Patrik Flykt [Mon, 18 Sep 2017 10:09:44 +0000 (13:09 +0300)]
sd-radv: Free DNS domain search list on unref (#6858)
Evgeny Vereshchagin [Sun, 17 Sep 2017 21:07:12 +0000 (00:07 +0300)]
Merge pull request #6851 from keszybz/fix-masking-with-empty-files
Fix masking with empty files
Zbigniew Jędrzejewski-Szmek [Sun, 17 Sep 2017 13:17:50 +0000 (15:17 +0200)]
test-exec-util: add two test cases for scripts masked with empty file
A test for #6831. Fails without the previous commit.
Suggested by Evgeny Vereshchagin.
Zbigniew Jędrzejewski-Szmek [Sun, 17 Sep 2017 13:26:01 +0000 (15:26 +0200)]
conf-files: fix check for masking with empty files
Fixes #6831.
Zbigniew Jędrzejewski-Szmek [Sun, 17 Sep 2017 13:05:35 +0000 (15:05 +0200)]
Merge pull request #6788 from zerkms/TIMER_TIMEZONE
Timezone support for timers
Ivan Kurnosov [Sun, 17 Sep 2017 11:09:38 +0000 (23:09 +1200)]
Fix for dst/non-dst timezones
The problem was with the tm.tm_isdst that is set to the current environment
value: either DST or not. While the current state is not relevant to the state
in the desired date.
Hence — it should be reset so that the mktime_or_timegm could normalise it
later.
Lennart Poettering [Sun, 17 Sep 2017 10:04:21 +0000 (12:04 +0200)]
Merge pull request #6846 from keszybz/fix-udev_event_apply_format
Fix udev_event_apply_format()
Zbigniew Jędrzejewski-Szmek [Sun, 17 Sep 2017 07:50:52 +0000 (09:50 +0200)]
test-date: add more logging on error
Lennart Poettering [Sun, 17 Sep 2017 09:56:24 +0000 (11:56 +0200)]
Merge pull request #6840 from keszybz/more-docs
Some more documentation updates
Zbigniew Jędrzejewski-Szmek [Sun, 17 Sep 2017 07:10:03 +0000 (09:10 +0200)]
Simplify the if cases for timezone checking
Just to reduce the indentation a bit.
Ivan Kurnosov [Wed, 6 Sep 2017 09:56:36 +0000 (21:56 +1200)]
Added timezone to the CalendarSpec, parser/formatter and the timedatectl
Zbigniew Jędrzejewski-Szmek [Sat, 16 Sep 2017 06:45:02 +0000 (08:45 +0200)]
Move one space from dbus-execute.c to execute.c
The number of spaces is conserved ;)
Zbigniew Jędrzejewski-Szmek [Sat, 16 Sep 2017 06:38:28 +0000 (08:38 +0200)]
udev: fix buffer overflow in udev_event_apply_format()
Fixes #6664.
Christian Hesse [Fri, 15 Sep 2017 19:28:24 +0000 (21:28 +0200)]
fix path in btrfs rule (#6844)
Commit
0e8856d2 (assemble multidevice btrfs volumes without external
tools (#6607)) introduced a call to udevadm. That lives in @rootbindir@,
not @rootlibexecdir@. So fix the path.
Zbigniew Jędrzejewski-Szmek [Fri, 15 Sep 2017 19:24:48 +0000 (21:24 +0200)]
Merge pull request #6832 from poettering/keyring-mode
Add KeyringMode unit property to fix cryptsetup key caching
Zbigniew Jędrzejewski-Szmek [Fri, 15 Sep 2017 15:26:35 +0000 (17:26 +0200)]
Merge pull request #6841 from poettering/doc-exit-codes
document exit codes
Zbigniew Jędrzejewski-Szmek [Fri, 15 Sep 2017 12:59:45 +0000 (14:59 +0200)]
man: use "filename" not "file name" by default
We settled on "filename" and "file system", so change a couple of places for
consistency. The exception is when there's an adjective before "file" that
binds more strongly then "name": "password file name", "output file name", etc.
Those cases are left intact.
