Commit Graph

1039 Commits

Author SHA1 Message Date
Alan Jenkins
d8e5a93382 slice: system.slice should be perpetual like -.mount
`-.mount` is placed in `system.slice`, and hence depends on it.
`-.mount` is always active and can never be stopped.  Therefore the same
should be true of `system.slice`.

Synthesize it as perpetual (unless systemd is running as a user manager).
Notice we also drop `Before=slices.target` as unnecessary.

AFAICS the justification for `perpetual` is to provide extra protection
against unintentionally stopping every single service.  So adding
system.slice to the perpetual units is perfectly consistent.

I don't expect this will (or can) fix any other problem.  And the
`perpetual` protection probably isn't formal enough to spend much time
thinking about.  I've just noticed this a couple of times, as something
that looks strange.

Might be a bit surprising that we have user.slice on-disk but not
system.slice, but I think it's ok. `systemctl status system.slice` will
still point you towards `man systemd.special`.  The only detail is that the
system slice disables `DefaultDependencies`.  If you're worrying about how
system shutdown works when you read `man systemd.slice`, I think it is not
too hard to guess that system.slice might do this:

> Only slice units involved with early boot
> or late system shutdown should disable this option

(Docs are great. I really appreciate the systemd ones).
2018-02-04 22:51:34 +00:00
Dimitri John Ledkov
1f1580139e resolved.service: set DefaultDependencies=no
On systems that only use resolved for name resolution, there are usecases that
require resolved to be started before sysinit target, such that network name
resolution is available before network-online/sysinit targets. For example,
cloud-init for some datasources hooks into the boot process ahead of sysinit
target and may need network name resolution at that point already.

systemd-resolved already starts pretty early in the process, thus starting it
slightly earlier should not have negative side effects.

However, this depends on resolved ability to connect to system DBus once that
is up.
2018-01-11 12:40:44 +01:00
Lennart Poettering
9b873d1c79 units: link up debug-generator documentation from debug-shell.service 2017-12-26 12:13:51 +01:00
Lennart Poettering
245992a0c0 man: add a systemd-rc-local-generator(8) man page
Most importantly, let's highlight the differences to the rc-local
behaviour in SysV.

Fixes: #7703
2017-12-26 12:13:51 +01:00
bleep_blop
7629744a3d separate flags from shebang 2017-12-25 19:48:49 +01:00
Lennart Poettering
8fd010bb1b nspawn: turn on watchdog logic for nspawn too
It's a long-running daemon, and it's easy to enable, hence do it.
2017-12-07 12:34:46 +01:00
Lennart Poettering
5dfcaaaf11 units: delegate only "cpu" and "pids" controllers by default (#7564)
Now that we can configure which controllers to delegate precisely, let's
limit wht we delegate to the user session: only "cpu" and "pids" as a
minimal baseline.

Fixes: #1715
2017-12-07 08:48:08 +01:00
Zbigniew Jędrzejewski-Szmek
cfdda37c9f Hook up systemd-tmpfiles as user units
An explicit --user switch is necessary because for the user@0.service instance
systemd-tmpfiles is running as root, and we need to distinguish that from
systemd-tmpfiles running in systemd-tmpfiles*.service.

Fixes #2208.

v2:
- restore "systemd-" prefix
- add systemd-tmpfiles-clean.{service,timer}, systemd-setup.service to
  systemd-tmpfiles(8)
2017-12-06 10:19:35 +01:00
Zbigniew Jędrzejewski-Szmek
cd9f5b68ce units: use SuccessExitStatus to ignore syntax errors in tmpfiles
This makes sense from the point of view of the whole distribution:
if there are some specific files that have syntax problems, or unknown
users or groups, or use unsupported features, failing the whole service
is not useful.

In particular, services with tmpfiles --boot should not be started after boot.
The premise of --boot is that there are actions which are only safe to do once
during boot, because the state evolves later through other means and re-running
the boot-time setup would destroy it. If services with --boot fail in the
initial transaction, they would be re-run later on when a unit which
(indirectly) depends on them is started, causing problems.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1507501.

