| Commit message | Author | Age | Files | Lines |
Some simple man page fixes to reduce the list of issues tagged for v254
|
Reported and diagnosed by gitterman. Fixes #26617.
|
Also fix the grammar: "neither" can only be used with two values, and
here we have an indeterminate number >= 1.
Fixes #26460.
|
Fixes #26413: the docs said that the filter prevents writes, but it is just a
filter at the system call level, and some of those calls are used for writing
and reading. This is confusing esp. when a higher level library call like
ntp_gettime() is denied.
I don't think it's realistic that we'll make the filter smarter in the near
future, so let's change the docs to describe the implementation.
Also, split out the advice part into a separate paragraph.
|
Fixes #26761.
|
unit-file: support UpheldBy= in [Install] settings (adding Upholds= deps from .upholds/)
|
from .upholds/)
Closes #26896
|
As per:
https://social.treehouse.systems/@grawity/110376583742207755
|
Add man page for libsystemd, extend readme and stability promise
|
Before libsystemd-daemon, libsystemd-journal, libsystemd-id128, etc., were
merged into libsystemd, it was enough to have individual man pages for them.
But they have been delivered as one thing for many years, so it's better to
have a landing page for libsystemd. It mostly directs to individual pages
anyway.
|
Fixup for 0de343187127f6a5a93602608812e60fc4092c9a.
|
We already have the systemd.tty.xxx kernel cmdline arguments for
configuring tty's for services, let's make sure the term cmdline
argument applies to pid1 as well.
|
ukify: support pesign as alternative to sbsign
|
sbsign is not available everywhere, for example RHEL does not have it.
Add pesign as alternative to it.
pesign will use options "--secureboot-certificate-name" (mandatory) and
"--secureboot-certificate-dir" (optional), while sbsign will use
"--secureboot-private-key" and "--secureboot-certificate".
By default, use sbsign. If no key/cert is provided or sbsign is not found,
try pesign.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
If a package is missing, a subprocess is started with None as
command argument. Error raised by subprocess is therefore not helpful
at all to understand what needs to be done to fix that error.
Also fix doc since systemd-stub will look for .cmdline files, and not
.cmdline.efi files.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
If '+' is specified with 'C', let's merge the tree with any existing
tree.
|
DefaultControlGroup does not exist any more.
|
TrueCrypt/VeraCrypt (#27548)
* Added veracrypt-pim=<PIM> LUKS option for crypttab
|
Add kernel-install plugin that calls ukify
|
As in mkosi(1), let's describe the config file and commandline options
together. This is nice for us, because we don't need to duplicate descriptions
and we're less likely to forget to update one place or the other. This is also
nice for users, because they can easily figure out what can be configured
where.
The options are now ordered by config file section.
--summary was not described before.
More examples are added.
|
Previously we'd honour --pid= from the main notification we send, but
not from the barrier. This is confusing at best. Let's fix that.
|
We hardcode the path the initrd uses to prepare the final mount point at
so many places, let's also imply it in "systemctl switch-root" if not
specified.
This adds the fallback both to systemctl and to PID 1 (this is because
both do — different – checks on the path).
|
tmpfiles: add conditionalized execute permission (X) support
|
According to setfacl(1), "the character X stands for
the execute permission if the file is a directory
or already has execute permission for some user."
After this commit, parse_acl() would return 3 acl
objects. The newly-added acl_exec object contains
entries that are subject to conditionalized execute
bit mangling. In tmpfiles, we would iterate the acl_exec
object, check the permission of the target files,
and remove the execute bit if necessary.
Here's an example entry:
A /tmp/test - - - - u:test:rwX
Closes #25114
|
This implements a minimal subset of #24961, but in a lot more
restrictive way: we only allow one level of subcgroup (as that's enough
to address the no-processes in inner cgroups rule), and does not change
anything about threaded cgroup logic or similar, or make any of this new
behaviour mandatory.
