| Commit message | Author | Age | Files | Lines |
udevadm-wait: introduce periodic timer for checking devices
When --initialized=no is specified, it is not necessary to wait
for uevents to be processed by udevd.
network: NetLabel integration
New directive `NetLabel=` provides a method for integrating static and dynamic
network configuration into the Linux NetLabel subsystem rules, used by Linux
Security Modules (LSMs) for network access control. The label, with suitable
LSM rules, can be used to control connectivity of (for example) a service with
peers in the local network. At least with SELinux, only ingress can be
controlled, but not egress. The benefit of using this setting is that it may be
possible to apply the interface-independent part of the NetLabel configuration at a very
early stage of the system boot sequence, at the time when the network interfaces
are not available yet, with netlabelctl(8), and the per-interface configuration
with systemd-networkd once the interfaces appear later. Currently this feature
is only implemented for SELinux.
The option expects a single NetLabel label. The label must conform to the lexical
restrictions of LSM labels. When an interface is configured with IP addresses,
the addresses and subnetwork masks will be appended to the NetLabel Fallback
Peer Labeling rules. They will be removed when the interface is
deconfigured. Failures to manage the labels will be ignored.
Example:
```
[DHCPv4]
NetLabel=system_u:object_r:localnet_peer_t:s0
```
With the above rules for interface `eth0`, when the interface is configured with
an IPv4 address of 10.0.0.123/8, `systemd-networkd` performs the equivalent of
`netlabelctl` operation
```
$ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
```
Result:
```
$ sudo netlabelctl -p unlbl list
...
interface: eth0
address: 10.0.0.0/8
label: "system_u:object_r:localnet_peer_t:s0"
...
```
Added functions to generate netmasks for IPv6 and generic IP family addresses.
This doesn't really change anything, since we know the stat data used
here also contains S_IFBLK, but it's frickin' confusing.
improve loopback warning message
We print the very same log message for loopback block devices and for
loopback network devices. Let's better be clear what kind it is.
The inquiry is issued to the kernel via ioctl; the kernel sets
this inquiry command's retry count to 0, which means the command
will not be retried in kernel space even if the LLDs return
a status which needs to be retried. So we should do the retry
in user space.
The path /sys/firmware/device-tree doesn't exist. This should be either
/proc/device-tree or /sys/firmware/devicetree.
The first path is only a link. So let's use the second path.
See https://github.com/torvalds/linux/blob/v4.14/drivers/of/base.c#L218.
Follow-ups for #24420.
sd-device: introduce two helper functions for devnum
Fixes #24465.
The functions provided by the file are only used in sd-device.
Follow-up for 0f79b3469f167583033d17f9a6fa0e4341a68003.
To obtain the device node, sd_device_get_devname() must be used.
assigned
Also refuse invalid log level.
oomd: allow ManagedOOMPreference on all cgroups
When we kill a cgroup that is towards the end of the sorted candidate
list (i.e. when we have to resort to killing a candidate with
ManagedOOMPreference=avoid), this cgroup is not logged in the candidate
list. This is due to an off-by-one error when assigning dump_until.
Add a new test function, test_oomd_fetch_cgroup_oom_preference, to test
the ManagedOOMPreference logic. For starters, cut the relevant tests out
of test_oomd_cgroup_context_acquire_and_insert, and add them to the new
function. Then, expand these tests to cover the new behavior.
The ManagedOOMPreference property is only honored on cgroups which are
owned by root. This precludes anyone from setting ManagedOOMPreference
on cgroups managed by user managers.
Loosen this restriction in the following way: when processing a
monitored cgroup for kill candidates, honor the ManagedOOMPreference
setting if the monitored cgroup and cgroup candidate are owned by the
same user. This allows unprivileged users to configure
ManagedOOMPreference on their cgroups without affecting the kill
priority of ancestor cgroups.
N.B. that since swap kill operates globally to kill the largest
candidate, it is not appropriate to apply this logic to the swap kill
scenario. Therefore, the existing restriction on ManagedOOMPreference
will remain when calculating candidates for swap kill.
Add a new function, oomd_fetch_cgroup_oom_preference, to assist with
this new logic. To simplify things, move the `user.oomd_{avoid,omit}`
xattr reads to this function so that the xattr reads and uid checks are
performed all at once.
The extended attributes 'user.oomd_avoid' and 'user.oomd_omit' are used
to store the setting of the ManagedOOMPreference property. Since these
are user extended attributes, the access permissions are defined by the
file permissions, and there is no need to guard this from user managers.
Use sd_device_new_from_devnum() instead of
device_path_make_major_minor_sysfs().
network: introduce TCPCongestionControlAlgorithm=
Closes #24432.
tmpfiles: make absent source of "C" copy lines graceful
We need to normalize/validate the path (i.e. first column) of
tmpfiles.d/ lines before we start using the path, otherwise we'll use it
before it's known to be good. This matters since for some line types the
path is mangled into the argument column (i.e. seventh column), and we
should only do that once we know it's in a good state.
I don't see where it would ever be a good thing that file copies done
via tmpfiles.d/ C lines cause the tmpfiles operation to fail if their
source happens to be missing. It's a problem if we can't set up the
destination properly (which is the job of systemd-tmpfiles after all),
but if the source is simply missing (NB: setting up the source is the job
of the rules writer) this shouldn't be a problem.
This is useful for copying stuff into place if it happens to exist. For
example, if systemd-stub passes additional data into the initrd's
/.extra/ directory, we can copy it into a better place (e.g. /run/) with
this, where it will survive the initrd→host transition.
This mirrors the behaviour of the recently added "^" line modifier which may
be used to source "w" lines from credentials – there too the behaviour is
to simply skip the line if the source is missing.
This is a bugfix.
Follow-up for 599fe002a135570406504998dbb7a42dabc963da
No code change, just some refactoring, so that we can reuse the
measurement logic later elsewhere.
I possess a machine with ')' in its BIOS version string, which will
cause the current parser to mistake it as the closing ')' of the
smbios-fields() expression.
Let's make sure we always go for the last, not the first ')', hence.
The test is quite racy. Let's wait for all queued udev events to be
processed, and run the test several times.
Fixes #24400.
getopt allows non-ambiguous abbreviations, so backwards-compat is maintained, and
people can use --kill-who (or even shorter abbreviations). English is flexible,
so in common speech people would use both forms, even if "whom" is technically
more correct. The advantage of using the longer form in the code is that we
effectively allow both forms, so we stop punishing people who DTGCT¹, but still
allow people to use the spoken form if they prefer.
1. Do the grammatically correct thing
Previously the field "_SYSTEM_CONTEXT" knew the values "initrd" + "main". Let's change
this to "_RUNTIME_SCOPE" and "initrd" + "system".
Why? The sysext logic has a very similar concept of "scopes", declaring
whether a sysext image is intended for the initrd or the main system.
Let's thus use the same naming for both.
sysext's extension-release files hence know SYSEXT_SCOPE=initrd|system,
and the journal messages know _RUNTIME_SCOPE=initrd|system, which makes
this reasonably systematic.
Follow-up for: cae8edd93ca2ef90c41cb9b6322b6908d12947b5
(This is not an API break, since no version with this commit has ever
been released.)
information