tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

core: make the StartLimitXYZ= settings generic and apply to any kind of unit, not just services This moves the StartLimitBurst=, StartLimitInterval=, StartLimitAction=, RebootArgument= from the [Service] section into the [Unit] section of unit files, and thus support it in all unit types, not just in services. This way we can enforce the start limit much earlier, in particular before testing the unit conditions, so that repeated start-up failure due to failed conditions is also considered for the start limit logic. For compatibility the four options may also be configured in the [Service] section still, but we only document them in their new section [Unit]. This also renamed the socket unit failure code "service-failed-permanent" into "service-start-limit-hit" to express more clearly what it is about, after all it's only triggered through the start limit being hit. Finally, the code in busname_trigger_notify() and socket_trigger_notify() is altered to become more alike. Fixes: #2467

core: rework job_get_timeout() to use usec_t and handle USEC_INFINITY time events correctly

core: rework unit timeout handling, and add new setting RuntimeMaxSec= This clean-ups timeout handling in PID 1. Specifically, instead of storing 0 in internal timeout variables as indication for a disabled timeout, use USEC_INFINITY which is in-line with how we do this in the rest of our code (following the logic that 0 means "no", and USEC_INFINITY means "never"). This also replace all usec_t additions with invocations to usec_add(), so that USEC_INFINITY is properly propagated, and sd-event considers it has indication for turning off the event source. This also alters the deserialization of the units to restart timeouts from the time they were originally started from. Before this patch timeouts would be restarted beginning with the time of the deserialization, which could lead to artificially prolonged timeouts if a daemon reload took place. Finally, a new RuntimeMaxSec= setting is introduced for service units, that specifies a maximum runtime after which a specific service is forcibly terminated. This is useful to put time limits on time-intensive processing jobs. This also simplifies the various xyz_spawn() calls of the various types in that explicit distruction of the timers is removed, as that is done anyway by the state change handlers, and a state change is always done when the xyz_spawn() calls fail. Fixes: #2249

core: socket options fix SCTP_NODELAY SCTP_NODELAY is diffrent to TCP_NODELAY. Apply proper options in case of SCTP.

socket: nullify pointers after free A socket shouldn't be used after socket_done() returns, but follow the general guideline here and avoid dangling pointers anyway.

socket: free fdname member Plug a small memory leak.

tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.

core: Do not bind a mount unit to a device, if it was from mountinfo If a mount unit is bound to a device, systemd tries to umount the mount point, if it thinks the device has gone away. Due to the uevent queue and inotify of /proc/self/mountinfo being two different sources, systemd can never get the ordering reliably correct. It can happen, that in the uevent queue ADD,REMOVE,ADD is queued and an inotify of mountinfo (or libmount event) happend with the device in question. systemd cannot know, at which point of time the mount happend in the ADD,REMOVE,ADD sequence. The real ordering might have been ADD,REMOVE,ADD,mount and systemd might think ADD,mount,REMOVE,ADD and would umount the mountpoint. A test script which triggered this behaviour is: rm -f test-efi-disk.img dd if=/dev/null of=test-efi-disk.img bs=1M seek=512 count=1 parted --script test-efi-disk.img \ "mklabel gpt" \ "mkpart ESP fat32 1MiB 511MiB" \ "set 1 boot on" LOOP=$(losetup --show -f -P test-efi-disk.img) udevadm settle mkfs.vfat -F32 ${LOOP}p1 mkdir -p mnt mount ${LOOP}p1 mnt ... <dostuffwith mnt> Without the "udevadm settle" systemd unmounted mnt while the script was operating on mnt. Of course the question is, why there was a REMOVE in the first place, but this is not part of this patch.

socket: Add support for socket protcol Now we don't support the socket protocol like sctp and udplite . This patch add a new config param SocketProtocol: udplite/sctp With this now we can configure the protocol as udplite = IPPROTO_UDPLITE sctp = IPPROTO_SCTP Tested with nspawn:

core: drop "override" flag when building transactions Now that we don't have RequiresOverridable= and RequisiteOverridable= dependencies anymore, we can get rid of tracking the "override" boolean for jobs in the job engine, as it serves no purpose anymore. While we are at it, fix some error messages we print when invoking functions that take the override parameter.

