cgroup: remove support for NetClass= directive Support for net_cls.class_id through the NetClass= configuration directive has been added in v227 in preparation for a per-unit packet filter mechanism. However, it turns out the kernel people have decided to deprecate the net_cls and net_prio controllers in v2. Tejun provides a comprehensive justification for this in his commit, which has landed during the merge window for kernel v4.5: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d671 As we're aiming for full support for the v2 cgroup hierarchy, we can no longer support this feature. Userspace tool such as nftables are moving over to setting rules that are specific to the full cgroup path of a task, which obsoletes these controllers anyway. This commit removes support for tweaking details in the net_cls controller, but keeps the NetClass= directive around for legacy compatibility reasons.

tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

core: make the StartLimitXYZ= settings generic and apply to any kind of unit, not just services This moves the StartLimitBurst=, StartLimitInterval=, StartLimitAction=, RebootArgument= from the [Service] section into the [Unit] section of unit files, and thus support it in all unit types, not just in services. This way we can enforce the start limit much earlier, in particular before testing the unit conditions, so that repeated start-up failure due to failed conditions is also considered for the start limit logic. For compatibility the four options may also be configured in the [Service] section still, but we only document them in their new section [Unit]. This also renamed the socket unit failure code "service-failed-permanent" into "service-start-limit-hit" to express more clearly what it is about, after all it's only triggered through the start limit being hit. Finally, the code in busname_trigger_notify() and socket_trigger_notify() is altered to become more alike. Fixes: #2467

core: clarify which unit file is masked in error message After all, the masked unit file error might be returned when enqueuing a unit that is not masked but requires a masked unit. In this case it should really be clear which unit is meant here.

core: store for each unit when the last low-level unit state change took place This adds a new timestamp field to the Unit struct, storing when the last low-level state change took place, and make sure this is restored after a daemon reload. This new field is useful to allow restarting of per-state timers exactly where they originally started.

core: let's check access before type modification

core: refactoring: add job_type_to_access_method remove duplication

core: fix selinux check for reload Fixes: -bash-4.3# echo 1 >/sys/fs/selinux/enforce -bash-4.3# runcon -t systemd_test_start_t systemctl start hola -bash-4.3# sesearch --allow -s systemd_test_reload_t -c service Found 1 semantic av rules: allow systemd_test_reload_t systemd_unit_file_t : service reload ; -bash-4.3# runcon -t systemd_test_reload_t systemctl reload hola Failed to reload hola.service: Access denied See system logs and 'systemctl status hola.service' for details. -bash-4.3# journalctl -b | grep -i user_avc | grep reload USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' avc: denied { start } for auid=0 uid=0 gid=0 path="/etc/systemd/system/hola.service" cmdline="systemctl reload hola" scontext=unconfined_u:unconfined_r:systemd_test_reload_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service See https://fedoraproject.org/wiki/Features/SELinuxSystemdAccessControl#Documentation

core: make sure "systemctl reload-or-try-restart is actually a noop if a unit is not running This makes sure we follow the same basic logic for try-restart if we have a try-reload. Fixes #688

tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.

Introduce bus_unit_check_load_state() helper This function is used to check that a previous unit load succeed and returns 0 in this case. In the case the load failed, the function setup a bus error accordingly and returns -errno.

core: drop "override" flag when building transactions Now that we don't have RequiresOverridable= and RequisiteOverridable= dependencies anymore, we can get rid of tracking the "override" boolean for jobs in the job engine, as it serves no purpose anymore. While we are at it, fix some error messages we print when invoking functions that take the override parameter.

core: remove support for RequiresOverridable= and RequisiteOverridable= As discussed at systemd.conf 2015 and on also raised on the ML: http://lists.freedesktop.org/archives/systemd-devel/2015-November/034880.html This removes the two XyzOverridable= unit dependencies, that were basically never used, and do not enhance user experience in any way. Most folks looking for the functionality this provides probably opt for the "ignore-dependencies" job mode, and that's probably a good idea. Hence, let's simplify systemd's dependency engine and remove these two dependency types (and their inverses). The unit file parser and the dbus property parser will now redirect the settings/properties to result in an equivalent non-overridable dependency. In the case of the unit file parser we generate a warning, to inform the user. The dbus properties for this unit type stay available on the unit objects, but they are now hidden from usual introspection and will always return the empty list when queried. This should provide enough compatibility for the few unit files that actually ever made use of this.

