summaryrefslogtreecommitdiffstats
path: root/units (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #10357 from poettering/import-fsZbigniew Jędrzejewski-Szmek2018-11-291-1/+6
|\ | | | | machinectl import-fs command and other fixes
| * import: drop logic of setting up /var/lib/machines as btrfs loopback mountLennart Poettering2018-11-261-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Let's simplify things and drop the logic that /var/lib/machines is setup as auto-growing btrfs loopback file /var/lib/machines.raw. THis was done in order to make quota available for machine management, but quite frankly never really worked properly, as we couldn't grow the file system in sync with its use properly. Moreover philosophically it's problematic overriding the admin's choice of file system like this. Let's hence drop this, and simplify things. Deleting code is a good feeling. Now that regular file systems provide project quota we could probably add per-machine quota support based on that, hence the btrfs quota argument is not that interesting anymore (though btrfs quota is a bit more powerful as it allows recursive quota, i.e. that the machine pool gets an overall quota in addition to per-machine quota).
* | units: make fsck/grows/makefs/makeswap units conflict against shutdown.targetLennart Poettering2018-11-262-0/+2
|/ | | | | | They are the only units we shipped/generated where this was missing really. Let's fix these. Follow-up for: #10933
* units: order systemd-rfkill.socket after /var/lib/systemd/rfkill (#10904)Lennart Poettering2018-11-241-1/+2
| | | | | | | | Otherwise we might install the socket unit early, but the service backing it late, and then end up in strange loops when we enter rescue mode, because we saw an event on /dev/rfkill but really can't dispatch it nor flush it. Fixes: #9171
* units: fix Description= of systemd-exit.serviceLennart Poettering2018-11-161-1/+1
| | | | | This file was probably copied from the --user version, let's use some more appropriate wording for the --system version.
* units: use correct command to exitLennart Poettering2018-11-161-1/+1
| | | | Otherwise we'll end a cyclic loop.
* units: add the same ordering deps for systemd-exit.service as for ↵Lennart Poettering2018-11-161-2/+2
| | | | | | | systemd-poweroff.service and friends This stuff runs in containers, and should really behave the same everywhere.
* Revert "units: lock down logind with fs namespacing options"Zbigniew Jędrzejewski-Szmek2018-11-151-9/+1
|
* Merge pull request #10744 from poettering/logind-lock-downLennart Poettering2018-11-131-1/+9
|\ | | | | units: lock down logind with fs namespacing options
| * units: lock down systemd-logind.service with various fs namespacing optionsLennart Poettering2018-11-121-0/+8
| | | | | | | | | | | | now that logind doesn't mount $XDG_RUNTIME_DIR anymore we can lock down the service using fs namespacing (as we don't need the mount to propagate to the host namespace anymore).
| * logind: drop CAP_KILL from caps bounding setLennart Poettering2018-11-121-1/+1
| | | | | | | | | | logind doesn't kill any processes anymore, hence let's drop the capability.
* | units: also change portabled's syscall filter to a whitelistLennart Poettering2018-11-131-1/+1
|/
* units: set NoNewPrivileges= for all long-running servicesLennart Poettering2018-11-1215-171/+186
| | | | | | | | | | | | | | | | | Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219
* units: remove unused busnames.targetAlan Jenkins2018-10-311-12/+0
| | | | | | I found zero references to busnames.target, using git grep "busnames". (And we do not install using a wildcard units/*.*. There is no busnames.target installed on my Fedora 28 system).
* units: drop systemd-user-sessions.service ordering dep on ↵Lennart Poettering2018-10-241-3/+2
| | | | | | | | | systemd-journal-flush.service (#10502) THis dep existed since the unit was introduced, but I cannot see what good it would do. Hence in the interest of simplifying things, let's drop it. If breakages appear later we can certainly revert this again. Fixes: #10469
* units: add simple boot check unitLennart Poettering2018-10-192-0/+25
| | | | | | | | | This is might be useful in some cases, but it's primarily an example for a boot check service that can be plugged before boot-complete.target. It's disabled by default. All it does is check whether the failed unit count is zero
* add new systemd-bless-boot.service that marks boots as successfulLennart Poettering2018-10-192-0/+23
| | | | | | This is the counterpiece to the boot counting implemented in systemd-boot: if a boot is detected as successful we mark drop the counter again from the booted snippet or kernel image.
