Commit log for path root/units. Each entry gives the subject, author, date, number of files changed and lines removed/added.
* units: add a tpm2.target synchronization point and small generator that pulls in
  Lennart Poettering, 2024-01-03, 12 files changed, -4/+27

  Distributions apparently only compile a subset of TPM2 drivers into the kernel. For those not compiled in but provided as kmod we need a synchronization point: we must wait before the first TPM2 interaction until the driver is available and accessible.

  This adds a tpm2.target unit as such a synchronization point. It's ordered after /dev/tpmrm0, and is pulled in by a generator whenever we detect that the kernel reported a TPM2 to exist but we have no device for it yet.

  This should solve the issue, but might create problems: if there are TPM devices supported by firmware that we don't have Linux drivers for we'll hang for a bit. Hence let's add a kernel cmdline switch to disable (or alternatively force) this logic.

  Fixes: #30164
* Merge pull request #30686 from poettering/uki-measured-check-imply-tpm2
  Mike Yuan, 2024-01-03, 2 files changed, -2/+0

  efi-loader: when detecting if we are booted in UKI measured boot mode, imply a check for TPM2
  * Revert "units: add ConditionSecurity=tpm2 to systemd-tpm2-setup units"
    Lennart Poettering, 2024-01-02, 2 files changed, -2/+0

    Now that the ConditionSecurity=uki-measured check is tighter we can drop the explicit TPM2 check again.

    This reverts commit aa735b02196cf6f947fd1e4b2ec46b544ec7c3e1.
* unit: order systemd-resolved after systemd-sysctl
  Yu Watanabe, 2024-01-02, 1 file changed, -1/+1

  Otherwise, the IPv6 enable/disable setting may be changed after resolved is started.
* units: add ConditionSecurity=tpm2 to systemd-tpm2-setup units
  Luca Boccassi, 2023-12-28, 2 files changed, -0/+2

  ConditionSecurity=measured-uki can be true even with TPM 1.2 which we don't support, so add an explicit check for TPM 2.0.

  Fixes https://github.com/systemd/systemd/issues/30650

  Follow-up for 2e64cb71b9c0160c3
* creds: add varlink API for encrypting/decrypting credentials
  Lennart Poettering, 2023-12-21, 3 files changed, -0/+47
* homectl: add "firstboot" command
  Lennart Poettering, 2023-12-18, 3 files changed, -1/+33

  This extends what systemd-firstboot does and runs on first boots only and either processes user records passed in via credentials to create, or asks the user interactively to create one (only if no regular user exists yet).
* systemd-homed.service.in: add quotactl to SystemCallFilter
  Neil Wilson, 2023-12-01, 1 file changed, -1/+1

  Standard directories make a call to the quotactl system call to enforce disk size limits.

  Fixes #30287
* unit: make journald stopped on soft-reboot before broadcasting SIGKILL
  Yu Watanabe, 2023-11-28, 2 files changed, -0/+10

  Workaround for #30195.
* units: disable start rate limit for systemd-vconsole-setup.service
  Zbigniew Jędrzejewski-Szmek, 2023-11-25, 1 file changed, -0/+6

  The unit will be started or restarted a few times during boot, but it has StartLimitBurst = DefaultStartLimitBurst = 5, which means that the fifth restart will already fail. On my laptop, I have exactly 4 restarts, so I don't hit the limit, but on a slightly different system we will easily hit the limit. In https://bugzilla.redhat.com/show_bug.cgi?id=2251394, there are five reloads and we hit the limit.

  Since 6ef512c0bb7aeb2000588d7d05e23b4681da8657 we propagate the start counter over switch-root and daemon reloads, so it's easier to hit the limit during boot.

  In principle there might be systems with lots of vtcon devices, so let's just allow the unit to be restarted without a limit.

  Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251394.
* units: pull in plymouth when booting into storagetm mode
  Lennart Poettering, 2023-11-13, 2 files changed, -3/+3
* units: add units that put together and install a TPM2 PCR policy at boot
  Lennart Poettering, 2023-11-03, 8 files changed, -0/+208

  (This is disabled by default, for now)
* storagetm: add new systemd-storagetm component
  Lennart Poettering, 2023-11-02, 3 files changed, -0/+51

  This implements a "storage target mode", similar to what MacOS provides for a long time as "Target Disk Mode":

  https://en.wikipedia.org/wiki/Target_Disk_Mode

  This implementation is relatively simple:

  1. a new generic target "storage-target-mode.target" is added, which when booted into defines the target mode.