Russell Stuart [Tue, 12 Sep 2017 23:25:04 +0000 (09:25 +1000)]
man: update udevadm -y/--sysname-match documentation
Fixes #6792.
[zj: reorganize the sentece for grammatical correctness.]
Zbigniew Jędrzejewski-Szmek [Fri, 15 Sep 2017 12:49:44 +0000 (14:49 +0200)]
mailmap: add entry to fix encoding issues
Lennart Poettering [Fri, 15 Sep 2017 12:17:32 +0000 (14:17 +0200)]
man: add a whole section detailing journal stdout/stderr stream logging
Details about EPIPE/SIGPIPE handling, metadata and more.
Fixes: #6620
Lennart Poettering [Thu, 14 Sep 2017 19:23:56 +0000 (21:23 +0200)]
cryptsetup: make sure we invoke the cryptsetup tools with a shared keyring
We want that cryptsetup can cache keys between multiple invocations, and
it does so via the root user's user keyring, hence let's share it among
services.
Replaces: #6286
Lennart Poettering [Thu, 14 Sep 2017 19:19:05 +0000 (21:19 +0200)]
core: add new per-unit setting KeyringMode= for controlling kernel keyring setup
Usually, it's a good thing that we isolate the kernel session keyring
for the various services and disconnect them from the user keyring.
However, in case of the cryptsetup key caching we actually want that
multiple instances of the cryptsetup service can share the keys in the
root user's user keyring, hence we need to be able to disable this logic
for them.
This adds KeyringMode=inherit|private|shared:
inherit: don't do any keyring magic (this is the default in systemd --user)
private: a private keyring as before (default in systemd --system)
shared: the new setting
Lennart Poettering [Fri, 15 Sep 2017 14:48:41 +0000 (16:48 +0200)]
Merge pull request #6830 from keszybz/generator-dirs
Redirect generators to a temporary directory in test mode
Jan Synacek [Thu, 26 Jan 2017 12:45:46 +0000 (13:45 +0100)]
doc: document service exit codes
(Heavily reworked by Lennart while rebasing)
Fixes: #3545
Replaces: #5159
Lennart Poettering [Fri, 15 Sep 2017 14:42:09 +0000 (16:42 +0200)]
execute: improve and augment execution log messages
Let's generate friendly messages for more cases, and make slight
adjustments to the existing messages.
Lennart Poettering [Fri, 15 Sep 2017 14:41:19 +0000 (16:41 +0200)]
exit-status: drop EXIT_MAKE_STARTER
This is unused since kdbus has been removed.
Zbigniew Jędrzejewski-Szmek [Fri, 15 Sep 2017 12:47:57 +0000 (14:47 +0200)]
build-sys: require libmount >= 2.30 (#6795)
Fixes #4871.
The new libmount has two changes relevant for us:
- x-* options are propagated to /run/mount/utab and are visible through
libmount (fixes #4817).
- umount -c now really works (partially solves #6115).
Lennart Poettering [Fri, 15 Sep 2017 11:17:36 +0000 (13:17 +0200)]
Merge pull request #6772 from pfl/dnssl
networkd: DNSSL option for systemd-networkd prefix delegation
Zbigniew Jędrzejewski-Szmek [Fri, 15 Sep 2017 09:47:46 +0000 (11:47 +0200)]
man: update the description of machinectl -M
Fixes #6621.
Also rework the introduction a bit.
Zbigniew Jędrzejewski-Szmek [Fri, 15 Sep 2017 09:23:57 +0000 (11:23 +0200)]
man: explain when networkd removed existing configuration and when not
Fixes #6693.
Patrik Flykt [Thu, 7 Sep 2017 09:24:00 +0000 (12:24 +0300)]
man: Document Domains for Router Advertisement network configuration
Patrik Flykt [Mon, 21 Aug 2017 12:20:56 +0000 (15:20 +0300)]
test-ndisc-ra: Update test to include DNSSL option
Update the test to include the already provided DNSSL option.