core: simplify things a bit by checking default_dependencies boolean in callee, not caller It's nicer to hide the check away in the various xyz_add_default_dependencies() calls, rather than making it explicit in the caller, and thus require deeper nesing.

core: change type of distribute_fds() prototype to return void We can't handle errors of thisc all sanely anyway, and we never actually return any errors from the unit type that implements the call. Hence, let's make this void, in order to simplify things.

core: all unit types that watch control PIDs should use the same logic When coldplugging the unit state, make sure to follow the same basic logic for all unit types: always verify whether the control PID is still a waitable process before proceeding.

process-util: move a couple of process-related calls over

util-lib: split out allocation calls into alloc-util.[ch]

util-lib: move string table stuff into its own string-table.[ch]

util: remove path_get_parent(), in favour of dirname_malloc() We don't need two functions that do essentialy the same, hence drop path_get_parent(), and stick to dirname_malloc(), but move it to path-util.[ch].

util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]

util-lib: split out user/group/uid/gid calls into user-util.[ch]

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.

core: add support for setting stdin/stdout/stderr for transient services When starting a transient service, allow setting stdin/stdout/stderr fds for it, by passing them in via the bus. This also simplifies some of the serialization code for units.

core: add support for naming file descriptors passed using socket activation This adds support for naming file descriptors passed using socket activation. The names are passed in a new $LISTEN_FDNAMES= environment variable, that matches the existign $LISTEN_FDS= one and contains a colon-separated list of names. This also adds support for naming fds submitted to the per-service fd store using FDNAME= in the sd_notify() message. This also adds a new FileDescriptorName= setting for socket unit files to set the name for fds created by socket units. This also adds a new call sd_listen_fds_with_names(), that is similar to sd_listen_fds(), but also returns the names of the fds. systemd-activate gained the new --fdname= switch to specify a name for testing socket activation. This is based on #1247 by Maciej Wereski. Fixes #1247.

core: simplify fd collection code, return number of fds as return value Let's simplify the fd collection code a bit, and return the number of collected fds as positive integer, the way it's customary in our usual code.

socket: don't double close the same fd for FIFOs

core: add new setting Writable= to ListenSpecial= socket units Writable= is a new boolean setting. If ture, then ListenSpecial= will open the specified path in O_RDWR mode, rather than just O_RDONLY. This is useful for implementing services like rfkill, where /dev/rfkill is more useful when opened in write mode, if we want to not only save but also restore its state.

tree-wide: remove a number of invocations of strerror() and replace by %m Let's clean up our tree a bit, and reduce invocations of the thread-unsafe strerror() by replacing it with printf()'s %m specifier.

socket: rename ffs_xyz to usbffs_xyz The relation to USB should really be clearer.

core: turn a large if statement into a switch

selinux: add _cleanup_ concepts to SELinux label allocation

core: simplify how we create socket fds Let's always return the allocated fds as return values where possible, and make more use of _cleanup_close_

core: small error message wording improvements

Move all unit states to basic/ and extend systemctl --state=help

core: Add FFSDescriptors and FFSStrings service parameters By using these parameters functionfs service can specify ffs descriptors and strings which should be written to ep0.

core: Add socket type for usb functionfs endpoints For handling functionfs endpoints additional socket type is added.

core: Add list of additional file descriptors to socket port Some additional files related to single socket may appear in the filesystem and they should be opened and passed to related service. This commit adds optional list of file descriptors, which are dynamically discovered and opened.

tree-wide: don't do assignments within if checks Turn this: if ((r = foo()) < 0) { ... into this: r = foo(); if (r < 0) { ...

tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.

unit: unify how we assing slices to units This adds a new call unit_set_slice(), and simplifies unit_add_default_slice(). THis should make our code a bit more robust and simpler.

socket: fix setsockopt call. SOL_SOCKET changed to SOL_TCP.

core: add unit_dbus_interface_from_type() to unit-name.h Let's add a way to get the type-specific D-Bus interface of a unit from either its type or name to src/basic/unit-name.[ch]. That way we can share it with the client side, where it is useful in tools like cgls or machinectl. Also ports over machinectl to make use of this.

