core: set RLIMIT_CORE to unlimited by default The kernel sets RLIMIT_CORE to 0 by default. Let's bump this to unlimited by default (for systemd itself and all processes we fork off), so that the coredump hooks have an effect if they honour it. Bumping RLIMIT_CORE of course would have the effect that "core" files will end up on the system at various places, if no coredump hook is used. To avoid this, make sure PID1 sets the core pattern to the empty string by default, so that this logic is disabled. This change in defaults should be useful for all systems where coredump hooks are used, as it allows useful usage of RLIMIT_CORE from these hooks again. OTOH systems that expect that coredumps are placed under the name "core" in the current directory will break with this change. Given how questionnable this behaviour is, and given that no common distro makes use of this by default it shouldn't be too much of a loss. Also, the old behaviour may be restored by explicitly configuring a "core_pattern" of "core", and setting the default system RLIMIT_CORE to 0 again via system.conf.

tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

resolved: apply epoch to system time from PID 1 For use in timesyncd we already defined a compile-time "epoch" value, which is based on the mtime of the NEWS file, and specifies a point in time we know lies in the past at runtime. timesyncd uses this to filter out nonsensical timestamp file data, and bump the system clock to a time that is after the build time of systemd. This patch adds similar bumping code to earliest PID 1 initialization, so that the system never continues operation with a clock that is in the 1970ies or even 1930s.

manager: print fatal error if early mount failed The mount_setup_early() can fail and if it will occur, there is no sense to make selinux setup and etc.

core: rework unit timeout handling, and add new setting RuntimeMaxSec= This clean-ups timeout handling in PID 1. Specifically, instead of storing 0 in internal timeout variables as indication for a disabled timeout, use USEC_INFINITY which is in-line with how we do this in the rest of our code (following the logic that 0 means "no", and USEC_INFINITY means "never"). This also replace all usec_t additions with invocations to usec_add(), so that USEC_INFINITY is properly propagated, and sd-event considers it has indication for turning off the event source. This also alters the deserialization of the units to restart timeouts from the time they were originally started from. Before this patch timeouts would be restarted beginning with the time of the deserialization, which could lead to artificially prolonged timeouts if a daemon reload took place. Finally, a new RuntimeMaxSec= setting is introduced for service units, that specifies a maximum runtime after which a specific service is forcibly terminated. This is useful to put time limits on time-intensive processing jobs. This also simplifies the various xyz_spawn() calls of the various types in that explicit distruction of the timers is removed, as that is done anyway by the state change handlers, and a state change is always done when the xyz_spawn() calls fail. Fixes: #2249

core: move parsing of rlimits into rlimit-util.[ch] This way we can reuse it for parsing rlimit settings in "systemctl set-property" and related commands.

core: add valgrind helper for daemon-reexec Inspired by https://github.com/systemd/systemd/issues/2187#issuecomment-165587140

core: Add machine-id setting Allow for overriding all other machine-ids which may be present on the system using a kernel command line systemd.machine_id or --machine-id= option. This is especially useful for network booted systems where the machine-id needs to be static, or for containers where a specific machine-id is wanted.

capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.

tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.

tree-wide: sort includes Sort the includes accoding to the new coding style.

core: enable TasksMax= for all services by default, and set it to 512 Also, enable TasksAccounting= for all services by default, too. See: http://lists.freedesktop.org/archives/systemd-devel/2015-November/035006.html

downgrade warning if setting preset failed

core: add new DefaultTasksMax= setting for system.conf This allows initializing the TasksMax= setting of all units by default to some fixed value, instead of leaving it at infinity as before.

core: make sure DefaultLimitCPU= and DefaultLimitRTTIME= understand time units, too We added this for the per-unit setting, hence let's enable this for the global default settings too.

core: make sure to reset the bus error struct before reusing it Otherwise the call might fail, because the error structure is already initialized.

core: drop "override" flag when building transactions Now that we don't have RequiresOverridable= and RequisiteOverridable= dependencies anymore, we can get rid of tracking the "override" boolean for jobs in the job engine, as it serves no purpose anymore. While we are at it, fix some error messages we print when invoking functions that take the override parameter.

defs: rework CONF_DIRS_NULSTR() macro The macro is generically useful for putting together search paths, hence let's make it truly generic, by dropping the implicit ".d" appending it does, and leave that to the caller. Also rename it from CONF_DIRS_NULSTR() to CONF_PATHS_NULSTR(), since it's not strictly about dirs that way, but any kind of file system path. Also, mark CONF_DIR_SPLIT_USR() as internal macro by renaming it to _CONF_PATHS_SPLIT_USR() so that the leading underscore indicates that it's internal.

