Zbigniew Jędrzejewski-Szmek [Fri, 26 Jul 2019 13:01:36 +0000 (15:01 +0200)]
man: reword description of "-" for sysctl.d
Follow-up for
e08be64937.
Zbigniew Jędrzejewski-Szmek [Fri, 26 Jul 2019 12:57:56 +0000 (14:57 +0200)]
Merge pull request #13191 from poettering/sysctl-no-fail
allow sysctl assignments to fail
Zbigniew Jędrzejewski-Szmek [Fri, 26 Jul 2019 10:43:32 +0000 (12:43 +0200)]
Merge pull request #13137 from poettering/efi-random
beef up random seed logic, add boot loader entropy provisioning, improve docs about it
Lennart Poettering [Fri, 26 Jul 2019 07:41:00 +0000 (09:41 +0200)]
Merge pull request #13186 from keszybz/tmpfiles-postponement
Create less stuff when systemd-tmpfiles --create is executed (during installation or otherwise)
Lennart Poettering [Fri, 26 Jul 2019 07:40:21 +0000 (09:40 +0200)]
Merge pull request #13188 from yuwata/news-igmp-version
network: rename `IGMPVersion=` to `MulticastIGMPVersion=`
Yu Watanabe [Fri, 26 Jul 2019 02:15:29 +0000 (11:15 +0900)]
NEWS: mention SpeedMeter=
Lennart Poettering [Fri, 26 Jul 2019 07:28:43 +0000 (09:28 +0200)]
NEWS: mention the new sysctl.d/ - prefix
Lennart Poettering [Fri, 26 Jul 2019 07:26:07 +0000 (09:26 +0200)]
sysctl: prefix ping port range setting with a dash
Fixes: #13177
Lennart Poettering [Fri, 26 Jul 2019 07:25:09 +0000 (09:25 +0200)]
Revert "Revert "sysctl: Enable ping(8) inside rootless Podman containers""
This reverts commit
be74f51605b4c7cb74fec3a50cd13b67598a8ac1.
Let's add this again. With the new sysctl "-" thing we can make this
work.
Lennart Poettering [Fri, 26 Jul 2019 07:24:11 +0000 (09:24 +0200)]
man: document the new sysctl.d/ - prefix
Lennart Poettering [Fri, 26 Jul 2019 07:17:01 +0000 (09:17 +0200)]
sysctl: if options are prefixed with "-" ignore write errors
Lennart Poettering [Fri, 26 Jul 2019 07:04:15 +0000 (09:04 +0200)]
sysctl: reset 'r' only where needed
Lennart Poettering [Fri, 26 Jul 2019 07:03:06 +0000 (09:03 +0200)]
sysctl: switch to log_syntax()
With @keszybz' recent work this will give us clickable links in the
journalctl output.
Evgeny Vereshchagin [Thu, 25 Jul 2019 21:58:42 +0000 (21:58 +0000)]
Revert "sysctl: Enable ping(8) inside rootless Podman containers"
This reverts commit
90ce7627dfe824ff6e7c0ca5f96350fbcfec7118.
See https://github.com/systemd/systemd/issues/13177#issuecomment-514931461
Yu Watanabe [Fri, 26 Jul 2019 01:13:58 +0000 (10:13 +0900)]
NEWS: mention Bridge.MulticastIGMPVersion=
Yu Watanabe [Fri, 26 Jul 2019 01:59:36 +0000 (10:59 +0900)]
network: slightly update log message
Yu Watanabe [Fri, 26 Jul 2019 01:58:34 +0000 (10:58 +0900)]
network: rename IGMPVersion= -> MulticastIGMPVersion=
Zbigniew Jędrzejewski-Szmek [Thu, 25 Jul 2019 13:55:13 +0000 (15:55 +0200)]
sd-boot: silence one warning about pointer cast
It doesn't matter either way. Fixes #13174.
Lennart Poettering [Thu, 25 Jul 2019 17:25:50 +0000 (19:25 +0200)]
update TODO
Zbigniew Jędrzejewski-Szmek [Thu, 25 Jul 2019 17:13:41 +0000 (19:13 +0200)]
tmpfiles: copy files to /etc only on boot
We'd copy /etc/nsswitch.conf, /etc/pam.d/, and /etc/issue (*) on every
tmpfiles --create run. I think we should only do this at boot, so if
people install systemd.rpm in a larger transaction and want to create those
files at a later step, we don't interfere with that.
(Stuff like /etc/os-release and /etc/mtab is not really configurable,
we might as well create it unconditionally.)
(Seemingly, the alternative approach might be to not call
systemd-tmpfiles --create in systemd.rpm %post. But this wouldn't have much
effect, because various packages call it anyway, and our
%tmpfiles_create_package macro does too. So we need to change the
configuration instead.)
(*) We don't provide /usr/share/factory/issue, so normally this fails, but
somebody else might provide that file, so it seems useful to keep the
C line.
Zbigniew Jędrzejewski-Szmek [Thu, 25 Jul 2019 17:12:02 +0000 (19:12 +0200)]
tmpfiles: stop creating /etc/localtime symlink
If the symlink is not present, UTC is the default. There *is* a slight
advantage to it: humans might expect it to be present and look in /etc.
But it might interfere with post-install scripts and it doesn't serve
any technical purpose. Let's not create it. Fixes #13183.
Lennart Poettering [Mon, 22 Jul 2019 08:22:56 +0000 (10:22 +0200)]
update TODO
Lennart Poettering [Mon, 22 Jul 2019 08:22:47 +0000 (10:22 +0200)]
TODO: remove apparently fixed issue from TODO
Lennart Poettering [Mon, 22 Jul 2019 16:13:26 +0000 (18:13 +0200)]
docs: add longer document about systemd and random number seeds
Lennart Poettering [Mon, 22 Jul 2019 13:24:49 +0000 (15:24 +0200)]
man: extend on the --print-boot-path description a bit
Lennart Poettering [Mon, 22 Jul 2019 13:05:29 +0000 (15:05 +0200)]
bootctl: add is-installed verb
Fixes: #9428
Lennart Poettering [Mon, 22 Jul 2019 12:19:33 +0000 (14:19 +0200)]
man: document the systemd-random-seed rework
Lennart Poettering [Mon, 22 Jul 2019 12:00:25 +0000 (14:00 +0200)]
docs: document new random seed EFI vars as part of the boot loader interface
Lennart Poettering [Mon, 22 Jul 2019 11:51:30 +0000 (13:51 +0200)]
random-seed: rework systemd-random-seed.service substantially
This makes two major changes to the way systemd-random-seed operates:
1. We now optionally credit entropy if this is configured (via an env
var). Previously we never would do that, with this change we still don't
by default, but it's possible to enable this if people acknowledge that
they shouldn't replicate an image with a contained random seed to
multiple systems. Note that in this patch crediting entropy is a boolean
thing (unlike in previous attempts such as #1062), where only a relative
amount of bits was credited. The simpler scheme implemented here should
be OK though as the random seeds saved to disk are now written only with
data from the kernel's entropy pool retrieved after the pool is fully
initialized. Specifically:
2. This makes systemd-random-seed.service a synchronization point for
kernel entropy pool initialization. It was already used like this, for
example by systemd-cryptsetup-generator's /dev/urandom passphrase
handling, with this change it explicitly operates like that (at least on
systems which provide getrandom(), where we can support this). This
means services that rely on an initialized random pool should now place
After=systemd-random-seed.service and everything should be fine. Note
that with this change sysinit.target (and thus early boot) is NOT
systematically delayed until the entropy pool is initialized, i.e.
regular services need to add explicit ordering deps on this service if
they require an initialized random pool.
Fixes: #4271
Replaces: #10621 #4513
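The commit above describes two properties a practitioner may want to reproduce in their own tooling: a seed that is only taken from the kernel pool once that pool is fully initialized (which is what makes crediting it defensible), and the fsync_full() helper from the "fs-util: add fsync_full() helper" commit below that makes the saved seed durable. The following Python is an added example, not code from systemd: it uses getrandom(2) with GRND_NONBLOCK to probe whether the pool is initialized, reads the seed with a blocking getrandom(2) so it never returns pre-initialization output, and writes it 0600 via temp-file, fsync-file-and-directory, rename. The file name and the 512-byte size are assumptions; the example does not credit the seed to the kernel (that needs the RNDADDENTROPY ioctl and root) and falls back to os.urandom() where getrandom(2) is unavailable.

```python
import errno
import os
import tempfile


def entropy_pool_initialized():
    """True if the kernel random pool is initialized, False if a
    getrandom(2) read would still block, None where getrandom(2) is not
    available (non-Linux, or kernels older than 3.17)."""
    getrandom = getattr(os, "getrandom", None)
    if getrandom is None:
        return None
    try:
        getrandom(1, os.GRND_NONBLOCK)
    except BlockingIOError:
        return False
    except OSError as e:
        if e.errno == errno.ENOSYS:
            return None
        raise
    return True


def read_seed(size):
    """Return `size` bytes taken from the pool only after initialization:
    getrandom(2) with flags=0 blocks until then, so what comes back is never
    pre-initialization output. Falls back to os.urandom() without getrandom."""
    getrandom = getattr(os, "getrandom", None)
    if getrandom is None:
        return os.urandom(size)
    buf = bytearray()
    while len(buf) < size:
        buf += getrandom(size - len(buf))  # may return short if interrupted
    return bytes(buf)


def fsync_full(fd, path):
    """Mirror of the fsync_full() idea: fsync() the file, then the directory
    holding it, so both the data and the directory entry are durable."""
    os.fsync(fd)
    dirfd = os.open(os.path.dirname(os.path.abspath(path)), os.O_RDONLY)
    try:
        os.fsync(dirfd)
    finally:
        os.close(dirfd)


def save_seed(path, size=512):
    """Write a fresh seed to `path` with mode 0600 through a temporary file
    and rename, so a crash never leaves a truncated seed. Returns the number
    of bytes written."""
    data = read_seed(size)
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_CLOEXEC, 0o600)
    try:
        view = memoryview(data)
        while view:
            view = view[os.write(fd, view):]
        fsync_full(fd, tmp)
    finally:
        os.close(fd)
    os.replace(tmp, path)
    return len(data)


def load_seed(path):
    with open(path, "rb") as f:
        return f.read()


def seed_roundtrip(size=64):
    """Save and reload a seed in a scratch directory (assumed file name
    'random-seed'); returns (bytes_written, bytes_read_back, file_mode)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "random-seed")
        written = save_seed(p, size)
        data = load_seed(p)
        mode = os.stat(p).st_mode & 0o777
    return written, len(data), mode


if __name__ == "__main__":
    print("pool initialized:", entropy_pool_initialized())
    print("roundtrip (written, read, mode):", seed_roundtrip())
```

A service that needs an initialized pool but cannot change its ordering to After=systemd-random-seed.service can call entropy_pool_initialized() at start-up and wait or fail closed instead of silently consuming weak output.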
Lennart Poettering [Mon, 22 Jul 2019 08:24:50 +0000 (10:24 +0200)]
random-seed: drop falling back to O_WRONLY if O_RDWR on /dev/urandom doesn't work
There's no reason why writing should work if reading and writing
doesn't. Let's simplify this hence. /dev/urandom is generally an r/w
device, and everything else would be a serious system misconfiguration.
Lennart Poettering [Mon, 22 Jul 2019 08:24:26 +0000 (10:24 +0200)]
random-seed: reduce scope of variable
Lennart Poettering [Fri, 19 Jul 2019 16:06:00 +0000 (18:06 +0200)]
units: automatically initialize the system token if that makes sense
Lennart Poettering [Fri, 19 Jul 2019 17:13:24 +0000 (19:13 +0200)]
bootctl: show random seed state
Lennart Poettering [Fri, 19 Jul 2019 12:51:43 +0000 (14:51 +0200)]
bootctl: add new verb for initializing a random seed in the ESP
Lennart Poettering [Fri, 19 Jul 2019 17:34:10 +0000 (19:34 +0200)]
random-seed: move pool size determination to random-util.[ch]
That way we can reuse it elsewhere.
Lennart Poettering [Fri, 19 Jul 2019 17:39:15 +0000 (19:39 +0200)]
core: take random seed from boot loader and credit it to kernel entropy pool
Lennart Poettering [Thu, 18 Jul 2019 18:58:10 +0000 (20:58 +0200)]
sd-boot: read random seed from ESP and pass it to OS
Lennart Poettering [Fri, 19 Jul 2019 09:04:03 +0000 (11:04 +0200)]
efi: steal glibc sha256 implementation
Lennart Poettering [Thu, 18 Jul 2019 18:57:23 +0000 (20:57 +0200)]
bootctl: add new feature flag for indicating random seed management support
Lennart Poettering [Fri, 19 Jul 2019 16:28:16 +0000 (18:28 +0200)]
bootctl: shortcut configuration file parsing
Lennart Poettering [Fri, 19 Jul 2019 16:27:39 +0000 (18:27 +0200)]
bootctl: drop const from non-pointer function argument
Lennart Poettering [Fri, 19 Jul 2019 16:27:10 +0000 (18:27 +0200)]
bootctl: use the fact that startswith() returns the suffix
Lennart Poettering [Fri, 19 Jul 2019 16:29:53 +0000 (18:29 +0200)]
efivars: modernize efi_get_variable() a bit
Primarily, make sure the return parameters are all individually
optional.
Lennart Poettering [Thu, 18 Jul 2019 18:59:16 +0000 (20:59 +0200)]
efi: add log_oom() helper
Lennart Poettering [Thu, 18 Jul 2019 18:59:05 +0000 (20:59 +0200)]
efi: modernize file_read() a bit
Lennart Poettering [Mon, 22 Jul 2019 11:49:17 +0000 (13:49 +0200)]
xattr-util: document that we NUL suffix
Lennart Poettering [Mon, 22 Jul 2019 11:48:12 +0000 (13:48 +0200)]
fs-util: add fsync_full() helper
We usually combine an fsync() with fsync_directory_of_file() hence let's
add a helper that does both in one.
Zbigniew Jędrzejewski-Szmek [Thu, 25 Jul 2019 09:34:37 +0000 (11:34 +0200)]
Merge pull request #13144 from poettering/nspawn-modprobe
nspawn modprobe fixes
Yu Watanabe [Thu, 25 Jul 2019 01:11:45 +0000 (10:11 +0900)]
network: drop redundant Link::kind check
All CAN devices' iftype are ARPHRD_CAN. So, checking Link::kind is
redundant.
Follow-up for
c6ac3729c9ece63185a3c4e7bc1970b98d2feb01.
Yu Watanabe [Thu, 25 Jul 2019 04:01:59 +0000 (13:01 +0900)]
units: add initrd-network-generator.service
Yu Watanabe [Thu, 25 Jul 2019 06:44:25 +0000 (15:44 +0900)]
Merge pull request #13179 from yuwata/network-drop-new-settings-from-dhcp-section
network: drop recently added settings from deprecated [DHCP] section
Yu Watanabe [Thu, 25 Jul 2019 03:39:33 +0000 (12:39 +0900)]
network: drop recently added settings from deprecated [DHCP] section
Yu Watanabe [Thu, 25 Jul 2019 03:38:57 +0000 (12:38 +0900)]
test-network: use [DHCPv4] and [DHCPv6] sections instead of deprecated [DHCP] section
Yu Watanabe [Thu, 25 Jul 2019 03:12:40 +0000 (12:12 +0900)]
Merge pull request #13169 from ssahani/bridge-igmp-group-version
Bridge igmp group version
Yu Watanabe [Thu, 25 Jul 2019 01:01:46 +0000 (10:01 +0900)]
test-network: add test for Bridge.IGMPVersion=
Susant Sahani [Wed, 24 Jul 2019 12:58:57 +0000 (18:28 +0530)]
networkd: bridge add support to set IGMP version
Shreyas Behera [Wed, 24 Jul 2019 12:54:51 +0000 (18:24 +0530)]
Add IFLA_BR_MCAST_IGMP_VERSION
Yu Watanabe [Thu, 25 Jul 2019 00:49:56 +0000 (09:49 +0900)]
Merge pull request #13166 from yuwata/network-slcan-support
network: slcan support
Yu Watanabe [Thu, 25 Jul 2019 00:47:59 +0000 (09:47 +0900)]
Merge pull request #13173 from kinvolk/iaguis/fix-norbind
Revert "nspawn: remove unnecessary mount option parsing logic"
Evgeny Vereshchagin [Wed, 24 Jul 2019 15:36:19 +0000 (15:36 +0000)]
tests: pass --werror to meson on Semaphore
Lennart Poettering [Fri, 19 Jul 2019 16:29:11 +0000 (18:29 +0200)]
core: try to reopen /dev/kmsg again right after mounting /dev
I was debugging stuff during early boot, and was confused that I never
found the logs for it in kmsg. The reason for that was that /proc is
generally not mounted the first time we do log_open() and hence
log_set_target(LOG_TARGET_KMSG) we do when running as PID 1 had no
effect. A lot later during start-up we call log_open() again where this
is fixed (after the point where we close all remaining fds still open),
but in the meantime no logs ever got written to kmsg. This patch fixes
that.
RussianNeuroMancer [Wed, 24 Jul 2019 17:49:44 +0000 (01:49 +0800)]
Add Logitech touchpads, sort vendors alphabetically (#13167)
hwdb: Add Logitech touchpads, such as Logitech Wireless Touchpad, Logitech T650 and others
Sort vendors alphabetically.
Lennart Poettering [Wed, 24 Jul 2019 15:05:09 +0000 (17:05 +0200)]
update NEWS with more recently committed stuff
Lennart Poettering [Wed, 24 Jul 2019 15:08:05 +0000 (17:08 +0200)]
Revert "timesyncd: add Conflicts for ntpd and chronyd"
This reverts commit
971a7a1526a6c1d5cb439a8a41dc65ccd4e3a66f.
These unit names are typically different on distributions, let's not
hardcode those. Stuff like this should probably live in the distro
RPM/.deb, but not upstream, where we should be distro agnostic and
agnostic to other higher level packages like this.
Iago López Galeiras [Wed, 24 Jul 2019 14:55:17 +0000 (16:55 +0200)]
test: add some test for norbind
This regressed so let's add a test to make sure it doesn't happen again.
Iago López Galeiras [Wed, 24 Jul 2019 14:41:29 +0000 (16:41 +0200)]
Revert "nspawn: remove unnecessary mount option parsing logic"
This reverts commit
72d967df3e27186dd014bed2c6e7400cc32d84c5.
Revert this because it broke the `norbind` option of the bind flags
because it makes bind-mounts unconditionally recursive.
Let's bring the old logic back.
Fixes: #13170
Lennart Poettering [Wed, 24 Jul 2019 14:42:18 +0000 (16:42 +0200)]
Merge pull request #13168 from ssahani/fix-dhcp-route-no-parsing
network: fix DHCP route number parsing.
Debarshi Ray [Mon, 22 Jul 2019 19:30:25 +0000 (21:30 +0200)]
sysctl: Enable ping(8) inside rootless Podman containers
This makes ping(8) work without CAP_NET_ADMIN and CAP_NET_RAW because
those aren't effective inside rootless Podman containers.
It's quite useful when using OSTree based operating systems like Fedora
Silverblue, where development environments are often set up using
rootless Podman containers with helpers like Toolbox [1]. Not having
a basic network utility like ping(8) work inside the development
environment can be inconvenient.
See:
https://lwn.net/Articles/422330/
http://man7.org/linux/man-pages/man7/icmp.7.html
https://github.com/containers/libpod/issues/1550
The upper limit of the range of group identifiers is set to 2147483647,
which is 2^31-1. Values greater than that get rejected by the kernel
because of this definition in linux/include/net/ping.h:
#define GID_T_MAX (((gid_t)~0U) >> 1)
That's not so bad because values between 2^31 and 2^32-1 are reserved
on systemd-based systems anyway [2].
[1] https://github.com/debarshiray/toolbox
[2] https://systemd.io/UIDS-GIDS.html#summary
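Two things in this log are worth seeing together in code: the GID_T_MAX bound on net.ipv4.ping_group_range explained in the commit above, and the sysctl.d "-" prefix introduced in the "sysctl: if options are prefixed with "-" ignore write errors" commit further up, which is what lets the ping setting be shipped as "-net.ipv4.ping_group_range" without turning a missing or unwritable key into a boot-time failure. The Python below is an added example, not systemd's own sysctl code: a small sysctl.d(5) parser and applier that treats a write error on a "-"-prefixed key as ignorable and on any other key as a failure, plus a validator for the ping range. It runs against a scratch directory standing in for /proc/sys; the two "hypothetical_*" keys in the constructed sample do not exist anywhere and are there only to exercise both paths. Globs in keys are not handled.

```python
import os
import tempfile

# ((gid_t)~0U) >> 1 from linux/include/net/ping.h, quoted in the commit above
GID_T_MAX = 0xFFFFFFFF >> 1  # 2147483647


def sysctl_key_to_path(key):
    """Map a sysctl.d key to its path below /proc/sys with the rule
    sysctl(8) uses: if the key contains '/', '/' is the separator and '.' is
    literal (needed for interface names such as eth0.100); otherwise '.' is
    the separator."""
    return key if "/" in key else key.replace(".", "/")


def parse_sysctl_d(text):
    """Parse sysctl.d(5)-style text into (key, value, ignore_errors) tuples.
    Blank lines and lines starting with '#' or ';' are skipped; a leading '-'
    on the key marks the setting as optional."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        ignore = key.startswith("-")
        if ignore:
            key = key[1:].strip()
        if not key:
            raise ValueError(f"line {lineno}: empty key")
        entries.append((key, value, ignore))
    return entries


def apply_sysctl_d(text, root="/proc/sys"):
    """Write each setting below `root`. A missing or unwritable key counts
    as a failure unless it carried the '-' prefix, in which case it is only
    recorded as ignored. Returns {'applied': [...], 'ignored': [...],
    'failed': [...]}."""
    result = {"applied": [], "ignored": [], "failed": []}
    for key, value, ignore in parse_sysctl_d(text):
        path = os.path.join(root, sysctl_key_to_path(key))
        try:
            # no O_CREAT: a key that does not exist must fail, as in /proc/sys
            fd = os.open(path, os.O_WRONLY | os.O_CLOEXEC)
            try:
                os.write(fd, (value + "\n").encode())
            finally:
                os.close(fd)
        except OSError as e:
            result["ignored" if ignore else "failed"].append((key, e.strerror))
            continue
        result["applied"].append(key)
    return result


def validate_ping_group_range(value):
    """net.ipv4.ping_group_range takes 'low high'; the kernel rejects either
    bound above GID_T_MAX. low > high (the default '1 0') is accepted and
    simply disables unprivileged ping."""
    parts = value.split()
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return False
    return all(0 <= int(p) <= GID_T_MAX for p in parts)


# Constructed sample: the optional ping range as shipped after the '-' prefix
# commit, plus two hypothetical keys that exist nowhere.
SAMPLE_CONF = """\
# ping without CAP_NET_RAW for every group up to GID_T_MAX
-net.ipv4.ping_group_range = 0 2147483647
-net.ipv4.hypothetical_optional_key = 1
net.ipv4.hypothetical_required_key = 1
"""


def demo():
    """Apply SAMPLE_CONF against a scratch directory standing in for
    /proc/sys where only ping_group_range exists, holding the kernel default."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "net", "ipv4"))
        target = os.path.join(root, "net", "ipv4", "ping_group_range")
        with open(target, "w") as f:
            f.write("1 0\n")
        result = apply_sysctl_d(SAMPLE_CONF, root)
        with open(target) as f:
            result["written"] = f.read()
    return result


if __name__ == "__main__":
    r = demo()
    print(r)
    # non-zero exit only for failed keys that lacked the '-' prefix
    raise SystemExit(1 if r["failed"] else 0)
```

The distinction matters operationally: a key that is absent on an older kernel, or sits under a read-only /proc/sys, should not make the whole sysctl step report failure when the setting was optional to begin with, while a typo in a required setting still must.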
Yu Watanabe [Wed, 24 Jul 2019 09:23:45 +0000 (18:23 +0900)]
network: support slcan
The device driver does not have an IFLA_INFO_KIND attribute. So, we need to
check iftype.
Closes #13150.
Susant Sahani [Wed, 24 Jul 2019 11:26:31 +0000 (16:56 +0530)]
network: fix DHCP route number parsing.
Zbigniew Jędrzejewski-Szmek [Wed, 24 Jul 2019 10:00:30 +0000 (12:00 +0200)]
Merge pull request #13145 from poettering/nss-gateway-fix
filter _gateway NSS resolving to only use main routing table
Lennart Poettering [Wed, 24 Jul 2019 07:59:38 +0000 (09:59 +0200)]
man: highlight the different concepts behind h/H and t/T
Fixes: #13151
Yu Watanabe [Wed, 24 Jul 2019 09:22:43 +0000 (18:22 +0900)]
tree-wide: drop netinet/ether.h from socket-util.h and sd-netlink.h
Lennart Poettering [Wed, 24 Jul 2019 09:11:03 +0000 (11:11 +0200)]
Merge pull request #13118 from bluca/shutdown_watchdog_kexec
core: add KExecWatchdogSec and rename ShutdownWatchdogSec to RebootWatchdogSec
Yu Watanabe [Wed, 24 Jul 2019 07:50:39 +0000 (16:50 +0900)]
Merge pull request #13143 from poettering/logind-inhibit-restart
logind restart inhibition fixes
Lennart Poettering [Tue, 23 Jul 2019 12:29:18 +0000 (14:29 +0200)]
meson: reorder alphabetically
Lennart Poettering [Tue, 23 Jul 2019 12:28:41 +0000 (14:28 +0200)]
local-addresses: filter out any routing tables but the main one
Fixes: #13132
Lennart Poettering [Tue, 23 Jul 2019 12:22:06 +0000 (14:22 +0200)]
netlink: move local-addresses.[ch] to src/shared
This code is not part of the public API of sd-netlink, nor used by it
internally and hence should not be in the sd-netlink directory.
Also, move the test case for it to src/test/.
Anita Zhang [Tue, 23 Jul 2019 20:26:51 +0000 (13:26 -0700)]
[systemctl] Don't print ExecXYZEx= when doing 'systemctl status'
The info printed in this function is the same as the non-Ex version of the
property so there's no point double printing.
Other places that print ExecXYZEx= properties are left alone since the
displayed information is different.
Lennart Poettering [Tue, 23 Jul 2019 18:22:23 +0000 (20:22 +0200)]
factory: add default /etc/issue file
Booting up an image with --volatile=yes otherwise looks so naked, so
let's include this file in the default factory too. It's common and
simple and should be safe to ship.
Lennart Poettering [Tue, 23 Jul 2019 18:21:07 +0000 (20:21 +0200)]
update TODO
Lennart Poettering [Fri, 19 Jul 2019 15:52:26 +0000 (17:52 +0200)]
bootctl: show correct error code
Lennart Poettering [Thu, 18 Jul 2019 18:58:34 +0000 (20:58 +0200)]
efi: drop unused define
Lennart Poettering [Thu, 18 Jul 2019 18:56:41 +0000 (20:56 +0200)]
efi: remove trailing whitespace in string
Yu Watanabe [Tue, 23 Jul 2019 19:50:52 +0000 (04:50 +0900)]
fuzzit: ignore library version
Lennart Poettering [Tue, 23 Jul 2019 12:55:42 +0000 (14:55 +0200)]
hwdb: run 'meson hwdb-update'
Bastien Nocera [Tue, 5 Sep 2017 15:14:58 +0000 (17:14 +0200)]
libudev: Update list of possible actions
Add "move" action as per src/libsystemd/sd-device/device-private.c
Lennart Poettering [Tue, 23 Jul 2019 06:38:21 +0000 (08:38 +0200)]
core: add spdx header to all-units.h
The specific header file is probably not copyrightable anyway, since
it's so trivial, but let's still add the SPDX header line so that a
systematic check for the line doesn't spit out this header needlessly.
Luca Boccassi [Mon, 22 Jul 2019 10:39:25 +0000 (11:39 +0100)]
core: rename ShutdownWatchdogSec to RebootWatchdogSec
This option is only used on reboot, not on other types of shutdown
modes, so it is misleading.
Keep the old name working for backward compatibility, but remove it
from the documentation.
Luca Boccassi [Fri, 19 Jul 2019 10:54:15 +0000 (11:54 +0100)]
core: add KExecWatchdogSec option
Rather than always enabling the shutdown WD on kexec, which might be
dangerous in case the kernel driver and/or the hardware implementation
does not reset the wd on kexec, add a new timer, disabled by default,
to let users optionally enable the shutdown WD on kexec separately
from the runtime and reboot ones. Advise in the documentation to
also use the runtime WD in conjunction with it.
Fixes:
a637d0f9ecbe ("core: set shutdown watchdog on kexec too")
Lennart Poettering [Tue, 23 Jul 2019 16:21:00 +0000 (18:21 +0200)]
Merge pull request #12977 from yuwata/network-route-type-local-12975
network: do not touch kernel-created multicast route
Christian Kellner [Tue, 23 Jul 2019 13:41:20 +0000 (15:41 +0200)]
hwdb: add HHKB Pro JP keyboard lack of LEDs
The HHKB Pro JP has no leds whatsoever, record that. The sysfs
file "capabilities/led" says "1f".
Lennart Poettering [Tue, 23 Jul 2019 16:16:57 +0000 (18:16 +0200)]
Merge pull request #13148 from poettering/v243-news-more
more v243 news preparation
Lennart Poettering [Tue, 23 Jul 2019 10:41:05 +0000 (12:41 +0200)]
logind: don't unlink session fifo when exiting logind
Let's only close our fds, but not unlink it. That's done when the
session is stopped.
This should make sure the fd will survive daemon restarts.
Lennart Poettering [Tue, 23 Jul 2019 10:40:52 +0000 (12:40 +0200)]
logind: make id const, since it points into another buffer
Lennart Poettering [Tue, 23 Jul 2019 08:33:39 +0000 (10:33 +0200)]
logind: at start-up automatically clean up orphaned inhibitors
Lennart Poettering [Tue, 23 Jul 2019 08:32:41 +0000 (10:32 +0200)]
logind: un-export and voidify a few functions
Let's minimize scope of functions and make sure that functions that
semantically should never fail can't return errors.
Lennart Poettering [Tue, 23 Jul 2019 08:27:19 +0000 (10:27 +0200)]
logind: rework allocation/freeing of inhibitors
Let's follow our modern style (i.e. return proper errors, use structure
initialization and _cleanup_).
Most importantly: remove state file and FIFO removal from
inhibitor_free() and let's move it to inhibitor_stop().
This makes sure that state files/FIFOs are not removed when we
terminate logind, i.e. that they can survive logind restarts.
Fixes: #11825
Lennart Poettering [Tue, 23 Jul 2019 08:25:03 +0000 (10:25 +0200)]
logind: use free_and_replace() where that makes sense
Lennart Poettering [Tue, 23 Jul 2019 08:23:15 +0000 (10:23 +0200)]
logind: add logging to inhibitor_load()
Also make some parsing errors, fatals and others (that just care for
'decoration') non-fatal.
The single caller of inhibitor_load() didn't log about any errors, hence
let's do this in our function, similar to how this is done in
session_load() already.