Remove snapshot unit type Snapshots were never useful or used for anything. Many systemd developers that I spoke to at systemd.conf2015, didn't even know they existed, so it is fairly safe to assume that this type can be deleted without harm. The fundamental problem with snapshots is that the state of the system is dynamic, devices come and go, users log in and out, timers fire... and restoring all units to some state from the past would "undo" those changes, which isn't really possible. Tested by creating a snapshot, running the new binary, and checking that the transition did not cause errors, and the snapshot is gone, and snapshots cannot be created anymore. New systemctl says: Unknown operation snapshot. Old systemctl says: Failed to create snapshot: Support for snapshots has been removed. IgnoreOnSnaphost settings are warned about and ignored: Support for option IgnoreOnSnapshot= has been removed and it is ignored http://lists.freedesktop.org/archives/systemd-devel/2015-November/034872.html

util-lib: split out allocation calls into alloc-util.[ch]

user-util: move UID/GID related macros from macro.h to user-util.h

util-lib: move more locale-related calls to locale-util.[ch]

core: don't allow manual start with reload-or-restart too fix bug: systemctl reload-or-restart starts a service with RefuseManualStart=yes

util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.

core: fix type of NetClass dbus property it's exposed as uint32_t and it is internally an uint32_t, hence no need to treat it as an unsigned.

cgroup: add support for net_cls controllers Add a new config directive called NetClass= to CGroup enabled units. Allowed values are positive numbers for fix assignments and "auto" for picking a free value automatically, for which we need to keep track of dynamically assigned net class IDs of units. Introduce a hash table for this, and also record the last ID that was given out, so the allocator can start its search for the next 'hole' from there. This could eventually be optimized with something like an irb. The class IDs up to 65536 are considered reserved and won't be assigned automatically by systemd. This barrier can be made a config directive in the future. Values set in unit files are stored in the CGroupContext of the unit and considered read-only. The actually assigned number (which may have been chosen dynamically) is stored in the unit itself and is guaranteed to remain stable as long as the unit is active. In the CGroup controller, set the configured CGroup net class to net_cls.classid. Multiple unit may share the same net class ID, and those which do are linked together.

core: add support for the "pids" cgroup controller This adds support for the new "pids" cgroup controller of 4.3 kernels. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new setting TasksAccounting= and TasksMax= to each unit, as well as a gloabl option DefaultTasksAccounting=. This also updated "cgtop" to optionally make use of the new kernel-provided accounting. systemctl has been updated to show the number of tasks for each service if it is available. This patch also adds correct support for undoing memory limits for units using a MemoryLimit=infinity syntax. We do the same for TasksMax= now and hence keep things in sync here.

core: pass details to polkit for some unit actions The following details are passed: - unit: the primary name of the unit upon which the action was invoked (i.e. after resolving any aliases); - verb: one of 'start', 'stop', 'reload', 'restart', 'try-restart', 'reload-or-restart', 'reload-or-try-restart', 'kill', 'reset-failed', or 'set-property', corresponding to the systemctl verb used to invoke the action. Typical use of these details in a polkit policy rule might be: // Allow alice to manage example.service; // fall back to implicit authorization otherwise. polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit") == "example.service" && subject.user == "alice") { return polkit.Result.YES; } }); We also supply a custom polkit message that includes the unit's name and the requested operation.

