50f48ad37aad99c54de4db34b07c3825cdedcf41 |
|
10-Feb-2016 |
Daniel Mack <daniel@zonque.org> |
cgroup: remove support for NetClass= directive
Support for net_cls.class_id through the NetClass= configuration directive
has been added in v227 in preparation for a per-unit packet filter mechanism.
However, it turns out the kernel people have decided to deprecate the net_cls
and net_prio controllers in v2. Tejun provides a comprehensive justification
for this in his commit, which has landed during the merge window for kernel
v4.5:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d671
As we're aiming for full support for the v2 cgroup hierarchy, we can no
longer support this feature. Userspace tool such as nftables are moving over
to setting rules that are specific to the full cgroup path of a task, which
obsoletes these controllers anyway.
This commit removes support for tweaking details in the net_cls controller,
but keeps the NetClass= directive around for legacy compatibility reasons. |
89beff89edba592366b2960bd830d3f6e602c2c7 |
|
10-Feb-2016 |
Lennart Poettering <lennart@poettering.net> |
core: treat JobTimeout=0 as equivalent to JobTimeout=infinity
Corrects an incompatibility introduced with 36c16a7cdd6c33d7980efc2cd6a2211941f302b4.
Fixes: #2537 |
aad41f08144ab2333a3c42225c853d7d44f31c56 |
|
10-Feb-2016 |
Lennart Poettering <lennart@poettering.net> |
core: simplify how we parse TimeoutSec=, TimeoutStartSec= and TimeoutStopSec=
Let's make things more obvious by placing the parse_usec() invocation directly in config_parse_service_timeout(). |
b26fa1a2fbcfee7d03b0c8fd15ec3aa64ae70b9f |
|
10-Feb-2016 |
Daniel Mack <daniel@zonque.org> |
tree-wide: remove Emacs lines from all files
This should be handled fine now by .dir-locals.el, so need to carry that
stuff in every file. |
36c16a7cdd6c33d7980efc2cd6a2211941f302b4 |
|
01-Feb-2016 |
Lennart Poettering <lennart@poettering.net> |
core: rework unit timeout handling, and add new setting RuntimeMaxSec=
This clean-ups timeout handling in PID 1. Specifically, instead of storing 0 in internal timeout variables as
indication for a disabled timeout, use USEC_INFINITY which is in-line with how we do this in the rest of our code
(following the logic that 0 means "no", and USEC_INFINITY means "never").
This also replace all usec_t additions with invocations to usec_add(), so that USEC_INFINITY is properly propagated,
and sd-event considers it has indication for turning off the event source.
This also alters the deserialization of the units to restart timeouts from the time they were originally started from.
Before this patch timeouts would be restarted beginning with the time of the deserialization, which could lead to
artificially prolonged timeouts if a daemon reload took place.
Finally, a new RuntimeMaxSec= setting is introduced for service units, that specifies a maximum runtime after which a
specific service is forcibly terminated. This is useful to put time limits on time-intensive processing jobs.
This also simplifies the various xyz_spawn() calls of the various types in that explicit distruction of the timers is
removed, as that is done anyway by the state change handlers, and a state change is always done when the xyz_spawn()
calls fail.
Fixes: #2249 |
d0a7c5f69207b6719bab94893035fc8f5f6f87cb |
|
01-Feb-2016 |
Lennart Poettering <lennart@poettering.net> |
core: move parsing of rlimits into rlimit-util.[ch]
This way we can reuse it for parsing rlimit settings in "systemctl set-property" and related commands. |
755d4b67a471ed1a3472b8536cb51315d4e4e3c1 |
|
11-Jan-2016 |
Ismo Puustinen <ismo.puustinen@intel.com> |
capabilities: added support for ambient capabilities.
This patch adds support for ambient capabilities in service files. The
idea with ambient capabilities is that the execed processes can run with
non-root user and get some inherited capabilities, without having any
need to add the capabilities to the executable file.
You need at least Linux 4.3 to use ambient capabilities. SecureBit
keep-caps is automatically added when you use ambient capabilities and
wish to change the user.
An example system service file might look like this:
[Unit]
Description=Service for testing caps
[Service]
ExecStart=/usr/bin/sleep 10000
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
After starting the service it has these capabilities:
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000003fffffffff
CapAmb: 0000000000003000 |
a103496ca585e22bb5e386e3238b468d133f5659 |
|
11-Jan-2016 |
Ismo Puustinen <ismo.puustinen@intel.com> |
capabilities: keep bounding set in non-inverted format.
Change the capability bounding set parser and logic so that the bounding
set is kept as a positive set internally. This means that the set
reflects those capabilities that we want to keep instead of drop. |
cb48dfca6a8bc15d9081651001a16bf51e03838a |
|
12-Jan-2016 |
WaLyong Cho <walyong.cho@samsung.com> |
core: resolve specifier in config_parse_exec()
When parse ExecXXX=, specifiers are not resolved in
config_parse_exec(). Finally, the specifiers are set into unit
properties. So, systemctl shows not resolved speicifier on "Process:"
field.
To set the exec properties well, resolve specifiers before parse the
rvale by unit_full_printf(); |
4afd3348c7506dd1d36305b7bcb9feb8952b9d6b |
|
27-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008. |
0316f2aeebde7569d24a93ab788ac4bc1657b11b |
|
27-Nov-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: fix rlimit parsing
* refuse limits if soft > hard
* print an actual value instead of (null)
see https://github.com/systemd/systemd/pull/1994#issuecomment-159999123 |
91518d20ddf0376808544576d0ef0883cedc67d4 |
|
25-Nov-2015 |
Karel Zak <kzak@redhat.com> |
core: support <soft:hard> ranges for RLIMIT options
The new parser supports:
<value> - specify both limits to the same value
<soft:hard> - specify both limits
the size or time specific suffixes are supported, for example
LimitRTTIME=1sec
LimitAS=4G:16G
The patch introduces parse_rlimit_range() and rlim type (size, sec,
usec, etc.) specific parsers. No code is duplicated now.
The patch also sync docs for DefaultLimitXXX= and LimitXXX=.
References: https://github.com/systemd/systemd/issues/1769 |
e28bb14a8077fa042ceb5bff84e7d000614a41c0 |
|
24-Nov-2015 |
Susant Sahani <ssahani@gmail.com> |
core: mount flags remove FOREACH_WORD_SEPARATOR
FOREACH_WORD_SEPARATOR is no need here since we only
apply only one mount flag. The rvalue is sufficient for
this. |
74bb646ee5a812e91949c03fa461bc4bd7d2d7b8 |
|
18-Nov-2015 |
Susant Sahani <ssahani@gmail.com> |
socket: Add support for socket protcol
Now we don't support the socket protocol like
sctp and udplite .
This patch add a new config param
SocketProtocol: udplite/sctp
With this now we can configure the protocol as
udplite = IPPROTO_UDPLITE
sctp = IPPROTO_SCTP
Tested with nspawn: |
cf0fbc49e67b55f8d346fc94de28c90113505297 |
|
16-Nov-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
tree-wide: sort includes
Sort the includes accoding to the new coding style. |
0af20ea2ee2af2bcf2258e7a8e1a13181a6a75d6 |
|
13-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
core: add new DefaultTasksMax= setting for system.conf
This allows initializing the TasksMax= setting of all units by default
to some fixed value, instead of leaving it at infinity as before. |
f32b43bda454a70ae23d6802605d41b26dc24ce2 |
|
12-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
core: remove support for RequiresOverridable= and RequisiteOverridable=
As discussed at systemd.conf 2015 and on also raised on the ML:
http://lists.freedesktop.org/archives/systemd-devel/2015-November/034880.html
This removes the two XyzOverridable= unit dependencies, that were
basically never used, and do not enhance user experience in any way.
Most folks looking for the functionality this provides probably opt for
the "ignore-dependencies" job mode, and that's probably a good idea.
Hence, let's simplify systemd's dependency engine and remove these two
dependency types (and their inverses).
The unit file parser and the dbus property parser will now redirect
the settings/properties to result in an equivalent non-overridable
dependency. In the case of the unit file parser we generate a warning,
to inform the user.
The dbus properties for this unit type stay available on the unit
objects, but they are now hidden from usual introspection and will
always return the empty list when queried.
This should provide enough compatibility for the few unit files that
actually ever made use of this. |
c89f52ac6938374972253d8752ed65f3af0b3ef4 |
|
11-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
core: fix dependency parsing
3d793d29059a7ddf5282efa6b32b953c183d7a4d broke parsing of unit file
names that include backslashes, as extract_first_word() strips those.
Fix this, by introducing a new EXTRACT_RETAIN_ESCAPE flag which disables
looking at any flags, thus being compatible with the classic
FOREACH_WORD() behaviour. |
b4c14404b3e8753c41bac0b1d49369230a15c544 |
|
11-Nov-2015 |
Filipe Brandenburger <filbranden@google.com> |
execute: Add new PassEnvironment= directive
This directive allows passing environment variables from the system
manager to spawned services. Variables in the system manager can be set
inside a container by passing `--set-env=...` options to systemd-spawn.
Tested with an on-disk test.service unit. Tested using multiple variable
names on a single line, with an empty setting to clear the current list
of variables, with non-existing variables.
Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it
works with transient units.
Confirmed that `systemctl show` will display the PassEnvironment
settings.
Checked that man pages are generated correctly.
