picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Systemd/src/core/load-fragment.c

5001 lines
160 KiB
C
Raw Normal View History

Add SPDX license identifiers to source files under the LGPL This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
2017-11-18 17:09:20 +01:00
/* SPDX-License-Identifier: LGPL-2.1+ */
license: add GPLv2+ license blurbs everwhere
2010-02-03 13:03:47 +01:00
/***
This file is part of systemd.
Copyright 2010 Lennart Poettering
sched: Only setting CPUSchedulingPriority=rr doesn't work A service that only sets the scheduling policy to round-robin fails to be started. This is because the cpu_sched_priority is initialized to 0 and is not adjusted when the policy is changed. Clamp the cpu_sched_priority when the scheduler policy is set. Use the current policy to validate the new priority. Change the manual page to state that the given range only applies to the real-time scheduling policies. Add a testcase that verifies this change: $ make test-sched-prio; ./test-sched-prio [test/sched_idle_bad.service:6] CPU scheduling priority is out of range, ignoring: 1 [test/sched_rr_bad.service:7] CPU scheduling priority is out of range, ignoring: 0 [test/sched_rr_bad.service:8] CPU scheduling priority is out of range, ignoring: 100
2012-11-01 18:48:11 +01:00
Copyright 2012 Holger Hans Peter Freyther
license: add GPLv2+ license blurbs everwhere
2010-02-03 13:03:47 +01:00
systemd is free software; you can redistribute it and/or modify it
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
2012-04-12 00:20:58 +02:00
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
license: add GPLv2+ license blurbs everwhere
2010-02-03 13:03:47 +01:00
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
2012-04-12 00:20:58 +02:00
Lesser General Public License for more details.
license: add GPLv2+ license blurbs everwhere
2010-02-03 13:03:47 +01:00
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
2012-04-12 00:20:58 +02:00
You should have received a copy of the GNU Lesser General Public License
license: add GPLv2+ license blurbs everwhere
2010-02-03 13:03:47 +01:00
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
#include <errno.h>
s/name/unit
2010-01-26 21:39:06 +01:00
#include <fcntl.h>
build fix for opensuse
2010-04-24 05:05:01 +02:00
#include <linux/fs.h>
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include <linux/oom.h>
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SECCOMP
basic: split out cpu set specific APIs into cpu-set-util.[ch]
2015-09-30 21:50:22 +02:00
#include <seccomp.h>
#endif
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include <sched.h>
#include <string.h>
exec: support unlimited resources
2011-04-04 18:15:13 +02:00
#include <sys/resource.h>
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include <sys/stat.h>
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include "af-list.h"
tree-wide: sort includes Sort the includes accoding to the new coding style.
2015-11-16 22:09:36 +01:00
#include "alloc-util.h"
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include "bus-error.h"
#include "bus-internal.h"
#include "bus-util.h"
#include "cap-list.h"
capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.
2016-01-07 23:00:04 +01:00
#include "capability-util.h"
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include "cgroup.h"
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
#include "conf-parser.h"
basic: split out cpu set specific APIs into cpu-set-util.[ch]
2015-09-30 21:50:22 +02:00
#include "cpu-set-util.h"
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include "env-util.h"
#include "errno-list.h"
util: split out escaping code into escape.[ch] This really deserves its own file, given how much code this is now.
2015-10-23 18:52:53 +02:00
#include "escape.h"
util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.
2015-10-25 13:14:12 +01:00
#include "fd-util.h"
util-lib: move a number of fs operations into fs-util.[ch]
2015-10-26 21:16:26 +01:00
#include "fs-util.h"
core: add two new unit file settings: StandardInputData= + StandardInputText= Both permit configuring data to pass through STDIN to an invoked process. StandardInputText= accepts a line of text (possibly with embedded C-style escapes as well as unit specifiers), which is appended to the buffer to pass as stdin, followed by a single newline. StandardInputData= is similar, but accepts arbitrary base64 encoded data, and will not resolve specifiers or C-style escapes, nor append newlines. This may be used to pass input/configuration data to services, directly in-line from unit files, either in a cooked or in a more raw format.