core: unified cgroup hierarchy support This patch set adds full support the new unified cgroup hierarchy logic of modern kernels. A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is added. If specified the unified hierarchy is mounted to /sys/fs/cgroup instead of a tmpfs. No further hierarchies are mounted. The kernel command line option defaults to off. We can turn it on by default as soon as the kernel's APIs regarding this are stabilized (but even then downstream distros might want to turn this off, as this will break any tools that access cgroupfs directly). It is possibly to choose for each boot individually whether the unified or the legacy hierarchy is used. nspawn will by default provide the legacy hierarchy to containers if the host is using it, and the unified otherwise. However it is possible to run containers with the unified hierarchy on a legacy host and vice versa, by setting the $UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0, respectively. The unified hierarchy provides reliable cgroup empty notifications for the first time, via inotify. To make use of this we maintain one manager-wide inotify fd, and each cgroup to it. This patch also removes cg_delete() which is unused now. On kernel 4.2 only the "memory" controller is compatible with the unified hierarchy, hence that's the only controller systemd exposes when booted in unified heirarchy mode. This introduces a new enum for enumerating supported controllers, plus a related enum for the mask bits mapping to it. The core is changed to make use of this everywhere. This moves PID 1 into a new "init.scope" implicit scope unit in the root slice. This is necessary since on the unified hierarchy cgroups may either contain subgroups or processes but not both. PID 1 hence has to move out of the root cgroup (strictly speaking the root cgroup is the only one where processes and subgroups are still allowed, but in order to support containers nicey, we move PID 1 into the new scope in all cases.) This new unit is also used on legacy hierarchy setups. It's actually pretty useful on all systems, as it can then be used to filter journal messages coming from PID 1, and so on. The root slice ("-.slice") is now implicitly created and started (and does not require a unit file on disk anymore), since that's where "init.scope" is located and the slice needs to be started before the scope can. To check whether we are in unified or legacy hierarchy mode we use statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in legacy mode, if it reports cgroupfs we are in unified mode. This patch set carefuly makes sure that cgls and cgtop continue to work as desired. When invoking nspawn as a service it will implicitly create two subcgroups in the cgroup it is using, one to move the nspawn process into, the other to move the actual container processes into. This is done because of the requirement that cgroups may either contain processes or other subgroups.

unit: unify how we assing slices to units This adds a new call unit_set_slice(), and simplifies unit_add_default_slice(). THis should make our code a bit more robust and simpler.

unit: add new macros to test for unit contexts

core: add unit_dbus_interface_from_type() to unit-name.h Let's add a way to get the type-specific D-Bus interface of a unit from either its type or name to src/basic/unit-name.[ch]. That way we can share it with the client side, where it is useful in tools like cgls or machinectl. Also ports over machinectl to make use of this.

core: report root cgroup as "/" over the bus Internally, the root cgroup is stored as the empty string in Unit.cgroup_path, and "no cgroup" as NULL. Unfortunately, D-Bus does not know a NULL concept, hence when reporting the cgroup to clients we should turn the root cgroup into "/", and leave the empty string for the "no cgroup" case. This should make sure that "systemctl status -- -.slice" works correctly and shows the entire cgroup tree.

core: fix OOM checks in dbus-unit CID#1299014

core: introduce seperate reverse dependencies for Requires= and Requisite= This allows us to ensure that Requisite= dependencies never cause propagation between units, while Requires= dependencies might. http://lists.freedesktop.org/archives/systemd-devel/2015-May/031742.html

core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters

core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name

sd-bus: drop bus parameter from message callback prototype This should simplify the prototype a bit. The bus parameter is redundant in most cases, and in the few where it matters it can be derived from the message via sd_bus_message_get_bus().

core: expose consumed CPU time per unit This adds support for showing the accumulated consumed CPU time per-unit in the "systemctl status" output. The property is also readable via the bus.

remove unused includes This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.

core: rework policykit hookup - Always issue selinux access check as early as possible, and PK check as late as possible. - Introduce a new policykit action for altering environment - Open most remaining bus calls to unprivileged clients via PK

core: open up DefaultDependencies= property for transient units

core: add a property that shows the current memory usage of a unit This is exposed the memory.usage_in_bytes cgroup property on the bus, and makes "systemctl status" show it in its default output.

core: properly pass unit file state to clients via the bus

sd-bus: move common errors src/shared/bus-errors.h → src/libsystemd/sd-bus/bus-common-errors.h Stuff in src/shared/ should not use stuff from src/libsystemd/ really.

systemctl: show unit file preset state in "systemctl status" output"

treewide: no need to negate errno for log_*_errno() It corrrectly handles both positive and negative errno values.

treewide: auto-convert the simple cases to log_*_errno() As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().