core: support IEC suffixes for RLIMIT stuff Let's make things more user-friendly and support for example LimitAS=16G rather than force users to always use LimitAS=16106127360. The change is relevant for options: [Default]Limit{FSIZE,DATA,STACK,CORE,RSS,AS,MEMLOCK,MSGQUEUE} The patch introduces config_parse_bytes_limit(), it's the same as config_parse_limit() but uses parse_size() tu support the suffixes. Addresses: https://github.com/systemd/systemd/issues/1772

core: fix typo

core: use runlevel_to_target for /proc/cmdline parsing

core: bump net.unix.max_dgram_qlen really early during boot Only that way it actually has an effect on all our sockets, including $NOTIFY_SOCKET.

core: drop check for /etc/mtab util-linux 2.27.1 now entirely stops looking at /etc/mtab, so we don't need to verify /etc/mtab during early boot any more. Later on, tmpfiles.d/etc.conf will fix /etc/mtab anyway, so there's not even a point in warning about it. Drop test_mtab() and bump the util-linux dependency to >= 2.17.1. Fixes #1495

util-lib: split out allocation calls into alloc-util.[ch]

util-lib: split out printf() helpers to stdio-util.h

util-lib: move /proc/cmdline parsing code to proc-cmdline.[ch]

src/basic: rename audit.[ch] → audit-util.[ch] and capability.[ch] → capability-util.[ch] The files are named too generically, so that they might conflict with the upstream project headers. Hence, let's add a "-util" suffix, to clarify that this are just our utility headers and not any official upstream headers.

util-lib: split stat()/statfs()/stavfs() related calls into stat-util.[ch]

util-lib: move a number of fs operations into fs-util.[ch]

util-lib: split out resource limits related calls into rlimit-util.[ch]

util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]

util-lib: split out user/group/uid/gid calls into user-util.[ch]

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

core: always let the kernel reap zombies when we're about to freeze Regardless of whether we're going to spawn a crash shell or not, let the kernel reap zombies. It's more consistent this way.

core: change how crash_shell and crash_reboot interact Instead of freezing in PID1 and letting the forked child freeze or reboot when exec("/bin/sh") fails, just wait for the child's exit and then do the freeze_or_reboot in PID1 as usual. This means that when both crash_shell and crash_reboot are enabled, the system will reboot after the shell exits.

core: remove spurious assert in parsing CrashChangeVT= "data" is always NULL (and unused) in config_parse_crash_chvt().

core: adjust error message about /etc/mtab Since having /etc/mtab as a regular file is now a fatal error, stop mentioning irrelevant minor consequences.

ask-password: add support for caching passwords in the kernel keyring This adds support for caching harddisk passwords in the kernel keyring if it is available, thus supporting caching without Plymouth being around. This is also useful for hooking up "gdm-auto-login" with the collected boot-time harddisk password, in order to support gnome keyring passphrase unlocking via the HDD password, if it is the same. Any passwords added to the kernel keyring this way have a timeout of 2.5min at which time they are purged from the kernel.

basic: split out cpu set specific APIs into cpu-set-util.[ch]

util: rename parse_cpu_set() to parse_cpu_set_and_warn() It's pretty untypical for our parsing functions to log on their own. Clarify in the name that this one does.

tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers

core: rework crash handling This introduces a new systemd.crash_reboot=1 kernel command line option that triggers a reboot after crashing. This also cleans up crash VT handling. Specifically, it cleans up the configuration setting, to be between 1..63 or a boolean. This is to replace the previous logic where "-1" meant disabled. We continue to accept that setting, but only document the boolean syntax instead. This also brings the documentation of the default settings in sync with what actually happens. The CrashChVT= configuration file setting is renamed to CrashChangeVT=, following our usual logic of not abbreviating unnecessarily. The old setting stays support for compat reasons. Fixes #1300

core: properly use the ExitCode bus property when exiting is --user instance

util: introduce common version() implementation and use it everywhere This also allows us to drop build.h from a ton of files, hence do so. Since we touched the #includes of those files, let's order them properly according to CODING_STYLE.

util: unify implementation of NOP signal handler This is highly complex code after all, we really should make sure to only keep one implementation of this extremely difficult function around.

core: remove set_default_unit() The new free_and_strdup() call does pretty much the same thing these days, no need to keep a private limited purpose version around.

core: modernize prepare_reexecute()

core: exit early if we hit OOM

core: use %m rather than strerror() where we can

main: minor clean-ups Add (void) casting for a couple of functions where we knowingly ignore the returning error code. Use EXIT_FAILURE where appropriate. Try to initialize structures at declaration time, or at once.

tree-wide: take benefit of the fact that fdset_free() returns NULL

core: order #includes in main.c

strv: add strv_free_free() to strv.c and make use of it Let's teach it a new trick, and make it return NULL.

util: refactor cpu_set parsing into its own function Use the new code in config_parse_cpu_affinity2. Tested by modifying CPUAffinity=... setting in /etc/systemd/system.conf and reloading the daemon, then checking ^Cpus_allowed in /proc/1/status to confirm the correct CPU mask is in place.

