b26fa1a2fbcfee7d03b0c8fd15ec3aa64ae70b9f |
|
10-Feb-2016 |
Daniel Mack <daniel@zonque.org> |
tree-wide: remove Emacs lines from all files
This should be handled fine now by .dir-locals.el, so need to carry that
stuff in every file. |
a90fb858ac91de4c14c9b68da6060731954515b7 |
|
27-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
machined: add early checks for unrealistically large image/pool sizes |
05e8f270a9ca97e1014184df113494b143639fb8 |
|
27-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
machined: when the pool limit is set to infinity don't resize backing loopback file
An unlimited quota makes a lot of sense, but we really should try to propagate this onto the loopback file size, since
an infinitely sized file makes no sense.
Fixes: #2314 #2253 |
cf7d1a30e44bf380027a2e73f9bf13f423a33cc1 |
|
25-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
logind,machined: bump TasksMax=
Issue #2388 suggests the current TasksMax= setting for user processes is too low. Bump it to 12K. Also, bump the
container TasksMax= from 8K to 16K, so that it remains higher than the one for user processes.
(Compare: the kernel default limit for processes system-wide is 32K).
Fixes #2388 |
b3267152783d5784c45010615045d4e8ee459da2 |
|
13-Jan-2016 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
tree-wide: check if errno is greater than zero (2)
Compare errno with zero in a way that tells gcc that
(if the condition is true) errno is positive. |
b370fec2b964c9ced48379824e896f44ad02a59a |
|
04-Dec-2015 |
Alban Crequy <alban@kinvolk.io> |
nspawn: set TasksMax in machined instead of nspawn
https://github.com/systemd/systemd/issues/2016 |
4afd3348c7506dd1d36305b7bcb9feb8952b9d6b |
|
27-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008. |
4a0b58c4a30ecaa61202f845ed86f75b36370cd0 |
|
17-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: use right cast macros for UIDs, GIDs and PIDs |
06820eafdbc3dd89cb1f7563564c7d91426709ca |
|
15-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
machined,logind: be more careful when accepting PIDs and UIDs from clients
Always validate first before we start processing the data. |
b5efdb8af40ea759a1ea584c1bc44ecc81dd00ce |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out allocation calls into alloc-util.[ch] |
15a5e95075a7f6007dd97b2a165c8ed16fe683df |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out printf() helpers to stdio-util.h |
b1d4f8e154bf61b5de1b27461ef8e9c8c5e838a1 |
|
26-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out user/group/uid/gid calls into user-util.[ch] |
3ffd4af22052963e7a29431721ee204e634bea75 |
|
25-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out fd-related operations into fd-util.[ch]
There are more than enough to deserve their own .c file, hence move them
over. |
5bcd08db289cd02aad8a89b37b2a46244a7bd473 |
|
22-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
btrfs: beef-up btrfs support with a limited understanding of quota
With this change we understand more than just leaf quota groups for
btrfs file systems. Specifically:
- When we create a subvolume we can now optionally add the new subvolume
to all qgroups its parent subvolume was member of too. Alternatively
it is also possible to insert an intermediary quota group between the
parent's qgroups and the subvolume's leaf qgroup, which is useful for
a concept of "subtree" qgroups, that contain a subvolume and all its
children.
- The remove logic for subvolumes has been updated to optionally remove
any leaf qgroups or "subtree" qgroups, following the logic above.
- The snapshot logic for subvolumes has been updated to replicate the
original qgroup setup of the source, if it follows the "subtree"
design described above. It will not cover qgroup setups that introduce
arbitrary qgroups, especially those orthogonal to the subvolume
hierarchy.
This also tries to be more graceful when setting up /var/lib/machines as
btrfs. For example, if mkfs.btrfs is missing we don't even try to set it
up as loopback device.
Fixes #1559
Fixes #1129 |
c077529ba6852192c464772ce907670850210dfe |
|
22-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
util: drop UID_IS_INVALID() in favour of uid_is_valid()
No need to keep both functions, settle on uid_is_valid() for everything. |
403ed0e5c914f2a0a683403d8ba7eaf96e3ffcdf |
|
05-Sep-2015 |
Michael Chapman <mike@very.puzzling.org> |
bus-util: support details in CheckAuthorization calls
Extra details for an action can be supplied when calling polkit's
CheckAuthorization method. Details are a list of key/value string pairs.