No regressions in `make check`. |
3d793d29059a7ddf5282efa6b32b953c183d7a4d |
|
10-Nov-2015 |
Susant Sahani <ssahani@gmail.com> |
core: unit deps port to extract_first_word |
a4c1800284e3546bbfab2dc19eb59bcb91c4a2ca |
|
10-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
core: accept time units for time-based resource limits
Let's make sure "LimitCPU=30min" can be parsed properly, following the
usual logic how we parse time values. Similar for LimitRTTIME=.
While we are at it, extend a bit on the man page section about resource
limits.
Fixes: #1772 |
d580265eb4bbbafabdb3b7f0b501c0b05b76b2b7 |
|
10-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
core: when parsing resource limits, be more careful with types and corner cases
Let's not convert RLIM_INFINITY to "unsigned long long" and then back to
rlim_t, but let's leave it in the right type right-away.
Parse resource limits as 64 bit in all cases, as according to the man
page that's what libc does anyway.
Make sure setting a resource limit to (uint64_t) -1 results in a parsing
error, and isn't implicitly converted to RLIM_INFINITY. |
65dce26488030eff078c498673d5d93e3c87b6a1 |
|
10-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
core: simplify parsing of capability bounding set settings
Let's generate a simple error, and that's it. Let's not try to be smart
and record the last word that failed.
Also, let's make sure we don't compare numeric values with 0 by relying
on C's downgrade-to-bool feature, as suggested in CODING_STYLE. |
6a0f3175dc83bf5f02733f218eda47b17df234fc |
|
07-Nov-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
core: remove unused variable
unused since 7b2313f5 |
412ea7a936ebaa5342a4c2abf48b9e408e6ba5dc |
|
06-Nov-2015 |
Karel Zak <kzak@redhat.com> |
core: support IEC suffixes for RLIMIT stuff
Let's make things more user-friendly and support for example
LimitAS=16G
rather than force users to always use LimitAS=16106127360.
The change is relevant for options:
[Default]Limit{FSIZE,DATA,STACK,CORE,RSS,AS,MEMLOCK,MSGQUEUE}
The patch introduces config_parse_bytes_limit(), it's the same as
config_parse_limit() but uses parse_size() tu support the suffixes.
Addresses: https://github.com/systemd/systemd/issues/1772 |
0293a7a8302d73806a04ecfe915e1aeeacdefd6f |
|
03-Nov-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: small fixes to parse_namespace
* don't hide ENOMEM
* log r instead of 0 |
7b2313f5caa3c48c23724cb9f575e2406c04edc4 |
|
03-Nov-2015 |
Susant Sahani <ssahani@gmail.com> |
core: parse socket port to extract_first_word |
9ef57298cc57b105c62e2f1dab9ef5837d910604 |
|
30-Oct-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: port config_parse_bounding_set to extract_first_word |
661b37b05be6720dc8678ba44ed6b321679aa260 |
|
29-Oct-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: fix capability bounding set parsing
bug: CapabilityBoundingSet= doesn't reset all caps |
7b3e062cb6872e28ef5a2e069810070e28bbe0cd |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
process-util: move a couple of process-related calls over |
b5efdb8af40ea759a1ea584c1bc44ecc81dd00ce |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out allocation calls into alloc-util.[ch] |
49cf4170d0b586551527ebf4297f8a3fe6bd71a3 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: move web-related calls into web-util.[ch] |
8fcde01280adcbd07e8205b91ac52b06305b6208 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split stat()/statfs()/stavfs() related calls into stat-util.[ch] |
f4f15635ec05293ffcc83a5b39f624bbabbd8fd0 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: move a number of fs operations into fs-util.[ch] |
6bedfcbb2970e06a4d3280c8fb62083d252ede73 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split string parsing related calls from util.[ch] into parse-util.[ch] |
b9d345b53ff0ee402c9dceee1bc14bf0d8907706 |
|
27-Oct-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: fix CapabilityBoundingSet merging
Fixes: #1221 |
3ffd4af22052963e7a29431721ee204e634bea75 |
|
25-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out fd-related operations into fd-util.[ch]
There are more than enough to deserve their own .c file, hence move them
over. |
07630cea1f3a845c09309f197ac7c4f11edd3b62 |
|
24-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch]
There are more than enough calls doing string manipulations to deserve
its own files, hence do something about it.
This patch also sorts the #include blocks of all files that needed to be
updated, according to the sorting suggestions from CODING_STYLE. Since
pretty much every file needs our string manipulation functions this
effectively means that most files have sorted #include blocks now.
Also touches a few unrelated include files. |
4f5dd3943bef8a04be7e3b838b822bb9a7ad6cb3 |
|
24-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util: split out escaping code into escape.[ch]
This really deserves its own file, given how much code this is now. |
dea7b6b043f0cd9e34ee719b9b612c3a4776387e |
|
24-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: rework extract_first_word_and_warn() a bit
- Really warn in all error cases, not just some. We need to make sure
that all errors are logged to not confuse the user.
- Explicitly check for EINVAL error code before claiming anything about
invalid escapes, could be ENOMEM after all. |
727f76d715e297f6e0ae409d5d9b1c8aa3c8987b |
|
22-Oct-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: use extract_first_word for namespace parsing
see https://github.com/systemd/systemd/pull/1632#issuecomment-149903791
We should port this loop over to extract_first_word(), too. |
5268dcef5a4d319e8a45f1371690a359b4f052ff |
|
21-Oct-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: fix namespace parsing
ReadOnlyDirectories=-/ works fine |
0245cf8167d34e483955b90da7f5d5f154ca57ef |
|
19-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
core: actually set pids_max field after parsing it
Fixes one of the issues pointed out in #1522. |
8dd4c05b5495c7ffe0f12ace87e71abe17bd0a0e |
|
06-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
core: add support for naming file descriptors passed using socket activation
This adds support for naming file descriptors passed using socket
activation. The names are passed in a new $LISTEN_FDNAMES= environment
variable, that matches the existign $LISTEN_FDS= one and contains a
colon-separated list of names.
This also adds support for naming fds submitted to the per-service fd
store using FDNAME= in the sd_notify() message.
This also adds a new FileDescriptorName= setting for socket unit files
to set the name for fds created by socket units.
This also adds a new call sd_listen_fds_with_names(), that is similar to
sd_listen_fds(), but also returns the names of the fds.
systemd-activate gained the new --fdname= switch to specify a name for
testing socket activation.
This is based on #1247 by Maciej Wereski.
Fixes #1247. |
618234a5258768359cb1086b152c5f08aaf89754 |
|
30-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
basic: split out cpu set specific APIs into cpu-set-util.[ch] |
765d143b5fc8dcb44f5fbd391ef36d0835793e7c |
|
30-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
util: rename parse_cpu_set() to parse_cpu_set_and_warn()
It's pretty untypical for our parsing functions to log on their own.
Clarify in the name that this one does. |
0e05ee044a6e23745bb8906ad91ec7b97c37dbac |
|
30-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
log: move log_invalid_utf8() to log.h
Also, make sure it follows the same scheme as log_syntax() does in its
behaviour. |
12ca818ffddb77eb6a0fabe369a5bcbf6994ff8b |
|
30-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: clean up log_syntax() usage
- Rely everywhere that we use abs() on the error code passed in anyway,
thus don't need to explicitly negate what we pass in
- Never attach synthetic error number information to log messages. Only
log about errors we *receive* with the error number we got there,
don't log any synthetic error, that don#t even propagate, but just eat
up.
- Be more careful with attaching exactly the error we get, instead of
errno or unrelated errors randomly.
- Fix one occasion where the error number and line number got swapped.
- Make sure we never tape over OOM issues, or inability to resolve
specifiers |
5f5d8eab1f2f5f5e088bc301533b3e4636de96c7 |
|
29-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
core: allow setting WorkingDirectory= to the special value ~
If set to ~ the working directory is set to the home directory of the
user configured in User=.
This change also exposes the existing switch for the working directory
that allowed making missing working directories non-fatal.
This also changes "machinectl shell" to make use of this to ensure that
the invoked shell is by default in the user's home directory.
Fixes #1268. |
9d5ca7f882d3c65f6d85e9fc727a0eea3262aaf9 |
|
25-Sep-2015 |
Filipe Brandenburger <filbranden@google.com> |
load-fragment: Use parse_cpu_set in CPUAffinity support
Tested with a dummy service running 'sleep', modifying its CPUAffinity,
restarting the service and checking the ^Cpus_allowed entries in the
/proc/PID/status file. |
15087cdbd63312f706f21339489daf210ae609d0 |
|
22-Sep-2015 |
Pawel Szewczyk <p.szewczyk@samsung.com> |
core: Add list of additional file descriptors to socket port
Some additional files related to single socket may appear in the
filesystem and they should be opened and passed to related service.
This commit adds optional list of file descriptors, which are
dynamically discovered and opened. |
9b5864d9d97bd1f1ba7a2010c8f0b679fb0d0d58 |
|
18-Sep-2015 |
Michael Gebetsroither <michael@mgeb.org> |
load-fragment: resolve specifiers in RuntimeDirectory |
32ee7d3309816994a02b3ff000e9734120d71214 |
|
16-Sep-2015 |
Daniel Mack <daniel@zonque.org> |
cgroup: add support for net_cls controllers
Add a new config directive called NetClass= to CGroup enabled units.
Allowed values are positive numbers for fix assignments and "auto" for
picking a free value automatically, for which we need to keep track of
dynamically assigned net class IDs of units. Introduce a hash table for
this, and also record the last ID that was given out, so the allocator
can start its search for the next 'hole' from there. This could
eventually be optimized with something like an irb.