core: fix shutdown of --user Shutting down a user session currently fails with: Sep 22 22:35:38 david-t2 systemd[640]: Reached target Shutdown. Sep 22 22:35:38 david-t2 systemd[640]: Starting Exit the Session... Sep 22 22:35:38 david-t2 systemd[640]: Received SIGRTMIN+24 from PID 659 (kill). Sep 22 22:35:38 david-t2 systemd[640]: Shutting down. Sep 22 22:35:38 david-t2 systemd[640]: Not executed by init (PID 1). Sep 22 22:35:38 david-t2 systemd[640]: Critical error while doing system shutdown: Operation not permitted This is a regression from: commit 287419c119ef961db487a281162ab037eba70c61 Author: Alban Crequy <alban.crequy@gmail.com> Date: Fri Sep 18 13:37:34 2015 +0200 containers: systemd exits with non-zero code Make sure we never ever execute systemd-shutdown from within a user-manager. Restore the previous behavior by partially reverting given commit.

cgtop: underline table header Let's underline the header line of the table shown by cgtop, how it is customary for tables. In order to do this, let's introduce new ANSI underline macros, and clean up the existing ones as side effect.

containers: systemd exits with non-zero code When a systemd service running in a container exits with a non-zero code, it can be useful to terminate the container immediately and get the exit code back to the host, when systemd-nspawn returns. This was not possible to do. This patch adds the following to make it possible: - Add a read-only "ExitCode" property on PID 1's "Manager" bus object. By default, it is 0 so the behaviour stays the same as previously. - Add a method "SetExitCode" on the same object. The method fails when called on baremetal: it is only allowed in containers or in user session. - Add support in systemctl to call "systemctl exit 42". It reuses the existing code for user session. - Add exit.target and systemd-exit.service to the system instance. - Change main() to actually call systemd-shutdown to exit() with the correct value. - Add verb 'exit' in systemd-shutdown with parameter --exit-code - Update systemctl manpage. I used the following to test it: | $ sudo rkt --debug --insecure-skip-verify run \ | --mds-register=false --local docker://busybox \ | --exec=/bin/chroot -- /proc/1/root \ | systemctl --force exit 42 | ... | Container rkt-895a0cba-5c66-4fa5-831c-e3f8ddc5810d failed with error code 42. | $ echo $? | 42 Fixes https://github.com/systemd/systemd/issues/1290

core: add support for the "pids" cgroup controller This adds support for the new "pids" cgroup controller of 4.3 kernels. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new setting TasksAccounting= and TasksMax= to each unit, as well as a gloabl option DefaultTasksAccounting=. This also updated "cgtop" to optionally make use of the new kernel-provided accounting. systemctl has been updated to show the number of tasks for each service if it is available. This patch also adds correct support for undoing memory limits for units using a MemoryLimit=infinity syntax. We do the same for TasksMax= now and hence keep things in sync here.

tree-wide: take benefit of the fact that hashmap_free() returns NULL And set_free() too. Another Coccinelle patch.

util: introduce safe_fclose() and port everything over to it Adds a coccinelle script to port things over automatically.

tree-wide: update empty-if coccinelle script to cover empty-while and more Let's also clean up single-line while and for blocks.

core: freeze execution if /etc/mtab exists The mount monitor that was added to libmount v2.27 requires /etc/mtab to be non-existant. As systemd now uses that functionality, we cannot monitor any mounts anymore, and hence not support .mount units. Systems that have /etc/mtab around as regular file are unsupported by systemd since a long time. This patch makes that condition fatal, so we do not boot up with non-working mount monitor support.

tree-wide: drop {} from one-line if blocks Patch via coccinelle.

tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.

basic: rework virtualization detection API Introduce a proper enum, and don't pass around string ids anymore. This simplifies things quite a bit, and makes virtualization detection more similar to architecture detection.

core: Log parse errors in config_parse_cpu_affinity2

cgroup: small cleanups and coding style fixes A number of simplications and adjustments to brings things closer to our coding style.

core: add OOM check in config_parse_join_controllers

core: Log parse errors in config_parse_join_controllers

core: Use extract_first_word in config_parse_join_controllers Related to the TODO item to replace FOREACH_WORD_QUOTED with it. Tested by setting `JoinControllers=cpu,cpuacct,memory net_cls,blkio' in /etc/systemd/system.conf, rebooting the system with the patched binaries and checking that the desired setup was created by inspecting the entries under /sys/fs/cgroup. No regressions observed in test cases.

util: Declare a cleanup routine for a cpu_set_t Make use of it in config_parse_cpu_affinity2. Tested by tweaking the `CPUAffinity' setting in /etc/systemd/system.conf and reloading the daemon to confirm it is working as expected. No regressions observed in test cases.

core: Use extract_first_word in config_parse_cpu_affinity2 Related to the TODO item to replace FOREACH_WORD_QUOTED with it. Tested by setting `CPUAfinity=0 1' (and other similar settings) in /etc/systemd/system.conf, booting the system with the patched binaries (and also using `systemctl daemon-reload` to reconfigure) and checking that /proc/1/status indicates only CPUs 0 and 1 are allowed for PID 1. No regressions observed in test cases.