(If we had a mode where a service would at most run once, and would not be
started in subsequent transactions, that'd be a good additional safeguard.
Using ExecStart=-... is a bit like that, but it causes all failure to be
ignored, which is too big of a hammer.)
2017-12-01 18:58:54 +01:00
Zbigniew Jędrzejewski-Szmek
3a726fcd08 Add license headers and SPDX identifiers to meson.build files
So far I avoided adding license headers to meson files, but they are pretty
big and important and should carry license headers like everything else.
I added my own copyright, even though other people modified those files too.
But this is mostly symbolic, so I hope that's OK.
2017-11-19 19:08:15 +01:00
Zbigniew Jędrzejewski-Szmek
a7df2d1e43 Add SPDX license headers to unit files 2017-11-19 19:08:15 +01:00
Lennart Poettering
3e3852b3c6 core: make "tmpfs" dependencies on swapfs a "default" dep, not an "implicit"
There should be a way to turn this logic of, and DefaultDependencies=
appears to be the right option for that, hence let's downgrade this
dependency type from "implicit" to "default, and thus honour
DefaultDependencies=.

This also drops mount_get_fstype() as we only have a single user needing
this now.

A follow-up for #7076.
2017-11-10 19:52:41 +01:00
Yu Watanabe
3bd469546b meson: do not create systemd-user-sessions.service if PAM is disabled
Fixes #7227.
2017-10-31 17:12:36 +09:00
Lennart Poettering
b5487fa0b6 Merge pull request #7078 from keszybz/cryptsetup-netdev-fixes
Cryptsetup _netdev fixes
2017-10-18 21:15:29 +08:00
Zbigniew Jędrzejewski-Szmek
a0e030f53b units: make remote-cryptsetup.target also after cryptsetup-pre.target
This way people can order units before cryptsetup-pre.target and
have them run before any cryptsetup-related stuff.
2017-10-18 15:14:46 +02:00
Zbigniew Jędrzejewski-Szmek
a0dd209763 units: replace remote-cryptsetup-pre.target with remote-fs-pre.target
remote-cryptsetup-pre.target was designed as an active unit (that pulls in
network-online.target), the opposite of remote-fs-pre.target (a passive unit,
with individual provider services ordering itself before it and pulling it in,
for example iscsi.service and nfs-client.target).

To make remote-cryptsetup-pre.target really work, those services should be
ordered before it too. But this would require updates to all those services,
not just changes from systemd side.

But the requirements for remote-fs-pre.target and remote-cryptset-pre.target
are fairly similar (e.g. iscsi devices can certainly be used for both), so
let's reuse remote-fs-pre.target also for remote cryptsetup units. This loses
a bit of flexibility, but does away with the requirement for various provider
services to know about remote-cryptsetup-pre.target.
2017-10-17 19:15:58 +02:00
Michal Sekletar
fab35afabf mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
In the past we introduced this property just for tmp.mount. However on
todays systems usually there are many more tmpfs mounts. Most notably
mounts backing XDG_RUNTIME_DIR for each user.

Let's generalize what we already have for tmp.mount and implement the
ordering After=swap.target for all tmpfs based mounts.
2017-10-16 16:15:05 +02:00
Zbigniew Jędrzejewski-Szmek
8f462b074e units: add [Install] section to remote-cryptsetup.target
This makes this target the same as remote-fs.target in this regard. In practice
it probably doesn't make that much difference, because all encrypted devices
that are part of remote-fs.target (marked with _netdev) will be used for mount
points, so they will be pulled in anyway individually, but with this change any
such device will be configured, even if it is not pulled by any other unit.
2017-10-13 08:03:16 +02:00
Yu Watanabe
941afc4b90 unit: enable DynamicUser= for journal-upload 2017-10-06 16:06:21 +09:00
Yu Watanabe
48d3e88c18 timesyncd: enable DynamicUser= 2017-10-06 16:05:20 +09:00
Lennart Poettering
fdb6343484 Merge pull request #6909 from sourcejedi/units
Unit dependency fixes (and cleanups)
2017-10-05 18:26:02 +02:00
Lennart Poettering
c74cdb5cc3 units: restore User=systemd-journal-gateway in systemd-journal-gatewayd.service (#7005)
After the discussions around #7003 I think we should restore the
User=systemd-journal-gateway line for systemd-journal-gatewayd.service,
too, so that we continue to use the state user if it exists, and create
it as dynamic user only when it does not.

