path: root/units
Commit log for this path. Each entry lists the commit subject, then author, date, number of files changed and lines -removed/+added, followed by the commit message body where present.
* nspawn: set TasksMax= for containers to 8192 by default
  Lennart Poettering, 2015-11-16; 1 file, -0/+1
* core: remove SmackFileSystemRootLabel= again
  Lennart Poettering, 2015-11-12; 1 file, -3/+0
  Apparently, util-linux' mount command implicitly drops the smack-related options anyway before passing them to the kernel, if the kernel doesn't know SMACK, hence there's no point in duplicating this in systemd.
  Fixes #1696
* units: fix system.slice to require -.slice, instead of just wanting it
  Lennart Poettering, 2015-11-11; 1 file, -1/+1
* journal: restore watchdog support
  Lennart Poettering, 2015-11-03; 1 file, -0/+1
* Merge pull request #1726 from teg/networkd-2
  Daniel Mack, 2015-11-03; 1 file, -1/+1
  networkd: (de)serialize more state and support expiring routes
  Commit brought in by this merge:
  * networkd: route - track routes
    Tom Gundersen, 2015-10-30; 1 file, -1/+1
* journald: never block when sending messages on NOTIFY_SOCKET socket
  Lennart Poettering, 2015-11-01; 1 file, -1/+0
  Otherwise we might run into deadlocks, when journald blocks on the notify socket on PID 1, and PID 1 blocks on IPC to dbus-daemon and dbus-daemon blocks on logging to journald.
  Break this cycle by making sure that journald never ever blocks on PID 1.
  Note that this change disables support for event loop watchdog support, as these messages are sent in blocking style by sd-event. That should not be a big loss though, as people reported frequent problems with the watchdog hitting journald on excessively slow IO.
  Fixes: #1505.
* core: rename SmackFileSystemRoot= to SmackFileSystemRootLabel=
  Lennart Poettering, 2015-10-26; 1 file, -1/+1
  That way it's in sync with the other SMACK label settings.
  https://github.com/systemd/systemd/pull/1664#issuecomment-150891270
* units: add 'SmackFileSystemRoot=*' option into tmp.mount
  Sangjung Woo, 2015-10-24; 1 file, -0/+3
  If SMACK is enabled, 'smackfsroot=*' option should be specified when /tmp is mounted since many non-root processes use /tmp for temporary usage. If not, /tmp is labeled as '_' and smack denial occurs when writing. In order to do that, 'SmackFileSystemRoot=*' is newly added into tmp.mount.
* units: also whitelist "blkext" block devices for nspawn service
  Lennart Poettering, 2015-10-22; 1 file, -0/+1
  /dev/loop*p* block devices are of the "blkext" subsystem, not of loop, hence whitelist this too.
  Fixes #1446
* Revert "units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled"
  Kay Sievers, 2015-10-18; 1 file, -3/+1
  This reverts commit 409c2a13fd65692c611b7bcaba12e908ef7cf1e5.
  It breaks the bootup of systems which enable smack at compile time, but have no smack enabled in the kernel. This needs a different solution.
* units: .gitignore: units - ignore tmp.mount
  Tom Gundersen, 2015-10-15; 1 file, -0/+1
  This is a follow-up to 409c2a13fd656.
* Merge pull request #1572 from again4you/devel/tmp-smack
  Lennart Poettering, 2015-10-15; 1 file, -1/+3
  units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled
  Commit brought in by this merge:
  * units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled
    Sangjung Woo, 2015-10-15; 1 file, -1/+3
    If SMACK is enabled, 'smackfsroot=*' option should be specified in tmp.mount file since many non-root processes use /tmp for temporary usage. If not, /tmp is labeled as '_' and smack denial occurs when writing.
* unit: remove [Install] section from the user exit.target unit
  Lennart Poettering, 2015-10-14; 1 file, -3/+0
  There's no concept of ctrl-alt-del for user systemd instances, hence don't suggest it would make sense to symlink the unit to it.
  Fixes #1525.
* Merge pull request #1468 from poettering/fdnames
  Tom Gundersen, 2015-10-06; 1 file, -1/+1
  Add support for naming fds for socket activation and more
  Commit brought in by this merge:
  * unit: give systemd-networkd.socket a better description
    Lennart Poettering, 2015-10-06; 1 file, -1/+1
    Usually we try to properly uppercase first characters in the description, do so here, too. Also, keep it close to the string used in systemd-networkd.service.