core: use DUAL_TIMESTAMP_NULL where we can

core: s/reexection/reexecution/ typo fix Signed-off-by: Jan Pokorný <jpokorny@redhat.com>

tree-wide: introduce mfree() Pretty trivial helper which wraps free() but returns NULL, so we can simplify this: free(foobar); foobar = NULL; to this: foobar = mfree(foobar);

Reload manager defaults at daemon-reload "systemctl daemon-reload" should also update the manager defaults from /etc/systemd/system.conf. For details, see: http://lists.freedesktop.org/archives/systemd-devel/2015-June/033062.html Amended to use manager_set_defaults() as common function.

fileio: consolidate write_string_file*() Merge write_string_file(), write_string_file_no_create() and write_string_file_atomic() into write_string_file() and provide a flags mask that allows combinations of atomic writing, newline appending and automatic file creation. Change all users accordingly.

core: handle --log-target=null when calling systemd-shutdown When shutting down, if systemd was started with --log-target=null, systemd-shutdown was being called with --log-target=console.

tree-wide: whenever we fork off a foreign child process reset signal mask/handlers Also, when the child is potentially long-running make sure to set a death signal. Also, ignore the result of the reset operations explicitly by casting them to (void).

core: Remove "old kernel" warning if PR_SET_CHILD_SUBREAPER fails This made sense when systemd ran on older kernels, nowdays not so much.

util: split out signal-util.[ch] from util.[ch] No functional changes.

fix extraneous space in equality check

fix extraneous space in equality check

core: Execute first boot presets in an enable-only preset-mode. This means any existing enabled units well be preserved and no pre-created symlinks will be removed. This is done on first boot, when the assumption is that /etc is not populated at all (no machine-id setup). For minimal containers that gives a significant first boot speed up, approximately ~20ms / ~16% in my trials.

core: rename SystemdRunningAs to ManagerRunningAs It's primarily just a property of the Manager object after all, and we try to refer to PID 1 as "manager" instead of "systemd", hence let's to stick to this here too.

core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters

treewide: Correct typos and spell plural of bus consistent

shared: add terminal-util.[ch]

shared: add process-util.[ch]

shared: add formats-util.h

core: Remove explicit Plymouth integration Even if plymouth is running, it might have not displayed the splash yet, so we'll see a few lines on fbcon when we should have otherwise had nothing. Plymouth integration was added to systemd in commit 6faa11140bf776cdaeb8d22d01816e6e48296971. That same day, Plymouth got systemd integration [0]. As such, the Plymouth integration has always been obsolete, and was probably only for older Plymouth's. But I can't imagine anybody running a Plymouth from 2011 with a systemd from 2015. Remove the Plymouth/systemd integration, and let Plymouth's code tell systemd to print the details. [0] http://cgit.freedesktop.org/plymouth/commit/?id=537c16422cd49f1beeaab1ad39846a00018faec1 Signed-off-by: Jasper St. Pierre <jstpierre@mecheye.net> Cc: Daniel Drake <dsd@endlessm.com> Cc: Ray Strode <rstrode@redhat.com>

Add (void) where we don't care about return value

core: do not use quotes around virt and arch Quotes are useful when the string can contain spaces or be otherwise confusing. Not possible with those two.

remove unused includes This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.

everywhere: remove configurability of sysv runlevel to target mapping With this change runlevel 2, 3, 4 are mapped to multi-user.target for good, and 5 to graphical.target. This was already the previous mapping but is now no longer reconfigurable, but hard-coded into the core. This should generally simplify things, but also fix one bug: the sysv-generator previously generated symlinks to runlevel[2-5].target units, which possibly weren't picked up if these aliases were otherwise only referenced by the real names "multi-user.target" and "graphical.target". We keep compat aliases "runlevel[2345].target" arround for cases where this target name is explicitly requested.

core: disarm shutdown watchdog if we fail to set timeout Better safe than sorry, if drivers are stupid, and reset immediately on device closing if the timeout could not be initialized. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777735

core: don't reset log level to NOTICE if we get quiet on the kernel cmdline quiet should really just have an effect on the stuff we dump on the console, not what we log elsewhere. Hence: debug on kernel cmdline → interpreted by every tool, turns up log levels to "debug" everywhere. quiet on kernel cmdline → interpreted only by PID 1 (and obviously the kernel) no alteration of the max log level, but turns off status output. http://lists.freedesktop.org/archives/systemd-devel/2014-December/026271.html

core: use some nice macros where appropriate

Add a snprinf wrapper which checks that the buffer was big enough If we scale our buffer to be wide enough for the format string, we should expect that the calculation was correct. char_array_0() invocations are removed, since snprintf nul-terminates the output in any case. A similar wrapper is used for strftime calls, but only in timedatectl.c.

