Commit Graph

1106 Commits

Author SHA1 Message Date
Alan Jenkins
f1e24a259c units: don't kill the emergency shell when sysinit.target is triggered (#6765)
Why
---

The advantage of this is that starting sysinit.target from the emergency
shell will no longer kill the emergency shell and lock you out of the
system.  Our docs already claimed that emergency.target was useful for
"starting individual units in order to continue the boot process in steps".
This resolves #6509 for my purposes.

Remaining limitation
--------------------

Starting getty.target will still kill the shell, and if you don't have a
root password you will then be locked out at that point.  This is relevant
to distributions which patch the sulogin system to permit logins when the
root password is locked.  Both Debian and RedHat used to follow this
behaviour!  Debian have been discussing what they could replace it with at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806852

So this doesn't quite achieve perfection, but I think it's a worthwhile
change.  It should be easier to understand the logic now it doesn't have
such a big hole in it.  Repairing the sysinit stage of the boot is the main
reason we have emergency.target.  And as discussed in the issue,
sysinit.target gets pulled in implicitly as soon as any DefaultDependencies
service is activated.

How
---

sysinit.target only needs to conflict with emergency.target.  It didn't
need to conflict with emergency.service as well.  In theory the conflicts
are pointless, we could just change the dependency of sysinit.target on
local-fs.target from Wants to Requires.  However, doing so would mean that
when local-fs fails, the screen is flooded with yellow [DEPEND] failures.
That would hinder the poor unfortunate admin, so let's not do that.

There is no additional ordering requirement against emergency.  If the
failure happens, the job for sysinit will be cancelled instantly.  We don't
need to worry about when sysinit.target and its dependents would be
stopped, because sysinit waits for local-fs before it starts.

emergency.target is still necessarily stopped once we reach sysinit
(you can't express a one-way conflict in pure unit directives).
This is largely cosmetic... though perhaps it symbolizes that you're no
longer in Emergency Mode if System Initialization is successful ;-).

As a secondary advantage, the getty's which conflict on rescue.service now
need to conflict on emergency.service as well.  This makes the system more
uniform and simpler to understand.

The only other effect this should have is that
`systemctl start emergency.target` is now practically the same as
`systemctl start rescue.target`.  The only units this command will stop are
the conflicting getty units.  Neither of those commands should ever be
used.  E.g. they will not stop the gdm.service unit on Fedora 26.
2017-09-14 21:43:43 +02:00
Zbigniew Jędrzejewski-Szmek
6579a622ec Merge pull request #6790 from poettering/unit-unsetenv
add UnsetEnvironment= unit file setting, in order to fix #6407
2017-09-14 19:46:55 +02:00
Lennart Poettering
bff8f2543b units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
2017-09-14 19:45:40 +02:00
Lennart Poettering
82f93439af units: properly unset the l10n environment variables where we need to
Now that we have UnsetEnvironment=, let's make proper use of it for
unsetting l10n settings for console gettys.

Fixes: #6407
2017-09-14 15:17:40 +02:00
John Lin
c13ee7cc8b units: remove unnecessary Requires= and After= in system.slice (#6794) 2017-09-11 10:35:51 +02:00
Felipe Sateler
912a0f21d9 sulogin-shell: switch from shell implementation to a C implementation (#6698) 2017-09-08 18:21:37 +02:00
Lennart Poettering
6dd0e05c77 Merge pull request #6748 from msekletar/console-container-getty-pre-after
units: order container and console getty units after getty-pre.target
2017-09-05 19:45:39 +02:00
Michal Sekletar
45e2753297 units: order container and console getty units after getty-pre.target 2017-09-05 14:53:25 +02:00
Zbigniew Jędrzejewski-Szmek
889128b8b2 units: add remote-cryptsetup.target and remote-cryptsetup-pre.target
The pair is similar to remote-fs.target and remote-fs-pre.target. Any
cryptsetup devices which require network shall be ordered after
remote-cryptsetup-pre.target and before remote-cryptsetup.target.
2017-09-05 12:06:30 +02:00
Zbigniew Jędrzejewski-Szmek
947d21171b units: order cryptsetup-pre.target before cryptsetup.target
Normally this happens automatically, but if it happened that both targets were
pulled in, even though there were no cryptsetup units, they could be started
in reverse order, which would be somewhat confusing. Add an explicit ordering
to avoid this potential issue.
2017-09-05 12:06:30 +02:00
Zbigniew Jędrzejewski-Szmek
8a12256c9c Merge pull request #6580 from poettering/nspawn-dm-deviceallow
add DM devices to DeviceAllow for systemd-nspawn@.service
2017-09-04 17:12:17 +03:00
Alan Jenkins
f480777623 units: do not install rescue.target for alt-↑
rescue.target does not work well for this.  It is not meant to be started,
only isolated.

Fixes #6493
2017-08-31 16:17:41 +01:00
Lennart Poettering
d7542c46d6 Merge pull request #6709 from yuwata/imply-requires-mounts
core: StateDirectory= and friends imply RequiresMountsFor=
2017-08-31 13:30:26 +02:00
Yu Watanabe
181b4f56e7 unit: use StateDirectory= instead of RequiresMountsFor= 2017-08-31 18:37:11 +09:00
Yu Watanabe
96f9f6aca7 unit: drop redundant options 2017-08-31 18:29:41 +09:00
Michal Sekletar
1759025418 units: introduce getty-pre.target (#6667)
This new target is a passive unit, hence it is supposed to be pulled in
to the transaction by the service that wants to block login on the
console (e.g. text version of initial-setup). Now both getty and
serial-getty are ordered after this target.

https://lists.freedesktop.org/archives/systemd-devel/2015-July/033754.html
2017-08-31 11:20:14 +02:00
Alan Jenkins
64a36ae4b1 units: starting suspend.target should not fail when suspend is successful (#6678)
and the same for hibernate.target and hybrid-sleep.target.

Tested with both sucessful and unsuccessful suspends.  The result of the
start job was correct in both cases.  Closes #6419 (a regression in v233
and v234).

> suspend is unsual for a target, because it has to stop itself once it's
> started. Otherwise you couldn't start it again, so you could only suspend
> once! Currently that's implemented using BindsTo=systemd-sleep.service.
> Meaning it pulls in systemd-sleep.service to do the actual suspend, and
> then de-activates afterwards. But the behaviour of BindsTo was changed
> recently (not without some issues during development) - maybe this bug
> is caused by poettering/systemd@631b676 which I think was added in
> release v233.
>
> sleep.target (see man systemd.special) has the same need, but it
> implements it differently. It simply has StopWhenUnneeded=yes.