The class IDs up to 65536 are considered reserved and won't be
assigned automatically by systemd. This barrier can be made a config
directive in the future.
Values set in unit files are stored in the CGroupContext of the
unit and considered read-only. The actually assigned number (which
may have been chosen dynamically) is stored in the unit itself and
is guaranteed to remain stable as long as the unit is active.
In the CGroup controller, set the configured CGroup net class to
net_cls.classid. Multiple unit may share the same net class ID,
and those which do are linked together. |
d53d94743c5e5e3a4a668b0c707826a90a08949a |
|
11-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
core: refactor cpu shares/blockio weight cgroup logic
Let's stop using the "unsigned long" type for weights/shares, and let's
just use uint64_t for this, as that's what we expose on the bus.
Unify parsers, and always validate the range for these fields.
Correct the default blockio weight to 500, since that's what the kernel
actually uses.
When parsing the weight/shares settings from unit files accept the empty
string as a way to reset the weight/shares value. When getting it via
the bus, uniformly map (uint64_t) -1 to unset.
Open up StartupCPUShares= and StartupBlockIOWeight= to transient units. |
03a7b521e3ffb7f5d153d90480ba5d4bc29d1e8f |
|
10-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
core: add support for the "pids" cgroup controller
This adds support for the new "pids" cgroup controller of 4.3 kernels.
It allows accounting the number of tasks in a cgroup and enforcing
limits on it.
This adds two new setting TasksAccounting= and TasksMax= to each unit,
as well as a gloabl option DefaultTasksAccounting=.
This also updated "cgtop" to optionally make use of the new
kernel-provided accounting.
systemctl has been updated to show the number of tasks for each service
if it is available.
This patch also adds correct support for undoing memory limits for units
using a MemoryLimit=infinity syntax. We do the same for TasksMax= now
and hence keep things in sync here. |
59f448cf15f94bc5ebfd5b254de6f2441d02fbec |
|
10-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: never use the off_t unless glibc makes us use it
off_t is a really weird type as it is usually 64bit these days (at least
in sane programs), but could theoretically be 32bit. We don't support
off_t as 32bit builds though, but still constantly deal with safely
converting from off_t to other types and back for no point.
Hence, never use the type anymore. Always use uint64_t instead. This has
various benefits, including that we can expose these values directly as
D-Bus properties, and also that the values parse the same in all cases. |
525d3cc746a037e8cc6b2e0ebaaf76a51856fa6b |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: take benefit of the fact that hashmap_free() returns NULL
And set_free() too.
Another Coccinelle patch. |
6796073e330f49923c5134652ee085e29fc88002 |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: make use of the fact that strv_free() returns NULL
Another Coccinelle patch. |
ece174c5439021e32ebcc858842de9586072c006 |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: drop {} from one-line if blocks
Patch via coccinelle. |
a1e58e8ee1c84b633d6d6d651d5328d4dd4eba5b |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: use coccinelle to patch a lot of code to use mfree()
This replaces this:
free(p);
p = NULL;
by this:
p = mfree(p);
Change generated using coccinelle. Semantic patch is added to the
sources. |
f757855e81fc0bc116de372220096e532afb5cb8 |
|
06-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new .nspawn files for container settings
.nspawn fiels are simple settings files that may accompany container
images and directories and contain settings otherwise passed on the
nspawn command line. This provides an efficient way to attach execution
data directly to containers. |
9ce56418b1ff83303c607a7759e8830ec73dbc19 |
|
05-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
core: don't use uninitialized errno |
d79200e26ee39d4b451f95e876fc4595df51fe51 |
|
31-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
unit: unify how we assing slices to units
This adds a new call unit_set_slice(), and simplifies
unit_add_default_slice(). THis should make our code a bit more robust
and simpler. |
3f5e811594bcdb25d3aa859cb0be06f6df3a03b9 |
|
31-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
core: don't generate stub unit file for transient units
We store the properties for transient units in drop-ins anyway, and
units don't have to have fragment files, hence don't bother with them,
and don't create them. |
023a4f67011f24d4b085995a4a3a02661c4794a2 |
|
24-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
core: optionally create LOGIN_PROCESS or USER_PROCESS utmp entries
When generating utmp/wtmp entries, optionally add both LOGIN_PROCESS and
INIT_PROCESS entries or even all three of LOGIN_PROCESS, INIT_PROCESS
and USER_PROCESS entries, instead of just a single INIT_PROCESS entry.
With this change systemd may be used to not only invoke a getty directly
in a SysV-compliant way but alternatively also a login(1) implementation
or even forego getty and login entirely, and invoke arbitrary shells in
a way that they appear in who(1) or w(1).
This is preparation for a later commit that adds a "machinectl shell"
operation to invoke a shell in a container, in a way that is compatible
with who(1) and w(1). |
12ba2c44dde4d7cfc0e531dbc3cbd0581c323637 |
|
07-Aug-2015 |
Richard Maw <richard.maw@codethink.co.uk> |
util: Don't interpret quotes by default in extract_first_word
This adds an EXTRACT_QUOTES option to allow the previous behaviour, of
not interpreting any character inside ' or " quotes as separators. |
6868560773ada8ea31d1f86422be6bf026a1f660 |
|
07-Aug-2015 |
Richard Maw <richard.maw@codethink.co.uk> |
util: change unquote_*_word to extract_*_word
It now takes a separators argument, which defaults to WHITESPACE if NULL
is passed. |
4b1c17535115b70f4ddf4bf5850049b885a40173 |
|
07-Aug-2015 |
Richard Maw <richard.maw@codethink.co.uk> |
Convert unquote_*_word users to expect isempty(p) after the last entry
This is so that, when called in a loop, unquote_first_word can
distinguish between reaching the end of a string because it has consumed
all the input before the end, and consuming all the input.
This is important because we later add a flag that allows
char *in = "";
char *out;
unquote_first_word(&in, &out, flags);
To put "" in out, and set in = NULL, so the trailing empty string of the
input can be consumed, and mark that the input has been consumed. |
67a3328fbdecd1d81431cc6380de5b3f2d628def |
|
07-Aug-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
load-fragment: fix segv on parse error
https://bugzilla.redhat.com/show_bug.cgi?id=1251334 |
97b11eedff9d2e17101ad453caf9e48b73246719 |
|
31-Jul-2015 |
David Herrmann <dh.herrmann@gmail.com> |
tree-wide: introduce mfree()
Pretty trivial helper which wraps free() but returns NULL, so we can
simplify this:
free(foobar);
foobar = NULL;
to this:
foobar = mfree(foobar); |
c83f1f30b80253de8a1a6034e7b016fa55d24523 |
|
17-Jun-2015 |
Filipe Brandenburger <filbranden@google.com> |
load-fragment: reset the list on an ExecStart= containing only whitespace
This is consistent with how an empty string works in an ExecStart=
statement. We should not differentiate between an empty string and
whitespace only (since they look the same.)
Update the test case with whitespace only to reflect that the list is
reset.
Tested that `test-unit-file` passes and other test cases are not
affected. Installed the patched systemd binaries on a machine, booted
it, looked for out of the usual behavior but did not find any. |
46a0d98ac0fb5b507a6423e60058a2483830b432 |
|
17-Jun-2015 |
Filipe Brandenburger <filbranden@google.com> |
load-fragment: use unquote_first_word in config_parse_exec
Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop
of unquote_first_word.
Loop through the arguments only once (the FOREACH_WORD_QUOTED
implementation did it twice, once to count them and another time to
process and store them.)
Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve
unrecognized escape sequences such as regexps matches such as "\w",
"\d", etc. (Valid escape sequences such as "\s" or "\b" still need an
extra backslash if literals are desired for regexps.)
Differences in behavior:
- Handle ; (command separator) in special, so that only ; on its own is
valid for that purpose, an quoted semicolon ";" or ';' will now behave
as a literal semicolon. This is probably what was initially intended.
- Handle \; (to introduce a literal semicolon) in special, so that only \;
is turned into a semicolon but not \\; or "\\;" or "\;" which are kept
as a literal \; in the output. This is probably what was initially
intended.
Known issues:
- Using an empty string (for example, ExecStartPre=<empty>) will empty
the list and remove the existing commands, but using whitespace only
(for example, ExecStartPre=<spaces>) will not. This is a pre-existing
issue and will be dealt with in a follow up commit.
Tested:
- Unit tests passing. Also `make distcheck` still works as expected.
- Installed it on a local machine and booted with it, checked console
output, systemctl and journalctl output, did not notice any issues
running the patched systemd binaries.
Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794 |
22874a348fb1540c1a2b7907748fc57c9756a7ed |
|
01-Jun-2015 |
Daniel Mack <daniel@zonque.org> |
load-fragment: use UNESCAPE_RELAX flag to parse exec directives
The cunescape() helper function used to handle unknown escaping sequences
gracefully by copying them over verbatim.
Commit 527b7a42 ("util: rework cunescape(), improve error handling") added
a flag to make that behavior optional, and changed to default to error out
with -EINVAL otherwise.
However, config_parse_exec(), which is used to parse the
Exec{Start,Stop}{Post,Pre,} directives of unit files, was not changed along
with that commit, which means that directives with improperly escaped
command line strings are no longer parsed.