core: make setting the shutdown watchdog configuration via dbus work https://bugs.freedesktop.org/show_bug.cgi?id=88284

Revert "core: make setting the shutdown watchdog configuration via dbus work" This reverts commit df6e44c4affced590b0d19c594d9301ffd436591. systemd --version segfaults. Starting program: /usr/lib/systemd/systemd --version Missing separate debuginfos, use: debuginfo-install systemd-216-16.fc21.x86_64 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". systemd 218 +PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN Program received signal SIGSEGV, Segmentation fault. 0x000055555557c9be in main (argc=2, argv=0x7fffffffe4d8) at src/core/main.c:1832 1832 arg_shutdown_watchdog = m->shutdown_watchdog; (gdb) bt (gdb) bt full m = 0x0

core: make setting the shutdown watchdog configuration via dbus work https://bugs.freedesktop.org/show_bug.cgi?id=88284

core: explain why failing to set up the crash handler is not a real problem http://lists.freedesktop.org/archives/systemd-devel/2015-January/027428.html

core: fix typo in log message

tree-wide: spelling fixes https://github.com/vlajos/misspell_fixer https://github.com/torstehu/systemd/commit/b6fdeb618cf2f3ce1645b3315f15f482710c7ffa Thanks to Torstein Husebo <torstein@huseboe.net>.

tmpfiles: add new line type 'v' for creating btrfs subvolumes

core: use raw_clone instead of fork in signal handler fork() is not async-signal-safe and calling it from the signal handler could result in a deadlock when at_fork() handlers are called. Using the raw clone() syscall sidesteps that problem. The tricky part is that raise() does not work, since getpid() does not work. Add raw_getpid() to get the real pid, and use kill() instead of raise(). https://bugs.freedesktop.org/show_bug.cgi?id=86604

core: correct spacing near eol in code comments

core: Support system.conf.d and user.conf.d directories in the usual search paths

treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".

treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.

treewide: more log_*_errno + return simplifications

treewide: more log_*_errno() conversions, multiline calls Basically: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/log_(debug|info|notice|warning|error|emergency)\("([^"]*)%s"([^;]*),\s*strerror\(-?([->a-zA-Z_]+)\)\);/log_\1_errno(\4, "\2%m"\3);/gms;print;' \ $f; done Plus manual indentation fixups.

treewide: more log_*_errno() conversions

treewide: no need to negate errno for log_*_errno() It corrrectly handles both positive and negative errno values.

treewide: auto-convert the simple cases to log_*_errno() As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().

log: rearrange log function naming - Rename log_meta() → log_internal(), to follow naming scheme of most other log functions that are usually invoked through macros, but never directly. - Rename log_info_object() to log_object_info(), simply because the object should be before any other parameters, to follow OO-style programming style.

manager: print fatal errors on the console too When booting in quiet mode, fatal messages would not be shown at all to the user. https://bugzilla.redhat.com/show_bug.cgi?id=1155468

manager: log some fatal errors at emergency level This adds a new log_emergency() function, which is equivalent to log_error() for non-PID-1, and logs at the highest priority for PID 1. Some messages which occur before freezing are converted to use it.

manager: let manager_free() handle NULLs This makes the calling code a bit simpler.

kmod: move #ifdef checks for kmod-setup out of main.c into kmod-setup.c

mount-setup: remove mount_setup_late() Turns out we can just do kmod_setup() earlier, before we do mount_setup(), so there's no need for mount_setup_late() anymore. Instead, put kdbusfs in mount_table[].

sd-bus: sync with kdbus upstream (ABI break) kdbus has seen a larger update than expected lately, most notably with kdbusfs, a file system to expose the kdbus control files: * Each time a file system of this type is mounted, a new kdbus domain is created. * The layout inside each mount point is the same as before, except that domains are not hierarchically nested anymore. * Domains are therefore also unnamed now. * Unmounting a kdbusfs will automatically also detroy the associated domain. * Hence, the action of creating a kdbus domain is now as privileged as mounting a filesystem. * This way, we can get around creating dev nodes for everything, which is last but not least something that is not limited by 20-bit minor numbers. The kdbus specific bits in nspawn have all been dropped now, as nspawn can rely on the container OS to set up its own kdbus domain, simply by mounting a new instance. A new set of mounts has been added to mount things *after* the kernel modules have been loaded. For now, only kdbus is in this set, which is invoked with mount_setup_late().

util: simplify proc_cmdline() to reuse get_process_cmdline() Also, make all parsing of the kernel cmdline non-fatal.

mac: add mac_ prefix to distinguish origin security apis

core: remove system start timeout logic again The system start timeout as previously implemented would get confused by long-running services that are included in the initial system startup transaction for example by being cron-job-like long-running services triggered immediately at boot. Such long-running jobs would be subject to the default 15min timeout, esily triggering it. Hence, remove this again. In a subsequent commit, introduce per-target job timeouts instead, that allow us to control these timeouts more finegrained.