This commit switches suspend.target etc. to the approach used by
sleep.target.
2017-08-30 18:20:23 +02:00
Lennart Poettering
0e614814b7 Merge pull request #6617 from sourcejedi/udev-unit-deps
udev service dependency nitpicks
2017-08-30 17:33:07 +02:00
Lennart Poettering
6d405b6909 Merge pull request #6672 from yuwata/drop-priv
use !! prefix in networkd and timesyncd
2017-08-30 10:45:24 +02:00
Yu Watanabe
53d133ea1b timesync: move stamp file to /var/lib/systemd/timesync/clock 2017-08-30 15:59:57 +09:00
Lennart Poettering
7123a951d0 Merge pull request #6670 from fsateler/disable-networkd
build-sys: don't build networkctl if networkd is disabled
2017-08-29 17:28:06 +02:00
Lennart Poettering
3982becc92 units: include DM devices in DeviceAllow fpor systemd-nspawn@.service
We need it to make LUKS devices work.

Fixes: #6525
2017-08-29 16:01:19 +02:00
Felipe Sateler
a174f618eb networkd: do not install the socket when networkd is not enabled 2017-08-27 10:49:10 -03:00
Yu Watanabe
87a85e25a2 units: make use of !! ExecStart= prefix in systemd-timesyncd.service
Let's make use of !! to run timesyncd with ambient capabilities on
systems supporting them.
2017-08-27 01:41:12 +09:00
Yu Watanabe
c61f302d3c units: make use of !! ExecStart= prefix in systemd-networkd.service
Let's make use of !! to run networkd with ambient capabilities on
systems supporting them.
2017-08-27 01:40:47 +09:00
Alan Jenkins
1d422b153b units: order service(s) before udevd, not udev-trigger (coldplug)
Since hotplugs happen as soon as udevd is started, there is not much sense
in giving udev-trigger an After= dependency on any service.  The device
could be hotplugged before coldplug starts.

This is intended to avoid the race window where we create the hwdb with
the wrong selinux context (then fix it up afterwards).
https://github.com/systemd/systemd/issues/3458#issuecomment-322444107
2017-08-15 14:22:44 +01:00
Alan Jenkins
3533b49e74 units: Sockets= already implies Wants= and After= (systemd-udevd.service)
I grepped for other `After=` on a socket unit as well.  This was the only
instance.
2017-08-15 14:11:23 +01:00
Lennart Poettering
635f3df5dc units: make use of the new !! ExecStart= prefix in systemd-resolved.service
Let's make use of !! to run resolved with ambient capabilities on
systems supporting them.
2017-08-10 15:04:32 +02:00
Lennart Poettering
4f41b69cd9 Merge pull request #6579 from sourcejedi/getty
getty nitpicks
2017-08-10 12:05:21 +02:00
Lennart Poettering
97f7e3663e Merge pull request #6467 from yuwata/journal-remote-units
units: use {State,Logs}Directory= if they are applicable
2017-08-09 21:09:13 +02:00
Alan Jenkins
ae805c89ef units: console-getty.service: use the default RestartSec
> Note that console-getty.service as more uses than just containers. The
> idea is that it may be used as alternative to the whole VC/logind stuff,
> if all you need is a console on /dev/console, even on physical devices.

This means we want to remove RestartSec=0, for serial systems.
See 4bf0432 "units/serial-getty@.service: use the default RestartSec".
2017-08-09 18:56:26 +01:00
Alan Jenkins
d32465fb41 units: add Conflicts=rescue.service to container-getty@.service
The traditional runlevel 1 is "single user mode", and shuts down all but
the main console.  In systemd, rescue.target provides runlevel1.target.
But it did not shut down logins on secondary consoles... if systemd was
running in a container.

I don't think we strictly need to change this.  But when you look at both
container-getty@.service and getty@.service, you see that both have
IgnoreOnIsolate, but only the latter has Conflicts=rescue.service.

This also makes rescue.target in a container consistent with
emergency.target.  In the latter case, the gettys were already stopped,
because they have a Requires dependency on sysinit.target.
2017-08-09 18:52:05 +01:00
Alan Jenkins
858beb391b units/console-getty.service: comment reason for ConditionPathExists
Currently we have 4 getty services.  1 has a BindsTo dependency on a
device unit.  3 have ConditionPathExists, but the reason is different in
every single one.

* Add comment to console-getty@.service (see commit 1b41981d)
* getty@.service is already commented
* container-getty.service is not strictly correct, as I realized while
  trying to compose a comment.  Reported as #6584.
2017-08-09 18:51:46 +01:00
Alan Jenkins
8522ee7975 man/systemd-getty-generator fix/update
* Containers don't use serial-getty@console.service,
  they use console-getty.service instead, and suppress
  scanning for kernel or virtualizer consoles.

* Nowadays gettys are started on *all* configured kernel consoles.

* except for the line printer console, because that's not a tty.
  (Seriously.  Search CONFIG_LP_CONSOLE).
2017-08-09 15:53:55 +01:00
Yu Watanabe
4429c69f8d units: do not perform m4 if not necessary (#6575) 2017-08-09 09:13:41 -04:00
Yu Watanabe
debe5d2376 unit: remove redundant options 2017-08-08 12:17:12 +09:00
Yu Watanabe
d0e62ae0f6 units: use {State,Logs}Directory= if they are applicable 2017-08-08 12:17:01 +09:00
Lennart Poettering
0d44940773 Revert "units: set ConditionVirtualization=!private-users on journald audit socket" (#6513)
* Revert "modprobe.d: ship drop-in to set bonding max_bonds to 0 (#6448)"

This reverts commit 582faeb461.

* Revert "units: set ConditionVirtualization=!private-users on journald audit socket (#6508)"

This reverts commit d2a1ba103b.
2017-08-02 16:39:54 +02:00
Dimitri John Ledkov
d2a1ba103b units: set ConditionVirtualization=!private-users on journald audit socket (#6508)
It fails to start in an unprivileged container as audit is not namespace aware.
2017-08-02 10:15:26 +02:00
Lennart Poettering
e362b5a77f Merge pull request #6472 from yuwata/journal-gateway-fix
Some journal-gateway and journal-remote related fixes
2017-07-31 12:11:48 +02:00
Yu Watanabe
b7f2d0ba24 units,sysusers: use DynamicUser= for journal-gatewayd and drop user systemd-journal-gateway from sysusers 2017-07-28 13:37:10 +09:00
Zbigniew Jędrzejewski-Szmek
a132bef023 Drop kdbus bits
Some kdbus_flag and memfd related parts are left behind, because they
are entangled with the "legacy" dbus support.

test-bus-benchmark is switched to "manual". It was already broken before
(in the non-kdbus mode) but apparently nobody noticed. Hopefully it can
be fixed later.
2017-07-23 12:01:54 -04:00
Zbigniew Jędrzejewski-Szmek
4bc5d27b94 Drop busname unit type
Since busname units are only useful with kdbus, they weren't actively
used. This was dead code, only compile-tested. If busname units are
ever added back, it'll be cleaner to start from scratch (possibly reverting
parts of this patch).
2017-07-23 09:29:02 -04:00
Zbigniew Jędrzejewski-Szmek
e5f752082e build-sys: drop gitignore patterns for in-tree builds
... and other autotools-generated files.
2017-07-18 10:05:06 -04:00
Zbigniew Jędrzejewski-Szmek
72cdb3e783 build-sys: drop automake support
v2:
- also mention m4
2017-07-18 10:04:44 -04:00
Michal Sekletar
3c978aca69 journald: make sure we retain all stream fds across restarts (#6348)
Currently we set 4096 as maximum for number of stream connections that
we accept. However maximum number of file descriptors that systemd is
willing to accept from us is just 1024. This means we can't retain all
stream connections that we accepted. Hence bump the limit of fds in a
unit file so that systemd holds open all stream fds while we are
restarted.