Patrik Flykt [Mon, 21 Aug 2017 10:44:25 +0000 (13:44 +0300)]
networkd-radv: Set DNSSL information on Router Advertisement enabling
Patrik Flykt [Mon, 21 Aug 2017 10:41:20 +0000 (13:41 +0300)]
sd-radv: Add Router Advertisement DNS Search List option
Add Router Advertisement DNS Search List option as specified
in RFC 8106. The search list option uses and identical option
header as the RDNSS option and therefore the option header
structure can be reused.
If systemd is compiled with IDNA support, internationalization
of the provided search domain is applied, after which the search
list is written in wire format into the DNSSL option.
Patrik Flykt [Wed, 16 Aug 2017 10:29:51 +0000 (13:29 +0300)]
networkd: Parse DNS search domain information for Router Advertisement
Parse DNS search domains from .network files so that they are included
in Router Advertisement DNSSL options.
DNS search domains are added to the [IPv6PrefixDelegation] section using
the following syntax:
Domains=foo.example.com bar.example.com
If IDNA libraries are enabled in systemd, international domain names
are supported.
Zbigniew Jędrzejewski-Szmek [Fri, 15 Sep 2017 07:33:17 +0000 (09:33 +0200)]
man: delete note about propagating signal termination
That advice is generally apropriate for "user" programs, i.e. programs which
are run interactively and used pipelines and such. But it makes less sense for
daemons to propagate the exit signal. For example, if a process receives a SIGTERM,
it is apropriate for it to exit with 0 code. So let's just delete the whole
paragraph, since this page doesn't seem to be the right place for the longer
discussion which would be required to mention all the caveats and considerations.
Fixes #6415.
Martin Pitt [Fri, 15 Sep 2017 07:21:49 +0000 (09:21 +0200)]
Revert "device : reload when udev generates a "changed" event" (#6836)
This reverts commit
0ffddc6e2c6e19e5dc81812aee9fbe964059f3aa. That
causes a rather severe disruption of D-Bus and other services when e. g.
restarting local-fs.target (as spotted by the "storage" test regression).
Fixes #6834
Lennart Poettering [Fri, 15 Sep 2017 06:26:38 +0000 (08:26 +0200)]
core: make sure that $JOURNAL_STREAM prefers stderr over stdout information (#6824)
If two separate log streams are connected to stdout and stderr, let's
make sure $JOURNAL_STREAM points to the latter, as that's the preferred
log destination, and the environment variable has been created in order
to permit services to automatically upgrade from stderr based logging to
native journal logging.
Also, document this behaviour.
Fixes: #6800
Martin Pitt [Fri, 15 Sep 2017 05:32:50 +0000 (07:32 +0200)]
cryptsetup: fix unused variable (#6833)
When building without veracrypt, gcc warns
../src/cryptsetup/cryptsetup.c:55:13: warning: ‘arg_tcrypt_veracrypt’ defined but not used [-Wunused-variable]
static bool arg_tcrypt_veracrypt = false;
Fix this by conditionalizing the declaration.
Susant Sahani [Thu, 14 Sep 2017 19:51:39 +0000 (19:51 +0000)]
networkd: add support to configure IP Rule (#5725)
Routing Policy rule manipulates rules in the routing policy database control the
route selection algorithm.
This work supports to configure Rule
```
[RoutingPolicyRule]
TypeOfService=0x08
Table=7
From= 192.168.100.18
```
```
ip rule show
0: from all lookup local
0: from 192.168.100.18 tos 0x08 lookup 7
```
V2 changes:
1. Added logic to handle duplicate rules.
2. If rules are changed or deleted and networkd restarted
then those are deleted when networkd restarts next time
V3:
1. Add parse_fwmark_fwmask
Alan Jenkins [Thu, 14 Sep 2017 19:43:43 +0000 (20:43 +0100)]
units: don't kill the emergency shell when sysinit.target is triggered (#6765)
Why
---
The advantage of this is that starting sysinit.target from the emergency
shell will no longer kill the emergency shell and lock you out of the
system. Our docs already claimed that emergency.target was useful for
"starting individual units in order to continue the boot process in steps".
This resolves #6509 for my purposes.