Revert "sd-bus: do not connect to dbus-1 socket when kdbus is available" This reverts commit d4d00020d6ad855d65d31020fefa5003e1bb477f. The idea of the commit is broken and needs to be reworked. We really cannot reduce the bus-addresses to a single address. We always will have systemd with native clients and legacy clients at the same time, so we also need both addresses at the same time.

sd-bus: do not connect to dbus-1 socket when kdbus is available We should not fall back to dbus-1 and connect to the proxy when kdbus returns an error that indicates that kdbus is running but just does not accept new connections because of quota limits or something similar. Using is_kdbus_available() in libsystemd/ requires it to move from shared/ to libsystemd/. Based on a patch from David Herrmann: https://github.com/systemd/systemd/pull/886

smack-util: revise smack-util apis and add read smack attr apis - Add smack xattr lookup table - Unify all of mac_smack_apply_xxx{_fd}() to mac_smack_apply() and mac_smack_apply_fd(). - Add smack xattr read apis similar with apply apis as mac_smack_read{_fd}().

core: remove generic job completion messages from unit vtables These units' message format strings are identical to the generic strings. Since we can always rely on the fallback, these are now redundant.

socket: Set SO_REUSEPORT before bind() bind() fails if it is called before setting SO_REUSEPORT and another process is already binded to the same addess. A new reuse_port option has been introduced to socket_address_listen() to set the option as part of socket initialization.

tree-wide: whenever we fork off a foreign child process reset signal mask/handlers Also, when the child is potentially long-running make sure to set a death signal. Also, ignore the result of the reset operations explicitly by casting them to (void).

tree-wide: remove spurious space

util: split out signal-util.[ch] from util.[ch] No functional changes.

core: only set event source name when we create an event source

core: rename SystemdRunningAs to ManagerRunningAs It's primarily just a property of the Manager object after all, and we try to refer to PID 1 as "manager" instead of "systemd", hence let's to stick to this here too.

core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters

core: always initialize ExecParamters.bus_endpoint_fd to -1 Otherwise it might be passed in as 0, which is a valid fd, but usually does not refer to a real endpoint.

core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name

core: fix event source annotations These looked like a mass-replace gone slightly wrong – two statements with no { }'s, and no error checking.

core: annotate event sources

Revert "core: do not spawn jobs or touch other units during coldplugging" This reverts commit 6e392c9c45643d106673c6643ac8bf4e65da13c1. We really shouldn't invent external state keeping hashmaps, if we can keep this state in the units themselves.

shared: add formats-util.h

socket: minor modernizations

core: do not spawn jobs or touch other units during coldplugging Because the order of coldplugging is not defined, we can reference a not-yet-coldplugged unit and read its state while it has not yet been set to a meaningful value. This way, already active units may get started again. We fix this by deferring such actions until all units have been at least somehow coldplugged. Fixes https://bugs.freedesktop.org/show_bug.cgi?id=88401

core: expose consumed CPU time per unit This adds support for showing the accumulated consumed CPU time per-unit in the "systemctl status" output. The property is also readable via the bus.

remove unused includes This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.

core, shared: in deserializing, match same files reached via different paths When dbus.socket is updated like this: -ListenStream=/var/run/dbus/system_bus_socket +ListenStream=/run/dbus/system_bus_socket ... and daemon-reload is performed, bad things happen. During deserialization systemd does not recognize that the two paths refer to the same named socket and replaces the socket file with a new one. As a result, applications hang when they try talking to dbus. Fix this by finding a match not only when the path names are equal, but also when they point to the same inode. In socket_address_equal() it is necessary to move the address size comparison into the abstract sockets branch. For path name sockets the comparison must not be done and for other families it is redundant (their sizes are constant and checked by socket_address_verify()). FIFOs and special files can also have multiple pathnames, so compare the inodes for them as well. Note that previously the pathname checks used streq_ptr(), but the paths cannot be NULL. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186018

core: don't watch for socket events when service is in SERVICE_STOP If a service has an ExecStop= program that uses the socket the service was activated by to tell it to terminate, then that should not be used as trigger to start the service again. http://lists.freedesktop.org/archives/systemd-devel/2015-February/028058.html

util: rework strappenda(), and rename it strjoina() After all it is now much more like strjoin() than strappend(). At the same time, add support for NULL sentinels, even if they are normally not necessary.