New limit is set to 4224 (4096 + 128).
2017-07-17 10:04:37 +02:00
Nikolai Kondrashov
db6aedab92 units: Tell login to preserve environment (#6023)
Make agetty started by *getty* units pass '-p' option to "login", so it
doesn't clear the environment and passes whatever was setup by systemd
to shells. This is needed especially for programs which are specified as
user shells, but won't read locale settings from anywhere but
environment.

[zj: cherry-pick just the second patch from the series, see discussion
on the pull request.]
2017-07-09 10:53:31 -04:00
Zbigniew Jędrzejewski-Szmek
9db307820e units: use Requires in systemd-networkd-wait-online.service (#6065)
In the initial design, foobar-wait-online.service would have
Requisite=foobar.service, so that foobar-wait-online.service could be enabled
unconditionally, irrespective of whether foobar.service itself is enabled.
Unfortunately this doesn't work too well:

1. the message about foobar-wait-online.service being skipped because of a
   "missing dependency" *looks* like an is problem. This is mostly cosmetic,
   but it also quite confusing. We generally don't want any messages of this
   type during default boot.

2. it is impossible to start and wait for the network in an
   implementation-agnostic way: systemctl start network-online.target, or
   Wants/After=network-online.target in a unit don't work because pulling in
   network-online.target pulls in foobar-wait-online.service, but it in turn
   does not pull in foobar.service. During startup, foobar.service is pulled in
   by multi-user.target, but not in a smaller transaction which does not
   include multi-user.target.

This change means that *-wait-online.service should be installed through
presets, so that it can be enabled/disabled at will by the administrator.
Our own systemd-networkd-wait-online.service does this already, and
similar change has been requested for NetworkManager-wait-online.service
(https://bugzilla.redhat.com/show_bug.cgi?id=1455704).

This change should by mostly backwards-compatible, unless somebody has some
wait-online.service enabled, without having the corresponding network
implementation enabled, and they are relying on it not being started.  I think
that's relatively unlikely because of issue 1. above, and I'm not aware of this
being the default in any distro. And being able to start the network in an
implementation-agnostic way is pretty important, see
https://bugzilla.redhat.com/show_bug.cgi?id=1452866.
2017-07-03 17:05:20 +02:00
AsciiWolf
16a5d4128f units: use https for the freedesktop url (#6227) 2017-06-28 22:54:12 -04:00
Stefan Schweter
56892b0b36 man: update reference for binfmt documentation (#6223) 2017-06-28 13:18:37 -04:00
Zbigniew Jędrzejewski-Szmek
7e867138f5 Merge pull request #5600 from fbuihuu/make-logind-restartable
Make logind restartable.
2017-06-24 18:58:36 -04:00
Felipe Sateler
2221c17afb machined: add RequiresMountsFor=/var/lib/machines
Since any part of the path could be remote mounted, make sure they are
before starting machined
2017-06-21 16:20:11 -04:00
Felipe Sateler
78d1039d6b nspawn: hook var-lib-machines.mount to machines.target and remote-fs.target
/var can be on a remote filesystem, thus hooking it to local-fs.target is not correct.

Also, only install the mount unit when machined is enabled, because
machined is the one managing the underlying device, and thus makes no
sense without machined.

Fixes #1175
2017-06-21 16:19:20 -04:00
Franck Bui
aed24c4cd7 logind: save/restore session devices and their respective file descriptors
This patch ensures that session devices are saved for each session.

In order to make the revokation logic work when logind is restarted, the
session devices are now saved in the session state files and their respective
file descriptors sent to PID1's fdstore in order to keep them open accross
restart.

This is mandatory in order to keep the revokation logic working. Indeed in case
of input-devices, the same file descriptors must be shared by logind and a
given session controller in order EVIOCREVOKE to work otherwise multiple
sessions can have device access in parallel.

This should be the only remaining and missing piece for making logind fully
restartable.

Fixes: #1163
2017-06-08 16:21:36 +02:00
Josef Gajdusek
be5bd2ec62 systemd-nspawn@.service: start after /var/lib/machines is mounted (#6079)
This fixes a race condition during boot, where an nspawn container would start
before /var/lib/machines got mounted resulting in a failure.
2017-06-06 11:18:22 -04:00
Zbigniew Jędrzejewski-Szmek
9a4eeb4a0c units: make descriptions of api filesystems less generic (#5914)
All those names were very generic. Fixes #5911.
2017-05-10 13:09:52 +02:00
Zbigniew Jędrzejewski-Szmek
2c201c2140 meson: use booleans for conf.set and drop unecessary conditionals
Using conf.set() with a boolean argument does the right thing:
either #ifdef or #undef. This means that conf.set can be used unconditionally.

Previously I used '1' as the placeholder value, and that needs to be changed to
'true' for consistency (under meson 1 cannot be used in boolean context). All
checks need to be adjusted.
2017-05-02 16:29:11 -04:00
userwithuid
1c9f131444 meson: do not install files from disabled features (#5811)
Mirror conditions from Makefile.am.
2017-04-27 13:47:04 -04:00
Zbigniew Jędrzejewski-Szmek
b884196cc1 meson: also indent scripts with 8 spaces 2017-04-25 08:49:16 -04:00
Zbigniew Jędrzejewski-Szmek
dc25d2adb5 meson: $DESTDIR might be undefined
This causes an error with -u. Just add an empty fallback.
2017-04-24 19:25:33 -04:00
Zbigniew Jędrzejewski-Szmek
08936cea45 meson: install the dbus aliases for resolve1 and network1 in /etc
This way when the units are disabled, their dbus activation is also disabled.

v2:
- fix the symlink location
2017-04-23 21:47:29 -04:00
Zbigniew Jędrzejewski-Szmek
86b3ca7a66 meson: use "sh -eu" and make .sh +x, .py -x
Shell scripts should be executable so that meson reports their
invocation succinctly (does not print 'sh' '-e').
Python scripts should not be executable so that meson does the
detection of the right python binary itself.

Add -u everywhere to catch potential errors.
2017-04-23 21:47:29 -04:00
Zbigniew Jędrzejewski-Szmek
37efbbd821 meson: reindent all files with 8 spaces
The indentation for emacs'es meson-mode is added .dir-locals.

All files are reindented automatically, using the lasest meson-mode from git.
Indentation should now be fairly consistent.
2017-04-23 21:47:29 -04:00
Zbigniew Jędrzejewski-Szmek
9ac47f3815 meson: fix condition for installation of .in units, 99-default.link
The condition to install in_units was calculated, but not used.