Relevant bugreports include:
https://bugs.freedesktop.org/show_bug.cgi?id=90794
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787256
Fix this by passing UNESCAPE_RELAX to config_parse_exec() in order to
restore the original behavior. |
24882e06c135584f16f31ba8a00fecde8b7f6fad |
|
29-May-2015 |
Lennart Poettering <lennart@poettering.net> |
util: split out signal-util.[ch] from util.[ch]
No functional changes. |
050f727728f0631ce2b9c5f9635054480ccea3f6 |
|
21-May-2015 |
Lennart Poettering <lennart@poettering.net> |
util: introduce PERSONALITY_INVALID as macro for 0xffffffffLU |
c18d201808e70949b45fe206d9c29efb8107a152 |
|
17-May-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
load-fragment: put quotes around iffy rvalue |
7693146dee53a2b0f524e977188347166bf454ca |
|
15-May-2015 |
Lennart Poettering <lennart@poettering.net> |
socket-util: socket_address_parse() should not log errors on its own
Given that socket_address_parse() is mostly a "library" call it
shouldn't log on its own, but leave that to its caller.
This patch removes logging from the call in case IPv6 is not available
but and IPv6 address shall be parsed. Instead a new call
socket_address_parse_and_warn() is introduced which first invokes
socket_address_parse() and then logs if necessary.
This should fix "make check" on ipv6-less kernels:
http://lists.freedesktop.org/archives/systemd-devel/2015-April/031385.html |
35b1078e1c375df244e19961792aeb78ca34bb54 |
|
15-May-2015 |
Martin Pitt <martin.pitt@ubuntu.com> |
core: Fix assertion with empty Exec*= paths
An Exec*= line with whitespace after modifiers, like
ExecStart=- /bin/true
is considered to have an empty command path. This is as specified, but causes
systemd to crash with
Assertion 'skip < l' failed at ../src/core/load-fragment.c:607, function config_parse_exec(). Aborting.
Aborted (core dumped)
Fix this by logging an error instead and ignoring the invalid line.
Add corresponding test cases. Also add a test case for a completely empty value
which resets the command list.
https://launchpad.net/bugs/1454173 |
b2c23da8cea1987a1a329f5a964d3299b7ca7890 |
|
11-May-2015 |
Lennart Poettering <lennart@poettering.net> |
core: rename SystemdRunningAs to ManagerRunningAs
It's primarily just a property of the Manager object after all, and we
try to refer to PID 1 as "manager" instead of "systemd", hence let's to
stick to this here too. |
7410616cd9dbbec97cf98d75324da5cda2b2f7a2 |
|
06-May-2015 |
Lennart Poettering <lennart@poettering.net> |
core: rework unit name validation and manipulation logic
A variety of changes:
- Make sure all our calls distuingish OOM from other errors if OOM is
not the only error possible.
- Be much stricter when parsing escaped paths, do not accept trailing or
leading escaped slashes.
- Change unit validation to take a bit mask for allowing plain names,
instance names or template names or an combination thereof.
- Refuse manipulating invalid unit name |
8d9803b83c1f72e1bf158af4615b1c53a4749118 |
|
23-Apr-2015 |
Lennart Poettering <lennart@poettering.net> |
core: fix parsing of mount flags
As reported my Maciej Wereski:
http://lists.freedesktop.org/archives/systemd-devel/2015-February/028320.html |
756c09e672a08efd9e728a5cab50a641b022b84c |
|
10-Apr-2015 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
core: set_put never returns -EEXIST
When the value is already there it returns 0.
Also add a test to ensure this |
a40e26f392239322492623187d1e9a97908fcf83 |
|
08-Apr-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Indentation |
527b7a421ff3927d4f3f170b1b143452e88ae1dc |
|
07-Apr-2015 |
Lennart Poettering <lennart@poettering.net> |
util: rework cunescape(), improve error handling
Change cunescape() to return a normal error code, so that we can
distuingish OOM errors from parse errors.
This also adds a flags parameter to control whether "relaxed" or normal
parsing shall be done. If set no parse failures are generated, and the
only reason why cunescape() can fail is OOM. |
bdb26d423a7f992bec5c28e17894c684d770d6f3 |
|
14-Mar-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core: remove left-over debug message |
15411c0cb1192799b37ec8f25d6f30e8d7292fc6 |
|
13-Mar-2015 |
David Herrmann <dh.herrmann@gmail.com> |
tree-wide: there is no ENOTSUP on linux
Replace ENOTSUP by EOPNOTSUPP as this is what linux actually uses. |
d4ad27a104af707b20651327d7a57dd9dc780f79 |
|
07-Mar-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core/load-fragment: safe_close() protects errno |
2eec67acbb00593e414549a7e5b35eb7dd776b1b |
|
23-Feb-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
remove unused includes
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use. |
615938651d3a4fd9253b08da00db22d451a8cef8 |
|
01-Feb-2015 |
Michael Olbrich <m.olbrich@pengutronix.de> |
config_parse_set_status: put signals in the correct set
This was broken when the code was rearranged in "1e2fd62d70ff
core/load-fragment.c: correct argument sign and split up long lines" |
cc98b3025eeb89addb76a27390cb2baca4eab8b9 |
|
26-Jan-2015 |
Torstein Husebø <torstein@huseboe.net> |
treewide: fix multiple typos |
a2e0337875addaf08225fbf9b231435ba12a88b5 |
|
20-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
util: make http url validity checks more generic, and move them to util.c |
e01ff428993f0c126f010b5625002e6a0a8aff4a |
|
12-Jan-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core/load-fragment: avoid allocating 0 bytes when given an invalid command
With a command line like "@/something" we would allocate an array with
0 elements. Avoid that, and add a test too. |
b02cb41c78c61c27bf1432e19f241a3c3d47a419 |
|
07-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
conf-parse: don't accept invalid bus names as BusName= arguments in service units |
c853953658865ec3b3487e3f1eb2cc0516320bf3 |
|
19-Dec-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
load-fragment: allow quoting in command name and document allowed escapes
The handling of the command name and other arguments is unified. This
simplifies things and should make them more predictable for users.
Incidentally, this makes ExecStart handling match the .desktop file
specification, apart for the requirment for an absolute path.
https://bugs.freedesktop.org/show_bug.cgi?id=86171 |
447021aafdf4bd0c0f70a3078d35a8f00ada4504 |
|
19-Dec-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
tree-wide: make condition_free_list return NULL |
f1acf85a36f4c32d69511fe1bfa12f66e28fa80d |
|
19-Dec-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core: make exec_command_free_list return NULL |
3851c51ad1dae6a1266896e7e364e424dc82467a |
|
18-Dec-2014 |
tomsod-m ya ru <tomsod-m@ya.ru> |
load-fragment: properly unescape \;
https://bugs.freedesktop.org/show_bug.cgi?id=87393 |
abc08d4d08006fa19dec645859f81af9f227339e |
|
12-Dec-2014 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
wrap a few *_FOREACH macros in curly braces
cppcheck would give up with "syntax error" without them. This led
to reports of syntax errors in unrelated locations and potentially
hid other errors |
ae6c3cc009a21df4b51851fb8fe3fde0b7d6d8f0 |
|
12-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
util: when using basename() for creating temporary files, verify the resulting name is actually valid
Also, rename filename_is_safe() to filename_is_valid(), since it
actually does a full validation for what the kernel will accept as file
name, it's not just a heuristic. |
2822da4fb7f891e5320f02f1d00f64b72221ced4 |
|
10-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
util: introduce our own gperf based capability list
This way, we can ensure we have a more complete, up-to-date list of
capabilities around, always. |
4e7dff9b099bfbf7e367e339f5ddcd387caf78ae |
|
08-Dec-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
load-fragment: remove wrong ifdef guard
config_parse_warn_compat is now always used for removed options.
https://bugs.freedesktop.org/show_bug.cgi?id=87125 |
9e37c9544b22aab2173695ac9c0e4b8bb02cb75c |
|
01-Dec-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core: warn and ignore SysVStartPriority=
Option was being parsed but not used for anything. |
a2c0e528b8b5ba370527db279605e4e4135689c1 |
|
01-Dec-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
When warning about unsupported options, be more detailed |
4e2744fcb579f5314043c0045e6902c64b7efe67 |
|
30-Nov-2014 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
core: remove unused variables |
2ca620c4ed28c01f285d869d0b22f22a360957da |
|
24-Nov-2014 |
WaLyong Cho <walyong.cho@samsung.com> |
smack: introduce new SmackProcessLabel option
In service file, if the file has some of special SMACK label in
ExecStart= and systemd has no permission for the special SMACK label
then permission error will occurred. To resolve this, systemd should
be able to set its SMACK label to something accessible of ExecStart=.
So introduce new SmackProcessLabel. If label is specified with
SmackProcessLabel= then the child systemd will set its label to
that. To successfully execute the ExecStart=, accessible label should
be specified with SmackProcessLabel=.
Additionally, by SMACK policy, if the file in ExecStart= has no
SMACK64EXEC then the executed process will have given label by
SmackProcessLabel=. But if the file has SMACK64EXEC then the
SMACK64EXEC label will be overridden.
[zj: reword man page] |
59fccdc587bc179c1638916ee16a24099f94f81f |
|
06-Nov-2014 |
Lennart Poettering <lennart@poettering.net> |
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met |
0b76b4d8c28e8d82422ddeea2cc3c079fe4bb3dc |
|
24-Oct-2014 |
Lennart Poettering <lennart@poettering.net> |
calendar: make freeing a calendar spec object deal fine with NULL
In order to make object destruction easier (in particular in combination
with _cleanup_) we usually make destructors deal with NULL objects as
NOPs. Change the calendar spec destructor to follow the same scheme. |
b1389b0d0805392570085acc7cb10eafcf885405 |
|
12-Oct-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Modernization |
d5099efc47d4e6ac60816b5381a5f607ab03f06e |
|
15-Sep-2014 |
Michal Schmidt <mschmidt@redhat.com> |
hashmap: introduce hash_ops to make struct Hashmap smaller
It is redundant to store 'hash' and 'compare' function pointers in
struct Hashmap separately. The functions always comprise a pair.
