picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Systemd/src/core/manager.c

4933 lines
172 KiB
C
Raw Normal View History

Add SPDX license identifiers to source files under the LGPL This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
2017-11-18 17:09:20 +01:00
/* SPDX-License-Identifier: LGPL-2.1+ */
license: add GPLv2+ license blurbs everwhere
2010-02-03 13:03:47 +01:00
initial commit
2009-11-18 00:42:52 +01:00
#include <errno.h>
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include <fcntl.h>
#include <linux/kd.h>
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
#include <sys/epoll.h>
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include <sys/inotify.h>
manager: actually enable ctrl-alt-del/kbrequest request handling in the kernel
2010-02-14 22:39:40 +01:00
#include <sys/ioctl.h>
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include <sys/reboot.h>
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
#include <sys/timerfd.h>
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include <sys/wait.h>
#include <unistd.h>
audit: smaller fixes to audit hookup
2010-08-11 15:19:50 +02:00
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_AUDIT
audit,utmp: implement audit logic and rip utmp stuff out of the main daemon and into a helper binary
2010-08-11 01:43:23 +02:00
#include <libaudit.h>
audit: smaller fixes to audit hookup
2010-08-11 15:19:50 +02:00
#endif
initial commit
2009-11-18 00:42:52 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
#include "sd-daemon.h"
#include "sd-messages.h"
core: add {State,Cache,Log,Configuration}Directory= (#6384) This introduces {State,Cache,Log,Configuration}Directory= those are similar to RuntimeDirectory=. They create the directories under /var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode specified in {State,Cache,Log,Configuration}DirectoryMode=. This also fixes #6391.
2017-07-18 14:34:52 +02:00
#include "sd-path.h"
build-sys: move public header files into a dir of their own
2012-01-05 16:01:58 +01:00
core: undo the dependency inversion between unit.h and all unit types
2018-05-15 20:17:34 +02:00
#include "all-units.h"
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
#include "alloc-util.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "audit-fd.h"
#include "boot-timestamps.h"
#include "bus-common-errors.h"
#include "bus-error.h"
#include "bus-kernel.h"
#include "bus-util.h"
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
#include "clean-ipc.h"
core: make "taint" string logic a bit more generic and output it at boot The tainting logic existed for a long time, but was hidden inside the bus interfaces. Let's give it a small bit more coverage, by logging its value early at boot during initialization.
2017-12-07 11:27:07 +01:00
#include "clock-util.h"
core: add user/group resolution varlink interface to PID 1
2019-08-07 14:58:59 +02:00
#include "core-varlink.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "dbus-job.h"
#include "dbus-manager.h"
#include "dbus-unit.h"
#include "dbus.h"
Move PLYMOUTH_SOCKET define to def.h and nuke plymouth-util.h Let's not have a file with a single define.
2019-10-24 11:18:35 +02:00
#include "def.h"
core: modernize manager_build_unit_patch_cache() a bit
2016-02-26 18:28:45 +01:00
#include "dirent-util.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "env-util.h"
util: split out escaping code into escape.[ch] This really deserves its own file, given how much code this is now.
2015-10-23 18:52:53 +02:00
#include "escape.h"
basic/util: move execute_directory() to separate file It's a fairly specialized function. Let's make new files for it and the tests.
2017-01-22 18:35:08 +01:00
#include "exec-util.h"
core: implement /run/systemd/units/-based path for passing unit info from PID 1 to journald And let's make use of it to implement two new unit settings with it: 1. LogLevelMax= is a new per-unit setting that may be used to configure log priority filtering: set it to LogLevelMax=notice and only messages of level "notice" and lower (i.e. more important) will be processed, all others are dropped. 2. LogExtraFields= is a new per-unit setting for configuring per-unit journal fields, that are implicitly included in every log record generated by the unit's processes. It takes field/value pairs in the form of FOO=BAR. Also, related to this, one exisiting unit setting is ported to this new facility: 3. The invocation ID is now pulled from /run/systemd/units/ instead of cgroupfs xattrs. This substantially relaxes requirements of systemd on the kernel version and the privileges it runs with (specifically, cgroupfs xattrs are not available in containers, since they are stored in kernel memory, and hence are unsafe to permit to lesser privileged code). /run/systemd/units/ is a new directory, which contains a number of files and symlinks encoding the above information. PID 1 creates and manages these files, and journald reads them from there. Note that this is supposed to be a direct path between PID 1 and the journal only, due to the special runtime environment the journal runs in. Normally, today we shouldn't introduce new interfaces that (mis-)use a file system as IPC framework, and instead just an IPC system, but this is very hard to do between the journal and PID 1, as long as the IPC system is a subject PID 1 manages, and itself a client to the journal. This patch cleans up a couple of types used in journal code: specifically we switch to size_t for a couple of memory-sizing values, as size_t is the right choice for everything that is memory. Fixes: #4089 Fixes: #3041 Fixes: #4441
2017-11-02 19:43:32 +01:00
#include "execute.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "exit-status.h"
util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.
2015-10-25 13:14:12 +01:00
#include "fd-util.h"
util-lib: move more file I/O related calls into fileio.[ch]
2015-10-26 18:05:03 +01:00
#include "fileio.h"
util-lib: move a number of fs operations into fs-util.[ch]
2015-10-26 21:16:26 +01:00
#include "fs-util.h"
Split out generator directory setup to a src/core/generator-setup.c Those functions have only one non-test user, so we can move them to src/core/.
2020-03-24 12:17:43 +01:00
#include "generator-setup.h"
initial commit
2009-11-18 00:42:52 +01:00
#include "hashmap.h"
Create src/shared/unit-file.[ch] for unit-file related ops So far we put such functinos in install.[ch], but that is tied too closely to enable/disable. Let's start moving things to a place with a better name.
2019-07-04 15:46:16 +02:00
#include "install.h"
core: add user/group resolution varlink interface to PID 1
2019-08-07 14:58:59 +02:00
#include "io-util.h"
core: implement /run/systemd/units/-based path for passing unit info from PID 1 to journald And let's make use of it to implement two new unit settings with it: 1. LogLevelMax= is a new per-unit setting that may be used to configure log priority filtering: set it to LogLevelMax=notice and only messages of level "notice" and lower (i.e. more important) will be processed, all others are dropped. 2. LogExtraFields= is a new per-unit setting for configuring per-unit journal fields, that are implicitly included in every log record generated by the unit's processes. It takes field/value pairs in the form of FOO=BAR. Also, related to this, one exisiting unit setting is ported to this new facility: 3. The invocation ID is now pulled from /run/systemd/units/ instead of cgroupfs xattrs. This substantially relaxes requirements of systemd on the kernel version and the privileges it runs with (specifically, cgroupfs xattrs are not available in containers, since they are stored in kernel memory, and hence are unsafe to permit to lesser privileged code). /run/systemd/units/ is a new directory, which contains a number of files and symlinks encoding the above information. PID 1 creates and manages these files, and journald reads them from there. Note that this is supposed to be a direct path between PID 1 and the journal only, due to the special runtime environment the journal runs in. Normally, today we shouldn't introduce new interfaces that (mis-)use a file system as IPC framework, and instead just an IPC system, but this is very hard to do between the journal and PID 1, as long as the IPC system is a subject PID 1 manages, and itself a client to the journal. This patch cleans up a couple of types used in journal code: specifically we switch to size_t for a couple of memory-sizing values, as size_t is the right choice for everything that is memory. Fixes: #4089 Fixes: #3041 Fixes: #4441
2017-11-02 19:43:32 +01:00
#include "label.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "locale-setup.h"
core: reload cache if it's dirty when starting a UNIT_NOT_FOUND unit The time-based cache allows starting a new unit without an expensive daemon-reload, unless there was already a reference to it because of a dependency or ordering from another unit. If the cache is out of date, check again if we can load the fragment.
2020-05-08 00:26:53 +02:00
#include "load-fragment.h"
make use of logging API wherever appropriate
2010-01-20 19:19:53 +01:00
#include "log.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "macro.h"
util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.
2015-10-25 13:14:12 +01:00
#include "manager.h"
util: split out memcmp()/memset() related calls into memory-util.[ch] Just some source rearranging.
2019-03-13 12:02:21 +01:00
#include "memory-util.h"
rename basic.la to shared.la and put selinux deps in shared-selinx.la Only 34 of 74 tools need libselinux linked, and libselinux is a pain with its unconditional library constructor.
2012-04-10 21:54:31 +02:00
#include "mkdir.h"
util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]
2015-10-26 16:18:16 +01:00
#include "parse-util.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "path-lookup.h"
#include "path-util.h"
#include "process-util.h"
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
#include "ratelimit.h"
rlimit-util: add a common destructor call for arrays of struct rlimit
2018-05-03 19:05:59 +02:00
#include "rlimit-util.h"
util: rework rm_rf() logic - Move to its own file rm-rf.c - Change parameters into a single flags parameter - Remove "honour sticky" logic, it's unused these days
2015-04-04 11:52:57 +02:00
#include "rm-rf.h"
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
#include "serialize.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "signal-util.h"
core: undo the dependency inversion between unit.h and all unit types
2018-05-15 20:17:34 +02:00
#include "socket-util.h"
systemctl: add verbs for special units
2010-06-18 04:22:59 +02:00
#include "special.h"
util-lib: split stat()/statfs()/stavfs() related calls into stat-util.[ch]
2015-10-26 22:01:44 +01:00
#include "stat-util.h"
util-lib: move string table stuff into its own string-table.[ch]
2015-10-26 22:31:05 +01:00
#include "string-table.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "string-util.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "strv.h"
core: manager logs firmware and loader time when startup finished
2017-12-25 05:08:23 +01:00
#include "strxcpyx.h"
pid1: disable printk ratelimit in early boot We have the problem that many early boot or late shutdown issues are harder to solve than they could be because we have no logs. When journald is not running, messages are redirected to /dev/kmsg. It is also the time when many things happen in a rapid succession, so we tend to hit the kernel printk ratelimit fairly reliably. The end result is that we get no logs from the time where they would be most useful. Thus let's disable the kernels ratelimit. Once the system is up and running, the ratelimit is not a problem. But during normal runtime, things also log to journald, and not to /dev/kmsg, so the ratelimit is not useful. Hence, there doesn't seem to be much point in trying to restore the ratelimit after boot is finished and journald is up and running. See kernel's commit 750afe7babd117daabebf4855da18e4418ea845e for the description of the kenrel interface. Our setting has lower precedence than explicit configuration on the kenrel command line.
2019-09-18 21:02:07 +02:00
#include "sysctl-util.h"
pid1: preserve current value of log level across re-{load,execution} To make debugging easier, this patches allows one to change the log level and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log max level at runtime (via the bus or via signals), the change was lost on the next daemon reload/reexecution. In order to restore the original value back (set via system.conf, environment variables or any other means), the empty string in the "LogLevel" property is now supported as well as sending SIGRTMIN+23 signal.
2018-05-30 17:57:23 +02:00
#include "syslog-util.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "terminal-util.h"
#include "time-util.h"
#include "transaction.h"
util-lib: split out umask-related code to umask-util.h
2015-10-26 23:20:41 +01:00
#include "umask-util.h"
core: sort includes of manager.[ch] according to CODING_STYLE
2015-09-22 23:24:07 +02:00
#include "unit-name.h"
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
#include "user-util.h"
virt: add missing header inclusion
2011-09-23 17:20:45 +02:00
#include "virt.h"
systemd: add hardware watchdog support This adds minimal hardware watchdog support to PID 1. The idea is that PID 1 supervises and watchdogs system services, while the hardware watchdog is used to supervise PID 1. This adds two hardware watchdog configuration options, for the runtime watchdog and for a shutdown watchdog. The former is active during normal operation, the latter only at reboots to ensure that if a clean reboot times out we reboot nonetheless. If the runtime watchdog is enabled PID 1 will automatically wake up at half the configured interval and write to the watchdog daemon. By default we enable the shutdown watchdog, but leave the runtime watchdog disabled in order not to break independent hardware watchdog daemons people might be using. This is only the most basic hookup. If necessary we can later on hook up the watchdog ping more closely with services deemed crucial.
2012-04-05 22:08:10 +02:00
#include "watchdog.h"
initial commit
2009-11-18 00:42:52 +01:00
sd-daemon: increase sd_notify() socket buffer size Let's make sure we don't start blocking on sd_notify() earlier than necessary, let's bump the socket buffer sizes to 8M. We already do something similar for our logging socket buffers, hence apply a similar bump here.
2015-10-30 11:27:29 +01:00
#define NOTIFY_RCVBUF_SIZE (8*1024*1024)
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
#define CGROUPS_AGENT_RCVBUF_SIZE (8*1024*1024)
sd-daemon: increase sd_notify() socket buffer size Let's make sure we don't start blocking on sd_notify() earlier than necessary, let's bump the socket buffer sizes to 8M. We already do something similar for our logging socket buffers, hence apply a similar bump here.
2015-10-30 11:27:29 +01:00
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
/* Initial delay and the interval for printing status messages about running jobs */
pid1: make cylon timeout significantly bigger when not showing any messages When we are booting with show-status=on, normally new status updates happen a few times per second. Thus, it is reasonable to start showing the cylon eye after 5 s, because that means a significant delay has happened. When we are running with show-status=off or show-status=auto (and no error had occured), the user is expecting maybe 15 to 90 seconds with no output (because that's usually how long the whole boot takes). So we shouldn't bother the user with information about a few seconds of delay. Let's make the timeout 25s if we are not showing any messages. Conversly, when we are outputting status messages, we can show the cylon eye with a shorter delay, now that we removed the connection to enablement status. Let's make this 2s, so users get feedback about delays more quickly.
2020-02-29 16:29:42 +01:00
#define JOBS_IN_PROGRESS_WAIT_USEC (2*USEC_PER_SEC)
#define JOBS_IN_PROGRESS_QUIET_WAIT_USEC (25*USEC_PER_SEC)
manager: rearm jobs timer It would fire just once. Also fix units from sec to usec as appropriate. Decrease the switching interval to 1/3 s, so that when the time remaining is displayed with 1s precision, it doesn't jump by 2s every once in a while. Also, the system is feels noticably faster when the status changes couple of times per second instead of every few seconds.
2014-01-27 07:15:27 +01:00
#define JOBS_IN_PROGRESS_PERIOD_USEC (USEC_PER_SEC / 3)
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
#define JOBS_IN_PROGRESS_PERIOD_DIVISOR 3
codespell: fix spelling errors
2019-04-27 02:22:40 +02:00
/* If there are more than 1K bus messages queue across our API and direct buses, then let's not add more on top until
core: don't process dbus unit and job queue when there are already too many messages pending We maintain a queue of units and jobs that we are supposed to generate change/new notifications for because they were either just created or some of their property has changed. Let's throttle processing of this queue a bit: as soon as > 1K of bus messages are queued for writing let's skip processing the queue, and then recheck on the next iteration again. Moreover, never process more than 100 units in one go, return to the event loop after that. Both limits together should put effective limits on both space and time usage of the function, delaying further operations until a later moment, when the queue is empty or the the event loop is sufficiently idle again. This should keep the number of generated messages much lower than before on busy systems or where some client is hanging. Note that this also means a bad client can slow down message dispatching substantially for up to 90s if it likes to, for all clients. But that should be acceptable as we only allow trusted bus clients, anyway. Fixes: #8166
2018-02-13 18:30:34 +01:00
* the queue gets more empty. */
#define MANAGER_BUS_BUSY_THRESHOLD 1024LU
/* How many units and jobs to process of the bus queue before returning to the event loop. */
#define MANAGER_BUS_MESSAGE_BUDGET 100U
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
static int manager_dispatch_time_change_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
static int manager_dispatch_idle_pipe_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
static int manager_dispatch_user_lookup_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
static int manager_dispatch_jobs_in_progress(sd_event_source *source, usec_t usec, void *userdata);
core: dispatch run queue only if there's nothing else to do Always read all external events before we decide what we do next.
2013-11-25 15:22:41 +01:00
static int manager_dispatch_run_queue(sd_event_source *source, void *userdata);
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
static int manager_dispatch_sigchld(sd_event_source *source, void *userdata);
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
static int manager_dispatch_timezone_change(sd_event_source *source, const struct inotify_event *event, void *userdata);
manager: run environment generators Environment file generators are a lot like unit file generators, but not exactly: 1. environment file generators are run for each manager instance, and their output is (or at least can be) individualized. The generators themselves are system-wide, the same for all users. 2. environment file generators are run sequentially, in priority order. Thus, the lifetime of those files is tied to lifecycle of the manager instance. Because generators are run sequentially, later generators can use or modify the output of earlier generators. Each generator is run with no arguments, and the whole state is stored in the environment variables. The generator can echo a set of variable assignments to standard output: VAR_A=something VAR_B=something else This output is parsed, and the next and subsequent generators run with those updated variables in the environment. After the last generator is done, the environment that the manager itself exports is updated. Each generator must return 0, otherwise the output is ignored. The generators in */user-env-generator are for the user session managers, including root, and the ones in */system-env-generator are for pid1.
2017-01-22 07:13:47 +01:00
static int manager_run_environment_generators(Manager *m);
Implement masking and overriding of generators Sometimes it is necessary to stop a generator from running. Either because of a bug, or for testing, or some other reason. The only way to do that would be to rename or chmod the generator binary, which is inconvenient and does not survive upgrades. Allow masking and overriding generators similarly to units and other configuration files. For the systemd instance, masking would be more common, rather than overriding generators. For the user instances, it may also be useful for users to have generators in $XDG_CONFIG_HOME to augment or override system-wide generators. Directories are searched according to the usual scheme (/usr/lib, /usr/local/lib, /run, /etc), and files with the same name in higher priority directories override files with the same name in lower priority directories. Empty files and links to /dev/null mask a given name. https://bugs.freedesktop.org/show_bug.cgi?id=87230
2015-01-09 02:47:25 +01:00
static int manager_run_generators(Manager *m);
pid1: make manager_vacuum_{uid,gid}_refs() static No functional change.
2020-04-27 08:54:44 +02:00
static void manager_vacuum(Manager *m);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
pid1: make cylon timeout significantly bigger when not showing any messages When we are booting with show-status=on, normally new status updates happen a few times per second. Thus, it is reasonable to start showing the cylon eye after 5 s, because that means a significant delay has happened. When we are running with show-status=off or show-status=auto (and no error had occured), the user is expecting maybe 15 to 90 seconds with no output (because that's usually how long the whole boot takes). So we shouldn't bother the user with information about a few seconds of delay. Let's make the timeout 25s if we are not showing any messages. Conversly, when we are outputting status messages, we can show the cylon eye with a shorter delay, now that we removed the connection to enablement status. Let's make this 2s, so users get feedback about delays more quickly.
2020-02-29 16:29:42 +01:00
static usec_t manager_watch_jobs_next_time(Manager *m) {
return usec_add(now(CLOCK_MONOTONIC),
show_status_on(m->show_status) ? JOBS_IN_PROGRESS_WAIT_USEC :
JOBS_IN_PROGRESS_QUIET_WAIT_USEC);
}
core: ignore any issues with setting time on jobs_in_progress_event_source CID #1237559.
2015-03-14 03:11:09 +01:00
static void manager_watch_jobs_in_progress(Manager *m) {
manager: requeue the cylon eye for 5s later when a job finishes We'd reqeue the next status update very soon after. Change it so that we wait for full 5s without any job status changes until we print anything.
2014-01-29 00:26:06 +01:00
usec_t next;
core: fix event source annotations These looked like a mass-replace gone slightly wrong – two statements with no { }'s, and no error checking.
2015-04-29 20:29:18 +02:00
int r;
manager: requeue the cylon eye for 5s later when a job finishes We'd reqeue the next status update very soon after. Change it so that we wait for full 5s without any job status changes until we print anything.
2014-01-29 00:26:06 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
assert(m);
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
core: prevent the cylon when confirmation_spawn=yes (#2194) When booting with systemd.confirm_spawn=true, the eye of cylon animation kicks in pretty quickly so user doesn't have any chance to answer the questions which services to start before the confirmation message is screwed by the cylon. This basically breaks the confirm_spawn functionality completely. This patch prevents the cylon animation to kick in when confirmation_spawn=yes. Fixes: #2194
2016-11-02 10:50:20 +01:00
/* We do not want to show the cylon animation if the user
* needs to confirm service executions otherwise confirmation
* messages will be screwed by the cylon animation. */
core: add 'c' in confirmation_spawn to resume the boot process
2016-11-15 09:29:04 +01:00
if (!manager_is_confirm_spawn_disabled(m))
core: prevent the cylon when confirmation_spawn=yes (#2194) When booting with systemd.confirm_spawn=true, the eye of cylon animation kicks in pretty quickly so user doesn't have any chance to answer the questions which services to start before the confirmation message is screwed by the cylon. This basically breaks the confirm_spawn functionality completely. This patch prevents the cylon animation to kick in when confirmation_spawn=yes. Fixes: #2194
2016-11-02 10:50:20 +01:00
return;
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
if (m->jobs_in_progress_event_source)
core: ignore any issues with setting time on jobs_in_progress_event_source CID #1237559.
2015-03-14 03:11:09 +01:00
return;
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
pid1: make cylon timeout significantly bigger when not showing any messages When we are booting with show-status=on, normally new status updates happen a few times per second. Thus, it is reasonable to start showing the cylon eye after 5 s, because that means a significant delay has happened. When we are running with show-status=off or show-status=auto (and no error had occured), the user is expecting maybe 15 to 90 seconds with no output (because that's usually how long the whole boot takes). So we shouldn't bother the user with information about a few seconds of delay. Let's make the timeout 25s if we are not showing any messages. Conversly, when we are outputting status messages, we can show the cylon eye with a shorter delay, now that we removed the connection to enablement status. Let's make this 2s, so users get feedback about delays more quickly.
2020-02-29 16:29:42 +01:00
next = manager_watch_jobs_next_time(m);
core: fix event source annotations These looked like a mass-replace gone slightly wrong – two statements with no { }'s, and no error checking.
2015-04-29 20:29:18 +02:00
r = sd_event_add_time(
sd-event: rework API to support CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM, too
2014-03-24 02:49:09 +01:00
m->event,
&m->jobs_in_progress_event_source,
CLOCK_MONOTONIC,
next, 0,
manager_dispatch_jobs_in_progress, m);
core: fix event source annotations These looked like a mass-replace gone slightly wrong – two statements with no { }'s, and no error checking.
2015-04-29 20:29:18 +02:00
if (r < 0)
return;
core: annotate event sources
2015-04-29 16:05:32 +02:00
(void) sd_event_source_set_description(m->jobs_in_progress_event_source, "manager-jobs-in-progress");
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
}
tree-wide: make use of new STRLEN() macro everywhere (#7639) Let's employ coccinelle to do this for us. Follow-up for #7625.
2017-12-14 19:02:29 +01:00
#define CYLON_BUFFER_EXTRA (2*STRLEN(ANSI_RED) + STRLEN(ANSI_HIGHLIGHT_RED) + 2*STRLEN(ANSI_NORMAL))
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
static void draw_cylon(char buffer[], size_t buflen, unsigned width, unsigned pos) {
char *p = buffer;
assert(buflen >= CYLON_BUFFER_EXTRA + width + 1);
assert(pos <= width+1); /* 0 or width+1 mean that the center light is behind the corner */
if (pos > 1) {
util, manager: and mempset() and use it Just like mempcpy() is almost identical to memcpy() except the useful return value, so is the relation of mempset() to memset().
2013-03-05 15:52:44 +01:00
if (pos > 2)
p = mempset(p, ' ', pos-2);
core: disable colors when displaying cylon when systemd.log_color=off (#3495)
2016-06-10 18:33:15 +02:00
if (log_get_show_color())
p = stpcpy(p, ANSI_RED);
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
*p++ = '*';
}
if (pos > 0 && pos <= width) {
core: disable colors when displaying cylon when systemd.log_color=off (#3495)
2016-06-10 18:33:15 +02:00
if (log_get_show_color())
p = stpcpy(p, ANSI_HIGHLIGHT_RED);
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
*p++ = '*';
}
core: disable colors when displaying cylon when systemd.log_color=off (#3495)
2016-06-10 18:33:15 +02:00
if (log_get_show_color())
p = stpcpy(p, ANSI_NORMAL);
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
if (pos < width) {
core: disable colors when displaying cylon when systemd.log_color=off (#3495)
2016-06-10 18:33:15 +02:00
if (log_get_show_color())
p = stpcpy(p, ANSI_RED);
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
*p++ = '*';
util, manager: and mempset() and use it Just like mempcpy() is almost identical to memcpy() except the useful return value, so is the relation of mempset() to memset().
2013-03-05 15:52:44 +01:00
if (pos < width-1)
p = mempset(p, ' ', width-1-pos);
core: disable colors when displaying cylon when systemd.log_color=off (#3495)
2016-06-10 18:33:15 +02:00
if (log_get_show_color())
strcpy(p, ANSI_NORMAL);
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
}
}
pid1: make manager_flip_auto_status() static No functional change.
2020-04-27 08:49:53 +02:00
static void manager_flip_auto_status(Manager *m, bool enable, const char *reason) {
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
assert(m);
manager: also turn on output on unit failure
2014-01-28 04:48:18 +01:00
if (enable) {
if (m->show_status == SHOW_STATUS_AUTO)
pid1: when printing status message status, give reason
2020-02-29 10:59:27 +01:00
manager_set_show_status(m, SHOW_STATUS_TEMPORARY, reason);
manager: also turn on output on unit failure
2014-01-28 04:48:18 +01:00
} else {
if (m->show_status == SHOW_STATUS_TEMPORARY)
pid1: when printing status message status, give reason
2020-02-29 10:59:27 +01:00
manager_set_show_status(m, SHOW_STATUS_AUTO, reason);
manager: also turn on output on unit failure
2014-01-28 04:48:18 +01:00
}
}
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
static void manager_print_jobs_in_progress(Manager *m) {
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
_cleanup_free_ char *job_of_n = NULL;
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
Iterator i;
Job *j;
unsigned counter = 0, print_nr;
char cylon[6 + CYLON_BUFFER_EXTRA + 1];
unsigned cylon_pos;
manager: print ephemeral information about running jobs' timeouts (v2) This reverts commit 28c758de94bc8ba97b89d9dab3f517cf466978d0 but makes job_coldplug smarter. In (v1) I changed the job start timestamp to be always set, so the start time can be reported in the cylon eye message. The bug was that when deserializing jobs, they would be ignored if their start timestamp was unset which was synonymous with no timeout. But after the change, jobs would have a start timestamp set despite having no timeout. After deserialization they would be considered immediately expired. Fix this by checking if the timeout is not zero when considering jobs for expiration.
2014-01-29 00:25:39 +01:00
char time[FORMAT_TIMESPAN_MAX], limit[FORMAT_TIMESPAN_MAX] = "no limit";
uint64_t x;
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
assert(m);
core: rework counting of running jobs Let's unify the code that counts the running jobs a bit, in order to make sure we are less likely to miss one. This is related to this bug: https://bugs.freedesktop.org/show_bug.cgi?id=87349 However, it probably won't fix it fully, and I cannot reproduce the issue. The change also adds an explicit assert change when the counter is off.
2015-01-05 17:22:10 +01:00
assert(m->n_running_jobs > 0);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
pid1: when printing status message status, give reason
2020-02-29 10:59:27 +01:00
manager_flip_auto_status(m, true, "delay");
manager: add systemd.show_status=auto mode When set to auto, status will shown when the first ephemeral message is shown (a job has been running for five seconds). Then until the boot or shutdown ends, status messages will be shown. No indication about the switch is done: I think it should be clear for the user that first the cylon eye and the ephemeral messages appear, and afterwards messages are displayed. The initial arming of the event source was still wrong, but now should really be fixed.
2014-01-28 04:27:07 +01:00
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
print_nr = (m->jobs_in_progress_iteration / JOBS_IN_PROGRESS_PERIOD_DIVISOR) % m->n_running_jobs;
HASHMAP_FOREACH(j, m->jobs, i)
if (j->state == JOB_RUNNING && counter++ == print_nr)
break;
manager: turn a superfluous check into assert The crash that the check prevented has been fixed by commit 9e9e2b7.
2013-03-02 12:44:41 +01:00
/* m->n_running_jobs must be consistent with the contents of m->jobs,
* so the above loop must have succeeded in finding j. */
assert(counter == print_nr + 1);
Introduce _cleanup_fdset_free_
2013-10-12 01:33:48 +02:00
assert(j);
manager: prevent segfault in manager_print_jobs_in_progress()
2013-03-01 14:57:16 +01:00
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
cylon_pos = m->jobs_in_progress_iteration % 14;
if (cylon_pos >= 8)
cylon_pos = 14 - cylon_pos;
draw_cylon(cylon, sizeof(cylon), 6, cylon_pos);
manager: print ephemeral information about running jobs' timeouts (v2) This reverts commit 28c758de94bc8ba97b89d9dab3f517cf466978d0 but makes job_coldplug smarter. In (v1) I changed the job start timestamp to be always set, so the start time can be reported in the cylon eye message. The bug was that when deserializing jobs, they would be ignored if their start timestamp was unset which was synonymous with no timeout. But after the change, jobs would have a start timestamp set despite having no timeout. After deserialization they would be considered immediately expired. Fix this by checking if the timeout is not zero when considering jobs for expiration.
2014-01-29 00:25:39 +01:00
m->jobs_in_progress_iteration++;
core: check asprintf return value CID #1261729.
2015-03-14 03:21:52 +01:00
if (m->n_running_jobs > 1) {
if (asprintf(&job_of_n, "(%u of %u) ", counter, m->n_running_jobs) < 0)
job_of_n = NULL;
}
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
manager: print ephemeral information about running jobs' timeouts (v2) This reverts commit 28c758de94bc8ba97b89d9dab3f517cf466978d0 but makes job_coldplug smarter. In (v1) I changed the job start timestamp to be always set, so the start time can be reported in the cylon eye message. The bug was that when deserializing jobs, they would be ignored if their start timestamp was unset which was synonymous with no timeout. But after the change, jobs would have a start timestamp set despite having no timeout. After deserialization they would be considered immediately expired. Fix this by checking if the timeout is not zero when considering jobs for expiration.
2014-01-29 00:25:39 +01:00
format_timespan(time, sizeof(time), now(CLOCK_MONOTONIC) - j->begin_usec, 1*USEC_PER_SEC);
if (job_get_timeout(j, &x) > 0)
format_timespan(limit, sizeof(limit), x - j->begin_usec, 1*USEC_PER_SEC);
manager: convert ephemeral to enum In preparation for subsequent changes.
2014-10-28 04:02:54 +01:00
manager_status_printf(m, STATUS_TYPE_EPHEMERAL, cylon,
manager: print ephemeral information about running jobs' timeouts (v2) This reverts commit 28c758de94bc8ba97b89d9dab3f517cf466978d0 but makes job_coldplug smarter. In (v1) I changed the job start timestamp to be always set, so the start time can be reported in the cylon eye message. The bug was that when deserializing jobs, they would be ignored if their start timestamp was unset which was synonymous with no timeout. But after the change, jobs would have a start timestamp set despite having no timeout. After deserialization they would be considered immediately expired. Fix this by checking if the timeout is not zero when considering jobs for expiration.
2014-01-29 00:25:39 +01:00
"%sA %s job is running for %s (%s / %s)",
strempty(job_of_n),
job_type_to_string(j->type),
Use unit->id instead of description in messages v2: - rename unit_identifier to unit_status_string
2019-06-06 17:33:59 +02:00
unit_status_string(j->unit),
manager: print ephemeral information about running jobs' timeouts (v2) This reverts commit 28c758de94bc8ba97b89d9dab3f517cf466978d0 but makes job_coldplug smarter. In (v1) I changed the job start timestamp to be always set, so the start time can be reported in the cylon eye message. The bug was that when deserializing jobs, they would be ignored if their start timestamp was unset which was synonymous with no timeout. But after the change, jobs would have a start timestamp set despite having no timeout. After deserialization they would be considered immediately expired. Fix this by checking if the timeout is not zero when considering jobs for expiration.
2014-01-29 00:25:39 +01:00
time, limit);
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
}
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
static int have_ask_password(void) {
_cleanup_closedir_ DIR *dir;
tree-wide: replace all readdir cycles with FOREACH_DIRENT{,_ALL} (#4853)
2016-12-09 10:04:30 +01:00
struct dirent *de;
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
dir = opendir("/run/systemd/ask-password");
if (!dir) {
if (errno == ENOENT)
return false;
else
return -errno;
}
tree-wide: replace all readdir cycles with FOREACH_DIRENT{,_ALL} (#4853)
2016-12-09 10:04:30 +01:00
FOREACH_DIRENT_ALL(de, dir, return -errno) {
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
if (startswith(de->d_name, "ask."))
return true;
}
tree-wide: replace all readdir cycles with FOREACH_DIRENT{,_ALL} (#4853)
2016-12-09 10:04:30 +01:00
return false;
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
}
static int manager_dispatch_ask_password_fd(sd_event_source *source,
int fd, uint32_t revents, void *userdata) {
Manager *m = userdata;
assert(m);
io-util: make flush_fd() return how many bytes where flushed This is useful so that callers know whether anything at all and how much was flushed. This patches through users of this functions to ensure that the return values > 0 which may be returned now are not propagated in public APIs. Also, users that ignore the return value are changed to do so explicitly now.
2017-12-12 23:21:09 +01:00
(void) flush_fd(fd);
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
m->have_ask_password = have_ask_password();
if (m->have_ask_password < 0)
/* Log error but continue. Negative have_ask_password
* is treated as unknown status. */
treewide: more log_*_errno() conversions, multiline calls Basically: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/log_(debug|info|notice|warning|error|emergency)\("([^"]*)%s"([^;]*),\s*strerror\(-?([->a-zA-Z_]+)\)\);/log_\1_errno(\4, "\2%m"\3);/gms;print;' \ $f; done Plus manual indentation fixups.
2014-11-28 17:09:20 +01:00
log_error_errno(m->have_ask_password, "Failed to list /run/systemd/ask-password: %m");
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
return 0;
}
static void manager_close_ask_password(Manager *m) {
assert(m);
m->ask_password_event_source = sd_event_source_unref(m->ask_password_event_source);
manager: remove ask-password fd from sd_event before closing it Otherwise we might attempt to remove a non-existing fd from epoll.
2015-08-30 22:13:55 +02:00
m->ask_password_inotify_fd = safe_close(m->ask_password_inotify_fd);
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
m->have_ask_password = -EINVAL;
}
static int manager_check_ask_password(Manager *m) {
int r;
assert(m);
if (!m->ask_password_event_source) {
assert(m->ask_password_inotify_fd < 0);
core: vodify one more call to mkdir CID #1400460.
2019-04-12 09:03:52 +02:00
(void) mkdir_p_label("/run/systemd/ask-password", 0755);
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
m->ask_password_inotify_fd = inotify_init1(IN_NONBLOCK|IN_CLOEXEC);
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (m->ask_password_inotify_fd < 0)
journalctl: voidify mkdir_p() call and unify two similar code paths Let's unify the two similar code paths to watch /run/systemd/journal. The code in manager.c is similar, but it uses mkdir_p_label(), and unifying that would be too much trouble, so let's just adjust the error messages to be the same. CID #1400224.
2019-03-27 09:30:35 +01:00
return log_error_errno(errno, "Failed to create inotify object: %m");
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
fs-util: introduce inotify_add_watch_and_warn() helper The default message for ENOSPC is very misleading: it says that the disk is filled, but in fact the inotify watch limit is the problem. So let's introduce and use a wrapper that simply calls inotify_add_watch(2) and which fixes the error message up in case ENOSPC is returned.
2019-09-17 11:16:52 +02:00
r = inotify_add_watch_and_warn(m->ask_password_inotify_fd,
"/run/systemd/ask-password",
IN_CREATE|IN_DELETE|IN_MOVE);
if (r < 0) {
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
manager_close_ask_password(m);
fs-util: introduce inotify_add_watch_and_warn() helper The default message for ENOSPC is very misleading: it says that the disk is filled, but in fact the inotify watch limit is the problem. So let's introduce and use a wrapper that simply calls inotify_add_watch(2) and which fixes the error message up in case ENOSPC is returned.
2019-09-17 11:16:52 +02:00
return r;
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
}
r = sd_event_add_io(m->event, &m->ask_password_event_source,
m->ask_password_inotify_fd, EPOLLIN,
manager_dispatch_ask_password_fd, m);
if (r < 0) {
core: minor error code handling fixes
2020-04-21 17:21:38 +02:00
log_error_errno(r, "Failed to add event source for /run/systemd/ask-password: %m");
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
manager_close_ask_password(m);
core: minor error code handling fixes
2020-04-21 17:21:38 +02:00
return r;
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
}
core: annotate event sources
2015-04-29 16:05:32 +02:00
(void) sd_event_source_set_description(m->ask_password_event_source, "manager-ask-password");
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
/* Queries might have been added meanwhile... */
manager_dispatch_ask_password_fd(m->ask_password_event_source,
m->ask_password_inotify_fd, EPOLLIN, m);
}
return m->have_ask_password;
}
systemd: do not output status messages once gettys are running Make Type=idle communication bidirectional: when bootup is finished, the manager, as before, signals idling Type=idle jobs to continue. However, if the boot takes too long, idling jobs signal the manager that they have had enough, wait a tiny bit more, and continue, taking ownership of the console. The manager, when signalled that Type=idle jobs are done, makes a note and will not write to the console anymore. This is a cosmetic issue, but quite noticable, so let's just fix it. Based on Harald Hoyer's patch. https://bugs.freedesktop.org/show_bug.cgi?id=54247 http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/
2013-07-16 03:34:57 +02:00
static int manager_watch_idle_pipe(Manager *m) {
int r;
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
assert(m);
if (m->idle_pipe_event_source)
systemd: do not output status messages once gettys are running Make Type=idle communication bidirectional: when bootup is finished, the manager, as before, signals idling Type=idle jobs to continue. However, if the boot takes too long, idling jobs signal the manager that they have had enough, wait a tiny bit more, and continue, taking ownership of the console. The manager, when signalled that Type=idle jobs are done, makes a note and will not write to the console anymore. This is a cosmetic issue, but quite noticable, so let's just fix it. Based on Harald Hoyer's patch. https://bugs.freedesktop.org/show_bug.cgi?id=54247 http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/
2013-07-16 03:34:57 +02:00
return 0;
if (m->idle_pipe[2] < 0)
return 0;
api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.
2014-02-19 23:54:58 +01:00
r = sd_event_add_io(m->event, &m->idle_pipe_event_source, m->idle_pipe[2], EPOLLIN, manager_dispatch_idle_pipe_fd, m);
treewide: more log_*_errno + return simplifications
2014-11-28 18:23:20 +01:00
if (r < 0)
return log_error_errno(r, "Failed to watch idle pipe: %m");
systemd: do not output status messages once gettys are running Make Type=idle communication bidirectional: when bootup is finished, the manager, as before, signals idling Type=idle jobs to continue. However, if the boot takes too long, idling jobs signal the manager that they have had enough, wait a tiny bit more, and continue, taking ownership of the console. The manager, when signalled that Type=idle jobs are done, makes a note and will not write to the console anymore. This is a cosmetic issue, but quite noticable, so let's just fix it. Based on Harald Hoyer's patch. https://bugs.freedesktop.org/show_bug.cgi?id=54247 http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/
2013-07-16 03:34:57 +02:00
core: annotate event sources
2015-04-29 16:05:32 +02:00
(void) sd_event_source_set_description(m->idle_pipe_event_source, "manager-idle-pipe");
systemd: do not output status messages once gettys are running Make Type=idle communication bidirectional: when bootup is finished, the manager, as before, signals idling Type=idle jobs to continue. However, if the boot takes too long, idling jobs signal the manager that they have had enough, wait a tiny bit more, and continue, taking ownership of the console. The manager, when signalled that Type=idle jobs are done, makes a note and will not write to the console anymore. This is a cosmetic issue, but quite noticable, so let's just fix it. Based on Harald Hoyer's patch. https://bugs.freedesktop.org/show_bug.cgi?id=54247 http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/
2013-07-16 03:34:57 +02:00
return 0;
}
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
static void manager_close_idle_pipe(Manager *m) {
assert(m);
systemd: do not output status messages once gettys are running Make Type=idle communication bidirectional: when bootup is finished, the manager, as before, signals idling Type=idle jobs to continue. However, if the boot takes too long, idling jobs signal the manager that they have had enough, wait a tiny bit more, and continue, taking ownership of the console. The manager, when signalled that Type=idle jobs are done, makes a note and will not write to the console anymore. This is a cosmetic issue, but quite noticable, so let's just fix it. Based on Harald Hoyer's patch. https://bugs.freedesktop.org/show_bug.cgi?id=54247 http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/
2013-07-16 03:34:57 +02:00
core: invalidate idle pipe event source in manager_close_idle_pipe() In all occasions when this function is called we do so anyway, so let's move this inside, to make things easier.
2015-09-11 18:15:58 +02:00
m->idle_pipe_event_source = sd_event_source_unref(m->idle_pipe_event_source);
util: replace close_pipe() with new safe_close_pair() safe_close_pair() is more like safe_close(), except that it handles pairs of fds, and doesn't make and misleading allusion, as it works similarly well for socketpairs() as for pipe()s...
2014-03-24 03:22:44 +01:00
safe_close_pair(m->idle_pipe);
safe_close_pair(m->idle_pipe + 2);
systemd: do not output status messages once gettys are running Make Type=idle communication bidirectional: when bootup is finished, the manager, as before, signals idling Type=idle jobs to continue. However, if the boot takes too long, idling jobs signal the manager that they have had enough, wait a tiny bit more, and continue, taking ownership of the console. The manager, when signalled that Type=idle jobs are done, makes a note and will not write to the console anymore. This is a cosmetic issue, but quite noticable, so let's just fix it. Based on Harald Hoyer's patch. https://bugs.freedesktop.org/show_bug.cgi?id=54247 http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/
2013-07-16 03:34:57 +02:00
}
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
static int manager_setup_time_change(Manager *m) {
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
int r;
Use initalization instead of explicit zeroing Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.
2013-03-25 00:59:00 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
assert(m);
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m))
test-engine: fix access to unit load path Also add a bit of debugging output to help diagnose problems, add missing units, and simplify cppflags. Move test-engine to normal tests from manual tests, it should now work without destroying the system.
2014-01-07 14:41:24 +01:00
return 0;
core: move destruction of old time event sources to manager_setup_time_change() It's a bit prettier that day as the function won't silently overwrite any possibly pre-initialized field, and destroy it right before we allocate a new event source.
2018-05-28 21:32:03 +02:00
m->time_change_event_source = sd_event_source_unref(m->time_change_event_source);
m->time_change_fd = safe_close(m->time_change_fd);
time-util: introduce common implementation of TFD_TIMER_CANCEL_ON_SET client code We now use pretty much the same code at three places, let's unify that.
2018-05-29 12:55:33 +02:00
m->time_change_fd = time_change_fd();
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (m->time_change_fd < 0)
time-util: introduce common implementation of TFD_TIMER_CANCEL_ON_SET client code We now use pretty much the same code at three places, let's unify that.
2018-05-29 12:55:33 +02:00
return log_error_errno(m->time_change_fd, "Failed to create timer change timer fd: %m");
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.
2014-02-19 23:54:58 +01:00
r = sd_event_add_io(m->event, &m->time_change_event_source, m->time_change_fd, EPOLLIN, manager_dispatch_time_change_fd, m);
treewide: more log_*_errno + return simplifications
2014-11-28 18:23:20 +01:00
if (r < 0)
return log_error_errno(r, "Failed to create time change event source: %m");
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
core: schedule time and timezone change events a bit before .timer elapsation events We really should make sure that .timer units are dispatched while taking the newest time/timezone data into account.
2018-05-29 16:26:24 +02:00
/* Schedule this slightly earlier than the .timer event sources */
r = sd_event_source_set_priority(m->time_change_event_source, SD_EVENT_PRIORITY_NORMAL-1);
if (r < 0)
return log_error_errno(r, "Failed to set priority of time change event sources: %m");
core: annotate event sources
2015-04-29 16:05:32 +02:00
(void) sd_event_source_set_description(m->time_change_event_source, "manager-time-change");
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
log_debug("Set up TFD_TIMER_CANCEL_ON_SET timerfd.");
return 0;
}
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
static int manager_read_timezone_stat(Manager *m) {
struct stat st;
bool changed;
assert(m);
/* Read the current stat() data of /etc/localtime so that we detect changes */
if (lstat("/etc/localtime", &st) < 0) {
log_debug_errno(errno, "Failed to stat /etc/localtime, ignoring: %m");
changed = m->etc_localtime_accessible;
m->etc_localtime_accessible = false;
} else {
usec_t k;
k = timespec_load(&st.st_mtim);
changed = !m->etc_localtime_accessible || k != m->etc_localtime_mtime;
m->etc_localtime_mtime = k;
m->etc_localtime_accessible = true;
}
return changed;
}
static int manager_setup_timezone_change(Manager *m) {
core: schedule time and timezone change events a bit before .timer elapsation events We really should make sure that .timer units are dispatched while taking the newest time/timezone data into account.
2018-05-29 16:26:24 +02:00
_cleanup_(sd_event_source_unrefp) sd_event_source *new_event = NULL;
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
int r;
assert(m);
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m))
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
return 0;
/* We watch /etc/localtime for three events: change of the link count (which might mean removal from /etc even
* though another link might be kept), renames, and file close operations after writing. Note we don't bother
* with IN_DELETE_SELF, as that would just report when the inode is removed entirely, i.e. after the link count
* went to zero and all fds to it are closed.
*
* Note that we never follow symlinks here. This is a simplification, but should cover almost all cases
* correctly.
*
* Note that we create the new event source first here, before releasing the old one. This should optimize
* behaviour as this way sd-event can reuse the old watch in case the inode didn't change. */
r = sd_event_add_inotify(m->event, &new_event, "/etc/localtime",
IN_ATTRIB|IN_MOVE_SELF|IN_CLOSE_WRITE|IN_DONT_FOLLOW, manager_dispatch_timezone_change, m);
core: add debug logging if we cant watch /etc/localtime itself
2018-10-13 15:12:16 +02:00
if (r == -ENOENT) {
/* If the file doesn't exist yet, subscribe to /etc instead, and wait until it is created either by
* O_CREATE or by rename() */
log_debug_errno(r, "/etc/localtime doesn't exist yet, watching /etc instead.");
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
r = sd_event_add_inotify(m->event, &new_event, "/etc",
IN_CREATE|IN_MOVED_TO|IN_ONLYDIR, manager_dispatch_timezone_change, m);
core: add debug logging if we cant watch /etc/localtime itself
2018-10-13 15:12:16 +02:00
}
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
if (r < 0)
return log_error_errno(r, "Failed to create timezone change event source: %m");
core: schedule time and timezone change events a bit before .timer elapsation events We really should make sure that .timer units are dispatched while taking the newest time/timezone data into account.
2018-05-29 16:26:24 +02:00
/* Schedule this slightly earlier than the .timer event sources */
r = sd_event_source_set_priority(new_event, SD_EVENT_PRIORITY_NORMAL-1);
if (r < 0)
return log_error_errno(r, "Failed to set priority of timezone change event sources: %m");
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
sd_event_source_unref(m->timezone_change_event_source);
core: schedule time and timezone change events a bit before .timer elapsation events We really should make sure that .timer units are dispatched while taking the newest time/timezone data into account.
2018-05-29 16:26:24 +02:00
m->timezone_change_event_source = TAKE_PTR(new_event);
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
return 0;
}
rework tty handling We now make sure to run all services in their own session, possibly with a controlling terminal. This also extends the service and socket state machines a little.
2010-04-13 02:06:27 +02:00
static int enable_special_signals(Manager *m) {
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
_cleanup_close_ int fd = -1;
rework tty handling We now make sure to run all services in their own session, possibly with a controlling terminal. This also extends the service and socket state machines a little.
2010-04-13 02:06:27 +02:00
assert(m);
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m))
core: don't enable special signals in test mode Fixes: $ systemd-analyze verify ... Failed to open /dev/tty0: Permission denied
2016-01-04 19:39:55 +01:00
return 0;
manager: support systems lacking /dev/tty0
2012-04-13 16:53:49 +02:00
/* Enable that we get SIGINT on control-alt-del. In containers
main: newer kernels return EINVAL if we invoke reboot() in a container lacking perms, deal with it
2012-09-17 18:28:40 +02:00
* this will fail with EPERM (older) or EINVAL (newer), so
* ignore that. */
tree-wide: use IN_SET macro (#6977)
2017-10-04 16:01:32 +02:00
if (reboot(RB_DISABLE_CAD) < 0 && !IN_SET(errno, EPERM, EINVAL))
treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:29:59 +01:00
log_warning_errno(errno, "Failed to enable ctrl-alt-del handling: %m");
rework tty handling We now make sure to run all services in their own session, possibly with a controlling terminal. This also extends the service and socket state machines a little.
2010-04-13 02:06:27 +02:00
manager: support systems lacking /dev/tty0
2012-04-13 16:53:49 +02:00
fd = open_terminal("/dev/tty0", O_RDWR|O_NOCTTY|O_CLOEXEC);
if (fd < 0) {
/* Support systems without virtual console */
if (fd != -ENOENT)
treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:29:59 +01:00
log_warning_errno(errno, "Failed to open /dev/tty0: %m");
manager: support systems lacking /dev/tty0
2012-04-13 16:53:49 +02:00
} else {
rework tty handling We now make sure to run all services in their own session, possibly with a controlling terminal. This also extends the service and socket state machines a little.
2010-04-13 02:06:27 +02:00
/* Enable that we get SIGWINCH on kbrequest */
if (ioctl(fd, KDSIGACCEPT, SIGWINCH) < 0)
treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:29:59 +01:00
log_warning_errno(errno, "Failed to enable kbrequest handling: %m");
rework tty handling We now make sure to run all services in their own session, possibly with a controlling terminal. This also extends the service and socket state machines a little.
2010-04-13 02:06:27 +02:00
}
return 0;
}
pid1: make use of high rt signals on hppa with newer kernels Back in 4dffec1459f50ac9f8f67ccfcb79836b4ed5a50e we stopped using SIGRTMIN+26 and higher on hppa because they were not available. Then they became available in linux 3.18: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f25df2eff5b25f52c139d3ff31bc883eee9a0ab Instead of hard-coding the list based on architecture, let's use a runtime check like signal(7) says. (A note about implementation: RTSIG_IF_AVAILABLE is defined to take the full signal and not just an offset from SIGRTMIN so that it's still possible to grep for SIGRTMIN\+.) Add a simple "test" to print the signal values. Fixes https://bugs.freedesktop.org/show_bug.cgi?id=84931.
2018-03-09 09:32:03 +01:00
#define RTSIG_IF_AVAILABLE(signum) (signum <= SIGRTMAX ? signum : -1)
add infrastructure for special units
2010-01-28 02:01:15 +01:00
static int manager_setup_signals(Manager *m) {
Use initalization instead of explicit zeroing Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.
2013-03-25 00:59:00 +01:00
struct sigaction sa = {
.sa_handler = SIG_DFL,
.sa_flags = SA_NOCLDSTOP|SA_RESTART,
};
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
sigset_t mask;
int r;
initial commit
2009-11-18 00:42:52 +01:00
add infrastructure for special units
2010-01-28 02:01:15 +01:00
assert(m);
manager: we are not interested in SIGSTOP notifications
2010-04-13 02:36:56 +02:00
assert_se(sigaction(SIGCHLD, &sa, NULL) == 0);
manager: Linux on hppa has fewer rtsigs, hence avoid using the higher ones there https://bugs.freedesktop.org/show_bug.cgi?id=84931
2014-10-24 13:44:45 +02:00
/* We make liberal use of realtime signals here. On
* Linux/glibc we have 30 of them (with the exception of Linux
* on hppa, see below), between SIGRTMIN+0 ... SIGRTMIN+30
* (aka SIGRTMAX). */
manager: expose a few special units via SIGRTMIN+x signals
2010-06-17 23:22:56 +02:00
manager: Linux on hppa has fewer rtsigs, hence avoid using the higher ones there https://bugs.freedesktop.org/show_bug.cgi?id=84931
2014-10-24 13:44:45 +02:00
assert_se(sigemptyset(&mask) == 0);
manager: expose a few special units via SIGRTMIN+x signals
2010-06-17 23:22:56 +02:00
sigset_add_many(&mask,
SIGCHLD, /* Child died */
SIGTERM, /* Reexecute daemon */
SIGHUP, /* Reload configuration */
SIGUSR1, /* systemd/upstart: reconnect to D-Bus */
SIGUSR2, /* systemd: dump status */
SIGINT, /* Kernel sends us this on control-alt-del */
SIGWINCH, /* Kernel sends us this on kbrequest (alt-arrowup) */
SIGPWR, /* Some kernel drivers and upsd send us this on power failure */
manager: Linux on hppa has fewer rtsigs, hence avoid using the higher ones there https://bugs.freedesktop.org/show_bug.cgi?id=84931
2014-10-24 13:44:45 +02:00
manager: expose a few special units via SIGRTMIN+x signals
2010-06-17 23:22:56 +02:00
SIGRTMIN+0, /* systemd: start default.target */
manager: hookup shutdown helper and signals
2010-10-14 00:54:48 +02:00
SIGRTMIN+1, /* systemd: isolate rescue.target */
manager: expose a few special units via SIGRTMIN+x signals
2010-06-17 23:22:56 +02:00
SIGRTMIN+2, /* systemd: isolate emergency.target */
SIGRTMIN+3, /* systemd: start halt.target */
SIGRTMIN+4, /* systemd: start poweroff.target */
SIGRTMIN+5, /* systemd: start reboot.target */
manager: hookup shutdown helper and signals
2010-10-14 00:54:48 +02:00
SIGRTMIN+6, /* systemd: start kexec.target */
manager: Linux on hppa has fewer rtsigs, hence avoid using the higher ones there https://bugs.freedesktop.org/show_bug.cgi?id=84931
2014-10-24 13:44:45 +02:00
/* ... space for more special targets ... */
manager: hookup shutdown helper and signals
2010-10-14 00:54:48 +02:00
SIGRTMIN+13, /* systemd: Immediate halt */
SIGRTMIN+14, /* systemd: Immediate poweroff */
SIGRTMIN+15, /* systemd: Immediate reboot */
SIGRTMIN+16, /* systemd: Immediate kexec */
manager: Linux on hppa has fewer rtsigs, hence avoid using the higher ones there https://bugs.freedesktop.org/show_bug.cgi?id=84931
2014-10-24 13:44:45 +02:00
/* ... space for more immediate system state changes ... */
manager: if we receive SIGRTMIN+20/21 enable/disable showing of status on the console
2011-02-09 12:12:30 +01:00
SIGRTMIN+20, /* systemd: enable status messages */
SIGRTMIN+21, /* systemd: disable status messages */
manager: add log control via RT signals
2011-07-23 04:15:38 +02:00
SIGRTMIN+22, /* systemd: set log level to LOG_DEBUG */
SIGRTMIN+23, /* systemd: set log level to LOG_INFO */
manager: connect SIGRTMIN+24 to terminating --user instances
2012-10-18 01:19:35 +02:00
SIGRTMIN+24, /* systemd: Immediate exit (--user only) */
manager: Linux on hppa has fewer rtsigs, hence avoid using the higher ones there https://bugs.freedesktop.org/show_bug.cgi?id=84931
2014-10-24 13:44:45 +02:00
/* .. one free signal here ... */
pid1: make use of high rt signals on hppa with newer kernels Back in 4dffec1459f50ac9f8f67ccfcb79836b4ed5a50e we stopped using SIGRTMIN+26 and higher on hppa because they were not available. Then they became available in linux 3.18: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f25df2eff5b25f52c139d3ff31bc883eee9a0ab Instead of hard-coding the list based on architecture, let's use a runtime check like signal(7) says. (A note about implementation: RTSIG_IF_AVAILABLE is defined to take the full signal and not just an offset from SIGRTMIN so that it's still possible to grep for SIGRTMIN\+.) Add a simple "test" to print the signal values. Fixes https://bugs.freedesktop.org/show_bug.cgi?id=84931.
2018-03-09 09:32:03 +01:00
/* Apparently Linux on hppa had fewer RT signals until v3.18,
* SIGRTMAX was SIGRTMIN+25, and then SIGRTMIN was lowered,
* see commit v3.17-7614-g1f25df2eff.
*
* We cannot unconditionally make use of those signals here,
* so let's use a runtime check. Since these commands are
* accessible by different means and only really a safety
* net, the missing functionality on hppa shouldn't matter.
*/
RTSIG_IF_AVAILABLE(SIGRTMIN+26), /* systemd: set log target to journal-or-kmsg */
RTSIG_IF_AVAILABLE(SIGRTMIN+27), /* systemd: set log target to console */
RTSIG_IF_AVAILABLE(SIGRTMIN+28), /* systemd: set log target to kmsg */
RTSIG_IF_AVAILABLE(SIGRTMIN+29), /* systemd: set log target to syslog-or-kmsg (obsolete) */
manager: Linux on hppa has fewer rtsigs, hence avoid using the higher ones there https://bugs.freedesktop.org/show_bug.cgi?id=84931
2014-10-24 13:44:45 +02:00
/* ... one free signal here SIGRTMIN+30 ... */
manager: expose a few special units via SIGRTMIN+x signals
2010-06-17 23:22:56 +02:00
-1);
add infrastructure for special units
2010-01-28 02:01:15 +01:00
assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
m->signal_fd = signalfd(-1, &mask, SFD_NONBLOCK|SFD_CLOEXEC);
if (m->signal_fd < 0)
add infrastructure for special units
2010-01-28 02:01:15 +01:00
return -errno;
api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.
2014-02-19 23:54:58 +01:00
r = sd_event_add_io(m->event, &m->signal_event_source, m->signal_fd, EPOLLIN, manager_dispatch_signal_fd, m);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
if (r < 0)
return r;
add infrastructure for special units
2010-01-28 02:01:15 +01:00
core: annotate event sources
2015-04-29 16:05:32 +02:00
(void) sd_event_source_set_description(m->signal_event_source, "manager-signal");
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
/* Process signals a bit earlier than the rest of things, but later than notify_fd processing, so that the
* notify processing can still figure out to which process/service a message belongs, before we reap the
* process. Also, process this before handling cgroup notifications, so that we always collect child exit
* status information before detecting that there's no process in a cgroup. */
r = sd_event_source_set_priority(m->signal_event_source, SD_EVENT_PRIORITY_NORMAL-6);
core: set some event source priorities to enforce dispatching order
2013-11-25 15:35:10 +01:00
if (r < 0)
return r;
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
if (MANAGER_IS_SYSTEM(m))
rework tty handling We now make sure to run all services in their own session, possibly with a controlling terminal. This also extends the service and socket state machines a little.
2010-04-13 02:06:27 +02:00
return enable_special_signals(m);
manager: actually enable ctrl-alt-del/kbrequest request handling in the kernel
2010-02-14 22:39:40 +01:00
add infrastructure for special units
2010-01-28 02:01:15 +01:00
return 0;
}
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
static char** sanitize_environment(char **l) {
core: don't allow setting NOTIFY_SOCKET and similar env vars we need ourselves via SetEnvironment bus calls We just quietly eat them up, so that simple environment importing still works without error.
2014-01-12 13:10:40 +01:00
manager: rework manager_clean_environment() Let's rename it manager_sanitize_environment() which is a more precise name. Moreover, sort the environment implicitly inside it, as all our callers do that anyway afterwards and we can save some code this way. Also, update the list of env vars to drop, i.e. the env vars we manage ourselves and don't want user code to interfear with. Also sort this list to make it easier to update later on.
2018-01-10 18:28:42 +01:00
/* Let's remove some environment variables that we need ourselves to communicate with our clients */
core: don't allow setting NOTIFY_SOCKET and similar env vars we need ourselves via SetEnvironment bus calls We just quietly eat them up, so that simple environment importing still works without error.
2014-01-12 13:10:40 +01:00
strv_env_unset_many(
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
l,
core: clean more env vars from env block pid1 receives We generally clean all env vars we use ourselves to communicate with out childrens. We forgot some more recent additions however. Let's correct that.
2020-07-23 08:48:56 +02:00
"CACHE_DIRECTORY",
"CONFIGURATION_DIRECTORY",
manager: rework manager_clean_environment() Let's rename it manager_sanitize_environment() which is a more precise name. Moreover, sort the environment implicitly inside it, as all our callers do that anyway afterwards and we can save some code this way. Also, update the list of env vars to drop, i.e. the env vars we manage ourselves and don't want user code to interfear with. Also sort this list to make it easier to update later on.
2018-01-10 18:28:42 +01:00
"EXIT_CODE",
"EXIT_STATUS",
"INVOCATION_ID",
"JOURNAL_STREAM",
"LISTEN_FDNAMES",
"LISTEN_FDS",
"LISTEN_PID",
core: clean more env vars from env block pid1 receives We generally clean all env vars we use ourselves to communicate with out childrens. We forgot some more recent additions however. Let's correct that.
2020-07-23 08:48:56 +02:00
"LOGS_DIRECTORY",
core: don't allow setting NOTIFY_SOCKET and similar env vars we need ourselves via SetEnvironment bus calls We just quietly eat them up, so that simple environment importing still works without error.
2014-01-12 13:10:40 +01:00
"MAINPID",
"MANAGERPID",
manager: rework manager_clean_environment() Let's rename it manager_sanitize_environment() which is a more precise name. Moreover, sort the environment implicitly inside it, as all our callers do that anyway afterwards and we can save some code this way. Also, update the list of env vars to drop, i.e. the env vars we manage ourselves and don't want user code to interfear with. Also sort this list to make it easier to update later on.