99-default.link should be installed uncoditionally.
2017-04-23 21:47:28 -04:00
Michael Biebl
e17e5ba9bf meson: use join_paths consistently
With -Dsplit-usr=true, we set rootprefix to /. This leads to //lib/systemd or
//lib/udev for various dir variables. Using join_paths() avoids this.
2017-04-23 21:47:28 -04:00
Zbigniew Jędrzejewski-Szmek
082ef2adbd meson: rework processing of unit files
Ideally, we would chain the m4 processing, .in substitutions, and file
installation so that the commands don't have to be repeated. Unfortunately
this does not seem currently possible, because custom_target() output cannot
be fed into install_data(), so it's necessary to use the 'install',
'install_dir' arguments to control installation. Nevertheless, rework the
rules to repeat less stuff and unify handling of conditions between the
different file types.
2017-04-23 21:47:28 -04:00
Zbigniew Jędrzejewski-Szmek
aa13df5874 meson: support (the removal of) lines with ## 2017-04-23 21:47:28 -04:00
Zbigniew Jędrzejewski-Szmek
7b76fce1a5 meson: create various symlinks
v2:
- remove bashisms
2017-04-23 21:47:27 -04:00
Zbigniew Jędrzejewski-Szmek
94e75a5409 meson: create dirs and touch /usr
This is the equivalent of $(INSTALL_DIRS) and install-touch-usr-hook.
I did not bother to create the directories into which we install files,
since they will be created anyway.

v2:
- remove bashism
2017-04-23 21:47:27 -04:00
Zbigniew Jędrzejewski-Szmek
2d9f0c6878 meson: add unit installation symlinks
This is the equivalent of $(SYSTEM_UNIT_ALIASES) and $(GENERAL_ALIASES)
in Makefile.am.

ninja-build uninstall does not remove the symlinks, see
https://github.com/mesonbuild/meson/issues/1602.
I don't consider this a blocker: after all either one installs into $DESTDIR,
where uninstallation doesn't make much sense, or into a real system, where a
successfull uninstallation would likely destroy the system.

v2:
- remove bashisms
- add various forgotten symlinks and fix service/timer/target confusions
2017-04-23 21:47:27 -04:00
Zbigniew Jędrzejewski-Szmek
5c23128dab meson: build systemd using meson
It's crucial that we can build systemd using VS2010!

... er, wait, no, that's not the official reason. We need to shed old systems
by requring python 3! Oh, no, it's something else. Maybe we need to throw out
345 years of knowlege accumulated in autotools? Whatever, this new thing is
cool and shiny, let's use it.

This is not complete, I'm throwing it out here for your amusement and critique.

- rules for sd-boot are missing. Those might be quite complicated.

- rules for tests are missing too. Those are probably quite simple and
  repetitive, but there's lots of them.

- it's likely that I didn't get all the conditions right, I only tested "full"
  compilation where most deps are provided and nothing is disabled.

- busname.target and all .busname units are skipped on purpose.

  Otherwise, installation into $DESTDIR has the same list of files and the
  autoconf install, except for .la files.

It'd be great if people had a careful look at all the library linking options.
I added stuff until things compiled, and in the end there's much less linking
then in the old system. But it seems that there's still a lot of unnecessary
deps.

meson has a `shared_module` statement, which sounds like something appropriate
for our nss and pam modules. Unfortunately, I couldn't get it to work. For the
nss modules, we need an .so version of '2', but `shared_module` disallows the
version argument. For the pam module, it also didn't work, I forgot the reason.

The handling of .m4 and .in and .m4.in files is rather awkward. It's likely
that this could be simplified. If make support is ever dropped, I think it'd
make sense to switch to a different templating system so that two different
languages and not required, which would make everything simpler yet.

v2:
- use get_pkgconfig_variable
- use sh not bash
- use add_project_arguments

v3:
- drop required:true and fix progs/prog typo

v4:
- use find_library('bz2')
- add TTY_GID definition
- define __SANE_USERSPACE_TYPES__
- use join_paths(prefix, ...) is used on all paths to make them all absolute

v5:
- replace all declare_dependency's with []
- add more conf.get guards around optional components

v6:
- drop -pipe, -Wall which are the default in meson
- use compiler.has_function() and compiler.has_header_symbol instead of the
  hand-rolled checks.
- fix duplication in 'liblibsystemd' library name
- use the right .sym file for pam_systemd
- rename 'compiler' to 'cc': shorter, and more idiomatic.

v7:
- use ENABLE_ENVIRONMENT_D not HAVE_ENVIRONMENT_D
- rename prefix to prefixdir, rootprefix to rootprefixdir
  ("prefix" is too common of a name and too easy to overwrite by mistake)
- wrap more stuff with conf.get('ENABLE...') == 1
- use rootprefix=='/' and rootbindir as install_dir, to fix paths under
  split-usr==true.

v8:
- use .split() also for src/coredump. Now everything is consistent ;)
- add rootlibdir option and use it on the libraries that require it

v9:
- indentation

v10:
- fix check for qrencode and libaudit

v11:
- unify handling of executable paths, provide options for all progs

  This makes the meson build behave slightly differently than the
  autoconf-based one, because we always first try to find the executable in the
  filesystem, and fall back to the default. I think different handling of
  loadkeys, setfont, and telinit was just a historical accident.

  In addition to checking in $PATH, also check /usr/sbin/, /sbin for programs.
  In Fedora $PATH includes /usr/sbin, (and /sbin is is a symlink to /usr/sbin),
  but in Debian, those directories are not included in the path.

  C.f. https://github.com/mesonbuild/meson/issues/1576.

- call all the options 'xxx-path' for clarity.
- sort man/rules/meson.build properly so it's stable
2017-04-23 21:47:26 -04:00
Martin Pitt
56744c037d Merge pull request #5756 from keszybz/make-cleanups
Various meson-independent cleanups from the meson patchset
2017-04-21 21:36:56 +02:00
Yu Watanabe
3e06055500 units: systemd-resolved should start before network-online.target and nss-lookup.target (#5691)
systemd-resolved provides
1. local API via NSS and D-Bus
2. kind of a local "DNS proxy" through its stub listener
The 1st item should be started before nss-lookup.target.
The 2nd item should be started before network-online.target,
because if the networking works in general, then DNS (and DNS proxy) should too.