core: output unit status output strings to console, only if we actually are changing unit state Unit _start() and _stop() implementations can fail with -EAGAIN to delay execution temporarily. Thus, we should not output status messages before invoking these calls, but after, and only when we know that the invocation actually made a change.

tmpfiles: add new line type 'v' for creating btrfs subvolumes

treewide: introduce UID_INVALID (and friends) as macro for (uid_t) -1

core: convert log_unit_*() to log_unit_*_errno() Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_unit_(debug|info|notice|warning|error|emergency)\(([^"]+), "(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_unit_\1_errno(\2, \5, "\3%m"\4);/'

treewide: no need to negate errno for log_*_errno() It corrrectly handles both positive and negative errno values.

treewide: auto-convert the simple cases to log_*_errno() As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().

log: rearrange log function naming - Rename log_meta() → log_internal(), to follow naming scheme of most other log functions that are usually invoked through macros, but never directly. - Rename log_info_object() to log_object_info(), simply because the object should be before any other parameters, to follow OO-style programming style.

core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies For priviliged units this resource control property ensures that the processes have all controllers systemd manages enabled. For unpriviliged services (those with User= set) this ensures that access rights to the service cgroup is granted to the user in question, to create further subgroups. Note that this only applies to the name=systemd hierarchy though, as access to other controllers is not safe for unpriviliged processes. Delegate=yes should be set for container scopes where a systemd instance inside the container shall manage the hierarchies below its own cgroup and have access to all controllers. Delegate=yes should also be set for user@.service, so that systemd --user can run, controlling its own cgroup tree. This commit changes machined, systemd-nspawn@.service and user@.service to set this boolean, in order to ensure that container management will just work, and the user systemd instance can run fine.

core: send sigabrt on watchdog timeout to get the stacktrace if sigabrt doesn't do the job, follow regular shutdown routine, sigterm > sigkill.

socket: properly label socket symlinks

socket: fix error comparison

selinux: clean up selinux label function naming

selinux: rework label query APIs APIs that query and return something cannot silently fail, they must either return something useful, or an error. Fix that. Also, properly rollback socket unit fd creation when something goes wrong with the security framework.

smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it

mac: rename all calls that apply a label mac_{selinux|smack}_apply_xyz(), and all that reset it to defaults mac_{selinux|smack}_fix() Let's clean up the naming schemes a bit and use the same one for SMACK and for SELINUX.

mac: rename apis with mac_{selinux/smack}_ prefix

socket: introduce SELinuxContextFromNet option This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_mls_label derived from xinetd. Reviewed-by: Paul Moore <pmoore@redhat.com>

exec: factor out most function arguments of exec_spawn() to ExecParameters This way, the list of arguments to that function gets more comprehensive, and we can get around passing lots of NULL and 0 arguments from socket.c, swap.c and mount.c. It also allows for splitting up the code in exec_spawn(). While at it, make ExecContext const in execute.c.

core: unify how we generate the prefix string when dumping unit state

socket: suffix newly added TCP sockopt time properties with "Sec" This is what we have done so far for all other time values, and hence we should do this here. This indicates the default unit of time values specified here, if they don't contain a unit.