2017-10-27 11:33:05 +02:00
#include "hexdecoct.h"
core: implement /run/systemd/units/-based path for passing unit info from PID 1 to journald And let's make use of it to implement two new unit settings with it: 1. LogLevelMax= is a new per-unit setting that may be used to configure log priority filtering: set it to LogLevelMax=notice and only messages of level "notice" and lower (i.e. more important) will be processed, all others are dropped. 2. LogExtraFields= is a new per-unit setting for configuring per-unit journal fields, that are implicitly included in every log record generated by the unit's processes. It takes field/value pairs in the form of FOO=BAR. Also, related to this, one exisiting unit setting is ported to this new facility: 3. The invocation ID is now pulled from /run/systemd/units/ instead of cgroupfs xattrs. This substantially relaxes requirements of systemd on the kernel version and the privileges it runs with (specifically, cgroupfs xattrs are not available in containers, since they are stored in kernel memory, and hence are unsafe to permit to lesser privileged code). /run/systemd/units/ is a new directory, which contains a number of files and symlinks encoding the above information. PID 1 creates and manages these files, and journald reads them from there. Note that this is supposed to be a direct path between PID 1 and the journal only, due to the special runtime environment the journal runs in. Normally, today we shouldn't introduce new interfaces that (mis-)use a file system as IPC framework, and instead just an IPC system, but this is very hard to do between the journal and PID 1, as long as the IPC system is a subject PID 1 manages, and itself a client to the journal. This patch cleans up a couple of types used in journal code: specifically we switch to size_t for a couple of memory-sizing values, as size_t is the right choice for everything that is memory. Fixes: #4089 Fixes: #3041 Fixes: #4441
2017-11-02 19:43:32 +01:00
#include "io-util.h"
support chrooting/setting of ioprio when spawning
2010-01-29 20:46:22 +01:00
#include "ioprio.h"
core: implement /run/systemd/units/-based path for passing unit info from PID 1 to journald And let's make use of it to implement two new unit settings with it: 1. LogLevelMax= is a new per-unit setting that may be used to configure log priority filtering: set it to LogLevelMax=notice and only messages of level "notice" and lower (i.e. more important) will be processed, all others are dropped. 2. LogExtraFields= is a new per-unit setting for configuring per-unit journal fields, that are implicitly included in every log record generated by the unit's processes. It takes field/value pairs in the form of FOO=BAR. Also, related to this, one exisiting unit setting is ported to this new facility: 3. The invocation ID is now pulled from /run/systemd/units/ instead of cgroupfs xattrs. This substantially relaxes requirements of systemd on the kernel version and the privileges it runs with (specifically, cgroupfs xattrs are not available in containers, since they are stored in kernel memory, and hence are unsafe to permit to lesser privileged code). /run/systemd/units/ is a new directory, which contains a number of files and symlinks encoding the above information. PID 1 creates and manages these files, and journald reads them from there. Note that this is supposed to be a direct path between PID 1 and the journal only, due to the special runtime environment the journal runs in. Normally, today we shouldn't introduce new interfaces that (mis-)use a file system as IPC framework, and instead just an IPC system, but this is very hard to do between the journal and PID 1, as long as the IPC system is a subject PID 1 manages, and itself a client to the journal. This patch cleans up a couple of types used in journal code: specifically we switch to size_t for a couple of memory-sizing values, as size_t is the right choice for everything that is memory. Fixes: #4089 Fixes: #3041 Fixes: #4441
2017-11-02 19:43:32 +01:00
#include "journal-util.h"
util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.
2015-10-25 13:14:12 +01:00
#include "load-fragment.h"
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include "log.h"
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
#include "missing.h"
core: hook up MountFlags= to the transient unit logic This makes "systemd-run -p MountFlags=shared -t /bin/sh" work, by making MountFlags= to the list of properties that may be accessed transiently.
2016-11-22 20:19:08 +01:00
#include "mount-util.h"
util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]
2015-10-26 16:18:16 +01:00
#include "parse-util.h"
util: split-out path-util.[ch]
2012-05-07 21:36:12 +02:00
#include "path-util.h"
process-util: move a couple of process-related calls over
2015-10-27 14:24:58 +01:00
#include "process-util.h"
core: move parsing of rlimits into rlimit-util.[ch] This way we can reuse it for parsing rlimit settings in "systemctl set-property" and related commands.
2016-02-01 21:07:09 +01:00
#include "rlimit-util.h"
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SECCOMP
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
#include "seccomp-util.h"
#endif
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include "securebits.h"
securebits-util: add secure_bits_{from_string,to_string_alloc}()
2017-08-07 16:40:25 +02:00
#include "securebits-util.h"
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include "signal-util.h"
basic: introduce socket_protocol_{from,to}_name() And use them where they can be applicable.