* units: add generic boot-complete.targetLennart Poettering2018-10-192-0/+15
|
* Merge pull request #10428 from keszybz/failure-actionsLennart Poettering2018-10-176-20/+8
|\ | | | | Implement manager status changes using SuccessAction=
| * units: allow and use SuccessAction=exit-force in system systemd-exit.serviceZbigniew Jędrzejewski-Szmek2018-10-172-5/+2
| | | | | | | | | | | | | | | | | | C.f. 287419c119ef961db487a281162ab037eba70c61: 'systemctl exit 42' can be used to set an exit value and pulls in exit.target, which pulls in systemd-exit.service, which calls org.fdo.Manager.Exit, which calls method_exit(), which sets the objective to MANAGER_EXIT. Allow the same to happen through SuccessAction=exit. v2: update for 'exit' and 'exit-force'
| * units: use SuccessAction=poweroff-force in systemd-poweroff.serviceZbigniew Jędrzejewski-Szmek2018-10-172-5/+2
| | | | | | | | | | | | | | Explicit systemctl calls remain in systemd-halt.service and the system systemd-exit.service. To convert systemd-halt, we'd need to add SuccessAction=halt-force. Halting doesn't make much sense, so let's just leave that is. systemd-exit.service will be converted in the next commit.
| * units: use SuccessAction=reboot-force in systemd-reboot.serviceZbigniew Jędrzejewski-Szmek2018-10-172-5/+2
| |
| * units: use SuccessAction=exit-force in systemd-exit.serviceZbigniew Jędrzejewski-Szmek2018-10-172-5/+2
| | | | | | | | | | | | | | | | Fixes #10414. v2: - rename .service.in to .service - rename 'exit' to 'exit-force'
* | meson: define @HIGH_RLIMIT_NOFILE@ and use it everywhereZbigniew Jędrzejewski-Szmek2018-10-175-5/+5
| |
* | units: bump the RLIMIT_NOFILE soft limit for all services that access the ↵Lennart Poettering2018-10-165-14/+16
|/ | | | | | | | | | | | | | journal This updates the unit files of all our serviecs that deal with journal stuff to use a higher RLIMIT_NOFILE soft limit by default. The new value is the same as used for the new HIGH_RLIMIT_NOFILE we just added. With this we ensure all code that access the journal has higher RLIMIT_NOFILE. The code that runs as daemon via the unit files, the code that is run from the user's command line via C code internal to the relevant tools. In some cases this means we'll redundantly bump the limits as there are tools run both from the command line and as service.
* units: use =yes rather than =true everywhereLennart Poettering2018-10-131-1/+1
| | | | | | So far we always used "yes" instead of "true" in all our unit files, except for one outlier. Let's do this here too. No change in behaviour whatsoever, except that it looks prettier ;-)
* logind: change user-runtime-dir to query runtime dir size from logind via ↵Lennart Poettering2018-10-131-2/+2
| | | | | | | | | | | | | | | | the bus I think this is a slightly cleaner approach than parsing the configuration file at multiple places, as this way there's only a single reload cycle for logind.conf, and that's systemd-logind.service's runtime. This means that logind and dbus become a requirement of user-runtime-dir, but given that XDG_RUNTIME_DIR is not set anyway without logind and dbus around this isn't really any limitation. This also simplifies linking a bit as this means user-runtime-dir doesn't have to link against any code of logind itself.
* units: improve Description= string a bitLennart Poettering2018-10-131-1/+1
| | | | | | Let's not use the word "wrapper", as it's not clear what that is, and in some way any unit file is a "wrapper"... let's simply say that it's about the runtime directory.
* units: set StopWhenUnneeded= for the user slice units tooLennart Poettering2018-10-131-0/+1
| | | | | We'd like them to go away, just like the user-runtime-dir@.service when they aren't needed anymore.