Revert "socket: introduce SELinuxLabelViaNet option" This reverts commit cf8bd44339b00330fdbc91041d6731ba8aba9fec. Needs more discussion on the mailing list.

socket: introduce SELinuxLabelViaNet option This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_label derived from xinetd. Reviewed-by: Paul Moore <pmoore@redhat.com>

socket: Add support for TCP defer accept TCP_DEFER_ACCEPT Allow a listener to be awakened only when data arrives on the socket. If TCP_DEFER_ACCEPT set on a server-side listening socket, the TCP/IP stack will not to wait for the final ACK packet and not to initiate the process until the first packet of real data has arrived. After sending the SYN/ACK, the server will then wait for a data packet from a client. Now, only three packets will be sent over the network, and the connection establishment delay will be significantly reduced.

socket: Add Support for TCP keep alive variables The tcp keep alive variables now can be configured via conf parameter. Follwing variables are now supported by this patch. tcp_keepalive_intvl: The number of seconds between TCP keep-alive probes tcp_keepalive_probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end. tcp_keepalive_time: The number of seconds a connection needs to be idle before TCP begins sending out keep-alive probes.

Revert "socket: add support for TCP fast Open" This reverts commit 9528592ff8d7ff361da430285deba8196e8984d5. Apparently TFO is actually the default at least for the server side now. Also the setsockopt doesn't actually take a bool, but a qlen integer.

socket: add support for TCP fast Open TCP Fast Open (TFO) speeds up the opening of successiveTCP) connections between two endpoints.It works by using a TFO cookie in the initial SYN packet to authenticate a previously connected client. It starts sending data to the client before the receipt of the final ACK packet of the three way handshake is received, skipping a round trip and lowering the latency in the start of transmission of data.

socket: add support for tcp nagle This patch adds support for TCP TCP_NODELAY socket option. This can be configured via NoDelay conf parameter. TCP Nagle's algorithm works by combining a number of small outgoing messages, and sending them all at once. This controls the TCP_NODELAY socket option.

systemd-verify: a simple tool for offline unit verification This tool will warn about misspelt directives, unknown sections, and non-executable commands. It will also catch the common mistake of using Accept=yes with a non-template unit and vice versa. https://bugs.freedesktop.org/show_bug.cgi?id=56607

socket: check return from exec_spawn

Remove sysv parser from service.c Parsing sysv files was moved to the sysv-generator in the previous commit. This patch removes the sysv parsing from serivce.c. Note that this patch drops the following now unused sysv-specific info from service dump: "SysV Init Script has LSB Header: (yes/no)" "SysVEnabled: (yes/no)" "SysVRunLevels: (levels)"

fix warnings Prevent use of uninitialized variable and removed a now unused cleanup function for freeaddrinfo

kdbus: when uploading bus name policy, resolve users/groups out-of-process It's not safe invoking NSS from PID 1, hence fork off worker processes that upload the policy into the kernel for busnames.

socket: add SocketUser= and SocketGroup= for chown()ing sockets in the file system This is relatively complex, as we cannot invoke NSS from PID 1, and thus need to fork a helper process temporarily.

socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.

socket: optionally remove sockets/FIFOs in the file system after use

build-sys: use glibc's xattr support instead of requiring libattr

socket: properly handle if our service vanished during runtime

Remove unnecessary casts in printfs No functional change expected :)

Handle Unix domain socket connections from outside our namespace v2 This is a second attempt at 9754d56, reverted in 2f20a8e, because I lost a 'break;' when moving chunks around.

Revert "Handle Unix domain socket connections from outside our namespace" This reverts commit 9754d56e9b21bfe89fc18f47987d6bef491b8521. It causes a crash in PID1: Apr 19 13:49:32 lon systemd[1]: Code should not be reached 'Unhandled socket type.' at src/core/socket.c:684, function instance_from_socket(). Aborting. Apr 19 13:49:32 lon systemd[1]: Caught <ABRT>, dumped core as pid 336. Apr 19 13:49:32 lon systemd[1]: Freezing execution.