2018-01-10 18:28:42 +01:00
"NOTIFY_SOCKET",
core: export $PIDFILE env var for services, derived from PIDFile=
2019-01-30 17:39:09 +01:00
"PIDFILE",
manager: rework manager_clean_environment() Let's rename it manager_sanitize_environment() which is a more precise name. Moreover, sort the environment implicitly inside it, as all our callers do that anyway afterwards and we can save some code this way. Also, update the list of env vars to drop, i.e. the env vars we manage ourselves and don't want user code to interfear with. Also sort this list to make it easier to update later on.
2018-01-10 18:28:42 +01:00
"REMOTE_ADDR",
"REMOTE_PORT",
core: clean more env vars from env block pid1 receives We generally clean all env vars we use ourselves to communicate with out childrens. We forgot some more recent additions however. Let's correct that.
2020-07-23 08:48:56 +02:00
"RUNTIME_DIRECTORY",
manager: rework manager_clean_environment() Let's rename it manager_sanitize_environment() which is a more precise name. Moreover, sort the environment implicitly inside it, as all our callers do that anyway afterwards and we can save some code this way. Also, update the list of env vars to drop, i.e. the env vars we manage ourselves and don't want user code to interfear with. Also sort this list to make it easier to update later on.
2018-01-10 18:28:42 +01:00
"SERVICE_RESULT",
core: clean more env vars from env block pid1 receives We generally clean all env vars we use ourselves to communicate with out childrens. We forgot some more recent additions however. Let's correct that.
2020-07-23 08:48:56 +02:00
"STATE_DIRECTORY",
core: don't allow setting NOTIFY_SOCKET and similar env vars we need ourselves via SetEnvironment bus calls We just quietly eat them up, so that simple environment importing still works without error.
2014-01-12 13:10:40 +01:00
"WATCHDOG_PID",
"WATCHDOG_USEC",
NULL);
manager: rework manager_clean_environment() Let's rename it manager_sanitize_environment() which is a more precise name. Moreover, sort the environment implicitly inside it, as all our callers do that anyway afterwards and we can save some code this way. Also, update the list of env vars to drop, i.e. the env vars we manage ourselves and don't want user code to interfear with. Also sort this list to make it easier to update later on.
2018-01-10 18:28:42 +01:00
/* Let's order the environment alphabetically, just to make it pretty */
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
strv_sort(l);
return l;
core: don't allow setting NOTIFY_SOCKET and similar env vars we need ourselves via SetEnvironment bus calls We just quietly eat them up, so that simple environment importing still works without error.
2014-01-12 13:10:40 +01:00
}
main: when reloading PID 1 let's reset the default environment Otherwise we keep collecting stuff from env generators, and we really shouldn't. This was working properly on reexec but not on reload, as for reexec we would always start fresh, but for reload would reuse the Manager object and hence its default environment set. Fixes: #10671
2018-11-19 12:23:13 +01:00
int manager_default_environment(Manager *m) {
manager: put bin before sbin for user instances Traditionally, user logins had a $PATH in which /bin was before /sbin, while root logins had a $PATH with /sbin first. This allows the tricks that consolehelper is doing to work. But even if we ignore consolehelper, having the path in this order might have been used by admins for other purposes, and keeping the order in user sessions will make it easier the adoption of systemd user sessions a bit easier. Fixes #733. https://bugzilla.redhat.com/show_bug.cgi?id=1744059 OOM handling in manager_default_environment wasn't really correct. Now the (theorertical) malloc failure in strv_new() is handled. Please note that this has no effect on: - systems with merged /bin-/sbin (e.g. arch) - when there are no binaries that differ between the two locations. E.g. on my F30 laptop there is exactly one program that is affected: /usr/bin/setup -> consolehelper. There is less and less stuff that relies on consolehelper, but there's still some. So for "clean" systems this makes no difference, but helps with legacy setups. $ dnf repoquery --releasever=31 --qf %{name} --whatrequires usermode anaconda-live audit-viewer beesu chkrootkit driftnet drobo-utils-gui hddtemp mate-system-log mock pure-ftpd setuptool subscription-manager system-config-httpd system-config-rootpassword system-switch-java system-switch-mail usermode-gtk vpnc-consoleuser wifi-radar xawtv
2015-08-07 03:34:15 +02:00
int r;
main: drop container/initrd env vars from inherited set Leave the env vars used in the container/initrd logic set for PID1, but don't inherit them to any children.
2012-04-11 12:56:51 +02:00
assert(m);
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
m->transient_environment = strv_free(m->transient_environment);
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
if (MANAGER_IS_SYSTEM(m)) {
rework systemd's own process environment handling/passing Stop importing non-sensical kernel-exported variables. All parameters in the kernel command line are exported to the initial environment of PID1, but suppressed if they are recognized by kernel built-in code. The EFI booted kernel will add further kernel-internal things which do not belong into userspace. The passed original environ data of the process is not touched and preserved across re-execution, to allow external reading of /proc/self/environ for process properties like container*=.
2013-07-26 05:22:22 +02:00
/* The system manager always starts with a clean
* environment for its children. It does not import
core/manager: fix grammar in comment
2017-02-10 21:41:42 +01:00
* the kernel's or the parents' exported variables.
rework systemd's own process environment handling/passing Stop importing non-sensical kernel-exported variables. All parameters in the kernel command line are exported to the initial environment of PID1, but suppressed if they are recognized by kernel built-in code. The EFI booted kernel will add further kernel-internal things which do not belong into userspace. The passed original environ data of the process is not touched and preserved across re-execution, to allow external reading of /proc/self/environ for process properties like container*=.
2013-07-26 05:22:22 +02:00
*
core/manager: fix grammar in comment
2017-02-10 21:41:42 +01:00
* The initial passed environment is untouched to keep
rework systemd's own process environment handling/passing Stop importing non-sensical kernel-exported variables. All parameters in the kernel command line are exported to the initial environment of PID1, but suppressed if they are recognized by kernel built-in code. The EFI booted kernel will add further kernel-internal things which do not belong into userspace. The passed original environ data of the process is not touched and preserved across re-execution, to allow external reading of /proc/self/environ for process properties like container*=.
2013-07-26 05:22:22 +02:00
* /proc/self/environ valid; it is used for tagging
* the init process inside containers. */
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
m->transient_environment = strv_new("PATH=" DEFAULT_PATH);
manager: put bin before sbin for user instances Traditionally, user logins had a $PATH in which /bin was before /sbin, while root logins had a $PATH with /sbin first. This allows the tricks that consolehelper is doing to work. But even if we ignore consolehelper, having the path in this order might have been used by admins for other purposes, and keeping the order in user sessions will make it easier the adoption of systemd user sessions a bit easier. Fixes #733. https://bugzilla.redhat.com/show_bug.cgi?id=1744059 OOM handling in manager_default_environment wasn't really correct. Now the (theorertical) malloc failure in strv_new() is handled. Please note that this has no effect on: - systems with merged /bin-/sbin (e.g. arch) - when there are no binaries that differ between the two locations. E.g. on my F30 laptop there is exactly one program that is affected: /usr/bin/setup -> consolehelper. There is less and less stuff that relies on consolehelper, but there's still some. So for "clean" systems this makes no difference, but helps with legacy setups. $ dnf repoquery --releasever=31 --qf %{name} --whatrequires usermode anaconda-live audit-viewer beesu chkrootkit driftnet drobo-utils-gui hddtemp mate-system-log mock pure-ftpd setuptool subscription-manager system-config-httpd system-config-rootpassword system-switch-java system-switch-mail usermode-gtk vpnc-consoleuser wifi-radar xawtv
2015-08-07 03:34:15 +02:00
if (!m->transient_environment)
return log_oom();
rework systemd's own process environment handling/passing Stop importing non-sensical kernel-exported variables. All parameters in the kernel command line are exported to the initial environment of PID1, but suppressed if they are recognized by kernel built-in code. The EFI booted kernel will add further kernel-internal things which do not belong into userspace. The passed original environ data of the process is not touched and preserved across re-execution, to allow external reading of /proc/self/environ for process properties like container*=.
2013-07-26 05:22:22 +02:00
/* Import locale variables LC_*= from configuration */
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
(void) locale_setup(&m->transient_environment);
manager: put bin before sbin for user instances Traditionally, user logins had a $PATH in which /bin was before /sbin, while root logins had a $PATH with /sbin first. This allows the tricks that consolehelper is doing to work. But even if we ignore consolehelper, having the path in this order might have been used by admins for other purposes, and keeping the order in user sessions will make it easier the adoption of systemd user sessions a bit easier. Fixes #733. https://bugzilla.redhat.com/show_bug.cgi?id=1744059 OOM handling in manager_default_environment wasn't really correct. Now the (theorertical) malloc failure in strv_new() is handled. Please note that this has no effect on: - systems with merged /bin-/sbin (e.g. arch) - when there are no binaries that differ between the two locations. E.g. on my F30 laptop there is exactly one program that is affected: /usr/bin/setup -> consolehelper. There is less and less stuff that relies on consolehelper, but there's still some. So for "clean" systems this makes no difference, but helps with legacy setups. $ dnf repoquery --releasever=31 --qf %{name} --whatrequires usermode anaconda-live audit-viewer beesu chkrootkit driftnet drobo-utils-gui hddtemp mate-system-log mock pure-ftpd setuptool subscription-manager system-config-httpd system-config-rootpassword system-switch-java system-switch-mail usermode-gtk vpnc-consoleuser wifi-radar xawtv
2015-08-07 03:34:15 +02:00
} else {
_cleanup_free_ char *k = NULL;
rework systemd's own process environment handling/passing Stop importing non-sensical kernel-exported variables. All parameters in the kernel command line are exported to the initial environment of PID1, but suppressed if they are recognized by kernel built-in code. The EFI booted kernel will add further kernel-internal things which do not belong into userspace. The passed original environ data of the process is not touched and preserved across re-execution, to allow external reading of /proc/self/environ for process properties like container*=.
2013-07-26 05:22:22 +02:00
/* The user manager passes its own environment
manager: put bin before sbin for user instances Traditionally, user logins had a $PATH in which /bin was before /sbin, while root logins had a $PATH with /sbin first. This allows the tricks that consolehelper is doing to work. But even if we ignore consolehelper, having the path in this order might have been used by admins for other purposes, and keeping the order in user sessions will make it easier the adoption of systemd user sessions a bit easier. Fixes #733. https://bugzilla.redhat.com/show_bug.cgi?id=1744059 OOM handling in manager_default_environment wasn't really correct. Now the (theorertical) malloc failure in strv_new() is handled. Please note that this has no effect on: - systems with merged /bin-/sbin (e.g. arch) - when there are no binaries that differ between the two locations. E.g. on my F30 laptop there is exactly one program that is affected: /usr/bin/setup -> consolehelper. There is less and less stuff that relies on consolehelper, but there's still some. So for "clean" systems this makes no difference, but helps with legacy setups. $ dnf repoquery --releasever=31 --qf %{name} --whatrequires usermode anaconda-live audit-viewer beesu chkrootkit driftnet drobo-utils-gui hddtemp mate-system-log mock pure-ftpd setuptool subscription-manager system-config-httpd system-config-rootpassword system-switch-java system-switch-mail usermode-gtk vpnc-consoleuser wifi-radar xawtv
2015-08-07 03:34:15 +02:00
* along to its children, except for $PATH. */
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
m->transient_environment = strv_copy(environ);
manager: put bin before sbin for user instances Traditionally, user logins had a $PATH in which /bin was before /sbin, while root logins had a $PATH with /sbin first. This allows the tricks that consolehelper is doing to work. But even if we ignore consolehelper, having the path in this order might have been used by admins for other purposes, and keeping the order in user sessions will make it easier the adoption of systemd user sessions a bit easier. Fixes #733. https://bugzilla.redhat.com/show_bug.cgi?id=1744059 OOM handling in manager_default_environment wasn't really correct. Now the (theorertical) malloc failure in strv_new() is handled. Please note that this has no effect on: - systems with merged /bin-/sbin (e.g. arch) - when there are no binaries that differ between the two locations. E.g. on my F30 laptop there is exactly one program that is affected: /usr/bin/setup -> consolehelper. There is less and less stuff that relies on consolehelper, but there's still some. So for "clean" systems this makes no difference, but helps with legacy setups. $ dnf repoquery --releasever=31 --qf %{name} --whatrequires usermode anaconda-live audit-viewer beesu chkrootkit driftnet drobo-utils-gui hddtemp mate-system-log mock pure-ftpd setuptool subscription-manager system-config-httpd system-config-rootpassword system-switch-java system-switch-mail usermode-gtk vpnc-consoleuser wifi-radar xawtv
2015-08-07 03:34:15 +02:00
if (!m->transient_environment)
return log_oom();
k = strdup("PATH=" DEFAULT_USER_PATH);
if (!k)
return log_oom();
core: clean up environment block for --user instances a bit
2014-01-12 12:39:56 +01:00
manager: put bin before sbin for user instances Traditionally, user logins had a $PATH in which /bin was before /sbin, while root logins had a $PATH with /sbin first. This allows the tricks that consolehelper is doing to work. But even if we ignore consolehelper, having the path in this order might have been used by admins for other purposes, and keeping the order in user sessions will make it easier the adoption of systemd user sessions a bit easier. Fixes #733. https://bugzilla.redhat.com/show_bug.cgi?id=1744059 OOM handling in manager_default_environment wasn't really correct. Now the (theorertical) malloc failure in strv_new() is handled. Please note that this has no effect on: - systems with merged /bin-/sbin (e.g. arch) - when there are no binaries that differ between the two locations. E.g. on my F30 laptop there is exactly one program that is affected: /usr/bin/setup -> consolehelper. There is less and less stuff that relies on consolehelper, but there's still some. So for "clean" systems this makes no difference, but helps with legacy setups. $ dnf repoquery --releasever=31 --qf %{name} --whatrequires usermode anaconda-live audit-viewer beesu chkrootkit driftnet drobo-utils-gui hddtemp mate-system-log mock pure-ftpd setuptool subscription-manager system-config-httpd system-config-rootpassword system-switch-java system-switch-mail usermode-gtk vpnc-consoleuser wifi-radar xawtv
2015-08-07 03:34:15 +02:00
r = strv_env_replace(&m->transient_environment, k);
if (r < 0)
return log_oom();
TAKE_PTR(k);
}
manager: clean environment before passing it on to others
2013-02-11 23:53:14 +01:00
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
sanitize_environment(m->transient_environment);
manager: always sort environment block, it's prettier
2013-11-21 19:31:46 +01:00
rework systemd's own process environment handling/passing Stop importing non-sensical kernel-exported variables. All parameters in the kernel command line are exported to the initial environment of PID1, but suppressed if they are recognized by kernel built-in code. The EFI booted kernel will add further kernel-internal things which do not belong into userspace. The passed original environ data of the process is not touched and preserved across re-execution, to allow external reading of /proc/self/environ for process properties like container*=.
2013-07-26 05:22:22 +02:00
return 0;
main: drop container/initrd env vars from inherited set Leave the env vars used in the container/initrd logic set for PID1, but don't inherit them to any children.
2012-04-11 12:56:51 +02:00
}
core: add {State,Cache,Log,Configuration}Directory= (#6384) This introduces {State,Cache,Log,Configuration}Directory= those are similar to RuntimeDirectory=. They create the directories under /var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode specified in {State,Cache,Log,Configuration}DirectoryMode=. This also fixes #6391.
2017-07-18 14:34:52 +02:00
static int manager_setup_prefix(Manager *m) {
struct table_entry {
uint64_t type;
const char *suffix;
};
core: usually our enum's _INVALID and _MAX special values are named after the full type In most cases we followed the rule that the special _INVALID and _MAX values we use in our enums use the full type name as prefix (in contrast to regular values that we often make shorter), do so for ExecDirectoryType as well. No functional changes, just a little bit of renaming to make this code more like the rest.
2017-09-28 16:58:43 +02:00
static const struct table_entry paths_system[_EXEC_DIRECTORY_TYPE_MAX] = {
core: add {State,Cache,Log,Configuration}Directory= (#6384) This introduces {State,Cache,Log,Configuration}Directory= those are similar to RuntimeDirectory=. They create the directories under /var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode specified in {State,Cache,Log,Configuration}DirectoryMode=. This also fixes #6391.
2017-07-18 14:34:52 +02:00
[EXEC_DIRECTORY_RUNTIME] = { SD_PATH_SYSTEM_RUNTIME, NULL },
[EXEC_DIRECTORY_STATE] = { SD_PATH_SYSTEM_STATE_PRIVATE, NULL },
[EXEC_DIRECTORY_CACHE] = { SD_PATH_SYSTEM_STATE_CACHE, NULL },
[EXEC_DIRECTORY_LOGS] = { SD_PATH_SYSTEM_STATE_LOGS, NULL },
[EXEC_DIRECTORY_CONFIGURATION] = { SD_PATH_SYSTEM_CONFIGURATION, NULL },
};
core: usually our enum's _INVALID and _MAX special values are named after the full type In most cases we followed the rule that the special _INVALID and _MAX values we use in our enums use the full type name as prefix (in contrast to regular values that we often make shorter), do so for ExecDirectoryType as well. No functional changes, just a little bit of renaming to make this code more like the rest.
2017-09-28 16:58:43 +02:00
static const struct table_entry paths_user[_EXEC_DIRECTORY_TYPE_MAX] = {
core: add {State,Cache,Log,Configuration}Directory= (#6384) This introduces {State,Cache,Log,Configuration}Directory= those are similar to RuntimeDirectory=. They create the directories under /var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode specified in {State,Cache,Log,Configuration}DirectoryMode=. This also fixes #6391.
2017-07-18 14:34:52 +02:00
[EXEC_DIRECTORY_RUNTIME] = { SD_PATH_USER_RUNTIME, NULL },
[EXEC_DIRECTORY_STATE] = { SD_PATH_USER_CONFIGURATION, NULL },
core: fix special directories for user services The system paths were listed where the user paths should have been listed. Correct that.
2017-10-02 11:27:03 +02:00
[EXEC_DIRECTORY_CACHE] = { SD_PATH_USER_STATE_CACHE, NULL },
[EXEC_DIRECTORY_LOGS] = { SD_PATH_USER_CONFIGURATION, "log" },
[EXEC_DIRECTORY_CONFIGURATION] = { SD_PATH_USER_CONFIGURATION, NULL },
core: add {State,Cache,Log,Configuration}Directory= (#6384) This introduces {State,Cache,Log,Configuration}Directory= those are similar to RuntimeDirectory=. They create the directories under /var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode specified in {State,Cache,Log,Configuration}DirectoryMode=. This also fixes #6391.
2017-07-18 14:34:52 +02:00
};
assert(m);
core: minor simplification
2020-05-26 19:28:53 +02:00
const struct table_entry *p = MANAGER_IS_SYSTEM(m) ? paths_system : paths_user;
int r;
core: add {State,Cache,Log,Configuration}Directory= (#6384) This introduces {State,Cache,Log,Configuration}Directory= those are similar to RuntimeDirectory=. They create the directories under /var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode specified in {State,Cache,Log,Configuration}DirectoryMode=. This also fixes #6391.
2017-07-18 14:34:52 +02:00
core: minor simplification
2020-05-26 19:28:53 +02:00
for (ExecDirectoryType i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++) {
sd-path: rename the two functions I think the two names were both pretty bad. They did not give a proper hint what the difference between the two functions is, and sd_path_home sounds like it is somehow related to /home or home directories or whatever, when in fact both functions return the same set of paths as either a colon-delimited string or a strv. "_strv" suffix is used by various functions in sd-bus, so let's reuse that. Those functions are not public yet, so let's rename.
2020-03-23 19:50:59 +01:00
r = sd_path_lookup(p[i].type, p[i].suffix, &m->prefix[i]);
core: add {State,Cache,Log,Configuration}Directory= (#6384) This introduces {State,Cache,Log,Configuration}Directory= those are similar to RuntimeDirectory=. They create the directories under /var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode specified in {State,Cache,Log,Configuration}DirectoryMode=. This also fixes #6391.
2017-07-18 14:34:52 +02:00
if (r < 0)
return r;
}
return 0;
}
pid1: use a cache for all unit aliases This reworks how we load units from disk. Instead of chasing symlinks every time we are asked to load a unit by name, we slurp all symlinks from disk and build two hashmaps: 1. from unit name to either alias target, or fragment on disk (if an alias, we put just the target name in the hashmap, if a fragment we put an absolute path, so we can distinguish both). 2. from a unit name to all aliases Reading all this data can be pretty costly (40 ms) on my machine, so we keep it around for reuse. The advantage is that we can reliably know what all the aliases of a given unit are. This means we can reliably load dropins under all names. This fixes #11972.
2019-07-18 13:11:28 +02:00
static void manager_free_unit_name_maps(Manager *m) {
m->unit_id_map = hashmap_free(m->unit_id_map);
m->unit_name_map = hashmap_free(m->unit_name_map);
shared/unit-file: make sure the old hashmaps and sets are freed upon replacement Possibly fixes #15220. (There might be another leak. I'm still investigating.) The leak would occur when the path cache was rebuilt. So in normal circumstances it wouldn't be too bad, since usually the path cache is not rebuilt too often. But the case in #15220, where new unit files are created in a loop and started, the leak occurs once for each unit file: $ for i in {1..300}; do cp ~/.config/systemd/user/test0001.service ~/.config/systemd/user/test$(printf %04d $i).service; systemctl --user start test$(printf %04d $i).service;done
2020-05-28 14:58:35 +02:00
m->unit_path_cache = set_free(m->unit_path_cache);
pid1: drop unit caches only based on mtime v2: - do not watch mtime of transient and generated dirs We'd reload the map after every transient unit we created, which we don't need to do, since we create those units ourselves and know their fragment path.
2019-07-10 18:01:13 +02:00
m->unit_cache_mtime = 0;
pid1: use a cache for all unit aliases This reworks how we load units from disk. Instead of chasing symlinks every time we are asked to load a unit by name, we slurp all symlinks from disk and build two hashmaps: 1. from unit name to either alias target, or fragment on disk (if an alias, we put just the target name in the hashmap, if a fragment we put an absolute path, so we can distinguish both). 2. from a unit name to all aliases Reading all this data can be pretty costly (40 ms) on my machine, so we keep it around for reuse. The advantage is that we can reliably know what all the aliases of a given unit are. This means we can reliably load dropins under all names. This fixes #11972.
2019-07-18 13:11:28 +02:00
}
manager: split out code that sets up run_queue event source into function of its own Let's shorten manager_new() a bit.
2017-12-06 23:24:00 +01:00
static int manager_setup_run_queue(Manager *m) {
int r;
assert(m);
assert(!m->run_queue_event_source);
r = sd_event_add_defer(m->event, &m->run_queue_event_source, manager_dispatch_run_queue, m);
if (r < 0)
return r;
r = sd_event_source_set_priority(m->run_queue_event_source, SD_EVENT_PRIORITY_IDLE);
if (r < 0)
return r;
r = sd_event_source_set_enabled(m->run_queue_event_source, SD_EVENT_OFF);
if (r < 0)
return r;
(void) sd_event_source_set_description(m->run_queue_event_source, "manager-run-queue");
return 0;
}
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
static int manager_setup_sigchld_event_source(Manager *m) {
int r;
assert(m);
assert(!m->sigchld_event_source);
r = sd_event_add_defer(m->event, &m->sigchld_event_source, manager_dispatch_sigchld, m);
if (r < 0)
return r;
r = sd_event_source_set_priority(m->sigchld_event_source, SD_EVENT_PRIORITY_NORMAL-7);
if (r < 0)
return r;
r = sd_event_source_set_enabled(m->sigchld_event_source, SD_EVENT_OFF);
if (r < 0)
return r;
(void) sd_event_source_set_description(m->sigchld_event_source, "manager-sigchld");
return 0;
}
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
int manager_new(UnitFileScope scope, ManagerTestRunFlags test_run_flags, Manager **_m) {
Introduce _cleanup_(manager_freep)
2018-03-09 21:55:55 +01:00
_cleanup_(manager_freep) Manager *m = NULL;
core: allocate a kdbus bus for each systemd instance, if we can
2013-11-30 03:53:42 +01:00
int r;
cgroup: add cgroupsification
2010-03-31 16:29:55 +02:00
assert(_m);
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
assert(IN_SET(scope, UNIT_FILE_SYSTEM, UNIT_FILE_USER));
add infrastructure for special units
2010-01-28 02:01:15 +01:00
core: use structure initialization for Manager No changes in behaviour, just a nicer way to fill in the Manager initially.
2018-10-09 15:54:10 +02:00
m = new(Manager, 1);
manager: extend performance measurement interface to include firmware/loader times This only adds the fields to the D-Bus interfaces but doesn't fill them in with anything useful yet. Gummiboot exposes the necessary bits of information to use however and as soon as I get my fingers on a proper UEFI laptop I'll hook up the remaining bits. Since we want to stabilize the D-Bus interface soon and include it in the stability promise we should get the last fixes in, hence this change now.
2012-09-13 18:54:32 +02:00
if (!m)
cgroup: add cgroupsification
2010-03-31 16:29:55 +02:00
return -ENOMEM;
initial commit
2009-11-18 00:42:52 +01:00
core: use structure initialization for Manager No changes in behaviour, just a nicer way to fill in the Manager initially.
2018-10-09 15:54:10 +02:00
*m = (Manager) {
.unit_file_scope = scope,
.objective = _MANAGER_OBJECTIVE_INVALID,
Add config and kernel commandline option to use short identifiers No functional change, just docs and configuration and parsing. v2: - change ShortIdentifiers=yes|no to StatusUnitFormat=name|description.
2019-06-06 19:22:20 +02:00
.status_unit_format = STATUS_UNIT_FORMAT_DEFAULT,
core: use structure initialization for Manager No changes in behaviour, just a nicer way to fill in the Manager initially.
2018-10-09 15:54:10 +02:00
.default_timer_accuracy_usec = USEC_PER_MINUTE,
.default_memory_accounting = MEMORY_ACCOUNTING_DEFAULT,
.default_tasks_accounting = true,
core: make TasksMax a partially dynamic property TasksMax= and DefaultTasksMax= can be specified as percentages. We don't actually document of what the percentage is relative to, but the implementation uses the smallest of /proc/sys/kernel/pid_max, /proc/sys/kernel/threads-max, and /sys/fs/cgroup/pids.max (when present). When the value is a percentage, we immediately convert it to an absolute value. If the limit later changes (which can happen e.g. when systemd-sysctl runs), the absolute value becomes outdated. So let's store either the percentage or absolute value, whatever was specified, and only convert to an absolute value when the value is used. For example, when starting a unit, the absolute value will be calculated when the cgroup for the unit is created. Fixes #13419.
2019-11-05 13:50:28 +01:00
.default_tasks_max = TASKS_MAX_UNSET,
core: use structure initialization for Manager No changes in behaviour, just a nicer way to fill in the Manager initially.
2018-10-09 15:54:10 +02:00
.default_timeout_start_usec = DEFAULT_TIMEOUT_USEC,
.default_timeout_stop_usec = DEFAULT_TIMEOUT_USEC,
.default_restart_usec = DEFAULT_RESTART_USEC,
.original_log_level = -1,
.original_log_target = _LOG_TARGET_INVALID,
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
.watchdog_overridden[WATCHDOG_RUNTIME] = USEC_INFINITY,
.watchdog_overridden[WATCHDOG_REBOOT] = USEC_INFINITY,
.watchdog_overridden[WATCHDOG_KEXEC] = USEC_INFINITY,
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
.show_status_overridden = _SHOW_STATUS_INVALID,
core: use structure initialization for Manager No changes in behaviour, just a nicer way to fill in the Manager initially.
2018-10-09 15:54:10 +02:00
.notify_fd = -1,
.cgroups_agent_fd = -1,
.signal_fd = -1,
.time_change_fd = -1,
.user_lookup_fds = { -1, -1 },
.private_listen_fd = -1,
.dev_autofs_fd = -1,
.cgroup_inotify_fd = -1,
.pin_cgroupfs_fd = -1,
.ask_password_inotify_fd = -1,
.idle_pipe = { -1, -1, -1, -1},
/* start as id #1, so that we can leave #0 around as "null-like" value */
.current_job_id = 1,
.have_ask_password = -EINVAL, /* we don't know */
.first_boot = -1,
.test_run_flags = test_run_flags,
core: implement OOMPolicy= and watch cgroups for OOM killings This adds a new per-service OOMPolicy= (along with a global DefaultOOMPolicy=) that controls what to do if a process of the service is killed by the kernel's OOM killer. It has three different values: "continue" (old behaviour), "stop" (terminate the service), "kill" (let the kernel kill all the service's processes). On top of that, track OOM killer events per unit: generate a per-unit structured, recognizable log message when we see an OOM killer event, and put the service in a failure state if an OOM killer event was seen and the selected policy was not "continue". A new "result" is defined for this case: "oom-kill". All of this relies on new cgroupv2 kernel functionality: the "memory.events" notification interface and the "memory.oom.group" attribute (which makes the kernel kill all cgroup processes automatically).
2019-03-19 19:05:19 +01:00
.default_oom_policy = OOM_STOP,
core: use structure initialization for Manager No changes in behaviour, just a nicer way to fill in the Manager initially.
2018-10-09 15:54:10 +02:00
};
rework tty handling We now make sure to run all services in their own session, possibly with a controlling terminal. This also extends the service and socket state machines a little.
2010-04-13 02:06:27 +02:00
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if ENABLE_EFI
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
if (MANAGER_IS_SYSTEM(m) && detect_container() <= 0)
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
boot_timestamps(m->timestamps + MANAGER_TIMESTAMP_USERSPACE,
m->timestamps + MANAGER_TIMESTAMP_FIRMWARE,
m->timestamps + MANAGER_TIMESTAMP_LOADER);
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
#endif
core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters
2015-05-11 20:38:21 +02:00
/* Prepare log fields we can use for structured logging */
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
if (MANAGER_IS_SYSTEM(m)) {
m->unit_log_field = "UNIT=";
m->unit_log_format_string = "UNIT=%s";
core: add "invocation ID" concept to service manager This adds a new invocation ID concept to the service manager. The invocation ID identifies each runtime cycle of a unit uniquely. A new randomized 128bit ID is generated each time a unit moves from and inactive to an activating or active state. The primary usecase for this concept is to connect the runtime data PID 1 maintains about a service with the offline data the journal stores about it. Previously we'd use the unit name plus start/stop times, which however is highly racy since the journal will generally process log data after the service already ended. The "invocation ID" kinda matches the "boot ID" concept of the Linux kernel, except that it applies to an individual unit instead of the whole system. The invocation ID is passed to the activated processes as environment variable. It is additionally stored as extended attribute on the cgroup of the unit. The latter is used by journald to automatically retrieve it for each log logged message and attach it to the log entry. The environment variable is very easily accessible, even for unprivileged services. OTOH the extended attribute is only accessible to privileged processes (this is because cgroupfs only supports the "trusted." xattr namespace, not "user."). The environment variable may be altered by services, the extended attribute may not be, hence is the better choice for the journal. Note that reading the invocation ID off the extended attribute from journald is racy, similar to the way reading the unit name for a logging process is. This patch adds APIs to read the invocation ID to sd-id128: sd_id128_get_invocation() may be used in a similar fashion to sd_id128_get_boot(). PID1's own logging is updated to always include the invocation ID when it logs information about a unit. A new bus call GetUnitByInvocationID() is added that allows retrieving a bus path to a unit by its invocation ID. The bus path is built using the invocation ID, thus providing a path for referring to a unit that is valid only for the current runtime cycleof it. Outlook for the future: should the kernel eventually allow passing of cgroup information along AF_UNIX/SOCK_DGRAM messages via a unique cgroup id, then we can alter the invocation ID to be generated as hash from that rather than entirely randomly. This way we can derive the invocation race-freely from the messages.
2016-08-30 23:18:46 +02:00
m->invocation_log_field = "INVOCATION_ID=";
core: make sure to log invocation ID of units also when doing structured logging
2017-09-20 18:27:53 +02:00
m->invocation_log_format_string = "INVOCATION_ID=%s";
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
} else {
m->unit_log_field = "USER_UNIT=";
m->unit_log_format_string = "USER_UNIT=%s";
core: add "invocation ID" concept to service manager This adds a new invocation ID concept to the service manager. The invocation ID identifies each runtime cycle of a unit uniquely. A new randomized 128bit ID is generated each time a unit moves from and inactive to an activating or active state. The primary usecase for this concept is to connect the runtime data PID 1 maintains about a service with the offline data the journal stores about it. Previously we'd use the unit name plus start/stop times, which however is highly racy since the journal will generally process log data after the service already ended. The "invocation ID" kinda matches the "boot ID" concept of the Linux kernel, except that it applies to an individual unit instead of the whole system. The invocation ID is passed to the activated processes as environment variable. It is additionally stored as extended attribute on the cgroup of the unit. The latter is used by journald to automatically retrieve it for each log logged message and attach it to the log entry. The environment variable is very easily accessible, even for unprivileged services. OTOH the extended attribute is only accessible to privileged processes (this is because cgroupfs only supports the "trusted." xattr namespace, not "user."). The environment variable may be altered by services, the extended attribute may not be, hence is the better choice for the journal. Note that reading the invocation ID off the extended attribute from journald is racy, similar to the way reading the unit name for a logging process is. This patch adds APIs to read the invocation ID to sd-id128: sd_id128_get_invocation() may be used in a similar fashion to sd_id128_get_boot(). PID1's own logging is updated to always include the invocation ID when it logs information about a unit. A new bus call GetUnitByInvocationID() is added that allows retrieving a bus path to a unit by its invocation ID. The bus path is built using the invocation ID, thus providing a path for referring to a unit that is valid only for the current runtime cycleof it. Outlook for the future: should the kernel eventually allow passing of cgroup information along AF_UNIX/SOCK_DGRAM messages via a unique cgroup id, then we can alter the invocation ID to be generated as hash from that rather than entirely randomly. This way we can derive the invocation race-freely from the messages.
2016-08-30 23:18:46 +02:00
m->invocation_log_field = "USER_INVOCATION_ID=";
core: make sure to log invocation ID of units also when doing structured logging
2017-09-20 18:27:53 +02:00
m->invocation_log_format_string = "USER_INVOCATION_ID=%s";
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
}
core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters
2015-05-11 20:38:21 +02:00
core: when the user hits Ctrl-Alt-Del more than 7x per 2s, reboot immediately This should be useful for cases where clean rebooting doesn't work, and the user wants to hurry up the reboot.
2015-01-28 02:18:59 +01:00
/* Reboot immediately if the user hits C-A-D more often than 7x per 2s */
Drop RATELIMIT macros Using plain structure initialization is both shorter _and_ more clearer. We get type safety for free.
2019-09-19 17:41:20 +02:00
m->ctrl_alt_del_ratelimit = (RateLimit) { .interval = 2 * USEC_PER_SEC, .burst = 7 };
core: when the user hits Ctrl-Alt-Del more than 7x per 2s, reboot immediately This should be useful for cases where clean rebooting doesn't work, and the user wants to hurry up the reboot.
2015-01-28 02:18:59 +01:00
rework systemd's own process environment handling/passing Stop importing non-sensical kernel-exported variables. All parameters in the kernel command line are exported to the initial environment of PID1, but suppressed if they are recognized by kernel built-in code. The EFI booted kernel will add further kernel-internal things which do not belong into userspace. The passed original environ data of the process is not touched and preserved across re-execution, to allow external reading of /proc/self/environ for process properties like container*=.
2013-07-26 05:22:22 +02:00
r = manager_default_environment(m);
if (r < 0)
Introduce _cleanup_(manager_freep)
2018-03-09 21:55:55 +01:00
return r;
environment: allow control of the environment block via D-Bus
2010-05-09 23:53:52 +02:00
hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-13 01:00:18 +02:00
r = hashmap_ensure_allocated(&m->units, &string_hash_ops);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
if (r < 0)
Introduce _cleanup_(manager_freep)
2018-03-09 21:55:55 +01:00
return r;
initial commit
2009-11-18 00:42:52 +01:00
tree-wide: use path_hash_ops instead of string_hash_ops whenever we key by a path Let's make use of our new hash_ops!
2018-02-08 18:58:35 +01:00
r = hashmap_ensure_allocated(&m->cgroup_unit, &path_hash_ops);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
if (r < 0)
Introduce _cleanup_(manager_freep)
2018-03-09 21:55:55 +01:00
return r;
add simple event loop
2010-01-24 00:39:29 +01:00
hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-13 01:00:18 +02:00
r = hashmap_ensure_allocated(&m->watch_bus, &string_hash_ops);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
if (r < 0)
Introduce _cleanup_(manager_freep)
2018-03-09 21:55:55 +01:00
return r;
service: optionally, trie dbus name cycle to service cycle
2010-04-15 23:16:16 +02:00
job: make the run queue order deterministic Jobs are added to the run queue in random order. This happens because most jobs are added by iterating over the transaction or dependency hash maps. As a result, jobs that can be executed at the same time are started in a different order each time. On small embedded devices this can cause a measurable jitter for the point in time when a job starts (~100ms jitter for 10 units that are started in random order). This results is a similar jitter for the boot time. This is undesirable in general and make optimizing the boot time a lot harder. Also, jobs that should have a higher priority because the unit has a higher CPU weight might get executed later than others. Fix this by turning the job run_queue into a Prioq and sort by the following criteria (use the next if the values are equal): - CPU weight - nice level - unit type - unit name The last one is just there for deterministic sorting to avoid any jitter.
2019-05-22 12:12:17 +02:00
r = prioq_ensure_allocated(&m->run_queue, compare_job_priority);
if (r < 0)
return r;
Make MANAGER_TEST_RUN_MINIMAL just allocate data structures When running tests like test-unit-name, there is not point in setting up the cgroup and signals and interacting with the environment. Similarly when running fuzz testing of the parser. Add new MANAGER_TEST_RUN_BASIC which takes the role of MANAGER_TEST_RUN_MINIMAL, and redefine MANAGER_TEST_RUN_MINIMAL to just create the basic data structures.
2018-03-10 11:02:18 +01:00
r = manager_setup_prefix(m);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
if (r < 0)
Introduce _cleanup_(manager_freep)
2018-03-09 21:55:55 +01:00
return r;
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
Make MANAGER_TEST_RUN_MINIMAL just allocate data structures When running tests like test-unit-name, there is not point in setting up the cgroup and signals and interacting with the environment. Similarly when running fuzz testing of the parser. Add new MANAGER_TEST_RUN_BASIC which takes the role of MANAGER_TEST_RUN_MINIMAL, and redefine MANAGER_TEST_RUN_MINIMAL to just create the basic data structures.
2018-03-10 11:02:18 +01:00
r = sd_event_default(&m->event);
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
if (r < 0)
Introduce _cleanup_(manager_freep)
2018-03-09 21:55:55 +01:00
return r;
add simple event loop
2010-01-24 00:39:29 +01:00
Make MANAGER_TEST_RUN_MINIMAL just allocate data structures When running tests like test-unit-name, there is not point in setting up the cgroup and signals and interacting with the environment. Similarly when running fuzz testing of the parser. Add new MANAGER_TEST_RUN_BASIC which takes the role of MANAGER_TEST_RUN_MINIMAL, and redefine MANAGER_TEST_RUN_MINIMAL to just create the basic data structures.
2018-03-10 11:02:18 +01:00
r = manager_setup_run_queue(m);
Revert "core: don't setup init.scope in test mode (#8380)" (#8390) This reverts commit a9e8ecf0374c675831208559ba37749a8f9719ef, as it breaks test-path. Fixes #8389.
2018-03-08 07:29:19 +01:00
if (r < 0)
Introduce _cleanup_(manager_freep)
2018-03-09 21:55:55 +01:00
return r;
cgroup: add cgroupsification
2010-03-31 16:29:55 +02:00
Make MANAGER_TEST_RUN_MINIMAL just allocate data structures When running tests like test-unit-name, there is not point in setting up the cgroup and signals and interacting with the environment. Similarly when running fuzz testing of the parser. Add new MANAGER_TEST_RUN_BASIC which takes the role of MANAGER_TEST_RUN_MINIMAL, and redefine MANAGER_TEST_RUN_MINIMAL to just create the basic data structures.
2018-03-10 11:02:18 +01:00
if (test_run_flags == MANAGER_TEST_RUN_MINIMAL) {
m->cgroup_root = strdup("");
if (!m->cgroup_root)
return -ENOMEM;
} else {
r = manager_setup_signals(m);
if (r < 0)
return r;
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
Make MANAGER_TEST_RUN_MINIMAL just allocate data structures When running tests like test-unit-name, there is not point in setting up the cgroup and signals and interacting with the environment. Similarly when running fuzz testing of the parser. Add new MANAGER_TEST_RUN_BASIC which takes the role of MANAGER_TEST_RUN_MINIMAL, and redefine MANAGER_TEST_RUN_MINIMAL to just create the basic data structures.
2018-03-10 11:02:18 +01:00
r = manager_setup_cgroup(m);
if (r < 0)
return r;
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
Make MANAGER_TEST_RUN_MINIMAL just allocate data structures When running tests like test-unit-name, there is not point in setting up the cgroup and signals and interacting with the environment. Similarly when running fuzz testing of the parser. Add new MANAGER_TEST_RUN_BASIC which takes the role of MANAGER_TEST_RUN_MINIMAL, and redefine MANAGER_TEST_RUN_MINIMAL to just create the basic data structures.
2018-03-10 11:02:18 +01:00
r = manager_setup_time_change(m);
if (r < 0)
return r;
swap: always track the current real device node of all swap devices, even when not active This way, we can avoid executing two /bin/swapon jobs to be dispatched for the same swap device if it is configured for two different paths. Previously we were just tracking the device nodes of active swap devices, which would not allow us to recognize the identity of two swap devices before they are active. https://bugs.freedesktop.org/show_bug.cgi?id=69835
2013-11-25 21:08:39 +01:00
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
r = manager_read_timezone_stat(m);
if (r < 0)
return r;
core: ensure it's not fatal if we cannot watch /etc/localtime See: #9602
2018-10-13 15:12:41 +02:00
(void) manager_setup_timezone_change(m);
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
Make MANAGER_TEST_RUN_MINIMAL just allocate data structures When running tests like test-unit-name, there is not point in setting up the cgroup and signals and interacting with the environment. Similarly when running fuzz testing of the parser. Add new MANAGER_TEST_RUN_BASIC which takes the role of MANAGER_TEST_RUN_MINIMAL, and redefine MANAGER_TEST_RUN_MINIMAL to just create the basic data structures.
2018-03-10 11:02:18 +01:00
r = manager_setup_sigchld_event_source(m);
if (r < 0)
return r;
}
manager: don't check /usr state of initrd to determine "taint-usr" taint
2017-12-07 11:09:09 +01:00
core,journal: export user units' InvocationID and use as _SYSTEMD_INVOCATION_ID Write a user unit's invocation ID to /run/user/<uid>/systemd/units/ similar to how a system unit's invocation ID is written to /run/systemd/units/. This lets the journal read and add a user unit's invocation ID to the _SYSTEMD_INVOCATION_ID field of logs instead of the user manager's invocation ID. Fixes #12474
2019-12-12 06:15:42 +01:00
if (test_run_flags == 0) {
if (MANAGER_IS_SYSTEM(m))
r = mkdir_label("/run/systemd/units", 0755);
else {
_cleanup_free_ char *units_path = NULL;
r = xdg_user_runtime_dir(&units_path, "/systemd/units");
if (r < 0)
return r;
r = mkdir_p_label(units_path, 0755);
}
core: implement /run/systemd/units/-based path for passing unit info from PID 1 to journald And let's make use of it to implement two new unit settings with it: 1. LogLevelMax= is a new per-unit setting that may be used to configure log priority filtering: set it to LogLevelMax=notice and only messages of level "notice" and lower (i.e. more important) will be processed, all others are dropped. 2. LogExtraFields= is a new per-unit setting for configuring per-unit journal fields, that are implicitly included in every log record generated by the unit's processes. It takes field/value pairs in the form of FOO=BAR. Also, related to this, one exisiting unit setting is ported to this new facility: 3. The invocation ID is now pulled from /run/systemd/units/ instead of cgroupfs xattrs. This substantially relaxes requirements of systemd on the kernel version and the privileges it runs with (specifically, cgroupfs xattrs are not available in containers, since they are stored in kernel memory, and hence are unsafe to permit to lesser privileged code). /run/systemd/units/ is a new directory, which contains a number of files and symlinks encoding the above information. PID 1 creates and manages these files, and journald reads them from there. Note that this is supposed to be a direct path between PID 1 and the journal only, due to the special runtime environment the journal runs in. Normally, today we shouldn't introduce new interfaces that (mis-)use a file system as IPC framework, and instead just an IPC system, but this is very hard to do between the journal and PID 1, as long as the IPC system is a subject PID 1 manages, and itself a client to the journal. This patch cleans up a couple of types used in journal code: specifically we switch to size_t for a couple of memory-sizing values, as size_t is the right choice for everything that is memory. Fixes: #4089 Fixes: #3041 Fixes: #4441
2017-11-02 19:43:32 +01:00
if (r < 0 && r != -EEXIST)
Introduce _cleanup_(manager_freep)
2018-03-09 21:55:55 +01:00
return r;
core: implement /run/systemd/units/-based path for passing unit info from PID 1 to journald And let's make use of it to implement two new unit settings with it: 1. LogLevelMax= is a new per-unit setting that may be used to configure log priority filtering: set it to LogLevelMax=notice and only messages of level "notice" and lower (i.e. more important) will be processed, all others are dropped. 2. LogExtraFields= is a new per-unit setting for configuring per-unit journal fields, that are implicitly included in every log record generated by the unit's processes. It takes field/value pairs in the form of FOO=BAR. Also, related to this, one exisiting unit setting is ported to this new facility: 3. The invocation ID is now pulled from /run/systemd/units/ instead of cgroupfs xattrs. This substantially relaxes requirements of systemd on the kernel version and the privileges it runs with (specifically, cgroupfs xattrs are not available in containers, since they are stored in kernel memory, and hence are unsafe to permit to lesser privileged code). /run/systemd/units/ is a new directory, which contains a number of files and symlinks encoding the above information. PID 1 creates and manages these files, and journald reads them from there. Note that this is supposed to be a direct path between PID 1 and the journal only, due to the special runtime environment the journal runs in. Normally, today we shouldn't introduce new interfaces that (mis-)use a file system as IPC framework, and instead just an IPC system, but this is very hard to do between the journal and PID 1, as long as the IPC system is a subject PID 1 manages, and itself a client to the journal. This patch cleans up a couple of types used in journal code: specifically we switch to size_t for a couple of memory-sizing values, as size_t is the right choice for everything that is memory. Fixes: #4089 Fixes: #3041 Fixes: #4441
2017-11-02 19:43:32 +01:00
}
manager: don't check /usr state of initrd to determine "taint-usr" taint
2017-12-07 11:09:09 +01:00
m->taint_usr =
!in_initrd() &&
dir_is_empty("/usr") > 0;
pid1: drop kdbus_fd and all associated logic
2016-09-09 16:16:26 +02:00
/* Note that we do not set up the notify fd here. We do that after deserialization,
* since they might have gotten serialized across the reexec. */
core: add {State,Cache,Log,Configuration}Directory= (#6384) This introduces {State,Cache,Log,Configuration}Directory= those are similar to RuntimeDirectory=. They create the directories under /var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode specified in {State,Cache,Log,Configuration}DirectoryMode=. This also fixes #6391.
2017-07-18 14:34:52 +02:00
tree-wide: use TAKE_PTR() and TAKE_FD() macros
2018-04-05 07:26:26 +02:00
*_m = TAKE_PTR(m);
cgroup: add cgroupsification
2010-03-31 16:29:55 +02:00
return 0;
initial commit
2009-11-18 00:42:52 +01:00
}
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
static int manager_setup_notify(Manager *m) {
core: move notify sockets to /run and $XDG_RUNTIME_DIR A service with PrivateNetwork= cannot access abstract namespace sockets of the host anymore, hence let's better not use abstract namespace sockets for this, since we want to make sure that PrivateNetwork= is useful and doesn't break sd_notify().
2014-03-19 22:46:45 +01:00
int r;
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m))
test-engine: fix access to unit load path Also add a bit of debugging output to help diagnose problems, add missing units, and simplify cppflags. Move test-engine to normal tests from manual tests, it should now work without destroying the system.
2014-01-07 14:41:24 +01:00
return 0;
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
if (m->notify_fd < 0) {
_cleanup_close_ int fd = -1;
tree-wide: use the return value from sockaddr_un_set_path() It fully initializes the address structure, so no need for pre-initialization, and also returns the length of the address, so no need to recalculate using SOCKADDR_UN_LEN(). socklen_t is unsigned, so let's not use an int for it. (It doesn't matter, but seems cleaner and more portable to not assume anything about the type.)
2020-03-02 15:51:31 +01:00
union sockaddr_union sa;
socklen_t sa_len;
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
/* First free all secondary fields */
tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.
2015-09-08 18:43:11 +02:00
m->notify_socket = mfree(m->notify_socket);
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
m->notify_event_source = sd_event_source_unref(m->notify_event_source);
fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (fd < 0)
return log_error_errno(errno, "Failed to allocate notification socket: %m");
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
sd-daemon: increase sd_notify() socket buffer size Let's make sure we don't start blocking on sd_notify() earlier than necessary, let's bump the socket buffer sizes to 8M. We already do something similar for our logging socket buffers, hence apply a similar bump here.
2015-10-30 11:27:29 +01:00
fd_inc_rcvbuf(fd, NOTIFY_RCVBUF_SIZE);
tree-wide: get rid of strappend() It's a special case of strjoin(), so no need to keep both. In particular as typing strjoin() is even shoert than strappend().
2019-07-11 19:14:16 +02:00
m->notify_socket = path_join(m->prefix[EXEC_DIRECTORY_RUNTIME], "systemd/notify");
manager: cast mkdir() result to (void) to make sure coverity is quiet Also simplify the code a bit by moving mkdir to the common path.
2014-11-07 02:05:50 +01:00
if (!m->notify_socket)
return log_oom();
tree-wide: use the return value from sockaddr_un_set_path() It fully initializes the address structure, so no need for pre-initialization, and also returns the length of the address, so no need to recalculate using SOCKADDR_UN_LEN(). socklen_t is unsigned, so let's not use an int for it. (It doesn't matter, but seems cleaner and more portable to not assume anything about the type.)
2020-03-02 15:51:31 +01:00
r = sockaddr_un_set_path(&sa.un, m->notify_socket);
if (r < 0)
return log_error_errno(r, "Notify socket '%s' not valid for AF_UNIX socket address, refusing.",
m->notify_socket);
sa_len = r;
tree-wide: port various users over to sockaddr_un_set_path() CID 1396140 CID 1396141
2018-10-15 13:58:31 +02:00
manager: cast mkdir() result to (void) to make sure coverity is quiet Also simplify the code a bit by moving mkdir to the common path.
2014-11-07 02:05:50 +01:00
(void) mkdir_parents_label(m->notify_socket, 0755);
tree-wide: use sockaddr_un_unlink() at two more places where appropriate
2018-10-15 19:40:18 +02:00
(void) sockaddr_un_unlink(&sa.un);
core: move notify sockets to /run and $XDG_RUNTIME_DIR A service with PrivateNetwork= cannot access abstract namespace sockets of the host anymore, hence let's better not use abstract namespace sockets for this, since we want to make sure that PrivateNetwork= is useful and doesn't break sd_notify().
2014-03-19 22:46:45 +01:00
tree-wide: use the return value from sockaddr_un_set_path() It fully initializes the address structure, so no need for pre-initialization, and also returns the length of the address, so no need to recalculate using SOCKADDR_UN_LEN(). socklen_t is unsigned, so let's not use an int for it. (It doesn't matter, but seems cleaner and more portable to not assume anything about the type.)
2020-03-02 15:51:31 +01:00
r = bind(fd, &sa.sa, sa_len);
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (r < 0)
tree-wide: port various users over to sockaddr_un_set_path() CID 1396140 CID 1396141
2018-10-15 13:58:31 +02:00
return log_error_errno(errno, "bind(%s) failed: %m", m->notify_socket);
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
tree-wide: introduce setsockopt_int() helper and make use of it everywhere As suggested by @heftig: https://github.com/systemd/systemd/commit/6d5e65f6454212cd400d0ebda34978a9f20cc26a#commitcomment-30938667
2018-10-18 19:48:18 +02:00
r = setsockopt_int(fd, SOL_SOCKET, SO_PASSCRED, true);
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (r < 0)
tree-wide: introduce setsockopt_int() helper and make use of it everywhere As suggested by @heftig: https://github.com/systemd/systemd/commit/6d5e65f6454212cd400d0ebda34978a9f20cc26a#commitcomment-30938667
2018-10-18 19:48:18 +02:00
return log_error_errno(r, "SO_PASSCRED failed: %m");
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
macro: introduce new TAKE_FD() macro This is similar to TAKE_PTR() but operates on file descriptors, and thus assigns -1 to the fd parameter after returning it. Removes 60 lines from our codebase. Pretty good too I think.
2018-03-22 17:04:29 +01:00
m->notify_fd = TAKE_FD(fd);
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
log_debug("Using notification socket %s", m->notify_socket);
}
if (!m->notify_event_source) {
api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.
2014-02-19 23:54:58 +01:00
r = sd_event_add_io(m->event, &m->notify_event_source, m->notify_fd, EPOLLIN, manager_dispatch_notify_fd, m);
core: fix return value in error path after sd_event_add_io() failure sd_event_add_io() does not set errno, it returns negative errno. Noticed during log_*_errno conversions.
2014-11-28 19:20:59 +01:00
if (r < 0)
return log_error_errno(r, "Failed to allocate notify event source: %m");
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
/* Process notification messages a bit earlier than SIGCHLD, so that we can still identify to which
* service an exit message belongs. */
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
r = sd_event_source_set_priority(m->notify_event_source, SD_EVENT_PRIORITY_NORMAL-8);
treewide: more log_*_errno + return simplifications
2014-11-28 18:23:20 +01:00
if (r < 0)
return log_error_errno(r, "Failed to set priority of notify event source: %m");
core: annotate event sources
2015-04-29 16:05:32 +02:00
(void) sd_event_source_set_description(m->notify_event_source, "manager-notify");
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
}
return 0;
}
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
static int manager_setup_cgroups_agent(Manager *m) {
static const union sockaddr_union sa = {
.un.sun_family = AF_UNIX,
.un.sun_path = "/run/systemd/cgroups-agent",
};
int r;
/* This creates a listening socket we receive cgroups agent messages on. We do not use D-Bus for delivering
* these messages from the cgroups agent binary to PID 1, as the cgroups agent binary is very short-living, and
* each instance of it needs a new D-Bus connection. Since D-Bus connections are SOCK_STREAM/AF_UNIX, on
* overloaded systems the backlog of the D-Bus socket becomes relevant, as not more than the configured number
* of D-Bus connections may be queued until the kernel will start dropping further incoming connections,
* possibly resulting in lost cgroups agent messages. To avoid this, we'll use a private SOCK_DGRAM/AF_UNIX
* socket, where no backlog is relevant as communication may take place without an actual connect() cycle, and
* we thus won't lose messages.
*
* Note that PID 1 will forward the agent message to system bus, so that the user systemd instance may listen
* to it. The system instance hence listens on this special socket, but the user instances listen on the system
* bus for these messages. */
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m))
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
return 0;
if (!MANAGER_IS_SYSTEM(m))
return 0;
cgroup: rename cg_unified() → cg_unified_controller() cg_unified() is a bit generic a name, let's make clear that it checks whether a specified controller is in unified mode.
2017-02-24 18:00:04 +01:00
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
cgroup: change cg_unified() to possibly return errors again We use our cgroup APIs in various contexts, including from our libraries sd-login, sd-bus. As we don#t control those environments we can't rely that the unified cgroup setup logic succeeds, and hence really shouldn't assert on it. This more or less reverts 415fc41ceaeada2e32639f24f134b1c248b9e43f.
2017-02-24 17:52:58 +01:00
if (r < 0)
return log_error_errno(r, "Failed to determine whether unified cgroups hierarchy is used: %m");
if (r > 0) /* We don't need this anymore on the unified hierarchy */
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
return 0;
if (m->cgroups_agent_fd < 0) {
_cleanup_close_ int fd = -1;
/* First free all secondary fields */
m->cgroups_agent_event_source = sd_event_source_unref(m->cgroups_agent_event_source);
fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
if (fd < 0)
return log_error_errno(errno, "Failed to allocate cgroups agent socket: %m");
fd_inc_rcvbuf(fd, CGROUPS_AGENT_RCVBUF_SIZE);
tree-wide: use sockaddr_un_unlink() whereever appropriate Let's port everything over.
2018-10-15 12:08:30 +02:00
(void) sockaddr_un_unlink(&sa.un);
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
/* Only allow root to connect to this socket */
RUN_WITH_UMASK(0077)
tree-wide: introduce new SOCKADDR_UN_LEN() macro, and use it everywhere The macro determines the right length of a AF_UNIX "struct sockaddr_un" to pass to connect() or bind(). It automatically figures out if the socket refers to an abstract namespace socket, or a socket in the file system, and properly handles the full length of the path field. This macro is not only safer, but also simpler to use, than the usual offsetof() + strlen() logic.
2016-05-05 22:24:36 +02:00
r = bind(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
if (r < 0)
return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path);
tree-wide: make use of TAKE_FD() at two more places
2018-10-15 12:09:17 +02:00
m->cgroups_agent_fd = TAKE_FD(fd);
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
}
if (!m->cgroups_agent_event_source) {
r = sd_event_add_io(m->event, &m->cgroups_agent_event_source, m->cgroups_agent_fd, EPOLLIN, manager_dispatch_cgroups_agent_fd, m);
if (r < 0)
return log_error_errno(r, "Failed to allocate cgroups agent event source: %m");
core: rearrange cgroup empty events a bit So far the priorities for cgroup empty event handling were pretty weird. The raw events (on cgroupsv2 from inotify, on cgroupsv1 from the agent dgram socket) where scheduled at a lower priority than the cgroup empty queue dispatcher. Let's swap that and ensure that we can coalesce events more agressively: let's process the raw events at higher priority than the cgroup empty event (which remains at the same prio).
2019-03-18 20:21:11 +01:00
/* Process cgroups notifications early. Note that when the agent notification is received
* we'll just enqueue the unit in the cgroup empty queue, hence pick a high priority than
* that. Also see handling of cgroup inotify for the unified cgroup stuff. */
r = sd_event_source_set_priority(m->cgroups_agent_event_source, SD_EVENT_PRIORITY_NORMAL-9);
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
if (r < 0)
return log_error_errno(r, "Failed to set priority of cgroups agent event source: %m");
(void) sd_event_source_set_description(m->cgroups_agent_event_source, "manager-cgroups-agent");
}
return 0;
}
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
static int manager_setup_user_lookup_fd(Manager *m) {
int r;
assert(m);
/* Set up the socket pair used for passing UID/GID resolution results from forked off processes to PID
* 1. Background: we can't do name lookups (NSS) from PID 1, since it might involve IPC and thus activation,
* and we might hence deadlock on ourselves. Hence we do all user/group lookups asynchronously from the forked
* off processes right before executing the binaries to start. In order to be able to clean up any IPC objects
* created by a unit (see RemoveIPC=) we need to know in PID 1 the used UID/GID of the executed processes,
* hence we establish this communication channel so that forked off processes can pass their UID/GID
* information back to PID 1. The forked off processes send their resolved UID/GID to PID 1 in a simple
* datagram, along with their unit name, so that we can share one communication socket pair among all units for
* this purpose.
*
* You might wonder why we need a communication channel for this that is independent of the usual notification
* socket scheme (i.e. $NOTIFY_SOCKET). The primary difference is about trust: data sent via the $NOTIFY_SOCKET
* channel is only accepted if it originates from the right unit and if reception was enabled for it. The user
* lookup socket OTOH is only accessible by PID 1 and its children until they exec(), and always available.
*
* Note that this function is called under two circumstances: when we first initialize (in which case we
* allocate both the socket pair and the event source to listen on it), and when we deserialize after a reload
* (in which case the socket pair already exists but we still need to allocate the event source for it). */
if (m->user_lookup_fds[0] < 0) {
/* Free all secondary fields */
safe_close_pair(m->user_lookup_fds);
m->user_lookup_event_source = sd_event_source_unref(m->user_lookup_event_source);
if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, m->user_lookup_fds) < 0)
return log_error_errno(errno, "Failed to allocate user lookup socket: %m");
(void) fd_inc_rcvbuf(m->user_lookup_fds[0], NOTIFY_RCVBUF_SIZE);
}
if (!m->user_lookup_event_source) {
r = sd_event_add_io(m->event, &m->user_lookup_event_source, m->user_lookup_fds[0], EPOLLIN, manager_dispatch_user_lookup_fd, m);
if (r < 0)
return log_error_errno(errno, "Failed to allocate user lookup event source: %m");
/* Process even earlier than the notify event source, so that we always know first about valid UID/GID
* resolutions */
core: move user lookup event priority to -11 This is internal stuff, us talking to ourselves and relatively independent of everything else, let's put this at highest priority hence.
2018-01-23 18:15:16 +01:00
r = sd_event_source_set_priority(m->user_lookup_event_source, SD_EVENT_PRIORITY_NORMAL-11);
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
if (r < 0)
codespell: fix spelling errors
2019-04-27 02:22:40 +02:00
return log_error_errno(errno, "Failed to set priority of user lookup event source: %m");
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
(void) sd_event_source_set_description(m->user_lookup_event_source, "user-lookup");
}
return 0;
}
rework merging/loading logic
2010-04-06 02:43:58 +02:00
static unsigned manager_dispatch_cleanup_queue(Manager *m) {
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
Unit *u;
rework merging/loading logic
2010-04-06 02:43:58 +02:00
unsigned n = 0;
assert(m);
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
while ((u = m->cleanup_queue)) {
assert(u->in_cleanup_queue);
rework merging/loading logic
2010-04-06 02:43:58 +02:00
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
unit_free(u);
rework merging/loading logic
2010-04-06 02:43:58 +02:00
n++;
}
return n;
}
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
enum {
Spelling Corrections Just some lame spelling corrections with no functionality.