* nspawn: fix --image= when nspawn is run as service
  Lennart Poettering, 2015-10-03; 1 file, -0/+5
  nspawn needs access to /dev/loop to implement --image=, hence grant that in the service file.
  Fixes #1446.
* rfkill: rework and make it listen on /dev/rfkill
  Lennart Poettering, 2015-10-01; 3 files, -10/+27
  With this rework we introduce systemd-rfkill.service as singleton that is activated via systemd-rfkill.socket that listens on /dev/rfkill. That way, we get notified each time a new rfkill device shows up or changes state, in which case we restore and save its current setting to disk.
  This is nicer than the previous logic, as this means we save/restore state even of rfkill devices that are around only intermittently, and save/restore the state even if the system is shut down abruptly instead of cleanly.
  This implements what I suggested in #1019 and obsoletes it.
* machine-id-commit: merge machine-id-commit functionality into machine-id-setup
  Lennart Poettering, 2015-09-29; 1 file, -1/+1
  And remove machine-id-commit as separate binary.
  There's really no point in keeping this separate, as the sources are pretty much identical, and have pretty identical interfaces. Let's unify this in one binary.
  Given that machine-id-commit was a private binary of systemd (shipped in /usr/lib/) removing the tool is not an API break.
  While we are at it, improve the documentation of the command substantially.
* units: increase watchdog timeout to 3min for all our services
  Lennart Poettering, 2015-09-29; 13 files, -13/+13
  Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services.
  See #1353 for an example where this triggers.
* units: run ldconfig also when cache is unpopulated
  Michal Sekletar, 2015-09-23; 1 file, -1/+2
* containers: systemd exits with non-zero code
  Alban Crequy, 2015-09-21; 3 files, -0/+35
  When a systemd service running in a container exits with a non-zero code, it can be useful to terminate the container immediately and get the exit code back to the host, when systemd-nspawn returns. This was not possible to do.
  This patch adds the following to make it possible:
  - Add a read-only "ExitCode" property on PID 1's "Manager" bus object. By default, it is 0 so the behaviour stays the same as previously.
  - Add a method "SetExitCode" on the same object. The method fails when called on baremetal: it is only allowed in containers or in user session.
  - Add support in systemctl to call "systemctl exit 42". It reuses the existing code for user session.
  - Add exit.target and systemd-exit.service to the system instance.
  - Change main() to actually call systemd-shutdown to exit() with the correct value.
  - Add verb 'exit' in systemd-shutdown with parameter --exit-code
  - Update systemctl manpage.
  I used the following to test it:
  | $ sudo rkt --debug --insecure-skip-verify run \
  |   --mds-register=false --local docker://busybox \
  |   --exec=/bin/chroot -- /proc/1/root \
  |   systemctl --force exit 42
  | ...
  | Container rkt-895a0cba-5c66-4fa5-831c-e3f8ddc5810d failed with error code 42.
  | $ echo $?
  | 42
  Fixes https://github.com/systemd/systemd/issues/1290
* units: make sure that .nspawn files override the default settings in systemd-nspawn@.service
  Lennart Poettering, 2015-09-06; 1 file, -1/+1
* bus-proxy: increase NOFILE limit
  David Herrmann, 2015-09-04; 1 file, -0/+5
  The bus-proxy manages the kdbus connections of all users on the system (regarding the system bus), hence, it needs an elevated NOFILE. Otherwise, a single user can trigger ENFILE by opening NOFILE connections to the bus-proxy.
  Note that the bus-proxy still does per-user accounting, indirectly via the proxy/fake API of kdbus. Hence, the effective per-user limit is not raised by this. However, we now prevent one user from consuming the whole FD limit of the shared proxy.
  Also note that there is no *perfect* way to set this. The proxy is a shared object, so it needs a larger NOFILE limit than the highest limit of all users. This limit can be changed dynamically, though. Hence, we cannot protect against it. However, a raised NOFILE limit is a privilege, so we just treat it as such and basically allow these privileged users to be able to consume more resources than normal users (and, maybe, cause some limits to be exceeded by this).
  Right now, kdbus hard-codes 1024 max connections per user on each bus. However, we *must not* rely on this. These limits could be easily dropped entirely, as the NOFILE limit is a suitable limit on its own.
