summaryrefslogtreecommitdiffstats
path: root/units (follow)
Commit message (Collapse)AuthorAgeFilesLines
* meson: add separate option for sysupdated, disable in release buildsZbigniew Jędrzejewski-Szmek2024-10-311-4/+4
| | | | | | This commit introduces a build-time option to enable/disable sysupdated separately from sysupdate. 'auto' translated to enabled by default in developer builds.
* logind: allow read/write to char-hvc devicesLuca Boccassi2024-10-221-0/+1
| | | | | virtio console uses /dev/hvc* so we need access to write wall messages
* units/{user,capsule}@.service: issue daemon-reexec when notify-reloadingMike Yuan2024-10-112-0/+8
| | | | | | | | | | | | | | | | | | | | | | | Closes #28367 (but not really in the exact form, see below) We have the problem of restarting all user manager instances after upgrade. Current approaches involve systemctl kill with SIGRTMIN+25, which is async and feels rather ugly [1][2]; or systemctl --machine=user@ --user, which requires entering each user session. Neither is particularly elegant. Instead, let's just signal daemon-reexec when user@.service is reloaded from system manager. Our long goal of dropping daemon-reload in favor of reexec (see TODO) is unlikely to happen due to user dbus restrictions, but here the synchronization is done via READY=1. [1] https://gitlab.archlinux.org/archlinux/packaging/packages/systemd/-/blob/main/systemd.install?ref_type=heads#L37 [2] https://salsa.debian.org/systemd-team/systemd/-/blob/debian/master/debian/systemd.postinst#L24 #28367 would not really work for us now I come to think about it, because all processes will be reparented to pid1 as soon as original user manager process exits. This alternative approach seems good enough for our use case.
* logind: add support for hidraw devicesPeter Hutterer2024-10-031-0/+1
| | | | | | Add support for opening /dev/hidraw devices via logind's TakeDevice(). Same semantics as our support for evdev devices, but it requires the HIDIOCREVOKE ioctl in the kernel.
* units: Order ldconfig after systemd-tmpfiles-setup.serviceDaan De Meyer2024-09-241-2/+3
| | | | | | tmpfiles might be linking the configuration for ldconfig into /etc so make sure it runs after it so that the configuration is guaranteed to be in place.
* firstboot: Prompt for keymapDaan De Meyer2024-09-191-1/+1
| | | | | | It's rather crucial to have a good firstboot experience that you can immediately set the right keymap so let's make sure we prompt for it.
* units: Order ldconfig.service after systemd-confext.serviceDaan De Meyer2024-09-121-1/+2
| | | | | | | The configuration files required by ldconfig could be put into place by systemd-confext.service (ldconfig only looks in /etc) so let's order the service after systemd-confext.service to make sure any config files are in place before the service runs.
* emit a warning in networkd if managed sysctls are changedMatteo Croce2024-09-111-3/+3
| | | | | | | | | | | | | | | | | | | Monitor the sysctl set by networkd for writes, if a sysctl is overwritten with a different value than the one we set, emit a warning. Writes are detected with an eBPF program attached as BPF_CGROUP_SYSCTL which reports the sysctl writes only in net/. The eBPF program only reports sysctl writes from a different cgroup than networkd. To do this, it uses the `bpf_current_task_under_cgroup_proto()` helper, which will be available allowed in BPF_CGROUP_SYSCTL from kernel 6.12[1]. Loading a BPF_CGROUP_SYSCTL program requires the CAP_SYS_ADMIN capability, so drop it just after the program load, whether it loads successfully or not. Writes are logged but permitted, in future the functionality can be extended to also deny writes to managed sysctls. [1] https://lore.kernel.org/bpf/20240819162805.78235-3-technoboy85@gmail.com/
* Merge pull request #34336 from yuwata/nspawn-fuse-follow-upsYu Watanabe2024-09-101-3/+0
|\ | | | | nspawn: follow-ups for FUSE support
| * nspawn: sync DeviceAllow= setting with systemd-nspawn@.serviceYu Watanabe2024-09-091-3/+0
| | | | | | | | | | | | | | | | Follow-up for dc3223919f663b7c8b8d8d1d6072b4487df7709b. Addresses https://github.com/systemd/systemd/pull/34067#discussion_r1748592958. Otherwise, containers started with and without --keep-unit option run in different device policies.