Fixes #5650
2017-04-21 11:21:17 +02:00
Zbigniew Jędrzejewski-Szmek
fb369a5bdf Makefile.am: link dbus-org.freedesktop.network1 alias in /etc
This makes dbus-org.freedesktop.network1.service like dbus-org.freedesktop.resolve1.service.
When systemd-networkd.service is disabled, the alias is also removed.
2017-04-19 19:27:01 -04:00
Michal Sekletar
6f0e6bd253 units: drop explicit NotifyAccess setting from journald's unit file (#5749)
systemd-journald service consists of only single process and that is the
MainPID. Make unit file shorter and drop NotifyAccess=all since it is
not useful in such case.

https://lists.freedesktop.org/archives/systemd-devel/2017-April/038667.html
2017-04-19 08:52:40 +02:00
Yu Watanabe
b0b46a2c12 journal-upload: add state file directory to ReadWritePaths (#5578)
The commit c7fb922d62 prohibits
journal-upload to save its state in /var/lib/systemd/journal-upload/state,
thus the daemon fails and outputs the following error message even if
the directory is not read-only file system
```Cannot save state to /var/lib/systemd/journal-upload/state: Read-only file system```
This commit adds the permission the daemon to write the state file.
2017-03-30 18:01:03 +02:00
tblume
4e6f13af93 units: move Before deps for quota services to remote-fs.target (#5627)
Creating quota on an iscsi device is causing dependency loops at next reboot.
Reason is that systemd-quotacheck and quotaon.service are ordered before
local-fs.target and quota enabled mounts have a before dependency to them.
This cannot work for _netdev mounts, because network activation is ordered
after local-fs.target.
Moving the Before dependency for systemd-quotacheck and quotaon.service
to remote-fs.target fixes this.
2017-03-30 11:21:18 +02:00
Franck Bui
9aeac5c623 serial-getty@.service.m4: add Conflicts=/Before= against rescue.service (#5632)
Commit 5ed020d8d1 already fixed this issue for
getty@.service but forgot serial console.

Note that this is not needed for emergency target as the sysinit target
conflicts against this target already.
2017-03-30 10:39:16 +02:00
Zbigniew Jędrzejewski-Szmek
9e49656037 units: make enablement of s-n-wait-online.service follow systemd-networkd.service (#5635)
In 58a6dd1558 s-n-wait-online.service was added
to presets to synchronize the presets with the state after installation. But it
is harmful to have s-n-wait-online.service enabled when s-n.service is
disabled, because s-n-wait-online.service has Requsite=s-n.service and cannot
be activated. Thus remove s-n-wait-online.service from presets again, and let
it be enabled whenever s-n.service is enabled.

During installation we create enablement symlinks by hand, and since s-n.service
is enabled, s-n-w-o.service should be enabled too, so the symlink should still
be created during installation.

https://bugzilla.redhat.com/show_bug.cgi?id=1433459#c15
2017-03-27 12:55:55 +02:00
Michael Biebl
29f3265584 units: simplify rescue.service and emergency.service (#5623)
The emergency.service and rescue.service units have become rather
convoluted. We spawn multiple shells and the help text spans multiple lines
which makes the units hard to read.

Move the logic into a single shell script and call that via ExecStart.
2017-03-22 23:37:06 -04:00
Daniel Molkentin
03bf096ba2 units: apply plymouth warning fix to in rescue mode as well (#5615)
Follow up for #5528.
2017-03-20 22:26:05 -04:00
Daniel Molkentin
7e3ba38919 units: do not throw a warning in emergency mode if plymouth is not installed (#5528)
Ideally, plymouth should only be referenced via dependencies,
not ExecStartPre's. This at least avoids the confusing error message
on minimal installations that do not carry plymouth.
2017-03-17 12:13:19 +01:00
Lennart Poettering
268b6e1932 Merge pull request #5283 from poettering/tighten-sandbox
Tighten sandbox of long-running services
2017-03-01 23:35:06 +01:00
Lennart Poettering
dec718065b units: order systemd-nspawn@.service after systemd-resolved.service
This way, the nspawn internal check whether resolved is running will
succeed if it is enabled.

Fixes: #4649
2017-02-17 16:06:31 -05:00
Lennart Poettering
4d1f490c93 units: enable resolved bus activation though a symlink in /etc
The change:
-/usr/lib/systemd/system/dbus-org.freedesktop.resolve1.service
+/etc/systemd/system/dbus-org.freedesktop.resolve1.service

If resolved is disabled, without this, talking to the resolved bus API will
activate it regardless whether it is enabled or not, let's fix that.
2017-02-17 16:03:47 -05:00
Zbigniew Jędrzejewski-Szmek
9c0f732c62 Introduce '## ' as internal comment prefix in .in files and filter out a comment (#5289)
Sometimes we have comments which don't make sense outside of the systemd
codebase, so let's filter them out from the user-visible files.

Fixes #5286.
2017-02-09 16:28:37 +01:00
Lennart Poettering
6489ccfe48 units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings
Tighten security up a bit more.
2017-02-09 16:12:03 +01:00
Lennart Poettering
924453c225 units: lock down coredump service a bit
Dissecting a coredump is possibly risky and might take a while, hence
lock down the unit as much as we can.
2017-02-09 16:12:03 +01:00
Lennart Poettering
b6c7278c38 units: turn on ProtectKernelModules= for most long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
c7fb922d62 units: switch on ProtectSystem=strict for our long running services
Let's step up the protection a notch
2017-02-09 16:12:03 +01:00
Lennart Poettering
3c19d0b46b units: restrict namespace for a good number of our own services
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"
2017-02-09 16:12:03 +01:00
Lennart Poettering
7f396e5f66 units: set SystemCallArchitectures=native on all our long-running services 2017-02-09 16:12:03 +01:00
Zbigniew Jędrzejewski-Szmek
750e550eba units: restore Before dependencies for systemd-vconsole-setup.service
When the service is run in the initramfs, it is possible for it to get started
and not be fast enough to exit before the root switch happens. It is started
multiple times (depending on the consoles being detected), and runs
asynchronously, so this is quite likely. It'll then get killed by killall(),
and systemd will consider the service failed. To avoid all this, just wait
for the service to terminate on it's own.

Before=initrd-switch-root.target should be good for the initramfs, and
Before=shutdown.tuarget should be good for the real system, although it's
unlikely to make any difference there.
2017-01-31 01:34:40 -05:00
Zbigniew Jędrzejewski-Szmek
0af9a194ca units: drop KillMode= from initrd-switch-root.service
The service already has DefaultDeps disabled, so systemd should not try to stop
it. And if it *does* get stopped, we don't want the zombie process around.
KillMode=none does not change anything in the killall() phase, and we already
use argv[0][0] = '@' to protect against that anyway. KillMode=none should not
be useful in normal operation, so let's leave it out.
2017-01-31 01:34:40 -05:00
Zbigniew Jędrzejewski-Szmek
6b3d378331 Merge pull request #4879 from poettering/systemd 2017-01-14 21:29:27 -05:00
Lennart Poettering
73c729d768 units: fix condition for systemd-journal-catalog-update.service (#4990)
The service is supposed to regenerate the catalog index whenever /usr is
updated, but /var is not. Hence the ConditionNeedsUpdate= line should
actually reference /var, as that's where the index file is located.
2016-12-29 10:38:52 +01:00
Lennart Poettering
91214a37ef fstab-generator: add support for volatile boots
This adds support for a new kernel command line option "systemd.volatile=" that