  2. a small tool and service "systemd-storagetm.service" is added which exposes a specific device or all devices as NVMe-TCP devices over the network. NVMe-TCP appears to be hot shit right now how to expose block devices over the network. And it's really simple to set up via configs, hence our code is relatively short and neat.

  The idea is that systemd-storagetm.target can be extended sooner or later, for example to expose block devices also as USB mass storage devices and similar, in case the system has a "dual mode" USB controller that can also work as device, not just as host. (And people could also plug in sharing as NBD, iSCSI, whatever they want.)

  How to use this? Boot into your system with a kernel cmdline of "rd.systemd.unit=storage-target-mode.target ip=link-local", and you'll see on screen the precise "nvme connect" command line to make the relevant block devices available locally on some other machine.

  This all requires that the target mode stuff is included in the initrd of course. And the system will then stay in the initrd forever.

  Why bother? Primarily three use-cases:

  1. Debug a broken system: with very few dependencies during boot get access to the raw block device of a broken machine.

  2. Migrate from one system to another system, by dd'ing the old to the new directly.

  3. Installing an OS remotely on some device (for example via Thunderbolt networking)

  (And there might be more, for example the ability to boot from a laptop's disk on another system)

  Limitations:

  1. There's no authentication/encryption. Hence: use this on local links only.

  2. NVMe target mode on Linux supports r/w operation only. Ideally, we'd have a read-only mode, for security reasons, and default to it.

  Future love:

  1. We should have another mode, where we simply expose the homed LUKS home dirs like that.

  2. Some lightweight hookup with plymouth, to display a (shortened) version of the info we write to the console.

  To test all this, just run:

  mkosi --kernel-command-line-extra="rd.systemd.unit=storage-target-mode.target" qemu
* units: modprobe@.service: don't unescape instance name
  Martin Wilck, 2023-10-21, 1 file changed, -1/+1

  modprobe treats "-" and "_" interchangeably, thereby avoiding frequent errors because some module names contain dashes and others underscores.

  Because modprobe@.service unescapes the instance name, an attempt to start "modprobe@dm-crypt.service" will run "modprobe -abq dm/crypt", which is doomed to fail. "modprobe@dm_crypt.service" will work as expected. Thus unescaping the instance name has surprising side effects. Use "%i" instead.
* Merge pull request #29272 from enr0n/coredump-container
  Lennart Poettering, 2023-10-16, 1 file changed, -0/+1

  coredump: support forwarding coredumps to containers
  * nspawn: set CoredumpReceive=yes on container's scope when --boot is set
    Nick Rosbrook, 2023-10-13, 1 file changed, -0/+1

    When --boot is set, and --keep-unit is not, set CoredumpReceive=yes on the scope allocated for the container.

    When --keep-unit is set, nspawn does not allocate the container's unit, so the existing unit needs to configure this setting itself. Since systemd-nspawn@.service sets --boot and --keep-unit, add CoredumpReceive=yes to that unit.
* sysext: make some calls available via varlink
  Lennart Poettering, 2023-10-16, 3 files changed, -0/+54
* systemd-journal-upload: Increase failure tolerance (#19426, #2877)
  Priit Laes, 2023-10-13, 1 file changed, -0/+3

  As systemd-journal-upload deals mostly with remote servers, add some failsafes to its unit to restart on failures.

  ```
  [Service]
  Restart=on-failure
  RestartSteps=10
  RestartMaxDelaySec=60
  ```
* pcrextend: make pcrextend tool accessible via varlink
  Lennart Poettering, 2023-10-06, 3 files changed, -0/+52

  This is primarily supposed to be a 1st step with varlinkifying our various command line tools, and an exercise in how this might look like across our codebase one day.

  However, at AllSystemsGo! 2023 it was requested that we provide an API to do a PCR measurement along with a matching event log record, and this provides that.
* tpm2-setup: add new early boot tool for initializing the SRK
  Lennart Poettering, 2023-09-29, 3 files changed, -0/+56

  This adds an explicit service for initializing the TPM2 SRK. This is implicitly also done by systemd-cryptsetup, hence strictly speaking redundant, but doing this early has the benefit that we can parallelize this in a nicer way.

  This also writes a copy of the SRK public key in PEM format to /run/ + /var/lib/, thus pinning the disk image to the TPM. Making the SRK public key available is also useful for allowing easy offline encryption for a specific TPM.

  Sooner or later we should probably grow what this service does, the above is just the first step. For example, the service should probably offer the ability to reset the TPM (clear the owner hierarchy?) on a factory reset, if such a policy is needed. And we might want to install some default AK (?).