Custom policy can use these details when making authorization decisions. |
a79366e22a43ed81017e2d8c2426431d369f3cfa |
|
24-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: userns is only supported for container-class machines
We do not support userns for VM machines or for the host itself. |
fbe550738d03b178bb004a1390e74115e904118a |
|
24-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: introduce pseudo-machine ".host" referring to the host system
Some of the operations machined/machinectl implement are also very
useful when applied to the host system (such as machinectl login,
machinectl shell or machinectl status), hence introduce a pseudo-machine
by the name of ".host" in machined that refers to the host system, and
may be used to execute operations on the host system with.
This copies the pseudo-image ".host" machined already implements for
image related commands.
(This commit also adds a PK privilege for opening a PTY in a container,
which was previously not accessible for non-root.) |
25300b5a1fcf54674a69d0f4ab08925be00b0227 |
|
24-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
util: make machine_name_is_valid() a macro and move it to hostname-util.h
As it turns out machine_name_is_valid() does the exact same thing as
hostname_is_valid() these days, as it just invoked that and checked the
name length was < 64. However, hostname_is_valid() checks the length
against HOST_NAME_MAX anyway (which is 64 on Linux), hence any
additional check is redundant.
We hence replace machine_name_is_valid() by a macro that simply maps it
to hostname_is_valid() but sets the allow_trailing_dot parameter to
false. We also move this call to hostname-util.h, to the same place
as the hostname_is_valid() declaration. |
077c8c366b58222629ed953abf2faa74ebadb769 |
|
24-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: always look for leader PID first
When looking for the machine belonging to a PID, always look for the
leader first, only then fall back to a cgroup check. We keep direct
track of the leader PID, but only indirectly of the cgroup, hence prefer
the PID. |
49af9e1368571f4e423cde0fd45ee284451434d1 |
|
24-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: add new OpenShell() bus call
This new bus call opens an interactive shell in a container. It works
like the existing OpenLogin() call, but does not involve getty, and
instead opens an arbitrary command line.
This is similar to "systemd-run -t -M" but is controlled by a specific
PolicyKit privilege. |
49f3fffd94591bdf2bd6c2233a9300daeab79566 |
|
06-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: rework state tracking logic for machines
This splits up the stopping logic for machines into two steps: first on
machine_stop() we begin with the shutdown of a machine by queuing the
stop method call for it. Then, in machine_finalize() we actually remove
the rest of its runtime context. This mimics closely how sessions are
handled in logind.
This also reworks the GC logic to strictly check the current state of
the machine unit, rather than shortcutting a few cases, like for example
assuming that UnitRemoved really means a machine is gone (which it isn't
since Reloading might trigger it, see #376).
Fixes #376. |
491ac9f2c4aeda8c40edde35112404b737e38b60 |
|
06-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
logind,machined: various smaller cleanups
Use mfree() where we can.
Drop unnecessary {}.
Drop unnecessary variable declarations.
Cast syscall invocations where we explicitly don't care for the return
value to (void).
Reword a comment. |
65d73cf042ba7de11d254f5c4714f467db64b7c3 |
|
06-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
machined,logind: don't generate errors on signal match functions
If we get a weird signal, then we should log about it, but not return an
error, since sd-bus will not call us again then anymore, but for these
signals we match here we actually do want to be called on the next
invocation. |
c01ff965b48bb9693dcd77cbc748b5d8676766b0 |
|
09-Jul-2015 |
Lennart Poettering <lennart@poettering.net> |
nss-mymachines: map userns users of containers to real user names
Given a container "foo", that maps user id $UID to container user, using
user namespaces, this NSS module extension will now map the $UID to a
name "vu-foo-$TUID" for the translated UID $UID.
Similar, userns groups are mapped to "vg-foo-$TGID" for translated GIDs
of $GID.
This simple change should make userns users more discoverable. Also,
given that many tools like "adduser" check NSS before allocating a UID,
should lower the chance of UID range conflicts between tools. |
9030ca462bd13cd6536299814e4a71d5c5e85be9 |
|
29-Apr-2015 |
Lennart Poettering <lennart@poettering.net> |
sd-bus: allow passing NULL as bus parameter to sd_bus_send()
If NULL is specified for the bus it is now automatically derived from
the passed in message.