provides the same functionality that systemd-nspawn's --volatile= switch
provides, but for host systems (i.e. systems booting with a kernel).

It takes the same parameter and has the same effect.

In order to implement systemd.volatile=yes a new service
systemd-volatile-root.service is introduced that only runs in the initrd and
rearranges the root directory as needed to become a tmpfs instance. Note that
systemd.volatile=state is implemented different: it simply generates a
var.mount unit file that is part of the normal boot and has no effect on the
initrd execution.

The way this is implemented ensures that other explicit configuration for /var
can always override the effect of these options.  Specifically, the var.mount
unit is generated in the "late" generator directory, so that it only is in
effect if nothing else overrides it.
2016-12-21 19:09:29 +01:00
Lennart Poettering
6f4e2f97d7 units: drop --fail parameter from "systemctl switch-root" invocation
This parameter has no effect on switch root hence we shouldn't specify it.
2016-12-20 20:00:09 +01:00
Zbigniew Jędrzejewski-Szmek
953bf4604f units: add system-update-cleanup.service to guard against offline-update loops
Note: the name is "system-update-cleanup.service" rather than
"system-update-done.service", because it should not run normally, and also
because there's already "systemd-update-done.service", and having them named
so similarly would be confusing.

In https://bugzilla.redhat.com/show_bug.cgi?id=1395686 the system repeatedly
entered system-update.target on boot. Because of a packaging issue, the tool
that created the /system-update symlink could be installed without the service
unit that was supposed to perform the upgrade (and remove the symlink). In
fact, if there are no units in system-update.target, and /system-update symlink
is created, systemd always "hangs" in system-update.target. This is confusing
for users, because there's no feedback what is happening, and fixing this
requires starting an emergency shell somehow, and also knowing that the symlink
must be removed. We should be more resilient in this case, and remove the
symlink automatically ourselves, if there are no upgrade service to handle it.

This adds a service which is started after system-update.target is reached and
the symlink still exists. It nukes the symlink and reboots the machine. It
should subsequently boot into the default default.target.

This is a more general fix for
https://bugzilla.redhat.com/show_bug.cgi?id=1395686 (the packaging issue was
already fixed).
2016-11-29 01:40:34 -05:00
Zbigniew Jędrzejewski-Szmek
2b656050b6 man: update the description of offline updates
- use "service" instead of "script", because various offline updaters that we have
  aren't really scripts, e.g. dnf-plugin-system-upgrade, packagekit-offline-update,
 fwupd-offline-update.
- strongly recommend After=sysinit.target, Wants=sysinit.target
- clarify a bit what should happen when multiple update services are started
- replace links to the wiki with refs to the man page that replaced it.
2016-11-29 01:40:34 -05:00
Franck Bui
acc28e2e30 core: make sure initrd-switch-root command survives PID1's killing spree (#4730)
This is a different way to implement the fix proposed by commit
a4021390fe suggested by Lennart Poettering.

In this patch we instruct PID1 to not kill "systemctl switch-root" command
started by initrd-switch-root service using the "argv[0][0]='@'" trick.

See: https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/ for
more details.

We had to backup argv[0] because argv is modified by dispatch_verb().
2016-11-24 18:52:04 +01:00
Lennart Poettering
bbe16abb61 Merge pull request #4710 from martinpitt/networkd-dbus
networkd: allow networkd to start in early boot
2016-11-24 01:58:33 +01:00
Martin Pitt
5f004d1e32 networkd: allow networkd to start in early boot
With the previous improvements, networkd.service's "After=dbus.service" can now
be dropped. That ordering effectively forced networkd.service to run in late
boot only (dbus.service was rejected to run in early boot in
https://bugs.freedesktop.org/show_bug.cgi?id=98254).

Fixes #4504
2016-11-23 17:05:11 +01:00
Franck Bui
a4021390fe core: consider SIGTERM as a clean exit status for initrd-switch-root.service (#4713)
Since commit 1f0958f640, systemd considers SIGTERM for short-running
services (aka Type=oneshot) as a failure.

This can be an issue with initrd-switch-root.service as the command run by this
service (in order to switch to the new rootfs) may still be running when
systemd does the switch.

However PID1 sends SIGTERM to all remaining processes right before
switching and initrd-switch-root.service can be one of those.

After systemd is reexecuted and its previous state is deserialized, systemd
notices that initrd-switch-root.service was killed with SIGTERM and considers
this as a failure which leads to the emergency shell.

To prevent this, this patch teaches systemd to consider a SIGTERM exit as a
clean one for this service.

It also removes "KillMode=none" since this is pretty useless as the service is
never stopped by systemd but it either exits normally or it's killed by a
SIGTERM as described previously.
2016-11-23 16:31:24 +01:00
Zbigniew Jędrzejewski-Szmek
b878b618ad units: disable /sys/fs/fuse/connections in private user namespaces (#4592)
The mount fails, even though CAP_SYS_ADMIN is granted.

Only file systems with FU_USERNS_MOUNT in .fs_flags may be mounted in userns,
and the patch to add that fusectl was rejected [1]. It would be nice if we
could check if the kernel has FU_USERNS_MOUNT for a given fs type, since this
could change over time, but this information doesn't seem to be exported.
So let's just skip this mount in userns to avoid an error during boot.

[1] https://patchwork.kernel.org/patch/2828269/
2016-11-11 19:00:33 +01:00
Evgeny Vereshchagin
492466c1b5 Merge pull request #4442 from keszybz/detect-virt-userns
detect-virt: add --private-users switch to check if a userns is active; add Condition=private-users
2016-10-27 13:16:16 +03:00
Zbigniew Jędrzejewski-Szmek
4bb30aeaf8 units: disable /dev/hugepages in private user namespaces
The mount fails, even though CAP_SYS_ADMIN is granted.
2016-10-26 20:12:52 -04:00
Lennart Poettering
828d92acbc core: drop -.slice from shipped units
Since this unit is synthesized anyway there's no point in actually shipping it
on disk. This also has the benefit that "cd /usr/lib/systemd/system ; ls *"
won't be confused by the leading dash of the file name anymore.
2016-10-24 20:49:48 +02:00
Lennart Poettering
411e869f49 sysctl: run sysctl service if /proc/sys/net is writable (#4425)
This simply changes this line:

    ConditionPathIsReadWrite=/proc/sys/

to this:

     ConditionPathIsReadWrite=/proc/sys/net/

The background for this is that the latter is namespaced through network
namespacing usually and hence frequently set as writable in containers, even
though the former is kept read-only. If /proc/sys is read-only but
/proc/sys/net is writable we should run the sysctl service, as useful settings
may be made in this case.

Fixes: #4370
2016-10-20 19:36:28 +02:00
Lennart Poettering
2fa4f10835 units: extend stop timeout for user@.service to 120s (#4426)
By default all user and all system services get stop timeouts for 90s. This is
problematic as the user manager of course is run as system service. Thus, if
the default time-out is hit for any user service, then it will also be hit for
user@.service as a whole, thus making the whole concept useless for user
services.

This patch extends the stop timeout to 120s for user@.service hence, so that