2017-12-23 11:32:04 +01:00
#include "socket-protocol-list.h"
util-lib: split stat()/statfs()/stavfs() related calls into stat-util.[ch]
2015-10-26 22:01:44 +01:00
#include "stat-util.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "string-util.h"
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include "strv.h"
#include "unit-name.h"
#include "unit-printf.h"
#include "unit.h"
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
#include "user-util.h"
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
#include "utf8.h"
util-lib: move web-related calls into web-util.[ch]
2015-10-27 00:41:29 +01:00
#include "web-util.h"
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
core: add a new unit file setting CollectMode= for tweaking the GC logic Right now, the option only takes one of two possible values "inactive" or "inactive-or-failed", the former being the default, and exposing same behaviour as the status quo ante. If set to "inactive-or-failed" units may be collected by the GC logic when in the "failed" state too. This logic should be a nicer alternative to using the "-" modifier for ExecStart= and friends, as the exit data is collected and logged about and only removed when the GC comes along. This should be useful in particular for per-connection socket-activated services, as well as "systemd-run" command lines that shall leave no artifacts in the system. I was thinking about whether to expose this as a boolean, but opted for an enum instead, as I have the suspicion other tweaks like this might be a added later on, in which case we extend this setting instead of having to add yet another one. Also, let's add some documentation for the GC logic.
2017-11-13 17:14:07 +01:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_collect_mode, collect_mode, CollectMode, "Failed to parse garbage collection mode");
core: remove support for RequiresOverridable= and RequisiteOverridable= As discussed at systemd.conf 2015 and on also raised on the ML: http://lists.freedesktop.org/archives/systemd-devel/2015-November/034880.html This removes the two XyzOverridable= unit dependencies, that were basically never used, and do not enhance user experience in any way. Most folks looking for the functionality this provides probably opt for the "ignore-dependencies" job mode, and that's probably a good idea. Hence, let's simplify systemd's dependency engine and remove these two dependency types (and their inverses). The unit file parser and the dbus property parser will now redirect the settings/properties to result in an equivalent non-overridable dependency. In the case of the unit file parser we generate a warning, to inform the user. The dbus properties for this unit type stay available on the unit objects, but they are now hidden from usual introspection and will always return the empty list when queried. This should provide enough compatibility for the few unit files that actually ever made use of this.
2015-11-12 19:21:47 +01:00
int config_parse_unit_deps(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
UnitDependency d = ltype;
s/name/unit
2010-01-26 21:39:06 +01:00
Unit *u = userdata;
core: unit deps port to extract_first_word
2015-11-05 06:26:13 +01:00
const char *p;
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
core: unit deps port to extract_first_word
2015-11-05 06:26:13 +01:00
p = rvalue;
tree-wide: minor formatting inconsistency cleanups
2016-02-23 18:52:52 +01:00
for (;;) {
core: unit deps port to extract_first_word
2015-11-05 06:26:13 +01:00
_cleanup_free_ char *word = NULL, *k = NULL;
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
int r;
core: fix dependency parsing 3d793d29059a7ddf5282efa6b32b953c183d7a4d broke parsing of unit file names that include backslashes, as extract_first_word() strips those. Fix this, by introducing a new EXTRACT_RETAIN_ESCAPE flag which disables looking at any flags, thus being compatible with the classic FOREACH_WORD() behaviour.
2015-11-11 22:53:05 +01:00
r = extract_first_word(&p, &word, NULL, EXTRACT_RETAIN_ESCAPE);
core: unit deps port to extract_first_word
2015-11-05 06:26:13 +01:00
if (r == 0)
break;
if (r == -ENOMEM)
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return log_oom();
core: unit deps port to extract_first_word
2015-11-05 06:26:13 +01:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
break;
}
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
core: unit deps port to extract_first_word
2015-11-05 06:26:13 +01:00
r = unit_name_printf(u, word, &k);
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %m");
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
continue;
}
core: add minimal templating system
2010-04-15 03:11:11 +02:00
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
r = unit_add_dependency_by_name(u, d, k, NULL, true, UNIT_DEPENDENCY_FILE);
unit: properly update references to units which are merged When we merge units that some kind of object points to, those pointers might become invalidated, and needs to be updated. Introduce a UnitRef struct which links up all the unit references, to ensure corrected references. At the same time, drop configured_sockets in the Service object, and replace it by proper UNIT_TRIGGERS resp. UNIT_TRIGGERED_BY dependencies, which allow us to simplify a lot of code.