mac: rename apis with mac_{selinux/smack}_ prefix

systemd: continue switch-root even if umount fails Leaving the old root around seems better than aborting the switch.

core: map the 'rescue' argument to rescue.target Even though the 'emergency' and 'single' aliases come from sysvinit, the lack of 'rescue' is still quite confusing (caught me by surprise for the 9th time yet) and inconsistent with `systemctl rescue` as well.

core: limit timestamp to sane precision Anything below .1 s is meaningless anyway.

use the switch_root function in shutdown removes code duplication also move switch-root to shared

util: make use of newly added reset_signal_mask() call wherever appropriate

core: introduce "poweroff" as new failure action types Also, change the default action on a system start-up timeout to powering off.

core: add support for a configurable system-wide start-up timeout When this system-wide start-up timeout is hit we execute one of the failure actions already implemented for services that fail. This should not only be useful on embedded devices, but also on laptops which have the power-button reachable when the lid is closed. This devices, when in a backpack might get powered on by accident due to the easily reachable power button. We want to make sure that the system turns itself off if it starts up due this after a while. When the system manages to fully start-up logind will suspend the machine by default if the lid is closed. However, in some cases we don't even get as far as logind, and the boot hangs much earlier, for example because we ask for a LUKS password that nobody ever enters. Yeah, this is a real-life problem on my Yoga 13, which has one of those easily accessible power buttons, even if the device is closed.

main,log: parse the log related kernel command line parameters at one place only, and for all tools Previously, we ended up parsing some of them three times: in main.c when processing the kernel cmdline, in main.c when processing the process cmdline (only for containers), and in log.c again. Let's streamline this, and only parse them in log.c In PID 1 also make sure we parse "quiet" first, and then override this with the more specific checks in log.c

main: minor code modernization for initializing the console

log: never ever log to syslog from PID 1, log to the journal again We don't support journal-less systems anyway, so let's avoid the confusion.

Unify parse_argv style getopt is usually good at printing out a nice error message when commandline options are invalid. It distinguishes between an unknown option and a known option with a missing arg. It is better to let it do its job and not use opterr=0 unless we actually want to suppress messages. So remove opterr=0 in the few places where it wasn't really useful. When an error in options is encountered, we should not print a lengthy help() and overwhelm the user, when we know precisely what is wrong with the commandline. In addition, since help() prints to stdout, it should not be used except when requested with -h or --help. Also, simplify things here and there.

Properly report invalid quoted strings $ systemd-analyze verify trailing-g.service [./trailing-g.service:2] Trailing garbage, ignoring. trailing-g.service lacks ExecStart setting. Refusing. Error: org.freedesktop.systemd1.LoadFailed: Unit trailing-g.service failed to load: Invalid argument. Failed to create trailing-g.service/start: Invalid argument

Reject invalid quoted strings String which ended in an unfinished quote were accepted, potentially with bad memory accesses. Reject anything which ends in a unfished quote, or contains non-whitespace characters right after the closing quote. _FOREACH_WORD now returns the invalid character in *state. But this return value is not checked anywhere yet. Also, make 'word' and 'state' variables const pointers, and rename 'w' to 'word' in various places. Things are easier to read if the same name is used consistently. mbiebl_> am I correct that something like this doesn't work mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"' mbiebl_> systemd seems to strip of the quotes mbiebl_> systemctl status shows mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint mbiebl_> which is pretty weird

time-util: add and use USEC/NSEC_INFINIY

core: only set the kernel's timezone when the RTC runs in local time We can not reliably manage any notion of local time. Every daylight saving time change or time zone change by traveling will make the time jump, and the local time might jump backwards which creates unsolvable problems with file timestamps. We will no longer tell the kernel our local time zone and leave everything set to UTC. This will effectively turn FAT timestamps into UTC timestamps. If and only if the machine is configured to read the RTC in local time mode, the kernel's time zone will be configured, but systemd-timesysnc will disable the kernel's system time to RTC syncing. In this mode, the RTC will not be managed, and external tools like Windows bootups are expected to manage the RTC's time. https://bugs.freedesktop.org/show_bug.cgi?id=81538

test-engine: fix access to unit load path Also add a bit of debugging output to help diagnose problems, add missing units, and simplify cppflags. Move test-engine to normal tests from manual tests, it should now work without destroying the system.

systemd: use pager for --test and --help

Let config_parse open file where applicable Special care is needed so that we get an error message if the file failed to parse, but not when it is missing. To avoid duplicating the same error check in every caller, add an additional 'warn' boolean to tell config_parse whether a message should be issued. This makes things both shorter and more robust wrt. to error reporting.