Note that undoes part of a change made after 234, i.e. a never released
change.
2017-10-05 15:05:02 +02:00
Lennart Poettering
4aa1d31c89 Merge pull request #6974 from keszybz/clean-up-defines
Clean up define definitions
2017-10-04 19:25:30 +02:00
Lennart Poettering
0a9b166b43 units: prohibit all IP traffic on all our long-running services (#6921)
Let's lock things down further.
2017-10-04 14:16:28 +02:00
Zbigniew Jędrzejewski-Szmek
1ec57f3394 build-sys: s/ENABLE_RESOLVED/ENABLE_RESOLVE/
The configuration option was called -Dresolve, but the internal define
was …RESOLVED. This options governs more than just resolved itself, so
let's settle on the version without "d".
2017-10-04 12:09:51 +02:00
Zbigniew Jędrzejewski-Szmek
3211da4bcb build-sys: s/HAVE_UTMP/ENABLE_UTMP/
"Have" should be about the external environment and dependencies. Anything
which is a pure yes/no choice should be "enable".
2017-10-04 12:09:50 +02:00
Zbigniew Jędrzejewski-Szmek
349cc4a507 build-sys: use #if Y instead of #ifdef Y everywhere
The advantage is that is the name is mispellt, cpp will warn us.

$ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/"
$ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;'
$ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g'
$ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g'
+ manual changes to meson.build

squash! build-sys: use #if Y instead of #ifdef Y everywhere

v2:
- fix incorrect setting of HAVE_LIBIDN2
2017-10-04 12:09:29 +02:00
Alan Jenkins
2d4b910383 units: DefaultDependencies already implies conflict with shutdown.target
(and system-update.target does not have DefaultDependencies=no)
2017-09-30 22:02:05 +01:00
Alan Jenkins
0b9ad5bf2e units: add missing Before=shutdown.target for units which it Conflicts
There's a few services missing this ordering.

Also remove a duplicate Conflicts=shutdown.target from
systemd-volatile-root.service.
2017-09-30 22:01:42 +01:00
Alan Jenkins
6f6d1a8a6a units: add missing ordering deps for Conflicts= of emergency.service
1. If we exited emergency mode immediately, we don't want to have an
   irreversible stop job still running for syslog.socket.  I _suspect_ that
   can't happen, but let's not waste effort working out exactly why it's
   impossible and not just very improbable.

2. Similarly, it seems undesirable to have rescue.service and
   emergency.service both running with an open FD of /dev/console, for
   however short a period.
2017-09-29 17:35:44 +01:00
Alan Jenkins
950d8fcdd9 units: express Conflict in syslog.socket instead of emergency.service
Note this commit only changes how the code is expressed; it does not change
the existence of any dependency.

The `Conflicts=` was added in 3136ec90, "Stop syslog.socket when entering
emergency mode".  The discussion in the issue #266 raised concerns that
this might be needed for other units, but failed to point out why
syslog.socket is special.  The reason is that syslog.socket has
DefaultDepedencies=no, so it does not get Requires=sysinit.target like
other socket units do.  But syslog.service does require sysinit.target,
among other things.

We don't have many socket, path, or timer units with
DefaultDependencies=no, and I don't think any of the triggered services
have such additional hard dependencies as syslog.service does.

It is much less confusing if we keep this `Conflicts=` in the same file as
the `DefaultDependencies=no` which made it necessary.
2017-09-29 17:34:55 +01:00
Alan Jenkins
a3b22cc596 units: do not kill rescue shell when machines.target is started
The original aim of this commit is that starting machines.target from the
rescue shell would not kill the rescue shell and lock you out of the
system.

This is similar to commit 6579a622, for the conflict between
sysinit.target and the _emergency_ shell.  That particular commit
introduced an ordering cycle and will need to be reverted and/or
fixed.  This one does not, because it does not need to introduce any new
dependencies.

The reason why this commit is allowable also has it's own merit:

machines.target was not marked as AllowIsolate.  Also, the point of
containers is to not escape them...  I don't think we want to promote
machines.target as a default target or similar; you would generally want
some system service to allow you to shut down the machine, for example.  I
don't see this approach used in CoreOS, nor in Fedora Atomic Host; we are
missing any positive examples of its utility.