2012-01-06 23:08:54 +01:00
if (r < 0)
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to add dependency on %s, ignoring: %m", k);
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
}
return 0;
}
core: remove support for RequiresOverridable= and RequisiteOverridable= As discussed at systemd.conf 2015 and on also raised on the ML: http://lists.freedesktop.org/archives/systemd-devel/2015-November/034880.html This removes the two XyzOverridable= unit dependencies, that were basically never used, and do not enhance user experience in any way. Most folks looking for the functionality this provides probably opt for the "ignore-dependencies" job mode, and that's probably a good idea. Hence, let's simplify systemd's dependency engine and remove these two dependency types (and their inverses). The unit file parser and the dbus property parser will now redirect the settings/properties to result in an equivalent non-overridable dependency. In the case of the unit file parser we generate a warning, to inform the user. The dbus properties for this unit type stay available on the unit objects, but they are now hidden from usual introspection and will always return the empty list when queried. This should provide enough compatibility for the few unit files that actually ever made use of this.
2015-11-12 19:21:47 +01:00
int config_parse_obsolete_unit_deps(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
log_syntax(unit, LOG_WARNING, filename, line, 0,
"Unit dependency type %s= is obsolete, replacing by %s=, please update your unit file", lvalue, unit_dependency_to_string(ltype));
return config_parse_unit_deps(unit, filename, line, section, section_line, lvalue, ltype, rvalue, data, userdata);
}
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
int config_parse_unit_string_printf(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
load-fragment: replace % specifiers in descriptions
2010-04-24 03:11:01 +02:00
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
_cleanup_free_ char *k = NULL;
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
Unit *u = userdata;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
int r;
load-fragment: replace % specifiers in descriptions
2010-04-24 03:11:01 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
execute: handle format strings in User= and other directives
2010-06-18 23:25:19 +02:00
assert(u);
load-fragment: replace % specifiers in descriptions
2010-04-24 03:11:01 +02:00
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(u, rvalue, &k);
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s, ignoring: %m", rvalue);
return 0;
}
load-fragment: replace % specifiers in descriptions
2010-04-24 03:11:01 +02:00
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
return config_parse_string(unit, filename, line, section, section_line, lvalue, ltype, k, data, userdata);
load-fragment: replace % specifiers in descriptions
2010-04-24 03:11:01 +02:00
}
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
int config_parse_unit_strv_printf(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
unit: support wildcards in Environment=, EnvironmentFile=
2011-07-01 01:13:47 +02:00
Unit *u = userdata;
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
_cleanup_free_ char *k = NULL;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
int r;
unit: support wildcards in Environment=, EnvironmentFile=
2011-07-01 01:13:47 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(u, rvalue, &k);
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s, ignoring: %m", rvalue);
return 0;
}
unit: support wildcards in Environment=, EnvironmentFile=
2011-07-01 01:13:47 +02:00
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
return config_parse_strv(unit, filename, line, section, section_line, lvalue, ltype, k, data, userdata);
unit: support wildcards in Environment=, EnvironmentFile=
2011-07-01 01:13:47 +02:00
}
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
int config_parse_unit_path_printf(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
exec: hangup/reset/deallocate VTs in gettys Explicitly disconnect all clients from a VT when a getty starts/finishes (requires TIOCVHANGUP, available in 2.6.29). Explicitly deallocate getty VTs in order to flush scrollback buffer. Explicitly reset terminals to a defined state before spawning getty.
2011-05-18 01:07:31 +02:00
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
_cleanup_free_ char *k = NULL;
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
Unit *u = userdata;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
int r;
core/load-fragment: refuse units with errors in RootDirectory/RootImage/DynamicUser Behaviour of the service is completely different with the option off, so the service would probably mess up state on disk and do unexpected things.
2017-07-06 19:54:42 +02:00
bool fatal = ltype;
exec: hangup/reset/deallocate VTs in gettys Explicitly disconnect all clients from a VT when a getty starts/finishes (requires TIOCVHANGUP, available in 2.6.29). Explicitly deallocate getty VTs in order to flush scrollback buffer. Explicitly reset terminals to a defined state before spawning getty.
2011-05-18 01:07:31 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
core/load-fragment: reject overly long paths early No need to go through the specifier_printf() if the path is already too long in the unexpanded form (since specifiers increase the length of the string in all practical cases). In the oss-fuzz test case, valgrind reports: total heap usage: 179,044 allocs, 179,044 frees, 72,687,755,703 bytes allocated and the original config file is ~500kb. This isn't really a security issue, since the config file has to be trusted any way, but just a matter of preventing accidental resource exhaustion. https://oss-fuzz.com/v2/issue/4651449704251392/6977 While at it, fix order of arguments in the neighbouring log_syntax() call.
2018-03-19 15:43:35 +01:00
/* Let's not bother with anything that is too long */
if (strlen(rvalue) >= PATH_MAX) {
log_syntax(unit, LOG_ERR, filename, line, 0,
"%s value too long%s.",
lvalue, fatal ? "" : ", ignoring");
return fatal ? -ENAMETOOLONG : 0;
}
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(u, rvalue, &k);
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
if (r < 0) {
core/load-fragment: refuse units with errors in RootDirectory/RootImage/DynamicUser Behaviour of the service is completely different with the option off, so the service would probably mess up state on disk and do unexpected things.