  Fixes: #27986
  Also see: #22637
* Merge pull request #29345 from poettering/measured-uki-condition
  Lennart Poettering, 2023-09-27, 6 files changed, -12/+6

  pid1: introduce ConditionSecurity=measured-uki
  * units: move units over to ConditionSecurity=measured-uki
    Lennart Poettering, 2023-09-27, 6 files changed, -12/+6
* units/blockdev@.target: conflict with umount.target
  Mike Yuan, 2023-09-27, 1 file changed, -0/+4

  Follow-up for d120ce478dc0043c89899799b5c1aaf62901bea9

  blockdev@.target is used as a synchronization point between the mount unit and corresponding systemd-cryptsetup@.service. After the mentioned commit, it doesn't get a stop job enqueued during shutdown, and thus the stop job for systemd-cryptsetup@.service could be run before the mount unit is stopped.

  Therefore, let's make blockdev@.target conflict with umount.target, which is also what systemd-cryptsetup@.service does.

  Fixes #29336
* Revert "userdbd: Order systemd-userdbd.service after systemd-remount-fs.service"
  Lennart Poettering, 2023-09-27, 1 file changed, -1/+1

  This reverts commit 9dd88582813b6dbeea6ce336f70cae681e6cbfc6.
* oomd: correct listening sockets
  Lennart Poettering, 2023-09-25, 1 file changed, -1/+1

  So, unfortunately oomd uses "io.system." rather than "io.systemd." as prefix for its sockets. This is a mistake, and doesn't match the Varlink interface naming or anything else in oomd. Hence, let's fix that.

  Given that this is an internal protocol between PID1 and oomd let's simply change this without retaining compat.
* pcrphase: rename binary to pcrextend
  Lennart Poettering, 2023-09-25, 6 files changed, -9/+9

  The tool initially just measured the boot phase, but was subsequently extended to measure file system and machine IDs, too. At AllSystemsGo there were requests to add more, and make the tool generically accessible.

  Hence, let's rename the binary (but not the pcrphase services), to make clear the tool is not just measuring the boot phase, but a lot of other things too. The tool is located in /usr/lib/ and still relatively new, hence let's just rename the binary and be done with it, while keeping the unit names stable.

  While we are at it, also move the tool out of src/boot/ and into its own src/pcrextend/ dir, since it's not really doing boot related stuff anymore.
* repart: Don't fail on boot if we can't find the root block device
  Daan De Meyer, 2023-09-22, 1 file changed, -0/+2

  When booting from virtiofs, we won't be able to find a root block device. Let's gracefully handle this similar to how we don't fail if we can't find a GPT partition table.
* treewide: fix typos
  Joerg Behrmann, 2023-09-19, 1 file changed, -2/+2

  - mostly: usecase -> use case
  - continously -> continuously
  - single typos in docs/FILE_DESCRIPTOR_STORE.md
* units: order battery-check before hibernate-resume
  Mike Yuan, 2023-09-07, 1 file changed, -1/+1
* hibernate-resume: split out the logic of finding hibernate location
  Mike Yuan, 2023-09-07, 2 files changed, -0/+28

  Before this commit, the hibernate location logic only exists in the generator. Also, we compare device nodes (devnode_same()) and clear EFI variable HibernateLocation in the generator too.

  This is not ideal though: when the generator gets to run, udev hasn't yet started, so effectively devnode_same() always fails. Moreover, if the boot process is interrupted by e.g. battery-check, the hibernate information is lost.

  Therefore, let's split out the logic of finding hibernate location. The generator only does the initial validation of system info and enables systemd-hibernate-resume.service, and when the service actually runs we validate everything again, which includes comparing the device nodes and clearing the EFI variable.

  This should make things more robust, plus systems that don't utilize a systemd-enabled initrd can use the exact same logic to resume using the EFI variable. I.e., systemd-hibernate-resume can be used standalone.
* userdbd: Order systemd-userdbd.service after systemd-remount-fs.service
  Victor Westerhuis, 2023-09-04, 1 file changed, -1/+1

  Otherwise the root filesystem might still be read-only and systemd-userdbd fails to start.