Handle Unix domain socket connections from outside our namespace NixOS uses Unix domain sockets for certain host <-> container interaction; i.e. the host connects to a socket visible in the container's directory tree, where the container uses a .socket unit to spawn the handler program on demand. This worked in systemd 203, but in 212 fails with "foo.socket failed to queue service startup job (Maybe the service file is missing or not a template unit?): No data available". The reason is that getpeercred() now returns ENODATA if it can't get the PID of the client, which happens in this case because the client is not in the same PID namespace. Since getpeercred() is only used to generate the instance name, this patch simply handles ENODATA by creating an instance name "<nr>-unknown". [zj: reorder clauses and remove (unsigned long) casts.]

sd-event: rework API to support CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM, too

core: rework context initialization/destruction logic Let's automatically initialize the kill, exec and cgroup contexts of the various unit types when the object is constructed, instead of invididually in type-specific code. Also, when PrivateDevices= is set, set DevicePolicy= to closed.

util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.

Do not return -1 (EINVAL) on allocation error

socket.c: make use of union sockaddr_union

core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.

core: add global settings for enabling CPUAccounting=, MemoryAccounting=, BlockIOAccounting= for all units at once

api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.

core: make sure to always go through both SIGTERM and SIGKILL states of units Given that we now have KillMode=mixed where SIGTERM might kill a smaller set than SIGKILL we need to make sure to always go explicitly throught the SIGKILL state to get the right end result.

core: add function to tell when job will time out Things will continue when either the job timeout or the unit timeout is reached. Add functionality to access that info.

make socket_instantiate_service use cleanup gcc attribute

util: unify SO_PEERCRED/SO_PEERSEC invocations Introduce new call getpeercred() which internally just uses SO_PEERCRED but checks if the returned data is actually useful due to namespace quirks.

sd-daemon: introduce sd_watchdog_enabled() for parsing $WATCHDOG_USEC Also, introduce a new environment variable named $WATCHDOG_PID which cotnains the PID of the process that is supposed to send the keep-alive events. This is similar how $LISTEN_FDS and $LISTEN_PID work together, and protects against confusing processes further down the process tree due to inherited environment.

core: no need to list properties for PropertiesChanged messages anymore Since the vtable includes this information anyway, let's just use that

bus: when a busname unit refuses to activate a service it should flush the queue

bus: add .busname unit type to implement kdbus-style bus activation

service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces

core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.

core/socket: fix SO_REUSEPORT

core/socket: use _cleanup_free_

active: rework make_socket_fd() to be based on socket_address_listen() Among other things this makes sure we set SO_REUSEADDR which is immensely useful.

Configurable Timeouts/Restarts default values https://bugs.freedesktop.org/show_bug.cgi?id=71132 Patch adds DefaultTimeoutStartSec, DefaultTimeoutStopSec, DefaultRestartSec configuration options to manager configuration file.

list: make our list macros a bit easier to use by not requring type spec on each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.

smack: minimize ifdef use, and move all labeling to smack-util.c

security: missing header inclusions

security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.

core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740

cgroup: if we do a cgroup operation then do something on all supported controllers Previously we did operations like attach, trim or migrate only on the controllers that were enabled for a specific unit. With this changes we will now do them for all supproted controllers, and fall back to all possible prefix paths if the specified paths do not exist. This fixes issues if a controller is being disabled for a unit where it was previously enabled, and makes sure that all processes stay as "far down" the tree as groups exist.

specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.

core: notify triggered by socket of a service

basic SO_REUSEPORT support

dbus: hookup runtime property changes for mouns, services, sockets, swaps too

core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).

logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.

core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.

Make it possible to disable smack separately from xattr support Additionally, compile out rule loading if feature is disabled.

build-sys: support builds without EAs again

Add __attribute__((const, pure, format)) in various places I'm assuming that it's fine if a _const_ or _pure_ function calls assert. It is assumed that the assert won't trigger, and even if it does, it can only trigger on the first call with a given set of parameters, and we don't care if the compiler moves the order of calls.

unit: rework stop pending logic When a trigger unit wants to know if a stop is queued for it, we should just check precisely that and do not check whether it is actually stopped already. This is because we use these checks usually from state change calls where the state variables are not updated yet. This change splits unit_pending_inactive() into two calls unit_inactive_or_pending() and unit_stop_pending(). The former checks state and pending jobs, the latter only pending jobs.