Remaining limitation
--------------------
Starting getty.target will still kill the shell, and if you don't have a
root password you will then be locked out at that point. This is relevant
to distributions which patch the sulogin system to permit logins when the
root password is locked. Both Debian and RedHat used to follow this
behaviour! Debian have been discussing what they could replace it with at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806852
So this doesn't quite achieve perfection, but I think it's a worthwhile
change. It should be easier to understand the logic now it doesn't have
such a big hole in it. Repairing the sysinit stage of the boot is the main
reason we have emergency.target. And as discussed in the issue,
sysinit.target gets pulled in implicitly as soon as any DefaultDependencies
service is activated.
How
---
sysinit.target only needs to conflict with emergency.target. It didn't
need to conflict with emergency.service as well. In theory the conflicts
are pointless, we could just change the dependency of sysinit.target on
local-fs.target from Wants to Requires. However, doing so would mean that
when local-fs fails, the screen is flooded with yellow [DEPEND] failures.
That would hinder the poor unfortunate admin, so let's not do that.
There is no additional ordering requirement against emergency. If the
failure happens, the job for sysinit will be cancelled instantly. We don't
need to worry about when sysinit.target and its dependents would be
stopped, because sysinit waits for local-fs before it starts.
emergency.target is still necessarily stopped once we reach sysinit
(you can't express a one-way conflict in pure unit directives).
This is largely cosmetic... though perhaps it symbolizes that you're no
longer in Emergency Mode if System Initialization is successful ;-).
As a secondary advantage, the getty's which conflict on rescue.service now
need to conflict on emergency.service as well. This makes the system more
uniform and simpler to understand.
The only other effect this should have is that
`systemctl start emergency.target` is now practically the same as
`systemctl start rescue.target`. The only units this command will stop are
the conflicting getty units. Neither of those commands should ever be
used. E.g. they will not stop the gdm.service unit on Fedora 26.
Lennart Poettering [Thu, 14 Sep 2017 19:41:13 +0000 (21:41 +0200)]
Merge pull request #6801 from johnlinp/master
man: explicitly distinguish "implicit dependencies" and "default dependencies"
Zbigniew Jędrzejewski-Szmek [Thu, 14 Sep 2017 18:14:37 +0000 (20:14 +0200)]
Merge pull request #6826 from poettering/empty-list-conf
don't unnecessarily create empty but allocated strv in config_parse_strv()
Felipe Sateler [Thu, 14 Sep 2017 17:51:20 +0000 (14:51 -0300)]
shared: end string with % if one was found at the end of a expandible string (#6828)
Current behavior is that %X where X is an unidentified specifier, then the result is
the same %X string. This was not the case when the string ended with a stray %, where
the character would have not been output. Lets add that missing character.
Fixes: #6374
Zbigniew Jędrzejewski-Szmek [Thu, 14 Sep 2017 17:47:59 +0000 (19:47 +0200)]
Merge pull request #6818 from poettering/nspawn-whitelist
convert nspawn syscall blacklist into a whitelist (and related stuff)
Zbigniew Jędrzejewski-Szmek [Thu, 14 Sep 2017 17:46:55 +0000 (19:46 +0200)]
Merge pull request #6790 from poettering/unit-unsetenv
add UnsetEnvironment= unit file setting, in order to fix #6407
Lennart Poettering [Thu, 14 Sep 2017 17:45:40 +0000 (19:45 +0200)]
units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
Zbigniew Jędrzejewski-Szmek [Thu, 14 Sep 2017 17:26:29 +0000 (19:26 +0200)]
core/manager: when running in test mode, use a temp dir for generated stuff
When running through systemd-analyze verify or with --test, we would
not run generators (environment or unit). But at the end, we would nuke
the generator dirs anyway.
Simplify things by actually running generators of both types, but redirecting
their output to a temporary directory. This has the advantage that we test more
code, and the verification is more complete.
Since now we are not touching the real generator directories, we also don't
delete them, which fixes #5609.