* | shell: define three system credentials we can propagate into shell prompts ↵Lennart Poettering2024-09-094-0/+4
|/ | | | and welcome messages
* nspawn: enable FUSE in containersLuke T. Shumaker2024-09-071-3/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linux kernel v4.18 (2018-08-12) added user-namespace support to FUSE, and bumped the FUSE version to 7.27 (see: da315f6e0398 (Merge tag 'fuse-update-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse, Linus Torvalds, 2018-06-07). This means that on such kernels it is safe to enable FUSE in nspawn containers. In outer_child(), before calling copy_devnodes(), check the FUSE version to decide whether enable (>=7.27) or disable (<7.27) FUSE in the container. We look at the FUSE version instead of the kernel version in order to enable FUSE support on older-versioned kernels that may have the mentioned patchset backported ([as requested by @poettering][1]). However, I am not sure that this is safe; user-namespace support is not a documented part of the FUSE protocol, which is what FUSE_KERNEL_VERSION/FUSE_KERNEL_MINOR_VERSION are meant to capture. While the same patchset - added FUSE_ABORT_ERROR (which is all that the 7.27 version bump is documented as including), - bumped FUSE_KERNEL_MINOR_VERSION from 26 to 27, and - added user-namespace support these 3 things are not inseparable; it is conceivable to me that a backport could include the first 2 of those things and exclude the 3rd; perhaps it would be safer to check the kernel version. Do note that our get_fuse_version() function uses the fsopen() family of syscalls, which were not added until Linux kernel v5.2 (2019-07-07); so if nothing has been backported, then the minimum kernel version for FUSE-in-nspawn is actually v5.2, not v4.18. Pass whether or not to enable FUSE to copy_devnodes(); have copy_devnodes() copy in /dev/fuse if enabled. Pass whether or not to enable FUSE back over fd_outer_socket to run_container() so that it can pass that to append_machine_properties() (via either register_machine() or allocate_scope()); have append_machine_properties() append "DeviceAllow=/dev/fuse rw" if enabled. For testing, simply check that /dev/fuse can be opened for reading and writing, but that actually reading from it fails with EPERM. The test assumes that if FUSE is supported (/dev/fuse exists), then the testsuite is running on a kernel with FUSE >= 7.27; I am unsure how to go about writing a test that validates that the version check disables FUSE on old kernels. [1]: https://github.com/systemd/systemd/issues/17607#issuecomment-745418835 Closes #17607
* coredump: set ProtectHome to read-onlyEtienne Cordonnier2024-09-061-1/+1
| | | | | | | | | | | | In https://github.com/systemd/systemd/pull/5283/commits/924453c22599cc246746a0233b2f52a27ade0819 ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump. At that point the object analysis was done in the main systemd-coredump process. Because of this systemd-coredump is unable to product symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names). However, later in https://github.com/systemd/systemd/commit/61aea456c12c54f49c4a76259af130e576130ce9 systemd-coredump was changed to do the object analysis in a forked process, covering those security concerns. Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home.
* units: don't set LISTEN_FDNAMES for varlink services explicitlyLennart Poettering2024-08-265-5/+0
| | | | | Now that FileDescriptorName= is properly honored by Accept=yes sockets, this explicit override is pointless.