Store a single pointer to struct hash_ops instead.
systemd keeps hundreds of hashmaps, so this saves a little bit of
memory. |
eed9386748cb6bd7b1aecc62ea723db2e0c541ca |
|
13-Sep-2014 |
Dave Reisner <dreisner@archlinux.org> |
core: use correct function to free CalendarSpec |
4d5e13a125cf8d77d432225ab69826caa1d1cf59 |
|
13-Sep-2014 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
core: fix a potential mem leak
Found with Coverity. Fixes: CID#996438 |
501996231293506a85bf4d610938a655ddc8cb92 |
|
08-Sep-2014 |
Daniel Mack <zonque@gmail.com> |
bus: parse BusPolicy directive in service files
Add a new directive called BusPolicy to define custom endpoint policies. If
one such directive is given, an endpoint object in the service's ExecContext is
created and the given policy is added to it. |
5369c77d2ee864ac0464d4adc0774ee70ba9c4bc |
|
08-Sep-2014 |
Daniel Mack <zonque@gmail.com> |
bus: factor out bus policy items
In order to re-use the policy definitions, factor them out into their own
files. |
1e2fd62d70ff1a960551d28fce745847a9dbd3b7 |
|
31-Jul-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core/load-fragment.c: correct argument sign and split up long lines
With everything on one line they are just harder to read. |
b2fadec6048adb3596f2633cb7fe7a49f5937a18 |
|
31-Jul-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Properly report invalid quoted strings
$ systemd-analyze verify trailing-g.service
[./trailing-g.service:2] Trailing garbage, ignoring.
trailing-g.service lacks ExecStart setting. Refusing.
Error: org.freedesktop.systemd1.LoadFailed: Unit trailing-g.service failed to load: Invalid argument.
Failed to create trailing-g.service/start: Invalid argument |
a2a5291b3f5ab6ed4c92f51d0fd10a03047380d8 |
|
31-Jul-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Reject invalid quoted strings
String which ended in an unfinished quote were accepted, potentially
with bad memory accesses.
Reject anything which ends in a unfished quote, or contains
non-whitespace characters right after the closing quote.
_FOREACH_WORD now returns the invalid character in *state. But this return
value is not checked anywhere yet.
Also, make 'word' and 'state' variables const pointers, and rename 'w'
to 'word' in various places. Things are easier to read if the same name
is used consistently.
mbiebl_> am I correct that something like this doesn't work
mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"'
mbiebl_> systemd seems to strip of the quotes
mbiebl_> systemctl status shows
mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint
mbiebl_> which is pretty weird |
3a43da2832dc5360a638d043f469a6dcbe025582 |
|
29-Jul-2014 |
Kay Sievers <kay@vrfy.org> |
time-util: add and use USEC/NSEC_INFINIY |
36f822c4bd077f9121757e24b6516e5c7ada63b5 |
|
17-Jul-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Let config_parse open file where applicable
Special care is needed so that we get an error message if the
file failed to parse, but not when it is missing. To avoid duplicating
the same error check in every caller, add an additional 'warn' boolean
to tell config_parse whether a message should be issued.
This makes things both shorter and more robust wrt. to error reporting. |
e9f3d2d508bfd9fb5b54e82994bda365a71eb864 |
|
16-Jul-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Constify ConfigTableItem tables |
3e2d435b3d2247a60d6def932d28a4856566a7d7 |
|
03-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
exit-status: rename ExitStatusSet's "code" field to "status"
We should follow the naming scheme waitid() uses, not come up with our
own reversed one... |
a4152e3fe28b53b8919cc404dd7eca7ead1bf9bd |
|
05-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
kdbus: when uploading bus name policy, resolve users/groups out-of-process
It's not safe invoking NSS from PID 1, hence fork off worker processes
that upload the policy into the kernel for busnames. |
1b8689f94983b47bf190e77ddb03a8fc6af15fb3 |
|
04-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.
With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data. |
811ba7a0e292eda0f2f470613cc28a97bda7ee66 |
|
04-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
socket: add new Symlinks= option for socket units
With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO
nodes in the file system, with the same lifecycle as the socket itself.
This has two benefits: first, this allows us to remove /dev/log and
/dev/initctl from /dev, thus leaving only symlinks, device nodes and
directories in the /dev tree. More importantly however, this allows us
to move /dev/log out of /dev, while still making it accessible there, so
that PrivateDevices= can provide /dev/log too. |
417116f23432073162ebfcb286a7800846482eed |
|
03-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data. |
9a0549093332880df47c4218209ce126b8586835 |
|
22-May-2014 |
Lennart Poettering <lennart@poettering.net> |
cgroups: simplify CPUQuota= logic
Only accept cpu quota values in percentages, get rid of period
definition.
It's not clear whether the CFS period controllable per-cgroup even has a
future in the kernel, hence let's simplify all this, hardcode the period
to 100ms and only accept percentage based quota values. |
db785129c9bce9294a118484cbc9bb6935ca34c2 |
|
22-May-2014 |
Lennart Poettering <lennart@poettering.net> |
cgroup: rework startup logic
Introduce a (unsigned long) -1 as "unset" state for cpu shares/block io
weights, and keep the startup unit set around all the time. |
95ae05c0e79868c22b3e8e6fbc53432786876730 |
|
22-May-2014 |
WaLyong Cho <walyong.cho@samsung.com> |
core: add startup resource control option
Similar to CPUShares= and BlockIOWeight= respectively. However only
assign the specified weight during startup. Each control group
attribute is re-assigned as weight by CPUShares=weight and
BlockIOWeight=weight after startup. If not CPUShares= or
BlockIOWeight= be specified, then the attribute is re-assigned to each
default attribute value. (default cpu.shares=1024, blkio.weight=1000)
If only CPUShares=weight or BlockIOWeight=weight be specified, then
that implies StartupCPUShares=weight and StartupBlockIOWeight=weight. |
f1721625e7145977ba705e169580f2eb0002600c |
|
18-May-2014 |
Nis Martensen <nis.martensen@web.de> |
fix spelling of privilege |
a429267c4449e16f68962b1b3a3037b54e487c1d |
|
06-May-2014 |
Lennart Poettering <lennart@poettering.net> |
load-fragment: minor cleanup |
b2f8b02ec27dfec9cbd23573f47aba494f2e9b5f |
|
25-Apr-2014 |
Lennart Poettering <lennart@poettering.net> |
core: expose CFS CPU time quota as high-level unit properties |
bf500566323bbc2240d1fdd1165a8c908faf4098 |
|
24-Apr-2014 |
Michael Olbrich <m.olbrich@pengutronix.de> |
service: rename StartLimitAction enum to FailureAction
It's used for the FailureAction property as well. |
7f8aa67131cfc03ddcbd31c0420754864fc122f0 |
|
24-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
core: remove tcpwrap support
tcpwrap is legacy code, that is barely maintained upstream. It's APIs
are awful, and the feature set it exposes (such as DNS and IDENT
access control) questionnable. We should not support this natively in
systemd.
Hence, let's remove the code. If people want to continue making use of
this, they can do so by plugging in "tcpd" for the processes they start.
With that scheme things are as well or badly supported as they were from
traditional inetd, hence no functionality is really lost. |
dedabea4b3d61a87cedb5c8d7ccce5b86ea84afe |
|
24-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
timer: support timers that can resume the system from suspend |
c2c13f2df42e0691aecabe3979ea81cd7faa35c7 |
|
20-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
unit: turn off mount propagation for udevd
Keep mounts done by udev rules private to udevd. Also, document how
MountFlags= may be used for this. |
03e334a1c7dc8c20c38902aa039440763acc9b17 |
|
18-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
util: replace close_nointr_nofail() by a more useful safe_close()
safe_close() automatically becomes a NOP when a negative fd is passed,
and returns -1 unconditionally. This makes it easy to write lines like
this:
fd = safe_close(fd);
Which will close an fd if it is open, and reset the fd variable
correctly.
By making use of this new scheme we can drop a > 200 lines of code that
was required to test for non-negative fds or to reset the closed fd
variable afterwards. |
54d76c92868838e17d6aad0a3bb0cc7a5b11e35f |
|
07-Mar-2014 |
Daniel Mack <zonque@gmail.com> |
busname: add parser for bus name policies
There are three directives to specify bus name polices in .busname
files:
* AllowUser [username] [access]
* AllowGroup [groupname] [access]
* AllowWorld [access]
Where [access] is one of
* 'see': The user/group/world is allowed to see a name on the bus
* 'talk': The user/group/world is allowed to talk to a name
* 'own': The user/group/world is allowed to own a name
There is no user added yet in this commit. |
760b9d7cbaa72cc7446ad915f84d4939c11a360c |
|
05-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
core: don't override NoNewPriviliges= from SystemCallFilter= if it is already explicitly set |
b5d742138f71e87312541a89aac5657015f50f48 |
|
04-Mar-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Do not print invalid UTF-8 in error messages
Inexplicably, 550a40ec ('core: do not print invalid utf-8 in error
messages') only fixed two paths. Convert all of them now. |
94828d2ddc89c9dba3d6f386e55b6c9310d8f627 |
|
03-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c
The parse code actually checked for specific lvalue names, which is
really wrong for supposedly generic parsers... |
3af00fb85a26a1d812363fbf88c045311fd05376 |
|
03-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
core: move config_parse_set_status() into load-fragment.c
Let's keep specific config parsers close to where they are needed. Only
the really generic ones should be defined in conf-parser.[ch]. |
ca37242e52cbf90d6cdb3b26b2986b11ed1d5e91 |
|
03-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
conf-parse: rename config_parse_level() to config_parse_log_level()
"level" is a bit too generic, let's clarify what kind of level we are
referring to here. |
e66cf1a3f94fff48a572f6dbd19b43c9bcf7b8c7 |
|
03-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings
As discussed on the ML these are useful to manage runtime directories
below /run for services. |
4298d0b5128326621c8f537107c4c8b459490721 |
|
26-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add new RestrictAddressFamilies= switch
This new unit settings allows restricting which address families are
available to processes. This is an effective way to minimize the attack
surface of services, by turning off entire network stacks for them.