2011-02-21 15:32:17 +01:00
GC_OFFSET_IN_PATH, /* This one is on the path we were traveling */
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
GC_OFFSET_UNSURE, /* No clue */
GC_OFFSET_GOOD, /* We still need this unit */
GC_OFFSET_BAD, /* We don't need this unit anymore */
_GC_OFFSET_MAX
};
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
static void unit_gc_mark_good(Unit *u, unsigned gc_marker) {
manager: reduce complexity of unit_gc_sweep (#3507) When unit is marked as UNSURE, we are trying to find if it state was changed over and over again. So lets not go through the UNSURE states again. Also when we find a GOOD unit lets propagate the GOOD state to all units that this unit reference. This is a problem on machines with a lot of initscripts with different starting priority, since those units will reference each other and the original algorithm might get to n! complexity. Thanks HATAYAMA Daisuke for the expand_good_state code.
2016-06-14 14:20:56 +02:00
Unit *other;
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
Iterator i;
void *v;
manager: reduce complexity of unit_gc_sweep (#3507) When unit is marked as UNSURE, we are trying to find if it state was changed over and over again. So lets not go through the UNSURE states again. Also when we find a GOOD unit lets propagate the GOOD state to all units that this unit reference. This is a problem on machines with a lot of initscripts with different starting priority, since those units will reference each other and the original algorithm might get to n! complexity. Thanks HATAYAMA Daisuke for the expand_good_state code.
2016-06-14 14:20:56 +02:00
u->gc_marker = gc_marker + GC_OFFSET_GOOD;
/* Recursively mark referenced units as GOOD as well */
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
HASHMAP_FOREACH_KEY(v, other, u->dependencies[UNIT_REFERENCES], i)
manager: reduce complexity of unit_gc_sweep (#3507) When unit is marked as UNSURE, we are trying to find if it state was changed over and over again. So lets not go through the UNSURE states again. Also when we find a GOOD unit lets propagate the GOOD state to all units that this unit reference. This is a problem on machines with a lot of initscripts with different starting priority, since those units will reference each other and the original algorithm might get to n! complexity. Thanks HATAYAMA Daisuke for the expand_good_state code.
2016-06-14 14:20:56 +02:00
if (other->gc_marker == gc_marker + GC_OFFSET_UNSURE)
unit_gc_mark_good(other, gc_marker);
}
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
static void unit_gc_sweep(Unit *u, unsigned gc_marker) {
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
Unit *other;
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
bool is_bad;
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
Iterator i;
void *v;
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
assert(u);
tree-wide: use IN_SET macro (#6977)
2017-10-04 16:01:32 +02:00
if (IN_SET(u->gc_marker - gc_marker,
GC_OFFSET_GOOD, GC_OFFSET_BAD, GC_OFFSET_UNSURE, GC_OFFSET_IN_PATH))
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
return;
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->in_cleanup_queue)
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
goto bad;
pid1: rename unit_check_gc to unit_may_gc "check" is unclear: what is true, what is false? Let's rename to "can_gc" and revert the return value ("positive" values are easier to grok). v2: - rename from unit_can_gc to unit_may_gc
2018-02-13 10:50:13 +01:00
if (!unit_may_gc(u))
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
goto good;
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
u->gc_marker = gc_marker + GC_OFFSET_IN_PATH;
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
is_bad = true;
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
HASHMAP_FOREACH_KEY(v, other, u->dependencies[UNIT_REFERENCED_BY], i) {
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
unit_gc_sweep(other, gc_marker);
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (other->gc_marker == gc_marker + GC_OFFSET_GOOD)
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
goto good;
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (other->gc_marker != gc_marker + GC_OFFSET_BAD)
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
is_bad = false;
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
}
pid1: fix collection of cycles of units which reference one another A .socket will reference a .service unit, by registering a UnitRef with the .service unit. If this .service unit has the .socket unit listed in Wants or Sockets or such, a cycle will be created. We would not free this cycle properly, because we treated any unit with non-empty refs as uncollectable. To solve this issue, treats refs with UnitRef in u->refs_by_target similarly to the refs in u->dependencies, and check if the "other" unit is known to be needed. If it is not needed, do not treat the reference from it as preventing the unit we are looking at from being freed.
2018-02-13 14:37:11 +01:00
if (u->refs_by_target) {
const UnitRef *ref;
LIST_FOREACH(refs_by_target, ref, u->refs_by_target) {
unit_gc_sweep(ref->source, gc_marker);
if (ref->source->gc_marker == gc_marker + GC_OFFSET_GOOD)
goto good;
if (ref->source->gc_marker != gc_marker + GC_OFFSET_BAD)
is_bad = false;
}
}
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
if (is_bad)
goto bad;
/* We were unable to find anything out about this entry, so
* let's investigate it later */
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
u->gc_marker = gc_marker + GC_OFFSET_UNSURE;
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
unit_add_to_gc_queue(u);
return;
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
bad:
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
/* We definitely know that this one is not useful anymore, so
* let's mark it for deletion */
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
u->gc_marker = gc_marker + GC_OFFSET_BAD;
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
unit_add_to_cleanup_queue(u);
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
return;
good:
manager: reduce complexity of unit_gc_sweep (#3507) When unit is marked as UNSURE, we are trying to find if it state was changed over and over again. So lets not go through the UNSURE states again. Also when we find a GOOD unit lets propagate the GOOD state to all units that this unit reference. This is a problem on machines with a lot of initscripts with different starting priority, since those units will reference each other and the original algorithm might get to n! complexity. Thanks HATAYAMA Daisuke for the expand_good_state code.
2016-06-14 14:20:56 +02:00
unit_gc_mark_good(u, gc_marker);
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
}
core: GC redundant device jobs from the run queue In contrast to all other unit types device units when queued just track external state, they cannot effect state changes on their own. Hence unless a client or other job waits for them there's no reason to keep them in the job queue. This adds a concept of GC'ing jobs of this type as soon as no client or other job waits for them anymore. To ensure this works correctly we need to track which clients actually reference a job (i.e. which ones enqueued it). Unfortunately that's pretty nasty to do for direct connections, as sd_bus_track doesn't work for them. For now, work around this, by simply remembering in a boolean that a job was requested by a direct connection, and reset it when we notice the direct connection is gone. This means the GC logic works fine, except that jobs are not immediately removed when direct connections disconnect. In the longer term, a rework of the bus logic should fix this properly. For now this should be good enough, as GC works for fine all cases except this one, and thus is a clear improvement over the previous behaviour. Fixes: #1921
2016-11-15 19:32:50 +01:00
static unsigned manager_dispatch_gc_unit_queue(Manager *m) {
unsigned n = 0, gc_marker;
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
Unit *u;
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
assert(m);
core: make GC more aggressive Since we should allow registering/unregistering transient units with the same name in a tight-loop, we need to make the GC more aggressive, so that dead units are cleaned up immediately instead of later. hence, execute the GC sweep on every event loop iteration and clean up units. This of course, means we need to be careful with adding units to the GC queue, which we already are since we execute check_gc() of each unit type already when adding something to the queue.
2013-07-02 17:41:57 +02:00
/* log_debug("Running GC..."); */
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
m->gc_marker += _GC_OFFSET_MAX;
if (m->gc_marker + _GC_OFFSET_MAX <= _GC_OFFSET_MAX)
manager: fix GC logic
2010-04-22 02:41:14 +02:00
m->gc_marker = 1;
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
gc_marker = m->gc_marker;
core: GC redundant device jobs from the run queue In contrast to all other unit types device units when queued just track external state, they cannot effect state changes on their own. Hence unless a client or other job waits for them there's no reason to keep them in the job queue. This adds a concept of GC'ing jobs of this type as soon as no client or other job waits for them anymore. To ensure this works correctly we need to track which clients actually reference a job (i.e. which ones enqueued it). Unfortunately that's pretty nasty to do for direct connections, as sd_bus_track doesn't work for them. For now, work around this, by simply remembering in a boolean that a job was requested by a direct connection, and reset it when we notice the direct connection is gone. This means the GC logic works fine, except that jobs are not immediately removed when direct connections disconnect. In the longer term, a rework of the bus logic should fix this properly. For now this should be good enough, as GC works for fine all cases except this one, and thus is a clear improvement over the previous behaviour. Fixes: #1921
2016-11-15 19:32:50 +01:00
while ((u = m->gc_unit_queue)) {
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
assert(u->in_gc_queue);
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
unit_gc_sweep(u, gc_marker);
manager: fix GC algorithm
2010-04-23 18:47:49 +02:00
core: GC redundant device jobs from the run queue In contrast to all other unit types device units when queued just track external state, they cannot effect state changes on their own. Hence unless a client or other job waits for them there's no reason to keep them in the job queue. This adds a concept of GC'ing jobs of this type as soon as no client or other job waits for them anymore. To ensure this works correctly we need to track which clients actually reference a job (i.e. which ones enqueued it). Unfortunately that's pretty nasty to do for direct connections, as sd_bus_track doesn't work for them. For now, work around this, by simply remembering in a boolean that a job was requested by a direct connection, and reset it when we notice the direct connection is gone. This means the GC logic works fine, except that jobs are not immediately removed when direct connections disconnect. In the longer term, a rework of the bus logic should fix this properly. For now this should be good enough, as GC works for fine all cases except this one, and thus is a clear improvement over the previous behaviour. Fixes: #1921
2016-11-15 19:32:50 +01:00
LIST_REMOVE(gc_queue, m->gc_unit_queue, u);
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
u->in_gc_queue = false;
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
n++;
tree-wide: use IN_SET macro (#6977)
2017-10-04 16:01:32 +02:00
if (IN_SET(u->gc_marker - gc_marker,
GC_OFFSET_BAD, GC_OFFSET_UNSURE)) {
core: remove useless debug message Mar 13 19:48:28 adam.happyassassin.net systemd[1]: Collecting (null) Mar 13 19:48:28 adam.happyassassin.net systemd[1]: Collecting (null) Mar 13 19:48:28 adam.happyassassin.net systemd[1]: Collecting (null) Mar 13 19:48:28 adam.happyassassin.net systemd[1]: Collecting (null) Mar 13 19:48:28 adam.happyassassin.net systemd[1]: Collecting (null) Mar 13 19:48:28 adam.happyassassin.net systemd[1]: Collecting (null) Mar 13 19:48:28 adam.happyassassin.net systemd[1]: Collecting (null)
2015-03-15 17:12:19 +01:00
if (u->id)
core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters
2015-05-11 20:38:21 +02:00
log_unit_debug(u, "Collecting.");
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
u->gc_marker = gc_marker + GC_OFFSET_BAD;
unit_add_to_cleanup_queue(u);
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
}
}
return n;
}
core: GC redundant device jobs from the run queue In contrast to all other unit types device units when queued just track external state, they cannot effect state changes on their own. Hence unless a client or other job waits for them there's no reason to keep them in the job queue. This adds a concept of GC'ing jobs of this type as soon as no client or other job waits for them anymore. To ensure this works correctly we need to track which clients actually reference a job (i.e. which ones enqueued it). Unfortunately that's pretty nasty to do for direct connections, as sd_bus_track doesn't work for them. For now, work around this, by simply remembering in a boolean that a job was requested by a direct connection, and reset it when we notice the direct connection is gone. This means the GC logic works fine, except that jobs are not immediately removed when direct connections disconnect. In the longer term, a rework of the bus logic should fix this properly. For now this should be good enough, as GC works for fine all cases except this one, and thus is a clear improvement over the previous behaviour. Fixes: #1921
2016-11-15 19:32:50 +01:00
static unsigned manager_dispatch_gc_job_queue(Manager *m) {
unsigned n = 0;
Job *j;
assert(m);
while ((j = m->gc_job_queue)) {
assert(j->in_gc_queue);
LIST_REMOVE(gc_queue, m->gc_job_queue, j);
j->in_gc_queue = false;
n++;
pid1: rename job_check_gc to job_may_gc The reasoning is the same as for unit_can_gc. v2: - rename can_gc to may_gc
2018-02-14 00:39:06 +01:00
if (!job_may_gc(j))
core: GC redundant device jobs from the run queue In contrast to all other unit types device units when queued just track external state, they cannot effect state changes on their own. Hence unless a client or other job waits for them there's no reason to keep them in the job queue. This adds a concept of GC'ing jobs of this type as soon as no client or other job waits for them anymore. To ensure this works correctly we need to track which clients actually reference a job (i.e. which ones enqueued it). Unfortunately that's pretty nasty to do for direct connections, as sd_bus_track doesn't work for them. For now, work around this, by simply remembering in a boolean that a job was requested by a direct connection, and reset it when we notice the direct connection is gone. This means the GC logic works fine, except that jobs are not immediately removed when direct connections disconnect. In the longer term, a rework of the bus logic should fix this properly. For now this should be good enough, as GC works for fine all cases except this one, and thus is a clear improvement over the previous behaviour. Fixes: #1921
2016-11-15 19:32:50 +01:00
continue;
log_unit_debug(j->unit, "Collecting job.");
(void) job_finish_and_invalidate(j, JOB_COLLECTED, false, false);
}
return n;
}
core: rework StopWhenUnneeded= logic Previously, we'd act immediately on StopWhenUnneeded= when a unit state changes. With this rework we'll maintain a queue instead: whenever there's the chance that StopWhenUneeded= might have an effect we enqueue the unit, and process it later when we have nothing better to do. This should make the implementation a bit more reliable, as the unit notify event cannot immediately enqueue tons of side-effect jobs that might contradict each other, but we do so only in a strictly ordered fashion, from the main event loop. This slightly changes the check when to consider a unit "unneeded". Previously, we'd assume that a unit in "deactivating" state could also be cleaned up. With this new logic we'll only consider units unneeded that are fully up and have no job queued. This means that whenever there's something pending for a unit we won't clean it up.
2018-08-09 16:26:27 +02:00
static unsigned manager_dispatch_stop_when_unneeded_queue(Manager *m) {
unsigned n = 0;
Unit *u;
int r;
assert(m);
while ((u = m->stop_when_unneeded_queue)) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
assert(m->stop_when_unneeded_queue);
assert(u->in_stop_when_unneeded_queue);
LIST_REMOVE(stop_when_unneeded_queue, m->stop_when_unneeded_queue, u);
u->in_stop_when_unneeded_queue = false;
n++;
if (!unit_is_unneeded(u))
continue;
log_unit_debug(u, "Unit is not needed anymore.");
/* If stopping a unit fails continuously we might enter a stop loop here, hence stop acting on the
* service being unnecessary after a while. */
if (!ratelimit_below(&u->auto_stop_ratelimit)) {
log_unit_warning(u, "Unit not needed anymore, but not stopping since we tried this too often recently.");
continue;
}
/* Ok, nobody needs us anymore. Sniff. Then let's commit suicide */
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
r = manager_add_job(u->manager, JOB_STOP, u, JOB_FAIL, NULL, &error, NULL);
core: rework StopWhenUnneeded= logic Previously, we'd act immediately on StopWhenUnneeded= when a unit state changes. With this rework we'll maintain a queue instead: whenever there's the chance that StopWhenUneeded= might have an effect we enqueue the unit, and process it later when we have nothing better to do. This should make the implementation a bit more reliable, as the unit notify event cannot immediately enqueue tons of side-effect jobs that might contradict each other, but we do so only in a strictly ordered fashion, from the main event loop. This slightly changes the check when to consider a unit "unneeded". Previously, we'd assume that a unit in "deactivating" state could also be cleaned up. With this new logic we'll only consider units unneeded that are fully up and have no job queued. This means that whenever there's something pending for a unit we won't clean it up.
2018-08-09 16:26:27 +02:00
if (r < 0)
log_unit_warning_errno(u, r, "Failed to enqueue stop job, ignoring: %s", bus_error_message(&error, r));
}
return n;
}
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
static void manager_clear_jobs_and_units(Manager *m) {
Unit *u;
initial commit
2009-11-18 00:42:52 +01:00
assert(m);
s/name/unit
2010-01-26 21:39:06 +01:00
while ((u = hashmap_first(m->units)))
unit_free(u);
unit: when destructing units make sure we don't readd the unit to the gc queue after we already removed it there
2010-06-05 02:16:20 +02:00
manager_dispatch_cleanup_queue(m);
assert(!m->load_queue);
job: make the run queue order deterministic Jobs are added to the run queue in random order. This happens because most jobs are added by iterating over the transaction or dependency hash maps. As a result, jobs that can be executed at the same time are started in a different order each time. On small embedded devices this can cause a measurable jitter for the point in time when a job starts (~100ms jitter for 10 units that are started in random order). This results is a similar jitter for the boot time. This is undesirable in general and make optimizing the boot time a lot harder. Also, jobs that should have a higher priority because the unit has a higher CPU weight might get executed later than others. Fix this by turning the job run_queue into a Prioq and sort by the following criteria (use the next if the values are equal): - CPU weight - nice level - unit type - unit name The last one is just there for deterministic sorting to avoid any jitter.
2019-05-22 12:12:17 +02:00
assert(prioq_isempty(m->run_queue));
unit: when destructing units make sure we don't readd the unit to the gc queue after we already removed it there
2010-06-05 02:16:20 +02:00
assert(!m->dbus_unit_queue);
assert(!m->dbus_job_queue);
assert(!m->cleanup_queue);
core: GC redundant device jobs from the run queue In contrast to all other unit types device units when queued just track external state, they cannot effect state changes on their own. Hence unless a client or other job waits for them there's no reason to keep them in the job queue. This adds a concept of GC'ing jobs of this type as soon as no client or other job waits for them anymore. To ensure this works correctly we need to track which clients actually reference a job (i.e. which ones enqueued it). Unfortunately that's pretty nasty to do for direct connections, as sd_bus_track doesn't work for them. For now, work around this, by simply remembering in a boolean that a job was requested by a direct connection, and reset it when we notice the direct connection is gone. This means the GC logic works fine, except that jobs are not immediately removed when direct connections disconnect. In the longer term, a rework of the bus logic should fix this properly. For now this should be good enough, as GC works for fine all cases except this one, and thus is a clear improvement over the previous behaviour. Fixes: #1921
2016-11-15 19:32:50 +01:00
assert(!m->gc_unit_queue);
assert(!m->gc_job_queue);
core: rework StopWhenUnneeded= logic Previously, we'd act immediately on StopWhenUnneeded= when a unit state changes. With this rework we'll maintain a queue instead: whenever there's the chance that StopWhenUneeded= might have an effect we enqueue the unit, and process it later when we have nothing better to do. This should make the implementation a bit more reliable, as the unit notify event cannot immediately enqueue tons of side-effect jobs that might contradict each other, but we do so only in a strictly ordered fashion, from the main event loop. This slightly changes the check when to consider a unit "unneeded". Previously, we'd assume that a unit in "deactivating" state could also be cleaned up. With this new logic we'll only consider units unneeded that are fully up and have no job queued. This means that whenever there's something pending for a unit we won't clean it up.
2018-08-09 16:26:27 +02:00
assert(!m->stop_when_unneeded_queue);
unit: when destructing units make sure we don't readd the unit to the gc queue after we already removed it there
2010-06-05 02:16:20 +02:00
assert(hashmap_isempty(m->jobs));
assert(hashmap_isempty(m->units));
core: fix running jobs counters after reload/reexec All active units will call unit_notify() during coldplug, so we just make sure we're counting from zero again and get the correct result for n_on_console. For n_running_jobs we likewise reset it to zero and then count the running jobs as we encounter them in deserialization.
2013-03-01 14:47:46 +01:00
m->n_on_console = 0;
m->n_running_jobs = 0;
core/manager: Make sure jobs statistics are not double after daemon-reload We add n_installed_jobs and n_failed_jobs to our inner state after deserialization. This is fine during daemon-reexec when we start with clear Manager (and some jobs possibly queued before deserialization), however, daemon-reload works with the same manager and adding the values would effectively double the counters. Reset the counters before we deserialize and add their values again.
2018-06-22 16:19:52 +02:00
m->n_installed_jobs = 0;
m->n_failed_jobs = 0;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
}
manager: let manager_free() handle NULLs This makes the calling code a bit simpler.
2014-11-08 16:06:12 +01:00
Manager* manager_free(Manager *m) {
if (!m)
return NULL;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
manager_clear_jobs_and_units(m);
rework merging/loading logic
2010-04-06 02:43:58 +02:00
core: minor simplification
2020-05-26 19:28:53 +02:00
for (UnitType c = 0; c < _UNIT_TYPE_MAX; c++)
add new manager initializer callbacks to per-unit type vtable
2010-01-28 06:45:44 +01:00
if (unit_vtable[c]->shutdown)
unit_vtable[c]->shutdown(m);
core: tiny tweak for cgroup trimming during manager_free() Instead of blacklisting when not to trim the cgroup tree, let's instead whitelist when to do it, as an excercise of being careful when being destructive. This should not change behaviour with exception that during switch roots we now won't attempt to trim the cgroup tree anymore. Which is more correct behaviour after all we serialize/deserialize during the transition and should be needlessly destructive.
2018-10-09 15:56:27 +02:00
/* Keep the cgroup hierarchy in place except when we know we are going down for good */
manager_shutdown_cgroup(m, IN_SET(m->objective, MANAGER_EXIT, MANAGER_REBOOT, MANAGER_POWEROFF, MANAGER_HALT, MANAGER_KEXEC));
cgroup: add cgroupsification
2010-03-31 16:29:55 +02:00
core: move flushing of generated unit files to path-lookup.c It's very similar to the mkdir and trim operations for the generator dirs, hence let's unify this at a single place.
2016-04-06 20:47:44 +02:00
lookup_paths_flush_generator(&m->lookup_paths);
manager: hookup generators
2010-11-11 21:28:33 +01:00
dbus: to make sure that systemd stays controllable during early bootup, register our services on our own micro usb server in addition to the bus
2010-06-19 03:04:04 +02:00
bus_done(m);
core: add user/group resolution varlink interface to PID 1
2019-08-07 14:58:59 +02:00
manager_varlink_done(m);
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
core: make ExecRuntime be manager managed object Before this, each ExecRuntime object is owned by a unit. However, it may be shared with other units which enable JoinsNamespaceOf=. Thus, by the serialization/deserialization process, its sharing information, more specifically, reference counter is lost, and causes issue #7790. This makes ExecRuntime objects be managed by manager, and changes the serialization/deserialization process. Fixes #7790.
2018-02-06 08:00:34 +01:00
exec_runtime_vacuum(m);
hashmap_free(m->exec_runtime_by_id);
core: add a concept of "dynamic" user ids, that are allocated as long as a service is running This adds a new boolean setting DynamicUser= to service files. If set, a new user will be allocated dynamically when the unit is started, and released when it is stopped. The user ID is allocated from the range 61184..65519. The user will not be added to /etc/passwd (but an NSS module to be added later should make it show up in getent passwd). For now, care should be taken that the service writes no files to disk, since this might result in files owned by UIDs that might get assigned dynamically to a different service later on. Later patches will tighten sandboxing in order to ensure that this cannot happen, except for a few selected directories. A simple way to test this is: systemd-run -p DynamicUser=1 /bin/sleep 99999
2016-07-14 12:37:28 +02:00
dynamic_user_vacuum(m, false);
hashmap_free(m->dynamic_users);
s/name/unit
2010-01-26 21:39:06 +01:00
hashmap_free(m->units);
core: add "invocation ID" concept to service manager This adds a new invocation ID concept to the service manager. The invocation ID identifies each runtime cycle of a unit uniquely. A new randomized 128bit ID is generated each time a unit moves from and inactive to an activating or active state. The primary usecase for this concept is to connect the runtime data PID 1 maintains about a service with the offline data the journal stores about it. Previously we'd use the unit name plus start/stop times, which however is highly racy since the journal will generally process log data after the service already ended. The "invocation ID" kinda matches the "boot ID" concept of the Linux kernel, except that it applies to an individual unit instead of the whole system. The invocation ID is passed to the activated processes as environment variable. It is additionally stored as extended attribute on the cgroup of the unit. The latter is used by journald to automatically retrieve it for each log logged message and attach it to the log entry. The environment variable is very easily accessible, even for unprivileged services. OTOH the extended attribute is only accessible to privileged processes (this is because cgroupfs only supports the "trusted." xattr namespace, not "user."). The environment variable may be altered by services, the extended attribute may not be, hence is the better choice for the journal. Note that reading the invocation ID off the extended attribute from journald is racy, similar to the way reading the unit name for a logging process is. This patch adds APIs to read the invocation ID to sd-id128: sd_id128_get_invocation() may be used in a similar fashion to sd_id128_get_boot(). PID1's own logging is updated to always include the invocation ID when it logs information about a unit. A new bus call GetUnitByInvocationID() is added that allows retrieving a bus path to a unit by its invocation ID. The bus path is built using the invocation ID, thus providing a path for referring to a unit that is valid only for the current runtime cycleof it. Outlook for the future: should the kernel eventually allow passing of cgroup information along AF_UNIX/SOCK_DGRAM messages via a unique cgroup id, then we can alter the invocation ID to be generated as hash from that rather than entirely randomly. This way we can derive the invocation race-freely from the messages.
2016-08-30 23:18:46 +02:00
hashmap_free(m->units_by_invocation_id);
initial commit
2009-11-18 00:42:52 +01:00
hashmap_free(m->jobs);
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
hashmap_free(m->watch_pids);
service: optionally, trie dbus name cycle to service cycle
2010-04-15 23:16:16 +02:00
hashmap_free(m->watch_bus);
add simple event loop
2010-01-24 00:39:29 +01:00
job: make the run queue order deterministic Jobs are added to the run queue in random order. This happens because most jobs are added by iterating over the transaction or dependency hash maps. As a result, jobs that can be executed at the same time are started in a different order each time. On small embedded devices this can cause a measurable jitter for the point in time when a job starts (~100ms jitter for 10 units that are started in random order). This results is a similar jitter for the boot time. This is undesirable in general and make optimizing the boot time a lot harder. Also, jobs that should have a higher priority because the unit has a higher CPU weight might get executed later than others. Fix this by turning the job run_queue into a Prioq and sort by the following criteria (use the next if the values are equal): - CPU weight - nice level - unit type - unit name The last one is just there for deterministic sorting to avoid any jitter.
2019-05-22 12:12:17 +02:00
prioq_free(m->run_queue);
core: add startup resource control option Similar to CPUShares= and BlockIOWeight= respectively. However only assign the specified weight during startup. Each control group attribute is re-assigned as weight by CPUShares=weight and BlockIOWeight=weight after startup. If not CPUShares= or BlockIOWeight= be specified, then the attribute is re-assigned to each default attribute value. (default cpu.shares=1024, blkio.weight=1000) If only CPUShares=weight or BlockIOWeight=weight be specified, then that implies StartupCPUShares=weight and StartupBlockIOWeight=weight.
2014-05-15 17:09:34 +02:00
set_free(m->startup_units);
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
set_free(m->failed_units);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
sd_event_source_unref(m->signal_event_source);
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
sd_event_source_unref(m->sigchld_event_source);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
sd_event_source_unref(m->notify_event_source);
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
sd_event_source_unref(m->cgroups_agent_event_source);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
sd_event_source_unref(m->time_change_event_source);
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
sd_event_source_unref(m->timezone_change_event_source);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
sd_event_source_unref(m->jobs_in_progress_event_source);
core: dispatch run queue only if there's nothing else to do Always read all external events before we decide what we do next.
2013-11-25 15:22:41 +01:00
sd_event_source_unref(m->run_queue_event_source);
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
sd_event_source_unref(m->user_lookup_event_source);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.
2014-03-18 19:22:43 +01:00
safe_close(m->signal_fd);
safe_close(m->notify_fd);
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
safe_close(m->cgroups_agent_fd);
util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.
2014-03-18 19:22:43 +01:00
safe_close(m->time_change_fd);
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
safe_close_pair(m->user_lookup_fds);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
manager: do not print anything while passwords are being queried https://bugs.freedesktop.org/show_bug.cgi?id=73942
2014-10-26 02:30:51 +02:00
manager_close_ask_password(m);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
manager_close_idle_pipe(m);
sd_event_unref(m->event);
initial commit
2009-11-18 00:42:52 +01:00
service: add minimal access control logic for notifcation socket
2010-06-18 23:12:48 +02:00
free(m->notify_socket);
manager: split off path lookup logic into own .c file
2010-06-15 14:45:15 +02:00
lookup_paths_free(&m->lookup_paths);
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
strv_free(m->transient_environment);
strv_free(m->client_environment);
config: implement search path logic
2010-02-13 01:07:02 +01:00
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
hashmap_free(m->cgroup_unit);
pid1: use a cache for all unit aliases This reworks how we load units from disk. Instead of chasing symlinks every time we are asked to load a unit by name, we slurp all symlinks from disk and build two hashmaps: 1. from unit name to either alias target, or fragment on disk (if an alias, we put just the target name in the hashmap, if a fragment we put an absolute path, so we can distinguish both). 2. from a unit name to all aliases Reading all this data can be pretty costly (40 ms) on my machine, so we keep it around for reuse. The advantage is that we can reliably know what all the aliases of a given unit are. This means we can reliably load dropins under all names. This fixes #11972.
2019-07-18 13:11:28 +02:00
manager_free_unit_name_maps(m);
cgroup: make sure the user cannot accidentaly unmount our cgroup filesystem
2010-06-18 20:15:34 +02:00
manager: introduce SwitchRoot bus call for initrd/main transition
2012-05-09 01:24:50 +02:00
free(m->switch_root);
free(m->switch_root_init);
rlimit-util: add a common destructor call for arrays of struct rlimit
2018-05-03 19:05:59 +02:00
rlimit_free_all(m->rlimit);
main: allow system wide limits for services
2012-03-21 18:03:40 +01:00
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
assert(hashmap_isempty(m->units_requiring_mounts_for));
hashmap_free(m->units_requiring_mounts_for);
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
hashmap_free(m->uid_refs);
hashmap_free(m->gid_refs);
core: minor simplification
2020-05-26 19:28:53 +02:00
for (ExecDirectoryType dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++)
core/manager: fix memory leak (#6400) This fixes the memory leak introduced by 3536f49e8fa281539798a7bc5004d73302f39673, which forgot to free the prefixes in the manager. Fixes #6398.
2017-07-18 16:30:52 +02:00
m->prefix[dt] = mfree(m->prefix[dt]);
tree-wide: use mfree more
2016-10-17 00:28:30 +02:00
return mfree(m);
initial commit
2009-11-18 00:42:52 +01:00
}
core: enumerate perpetual units in a separate per-unit-type method Previously the enumerate() callback defined for each unit type would do two things: 1. It would create perpetual units (i.e. -.slice, system.slice, -.mount and init.scope) 2. It would enumerate units from /proc/self/mountinfo, /proc/swaps and the udev database With this change these two parts are split into two seperate methods: enumerate() now only does #2, while enumerate_perpetual() is responsible for #1. Why make this change? Well, perpetual units should have a slightly different effect that those found through enumeration: as perpetual units should be up unconditionally, perpetually and thus never change state, they should also not pull in deps by their state changing, not even when the state is first set to active. Thus, their state is generally initialized through the per-device coldplug() method in similar fashion to the deserialized state from a previous run would be put into place. OTOH units found through regular enumeration should result in state changes (and thus pull in deps due to state changes), hence their state should be put in effect in the catchup() method instead. Hence, given this difference, let's also separate the functions, so that the rule is: 1. What is created in enumerate_perpetual() should be started in coldplug() 2. What is created in enumerate() should be started in catchup().
2018-06-05 18:26:45 +02:00
static void manager_enumerate_perpetual(Manager *m) {
assert(m);
core: do not enumerate units in MANAGER_TEST_RUN_MINIMAL mode In this mode we are not supposed to "interact with the environment", so loading all units and printing warnings about syntax errors and /var/run usage seems inappropriate.
2019-06-26 14:56:59 +02:00
if (m->test_run_flags == MANAGER_TEST_RUN_MINIMAL)
return;
core: enumerate perpetual units in a separate per-unit-type method Previously the enumerate() callback defined for each unit type would do two things: 1. It would create perpetual units (i.e. -.slice, system.slice, -.mount and init.scope) 2. It would enumerate units from /proc/self/mountinfo, /proc/swaps and the udev database With this change these two parts are split into two seperate methods: enumerate() now only does #2, while enumerate_perpetual() is responsible for #1. Why make this change? Well, perpetual units should have a slightly different effect that those found through enumeration: as perpetual units should be up unconditionally, perpetually and thus never change state, they should also not pull in deps by their state changing, not even when the state is first set to active. Thus, their state is generally initialized through the per-device coldplug() method in similar fashion to the deserialized state from a previous run would be put into place. OTOH units found through regular enumeration should result in state changes (and thus pull in deps due to state changes), hence their state should be put in effect in the catchup() method instead. Hence, given this difference, let's also separate the functions, so that the rule is: 1. What is created in enumerate_perpetual() should be started in coldplug() 2. What is created in enumerate() should be started in catchup().
2018-06-05 18:26:45 +02:00
/* Let's ask every type to load all units from disk/kernel that it might know */
core: minor simplification
2020-05-26 19:28:53 +02:00
for (UnitType c = 0; c < _UNIT_TYPE_MAX; c++) {
core: enumerate perpetual units in a separate per-unit-type method Previously the enumerate() callback defined for each unit type would do two things: 1. It would create perpetual units (i.e. -.slice, system.slice, -.mount and init.scope) 2. It would enumerate units from /proc/self/mountinfo, /proc/swaps and the udev database With this change these two parts are split into two seperate methods: enumerate() now only does #2, while enumerate_perpetual() is responsible for #1. Why make this change? Well, perpetual units should have a slightly different effect that those found through enumeration: as perpetual units should be up unconditionally, perpetually and thus never change state, they should also not pull in deps by their state changing, not even when the state is first set to active. Thus, their state is generally initialized through the per-device coldplug() method in similar fashion to the deserialized state from a previous run would be put into place. OTOH units found through regular enumeration should result in state changes (and thus pull in deps due to state changes), hence their state should be put in effect in the catchup() method instead. Hence, given this difference, let's also separate the functions, so that the rule is: 1. What is created in enumerate_perpetual() should be started in coldplug() 2. What is created in enumerate() should be started in catchup().
2018-06-05 18:26:45 +02:00
if (!unit_type_supported(c)) {
log_debug("Unit type .%s is not supported on this system.", unit_type_to_string(c));
continue;
}
if (unit_vtable[c]->enumerate_perpetual)
unit_vtable[c]->enumerate_perpetual(m);
}
}
core/manager: make manager_enumerate() static
2018-04-20 12:12:11 +02:00
static void manager_enumerate(Manager *m) {
implement coldpluggin
2010-01-29 03:18:09 +01:00
assert(m);
core: do not enumerate units in MANAGER_TEST_RUN_MINIMAL mode In this mode we are not supposed to "interact with the environment", so loading all units and printing warnings about syntax errors and /var/run usage seems inappropriate.
2019-06-26 14:56:59 +02:00
if (m->test_run_flags == MANAGER_TEST_RUN_MINIMAL)
return;
core: enumerate perpetual units in a separate per-unit-type method Previously the enumerate() callback defined for each unit type would do two things: 1. It would create perpetual units (i.e. -.slice, system.slice, -.mount and init.scope) 2. It would enumerate units from /proc/self/mountinfo, /proc/swaps and the udev database With this change these two parts are split into two seperate methods: enumerate() now only does #2, while enumerate_perpetual() is responsible for #1. Why make this change? Well, perpetual units should have a slightly different effect that those found through enumeration: as perpetual units should be up unconditionally, perpetually and thus never change state, they should also not pull in deps by their state changing, not even when the state is first set to active. Thus, their state is generally initialized through the per-device coldplug() method in similar fashion to the deserialized state from a previous run would be put into place. OTOH units found through regular enumeration should result in state changes (and thus pull in deps due to state changes), hence their state should be put in effect in the catchup() method instead. Hence, given this difference, let's also separate the functions, so that the rule is: 1. What is created in enumerate_perpetual() should be started in coldplug() 2. What is created in enumerate() should be started in catchup().
2018-06-05 18:26:45 +02:00
/* Let's ask every type to load all units from disk/kernel that it might know */
core: minor simplification
2020-05-26 19:28:53 +02:00
for (UnitType c = 0; c < _UNIT_TYPE_MAX; c++) {
core: simplify unit type detection logic Introduce a new call unit_type_supported() and make use of it everywhere. Also, drop Manager parameter from per-type supported method prototype.
2015-04-30 01:29:00 +02:00
if (!unit_type_supported(c)) {
core: downgrade unit type not supported message Otherwise every daemon reload prints out warnings like: systemd[1]: Unit type .busname is not supported on this system. systemd[1]: Unit type .swap is not supported on this system.
2015-02-20 10:53:28 +01:00
log_debug("Unit type .%s is not supported on this system.", unit_type_to_string(c));
unit: handle nicely of certain unit types are not supported on specific systems Containers do not really support .device, .automount or .swap units; Systems compiled without support for swap do not support .swap units; Systems without kdbus do not support .busname units. With this change attempts to start a unsupported unit types will result in an immediate "unsupported" job result, which is a lot more descriptive then before. Also, attempts to start device units in containers will now immediately fail instead of causing jobs to be enqueued that never go away.
2014-12-12 21:05:32 +01:00
continue;
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
}
implement coldpluggin
2010-01-29 03:18:09 +01:00
core/manager: trivial simplification
2018-04-20 12:10:32 +02:00
if (unit_vtable[c]->enumerate)
unit_vtable[c]->enumerate(m);
unit: handle nicely of certain unit types are not supported on specific systems Containers do not really support .device, .automount or .swap units; Systems compiled without support for swap do not support .swap units; Systems without kdbus do not support .busname units. With this change attempts to start a unsupported unit types will result in an immediate "unsupported" job result, which is a lot more descriptive then before. Also, attempts to start device units in containers will now immediately fail instead of causing jobs to be enqueued that never go away.
2014-12-12 21:05:32 +01:00
}
implement coldpluggin
2010-01-29 03:18:09 +01:00
manager_dispatch_load_queue(m);
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
}
manager: don't fail fatally if we cannot coldplug a unit It's better to continue as good as we can, than to totally fail. Hence, let's log about the failure and continue.
2015-04-24 16:09:15 +02:00
static void manager_coldplug(Manager *m) {
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
Iterator i;
Unit *u;
char *k;
manager: don't fail fatally if we cannot coldplug a unit It's better to continue as good as we can, than to totally fail. Hence, let's log about the failure and continue.
2015-04-24 16:09:15 +02:00
int r;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
assert(m);
implement coldpluggin
2010-01-29 03:18:09 +01:00
core: add a new unit method "catchup()" This is very similar to the existing unit method coldplug() but is called a bit later. The idea is that that coldplug() restores the unit state from before any prior reload/restart, i.e. puts the deserialized state in effect. The catchup() call is then called a bit later, to catch up with the system state for which we missed notifications while we were reloading. This is only really useful for mount, swap and device mount points were we should be careful to generate all missing unit state change events (i.e. call unit_notify() appropriately) for everything that happened while we were reloading.
2018-06-05 16:53:22 +02:00
log_debug("Invoking unit coldplug() handlers…");
/* Let's place the units back into their deserialized state */
implement coldpluggin
2010-01-29 03:18:09 +01:00
HASHMAP_FOREACH_KEY(u, k, m->units, i) {
/* ignore aliases */
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->id != k)
implement coldpluggin
2010-01-29 03:18:09 +01:00
continue;
manager: don't fail fatally if we cannot coldplug a unit It's better to continue as good as we can, than to totally fail. Hence, let's log about the failure and continue.
2015-04-24 16:09:15 +02:00
r = unit_coldplug(u);
if (r < 0)
log_warning_errno(r, "We couldn't coldplug %s, proceeding anyway: %m", u->id);
implement coldpluggin
2010-01-29 03:18:09 +01:00
}
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
}
core: add a new unit method "catchup()" This is very similar to the existing unit method coldplug() but is called a bit later. The idea is that that coldplug() restores the unit state from before any prior reload/restart, i.e. puts the deserialized state in effect. The catchup() call is then called a bit later, to catch up with the system state for which we missed notifications while we were reloading. This is only really useful for mount, swap and device mount points were we should be careful to generate all missing unit state change events (i.e. call unit_notify() appropriately) for everything that happened while we were reloading.
2018-06-05 16:53:22 +02:00
static void manager_catchup(Manager *m) {
Iterator i;
Unit *u;
char *k;
assert(m);
log_debug("Invoking unit catchup() handlers…");
/* Let's catch up on any state changes that happened while we were reloading/reexecing */
HASHMAP_FOREACH_KEY(u, k, m->units, i) {
/* ignore aliases */
if (u->id != k)
continue;
unit_catchup(u);
}
}
core: change type of distribute_fds() prototype to return void We can't handle errors of thisc all sanely anyway, and we never actually return any errors from the unit type that implements the call. Hence, let's make this void, in order to simplify things.
2015-11-10 20:42:58 +01:00
static void manager_distribute_fds(Manager *m, FDSet *fds) {
Remove dead code and unexport some calls "make check-api-unused" informs us about code that is not used anymore or that is exported but only used internally. Fix these all over the place.
2013-11-08 18:11:09 +01:00
Iterator i;
core: change type of distribute_fds() prototype to return void We can't handle errors of thisc all sanely anyway, and we never actually return any errors from the unit type that implements the call. Hence, let's make this void, in order to simplify things.
2015-11-10 20:42:58 +01:00
Unit *u;
Remove dead code and unexport some calls "make check-api-unused" informs us about code that is not used anymore or that is exported but only used internally. Fix these all over the place.
2013-11-08 18:11:09 +01:00
assert(m);
HASHMAP_FOREACH(u, m->units, i) {
if (fdset_size(fds) <= 0)
break;
core: change type of distribute_fds() prototype to return void We can't handle errors of thisc all sanely anyway, and we never actually return any errors from the unit type that implements the call. Hence, let's make this void, in order to simplify things.
2015-11-10 20:42:58 +01:00
if (!UNIT_VTABLE(u)->distribute_fds)
continue;
Remove dead code and unexport some calls "make check-api-unused" informs us about code that is not used anymore or that is exported but only used internally. Fix these all over the place.
2013-11-08 18:11:09 +01:00
core: change type of distribute_fds() prototype to return void We can't handle errors of thisc all sanely anyway, and we never actually return any errors from the unit type that implements the call. Hence, let's make this void, in order to simplify things.
2015-11-10 20:42:58 +01:00
UNIT_VTABLE(u)->distribute_fds(u, fds);
}
Remove dead code and unexport some calls "make check-api-unused" informs us about code that is not used anymore or that is exported but only used internally. Fix these all over the place.
2013-11-08 18:11:09 +01:00
}
core: rework how we connect to the bus This removes the current bus_init() call, as it had multiple problems: it munged handling of the three bus connections we care about (private, "api" and system) into one, even though the conditions when which was ready are very different. It also added redundant logging, as the individual calls it called all logged on their own anyway. The three calls bus_init_api(), bus_init_private() and bus_init_system() are now made public. A new call manager_dbus_is_running() is added that works much like manager_journal_is_running() and is a lot more careful when checking whether dbus is around. Optionally it checks the unit's deserialized_state rather than state, in order to accomodate for cases where we cant to connect to the bus before deserializing the "subscribed" list, before coldplugging the units. manager_recheck_dbus() is added, that works a lot like manager_recheck_journal() and is invoked in unit_notify(), i.e. when units change state. All in all this should make handling a bit more alike to journal handling, and it also fixes one major bug: when running in user mode we'll now connect to the system bus early on, without conditionalizing this in anyway.
2018-02-07 14:52:22 +01:00
static bool manager_dbus_is_running(Manager *m, bool deserialized) {
Unit *u;
assert(m);
/* This checks whether the dbus instance we are supposed to expose our APIs on is up. We check both the socket
* and the service unit. If the 'deserialized' parameter is true we'll check the deserialized state of the unit
* rather than the current one. */
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m))
core: rework how we connect to the bus This removes the current bus_init() call, as it had multiple problems: it munged handling of the three bus connections we care about (private, "api" and system) into one, even though the conditions when which was ready are very different. It also added redundant logging, as the individual calls it called all logged on their own anyway. The three calls bus_init_api(), bus_init_private() and bus_init_system() are now made public. A new call manager_dbus_is_running() is added that works much like manager_journal_is_running() and is a lot more careful when checking whether dbus is around. Optionally it checks the unit's deserialized_state rather than state, in order to accomodate for cases where we cant to connect to the bus before deserializing the "subscribed" list, before coldplugging the units. manager_recheck_dbus() is added, that works a lot like manager_recheck_journal() and is invoked in unit_notify(), i.e. when units change state. All in all this should make handling a bit more alike to journal handling, and it also fixes one major bug: when running in user mode we'll now connect to the system bus early on, without conditionalizing this in anyway.
2018-02-07 14:52:22 +01:00
return false;
u = manager_get_unit(m, SPECIAL_DBUS_SOCKET);
if (!u)
return false;
if ((deserialized ? SOCKET(u)->deserialized_state : SOCKET(u)->state) != SOCKET_RUNNING)
return false;
u = manager_get_unit(m, SPECIAL_DBUS_SERVICE);
if (!u)
return false;
if (!IN_SET((deserialized ? SERVICE(u)->deserialized_state : SERVICE(u)->state), SERVICE_RUNNING, SERVICE_RELOAD))
return false;
return true;
}
core: split out bus initialization from manager_setup()
2018-06-04 20:02:59 +02:00
static void manager_setup_bus(Manager *m) {
assert(m);
/* Let's set up our private bus connection now, unconditionally */
(void) bus_init_private(m);
/* If we are in --user mode also connect to the system bus now */
if (MANAGER_IS_USER(m))
(void) bus_init_system(m);
/* Let's connect to the bus now, but only if the unit is supposed to be up */
if (manager_dbus_is_running(m, MANAGER_IS_RELOADING(m))) {
(void) bus_init_api(m);
if (MANAGER_IS_SYSTEM(m))
(void) bus_init_system(m);
}
}
core: split out early-boot preset logic into a function of its own
2018-06-04 23:05:20 +02:00
static void manager_preset_all(Manager *m) {
int r;
assert(m);
if (m->first_boot <= 0)
return;
if (!MANAGER_IS_SYSTEM(m))
return;
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m))
core: split out early-boot preset logic into a function of its own
2018-06-04 23:05:20 +02:00
return;
/* If this is the first boot, and we are in the host system, then preset everything */
r = unit_file_preset_all(UNIT_FILE_SYSTEM, 0, NULL, UNIT_FILE_PRESET_ENABLE_ONLY, NULL, 0);
if (r < 0)
log_full_errno(r == -EEXIST ? LOG_NOTICE : LOG_WARNING, r,
"Failed to populate /etc with preset unit settings, ignoring: %m");
else
log_info("Populated /etc with preset unit settings.");
}
core: add a common helper call manager_ready() sharing some common code between manager_reload() and manager_startup() Just sharing some common code. No functional changes
2018-10-09 19:41:24 +02:00
static void manager_ready(Manager *m) {
assert(m);
/* After having loaded everything, do the final round of catching up with what might have changed */
m->objective = MANAGER_OK; /* Tell everyone we are up now */
/* It might be safe to log to the journal now and connect to dbus */
manager_recheck_journal(m);
manager_recheck_dbus(m);
/* Let's finally catch up with any changes that took place while we were reloading/reexecing */
manager_catchup(m);
core: add Manager::honor_device_enumeration flag When system manager is started first time or after switching root, then the udev's device tag data do not exist yet. So, let's not honor the enumeration results. Fixes #11997.
2019-03-15 11:37:43 +01:00
m->honor_device_enumeration = true;
core: add a common helper call manager_ready() sharing some common code between manager_reload() and manager_startup() Just sharing some common code. No functional changes
2018-10-09 19:41:24 +02:00
}
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
static Manager* manager_reloading_start(Manager *m) {
m->n_reloading++;
return m;
}
static void manager_reloading_stopp(Manager **m) {
if (*m) {
assert((*m)->n_reloading > 0);
(*m)->n_reloading--;
}
}
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
int manager_startup(Manager *m, FILE *serialization, FDSet *fds) {
core/manager: just return an error if we fail halfway We would continue, but still return an error at the end. This isn't useful because we'd still error-out in main(). Also, add a missing error message when we fail to mkdir.
2017-11-15 10:38:04 +01:00
int r;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
assert(m);
core/manager: when running in test mode, use a temp dir for generated stuff When running through systemd-analyze verify or with --test, we would not run generators (environment or unit). But at the end, we would nuke the generator dirs anyway. Simplify things by actually running generators of both types, but redirecting their output to a temporary directory. This has the advantage that we test more code, and the verification is more complete. Since now we are not touching the real generator directories, we also don't delete them, which fixes #5609.
2017-09-14 19:26:29 +02:00
/* If we are running in test mode, we still want to run the generators,
* but we should not touch the real generator directories. */
r = lookup_paths_init(&m->lookup_paths, m->unit_file_scope,
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
MANAGER_IS_TEST_RUN(m) ? LOOKUP_PATHS_TEMPORARY_GENERATED : 0,
core/manager: when running in test mode, use a temp dir for generated stuff When running through systemd-analyze verify or with --test, we would not run generators (environment or unit). But at the end, we would nuke the generator dirs anyway. Simplify things by actually running generators of both types, but redirecting their output to a temporary directory. This has the advantage that we test more code, and the verification is more complete. Since now we are not touching the real generator directories, we also don't delete them, which fixes #5609.
2017-09-14 19:26:29 +02:00
NULL);
Implement masking and overriding of generators Sometimes it is necessary to stop a generator from running. Either because of a bug, or for testing, or some other reason. The only way to do that would be to rename or chmod the generator binary, which is inconvenient and does not survive upgrades. Allow masking and overriding generators similarly to units and other configuration files. For the systemd instance, masking would be more common, rather than overriding generators. For the user instances, it may also be useful for users to have generators in $XDG_CONFIG_HOME to augment or override system-wide generators. Directories are searched according to the usual scheme (/usr/lib, /usr/local/lib, /run, /etc), and files with the same name in higher priority directories override files with the same name in lower priority directories. Empty files and links to /dev/null mask a given name. https://bugs.freedesktop.org/show_bug.cgi?id=87230
2015-01-09 02:47:25 +01:00
if (r < 0)
core: log in all cases in manager_startup() We missed some cases where we'd fail without any logging at all. Let's fix that.
2018-10-09 17:16:08 +02:00
return log_error_errno(r, "Failed to initialize path lookup table: %m");
manager: hookup generators
2010-11-11 21:28:33 +01:00
core: serialize/deserialize several timestamps on initrd in different names
2018-07-22 06:41:44 +02:00
dual_timestamp_get(m->timestamps + manager_timestamp_initrd_mangle(MANAGER_TIMESTAMP_GENERATORS_START));
core: include environment generator runtime in generator timestamps Currently they aren't covered and it probably isn't worth adding another kind of timestamp just for this, hence simply include it in the regular generator timestamps.
2018-10-09 19:42:28 +02:00
r = manager_run_environment_generators(m);
if (r >= 0)
r = manager_run_generators(m);
core: serialize/deserialize several timestamps on initrd in different names
2018-07-22 06:41:44 +02:00
dual_timestamp_get(m->timestamps + manager_timestamp_initrd_mangle(MANAGER_TIMESTAMP_GENERATORS_FINISH));
manager: rework generator logic Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-23 03:43:29 +02:00
if (r < 0)
return r;
core: split out early-boot preset logic into a function of its own
2018-06-04 23:05:20 +02:00
manager_preset_all(m);
core: log in all cases in manager_startup() We missed some cases where we'd fail without any logging at all. Let's fix that.
2018-10-09 17:16:08 +02:00
core: stop removing non-existent and duplicate lookup paths When we would iterate over the lookup paths for each unit, making the list as short as possible was important for performance. With the current cache, it doesn't matter much. Two classes of paths were being removed: - paths which don't exist in the filesystem - paths which symlink to a path earlier in the search list Both of those points cause problems with the caching code: - if a user creates a directory that didn't exist before and puts units there, now we will notice the new mtime an properly load the unit. When the path was removed from list, we wouldn't. - we now properly detect whether a unit path is on the path or not. Before, if e.g. /lib/systemd/system, /usr/lib/systemd/systemd were both on the path, and /lib was a symlink to /usr/lib, the second directory would be pruned from the path. Then, the code would think that a symlink /etc/systemd/system/foo.service→/lib/systemd/system/foo.service is an alias, but /etc/systemd/system/foo.service→/usr/lib/systemd/system/foo.service would be considered a link (in the systemctl link sense). Removing the pruning has a slight negative performance impact in case of usr-merge systems which have systemd compiled with non-usr-merge paths. Non-usr-merge systems are deprecated, and this impact should be very small, so I think it's OK. If it turns out to be an issue, the loop in function that builds the cache could be improved to skip over "duplicate" directories with same logic that the cache pruning did before. I didn't want to add this, becuase it complicates the code to improve a corner case. Fixes #13272.
2019-08-26 08:58:41 +02:00
lookup_paths_log(&m->lookup_paths);
core: log in all cases in manager_startup() We missed some cases where we'd fail without any logging at all. Let's fix that.
2018-10-09 17:16:08 +02:00
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
{
/* This block is (optionally) done with the reloading counter bumped */
_cleanup_(manager_reloading_stopp) Manager *reloading = NULL;
/* If we will deserialize make sure that during enumeration this is already known, so we increase the
* counter here already */
if (serialization)
reloading = manager_reloading_start(m);
/* First, enumerate what we can from all config files */
dual_timestamp_get(m->timestamps + manager_timestamp_initrd_mangle(MANAGER_TIMESTAMP_UNITS_LOAD_START));
manager_enumerate_perpetual(m);
manager_enumerate(m);
dual_timestamp_get(m->timestamps + manager_timestamp_initrd_mangle(MANAGER_TIMESTAMP_UNITS_LOAD_FINISH));
/* Second, deserialize if there is something to deserialize */
if (serialization) {
r = manager_deserialize(m, serialization, fds);
if (r < 0)
return log_error_errno(r, "Deserialization failed: %m");
}
socket: support socket activation of containers
2012-12-22 19:30:07 +01:00
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
/* Any fds left? Find some unit which wants them. This is useful to allow container managers to pass
* some file descriptors to us pre-initialized. This enables socket-based activation of entire
* containers. */
manager_distribute_fds(m, fds);
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
/* We might have deserialized the notify fd, but if we didn't then let's create the bus now */
r = manager_setup_notify(m);
if (r < 0)
/* No sense to continue without notifications, our children would fail anyway. */
return r;
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
r = manager_setup_cgroups_agent(m);
if (r < 0)
/* Likewise, no sense to continue without empty cgroup notifications. */
return r;
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
r = manager_setup_user_lookup_fd(m);
if (r < 0)
/* This shouldn't fail, except if things are really broken. */
return r;
core: rework how we connect to the bus This removes the current bus_init() call, as it had multiple problems: it munged handling of the three bus connections we care about (private, "api" and system) into one, even though the conditions when which was ready are very different. It also added redundant logging, as the individual calls it called all logged on their own anyway. The three calls bus_init_api(), bus_init_private() and bus_init_system() are now made public. A new call manager_dbus_is_running() is added that works much like manager_journal_is_running() and is a lot more careful when checking whether dbus is around. Optionally it checks the unit's deserialized_state rather than state, in order to accomodate for cases where we cant to connect to the bus before deserializing the "subscribed" list, before coldplugging the units. manager_recheck_dbus() is added, that works a lot like manager_recheck_journal() and is invoked in unit_notify(), i.e. when units change state. All in all this should make handling a bit more alike to journal handling, and it also fixes one major bug: when running in user mode we'll now connect to the system bus early on, without conditionalizing this in anyway.
2018-02-07 14:52:22 +01:00
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
/* Connect to the bus if we are good for it */
manager_setup_bus(m);
core: allocate a kdbus bus for each systemd instance, if we can
2013-11-30 03:53:42 +01:00
codespell: fix spelling errors
2019-04-27 02:22:40 +02:00
/* Now that we are connected to all possible buses, let's deserialize who is tracking us. */
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
r = bus_track_coldplug(m, &m->subscribed, false, m->deserialized_subscribed);
if (r < 0)
log_warning_errno(r, "Failed to deserialized tracked clients, ignoring: %m");
m->deserialized_subscribed = strv_free(m->deserialized_subscribed);
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
core: add user/group resolution varlink interface to PID 1
2019-08-07 14:58:59 +02:00
r = manager_varlink_init(m);
if (r < 0)
log_warning_errno(r, "Failed to set up Varlink server, ignoring: %m");
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
/* Third, fire things up! */
manager_coldplug(m);
core: bring manager_startup() and manager_reload() more inline Both functions do partly the same, let's make sure they do it in the same order, and that we don't miss some calls. This makes a number of changes: 1. Moves exec_runtime_vacuum() two calls down in manager_startup(). This should not have any effect but makes manager_startup() more like manager_reload(). 2. Calls manager_recheck_journal(), manager_recheck_dbus(), manager_enqueue_sync_bus_names() in manager_startup() too. This is a good idea since during reeexec we pass through manager_startup() and hence can't assume dbus and journald weren't up yet, hence let's check if they are ready to be connected to. 3. Include manager_enumerate_perpetual() in manager_reload(), too. This is not strictly necessary, since these units are included in the serialization anyway, but it's still a nice thing, in particular as theoretically the deserialization could fail.
2018-10-09 17:37:57 +02:00
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
/* Clean up runtime objects */
manager_vacuum(m);
core: send out "Reloading" signal before and after doing a full reload/reexec of PID 1 Since we'll unload all units/job during a reload, and then readd them it is really useful for clients to be aware of this phase hence sent a signal out before and after. This signal is called "Reloading" (despite the fact that it is also sent out during reexecution, which we consider a special case in this context) and has one boolean parameter which is true for the signal sent before the reload, and false for the signal after the reload. The UnitRemoved/JobRremoved and UnitNew/JobNew due to the reloading are guranteed to be between the pair of Reloading messages.
2013-07-10 21:10:53 +02:00
manager: also use the reloading "cleanup" function in manager_startup Here the behaviour is nominally changed, because we will decrease the counter on error. But the only caller quits the program if error occurs, so this makes no practical difference.
2018-10-10 13:41:44 +02:00
if (serialization)
/* Let's wait for the UnitNew/JobNew messages being sent, before we notify that the
* reload is finished */
m->send_reloading_done = true;
unit: disable retroactive starting/stopping of units when deserializing
2010-07-13 19:01:20 +02:00
}
core: add a common helper call manager_ready() sharing some common code between manager_reload() and manager_startup() Just sharing some common code. No functional changes
2018-10-09 19:41:24 +02:00
manager_ready(m);
core: add a new unit method "catchup()" This is very similar to the existing unit method coldplug() but is called a bit later. The idea is that that coldplug() restores the unit state from before any prior reload/restart, i.e. puts the deserialized state in effect. The catchup() call is then called a bit later, to catch up with the system state for which we missed notifications while we were reloading. This is only really useful for mount, swap and device mount points were we should be careful to generate all missing unit state change events (i.e. call unit_notify() appropriately) for everything that happened while we were reloading.
2018-06-05 16:53:22 +02:00
core/manager: just return an error if we fail halfway We would continue, but still return an error at the end. This isn't useful because we'd still error-out in main(). Also, add a missing error message when we fail to mkdir.
2017-11-15 10:38:04 +01:00
return 0;
implement coldpluggin
2010-01-29 03:18:09 +01:00
}
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
int manager_add_job(
Manager *m,
JobType type,
Unit *unit,
JobMode mode,
Set *affected_jobs,
sd_bus_error *error,
Job **ret) {
manager: Transaction as an object This makes it obvious that transactions are short-lived. They are created in manager_add_job() and destroyed after the application of jobs. It also prepares for a split of the transaction code to a new source.
2012-04-20 10:22:07 +02:00
Transaction *tr;
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
int r;
implement transaction engine
2010-01-20 02:12:51 +01:00
assert(m);
assert(type < _JOB_TYPE_MAX);
s/name/unit
2010-01-26 21:39:06 +01:00
assert(unit);
implement transaction engine
2010-01-20 02:12:51 +01:00
assert(mode < _JOB_MODE_MAX);
initial commit
2009-11-18 00:42:52 +01:00
Convert the rest to sd_bus_errnomap I tried to preserve most errno values, but in some cases they were inconsistent (different errno values for the same error name) or just mismatched.
2014-10-31 01:32:17 +01:00
if (mode == JOB_ISOLATE && type != JOB_START)
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Isolate is only valid for start.");
manager: introduce 'isolate' job mode which kills all units but the requested one
2010-04-22 02:42:59 +02:00
Convert the rest to sd_bus_errnomap I tried to preserve most errno values, but in some cases they were inconsistent (different errno values for the same error name) or just mismatched.