2017-07-06 19:54:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
core/load-fragment: reject overly long paths early No need to go through the specifier_printf() if the path is already too long in the unexpanded form (since specifiers increase the length of the string in all practical cases). In the oss-fuzz test case, valgrind reports: total heap usage: 179,044 allocs, 179,044 frees, 72,687,755,703 bytes allocated and the original config file is ~500kb. This isn't really a security issue, since the config file has to be trusted any way, but just a matter of preventing accidental resource exhaustion. https://oss-fuzz.com/v2/issue/4651449704251392/6977 While at it, fix order of arguments in the neighbouring log_syntax() call.
2018-03-19 15:43:35 +01:00
"Failed to resolve unit specifiers in \"%s\"%s: %m",
rvalue, fatal ? "" : ", ignoring");
core/load-fragment: refuse units with errors in RootDirectory/RootImage/DynamicUser Behaviour of the service is completely different with the option off, so the service would probably mess up state on disk and do unexpected things.
2017-07-06 19:54:42 +02:00
return fatal ? -ENOEXEC : 0;
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
}
exec: hangup/reset/deallocate VTs in gettys Explicitly disconnect all clients from a VT when a getty starts/finishes (requires TIOCVHANGUP, available in 2.6.29). Explicitly deallocate getty VTs in order to flush scrollback buffer. Explicitly reset terminals to a defined state before spawning getty.
2011-05-18 01:07:31 +02:00
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
return config_parse_path(unit, filename, line, section, section_line, lvalue, ltype, k, data, userdata);
}
int config_parse_unit_path_strv_printf(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Reject invalid quoted strings String which ended in an unfinished quote were accepted, potentially with bad memory accesses. Reject anything which ends in a unfished quote, or contains non-whitespace characters right after the closing quote. _FOREACH_WORD now returns the invalid character in *state. But this return value is not checked anywhere yet. Also, make 'word' and 'state' variables const pointers, and rename 'w' to 'word' in various places. Things are easier to read if the same name is used consistently. mbiebl_> am I correct that something like this doesn't work mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"' mbiebl_> systemd seems to strip of the quotes mbiebl_> systemctl status shows mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint mbiebl_> which is pretty weird
2014-07-30 04:01:36 +02:00
char ***x = data;
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
Unit *u = userdata;
int r;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
const char *p;
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
socket: Symlinks= with empty string resets the list of paths.
2017-09-05 08:08:59 +02:00
if (isempty(rvalue)) {
load-fragment: do not create empty array Originally added in 4589f5bb0a973e9a41be93de06c87072cea4dfb9. C.f. 8249bb728db6c2abaf12575d661b52571bdc1ab1 and #6746.
2017-10-04 08:21:12 +02:00
*x = strv_free(*x);
socket: Symlinks= with empty string resets the list of paths.
2017-09-05 08:08:59 +02:00
return 0;
}
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
for (p = rvalue;;) {
_cleanup_free_ char *word = NULL, *k = NULL;
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES);
if (r == 0)
return 0;
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax, ignoring: %s", rvalue);
return 0;
}
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
r = unit_full_printf(u, word, &k);
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
if (r < 0) {
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve unit specifiers on \"%s\", ignoring: %m", word);
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
return 0;
}
if (!utf8_is_valid(k)) {
log: move log_invalid_utf8() to log.h Also, make sure it follows the same scheme as log_syntax() does in its behaviour.
2015-09-30 20:07:24 +02:00
log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, rvalue);
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
return 0;
}
if (!path_is_absolute(k)) {
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0,
"Symlink path is not absolute: %s", k);
socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.
2014-06-04 16:19:00 +02:00
return 0;
}
path_kill_slashes(k);
r = strv_push(x, k);
if (r < 0)
return log_oom();
k = NULL;
}
exec: hangup/reset/deallocate VTs in gettys Explicitly disconnect all clients from a VT when a getty starts/finishes (requires TIOCVHANGUP, available in 2.6.29). Explicitly deallocate getty VTs in order to flush scrollback buffer. Explicitly reset terminals to a defined state before spawning getty.