Move bus_error to dbus-common and remove bus_error_message_or_strerror bus_error and bus_error_message_or_strerror dit almost exactly the same, so use only one of them and place it in dbus-common.

Add Listen* to dbus properties sockets.socket - Test Loaded: loaded (/home/alxchk/.config/systemd/user/sockets.socket; static) Active: inactive (dead) Listen: Stream: /tmp/stream1 Stream: @stream4 Stream: [::]:9999 Stream: 127.0.0.2:9996 Stream: [::1]:9996 Datagram: /tmp/stream2 Datagram: @stream5 Datagram: [::]:9998 Datagram: 127.0.0.2:9995 Datagram: [::1]:9995 SequentialPacket: @stream6 SequentialPacket: /tmp/stream3 FIFO: /tmp/fifo1 Special: /dev/input/event9 Netlink: kobject-uevent 0 MessageQueue: /msgqueue1 [zj: - minor cleanups, - free i.listen, - remove sorting, because the order or sockets matters.]

core/socket: log errors when starting socket for this socket When showing an error like 'Socket service not loaded', the error won't show up in the status for the socket, unless it is marked as SYSTEMD_UNIT=*.socket. Marking it as SYSTEMD_UNIT=*.service, when the service is non-existent, is not useful.

units: introduce new timers.target and paths.target to hook timer/path units into for boot

core: reuse the same /tmp, /var/tmp and inaccessible dir All Execs within the service, will get mounted the same /tmp and /var/tmp directories, if service is configured with PrivateTmp=yes. Temporary directories are cleaned up by service itself in addition to systemd-tmpfiles. Directory which is mounted as inaccessible is created at runtime in /run/systemd.

core: single unit_kill implementation for all unit types There are very few differences in the implementations of the kill method in the unit types that have one. Let's unify them. This does not yet unify unit_kill() with unit_kill_context().

core: unify kill code of mount, service, socket, swap units

unit: optionally allow making cgroup attribute changes persistent

units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787

core: do not make sockets dependent on lo /sys/subsystem/net/devices/lo is never considered active, so sockets with BindToDevice=lo would never be activated.

systemd: use unit logging macros

socket: support socket activation of containers

socket: properly serialize/desrialize mqueue fds

socket: Too many incoming connections Hello list, some socket activated service gave me the error message you can see on the subject, maybe systemd should be more verbose in that case. Thanks, Dimitris

timer: implement calendar time events

Add #ifdef guards around xattr usage This adds #ifdef HAVE_ATTR_XATTR_H guards around all usage of xattr. This unbreaks building with --disable-xattr when <attr/xattr.h> doesn't exist. <attr/xattr.h> and usage of fsetxattr() without

socket: improve error message when we cannot spawn the socket's service unit

Revert "Implement SocketUser= and SocketGroup= for [Socket]" This was never intended to be pushed. This reverts commit aea54018a5e66a41318afb6c6be745b6aef48d9e.

Implement SocketUser= and SocketGroup= for [Socket] Since we already allow defining the mode of AF_UNIX sockets and FIFO, it makes sense to also allow specific user/group ownership of the socket file for restricting access.

SMACK: Add configuration options. (v3) This adds SMACK label configuration options to socket units. SMACK labels should be applied to most objects on disk well before execution time, but two items remain that are generated dynamically at run time that require SMACK labels to be set in order to enforce MAC on all objects. Files on disk can be labelled using package management. For device nodes, simple udev rules are sufficient to add SMACK labels at boot/insertion time. Sockets can be created at run time and systemd does just that for several services. In order to protect FIFO's and UNIX domain sockets, we must instruct systemd to apply SMACK labels at runtime. This patch adds the following options: Smack - applicable to FIFO's. SmackIpIn/SmackIpOut - applicable to sockets. No external dependencies are required to support SMACK, as setting the labels is done using fsetxattr(). The labels can be set on a kernel that does not have SMACK enabled either, so there is no need to #ifdef any of this code out. For more information about SMACK, please see Documentation/Smack.txt in the kernel source code. v3 of this patch changes the config options to be CamelCased.