* bus-proxy: add ExecReload=
  David Herrmann, 2015-08-04; 2 files, -0/+2
  Make sure we support ExecReload= for bus-proxyd to reload configuration during runtime. This is *really* handy when hacking on kdbus. Package-managers are still recommended to run `busctl --address=unix:path=` directly.
* terminal: drop unfinished code
  David Herrmann, 2015-07-27; 2 files, -16/+0
  This drops the libsystemd-terminal and systemd-consoled code for various reasons:
  * It's been sitting there unfinished for over a year now and won't get finished any time soon.
  * Since its initial creation, several parts need significant rework: The input handling should be replaced with the now commonly used libinput, the drm accessors should coordinate the handling of mode-object hotplugging (including split connectors) with other DRM users, and the internal library users should be converted to sd-device and friends.
  * There is still significant kernel work required before sd-console is really useful. This includes, but is not limited to, simpledrm and drmlog.
  * The authority daemon is needed before all this code can be used for real. And this will definitely take a lot more time to get done as no-one else is currently working on this, but me.
  * kdbus maintenance has taken up way more time than I thought and it has much higher priority. I don't see me spending much time on the terminal code in the near future.
  If anyone intends to hack on this, please feel free to contact me. I'll gladly help you out with any issues. Once kdbus and authorityd are finished (whenever that will be..) I'll definitely pick this up again. But until then, let's reduce compile times and maintenance efforts on this code and drop it for now.
* units: add more caps to machined
  Lennart Poettering, 2015-07-27; 1 file, -1/+1
  Otherwise copying full directory trees between container and host won't work, as we cannot access some files and cannot adjust the ownership properly on the destination.
  Of course, adding these many caps to the daemon kinda defeats the purpose of the caps lock-down... but well...
  Fixes #433
* units: order networkd after sysctl
  Tom Gundersen, 2015-07-23; 1 file, -1/+1
  This way networkd will correctly and race-freely inherit the default settings applied by sysctl.
  Suggested in issue #468.
* units: emergency.service: wait for plymouth to shut down
  Martin Pitt, 2015-07-10; 1 file, -1/+1
  Merely calling "plymouth quit" isn't sufficient, as plymouth needs some time to shut down. This needs plymouth --wait (which is a no-op when it's not running).
  Fixes invisible emergency shell with plymouth running endlessly.
  https://launchpad.net/bugs/1471258
* turn kdbus support into a runtime option
  Kay Sievers, 2015-06-17; 2 files, -4/+0
  ./configure --enable/disable-kdbus can be used to set the default behavior regarding kdbus. If no kdbus kernel support is available, dbus-daemon will be used.
  With --enable-kdbus, the kernel command line option "kdbus=0" can be used to disable kdbus.
  With --disable-kdbus, the kernel command line option "kdbus=1" is required to enable kdbus support.
* Revert "hwdb: actually search /run/udev/hwdb.d"
  Lennart Poettering, 2015-06-09; 1 file, -1/+0
* hwdb: actually search /run/udev/hwdb.d
  Peter Hutterer, 2015-06-09; 1 file, -0/+1
  The documentation claims hwdb entries may be placed in the volatile /run/udev/hwdb.d directory but nothing actually looked at it.
* udevd: hook up watchdog support
  Tom Gundersen, 2015-05-29; 1 file, -0/+1
  We are already sending watchdog notifications, this tells PID1 to actually listen for them and restart udevd in case it gets stuck.
* units: conditionalize audit multicast socket on CAP_AUDIT_READ
  Lennart Poettering, 2015-05-20; 1 file, -0/+1
  The multicast logic can only work if the capability is available, hence require it.
* units: make sure systemd-nspawn@.slice instances are actually located in machine.slice
  Lennart Poettering, 2015-05-19; 1 file, -0/+1
  https://plus.google.com/112206451048767236518/posts/SYAueyXHeEX
* Use "new" --job-mode= option in more places
  Zbigniew Jędrzejewski-Szmek, 2015-05-18; 2 files, -2/+2
  --irreversible/--ignore-dependencies/--fail are deprecated since 4dc5b821ae737914499119e29811fc3346e3d97c.
  Also add shell completions for --job-mode.