Requires=basic.target / After=basic.target can be removed for the same
reason.
2017-09-29 17:32:14 +01:00
Alan Jenkins
0d18f808a4 Revert "units: don't kill the emergency shell when sysinit.target is triggered (#6765)" (#6904)
This reverts commit f1e24a259c.  Oops.

# systemctl emergency
Failed to start emergency.target: Transaction order is cyclic. See syste...
See system logs and 'systemctl status emergency.target' for details.
# systemctl status emergency.target
● emergency.target - Emergency Mode
   Loaded: loaded (/usr/lib/systemd/system/emergency.target; static; vendor preset: disabled)
   Active: inactive (dead) since Mon 2017-09-25 10:43:02 BST; 2h 42min ago
     Docs: man:systemd.special(7)

systemd[1]: sysinit.target: Found dependency on sysinit.target/stop
sysinit.target: Unable to break cycle starting with sysinit.target/stop
network.target: Found ordering cycle on wpa_supplicant.service/stop
network.target: Found dependency on sysinit.target/stop
network.target: Found dependency on emergency.target/start
network.target: Found dependency on emergency.service/start
network.target: Found dependency on serial-getty@ttyS0.service/stop
network.target: Found dependency on systemd-user-sessions.service/stop
network.target: Found dependency on network.target/stop
network.target: Unable to break cycle starting with network.target/stop


IMO #6509 is ugly enough that we should aim to answer it.  But it could
take some time to investigate, so let's re-open the issue as a first step.
2017-09-26 19:47:50 +02:00
Alan Jenkins
f1e24a259c units: don't kill the emergency shell when sysinit.target is triggered (#6765)
Why
---

The advantage of this is that starting sysinit.target from the emergency
shell will no longer kill the emergency shell and lock you out of the
system.  Our docs already claimed that emergency.target was useful for
"starting individual units in order to continue the boot process in steps".
This resolves #6509 for my purposes.

Remaining limitation
--------------------

Starting getty.target will still kill the shell, and if you don't have a
root password you will then be locked out at that point.  This is relevant
to distributions which patch the sulogin system to permit logins when the
root password is locked.  Both Debian and RedHat used to follow this
behaviour!  Debian have been discussing what they could replace it with at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806852

So this doesn't quite achieve perfection, but I think it's a worthwhile
change.  It should be easier to understand the logic now it doesn't have
such a big hole in it.  Repairing the sysinit stage of the boot is the main
reason we have emergency.target.  And as discussed in the issue,
sysinit.target gets pulled in implicitly as soon as any DefaultDependencies
service is activated.

How
---

sysinit.target only needs to conflict with emergency.target.  It didn't
need to conflict with emergency.service as well.  In theory the conflicts
are pointless, we could just change the dependency of sysinit.target on
local-fs.target from Wants to Requires.  However, doing so would mean that
when local-fs fails, the screen is flooded with yellow [DEPEND] failures.
That would hinder the poor unfortunate admin, so let's not do that.

There is no additional ordering requirement against emergency.  If the
failure happens, the job for sysinit will be cancelled instantly.  We don't
need to worry about when sysinit.target and its dependents would be
stopped, because sysinit waits for local-fs before it starts.

emergency.target is still necessarily stopped once we reach sysinit
(you can't express a one-way conflict in pure unit directives).
This is largely cosmetic... though perhaps it symbolizes that you're no
longer in Emergency Mode if System Initialization is successful ;-).

As a secondary advantage, the getty's which conflict on rescue.service now
need to conflict on emergency.service as well.  This makes the system more
uniform and simpler to understand.

The only other effect this should have is that
`systemctl start emergency.target` is now practically the same as
`systemctl start rescue.target`.  The only units this command will stop are
the conflicting getty units.  Neither of those commands should ever be
used.  E.g. they will not stop the gdm.service unit on Fedora 26.
2017-09-14 21:43:43 +02:00
Zbigniew Jędrzejewski-Szmek
6579a622ec Merge pull request #6790 from poettering/unit-unsetenv
add UnsetEnvironment= unit file setting, in order to fix #6407
2017-09-14 19:46:55 +02:00
Lennart Poettering
bff8f2543b units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
2017-09-14 19:45:40 +02:00
Lennart Poettering
82f93439af units: properly unset the l10n environment variables where we need to
Now that we have UnsetEnvironment=, let's make proper use of it for
unsetting l10n settings for console gettys.