This is based on seccomp, and does not work on x86-32, since seccomp
cannot filter socketcall() syscalls on that platform. |
5556b5fe41173107a67dbe875fbd916a46e52a02 |
|
23-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: clean up some confusing regarding SI decimal and IEC binary suffixes for sizes
According to Wikipedia it is customary to specify hardware metrics and
transfer speeds to the basis 1000 (SI decimal), while software metrics
and physical volatile memory (RAM) sizes to the basis 1024 (IEC binary).
So far we specified everything in IEC, let's fix that and be more
true to what's otherwise customary. Since we don't want to parse "Mi"
instead of "M" we document each time what the context used is. |
90060676c442604780634c0a993e3f9c3733f8e6 |
|
22-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
cgroup: Extend DeviceAllow= syntax to whitelist groups of devices, not just particular devices nodes |
eef65bf3ee6f73afa4a5de23ae3a794a279f30c0 |
|
21-Feb-2014 |
Michael Scherer <misc@zarb.org> |
core: Add AppArmor profile switching
This permit to switch to a specific apparmor profile when starting a daemon. This
will result in a non operation if apparmor is disabled.
It also add a new build requirement on libapparmor for using this feature. |
ac45f971a12280de55b834a65237f72dcacfc099 |
|
19-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add Personality= option for units to set the personality for spawned processes |
6a6751fe24bf456cf5c1efad785a4d11e78b42d0 |
|
17-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: warn when unit files with unsupported options are parsed |
5f8640fb628cb034981e02d741fd9ddf26fdf38d |
|
17-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: store and expose SELinuxContext field normalized as bool + string |
d3b1c5083359faa6cfca81810cf87ef70d0290f6 |
|
13-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add a system-wide SystemCallArchitectures= setting
This is useful to prohibit execution of non-native processes on systems,
for example 32bit binaries on 64bit systems, this lowering the attack
service on incorrect syscall and ioctl 32→64bit mappings. |
57183d117a1d6a96d71ce99d648beb0d2b36228d |
|
13-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add SystemCallArchitectures= unit setting to allow disabling of non-native
architecture support for system calls
Also, turn system call filter bus properties into complex types instead
of concatenated strings. |
17df7223be064b1542dbe868e3b35cca977ee639 |
|
12-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: rework syscall filter
- Allow configuration of an errno error to return from blacklisted
syscalls, instead of immediately terminating a process.
- Fix parsing logic when libseccomp support is turned off
- Only keep the actual syscall set in the ExecContext, and generate the
string version only on demand. |
c0467cf387548dc98c0254f63553d862b35a84e5 |
|
12-Feb-2014 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
syscallfilter: port to libseccomp |
f78e6385dc4cee0a1f399c4c89ebf823c108d447 |
|
26-Dec-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Use enums to make it obvious what boolean params mean
Suggested-by: Russ Allbery <rra@debian.org> |
bc9fd78c7bfc39881e19457e476393635f8b0442 |
|
14-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
bus: when connecting to a container's kdbus instance, enter namespace first
Previously we'd open the connection in the originating namespace, which
meant most peers of the bus would not be able to make sense of the
PID/UID/... identity of us since we didn't exist in the namespace they
run in. However they require this identity for privilege decisions,
hence disallowing access to anything from the host.
Instead, when connecting to a container, create a temporary subprocess,
make it join the container's namespace and then connect from there to
the kdbus instance. This is similar to how we do it for socket
conections already.
THis also unifies the namespacing code used by machinectl and the bus
APIs. |
2b6bf07dd23bb467099d213c97b3875c5e453491 |
|
07-Dec-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Get rid of our reimplementation of basename
The only problem is that libgen.h #defines basename to point to it's
own broken implementation instead of the GNU one. This can be fixed
by #undefining basename. |
e821075a23fdfa3ca7738fc30bb2d4c430fe10c0 |
|
02-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
bus: add .busname unit type to implement kdbus-style bus activation |
613b411c947635136637f8cdd66b94512f761eab |
|
27-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces |
d420282b28f50720e233ccb1c02547c562195653 |
|
26-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable |
71a6151083d842b2f5bf04e50239f0bf85d34d2e |
|
25-Nov-2013 |
Tom Gundersen <teg@jklm.no> |
conf-parser: distinguish between multiple sections with the same name
Pass on the line on which a section was decleared to the parsers, so they
can distinguish between multiple sections (if they chose to). Currently
no parsers take advantage of this, but a follow-up patch will do that
to distinguish
[Address]
Address=192.168.0.1/24
Label=one
[Address]
Address=192.168.0.2/24
Label=two
from
[Address]
Address=192.168.0.1/24
Label=one
Address=192.168.0.2/24
Label=two |
2e41a51ea4cf68f67d6d1e71482d95d9d50091b3 |
|
21-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
socket: fix segfault |
718db96199eb307751264e4163555662c9a389fa |
|
20-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
core: convert PID 1 to libsystemd-bus
This patch converts PID 1 to libsystemd-bus and thus drops the
dependency on libdbus. The only remaining code using libdbus is a test
case that validates our bus marshalling against libdbus' marshalling,
and this dependency can be turned off.
This patch also adds a couple of things to libsystem-bus, that are
necessary to make the port work:
- Synthesizing of "Disconnected" messages when bus connections are
severed.
- Support for attaching multiple vtables for the same interface on the
same path.
This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus
calls which used an inappropriate signature.
As a side effect we will now generate PropertiesChanged messages which
carry property contents, rather than just invalidation information. |
e48614c4b268d9e7ecbd478d1d2410f9e92095e0 |
|
16-Nov-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core: some more _cleanup_free_ |
84f6181c2ac99a0514ca5e0c8fc8c8e284caf789 |
|
06-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
clients: various simplifications |
accdd018ede77ef1c057775396c18c73406cbcb4 |
|
19-Oct-2013 |
Tom Gundersen <teg@jklm.no> |
mount/service: drop FsckPassNo support
We now treat passno as boleans in the generators, and don't need this any more. fsck itself
is able to sequentialize checks on the same local media, so in the common case the ordering
is redundant.
It is still possible to force an order by using .d fragments, in case that is desired. |
71fda00f320379f5cbee8e118848de98caaa229d |
|
14-Oct-2013 |
Lennart Poettering <lennart@poettering.net> |
list: make our list macros a bit easier to use by not requring type spec on each invocation
We can determine the list entry type via the typeof() gcc construct, and
so we should to make the macros much shorter to use. |
f6d2d421470a566cca05ceede788d61a0773e276 |
|
13-Oct-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Make sure that we don't dereference NULL
The code was actually safe, because b should
never be null, because if rvalue is empty, a different
branch is taken. But we *do* check for NULL in the
loop above, so it's better to also check here for symmetry. |
8a7935a23bfec14beb73e004beb01273254cf789 |
|
27-Sep-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Do not use unitialized variable and remove duplicated line |
a57f7e2c828b852eb32fd810dcea041bb2975501 |
|
26-Sep-2013 |
Lennart Poettering <lennart@poettering.net> |
core: rework how we match mount units against each other
Previously to automatically create dependencies between mount units we
matched every mount unit agains all others resulting in O(n^2)
complexity. On setups with large amounts of mount units this might make
things slow.
This change replaces the matching code to use a hashtable that is keyed
by a path prefix, and points to a set of units that require that path to
be around. When a new mount unit is installed it is hence sufficient to
simply look up this set of units via its own file system paths to know
which units to order after itself.
This patch also changes all unit types to only create automatic mount
dependencies via the RequiresMountsFor= logic, and this is exposed to
the outside to make things more transparent.
