -1/+2]
|\
| |     vmspawn: support journal forwarding
| * journald: implement socket forwarding [Sam Leonard, 2024-02-15, 1, -1/+2]
| |     This commit adds a new way of forwarding journal messages - forwarding over a socket.
| |
| |     The socket can be any of AF_INET, AF_INET6, AF_UNIX or AF_VSOCK.
| |
| |     The address to connect to is retrieved from the "journald.forward_address" credential. It can also be specified in systemd-journald's unit file with ForwardAddress=
* | logind-user: track user started/stopping state through user-runtime-dir@.service [Mike Yuan, 2024-02-15, 2, -2/+1]
|/
|     Before #30884, the user state is tied to user@.service (user service manager). However, #30884 introduced sessions that need no manager, and we can no longer rely on that.
|
|     Consider the following situation:
|
|     1. A 'background-light' session '1' is created (i.e. no user service manager is needed)
|     2. Session '1' scope unit pulls in user-runtime-dir@.service
|     3. Session '1' exits. A stop job is enqueued for user-runtime-dir@.service due to StopWhenUnneeded=yes
|     4. At the same time, another session '2' which requires user manager is started. However, session scope units have JobMode=fail, therefore the start job for user-runtime-dir@.service that was pulled in by session '2' scope job is deleted as it conflicts with the stop job.
|
|     We want session scope units to continue using JobMode=fail, but we still need the dependencies to be started correctly, i.e. explicitly requested by logind beforehand. Therefore, let's stop using StopWhenUnneeded=yes for user-runtime-dir@.service, and track users' `started` and `stopping` state based on that when user@.service is not needed. Then, for every invocation of user_start(), we'll recheck if we need the service manager and start it if so.
|
|     Also, the dependency type on user-runtime-dir@.service from user@.service is upgraded to `BindsTo=`, in order to ensure that when logind stops the former, the latter is stopped as well.
* bootctl: add a Varlink interface [Lennart Poettering, 2024-02-14, 3, -0/+50]
|     For now, just super basic functionality: return the list of boot menu entries, and read/write the reboot to firmware flag
* vmspawn: add template unit to start systemd-vmspawn -M [Sam Leonard, 2024-02-13, 2, -0/+38]
|
* Merge pull request #31233 from poettering/pcrlock-varlink [Lennart Poettering, 2024-02-12, 3, -0/+55]
|\
| |     pcrlock: add simple Varlink API + some varlinkctl tweaks
| * pcrlock: add basic Varlink interface [Lennart Poettering, 2024-02-12, 3, -0/+55]
| |     This can be used to make or delete a PCR policy via Varlink. It can also be used to query the current event log in CEL format.
* | units: enable MaxConnectionsPerSocket= for all our Accept=yes units [Lennart Poettering, 2024-02-12, 4, -0/+4]
|/
|     Let's make sure that users cannot DoS services for other users so easily, and enable MaxConnectionsPerSocket= by default for all of them.
|
|     Note that this is mostly paranoia for systemd-pcrextend.socket and systemd-sysext.socket: the socket is only accessible to root anyway, hence the accounting shouldn't change anything. But this is just a safety net, in preparation that we open up some functionality of these services sooner or later.
* units: drop userdbd from homed's Also= [Zbigniew Jędrzejewski-Szmek, 2024-02-06, 1, -1/+1]
|     Also= lists units which should be enabled/disabled together with the first unit. But userdbd is independent of homed, we shouldn't e.g. disable it even if homed is disabled.
* units: Order pcrlock services after systemd-remounts-fs.service [Daan De Meyer, 2024-01-26, 7, -2/+7]
|     These write to /var and as such need to wait until after the rootfs has been remounted read-write.
* unit: systemd-creds.socket is statically enabled, hence drop [Install] [Lennart Poettering, 2024-01-23, 1, -3/+0]
|     This is statically enabled, hence needs no [Install] section.
* units: update Description= for systemd-sleep units [Mike Yuan, 2024-01-14, 3, -3/+3]
|
* Revert "initrd-parse-etc: override argv[0] to avoid dracut issue" [Antonio Alvarez Feijoo, 2024-01-11, 1, -3/+1]
|     This reverts commit db5276215ae496074c163fca4014baf1bcd05984.
|
|     dracut is patched since https://github.com/dracutdevs/dracut/commit/23684e4a, and this commit is included in the latest dracut-059 release.
* localed: modernization [Mike Yuan, 2024-01-09, 1, -0/+1]
|
* hostnamed: use Type=notify [Mike Yuan, 2024-01-09, 1, -0/+1]
|
* importd: use Type=notify [Mike Yuan, 2024-01-09, 1, -0/+1]
|
* timedated: modernization [Mike Yuan, 2024-01-09, 1, -0/+1]
|     Switch to sd_event_set_signal_exit() and use Type=notify
* Merge pull request #30833 from poettering/hostnamed-varlink [Lennart Poettering, 2024-01-09, 2, -0/+24]
|\
| |     hostnamed: add simple varlink interface
| * hostnamed: add simple Varlink API, too [Lennart Poettering, 2024-01-09, 2, -0/+24]
| |
* | networkd/wireguard: support network.wireguard.* credentials [Mike Yuan, 2024-01-09, 1, -0/+1]
|/
|     Closes #26702
* Merge pull request #30827 from poettering/network-generator-creds [Lennart Poettering, 2024-01-08, 1, -0/+3]
|\
| |     network-generator: pick up .netdev/.link/.network configuration via c…
| * network-generator: pick up .netdev/.link/.network configuration via credentials [Lennart Poettering, 2024-01-08, 1, -0/+3]
| |     To me this is the last major basic functionality that couldn't be configured via credentials: the network.
| |
| |     We do not invent any new format for this, but simply copy relevant creds 1:1 into /run/systemd/network/ to open up the full functionality of networkd to VM hosts.
* | hostnamed: expose local AF_VSOCK CID among other host info [Lennart Poettering, 2024-01-08, 1, -1/+1]
|/
|     This is a host identifier of major relevance, since it is how you connect to this system if it is a VM, hence expose this nicely.
* Merge pull request #30610 from YHNdnzj/logind-serialize-pidref [Yu Watanabe, 2024-01-04, 1, -1/+1]
|\
| |     logind: serialize session leader pidfd to fdstore
| * logind: serialize session leader pidfd to fdstore [Mike Yuan, 2024-01-04, 1, -1/+1]
| |
* | Merge pull request #30578 from bluca/polkit-varlink [Lennart Poettering, 2024-01-04, 1, -1/+1]
|\ \
| |/
|/|     varlink: add glue to allow authenticating varlink connections via polkit
| * creds: open up access to clients via Polkit [Lennart Poettering, 2024-01-03, 1, -1/+1]
| |     Use auth_admin_keep, so that users don't have to re-auth interactively again and again when encrypting/decrypting batches of credentials.