This commit also changes a number of invocations of sd_bus_send() to
make use of this. |
190700621f95160d364f8ec1d3e360246c41ce75 |
|
29-Apr-2015 |
Lennart Poettering <lennart@poettering.net> |
sd-bus: drop bus parameter from message callback prototype
This should simplify the prototype a bit. The bus parameter is redundant
in most cases, and in the few where it matters it can be derived from
the message via sd_bus_message_get_bus(). |
9b420b3cfb8b93daf50e4cdbc92b05f2209ef893 |
|
28-Apr-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: make sure to track machine unit states properly
If a unit is stopped for a moment, we need to invalidate our knowledge
of it, otherwise we might be confused by automatic restarts.
This makes reboots for nspawn containers run as service work correctly.
https://bugs.freedesktop.org/show_bug.cgi?id=87428 |
6482f6269c87d2249e52e889a63adbdd50f2d691 |
|
10-Apr-2015 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
shared: add formats-util.h |
cb81cd8073392936882643af0129934bf67e96c4 |
|
10-Mar-2015 |
Lennart Poettering <lennart@poettering.net> |
shared: the btrfs quota field is called "referenced" not "referred" |
26166c88e0b47b83972f32b5057ecbffe06bf904 |
|
03-Mar-2015 |
Lennart Poettering <lennart@poettering.net> |
importd: automatically grow /var/lib/machines/ loopback filesystem during downloads
If /var/lib/machines is mounted as btrfs loopback file system in
/var/lib/machines.raw with this change we automatically grow the file
system as it fills up. After each 10M we write to it during imports, we
check the free disk space, and if the fill level grows beyond 66% we
increase the size of the file system to 3x the fill level (thus lowering
it to 33%). |
4cee5eede280b7fd48c18a1942616c4ac896a554 |
|
02-Mar-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: also set up /var/lib/machines as btrfs, if "machinectl set-limit" is called |
efe0286285a7432f738fafae840fa4eda51c2986 |
|
26-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: if /var/lib/machines is backed by a loop file, resize it on "machinectl set-limit"
When the pool size limit is altered with "machinectl set-limit", then
not only set the subvolume quota of the /var/lib/machine subvolume, but
also resize the backing loop file and the btrfs file system on it
dynamically. |
d6ce17c7f02ed3facdb45f65f546e587c2f00950 |
|
25-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
machined,machinectl: add calls for changing container/VM quotas |
160e3793adf2da2bd9ae3fe6b8881bb937e6e71b |
|
24-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
machined/machinectl: when "machinectl image-status" is used without arguments show statistics about pool |
2eec67acbb00593e414549a7e5b35eb7dd776b1b |
|
23-Feb-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
remove unused includes
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use. |
70244d1d25eb80b57e160ea004d0e6bf793d4caf |
|
18-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: open up most of machined's commands to unprivileged clients via PolicyKit |
0370612e0522191f929e3feb7d4937fff3d421e2 |
|
17-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: make "machinectl copy-to" and "machinectl copy-from" server side operations
This way, any bus client can make use of these calls. |
90adaa25e894a580930ef2c3e65ab8db8295515a |
|
17-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: move logic for bind mounting into containers from machinectl to machined
This extends the bus interface, adding BindMountMachine() for bind
mounting directories from the host into the container. |
c19de71113f956809995fc68817e055e9f61f607 |
|
19-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: refer to the disk space allocated for an image to "usage" rather than "size"
After all, it's closer to the "du"-reported value than to the file
sizes... |
c00a4c8f55e51be98274e86beba14117e25dab9c |
|
29-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
Revert "machined: don't force terminate registered machines"
This reverts commit 206e7a5f7b55ac61188efd895e65ab26e478cbb2.
We actually want to allow shutting down containers that use
RegisterMachine() rather than CreateMachine() to register their own
unit. It should be safe to do so, since the primary usecase for
RegisterMachine() are container managers that run only a single
container within their own unit, such as systemd-nspawn. |
e5f5b5b9c92d59ef3cb5169982cb6f436c9206fa |
|
29-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: ignore spurious error |
1ddb263d21099ae42195c2bc382bdf72a7f24f82 |
|
28-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: don't look for images on each property get, but cache the image object in between |
b6b1849830f5e4a6065c3b0c993668e500c954d3 |
|
28-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: add support for reporting image size via btrfs quota |
ebd93cb684806ac0f352139e69ac8f53eb49f5e4 |
|
28-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machinectl/machined: implement "rename", "clone", "read-only" verbs for machine images |
086821244b5113f00a0ef993b78dc56aae2a8f6c |
|
28-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: add "machinectl remove" for removing images |
003dffde2c1b93afbc9aff24b277276f65424406 |
|
28-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: Move image discovery logic into src/shared, so that we can make use of it from nspawn |
9bb0c7cfbb253c5b983efaed51a65bcbf422d8d7 |
|
25-Dec-2014 |
Filipe Brandenburger <filbranden@google.com> |
machined: remove spurious include of <sys/capability.h>
They do not use any functions from libcap directly. The CAP_KILL constant in
use by these files comes from <linux/capability.h> imported through
"missing.h".