2014-10-31 01:32:17 +01:00
if (mode == JOB_ISOLATE && !unit->allow_isolate)
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
return sd_bus_error_setf(error, BUS_ERROR_NO_ISOLATION, "Operation refused, unit may not be isolated.");
unit: introduce AllowIsolate= switch
2010-08-30 22:45:46 +02:00
core: Add triggering job mode When used with systemctl stop, follows TRIGGERED_BY dependencies and adds them to the same transaction. Fixes: #3043
2019-11-01 08:54:03 +01:00
if (mode == JOB_TRIGGERING && type != JOB_STOP)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "--job-mode=triggering is only valid for stop.");
core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters
2015-05-11 20:38:21 +02:00
log_unit_debug(unit, "Trying to enqueue job %s/%s/%s", unit->id, job_type_to_string(type), job_mode_to_string(mode));
fix ordering cycle detection
2010-01-29 04:11:36 +01:00
core: when propagating restart requests due to deps, downgrade restart to try-restart Previously, if a service A depended on a service B via Requires=, and A was not running and B restarted this would trigger a start of A as well, since the restart was propagated as restart independently of the state of A. This patch ensures that a restart of B would be propagated as a try-restart to A, thus not changing its state if it isn't up. http://lists.freedesktop.org/archives/systemd-devel/2015-May/032061.html
2015-05-19 18:13:22 +02:00
type = job_type_collapse(type, unit);
core: add NOP jobs, job type collapsing Two of our current job types are special: JOB_TRY_RESTART, JOB_RELOAD_OR_START. They differ from other job types by being sensitive to the unit active state. They perform some action when the unit is active and some other action otherwise. This raises a question: when exactly should the unit state be checked to make the decision? Currently the unit state is checked when the job becomes runnable. It's more sensible to check the state immediately when the job is added by the user. When the user types "systemctl try-restart foo.service", he really intends to restart the service if it's running right now. If it isn't running right now, the restart is pointless. Consider the example (from Bugzilla[1]): sleep.service takes some time to start. hello.service has After=sleep.service. Both services get started. Two jobs will appear: hello.service/start waiting sleep.service/start running Then someone runs "systemctl try-restart hello.service". Currently the try-restart operation will block and wait for sleep.service/start to complete. The correct result is to complete the try-restart operation immediately with success, because hello.service is not running. The two original jobs must not be disturbed by this. To fix this we introduce two new concepts: - a new job type: JOB_NOP A JOB_NOP job does not do anything to the unit. It does not pull in any dependencies. It is always immediately runnable. When installed to a unit, it sits in a special slot (u->nop_job) where it never conflicts with the installed job (u->job) of a different type. It never merges with jobs of other types, but it can merge into an already installed JOB_NOP job. - "collapsing" of job types When a job of one of the two special types is added, the state of the unit is checked immediately and the job type changes: JOB_TRY_RESTART -> JOB_RESTART or JOB_NOP JOB_RELOAD_OR_START -> JOB_RELOAD or JOB_START Should a job type JOB_RELOAD_OR_START appear later during job merging, it collapses immediately afterwards. Collapsing actually makes some things simpler, because there are now fewer job types that are allowed in the transaction. [1] Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=753586
2012-04-25 11:58:27 +02:00
core, systemctl: add support for irreversible jobs Add a new job mode: replace-irreversibly. Jobs enqueued using this mode cannot be implicitly canceled by later enqueued conflicting jobs. They can however still be canceled with an explicit "systemctl cancel" call.
2013-02-22 11:21:37 +01:00
tr = transaction_new(mode == JOB_REPLACE_IRREVERSIBLY);
manager: Transaction as an object This makes it obvious that transactions are short-lived. They are created in manager_add_job() and destroyed after the application of jobs. It also prepares for a split of the transaction code to a new source.
2012-04-20 10:22:07 +02:00
if (!tr)
return -ENOMEM;
first try at implementing job creation
2010-01-19 04:15:20 +01:00
core: drop "override" flag when building transactions Now that we don't have RequiresOverridable= and RequisiteOverridable= dependencies anymore, we can get rid of tracking the "override" boolean for jobs in the job engine, as it serves no purpose anymore. While we are at it, fix some error messages we print when invoking functions that take the override parameter.
2015-11-12 19:52:31 +01:00
r = transaction_add_job_and_dependencies(tr, type, unit, NULL, true, false,
tree-wide: use IN_SET where possible In addition to the changes from #6933 this handles cases that could be matched with the included cocci file.
2017-09-29 00:37:23 +02:00
IN_SET(mode, JOB_IGNORE_DEPENDENCIES, JOB_IGNORE_REQUIREMENTS),
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
mode == JOB_IGNORE_DEPENDENCIES, error);
manager: Transaction as an object This makes it obvious that transactions are short-lived. They are created in manager_add_job() and destroyed after the application of jobs. It also prepares for a split of the transaction code to a new source.
2012-04-20 10:22:07 +02:00
if (r < 0)
goto tr_abort;
manager: introduce 'isolate' job mode which kills all units but the requested one
2010-04-22 02:42:59 +02:00
manager: Transaction as an object This makes it obvious that transactions are short-lived. They are created in manager_add_job() and destroyed after the application of jobs. It also prepares for a split of the transaction code to a new source.
2012-04-20 10:22:07 +02:00
if (mode == JOB_ISOLATE) {
r = transaction_add_isolate_jobs(tr, m);
if (r < 0)
goto tr_abort;
}
core: Add triggering job mode When used with systemctl stop, follows TRIGGERED_BY dependencies and adds them to the same transaction. Fixes: #3043
2019-11-01 08:54:03 +01:00
if (mode == JOB_TRIGGERING) {
r = transaction_add_triggering_jobs(tr, unit);
if (r < 0)
goto tr_abort;
}
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
r = transaction_activate(tr, m, mode, affected_jobs, error);
manager: Transaction as an object This makes it obvious that transactions are short-lived. They are created in manager_add_job() and destroyed after the application of jobs. It also prepares for a split of the transaction code to a new source.
2012-04-20 10:22:07 +02:00
if (r < 0)
goto tr_abort;
implement transaction engine
2010-01-20 02:12:51 +01:00
core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters
2015-05-11 20:38:21 +02:00
log_unit_debug(unit,
systemd: use unit logging macros
2013-01-05 18:00:35 +01:00
"Enqueued job %s/%s as %u", unit->id,
job_type_to_string(type), (unsigned) tr->anchor_job->id);
implement coldpluggin
2010-01-29 03:18:09 +01:00
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
if (ret)
*ret = tr->anchor_job;
initial commit
2009-11-18 00:42:52 +01:00
manager: Transaction as an object This makes it obvious that transactions are short-lived. They are created in manager_add_job() and destroyed after the application of jobs. It also prepares for a split of the transaction code to a new source.
2012-04-20 10:22:07 +02:00
transaction_free(tr);
implement transaction engine
2010-01-20 02:12:51 +01:00
return 0;
manager: Transaction as an object This makes it obvious that transactions are short-lived. They are created in manager_add_job() and destroyed after the application of jobs. It also prepares for a split of the transaction code to a new source.
2012-04-20 10:22:07 +02:00
tr_abort:
transaction_abort(tr);
transaction_free(tr);
return r;
implement transaction engine
2010-01-20 02:12:51 +01:00
}
initial commit
2009-11-18 00:42:52 +01:00
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
int manager_add_job_by_name(Manager *m, JobType type, const char *name, JobMode mode, Set *affected_jobs, sd_bus_error *e, Job **ret) {
core/manager: silence gcc warning about unitialized variable At -O3, this was printed a hundred times for various callers of manager_add_job_by_name(). AFAICT, there is no error and `unit` is always intialized. Nevertheless, add explicit initialization to silence the noise. src/core/manager.c: In function 'manager_start_target': src/core/manager.c:1413:16: warning: 'unit' may be used uninitialized in this function [-Wmaybe-uninitialized] return manager_add_job(m, type, unit, mode, e, ret); ^ src/core/manager.c:1401:15: note: 'unit' was declared here Unit *unit; ^
2017-02-12 18:56:40 +01:00
Unit *unit = NULL; /* just to appease gcc, initialization is not really necessary */
manager: simplify startup of special targets
2010-04-13 01:59:06 +02:00
int r;
assert(m);
assert(type < _JOB_TYPE_MAX);
assert(name);
assert(mode < _JOB_MODE_MAX);
selinux: use existing library calls for audit data
2012-09-18 01:55:49 +02:00
r = manager_load_unit(m, name, NULL, NULL, &unit);
if (r < 0)
manager: simplify startup of special targets
2010-04-13 01:59:06 +02:00
return r;
core/manager: silence gcc warning about unitialized variable At -O3, this was printed a hundred times for various callers of manager_add_job_by_name(). AFAICT, there is no error and `unit` is always intialized. Nevertheless, add explicit initialization to silence the noise. src/core/manager.c: In function 'manager_start_target': src/core/manager.c:1413:16: warning: 'unit' may be used uninitialized in this function [-Wmaybe-uninitialized] return manager_add_job(m, type, unit, mode, e, ret); ^ src/core/manager.c:1401:15: note: 'unit' was declared here Unit *unit; ^
2017-02-12 18:56:40 +01:00
assert(unit);
manager: simplify startup of special targets
2010-04-13 01:59:06 +02:00
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
return manager_add_job(m, type, unit, mode, affected_jobs, e, ret);
core: unify code that warns about jobs we fail to enqueue This allows us to shorten our code a bit.
2015-11-12 20:13:42 +01:00
}
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
int manager_add_job_by_name_and_warn(Manager *m, JobType type, const char *name, JobMode mode, Set *affected_jobs, Job **ret) {
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.
2015-11-27 19:13:45 +01:00
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
core: unify code that warns about jobs we fail to enqueue This allows us to shorten our code a bit.
2015-11-12 20:13:42 +01:00
int r;
assert(m);
assert(type < _JOB_TYPE_MAX);
assert(name);
assert(mode < _JOB_MODE_MAX);
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
r = manager_add_job_by_name(m, type, name, mode, affected_jobs, &error, ret);
core: unify code that warns about jobs we fail to enqueue This allows us to shorten our code a bit.
2015-11-12 20:13:42 +01:00
if (r < 0)
return log_warning_errno(r, "Failed to enqueue %s job for %s: %s", job_mode_to_string(mode), name, bus_error_message(&error, r));
return r;
manager: simplify startup of special targets
2010-04-13 01:59:06 +02:00
}
core: propagate reload from RELOADING=1 notification (#6550)
2017-08-07 11:27:24 +02:00
int manager_propagate_reload(Manager *m, Unit *unit, JobMode mode, sd_bus_error *e) {
int r;
Transaction *tr;
assert(m);
assert(unit);
assert(mode < _JOB_MODE_MAX);
assert(mode != JOB_ISOLATE); /* Isolate is only valid for start */
tr = transaction_new(mode == JOB_REPLACE_IRREVERSIBLY);
if (!tr)
return -ENOMEM;
/* We need an anchor job */
r = transaction_add_job_and_dependencies(tr, JOB_NOP, unit, NULL, false, false, true, true, e);
if (r < 0)
goto tr_abort;
/* Failure in adding individual dependencies is ignored, so this always succeeds. */
transaction_add_propagate_reload_jobs(tr, unit, tr->anchor_job, mode == JOB_IGNORE_DEPENDENCIES, e);
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
r = transaction_activate(tr, m, mode, NULL, e);
core: propagate reload from RELOADING=1 notification (#6550)
2017-08-07 11:27:24 +02:00
if (r < 0)
goto tr_abort;
transaction_free(tr);
return 0;
tr_abort:
transaction_abort(tr);
transaction_free(tr);
return r;
}
initial commit
2009-11-18 00:42:52 +01:00
Job *manager_get_job(Manager *m, uint32_t id) {
assert(m);
return hashmap_get(m->jobs, UINT32_TO_PTR(id));
}
s/name/unit
2010-01-26 21:39:06 +01:00
Unit *manager_get_unit(Manager *m, const char *name) {
initial commit
2009-11-18 00:42:52 +01:00
assert(m);
assert(name);
s/name/unit
2010-01-26 21:39:06 +01:00
return hashmap_get(m->units, name);
initial commit
2009-11-18 00:42:52 +01:00
}
core: delay adding target dependencies until all units are loaded and aliases resolved (#8381) Currently we add target dependencies while we are loading units. This can create ordering loops even if configuration doesn't contain any loop. Take for example following configuration, $ systemctl get-default multi-user.target $ cat /etc/systemd/system/test.service [Unit] After=default.target [Service] ExecStart=/bin/true [Install] WantedBy=multi-user.target If we encounter such unit file early during manager start-up (e.g. load queue is dispatched while enumerating devices due to SYSTEMD_WANTS in udev rules) we would add stub unit default.target and we order it Before test.service. At the same time we add implicit Before to multi-user.target. Later we merge two units and we create ordering cycle in the process. To fix the issue we will now never add any target dependencies until we loaded all the unit files and resolved all the aliases.
2018-03-23 15:28:06 +01:00
static int manager_dispatch_target_deps_queue(Manager *m) {
Unit *u;
unsigned k;
int r = 0;
static const UnitDependency deps[] = {
UNIT_REQUIRED_BY,
UNIT_REQUISITE_OF,
UNIT_WANTED_BY,
UNIT_BOUND_BY
};
assert(m);
while ((u = m->target_deps_queue)) {
assert(u->in_target_deps_queue);
LIST_REMOVE(target_deps_queue, u->manager->target_deps_queue, u);
u->in_target_deps_queue = false;
for (k = 0; k < ELEMENTSOF(deps); k++) {
Unit *target;
Iterator i;
void *v;
HASHMAP_FOREACH_KEY(v, target, u->dependencies[deps[k]], i) {
r = unit_add_default_target_dependency(u, target);
if (r < 0)
return r;
}
}
}
return r;
}
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
unsigned manager_dispatch_load_queue(Manager *m) {
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
Unit *u;
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
unsigned n = 0;
initial commit
2009-11-18 00:42:52 +01:00
assert(m);
manager: add basic support for loading name fragment files
2009-11-19 02:52:17 +01:00
/* Make sure we are not run recursively */
if (m->dispatching_load_queue)
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
return 0;
manager: add basic support for loading name fragment files
2009-11-19 02:52:17 +01:00
m->dispatching_load_queue = true;
s/name/unit
2010-01-26 21:39:06 +01:00
/* Dispatches the load queue. Takes a unit from the queue and
initial commit
2009-11-18 00:42:52 +01:00
* tries to load its data until the queue is empty */
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
while ((u = m->load_queue)) {
assert(u->in_load_queue);
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
unit_load(u);
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
n++;
initial commit
2009-11-18 00:42:52 +01:00
}
manager: add basic support for loading name fragment files
2009-11-19 02:52:17 +01:00
m->dispatching_load_queue = false;
core: delay adding target dependencies until all units are loaded and aliases resolved (#8381) Currently we add target dependencies while we are loading units. This can create ordering loops even if configuration doesn't contain any loop. Take for example following configuration, $ systemctl get-default multi-user.target $ cat /etc/systemd/system/test.service [Unit] After=default.target [Service] ExecStart=/bin/true [Install] WantedBy=multi-user.target If we encounter such unit file early during manager start-up (e.g. load queue is dispatched while enumerating devices due to SYSTEMD_WANTS in udev rules) we would add stub unit default.target and we order it Before test.service. At the same time we add implicit Before to multi-user.target. Later we merge two units and we create ordering cycle in the process. To fix the issue we will now never add any target dependencies until we loaded all the unit files and resolved all the aliases.
2018-03-23 15:28:06 +01:00
/* Dispatch the units waiting for their target dependencies to be added now, as all targets that we know about
* should be loaded and have aliases resolved */
(void) manager_dispatch_target_deps_queue(m);
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
return n;
initial commit
2009-11-18 00:42:52 +01:00
}
core: refresh unit cache when building a transaction if UNIT_NOT_FOUND When a command asks to load a unit directly and it is in state UNIT_NOT_FOUND, and the cache is outdated, we refresh it and attempto to load again. Use the same logic when building up a transaction and a dependency in UNIT_NOT_FOUND state is encountered. Update the unit test to exercise this code path.
2020-07-03 19:45:19 +02:00
bool manager_unit_file_maybe_loadable_from_cache(Unit *u) {
assert(u);
if (u->load_state != UNIT_NOT_FOUND)
return false;
if (u->manager->unit_cache_mtime == 0)
return false;
if (u->manager->unit_cache_mtime > u->fragment_loadtime)
return true;
core: reload cache if it's dirty when starting a UNIT_NOT_FOUND unit The time-based cache allows starting a new unit without an expensive daemon-reload, unless there was already a reference to it because of a dependency or ordering from another unit. If the cache is out of date, check again if we can load the fragment.
2020-05-08 00:26:53 +02:00
core: refresh unit cache when building a transaction if UNIT_NOT_FOUND When a command asks to load a unit directly and it is in state UNIT_NOT_FOUND, and the cache is outdated, we refresh it and attempto to load again. Use the same logic when building up a transaction and a dependency in UNIT_NOT_FOUND state is encountered. Update the unit test to exercise this code path.
2020-07-03 19:45:19 +02:00
return !lookup_paths_mtime_good(&u->manager->lookup_paths, u->manager->unit_cache_mtime);
core: reload cache if it's dirty when starting a UNIT_NOT_FOUND unit The time-based cache allows starting a new unit without an expensive daemon-reload, unless there was already a reference to it because of a dependency or ordering from another unit. If the cache is out of date, check again if we can load the fragment.
2020-05-08 00:26:53 +02:00
}
core: add transient units Transient units can be created via the bus API. They are configured via the method call parameters rather than on-disk files. They are subject to normal GC. Transient units currently may only be created for services (however, we will extend this), and currently only ExecStart= and the cgroup parameters can be configured (also to be extended). Transient units require a unique name, that previously had no configuration file on disk. A tool systemd-run is added that makes use of this functionality to run arbitrary command lines as transient services: $ systemd-run /bin/ping www.heise.de Will cause systemd to create a new transient service and run ping in it.
2013-06-28 04:12:58 +02:00
int manager_load_unit_prepare(
Manager *m,
const char *name,
const char *path,
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
sd_bus_error *e,
core: add transient units Transient units can be created via the bus API. They are configured via the method call parameters rather than on-disk files. They are subject to normal GC. Transient units currently may only be created for services (however, we will extend this), and currently only ExecStart= and the cgroup parameters can be configured (also to be extended). Transient units require a unique name, that previously had no configuration file on disk. A tool systemd-run is added that makes use of this functionality to run arbitrary command lines as transient services: $ systemd-run /bin/ping www.heise.de Will cause systemd to create a new transient service and run ping in it.
2013-06-28 04:12:58 +02:00
Unit **_ret) {
Introduce _cleanup_(unit_freep)
2018-03-09 21:34:28 +01:00
_cleanup_(unit_freep) Unit *cleanup_ret = NULL;
s/name/unit
2010-01-26 21:39:06 +01:00
Unit *ret;
unit: reduce heap usage for unit objects The storage of the unit objects on the heap is currently not very efficient. For every unit object we allocate a chunk of memory as large as the biggest unit type, although there are significant differences in the units' real requirements. pahole shows the following sizes of structs: 488 Target 496 Snapshot 512 Device 528 Path 560 Timer 576 Automount 1080 Socket 1160 Swap 1168 Service 1280 Mount Usually there aren't many targets or snapshots in the system, but Device is one of the most common unit types and for every one we waste 1280 - 512 = 768 bytes. Fix it by allocating only the right amount for the given unit type. On my machine (x86_64, with 39 LVM volumes) this decreases systemd's USS (unique set size) by more than 300 KB.
2012-01-15 10:53:49 +01:00
UnitType t;
initial commit
2009-11-18 00:42:52 +01:00
int r;
assert(m);
core/manager: make manager_load_unit*() functions always take output arg We were inconsistent, manager_load_unit_prepare() would crash if _ret was ever NULL. But none of the callers use NULL. So simplify things and require it to be non-NULL.
2017-02-12 18:40:09 +01:00
assert(_ret);
initial commit
2009-11-18 00:42:52 +01:00
service: sysv priorities in link names should take precedence, since they are possibly fixed up by chkconfig
2010-04-24 04:26:33 +02:00
/* This will prepare the unit for loading, but not actually
* load anything from disk. */
implement drop-in directories
2010-01-27 00:15:56 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
if (path && !is_path(path))
return sd_bus_error_setf(e, SD_BUS_ERROR_INVALID_ARGS, "Path %s is not absolute.", path);
core: add minimal templating system
2010-04-15 03:11:11 +02:00
tree-wide: Workaround -Wnonnull GCC bug See issue #6119
2020-05-06 21:24:05 +02:00
if (!name) {
/* 'name' and 'path' must not both be null. Check here 'path' using assert_se() to
* workaround a bug in gcc that generates a -Wnonnull warning when calling basename(),
* but this cannot be possible in any code path (See #6119). */
assert_se(path);
Get rid of our reimplementation of basename The only problem is that libgen.h #defines basename to point to it's own broken implementation instead of the GNU one. This can be fixed by #undefining basename.
2013-12-07 03:29:55 +01:00
name = basename(path);
tree-wide: Workaround -Wnonnull GCC bug See issue #6119
2020-05-06 21:24:05 +02:00
}
core: add minimal templating system
2010-04-15 03:11:11 +02:00
unit: reduce heap usage for unit objects The storage of the unit objects on the heap is currently not very efficient. For every unit object we allocate a chunk of memory as large as the biggest unit type, although there are significant differences in the units' real requirements. pahole shows the following sizes of structs: 488 Target 496 Snapshot 512 Device 528 Path 560 Timer 576 Automount 1080 Socket 1160 Swap 1168 Service 1280 Mount Usually there aren't many targets or snapshots in the system, but Device is one of the most common unit types and for every one we waste 1280 - 512 = 768 bytes. Fix it by allocating only the right amount for the given unit type. On my machine (x86_64, with 39 LVM volumes) this decreases systemd's USS (unique set size) by more than 300 KB.
2012-01-15 10:53:49 +01:00
t = unit_name_to_type(name);
core: improve error message when starting template without instance
2016-03-30 13:49:50 +02:00
if (t == _UNIT_TYPE_INVALID || !unit_name_is_valid(name, UNIT_NAME_PLAIN|UNIT_NAME_INSTANCE)) {
if (unit_name_is_valid(name, UNIT_NAME_TEMPLATE))
return sd_bus_error_setf(e, SD_BUS_ERROR_INVALID_ARGS, "Unit name %s is missing the instance name.", name);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
return sd_bus_error_setf(e, SD_BUS_ERROR_INVALID_ARGS, "Unit name %s is not valid.", name);
core: improve error message when starting template without instance
2016-03-30 13:49:50 +02:00
}
initial commit
2009-11-18 00:42:52 +01:00
unit: reduce heap usage for unit objects The storage of the unit objects on the heap is currently not very efficient. For every unit object we allocate a chunk of memory as large as the biggest unit type, although there are significant differences in the units' real requirements. pahole shows the following sizes of structs: 488 Target 496 Snapshot 512 Device 528 Path 560 Timer 576 Automount 1080 Socket 1160 Swap 1168 Service 1280 Mount Usually there aren't many targets or snapshots in the system, but Device is one of the most common unit types and for every one we waste 1280 - 512 = 768 bytes. Fix it by allocating only the right amount for the given unit type. On my machine (x86_64, with 39 LVM volumes) this decreases systemd's USS (unique set size) by more than 300 KB.
2012-01-15 10:53:49 +01:00
ret = manager_get_unit(m, name);
if (ret) {
core: reload cache if it's dirty when starting a UNIT_NOT_FOUND unit The time-based cache allows starting a new unit without an expensive daemon-reload, unless there was already a reference to it because of a dependency or ordering from another unit. If the cache is out of date, check again if we can load the fragment.
2020-05-08 00:26:53 +02:00
/* The time-based cache allows to start new units without daemon-reload,
* but if they are already referenced (because of dependencies or ordering)
* then we have to force a load of the fragment. As an optimization, check
* first if anything in the usual paths was modified since the last time
core: store timestamps of unit load attempts When the system is under heavy load, it can happen that the unit cache is refreshed for an unrelated reason (in the test I simulate this by attempting to start a non-existing unit). The new unit is found and accounted for in the cache, but it's ignored since we are loading something else. When we actually look for it, by attempting to start it, the cache is up to date so no refresh happens, and starting fails although we have it loaded in the cache. When the unit state is set to UNIT_NOT_FOUND, mark the timestamp in u->fragment_loadtime. Then when attempting to load again we can check both if the cache itself needs a refresh, OR if it was refreshed AFTER the last failed attempt that resulted in the state being UNIT_NOT_FOUND. Update the test so that this issue reproduces more often.
2020-06-16 19:46:55 +02:00
* the cache was loaded. Also check if the last time an attempt to load the
* unit was made was before the most recent cache refresh, so that we know
* we need to try again - even if the cache is current, it might have been
* updated in a different context before we had a chance to retry loading
* this particular unit. */
core: refresh unit cache when building a transaction if UNIT_NOT_FOUND When a command asks to load a unit directly and it is in state UNIT_NOT_FOUND, and the cache is outdated, we refresh it and attempto to load again. Use the same logic when building up a transaction and a dependency in UNIT_NOT_FOUND state is encountered. Update the unit test to exercise this code path.
2020-07-03 19:45:19 +02:00
if (manager_unit_file_maybe_loadable_from_cache(ret))
core: reload cache if it's dirty when starting a UNIT_NOT_FOUND unit The time-based cache allows starting a new unit without an expensive daemon-reload, unless there was already a reference to it because of a dependency or ordering from another unit. If the cache is out of date, check again if we can load the fragment.
2020-05-08 00:26:53 +02:00
ret->load_state = UNIT_STUB;
else {
*_ret = ret;
return 1;
}
} else {
ret = cleanup_ret = unit_new(m, unit_vtable[t]->object_size);
if (!ret)
return -ENOMEM;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
}
initial commit
2009-11-18 00:42:52 +01:00
unit: reduce heap usage for unit objects The storage of the unit objects on the heap is currently not very efficient. For every unit object we allocate a chunk of memory as large as the biggest unit type, although there are significant differences in the units' real requirements. pahole shows the following sizes of structs: 488 Target 496 Snapshot 512 Device 528 Path 560 Timer 576 Automount 1080 Socket 1160 Swap 1168 Service 1280 Mount Usually there aren't many targets or snapshots in the system, but Device is one of the most common unit types and for every one we waste 1280 - 512 = 768 bytes. Fix it by allocating only the right amount for the given unit type. On my machine (x86_64, with 39 LVM volumes) this decreases systemd's USS (unique set size) by more than 300 KB.
2012-01-15 10:53:49 +01:00
if (path) {
core: reload cache if it's dirty when starting a UNIT_NOT_FOUND unit The time-based cache allows starting a new unit without an expensive daemon-reload, unless there was already a reference to it because of a dependency or ordering from another unit. If the cache is out of date, check again if we can load the fragment.
2020-05-08 00:26:53 +02:00
r = free_and_strdup(&ret->fragment_path, path);
if (r < 0)
return r;
unit: reduce heap usage for unit objects The storage of the unit objects on the heap is currently not very efficient. For every unit object we allocate a chunk of memory as large as the biggest unit type, although there are significant differences in the units' real requirements. pahole shows the following sizes of structs: 488 Target 496 Snapshot 512 Device 528 Path 560 Timer 576 Automount 1080 Socket 1160 Swap 1168 Service 1280 Mount Usually there aren't many targets or snapshots in the system, but Device is one of the most common unit types and for every one we waste 1280 - 512 = 768 bytes. Fix it by allocating only the right amount for the given unit type. On my machine (x86_64, with 39 LVM volumes) this decreases systemd's USS (unique set size) by more than 300 KB.
2012-01-15 10:53:49 +01:00
}
implement drop-in directories
2010-01-27 00:15:56 +01:00
systemctl: suggest 'systemctl daemon-reload' without --system --system is default anyway, and some poor user might type 9 characters without needing to.
2013-05-31 02:28:09 +02:00
r = unit_add_name(ret, name);
Introduce _cleanup_(unit_freep)
2018-03-09 21:34:28 +01:00
if (r < 0)
fix job merging
2010-01-21 00:51:37 +01:00
return r;
initial commit
2009-11-18 00:42:52 +01:00
s/name/unit
2010-01-26 21:39:06 +01:00
unit_add_to_load_queue(ret);
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
unit_add_to_dbus_queue(ret);
manager: add newly created units to gc queue
2010-05-16 04:31:07 +02:00
unit_add_to_gc_queue(ret);
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
core/manager: make manager_load_unit*() functions always take output arg We were inconsistent, manager_load_unit_prepare() would crash if _ret was ever NULL. But none of the callers use NULL. So simplify things and require it to be non-NULL.
2017-02-12 18:40:09 +01:00
*_ret = ret;
Introduce _cleanup_(unit_freep)
2018-03-09 21:34:28 +01:00
cleanup_ret = NULL;
service: sysv priorities in link names should take precedence, since they are possibly fixed up by chkconfig
2010-04-24 04:26:33 +02:00
return 0;
}
core: add transient units Transient units can be created via the bus API. They are configured via the method call parameters rather than on-disk files. They are subject to normal GC. Transient units currently may only be created for services (however, we will extend this), and currently only ExecStart= and the cgroup parameters can be configured (also to be extended). Transient units require a unique name, that previously had no configuration file on disk. A tool systemd-run is added that makes use of this functionality to run arbitrary command lines as transient services: $ systemd-run /bin/ping www.heise.de Will cause systemd to create a new transient service and run ping in it.
2013-06-28 04:12:58 +02:00
int manager_load_unit(
Manager *m,
const char *name,
const char *path,
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
sd_bus_error *e,
core: add transient units Transient units can be created via the bus API. They are configured via the method call parameters rather than on-disk files. They are subject to normal GC. Transient units currently may only be created for services (however, we will extend this), and currently only ExecStart= and the cgroup parameters can be configured (also to be extended). Transient units require a unique name, that previously had no configuration file on disk. A tool systemd-run is added that makes use of this functionality to run arbitrary command lines as transient services: $ systemd-run /bin/ping www.heise.de Will cause systemd to create a new transient service and run ping in it.
2013-06-28 04:12:58 +02:00
Unit **_ret) {
service: sysv priorities in link names should take precedence, since they are possibly fixed up by chkconfig
2010-04-24 04:26:33 +02:00
int r;
assert(m);
core/manager: make manager_load_unit*() functions always take output arg We were inconsistent, manager_load_unit_prepare() would crash if _ret was ever NULL. But none of the callers use NULL. So simplify things and require it to be non-NULL.
2017-02-12 18:40:09 +01:00
assert(_ret);
service: sysv priorities in link names should take precedence, since they are possibly fixed up by chkconfig
2010-04-24 04:26:33 +02:00
/* This will load the service information files, but not actually
* start any services or anything. */
selinux: use existing library calls for audit data
2012-09-18 01:55:49 +02:00
r = manager_load_unit_prepare(m, name, path, e, _ret);
if (r != 0)
service: sysv priorities in link names should take precedence, since they are possibly fixed up by chkconfig
2010-04-24 04:26:33 +02:00
return r;
implement coldpluggin
2010-01-29 03:18:09 +01:00
manager_dispatch_load_queue(m);
initial commit
2009-11-18 00:42:52 +01:00
core/manager: make manager_load_unit*() functions always take output arg We were inconsistent, manager_load_unit_prepare() would crash if _ret was ever NULL. But none of the callers use NULL. So simplify things and require it to be non-NULL.
2017-02-12 18:40:09 +01:00
*_ret = unit_follow_merge(*_ret);
core/manager: split out function to verify that unit is loaded and not masked No functional change.
2018-04-12 15:13:14 +02:00
return 0;
}
int manager_load_startable_unit_or_warn(
Manager *m,
const char *name,
const char *path,
Unit **ret) {
/* Load a unit, make sure it loaded fully and is not masked. */
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
Unit *unit;
int r;
r = manager_load_unit(m, name, path, &error, &unit);
if (r < 0)
return log_error_errno(r, "Failed to load %s %s: %s",
core: rework manager_load_startable_unit_or_warn() on top of unit_validate_load_state() These functions do very similar work, let's unify common code.
2018-06-01 17:37:20 +02:00
name ? "unit" : "unit file", name ?: path,
core/manager: split out function to verify that unit is loaded and not masked No functional change.
2018-04-12 15:13:14 +02:00
bus_error_message(&error, r));
core: rework manager_load_startable_unit_or_warn() on top of unit_validate_load_state() These functions do very similar work, let's unify common code.
2018-06-01 17:37:20 +02:00
r = bus_unit_validate_load_state(unit, &error);
if (r < 0)
return log_error_errno(r, "%s", bus_error_message(&error, r));
core: add minimal templating system
2010-04-15 03:11:11 +02:00
core/manager: split out function to verify that unit is loaded and not masked No functional change.
2018-04-12 15:13:14 +02:00
*ret = unit;
initial commit
2009-11-18 00:42:52 +01:00
return 0;
}
add functions for dumping server state
2010-01-19 00:22:34 +01:00
extend test a little
2010-01-20 04:02:39 +01:00
void manager_dump_jobs(Manager *s, FILE *f, const char *prefix) {
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
Iterator i;
add functions for dumping server state
2010-01-19 00:22:34 +01:00
Job *j;
assert(s);
assert(f);
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
HASHMAP_FOREACH(j, s->jobs, i)
extend test a little
2010-01-20 04:02:39 +01:00
job_dump(j, f, prefix);
add functions for dumping server state
2010-01-19 00:22:34 +01:00
}
s/name/unit
2010-01-26 21:39:06 +01:00
void manager_dump_units(Manager *s, FILE *f, const char *prefix) {
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
Iterator i;
s/name/unit
2010-01-26 21:39:06 +01:00
Unit *u;
first try at implementing job creation
2010-01-19 04:15:20 +01:00
const char *t;
add functions for dumping server state
2010-01-19 00:22:34 +01:00
assert(s);
assert(f);
s/name/unit
2010-01-26 21:39:06 +01:00
HASHMAP_FOREACH_KEY(u, t, s->units, i)
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->id == t)
s/name/unit
2010-01-26 21:39:06 +01:00
unit_dump(u, f, prefix);
add functions for dumping server state
2010-01-19 00:22:34 +01:00
}
start implementing a test suite for the engine
2010-01-20 05:03:52 +01:00
core: add manager_dump() call, and make it output timestamp data It's a wrapper around manager_dump_units() and manager_dump_jobs(), and outputs some additional timestamp data. Also, port two users of this over.
2017-11-20 21:11:32 +01:00
void manager_dump(Manager *m, FILE *f, const char *prefix) {
ManagerTimestamp q;
assert(m);
assert(f);
for (q = 0; q < _MANAGER_TIMESTAMP_MAX; q++) {
pid1: use monotonic timestamp in dump if realtime is not available $ systemd-analyze dump | head -3 Timestamp firmware: (null) Timestamp loader: (null) Timestamp kernel: Mon 2019-07-01 17:21:02 CEST Since this is a debugging interface, it is OK to change the output format. The user can infer what "Timestamp firmware: 123.456ms" means.
2019-07-04 19:12:03 +02:00
const dual_timestamp *t = m->timestamps + q;
char buf[CONST_MAX(FORMAT_TIMESPAN_MAX, FORMAT_TIMESTAMP_MAX)];
core: add manager_dump() call, and make it output timestamp data It's a wrapper around manager_dump_units() and manager_dump_jobs(), and outputs some additional timestamp data. Also, port two users of this over.
2017-11-20 21:11:32 +01:00
pid1: use monotonic timestamp in dump if realtime is not available $ systemd-analyze dump | head -3 Timestamp firmware: (null) Timestamp loader: (null) Timestamp kernel: Mon 2019-07-01 17:21:02 CEST Since this is a debugging interface, it is OK to change the output format. The user can infer what "Timestamp firmware: 123.456ms" means.
2019-07-04 19:12:03 +02:00
if (dual_timestamp_is_set(t))
core: add manager_dump() call, and make it output timestamp data It's a wrapper around manager_dump_units() and manager_dump_jobs(), and outputs some additional timestamp data. Also, port two users of this over.
2017-11-20 21:11:32 +01:00
fprintf(f, "%sTimestamp %s: %s\n",
strempty(prefix),
manager_timestamp_to_string(q),
pid1: use monotonic timestamp in dump if realtime is not available $ systemd-analyze dump | head -3 Timestamp firmware: (null) Timestamp loader: (null) Timestamp kernel: Mon 2019-07-01 17:21:02 CEST Since this is a debugging interface, it is OK to change the output format. The user can infer what "Timestamp firmware: 123.456ms" means.
2019-07-04 19:12:03 +02:00
timestamp_is_set(t->realtime) ? format_timestamp(buf, sizeof buf, t->realtime) :
format_timespan(buf, sizeof buf, t->monotonic, 1));
core: add manager_dump() call, and make it output timestamp data It's a wrapper around manager_dump_units() and manager_dump_jobs(), and outputs some additional timestamp data. Also, port two users of this over.
2017-11-20 21:11:32 +01:00
}
manager_dump_units(m, f, prefix);
manager_dump_jobs(m, f, prefix);
}
manager: add manager_get_dump_string() It's like manager_dump(), but returns a string. This allows us to reduce some duplicate code. Also, while we are at it, turn off stdio locking while we write to the memory FILE *f.
2017-11-20 21:20:44 +01:00
int manager_get_dump_string(Manager *m, char **ret) {
_cleanup_free_ char *dump = NULL;
_cleanup_fclose_ FILE *f = NULL;
size_t size;
int r;
assert(m);
assert(ret);
Add open_memstream_unlocked() wrapper
2019-04-04 11:46:44 +02:00
f = open_memstream_unlocked(&dump, &size);
manager: add manager_get_dump_string() It's like manager_dump(), but returns a string. This allows us to reduce some duplicate code. Also, while we are at it, turn off stdio locking while we write to the memory FILE *f.
2017-11-20 21:20:44 +01:00
if (!f)
return -errno;
manager_dump(m, f, NULL);
r = fflush_and_check(f);
if (r < 0)
return r;
f = safe_fclose(f);
tree-wide: use TAKE_PTR() and TAKE_FD() macros
2018-04-05 07:26:26 +02:00
*ret = TAKE_PTR(dump);
manager: add manager_get_dump_string() It's like manager_dump(), but returns a string. This allows us to reduce some duplicate code. Also, while we are at it, turn off stdio locking while we write to the memory FILE *f.
2017-11-20 21:20:44 +01:00
return 0;
}
start implementing a test suite for the engine
2010-01-20 05:03:52 +01:00
void manager_clear_jobs(Manager *m) {
Job *j;
assert(m);
while ((j = hashmap_first(m->jobs)))
transaction: cancel jobs non-recursively on isolate Recursive cancellation of jobs would trigger OnFailure actions of dependent jobs. This is not desirable when isolating. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=798328
2012-04-24 11:21:03 +02:00
/* No need to recurse. We're cancelling all jobs. */
core: don't log job status message in case job was effectively NOP (#3199) We currently generate log message about unit being started even when unit was started already and job didn't do anything. This is because job was requested explicitly and hence became anchor job of the transaction thus we could not eliminate it. That is fine but, let's not pollute journal with useless log messages. $ systemctl start systemd-resolved $ systemctl start systemd-resolved $ systemctl start systemd-resolved Current state: $ journalctl -u systemd-resolved | grep Started May 05 15:31:42 rawhide systemd[1]: Started Network Name Resolution. May 05 15:31:59 rawhide systemd[1]: Started Network Name Resolution. May 05 15:32:01 rawhide systemd[1]: Started Network Name Resolution. After patch applied: $ journalctl -u systemd-resolved | grep Started May 05 16:42:12 rawhide systemd[1]: Started Network Name Resolution. Fixes #1723
2016-05-16 17:24:51 +02:00
job_finish_and_invalidate(j, JOB_CANCELED, false, false);
start implementing a test suite for the engine
2010-01-20 05:03:52 +01:00
}
implement proper binding on ports
2010-01-23 22:56:47 +01:00
core: reduce the number of stalled PIDs from the watched processes list when possible Some PIDs can remain in the watched list even though their processes have exited since a long time. It can easily happen if the main process of a forking service manages to spawn a child before the control process exits for example. However when a pid is about to be mapped to a unit by calling unit_watch_pid(), the caller usually knows if the pid should belong to this unit exclusively: if we just forked() off a child, then we can be sure that its PID is otherwise unused. In this case we take this opportunity to remove any stalled PIDs from the watched process list. If we learnt about a PID in any other form (for example via PID file, via searching, MAINPID= and so on), then we can't assume anything.
2019-03-18 20:59:36 +01:00
void manager_unwatch_pid(Manager *m, pid_t pid) {
assert(m);
/* First let's drop the unit keyed as "pid". */
(void) hashmap_remove(m->watch_pids, PID_TO_PTR(pid));
/* Then, let's also drop the array keyed by -pid. */
free(hashmap_remove(m->watch_pids, PID_TO_PTR(-pid)));
}
core: dispatch run queue only if there's nothing else to do Always read all external events before we decide what we do next.
2013-11-25 15:22:41 +01:00
static int manager_dispatch_run_queue(sd_event_source *source, void *userdata) {
Manager *m = userdata;
implement proper binding on ports
2010-01-23 22:56:47 +01:00
Job *j;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
core: dispatch run queue only if there's nothing else to do Always read all external events before we decide what we do next.
2013-11-25 15:22:41 +01:00
assert(source);
assert(m);
add simple event loop
2010-01-24 00:39:29 +01:00
job: make the run queue order deterministic Jobs are added to the run queue in random order. This happens because most jobs are added by iterating over the transaction or dependency hash maps. As a result, jobs that can be executed at the same time are started in a different order each time. On small embedded devices this can cause a measurable jitter for the point in time when a job starts (~100ms jitter for 10 units that are started in random order). This results is a similar jitter for the boot time. This is undesirable in general and make optimizing the boot time a lot harder. Also, jobs that should have a higher priority because the unit has a higher CPU weight might get executed later than others. Fix this by turning the job run_queue into a Prioq and sort by the following criteria (use the next if the values are equal): - CPU weight - nice level - unit type - unit name The last one is just there for deterministic sorting to avoid any jitter.
2019-05-22 12:12:17 +02:00
while ((j = prioq_peek(m->run_queue))) {
get rid of 'linked' notion for objects
2010-01-26 19:25:02 +01:00
assert(j->installed);
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
assert(j->in_run_queue);
core: make unit_start() return a distinguishable error code in case conditions didn't hold Ideally we'd even propagate this all the way to the client, by having a separate JobType enum value for this. But it's hard to add this without breaking compat, hence for now let's at least internally propagate this case differently from the case "already on it". This is then used to call job_finish_and_invalidate() slightly differently, with the already= parameter false, as in the failed condition case no message was likely produced so far.
2018-11-14 11:38:51 +01:00
(void) job_run_and_invalidate(j);
add simple event loop
2010-01-24 00:39:29 +01:00
}
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
core/manager: fix conditions to start and stop watching running jobs Harald encountered division by zero in manager_print_jobs_in_progress. Clearly we had the watch enabled when we shouldn't - there were no running jobs in m->jobs, only waiting ones. This is either a deadlock, or maybe some of them would be detected as runnable in the next dispatch of the run queue. In any case we mustn't crash. Fix it by starting and stopping the watch based on n_running_jobs instead of the number of all jobs.
2013-03-04 14:38:51 +01:00
if (m->n_running_jobs > 0)
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
manager_watch_jobs_in_progress(m);
systemd: do not output status messages once gettys are running Make Type=idle communication bidirectional: when bootup is finished, the manager, as before, signals idling Type=idle jobs to continue. However, if the boot takes too long, idling jobs signal the manager that they have had enough, wait a tiny bit more, and continue, taking ownership of the console. The manager, when signalled that Type=idle jobs are done, makes a note and will not write to the console anymore. This is a cosmetic issue, but quite noticable, so let's just fix it. Based on Harald Hoyer's patch. https://bugs.freedesktop.org/show_bug.cgi?id=54247 http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/
2013-07-16 03:34:57 +02:00
if (m->n_on_console > 0)
manager_watch_idle_pipe(m);
core: dispatch run queue only if there's nothing else to do Always read all external events before we decide what we do next.
2013-11-25 15:22:41 +01:00
return 1;
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
}
Remove dead code and unexport some calls "make check-api-unused" informs us about code that is not used anymore or that is exported but only used internally. Fix these all over the place.
2013-11-08 18:11:09 +01:00
static unsigned manager_dispatch_dbus_queue(Manager *m) {
core: don't process dbus unit and job queue when there are already too many messages pending We maintain a queue of units and jobs that we are supposed to generate change/new notifications for because they were either just created or some of their property has changed. Let's throttle processing of this queue a bit: as soon as > 1K of bus messages are queued for writing let's skip processing the queue, and then recheck on the next iteration again. Moreover, never process more than 100 units in one go, return to the event loop after that. Both limits together should put effective limits on both space and time usage of the function, delaying further operations until a later moment, when the queue is empty or the the event loop is sufficiently idle again. This should keep the number of generated messages much lower than before on busy systems or where some client is hanging. Note that this also means a bad client can slow down message dispatching substantially for up to 90s if it likes to, for all clients. But that should be acceptable as we only allow trusted bus clients, anyway. Fixes: #8166
2018-02-13 18:30:34 +01:00
unsigned n = 0, budget;
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
Unit *u;
core: don't process dbus unit and job queue when there are already too many messages pending We maintain a queue of units and jobs that we are supposed to generate change/new notifications for because they were either just created or some of their property has changed. Let's throttle processing of this queue a bit: as soon as > 1K of bus messages are queued for writing let's skip processing the queue, and then recheck on the next iteration again. Moreover, never process more than 100 units in one go, return to the event loop after that. Both limits together should put effective limits on both space and time usage of the function, delaying further operations until a later moment, when the queue is empty or the the event loop is sufficiently idle again. This should keep the number of generated messages much lower than before on busy systems or where some client is hanging. Note that this also means a bad client can slow down message dispatching substantially for up to 90s if it likes to, for all clients. But that should be acceptable as we only allow trusted bus clients, anyway. Fixes: #8166
2018-02-13 18:30:34 +01:00
Job *j;
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
assert(m);
core: make sure we don't throttle change signal generator when a reload is pending Fixes: #10627
2018-11-13 12:48:49 +01:00
/* When we are reloading, let's not wait with generating signals, since we need to exit the manager as quickly
* as we can. There's no point in throttling generation of signals in that case. */
if (MANAGER_IS_RELOADING(m) || m->send_reloading_done || m->pending_reload_message)
budget = (unsigned) -1; /* infinite budget in this case */
else {
/* Anything to do at all? */
if (!m->dbus_unit_queue && !m->dbus_job_queue)
return 0;
/* Do we have overly many messages queued at the moment? If so, let's not enqueue more on top, let's
* sit this cycle out, and process things in a later cycle when the queues got a bit emptier. */
if (manager_bus_n_queued_write(m) > MANAGER_BUS_BUSY_THRESHOLD)
return 0;
/* Only process a certain number of units/jobs per event loop iteration. Even if the bus queue wasn't
* overly full before this call we shouldn't increase it in size too wildly in one step, and we
* shouldn't monopolize CPU time with generating these messages. Note the difference in counting of
* this "budget" and the "threshold" above: the "budget" is decreased only once per generated message,
codespell: fix spelling errors
2019-04-27 02:22:40 +02:00
* regardless how many buses/direct connections it is enqueued on, while the "threshold" is applied to
* each queued instance of bus message, i.e. if the same message is enqueued to five buses/direct
core: make sure we don't throttle change signal generator when a reload is pending Fixes: #10627
2018-11-13 12:48:49 +01:00
* connections it will be counted five times. This difference in counting ("references"
* vs. "instances") is primarily a result of the fact that it's easier to implement it this way,
* however it also reflects the thinking that the "threshold" should put a limit on used queue memory,
* i.e. space, while the "budget" should put a limit on time. Also note that the "threshold" is
* currently chosen much higher than the "budget". */
budget = MANAGER_BUS_MESSAGE_BUDGET;
}
core: don't process dbus unit and job queue when there are already too many messages pending We maintain a queue of units and jobs that we are supposed to generate change/new notifications for because they were either just created or some of their property has changed. Let's throttle processing of this queue a bit: as soon as > 1K of bus messages are queued for writing let's skip processing the queue, and then recheck on the next iteration again. Moreover, never process more than 100 units in one go, return to the event loop after that. Both limits together should put effective limits on both space and time usage of the function, delaying further operations until a later moment, when the queue is empty or the the event loop is sufficiently idle again. This should keep the number of generated messages much lower than before on busy systems or where some client is hanging. Note that this also means a bad client can slow down message dispatching substantially for up to 90s if it likes to, for all clients. But that should be acceptable as we only allow trusted bus clients, anyway. Fixes: #8166
2018-02-13 18:30:34 +01:00
core: make sure we don't throttle change signal generator when a reload is pending Fixes: #10627
2018-11-13 12:48:49 +01:00
while (budget != 0 && (u = m->dbus_unit_queue)) {
core: don't process dbus unit and job queue when there are already too many messages pending We maintain a queue of units and jobs that we are supposed to generate change/new notifications for because they were either just created or some of their property has changed. Let's throttle processing of this queue a bit: as soon as > 1K of bus messages are queued for writing let's skip processing the queue, and then recheck on the next iteration again. Moreover, never process more than 100 units in one go, return to the event loop after that. Both limits together should put effective limits on both space and time usage of the function, delaying further operations until a later moment, when the queue is empty or the the event loop is sufficiently idle again. This should keep the number of generated messages much lower than before on busy systems or where some client is hanging. Note that this also means a bad client can slow down message dispatching substantially for up to 90s if it likes to, for all clients. But that should be acceptable as we only allow trusted bus clients, anyway. Fixes: #8166
2018-02-13 18:30:34 +01:00
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
assert(u->in_dbus_queue);
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
bus_unit_send_change_signal(u);
core: make sure we don't throttle change signal generator when a reload is pending Fixes: #10627
2018-11-13 12:48:49 +01:00
n++;
if (budget != (unsigned) -1)
budget--;
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
}
core: make sure we don't throttle change signal generator when a reload is pending Fixes: #10627
2018-11-13 12:48:49 +01:00
while (budget != 0 && (j = m->dbus_job_queue)) {
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
assert(j->in_dbus_queue);
bus_job_send_change_signal(j);
core: make sure we don't throttle change signal generator when a reload is pending Fixes: #10627
2018-11-13 12:48:49 +01:00
n++;
if (budget != (unsigned) -1)
budget--;
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
}
core: make sure we don't throttle change signal generator when a reload is pending Fixes: #10627
2018-11-13 12:48:49 +01:00
if (m->send_reloading_done) {
core: send out "Reloading" signal before and after doing a full reload/reexec of PID 1 Since we'll unload all units/job during a reload, and then readd them it is really useful for clients to be aware of this phase hence sent a signal out before and after. This signal is called "Reloading" (despite the fact that it is also sent out during reexecution, which we consider a special case in this context) and has one boolean parameter which is true for the signal sent before the reload, and false for the signal after the reload. The UnitRemoved/JobRremoved and UnitNew/JobNew due to the reloading are guranteed to be between the pair of Reloading messages.
2013-07-10 21:10:53 +02:00
m->send_reloading_done = false;
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
bus_manager_send_reloading(m, false);
core: make sure we don't throttle change signal generator when a reload is pending Fixes: #10627
2018-11-13 12:48:49 +01:00
n++;
core: send out "Reloading" signal before and after doing a full reload/reexec of PID 1 Since we'll unload all units/job during a reload, and then readd them it is really useful for clients to be aware of this phase hence sent a signal out before and after. This signal is called "Reloading" (despite the fact that it is also sent out during reexecution, which we consider a special case in this context) and has one boolean parameter which is true for the signal sent before the reload, and false for the signal after the reload. The UnitRemoved/JobRremoved and UnitNew/JobNew due to the reloading are guranteed to be between the pair of Reloading messages.
2013-07-10 21:10:53 +02:00
}
core: make sure we don't throttle change signal generator when a reload is pending Fixes: #10627
2018-11-13 12:48:49 +01:00
if (m->pending_reload_message) {
core: rename queued_message → pending_reload_message This field is only used for pending Reload() replies, hence let's rename it to be more descriptive and precise. No change in behaviour.
2018-11-13 11:59:06 +01:00
bus_send_pending_reload_message(m);
core: don't process dbus unit and job queue when there are already too many messages pending We maintain a queue of units and jobs that we are supposed to generate change/new notifications for because they were either just created or some of their property has changed. Let's throttle processing of this queue a bit: as soon as > 1K of bus messages are queued for writing let's skip processing the queue, and then recheck on the next iteration again. Moreover, never process more than 100 units in one go, return to the event loop after that. Both limits together should put effective limits on both space and time usage of the function, delaying further operations until a later moment, when the queue is empty or the the event loop is sufficiently idle again. This should keep the number of generated messages much lower than before on busy systems or where some client is hanging. Note that this also means a bad client can slow down message dispatching substantially for up to 90s if it likes to, for all clients. But that should be acceptable as we only allow trusted bus clients, anyway. Fixes: #8166
2018-02-13 18:30:34 +01:00
n++;
}
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
return n;
add simple event loop
2010-01-24 00:39:29 +01:00
}
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
Manager *m = userdata;
pid1: fix (harmless) off-by-one in PATH_MAX comparison PATH_MAX is supposed to include the terminating NUL byte. But we already check that there is no NUL byte in the specified path. Hence the maximum length we can expect is PATH_MAX - 1. This doesn't change much, but makes this use of PATH_MAX consistent with the rest of the codebase.
2018-12-07 16:22:10 +01:00
char buf[PATH_MAX];
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
ssize_t n;
n = recv(fd, buf, sizeof(buf), 0);
if (n < 0)
return log_error_errno(errno, "Failed to read cgroups agent message: %m");
if (n == 0) {
log_error("Got zero-length cgroups agent message, ignoring.");
return 0;
}
if ((size_t) n >= sizeof(buf)) {
log_error("Got overly long cgroups agent message, ignoring.");
return 0;
}
if (memchr(buf, 0, n)) {
log_error("Got cgroups agent message with embedded NUL byte, ignoring.");
return 0;
}
buf[n] = 0;
manager_notify_cgroup_empty(m, buf);
core: downgrade log message about inability to propagate cgroup release message If dbus is already down during shutdown, we can't propagate the cgroup release message anymore, but that's expected and nothing to warn about. Hence let's downgrade the message from LOG_WARN to LOG_DEBUG. Fixes: #6777
2017-09-08 17:24:57 +02:00
(void) bus_forward_agent_released(m, buf);
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
return 0;
}
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
static bool manager_process_barrier_fd(char * const *tags, FDSet *fds) {
Introduce sd_notify_barrier This adds the sd_notify_barrier function, to allow users to synchronize against the reception of sd_notify(3) status messages. It acts as a synchronization point, and a successful return gurantees that all previous messages have been consumed by the manager. This can be used to eliminate race conditions where the sending process exits too early for systemd to associate its PID to a cgroup and attribute the status message to a unit correctly. systemd-notify now uses this function for proper notification delivery and be useful for NotifyAccess=all units again in user mode, or in cases where it doesn't have a control process as parent. Fixes: #2739
2020-04-28 16:09:27 +02:00
/* nothing else must be sent when using BARRIER=1 */
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
if (strv_contains(tags, "BARRIER=1")) {
if (strv_length(tags) == 1) {
if (fdset_size(fds) != 1)
log_warning("Got incorrect number of fds with BARRIER=1, closing them.");
} else
log_warning("Extra notification messages sent with BARRIER=1, ignoring everything.");
/* Drop the message if BARRIER=1 was found */
Introduce sd_notify_barrier This adds the sd_notify_barrier function, to allow users to synchronize against the reception of sd_notify(3) status messages. It acts as a synchronization point, and a successful return gurantees that all previous messages have been consumed by the manager. This can be used to eliminate race conditions where the sending process exits too early for systemd to associate its PID to a cgroup and attribute the status message to a unit correctly. systemd-notify now uses this function for proper notification delivery and be useful for NotifyAccess=all units again in user mode, or in cases where it doesn't have a control process as parent. Fixes: #2739
2020-04-28 16:09:27 +02:00
return true;
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
}
Introduce sd_notify_barrier This adds the sd_notify_barrier function, to allow users to synchronize against the reception of sd_notify(3) status messages. It acts as a synchronization point, and a successful return gurantees that all previous messages have been consumed by the manager. This can be used to eliminate race conditions where the sending process exits too early for systemd to associate its PID to a cgroup and attribute the status message to a unit correctly. systemd-notify now uses this function for proper notification delivery and be useful for NotifyAccess=all units again in user mode, or in cases where it doesn't have a control process as parent. Fixes: #2739
2020-04-28 16:09:27 +02:00
return false;
}
core: be stricter when handling PID files and MAINPID sd_notify() messages Let's be more restrictive when validating PID files and MAINPID= messages: don't accept PIDs that make no sense, and if the configuration source is not trusted, don't accept out-of-cgroup PIDs. A configuratin source is considered trusted when the PID file is owned by root, or the message was received from root. This should lock things down a bit, in case service authors write out PID files from unprivileged code or use NotifyAccess=all with unprivileged code. Note that doing so was always problematic, just now it's a bit less problematic. When we open the PID file we'll now use the CHASE_SAFE chase_symlinks() logic, to ensure that we won't follow an unpriviled-owned symlink to a privileged-owned file thinking this was a valid privileged PID file, even though it really isn't. Fixes: #6632
2018-01-05 12:20:22 +01:00
static void manager_invoke_notify_message(
Manager *m,
Unit *u,
const struct ucred *ucred,
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
char * const *tags,
core: be stricter when handling PID files and MAINPID sd_notify() messages Let's be more restrictive when validating PID files and MAINPID= messages: don't accept PIDs that make no sense, and if the configuration source is not trusted, don't accept out-of-cgroup PIDs. A configuratin source is considered trusted when the PID file is owned by root, or the message was received from root. This should lock things down a bit, in case service authors write out PID files from unprivileged code or use NotifyAccess=all with unprivileged code. Note that doing so was always problematic, just now it's a bit less problematic. When we open the PID file we'll now use the CHASE_SAFE chase_symlinks() logic, to ensure that we won't follow an unpriviled-owned symlink to a privileged-owned file thinking this was a valid privileged PID file, even though it really isn't. Fixes: #6632
2018-01-05 12:20:22 +01:00
FDSet *fds) {
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
assert(m);
assert(u);
core: be stricter when handling PID files and MAINPID sd_notify() messages Let's be more restrictive when validating PID files and MAINPID= messages: don't accept PIDs that make no sense, and if the configuration source is not trusted, don't accept out-of-cgroup PIDs. A configuratin source is considered trusted when the PID file is owned by root, or the message was received from root. This should lock things down a bit, in case service authors write out PID files from unprivileged code or use NotifyAccess=all with unprivileged code. Note that doing so was always problematic, just now it's a bit less problematic. When we open the PID file we'll now use the CHASE_SAFE chase_symlinks() logic, to ensure that we won't follow an unpriviled-owned symlink to a privileged-owned file thinking this was a valid privileged PID file, even though it really isn't. Fixes: #6632
2018-01-05 12:20:22 +01:00
assert(ucred);
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
assert(tags);
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
if (u->notifygen == m->notifygen) /* Already invoked on this same unit in this same iteration? */
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
return;
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
u->notifygen = m->notifygen;
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
if (UNIT_VTABLE(u)->notify_message)
core: be stricter when handling PID files and MAINPID sd_notify() messages Let's be more restrictive when validating PID files and MAINPID= messages: don't accept PIDs that make no sense, and if the configuration source is not trusted, don't accept out-of-cgroup PIDs. A configuratin source is considered trusted when the PID file is owned by root, or the message was received from root. This should lock things down a bit, in case service authors write out PID files from unprivileged code or use NotifyAccess=all with unprivileged code. Note that doing so was always problematic, just now it's a bit less problematic. When we open the PID file we'll now use the CHASE_SAFE chase_symlinks() logic, to ensure that we won't follow an unpriviled-owned symlink to a privileged-owned file thinking this was a valid privileged PID file, even though it really isn't. Fixes: #6632
2018-01-05 12:20:22 +01:00
UNIT_VTABLE(u)->notify_message(u, ucred, tags, fds);
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
else if (DEBUG_LOGGING) {
_cleanup_free_ char *buf = NULL, *x = NULL, *y = NULL;
pid1: more informative error message for ignored notifications It's probably easier to diagnose a bad notification message if the contents are printed. But still, do anything only if debugging is on.
2016-09-29 16:07:41 +02:00
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
buf = strv_join(tags, ", ");
if (buf)
x = ellipsize(buf, 20, 90);
pid1: more informative error message for ignored notifications It's probably easier to diagnose a bad notification message if the contents are printed. But still, do anything only if debugging is on.
2016-09-29 16:07:41 +02:00
if (x)
manager: swap order in which we ellipsize/escape sd_notify() messages for debugging If we have to chose between truncated escape sequences and strings exploded to 4 times the desried length by fully escaping, prefer the latter. It's for debug only, hence doesn't really matter much.
2018-01-04 21:00:10 +01:00
y = cescape(x);
pid1: more informative error message for ignored notifications It's probably easier to diagnose a bad notification message if the contents are printed. But still, do anything only if debugging is on.
2016-09-29 16:07:41 +02:00
log_unit_debug(u, "Got notification message \"%s\", ignoring.", strnull(y));
}
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
}
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
manager: remove spurious newline
2016-05-23 15:57:18 +02:00
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
_cleanup_fdset_free_ FDSet *fds = NULL;
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
Manager *m = userdata;
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
char buf[NOTIFY_BUFFER_MAX+1];
struct iovec iovec = {
.iov_base = buf,
.iov_len = sizeof(buf)-1,
};
tree-wide: make sure our control buffers are properly aligned We always need to make them unions with a "struct cmsghdr" in them, so that things properly aligned. Otherwise we might end up at an unaligned address and the counting goes all wrong, possibly making the kernel refuse our buffers. Also, let's make sure we initialize the control buffers to zero when sending, but leave them uninitialized when reading. Both the alignment and the initialization thing is mentioned in the cmsg(3) man page.