With this change we still have some O(n) complexities in place when
handling mounts, but that's currently unavoidable due to kernel APIs,
and still substantially better than O(n^2) as before.
https://bugs.freedesktop.org/show_bug.cgi?id=69740 |
ddca82aca08712a302cfabdbe59f73ee9ed3f73a |
|
17-Sep-2013 |
Lennart Poettering <lennart@poettering.net> |
cgroup: get rid of MemorySoftLimit=
The cgroup attribute memory.soft_limit_in_bytes is unlikely to stay
around in the kernel for good, so let's not expose it for now. We can
readd something like it later when the kernel guys decided on a final
API for this. |
19f6d710772305610b928bc2678b9d77fe11e770 |
|
17-Sep-2013 |
Lennart Poettering <lennart@poettering.net> |
specifier: rework specifier calls to return proper error message
Previously the specifier calls could only indicate OOM by returning
NULL. With this change they will return negative errno-style error codes
like everything else. |
47c0980d37a6255e411747572a00638bca35be5a |
|
10-Sep-2013 |
Gao feng <gaofeng@cn.fujitsu.com> |
blkio bandwidth: don't clean up all of entries in blockio_device_bandwidths list
if we get BlockIOReadBandwidth="", we should only remove the
read-bandwidth-entries in blockio_device_bandwidths list. |
e862b60f1c77bc12bf49475930f79ce68489828a |
|
28-Aug-2013 |
Gao feng <gaofeng@cn.fujitsu.com> |
blcokio bandwidth: add missing set of CGroupBlockIODeviceBandwidth's read
BlockIOReadBandwidth and BlockIOWriteBandwidth both use
config_parse_blockio_bandwidth to set up CGroupBlockIODeviceBandwidth,
We should set the read value based on the left values
in config files. |
7f0386f62c128896519aafa203caa1b3aafd4393 |
|
19-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
core: update configuration directive list "systemd --dump-configuration-items" shows |
8e7076caae32a560a11c1643b53fc4f12db4a6b1 |
|
11-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
cgroup: split out per-device BlockIOWeight= setting into BlockIODeviceWeight=
This way we can nicely map the configuration directive to properties and
back, without requiring two different signatures for the same property. |
c2756a68401102786be343712c0c35acbd73d28d |
|
28-Jun-2013 |
Lennart Poettering <lennart@poettering.net> |
core: add transient units
Transient units can be created via the bus API. They are configured via
the method call parameters rather than on-disk files. They are subject
to normal GC. Transient units currently may only be created for
services (however, we will extend this), and currently only ExecStart=
and the cgroup parameters can be configured (also to be extended).
Transient units require a unique name, that previously had no
configuration file on disk.
A tool systemd-run is added that makes use of this functionality to run
arbitrary command lines as transient services:
$ systemd-run /bin/ping www.heise.de
Will cause systemd to create a new transient service and run ping in it. |
4ad490007b70e6ac18d3cb04fa2ed92eba1451fa |
|
27-Jun-2013 |
Lennart Poettering <lennart@poettering.net> |
core: general cgroup rework
Replace the very generic cgroup hookup with a much simpler one. With
this change only the high-level cgroup settings remain, the ability to
set arbitrary cgroup attributes is removed, so is support for adding
units to arbitrary cgroup controllers or setting arbitrary paths for
them (especially paths that are different for the various controllers).
This also introduces a new -.slice root slice, that is the parent of
system.slice and friends. This enables easy admin configuration of
root-level cgrouo properties.
This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in
/dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is
turned off by DevicePolicy=). |
97d0e5f83ba4dd713170f802b90149b7325bc992 |
|
20-Jun-2013 |
Umut Tezduyar <umut@tezduyar.com> |
manager: add DefaultEnvironment option
This complements existing functionality of setting variables
through 'systemctl set-environment', the kernel command line,
and through normal environment variables for systemd in session
mode. |
a016b9228f338cb9b380ce7e00826ef462767d98 |
|
17-Jun-2013 |
Lennart Poettering <lennart@poettering.net> |
core: add new .slice unit type for partitioning systems
In order to prepare for the kernel cgroup rework, let's introduce a new
unit type to systemd, the "slice". Slices can be arranged in a tree and
are useful to partition resources freely and hierarchally by the user.
Each service unit can now be assigned to one of these slices, and later
on login users and machines may too.
Slices translate pretty directly to the cgroup hierarchy, and the
various objects can be assigned to any of the slices in the tree. |
db5c0122853a9ecf1cc92e6593461932df2fa866 |
|
25-Apr-2013 |
Lennart Poettering <lennart@poettering.net> |
conf-parser: restrict .include usage
Disallow recursive .include, and make it unavailable in anything but
unit files. |
ef42202ac8ed27e7ff1fc90ef8bc2590046dff25 |
|
24-Apr-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Add set_consume which always takes ownership
Freeing in error path is the common pattern with set_put(). |
3ecaa09bccd8a59c9f1e06756a1334a162206dc4 |
|
23-Apr-2013 |
Lennart Poettering <lennart@poettering.net> |
unit: rework trigger dependency logic
Instead of having explicit type-specific callbacks that inform the
triggering unit when a triggered unit changes state, make this generic
so that state changes are forwarded betwee any triggered and triggering
unit.
Also, get rid of UnitRef references from automount, timer, path units,
to the units they trigger and rely exclsuively on UNIT_TRIGGER type
dendencies. |
7fd1b19bc9e9f5574f2877936b8ac267c7706947 |
|
18-Apr-2013 |
Harald Hoyer <harald@redhat.com> |
move _cleanup_ attribute in front of the type
http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html |
449101fce2757575c4813a9512890536365445f6 |
|
18-Apr-2013 |
Simon Peeters <peeters.simon@gmail.com> |
Move bus_error to dbus-common and remove bus_error_message_or_strerror
bus_error and bus_error_message_or_strerror dit almost exactly the same,
so use only one of them and place it in dbus-common. |
543295ad369793bdac510c6c3bf4afae8f1cdab5 |
|
17-Apr-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core/main: use _cleanup_ |
e8e581bf256b8c0fbd430935af79fa0e8ee570a1 |
|
17-Apr-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Report about syntax errors with metadata
The information about the unit for which files are being parsed
is passed all the way down. This way messages land in the journal
with proper UNIT=... or USER_UNIT=... attribution.
'systemctl status' and 'journalctl -u' not displaying those messages
has been a source of confusion for users, since the journal entry for
a misspelt setting was often logged quite a bit earlier than the
failure to start a unit.
Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com> |
7f602784de4fd378120e8ebfe6d830862b9cae03 |
|
03-Apr-2013 |
Lennart Poettering <lennart@poettering.net> |
util: rename parse_usec() to parse_sec() sinds the default unit is seconds
Internally we store all time values in usec_t, however parse_usec()
actually was used mostly to parse values in seconds (unless explicit
units were specified to define a different unit). Hence, be clear about
this and name the function about what we pass into it, not what we get
out of it. |
cbb21cca098f9063b0ff5548b2c73ab517f55ea5 |
|
31-Mar-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
execute: convert secure bits into mask properly
C.f. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5975c725dfd6f7d36f493ab1453fbdbd35c1f0e3 |
d91c34f21ff7445dcee3efe2368aebe2d6c266db |
|
22-Mar-2013 |
Lennart Poettering <lennart@poettering.net> |
exec: Assigning the empty string to CapabilityBoundSet= should drop all caps
Previously, it would set all caps, but it should drop them all, anything
else makes little sense.
Also, document that this works as it does, and what to do in order to
assign all caps to the bounding set.
https://bugzilla.redhat.com/show_bug.cgi?id=914705 |
487060c2394b7703e59650ef332053645ffae2a3 |
|
01-Mar-2013 |
Lennart Poettering <lennart@poettering.net> |
specifier: when resolving specifier strings when loading configuration, don't misunderstand parse failures as OOM
http://lists.freedesktop.org/archives/systemd-devel/2013-February/009179.html |
26d04f86a36595e3565c74d67863e076c3e3c773 |
|
27-Feb-2013 |
Lennart Poettering <lennart@poettering.net> |
unit: rework resource management API
This introduces a new static list of known attributes and their special
semantics. This means that cgroup attribute values can now be
automatically translated from user to kernel notation for command line
set settings, too.
This also adds proper support for multi-line attributes. |
641906e9366891e0ad3e6e38b7396a427678c4cf |
|
13-Feb-2013 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
use strneq instead of strncmp |
853b8397acdebdd44777810e560403bae3756859 |
|
11-Feb-2013 |
Lennart Poettering <lennart@poettering.net> |
core: properly validate environment data from Environment= lines in unit files |
843fc7f7f26a6507fe896a79ed1b474c35c4300f |
|
19-Jan-2013 |
Jonathan Callen <abcd@gentoo.org> |
execute: Fix seccomp support on x32
In the x32 ABI, syscall numbers start at 0x40000000. Mask that bit on
x32 for lookups in the syscall_names array and syscall_filter and ensure
that syscall.h is parsed correctly.
[zj: added SYSCALL_TO_INDEX, INDEX_TO_SYSCALL macros.] |
74051b9b5865586bf4d30b9075649af838fb92bd |
|
17-Jan-2013 |
Lennart Poettering <lennart@poettering.net> |
units: for all unit settings that take lists, allow the empty string for resetting the lists
https://bugzilla.redhat.com/show_bug.cgi?id=756787 |
cd7409576d36baeb4ccc93471d3bd9d72a436d59 |
|
15-Jan-2013 |
Lennart Poettering <lennart@poettering.net> |
load-fragment: fix bad memory access |
858c33bf6002bcdbea185ddedde8f8d660afc731 |
|
15-Jan-2013 |
Lennart Poettering <lennart@poettering.net> |
load-fragment: replace specifiers in path unit's Unit= setting |
246aa6dd9dcea84bb945d16ec86e69f869dbb9b4 |
|
14-Jan-2013 |
Lennart Poettering <lennart@poettering.net> |
core: add bus API and systemctl commands for altering cgroup parameters during runtime |
36697dc0199e25f09b78090fcf5f1cf8a3648ffd |
|
23-Nov-2012 |
Lennart Poettering <lennart@poettering.net> |
timer: implement calendar time events |
ac97e2c559f5d386a332aba4a24bf9930cdb1c51 |
|
19-Nov-2012 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core/load-fragment: fix (potential) bad memory access
strncmp() could be used with size bigger then the size of the string,
because MAX was used instead of MIN.