mount: don't try to initialize extra deps for mount units before initializing their basic fields Under some circumstances this could lead to a segfault since we we half-initialized a mount unit, then tried to hook it into the network of things and while doing that recursively ended up looking at our half-initialized mount unit again assuming it was fully initialized.

core: move ManagerRunningAs to shared Note: I did s/MANAGER/SYSTEMD/ everywhere, even though it makes the patch quite verbose. Nevertheless, keeping MANAGER prefix in some places, and SYSTEMD prefix in others would just lead to confusion down the road. Better to rip off the band-aid now.

unit-printf: before resolving exec context specifiers check whether the object actually has an exec context

unit: split unit_printf() and friends into its own .c file

logind: split up inhibit acquire policy

socket: prevent signed integer overflow src/core/socket.c:588:25: error: overflow in implicit constant conversion src/core/socket.c:589:17: error: overflow in implicit constant conversion

service: add options RestartPreventExitStatus and SuccessExitStatus In some cases, like wrong configuration, restarting after error does not help, so administrator can specify statuses by RestartPreventExitStatus which will not cause restart of a service. Sometimes you have non-standart exit status, so this can be specified by SuccessfulExitStatus.

units: apply default resource limits to socket/mount/swap processes too

core: drop KillMode parameter from KillUnit() bus call It made no sense, and since we are documenting the bus calls now and want to include them in our stability promise we really should get it cleaned up sooner, not later.

unit: split off KillContext from ExecContext containing only kill definitions

unit: set default working directory to the user's home directory when running in user mode

unit: get rid of UnitVTable.suffix, which is now unused

journal: set the _SYSTEMD_UNIT field for messages from terminated processes As described in https://bugs.freedesktop.org/show_bug.cgi?id=50184 the journal currently doesn't set fields such as _SYSTEMD_UNIT properly for messages coming from processes that have already terminated. This means among other things that "systemctl status" may not show some of the output of services that wrote messages just before they exited. This patch fixes this by having processes that log to the journal write their unit identifier to journald when the connection to /run/systemd/journal/stdout is opened. Journald stores the unit ID and uses it to fill in _SYSTEMD_UNIT when it cannot be obtained normally (i.e. from the cgroup). To prevent impersonating another unit, this information is only used when the caller is root. This doesn't fix the general problem of getting metadata about messages from terminated processes (which requires some kernel support), but it allows "systemctl status" and similar queries to do the Right Thing for units that log via stdout/stderr.

mkdir: append _label to all mkdir() calls that explicitly set the selinux context

units: remove service sysv_path variable and replace it by generic unit_path UnitPath= is also writable via native units and may be used by generators to clarify from which file a unit is generated. This patch also hooks up the cryptsetup and fstab generators to set UnitPath= accordingly.

unit: unit type dependent status messages Instead of generic "Starting..." and "Started" messages for all unit use type-dependent messages. For example, mounts will announce "Mounting..." and "Mounted". Add status messages to units of types that used to be entirely silent (automounts, sockets, targets, devices). For unit types whose jobs are instantaneous, report only the job completion, not the starting event. Socket units with non-instantaneous jobs are rare (Exec*= is not used often in socket units), so I chose not to print the starting messages for them either. This will hopefully give people better understanding of the boot.

util: split-out path-util.[ch]

service: explicitly remove control/ subcgroup after each control command The kernel will only notify us of cgroups running empty if no subcgroups exist anymore. Hence make sure we don't leave our own control/ subcgroup around longer than necessary. https://bugzilla.redhat.com/show_bug.cgi?id=818381

service: introduce Type=idle and use it for gettys Type=idle is much like Type=simple, however between the fork() and the exec() in the child we wait until PID 1 informs us that no jobs are left. This is mostly a cosmetic fix to make gettys appear only after all boot output is finished and complete. Note that this does not impact the normal job logic as we do not delay the completion of any jobs. We just delay the invocation of the actual binary, and only for services that otherwise would be of Type=simple.