Lennart Poettering [Thu, 14 Sep 2017 17:12:51 +0000 (19:12 +0200)]
Merge pull request #6820 from keszybz/sysusers-doc-update
Assorted updates to man pages
Zbigniew Jędrzejewski-Szmek [Thu, 14 Sep 2017 13:44:48 +0000 (15:44 +0200)]
pid1: improve the check guarding unit_file_preset_all()
When running in systemd-analyze verify, first_boot was initialized to -1
and never changed, so we'd try to run unit_file_preset_all(). Change the
check to > 0 which is more correct. Also, add a separate test for !test_run,
since we wouldn't want to run presets even if we were in first boot
(or /etc was empty for whatever other reason).
Lennart Poettering [Thu, 14 Sep 2017 16:26:10 +0000 (18:26 +0200)]
timer: don't use persietent file timestamps from the future (#6823)
Also, use the mtime rather than the atime of the timestamp file. While
the atime is not completely wrong, the mtime appears more appropriate
as that's what we actually explicitly change, and is not effected by
mere reading.
Fixes: #6821
Lennart Poettering [Thu, 14 Sep 2017 14:54:32 +0000 (16:54 +0200)]
conf-parser: when the empty string assigned to Personality= reset it
Let's support assigning the empty string to reset things in one more
place.
Lennart Poettering [Thu, 14 Sep 2017 14:53:34 +0000 (16:53 +0200)]
core: don't synthesize empty list when empty string is read in config_parse_strv()
This was added to make
https://bugs.freedesktop.org/show_bug.cgi?id=62558 work, which has long
been removed, hence let's revert to the original behaviour and fully
flush out the list when an empty string is assigned.
Lennart Poettering [Thu, 14 Sep 2017 14:49:09 +0000 (16:49 +0200)]
Merge pull request #6746 from yuwata/parse-empty-string
allow to input empty string to config_parse_xxx()
Lennart Poettering [Thu, 14 Sep 2017 08:23:36 +0000 (10:23 +0200)]
man: minor correction for systemd-run
The meaning was acidentally inverted in
156d6036be8c4d64747b5919adf372c289d3423a, let's correct this.
Lennart Poettering [Thu, 14 Sep 2017 08:18:57 +0000 (10:18 +0200)]
nspawn: replace syscall blacklist by a whitelist
Let's lock things down a bit, and maintain a list of what's permitted
rather than a list of what's prohibited in nspawn (also to make things a
bit more like Docker and friends).
Note that this slightly alters the effect of --system-call-filter=, as
now the negative list now takes precedence over the positive list.
However, given that the option is just a few days old and not included
in any released version it should be fine to change it at this point in
time.
Note that the whitelist is good chunk more restrictive thatn the
previous blacklist. Specifically:
- fanotify is not permitted (given the buffer size issues it's
problematic in containers)
- nfsservctl is not permitted (NFS server support is not virtualized)
- pkey_xyz stuff is not permitted (really new stuff I don't grok)
- @cpu-emulation is prohibited (untested legacy stuff mostly, and if
people really want to run dosemu in nspawn, they should use
--system-call-filter=@cpu-emulation and all should be good)
Lennart Poettering [Wed, 13 Sep 2017 17:57:32 +0000 (19:57 +0200)]
seccomp: improve debug logging
Let's log explicitly at debug level if we encounter a syscall or group
that doesn#t exist at all.
Lennart Poettering [Wed, 13 Sep 2017 17:56:35 +0000 (19:56 +0200)]
tests: let's make sure the seccomp filter lists remain properly ordered
It's too easy to corrupt the order, hence let's check for the right
order automatically as part of testing.
Lennart Poettering [Wed, 13 Sep 2017 17:55:16 +0000 (19:55 +0200)]
seccomp: add four new syscall groups
These groups should be useful shortcuts for sets of closely related
syscalls where it usually makes more sense to allow them altogether or
not at all.
Lennart Poettering [Wed, 13 Sep 2017 17:44:11 +0000 (19:44 +0200)]
seccomp: augment the @resources group a bit
Given that sched_setattr/sched_setparam/sched_setscheduler are already
in the group the closely related nice + ioprio_set should also be
included.
Also, order things alphabetically.