  Explicitly pick systemd-remount-fs.service instead of local-fs-pre.target to prevent a dependency cycle.
* bsod: several cleanups
  Yu Watanabe, 2023-08-22, 2 files changed, -5/+5

  - add reference to the service unit in the man page,
  - fix several indentation and typos,
  - replace '(uint64_t) -1' with 'UINT64_MAX',
  - drop unnecessary 'continue'.
* Merge pull request #28697 from 1awesomeJ/new_bsod
  Luca Boccassi, 2023-08-18, 2 files changed, -0/+26

  systemd-bsod: Add "--continuous" option
  * systemd-bsod: Add "--continuous" option
    OMOJOLA JOSHUA, 2023-08-17, 2 files changed, -0/+26
* units: introduce systemd-tmpfiles-setup-dev-early.service
  Yu Watanabe, 2023-08-12, 6 files changed, -3/+36

  This makes tmpfiles, sysusers, and udevd invoked in the following order:

  1. systemd-tmpfiles-setup-dev-early.service
     Create device nodes gracefully, that is, create device nodes anyway by ignoring unknown users and groups.

  2. systemd-sysusers.service
     Create users and groups, so that later invocations of tmpfiles and udevd can resolve necessary users and groups.

  3. systemd-tmpfiles-setup-dev.service
     Adjust owners of previously created device nodes.

  4. systemd-udevd.service
     Process all devices. Especially to make block devices active and mountable.

  5. systemd-tmpfiles-setup.service
     Setup basic filesystem.

  Follow-up for b42482af904ae0b94a6e4501ec595448f0ba1c06.

  Fixes #28653.
  Replaces #28681 and #28732.
* Revert "unit: make udev rules really take precedence over tmpfiles"
  Yu Watanabe, 2023-08-12, 1 file changed, -1/+1

  This reverts commits 112a41b6ece19d03e951d886fe2f26512ab31fab, 3178698bb5352989e4bff866641838b1c2a0efcb, and b768379e8b494b025f41946205944a6f3a1a553f.

  The commit 112a41b6ece19d03e951d886fe2f26512ab31fab introduces #28765, as systemd-tmpfiles-setup.service has ordering after local-fs.target, but usually the target requires block devices processed by udevd. Hence, the service can only start after the block devices timed out.

  Fixes #28765.
* unit: make udev rules really take precedence over tmpfiles
  Yu Watanabe, 2023-08-09, 1 file changed, -1/+1

  Follow-up for b42482af904ae0b94a6e4501ec595448f0ba1c06.

  The commit makes systemd-tmpfiles-setup.service also update the permission or owner of device nodes. However, the service does not have ordering for systemd-udevd.service. So, the service may set a different permission from the one udevd already set.

  Fixes #28653.
  Replaces #28681.
* Revert "unit: make udev rules take precesence over tmpfiles"
  Yu Watanabe, 2023-08-09, 1 file changed, -1/+0

  This reverts commit 31845ef554877525dc4ff4f25ad11ad805ebf81c.

  systemd-tmpfiles-setup-dev.service has Before=systemd-udevd.service. So the commit does not change anything.
* meson: use install_emptydir() and drop meson-make-symlink.sh
  Yu Watanabe, 2023-08-08, 2 files changed, -57/+16

  The script is mostly equivalent to 'mkdir -p' and 'ln -sfr'. Let's replace it with install_emptydir() builtin function and inline meson call.
* units/initrd-parse-etc.service: Conflict with emergency.target
  Fabian Vogt, 2023-08-08, 1 file changed, -0/+2

  If emergency.target is started while initrd-parse-etc.service/start is queued, the initrd-parse-etc job did not get canceled. In parallel to the emergency units, it eventually runs the service, which starts initrd-cleanup.service, which in turn isolates initrd-switch-root.target. This stops the emergency units and effectively starts the initrd boot process again, which likely fails again like the initial attempt. The system is thus stuck in an endless loop, never really reaching emergency.target.

  With this conflict added, starting emergency.target automatically cancels initrd-parse-etc.service/start, avoiding the loop.
* unit: make udev rules take precesence over tmpfiles
  Yu Watanabe, 2023-08-04, 1 file changed, -0/+1

  Without this change, there is no ordering between udevd and tmpfiles, and if tmpfiles is invoked later it may discard the permission set by udevd.

  Fixes an issue introduced by b42482af904ae0b94a6e4501ec595448f0ba1c06.