core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met

condition: record test state internally and beef it up to be a full enum

bus: use STR_IN_SET

mac: add mac_ prefix to distinguish origin security apis

job: optionally, when a job timeout is hit, also execute a failure action

core: Verify systemd1 DBus method callers via polkit DBus methods that retrieve information can be called by anyone. DBus methods that modify state of units are verified via polkit action: org.freedesktop.systemd1.manage-units DBus methods that modify state of unit files are verified via polkit action: org.freedesktop.systemd1.manage-unit-files DBus methods that reload the entire daemon state are verified via polkit action: org.freedesktop.systemd1.reload-daemon DBus methods that modify job state are callable from the clients that started the job. root (ie: CAP_SYS_ADMIN) can continue to perform all calls, property access etc. There are several DBus methods that can only be called by root. Open up the dbus1 policy for the above methods. (Heavily modified by Lennart, making use of the new bus_verify_polkit_async() version that doesn't force us to always pass the original callback around. Also, interactive auhentication must be opt-in, not unconditional, hence I turned this off.)

core: Rename Job.subscribed field to Job.clients This reflects how this field will be used, to not only track where to send signals, but also which callers (other than root) are allowed to call DBus methods on the Job.

core: no need to pass bus object to selinux access check calls anymore

dbus: suppress duplicate and misleading messages When we try to send a signal on a connection we didn't hae the time to process the Disconnected message yet, don't generate multiple warning messages, but only a single debug message. https://bugs.freedesktop.org/show_bug.cgi?id=75874

bus: add sd_bus_track object for tracking peers, and port core over to it This is primarily useful for services that need to track clients which reference certain objects they maintain, or which explicitly want to subscribe to certain events. Something like this is done in a large number of services, and not trivial to do. Hence, let's unify this at one place. This also ports over PID 1 to use this to ensure that subscriptions to job and manager events are correctly tracked. As a side-effect this makes sure we properly serialize and restore the track list across daemon reexec/reload, which didn't work correctly before. This also simplifies how we distribute messages to broadcast to the direct busses: we only track subscriptions for the API bus and implicitly assume that all direct busses are subscribed. This should be a pretty OK simplification since clients connected via direct bus connections are shortlived anyway.

api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.

core: fix property changes in transient units

core: fix oom check

Use enums to make it obvious what boolean params mean Suggested-by: Russ Allbery <rra@debian.org>

core: no need to list properties for PropertiesChanged messages anymore Since the vtable includes this information anyway, let's just use that

bus: decorate the various object vtables with SD_BUS_VTABLE_PROPERTY_CONST where appropriate

core: fix Unit.SetProperties argument parsing SetProperties has signature "ba(sv)", but the bus_unit_set_properties() helper already does a enter_container('a', "sv") so we have to skip it in bus_unit_method_set_properties().

service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces

core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable

core: fix bus serialization of conditions

core: don't warn loudly if we cannot send a bus signal to a disconnected client

core: fix deserialization of StartTransientUnit() parameters

bus: rework message handlers to always take an error argument Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.

bus: let's simplify things by getting rid of unnecessary bus parameters

core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.

bus: remove static introspection file export

list: make our list macros a bit easier to use by not requring type spec on each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.

cgroup: only check once when mode is UNIT_CHECK If the mode is UNIT_CHECK,it means we only want to check if the paramaters are valid. the first round of cycle already did this check, no need to check again.

systemd,systemctl: export condition status and show failing condition $ systemctl --user status hoohoo hoohoo.service Loaded: loaded (/home/zbyszek/.config/systemd/user/hoohoo.service; static) Active: inactive (dead) start condition failed at Tue 2013-06-25 18:08:42 EDT; 1s ago ConditionPathExists=/tmp/hoo was not met Full information is exported over D-Bus: [(condition, trigger, negate, param, state),...] where state is one of "failed" (<0), "untested" (0), "OK" (>0). I've decided to use 0 for "untested", because it might be useful to differentiate different types of failure later on, without breaking compatibility. systemctl shows the failing condition, if there was a non-trigger failing condition, or says "none of the trigger conditions were met", because there're often many trigger conditions, and they must all fail for the condition to fail, so printing them all would consume a lot of space, and bring unnecessary attention to something that is quite low-level.

core: simplify drop-in writing logic a bit let's make use of some format string magic!

core: when writing drop-in files, name them directly after the property we set Mapping from "FooBar" to "foo-bar" is unnecessary and makes it hard to handle many different properties with the same code, hence, let's just not do it.

user-sessions: rely on PID 1 to kill sessions As we want to centralized cgroup access we should stop killing the user sessions directly from the systemd-user-sessions service. Instead, rely on PID 1 doing this by adding the right ordering dependencies to the session scope units.

unit: save description/slice of transient units to /run This is necessary so that these properties survive a daemon reload.