2020-04-24 23:54:25 +02:00
CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred)) +
CMSG_SPACE(sizeof(int) * NOTIFY_FD_MAX)) control;
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
struct msghdr msghdr = {
.msg_iov = &iovec,
.msg_iovlen = 1,
.msg_control = &control,
.msg_controllen = sizeof(control),
};
struct cmsghdr *cmsg;
struct ucred *ucred = NULL;
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
_cleanup_free_ Unit **array_copy = NULL;
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
_cleanup_strv_free_ char **tags = NULL;
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
Unit *u1, *u2, **array;
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
int r, *fd_array = NULL;
tree-wide: be more careful with the type of array sizes Previously we were a bit sloppy with the index and size types of arrays, we'd regularly use unsigned. While I don't think this ever resulted in real issues I think we should be more careful there and follow a stricter regime: unless there's a strong reason not to use size_t for array sizes and indexes, size_t it should be. Any allocations we do ultimately will use size_t anyway, and converting forth and back between unsigned and size_t will always be a source of problems. Note that on 32bit machines "unsigned" and "size_t" are equivalent, and on 64bit machines our arrays shouldn't grow that large anyway, and if they do we have a problem, however that kind of overly large allocation we have protections for usually, but for overflows we do not have that so much, hence let's add it. So yeah, it's a story of the current code being already "good enough", but I think some extra type hygiene is better. This patch tries to be comprehensive, but it probably isn't and I missed a few cases. But I guess we can cover that later as we notice it. Among smaller fixes, this changes: 1. strv_length()' return type becomes size_t 2. the unit file changes array size becomes size_t 3. DNS answer and query array sizes become size_t Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=76745
2018-04-27 14:09:31 +02:00
size_t n_fds = 0;
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
bool found = false;
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
ssize_t n;
assert(m);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
assert(m->notify_fd == fd);
if (revents != EPOLLIN) {
log_warning("Got unexpected poll event for notify fd.");
return 0;
}
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
tree-wide: use recvmsg_safe() at various places Let's be extra careful whenever we return from recvmsg() and see MSG_CTRUNC set. This generally means we ran into a programming error, as we didn't size the control buffer large enough. It's an error condition we should at least log about, or propagate up. Hence do that. This is particularly important when receiving fds, since for those the control data can be of any size. In particular on stream sockets that's nasty, because if we miss an fd because of control data truncation we cannot recover, we might not even realize that we are one off. (Also, when failing early, if there's any chance the socket might be AF_UNIX let's close all received fds, all the time. We got this right most of the time, but there were a few cases missing. God, UNIX is hard to use)
2020-04-23 09:40:03 +02:00
n = recvmsg_safe(m->notify_fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC|MSG_TRUNC);
if (IN_SET(n, -EAGAIN, -EINTR))
return 0; /* Spurious wakeup, try again */
if (n < 0)
/* If this is any other, real error, then let's stop processing this socket. This of course
* means we won't take notification messages anymore, but that's still better than busy
* looping around this: being woken up over and over again but being unable to actually read
* the message off the socket. */
return log_error_errno(n, "Failed to receive notification message: %m");
core: add new logic for services to store file descriptors in PID 1 With this change it is possible to send file descriptors to PID 1, via sd_pid_notify_with_fds() which PID 1 will store individually for each service, and pass via the usual fd passing logic on next invocation. This is useful for enable daemon reload schemes where daemons serialize their state to /run, push their fds into PID 1 and terminate, restoring their state on next start from the data in /run and passed in from PID 1. The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on them, and the service they belong to are either not dead or failed, or have a job queued.
2015-01-06 00:26:25 +01:00
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
CMSG_FOREACH(cmsg, &msghdr) {
if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
core: add new logic for services to store file descriptors in PID 1 With this change it is possible to send file descriptors to PID 1, via sd_pid_notify_with_fds() which PID 1 will store individually for each service, and pass via the usual fd passing logic on next invocation. This is useful for enable daemon reload schemes where daemons serialize their state to /run, push their fds into PID 1 and terminate, restoring their state on next start from the data in /run and passed in from PID 1. The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on them, and the service they belong to are either not dead or failed, or have a job queued.
2015-01-06 00:26:25 +01:00
tree-wide: use recvmsg_safe() at various places Let's be extra careful whenever we return from recvmsg() and see MSG_CTRUNC set. This generally means we ran into a programming error, as we didn't size the control buffer large enough. It's an error condition we should at least log about, or propagate up. Hence do that. This is particularly important when receiving fds, since for those the control data can be of any size. In particular on stream sockets that's nasty, because if we miss an fd because of control data truncation we cannot recover, we might not even realize that we are one off. (Also, when failing early, if there's any chance the socket might be AF_UNIX let's close all received fds, all the time. We got this right most of the time, but there were a few cases missing. God, UNIX is hard to use)
2020-04-23 09:40:03 +02:00
assert(!fd_array);
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
fd_array = (int*) CMSG_DATA(cmsg);
n_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
core: add new logic for services to store file descriptors in PID 1 With this change it is possible to send file descriptors to PID 1, via sd_pid_notify_with_fds() which PID 1 will store individually for each service, and pass via the usual fd passing logic on next invocation. This is useful for enable daemon reload schemes where daemons serialize their state to /run, push their fds into PID 1 and terminate, restoring their state on next start from the data in /run and passed in from PID 1. The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on them, and the service they belong to are either not dead or failed, or have a job queued.
2015-01-06 00:26:25 +01:00
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
} else if (cmsg->cmsg_level == SOL_SOCKET &&
cmsg->cmsg_type == SCM_CREDENTIALS &&
cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
core: add new logic for services to store file descriptors in PID 1 With this change it is possible to send file descriptors to PID 1, via sd_pid_notify_with_fds() which PID 1 will store individually for each service, and pass via the usual fd passing logic on next invocation. This is useful for enable daemon reload schemes where daemons serialize their state to /run, push their fds into PID 1 and terminate, restoring their state on next start from the data in /run and passed in from PID 1. The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on them, and the service they belong to are either not dead or failed, or have a job queued.
2015-01-06 00:26:25 +01:00
tree-wide: use recvmsg_safe() at various places Let's be extra careful whenever we return from recvmsg() and see MSG_CTRUNC set. This generally means we ran into a programming error, as we didn't size the control buffer large enough. It's an error condition we should at least log about, or propagate up. Hence do that. This is particularly important when receiving fds, since for those the control data can be of any size. In particular on stream sockets that's nasty, because if we miss an fd because of control data truncation we cannot recover, we might not even realize that we are one off. (Also, when failing early, if there's any chance the socket might be AF_UNIX let's close all received fds, all the time. We got this right most of the time, but there were a few cases missing. God, UNIX is hard to use)
2020-04-23 09:40:03 +02:00
assert(!ucred);
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
ucred = (struct ucred*) CMSG_DATA(cmsg);
core: add new logic for services to store file descriptors in PID 1 With this change it is possible to send file descriptors to PID 1, via sd_pid_notify_with_fds() which PID 1 will store individually for each service, and pass via the usual fd passing logic on next invocation. This is useful for enable daemon reload schemes where daemons serialize their state to /run, push their fds into PID 1 and terminate, restoring their state on next start from the data in /run and passed in from PID 1. The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on them, and the service they belong to are either not dead or failed, or have a job queued.
2015-01-06 00:26:25 +01:00
}
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
}
core: add new logic for services to store file descriptors in PID 1 With this change it is possible to send file descriptors to PID 1, via sd_pid_notify_with_fds() which PID 1 will store individually for each service, and pass via the usual fd passing logic on next invocation. This is useful for enable daemon reload schemes where daemons serialize their state to /run, push their fds into PID 1 and terminate, restoring their state on next start from the data in /run and passed in from PID 1. The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on them, and the service they belong to are either not dead or failed, or have a job queued.
2015-01-06 00:26:25 +01:00
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
if (n_fds > 0) {
assert(fd_array);
core: add new logic for services to store file descriptors in PID 1 With this change it is possible to send file descriptors to PID 1, via sd_pid_notify_with_fds() which PID 1 will store individually for each service, and pass via the usual fd passing logic on next invocation. This is useful for enable daemon reload schemes where daemons serialize their state to /run, push their fds into PID 1 and terminate, restoring their state on next start from the data in /run and passed in from PID 1. The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on them, and the service they belong to are either not dead or failed, or have a job queued.
2015-01-06 00:26:25 +01:00
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
r = fdset_new_array(&fds, fd_array, n_fds);
if (r < 0) {
close_many(fd_array, n_fds);
pid1: don't return any error in manager_dispatch_notify_fd() (#4240) If manager_dispatch_notify_fd() fails and returns an error then the handling of service notifications will be disabled entirely leading to a compromised system. For example pid1 won't be able to receive the WATCHDOG messages anymore and will kill all services supposed to send such messages.
2016-09-29 19:44:34 +02:00
log_oom();
return 0;
core: add new logic for services to store file descriptors in PID 1 With this change it is possible to send file descriptors to PID 1, via sd_pid_notify_with_fds() which PID 1 will store individually for each service, and pass via the usual fd passing logic on next invocation. This is useful for enable daemon reload schemes where daemons serialize their state to /run, push their fds into PID 1 and terminate, restoring their state on next start from the data in /run and passed in from PID 1. The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on them, and the service they belong to are either not dead or failed, or have a job queued.
2015-01-06 00:26:25 +01:00
}
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
}
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
manager: make use of pid_is_valid() where appropriate
2018-01-05 12:19:22 +01:00
if (!ucred || !pid_is_valid(ucred->pid)) {
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
log_warning("Received notify message without valid credentials. Ignoring.");
return 0;
}
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
manager: be stricter with incomining notifications, warn properly about too large ones Let's make the kernel let us know the full, original datagram size of the incoming message. If it's larger than the buffer space provided by us, drop the whole message with a warning. Before this change the kernel would truncate the message for us to the buffer space provided, and we'd not complain about this, and simply process the incomplete message as far as it made sense.
2016-10-07 12:12:10 +02:00
if ((size_t) n >= sizeof(buf) || (msghdr.msg_flags & MSG_TRUNC)) {
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
log_warning("Received notify message exceeded maximum size. Ignoring.");
return 0;
}
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
manager: tighten incoming notification message checks Let's not accept datagrams with embedded NUL bytes. Previously we'd simply ignore everything after the first NUL byte. But given that sending us that is pretty ugly let's instead complain and refuse. With this change we'll only accept messages that have exactly zero or one NUL bytes at the very end of the datagram.
2016-10-07 12:14:33 +02:00
/* As extra safety check, let's make sure the string we get doesn't contain embedded NUL bytes. We permit one
* trailing NUL byte in the message, but don't expect it. */
if (n > 1 && memchr(buf, 0, n-1)) {
log_warning("Received notify message with embedded NUL bytes. Ignoring.");
return 0;
}
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
/* Make sure it's NUL-terminated, then parse it to obtain the tags list */
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
buf[n] = 0;
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
tags = strv_split_newlines(buf);
if (!tags) {
log_oom();
return 0;
}
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
Introduce sd_notify_barrier This adds the sd_notify_barrier function, to allow users to synchronize against the reception of sd_notify(3) status messages. It acts as a synchronization point, and a successful return gurantees that all previous messages have been consumed by the manager. This can be used to eliminate race conditions where the sending process exits too early for systemd to associate its PID to a cgroup and attribute the status message to a unit correctly. systemd-notify now uses this function for proper notification delivery and be useful for NotifyAccess=all units again in user mode, or in cases where it doesn't have a control process as parent. Fixes: #2739
2020-04-28 16:09:27 +02:00
/* possibly a barrier fd, let's see */
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
if (manager_process_barrier_fd(tags, fds))
Introduce sd_notify_barrier This adds the sd_notify_barrier function, to allow users to synchronize against the reception of sd_notify(3) status messages. It acts as a synchronization point, and a successful return gurantees that all previous messages have been consumed by the manager. This can be used to eliminate race conditions where the sending process exits too early for systemd to associate its PID to a cgroup and attribute the status message to a unit correctly. systemd-notify now uses this function for proper notification delivery and be useful for NotifyAccess=all units again in user mode, or in cases where it doesn't have a control process as parent. Fixes: #2739
2020-04-28 16:09:27 +02:00
return 0;
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
/* Increase the generation counter used for filtering out duplicate unit invocations. */
m->notifygen++;
/* Notify every unit that might be interested, which might be multiple. */
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
u1 = manager_get_unit_by_pid_cgroup(m, ucred->pid);
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
u2 = hashmap_get(m->watch_pids, PID_TO_PTR(ucred->pid));
array = hashmap_get(m->watch_pids, PID_TO_PTR(-ucred->pid));
if (array) {
size_t k = 0;
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
while (array[k])
k++;
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
array_copy = newdup(Unit*, array, k+1);
if (!array_copy)
log_oom();
}
/* And now invoke the per-unit callbacks. Note that manager_invoke_notify_message() will handle duplicate units
* make sure we only invoke each unit's handler once. */
if (u1) {
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
manager_invoke_notify_message(m, u1, ucred, tags, fds);
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
found = true;
}
if (u2) {
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
manager_invoke_notify_message(m, u2, ucred, tags, fds);
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
found = true;
}
if (array_copy)
for (size_t i = 0; array_copy[i]; i++) {
core: Parse the tags list sooner, and use it for multiple function - Parse the tags list using strv_split_newlines() which remove any unnecessary empty string at the end of the strv. - Use this parsed list for manager_process_barrier_fd() and every call to manager_invoke_notify_message(). - This also allow to simplify the manager_process_barrier_fd() function.
2020-05-10 18:46:45 +02:00
manager_invoke_notify_message(m, array_copy[i], ucred, tags, fds);
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
found = true;
}
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
if (!found)
log_warning("Cannot find unit for notify message of PID "PID_FMT", ignoring.", ucred->pid);
core: add new logic for services to store file descriptors in PID 1 With this change it is possible to send file descriptors to PID 1, via sd_pid_notify_with_fds() which PID 1 will store individually for each service, and pass via the usual fd passing logic on next invocation. This is useful for enable daemon reload schemes where daemons serialize their state to /run, push their fds into PID 1 and terminate, restoring their state on next start from the data in /run and passed in from PID 1. The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on them, and the service they belong to are either not dead or failed, or have a job queued.
2015-01-06 00:26:25 +01:00
core: fix priority ordering in notify-handling Currently, we dispatch NOTIFY messages in a tight loop. Regardless how much data is incoming, we always dispatch everything that is queued. This, however, completely breaks priority event-handling of sd-event. When dispatching one NOTIFY event, another completely different event might fire, or might be queued by the NOTIFY handling. However, this event will not get dispatched until all other further NOTIFY messages are handled. Those might even arrive _after_ the other event fired, and as such completely break priority ordering of sd-event (which several code paths rely on). Break this by never dispatching multiple messages. Just return after each message that was read and let sd-event handle everything else. (The patch looks scarier that it is. It basically just drops the for(;;) loop and re-indents the loop-content.)
2015-10-28 19:11:36 +01:00
if (fdset_size(fds) > 0)
core: update warning message "closing all" might suggest that _all_ fds received with the notification message will be closed. Reword the message to clarify that only the "unused" ones will be closed.
2016-09-30 13:35:07 +02:00
log_warning("Got extra auxiliary fds with notification message, closing them.");
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
return 0;
}
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
static void manager_invoke_sigchld_event(
Manager *m,
Unit *u,
const siginfo_t *si) {
manager: Only invoke a single sigchld per unit within a cleanup cycle By default, each iteration of manager_dispatch_sigchld() results in a unit level sigchld event being invoked. For scope units, this results in a scope_sigchld_event() which can seemingly stall for workloads that have a large number of PIDs within the scope. The stall exhibits itself as a SIG_0 being initiated for each u->pids entry as a result of pid_is_unwaited(). v2: This patch resolves this condition by only paying to cost of a sigchld in the underlying scope unit once per sigchld iteration. A new "sigchldgen" member resides within the Unit struct. The Manager is incremented via the sd event loop, accessed via sd_event_get_iteration, and the Unit member is set to the same value as the manager each time that a sigchld event is invoked. If the Manager iteration value and Unit member match, the sigchld event is not invoked for that iteration.
2016-06-30 21:12:18 +02:00
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
assert(m);
assert(u);
assert(si);
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
/* Already invoked the handler of this unit in this iteration? Then don't process this again */
if (u->sigchldgen == m->sigchldgen)
return;
u->sigchldgen = m->sigchldgen;
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
log_unit_debug(u, "Child "PID_FMT" belongs to %s.", si->si_pid, u->id);
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
unit_unwatch_pid(u, si->si_pid);
core: update invoke_sigchld_event() to handle NULL ->sigchld_event() After receiving SIGCHLD, one of the ways manager_dispatch_sigchld() maps the now zombie $PID to its unit is through manager_get_unit_by_pid_cgroup() which reads /proc/$PID/cgroup and looks up the unit associated with the cgroup path. On non-unified cgroup hierarchies, a process is immediately migrated to the root cgroup on death and the cgroup lookup would always have returned the unit associated with it, making it rather pointless but safe. On unified hierarchy, a zombie remains associated with the cgroup that it was associated with at the time of death and thus manager_get_unit_by_pid_cgroup() will look up the unit properly. However, by the time manager_dispatch_sigchld() is running, the original cgroup may have become empty and it and its associated unit might already have been removed. If the cgroup path doesn't yield a match, manager_dispatch_sigchld() keeps pruning the leaf component. This means that the function may return a slice unit for a pid and as a slice doesn't have ->sigchld_event() handler, calling invoke_sigchld_event() on it causes a segfault. This patch updates invoke_sigchld_event() so that it skips calling if the handler is not set.
2016-03-25 16:38:50 +01:00
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
if (UNIT_VTABLE(u)->sigchld_event)
UNIT_VTABLE(u)->sigchld_event(u, si->si_pid, si->si_code, si->si_status);
core: allow PIDs to be watched by two units at the same time In some cases it is interesting to map a PID to two units at the same time. For example, when a user logs in via a getty, which is reexeced to /sbin/login that binary will be explicitly referenced as main pid of the getty service, as well as implicitly referenced as part of the session scope.
2014-02-07 11:58:25 +01:00
}
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
static int manager_dispatch_sigchld(sd_event_source *source, void *userdata) {
Manager *m = userdata;
siginfo_t si = {};
int r;
assert(source);
add simple event loop
2010-01-24 00:39:29 +01:00
assert(m);
small fixes: make get_process_state() static and fix typo
2019-05-20 13:37:03 +02:00
/* First we call waitid() for a PID and do not reap the zombie. That way we can still access /proc/$PID for it
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
* while it is a zombie. */
add simple event loop
2010-01-24 00:39:29 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
if (waitid(P_ALL, 0, &si, WEXITED|WNOHANG|WNOWAIT) < 0) {
yay, we can start socket units
2010-01-27 04:31:52 +01:00
manager: avoid infinite loop for unexpected waitid() error (#8168) I think if we log the error as being _ignored_, we should also consider the event as handled and clear it. This was the behaviour prior to 575b300b (PR #7968). I don't think we particularly wanted to change behaviour and keep retrying. Sometimes that's useful, other times you cause more problems by filling the logs. Plus a nearby typo fix.
2018-02-13 19:04:31 +01:00
if (errno != ECHILD)
log_error_errno(errno, "Failed to peek for child with waitid(), ignoring: %m");
yay, we can start socket units
2010-01-27 04:31:52 +01:00
manager: avoid infinite loop for unexpected waitid() error (#8168) I think if we log the error as being _ignored_, we should also consider the event as handled and clear it. This was the behaviour prior to 575b300b (PR #7968). I don't think we particularly wanted to change behaviour and keep retrying. Sometimes that's useful, other times you cause more problems by filling the logs. Plus a nearby typo fix.
2018-02-13 19:04:31 +01:00
goto turn_off;
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
}
manager: instead of using siginfo_t when reading SIGCHLD PIDs, run waitid() twice to avoid dropped signals
2010-04-13 02:05:27 +02:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
if (si.si_pid <= 0)
goto turn_off;
if (IN_SET(si.si_code, CLD_EXITED, CLD_KILLED, CLD_DUMPED)) {
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
_cleanup_free_ Unit **array_copy = NULL;
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
_cleanup_free_ char *name = NULL;
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
Unit *u1, *u2, **array;
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
(void) get_process_comm(si.si_pid, &name);
log_debug("Child "PID_FMT" (%s) died (code=%s, status=%i/%s)",
si.si_pid, strna(name),
sigchld_code_to_string(si.si_code),
si.si_status,
strna(si.si_code == CLD_EXITED
? exit_status_to_string(si.si_status, EXIT_STATUS_FULL)
: signal_to_string(si.si_status)));
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
/* Increase the generation counter used for filtering out duplicate unit invocations */
m->sigchldgen++;
/* And now figure out the unit this belongs to, it might be multiple... */
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
u1 = manager_get_unit_by_pid_cgroup(m, si.si_pid);
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
u2 = hashmap_get(m->watch_pids, PID_TO_PTR(si.si_pid));
array = hashmap_get(m->watch_pids, PID_TO_PTR(-si.si_pid));
if (array) {
size_t n = 0;
codespell: fix spelling errors
2019-04-27 02:22:40 +02:00
/* Count how many entries the array has */
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
while (array[n])
n++;
/* Make a copy of the array so that we don't trip up on the array changing beneath us */
array_copy = newdup(Unit*, array, n+1);
if (!array_copy)
log_oom();
}
/* Finally, execute them all. Note that u1, u2 and the array might contain duplicates, but
* that's fine, manager_invoke_sigchld_event() will ensure we only invoke the handlers once for
* each iteration. */
core: do an extra check if oom was triggered when handling sigchild Should fix #12425.
2019-05-19 15:52:02 +02:00
if (u1) {
/* We check for oom condition, in case we got SIGCHLD before the oom notification.
* We only do this for the cgroup the PID belonged to. */
(void) unit_check_oom(u1);
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
manager_invoke_sigchld_event(m, u1, &si);
core: do an extra check if oom was triggered when handling sigchild Should fix #12425.
2019-05-19 15:52:02 +02:00
}
core: rework how we track which PIDs to watch for a unit Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit interested in SIGCHLD events for them. This scheme allowed a specific PID to be watched by exactly 0, 1 or 2 units. With this rework this is replaced by a single hashmap which is primarily keyed by the PID and points to a Unit interested in it. However, it optionally also keyed by the negated PID, in which case it points to a NULL terminated array of additional Unit objects also interested. This scheme means arbitrary numbers of Units may now watch the same PID. Runtime and memory behaviour should not be impact by this change, as for the common case (i.e. each PID only watched by a single unit) behaviour stays the same, but for the uncommon case (a PID watched by more than one unit) we only pay with a single additional memory allocation for the array. Why this all? Primarily, because allowing exactly two units to watch a specific PID is not sufficient for some niche cases, as processes can belong to more than one unit these days: 1. sd_notify() with MAINPID= can be used to attach a process from a different cgroup to multiple units. 2. Similar, the PIDFile= setting in unit files can be used for similar setups, 3. By creating a scope unit a main process of a service may join a different unit, too. 4. On cgroupsv1 we frequently end up watching all processes remaining in a scope, and if a process opens lots of scopes one after the other it might thus end up being watch by many of them. This patch hence removes the 2-unit-per-PID limit. It also makes a couple of other changes, some of them quite relevant: - manager_get_unit_by_pid() (and the bus call wrapping it) when there's ambiguity will prefer returning the Unit the process belongs to based on cgroup membership, and only check the watch-pids hashmap if that fails. This change in logic is probably more in line with what people expect and makes things more stable as each process can belong to exactly one cgroup only. - Every SIGCHLD event is now dispatched to all units interested in its PID. Previously, there was some magic conditionalization: the SIGCHLD would only be dispatched to the unit if it was only interested in a single PID only, or the PID belonged to the control or main PID or we didn't dispatch a signle SIGCHLD to the unit in the current event loop iteration yet. These rules were quite arbitrary and also redundant as the the per-unit handlers would filter the PIDs anyway a second time. With this change we'll hence relax the rules: all we do now is dispatch every SIGCHLD event exactly once to each unit interested in it, and it's up to the unit to then use or ignore this. We use a generation counter in the unit to ensure that we only invoke the unit handler once for each event, protecting us from confusion if a unit is both associated with a specific PID through cgroup membership and through the "watch_pids" logic. It also protects us from being confused if the "watch_pids" hashmap is altered while we are dispatching to it (which is a very likely case). - sd_notify() message dispatching has been reworked to be very similar to SIGCHLD handling now. A generation counter is used for dispatching as well. This also adds a new test that validates that "watch_pid" registration and unregstration works correctly.
2018-01-12 13:41:05 +01:00
if (u2)
manager_invoke_sigchld_event(m, u2, &si);
if (array_copy)
for (size_t i = 0; array_copy[i]; i++)
manager_invoke_sigchld_event(m, array_copy[i], &si);
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
}
add simple event loop
2010-01-24 00:39:29 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
/* And now, we actually reap the zombie. */
if (waitid(P_PID, si.si_pid, &si, WEXITED) < 0) {
log_error_errno(errno, "Failed to dequeue child, ignoring: %m");
return 0;
}
add simple event loop
2010-01-24 00:39:29 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
return 0;
notify: add minimal readiness/status protocol for spawned daemons
2010-06-16 05:10:31 +02:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
turn_off:
/* All children processed for now, turn off event source */
manager: instead of using siginfo_t when reading SIGCHLD PIDs, run waitid() twice to avoid dropped signals
2010-04-13 02:05:27 +02:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
r = sd_event_source_set_enabled(m->sigchld_event_source, SD_EVENT_OFF);
if (r < 0)
return log_error_errno(r, "Failed to disable SIGCHLD event source: %m");
add simple event loop
2010-01-24 00:39:29 +01:00
return 0;
}
manager: remove fallback for user/exit.target The comment here was misleading: the job can fail to enqueue for reasons other than the target not existing. The fallback caused an error to be logged, and dates back to when the "user" directory was named "session". units/session/exit.target was added later the same year. This is consistent with the documentation (man systemd), and the handling of similar signals. It's also consistent with `systemctl exit`, which is what most people would expect.
2017-08-02 17:19:22 +02:00
static void manager_start_target(Manager *m, const char *name, JobMode mode) {
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.
2015-11-27 19:13:45 +01:00
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
manager: simplify startup of special targets
2010-04-13 01:59:06 +02:00
int r;
dbus: make errors reported via D-Bus more useful
2010-07-08 02:43:18 +02:00
core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters
2015-05-11 20:38:21 +02:00
log_debug("Activating special unit %s", name);
main: add a few more useful diagnostic log messages
2010-07-10 04:50:19 +02:00
core: add new API for enqueing a job with returning the transaction data
2019-03-22 20:57:30 +01:00
r = manager_add_job_by_name(m, JOB_START, name, mode, NULL, &error, NULL);
core/manager: modernize style
2013-01-02 22:03:35 +01:00
if (r < 0)
core,network: major per-object logging rework This changes log_unit_info() (and friends) to take a real Unit* object insted of just a unit name as parameter. The call will now prefix all logged messages with the unit name, thus allowing the unit name to be dropped from the various passed romat strings, simplifying invocations drastically, and unifying log output across messages. Also, UNIT= vs. USER_UNIT= is now derived from the Manager object attached to the Unit object, instead of getpid(). This has the benefit of correcting the field for --test runs. Also contains a couple of other logging improvements: - Drops a couple of strerror() invocations in favour of using %m. - Not only .mount units now warn if a symlinks exist for the mount point already, .automount units do that too, now. - A few invocations of log_struct() that didn't actually pass any additional structured data have been replaced by simpler invocations of log_unit_info() and friends. - For structured data a new LOG_UNIT_MESSAGE() macro has been added, that works like LOG_MESSAGE() but prefixes the message with the unit name. Similar, there's now LOG_LINK_MESSAGE() and LOG_NETDEV_MESSAGE(). - For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(), LOG_NETDEV_INTERFACE() macros have been added that generate the necessary per object fields. The old log_unit_struct() call has been removed in favour of these new macros used in raw log_struct() invocations. In addition to removing one more function call this allows generated structured log messages that contain two object fields, as necessary for example for network interfaces that are joined into another network interface, and whose messages shall be indexed by both. - The LOG_ERRNO() macro has been removed, in favour of log_struct_errno(). The latter has the benefit of ensuring that %m in format strings is properly resolved to the specified error number. - A number of logging messages have been converted to use log_unit_info() instead of log_info() - The client code in sysv-generator no longer #includes core code from src/core/. - log_unit_full_errno() has been removed, log_unit_full() instead takes an errno now, too. - log_unit_info(), log_link_info(), log_netdev_info() and friends, now avoid double evaluation of their parameters
2015-05-11 20:38:21 +02:00
log_error("Failed to enqueue %s job: %s", name, bus_error_message(&error, r));
manager: simplify startup of special targets
2010-04-13 01:59:06 +02:00
}
core: add possibility to set action for ctrl-alt-del burst (#4105) For some certification, it should not be possible to reboot the machine through ctrl-alt-delete. Currently we suggest our customers to mask the ctrl-alt-delete target, but that is obviously not enough. Patching the keymaps to disable that is really not a way to go for them, because the settings need to be easily checked by some SCAP tools.
2016-10-07 03:08:21 +02:00
static void manager_handle_ctrl_alt_del(Manager *m) {
/* If the user presses C-A-D more than
* 7 times within 2s, we reboot/shutdown immediately,
* unless it was disabled in system.conf */
Rename ratelimit_test to ratelimit_below When I see "test", I have to think three times what the return value means. With "below" this is immediately clear. ratelimit_below(&limit) sounds almost like English and is imho immediately obvious. (I also considered ratelimit_ok, but this strongly implies that being under the limit is somehow better. Most of the times this is true, but then we use the ratelimit to detect triple-c-a-d, and "ok" doesn't fit so well there.) C.f. a1bcaa07.
2018-05-11 11:16:52 +02:00
if (ratelimit_below(&m->ctrl_alt_del_ratelimit) || m->cad_burst_action == EMERGENCY_ACTION_NONE)
core: add possibility to set action for ctrl-alt-del burst (#4105) For some certification, it should not be possible to reboot the machine through ctrl-alt-delete. Currently we suggest our customers to mask the ctrl-alt-delete target, but that is obviously not enough. Patching the keymaps to disable that is really not a way to go for them, because the settings need to be easily checked by some SCAP tools.
2016-10-07 03:08:21 +02:00
manager_start_target(m, SPECIAL_CTRL_ALT_DEL_TARGET, JOB_REPLACE_IRREVERSIBLY);
core: use emergency_action for ctr+alt+del burst Fixes #4306
2016-10-18 12:16:32 +02:00
else
core: allow to set exit status when using SuccessAction=/FailureAction=exit in units This adds SuccessActionExitStatus= and FailureActionExitStatus= that may be used to configure the exit status to propagate in when SuccessAction=exit or FailureAction=exit is used. When not specified let's also propagate the exit status of the main process we fork off for the unit.
2018-11-16 11:41:18 +01:00
emergency_action(m, m->cad_burst_action, EMERGENCY_ACTION_WARN, NULL, -1,
core: use emergency_action for ctr+alt+del burst Fixes #4306
2016-10-18 12:16:32 +02:00
"Ctrl-Alt-Del was pressed more than 7 times within 2s");
core: add possibility to set action for ctrl-alt-del burst (#4105) For some certification, it should not be possible to reboot the machine through ctrl-alt-delete. Currently we suggest our customers to mask the ctrl-alt-delete target, but that is obviously not enough. Patching the keymaps to disable that is really not a way to go for them, because the settings need to be easily checked by some SCAP tools.
2016-10-07 03:08:21 +02:00
}
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
Manager *m = userdata;
add simple event loop
2010-01-24 00:39:29 +01:00
ssize_t n;
struct signalfd_siginfo sfsi;
tree-wide: port everything over to fflush_and_check() Some places invoked fflush() directly with their own manual error checking, let's unify all that by using fflush_and_check(). This also unifies the general error paths of fflush()+rename() file writers.
2015-07-29 20:31:07 +02:00
int r;
add simple event loop
2010-01-24 00:39:29 +01:00
assert(m);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
assert(m->signal_fd == fd);
if (revents != EPOLLIN) {
log_warning("Got unexpected events from signal file descriptor.");
return 0;
}
add simple event loop
2010-01-24 00:39:29 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
n = read(m->signal_fd, &sfsi, sizeof(sfsi));
if (n != sizeof(sfsi)) {
if (n >= 0) {
log_warning("Truncated read from signal fd (%zu bytes), ignoring!", n);
return 0;
}
add simple event loop
2010-01-24 00:39:29 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
if (IN_SET(errno, EINTR, EAGAIN))
return 0;
add simple event loop
2010-01-24 00:39:29 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
/* We return an error here, which will kill this handler,
* to avoid a busy loop on read error. */
return log_error_errno(errno, "Reading from signal fd failed: %m");
}
add simple event loop
2010-01-24 00:39:29 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
log_received_signal(sfsi.ssi_signo == SIGCHLD ||
(sfsi.ssi_signo == SIGTERM && MANAGER_IS_USER(m))
? LOG_DEBUG : LOG_INFO,
&sfsi);
main: add a few more useful diagnostic log messages
2010-07-10 04:50:19 +02:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
switch (sfsi.ssi_signo) {
exit cleanly on SIGINT
2010-01-27 04:36:30 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
case SIGCHLD:
r = sd_event_source_set_enabled(m->sigchld_event_source, SD_EVENT_ON);
if (r < 0)
manager: avoid infinite loop for unexpected waitid() error (#8168) I think if we log the error as being _ignored_, we should also consider the event as handled and clear it. This was the behaviour prior to 575b300b (PR #7968). I don't think we particularly wanted to change behaviour and keep retrying. Sometimes that's useful, other times you cause more problems by filling the logs. Plus a nearby typo fix.
2018-02-13 19:04:31 +01:00
log_warning_errno(r, "Failed to enable SIGCHLD event source, ignoring: %m");
exit cleanly on SIGINT
2010-01-27 04:36:30 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
manager: run ctrl-alt-del/kbrequest targets on SIGINT/SIGWINCH when run in init mode
2010-02-13 01:17:08 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
case SIGTERM:
if (MANAGER_IS_SYSTEM(m)) {
core/manager: move some comments to a better place
2018-03-16 20:46:39 +01:00
/* This is for compatibility with the original sysvinit */
manager: normalize /run disk space checks Let's avoid using a variable needlessly. More importantly, special case the error, not the regular case.
2018-10-09 16:02:31 +02:00
if (verify_run_space_and_log("Refusing to reexecute") < 0)
break;
m->objective = MANAGER_REEXECUTE;
unit: introduce exit.service for exiting from session instances
2010-05-24 22:31:38 +02:00
break;
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
}
manager: run ctrl-alt-del/kbrequest targets on SIGINT/SIGWINCH when run in init mode
2010-02-13 01:17:08 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
_fallthrough_;
case SIGINT:
if (MANAGER_IS_SYSTEM(m))
manager_handle_ctrl_alt_del(m);
else
manager_start_target(m, SPECIAL_EXIT_TARGET,
JOB_REPLACE_IRREVERSIBLY);
break;
manager: run ctrl-alt-del/kbrequest targets on SIGINT/SIGWINCH when run in init mode
2010-02-13 01:17:08 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
case SIGWINCH:
core/manager: move some comments to a better place
2018-03-16 20:46:39 +01:00
/* This is a nop on non-init */
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
if (MANAGER_IS_SYSTEM(m))
manager_start_target(m, SPECIAL_KBREQUEST_TARGET, JOB_REPLACE);
manager: run ctrl-alt-del/kbrequest targets on SIGINT/SIGWINCH when run in init mode
2010-02-13 01:17:08 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
manager: run ctrl-alt-del/kbrequest targets on SIGINT/SIGWINCH when run in init mode
2010-02-13 01:17:08 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
case SIGPWR:
core/manager: move some comments to a better place
2018-03-16 20:46:39 +01:00
/* This is a nop on non-init */
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
if (MANAGER_IS_SYSTEM(m))
manager_start_target(m, SPECIAL_SIGPWR_TARGET, JOB_REPLACE);
trap some signals
2010-01-27 05:31:53 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
manager: start D-Bus on SIGUSR2
2010-04-13 03:20:22 +02:00
core: rework how we connect to the bus This removes the current bus_init() call, as it had multiple problems: it munged handling of the three bus connections we care about (private, "api" and system) into one, even though the conditions when which was ready are very different. It also added redundant logging, as the individual calls it called all logged on their own anyway. The three calls bus_init_api(), bus_init_private() and bus_init_system() are now made public. A new call manager_dbus_is_running() is added that works much like manager_journal_is_running() and is a lot more careful when checking whether dbus is around. Optionally it checks the unit's deserialized_state rather than state, in order to accomodate for cases where we cant to connect to the bus before deserializing the "subscribed" list, before coldplugging the units. manager_recheck_dbus() is added, that works a lot like manager_recheck_journal() and is invoked in unit_notify(), i.e. when units change state. All in all this should make handling a bit more alike to journal handling, and it also fixes one major bug: when running in user mode we'll now connect to the system bus early on, without conditionalizing this in anyway.
2018-02-07 14:52:22 +01:00
case SIGUSR1:
if (manager_dbus_is_running(m, false)) {
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
log_info("Trying to reconnect to bus...");
core: rework how we connect to the bus This removes the current bus_init() call, as it had multiple problems: it munged handling of the three bus connections we care about (private, "api" and system) into one, even though the conditions when which was ready are very different. It also added redundant logging, as the individual calls it called all logged on their own anyway. The three calls bus_init_api(), bus_init_private() and bus_init_system() are now made public. A new call manager_dbus_is_running() is added that works much like manager_journal_is_running() and is a lot more careful when checking whether dbus is around. Optionally it checks the unit's deserialized_state rather than state, in order to accomodate for cases where we cant to connect to the bus before deserializing the "subscribed" list, before coldplugging the units. manager_recheck_dbus() is added, that works a lot like manager_recheck_journal() and is invoked in unit_notify(), i.e. when units change state. All in all this should make handling a bit more alike to journal handling, and it also fixes one major bug: when running in user mode we'll now connect to the system bus early on, without conditionalizing this in anyway.
2018-02-07 14:52:22 +01:00
(void) bus_init_api(m);
if (MANAGER_IS_SYSTEM(m))
(void) bus_init_system(m);
} else {
log_info("Starting D-Bus service...");
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
manager_start_target(m, SPECIAL_DBUS_SERVICE, JOB_REPLACE);
}
manager: start D-Bus on SIGUSR2
2010-04-13 03:20:22 +02:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
case SIGUSR2: {
_cleanup_free_ char *dump = NULL;
r = manager_get_dump_string(m, &dump);
if (r < 0) {
log_warning_errno(errno, "Failed to acquire manager dump: %m");
manager: start D-Bus on SIGUSR2
2010-04-13 03:20:22 +02:00
break;
}
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
log_dump(LOG_INFO, dump);
break;
}
manager: dump to usual debug channel on SIGUSR2, don't rely on stdin
2010-06-04 19:45:53 +02:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
case SIGHUP:
manager: normalize /run disk space checks Let's avoid using a variable needlessly. More importantly, special case the error, not the regular case.
2018-10-09 16:02:31 +02:00
if (verify_run_space_and_log("Refusing to reload") < 0)
break;
m->objective = MANAGER_RELOAD;
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
default: {
/* Starting SIGRTMIN+0 */
static const struct {
const char *target;
JobMode mode;
} target_table[] = {
[0] = { SPECIAL_DEFAULT_TARGET, JOB_ISOLATE },
[1] = { SPECIAL_RESCUE_TARGET, JOB_ISOLATE },
[2] = { SPECIAL_EMERGENCY_TARGET, JOB_ISOLATE },
[3] = { SPECIAL_HALT_TARGET, JOB_REPLACE_IRREVERSIBLY },
[4] = { SPECIAL_POWEROFF_TARGET, JOB_REPLACE_IRREVERSIBLY },
[5] = { SPECIAL_REBOOT_TARGET, JOB_REPLACE_IRREVERSIBLY },
[6] = { SPECIAL_KEXEC_TARGET, JOB_REPLACE_IRREVERSIBLY },
};
/* Starting SIGRTMIN+13, so that target halt and system halt are 10 apart */
core: rename ManagerExitCode → ManagerObjective "ExitCode" is a bit of a misnomer in two ways: it suggests this was about the "exit code" concept that exit()/waitid() deal with, but really isn't. Moreover, it's not event just about exiting either, but more often about reloading/reexecing or rebooting. Let's hence pick a new name for this that is a bit more correct. I initially thought about naming this the "state", but that'd be a misnomer too, as the value really encodes a "goal" more than a current state. Also we already have the externally visible ManagerState. No actual changes in behaviour, just the rename.
2018-10-09 15:42:19 +02:00
static const ManagerObjective objective_table[] = {
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
[0] = MANAGER_HALT,
[1] = MANAGER_POWEROFF,
[2] = MANAGER_REBOOT,
[3] = MANAGER_KEXEC,
};
manager: flush memory stream before using the buffer When the manager receives a SIGUSR2 signal, it opens a memory stream with open_memstream(), uses the returned file handle for logging, and dumps the logged content with log_dump(). However, the char* buffer is only safe to use after the file handle has been flushed with fflush, as the man pages states: When the stream is closed (fclose(3)) or flushed (fflush(3)), the locations pointed to by ptr and sizeloc are updated to contain, respectively, a pointer to the buffer and the current size of the buffer. These values remain valid only as long as the caller performs no further output on the stream. If further output is performed, then the stream must again be flushed before trying to access these variables. Without that call, dump remains NULL and the daemon crashes in log_dump().
2014-03-07 14:43:59 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
if ((int) sfsi.ssi_signo >= SIGRTMIN+0 &&
(int) sfsi.ssi_signo < SIGRTMIN+(int) ELEMENTSOF(target_table)) {
int idx = (int) sfsi.ssi_signo - SIGRTMIN;
manager_start_target(m, target_table[idx].target,
target_table[idx].mode);
manager: switch SIGUSR1 and SIGSUR2, to follow upstart's scheme a little
2010-04-24 04:27:05 +02:00
break;
manager: dump to usual debug channel on SIGUSR2, don't rely on stdin
2010-06-04 19:45:53 +02:00
}
manager: switch SIGUSR1 and SIGSUR2, to follow upstart's scheme a little
2010-04-24 04:27:05 +02:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
if ((int) sfsi.ssi_signo >= SIGRTMIN+13 &&
core: rename ManagerExitCode → ManagerObjective "ExitCode" is a bit of a misnomer in two ways: it suggests this was about the "exit code" concept that exit()/waitid() deal with, but really isn't. Moreover, it's not event just about exiting either, but more often about reloading/reexecing or rebooting. Let's hence pick a new name for this that is a bit more correct. I initially thought about naming this the "state", but that'd be a misnomer too, as the value really encodes a "goal" more than a current state. Also we already have the externally visible ManagerState. No actual changes in behaviour, just the rename.
2018-10-09 15:42:19 +02:00
(int) sfsi.ssi_signo < SIGRTMIN+13+(int) ELEMENTSOF(objective_table)) {
m->objective = objective_table[sfsi.ssi_signo - SIGRTMIN - 13];
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
}
switch (sfsi.ssi_signo - SIGRTMIN) {
case 20:
pid1: rename manager_set_{show_status,watchdog}_overridden() into manager_override_(show_status,watchdog} No functional change.
2020-06-04 13:25:25 +02:00
manager_override_show_status(m, SHOW_STATUS_YES, "signal");
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
break;
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
case 21:
pid1: rename manager_set_{show_status,watchdog}_overridden() into manager_override_(show_status,watchdog} No functional change.
2020-06-04 13:25:25 +02:00
manager_override_show_status(m, SHOW_STATUS_NO, "signal");
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
manager: expose a few special units via SIGRTMIN+x signals
2010-06-17 23:22:56 +02:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
case 22:
pid1: preserve current value of log level across re-{load,execution} To make debugging easier, this patches allows one to change the log level and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log max level at runtime (via the bus or via signals), the change was lost on the next daemon reload/reexecution. In order to restore the original value back (set via system.conf, environment variables or any other means), the empty string in the "LogLevel" property is now supported as well as sending SIGRTMIN+23 signal.
2018-05-30 17:57:23 +02:00
manager_override_log_level(m, LOG_DEBUG);
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
case 23:
pid1: preserve current value of log level across re-{load,execution} To make debugging easier, this patches allows one to change the log level and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log max level at runtime (via the bus or via signals), the change was lost on the next daemon reload/reexecution. In order to restore the original value back (set via system.conf, environment variables or any other means), the empty string in the "LogLevel" property is now supported as well as sending SIGRTMIN+23 signal.
2018-05-30 17:57:23 +02:00
manager_restore_original_log_level(m);
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
manager: hookup shutdown helper and signals
2010-10-14 00:54:48 +02:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
case 24:
if (MANAGER_IS_USER(m)) {
core: rename ManagerExitCode → ManagerObjective "ExitCode" is a bit of a misnomer in two ways: it suggests this was about the "exit code" concept that exit()/waitid() deal with, but really isn't. Moreover, it's not event just about exiting either, but more often about reloading/reexecing or rebooting. Let's hence pick a new name for this that is a bit more correct. I initially thought about naming this the "state", but that'd be a misnomer too, as the value really encodes a "goal" more than a current state. Also we already have the externally visible ManagerState. No actual changes in behaviour, just the rename.
2018-10-09 15:42:19 +02:00
m->objective = MANAGER_EXIT;
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
return 0;
manager: if we receive SIGRTMIN+20/21 enable/disable showing of status on the console
2011-02-09 12:12:30 +01:00
}
add simple event loop
2010-01-24 00:39:29 +01:00
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
/* This is a nop on init */
break;
case 26:
case 29: /* compatibility: used to be mapped to LOG_TARGET_SYSLOG_OR_KMSG */
pid1: preserve current value of log target across re-{load,execution} To make debugging easier, this patches allows one to change the log target and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log target at runtime (via the bus or via signals), the change was lost on the next reload/reexecution. In order to restore back the default value (set via system.conf, environment variables or any other means ), the empty string in the "LogTarget" property is now supported as well as sending SIGTRMIN+26 signal.
2018-06-01 18:21:03 +02:00
manager_restore_original_log_target(m);
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
case 27:
pid1: preserve current value of log target across re-{load,execution} To make debugging easier, this patches allows one to change the log target and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log target at runtime (via the bus or via signals), the change was lost on the next reload/reexecution. In order to restore back the default value (set via system.conf, environment variables or any other means ), the empty string in the "LogTarget" property is now supported as well as sending SIGTRMIN+26 signal.
2018-06-01 18:21:03 +02:00
manager_override_log_target(m, LOG_TARGET_CONSOLE);
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
case 28:
pid1: preserve current value of log target across re-{load,execution} To make debugging easier, this patches allows one to change the log target and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log target at runtime (via the bus or via signals), the change was lost on the next reload/reexecution. In order to restore back the default value (set via system.conf, environment variables or any other means ), the empty string in the "LogTarget" property is now supported as well as sending SIGTRMIN+26 signal.
2018-06-01 18:21:03 +02:00
manager_override_log_target(m, LOG_TARGET_KMSG);
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
break;
default:
log_warning("Got unhandled signal <%s>.", signal_to_string(sfsi.ssi_signo));
}
}}
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
return 0;
}
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
static int manager_dispatch_time_change_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
Manager *m = userdata;
Iterator i;
Unit *u;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
assert(m);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
assert(m->time_change_fd == fd);
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
core: downgrade "Time has been changed" to debug (#4906) That message is emitted by every systemd instance on every resume: Dec 06 08:03:38 laptop systemd[1]: Time has been changed Dec 06 08:03:38 laptop systemd[823]: Time has been changed Dec 06 08:03:38 laptop systemd[916]: Time has been changed Dec 07 08:00:32 laptop systemd[1]: Time has been changed Dec 07 08:00:32 laptop systemd[823]: Time has been changed Dec 07 08:00:32 laptop systemd[916]: Time has been changed -- Reboot -- Dec 07 08:02:46 laptop systemd[836]: Time has been changed Dec 07 08:02:46 laptop systemd[1]: Time has been changed Dec 07 08:02:46 laptop systemd[926]: Time has been changed Dec 07 19:48:12 laptop systemd[1]: Time has been changed Dec 07 19:48:12 laptop systemd[836]: Time has been changed Dec 07 19:48:12 laptop systemd[926]: Time has been changed ... Fixes #4896.
2016-12-18 13:21:19 +01:00
log_struct(LOG_DEBUG,
tree-wide: add SD_ID128_MAKE_STR, remove LOG_MESSAGE_ID Embedding sd_id128_t's in constant strings was rather cumbersome. We had SD_ID128_CONST_STR which returned a const char[], but it had two problems: - it wasn't possible to statically concatanate this array with a normal string - gcc wasn't really able to optimize this, and generated code to perform the "conversion" at runtime. Because of this, even our own code in coredumpctl wasn't using SD_ID128_CONST_STR. Add a new macro to generate a constant string: SD_ID128_MAKE_STR. It is not as elegant as SD_ID128_CONST_STR, because it requires a repetition of the numbers, but in practice it is more convenient to use, and allows gcc to generate smarter code: $ size .libs/systemd{,-logind,-journald}{.old,} text data bss dec hex filename 1265204 149564 4808 1419576 15a938 .libs/systemd.old 1260268 149564 4808 1414640 1595f0 .libs/systemd 246805 13852 209 260866 3fb02 .libs/systemd-logind.old 240973 13852 209 255034 3e43a .libs/systemd-logind 146839 4984 34 151857 25131 .libs/systemd-journald.old 146391 4984 34 151409 24f71 .libs/systemd-journald It is also much easier to check if a certain binary uses a certain MESSAGE_ID: $ strings .libs/systemd.old|grep MESSAGE_ID MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x $ strings .libs/systemd|grep MESSAGE_ID MESSAGE_ID=c7a787079b354eaaa9e77b371893cd27 MESSAGE_ID=b07a249cd024414a82dd00cd181378ff MESSAGE_ID=641257651c1b4ec9a8624d7a40a9e1e7 MESSAGE_ID=de5b426a63be47a7b6ac3eaac82e2f6f MESSAGE_ID=d34d037fff1847e6ae669a370e694725 MESSAGE_ID=7d4958e842da4a758f6c1cdc7b36dcc5 MESSAGE_ID=1dee0369c7fc4736b7099b38ecb46ee7 MESSAGE_ID=39f53479d3a045ac8e11786248231fbf MESSAGE_ID=be02cf6855d2428ba40df7e9d022f03d MESSAGE_ID=7b05ebc668384222baa8881179cfda54 MESSAGE_ID=9d1aaa27d60140bd96365438aad20286
2016-11-06 18:48:23 +01:00
"MESSAGE_ID=" SD_MESSAGE_TIME_CHANGE_STR,
basic/log: add the log_struct terminator to macro This way all callers do not need to specify it. Exhaustively tested by running test-log under valgrind ;)
2018-06-04 12:59:22 +02:00
LOG_MESSAGE("Time has been changed"));
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
/* Restart the watch */
core: move destruction of old time event sources to manager_setup_time_change() It's a bit prettier that day as the function won't silently overwrite any possibly pre-initialized field, and destroy it right before we allocate a new event source.
2018-05-28 21:32:03 +02:00
(void) manager_setup_time_change(m);
swap: listen for POLLPRI events on /proc/swaps if available
2010-10-18 23:09:09 +02:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
HASHMAP_FOREACH(u, m->units, i)
if (UNIT_VTABLE(u)->time_change)
UNIT_VTABLE(u)->time_change(u);
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
return 0;
}
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
static int manager_dispatch_timezone_change(
sd_event_source *source,
const struct inotify_event *e,
void *userdata) {
Manager *m = userdata;
int changed;
Iterator i;
Unit *u;
assert(m);
log_debug("inotify event for /etc/localtime");
changed = manager_read_timezone_stat(m);
cocci: simplify some if checks
2018-11-16 14:42:14 +01:00
if (changed <= 0)
core: subscribe to /etc/localtime timezone changes and update timer elapsation accordingly Fixes: #8233 This is our first real-life usecase for the new sd_event_add_inotify() calls we just added.
2018-05-28 21:33:10 +02:00
return changed;
/* Something changed, restart the watch, to ensure we watch the new /etc/localtime if it changed */
(void) manager_setup_timezone_change(m);
/* Read the new timezone */
tzset();
log_debug("Timezone has been changed (now: %s).", tzname[daylight]);
HASHMAP_FOREACH(u, m->units, i)
if (UNIT_VTABLE(u)->timezone_change)
UNIT_VTABLE(u)->timezone_change(u);
return 0;
}
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
static int manager_dispatch_idle_pipe_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
Manager *m = userdata;
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
assert(m);
assert(m->idle_pipe[2] == fd);
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
manager: add some explanatory comments to manager_dispatch_idle_pipe_fd()
2018-01-24 19:52:14 +01:00
/* There's at least one Type=idle child that just gave up on us waiting for the boot process to complete. Let's
* now turn off any further console output if there's at least one service that needs console access, so that
* from now on our own output should not spill into that service's output anymore. After all, we support
* Type=idle only to beautify console output and it generally is set on services that want to own the console
* exclusively without our interference. */
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
m->no_console_output = m->n_on_console > 0;
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
manager: add some explanatory comments to manager_dispatch_idle_pipe_fd()
2018-01-24 19:52:14 +01:00
/* Acknowledge the child's request, and let all all other children know too that they shouldn't wait any longer
* by closing the pipes towards them, which is what they are waiting for. */
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
manager_close_idle_pipe(m);
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
return 0;
}
systemd: do not output status messages once gettys are running Make Type=idle communication bidirectional: when bootup is finished, the manager, as before, signals idling Type=idle jobs to continue. However, if the boot takes too long, idling jobs signal the manager that they have had enough, wait a tiny bit more, and continue, taking ownership of the console. The manager, when signalled that Type=idle jobs are done, makes a note and will not write to the console anymore. This is a cosmetic issue, but quite noticable, so let's just fix it. Based on Harald Hoyer's patch. https://bugs.freedesktop.org/show_bug.cgi?id=54247 http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/
2013-07-16 03:34:57 +02:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
static int manager_dispatch_jobs_in_progress(sd_event_source *source, usec_t usec, void *userdata) {
Manager *m = userdata;
manager: rearm jobs timer It would fire just once. Also fix units from sec to usec as appropriate. Decrease the switching interval to 1/3 s, so that when the time remaining is displayed with 1s precision, it doesn't jump by 2s every once in a while. Also, the system is feels noticably faster when the status changes couple of times per second instead of every few seconds.
2014-01-27 07:15:27 +01:00
int r;
systemd: do not output status messages once gettys are running Make Type=idle communication bidirectional: when bootup is finished, the manager, as before, signals idling Type=idle jobs to continue. However, if the boot takes too long, idling jobs signal the manager that they have had enough, wait a tiny bit more, and continue, taking ownership of the console. The manager, when signalled that Type=idle jobs are done, makes a note and will not write to the console anymore. This is a cosmetic issue, but quite noticable, so let's just fix it. Based on Harald Hoyer's patch. https://bugs.freedesktop.org/show_bug.cgi?id=54247 http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/
2013-07-16 03:34:57 +02:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
assert(m);
manager: rearm jobs timer It would fire just once. Also fix units from sec to usec as appropriate. Decrease the switching interval to 1/3 s, so that when the time remaining is displayed with 1s precision, it doesn't jump by 2s every once in a while. Also, the system is feels noticably faster when the status changes couple of times per second instead of every few seconds.
2014-01-27 07:15:27 +01:00
assert(source);
add simple event loop
2010-01-24 00:39:29 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
manager_print_jobs_in_progress(m);
manager: rearm jobs timer It would fire just once. Also fix units from sec to usec as appropriate. Decrease the switching interval to 1/3 s, so that when the time remaining is displayed with 1s precision, it doesn't jump by 2s every once in a while. Also, the system is feels noticably faster when the status changes couple of times per second instead of every few seconds.
2014-01-27 07:15:27 +01:00
tree-wide: make use of new relative time events in sd-event.h
2020-07-28 11:18:26 +02:00
r = sd_event_source_set_time_relative(source, JOBS_IN_PROGRESS_PERIOD_USEC);
manager: rearm jobs timer It would fire just once. Also fix units from sec to usec as appropriate. Decrease the switching interval to 1/3 s, so that when the time remaining is displayed with 1s precision, it doesn't jump by 2s every once in a while. Also, the system is feels noticably faster when the status changes couple of times per second instead of every few seconds.
2014-01-27 07:15:27 +01:00
if (r < 0)
return r;
return sd_event_source_set_enabled(source, SD_EVENT_ONESHOT);
add simple event loop
2010-01-24 00:39:29 +01:00
}
int manager_loop(Manager *m) {
Drop RATELIMIT macros Using plain structure initialization is both shorter _and_ more clearer. We get type safety for free.
2019-09-19 17:41:20 +02:00
RateLimit rl = { .interval = 1*USEC_PER_SEC, .burst = 50000 };
add simple event loop
2010-01-24 00:39:29 +01:00
int r;
assert(m);
core: rework how we set the objective to MANAGER_OK Let's do so already when we are about to complete startup/reload, so that manager_catchup() is run in a context where MANAGER_IS_RUNNING() returns true, as the intention is. Fixes: #9518
2018-10-09 17:58:08 +02:00
assert(m->objective == MANAGER_OK); /* Ensure manager_startup() has been called */
add simple event loop
2010-01-24 00:39:29 +01:00
manager: measure startup times
2010-09-21 04:14:38 +02:00
manager_check_finished(m);
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
/* There might still be some zombies hanging around from before we were exec()'ed. Let's reap them. */
r = sd_event_source_set_enabled(m->sigchld_event_source, SD_EVENT_ON);
systemd: add hardware watchdog support This adds minimal hardware watchdog support to PID 1. The idea is that PID 1 supervises and watchdogs system services, while the hardware watchdog is used to supervise PID 1. This adds two hardware watchdog configuration options, for the runtime watchdog and for a shutdown watchdog. The former is active during normal operation, the latter only at reboots to ensure that if a clean reboot times out we reboot nonetheless. If the runtime watchdog is enabled PID 1 will automatically wake up at half the configured interval and write to the watchdog daemon. By default we enable the shutdown watchdog, but leave the runtime watchdog disabled in order not to break independent hardware watchdog daemons people might be using. This is only the most basic hookup. If necessary we can later on hook up the watchdog ping more closely with services deemed crucial.
2012-04-05 22:08:10 +02:00
if (r < 0)
pid1: rework how we dispatch SIGCHLD and other signals This fundamentally makes one change: we never process more than one signal or more than one waitid() event per event loop. We'll never tight loop around waitid() or around read() on our signalfd instead, but always return to the main event loop after processing one event. By doing this we put the event priorization handling into full power again, as we'll always check for higher priority events before looking at the next signal or waitid() again. This introduces a new "defer" event source "sigchld_event". It's enabled as soon as we see SIGCHLD, and disabled as soon as waitid() reported no further children pending. It's running at a relatively high priority, one step higher than signal handling itself, but lower than /proc/self/mountinfo event handling, so that the latter always takes precedence. Since we want to process sd_notify() events at an even higher priority than SIGCHLD (as before) it is moved one priority step up, too. Fixes: #7932 Possibly fixes: #7966
2018-01-23 18:18:13 +01:00
return log_error_errno(r, "Failed to enable SIGCHLD event source: %m");
manager: before entering loop dispatch queued up SIGCHLDs
2010-05-18 04:16:33 +02:00
core: rename ManagerExitCode → ManagerObjective "ExitCode" is a bit of a misnomer in two ways: it suggests this was about the "exit code" concept that exit()/waitid() deal with, but really isn't. Moreover, it's not event just about exiting either, but more often about reloading/reexecing or rebooting. Let's hence pick a new name for this that is a bit more correct. I initially thought about naming this the "state", but that'd be a misnomer too, as the value really encodes a "goal" more than a current state. Also we already have the externally visible ManagerState. No actual changes in behaviour, just the rename.
2018-10-09 15:42:19 +02:00
while (m->objective == MANAGER_OK) {
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
usec_t wait_usec, watchdog_usec;
add simple event loop
2010-01-24 00:39:29 +01:00
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
watchdog_usec = manager_get_watchdog(m, WATCHDOG_RUNTIME);
if (timestamp_is_set(watchdog_usec))
systemd: add hardware watchdog support This adds minimal hardware watchdog support to PID 1. The idea is that PID 1 supervises and watchdogs system services, while the hardware watchdog is used to supervise PID 1. This adds two hardware watchdog configuration options, for the runtime watchdog and for a shutdown watchdog. The former is active during normal operation, the latter only at reboots to ensure that if a clean reboot times out we reboot nonetheless. If the runtime watchdog is enabled PID 1 will automatically wake up at half the configured interval and write to the watchdog daemon. By default we enable the shutdown watchdog, but leave the runtime watchdog disabled in order not to break independent hardware watchdog daemons people might be using. This is only the most basic hookup. If necessary we can later on hook up the watchdog ping more closely with services deemed crucial.
2012-04-05 22:08:10 +02:00
watchdog_ping();
Rename ratelimit_test to ratelimit_below When I see "test", I have to think three times what the return value means. With "below" this is immediately clear. ratelimit_below(&limit) sounds almost like English and is imho immediately obvious. (I also considered ratelimit_ok, but this strongly implies that being under the limit is somehow better. Most of the times this is true, but then we use the ratelimit to detect triple-c-a-d, and "ok" doesn't fit so well there.) C.f. a1bcaa07.
2018-05-11 11:16:52 +02:00
if (!ratelimit_below(&rl)) {
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
/* Yay, something is going seriously wrong, pause a little */
log_warning("Looping too fast. Throttling execution a little.");
sleep(1);
}
manager: rearrange order of mainloop, put gc/cleanup last to maximize reusing
2010-05-16 03:57:56 +02:00
if (manager_dispatch_load_queue(m) > 0)
rework merging/loading logic
2010-04-06 02:43:58 +02:00
continue;
core: GC redundant device jobs from the run queue In contrast to all other unit types device units when queued just track external state, they cannot effect state changes on their own. Hence unless a client or other job waits for them there's no reason to keep them in the job queue. This adds a concept of GC'ing jobs of this type as soon as no client or other job waits for them anymore. To ensure this works correctly we need to track which clients actually reference a job (i.e. which ones enqueued it). Unfortunately that's pretty nasty to do for direct connections, as sd_bus_track doesn't work for them. For now, work around this, by simply remembering in a boolean that a job was requested by a direct connection, and reset it when we notice the direct connection is gone. This means the GC logic works fine, except that jobs are not immediately removed when direct connections disconnect. In the longer term, a rework of the bus logic should fix this properly. For now this should be good enough, as GC works for fine all cases except this one, and thus is a clear improvement over the previous behaviour. Fixes: #1921
2016-11-15 19:32:50 +01:00
if (manager_dispatch_gc_job_queue(m) > 0)
continue;
if (manager_dispatch_gc_unit_queue(m) > 0)
manager: automatically GC unreferenced units
2010-04-21 06:01:13 +02:00
continue;
core: make GC more aggressive Since we should allow registering/unregistering transient units with the same name in a tight-loop, we need to make the GC more aggressive, so that dead units are cleaned up immediately instead of later. hence, execute the GC sweep on every event loop iteration and clean up units. This of course, means we need to be careful with adding units to the GC queue, which we already are since we execute check_gc() of each unit type already when adding something to the queue.