* sysupdate: Implement systemd-sysupdated dbus serviceAdrian Vovk2024-08-212-0/+35
| | | | | Co-authored-by: Tom Coldrick <thomas.coldrick@codethink.co.uk> Co-authored-by: Abderrahim Kitouni <abderrahim.kitouni@codethink.co.uk>
* units: drop "-p" flag from agetty's login optionsRonan Pigott2024-08-154-16/+12
| | | | | | | | | | | | | | | | | | | | | | | | This flag was added in db6aedab9292 with the justification that locale environment variables should be preserved by the user session. However, the companion patch to drop the UnsetEnvironment= directive blocking these variables was never merged, so the intended change was never effected. While the patch was ineffective toward its stated goal, the "-p" option does have material negative consequences for the user session in systemd — environment variables to support the use of credentials and memory pressure directives, such as $CREDENTIALS_DIRECTORY and $MEMORY_PRESSURE_WATCH, which are now directly used by agetty and login, get leaked into the user session potentially breaking applications that rely on these values. E.g. systemd-ask-password fails from the tty when $CREDENTIALS_DIRECTORY has been leaked from agetty, because it expects to be able to access credentials in $CREDENTIALS_DIRECTORY. This effectively reverts db6aedab9292. References: db6aedab9292 (units: Tell login to preserve environment (#6023), 2017-05-24)
* units: Import tty specific credentials for each getty unitDaan De Meyer2024-07-314-0/+8
| | | | | As explained in the previous commit, this allows us to configure agetty and login for individual ttys instead of globally.
* units: bring agetty command lines back into syncLennart Poettering2024-07-194-9/+10
| | | | | | | | | | Let's always rely on our own TTY reset logic and tty disallocation/clear screen logic, thus always pass --noclear and --noreset. Also, bring the list of baud rates to try into sync for console-getty and serial-getty (the former might or might not be connected to rs232, we can't know, hence assume the worst, and copy what serial-getty@.service does)
* fsck: do not pull down mount units on soft-rebootLuca Boccassi2024-07-091-1/+2
| | | | Otherwise they will pull down the disk too, which we don't want on soft-reboot
* Remove extra period at the end of systemd-bsod's unit description. (#33632)fwfy2024-07-061-1/+1
| | | | | | | * Remove extra period at end of unit description. Having an extra period at the end of this unit description makes log entries pertaining to it appear weirdly, as it seems the default expectation is that there is not to be a period at the end of a unit description. e.g.: `systemd[1]: Started Displays emergency message in full screen..`
* units: add dep on systemd-logind.service by user@.serviceLennart Poettering2024-07-012-2/+2
| | | | | | | | | | | | | | | | | | | | | | | Let's make sure logind is accessible by the time user@.service runs, and that logind stays around as long as it does so. Addresses an issue reported here: https://lists.freedesktop.org/archives/systemd-devel/2024-June/050468.html This addresses an issued introduced by 278e815bfa3e4c2e3914e00121c37fc844cb2025, which dropped the a dependency from user@.service systemd-user-sessions.service without replacement. While dropping that dependency does make sense, it should have been replaced with the weaker dependency on systemd-logind.service, hence fix that now. user@.service is after all a logind concept, hence logind really should be around for its lifetime. systemd-user-sessions.service is a later milestone that only really should apply to regular users (not root), hence it's too strong a requirement.
* importd: allow activation in early boot, and make it socket activatableLennart Poettering2024-06-253-1/+36
| | | | | | | | | | Previously, importd was only accessible via D-Bus, which required it to be a late boot service. Now that we have Varlink we can rearrange things to become early-boot activated, just after the image directories are mounted. This will later allow us to have generator that auto-downloads images on boot.
* units: register vmspawn VMs started via systemd-vmspawn@.service by default ↵Lennart Poettering2024-06-211-1/+1
| | | | with machined
* man,units: drop "temporary" from description of systemd-tmpfilesMike Yuan2024-06-152-2/+2
| | | | | | | | | Historically, systemd-tmpfiles was designed to manager temporary files, but nowadays it has become a generic tool for managing all kinds of files. To avoid user confusion, let's remove "temporary" from the tool's description. As discussed in #33349
* tpm2-setup: Don't fail if we can't access the TPM due to authorization failureDaan De Meyer2024-06-122-0/+6
| | | | | | The TPM might be password/pin protected for various reasons even if there is no SRK yet. Let's handle those cases gracefully instead of failing the unit as it is enabled by default.