Constify ConfigTableItem tables

firstboot: get rid of firstboot generator again, introduce ConditionFirstBoot= instead As Zbigniew pointed out a new ConditionFirstBoot= appears like the nicer way to hook in systemd-firstboot.service on first boots (those with /etc unpopulated), so let's do this, and get rid of the generator again.

firstboot: add new component to query basic system settings on first boot, or when creating OS images offline A new tool "systemd-firstboot" can be used either interactively on boot, where it will query basic locale, timezone, hostname, root password information and set it. Or it can be used non-interactively from the command line when prepareing disk images for booting. When used non-inertactively the tool can either copy settings from the host, or take settings on the command line. $ systemd-firstboot --root=/path/to/my/new/root --copy-locale --copy-root-password --hostname=waldi The tool will be automatically invoked (interactively) now on first boot if /etc is found unpopulated. This also creates the infrastructure for generators to be notified via an environment variable whether they are running on the first boot, or not.

main: explain our /etc empty check a bit in a comment

main: change check whether /etc is unpopulated to look for /etc/machine-id Previously, we checked whether /etc was completely empty. This makes it difficult though for container managers such as nspawn to install a small number of files (such as /etc/timezone), and have the system otherwise populate its own tree. Hence, change this by looking for /etc/machine-id, which should be a good sign whether /etc is populated or not.

main: uid_to_name() might fail due to OOM, protect against that

core: use correct format string for UIDs

core: clean-up signal reset logic when reexec There's no need to save the old sigmask, if we are going to die. Let's simplify this. Also, reset all the signal handlers, so that we don't leave SIG_IGN set for some of them across reexec.

main: don't show help text anymore when we detect an unknown kernel cmdline value starting with "systemd." As generators and other components started to maintain their own kernel command line options this help text needed more and more exceptions and wasn't complete anyway. Fixing that would leak more information about specific generators into PID 1, which we should avoid. Given that kernel cmdline handling traditionally doesn't generate errors or show help texts, let's just remove the logic for it for systemd too.

main: honour rd.systemd.unit= only in the initrd, not the host

core: populate unit file set with preset data if we boot with empty /etc

machine-id-setup: allow passing NULL as function argument, for simplicity

kmod: conditionalize kmod setup on CAP_SYS_MODULE, not whether we run in a container It's generally preferrable to conditionalize on the actual ability to do something then the context we run in.

log: don't downgrade log level in non-PID 1 if "quiet" is passed on kernel cmdline "debug" should apply to all tools, but "quiet" only to PID1.

Reset signal-mask on re-exec to init=.. Process 1 (aka init) needs to be started with an empty signal mask. That includes the process 1 that's started after the initrd is finished. When the initrd is using systemd (as it does with dracut based initrds) then it is systemd that calls the real init. Normally this is systemd again, except when the user uses for instance "init=/bin/bash" on the kernel command line.

core: don't complain at early boot if /etc/mtab is not the right symlink When we boot up with an empty /etc it's ok if the symlink doesn't exist. We will create it later with tmpfiles.

os-release: define /usr/lib/os-release as fallback for /etc/os-release The file should have been in /usr/lib/ in the first place, since it describes the OS container in /usr (and not the configuration in /etc), hence, let's support os-release files in /usr/lib as fallback if no version in /etc exists, following the usual override logic. A prior commit already enabled tmpfiles to create /etc/os-release as a symlink to /usr/lib/os-release should it be missing, thus providing nice compatibility with applications only checking in /etc. While it's probably a good idea if all apps check both locations via a fallback logic, it is only necessary in the early boot process, as long as the /etc/os-release symlink has not been restored, in case we boot with an empty /etc.

virt: rework container detection logic Instead of accessing /proc/1/environ directly, trying to read the $container variable from it, let's make PID 1 save the contents of that variable to /run/systemd/container. This allows us to detect containers without the need for CAP_SYS_PTRACE, which allows us to drop it from a number of daemons and from the file capabilities of systemd-detect-virt. Also, don't consider chroot a container technology anymore. After all, we don't consider file system namespaces container technology anymore, and hence chroot() should be considered a container even less.

shared: rename hwclock.[ch] to clock-util.[ch]

cgroups: simplify CPUQuota= logic Only accept cpu quota values in percentages, get rid of period definition. It's not clear whether the CFS period controllable per-cgroup even has a future in the kernel, hence let's simplify all this, hardcode the period to 100ms and only accept percentage based quota values.

core: require cgroups filesystem to be available We should no longer pretend that we can run in any sensible way without the kernel supporting us with cgroups functionality.

core: expose CFS CPU time quota as high-level unit properties

reduce the amount of messages logged to /dev/kmsg when "debug" is specified

core: add a setting to globally control the default for timer unit accuracy

util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.

machine-id: add --root option to operate on an alternate fs tree This makes it possible to initialize the /etc/machine-id file on an arbitrary filesystem hierarchy. This helps systems that wish to run this at image creation time in a subdirectory, or from initramfs before pivot-root is called. [tomegun: converted to using _cleanup_free_ macros]

fix off by one error in array index assertion Since the index is already post-incremented when the array is appended to, this assertion can be wrongly reached when the array is at capacity (with the NULL terminator). The bug is reproducible on shutdown with the following settings in /etc/systemd/system.conf: LogTarget=journal-or-kmsg LogColor=yes LogLocation=yes Reported by Thermi on IRC.