* Merge pull request #10117 from keszybz/undynamicifyLennart Poettering2018-10-053-6/+8
|\ | | | | Set DynamicUser=no for networkd, resolved, timesyncd
| * Revert "network: set DynamicUser= to systemd-networkd.service"Zbigniew Jędrzejewski-Szmek2018-09-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit d4e9e574ea0b5d23598a317e68399584d229568b. (systemd.conf.m4 part was already reverted in 5b5d82615011b9827466b7cd5756da35627a1608.) Together those reverts should "fix" #10025 and #10011. ("fix" is in quotes because this doesn't really fix the underlying issue, which is combining DynamicUser= with strict container sandbox, but it avoids the problem by not using that feature in our default installation.) Dynamic users don't work well if the service requires matching configuration in other places, for example dbus policy. This is true for those three services. In effect, distros create the user statically [1, 2]. Dynamic users make more sense for "add-on" services where not creating the user, or more precisely, creating the user lazily, can save resources. For "basic" services, if we are going to create the user on package installation anyway, setting DynamicUser= just creates unneeded confusion. The only case where it is actually used is when somebody forgets to do system configuration. But it's better to have the service fail cleanly in this case too. If we want to turn on some side-effect of DynamicUser=yes for those services, we should just do that directly through fine-grained options. By not using DynamicUser= we also avoid the need to restart dbus. [1] https://salsa.debian.org/systemd-team/systemd/commit/bd9bf307274faca24699c0c2d67cb86f18c0b2cb [2] https://src.fedoraproject.org/rpms/systemd/blob/48ac1cebdedb055d9daf3dfe28c7bde80103f7a1/f/systemd.spec#_473 (Fedora does not create systemd-timesync user.)
| * Revert "resolve: enable DynamicUser= for systemd-resolved.service"Zbigniew Jędrzejewski-Szmek2018-09-201-2/+3
| | | | | | | | | | This reverts commit 0187368cadea183e18c6d575a9d6b7f491a402af. (systemd.conf.m4 part was already reverted in 5b5d82615011b9827466b7cd5756da35627a1608.)
| * Revert "timesyncd: enable DynamicUser="Zbigniew Jędrzejewski-Szmek2018-09-191-1/+2
| | | | | | | | | | | | | | This reverts commit 48d3e88c18258d423c3953372ec4a2e638ab0422. I kept the follow-symlink=false → follow-symlink=true change instact, since we're likely to have existing installations with a symlink now.
| * Revert "unit: drop After=systemd-sysusers.service from timesyncd"Zbigniew Jędrzejewski-Szmek2018-09-191-1/+1
| | | | | | | | This reverts commit be80154827100b19b6cc79a59323791b4f1a409f.
* | emergency: make sure console password agents don't interfere with the ↵Franck Bui2018-09-263-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | emergency shell If for any reason local-fs.target fails at startup while a password is requested by systemd-cryptsetup@.service, we end up with the emergency shell competing with systemd-ask-password-console.service for the console. This patch makes sure that: - systemd-ask-password-console.service is stopped before entering in emergency mode so it won't make any access to the console while the emergency shell is running. - systemd-ask-password-console.path is also stopped so any attempts to restart systemd-cryptsetup in the emergency shell won't restart systemd-ask-password-console.service and kill the emergency shell. - systemd-ask-password-wall.path is stopped so systemd-ask-password-wall.service won't be started as this service pulls the default dependencies in. Fixes: #10131
* | tmpfiles: Order tmpfiles-setup after journaldJoão Paulo Rechi Vita2018-09-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | systemd-tmpfiles-setup.service needs to be ordered after systemd-journald.service, so entries in /run/log/journal are already created when systemd-tmpfiles tries to adjust its permissions. This is specially problematic for setups using a volatile journal where the initrd does not ship a machine-id (i.e. OSTree-based systems), where logs from the initrd will be inaccessible for users in the systemd-journal group. It also has a side effect of `journalctl --user` failing with "No journal files were opened due to insufficient permissions". Fixes #10128.
* | meson: fix dirname/basename confusion in meson-and-wants.sh install helper ↵Zbigniew Jędrzejewski-Szmek2018-09-201-2/+2
|/ | | | | | | | | | | | (#10126) We would create a useless empty directory under build/. It seems we were lucky and all symlinks were installed into directories which were alredy created because we installed something into the same location earlier. While at it, also add '-v' to 'mkdir -p'. This will print the names of directories as they are created (just once), making it easier to see all of what the install script is doing.