Fixes: #6407
2017-09-14 15:17:40 +02:00
John Lin
c13ee7cc8b units: remove unnecessary Requires= and After= in system.slice (#6794) 2017-09-11 10:35:51 +02:00
Felipe Sateler
912a0f21d9 sulogin-shell: switch from shell implementation to a C implementation (#6698) 2017-09-08 18:21:37 +02:00
Lennart Poettering
6dd0e05c77 Merge pull request #6748 from msekletar/console-container-getty-pre-after
units: order container and console getty units after getty-pre.target
2017-09-05 19:45:39 +02:00
Michal Sekletar
45e2753297 units: order container and console getty units after getty-pre.target 2017-09-05 14:53:25 +02:00
Zbigniew Jędrzejewski-Szmek
889128b8b2 units: add remote-cryptsetup.target and remote-cryptsetup-pre.target
The pair is similar to remote-fs.target and remote-fs-pre.target. Any
cryptsetup devices which require network shall be ordered after
remote-cryptsetup-pre.target and before remote-cryptsetup.target.
2017-09-05 12:06:30 +02:00
Zbigniew Jędrzejewski-Szmek
947d21171b units: order cryptsetup-pre.target before cryptsetup.target
Normally this happens automatically, but if it happened that both targets were
pulled in, even though there were no cryptsetup units, they could be started
in reverse order, which would be somewhat confusing. Add an explicit ordering
to avoid this potential issue.
2017-09-05 12:06:30 +02:00
Zbigniew Jędrzejewski-Szmek
8a12256c9c Merge pull request #6580 from poettering/nspawn-dm-deviceallow
add DM devices to DeviceAllow for systemd-nspawn@.service
2017-09-04 17:12:17 +03:00
Alan Jenkins
f480777623 units: do not install rescue.target for alt-↑
rescue.target does not work well for this.  It is not meant to be started,
only isolated.

Fixes #6493
2017-08-31 16:17:41 +01:00
Lennart Poettering
d7542c46d6 Merge pull request #6709 from yuwata/imply-requires-mounts
core: StateDirectory= and friends imply RequiresMountsFor=
2017-08-31 13:30:26 +02:00
Yu Watanabe
181b4f56e7 unit: use StateDirectory= instead of RequiresMountsFor= 2017-08-31 18:37:11 +09:00
Yu Watanabe
96f9f6aca7 unit: drop redundant options 2017-08-31 18:29:41 +09:00
Michal Sekletar
1759025418 units: introduce getty-pre.target (#6667)
This new target is a passive unit, hence it is supposed to be pulled in
to the transaction by the service that wants to block login on the
console (e.g. text version of initial-setup). Now both getty and
serial-getty are ordered after this target.

https://lists.freedesktop.org/archives/systemd-devel/2015-July/033754.html
2017-08-31 11:20:14 +02:00
Alan Jenkins
64a36ae4b1 units: starting suspend.target should not fail when suspend is successful (#6678)
and the same for hibernate.target and hybrid-sleep.target.

Tested with both sucessful and unsuccessful suspends.  The result of the
start job was correct in both cases.  Closes #6419 (a regression in v233
and v234).

> suspend is unsual for a target, because it has to stop itself once it's
> started. Otherwise you couldn't start it again, so you could only suspend
> once! Currently that's implemented using BindsTo=systemd-sleep.service.
> Meaning it pulls in systemd-sleep.service to do the actual suspend, and
> then de-activates afterwards. But the behaviour of BindsTo was changed
> recently (not without some issues during development) - maybe this bug
> is caused by poettering/systemd@631b676 which I think was added in
> release v233.
>
> sleep.target (see man systemd.special) has the same need, but it
> implements it differently. It simply has StopWhenUnneeded=yes.

This commit switches suspend.target etc. to the approach used by
sleep.target.
2017-08-30 18:20:23 +02:00