Tested that "systemd-machined" builds cleanly and works after this change. |
10f9c75519671e7c7ab8993b54fe22da7c2d0c38 |
|
25-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: beef up machined image listing with creation/modification times of subvolumes
We make use of the btrfs subvol crtime for this, and for gpt images of a
manually managed xattr, if we can. |
d04c1fb8e215600b4950c6778c6c16ddafc14024 |
|
23-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: introduce polkit for OpenLogin() call
This way "machinectl login" can be opened up to run without privileges. |
5f8cc96a0301c1177b11dd2e89370ef0b2ef577b |
|
23-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: add new call OpenMachineLogin() that starts a getty in a container on a pty and returns the pty master fd to the client
This is a one-stop solution for "machinectl login", and should simplify
getting logins in containers. |
40205d706e1210763ff4c98a317556375bd04bcd |
|
23-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: add OpenMachinePTY() bus call for allocating a PTY device within a container
Then, port "machinectl" over to make use of it. |
c2ce6a3d82b717c4c1e6245ad8c6ce1173f502d0 |
|
19-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: add new GetImage() bus call for retrieving the bus path for an image |
cd61c3bfd718fb398cc53ced906266a9297782c9 |
|
19-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined/machinectl: add logic to show list of available images
This adds a new bus call to machined that enumerates /var/lib/container
and returns all trees stored in it, distinguishing three types:
- GPT disk images, which are files suffixed with ".gpt"
- directory trees
- btrfs subvolumes |
96aad8d15a324d0e956a4e5653a11a67b209b41a |
|
10-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
sd-bus: move common errors src/shared/bus-errors.h → src/libsystemd/sd-bus/bus-common-errors.h
Stuff in src/shared/ should not use stuff from src/libsystemd/ really. |
8d07a7c47159ebc2bcc775e2c1997cb44bd1ac95 |
|
06-Nov-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: reorder method calls in vtable |
a931ad47a8623163a29d898224d8a8c1177ffdaf |
|
05-Nov-2014 |
Lennart Poettering <lennart@poettering.net> |
core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies
For privileged units this resource control property ensures that the
processes have all controllers systemd manages enabled.
For unprivileged services (those with User= set) this ensures that
access rights to the service cgroup is granted to the user in question,
to create further subgroups. Note that this only applies to the
name=systemd hierarchy though, as access to other controllers is not
safe for unprivileged processes.
Delegate=yes should be set for container scopes where a systemd instance
inside the container shall manage the hierarchies below its own cgroup
and have access to all controllers.
Delegate=yes should also be set for user@.service, so that systemd
--user can run, controlling its own cgroup tree.
This commit changes machined, systemd-nspawn@.service and user@.service
to set this boolean, in order to ensure that container management will
just work, and the user systemd instance can run fine. |
3a6fb33c54bc64398e0af1c9d7c74a6b614a849d |
|
04-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: fix address API signatures |
9b5ed6feda08290edce3bf916fa7362733dd30ea |
|
10-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: allow registering host-side network interfaces for communication with containers |
8d90c8a8d6867ffcfb61a11b73205cd7b1a72f3a |
|
03-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
machine: properly distinguish created and registered machines |
717603e391b52983ca1fd218e7333a1b9dfc5c05 |
|
03-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
machinectl: show /etc/os-release information of container in status output |
206e7a5f7b55ac61188efd895e65ab26e478cbb2 |
|
03-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: don't force terminate registered machines
When a machine is registered in machined with CreateMachine it is OK to
kill the machine when it is terminated, but when an existing unit is
simply registered via RegisterMachine we shouldn't do that, as the unit
is controlled by somebody else. |
7f0d207d2c816e0a8cb2742b0a789911f7c99356 |
|
03-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
sd-bus: support connecting to remote hosts, directly into containers
systemctl -H root@foobar:waldi
will now show a list of services running on container "waldi" on host
"foobar", using "root" for authenticating at "foobar".