2013-07-02 17:41:57 +02:00
if (manager_dispatch_cleanup_queue(m) > 0)
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
continue;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
core: rename cgroup_queue → cgroup_realize_queue We are about to add second cgroup-related queue, called "cgroup_empty_queue", hence let's rename "cgroup_queue" to "cgroup_realize_queue" (as that is its purpose) to minimize confusion about the two queues. Just a rename, no functional changes.
2017-09-26 22:15:02 +02:00
if (manager_dispatch_cgroup_realize_queue(m) > 0)
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
continue;
core: rework StopWhenUnneeded= logic Previously, we'd act immediately on StopWhenUnneeded= when a unit state changes. With this rework we'll maintain a queue instead: whenever there's the chance that StopWhenUneeded= might have an effect we enqueue the unit, and process it later when we have nothing better to do. This should make the implementation a bit more reliable, as the unit notify event cannot immediately enqueue tons of side-effect jobs that might contradict each other, but we do so only in a strictly ordered fashion, from the main event loop. This slightly changes the check when to consider a unit "unneeded". Previously, we'd assume that a unit in "deactivating" state could also be cleaned up. With this new logic we'll only consider units unneeded that are fully up and have no job queued. This means that whenever there's something pending for a unit we won't clean it up.
2018-08-09 16:26:27 +02:00
if (manager_dispatch_stop_when_unneeded_queue(m) > 0)
continue;
dbus: send out signals when units/jobs come, go and change
2010-02-05 00:38:41 +01:00
if (manager_dispatch_dbus_queue(m) > 0)
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
continue;
watchdog: reduce watchdog pings in timeout interval The watchdog ping is performed for every iteration of manager event loop. This results in a lot of ioctls on watchdog device driver especially during boot or if services are aggressively using sd_notify. Depending on the watchdog device driver this may have performance impact on embedded systems. The patch skips sending the watchdog to device driver if the ping is requested before half of the watchdog timeout.
2020-04-02 09:10:55 +02:00
/* Sleep for watchdog runtime wait time */
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
if (timestamp_is_set(watchdog_usec))
watchdog: reduce watchdog pings in timeout interval The watchdog ping is performed for every iteration of manager event loop. This results in a lot of ioctls on watchdog device driver especially during boot or if services are aggressively using sd_notify. Depending on the watchdog device driver this may have performance impact on embedded systems. The patch skips sending the watchdog to device driver if the ping is requested before half of the watchdog timeout.
2020-04-02 09:10:55 +02:00
wait_usec = watchdog_runtime_wait();
else
time-util: add and use USEC/NSEC_INFINIY
2014-07-29 12:23:31 +02:00
wait_usec = USEC_INFINITY;
add simple event loop
2010-01-24 00:39:29 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
r = sd_event_run(m->event, wait_usec);
treewide: more log_*_errno + return simplifications
2014-11-28 18:23:20 +01:00
if (r < 0)
return log_error_errno(r, "Failed to run event loop: %m");
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
}
process only one epoll event at a time if we ask for more than one from the kernel we might need to check for the validity of the ptr element since event might be processed after its ptr was already destructed.
2010-01-27 22:40:10 +01:00
core: rename ManagerExitCode → ManagerObjective "ExitCode" is a bit of a misnomer in two ways: it suggests this was about the "exit code" concept that exit()/waitid() deal with, but really isn't. Moreover, it's not event just about exiting either, but more often about reloading/reexecing or rebooting. Let's hence pick a new name for this that is a bit more correct. I initially thought about naming this the "state", but that'd be a misnomer too, as the value really encodes a "goal" more than a current state. Also we already have the externally visible ManagerState. No actual changes in behaviour, just the rename.
2018-10-09 15:42:19 +02:00
return m->objective;
implement proper binding on ports
2010-01-23 22:56:47 +01:00
}
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
int manager_load_unit_from_dbus_path(Manager *m, const char *s, sd_bus_error *e, Unit **_u) {
core: split out unit bus path unescaping into unit_name_from_dbus_path()
2013-07-02 01:35:08 +02:00
_cleanup_free_ char *n = NULL;
core: add "invocation ID" concept to service manager This adds a new invocation ID concept to the service manager. The invocation ID identifies each runtime cycle of a unit uniquely. A new randomized 128bit ID is generated each time a unit moves from and inactive to an activating or active state. The primary usecase for this concept is to connect the runtime data PID 1 maintains about a service with the offline data the journal stores about it. Previously we'd use the unit name plus start/stop times, which however is highly racy since the journal will generally process log data after the service already ended. The "invocation ID" kinda matches the "boot ID" concept of the Linux kernel, except that it applies to an individual unit instead of the whole system. The invocation ID is passed to the activated processes as environment variable. It is additionally stored as extended attribute on the cgroup of the unit. The latter is used by journald to automatically retrieve it for each log logged message and attach it to the log entry. The environment variable is very easily accessible, even for unprivileged services. OTOH the extended attribute is only accessible to privileged processes (this is because cgroupfs only supports the "trusted." xattr namespace, not "user."). The environment variable may be altered by services, the extended attribute may not be, hence is the better choice for the journal. Note that reading the invocation ID off the extended attribute from journald is racy, similar to the way reading the unit name for a logging process is. This patch adds APIs to read the invocation ID to sd-id128: sd_id128_get_invocation() may be used in a similar fashion to sd_id128_get_boot(). PID1's own logging is updated to always include the invocation ID when it logs information about a unit. A new bus call GetUnitByInvocationID() is added that allows retrieving a bus path to a unit by its invocation ID. The bus path is built using the invocation ID, thus providing a path for referring to a unit that is valid only for the current runtime cycleof it. Outlook for the future: should the kernel eventually allow passing of cgroup information along AF_UNIX/SOCK_DGRAM messages via a unique cgroup id, then we can alter the invocation ID to be generated as hash from that rather than entirely randomly. This way we can derive the invocation race-freely from the messages.
2016-08-30 23:18:46 +02:00
sd_id128_t invocation_id;
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
Unit *u;
dbus-unit: always load the unit before handling a message for it We need to be able to show the properties even of inactive units. systemctl loads the unit before getting its properties, but this is racy as the garbage collector may kick in right after the loading. Fix it by always loading the unit before handling a message for it. https://bugzilla.redhat.com/show_bug.cgi?id=814966#c6
2012-05-21 12:54:34 +02:00
int r;
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
assert(m);
assert(s);
assert(_u);
core: split out unit bus path unescaping into unit_name_from_dbus_path()
2013-07-02 01:35:08 +02:00
r = unit_name_from_dbus_path(s, &n);
if (r < 0)
return r;
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
core: add "invocation ID" concept to service manager This adds a new invocation ID concept to the service manager. The invocation ID identifies each runtime cycle of a unit uniquely. A new randomized 128bit ID is generated each time a unit moves from and inactive to an activating or active state. The primary usecase for this concept is to connect the runtime data PID 1 maintains about a service with the offline data the journal stores about it. Previously we'd use the unit name plus start/stop times, which however is highly racy since the journal will generally process log data after the service already ended. The "invocation ID" kinda matches the "boot ID" concept of the Linux kernel, except that it applies to an individual unit instead of the whole system. The invocation ID is passed to the activated processes as environment variable. It is additionally stored as extended attribute on the cgroup of the unit. The latter is used by journald to automatically retrieve it for each log logged message and attach it to the log entry. The environment variable is very easily accessible, even for unprivileged services. OTOH the extended attribute is only accessible to privileged processes (this is because cgroupfs only supports the "trusted." xattr namespace, not "user."). The environment variable may be altered by services, the extended attribute may not be, hence is the better choice for the journal. Note that reading the invocation ID off the extended attribute from journald is racy, similar to the way reading the unit name for a logging process is. This patch adds APIs to read the invocation ID to sd-id128: sd_id128_get_invocation() may be used in a similar fashion to sd_id128_get_boot(). PID1's own logging is updated to always include the invocation ID when it logs information about a unit. A new bus call GetUnitByInvocationID() is added that allows retrieving a bus path to a unit by its invocation ID. The bus path is built using the invocation ID, thus providing a path for referring to a unit that is valid only for the current runtime cycleof it. Outlook for the future: should the kernel eventually allow passing of cgroup information along AF_UNIX/SOCK_DGRAM messages via a unique cgroup id, then we can alter the invocation ID to be generated as hash from that rather than entirely randomly. This way we can derive the invocation race-freely from the messages.
2016-08-30 23:18:46 +02:00
/* Permit addressing units by invocation ID: if the passed bus path is suffixed by a 128bit ID then we use it
* as invocation ID. */
r = sd_id128_from_string(n, &invocation_id);
if (r >= 0) {
u = hashmap_get(m->units_by_invocation_id, &invocation_id);
if (u) {
*_u = u;
return 0;
}
pid1: do not write invalid utf-8 in error message We'd write a sequence that was invalid unicode and this caused the d-bus connection to be terminated: $ busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/dbus_2esocket org.freedesktop.systemd1.Unit SubState s "running" $ busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/dbus_e2socket org.freedesktop.systemd1.Unit SubState Remote peer disconnected $ busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/dbus_e2socket org.freedesktop.systemd1.Unit SubState (hangs) Fixes #8978.
2018-05-13 22:04:12 +02:00
return sd_bus_error_setf(e, BUS_ERROR_NO_UNIT_FOR_INVOCATION_ID,
"No unit with the specified invocation ID " SD_ID128_FORMAT_STR " known.",
SD_ID128_FORMAT_VAL(invocation_id));
core: add "invocation ID" concept to service manager This adds a new invocation ID concept to the service manager. The invocation ID identifies each runtime cycle of a unit uniquely. A new randomized 128bit ID is generated each time a unit moves from and inactive to an activating or active state. The primary usecase for this concept is to connect the runtime data PID 1 maintains about a service with the offline data the journal stores about it. Previously we'd use the unit name plus start/stop times, which however is highly racy since the journal will generally process log data after the service already ended. The "invocation ID" kinda matches the "boot ID" concept of the Linux kernel, except that it applies to an individual unit instead of the whole system. The invocation ID is passed to the activated processes as environment variable. It is additionally stored as extended attribute on the cgroup of the unit. The latter is used by journald to automatically retrieve it for each log logged message and attach it to the log entry. The environment variable is very easily accessible, even for unprivileged services. OTOH the extended attribute is only accessible to privileged processes (this is because cgroupfs only supports the "trusted." xattr namespace, not "user."). The environment variable may be altered by services, the extended attribute may not be, hence is the better choice for the journal. Note that reading the invocation ID off the extended attribute from journald is racy, similar to the way reading the unit name for a logging process is. This patch adds APIs to read the invocation ID to sd-id128: sd_id128_get_invocation() may be used in a similar fashion to sd_id128_get_boot(). PID1's own logging is updated to always include the invocation ID when it logs information about a unit. A new bus call GetUnitByInvocationID() is added that allows retrieving a bus path to a unit by its invocation ID. The bus path is built using the invocation ID, thus providing a path for referring to a unit that is valid only for the current runtime cycleof it. Outlook for the future: should the kernel eventually allow passing of cgroup information along AF_UNIX/SOCK_DGRAM messages via a unique cgroup id, then we can alter the invocation ID to be generated as hash from that rather than entirely randomly. This way we can derive the invocation race-freely from the messages.
2016-08-30 23:18:46 +02:00
}
core: return a friendlier error for a dbus path referring to a non-existent unit See: #6059
2017-06-21 20:45:23 +02:00
/* If this didn't work, we check if this is a unit name */
pid1: do not write invalid utf-8 in error message We'd write a sequence that was invalid unicode and this caused the d-bus connection to be terminated: $ busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/dbus_2esocket org.freedesktop.systemd1.Unit SubState s "running" $ busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/dbus_e2socket org.freedesktop.systemd1.Unit SubState Remote peer disconnected $ busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/dbus_e2socket org.freedesktop.systemd1.Unit SubState (hangs) Fixes #8978.
2018-05-13 22:04:12 +02:00
if (!unit_name_is_valid(n, UNIT_NAME_PLAIN|UNIT_NAME_INSTANCE)) {
_cleanup_free_ char *nn = NULL;
nn = cescape(n);
return sd_bus_error_setf(e, SD_BUS_ERROR_INVALID_ARGS,
"Unit name %s is neither a valid invocation ID nor unit name.", strnull(nn));
}
core: return a friendlier error for a dbus path referring to a non-existent unit See: #6059
2017-06-21 20:45:23 +02:00
dbus-unit: always load the unit before handling a message for it We need to be able to show the properties even of inactive units. systemctl loads the unit before getting its properties, but this is racy as the garbage collector may kick in right after the loading. Fix it by always loading the unit before handling a message for it. https://bugzilla.redhat.com/show_bug.cgi?id=814966#c6
2012-05-21 12:54:34 +02:00
r = manager_load_unit(m, n, NULL, e, &u);
if (r < 0)
return r;
add basic (and not very useful) D-Bus support
2010-02-01 03:33:24 +01:00
*_u = u;
return 0;
}
dbus: install some properties on the job objects
2010-02-02 12:42:08 +01:00
int manager_get_job_from_dbus_path(Manager *m, const char *s, Job **_j) {
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
const char *p;
dbus: install some properties on the job objects
2010-02-02 12:42:08 +01:00
unsigned id;
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
Job *j;
dbus: install some properties on the job objects
2010-02-02 12:42:08 +01:00
int r;
assert(m);
assert(s);
assert(_j);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
p = startswith(s, "/org/freedesktop/systemd1/job/");
if (!p)
dbus: install some properties on the job objects
2010-02-02 12:42:08 +01:00
return -EINVAL;
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
r = safe_atou(p, &id);
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
if (r < 0)
dbus: install some properties on the job objects
2010-02-02 12:42:08 +01:00
return r;
timer: recalculate next elapse for calendar timer units when the system clock is changed
2012-11-25 00:32:40 +01:00
j = manager_get_job(m, id);
if (!j)
dbus: install some properties on the job objects
2010-02-02 12:42:08 +01:00
return -ENOENT;
*_j = j;
return 0;
}
manager: identify the init/system/user mode we are running it and pick D-Bus bus accordingly
2010-02-12 21:57:39 +01:00
audit,utmp: implement audit logic and rip utmp stuff out of the main daemon and into a helper binary
2010-08-11 01:43:23 +02:00
void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_AUDIT
core: use automatic cleanup in two functions
2014-01-12 21:55:10 +01:00
_cleanup_free_ char *p = NULL;
audit: improve the audit messages we generate always pass along comm, as documented by audit. Always set the correct comm value.
2014-11-04 00:47:44 +01:00
const char *msg;
core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-30 20:21:00 +02:00
int audit_fd, r;
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
if (!MANAGER_IS_SYSTEM(m))
core: bail our earlier when doing audit Let's make sure we don't even try to create the audit socket
2015-10-28 18:23:26 +01:00
return;
audit: turn the audit fd into a static variable As audit is pretty much just a special kind of logging we should treat it similar, and manage the audit fd in a static variable. This simplifies the audit fd sharing with the SELinux access checking code quite a bit.
2012-10-02 23:40:09 +02:00
audit_fd = get_audit_fd();
if (audit_fd < 0)
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
return;
audit: suppress repeated audit events when deserializing
2010-08-12 03:51:58 +02:00
/* Don't generate audit events if the service was already
* started and we're just deserializing */
core: introduce MANAGER_IS_RELOADING() macro This replaces the old function call manager_is_reloading_or_reexecuting() which was used only at very few places. Use the new macro wherever we check whether we are reloading. This should hopefully make things a bit more readable, given the nature of Manager:n_reloading being a counter.
2016-02-24 21:36:09 +01:00
if (MANAGER_IS_RELOADING(m))
audit: suppress repeated audit events when deserializing
2010-08-12 03:51:58 +02:00
return;
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->type != UNIT_SERVICE)
syslog: rework syslog detection so that we need no compile-time option what the name of the syslog implementation is
2011-03-18 04:31:22 +01:00
return;
core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-30 20:21:00 +02:00
r = unit_name_to_prefix_and_instance(u->id, &p);
if (r < 0) {
log_error_errno(r, "Failed to extract prefix and instance of unit name: %m");
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
return;
}
util: rework strappenda(), and rename it strjoina() After all it is now much more like strjoin() than strappend(). At the same time, add support for NULL sentinels, even if they are normally not necessary.
2015-02-03 02:05:59 +01:00
msg = strjoina("unit=", p);
audit: improve the audit messages we generate always pass along comm, as documented by audit. Always set the correct comm value.
2014-11-04 00:47:44 +01:00
if (audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
if (errno == EPERM)
audit: give up sending auditing messages when it failed due to EPERM
2011-03-14 17:48:34 +01:00
/* We aren't allowed to send audit messages?
audit: ignore if we get EPERM if auditing access is not available, then don't complain about it, in order to play nice with systems lacking CAP_SYS_AUDIT
2012-04-13 17:17:56 +02:00
* Then let's not retry again. */
audit: turn the audit fd into a static variable As audit is pretty much just a special kind of logging we should treat it similar, and manage the audit fd in a static variable. This simplifies the audit fd sharing with the SELinux access checking code quite a bit.
2012-10-02 23:40:09 +02:00
close_audit_fd();
audit: improve the audit messages we generate always pass along comm, as documented by audit. Always set the correct comm value.
2014-11-04 00:47:44 +01:00
else
treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:29:59 +01:00
log_warning_errno(errno, "Failed to send audit message: %m");
audit: give up sending auditing messages when it failed due to EPERM
2011-03-14 17:48:34 +01:00
}
audit,utmp: implement audit logic and rip utmp stuff out of the main daemon and into a helper binary
2010-08-11 01:43:23 +02:00
#endif
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
}
manager: notify plymouth about progress if it is running
2010-10-06 03:55:49 +02:00
void manager_send_unit_plymouth(Manager *m, Unit *u) {
tree-wide: introduce new SOCKADDR_UN_LEN() macro, and use it everywhere The macro determines the right length of a AF_UNIX "struct sockaddr_un" to pass to connect() or bind(). It automatically figures out if the socket refers to an abstract namespace socket, or a socket in the file system, and properly handles the full length of the path field. This macro is not only safer, but also simpler to use, than the usual offsetof() + strlen() logic.
2016-05-05 22:24:36 +02:00
static const union sockaddr_union sa = PLYMOUTH_SOCKET;
core: use automatic cleanup in two functions
2014-01-12 21:55:10 +01:00
_cleanup_free_ char *message = NULL;
_cleanup_close_ int fd = -1;
tree-wide: introduce new SOCKADDR_UN_LEN() macro, and use it everywhere The macro determines the right length of a AF_UNIX "struct sockaddr_un" to pass to connect() or bind(). It automatically figures out if the socket refers to an abstract namespace socket, or a socket in the file system, and properly handles the full length of the path field. This macro is not only safer, but also simpler to use, than the usual offsetof() + strlen() logic.
2016-05-05 22:24:36 +02:00
int n = 0;
manager: notify plymouth about progress if it is running
2010-10-06 03:55:49 +02:00
/* Don't generate plymouth events if the service was already
* started and we're just deserializing */
core: introduce MANAGER_IS_RELOADING() macro This replaces the old function call manager_is_reloading_or_reexecuting() which was used only at very few places. Use the new macro wherever we check whether we are reloading. This should hopefully make things a bit more readable, given the nature of Manager:n_reloading being a counter.
2016-02-24 21:36:09 +01:00
if (MANAGER_IS_RELOADING(m))
manager: notify plymouth about progress if it is running
2010-10-06 03:55:49 +02:00
return;
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
if (!MANAGER_IS_SYSTEM(m))
manager: notify plymouth about progress if it is running
2010-10-06 03:55:49 +02:00
return;
basic: rework virtualization detection API Introduce a proper enum, and don't pass around string ids anymore. This simplifies things quite a bit, and makes virtualization detection more similar to architecture detection.
2015-09-07 13:42:47 +02:00
if (detect_container() > 0)
manager: don't do plymouth in a container Given that plymouth listens on an abstract namespace socket and if CLONE_NEWNET is not used the abstract namespace is shared with the host we might actually end up send plymouth data to the host.
2013-11-20 03:44:11 +01:00
return;
tree-wide: use `!IN_SET(..)` for `a != b && a != c && …` The included cocci was used to generate the changes. Thanks to @flo-wer for pointing this case out.
2017-09-29 09:58:22 +02:00
if (!IN_SET(u->type, UNIT_SERVICE, UNIT_MOUNT, UNIT_SWAP))
manager: notify plymouth about progress if it is running
2010-10-06 03:55:49 +02:00
return;
/* We set SOCK_NONBLOCK here so that we rather drop the
* message then wait for plymouth */
Modernization Use _cleanup_ and wrap lines to ~80 chars and such.
2013-03-25 00:45:16 +01:00
fd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
if (fd < 0) {
treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:29:59 +01:00
log_error_errno(errno, "socket() failed: %m");
manager: notify plymouth about progress if it is running
2010-10-06 03:55:49 +02:00
return;
}
tree-wide: introduce new SOCKADDR_UN_LEN() macro, and use it everywhere The macro determines the right length of a AF_UNIX "struct sockaddr_un" to pass to connect() or bind(). It automatically figures out if the socket refers to an abstract namespace socket, or a socket in the file system, and properly handles the full length of the path field. This macro is not only safer, but also simpler to use, than the usual offsetof() + strlen() logic.
2016-05-05 22:24:36 +02:00
if (connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0) {
tree-wide: use ERRNO_IS_DISCONNECT() at more places
2019-03-19 15:39:34 +01:00
if (!IN_SET(errno, EAGAIN, ENOENT) && !ERRNO_IS_DISCONNECT(errno))
treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:29:59 +01:00
log_error_errno(errno, "connect() failed: %m");
core: use automatic cleanup in two functions
2014-01-12 21:55:10 +01:00
return;
manager: notify plymouth about progress if it is running
2010-10-06 03:55:49 +02:00
}
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (asprintf(&message, "U\002%c%s%n", (int) (strlen(u->id) + 1), u->id, &n) < 0) {
log.h: new log_oom() -> int -ENOMEM, use it also a number of minor fixups and bug fixes: spelling, oom errors that didn't print errors, not properly forwarding error codes, few more consistency issues, et cetera
2012-07-25 23:55:59 +02:00
log_oom();
core: use automatic cleanup in two functions
2014-01-12 21:55:10 +01:00
return;
manager: notify plymouth about progress if it is running
2010-10-06 03:55:49 +02:00
}
errno = 0;
core: use automatic cleanup in two functions
2014-01-12 21:55:10 +01:00
if (write(fd, message, n + 1) != n + 1)
tree-wide: use ERRNO_IS_DISCONNECT() at more places
2019-03-19 15:39:34 +01:00
if (!IN_SET(errno, EAGAIN, ENOENT) && !ERRNO_IS_DISCONNECT(errno))
treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:29:59 +01:00
log_error_errno(errno, "Failed to write Plymouth message: %m");
manager: notify plymouth about progress if it is running
2010-10-06 03:55:49 +02:00
}
manager: write serialization to /dev/.systemd/ instead of /dev/shm
2010-07-20 20:54:33 +02:00
int manager_open_serialization(Manager *m, FILE **_f) {
*: use _cleanup_close_ with fdopen() where trivial Also convert these to use take_fdopen().
2020-03-31 11:29:37 +02:00
_cleanup_close_ int fd = -1;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
FILE *f;
assert(_f);
core/manager: split out creation of serialization fd out to a helper There is a slight change in behaviour: the user manager for root will create a temporary file in /run/systemd, not /tmp. I don't think this matters, but simplifies implementation.
2017-02-12 00:33:16 +01:00
fd = open_serialization_fd("systemd-state");
if (fd < 0)
return fd;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
*: use _cleanup_close_ with fdopen() where trivial Also convert these to use take_fdopen().
2020-03-31 11:29:37 +02:00
f = take_fdopen(&fd, "w+");
if (!f)
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
return -errno;
*_f = f;
return 0;
}
core: make manager_serialize() a bit easier to read by adding predicate function The predicate function manager_timestamp_shall_serialize() simply says whether to serialize or not serialize a timestamp, and should make things a bit easier to read.
2018-10-17 20:35:28 +02:00
static bool manager_timestamp_shall_serialize(ManagerTimestamp t) {
if (!in_initrd())
return true;
/* The following timestamps only apply to the host system, hence only serialize them there */
return !IN_SET(t,
MANAGER_TIMESTAMP_USERSPACE, MANAGER_TIMESTAMP_FINISH,
MANAGER_TIMESTAMP_SECURITY_START, MANAGER_TIMESTAMP_SECURITY_FINISH,
MANAGER_TIMESTAMP_GENERATORS_START, MANAGER_TIMESTAMP_GENERATORS_FINISH,
MANAGER_TIMESTAMP_UNITS_LOAD_START, MANAGER_TIMESTAMP_UNITS_LOAD_FINISH);
}
pid1: make manager_serialize_{uid,gid}_refs() static No functional change.
2020-04-27 08:59:43 +02:00
#define DESTROY_IPC_FLAG (UINT32_C(1) << 31)
static void manager_serialize_uid_refs_internal(
Manager *m,
FILE *f,
Hashmap **uid_refs,
const char *field_name) {
Iterator i;
void *p, *k;
assert(m);
assert(f);
assert(uid_refs);
assert(field_name);
/* Serialize the UID reference table. Or actually, just the IPC destruction flag of it, as
* the actual counter of it is better rebuild after a reload/reexec. */
HASHMAP_FOREACH_KEY(p, k, *uid_refs, i) {
uint32_t c;
uid_t uid;
uid = PTR_TO_UID(k);
c = PTR_TO_UINT32(p);
if (!(c & DESTROY_IPC_FLAG))
continue;
(void) serialize_item_format(f, field_name, UID_FMT, uid);
}
}
static void manager_serialize_uid_refs(Manager *m, FILE *f) {
manager_serialize_uid_refs_internal(m, f, &m->uid_refs, "destroy-ipc-uid");
}
static void manager_serialize_gid_refs(Manager *m, FILE *f) {
manager_serialize_uid_refs_internal(m, f, &m->gid_refs, "destroy-ipc-gid");
}
core: allow manager_serialize() to fail correctly If manager_serialize() fails in the middle (which it hopefully doesn't) make sure to fix up m->n_reloading correctly again so that we don't leave it > 0 when it really shouldn't be.
2018-10-09 16:45:33 +02:00
int manager_serialize(
Manager *m,
FILE *f,
FDSet *fds,
bool switching_root) {
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
ManagerTimestamp q;
const char *t;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
Iterator i;
Unit *u;
int r;
assert(m);
assert(f);
assert(fds);
core: set _unused_ attribute to 'reloading' Follow-up for 4df7d537c8203557d330b68ba7833515ddd4e985.
2018-10-13 16:50:04 +02:00
_cleanup_(manager_reloading_stopp) _unused_ Manager *reloading = manager_reloading_start(m);
cgroup: don't accidentaly trim on reload https://bugzilla.redhat.com/show_bug.cgi?id=678555
2011-04-20 03:53:12 +02:00
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
(void) serialize_item_format(f, "current-job-id", "%" PRIu32, m->current_job_id);
(void) serialize_item_format(f, "n-installed-jobs", "%u", m->n_installed_jobs);
(void) serialize_item_format(f, "n-failed-jobs", "%u", m->n_failed_jobs);
(void) serialize_bool(f, "taint-usr", m->taint_usr);
(void) serialize_bool(f, "ready-sent", m->ready_sent);
(void) serialize_bool(f, "taint-logged", m->taint_logged);
(void) serialize_bool(f, "service-watchdogs", m->service_watchdogs);
manager: serialize/deserialize max job id and /usr taint flag
2011-04-07 18:46:39 +02:00
core: add Manager::honor_device_enumeration flag When system manager is started first time or after switching root, then the udev's device tag data do not exist yet. So, let's not honor the enumeration results. Fixes #11997.
2019-03-15 11:37:43 +01:00
/* After switching root, udevd has not been started yet. So, enumeration results should not be emitted. */
(void) serialize_bool(f, "honor-device-enumeration", !switching_root);
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
if (m->show_status_overridden != _SHOW_STATUS_INVALID)
(void) serialize_item(f, "show-status-overridden",
show_status_to_string(m->show_status_overridden));
core: serialize and deserialize current ShowStatus Fixes #9663.
2018-07-23 14:55:42 +02:00
pid1: preserve current value of log level across re-{load,execution} To make debugging easier, this patches allows one to change the log level and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log max level at runtime (via the bus or via signals), the change was lost on the next daemon reload/reexecution. In order to restore the original value back (set via system.conf, environment variables or any other means), the empty string in the "LogLevel" property is now supported as well as sending SIGRTMIN+23 signal.
2018-05-30 17:57:23 +02:00
if (m->log_level_overridden)
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
(void) serialize_item_format(f, "log-level-override", "%i", log_get_max_level());
pid1: preserve current value of log target across re-{load,execution} To make debugging easier, this patches allows one to change the log target and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log target at runtime (via the bus or via signals), the change was lost on the next reload/reexecution. In order to restore back the default value (set via system.conf, environment variables or any other means ), the empty string in the "LogTarget" property is now supported as well as sending SIGTRMIN+26 signal.
2018-06-01 18:21:03 +02:00
if (m->log_target_overridden)
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
(void) serialize_item(f, "log-target-override", log_target_to_string(log_get_target()));
pid1: preserve current value of log level across re-{load,execution} To make debugging easier, this patches allows one to change the log level and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log max level at runtime (via the bus or via signals), the change was lost on the next daemon reload/reexecution. In order to restore the original value back (set via system.conf, environment variables or any other means), the empty string in the "LogLevel" property is now supported as well as sending SIGRTMIN+23 signal.
2018-05-30 17:57:23 +02:00
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
(void) serialize_usec(f, "runtime-watchdog-overridden", m->watchdog_overridden[WATCHDOG_RUNTIME]);
(void) serialize_usec(f, "reboot-watchdog-overridden", m->watchdog_overridden[WATCHDOG_REBOOT]);
(void) serialize_usec(f, "kexec-watchdog-overridden", m->watchdog_overridden[WATCHDOG_KEXEC]);
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
for (q = 0; q < _MANAGER_TIMESTAMP_MAX; q++) {
core: strjoina() in a loop is never OK Let's use plain strjoin() instead.
2018-10-17 20:32:20 +02:00
_cleanup_free_ char *joined = NULL;
core: make manager_serialize() a bit easier to read by adding predicate function The predicate function manager_timestamp_shall_serialize() simply says whether to serialize or not serialize a timestamp, and should make things a bit easier to read.
2018-10-17 20:35:28 +02:00
if (!manager_timestamp_shall_serialize(q))
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
continue;
manager: only serialize the timestamps for the initramfs if in_initrd()
2012-05-16 14:22:41 +02:00
core: strjoina() in a loop is never OK Let's use plain strjoin() instead.
2018-10-17 20:32:20 +02:00
joined = strjoin(manager_timestamp_to_string(q), "-timestamp");
if (!joined)
return log_oom();
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
(void) serialize_dual_timestamp(f, joined, m->timestamps + q);
manager: only serialize the timestamps for the initramfs if in_initrd()
2012-05-16 14:22:41 +02:00
}
manager: serialize/deserialize finish timestamp
2010-10-18 22:39:06 +02:00
core/manager: move environment serialization out to basic/env-util.c This protocol is generally useful, we might just as well reuse it for the env. generators. The implementation is changed a bit: instead of making a new strv and freeing the old one, just mutate the original. This is much faster with larger arrays, while in fact atomicity is preserved, since we only either insert the new entry or not, without being in inconsistent state. v2: - fix confusion with return value
2017-02-11 03:44:21 +01:00
if (!switching_root)
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
(void) serialize_strv(f, "env", m->client_environment);
manager: pass environment over daemon-reexec Fixes this bug: alxchk > systemctl --user set-environment A=B alxchk > systemctl --user show-environment | grep ^A= A=B alxchk > systemctl --user daemon-reexec alxchk > systemctl --user show-environment | grep ^A= alxchk >
2013-02-12 00:14:39 +01:00
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
if (m->notify_fd >= 0) {
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
r = serialize_fd(f, fds, "notify-fd", m->notify_fd);
if (r < 0)
return r;
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
(void) serialize_item(f, "notify-socket", m->notify_socket);
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
}
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
if (m->cgroups_agent_fd >= 0) {
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
r = serialize_fd(f, fds, "cgroups-agent-fd", m->cgroups_agent_fd);
if (r < 0)
return r;
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
}
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
if (m->user_lookup_fds[0] >= 0) {
int copy0, copy1;
copy0 = fdset_put_dup(fds, m->user_lookup_fds[0]);
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
if (copy0 < 0)
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
return log_error_errno(copy0, "Failed to add user lookup fd to serialization: %m");
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
copy1 = fdset_put_dup(fds, m->user_lookup_fds[1]);
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
if (copy1 < 0)
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
return log_error_errno(copy1, "Failed to add user lookup fd to serialization: %m");
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
(void) serialize_item_format(f, "user-lookup", "%i %i", copy0, copy1);
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
}
core: add Ref()/Unref() bus calls for units This adds two (privileged) bus calls Ref() and Unref() to the Unit interface. The two calls may be used by clients to pin a unit into memory, so that various runtime properties aren't flushed out by the automatic GC. This is necessary to permit clients to race-freely acquire runtime results (such as process exit status/code or accumulated CPU time) on successful service termination. Ref() and Unref() are fully recursive, hence act like the usual reference counting concept in C. Taking a reference is a privileged operation, as this allows pinning units into memory which consumes resources. Transient units may also gain a reference at the time of creation, via the new AddRef property (that is only defined for transient units at the time of creation).
2016-08-15 18:12:01 +02:00
bus_track_serialize(m->subscribed, f, "subscribed");
core: serialize/deserialize bus subscribers
2013-07-10 19:24:03 +02:00
core: add a concept of "dynamic" user ids, that are allocated as long as a service is running This adds a new boolean setting DynamicUser= to service files. If set, a new user will be allocated dynamically when the unit is started, and released when it is stopped. The user ID is allocated from the range 61184..65519. The user will not be added to /etc/passwd (but an NSS module to be added later should make it show up in getent passwd). For now, care should be taken that the service writes no files to disk, since this might result in files owned by UIDs that might get assigned dynamically to a different service later on. Later patches will tighten sandboxing in order to ensure that this cannot happen, except for a few selected directories. A simple way to test this is: systemd-run -p DynamicUser=1 /bin/sleep 99999
2016-07-14 12:37:28 +02:00
r = dynamic_user_serialize(m, f, fds);
if (r < 0)
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
return r;
core: add a concept of "dynamic" user ids, that are allocated as long as a service is running This adds a new boolean setting DynamicUser= to service files. If set, a new user will be allocated dynamically when the unit is started, and released when it is stopped. The user ID is allocated from the range 61184..65519. The user will not be added to /etc/passwd (but an NSS module to be added later should make it show up in getent passwd). For now, care should be taken that the service writes no files to disk, since this might result in files owned by UIDs that might get assigned dynamically to a different service later on. Later patches will tighten sandboxing in order to ensure that this cannot happen, except for a few selected directories. A simple way to test this is: systemd-run -p DynamicUser=1 /bin/sleep 99999
2016-07-14 12:37:28 +02:00
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
manager_serialize_uid_refs(m, f);
manager_serialize_gid_refs(m, f);
core: make ExecRuntime be manager managed object Before this, each ExecRuntime object is owned by a unit. However, it may be shared with other units which enable JoinsNamespaceOf=. Thus, by the serialization/deserialization process, its sharing information, more specifically, reference counter is lost, and causes issue #7790. This makes ExecRuntime objects be managed by manager, and changes the serialization/deserialization process. Fixes #7790.
2018-02-06 08:00:34 +01:00
r = exec_runtime_serialize(m, f, fds);
if (r < 0)
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
return r;
core: make ExecRuntime be manager managed object Before this, each ExecRuntime object is owned by a unit. However, it may be shared with other units which enable JoinsNamespaceOf=. Thus, by the serialization/deserialization process, its sharing information, more specifically, reference counter is lost, and causes issue #7790. This makes ExecRuntime objects be managed by manager, and changes the serialization/deserialization process. Fixes #7790.
2018-02-06 08:00:34 +01:00
tree-wide: use __fsetlocking() instead of fxyz_unlocked() Let's replace usage of fputc_unlocked() and friends by __fsetlocking(f, FSETLOCKING_BYCALLER). This turns off locking for the entire FILE*, instead of doing individual per-call decision whether to use normal calls or _unlocked() calls. This has various benefits: 1. It's easier to read and easier not to forget 2. It's more comprehensive, as fprintf() and friends are covered too (as these functions have no _unlocked() counterpart) 3. Philosophically, it's a bit more correct, because it's more a property of the file handle really whether we ever pass it on to another thread, not of the operations we then apply to it. This patch reworks all pieces of codes that so far used fxyz_unlocked() calls to use __fsetlocking() instead. It also reworks all places that use open_memstream(), i.e. use stdio FILE* for string manipulations. Note that this in some way a revert of 4b61c8751135c58be043d86b9fef4c8ec7aadf18.
2017-12-11 19:50:30 +01:00
(void) fputc('\n', f);
manager: properly write header marker on serialization
2010-10-20 14:40:44 +02:00
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
HASHMAP_FOREACH_KEY(u, t, m->units, i) {
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->id != t)
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
continue;
/* Start marker */
tree-wide: use __fsetlocking() instead of fxyz_unlocked() Let's replace usage of fputc_unlocked() and friends by __fsetlocking(f, FSETLOCKING_BYCALLER). This turns off locking for the entire FILE*, instead of doing individual per-call decision whether to use normal calls or _unlocked() calls. This has various benefits: 1. It's easier to read and easier not to forget 2. It's more comprehensive, as fprintf() and friends are covered too (as these functions have no _unlocked() counterpart) 3. Philosophically, it's a bit more correct, because it's more a property of the file handle really whether we ever pass it on to another thread, not of the operations we then apply to it. This patch reworks all pieces of codes that so far used fxyz_unlocked() calls to use __fsetlocking() instead. It also reworks all places that use open_memstream(), i.e. use stdio FILE* for string manipulations. Note that this in some way a revert of 4b61c8751135c58be043d86b9fef4c8ec7aadf18.
2017-12-11 19:50:30 +01:00
fputs(u->id, f);
fputc('\n', f);
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
core: serialize/deserialize bus subscribers
2013-07-10 19:24:03 +02:00
r = unit_serialize(u, f, fds, !switching_root);
core: allow manager_serialize() to fail correctly If manager_serialize() fails in the middle (which it hopefully doesn't) make sure to fix up m->n_reloading correctly again so that we don't leave it > 0 when it really shouldn't be.
2018-10-09 16:45:33 +02:00
if (r < 0)
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
return r;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
}
core: use fflush_and_check() where appropriate
2018-06-20 19:38:30 +02:00
r = fflush_and_check(f);
if (r < 0)
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
return log_error_errno(r, "Failed to flush serialization: %m");
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
dbus: make daemon reexecution synchronous We simply keep open copies of the dbus connections across the reexecution and close them as last step of it. A client can thus simply wait until its connection is dropped to know when the reexecution is finished. https://bugzilla.redhat.com/show_bug.cgi?id=698198
2011-04-28 22:07:01 +02:00
r = bus_fdset_add_all(m, fds);
if (r < 0)
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
return log_error_errno(r, "Failed to add bus sockets to serialization: %m");
core: allow manager_serialize() to fail correctly If manager_serialize() fails in the middle (which it hopefully doesn't) make sure to fix up m->n_reloading correctly again so that we don't leave it > 0 when it really shouldn't be.
2018-10-09 16:45:33 +02:00
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
return 0;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
}
core: skip unit deserialization and move to the next one when unit_deserialize() fails If unit_deserialize() fails (because one read line is overly long), it returns an error and we would have assumed that the next read would point to the next unit to deserialize. But instead unit_deserialize() can leave the file offset in the middle of a line. Therefore we need to ignore and skip the current unit in this case too. While at it, move unit deserialization in a dedicated functions. That should make the code easier to read.
2018-10-30 08:05:02 +01:00
static int manager_deserialize_one_unit(Manager *m, const char *name, FILE *f, FDSet *fds) {
Unit *u;
int r;
r = manager_load_unit(m, name, NULL, NULL, &u);
if (r < 0) {
if (r == -ENOMEM)
return r;
return log_notice_errno(r, "Failed to load unit \"%s\", skipping deserialization: %m", name);
}
r = unit_deserialize(u, f, fds);
if (r < 0) {
if (r == -ENOMEM)
return r;
return log_notice_errno(r, "Failed to deserialize unit \"%s\", skipping: %m", name);
}
return 0;
}
static int manager_deserialize_units(Manager *m, FILE *f, FDSet *fds) {
const char *unit_name;
int r;
for (;;) {
core: free lines after reading them Closes https://github.com/systemd/systemd/issues/11251.
2018-12-23 15:01:03 +01:00
_cleanup_free_ char *line = NULL;
core: skip unit deserialization and move to the next one when unit_deserialize() fails If unit_deserialize() fails (because one read line is overly long), it returns an error and we would have assumed that the next read would point to the next unit to deserialize. But instead unit_deserialize() can leave the file offset in the middle of a line. Therefore we need to ignore and skip the current unit in this case too. While at it, move unit deserialization in a dedicated functions. That should make the code easier to read.
2018-10-30 08:05:02 +01:00
/* Start marker */
r = read_line(f, LONG_LINE_MAX, &line);
if (r < 0)
return log_error_errno(r, "Failed to read serialization line: %m");
if (r == 0)
break;
unit_name = strstrip(line);
r = manager_deserialize_one_unit(m, unit_name, f, fds);
if (r == -ENOMEM)
return r;
if (r < 0) {
r = unit_deserialize_skip(f);
if (r < 0)
return r;
}
}
return 0;
}
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
usec_t manager_get_watchdog(Manager *m, WatchdogType t) {
assert(m);
if (MANAGER_IS_USER(m))
return USEC_INFINITY;
if (timestamp_is_set(m->watchdog_overridden[t]))
return m->watchdog_overridden[t];
return m->watchdog[t];
}
void manager_set_watchdog(Manager *m, WatchdogType t, usec_t timeout) {
int r = 0;
assert(m);
if (MANAGER_IS_USER(m))
return;
if (m->watchdog[t] == timeout)
return;
if (t == WATCHDOG_RUNTIME)
if (!timestamp_is_set(m->watchdog_overridden[WATCHDOG_RUNTIME])) {
if (timestamp_is_set(timeout))
r = watchdog_set_timeout(&timeout);
else
watchdog_close(true);
}
if (r >= 0)
m->watchdog[t] = timeout;
}
pid1: rename manager_set_{show_status,watchdog}_overridden() into manager_override_(show_status,watchdog} No functional change.
2020-06-04 13:25:25 +02:00
int manager_override_watchdog(Manager *m, WatchdogType t, usec_t timeout) {
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
int r = 0;
assert(m);
if (MANAGER_IS_USER(m))
return 0;
if (m->watchdog_overridden[t] == timeout)
return 0;
if (t == WATCHDOG_RUNTIME) {
usec_t *p;
p = timestamp_is_set(timeout) ? &timeout : &m->watchdog[t];
if (timestamp_is_set(*p))
r = watchdog_set_timeout(p);
else
watchdog_close(true);
}
if (r >= 0)
m->watchdog_overridden[t] = timeout;
return 0;
}
pid1: make manager_deserialize_{uid,gid}_refs() static No functional change.
2020-04-27 09:01:18 +02:00
static void manager_deserialize_uid_refs_one_internal(
Manager *m,
Hashmap** uid_refs,
const char *value) {
uid_t uid;
uint32_t c;
int r;
assert(m);
assert(uid_refs);
assert(value);
r = parse_uid(value, &uid);
if (r < 0 || uid == 0) {
log_debug("Unable to parse UID reference serialization: " UID_FMT, uid);
return;
}
r = hashmap_ensure_allocated(uid_refs, &trivial_hash_ops);
if (r < 0) {
log_oom();
return;
}
c = PTR_TO_UINT32(hashmap_get(*uid_refs, UID_TO_PTR(uid)));
if (c & DESTROY_IPC_FLAG)
return;
c |= DESTROY_IPC_FLAG;
r = hashmap_replace(*uid_refs, UID_TO_PTR(uid), UINT32_TO_PTR(c));
if (r < 0) {
log_debug_errno(r, "Failed to add UID reference entry: %m");
return;
}
}
static void manager_deserialize_uid_refs_one(Manager *m, const char *value) {
manager_deserialize_uid_refs_one_internal(m, &m->uid_refs, value);
}
static void manager_deserialize_gid_refs_one(Manager *m, const char *value) {
manager_deserialize_uid_refs_one_internal(m, &m->gid_refs, value);
}
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
int r = 0;
assert(m);
assert(f);
log_debug("Deserializing state...");
core: add comments about n_reloading to manager_deserialize()
2018-10-09 16:59:16 +02:00
/* If we are not in reload mode yet, enter it now. Not that this is recursive, a caller might already have
* increased it to non-zero, which is why we just increase it by one here and down again at the end of this
* call. */
core: set _unused_ attribute to 'reloading' Follow-up for 4df7d537c8203557d330b68ba7833515ddd4e985.
2018-10-13 16:50:04 +02:00
_cleanup_(manager_reloading_stopp) _unused_ Manager *reloading = manager_reloading_start(m);
snapshot: fix deserialization
2010-07-10 04:51:03 +02:00
manager: serialize/deserialize startup time, too
2010-08-11 20:19:27 +02:00
for (;;) {
core: when deserializing state always use read_line(…, LONG_LINE_MAX, …) This should be much better than fgets(), as we can read substantially longer lines and overly long lines result in proper errors. Fixes a vulnerability discovered by Jann Horn at Google. CVE-2018-15686 LP: #1796402 https://bugzilla.redhat.com/show_bug.cgi?id=1639071
2018-10-17 18:36:24 +02:00
_cleanup_free_ char *line = NULL;
manager: just warn about an invalid environment entry Apart from bugs (as in #6152), this can happen if we ever make our requirements for environment entries more stringent. As with the rest of deserialization, we should just warn and continue.
2017-06-24 01:20:54 +02:00
const char *val, *l;
manager: serialize/deserialize startup time, too
2010-08-11 20:19:27 +02:00
core: when deserializing state always use read_line(…, LONG_LINE_MAX, …) This should be much better than fgets(), as we can read substantially longer lines and overly long lines result in proper errors. Fixes a vulnerability discovered by Jann Horn at Google. CVE-2018-15686 LP: #1796402 https://bugzilla.redhat.com/show_bug.cgi?id=1639071
2018-10-17 18:36:24 +02:00
r = read_line(f, LONG_LINE_MAX, &line);
if (r < 0)
return log_error_errno(r, "Failed to read serialization line: %m");
if (r == 0)
break;
manager: serialize/deserialize startup time, too
2010-08-11 20:19:27 +02:00
l = strstrip(line);
core: when deserializing state always use read_line(…, LONG_LINE_MAX, …) This should be much better than fgets(), as we can read substantially longer lines and overly long lines result in proper errors. Fixes a vulnerability discovered by Jann Horn at Google. CVE-2018-15686 LP: #1796402 https://bugzilla.redhat.com/show_bug.cgi?id=1639071
2018-10-17 18:36:24 +02:00
if (isempty(l)) /* end marker */
manager: serialize/deserialize startup time, too
2010-08-11 20:19:27 +02:00
break;
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
if ((val = startswith(l, "current-job-id="))) {
manager: serialize/deserialize max job id and /usr taint flag
2011-04-07 18:46:39 +02:00
uint32_t id;
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
if (safe_atou32(val, &id) < 0)
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse current job id value '%s', ignoring.", val);
manager: serialize/deserialize max job id and /usr taint flag
2011-04-07 18:46:39 +02:00
else
m->current_job_id = MAX(m->current_job_id, id);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
} else if ((val = startswith(l, "n-installed-jobs="))) {
manager: serialize/deserialize job counters across reexec/reload
2012-06-29 19:47:38 +02:00
uint32_t n;
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
if (safe_atou32(val, &n) < 0)
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse installed jobs counter '%s', ignoring.", val);
manager: serialize/deserialize job counters across reexec/reload
2012-06-29 19:47:38 +02:00
else
m->n_installed_jobs += n;
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
} else if ((val = startswith(l, "n-failed-jobs="))) {
manager: serialize/deserialize job counters across reexec/reload
2012-06-29 19:47:38 +02:00
uint32_t n;
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
if (safe_atou32(val, &n) < 0)
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse failed jobs counter '%s', ignoring.", val);
manager: serialize/deserialize job counters across reexec/reload
2012-06-29 19:47:38 +02:00
else
m->n_failed_jobs += n;
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
} else if ((val = startswith(l, "taint-usr="))) {
manager: serialize/deserialize max job id and /usr taint flag
2011-04-07 18:46:39 +02:00
int b;
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
b = parse_boolean(val);
core: allocate a kdbus bus for each systemd instance, if we can
2013-11-30 03:53:42 +01:00
if (b < 0)
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse taint /usr flag '%s', ignoring.", val);
manager: serialize/deserialize max job id and /usr taint flag
2011-04-07 18:46:39 +02:00
else
m->taint_usr = m->taint_usr || b;
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
core: in --user mode, report READY=1 as soon as basic.target is reached (#7102) When a user logs in, systemd-pam will wait for the user manager instance to report readiness. We don't need to wait for all the jobs to finish, it is enough if the basic startup is done and the user manager is responsive. systemd --user will now send out a READY=1 notification when either of two conditions becomes true: - basic.target/start job is gone, - the initial transaction is done. Also fixes #2863.
2017-10-24 14:48:54 +02:00
} else if ((val = startswith(l, "ready-sent="))) {
int b;
b = parse_boolean(val);
if (b < 0)
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse ready-sent flag '%s', ignoring.", val);
core: in --user mode, report READY=1 as soon as basic.target is reached (#7102) When a user logs in, systemd-pam will wait for the user manager instance to report readiness. We don't need to wait for all the jobs to finish, it is enough if the basic startup is done and the user manager is responsive. systemd --user will now send out a READY=1 notification when either of two conditions becomes true: - basic.target/start job is gone, - the initial transaction is done. Also fixes #2863.
2017-10-24 14:48:54 +02:00
else
m->ready_sent = m->ready_sent || b;
core: delay logging the taint string until after basic.target is reached (#7935) This happens to be almost the same moment as when we send READY=1 in the user instance, but the logic is slightly different, since we log taint when basic.target is reached in the system manager, but we send the notification only in the user manager. So add a separate flag for this and propagate it across reloads. Fixes #7683.
2018-01-21 13:17:54 +01:00
} else if ((val = startswith(l, "taint-logged="))) {
int b;
b = parse_boolean(val);
if (b < 0)
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse taint-logged flag '%s', ignoring.", val);
core: delay logging the taint string until after basic.target is reached (#7935) This happens to be almost the same moment as when we send READY=1 in the user instance, but the logic is slightly different, since we log taint when basic.target is reached in the system manager, but we send the notification only in the user manager. So add a separate flag for this and propagate it across reloads. Fixes #7683.
2018-01-21 13:17:54 +01:00
else
m->taint_logged = m->taint_logged || b;
pid1: add option to disable service watchdogs Add a "systemd.service_watchdogs=" option to the command line which disables all service runtime watchdogs and emergency actions.
2017-03-20 13:10:43 +01:00
} else if ((val = startswith(l, "service-watchdogs="))) {
int b;
b = parse_boolean(val);
if (b < 0)
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse service-watchdogs flag '%s', ignoring.", val);
pid1: add option to disable service watchdogs Add a "systemd.service_watchdogs=" option to the command line which disables all service runtime watchdogs and emergency actions.
2017-03-20 13:10:43 +01:00
else
m->service_watchdogs = b;
core: add Manager::honor_device_enumeration flag When system manager is started first time or after switching root, then the udev's device tag data do not exist yet. So, let's not honor the enumeration results. Fixes #11997.
2019-03-15 11:37:43 +01:00
} else if ((val = startswith(l, "honor-device-enumeration="))) {
int b;
b = parse_boolean(val);
if (b < 0)
log_notice("Failed to parse honor-device-enumeration flag '%s', ignoring.", val);
else
m->honor_device_enumeration = b;
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
} else if ((val = startswith(l, "show-status-overridden="))) {
core: serialize and deserialize current ShowStatus Fixes #9663.
2018-07-23 14:55:42 +02:00
ShowStatus s;
s = show_status_from_string(val);
if (s < 0)
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
log_notice("Failed to parse show-status-overridden flag '%s', ignoring.", val);
core: serialize and deserialize current ShowStatus Fixes #9663.
2018-07-23 14:55:42 +02:00
else
pid1: rename manager_set_{show_status,watchdog}_overridden() into manager_override_(show_status,watchdog} No functional change.
2020-06-04 13:25:25 +02:00
manager_override_show_status(m, s, "deserialize");
core: serialize and deserialize current ShowStatus Fixes #9663.
2018-07-23 14:55:42 +02:00
pid1: preserve current value of log level across re-{load,execution} To make debugging easier, this patches allows one to change the log level and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log max level at runtime (via the bus or via signals), the change was lost on the next daemon reload/reexecution. In order to restore the original value back (set via system.conf, environment variables or any other means), the empty string in the "LogLevel" property is now supported as well as sending SIGRTMIN+23 signal.
2018-05-30 17:57:23 +02:00
} else if ((val = startswith(l, "log-level-override="))) {
int level;
level = log_level_from_string(val);
if (level < 0)
log_notice("Failed to parse log-level-override value '%s', ignoring.", val);
else
manager_override_log_level(m, level);
pid1: preserve current value of log target across re-{load,execution} To make debugging easier, this patches allows one to change the log target and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log target at runtime (via the bus or via signals), the change was lost on the next reload/reexecution. In order to restore back the default value (set via system.conf, environment variables or any other means ), the empty string in the "LogTarget" property is now supported as well as sending SIGTRMIN+26 signal.
2018-06-01 18:21:03 +02:00
} else if ((val = startswith(l, "log-target-override="))) {
LogTarget target;
target = log_target_from_string(val);
if (target < 0)
log_notice("Failed to parse log-target-override value '%s', ignoring.", val);
else
manager_override_log_target(m, target);
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
} else if ((val = startswith(l, "runtime-watchdog-overridden="))) {
usec_t t;
if (deserialize_usec(val, &t) < 0)
log_notice("Failed to parse runtime-watchdog-overridden value '%s', ignoring.", val);
else
pid1: rename manager_set_{show_status,watchdog}_overridden() into manager_override_(show_status,watchdog} No functional change.
2020-06-04 13:25:25 +02:00
manager_override_watchdog(m, WATCHDOG_RUNTIME, t);
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
} else if ((val = startswith(l, "reboot-watchdog-overridden="))) {
usec_t t;
if (deserialize_usec(val, &t) < 0)
log_notice("Failed to parse reboot-watchdog-overridden value '%s', ignoring.", val);
else
pid1: rename manager_set_{show_status,watchdog}_overridden() into manager_override_(show_status,watchdog} No functional change.
2020-06-04 13:25:25 +02:00
manager_override_watchdog(m, WATCHDOG_REBOOT, t);
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
} else if ((val = startswith(l, "kexec-watchdog-overridden="))) {
usec_t t;
if (deserialize_usec(val, &t) < 0)
log_notice("Failed to parse kexec-watchdog-overridden value '%s', ignoring.", val);
else
pid1: rename manager_set_{show_status,watchdog}_overridden() into manager_override_(show_status,watchdog} No functional change.
2020-06-04 13:25:25 +02:00
manager_override_watchdog(m, WATCHDOG_KEXEC, t);
pid1: update manager settings on reload too Most complexity of this patch is due to the fact that some manager settings (basically the watchdog properties) can be set at runtime and in this case the runtime values must be retained over daemon-reload or daemon-reexec. For consistency sake, all watchdog properties behaves now the same way, that is: - Values defined by config files can be overridden by writing the new value through their respective D-BUS properties. In this case, these values are preserved over reload/reexec until the special value '0' or USEC_INFINITY is written, which will then restore the last values loaded from the config files. If the restored value is '0' or 'USEC_INFINITY', the watchdogs will be disabled and the corresponding device will be closed. - Reading the properties from a user instance will return the USEC_INFINITY value as these properties are only meaningful for PID1. - Writing to one of the watchdog properties of a user instance's will be a NOP. Fixes: #15453
2020-04-22 16:16:47 +02:00
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
} else if (startswith(l, "env=")) {
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
r = deserialize_environment(l + 4, &m->client_environment);
util: rework cunescape(), improve error handling Change cunescape() to return a normal error code, so that we can distuingish OOM errors from parse errors. This also adds a flags parameter to control whether "relaxed" or normal parsing shall be done. If set no parse failures are generated, and the only reason why cunescape() can fail is OOM.
2015-04-06 20:11:41 +02:00
if (r < 0)
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice_errno(r, "Failed to parse environment entry: \"%s\", ignoring: %m", l);
core: allocate a kdbus bus for each systemd instance, if we can
2013-11-30 03:53:42 +01:00
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
} else if ((val = startswith(l, "notify-fd="))) {
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
int fd;
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
if (safe_atoi(val, &fd) < 0 || fd < 0 || !fdset_contains(fds, fd))
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse notify fd, ignoring: \"%s\"", val);
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
else {
util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.
2014-03-18 19:22:43 +01:00
m->notify_event_source = sd_event_source_unref(m->notify_event_source);
safe_close(m->notify_fd);
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
m->notify_fd = fdset_remove(fds, fd);
}
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
} else if ((val = startswith(l, "notify-socket="))) {
manager: simplify error handling in manager_deserialize() If a memory error occurred, we would still go through the path which sets the error on ferror(). It is unlikely that ferror() returns true, but it's seems cleaner to just propagate the error we already have. The handling of fgets() returning NULL is also simplified: according to the man page, it returns NULL only on EOF or error. So if feof() returns true, I don't think we should call ferror() again. While at it, let's set errno to 0 and check that it is set before returning it as an error. The man pages for fgets() and feof() do not say anything about setting errno.
2018-10-10 13:54:13 +02:00
r = free_and_strdup(&m->notify_socket, val);
if (r < 0)
return r;
core: pass notify fd across reexecs That way we the random socket name stays stable across reexec and we won't lose client messages.
2013-12-21 00:19:37 +01:00
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
} else if ((val = startswith(l, "cgroups-agent-fd="))) {
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
int fd;
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
if (safe_atoi(val, &fd) < 0 || fd < 0 || !fdset_contains(fds, fd))
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse cgroups agent fd, ignoring.: %s", val);
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification dbus-daemon currently uses a backlog of 30 on its D-bus system bus socket. On overloaded systems this means that only 30 connections may be queued without dbus-daemon processing them before further connection attempts fail. Our cgroups-agent binary so far used D-Bus for its messaging, and hitting this limit hence may result in us losing cgroup empty messages. This patch adds a seperate cgroup agent socket of type AF_UNIX/SOCK_DGRAM. Since sockets of these types need no connection set up, no listen() backlog applies. Our cgroup-agent binary will hence simply block as long as it can't enqueue its datagram message, so that we won't lose cgroup empty messages as likely anymore. This also rearranges the ordering of the processing of SIGCHLD signals, service notification messages (sd_notify()...) and the two types of cgroup notifications (inotify for the unified hierarchy support, and agent for the classic hierarchy support). We now always process events for these in the following order: 1. service notification messages (SD_EVENT_PRIORITY_NORMAL-7) 2. SIGCHLD signals (SD_EVENT_PRIORITY_NORMAL-6) 3. cgroup inotify and cgroup agent (SD_EVENT_PRIORITY_NORMAL-5) This is because when receiving SIGCHLD we invalidate PID information, which we need to process the service notification messages which are bound to PIDs. Hence the order between the first two items. And we want to process SIGCHLD metadata to detect whether a service is gone, before using cgroup notifications, to decide when a service is gone, since the former carries more useful metadata. Related to this: https://bugs.freedesktop.org/show_bug.cgi?id=95264 https://github.com/systemd/systemd/issues/1961
2016-05-04 20:43:23 +02:00
else {
m->cgroups_agent_event_source = sd_event_source_unref(m->cgroups_agent_event_source);
safe_close(m->cgroups_agent_fd);
m->cgroups_agent_fd = fdset_remove(fds, fd);
}
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
} else if ((val = startswith(l, "user-lookup="))) {
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
int fd0, fd1;
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
if (sscanf(val, "%i %i", &fd0, &fd1) != 2 || fd0 < 0 || fd1 < 0 || fd0 == fd1 || !fdset_contains(fds, fd0) || !fdset_contains(fds, fd1))
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Failed to parse user lookup fd, ignoring: %s", val);
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
else {
m->user_lookup_event_source = sd_event_source_unref(m->user_lookup_event_source);
safe_close_pair(m->user_lookup_fds);
m->user_lookup_fds[0] = fdset_remove(fds, fd0);
m->user_lookup_fds[1] = fdset_remove(fds, fd1);
}
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
} else if ((val = startswith(l, "dynamic-user=")))
dynamic_user_deserialize_one(m, val, fds);
else if ((val = startswith(l, "destroy-ipc-uid=")))
manager_deserialize_uid_refs_one(m, val);
else if ((val = startswith(l, "destroy-ipc-gid=")))
manager_deserialize_gid_refs_one(m, val);
core: make ExecRuntime be manager managed object Before this, each ExecRuntime object is owned by a unit. However, it may be shared with other units which enable JoinsNamespaceOf=. Thus, by the serialization/deserialization process, its sharing information, more specifically, reference counter is lost, and causes issue #7790. This makes ExecRuntime objects be managed by manager, and changes the serialization/deserialization process. Fixes #7790.