2011-05-18 01:07:31 +02:00
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_socket_listen(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
parse socket files properly
2010-01-19 02:56:37 +01:00
Modernization
2014-10-11 17:37:37 +02:00
_cleanup_free_ SocketPort *p = NULL;
SocketPort *tail;
rework socket handling
2010-01-23 03:35:54 +01:00
Socket *s;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
int r;
make use of logging API wherever appropriate
2010-01-20 19:19:53 +01:00
parse socket files properly
2010-01-19 02:56:37 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
s = SOCKET(data);
rework socket handling
2010-01-23 03:35:54 +01:00
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* An empty assignment removes all ports */
socket_free_ports(s);
return 0;
}
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read.
2012-03-12 22:22:16 +01:00
p = new0(SocketPort, 1);
if (!p)
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return log_oom();
socket: add POSIX mqueue support
2011-05-17 19:37:03 +02:00
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (ltype != SOCKET_SOCKET) {
socket: add POSIX mqueue support
2011-05-17 19:37:03 +02:00
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
p->type = ltype;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(UNIT(s), rvalue, &p->path);
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s, ignoring: %m", rvalue);
return 0;
socket: add POSIX mqueue support
2011-05-17 19:37:03 +02:00
}
path_kill_slashes(p->path);
socket: support netlink sockets
2011-04-10 03:27:00 +02:00
} else if (streq(lvalue, "ListenNetlink")) {
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
_cleanup_free_ char *k = NULL;
unit: do wildcard expansion in ListenStream= and friends
2011-07-01 00:55:34 +02:00
socket: support netlink sockets
2011-04-10 03:27:00 +02:00
p->type = SOCKET_SOCKET;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(UNIT(s), rvalue, &k);
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s, ignoring: %m", rvalue);
return 0;
}
socket: support netlink sockets
2011-04-10 03:27:00 +02:00
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
r = socket_address_parse_netlink(&p->address, k);
unit: do wildcard expansion in ListenStream= and friends
2011-07-01 00:55:34 +02:00
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse address value, ignoring: %s", rvalue);
socket: support netlink sockets
2011-04-10 03:27:00 +02:00
return 0;
}
rework socket handling
2010-01-23 03:35:54 +01:00
} else {
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
_cleanup_free_ char *k = NULL;
unit: do wildcard expansion in ListenStream= and friends
2011-07-01 00:55:34 +02:00
rework socket handling
2010-01-23 03:35:54 +01:00
p->type = SOCKET_SOCKET;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(UNIT(s), rvalue, &k);
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,"Failed to resolve unit specifiers on %s, ignoring: %m", rvalue);
return 0;
}
rework socket handling
2010-01-23 03:35:54 +01:00
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
r = socket_address_parse_and_warn(&p->address, k);
unit: do wildcard expansion in ListenStream= and friends
2011-07-01 00:55:34 +02:00
if (r < 0) {
load-fragment: don't print error about incorrect syntax when IPv6 is disabled (#5791)
2017-04-25 09:31:52 +02:00
if (r != -EAFNOSUPPORT)
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse address value, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
rework socket handling
2010-01-23 03:35:54 +01:00
}
if (streq(lvalue, "ListenStream"))
p->address.type = SOCK_STREAM;
else if (streq(lvalue, "ListenDatagram"))
p->address.type = SOCK_DGRAM;
else {
assert(streq(lvalue, "ListenSequentialPacket"));
p->address.type = SOCK_SEQPACKET;
}
if (socket_address_family(&p->address) != AF_LOCAL && p->address.type == SOCK_SEQPACKET) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Address family not supported, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
rework socket handling
2010-01-23 03:35:54 +01:00
}
make use of logging API wherever appropriate
2010-01-20 19:19:53 +01:00
}
rework socket handling
2010-01-23 03:35:54 +01:00
p->fd = -1;
core: Add list of additional file descriptors to socket port Some additional files related to single socket may appear in the filesystem and they should be opened and passed to related service. This commit adds optional list of file descriptors, which are dynamically discovered and opened.
2015-09-21 16:30:41 +02:00
p->auxiliary_fds = NULL;
p->n_auxiliary_fds = 0;
socket: fix segfault
2013-11-21 00:06:11 +01:00
p->socket = s;
socket: guarantee order in which sockets are passed to be the one of the configuration file
2011-04-16 03:42:18 +02:00
load-fragment: simplify list insertion logic LIST_FIND_TAIL and LIST_INSERT_AFTER can work for empty list.