* presets: Don't enable systemd-homed-firstboot.service by defaultDaan De Meyer2024-06-081-1/+1
| | | | | | | | | | Enabling this service by default means every CI image without a regular user now gets stuck on first boot due to the password prompt from systemd-homed-firstboot.service. Let's not enable the service by default but instead require users to enable it explicitly if they want its behavior. Fixes #33249
* journald: enable persistent FD Store to fix logging during soft-rebootLuca Boccassi2024-06-031-0/+2
| | | | | | | | A unit with StandardOutput=journal (the default) will get its stdout/stderr sockets disconnected when journald stops, as the file descriptors on journald's side are not preserved (it works on restart, as the FD Store keeps them open during restarts). Set FileDescriptorStorePreserve=yes so that the journal FD's stay open during a soft reboot, and applications don't get broken stdout/stderr.
* man: update links to "API File Systems"Zbigniew Jędrzejewski-Szmek2024-05-2811-11/+11
|
* various: update links to more wiki pagesZbigniew Jędrzejewski-Szmek2024-05-282-4/+4
|
* unit: also stop systemd-journal-flush.service on soft-rebootYu Watanabe2024-05-251-0/+3
| | | | | | | After soft-reboot, /var/log/journal may be initially read-only, and becomes writable a bit later. In such case, runtime journal is initially opened by journald. Hence, we need to flush to /var when it is ready.
* units: stop systemd-journald before systemd-soft-reboot.serviceYu Watanabe2024-05-221-1/+4
| | | | | | Typically, soft-reboot.target is never reached. So, without this change, systemd-journald may be killed by PID1 on soft-reboot, and may cause journal corruption.
* Revert "units: do not soft-reboot before soft-reboot.target reached"Yu Watanabe2024-05-222-4/+3
| | | | | | | | This reverts commit 4263d7617f0e6ea741e227db223ac6085479165f. Still I think this is the way to go. But the change was merged after -rc2, and still discussion is continued. So, at least now let's revert it, and do that after v256-final is released if approved.
* units: add JobTimeoutAction= to exit.target and friendsYu Watanabe2024-05-173-0/+6
| | | | | For consistency with other targets, e.g. poweroff.target or reboot.target.
* units: do not soft-reboot before soft-reboot.target reachedYu Watanabe2024-05-172-3/+4
| | | | | | | | | | | | | Otherwise, at the time systemd-soft-reboot.service succeeds, services which has Conflicts= and Before=soft-reboot.target may not be stopped yet, and may be SIGKILLed. Especially, systemd-journald.service has the dependencies, thus journal may be corrupted. See #32223. Follow-up for 13ffc60749df0ca7c76cfcac317b41a05679b364. Fixes #32834.
* units: drop dependencies of soft-reboot.target from systemd-journald@.serviceYu Watanabe2024-05-171-5/+0
| | | | | | | | The service deos not have DefaultDependencies=no. Hence it has dependencies of shutdown.target, and dependencies of soft-reboot.target are not necessary. Follow-up for f89985ca494b79b2beed47e1f10d46ef2d59ce3e.
* journal: explicitly sync namespaced journals before stopping socket unitsYu Watanabe2024-05-022-0/+25
| | | | | | | | | | | | | Otherwise, if a service unit that requests LogNamespace= stopped before systemd-journald@.service is started, logs generated by the service will be lost, as systemd-journald@.socket is stopped and systemd-journald@.service will never started. To prevent the issue, let's introduce another implicit dependency to a oneshot service that explicitly synchronizes a namespaced journal file when the log namespace is not needed anymore. Fixes #32604.
* treewide: fix a few typos in NEWS, docs, comments, and log messagesDmitry V. Levin2024-04-271-1/+1
|
* units: add Before=shutdown.target to systemd-networkd-persistent-storage.serviceLuca Boccassi2024-04-261-0/+1
| | | | | | | | It's ordered with networkd, but just in case. Lintian complains: W: systemd: systemd-service-file-shutdown-problems [usr/lib/systemd/system/systemd-networkd-persistent-storage.service] Follow-up for 91676b645886382328c261efd5e83490d16e75cf
* units: merge two After= linesLennart Poettering2024-04-221-2/+1
|
* tpm2-setup-early: order against pcrphase-initrdLennart Poettering2024-04-221-1/+1
| | | | | | | | | | | | | | | | | | Right now systemd-tpm2-setup-early and systemd-pcrphase-initrd.service are not ordered against each other. However, they require the same slow resource to operate: the TPM2. If we allow them to access the device simultaneously, the kernel resource manager like has to save/restore TPM state while they operate, slowing things down further. hence, let's avoid all this mess, and just order them against each other so that the shared resource is first used in full by one and then by the other. I opted to order systemd-pcrphase-initrd before systemd-tpm2-setup-early, since there's value in having the former as early as possible in userspace, to be a good marker for the transition from kernel to first userspace. I can see no benefit in the opposite order however.