2018-02-06 08:00:34 +01:00
else if ((val = startswith(l, "exec-runtime=")))
pid1: create ro private tmp dirs when /tmp or /var/tmp is read-only Read-only /var/tmp is more likely, because it's backed by a real device. /tmp is (by default) backed by tmpfs, but it doesn't have to be. In both cases the same consideration applies. If we boot with read-only /var/tmp, any unit with PrivateTmp=yes would fail because we cannot create the subdir under /var/tmp to mount the private directory. But many services actually don't require /var/tmp (either because they only use it occasionally, or because they only use /tmp, or even because they don't use the temporary directories at all, and PrivateTmp=yes is used to isolate them from the rest of the system). To handle both cases let's create a read-only directory under /run/systemd and mount it as the private /tmp or /var/tmp. (Read-only to not fool the service into dumping too much data in /run.) $ sudo systemd-run -t -p PrivateTmp=yes bash Running as unit: run-u14.service Press ^] three times within 1s to disconnect TTY. [root@workstation /]# ls -l /tmp/ total 0 [root@workstation /]# ls -l /var/tmp/ total 0 [root@workstation /]# touch /tmp/f [root@workstation /]# touch /var/tmp/f touch: cannot touch '/var/tmp/f': Read-only file system This commit has more changes than I like to put in one commit, but it's touching all the same paths so it's hard to split. exec_runtime_make() was using the wrong cleanup function, so the directory would be left behind on error.
2020-06-28 19:54:49 +02:00
(void) exec_runtime_deserialize_one(m, val, fds);
tree-wide: use startswith return value to avoid hardcoded offset I think it's an antipattern to have to count the number of bytes in the prefix by hand. We should do this automatically to avoid wasting programmer time, and possible errors. I didn't any offsets that were wrong, so this change is mostly to make future development easier.
2016-10-22 22:11:41 +02:00
else if ((val = startswith(l, "subscribed="))) {
core: add Ref()/Unref() bus calls for units This adds two (privileged) bus calls Ref() and Unref() to the Unit interface. The two calls may be used by clients to pin a unit into memory, so that various runtime properties aren't flushed out by the automatic GC. This is necessary to permit clients to race-freely acquire runtime results (such as process exit status/code or accumulated CPU time) on successful service termination. Ref() and Unref() are fully recursive, hence act like the usual reference counting concept in C. Taking a reference is a privileged operation, as this allows pinning units into memory which consumes resources. Transient units may also gain a reference at the time of creation, via the new AddRef property (that is only defined for transient units at the time of creation).
2016-08-15 18:12:01 +02:00
manager: simplify error handling in manager_deserialize() If a memory error occurred, we would still go through the path which sets the error on ferror(). It is unlikely that ferror() returns true, but it's seems cleaner to just propagate the error we already have. The handling of fgets() returning NULL is also simplified: according to the man page, it returns NULL only on EOF or error. So if feof() returns true, I don't think we should call ferror() again. While at it, let's set errno to 0 and check that it is set before returning it as an error. The man pages for fgets() and feof() do not say anything about setting errno.
2018-10-10 13:54:13 +02:00
if (strv_extend(&m->deserialized_subscribed, val) < 0)
return -ENOMEM;
core: handle OOM during deserialization always the same way OOM failures we consider fatal, while other failures we generally skip over.
2018-10-09 16:54:40 +02:00
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
} else {
ManagerTimestamp q;
for (q = 0; q < _MANAGER_TIMESTAMP_MAX; q++) {
val = startswith(l, manager_timestamp_to_string(q));
if (!val)
continue;
core: add Ref()/Unref() bus calls for units This adds two (privileged) bus calls Ref() and Unref() to the Unit interface. The two calls may be used by clients to pin a unit into memory, so that various runtime properties aren't flushed out by the automatic GC. This is necessary to permit clients to race-freely acquire runtime results (such as process exit status/code or accumulated CPU time) on successful service termination. Ref() and Unref() are fully recursive, hence act like the usual reference counting concept in C. Taking a reference is a privileged operation, as this allows pinning units into memory which consumes resources. Transient units may also gain a reference at the time of creation, via the new AddRef property (that is only defined for transient units at the time of creation).
2016-08-15 18:12:01 +02:00
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
val = startswith(val, "-timestamp=");
if (val)
break;
}
core: add Ref()/Unref() bus calls for units This adds two (privileged) bus calls Ref() and Unref() to the Unit interface. The two calls may be used by clients to pin a unit into memory, so that various runtime properties aren't flushed out by the automatic GC. This is necessary to permit clients to race-freely acquire runtime results (such as process exit status/code or accumulated CPU time) on successful service termination. Ref() and Unref() are fully recursive, hence act like the usual reference counting concept in C. Taking a reference is a privileged operation, as this allows pinning units into memory which consumes resources. Transient units may also gain a reference at the time of creation, via the new AddRef property (that is only defined for transient units at the time of creation).
2016-08-15 18:12:01 +02:00
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
if (q < _MANAGER_TIMESTAMP_MAX) /* found it */
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
(void) deserialize_dual_timestamp(val, m->timestamps + q);
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
else if (!startswith(l, "kdbus-fd=")) /* ignore kdbus */
core: clean up deserialization log messages a bit Always, say that we ignore these kind of issues. We already say that for many fields, but for a few this was missing.
2018-10-09 16:53:35 +02:00
log_notice("Unknown serialization item '%s', ignoring.", l);
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
}
manager: serialize/deserialize startup time, too
2010-08-11 20:19:27 +02:00
}
core: skip unit deserialization and move to the next one when unit_deserialize() fails If unit_deserialize() fails (because one read line is overly long), it returns an error and we would have assumed that the next read would point to the next unit to deserialize. But instead unit_deserialize() can leave the file offset in the middle of a line. Therefore we need to ignore and skip the current unit in this case too. While at it, move unit deserialization in a dedicated functions. That should make the code easier to read.
2018-10-30 08:05:02 +01:00
return manager_deserialize_units(m, f, fds);
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
}
int manager_reload(Manager *m) {
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
_cleanup_(manager_reloading_stopp) Manager *reloading = NULL;
Introduce _cleanup_fdset_free_
2013-10-12 01:33:48 +02:00
_cleanup_fdset_free_ FDSet *fds = NULL;
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
_cleanup_fclose_ FILE *f = NULL;
int r;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
assert(m);
manager: rework generator logic Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-23 03:43:29 +02:00
r = manager_open_serialization(m, &f);
if (r < 0)
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
return log_error_errno(r, "Failed to create serialization file: %m");
cgroup: don't accidentaly trim on reload https://bugzilla.redhat.com/show_bug.cgi?id=678555
2011-04-20 03:53:12 +02:00
manager: rework generator logic Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-23 03:43:29 +02:00
fds = fdset_new();
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
if (!fds)
return log_oom();
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
/* We are officially in reload mode from here on. */
reloading = manager_reloading_start(m);
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
Do not serialize environment, when switching root When switching root, i.e. LANG can be set to the locale of the initramfs or "C", if it was unset. When systemd deserializes LANG in the real root this would overwrite the setting previously gathered by locale_set(). To reproduce, boot with an initramfs without locale.conf or change /etc/locale.conf to a different language than the initramfs and check a daemon started by systemd: $ tr "$\000" '\n' </proc/$(pidof sshd)/environ | grep LANG LANG=C To prevent that, serialization of environment variables is skipped, when serializing for switching root. https://bugzilla.redhat.com/show_bug.cgi?id=949525
2013-04-08 14:05:24 +02:00
r = manager_serialize(m, f, fds, false);
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
if (r < 0)
core: rework serialization Let's be more careful with what we serialize: let's ensure we never serialize strings that are longer than LONG_LINE_MAX, so that we know we can read them back with read_line(…, LONG_LINE_MAX, …) safely. In order to implement this all serialization functions are move to serialize.[ch], and internally will do line size checks. We'd rather skip a serialization line (with a loud warning) than write an overly long line out. Of course, this is just a second level protection, after all the data we serialize shouldn't be this long in the first place. While we are at it also clean up logging: while serializing make sure to always log about errors immediately. Also, (void)ify all calls we don't expect errors in (or catch errors as part of the general fflush_and_check() at the end.
2018-10-17 20:40:09 +02:00
return r;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
if (fseeko(f, 0, SEEK_SET) < 0)
return log_error_errno(errno, "Failed to seek to beginning of serialization: %m");
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
/* 💀 This is the point of no return, from here on there is no way back. 💀 */
manager: use the _cleanup_ mechanism to do n_reloading counter handling No functional change.
2018-10-10 13:33:49 +02:00
reloading = NULL;
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
bus_manager_send_reloading(m, true);
/* Start by flushing out all jobs and units, all generated units, all runtime environments, all dynamic users
* and everything else that is worth flushing out. We'll get it all back from the serialization if we need
* it.*/
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
manager_clear_jobs_and_units(m);
core: move flushing of generated unit files to path-lookup.c It's very similar to the mkdir and trim operations for the generator dirs, hence let's unify this at a single place.
2016-04-06 20:47:44 +02:00
lookup_paths_flush_generator(&m->lookup_paths);
manager: split off path lookup logic into own .c file
2010-06-15 14:45:15 +02:00
lookup_paths_free(&m->lookup_paths);
core: make ExecRuntime be manager managed object Before this, each ExecRuntime object is owned by a unit. However, it may be shared with other units which enable JoinsNamespaceOf=. Thus, by the serialization/deserialization process, its sharing information, more specifically, reference counter is lost, and causes issue #7790. This makes ExecRuntime objects be managed by manager, and changes the serialization/deserialization process. Fixes #7790.
2018-02-06 08:00:34 +01:00
exec_runtime_vacuum(m);
core: add a concept of "dynamic" user ids, that are allocated as long as a service is running This adds a new boolean setting DynamicUser= to service files. If set, a new user will be allocated dynamically when the unit is started, and released when it is stopped. The user ID is allocated from the range 61184..65519. The user will not be added to /etc/passwd (but an NSS module to be added later should make it show up in getent passwd). For now, care should be taken that the service writes no files to disk, since this might result in files owned by UIDs that might get assigned dynamically to a different service later on. Later patches will tighten sandboxing in order to ensure that this cannot happen, except for a few selected directories. A simple way to test this is: systemd-run -p DynamicUser=1 /bin/sleep 99999
2016-07-14 12:37:28 +02:00
dynamic_user_vacuum(m, false);
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
m->uid_refs = hashmap_free(m->uid_refs);
m->gid_refs = hashmap_free(m->gid_refs);
manager: recheck unit paths on daemon reload
2010-06-15 14:32:26 +02:00
pid1: remove unnecessary error reassignment LGTM was complaining: > Comparison is always true because r >= 0.
2018-10-02 12:35:37 +02:00
r = lookup_paths_init(&m->lookup_paths, m->unit_file_scope, 0, NULL);
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
if (r < 0)
log_warning_errno(r, "Failed to initialize path lookup table, ignoring: %m");
manager: hookup generators
2010-11-11 21:28:33 +01:00
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
(void) manager_run_environment_generators(m);
(void) manager_run_generators(m);
manager: run environment generators Environment file generators are a lot like unit file generators, but not exactly: 1. environment file generators are run for each manager instance, and their output is (or at least can be) individualized. The generators themselves are system-wide, the same for all users. 2. environment file generators are run sequentially, in priority order. Thus, the lifetime of those files is tied to lifecycle of the manager instance. Because generators are run sequentially, later generators can use or modify the output of earlier generators. Each generator is run with no arguments, and the whole state is stored in the environment variables. The generator can echo a set of variable assignments to standard output: VAR_A=something VAR_B=something else This output is parsed, and the next and subsequent generators run with those updated variables in the environment. After the last generator is done, the environment that the manager itself exports is updated. Each generator must return 0, otherwise the output is ignored. The generators in */user-env-generator are for the user session managers, including root, and the ones in */system-env-generator are for pid1.
2017-01-22 07:13:47 +01:00
core: stop removing non-existent and duplicate lookup paths When we would iterate over the lookup paths for each unit, making the list as short as possible was important for performance. With the current cache, it doesn't matter much. Two classes of paths were being removed: - paths which don't exist in the filesystem - paths which symlink to a path earlier in the search list Both of those points cause problems with the caching code: - if a user creates a directory that didn't exist before and puts units there, now we will notice the new mtime an properly load the unit. When the path was removed from list, we wouldn't. - we now properly detect whether a unit path is on the path or not. Before, if e.g. /lib/systemd/system, /usr/lib/systemd/systemd were both on the path, and /lib was a symlink to /usr/lib, the second directory would be pruned from the path. Then, the code would think that a symlink /etc/systemd/system/foo.service→/lib/systemd/system/foo.service is an alias, but /etc/systemd/system/foo.service→/usr/lib/systemd/system/foo.service would be considered a link (in the systemctl link sense). Removing the pruning has a slight negative performance impact in case of usr-merge systems which have systemd compiled with non-usr-merge paths. Non-usr-merge systems are deprecated, and this impact should be very small, so I think it's OK. If it turns out to be an issue, the loop in function that builds the cache could be improved to skip over "duplicate" directories with same logic that the cache pruning did before. I didn't want to add this, becuase it complicates the code to improve a corner case. Fixes #13272.
2019-08-26 08:58:41 +02:00
lookup_paths_log(&m->lookup_paths);
manager: rework generator logic Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-23 03:43:29 +02:00
pid1: drop unit caches only based on mtime v2: - do not watch mtime of transient and generated dirs We'd reload the map after every transient unit we created, which we don't need to do, since we create those units ourselves and know their fragment path.
2019-07-10 18:01:13 +02:00
/* We flushed out generated files, for which we don't watch mtime, so we should flush the old map. */
pid1: use a cache for all unit aliases This reworks how we load units from disk. Instead of chasing symlinks every time we are asked to load a unit by name, we slurp all symlinks from disk and build two hashmaps: 1. from unit name to either alias target, or fragment on disk (if an alias, we put just the target name in the hashmap, if a fragment we put an absolute path, so we can distinguish both). 2. from a unit name to all aliases Reading all this data can be pretty costly (40 ms) on my machine, so we keep it around for reuse. The advantage is that we can reliably know what all the aliases of a given unit are. This means we can reliably load dropins under all names. This fixes #11972.
2019-07-18 13:11:28 +02:00
manager_free_unit_name_maps(m);
manager: hookup generators
2010-11-11 21:28:33 +01:00
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
/* First, enumerate what we can from kernel and suchlike */
core: bring manager_startup() and manager_reload() more inline Both functions do partly the same, let's make sure they do it in the same order, and that we don't miss some calls. This makes a number of changes: 1. Moves exec_runtime_vacuum() two calls down in manager_startup(). This should not have any effect but makes manager_startup() more like manager_reload(). 2. Calls manager_recheck_journal(), manager_recheck_dbus(), manager_enqueue_sync_bus_names() in manager_startup() too. This is a good idea since during reeexec we pass through manager_startup() and hence can't assume dbus and journald weren't up yet, hence let's check if they are ready to be connected to. 3. Include manager_enumerate_perpetual() in manager_reload(), too. This is not strictly necessary, since these units are included in the serialization anyway, but it's still a nice thing, in particular as theoretically the deserialization could fail.
2018-10-09 17:37:57 +02:00
manager_enumerate_perpetual(m);
core: change return value of the unit's enumerate() call to void We cannot handle enumeration failures in a sensible way, hence let's try hard to continue without making such failures fatal, and log about it with precise error messages.
2015-11-10 20:36:37 +01:00
manager_enumerate(m);
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
/* Second, deserialize our stored data */
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
r = manager_deserialize(m, f, fds);
if (r < 0)
log_warning_errno(r, "Deserialization failed, proceeding anyway: %m");
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
/* We don't need the serialization anymore */
core: use safe_fclose() where appropriate
2018-06-04 23:05:39 +02:00
f = safe_fclose(f);
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
/* Re-register notify_fd as event source, and set up other sockets/communication channels we might need */
(void) manager_setup_notify(m);
(void) manager_setup_cgroups_agent(m);
(void) manager_setup_user_lookup_fd(m);
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
/* Third, fire things up! */
manager: don't fail fatally if we cannot coldplug a unit It's better to continue as good as we can, than to totally fail. Hence, let's log about the failure and continue.
2015-04-24 16:09:15 +02:00
manager_coldplug(m);
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
core: turn our four vacuum calls into a new helper function Just share some code. No functional changes.
2018-10-09 19:34:23 +02:00
/* Clean up runtime objects no longer referenced */
manager_vacuum(m);
core: make ExecRuntime be manager managed object Before this, each ExecRuntime object is owned by a unit. However, it may be shared with other units which enable JoinsNamespaceOf=. Thus, by the serialization/deserialization process, its sharing information, more specifically, reference counter is lost, and causes issue #7790. This makes ExecRuntime objects be managed by manager, and changes the serialization/deserialization process. Fixes #7790.
2018-02-06 08:00:34 +01:00
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
/* Consider the reload process complete now. */
move MANAGER_IS_RELOADING() check into manager_recheck_{dbus|journal}() (#8510) Let's better check this inside of the call than before it, so that we never issue this while reloading, even should these calls be called due to other reasons than just the unit notify. This makes sure the reload state is unset a bit earlier in manager_reload() so that we can safely call this function from there and they do the right thing. Follow-up for e63ebf71edd7947f29389c72e851d8df5c7bedda.
2018-03-21 12:03:45 +01:00
assert(m->n_reloading > 0);
m->n_reloading--;
core: add Manager::honor_device_enumeration flag When system manager is started first time or after switching root, then the udev's device tag data do not exist yet. So, let's not honor the enumeration results. Fixes #11997.
2019-03-15 11:37:43 +01:00
/* On manager reloading, device tag data should exists, thus, we should honor the results of device
* enumeration. The flag should be always set correctly by the serialized data, but it may fail. So,
* let's always set the flag here for safety. */
m->honor_device_enumeration = true;
core: add a common helper call manager_ready() sharing some common code between manager_reload() and manager_startup() Just sharing some common code. No functional changes
2018-10-09 19:41:24 +02:00
manager_ready(m);
core: re-sync bus name list after deserializing during daemon-reload When the daemon reloads, it doesn not actually give up its DBus connection, as wrongly stated in an earlier commit. However, even though the bus connection stays open, the daemon flushes out all its internal state. Hence, if there is a NameOwnerChanged signal after the flush and before the deserialization, it cannot be matched against any pending unit. To fix this, rename bus_list_names() to manager_sync_bus_names() and call it explicitly at the end of the daemon reload operation.
2015-12-22 11:37:09 +01:00
core: send out "Reloading" signal before and after doing a full reload/reexec of PID 1 Since we'll unload all units/job during a reload, and then readd them it is really useful for clients to be aware of this phase hence sent a signal out before and after. This signal is called "Reloading" (despite the fact that it is also sent out during reexecution, which we consider a special case in this context) and has one boolean parameter which is true for the signal sent before the reload, and false for the signal after the reload. The UnitRemoved/JobRremoved and UnitNew/JobNew due to the reloading are guranteed to be between the pair of Reloading messages.
2013-07-10 21:10:53 +02:00
m->send_reloading_done = true;
manager: rework error handling and logging in manager_reload() let's clean up error handling and logging in manager_reload() a bit. Specifically: make sure we log about every error we might encounter at least and at most once. When we encounter an error before the "point of no return" then log at LOG_ERR about it and propagate it. Otherwise, eat it up, but warn about it and proceed, it's the best we can do.
2018-10-09 17:02:14 +02:00
return 0;
reload: implement reload/reexec logic
2010-04-21 03:27:44 +02:00
}
manager: add missing second part of s/maintenance/failed/
2010-08-31 00:23:34 +02:00
void manager_reset_failed(Manager *m) {
systemctl: introduce reset-maintenance command
2010-07-18 04:58:01 +02:00
Unit *u;
Iterator i;
assert(m);
HASHMAP_FOREACH(u, m->units, i)
manager: add missing second part of s/maintenance/failed/
2010-08-31 00:23:34 +02:00
unit_reset_failed(u);
systemctl: introduce reset-maintenance command
2010-07-18 04:58:01 +02:00
}
unit: rework stop pending logic When a trigger unit wants to know if a stop is queued for it, we should just check precisely that and do not check whether it is actually stopped already. This is because we use these checks usually from state change calls where the state variables are not updated yet. This change splits unit_pending_inactive() into two calls unit_inactive_or_pending() and unit_stop_pending(). The former checks state and pending jobs, the latter only pending jobs.
2013-04-26 02:57:41 +02:00
bool manager_unit_inactive_or_pending(Manager *m, const char *name) {
dbus: don't accept activation requests anymore if we are going down anyway
2010-09-01 03:30:59 +02:00
Unit *u;
assert(m);
assert(name);
/* Returns true if the unit is inactive or going down */
core/manager: modernize style
2013-01-02 22:03:35 +01:00
u = manager_get_unit(m, name);
if (!u)
dbus: don't accept activation requests anymore if we are going down anyway
2010-09-01 03:30:59 +02:00
return true;
unit: rework stop pending logic When a trigger unit wants to know if a stop is queued for it, we should just check precisely that and do not check whether it is actually stopped already. This is because we use these checks usually from state change calls where the state variables are not updated yet. This change splits unit_pending_inactive() into two calls unit_inactive_or_pending() and unit_stop_pending(). The former checks state and pending jobs, the latter only pending jobs.
2013-04-26 02:57:41 +02:00
return unit_inactive_or_pending(u);
dbus: don't accept activation requests anymore if we are going down anyway
2010-09-01 03:30:59 +02:00
}
core: delay logging the taint string until after basic.target is reached (#7935) This happens to be almost the same moment as when we send READY=1 in the user instance, but the logic is slightly different, since we log taint when basic.target is reached in the system manager, but we send the notification only in the user manager. So add a separate flag for this and propagate it across reloads. Fixes #7683.
2018-01-21 13:17:54 +01:00
static void log_taint_string(Manager *m) {
_cleanup_free_ char *taint = NULL;
assert(m);
if (MANAGER_IS_USER(m) || m->taint_logged)
return;
m->taint_logged = true; /* only check for taint once */
taint = manager_taint_string(m);
if (isempty(taint))
return;
log_struct(LOG_NOTICE,
LOG_MESSAGE("System is tainted: %s", taint),
"TAINT=%s", taint,
basic/log: add the log_struct terminator to macro This way all callers do not need to specify it. Exhaustively tested by running test-log under valgrind ;)
2018-06-04 12:59:22 +02:00
"MESSAGE_ID=" SD_MESSAGE_TAINTED_STR);
core: delay logging the taint string until after basic.target is reached (#7935) This happens to be almost the same moment as when we send READY=1 in the user instance, but the logic is slightly different, since we log taint when basic.target is reached in the system manager, but we send the notification only in the user manager. So add a separate flag for this and propagate it across reloads. Fixes #7683.
2018-01-21 13:17:54 +01:00
}
manager: do not print timing when running in test mode
2014-11-02 18:19:38 +01:00
static void manager_notify_finished(Manager *m) {
manager: fix the build
2012-09-13 19:29:46 +02:00
char userspace[FORMAT_TIMESPAN_MAX], initrd[FORMAT_TIMESPAN_MAX], kernel[FORMAT_TIMESPAN_MAX], sum[FORMAT_TIMESPAN_MAX];
manager: extend performance measurement interface to include firmware/loader times This only adds the fields to the D-Bus interfaces but doesn't fill them in with anything useful yet. Gummiboot exposes the necessary bits of information to use however and as soon as I get my fingers on a proper UEFI laptop I'll hook up the remaining bits. Since we want to stabilize the D-Bus interface soon and include it in the stability promise we should get the last fixes in, hence this change now.
2012-09-13 18:54:32 +02:00
usec_t firmware_usec, loader_usec, kernel_usec, initrd_usec, userspace_usec, total_usec;
manager: measure startup times
2010-09-21 04:14:38 +02:00
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m))
manager: measure startup times
2010-09-21 04:14:38 +02:00
return;
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
if (MANAGER_IS_SYSTEM(m) && detect_container() <= 0) {
core: manager logs firmware and loader time when startup finished
2017-12-25 05:08:23 +01:00
char ts[FORMAT_TIMESPAN_MAX];
core: initalize buffer
2018-01-20 01:06:34 +01:00
char buf[FORMAT_TIMESPAN_MAX + STRLEN(" (firmware) + ") + FORMAT_TIMESPAN_MAX + STRLEN(" (loader) + ")]
= {};
char *p = buf;
size_t size = sizeof buf;
manager: don't show kernel boot-up time for containers
2011-03-14 21:47:41 +01:00
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
/* Note that MANAGER_TIMESTAMP_KERNEL's monotonic value is always at 0, and
* MANAGER_TIMESTAMP_FIRMWARE's and MANAGER_TIMESTAMP_LOADER's monotonic value should be considered
manager: extend performance measurement interface to include firmware/loader times This only adds the fields to the D-Bus interfaces but doesn't fill them in with anything useful yet. Gummiboot exposes the necessary bits of information to use however and as soon as I get my fingers on a proper UEFI laptop I'll hook up the remaining bits. Since we want to stabilize the D-Bus interface soon and include it in the stability promise we should get the last fixes in, hence this change now.
2012-09-13 18:54:32 +02:00
* negative values. */
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
firmware_usec = m->timestamps[MANAGER_TIMESTAMP_FIRMWARE].monotonic - m->timestamps[MANAGER_TIMESTAMP_LOADER].monotonic;
loader_usec = m->timestamps[MANAGER_TIMESTAMP_LOADER].monotonic - m->timestamps[MANAGER_TIMESTAMP_KERNEL].monotonic;
userspace_usec = m->timestamps[MANAGER_TIMESTAMP_FINISH].monotonic - m->timestamps[MANAGER_TIMESTAMP_USERSPACE].monotonic;
total_usec = m->timestamps[MANAGER_TIMESTAMP_FIRMWARE].monotonic + m->timestamps[MANAGER_TIMESTAMP_FINISH].monotonic;
dbus: send our finished signal when we are finished booting
2011-06-27 13:47:03 +02:00
core: manager logs firmware and loader time when startup finished
2017-12-25 05:08:23 +01:00
if (firmware_usec > 0)
size = strpcpyf(&p, size, "%s (firmware) + ", format_timespan(ts, sizeof(ts), firmware_usec, USEC_PER_MSEC));
if (loader_usec > 0)
size = strpcpyf(&p, size, "%s (loader) + ", format_timespan(ts, sizeof(ts), loader_usec, USEC_PER_MSEC));
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
if (dual_timestamp_is_set(&m->timestamps[MANAGER_TIMESTAMP_INITRD])) {
dbus: send our finished signal when we are finished booting
2011-06-27 13:47:03 +02:00
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
/* The initrd case on bare-metal*/
kernel_usec = m->timestamps[MANAGER_TIMESTAMP_INITRD].monotonic - m->timestamps[MANAGER_TIMESTAMP_KERNEL].monotonic;
initrd_usec = m->timestamps[MANAGER_TIMESTAMP_USERSPACE].monotonic - m->timestamps[MANAGER_TIMESTAMP_INITRD].monotonic;
dbus: send our finished signal when we are finished booting
2011-06-27 13:47:03 +02:00
core: print 'startup finished' messages even if we log to console
2014-08-22 16:41:00 +02:00
log_struct(LOG_INFO,
tree-wide: add SD_ID128_MAKE_STR, remove LOG_MESSAGE_ID Embedding sd_id128_t's in constant strings was rather cumbersome. We had SD_ID128_CONST_STR which returned a const char[], but it had two problems: - it wasn't possible to statically concatanate this array with a normal string - gcc wasn't really able to optimize this, and generated code to perform the "conversion" at runtime. Because of this, even our own code in coredumpctl wasn't using SD_ID128_CONST_STR. Add a new macro to generate a constant string: SD_ID128_MAKE_STR. It is not as elegant as SD_ID128_CONST_STR, because it requires a repetition of the numbers, but in practice it is more convenient to use, and allows gcc to generate smarter code: $ size .libs/systemd{,-logind,-journald}{.old,} text data bss dec hex filename 1265204 149564 4808 1419576 15a938 .libs/systemd.old 1260268 149564 4808 1414640 1595f0 .libs/systemd 246805 13852 209 260866 3fb02 .libs/systemd-logind.old 240973 13852 209 255034 3e43a .libs/systemd-logind 146839 4984 34 151857 25131 .libs/systemd-journald.old 146391 4984 34 151409 24f71 .libs/systemd-journald It is also much easier to check if a certain binary uses a certain MESSAGE_ID: $ strings .libs/systemd.old|grep MESSAGE_ID MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x $ strings .libs/systemd|grep MESSAGE_ID MESSAGE_ID=c7a787079b354eaaa9e77b371893cd27 MESSAGE_ID=b07a249cd024414a82dd00cd181378ff MESSAGE_ID=641257651c1b4ec9a8624d7a40a9e1e7 MESSAGE_ID=de5b426a63be47a7b6ac3eaac82e2f6f MESSAGE_ID=d34d037fff1847e6ae669a370e694725 MESSAGE_ID=7d4958e842da4a758f6c1cdc7b36dcc5 MESSAGE_ID=1dee0369c7fc4736b7099b38ecb46ee7 MESSAGE_ID=39f53479d3a045ac8e11786248231fbf MESSAGE_ID=be02cf6855d2428ba40df7e9d022f03d MESSAGE_ID=7b05ebc668384222baa8881179cfda54 MESSAGE_ID=9d1aaa27d60140bd96365438aad20286
2016-11-06 18:48:23 +01:00
"MESSAGE_ID=" SD_MESSAGE_STARTUP_FINISHED_STR,
core: print 'startup finished' messages even if we log to console
2014-08-22 16:41:00 +02:00
"KERNEL_USEC="USEC_FMT, kernel_usec,
"INITRD_USEC="USEC_FMT, initrd_usec,
"USERSPACE_USEC="USEC_FMT, userspace_usec,
core: manager logs firmware and loader time when startup finished
2017-12-25 05:08:23 +01:00
LOG_MESSAGE("Startup finished in %s%s (kernel) + %s (initrd) + %s (userspace) = %s.",
buf,
log: fix order of log_unit_struct() to match other logging calls Also, while we are at it, introduce some syntactic sugar for creating ERRNO= and MESSAGE= structured logging fields.
2014-11-28 02:05:14 +01:00
format_timespan(kernel, sizeof(kernel), kernel_usec, USEC_PER_MSEC),
format_timespan(initrd, sizeof(initrd), initrd_usec, USEC_PER_MSEC),
format_timespan(userspace, sizeof(userspace), userspace_usec, USEC_PER_MSEC),
basic/log: add the log_struct terminator to macro This way all callers do not need to specify it. Exhaustively tested by running test-log under valgrind ;)
2018-06-04 12:59:22 +02:00
format_timespan(sum, sizeof(sum), total_usec, USEC_PER_MSEC)));
dbus: send our finished signal when we are finished booting
2011-06-27 13:47:03 +02:00
} else {
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
/* The initrd-less case on bare-metal*/
kernel_usec = m->timestamps[MANAGER_TIMESTAMP_USERSPACE].monotonic - m->timestamps[MANAGER_TIMESTAMP_KERNEL].monotonic;
dbus: send our finished signal when we are finished booting
2011-06-27 13:47:03 +02:00
initrd_usec = 0;
journal: suppress structured messages if they'd go to the console
2012-08-24 22:43:33 +02:00
log_struct(LOG_INFO,
tree-wide: add SD_ID128_MAKE_STR, remove LOG_MESSAGE_ID Embedding sd_id128_t's in constant strings was rather cumbersome. We had SD_ID128_CONST_STR which returned a const char[], but it had two problems: - it wasn't possible to statically concatanate this array with a normal string - gcc wasn't really able to optimize this, and generated code to perform the "conversion" at runtime. Because of this, even our own code in coredumpctl wasn't using SD_ID128_CONST_STR. Add a new macro to generate a constant string: SD_ID128_MAKE_STR. It is not as elegant as SD_ID128_CONST_STR, because it requires a repetition of the numbers, but in practice it is more convenient to use, and allows gcc to generate smarter code: $ size .libs/systemd{,-logind,-journald}{.old,} text data bss dec hex filename 1265204 149564 4808 1419576 15a938 .libs/systemd.old 1260268 149564 4808 1414640 1595f0 .libs/systemd 246805 13852 209 260866 3fb02 .libs/systemd-logind.old 240973 13852 209 255034 3e43a .libs/systemd-logind 146839 4984 34 151857 25131 .libs/systemd-journald.old 146391 4984 34 151409 24f71 .libs/systemd-journald It is also much easier to check if a certain binary uses a certain MESSAGE_ID: $ strings .libs/systemd.old|grep MESSAGE_ID MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x $ strings .libs/systemd|grep MESSAGE_ID MESSAGE_ID=c7a787079b354eaaa9e77b371893cd27 MESSAGE_ID=b07a249cd024414a82dd00cd181378ff MESSAGE_ID=641257651c1b4ec9a8624d7a40a9e1e7 MESSAGE_ID=de5b426a63be47a7b6ac3eaac82e2f6f MESSAGE_ID=d34d037fff1847e6ae669a370e694725 MESSAGE_ID=7d4958e842da4a758f6c1cdc7b36dcc5 MESSAGE_ID=1dee0369c7fc4736b7099b38ecb46ee7 MESSAGE_ID=39f53479d3a045ac8e11786248231fbf MESSAGE_ID=be02cf6855d2428ba40df7e9d022f03d MESSAGE_ID=7b05ebc668384222baa8881179cfda54 MESSAGE_ID=9d1aaa27d60140bd96365438aad20286
2016-11-06 18:48:23 +01:00
"MESSAGE_ID=" SD_MESSAGE_STARTUP_FINISHED_STR,
core: print 'startup finished' messages even if we log to console
2014-08-22 16:41:00 +02:00
"KERNEL_USEC="USEC_FMT, kernel_usec,
Use format patterns for usec_t, pid_t, nsec_t, usec_t It is nicer to predefine patterns using configure time check instead of using casts everywhere. Since we do not need to use any flags, include "%" in the format instead of excluding it like PRI* macros.
2013-12-30 23:22:26 +01:00
"USERSPACE_USEC="USEC_FMT, userspace_usec,
core: manager logs firmware and loader time when startup finished
2017-12-25 05:08:23 +01:00
LOG_MESSAGE("Startup finished in %s%s (kernel) + %s (userspace) = %s.",
buf,
log: fix order of log_unit_struct() to match other logging calls Also, while we are at it, introduce some syntactic sugar for creating ERRNO= and MESSAGE= structured logging fields.
2014-11-28 02:05:14 +01:00
format_timespan(kernel, sizeof(kernel), kernel_usec, USEC_PER_MSEC),
format_timespan(userspace, sizeof(userspace), userspace_usec, USEC_PER_MSEC),
basic/log: add the log_struct terminator to macro This way all callers do not need to specify it. Exhaustively tested by running test-log under valgrind ;)
2018-06-04 12:59:22 +02:00
format_timespan(sum, sizeof(sum), total_usec, USEC_PER_MSEC)));
core: print 'startup finished' messages even if we log to console
2014-08-22 16:41:00 +02:00
}
} else {
manager: split out send_ready and basic.target checking into functions of their own Let's shorten manager_check_finished() a bit by splitting out checking of basic.target and the two things we do when we reach it. This should not change behaviour, except for one thing: we now check basic.target's actual state for figuring out whether it is up, instead of generically checking whether it has any job queued. This is arguably more correct, and is what other code does too for similar purposes, for example manager_state()
2018-01-23 16:32:06 +01:00
/* The container and --user case */
core: print 'startup finished' messages even if we log to console
2014-08-22 16:41:00 +02:00
firmware_usec = loader_usec = initrd_usec = kernel_usec = 0;
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
total_usec = userspace_usec = m->timestamps[MANAGER_TIMESTAMP_FINISH].monotonic - m->timestamps[MANAGER_TIMESTAMP_USERSPACE].monotonic;
core: print 'startup finished' messages even if we log to console
2014-08-22 16:41:00 +02:00
log_struct(LOG_INFO,
tree-wide: add SD_ID128_MAKE_STR, remove LOG_MESSAGE_ID Embedding sd_id128_t's in constant strings was rather cumbersome. We had SD_ID128_CONST_STR which returned a const char[], but it had two problems: - it wasn't possible to statically concatanate this array with a normal string - gcc wasn't really able to optimize this, and generated code to perform the "conversion" at runtime. Because of this, even our own code in coredumpctl wasn't using SD_ID128_CONST_STR. Add a new macro to generate a constant string: SD_ID128_MAKE_STR. It is not as elegant as SD_ID128_CONST_STR, because it requires a repetition of the numbers, but in practice it is more convenient to use, and allows gcc to generate smarter code: $ size .libs/systemd{,-logind,-journald}{.old,} text data bss dec hex filename 1265204 149564 4808 1419576 15a938 .libs/systemd.old 1260268 149564 4808 1414640 1595f0 .libs/systemd 246805 13852 209 260866 3fb02 .libs/systemd-logind.old 240973 13852 209 255034 3e43a .libs/systemd-logind 146839 4984 34 151857 25131 .libs/systemd-journald.old 146391 4984 34 151409 24f71 .libs/systemd-journald It is also much easier to check if a certain binary uses a certain MESSAGE_ID: $ strings .libs/systemd.old|grep MESSAGE_ID MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x $ strings .libs/systemd|grep MESSAGE_ID MESSAGE_ID=c7a787079b354eaaa9e77b371893cd27 MESSAGE_ID=b07a249cd024414a82dd00cd181378ff MESSAGE_ID=641257651c1b4ec9a8624d7a40a9e1e7 MESSAGE_ID=de5b426a63be47a7b6ac3eaac82e2f6f MESSAGE_ID=d34d037fff1847e6ae669a370e694725 MESSAGE_ID=7d4958e842da4a758f6c1cdc7b36dcc5 MESSAGE_ID=1dee0369c7fc4736b7099b38ecb46ee7 MESSAGE_ID=39f53479d3a045ac8e11786248231fbf MESSAGE_ID=be02cf6855d2428ba40df7e9d022f03d MESSAGE_ID=7b05ebc668384222baa8881179cfda54 MESSAGE_ID=9d1aaa27d60140bd96365438aad20286
2016-11-06 18:48:23 +01:00
"MESSAGE_ID=" SD_MESSAGE_USER_STARTUP_FINISHED_STR,
core: print 'startup finished' messages even if we log to console
2014-08-22 16:41:00 +02:00
"USERSPACE_USEC="USEC_FMT, userspace_usec,
log: fix order of log_unit_struct() to match other logging calls Also, while we are at it, introduce some syntactic sugar for creating ERRNO= and MESSAGE= structured logging fields.
2014-11-28 02:05:14 +01:00
LOG_MESSAGE("Startup finished in %s.",
basic/log: add the log_struct terminator to macro This way all callers do not need to specify it. Exhaustively tested by running test-log under valgrind ;)
2018-06-04 12:59:22 +02:00
format_timespan(sum, sizeof(sum), total_usec, USEC_PER_MSEC)));
dbus: send our finished signal when we are finished booting
2011-06-27 13:47:03 +02:00
}
manager: measure startup times
2010-09-21 04:14:38 +02:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
bus_manager_send_finished(m, firmware_usec, loader_usec, kernel_usec, initrd_usec, userspace_usec, total_usec);
manager: use sd_notify() to notify parent systemd that we have finished startup
2011-06-30 02:15:41 +02:00
sd_notifyf(false,
core: in --user mode, report READY=1 as soon as basic.target is reached (#7102) When a user logs in, systemd-pam will wait for the user manager instance to report readiness. We don't need to wait for all the jobs to finish, it is enough if the basic startup is done and the user manager is responsive. systemd --user will now send out a READY=1 notification when either of two conditions becomes true: - basic.target/start job is gone, - the initial transaction is done. Also fixes #2863.
2017-10-24 14:48:54 +02:00
m->ready_sent ? "STATUS=Startup finished in %s."
: "READY=1\n"
"STATUS=Startup finished in %s.",
util: make time formatting a bit smarter Instead of outputting "5h 55s 50ms 3us" we'll now output "5h 55.050003s". Also, while outputting the accuracy is configurable. Basically we now try use "dot notation" for all time values > 1min. For >= 1s we use 's' as unit, otherwise for >= 1ms we use 'ms' as unit, and finally 'us'. This should give reasonably values in most cases.
2013-04-04 02:56:56 +02:00
format_timespan(sum, sizeof(sum), total_usec, USEC_PER_MSEC));
core: in --user mode, report READY=1 as soon as basic.target is reached (#7102) When a user logs in, systemd-pam will wait for the user manager instance to report readiness. We don't need to wait for all the jobs to finish, it is enough if the basic startup is done and the user manager is responsive. systemd --user will now send out a READY=1 notification when either of two conditions becomes true: - basic.target/start job is gone, - the initial transaction is done. Also fixes #2863.
2017-10-24 14:48:54 +02:00
m->ready_sent = true;
core: delay logging the taint string until after basic.target is reached (#7935) This happens to be almost the same moment as when we send READY=1 in the user instance, but the logic is slightly different, since we log taint when basic.target is reached in the system manager, but we send the notification only in the user manager. So add a separate flag for this and propagate it across reloads. Fixes #7683.
2018-01-21 13:17:54 +01:00
log_taint_string(m);
manager: measure startup times
2010-09-21 04:14:38 +02:00
}
manager: split out send_ready and basic.target checking into functions of their own Let's shorten manager_check_finished() a bit by splitting out checking of basic.target and the two things we do when we reach it. This should not change behaviour, except for one thing: we now check basic.target's actual state for figuring out whether it is up, instead of generically checking whether it has any job queued. This is arguably more correct, and is what other code does too for similar purposes, for example manager_state()
2018-01-23 16:32:06 +01:00
static void manager_send_ready(Manager *m) {
assert(m);
/* We send READY=1 on reaching basic.target only when running in --user mode. */
if (!MANAGER_IS_USER(m) || m->ready_sent)
return;
m->ready_sent = true;
sd_notifyf(false,
"READY=1\n"
"STATUS=Reached " SPECIAL_BASIC_TARGET ".");
}
static void manager_check_basic_target(Manager *m) {
Unit *u;
assert(m);
/* Small shortcut */
if (m->ready_sent && m->taint_logged)
return;
u = manager_get_unit(m, SPECIAL_BASIC_TARGET);
if (!u || !UNIT_IS_ACTIVE_OR_RELOADING(unit_active_state(u)))
return;
/* For user managers, send out READY=1 as soon as we reach basic.target */
manager_send_ready(m);
/* Log the taint string as soon as we reach basic.target */
log_taint_string(m);
}
manager: do not print timing when running in test mode
2014-11-02 18:19:38 +01:00
void manager_check_finished(Manager *m) {
assert(m);
core: introduce MANAGER_IS_RELOADING() macro This replaces the old function call manager_is_reloading_or_reexecuting() which was used only at very few places. Use the new macro wherever we check whether we are reloading. This should hopefully make things a bit more readable, given the nature of Manager:n_reloading being a counter.
2016-02-24 21:36:09 +01:00
if (MANAGER_IS_RELOADING(m))
core: don't consider boot-up finished if we are still reloading http://lists.freedesktop.org/archives/systemd-devel/2015-May/032025.html
2015-05-19 19:09:03 +02:00
return;
manager: add MANAGER_IS_RUNNING() for checking whether the manager is running This macro is useful as the check is not obvious, and we better abstract this away.
2018-01-23 16:43:56 +01:00
/* Verify that we have entered the event loop already, and not left it again. */
if (!MANAGER_IS_RUNNING(m))
manager: fix finish_timestamp calculation http://lists.freedesktop.org/archives/systemd-devel/2015-May/032100.html
2015-05-21 21:34:36 +02:00
return;
manager: split out send_ready and basic.target checking into functions of their own Let's shorten manager_check_finished() a bit by splitting out checking of basic.target and the two things we do when we reach it. This should not change behaviour, except for one thing: we now check basic.target's actual state for figuring out whether it is up, instead of generically checking whether it has any job queued. This is arguably more correct, and is what other code does too for similar purposes, for example manager_state()
2018-01-23 16:32:06 +01:00
manager_check_basic_target(m);
core: in --user mode, report READY=1 as soon as basic.target is reached (#7102) When a user logs in, systemd-pam will wait for the user manager instance to report readiness. We don't need to wait for all the jobs to finish, it is enough if the basic startup is done and the user manager is responsive. systemd --user will now send out a READY=1 notification when either of two conditions becomes true: - basic.target/start job is gone, - the initial transaction is done. Also fixes #2863.
2017-10-24 14:48:54 +02:00
manager: do not print timing when running in test mode
2014-11-02 18:19:38 +01:00
if (hashmap_size(m->jobs) > 0) {
if (m->jobs_in_progress_event_source)
core: ignore any issues with setting time on jobs_in_progress_event_source CID #1237559.
2015-03-14 03:11:09 +01:00
/* Ignore any failure, this is only for feedback */
pid1: make cylon timeout significantly bigger when not showing any messages When we are booting with show-status=on, normally new status updates happen a few times per second. Thus, it is reasonable to start showing the cylon eye after 5 s, because that means a significant delay has happened. When we are running with show-status=off or show-status=auto (and no error had occured), the user is expecting maybe 15 to 90 seconds with no output (because that's usually how long the whole boot takes). So we shouldn't bother the user with information about a few seconds of delay. Let's make the timeout 25s if we are not showing any messages. Conversly, when we are outputting status messages, we can show the cylon eye with a shorter delay, now that we removed the connection to enablement status. Let's make this 2s, so users get feedback about delays more quickly.
2020-02-29 16:29:42 +01:00
(void) sd_event_source_set_time(m->jobs_in_progress_event_source,
manager_watch_jobs_next_time(m));
manager: do not print timing when running in test mode
2014-11-02 18:19:38 +01:00
return;
}
manager: free the jobs hashmap after we have no jobs After a larger transaction, e.g. after bootup, we're left with an empty hashmap with hundreds of buckets. Long-term, it'd be better to size hashmaps down when they are less than 1/4 full, but even if we implement that, jobs hashmap is likely to be empty almost always, so it seems useful to deallocate it once the jobs count reaches 0.
2020-05-28 18:39:27 +02:00
/* The jobs hashmap tends to grow a lot during boot, and then it's not reused until shutdown. Let's
kill the hashmap if it is relatively large. */
if (hashmap_buckets(m->jobs) > hashmap_size(m->units) / 10)
m->jobs = hashmap_free(m->jobs);
pid1: when printing status message status, give reason
2020-02-29 10:59:27 +01:00
manager_flip_auto_status(m, false, "boot finished");
manager: do not print timing when running in test mode
2014-11-02 18:19:38 +01:00
/* Notify Type=idle units that we are done now */
manager_close_idle_pipe(m);
/* Turn off confirm spawn now */
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
m->confirm_spawn = NULL;
manager: do not print timing when running in test mode
2014-11-02 18:19:38 +01:00
/* No need to update ask password status when we're going non-interactive */
manager_close_ask_password(m);
/* This is no longer the first boot */
manager_set_first_boot(m, false);
manager: introduce MANAGER_IS_FINISHED() macro Let's make our finished checks a bit more readable. Checking the timestamp is not entirely obvious, hence let's abstract that a bit by adding a macro that shows what we are doing here, not how we doing it. This is particularly useful if we want to change the definition of "finished" later on, in particular, when we try to fix #7023.
2017-11-20 21:24:59 +01:00
if (MANAGER_IS_FINISHED(m))
manager: do not print timing when running in test mode
2014-11-02 18:19:38 +01:00
return;
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
dual_timestamp_get(m->timestamps + MANAGER_TIMESTAMP_FINISH);
manager: do not print timing when running in test mode
2014-11-02 18:19:38 +01:00
manager_notify_finished(m);
cgroup: unify how we invalidate cgroup controller settings Let's make sure that we follow the same codepaths when adjusting a cgroup property via the dbus SetProperty() call, and when we execute the StartupCPUShares= effect.
2015-09-11 18:21:53 +02:00
manager_invalidate_startup_units(m);
manager: do not print timing when running in test mode
2014-11-02 18:19:38 +01:00
}
manager: run environment generators Environment file generators are a lot like unit file generators, but not exactly: 1. environment file generators are run for each manager instance, and their output is (or at least can be) individualized. The generators themselves are system-wide, the same for all users. 2. environment file generators are run sequentially, in priority order. Thus, the lifetime of those files is tied to lifecycle of the manager instance. Because generators are run sequentially, later generators can use or modify the output of earlier generators. Each generator is run with no arguments, and the whole state is stored in the environment variables. The generator can echo a set of variable assignments to standard output: VAR_A=something VAR_B=something else This output is parsed, and the next and subsequent generators run with those updated variables in the environment. After the last generator is done, the environment that the manager itself exports is updated. Each generator must return 0, otherwise the output is ignored. The generators in */user-env-generator are for the user session managers, including root, and the ones in */system-env-generator are for pid1.
2017-01-22 07:13:47 +01:00
static bool generator_path_any(const char* const* paths) {
char **path;
bool found = false;
/* Optimize by skipping the whole process by not creating output directories
* if no generators are found. */
STRV_FOREACH(path, (char**) paths)
if (access(*path, F_OK) == 0)
found = true;
else if (errno != ENOENT)
log_warning_errno(errno, "Failed to open generator directory %s: %m", *path);
return found;
}
static int manager_run_environment_generators(Manager *m) {
char **tmp = NULL; /* this is only used in the forked process, no cleanup here */
core: Move environment generator path lookup into path-lookup.c
2020-02-14 22:43:38 +01:00
_cleanup_strv_free_ char **paths = NULL;
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
void* args[] = {
[STDOUT_GENERATE] = &tmp,
[STDOUT_COLLECT] = &tmp,
[STDOUT_CONSUME] = &m->transient_environment,
};
core: run env generators with non-zero umask For PID 1 we adjust the umask to 0, but generators should not run that way, given that they might be implemented as shell scripts and such. Let's hence explicitly adjust the umask for them. We already do this for unit generators. Let's do this for env generators, too.
2018-11-20 19:14:24 +01:00
int r;
manager: run environment generators Environment file generators are a lot like unit file generators, but not exactly: 1. environment file generators are run for each manager instance, and their output is (or at least can be) individualized. The generators themselves are system-wide, the same for all users. 2. environment file generators are run sequentially, in priority order. Thus, the lifetime of those files is tied to lifecycle of the manager instance. Because generators are run sequentially, later generators can use or modify the output of earlier generators. Each generator is run with no arguments, and the whole state is stored in the environment variables. The generator can echo a set of variable assignments to standard output: VAR_A=something VAR_B=something else This output is parsed, and the next and subsequent generators run with those updated variables in the environment. After the last generator is done, the environment that the manager itself exports is updated. Each generator must return 0, otherwise the output is ignored. The generators in */user-env-generator are for the user session managers, including root, and the ones in */system-env-generator are for pid1.
2017-01-22 07:13:47 +01:00
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m) && !(m->test_run_flags & MANAGER_TEST_RUN_ENV_GENERATORS))
Make test_run into a flags field and disable generators again Now generators are only run in systemd --test mode, where this makes most sense (how are you going to test what would happen otherwise?). Fixes #6842. v2: - rename test_run to test_run_flags
2017-09-16 11:19:43 +02:00
return 0;
core: Move environment generator path lookup into path-lookup.c
2020-02-14 22:43:38 +01:00
paths = env_generator_binary_paths(MANAGER_IS_SYSTEM(m));
if (!paths)
return log_oom();
manager: run environment generators Environment file generators are a lot like unit file generators, but not exactly: 1. environment file generators are run for each manager instance, and their output is (or at least can be) individualized. The generators themselves are system-wide, the same for all users. 2. environment file generators are run sequentially, in priority order. Thus, the lifetime of those files is tied to lifecycle of the manager instance. Because generators are run sequentially, later generators can use or modify the output of earlier generators. Each generator is run with no arguments, and the whole state is stored in the environment variables. The generator can echo a set of variable assignments to standard output: VAR_A=something VAR_B=something else This output is parsed, and the next and subsequent generators run with those updated variables in the environment. After the last generator is done, the environment that the manager itself exports is updated. Each generator must return 0, otherwise the output is ignored. The generators in */user-env-generator are for the user session managers, including root, and the ones in */system-env-generator are for pid1.
2017-01-22 07:13:47 +01:00
core: Move environment generator path lookup into path-lookup.c
2020-02-14 22:43:38 +01:00
if (!generator_path_any((const char* const*) paths))
manager: run environment generators Environment file generators are a lot like unit file generators, but not exactly: 1. environment file generators are run for each manager instance, and their output is (or at least can be) individualized. The generators themselves are system-wide, the same for all users. 2. environment file generators are run sequentially, in priority order. Thus, the lifetime of those files is tied to lifecycle of the manager instance. Because generators are run sequentially, later generators can use or modify the output of earlier generators. Each generator is run with no arguments, and the whole state is stored in the environment variables. The generator can echo a set of variable assignments to standard output: VAR_A=something VAR_B=something else This output is parsed, and the next and subsequent generators run with those updated variables in the environment. After the last generator is done, the environment that the manager itself exports is updated. Each generator must return 0, otherwise the output is ignored. The generators in */user-env-generator are for the user session managers, including root, and the ones in */system-env-generator are for pid1.
2017-01-22 07:13:47 +01:00
return 0;
core: run env generators with non-zero umask For PID 1 we adjust the umask to 0, but generators should not run that way, given that they might be implemented as shell scripts and such. Let's hence explicitly adjust the umask for them. We already do this for unit generators. Let's do this for env generators, too.
2018-11-20 19:14:24 +01:00
RUN_WITH_UMASK(0022)
core: Move environment generator path lookup into path-lookup.c
2020-02-14 22:43:38 +01:00
r = execute_directories((const char* const*) paths, DEFAULT_TIMEOUT_USEC, gather_environment,
core: Allow to configure execute_directories execution behavior This adds a new bitfield to `execute_directories()` which allows to configure whether to ignore non-zero exit statuses of binaries run and whether to allow parallel execution of commands. In case errors are not ignored, the exit status of the failed script will now be returned for error reposrting purposes or other further future use.
2018-09-09 03:18:45 +02:00
args, NULL, m->transient_environment, EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS);
core: run env generators with non-zero umask For PID 1 we adjust the umask to 0, but generators should not run that way, given that they might be implemented as shell scripts and such. Let's hence explicitly adjust the umask for them. We already do this for unit generators. Let's do this for env generators, too.
2018-11-20 19:14:24 +01:00
return r;
manager: run environment generators Environment file generators are a lot like unit file generators, but not exactly: 1. environment file generators are run for each manager instance, and their output is (or at least can be) individualized. The generators themselves are system-wide, the same for all users. 2. environment file generators are run sequentially, in priority order. Thus, the lifetime of those files is tied to lifecycle of the manager instance. Because generators are run sequentially, later generators can use or modify the output of earlier generators. Each generator is run with no arguments, and the whole state is stored in the environment variables. The generator can echo a set of variable assignments to standard output: VAR_A=something VAR_B=something else This output is parsed, and the next and subsequent generators run with those updated variables in the environment. After the last generator is done, the environment that the manager itself exports is updated. Each generator must return 0, otherwise the output is ignored. The generators in */user-env-generator are for the user session managers, including root, and the ones in */system-env-generator are for pid1.
2017-01-22 07:13:47 +01:00
}
Implement masking and overriding of generators Sometimes it is necessary to stop a generator from running. Either because of a bug, or for testing, or some other reason. The only way to do that would be to rename or chmod the generator binary, which is inconvenient and does not survive upgrades. Allow masking and overriding generators similarly to units and other configuration files. For the systemd instance, masking would be more common, rather than overriding generators. For the user instances, it may also be useful for users to have generators in $XDG_CONFIG_HOME to augment or override system-wide generators. Directories are searched according to the usual scheme (/usr/lib, /usr/local/lib, /run, /etc), and files with the same name in higher priority directories override files with the same name in lower priority directories. Empty files and links to /dev/null mask a given name. https://bugs.freedesktop.org/show_bug.cgi?id=87230
2015-01-09 02:47:25 +01:00
static int manager_run_generators(Manager *m) {
core: fix memory leak in manager_run_generators() If systemd is built with GCC address sanitizer or leak sanitizer the following memory leak ocurs: May 12 02:02:46 linux.site systemd[326]: ================================================================= May 12 02:02:46 linux.site systemd[326]: ==326==ERROR: LeakSanitizer: detected memory leaks May 12 02:02:46 linux.site systemd[326]: Direct leak of 101 byte(s) in 3 object(s) allocated from: May 12 02:02:46 linux.site systemd[326]: #0 0x7fd1f504993f in strdup (/usr/lib64/libasan.so.2+0x6293f) May 12 02:02:46 linux.site systemd[326]: #1 0x55d6ffac5336 in strv_new_ap src/shared/strv.c:163 May 12 02:02:46 linux.site systemd[326]: #2 0x55d6ffac56a9 in strv_new src/shared/strv.c:185 May 12 02:02:46 linux.site systemd[326]: #3 0x55d6ffa80272 in generator_paths src/shared/path-lookup.c:223 May 12 02:02:46 linux.site systemd[326]: #4 0x55d6ff9bdb0f in manager_run_generators src/core/manager.c:2828 May 12 02:02:46 linux.site systemd[326]: #5 0x55d6ff9b1a10 in manager_startup src/core/manager.c:1121 May 12 02:02:46 linux.site systemd[326]: #6 0x55d6ff9a78e3 in main src/core/main.c:1667 May 12 02:02:46 linux.site systemd[326]: #7 0x7fd1f394e8c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) May 12 02:02:46 linux.site systemd[326]: Direct leak of 29 byte(s) in 1 object(s) allocated from: May 12 02:02:46 linux.site systemd[326]: #0 0x7fd1f504993f in strdup (/usr/lib64/libasan.so.2+0x6293f) May 12 02:02:46 linux.site systemd[326]: #1 0x55d6ffac5288 in strv_new_ap src/shared/strv.c:152 May 12 02:02:46 linux.site systemd[326]: #2 0x55d6ffac56a9 in strv_new src/shared/strv.c:185 May 12 02:02:46 linux.site systemd[326]: #3 0x55d6ffa80272 in generator_paths src/shared/path-lookup.c:223 May 12 02:02:46 linux.site systemd[326]: #4 0x55d6ff9bdb0f in manager_run_generators src/core/manager.c:2828 May 12 02:02:46 linux.site systemd[326]: #5 0x55d6ff9b1a10 in manager_startup src/core/manager.c:1121 May 12 02:02:46 linux.site systemd[326]: #6 0x55d6ff9a78e3 in main src/core/main.c:1667 May 12 02:02:46 linux.site systemd[326]: #7 0x7fd1f394e8c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) May 12 02:02:46 linux.site systemd[326]: SUMMARY: AddressSanitizer: 130 byte(s) leaked in 4 allocation(s). There is a leak due to the the use of cleanup_free instead _cleanup_strv_free_
2015-05-12 04:30:38 +02:00
_cleanup_strv_free_ char **paths = NULL;
manager: rework generator logic Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-23 03:43:29 +02:00
const char *argv[5];
int r;
manager: hookup generators
2010-11-11 21:28:33 +01:00
assert(m);
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m) && !(m->test_run_flags & MANAGER_TEST_RUN_GENERATORS))
Make test_run into a flags field and disable generators again Now generators are only run in systemd --test mode, where this makes most sense (how are you going to test what would happen otherwise?). Fixes #6842. v2: - rename test_run to test_run_flags
2017-09-16 11:19:43 +02:00
return 0;
install: rename generator_paths() → generator_binary_paths() This is too confusing, as this funciton returns the paths to the generator binaries, while usually when we refer to the just the "generator path" we mean the generated unit files. Let's clean this up.
2016-04-06 20:48:58 +02:00
paths = generator_binary_paths(m->unit_file_scope);
Implement masking and overriding of generators Sometimes it is necessary to stop a generator from running. Either because of a bug, or for testing, or some other reason. The only way to do that would be to rename or chmod the generator binary, which is inconvenient and does not survive upgrades. Allow masking and overriding generators similarly to units and other configuration files. For the systemd instance, masking would be more common, rather than overriding generators. For the user instances, it may also be useful for users to have generators in $XDG_CONFIG_HOME to augment or override system-wide generators. Directories are searched according to the usual scheme (/usr/lib, /usr/local/lib, /run, /etc), and files with the same name in higher priority directories override files with the same name in lower priority directories. Empty files and links to /dev/null mask a given name. https://bugs.freedesktop.org/show_bug.cgi?id=87230
2015-01-09 02:47:25 +01:00
if (!paths)
return log_oom();
manager: hookup generators
2010-11-11 21:28:33 +01:00
manager: run environment generators Environment file generators are a lot like unit file generators, but not exactly: 1. environment file generators are run for each manager instance, and their output is (or at least can be) individualized. The generators themselves are system-wide, the same for all users. 2. environment file generators are run sequentially, in priority order. Thus, the lifetime of those files is tied to lifecycle of the manager instance. Because generators are run sequentially, later generators can use or modify the output of earlier generators. Each generator is run with no arguments, and the whole state is stored in the environment variables. The generator can echo a set of variable assignments to standard output: VAR_A=something VAR_B=something else This output is parsed, and the next and subsequent generators run with those updated variables in the environment. After the last generator is done, the environment that the manager itself exports is updated. Each generator must return 0, otherwise the output is ignored. The generators in */user-env-generator are for the user session managers, including root, and the ones in */system-env-generator are for pid1.
