| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the past, we asked people to open a security bug on one of the "big"
distros. This worked OK as far as getting bugs reported and notifying some
upstream developers went. But we always had trouble getting information to
all the appropriate parties, because each time a bug was reported, a big
thread was created, with a growing CC list. People who were not CCed early
enough were missing some information, etc.
To clean this up, we decided to create a private mailing list. The natural
place would be freedesktop.org, but unfortunately the request to create a
mailing list wasn't handled
(https://gitlab.freedesktop.org/freedesktop/freedesktop/issues/134). And even
if it was, at this point, if there was ever another administrative issue, it
seems likely it could take months to resolve. So instead, we asked for a list
to be created on the redhat mailservers.
Please consider the previous security issue reporting mechanisms rescinded, and
send any senstive bugs to systemd-security@redhat.com.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Current kernels with BFQ scheduler do not yet set their IO weight
through "io.weight" but through "io.bfq.weight" (using a slightly
different interface supporting only default weights, not per-device
weights). This commit enables "IOWeight=" to just to that.
This patch may be dropped at some time later.
Github-Link: https://github.com/systemd/systemd/issues/7057
Signed-off-by: Kai Krakow <kai@kaishome.de>
|
| |
|
|
| |
We already released this in v240 and had a NEWS entry then.
|
| | |
|
| |\
| |
| | |
quick follow-up for the symbolic exit status PR #13207
|
| | |
| |
| |
| |
| |
| | |
waitid(2) and the libc function signature calls this "exit status", and
uses "exit code" for something different. Let's stick to the same
nomenclature hence.
|
| |/ |
|
| |\
| |
| | |
Symbolic exit code names
|
| | | |
|
| | | |
|
| |/
|
|
|
|
|
|
| |
* missing whitespace.
* NEWS: some small fixes (?) and improvements (???).
* a number of small corrections and (hopefully) improvements
|
| |\
| |
| | |
allow sysctl assignments to fail
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
This reverts commit be74f51605b4c7cb74fec3a50cd13b67598a8ac1.
Let's add this again. With the new sysctl "-" thing we can make this
work.
|
| |\ \
| | |
| | | |
network: rename `IGMPVersion=` to `MulticastIGMPVersion=`
|
| | | | |
|
| | |/
|/| |
|
| |/
|
|
|
|
| |
This reverts commit 90ce7627dfe824ff6e7c0ca5f96350fbcfec7118.
See https://github.com/systemd/systemd/issues/13177#issuecomment-514931461
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes ping(8) work without CAP_NET_ADMIN and CAP_NET_RAW because
those aren't effective inside rootless Podman containers.
It's quite useful when using OSTree based operating systems like Fedora
Silverblue, where development environments are often set up using
rootless Podman containers with helpers like Toolbox [1]. Not having
a basic network utility like ping(8) work inside the development
environment can be inconvenient.
See:
https://lwn.net/Articles/422330/
http://man7.org/linux/man-pages/man7/icmp.7.html
https://github.com/containers/libpod/issues/1550
The upper limit of the range of group identifiers is set to 2147483647,
which is 2^31-1. Values greater than that get rejected by the kernel
because of this definition in linux/include/net/ping.h:
#define GID_T_MAX (((gid_t)~0U) >> 1)
That's not so bad because values between 2^31 and 2^32-1 are reserved
on systemd-based systems anyway [2].
[1] https://github.com/debarshiray/toolbox
[2] https://systemd.io/UIDS-GIDS.html#summary
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Change the resolved.conf Cache option to a tri-state "no, no-negative, yes" values.
If a lookup returns SERVFAIL systemd-resolved will cache the result for 30s (See 201d995),
however, there are several use cases on which this condition is not acceptable (See systemd#5552 comments)
and the only workaround would be to disable cache entirely or flush it , which isn't optimal.
This change adds the 'no-negative' option when set it avoids putting in cache
negative answers but still works the same heuristics for positive answers.
Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
|
| | |
|
| | |
|
| |
|
|
| |
Let's get this ball rolling.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
s/and and/and/
s/explicity/explicitly/
s/that that/that/
s/the the/the/
s/is is/it is/
s/overriden/overridden/
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Make possible to set NUMA allocation policy for manager. Manager's
policy is by default inherited to all forked off processes. However, it
is possible to override the policy on per-service basis. Currently we
support, these policies: default, prefer, bind, interleave, local.
See man 2 set_mempolicy for details on each policy.
Overall NUMA policy actually consists of two parts. Policy itself and
bitmask representing NUMA nodes where is policy effective. Node mask can
be specified using related option, NUMAMask. Default mask can be
overwritten on per-service level.
|
| |
|
|
| |
C.f. https://bugzilla.suse.com/show_bug.cgi?id=1136600
|
| | |
|
| |
|
|
| |
For #12680, #12571.
|
| |
|
|
|
|
| |
Prompted by @evverx' comments:
https://github.com/systemd/systemd/pull/10161#pullrequestreview-158327715
|
| | |
|
| |
|
|
|
|
|
|
| |
These make sense to be explicitly set at 0 (which has a different effect
than the default, since it can affect processing of `DefaultMemoryXXX`).
Without this, it's not easily possible to relinquish memory protection
for a subtree, which is not great.
|
| |
|
|
|
|
|
| |
I missed adding a section in `systemd.resource-control` about
DefaultMemoryMin in #12332.
Also, add a NEWS entry going over the general concept.
|
| | |
|
| |
|
|
| |
Fixes: https://github.com/systemd/systemd/issues/12345
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
network: add PresharedKeyFile= setting and make reading key file failure fatal
|
| | | |
|
| | | |
|
| |/ |
|
| |\ |
|
| | | |
|