core: while we are reloading don't suppress bus signals While we are reloading we shouldn't suppress adding units to the bus queue when there are no subscribers, simply because we might not have deserialized the subscribers list yet. Hence, during reloading always assume we have subscribers.

machined: sync to /run after job completed

core: add support to run transient units in arbitrary slices

core: move ControlGroup and Slice properties out of the dbus "Unit" interface Slice/ControlGroup only really makes sense for unit types which actually have cgroups attached to them, hence move them out of the generic Unit interface and into the specific unit type interfaces. These fields will continue to be part of Unit though, simply because things are a log easier that way. However, regardless how this looks internally we should keep things clean and independent of the specific implementation of the inside.

core: allow setting of the description string for transient units

core: add transient units Transient units can be created via the bus API. They are configured via the method call parameters rather than on-disk files. They are subject to normal GC. Transient units currently may only be created for services (however, we will extend this), and currently only ExecStart= and the cgroup parameters can be configured (also to be extended). Transient units require a unique name, that previously had no configuration file on disk. A tool systemd-run is added that makes use of this functionality to run arbitrary command lines as transient services: $ systemd-run /bin/ping www.heise.de Will cause systemd to create a new transient service and run ping in it.

unit: make sure the dropins we write are high-priority

dbus: add infrastructure for changing multiple properties at once on units and hook some cgroup attributes up to it This introduces two bus calls to make runtime changes to selected bus properties, optionally with persistence. This currently hooks this up only for three cgroup atributes, but this brings the infrastructure to add more changable attributes. This allows setting multiple attributes at once, and takes an array rather than a dictionary of properties, in order to implement simple resetting of lists using the same approach as when they are sourced from unit files. This means, that list properties are appended to by this call, unless they are first reset via assigning the empty list.

core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).

logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.

core: expose a "Slice" property on Unit objects on the bus

move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html

nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.

Replace s/Dropin/DropIn/

Introspect and monitor dropin configuration

Use bus_maybe_send_reply() where applicable This is a followup to: commit 1a37b9b9043ef83e9900e460a9a1fccced3acf89 It will fix denial messages from dbus-daemon between gdm and systemd-logind on logging into GNOME due to this. See the previous commit for more details.

unit: rework resource management API This introduces a new static list of known attributes and their special semantics. This means that cgroup attribute values can now be automatically translated from user to kernel notation for command line set settings, too. This also adds proper support for multi-line attributes.

honor SELinux labels, when creating and writing config files Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577

unit: optionally allow making cgroup attribute changes persistent

systemctl: add new "get-cgroup-attr" to query current cgroup attribute value Also adds a pair of bus calls for this to the daemon.

core: add bus API and systemctl commands for altering cgroup parameters during runtime

core/dbus-unit: modernize style

selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind

selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().

selinux: prefer source path over fragment path

selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE-----

man: fix a bunch of typos in docs https://bugs.freedesktop.org/show_bug.cgi?id=54501

dbus-unit: expose PartOf/ConsistsOf properties

core: drop KillMode parameter from KillUnit() bus call It made no sense, and since we are documenting the bus calls now and want to include them in our stability promise we really should get it cleaned up sooner, not later.

unit: rename BindTo= to BindsTo= all other dependencies are in 3rd person. Change BindTo= accordingly to BindsTo=. Of course, the dependency is widely used, hence we parse the old name too for compatibility.

units: remove service sysv_path variable and replace it by generic unit_path UnitPath= is also writable via native units and may be used by generators to clarify from which file a unit is generated. This patch also hooks up the cryptsetup and fstab generators to set UnitPath= accordingly.

units: introduce new Documentation= field and make use of it everywhere This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and decriptionary information of a service. This patch adds the necessary fields to all our shipped units if we have proper documentation for them.

dbus-unit: always load the unit before handling a message for it We need to be able to show the properties even of inactive units. systemctl loads the unit before getting its properties, but this is racy as the garbage collector may kick in right after the loading. Fix it by always loading the unit before handling a message for it. https://bugzilla.redhat.com/show_bug.cgi?id=814966#c6

unit: add new dependency type RequiresMountsFor= RequiresMountsFor= is a shortcut for adding requires and after dependencies to all mount units neeed for the specified paths. This solves a couple of issues regarding dep loop cycles for encrypted swap.

relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.

move libsystemd_core.la sources into core/