2017-01-22 07:13:47 +01:00
if (!generator_path_any((const char* const*) paths))
return 0;
manager: hookup generators
2010-11-11 21:28:33 +01:00
path-lookup: split out logic for mkdir/rmdir of generator dirs in their own functions
2016-02-25 01:44:30 +01:00
r = lookup_paths_mkdir_generator(&m->lookup_paths);
core: make sure manager_run_generators() logs about all errors Since it's mostly a wrapper around execute_directories() it already logs in most cases, but a few were missing. Fix that.
2018-10-09 16:47:30 +02:00
if (r < 0) {
log_error_errno(r, "Failed to create generator directories: %m");
manager: rework generator logic Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-23 03:43:29 +02:00
goto finish;
core: make sure manager_run_generators() logs about all errors Since it's mostly a wrapper around execute_directories() it already logs in most cases, but a few were missing. Fix that.
2018-10-09 16:47:30 +02:00
}
manager: hookup generators
2010-11-11 21:28:33 +01:00
shutdown: execute all binaries in /lib/systemd/system-shutdown as last step before invoking reboot()
2011-02-15 00:30:11 +01:00
argv[0] = NULL; /* Leave this empty, execute_directory() will fill something in */
core: rework generator dir logic, move the dirs into LookupPaths structure A long time ago – when generators where first introduced – the directories for them were randomly created via mkdtemp(). This was changed later so that they use fixed name directories now. Let's make use of this, and add the genrator dirs to the LookupPaths structure and into the unit file search path maintained in it. This has the benefit that the generator dirs are now normal part of the search path for all tools, and thus are shown in "systemctl list-unit-files" too.
2016-02-24 15:31:33 +01:00
argv[1] = m->lookup_paths.generator;
argv[2] = m->lookup_paths.generator_early;
argv[3] = m->lookup_paths.generator_late;
manager: rework generator logic Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-23 03:43:29 +02:00
argv[4] = NULL;
manager: hookup generators
2010-11-11 21:28:33 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
RUN_WITH_UMASK(0022)
core: Allow to configure execute_directories execution behavior This adds a new bitfield to `execute_directories()` which allows to configure whether to ignore non-zero exit statuses of binaries run and whether to allow parallel execution of commands. In case errors are not ignored, the exit status of the failed script will now be returned for error reposrting purposes or other further future use.
2018-09-09 03:18:45 +02:00
(void) execute_directories((const char* const*) paths, DEFAULT_TIMEOUT_USEC, NULL, NULL,
(char**) argv, m->transient_environment, EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS);
core: make sure manager_run_generators() logs about all errors Since it's mostly a wrapper around execute_directories() it already logs in most cases, but a few were missing. Fix that.
2018-10-09 16:47:30 +02:00
r = 0;
manager: hookup generators
2010-11-11 21:28:33 +01:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
finish:
path-lookup: split out logic for mkdir/rmdir of generator dirs in their own functions
2016-02-25 01:44:30 +01:00
lookup_paths_trim_generator(&m->lookup_paths);
Implement masking and overriding of generators Sometimes it is necessary to stop a generator from running. Either because of a bug, or for testing, or some other reason. The only way to do that would be to rename or chmod the generator binary, which is inconvenient and does not survive upgrades. Allow masking and overriding generators similarly to units and other configuration files. For the systemd instance, masking would be more common, rather than overriding generators. For the user instances, it may also be useful for users to have generators in $XDG_CONFIG_HOME to augment or override system-wide generators. Directories are searched according to the usual scheme (/usr/lib, /usr/local/lib, /run, /etc), and files with the same name in higher priority directories override files with the same name in lower priority directories. Empty files and links to /dev/null mask a given name. https://bugs.freedesktop.org/show_bug.cgi?id=87230
2015-01-09 02:47:25 +01:00
return r;
manager: hookup generators
2010-11-11 21:28:33 +01:00
}
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
int manager_transient_environment_add(Manager *m, char **plus) {
char **a;
assert(m);
if (strv_isempty(plus))
return 0;
a = strv_env_merge(2, m->transient_environment, plus);
if (!a)
manager: log on two OOM occasions
2018-11-19 12:22:56 +01:00
return log_oom();
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
sanitize_environment(a);
return strv_free_and_replace(m->transient_environment, a);
}
int manager_client_environment_modify(
Manager *m,
char **minus,
char **plus) {
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
char **a = NULL, **b = NULL, **l;
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
manager: add DefaultEnvironment option This complements existing functionality of setting variables through 'systemctl set-environment', the kernel command line, and through normal environment variables for systemd in session mode.
2013-06-09 07:08:46 +02:00
assert(m);
local: fix memory leak when putting together locale settings Also, we need to use proper strv_env_xyz() calls when putting together the environment array, since otherwise settings won't be properly overriden. And let's get rid of strv_appendf(), is overkill and there was only one user.
2013-10-01 00:08:30 +02:00
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
if (strv_isempty(minus) && strv_isempty(plus))
return 0;
l = m->client_environment;
local: fix memory leak when putting together locale settings Also, we need to use proper strv_env_xyz() calls when putting together the environment array, since otherwise settings won't be properly overriden. And let's get rid of strv_appendf(), is overkill and there was only one user.
2013-10-01 00:08:30 +02:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
if (!strv_isempty(minus)) {
a = strv_env_delete(l, 1, minus);
if (!a)
return -ENOMEM;
l = a;
}
if (!strv_isempty(plus)) {
b = strv_env_merge(2, l, plus);
core: fix resource leak in manager_environment_add Second error path must free the (potentially) allocated memory in the first code chunk before returning. Found by coverity. Fixes: CID#1237750
2014-09-16 21:11:02 +02:00
if (!b) {
strv_free(a);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
return -ENOMEM;
core: fix resource leak in manager_environment_add Second error path must free the (potentially) allocated memory in the first code chunk before returning. Found by coverity. Fixes: CID#1237750
2014-09-16 21:11:02 +02:00
}
local: fix memory leak when putting together locale settings Also, we need to use proper strv_env_xyz() calls when putting together the environment array, since otherwise settings won't be properly overriden. And let's get rid of strv_appendf(), is overkill and there was only one user.
2013-10-01 00:08:30 +02:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
l = b;
}
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
if (m->client_environment != l)
strv_free(m->client_environment);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
if (a != l)
strv_free(a);
if (b != l)
strv_free(b);
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
m->client_environment = sanitize_environment(l);
return 0;
}
int manager_get_effective_environment(Manager *m, char ***ret) {
char **l;
assert(m);
assert(ret);
l = strv_env_merge(2, m->transient_environment, m->client_environment);
if (!l)
return -ENOMEM;
core: don't allow setting NOTIFY_SOCKET and similar env vars we need ourselves via SetEnvironment bus calls We just quietly eat them up, so that simple environment importing still works without error.
2014-01-12 13:10:40 +01:00
core: split environment block mantained by PID 1's Manager object in two This splits the "environment" field of Manager into two: transient_environment and client_environment. The former is generated from configuration file, kernel cmdline, environment generators. The latter is the one the user can control with "systemctl set-environment" and similar. Both sets are merged transparently whenever needed. Separating the two sets has the benefit that we can safely flush out the former while keeping the latter during daemon reload cycles, so that env var settings from env generators or configuration files do not accumulate, but dynamic API changes are kept around. Note that this change is not entirely transparent to users: if the user first uses "set-environment" to override a transient variable, and then uses "unset-environment" to unset it again things will revert to the original transient variable now, while previously the variable was fully removed. This change in behaviour should not matter too much though I figure. Fixes: #9972
2018-10-31 15:49:19 +01:00
*ret = l;
manager: add DefaultEnvironment option This complements existing functionality of setting variables through 'systemctl set-environment', the kernel command line, and through normal environment variables for systemd in session mode.
2013-06-09 07:08:46 +02:00
return 0;
}
main: allow system wide limits for services
2012-03-21 18:03:40 +01:00
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit) {
int i;
assert(m);
missing: if RLIMIT_RTTIME is not defined by the libc, then we need a new define for the max number of rlimits, too
2014-03-05 02:29:58 +01:00
for (i = 0; i < _RLIMIT_MAX; i++) {
core: fix memory leak on reload ==1== HEAP SUMMARY: ==1== in use at exit: 61,728 bytes in 22 blocks ==1== total heap usage: 258,122 allocs, 258,100 frees, 78,219,628 bytes allocated ==1== ==1== 16 bytes in 1 blocks are definitely lost in loss record 1 of 6 ==1== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299) ==1== by 0x1E350E: memdup (alloc-util.c:34) ==1== by 0x135AFB: memdup_multiply (alloc-util.h:74) ==1== by 0x140F97: manager_set_default_rlimits (manager.c:2929) ==1== by 0x1303DA: manager_set_defaults (main.c:737) ==1== by 0x133A02: main (main.c:1718) ==1== ==1== 272 bytes in 17 blocks are definitely lost in loss record 2 of 6 ==1== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299) ==1== by 0x1E350E: memdup (alloc-util.c:34) ==1== by 0x135AFB: memdup_multiply (alloc-util.h:74) ==1== by 0x140F97: manager_set_default_rlimits (manager.c:2929) ==1== by 0x1303DA: manager_set_defaults (main.c:737) ==1== by 0x13480D: main (main.c:1828) ==1== ==1== LEAK SUMMARY: ==1== definitely lost: 288 bytes in 18 blocks ==1== indirectly lost: 0 bytes in 0 blocks ==1== possibly lost: 0 bytes in 0 blocks ==1== still reachable: 61,440 bytes in 4 blocks ==1== suppressed: 0 bytes in 0 blocks ==1== Reachable blocks (those to which a pointer was found) are not shown. ==1== To see them, rerun with: --leak-check=full --show-leak-kinds=all
2016-01-14 08:38:12 +01:00
m->rlimit[i] = mfree(m->rlimit[i]);
manager: rework generator logic Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-23 03:43:29 +02:00
if (!default_rlimit[i])
continue;
main: allow system wide limits for services
2012-03-21 18:03:40 +01:00
manager: rework generator logic Previously generated units were always placed at the end of the search path. With this change there will be three unit dirs instead of one, to place generated entries at the beginning, in the middle and at the end of the search path: beginning: for units that need to override all configuration, regardless of user or vendor. Example use: system-update-generator uses this to temporarily redirect default.target. middle: for units that need to override vendor configuration, but not vendor configuration. Example use: /etc/fstab should override vendor supplied configuration (think /tmp), but should not override native user configuration. end: does not override anything but is available as well. Possible usage might be to convert D-Bus bus service files to native units but allowing vendor supplied native units to win.
2012-05-23 03:43:29 +02:00
m->rlimit[i] = newdup(struct rlimit, default_rlimit[i], 1);
if (!m->rlimit[i])
pid1: downgrade some rlimit warnings Since we ignore the result anyway, downgrade errors to warning. log_oom() will still emit an error, but that's mostly theoretical, so it is not worth complicating the code to avoid the small inconsistency
2016-10-18 19:38:41 +02:00
return log_oom();
main: allow system wide limits for services
2012-03-21 18:03:40 +01:00
}
return 0;
}
core: rework how we connect to the bus This removes the current bus_init() call, as it had multiple problems: it munged handling of the three bus connections we care about (private, "api" and system) into one, even though the conditions when which was ready are very different. It also added redundant logging, as the individual calls it called all logged on their own anyway. The three calls bus_init_api(), bus_init_private() and bus_init_system() are now made public. A new call manager_dbus_is_running() is added that works much like manager_journal_is_running() and is a lot more careful when checking whether dbus is around. Optionally it checks the unit's deserialized_state rather than state, in order to accomodate for cases where we cant to connect to the bus before deserializing the "subscribed" list, before coldplugging the units. manager_recheck_dbus() is added, that works a lot like manager_recheck_journal() and is invoked in unit_notify(), i.e. when units change state. All in all this should make handling a bit more alike to journal handling, and it also fixes one major bug: when running in user mode we'll now connect to the system bus early on, without conditionalizing this in anyway.
2018-02-07 14:52:22 +01:00
void manager_recheck_dbus(Manager *m) {
assert(m);
/* Connects to the bus if the dbus service and socket are running. If we are running in user mode this is all
* it does. In system mode we'll also connect to the system bus (which will most likely just reuse the
* connection of the API bus). That's because the system bus after all runs as service of the system instance,
* while in the user instance we can assume it's already there. */
move MANAGER_IS_RELOADING() check into manager_recheck_{dbus|journal}() (#8510) Let's better check this inside of the call than before it, so that we never issue this while reloading, even should these calls be called due to other reasons than just the unit notify. This makes sure the reload state is unset a bit earlier in manager_reload() so that we can safely call this function from there and they do the right thing. Follow-up for e63ebf71edd7947f29389c72e851d8df5c7bedda.
2018-03-21 12:03:45 +01:00
if (MANAGER_IS_RELOADING(m))
return; /* don't check while we are reloading… */
core: rework how we connect to the bus This removes the current bus_init() call, as it had multiple problems: it munged handling of the three bus connections we care about (private, "api" and system) into one, even though the conditions when which was ready are very different. It also added redundant logging, as the individual calls it called all logged on their own anyway. The three calls bus_init_api(), bus_init_private() and bus_init_system() are now made public. A new call manager_dbus_is_running() is added that works much like manager_journal_is_running() and is a lot more careful when checking whether dbus is around. Optionally it checks the unit's deserialized_state rather than state, in order to accomodate for cases where we cant to connect to the bus before deserializing the "subscribed" list, before coldplugging the units. manager_recheck_dbus() is added, that works a lot like manager_recheck_journal() and is invoked in unit_notify(), i.e. when units change state. All in all this should make handling a bit more alike to journal handling, and it also fixes one major bug: when running in user mode we'll now connect to the system bus early on, without conditionalizing this in anyway.
2018-02-07 14:52:22 +01:00
if (manager_dbus_is_running(m, false)) {
(void) bus_init_api(m);
if (MANAGER_IS_SYSTEM(m))
(void) bus_init_system(m);
} else {
(void) bus_done_api(m);
if (MANAGER_IS_SYSTEM(m))
(void) bus_done_system(m);
}
}
pid1: make use of new "prohibit_ipc" logging flag in PID 1 Let's set it initially, and then toggle it only when we know its safe.
2018-01-24 17:42:12 +01:00
static bool manager_journal_is_running(Manager *m) {
syslog: rework syslog detection so that we need no compile-time option what the name of the syslog implementation is
2011-03-18 04:31:22 +01:00
Unit *u;
assert(m);
core: clean up test run flags Let's make them typesafe, and let's add a nice macro helper for checking if we are in a test run, which should make testing for this much easier to read for most cases.
2018-10-09 16:15:54 +02:00
if (MANAGER_IS_TEST_RUN(m))
manager: tweak manager_journal_is_running() a bit regarding test mode In test mode, let's not consider the journal to be up ever: we want all output to go to stderr.
2018-02-07 15:06:15 +01:00
return false;
pid1: make use of new "prohibit_ipc" logging flag in PID 1 Let's set it initially, and then toggle it only when we know its safe.
2018-01-24 17:42:12 +01:00
/* If we are the user manager we can safely assume that the journal is up */
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
if (!MANAGER_IS_SYSTEM(m))
pid1: make use of new "prohibit_ipc" logging flag in PID 1 Let's set it initially, and then toggle it only when we know its safe.
2018-01-24 17:42:12 +01:00
return true;
syslog: rework syslog detection so that we need no compile-time option what the name of the syslog implementation is
2011-03-18 04:31:22 +01:00
pid1: make use of new "prohibit_ipc" logging flag in PID 1 Let's set it initially, and then toggle it only when we know its safe.
2018-01-24 17:42:12 +01:00
/* Check that the socket is not only up, but in RUNNING state */
systemd: reconnect to syslog as soon as the journal is fully up
2012-01-11 03:16:24 +01:00
u = manager_get_unit(m, SPECIAL_JOURNALD_SOCKET);
pid1: make use of new "prohibit_ipc" logging flag in PID 1 Let's set it initially, and then toggle it only when we know its safe.
2018-01-24 17:42:12 +01:00
if (!u)
return false;
if (SOCKET(u)->state != SOCKET_RUNNING)
return false;
syslog: rework syslog detection so that we need no compile-time option what the name of the syslog implementation is
2011-03-18 04:31:22 +01:00
pid1: make use of new "prohibit_ipc" logging flag in PID 1 Let's set it initially, and then toggle it only when we know its safe.
2018-01-24 17:42:12 +01:00
/* Similar, check if the daemon itself is fully up, too */
systemd: reconnect to syslog as soon as the journal is fully up
2012-01-11 03:16:24 +01:00
u = manager_get_unit(m, SPECIAL_JOURNALD_SERVICE);
pid1: make use of new "prohibit_ipc" logging flag in PID 1 Let's set it initially, and then toggle it only when we know its safe.
2018-01-24 17:42:12 +01:00
if (!u)
return false;
core: tweak manager_journal_is_running() a bit more Let's also use the journal if it is currently reloading. In that state it should also be able to process our requests. Moreover, we might otherwise end up disconnecting/reconnecting from the journal without really any need to hence, relax the check accordingly.
2018-02-07 15:07:00 +01:00
if (!IN_SET(SERVICE(u)->state, SERVICE_RELOAD, SERVICE_RUNNING))
pid1: make use of new "prohibit_ipc" logging flag in PID 1 Let's set it initially, and then toggle it only when we know its safe.
2018-01-24 17:42:12 +01:00
return false;
return true;
}
pid1: disable printk ratelimit in early boot We have the problem that many early boot or late shutdown issues are harder to solve than they could be because we have no logs. When journald is not running, messages are redirected to /dev/kmsg. It is also the time when many things happen in a rapid succession, so we tend to hit the kernel printk ratelimit fairly reliably. The end result is that we get no logs from the time where they would be most useful. Thus let's disable the kernels ratelimit. Once the system is up and running, the ratelimit is not a problem. But during normal runtime, things also log to journald, and not to /dev/kmsg, so the ratelimit is not useful. Hence, there doesn't seem to be much point in trying to restore the ratelimit after boot is finished and journald is up and running. See kernel's commit 750afe7babd117daabebf4855da18e4418ea845e for the description of the kenrel interface. Our setting has lower precedence than explicit configuration on the kenrel command line.
2019-09-18 21:02:07 +02:00
void disable_printk_ratelimit(void) {
/* Disable kernel's printk ratelimit.
*
* Logging to /dev/kmsg is most useful during early boot and shutdown, where normal logging
* mechanisms are not available. The semantics of this sysctl are such that any kernel command-line
* setting takes precedence. */
int r;
r = sysctl_write("kernel/printk_devkmsg", "on");
if (r < 0)
log_debug_errno(r, "Failed to set sysctl kernel.printk_devkmsg=on: %m");
}
pid1: make use of new "prohibit_ipc" logging flag in PID 1 Let's set it initially, and then toggle it only when we know its safe.
2018-01-24 17:42:12 +01:00
void manager_recheck_journal(Manager *m) {
assert(m);
/* Don't bother with this unless we are in the special situation of being PID 1 */
if (getpid_cached() != 1)
systemd: reconnect to syslog as soon as the journal is fully up
2012-01-11 03:16:24 +01:00
return;
syslog: rework syslog detection so that we need no compile-time option what the name of the syslog implementation is
2011-03-18 04:31:22 +01:00
move MANAGER_IS_RELOADING() check into manager_recheck_{dbus|journal}() (#8510) Let's better check this inside of the call than before it, so that we never issue this while reloading, even should these calls be called due to other reasons than just the unit notify. This makes sure the reload state is unset a bit earlier in manager_reload() so that we can safely call this function from there and they do the right thing. Follow-up for e63ebf71edd7947f29389c72e851d8df5c7bedda.
2018-03-21 12:03:45 +01:00
/* Don't check this while we are reloading, things might still change */
if (MANAGER_IS_RELOADING(m))
return;
core: simplify manager_recheck_journal() a bit No need for an if check if we just pass along a bool anyway.
2018-02-07 15:08:18 +01:00
/* The journal is fully and entirely up? If so, let's permit logging to it, if that's configured. If the
* journal is down, don't ever log to it, otherwise we might end up deadlocking ourselves as we might trigger
* an activation ourselves we can't fulfill. */
log_set_prohibit_ipc(!manager_journal_is_running(m));
rationalize interface for opening/closing logging log_open_console() did not switch from stderr to /dev/console, when "always_reopen_console" was set. It was necessary to call log_close_console() first. By contrast, log_open() did switch between e.g. journald and kmsg according to the value of "prohibit_ipc". Let's fix log_open() to respect the values of all the log options, and we can make log_close_*() private. Also log_close_console() is changed. There was some precaution, avoiding closing the console fd if we are not PID 1. I think commit 48a601fe made a little mistake in leaving this in, and it only served to confuse readers :). Also I changed systemd-shutdown. Now we have log_set_prohibit_ipc(), let's use it to clarify that systemd-shutdown is not expected to try and log via journald (which it is about to kill). We avoided ever asking it to, but it's more convenient for the reader if they don't have to think about that. In that sense, it's similar to using assert() to validate a function's arguments.
2018-01-26 14:42:53 +01:00
log_open();
syslog: rework syslog detection so that we need no compile-time option what the name of the syslog implementation is
2011-03-18 04:31:22 +01:00
}
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
static ShowStatus manager_get_show_status(Manager *m) {
assert(m);
if (MANAGER_IS_USER(m))
return _SHOW_STATUS_INVALID;
if (m->show_status_overridden != _SHOW_STATUS_INVALID)
return m->show_status_overridden;
return m->show_status;
}
bool manager_get_show_status_on(Manager *m) {
assert(m);
return show_status_on(manager_get_show_status(m));
}
pid1: make more use of show_status_on() No functional change.
2020-04-27 18:14:44 +02:00
pid1: introduce an helper to handle the show-status marker No functional change.
2020-06-11 11:56:11 +02:00
static void set_show_status_marker(bool b) {
if (b)
(void) touch("/run/systemd/show-status");
else
(void) unlink("/run/systemd/show-status");
}
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
void manager_set_show_status(Manager *m, ShowStatus mode, const char *reason) {
fsck: show progress while fscking at boot
2011-09-01 21:05:06 +02:00
assert(m);
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
assert(reason);
pid1: add new mode systemd.show-status=error and use it when 'quiet' is passed systemd.show-status=error is useful for the case where people care about errors only. If people want to have a quiet boot, they most likely don't want to see all status output even if there is a delay in boot, so make "quiet" imply systemd.show-status=error instead of systemd.show-status=auto. Fixes #14976.
2020-02-29 17:49:50 +01:00
assert(mode >= 0 && mode < _SHOW_STATUS_MAX);
fsck: show progress while fscking at boot
2011-09-01 21:05:06 +02:00
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
if (MANAGER_IS_USER(m))
fsck: show progress while fscking at boot
2011-09-01 21:05:06 +02:00
return;
pid1: touch the /run/systemd/show-status just once We know if we created the file before, no need to repeat the operation. The state in /run should always match our internal state. Since we call manager_set_show_status() quite often internally, this saves quite a few pointless syscalls.
2020-02-29 11:30:16 +01:00
if (mode == m->show_status)
return;
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
if (m->show_status_overridden == _SHOW_STATUS_INVALID) {
bool enabled;
enabled = show_status_on(mode);
log_debug("%s (%s) showing of status (%s).",
enabled ? "Enabling" : "Disabling",
strna(show_status_to_string(mode)),
reason);
pid1: introduce an helper to handle the show-status marker No functional change.
2020-06-11 11:56:11 +02:00
set_show_status_marker(enabled);
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
}
m->show_status = mode;
}
pid1: rename manager_set_{show_status,watchdog}_overridden() into manager_override_(show_status,watchdog} No functional change.
2020-06-04 13:25:25 +02:00
void manager_override_show_status(Manager *m, ShowStatus mode, const char *reason) {
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
assert(m);
assert(mode < _SHOW_STATUS_MAX);
if (MANAGER_IS_USER(m))
return;
if (mode == m->show_status_overridden)
return;
m->show_status_overridden = mode;
if (mode == _SHOW_STATUS_INVALID)
mode = m->show_status;
pid1: touch the /run/systemd/show-status just once We know if we created the file before, no need to repeat the operation. The state in /run should always match our internal state. Since we call manager_set_show_status() quite often internally, this saves quite a few pointless syscalls.
2020-02-29 11:30:16 +01:00
log_debug("%s (%s) showing of status (%s).",
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
m->show_status_overridden != _SHOW_STATUS_INVALID ? "Overriding" : "Restoring",
pid1: touch the /run/systemd/show-status just once We know if we created the file before, no need to repeat the operation. The state in /run should always match our internal state. Since we call manager_set_show_status() quite often internally, this saves quite a few pointless syscalls.
2020-02-29 11:30:16 +01:00
strna(show_status_to_string(mode)),
reason);
pid1: make more use of show_status_on() No functional change.
2020-04-27 18:14:44 +02:00
pid1: introduce an helper to handle the show-status marker No functional change.
2020-06-11 11:56:11 +02:00
set_show_status_marker(show_status_on(mode));
fsck: show progress while fscking at boot
2011-09-01 21:05:06 +02:00
}
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
const char *manager_get_confirm_spawn(Manager *m) {
static int last_errno = 0;
struct stat st;
int r;
manager: simplify manager_get_confirm_spawn() a bit Let's use our usual way of storing error codes. Let's remove a redundant temporary variable we never change
2019-08-20 17:34:16 +02:00
assert(m);
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
/* Here's the deal: we want to test the validity of the console but don't want
* PID1 to go through the whole console process which might block. But we also
* want to warn the user only once if something is wrong with the console so we
* cannot do the sanity checks after spawning our children. So here we simply do
* really basic tests to hopefully trap common errors.
*
* If the console suddenly disappear at the time our children will really it
* then they will simply fail to acquire it and a positive answer will be
tree-wide: fix spelling of "fallback" Similarly to "setup" vs. "set up", "fallback" is a noun, and "fall back" is the verb. (This is pretty clear when we construct a sentence in the present continous: "we are falling back" not "we are fallbacking").
2020-08-20 11:23:26 +02:00
* assumed. New children will fall back to /dev/console though.
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
*
* Note: TTYs are devices that can come and go any time, and frequently aren't
* available yet during early boot (consider a USB rs232 dongle...). If for any
tree-wide: fix spelling of "fallback" Similarly to "setup" vs. "set up", "fallback" is a noun, and "fall back" is the verb. (This is pretty clear when we construct a sentence in the present continous: "we are falling back" not "we are fallbacking").
2020-08-20 11:23:26 +02:00
* reason the configured console is not ready, we fall back to the default
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
* console. */
manager: simplify manager_get_confirm_spawn() a bit Let's use our usual way of storing error codes. Let's remove a redundant temporary variable we never change
2019-08-20 17:34:16 +02:00
if (!m->confirm_spawn || path_equal(m->confirm_spawn, "/dev/console"))
return m->confirm_spawn;
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
manager: simplify manager_get_confirm_spawn() a bit Let's use our usual way of storing error codes. Let's remove a redundant temporary variable we never change
2019-08-20 17:34:16 +02:00
if (stat(m->confirm_spawn, &st) < 0) {
r = -errno;
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
goto fail;
manager: simplify manager_get_confirm_spawn() a bit Let's use our usual way of storing error codes. Let's remove a redundant temporary variable we never change
2019-08-20 17:34:16 +02:00
}
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
if (!S_ISCHR(st.st_mode)) {
manager: simplify manager_get_confirm_spawn() a bit Let's use our usual way of storing error codes. Let's remove a redundant temporary variable we never change
2019-08-20 17:34:16 +02:00
r = -ENOTTY;
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
goto fail;
}
last_errno = 0;
manager: simplify manager_get_confirm_spawn() a bit Let's use our usual way of storing error codes. Let's remove a redundant temporary variable we never change
2019-08-20 17:34:16 +02:00
return m->confirm_spawn;
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
fail:
manager: simplify manager_get_confirm_spawn() a bit Let's use our usual way of storing error codes. Let's remove a redundant temporary variable we never change
2019-08-20 17:34:16 +02:00
if (last_errno != r)
last_errno = log_warning_errno(r, "Failed to open %s, using default console: %m", m->confirm_spawn);
core: allow to redirect confirmation messages to a different console It's rather hard to parse the confirmation messages (enabled with systemd.confirm_spawn=true) amongst the status messages and the kernel ones (if enabled). This patch gives the possibility to the user to redirect the confirmation message to a different virtual console, either by giving its name or its path, so those messages are separated from the other ones and easier to read.
2016-11-02 10:38:22 +01:00
return "/dev/console";
}
firstboot: get rid of firstboot generator again, introduce ConditionFirstBoot= instead As Zbigniew pointed out a new ConditionFirstBoot= appears like the nicer way to hook in systemd-firstboot.service on first boots (those with /etc unpopulated), so let's do this, and get rid of the generator again.
2014-07-07 19:25:31 +02:00
void manager_set_first_boot(Manager *m, bool b) {
assert(m);
core: remove ManagerRunningAs enum Previously, we had two enums ManagerRunningAs and UnitFileScope, that were mostly identical and converted from one to the other all the time. The latter had one more value UNIT_FILE_GLOBAL however. Let's simplify things, and remove ManagerRunningAs and replace it by UnitFileScope everywhere, thus making the translation unnecessary. Introduce two new macros MANAGER_IS_SYSTEM() and MANAGER_IS_USER() to simplify checking if we are running in one or the user context.
2016-02-24 21:24:23 +01:00
if (!MANAGER_IS_SYSTEM(m))
firstboot: get rid of firstboot generator again, introduce ConditionFirstBoot= instead As Zbigniew pointed out a new ConditionFirstBoot= appears like the nicer way to hook in systemd-firstboot.service on first boots (those with /etc unpopulated), so let's do this, and get rid of the generator again.
2014-07-07 19:25:31 +02:00
return;
manager: don't write first-boot flag file all the time Instead, remember that we have already written it.
2015-09-01 02:34:19 +02:00
if (m->first_boot != (int) b) {
if (b)
(void) touch("/run/systemd/first-boot");
else
(void) unlink("/run/systemd/first-boot");
}
firstboot: get rid of firstboot generator again, introduce ConditionFirstBoot= instead As Zbigniew pointed out a new ConditionFirstBoot= appears like the nicer way to hook in systemd-firstboot.service on first boots (those with /etc unpopulated), so let's do this, and get rid of the generator again.
2014-07-07 19:25:31 +02:00
manager: don't write first-boot flag file all the time Instead, remember that we have already written it.
2015-09-01 02:34:19 +02:00
m->first_boot = b;
firstboot: get rid of firstboot generator again, introduce ConditionFirstBoot= instead As Zbigniew pointed out a new ConditionFirstBoot= appears like the nicer way to hook in systemd-firstboot.service on first boots (those with /etc unpopulated), so let's do this, and get rid of the generator again.
2014-07-07 19:25:31 +02:00
}
core: add 'c' in confirmation_spawn to resume the boot process
2016-11-15 09:29:04 +01:00
void manager_disable_confirm_spawn(void) {
(void) touch("/run/systemd/confirm_spawn_disabled");
}
bool manager_is_confirm_spawn_disabled(Manager *m) {
if (!m->confirm_spawn)
return true;
return access("/run/systemd/confirm_spawn_disabled", F_OK) >= 0;
}
pid1: rename manager_get_show_status() to manager_should_show_status() The name 'manager_get_show_status()' suggests that the function simply reads the property 'show_status' of the manager and hence returns a 'StatusType' value. However it was doing more than that since it contained the logic (based on 'show_status' but also on the state of the manager) to figure out if status message could be emitted to the console. Hence this patch renames the function to 'manager_should_show_status()'. The previous name will be reused in a later patch to effectively return the value of 'show_status' property. No functional change.
2020-05-26 10:20:44 +02:00
static bool manager_should_show_status(Manager *m, StatusType type) {
assert(m);
if (!MANAGER_IS_SYSTEM(m))
return false;
if (m->no_console_output)
return false;
if (!IN_SET(manager_state(m), MANAGER_INITIALIZING, MANAGER_STARTING, MANAGER_STOPPING))
return false;
/* If we cannot find out the status properly, just proceed. */
if (type != STATUS_TYPE_EMERGENCY && manager_check_ask_password(m) > 0)
return false;
if (type == STATUS_TYPE_NOTICE && m->show_status != SHOW_STATUS_NO)
return true;
pid1: rework handling of m->show_status The fact that m->show_status was serialized/deserialized made impossible any further customisation of this setting via system.conf. IOW the value was basically always locked unless it was changed via signals. This patch reworks the handling of m->show_status but also makes sure that if a new value was changed via the signal API then this value is kept and preserved accross PID1 reexecuting or reloading. Note: this effectively means that once the value is set via the signal interface, it can be changed again only through the signal API.
2020-04-27 11:06:34 +02:00
return manager_get_show_status_on(m);
pid1: rename manager_get_show_status() to manager_should_show_status() The name 'manager_get_show_status()' suggests that the function simply reads the property 'show_status' of the manager and hence returns a 'StatusType' value. However it was doing more than that since it contained the logic (based on 'show_status' but also on the state of the manager) to figure out if status message could be emitted to the console. Hence this patch renames the function to 'manager_should_show_status()'. The previous name will be reused in a later patch to effectively return the value of 'show_status' property. No functional change.
2020-05-26 10:20:44 +02:00
}
manager: convert ephemeral to enum In preparation for subsequent changes.
2014-10-28 04:02:54 +01:00
void manager_status_printf(Manager *m, StatusType type, const char *status, const char *format, ...) {
core: add manager_status_printf() unit_status_printf() checks the state of the manager, not of the unit as such. Move it to manager.c and rename it to manager_status_printf(). Temporarily keep unit_status_printf as a wrapper macro.
2013-02-28 00:14:40 +01:00
va_list ap;
manager: print fatal errors on the console too When booting in quiet mode, fatal messages would not be shown at all to the user. https://bugzilla.redhat.com/show_bug.cgi?id=1155468
2014-11-06 06:05:38 +01:00
/* If m is NULL, assume we're after shutdown and let the messages through. */
pid1: rename manager_get_show_status() to manager_should_show_status() The name 'manager_get_show_status()' suggests that the function simply reads the property 'show_status' of the manager and hence returns a 'StatusType' value. However it was doing more than that since it contained the logic (based on 'show_status' but also on the state of the manager) to figure out if status message could be emitted to the console. Hence this patch renames the function to 'manager_should_show_status()'. The previous name will be reused in a later patch to effectively return the value of 'show_status' property. No functional change.
2020-05-26 10:20:44 +02:00
if (m && !manager_should_show_status(m, type))
core: add manager_status_printf() unit_status_printf() checks the state of the manager, not of the unit as such. Move it to manager.c and rename it to manager_status_printf(). Temporarily keep unit_status_printf as a wrapper macro.
2013-02-28 00:14:40 +01:00
return;
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
/* XXX We should totally drop the check for ephemeral here
* and thus effectively make 'Type=idle' pointless. */
manager: print fatal errors on the console too When booting in quiet mode, fatal messages would not be shown at all to the user. https://bugzilla.redhat.com/show_bug.cgi?id=1155468
2014-11-06 06:05:38 +01:00
if (type == STATUS_TYPE_EPHEMERAL && m && m->n_on_console > 0)
core/manager: print status messages about running jobs Sometimes the boot gets stuck until a timeout hits. The usual timeouts are on the order of minutes, so users may lose patience. Print animated status messages telling the names of units with running jobs to make it easy to see what systemd is waiting for. The animation looks cooler with a shorter interval, but 1 s is OK and should not be too hard on slow serial console users.
2013-02-28 00:03:22 +01:00
return;
core: add manager_status_printf() unit_status_printf() checks the state of the manager, not of the unit as such. Move it to manager.c and rename it to manager_status_printf(). Temporarily keep unit_status_printf as a wrapper macro.
2013-02-28 00:14:40 +01:00
va_start(ap, format);
show-status: fold two bool flags function arguments into a flags parameter
2018-11-23 17:18:48 +01:00
status_vprintf(status, SHOW_STATUS_ELLIPSIZE|(type == STATUS_TYPE_EPHEMERAL ? SHOW_STATUS_EPHEMERAL : 0), format, ap);
core: add manager_status_printf() unit_status_printf() checks the state of the manager, not of the unit as such. Move it to manager.c and rename it to manager_status_printf(). Temporarily keep unit_status_printf as a wrapper macro.
2013-02-28 00:14:40 +01:00
va_end(ap);
}
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
Set *manager_get_units_requiring_mounts_for(Manager *m, const char *path) {
char p[strlen(path)+1];
assert(m);
assert(path);
strcpy(p, path);
path-util: introduce path_simplify() The function is similar to path_kill_slashes() but also removes initial './', trailing '/.', and '/./' in the path. When the second argument of path_simplify() is false, then it behaves as the same as path_kill_slashes(). Hence, this also replaces path_kill_slashes() with path_simplify().
2018-05-31 16:39:31 +02:00
path_simplify(p, false);
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
return hashmap_get(m->units_requiring_mounts_for, streq(p, "/") ? "" : p);
}
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
core: allocate sets of startup and failed units on-demand There's a good chance we never needs these sets, hence allocate them only when needed.
2015-09-11 17:25:35 +02:00
int manager_update_failed_units(Manager *m, Unit *u, bool failed) {
core: emit changes for NFailedUnits property By notifying the clients when this property is changed it's possible to allow "system health monitor" tools to get transitions like running<->degraded. This is an alternative to send changes on the SystemState property since the latter is more difficult to derive.
2015-02-18 17:22:37 +01:00
unsigned size;
core: allocate sets of startup and failed units on-demand There's a good chance we never needs these sets, hence allocate them only when needed.
2015-09-11 17:25:35 +02:00
int r;
core: emit changes for NFailedUnits property By notifying the clients when this property is changed it's possible to allow "system health monitor" tools to get transitions like running<->degraded. This is an alternative to send changes on the SystemState property since the latter is more difficult to derive.
2015-02-18 17:22:37 +01:00
assert(m);
assert(u->manager == m);
size = set_size(m->failed_units);
core: issue error on oom we can do nothing about CID #1287142.
2015-03-14 03:10:06 +01:00
if (failed) {
tree-wide: use set_ensure_put() Patch contains a coccinelle script, but it only works in some cases. Many parts were converted by hand. Note: I did not fix errors in return value handing. This will be done separate to keep the patch comprehensible. No functional change is intended in this patch.
2020-06-05 15:12:29 +02:00
r = set_ensure_put(&m->failed_units, NULL, u);
core: allocate sets of startup and failed units on-demand There's a good chance we never needs these sets, hence allocate them only when needed.
2015-09-11 17:25:35 +02:00
if (r < 0)
return log_oom();
core: issue error on oom we can do nothing about CID #1287142.
2015-03-14 03:10:06 +01:00
} else
core: allocate sets of startup and failed units on-demand There's a good chance we never needs these sets, hence allocate them only when needed.
2015-09-11 17:25:35 +02:00
(void) set_remove(m->failed_units, u);
core: emit changes for NFailedUnits property By notifying the clients when this property is changed it's possible to allow "system health monitor" tools to get transitions like running<->degraded. This is an alternative to send changes on the SystemState property since the latter is more difficult to derive.
2015-02-18 17:22:37 +01:00
if (set_size(m->failed_units) != size)
bus_manager_send_change_signal(m);
core: allocate sets of startup and failed units on-demand There's a good chance we never needs these sets, hence allocate them only when needed.
2015-09-11 17:25:35 +02:00
return 0;
core: emit changes for NFailedUnits property By notifying the clients when this property is changed it's possible to allow "system health monitor" tools to get transitions like running<->degraded. This is an alternative to send changes on the SystemState property since the latter is more difficult to derive.
2015-02-18 17:22:37 +01:00
}
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
ManagerState manager_state(Manager *m) {
Unit *u;
assert(m);
fix manager_state
2020-04-04 05:35:22 +02:00
/* Is the special shutdown target active or queued? If so, we are in shutdown state */
u = manager_get_unit(m, SPECIAL_SHUTDOWN_TARGET);
if (u && unit_active_or_pending(u))
return MANAGER_STOPPING;
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
/* Did we ever finish booting? If not then we are still starting up */
manager: introduce MANAGER_IS_FINISHED() macro Let's make our finished checks a bit more readable. Checking the timestamp is not entirely obvious, hence let's abstract that a bit by adding a macro that shows what we are doing here, not how we doing it. This is particularly useful if we want to change the definition of "finished" later on, in particular, when we try to fix #7023.
2017-11-20 21:24:59 +01:00
if (!MANAGER_IS_FINISHED(m)) {
core: split up "starting" manager state into "initializing" and "starting" We'll stay in "initializing" until basic.target has reached, at which point we will enter "starting". This is preparation so that we can change the startip timeout to only apply to the first phase of startup, not the full procedure.
2014-08-22 18:07:18 +02:00
u = manager_get_unit(m, SPECIAL_BASIC_TARGET);
if (!u || !UNIT_IS_ACTIVE_OR_RELOADING(unit_active_state(u)))
return MANAGER_INITIALIZING;
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
return MANAGER_STARTING;
core: split up "starting" manager state into "initializing" and "starting" We'll stay in "initializing" until basic.target has reached, at which point we will enter "starting". This is preparation so that we can change the startip timeout to only apply to the first phase of startup, not the full procedure.
2014-08-22 18:07:18 +02:00
}
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
core: don't reference rescue/emergency targets in --user mode They are only defined for system mode, hence let's not check for them in --user mode. Follow-up for #7433
2017-11-23 17:39:53 +01:00
if (MANAGER_IS_SYSTEM(m)) {
/* Are the rescue or emergency targets active or queued? If so we are in maintenance state */
u = manager_get_unit(m, SPECIAL_RESCUE_TARGET);
if (u && unit_active_or_pending(u))
return MANAGER_MAINTENANCE;
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
core: don't reference rescue/emergency targets in --user mode They are only defined for system mode, hence let's not check for them in --user mode. Follow-up for #7433
2017-11-23 17:39:53 +01:00
u = manager_get_unit(m, SPECIAL_EMERGENCY_TARGET);
if (u && unit_active_or_pending(u))
return MANAGER_MAINTENANCE;
}
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
/* Are there any failed units? If so, we are in degraded mode */
if (set_size(m->failed_units) > 0)
return MANAGER_DEGRADED;
return MANAGER_RUNNING;
}
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
static void manager_unref_uid_internal(
Manager *m,
Hashmap **uid_refs,
uid_t uid,
bool destroy_now,
int (*_clean_ipc)(uid_t uid)) {
uint32_t c, n;
assert(m);
assert(uid_refs);
assert(uid_is_valid(uid));
assert(_clean_ipc);
/* A generic implementation, covering both manager_unref_uid() and manager_unref_gid(), under the assumption
* that uid_t and gid_t are actually defined the same way, with the same validity rules.
*
* We store a hashmap where the UID/GID is they key and the value is a 32bit reference counter, whose highest
* bit is used as flag for marking UIDs/GIDs whose IPC objects to remove when the last reference to the UID/GID
* is dropped. The flag is set to on, once at least one reference from a unit where RemoveIPC= is set is added
* on a UID/GID. It is reset when the UID's/GID's reference counter drops to 0 again. */
assert_cc(sizeof(uid_t) == sizeof(gid_t));
assert_cc(UID_INVALID == (uid_t) GID_INVALID);
if (uid == 0) /* We don't keep track of root, and will never destroy it */
return;
c = PTR_TO_UINT32(hashmap_get(*uid_refs, UID_TO_PTR(uid)));
n = c & ~DESTROY_IPC_FLAG;
assert(n > 0);
n--;
if (destroy_now && n == 0) {
hashmap_remove(*uid_refs, UID_TO_PTR(uid));
if (c & DESTROY_IPC_FLAG) {
log_debug("%s " UID_FMT " is no longer referenced, cleaning up its IPC.",
_clean_ipc == clean_ipc_by_uid ? "UID" : "GID",
uid);
(void) _clean_ipc(uid);
}
} else {
c = n | (c & DESTROY_IPC_FLAG);
assert_se(hashmap_update(*uid_refs, UID_TO_PTR(uid), UINT32_TO_PTR(c)) >= 0);
}
}
void manager_unref_uid(Manager *m, uid_t uid, bool destroy_now) {
manager_unref_uid_internal(m, &m->uid_refs, uid, destroy_now, clean_ipc_by_uid);
}
void manager_unref_gid(Manager *m, gid_t gid, bool destroy_now) {
manager_unref_uid_internal(m, &m->gid_refs, (uid_t) gid, destroy_now, clean_ipc_by_gid);
}
static int manager_ref_uid_internal(
Manager *m,
Hashmap **uid_refs,
uid_t uid,
bool clean_ipc) {
uint32_t c, n;
int r;
assert(m);
assert(uid_refs);
assert(uid_is_valid(uid));
/* A generic implementation, covering both manager_ref_uid() and manager_ref_gid(), under the assumption
* that uid_t and gid_t are actually defined the same way, with the same validity rules. */
assert_cc(sizeof(uid_t) == sizeof(gid_t));
assert_cc(UID_INVALID == (uid_t) GID_INVALID);
if (uid == 0) /* We don't keep track of root, and will never destroy it */
return 0;
r = hashmap_ensure_allocated(uid_refs, &trivial_hash_ops);
if (r < 0)
return r;
c = PTR_TO_UINT32(hashmap_get(*uid_refs, UID_TO_PTR(uid)));
n = c & ~DESTROY_IPC_FLAG;
n++;
if (n & DESTROY_IPC_FLAG) /* check for overflow */
return -EOVERFLOW;
c = n | (c & DESTROY_IPC_FLAG) | (clean_ipc ? DESTROY_IPC_FLAG : 0);
return hashmap_replace(*uid_refs, UID_TO_PTR(uid), UINT32_TO_PTR(c));
}
int manager_ref_uid(Manager *m, uid_t uid, bool clean_ipc) {
return manager_ref_uid_internal(m, &m->uid_refs, uid, clean_ipc);
}
int manager_ref_gid(Manager *m, gid_t gid, bool clean_ipc) {
return manager_ref_uid_internal(m, &m->gid_refs, (uid_t) gid, clean_ipc);
}
static void manager_vacuum_uid_refs_internal(
Manager *m,
Hashmap **uid_refs,
int (*_clean_ipc)(uid_t uid)) {
Iterator i;
void *p, *k;
assert(m);
assert(uid_refs);
assert(_clean_ipc);
HASHMAP_FOREACH_KEY(p, k, *uid_refs, i) {
uint32_t c, n;
uid_t uid;
uid = PTR_TO_UID(k);
c = PTR_TO_UINT32(p);
n = c & ~DESTROY_IPC_FLAG;
if (n > 0)
continue;
if (c & DESTROY_IPC_FLAG) {
log_debug("Found unreferenced %s " UID_FMT " after reload/reexec. Cleaning up.",
_clean_ipc == clean_ipc_by_uid ? "UID" : "GID",
uid);
(void) _clean_ipc(uid);
}
assert_se(hashmap_remove(*uid_refs, k) == p);
}
}
pid1: make manager_vacuum_{uid,gid}_refs() static No functional change.
2020-04-27 08:54:44 +02:00
static void manager_vacuum_uid_refs(Manager *m) {
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
manager_vacuum_uid_refs_internal(m, &m->uid_refs, clean_ipc_by_uid);
}
pid1: make manager_vacuum_{uid,gid}_refs() static No functional change.
2020-04-27 08:54:44 +02:00
static void manager_vacuum_gid_refs(Manager *m) {
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
manager_vacuum_uid_refs_internal(m, &m->gid_refs, clean_ipc_by_gid);
}
pid1: make manager_vacuum_{uid,gid}_refs() static No functional change.
2020-04-27 08:54:44 +02:00
static void manager_vacuum(Manager *m) {
assert(m);
/* Release any dynamic users no longer referenced */
dynamic_user_vacuum(m, true);
/* Release any references to UIDs/GIDs no longer referenced, and destroy any IPC owned by them */
manager_vacuum_uid_refs(m);
manager_vacuum_gid_refs(m);
/* Release any runtimes no longer referenced */
exec_runtime_vacuum(m);
}
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
int manager_dispatch_user_lookup_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
struct buffer {
uid_t uid;
gid_t gid;
char unit_name[UNIT_NAME_MAX+1];
} _packed_ buffer;
Manager *m = userdata;
ssize_t l;
size_t n;
Unit *u;
assert_se(source);
assert_se(m);
/* Invoked whenever a child process succeeded resolving its user/group to use and sent us the resulting UID/GID
* in a datagram. We parse the datagram here and pass it off to the unit, so that it can add a reference to the
* UID/GID so that it can destroy the UID/GID's IPC objects when the reference counter drops to 0. */
l = recv(fd, &buffer, sizeof(buffer), MSG_DONTWAIT);
if (l < 0) {
tree-wide: use IN_SET macro (#6977)
2017-10-04 16:01:32 +02:00
if (IN_SET(errno, EINTR, EAGAIN))
core: add RemoveIPC= setting This adds the boolean RemoveIPC= setting to service, socket, mount and swap units (i.e. all unit types that may invoke processes). if turned on, and the unit's user/group is not root, all IPC objects of the user/group are removed when the service is shut down. The life-cycle of the IPC objects is hence bound to the unit life-cycle. This is particularly relevant for units with dynamic users, as it is essential that no objects owned by the dynamic users survive the service exiting. In fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set. In order to communicate the UID/GID of an executed process back to PID 1 this adds a new "user lookup" socket pair, that is inherited into the forked processes, and closed before the exec(). This is needed since we cannot do NSS from PID 1 due to deadlock risks, However need to know the used UID/GID in order to clean up IPC owned by it if the unit shuts down.
2016-08-01 19:24:40 +02:00
return 0;
return log_error_errno(errno, "Failed to read from user lookup fd: %m");
}
if ((size_t) l <= offsetof(struct buffer, unit_name)) {
log_warning("Received too short user lookup message, ignoring.");
return 0;
}
if ((size_t) l > offsetof(struct buffer, unit_name) + UNIT_NAME_MAX) {
log_warning("Received too long user lookup message, ignoring.");
return 0;
}
if (!uid_is_valid(buffer.uid) && !gid_is_valid(buffer.gid)) {
log_warning("Got user lookup message with invalid UID/GID pair, ignoring.");
return 0;
}
n = (size_t) l - offsetof(struct buffer, unit_name);
if (memchr(buffer.unit_name, 0, n)) {
log_warning("Received lookup message with embedded NUL character, ignoring.");
return 0;
}
buffer.unit_name[n] = 0;
u = manager_get_unit(m, buffer.unit_name);
if (!u) {
log_debug("Got user lookup message but unit doesn't exist, ignoring.");
return 0;
}
log_unit_debug(u, "User lookup succeeded: uid=" UID_FMT " gid=" GID_FMT, buffer.uid, buffer.gid);
unit_notify_user_lookup(u, buffer.uid, buffer.gid);
return 0;
}
core: make "taint" string logic a bit more generic and output it at boot The tainting logic existed for a long time, but was hidden inside the bus interfaces. Let's give it a small bit more coverage, by logging its value early at boot during initialization.
2017-12-07 11:27:07 +01:00
char *manager_taint_string(Manager *m) {
manager: taint the manager if the overflowuid/overflowgid aren't set to 65534
2017-12-07 11:35:02 +01:00
_cleanup_free_ char *destination = NULL, *overflowuid = NULL, *overflowgid = NULL;
core: make "taint" string logic a bit more generic and output it at boot The tainting logic existed for a long time, but was hidden inside the bus interfaces. Let's give it a small bit more coverage, by logging its value early at boot during initialization.
2017-12-07 11:27:07 +01:00
char *buf, *e;
int r;
core: drop taints for nobody user/group names We have a check and warning at compile time. The user cannot do anything about this at runtime, and all other taints are about checks that happen at runtime and are specific to that system (and at least potentially correctable). (The logic in the compilation-time check was updated to treat "nogroup" as OK, but not the runtime check. But I think it's better to remove the runtime check for this altogether, so this becomes moot.)
2017-12-14 12:44:21 +01:00
/* Returns a "taint string", e.g. "local-hwclock:var-run-bad".
* Only things that are detected at runtime should be tagged
* here. For stuff that is set during compilation, emit a warning
* in the configuration phase. */
core: make "taint" string logic a bit more generic and output it at boot The tainting logic existed for a long time, but was hidden inside the bus interfaces. Let's give it a small bit more coverage, by logging its value early at boot during initialization.
2017-12-07 11:27:07 +01:00
assert(m);
buf = new(char, sizeof("split-usr:"
"cgroups-missing:"
"local-hwclock:"
"var-run-bad:"
manager: taint the manager if the overflowuid/overflowgid aren't set to 65534
2017-12-07 11:35:02 +01:00
"overflowuid-not-65534:"
"overflowgid-not-65534:"));
core: make "taint" string logic a bit more generic and output it at boot The tainting logic existed for a long time, but was hidden inside the bus interfaces. Let's give it a small bit more coverage, by logging its value early at boot during initialization.
2017-12-07 11:27:07 +01:00
if (!buf)
return NULL;
e = buf;
core: fix undefined behaviour due to uninitialized string buffer (#7597) Failure of systemd to respond on the bus interface was bisected to af6b0ecc "core: make "taint" string logic a bit more generic and output it at boot". Failure was presumably caused by trying to append strings to an unintialized buffer, leading to writing outside the unterminated buffer and hence undefined behaviour.
2017-12-10 11:58:01 +01:00
buf[0] = 0;
core: make "taint" string logic a bit more generic and output it at boot The tainting logic existed for a long time, but was hidden inside the bus interfaces. Let's give it a small bit more coverage, by logging its value early at boot during initialization.
2017-12-07 11:27:07 +01:00
if (m->taint_usr)
e = stpcpy(e, "split-usr:");
if (access("/proc/cgroups", F_OK) < 0)
e = stpcpy(e, "cgroups-missing:");
if (clock_is_localtime(NULL) > 0)
e = stpcpy(e, "local-hwclock:");
r = readlink_malloc("/var/run", &destination);
if (r < 0 || !PATH_IN_SET(destination, "../run", "/run"))
e = stpcpy(e, "var-run-bad:");
manager: taint the manager if the overflowuid/overflowgid aren't set to 65534
2017-12-07 11:35:02 +01:00
r = read_one_line_file("/proc/sys/kernel/overflowuid", &overflowuid);
if (r >= 0 && !streq(overflowuid, "65534"))
e = stpcpy(e, "overflowuid-not-65534:");
r = read_one_line_file("/proc/sys/kernel/overflowgid", &overflowgid);
if (r >= 0 && !streq(overflowgid, "65534"))
e = stpcpy(e, "overflowgid-not-65534:");
core: make "taint" string logic a bit more generic and output it at boot The tainting logic existed for a long time, but was hidden inside the bus interfaces. Let's give it a small bit more coverage, by logging its value early at boot during initialization.
2017-12-07 11:27:07 +01:00
/* remove the last ':' */
if (e != buf)
e[-1] = 0;
return buf;
}
core: rework how we count the n_on_console counter Let's add a per-unit boolean that tells us whether our unit is currently counted or not. This way it's unlikely we get out of sync again and things are generally more robust. This also allows us to remove the counting logic specific to service units (which was in fact mostly a copy from the generic implementation), in favour of fully generic code. Replaces: #7824
2018-01-24 19:59:55 +01:00
void manager_ref_console(Manager *m) {
assert(m);
m->n_on_console++;
}
void manager_unref_console(Manager *m) {
assert(m->n_on_console > 0);
m->n_on_console--;
if (m->n_on_console == 0)
m->no_console_output = false; /* unset no_console_output flag, since the console is definitely free now */
}
pid1: preserve current value of log level across re-{load,execution} To make debugging easier, this patches allows one to change the log level and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log max level at runtime (via the bus or via signals), the change was lost on the next daemon reload/reexecution. In order to restore the original value back (set via system.conf, environment variables or any other means), the empty string in the "LogLevel" property is now supported as well as sending SIGRTMIN+23 signal.
2018-05-30 17:57:23 +02:00
void manager_override_log_level(Manager *m, int level) {
_cleanup_free_ char *s = NULL;
assert(m);
if (!m->log_level_overridden) {
m->original_log_level = log_get_max_level();
m->log_level_overridden = true;
}
(void) log_level_to_string_alloc(level, &s);
log_info("Setting log level to %s.", strna(s));
log_set_max_level(level);
}
void manager_restore_original_log_level(Manager *m) {
_cleanup_free_ char *s = NULL;
assert(m);
if (!m->log_level_overridden)
return;
(void) log_level_to_string_alloc(m->original_log_level, &s);
log_info("Restoring log level to original (%s).", strna(s));
log_set_max_level(m->original_log_level);
m->log_level_overridden = false;
}
pid1: preserve current value of log target across re-{load,execution} To make debugging easier, this patches allows one to change the log target and do reload/reexec without modifying configuration permanently, which makes debugging easier. Indeed if one changed the log target at runtime (via the bus or via signals), the change was lost on the next reload/reexecution. In order to restore back the default value (set via system.conf, environment variables or any other means ), the empty string in the "LogTarget" property is now supported as well as sending SIGTRMIN+26 signal.
2018-06-01 18:21:03 +02:00
void manager_override_log_target(Manager *m, LogTarget target) {
assert(m);
if (!m->log_target_overridden) {
m->original_log_target = log_get_target();
m->log_target_overridden = true;
}
log_info("Setting log target to %s.", log_target_to_string(target));
log_set_target(target);
}
void manager_restore_original_log_target(Manager *m) {
assert(m);
if (!m->log_target_overridden)
return;
log_info("Restoring log target to original %s.", log_target_to_string(m->original_log_target));
log_set_target(m->original_log_target);
m->log_target_overridden = false;
}
core: serialize/deserialize several timestamps on initrd in different names
2018-07-22 06:41:44 +02:00
ManagerTimestamp manager_timestamp_initrd_mangle(ManagerTimestamp s) {
if (in_initrd() &&
s >= MANAGER_TIMESTAMP_SECURITY_START &&
s <= MANAGER_TIMESTAMP_UNITS_LOAD_FINISH)
return s - MANAGER_TIMESTAMP_SECURITY_START + MANAGER_TIMESTAMP_INITRD_SECURITY_START;
return s;
}
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
static const char *const manager_state_table[_MANAGER_STATE_MAX] = {
core: split up "starting" manager state into "initializing" and "starting" We'll stay in "initializing" until basic.target has reached, at which point we will enter "starting". This is preparation so that we can change the startip timeout to only apply to the first phase of startup, not the full procedure.
2014-08-22 18:07:18 +02:00
[MANAGER_INITIALIZING] = "initializing",
core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown
2014-03-12 20:55:13 +01:00
[MANAGER_STARTING] = "starting",
[MANAGER_RUNNING] = "running",
[MANAGER_DEGRADED] = "degraded",
[MANAGER_MAINTENANCE] = "maintenance",
[MANAGER_STOPPING] = "stopping",
};
DEFINE_STRING_TABLE_LOOKUP(manager_state, ManagerState);
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
static const char *const manager_timestamp_table[_MANAGER_TIMESTAMP_MAX] = {
[MANAGER_TIMESTAMP_FIRMWARE] = "firmware",
[MANAGER_TIMESTAMP_LOADER] = "loader",
[MANAGER_TIMESTAMP_KERNEL] = "kernel",
[MANAGER_TIMESTAMP_INITRD] = "initrd",
[MANAGER_TIMESTAMP_USERSPACE] = "userspace",
[MANAGER_TIMESTAMP_FINISH] = "finish",
[MANAGER_TIMESTAMP_SECURITY_START] = "security-start",
[MANAGER_TIMESTAMP_SECURITY_FINISH] = "security-finish",
[MANAGER_TIMESTAMP_GENERATORS_START] = "generators-start",
[MANAGER_TIMESTAMP_GENERATORS_FINISH] = "generators-finish",
[MANAGER_TIMESTAMP_UNITS_LOAD_START] = "units-load-start",
[MANAGER_TIMESTAMP_UNITS_LOAD_FINISH] = "units-load-finish",
core: serialize/deserialize several timestamps on initrd in different names
2018-07-22 06:41:44 +02:00
[MANAGER_TIMESTAMP_INITRD_SECURITY_START] = "initrd-security-start",
[MANAGER_TIMESTAMP_INITRD_SECURITY_FINISH] = "initrd-security-finish",
[MANAGER_TIMESTAMP_INITRD_GENERATORS_START] = "initrd-generators-start",
[MANAGER_TIMESTAMP_INITRD_GENERATORS_FINISH] = "initrd-generators-finish",
[MANAGER_TIMESTAMP_INITRD_UNITS_LOAD_START] = "initrd-units-load-start",
[MANAGER_TIMESTAMP_INITRD_UNITS_LOAD_FINISH] = "initrd-units-load-finish",
manager: rework the timestamps logic, so that they are an enum-index array This makes things quite a bit more systematic I think, as we can systematically operate on all timestamps, for example for the purpose of serialization/deserialization. This rework doesn't necessarily make things shorter in the individual lines, but it does reduce the line count a bit. (This is useful particularly when we want to add additional timestamps, for example to solve #7023)
2017-11-20 21:01:13 +01:00
};
DEFINE_STRING_TABLE_LOOKUP(manager_timestamp, ManagerTimestamp);
core: implement OOMPolicy= and watch cgroups for OOM killings This adds a new per-service OOMPolicy= (along with a global DefaultOOMPolicy=) that controls what to do if a process of the service is killed by the kernel's OOM killer. It has three different values: "continue" (old behaviour), "stop" (terminate the service), "kill" (let the kernel kill all the service's processes). On top of that, track OOM killer events per unit: generate a per-unit structured, recognizable log message when we see an OOM killer event, and put the service in a failure state if an OOM killer event was seen and the selected policy was not "continue". A new "result" is defined for this case: "oom-kill". All of this relies on new cgroupv2 kernel functionality: the "memory.events" notification interface and the "memory.oom.group" attribute (which makes the kernel kill all cgroup processes automatically).
2019-03-19 19:05:19 +01:00
static const char* const oom_policy_table[_OOM_POLICY_MAX] = {
[OOM_CONTINUE] = "continue",
[OOM_STOP] = "stop",
[OOM_KILL] = "kill",
};
DEFINE_STRING_TABLE_LOOKUP(oom_policy, OOMPolicy);