Since entering a container requires privileges, this will only work
correctly for root logins. |
878cd7e95ca303f9851d227a22d2022bd49944b0 |
|
18-May-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: add logic to query IP addresses of containers |
de0671ee7fe465e108f62dcbbbe9366f81dd9e9a |
|
15-May-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Remove unnecessary casts in printfs
No functional change expected :) |
de58a50e24a0d55e3bbcc77f8f6170a7322acf52 |
|
18-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: fix Kill() bus call on machine objects when "what" is specified as "leader" |
151b9b9662a90455262ce575a8a8ae74bf4ff336 |
|
20-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
api: in constructor function calls, always put the returned object pointer first (or second)
Previously the returned object of constructor functions were sometimes
returned as last, sometimes as first and sometimes as second parameter.
Let's clean this up a bit. Here are the new rules:
1. The object the new object is derived from is put first, if there is any
2. The object we are creating will be returned in the next arguments
3. This is followed by any additional arguments
Rationale:
For functions that operate on an object we always put that object first.
Constructors should probably not be too different in this regard. Also,
if the additional parameters might want to use varargs which suggests to
put them last.
Note that this new scheme only applies to constructor functions, not to
all other functions. We do give a lot of freedom for those.
Note that this commit only changes the order of the new functions we
added, for old ones we accept the wrong order and leave it like that. |
89f7c8465cd1ab37347dd0c15920bce31e8225df |
|
11-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: optionally, allow registration of pre-existing units (scopes
or services) as machine with machined |
4e05c4951aaaa57c9c6f3fb91723e7b93b1bbbda |
|
07-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: since we can now somewhat reliably get notifications for dying
scopes we don't need to lower the stop timeout anymore |
adacb9575a09981fcf11279f2f661e3fc21e58ff |
|
10-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
bus: introduce "trusted" bus concept and encode access control in object vtables
Introduces a new concept of "trusted" vs. "untrusted" busses. For the
latter libsystemd-bus will automatically do per-method access control,
for the former all access is automatically granted. Per-method access
control is encoded in the vtables: by default all methods are only
accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag
is set for a method it is accessible to unprivileged clients too. By
default whether a client is privileged is determined via checking for
its CAP_SYS_ADMIN capability, but this can be altered via the
SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field
of the method.
Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and
SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note
however that read access is unrestricted, as PropertiesChanged messages
might send out the values anyway as an unrestricted broadcast.
By default the system bus is set to "untrusted" and the user bus is
"trusted" since per-method access control on the latter is unnecessary.
On dbus1 busses we check the UID of the caller rather than the
configured capability since the capability cannot be determined without
race. On kdbus the capability is checked if possible from the attached
meta-data of a message and otherwise queried from the sending peer.
This also decorates the vtables of the various daemons we ship with
these flags. |
5b12334d35eadf1f45cc3d631fd1a2e72ffaea0a |
|
28-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
bus: add new sd_bus_creds object to encapsulate process credentials
This way we can unify handling of credentials that are attached to
messages, or can be queried for bus name owners or connection peers.
This also adds the ability to extend incomplete credential information
with data from /proc.
Also, provide a convenience call that will automatically determine the
most appropriate credential object for an incoming message, by using
the attached information if possible, the sending name information if
available and otherwise the peer's credentials. |
86b8d289717bad2800342efca0a5023aa8374e9c |
|
21-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
logind,machined,run: properly invoke StartTransientUnit() bus call |
ebcf1f97de4f6b1580ae55eb56b1a3939fe6b602 |
|
21-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
bus: rework message handlers to always take an error argument
Message handler callbacks can be simplified drastically if the
dispatcher automatically replies to method calls if errors are returned.
Thus: add an sd_bus_error argument to all message handlers. When we
dispatch a message handler and it returns negative or a set sd_bus_error
we send this as message error back to the client. This means errors
returned by handlers by default are given back to clients instead of
rippling all the way up to the event loop, which is desirable to make
things robust.
As a side-effect we can now easily turn the SELinux checks into normal
function calls, since the method call dispatcher will generate the right
error replies automatically now.
Also, make sure we always pass the error structure to all property and
method handlers as last argument to follow the usual style of passing
variables for return values as last argument. |
df2d202e6ed4001a21c6512c244acad5d4706c87 |
|
21-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
bus: let's simplify things by getting rid of unnecessary bus parameters |
718db96199eb307751264e4163555662c9a389fa |
|
20-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
core: convert PID 1 to libsystemd-bus
This patch converts PID 1 to libsystemd-bus and thus drops the
dependency on libdbus. The only remaining code using libdbus is a test
case that validates our bus marshalling against libdbus' marshalling,
and this dependency can be turned off.