* user-runtime-dir@.service: don't stop on runlevel switch (#10079)Alan Jenkins2018-09-141-0/+1
| | | | | | | | | | | | Followup to commit 13cf422e04b7 ("user@.service: don't kill user manager at runlevel switch") I think there's a general rule that units with `StopWhenUnneeded=yes` need `IgnoreOnIsolate=yes`... But it doesn't apply to `suspend.target` and friends. `printer.target` and friends break on isolate even if we apply the rule[1]. That just leaves `graphical-session.target`, which is a user service. "isolate" is *mostly* a weird attempt to emulate runlevels, so I decided not to worry about it for user services. [1] https://github.com/systemd/systemd/issues/6505#issuecomment-320644819
* user@.service: don't kill user manager at runlevel switchThomas Blume2018-09-131-0/+1
| | | | | | | | Loggin in as root user and then switching the runlevel results in a stop of the user manager, even though the user ist still logged in. That leaves a broken user session. Adding "IgnoreOnIsolate=true" to user@.service fixes this.
* units: assign user-runtime-dir@.service to user-%i.sliceLennart Poettering2018-08-031-0/+1
| | | | | | This service won't use much resources, but it's certainly nicer to see it attached th the user's slice along with user@.service, so that everything we run for a specific user is properly bound into one unit.
* units: order user-runtime-dir@.service after systemd-user-sessions.serviceLennart Poettering2018-08-031-0/+1
| | | | | | | We use systemd-user-sessions.service as barrier when to allow login sessions. With this patch user@.service is ordered after that too, so that any login related code (which user-runtime-dir@.service is) is guaranteed to run after the barrier, and never before.
* units: make sure user-runtime-dir@.service is Type=oneshotLennart Poettering2018-08-031-0/+1
| | | | | We order user@.service after it, hence we need to properly know when it finished starting up.
* units: make sure user@.service runs with dbus still upLennart Poettering2018-07-251-2/+1
| | | | Fixes: #9565
* man: add a description of user@.service, user-runtime-dir@.service, user-*.sliceZbigniew Jędrzejewski-Szmek2018-07-203-0/+3
| | | | Fixes #9590.
* units: let's use two ExecStart= lines instead of ;Lennart Poettering2018-06-201-1/+2
|
* units: fix typo in After=Zbigniew Jędrzejewski-Szmek2018-06-201-1/+1
| | | | Followup for c7668c1ce04fa85370432d197d2ccd9411e85649.
* units: make system-update-pre.target a passive unit (#9349)Lennart Poettering2018-06-202-3/+1
| | | | | | | This is an additional synchronization point normally not needed. Hence, let's make it passive, i.e. pull it in from the unit which wants to be ordered before the update service rather than by the update service itself.
* units: Add new system-update-pre.targetHans de Goede2018-06-193-0/+18
| | | | | | | | | | | | | | | | | | | | | systemd offline-updates allows dropping multiple system update units to be added to system-update.target.wants. As documented in systemd.offline-updates(7) only 1 of these units should actually be active (based on the /system-update symlink) and when that unit is done it should reboot the system. In some cases it is desirable to run a unit whenever booting in offline-updates mode indepedent of which update unit is going to handle the update. One example of this is integration with bootloader code which checks if the previous boot was succesful. Since the active unit will reboot the system when it is done, there is no guarantee that adding such a unit to system-update.target.wants will get it executed always. This commit adds a system-update-pre.target which can be used for units which should always run when booting in offline-updates mode.
* units: switch from system call blacklist to whitelistLennart Poettering2018-06-1412-11/+24
| | | | | | | | | | | | | | | | | | | | | This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this this means the new @system-service system call filter group will get serious real-life testing quickly. This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise. Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this shiuld be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.
* Drop my copyright headersZbigniew Jędrzejewski-Szmek2018-06-142-4/+0
| | | | | | | perl -i -0pe 's/\s*Copyright © .... Zbigniew Jędrzejewski.*?\n/\n/gms' man/*xml git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/(#\n)?# +Copyright © [0-9, -]+ Zbigniew Jędrzejewski.*?\n//gms' git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s*\/\*\*\*\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*?\s*\*\*\*\/\s*/\n\n/gms' git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*//gms'