gpt-auto-generator: automatically find the root disk of the system When run in an initrd and no root= argument is set (or is set to root=gpt-auto) we will automatically look for the root partition on the same disk the EFI ESP is located on. Since we look for swap, /home and /srv on the disk the root partition is located on, we hence have a fully discoverable chain: Firmware discovers the EFI ESP partition → the initrd discovers the root partition → the host OS discovers swap, /home, and /srv. Note that this requires an EFI boot loader that sets the LoaderDevicePartUUID EFI variable, such as Gummiboot.

util: move more intellegince into parse_proc_cmdline() Already split variable assignments before invoking the callback. And drop "rd." settings if we are not in an initrd.

missing: if RLIMIT_RTTIME is not defined by the libc, then we need a new define for the max number of rlimits, too

core: move ShowStatus type into the core Let's make the scope of the show-status stuff a bit smaller, and make it private to the core, rather than shared API in shared/.

execute: no need to include seccomp.h from execute.h

core: add global settings for enabling CPUAccounting=, MemoryAccounting=, BlockIOAccounting= for all units at once

smack: set loaded_policy in smack_setup() With loaded_policy set to true mount_setup() relabels /dev properly.

hostnamectl: should the sanitized arch, not the native uname() one

main: make gcc shut up

core: fixate show_status earlier, so that we actually print the welcome message Previously, we'd fixed show_state only after printing the welcome message which had the effect that the welcome message was almost always suppressed.

main: don't set no_new_privs when using SystemCallArchitectures= system-wide After all, we want to allow userspace to get new privs...

Pass log config from systemd to systemd-shutdown If PID 1 debug logging is enabled, it is nice to keep those settings when switching to systemd-shutdown binary, independently of whether this was done through /proc/cmdline options, or through runtime manipulations.

Some modernizations

Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.

seccomp: fix build again if libseccomp is missing

core: add a system-wide SystemCallArchitectures= setting This is useful to prohibit execution of non-native processes on systems, for example 32bit binaries on 64bit systems, this lowering the attack service on incorrect syscall and ioctl 32→64bit mappings.

manager: add systemd.show_status=auto mode When set to auto, status will shown when the first ephemeral message is shown (a job has been running for five seconds). Then until the boot or shutdown ends, status messages will be shown. No indication about the switch is done: I think it should be clear for the user that first the cylon eye and the ephemeral messages appear, and afterwards messages are displayed. The initial arming of the event source was still wrong, but now should really be fixed.

Improve messages about user mode a bit

Remove unused variables

strv: multiple cleanups - turn strv_merge into strv_extend_strv. appending strv b to the end of strv a instead of creating a new strv - strv_append: remove in favor of strv_extend and strv_push. - strv_remove: write slightly more elegant - strv_remove_prefix: remove unused function - strv_overlap: use strv_contains - strv_printf: STRV_FOREACH handles NULL correctly

Use format patterns for usec_t, pid_t, nsec_t, usec_t It is nicer to predefine patterns using configure time check instead of using casts everywhere. Since we do not need to use any flags, include "%" in the format instead of excluding it like PRI* macros.

log: als turn on debug logging in non-PID1 if /proc/cmdline contains "debug"

do not run kmod-setup in a container

core: in a container log to /dev/console if "debug" is specified

log: don't reopen /dev/console each time we call log_open() Instead, force reopen it only if we really really have to.

_noreturn_ --> noreturn for C11 compat also define noreturn w/o <stdnoreturn.h>

core: allocate a kdbus bus for each systemd instance, if we can

tree-wide usage of %m specifier instead of strerror(errno) Also for log_error() except where a specific error is specified e.g. errno ? strerror(errno) : "Some user specified message"

shutdown: during final killing spree also send SIGHUP in addition to SIGTERM to deal with shells This makes shutdown a bit faster if debug-shell.service is enabled.

conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two

valgrind: make running PID 1 in valgrind useful Since valgrind only generates useful output on exit() (rather than exec()) we need to explicitly exit when valgrind is detected.

core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.

analyze: plot the time spent setting up security modules

manager: configurable StartLimit default values https://bugzilla.redhat.com/show_bug.cgi?id=821723

core: fix require $XDG_RUNTIME_DIR $ sudo dracut -f Trying to run as user instance, but $XDG_RUNTIME_DIR is not set. /usr/lib/dracut/modules.d/98systemd/module-setup.sh: line 10: ((: >= 198 : syntax error: operand expected (error token is ">= 198 ")

udevadm-settle: add missing brace

core: require $XDG_RUNTIME_DIR to be set for user instances It seems that some places use /run otherwise, which isn't going to work.