2017-12-23 11:16:49 +01:00
LIST_FIND_TAIL(port, s->ports, tail);
LIST_INSERT_AFTER(port, s->ports, tail, p);
Modernization
2014-10-11 17:37:37 +02:00
p = NULL;
rework socket handling
2010-01-23 03:35:54 +01:00
make use of logging API wherever appropriate
2010-01-20 19:19:53 +01:00
return 0;
parse socket files properly
2010-01-19 02:56:37 +01:00
}
socket: Add support for socket protcol Now we don't support the socket protocol like sctp and udplite . This patch add a new config param SocketProtocol: udplite/sctp With this now we can configure the protocol as udplite = IPPROTO_UDPLITE sctp = IPPROTO_SCTP Tested with nspawn:
2015-11-16 07:45:47 +01:00
int config_parse_socket_protocol(const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Socket *s;
basic: introduce socket_protocol_{from,to}_name() And use them where they can be applicable.
2017-12-23 11:32:04 +01:00
int r;
socket: Add support for socket protcol Now we don't support the socket protocol like sctp and udplite . This patch add a new config param SocketProtocol: udplite/sctp With this now we can configure the protocol as udplite = IPPROTO_UDPLITE sctp = IPPROTO_SCTP Tested with nspawn:
2015-11-16 07:45:47 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
s = SOCKET(data);
basic: introduce socket_protocol_{from,to}_name() And use them where they can be applicable.
2017-12-23 11:32:04 +01:00
r = socket_protocol_from_name(rvalue);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid socket protocol, ignoring: %s", rvalue);
return 0;
} else if (!IN_SET(r, IPPROTO_UDPLITE, IPPROTO_SCTP)) {
socket: Add support for socket protcol Now we don't support the socket protocol like sctp and udplite . This patch add a new config param SocketProtocol: udplite/sctp With this now we can configure the protocol as udplite = IPPROTO_UDPLITE sctp = IPPROTO_SCTP Tested with nspawn:
2015-11-16 07:45:47 +01:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Socket protocol not supported, ignoring: %s", rvalue);
return 0;
}
basic: introduce socket_protocol_{from,to}_name() And use them where they can be applicable.
2017-12-23 11:32:04 +01:00
s->socket_protocol = r;
socket: Add support for socket protcol Now we don't support the socket protocol like sctp and udplite . This patch add a new config param SocketProtocol: udplite/sctp With this now we can configure the protocol as udplite = IPPROTO_UDPLITE sctp = IPPROTO_SCTP Tested with nspawn:
2015-11-16 07:45:47 +01:00
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_socket_bind(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
parse socket files properly
2010-01-19 02:56:37 +01:00
rework socket handling
2010-01-23 03:35:54 +01:00
Socket *s;
socket: fix parsing of bind_ipv6_only
2010-05-21 23:41:25 +02:00
SocketAddressBindIPv6Only b;
parse socket files properly
2010-01-19 02:56:37 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
unit: use safe downcasts, remove pointless casts Always use the macros for downcasting. Remove a few obviously pointless casts.
2012-01-15 12:37:16 +01:00
s = SOCKET(data);
rework socket handling
2010-01-23 03:35:54 +01:00
socket-util: introduce parse_socket_address_bind_ipv6_only_or_bool()
2018-01-01 16:15:03 +01:00
b = parse_socket_address_bind_ipv6_only_or_bool(rvalue);
man: document behaviour of ListenStream= with only a port number in regards to IPv4/IPv6
2012-10-03 20:18:55 +02:00
if (b < 0) {
socket-util: introduce parse_socket_address_bind_ipv6_only_or_bool()
2018-01-01 16:15:03 +01:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse bind IPv6 only value, ignoring: %s", rvalue);
return 0;
}
parse socket files properly
2010-01-19 02:56:37 +01:00
socket-util: introduce parse_socket_address_bind_ipv6_only_or_bool()
2018-01-01 16:15:03 +01:00
s->bind_ipv6_only = b;
rework socket handling
2010-01-23 03:35:54 +01:00
parse socket files properly
2010-01-19 02:56:37 +01:00
return 0;
}
util-lib: unify parsing of nice level values This adds parse_nice() that parses a nice level and ensures it is in the right range, via a new nice_is_valid() helper. It then ports over a number of users to this. No functional changes.
2016-08-05 11:17:08 +02:00
int config_parse_exec_nice(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
set nice/oom_adjust only when asked for
2010-01-28 02:53:56 +01:00
ExecContext *c = data;
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int priority, r;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
util-lib: unify parsing of nice level values This adds parse_nice() that parses a nice level and ensures it is in the right range, via a new nice_is_valid() helper. It then ports over a number of users to this. No functional changes.
2016-08-05 11:17:08 +02:00
r = parse_nice(rvalue, &priority);
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
if (r < 0) {
util-lib: unify parsing of nice level values This adds parse_nice() that parses a nice level and ensures it is in the right range, via a new nice_is_valid() helper. It then ports over a number of users to this. No functional changes.