* units: make networkd pull in its own .busname unit
  Tom Gundersen, 2015-05-15; 2 files, -0/+8
  The daemon requires the busname unit to operate (on kdbus systems), since it contains the policy that allows it to acquire its service name.
  This fixes https://bugs.freedesktop.org/show_bug.cgi?id=90287
* units: fix typo in systemd-resolved.service
  Lennart Poettering, 2015-05-14; 1 file, -1/+1
  There's no network.service unit, we actually mean network.target here.
  Reported by Fco. Eduardo Ramírez.
* units: order nspawn containers after network.target
  Lennart Poettering, 2015-05-11; 1 file, -0/+1
  This way we know that any bridges and other user-created network devices are in place, and can be properly added to the container.
  In the long run this should be dropped, and replaced by direct calls inside nspawn that cause the devices to be created when necessary.
* nspawn: make sure we install the device policy if nspawn is run as unit as on the command line
  Lennart Poettering, 2015-04-28; 1 file, -0/+14
* fsck: remove fsckd again, but keep the door open for external replacement
  Lennart Poettering, 2015-04-28; 5 files, -37/+1
  For a longer discussion see this:
  http://lists.freedesktop.org/archives/systemd-devel/2015-April/030175.html
  This introduces /run/systemd/fsck.progress as a simple AF_UNIX/SOCK_STREAM socket. If it exists and is connectable we'll connect fsck's -c switch with it. If external programs want to get progress data they should hence listen on this socket and will get all they need via that socket. To get information about the connecting fsck client they should use SO_PEERCRED.
  Unless /run/systemd/fsck.progress is around and connectable this change reverts back to v219 behaviour where we'd forward fsck output to /dev/console on our own.
* units: specify timeouts for more oneshot services
  Zbigniew Jędrzejewski-Szmek, 2015-04-28; 8 files, -0/+8
  Even trivial services occasionally get stuck, for example when there's a problem with the journal. There's nothing more annoying than looking at the cylon eye for a job with an infinite timeout.
  Use standard 90s for jobs that do some work, and 30s for those which should be almost instantaneous.
* shutdownd: kill the old implementation
  Daniel Mack, 2015-04-24; 3 files, -34/+0
  Now that all functionality has been ported over to logind, the old implementation can be removed.
  There goes one of the oldest parts of the systemd code base.
* units: set KillMode=mixed for our daemons that fork worker processes
  Lennart Poettering, 2015-04-24; 2 files, -0/+2
  The daemons should really have the time to kill the workers first, before systemd does it, hence use KillMode=mixed for these daemons.
  https://bugs.freedesktop.org/show_bug.cgi?id=90051
* importd: add CAP_DAC_OVERRIDE capability
  Lubomir Rintel, 2015-04-21; 1 file, -1/+1
  Fedora's filesystem package ships /usr/bin (and other directories) which are not writable by its owner. machinectl pull-dkr (and possibly others) are not able to extract those:
  14182 mkdirat(3, "usr", 0700) = 0
  14182 mkdirat(3, "usr/bin", 0500) = 0
  14182 openat(3, "usr/bin/[", O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_NONBLOCK|O_CLOEXEC, 0700) = -1 EACCES (Permission denied)
  ...
* units: explicitly require /var, /tmp and /var/tmp to be mounted before basic.target
  Lennart Poettering, 2015-04-03; 1 file, -3/+5
  We support /var, /tmp and /var/tmp on NFS. NFS shares however are by default ordered only before remote-fs.target which is a late-boot service. /var, /tmp, /var/tmp need to be around earlier though, hence explicitly order them before basic.target.
  Note that this change simply makes explicit what was implicit before, since many early-boot services pulled in parts of /var anyway early.
* units: explicitly order systemd-user-sessions.service after nss-user-lookup.target
  Lennart Poettering, 2015-04-03; 1 file, -1/+1
  We should not allow logins before NIS/LDAP users are available.
* units: move After=systemd-hwdb-update.service dependency from udev to udev-trigger
  Lennart Poettering, 2015-04-03; 2 files, -2/+2
  Let's move the hwdb regeneration a bit later. Given that hwdb is non-essential it should be OK to allow udev to run without it until we do the full trigger.
  http://lists.freedesktop.org/archives/systemd-devel/2015-April/030074.html
* resolved: Do not add .busname dependencies, when compiling without kdbus.
  Dimitri John Ledkov, 2015-03-19; 2 files, -0/+3