Lennart Poettering [Wed, 13 Sep 2017 17:40:23 +0000 (19:40 +0200)]
seccomp: beef up @process group a bit
Include the waid syscalls. If we permit forking then we should also
permit waiting for a process.
Similar to that: also permit determining the usage counters for
processes.
Include calls to determine process/thread identity. They have little
impact security-wise, but are very likely used when process management
of any form is done.
Also, add rt_sigqueueinfo + rt_tgsigqueueinfo as they are similar to
kill() and friends, but permit passing along a userdata ptr.
Lennart Poettering [Wed, 13 Sep 2017 17:39:54 +0000 (19:39 +0200)]
seccomp: "idle" is another obsolete syscall
Lennart Poettering [Wed, 13 Sep 2017 17:39:02 +0000 (19:39 +0200)]
seccomp: order the syscalls in more groups alphabetically
No changes besides reordering.
Lennart Poettering [Wed, 13 Sep 2017 17:33:54 +0000 (19:33 +0200)]
seccomp: let's update @file-system a bit
Let's add fremovexattr which was the only xattr syscall so far missing
from the group, even though lremovexattr and friends where included.
Add inotify_init, which is an older (but still supported) version of
inotify_init1.
Add oldfstat, oldlstat, oldstat which are old versions of the stat
syscalls on some archs.
Add utime, which is an older more limited version of utimes and
utimensat.
Enclose the "statx" entry in some ifdeffery to ensure libseccomp
actually knows the syscall. If libseccomp doesn't know it, then we'd get
EINVAL rather than EDOM (which is what is returned if a syscall is known
but not available on the local system) when resolving the syscall name
and we really don't want that, as we use the EDOM vs. EINVAL check for
determining whether a syscall makes sense at all.
Also, order things alphabetically.
Lennart Poettering [Wed, 13 Sep 2017 17:31:43 +0000 (19:31 +0200)]
seccomp: let's update base-io a bit
Let's add _llseek which is the syscall name on some archs that on others
is simply lseek (due to 64bit vs 32bit off_t confusion). Also, let's
sort things alphabetically.
Lennart Poettering [Wed, 13 Sep 2017 17:27:51 +0000 (19:27 +0200)]
seccomp: update "@default" seccomp group a bit
Let's add more of the most basic operations to "@default" as absolute
baseline needed by glibc and such to operate. Specifically:
futex, get_robust_list, get_thread_area, membarrier, set_robust_list,
set_thread_area, set_tid_address are all required to properly implement
mutexes and other thread synchronization logic. Given that a ton of
datastructures are protected by mutexes (such as stdio and such), let's
just whitelist this by default, so that things can just work.
restart_syscall is used to implement EAGAIN SA_RESTART stuff in some
archs, and synthesized by the kernel without any explicit user logic,
hence let's make this work out of the box.
Lennart Poettering [Tue, 12 Sep 2017 18:07:30 +0000 (20:07 +0200)]
core: rework how we treat specifiers in Environment= of transient units
Let's validate the data passed in after resolving specifiers, but let's
write out to the unit snippet the list without specifiers applied. This
way the pre-existing comment actually starts matching what is actually
implemented.
Lennart Poettering [Tue, 12 Sep 2017 17:48:29 +0000 (19:48 +0200)]
core: support specifier expansion in PassEnvironment=
I can't come up with any usecase for this, but let's add this here, to
match what we support for Environment=. It's kind surprising if we
support specifier expansion for some environment related settings, but
not for others.
Lennart Poettering [Tue, 12 Sep 2017 17:47:58 +0000 (19:47 +0200)]
core: print the right string when we fail to replace specifiers in config_parse_environ()
Lennart Poettering [Sun, 10 Sep 2017 10:19:02 +0000 (12:19 +0200)]
units: properly unset the l10n environment variables where we need to
Now that we have UnsetEnvironment=, let's make proper use of it for
unsetting l10n settings for console gettys.