that the user service manager has ample time to process user services timing
out.

(The other option would have been to shorten the default user service timeout,
but I think a user service should get the same timeout by default as a system
service)

Fixes: #4206
2016-10-20 17:45:27 +02:00
Yu Watanabe
3f2a3726d0 units: journal-upload Wants= and After=network-online.target (#4354)
To upload journal entries to a remote server, it is required that
the network is online.
2016-10-12 11:13:13 +02:00
Yu Watanabe
a8cb1dc3e0 units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345)
`systemctl isolate initrd-switch-root.target` called by initrd-cleanup.service
kills initrd-cleanup.service itself. Then, initrd-cleanup.service failed and
system goes to emergency shell.
To prevent this problem, this commit adds `Wants=initrd-cleanup.service` to
initrd-switch-root.target.

fixes: #4343.
2016-10-11 14:36:14 +02:00
Franck Bui
84a69ca9ba unit: drop console-shell.service (#4298) (#4325)
console-shell.service was supposed to be useful for normal clean boots
(i.e. multi-user.target or so), as a replacement for logind/getty@.service for
simpler use cases.

But due to the lack of documentation and sanity check one can easily be
confused and enable this service in // with getty@.service.

In this case we end up with both services sharing the same tty which ends up in
strange results.

Even worse, console-shell.service might be failing while getty@.service tries
to acquire the terminal which ends up in the system to poweroff since
console-shell.service uses:

  "ExecStopPost=-/usr/bin/systemctl poweroff".

Another issue: this service doesn't work well if plymouth is also used since it
lets the splash screen program run and mess the tty (at least a "plymouth quit"
is missing).

So let's kill it for now.
2016-10-10 12:06:26 +02:00
Yu Watanabe
94f42fe3a6 units: systemd-udevd: add AF_INET and AF_INET6 to RestrictAddressFamilies= (#4296)
The udev builtin command `net_setup_link` requires AF_INET and AF_INET6.

Fixes #4293.
2016-10-06 15:40:53 +02:00
Lennart Poettering
0c28d51ac8 units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.

Specifically:

- Turn on RestrictRealtime=yes for all of them

- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
  them

- Turn on RestrictAddressFamilies= for all of them, but different sets of
  address families for each

Also, always order settings in the unit files, that the various sandboxing
features are close together.

Add a couple of missing, older settings for a numbre of unit files.

Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
2016-09-25 10:52:57 +02:00
Lennart Poettering
f6eb19a474 units: permit importd to mount stuff
Fixes #3996
2016-09-25 10:52:57 +02:00
Michal Sekletar
51bce29f8e units: remove udev control socket when systemd stops the socket unit (#4039)
Mere presence of the socket in the filesystem makes
udev_queue_get_udev_is_active() return that udev is running. Note that,
udev on exit doesn't unlink control socket nor does systemd. Thus socket
stays around even when both daemon and socket are stopped. This causes
problems for cryptsetup because when it detects running udev it launches
synchronous operations that *really* require udev. This in turn may
cause blocking and subsequent timeout in systemd-cryptsetup on reboot
while machine is in a state that udev and its control socket units are
stopped, e.g. emergency mode.

Fixes #2477
2016-08-26 00:07:58 +02:00
Lennart Poettering
a457bd26cc Merge pull request #3955 from keszybz/fix-preset-all
Fix preset-all
2016-08-19 19:10:30 +02:00
Zbigniew Jędrzejewski-Szmek
de78fa9ba0 units: install user units as real files, not symlinks to ../system/
This was causing preset-all --global to create symlinks:

$ systemctl preset-all --global --root=/var/tmp/inst1
Created symlink /var/tmp/inst1/etc/systemd/user/shutdown.target → /usr/lib/systemd/user/../system/shutdown.target.
Created symlink /var/tmp/inst1/etc/systemd/user/sockets.target → /usr/lib/systemd/user/../system/sockets.target.
Created symlink /var/tmp/inst1/etc/systemd/user/timers.target → /usr/lib/systemd/user/../system/timers.target.
Created symlink /var/tmp/inst1/etc/systemd/user/paths.target → /usr/lib/systemd/user/../system/paths.target.
Created symlink /var/tmp/inst1/etc/systemd/user/bluetooth.target → /usr/lib/systemd/user/../system/bluetooth.target.
Created symlink /var/tmp/inst1/etc/systemd/user/printer.target → /usr/lib/systemd/user/../system/printer.target.
Created symlink /var/tmp/inst1/etc/systemd/user/sound.target → /usr/lib/systemd/user/../system/sound.target.
Created symlink /var/tmp/inst1/etc/systemd/user/smartcard.target → /usr/lib/systemd/user/../system/smartcard.target.
Created symlink /var/tmp/inst1/etc/systemd/user/busnames.target → /usr/lib/systemd/user/../system/busnames.target.

It is better to create units in a state that completely matches the presets, i.e.
preset-all should do nothing when invoked immediately after installation.

I'm sure it was confusing to users too, suggesting that system and user units
may somehow alias each other.
2016-08-19 09:55:55 -04:00
Zbigniew Jędrzejewski-Szmek
04d0f7e9f9 units: do not start load-random-seed in containers (#3941)
Random numbers are provided by the host kernel, we don't need to do anything.

https://bugzilla.redhat.com/show_bug.cgi?id=1329124
2016-08-13 17:15:19 +02:00
Martin Pitt
98d2d46876 units: add graphical-session-pre.target user unit (#3848)
This complements graphical-session.target for services which set up the
environment (e. g. dbus-update-activation-environment) and need to run before
the actual graphical session.
2016-08-02 08:56:45 -04:00
tblume
7633f8ef37 systemd-ask-password: make sure directory watch is started before cryptsetup (#3850)
The password directory watch should get ordered before cryptsetup to make sure
that the password for unlocking the crypt device gets prompted.
2016-08-02 08:55:25 -04:00
Zbigniew Jędrzejewski-Szmek
0fbd465f41 Merge pull request #3742 from msoltyspl/vconfix2
vconsole-setup: updates & fixes V2
2016-07-28 23:59:06 -04:00
Michal Soltys
8125e8d38e vconsole: Don't do static installation under sysinit.target
Udev rules cover all the necessary initializations.

As the service now is neither installed, nor installable - we can
remove explicit dependencies and RemainAfterExit=yes option.
2016-07-27 00:57:01 +02:00
Martin Pitt
c92fcc4f43 units: add graphical-session.target user unit (#3678)
This unit acts as a dynamic "alias" target for any concrete graphical user
session like gnome-session.target; these should declare
"BindsTo=graphical-session.target" so that both targets stop and start at the
same time.

This allows services that run in a particular graphical user session (e. g.
gnome-settings-daemon.service) to declare "PartOf=graphical-session.target"
without having to know or get updated for all/new session types. This will
ensure that stopping the graphical session will stop all services which are
associated to it.
2016-07-25 22:01:35 +02:00
Michal Soltys
5ed020d8d1 getty@.service.m4: add Conflicts=/Before= against rescue.service (#3792)
If user isolates rescue target from multi-user or graphical target (or just
starts the service), IgnoreOnIsolate will cause issues with sulogin which is
directly started on current virtual console. This patch adds necessary
Conflicts= and Before= against rescue.service.

Note that this is not needed for emergency target, as implicit Requires= and
After= against sysinit.target is in effect for this service
(DefaultDependencies=yes).
2016-07-25 16:18:00 +02:00
Alessandro Puccetti