* units: introduce systemd-udev-load-credentials.serviceYu Watanabe2024-04-163-0/+31
|
* units: order repart after systemd-tpm2-setup-early.serviceLennart Poettering2024-04-151-1/+1
| | | | | | | | | | | | | This mimics what we do for systemd-cryptsetup@.service (see src/shared/generator.c), and makes sense since repart might lock up the root volume against a TPM, which ideally has its SRK already set up by then. More importantly though, this ensures that we ordered correctly after tpm2.target (which systemd-tpm2-setup-early.service has a dependency on), for systems where the TPM drivers are not compiled into the kernel. See: https://lists.freedesktop.org/archives/systemd-devel/2024-April/050201.html
* units/systemd-boot-check-no-failures.service: drop unneeded dep on ↵Mike Yuan2024-04-101-2/+0
| | | | shutdown.target
* mountfsd: add new systemd-mountfsd componentLennart Poettering2024-04-063-0/+76
|
* nsresourced: add new daemon for granting clients user namespaces and ↵Lennart Poettering2024-04-063-0/+78
| | | | | | | | | | | | | | | | | | | | | | | | assigning resources to them This adds a small, socket-activated Varlink daemon that can delegate UID ranges for user namespaces to clients asking for it. The primary call is AllocateUserRange() where the user passes in an uninitialized userns fd, which is then set up. There are other calls that allow assigning a mount fd to a userns allocated that way, to set up permissions for a cgroup subtree, and to allocate a veth for such a user namespace. Since the UID assignments are supposed to be transitive, i.e. not permanent, care is taken to ensure that users cannot create inodes owned by these UIDs, so that persistancy cannot be acquired. This is implemented via a BPF-LSM module that ensures that any member of a userns allocated that way cannot create files unless the mount it operates on is owned by the userns itself, or is explicitly allowelisted. BPF LSM program with contributions from Alexei Starovoitov.
* units: introduce systemd-hibernate-clear.service that clearsMike Yuan2024-04-032-0/+29
| | | | | | | | | | | | | | | | | | | | | stale HibernateLocation EFI variable Currently, if the HibernateLocation EFI variable exists, but we failed to resume from it, the boot carries on without clearing the stale variable. Therefore, the subsequent boots would still be waiting for the device timeout, unless the variable is purged manually. There's no point to keep trying to resume after a successful switch-root, because the hibernation image state would have been invalidated by then. OTOH, we don't want to clear the variable prematurely either, i.e. in initrd, since if the resume device is the same as root one, the boot won't succeed and the user might be able to try resuming again. So, let's introduce a unit that only runs after switch-root and clears the var. Fixes #32021
* units: remove implicit RequiresMountsFor=Mike Yuan2024-04-011-1/+0
|
* Merge pull request #31951 from bluca/resolve_reloadYu Watanabe2024-03-261-1/+1
|\ | | | | resolved: support reloading configuration at runtime
| * resolved: support reloading configuration at runtimeLuca Boccassi2024-03-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | Drop connections and caches and reload config from files, to allow for low-interruptions updates, and hook up to the usual SIGHUP and ExecReload=. Mark servers and services configured directly via D-Bus so that they can be kept around, and only the configuration file settings are dropped and reloaded. Fixes https://github.com/systemd/systemd/issues/17503 Fixes https://github.com/systemd/systemd/issues/20604
* | units: sort lists in meson.buildMike Yuan2024-03-262-3/+3
|/