Fixes: #6407
Lennart Poettering [Mon, 11 Sep 2017 17:10:06 +0000 (19:10 +0200)]
test: add test case for UnsetEnvironment=
Lennart Poettering [Sun, 10 Sep 2017 10:16:44 +0000 (12:16 +0200)]
core: add new UnsetEnvironment= setting for unit files
With this setting we can explicitly unset specific variables for
processes of a unit, as last step of assembling the environment block
for them. This is useful to fix #6407.
While we are at it, greatly expand the documentation on how the
environment block for forked off processes is assembled.
Michael Grzeschik [Thu, 14 Sep 2017 12:53:07 +0000 (14:53 +0200)]
rules: ubi mtd - add link to named partitions (#6750)
[zjs:
- rebase onto recent master
- drop signed-off-by]
Lennart Poettering [Thu, 14 Sep 2017 10:46:23 +0000 (12:46 +0200)]
Merge pull request #6428 from boucman/device_reload
device : reload when udev generates a "changed" event
Zbigniew Jędrzejewski-Szmek [Thu, 14 Sep 2017 10:13:31 +0000 (12:13 +0200)]
man: add a note about Name=eth0 being bad
Fixes #2657.
Zbigniew Jędrzejewski-Szmek [Thu, 14 Sep 2017 09:55:34 +0000 (11:55 +0200)]
man: reformat table in sysusers.d(5)
I think it's quite a bit easier to read in this way.
Zbigniew Jędrzejewski-Szmek [Thu, 14 Sep 2017 09:55:00 +0000 (11:55 +0200)]
man: unify titling, fix description of precedence in sysusers.d(5)
Fixes #6639.
(This behaviour of systemd-sysusers is long established, so it's better
to adjust the documentation rather than change the code. If there are any
situations out there where it matters, users must have adjusted to the
current behaviour.)
Lennart Poettering [Thu, 14 Sep 2017 09:21:24 +0000 (11:21 +0200)]
TODO: Drop even more redundant and implemented items
Lennart Poettering [Thu, 14 Sep 2017 09:08:59 +0000 (11:08 +0200)]
TODO: remove some items that are implemented now or otherwise obsolete
Zbigniew Jędrzejewski-Szmek [Thu, 14 Sep 2017 07:20:27 +0000 (09:20 +0200)]
nss: use secure_getenv for behaviour-modifying booleans (#6817)
Follow up for
fe102d6ab15731a199a7ea9f38c4f68d8959f86c.
Lennart Poettering [Thu, 14 Sep 2017 04:20:39 +0000 (06:20 +0200)]
nss-systemd,sysusers: make sure sysusers doesn't get confused by nss-systemd (#6812)
In nss-systemd we synthesize user entries for "nobody" and "root", as
fallback if we boot up with an entirely empty /etc. This is supposed to
be a fallback only though, and it's intended that both users exists
regularly in /etc/passwd + /etc/group. Before this patch
systemd-sysusers would never create the entries however as it notices
the synthetic entries. Let's add a way how systemd-sysusers can tell
nss-systemd not to synthesize the entries for itself.
Fixes: #6808
Davide Cavalca [Thu, 14 Sep 2017 04:14:29 +0000 (00:14 -0400)]
basic: ensure O_TMPFILE is always defined (#6816)
Zbigniew Jędrzejewski-Szmek [Wed, 13 Sep 2017 21:17:20 +0000 (23:17 +0200)]
Merge pull request #6807 from poettering/service-result
man: complete and rework $SERVICE_RESULT documentation
Zbigniew Jędrzejewski-Szmek [Wed, 13 Sep 2017 21:13:10 +0000 (23:13 +0200)]
Merge pull request #6810 from poettering/test-mode-segfault
don't crash in pager code when "systemd --test" is invoked
Zbigniew Jędrzejewski-Szmek [Wed, 13 Sep 2017 21:02:34 +0000 (23:02 +0200)]
man: rework grammatical form of sentences in a table in systemd.exec(5)
"Currently, the following values are defined: xxx: in case <condition>" is
awkward because "xxx" is always defined unconditionally. It is _used_ in case
<condition> is true. Correct this and a bunch of other places where the
sentence structure makes it unclear what is the subject of the sentence.