If failing, print just the offending mount flag. |
c040936be2a4c77e9465cffae47d77d5ec14fb49 |
|
19-Nov-2012 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core/load-fragment: be more precise in error messages
Whenever a message fails, mention the offending word, instead
of just giving the whole line. If one bad word causes just this
word to be rejected, print only the word. If one bad word causes
the whole line to be rejected, print the whole line too.
https://bugs.freedesktop.org/show_bug.cgi?id=56874 |
bb11271068ff34434f5b8cefd0c2c0bae5ed7fd1 |
|
15-Nov-2012 |
Holger Hans Peter Freyther <holger@moiji-mobile.com> |
sched: Only setting CPUSchedulingPriority=rr doesn't work
A service that only sets the scheduling policy to round-robin
fails to be started. This is because the cpu_sched_priority is
initialized to 0 and is not adjusted when the policy is changed.
Clamp the cpu_sched_priority when the scheduler policy is set. Use
the current policy to validate the new priority.
Change the manual page to state that the given range only applies
to the real-time scheduling policies.
Add a testcase that verifies this change:
$ make test-sched-prio; ./test-sched-prio
[test/sched_idle_bad.service:6] CPU scheduling priority is out of range, ignoring: 1
[test/sched_rr_bad.service:7] CPU scheduling priority is out of range, ignoring: 0
[test/sched_rr_bad.service:8] CPU scheduling priority is out of range, ignoring: 100 |
0f67f1efae74e6d129338f1b63ede902b3d7e5ae |
|
15-Nov-2012 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core: lift restriction on order of - and @ in ExecStart |
7e1a84f55244ca78093b1dabc58683bc0e7f4304 |
|
15-Nov-2012 |
Oleksii Shevchuk <alxchk@gmail.com> |
core: interpret \; token in ExecStart as escaped ;
Some commands (like 'find') take a semicolon as separate arg. With
current parser implementation there is no way to pass one.
Patch adds token \; |
f8b69d1dfc307562a353f6aa923b7c2b915aaddb |
|
30-Oct-2012 |
Michal Schmidt <mschmidt@redhat.com> |
shared, core: do not always accept numbers in string lookups
The behaviour of the common name##_from_string conversion is surprising.
It accepts not only the strings from name##_table but also any number
that falls within the range of the table. The order of items in most of
our tables is an internal affair. It should not be visible to the user.
I know of a case where the surprising numeric conversion leads to a crash.
We will allow the direct numeric conversion only for the tables where the
mapping of strings to numeric values has an external meaning. This holds
for the following lookup tables:
- netlink_family, ioprio_class, ip_tos, sched_policy - their numeric
values are stable as they are defined by the Linux kernel interface.
- log_level, log_facility_unshifted - the well-known syslog interface.
We allow the user to use numeric values whose string names systemd does
not know. For instance, the user may want to test a new kernel featuring
a scheduling policy that did not exist when his systemd version was
released. A slightly unpleasant effect of this is that the
name##_to_string conversion cannot return pointers to constant strings
anymore. The strings have to be allocated on demand and freed by the
caller. |
5198dabcce9da535c4531b53990cfa11bd9f7896 |
|
03-Oct-2012 |
Lennart Poettering <lennart@poettering.net> |
man: document behaviour of ListenStream= with only a port number in regards to IPv4/IPv6 |
93e4c84bb3d6169a02a5ddd1cd0690ad64d20cd8 |
|
19-Sep-2012 |
Lennart Poettering <lennart@poettering.net> |
path: support specifier resolvin in .path units |
41f9172f427bdbb8221c64029f78364b8dd4e527 |
|
18-Sep-2012 |
Lennart Poettering <lennart@poettering.net> |
unit: split unit_printf() and friends into its own .c file |
2fbe635a83a79f8889afec421ae3990ea106fb91 |
|
13-Sep-2012 |
Lennart Poettering <lennart@poettering.net> |
macro: introduce _cleanup_free_ macro for automatic freeing of scoped vars and make use of it |
095b2d7ab9e7d66d44b93ab6e03ca69fd9e7020c |
|
13-Sep-2012 |
Auke Kok <auke-jan.h.kok@intel.com> |
load-fragment: Expand specifiers in conditions.
Add specifier expansion to Path and String conditions.
Specifier expansion for conditions will help create instance
and user session units by allowing us to template conditions
based on the instance or user session parameters.
An example would be a system-wide user session service file
that conditionally runs based on whether a user has the
service configured through a configuration file in ~/.config/. |
b5fb37899d34ec16f2a88dc3a8be3f4f7bf12ef3 |
|
23-Aug-2012 |
Lukas Nykryn <lnykryn@redhat.com> |
load-fragment: initialize bool invert before use |
c0d6e764d107a81a6439c41edbe92790623ed7de |
|
22-Aug-2012 |
Lennart Poettering <lennart@poettering.net> |
unit: add new ConditionHost= condition type |
d568a3350ee8a45877eef87cd026a954124e2cf8 |
|
08-Aug-2012 |
Michal Sekletar <msekleta@redhat.com> |
systemd: introduced new timeout types
Makes possible to specify separate timeout for start and stop of
the service.
[ Improved the manpage. Coding style fix. -- michich ] |
956b78e8e3636bbf04e264ca96128edc2cbf3626 |
|
23-Jul-2012 |
Jim Meyering <jim@meyering.net> |
sd-daemon: remove unnecessary memset calls
There is no point in clearing the bits of a "struct stat" when the very
next statement just calls stat or fstat to fill in that same memory.
[zj: two more places] |
8351ceaea9480d9c2979aa2ff0f4982cfdfef58d |
|
17-Jul-2012 |
Lennart Poettering <lennart@poettering.net> |
execute: support syscall filtering using seccomp filters |
49f43d5f91a99b23f745726aa351d8f159774357 |
|
16-Jul-2012 |
Ville Skyttä <ville.skytta@iki.fi> |
Spelling fixes. |
9946996cda11a18b44d82344676e5a0e96339408 |
|
03-Jul-2012 |
Lennart Poettering <lennart@poettering.net> |
load-fragment: a few modernizations |
8ff290af3b7db00eef76bdec61fee4aca7d84d0b |
|
22-Jun-2012 |
Lennart Poettering <lennart@poettering.net> |
unit: drop the Names= option
Names= is a source of errors, simply because alias names specified like
this only become relevant after a unit has been loaded but cannot be
used to load a unit.
Let's get rid of the confusion and drop this field. To establish alias
names peope should use symlinks, which have the the benefit of being
useful as key to load a unit, even though they are not taken into
account if unit names are listed but they haven't been explicitly
referenced before. |
98709151f3e782eb508ba15e2a12c0b46003f061 |
|
15-Jun-2012 |
Lukas Nykryn <lnykryn@redhat.com> |
service: timeout for oneshot services
Add possibility to specify timeout for oneshot services.
[ https://bugzilla.redhat.com/show_bug.cgi?id=761656
Added minor fixups. -- michich ] |
213ba152fdf7978773be5b8a72e040584765137f |
|
01-Jun-2012 |
Lennart Poettering <lennart@poettering.net> |
journal: allow setting of a cutoff log level for disk storage, syslog, kmsg, console forwarding |
d88a251b125f6e9178b9ca9ea47ab7da3234cb58 |
|
31-May-2012 |
Lennart Poettering <lennart@poettering.net> |
util: introduce a proper nsec_t and make use of it where appropriate |
ec8927ca5940e809f0b72f530582c76f1db4f065 |
|
24-May-2012 |
Lennart Poettering <lennart@poettering.net> |
main: add configuration option to alter capability bounding set for PID 1
This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway. |
1b64d026af01277e332d10d9e67e2eed5a4ded28 |
|
22-May-2012 |
Lennart Poettering <lennart@poettering.net> |
units: remove service sysv_path variable and replace it by generic unit_path
UnitPath= is also writable via native units and may be used by generators
to clarify from which file a unit is generated. This patch also hooks up
the cryptsetup and fstab generators to set UnitPath= accordingly. |
49dbfa7b2b0bf3906704dac1eaeb4eba91056a19 |
|
21-May-2012 |
Lennart Poettering <lennart@poettering.net> |
units: introduce new Documentation= field and make use of it everywhere
This should help making the boot process a bit easier to explore and
understand for the administrator. The simple idea is that "systemctl
status" now shows a link to documentation alongside the other status and
decriptionary information of a service.
This patch adds the necessary fields to all our shipped units if we have
proper documentation for them. |
9eb977db5b89b44f254ab40c1876a76b7d7ea2d0 |
|
08-May-2012 |
Kay Sievers <kay@vrfy.org> |
util: split-out path-util.[ch] |
7c8fa05c4d5d01748ff2a04edb882afb3119b7d7 |
|
30-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
unit: add new dependency type RequiresMountsFor=
RequiresMountsFor= is a shortcut for adding requires and after
dependencies to all mount units neeed for the specified paths.
This solves a couple of issues regarding dep loop cycles for encrypted
swap. |
5430f7f2bc7330f3088b894166bf3524a067e3d8 |
|
12-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
relicense to LGPLv2.1 (with exceptions)
We finally got the OK from all contributors with non-trivial commits to
relicense systemd from GPL2+ to LGPL2.1+.
Some udev bits continue to be GPL2+ for now, but we are looking into
relicensing them too, to allow free copy/paste of all code within
systemd.
The bits that used to be MIT continue to be MIT.
The big benefit of the relicensing is that closed source code may now
link against libsystemd-login.so and friends. |
b30e2f4c18ad81b04e4314fd191a5d458553773c |
|
11-Apr-2012 |
Kay Sievers <kay@vrfy.org> |
move libsystemd_core.la sources into core/ |