All this does is this: all non-control processes we invoke for a unit
we'll invoke in a subgroup by the specified name.
We'll later port all our current services that use cgroup delegation
over to this, i.e. user@.service, systemd-nspawn@.service and
systemd-udevd.service.
|
ukify supports signing with multiple keys, so show an example of this, and just
let ukify print the calls to systemd-measure that will be done.
This also does other small cleanups:
- Use more realistic names in examples
- Use $ as the prompt for commands that don't require root (most don't).
Once we switch to operations that don't require a TPM, we should be able to get
rid of the remaining calls that require root.
- Ellipsize or linebreak various parts
- Use --uname. We warn if it is not specified and we have to do autodetection, so
let's nudge people towards including it rather than not.
Follow-up for e069c57f0616d39363d36ac7f9c3e6ec8be01ab1.
|
Make the kernel optional too, so that we can easily build and sign a PE addon,
that can be used to carry extra command line options.
|
udev-rule: fix negative match
|
Fixes #27396.
|
This is required when / is immutable and cannot be written at runtime.
Co-authored-by: Richard Hughes <richard@hughsie.com>
|
sd: avoid closing sd-bus in a fork, store module-global id for sd-bus/sd-session/sd-journal
|
sd-event objects use hashmaps, which use module-global state, so it is not safe
to pass a sd-event object created by a module instance to another module instance
(e.g.: when two libraries static linking sd-event are pulled in a single process).
Initialize a random per-module origin id and store it in the object, and compare
it when entering a public API, and error out if they don't match, together with
the PID.
|
sd-journal objects use hashmaps, which use module-global state, so it is not safe
to pass a sd-journal object created by a module instance to another module instance
(e.g.: when two libraries static linking sd-journal are pulled in a single process).
Initialize a random per-module origin id and store it in the object, and compare
it when entering a public API, and error out if they don't match, together with
the PID.
|
sd-bus objects use hashmaps, which use module-global state, so it is not safe
to pass a sd-bus object created by a module instance to another module instance
(e.g.: when two libraries static linking sd-bus are pulled in a single process).
Initialize a random per-module origin id and store it in the object, and compare
it when entering a public API, and error out if they don't match, together with
the PID.
|
I guess it was only a question of time until we need to add the final
frontier of notification functions: one that combines the features of
all the others:
1. specifying a source PID
2. taking a list of fds to send along
3. accepting a format string for the status string
Hence, let's add it.
|
/usr/lib/systemd/random-seed is not a thing.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
Rework serialization of command lines in pid1 and make run not expand variables
|
This makes syntax be the same for commands which are started by the manager and
those which are spawned directly (when --scope is used).
Before:
  $ systemd-run -q -t echo '$TERM'
  xterm-256color
  $ systemd-run -q --scope echo '$TERM'
  $TERM
Now:
  $ systemd-run -q --scope echo '$TERM'
  xterm-256color
Previous behaviour can be restored via --expand-environment=no:
  $ systemd-run -q --scope --expand-environment=no echo '$TERM'
  $TERM
Fixes #22948.
At some level, this is a compat break. Fortunately --scope is not very widely
used, so I think we can get away with this. Having different syntax depending
on whether --scope was used or not was bad UX.
A NEWS entry will be required.
|
This uses StartExecEx to get the equivalent of ExecStart=:. StartExecEx was
added in b3d593673c5b8b0b7d781fd26ab2062ca6e7dbdb, so this will not work with
older systemds.
A hint is emitted if we get an error indicating lack of support. PID1 returns
SD_BUS_ERROR_PROPERTY_READ_ONLY, but I'm checking for
SD_BUS_ERROR_UNKNOWN_PROPERTY too for safety.
|
Follow-up for c6b8fffdfaf1f7c9a1dac73e1e54993a06c766c0
|
It picks the bus based on the cgroup slice.
|
Add fully working and documented example that can be copied and pasted
|
tree-wide: code spelling fixes
|