Zbigniew Jędrzejewski-Szmek [Wed, 13 Sep 2017 20:27:04 +0000 (22:27 +0200)]
Merge pull request #6775 from poettering/run-pipe2
run: add new --pipe option for "systemd-run"
Zbigniew Jędrzejewski-Szmek [Wed, 13 Sep 2017 20:26:41 +0000 (22:26 +0200)]
Merge pull request #6805 from poettering/exec-dir
exec-util,conf-files: skip non-executable files in execute_directories()
Zbigniew Jędrzejewski-Szmek [Wed, 13 Sep 2017 20:11:03 +0000 (22:11 +0200)]
man: fix repeated use of "use" in a sentence
Lennart Poettering [Wed, 13 Sep 2017 17:08:26 +0000 (19:08 +0200)]
sd-bus: extend D-Bus authentication timeout considerably (#6813)
As it turns out the authentication phase times out too often than is
good, mostly due to PRNG pools not being populated during boot. Hence,
let's increase the authentication timeout from 25s to 90s, to cover for
that.
(Note that we leave the D-Bus method call timeout at 25s, matching the
reference implementation's value. And if the auth phase managed to
complete then the pools should be populated enough and mehtod calls
shouldn't take needlessly long anymore).
Fixes: #6418
Lennart Poettering [Wed, 13 Sep 2017 13:09:25 +0000 (15:09 +0200)]
Merge pull request #6811 from fbuihuu/dont-detach-root-DM-dev
Dont try to detach DM dev hosting "/" even when it uses BTRFS
Lennart Poettering [Wed, 13 Sep 2017 10:57:59 +0000 (12:57 +0200)]
Merge pull request #6798 from poettering/nspawn-seccomp
nspawn seccomp improvements
Franck Bui [Wed, 13 Sep 2017 09:04:17 +0000 (11:04 +0200)]
shutdown: don't be fooled when detaching DM devices with BTRFS
Otherwise we would try to detach the DM device hosting the rootfs with BTRFS
which is doomed to fail.
Franck Bui [Wed, 13 Sep 2017 09:47:15 +0000 (11:47 +0200)]
util: make get_block_device() available
Lennart Poettering [Wed, 13 Sep 2017 09:41:41 +0000 (11:41 +0200)]
conf-files: log when we skip a drop-in configuration file
Lennart Poettering [Tue, 12 Sep 2017 14:57:33 +0000 (16:57 +0200)]
exec-util,conf-files: skip non-executable files in execute_directories()
Fixes: #6787
Lennart Poettering [Wed, 13 Sep 2017 08:35:28 +0000 (10:35 +0200)]
pager: let's create pager fds with O_CLOEXEC first
We make copies (without O_CLOEXEC) of the fds anyway before using them,
hence let's be safe and create them with O_CLOEXEC first, so that we
don't run into issues should pager_open() be called in a threaded
environment where another thread fork()s at the wrong time and ends up
with fds not marked O_CLOEXEC.
Lennart Poettering [Wed, 13 Sep 2017 08:31:40 +0000 (10:31 +0200)]
main: skip many initialization steps when running in --test mode
Most importantly, don't collect open socket activation fds when in
--test mode. This specifically created a problem because we invoke
pager_open() beforehand (which these days makes copies of the original
stdout/stderr in order to be able to restore them when the pager goes
away) and we might mistakenly the fd copies it creates as socket
activation fds.
Fixes: #6383
Lennart Poettering [Wed, 13 Sep 2017 08:08:37 +0000 (10:08 +0200)]
shutdown: fix incorrect fscanf() result check (#6806)
A correction for
090e3c9796ef6468d4f396610804d62f6ffd797f.
Fixes: #6796
John Lin [Tue, 12 Sep 2017 04:02:27 +0000 (12:02 +0800)]
man: explicitly distinguish "implicit dependencies" and "default dependencies"
Fixes: #6793
jonasBoss [Tue, 12 Sep 2017 16:39:25 +0000 (18:39 +0200)]
hwdb: add Lenovo Yoga 510-14IKB sensor mount quirk (#6799)