54cd6556b3 nspawn: set DevicesPolicy closed and clean up duplicated devices 2016-07-22 16:08:26 +02:00
Martin Pitt
5c3c778014 Merge pull request #3764 from poettering/assorted-stuff-2
Assorted fixes
2016-07-22 09:10:04 +02:00
Alessandro Puccetti
31d28eabc1 nspawn: enable major=0/minor=0 devices inside the container (#3773)
https://github.com/systemd/systemd/pull/3685 introduced
/run/systemd/inaccessible/{chr,blk} to map inacessible devices,
this patch allows systemd running inside a nspawn container to create
/run/systemd/inaccessible/{chr,blk}.
2016-07-21 17:39:38 +02:00
Lennart Poettering
8d36b53a2d units: fix TasksMax=16384 for systemd-nspawn@.service
When a container scope is allocated via machined it gets 16K set already since
cf7d1a30e4. Make sure when a container is run as
system service it gets the same values.
2016-07-20 14:53:15 +02:00
Martin Pitt
bed48d6655 Merge pull request #3572 from poettering/machinectl-shell-fix
machinectl: interpret options placed between "shell" verb and machine name
2016-06-26 17:46:23 +02:00
Tom Gundersen
a2c28c6451 Merge pull request #3549 from poettering/resolved-more
resolved: more fixes, among them "systemctl-resolve --status" to see DNS configuration in effect, and a local DNS stub listener on 127.0.0.53
2016-06-24 01:26:25 +02:00
Franck Bui
de2edc008a udev: bump TasksMax to inifinity (#3593)
udevd already limits its number of workers/children: the max number is actually
twice the number of CPUs the system is using.

(The limit can also be raised with udev.children-max= kernel command line
option BTW).

On some servers, this limit can easily exceed the maximum number of tasks that
systemd put on all services, which is 512 by default.

Since udevd has already its limitation logic, simply disable the static
limitation done by TasksMax.
2016-06-23 22:31:01 +02:00
Martin Pitt
2f9df7c96a units: add nosuid and nodev options to tmp.mount (#3575)
This makes privilege escalation attacks harder by putting traps and exploits
into /tmp.

https://bugs.debian.org/826377
2016-06-22 12:32:59 +02:00
Lennart Poettering
5b566d2475 units: machined needs mount-related syscalls for its namespacing operations
Specifically "machinectl shell" (or its OpenShell() bus call) is implemented by
entering the file system namespace of the container  and opening a TTY there.
In order to enter the file system namespace, chroot() is required, which is
filtered by SystemCallFilter='s @mount group. Hence, let's make this work again
and drop @mount from the filter list.
2016-06-21 21:32:17 +02:00
Lennart Poettering
6f696ca30c emergency.service: Don't say "Welcome" when it's an emergency (#3569)
Quoting @cgwalters:

        Just uploading this as an RFC.  Now I know reading the code that systemd says
        `Welcome to $OS` as a generic thing, but my initial impression on seeing this
        was that it was almost sarcastic =)

        Let's say "You are in emergency mode" as a more neutral/less excited phrase.

This patch is based on #3556, but makes the same change for rescue mode.
2016-06-21 16:09:47 +02:00
Lennart Poettering
b30bf55d5c resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.

Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.

The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).

Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.

In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.

This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.

In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.

resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.

This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 14:15:23 +02:00
Lennart Poettering
4e069746fe units: tighten system call filters a bit
Take away kernel keyring access, CPU emulation system calls and various debug
system calls from the various daemons we have.
2016-06-13 16:25:54 +02:00
Topi Miettinen
40093ce5dd units: add a basic SystemCallFilter (#3471)
Add a line
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
for daemons shipped by systemd. As an exception, systemd-timesyncd
needs @clock system calls and systemd-localed is not privileged.
ptrace(2) is blocked to prevent seccomp escapes.
2016-06-09 09:32:04 +02:00
Topi Miettinen
40652ca479 units: enable MemoryDenyWriteExecute (#3459)
Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.

Closes: #3459
2016-06-08 14:23:37 +02:00
Franck Bui
ce3eb7790c units: wait for plymouth to shut down in rescue.sevice (#3367)
In the same vein as commit ac59f0c12c which added
the --wait option to the emergency service, this patch makes sure that plymouth
has exited before entering into the rescue mode.
2016-06-01 11:52:35 +02:00
Lennart Poettering
0525107594 units: restore ConditionNeesUpdate=/etc in ldconfig.service (#3311)
In order to support stateless systems that support offline /usr updates
properly, let's restore the ConditionNeesUpdate=/etc line that makes sure we
are run when /usr is updated and this update needs to be propagated to the
/etc/ld.so.conf file stored in /etc.

This reverts part of #2859, which snuck this change in, but really shouldn't
have.
2016-05-21 17:09:18 -04:00
Daniel Drake
7163e1ca11 Create initrd-root-device.target synchronization point (#3239)
Add a synchronization point so that custom initramfs units can run
after the root device becomes available, before it is fsck'd and
mounted.

This is useful for custom initramfs units that may modify the
root disk partition table, where the root device is not known in
advance (it's dynamically selected by the generators).
2016-05-12 18:42:39 +02:00
tblume
2a44df950f units: make sure that fsck is executed before quotacheck
fsck determines wheter an automatic quotacheck should be executed.
Hence fsck service needs to run before quotacheck service.
2016-05-10 14:10:17 +02:00
Martin Pitt
3136ec90ad Stop syslog.socket when entering emergency mode (#3130)
When enabling ForwardToSyslog=yes, the syslog.socket is active when entering
emergency mode. Any log message then triggers the start of rsyslog.service (or
other implementation) along with its dependencies such as local-fs.target and
sysinit.target. As these might fail themselves (e. g. faulty /etc/fstab), this
breaks the emergency mode.

This causes syslog.socket to fail with "Failed to queue service startup job:
Transition is destructive".

Add Conflicts=syslog.socket to emergency.service to make sure the socket is
stopped when emergency.service is started.

Fixes #266
2016-04-27 10:34:24 +02:00
Lennart Poettering
d7fe83bbc2 Merge pull request #3093 from poettering/nspawn-userns-magic
nspawn automatic user namespaces
2016-04-26 14:57:04 +02:00
Lennart Poettering
c34b73d050 machined: add CAP_MKNOD to capabilities to run with (#3116)
Container images from Debian or suchlike contain device nodes in /dev. Let's
make sure we can clone them properly, hence pass CAP_MKNOD to machined.

Fixes: #2867 #465
2016-04-25 15:38:56 -04:00
Lennart Poettering
af88764ff8 units: turn on user namespace by default in systemd-nspawn@.service
Now that user namespacing is supported in a pretty automatic way, actually turn
it on by default if the systemd-nspawn@.service template is used.
2016-04-25 12:16:03 +02:00
Lennart Poettering
8c85680478 units: order systemd-user-sessions.service after network.target
That way we can be sure that local users are logged out before the network is
shut down when the system goes down, so that SSH session should be ending
cleanly before the system goes down.

Fixes: #2390
2016-04-22 16:17:00 +02:00
frankheckenbach
a11fe93e04 tmp.mount.hm4: After swap.target (#3087)
fix issue #2930
2016-04-22 14:21:30 +02:00