c2fc2c2560f0ca0fab383753c065e45d76f465e5 |
|
29-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
units: increase watchdog timeout to 3min for all our services
Apparently, disk IO issues are more frequent than we hope, and 1min
waiting for disk IO happens, so let's increase the watchdog timeout a
bit, for all our services.
See #1353 for an example where this triggers. |
b242faae06034c981927f48a80817aae04e5e7ff |
|
27-Jul-2015 |
Lennart Poettering <lennart@poettering.net> |
units: add more caps to machined
Otherwise copying full directory trees between container and host won't
work, as we cannot access some files and cannot adjust the ownership
properly on the destination.
Of course, adding these many caps to the daemon kinda defeats the
purpose of the caps lock-down... but well...
Fixes #433 |
90adaa25e894a580930ef2c3e65ab8db8295515a |
|
17-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
machined: move logic for bind mounting into containers from machinectl to machined
This extends the bus interface, adding BindMountMachine() for bind
mounting directories from the host into the container. |
a24111cea64e042b49d8b4bca85ce6092845bbec |
|
11-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
Revert "units: add SecureBits"
This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47.
Apparently this doesn't work.
http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html |
6a716208b346b742053cfd01e76f76fb27c4ea47 |
|
11-Feb-2015 |
Topi Miettinen <toiwoton@gmail.com> |
units: add SecureBits
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files. |
cd61c3bfd718fb398cc53ced906266a9297782c9 |
|
19-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
machined/machinectl: add logic to show list of available images
This adds a new bus call to machined that enumerates /var/lib/container
and returns all trees stored in it, distinguishing three types:
- GPT disk images, which are files suffixed with ".gpt"
- directory trees
- btrfs subvolumes |
717603e391b52983ca1fd218e7333a1b9dfc5c05 |
|
03-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
machinectl: show /etc/os-release information of container in status output |
a55954297dade7b432fd3a4f328f23261621ff79 |
|
19-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
units: add missing caps so that GetAddresses() can work |
3c52ad9237ead4fc26888348f3da74d896fb06ab |
|
06-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
units: fix minor typo |
1b8689f94983b47bf190e77ddb03a8fc6af15fb3 |
|
04-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.
With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data. |
417116f23432073162ebfcb286a7800846482eed |
|
03-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be a good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data. |
f21a71a907a1b1289faec94559f4a1c111ea1d13 |
|
19-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
core: enable PrivateNetwork= for a number of our long running services where this is useful |
d99a70529637d44cdd8f6ade3b981ea33f09d90d |
|
19-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
units: make use of PrivateTmp=yes and PrivateDevices=yes for all our long-running daemons |
9a8112f5e9f1d80bf1740fe507185f992ab3c34c |
|
23-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
units: systemd-machined now exits on idle and we shouldn't try to restart it then |
cde93897cdefdd7c7f66c400a61e42ceee5f6a46 |
|
11-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
event: hook up sd-event with the service watchdog logic
Adds a new call sd_event_set_watchdog() that can be used to hook up the
event loop with the watchdog supervision logic of systemd. If enabled
and $WATCHDOG_USEC is set the event loop will ping the invoking systemd
daemon right after coming back from epoll_wait() but not more often than
$WATCHDOG_USEC/4. The epoll_wait() will sleep no longer than
$WATCHDOG_USEC/4*3, to make sure the service manager is called in time.
This means that setting WatchdogSec= in a .service file and calling
sd_event_set_watchdog() in your daemon is enough to hook it up with the
watchdog logic. |
bc5cb1d525461c75e69ce1f82a52e223309cca7c |
|
19-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
machined: run machined at minimal capabilities |
085b90af43fefd9ed195902c4b55f1da3c568554 |
|
19-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
units: add references to bus API documentation to logind+machined |
1ee306e1248866617c96ed9f4263f375588ad838 |
|
02-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
machined: split out machine registration stuff from logind
Embedded folks don't need the machine registration stuff, hence it's
nice to make this optional. Also, I'd expect that machinectl will grow
additional commands quickly, for example to join existing containers and
suchlike, hence it's better keeping that separate from loginctl. |