This patch also adds a couple of things to libsystemd-bus, that are
necessary to make the port work:
- Synthesizing of "Disconnected" messages when bus connections are
severed.
- Support for attaching multiple vtables for the same interface on the
same path.
This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus
calls which used an inappropriate signature.
As a side effect we will now generate PropertiesChanged messages which
carry property contents, rather than just invalidation information. |
c49b30a23583ff39daaa26696bcab478d2fee0bb |
|
12-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
bus: rename sd_bus_send_with_reply_and_block() to sd_bus_call()
The call is one of the most important ones we expose, where we place
major emphasis on. We should make sure to give it a short, memorable
name. |
23c80348e656a4e6fd9ba8f17523a65b6fa349a0 |
|
07-Nov-2013 |
Kay Sievers <kay@vrfy.org> |
machine: add missing header include |
ab49725fd8587ef2b90dd0a67b2c915bc772d089 |
|
07-Nov-2013 |
Kay Sievers <kay@vrfy.org> |
machine: move symbols referenced by shared code from main to shared file
With --enable-address-sanitizer we get:
machined-dbus.c:228: undefined reference to 'manager_add_machine' |
927b1649448b812a7620ad013f4752d597b12407 |
|
05-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
logind: add virtual object paths that always can be used to refer to the callers session, user, seat or machine object
This way clients can skip invoking GetSessionByPID() for their own PID
or a similar call to access these objects. |
4e724d9c5ab76c3f8327945317463ef706011082 |
|
05-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
logind: automatically determine client side PID if GetSessionByPID() is called with a PID == 0 |
a658cafa98ab55ea948c29bc87eb3945d515fb41 |
|
05-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
machined: simplifications |
c335068380fe8c9d843cdb2cf8a00f822cfabed3 |
|
30-Oct-2013 |
Lennart Poettering <lennart@poettering.net> |
machined: port over to libsystemd-bus |
a3e7f417d72ba3251fd6b3a228a2721a4b725a03 |
|
13-Oct-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
bus: fix access to uninitialized variable in error path
src/machine/machined-dbus.c:237:13: warning: Branch condition evaluates to a garbage value
if (m)
^ |
bd16acf35e13a19cd2ded0a0c2ef774a98f73808 |
|
26-Sep-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Move functions around to fix underlinking in test-machine-tables |
1dc2ced4646a78b3dee9e3ea44130f938d6425bc |
|
18-Sep-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Remove six unused variables and add annotation
clang FTW! |
76e665855edef5b7103cb09d114377d477bfae02 |
|
26-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
logind: update the session state file before we send out the CreateSession() reply
https://bugs.freedesktop.org/show_bug.cgi?id=67273 |
cba38758b4d49c6fe7c2f0eea255e11ee9df23eb |
|
26-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
logind: update state file after generating the session fifo, not before
https://bugs.freedesktop.org/show_bug.cgi?id=67273 |
554604b3073467af75dc94fac9e2343148603289 |
|
11-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
machined: forward scope properties array from client to systemd
This makes nspawn's --scope= switch work again. |
6797c324a653f119a3d7133122648aaa4878ddd6 |
|
10-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
logind: don't misunderstand UnitRemoved signals during reloading
When PID 1 reloads the units logind/machined will see UnitRemoved
signals for all units. Instead of trusting these immediately, let's
check the actual unit state before considering a unit gone, so that
reloading PID 1 is not mistaken as the end of all sessions. |
943aca8efb39453e3994ccdd1e08534b788c5aee |
|
03-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
logind/machined: properly notice when units are gc'ed |
8aec412ff697bc14995746953912ca6fdf2c9ba8 |
|
02-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
machined: sync to /run after job completed |
6a4e0b13473baed129522310c39f3bb70f46ed42 |
|
02-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
nspawn: use the correct method signature for CreateMachine() |
1ee306e1248866617c96ed9f4263f375588ad838 |
|
02-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
machined: split out machine registration stuff from logind
Embedded folks don't need the machine registration stuff, hence it's
nice to make this optional. Also, I'd expect that machinectl will grow
additional commands quickly, for example to join existing containers and
suchlike, hence it's better keeping that separate from loginctl. |