  Fixes #28588 and #28653.
* Revert "units: Import all repart credentials in systemd-repart.service"
  Daan De Meyer, 2023-08-01, 1 file changed, -1/+0

  This reverts commit ed6b99dbf121f8ad3e68a1eb8e2fff4d4bdf3066.
* units: Import all repart credentials in systemd-repart.service
  Daan De Meyer, 2023-08-01, 1 file changed, -0/+1
* Drop split-usr and unmerged-usr support
  Luca Boccassi, 2023-07-28, 65 files changed, -76/+76

  As previously announced, execute order 66:

  https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

  The meson options split-usr, rootlibdir and rootprefix become no-ops that print a warning if they are set to anything other than the default values. We can remove them in a future release.
* units: Load agetty credentials in all getty units
  Daan De Meyer, 2023-07-27, 4 files changed, -0/+8

  In its latest release, agetty will support reading the agetty.autologin and login.noauth credentials, so let's make sure we import those in our getty units so they're available to agetty to read.
* units: Add --graceful flag to pcrphase units
  Daan De Meyer, 2023-07-17, 3 files changed, -3/+3

  Some of the new units using systemd-pcrphase are missing the --graceful flag which causes them to error if the tpm libraries are not installed. Add --graceful just like in the other pcrphase units to make systemd-pcrphase exit gracefully if the tpm libraries are missing.
* Merge pull request #27867 from keszybz/vconsole-reload-again
  Luca Boccassi, 2023-07-15, 2 files changed, -2/+15

  Restore ordering between vconsole-setup and firstboot services
  * units/systemd-vconsole-setup: suppress error when service is restarted
    Zbigniew Jędrzejewski-Szmek, 2023-07-13, 1 file changed, -0/+6

    The service has Type=oneshot, which means that the default value of SuccessExitStatus=0. When multiple vtcon devices are detected, udev will restart the service after each one. If this happens quickly enough, the old instance will get SIGTERM while it is still running:

    [    5.357341] (udev-worker)[593]: vtcon1: /usr/lib/udev/rules.d/90-vconsole.rules:12 RUN '/usr/bin/systemctl --no-block restart systemd-vconsole-setup.service
    [    5.357439] (udev-worker)[593]: vtcon1: Running command "/usr/bin/systemctl --no-block restart systemd-vconsole-setup.service"
    [    5.357485] (udev-worker)[593]: vtcon1: Starting '/usr/bin/systemctl --no-block restart systemd-vconsole-setup.service'
    [    5.357537] (udev-worker)[609]: vtcon0: /usr/lib/udev/rules.d/90-vconsole.rules:12 RUN '/usr/bin/systemctl --no-block restart systemd-vconsole-setup.service
    [    5.357587] (udev-worker)[609]: vtcon0: Running command "/usr/bin/systemctl --no-block restart systemd-vconsole-setup.service"
    [    5.357634] (udev-worker)[609]: vtcon0: Starting '/usr/bin/systemctl --no-block restart systemd-vconsole-setup.service'
    ...
    [    5.680529] systemd[1]: systemd-vconsole-setup.service: Trying to enqueue job systemd-vconsole-setup.service/restart/replace
    [    5.680565] systemd[1]: systemd-vconsole-setup.service: Merged into running job, re-running: systemd-vconsole-setup.service/restart as 557
    [    5.680600] systemd[1]: systemd-vconsole-setup.service: Enqueued job systemd-vconsole-setup.service/restart as 557
    ...
    [    5.682334] systemd[1]: Received SIGCHLD from PID 744 ((le-setup)).
    [    5.682377] systemd[1]: Child 744 ((le-setup)) died (code=killed, status=15/TERM)
    [    5.682407] systemd[1]: systemd-vconsole-setup.service: Child 744 belongs to systemd-vconsole-setup.service.
    [    5.682436] systemd[1]: systemd-vconsole-setup.service: Main process exited, code=killed, status=15/TERM
    [    5.682471] systemd[1]: systemd-vconsole-setup.service: Failed with result 'signal'.
    [    5.682518] systemd[1]: systemd-vconsole-setup.service: Service will not restart (manual stop)
    [    5.682552] systemd[1]: systemd-vconsole-setup.service: Changed stop-sigterm -> failed

    This is expected and not a problem. Let's treat SIGTERM as success so we don't get this spurious "failure".
  * units/systemd-firstboot: start the service after systemd-vconsole-setup.service
    Zbigniew Jędrzejewski-Szmek, 2023-07-12, 1 file changed, -1/+8

    This way, we don't start user interaction before (or while) the configured fonts are loading.

    Tweak the comments a bit while at it.
  * units/systemd-vconsole-setup.service: improve title
    Zbigniew Jędrzejewski-Szmek, 2023-07-12, 1 file changed, -1/+1

    "Setup" is a noun, and the expected order is "<adjective> <noun>". ("Set up" is the verb. But we want a noun here, so that we can say e.g. "Starting Virtual Console Setup".)