2016-08-05 11:17:08 +02:00
if (r == -ERANGE)
log_syntax(unit, LOG_ERR, filename, line, r, "Nice priority out of range, ignoring: %s", rvalue);
else
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse nice priority, ignoring: %s", rvalue);
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
}
set nice/oom_adjust only when asked for
2010-01-28 02:53:56 +01:00
c->nice = priority;
load-fragment: properly parse Nice= value Hello, i`ve been using systemd for a while now, and found out that when using NICE parameter for .service files the varible is not set correctly. i`ve found the problem in file *load-fragment.c* function *config_parse_nice* variable /*c->nice_set = false;*/ should be /*c->nice_set = true;*/ Problem is alsom manifesting on v17 but did not upgrade yet ...
2011-02-02 14:57:52 +01:00
c->nice_set = true;
set nice/oom_adjust only when asked for
2010-01-28 02:53:56 +01:00
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_exec_oom_score_adjust(const char* unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
set nice/oom_adjust only when asked for
2010-01-28 02:53:56 +01:00
ExecContext *c = data;
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int oa, r;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
r = safe_atoi(rvalue, &oa);
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse the OOM score adjust value, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
}
exec: replace OOMAdjust= by OOMScoreAdjust= to follow new kernel interface This replaces OOMAdjust= by OOMScoreAdjust= in the config files, breaking compatibility with older unit files. However, this keeps compat with older kernels which lack the new OOM rework.
2010-08-31 01:33:39 +02:00
if (oa < OOM_SCORE_ADJ_MIN || oa > OOM_SCORE_ADJ_MAX) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "OOM score adjust value out of range, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
}
exec: replace OOMAdjust= by OOMScoreAdjust= to follow new kernel interface This replaces OOMAdjust= by OOMScoreAdjust= in the config files, breaking compatibility with older unit files. However, this keeps compat with older kernels which lack the new OOM rework.
2010-08-31 01:33:39 +02:00
c->oom_score_adjust = oa;
c->oom_score_adjust_set = true;
set nice/oom_adjust only when asked for
2010-01-28 02:53:56 +01:00
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
return 0;
}
util: rework cunescape(), improve error handling Change cunescape() to return a normal error code, so that we can distuingish OOM errors from parse errors. This also adds a flags parameter to control whether "relaxed" or normal parsing shall be done. If set no parse failures are generated, and the only reason why cunescape() can fail is OOM.
2015-04-06 20:11:41 +02:00
int config_parse_exec(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
ExecCommand **e = data;
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
Unit *u = userdata;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
const char *p;
bool semicolon;
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read.
2012-03-12 22:22:16 +01:00
int r;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
service: allow configuration of more than one Exec command in one line
2010-07-07 20:59:20 +02:00
assert(e);
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
e += ltype;
load-fragment: reset the list on an ExecStart= containing only whitespace This is consistent with how an empty string works in an ExecStart= statement. We should not differentiate between an empty string and whitespace only (since they look the same.) Update the test case with whitespace only to reflect that the list is reset. Tested that `test-unit-file` passes and other test cases are not affected. Installed the patched systemd binaries on a machine, booted it, looked for out of the usual behavior but did not find any.
2015-06-06 08:12:25 +02:00
rvalue += strspn(rvalue, WHITESPACE);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* An empty assignment resets the list */
core: make exec_command_free_list return NULL
2014-12-18 18:29:24 +01:00
*e = exec_command_free_list(*e);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return 0;
}
core: revert "core: resolve specifier in config_parse_exec()" This reverts commit cb48dfca6a8bc15d9081651001a16bf51e03838a. Exec*-settings resolve specifiers twice: %%U -> config_parse_exec [cb48dfca6a8] -> %U -> service_spawn -> 0 Fixes #2637
2016-02-17 23:32:36 +01:00
p = rvalue;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
do {
util-lib: rework extract_first_word_and_warn() a bit - Really warn in all error cases, not just some. We need to make sure that all errors are logged to not confuse the user. - Explicitly check for EINVAL error code before claiming anything about invalid escapes, could be ENOMEM after all.
2015-10-23 18:20:54 +02:00
_cleanup_free_ char *path = NULL, *firstword = NULL;
core: add two new special ExecStart= character prefixes This patch adds two new special character prefixes to ExecStart= and friends, in addition to the existing "-", "@" and "+": "!" → much like "+", except with a much reduced effect as it only disables the actual setresuid()/setresgid()/setgroups() calls, but leaves all other security features on, including namespace options. This is very useful in combination with RuntimeDirectory= or DynamicUser= and similar option, as a user is still allocated and used for the runtime directory, but the actual UID/GID dropping is left to the daemon process itself. This should make RuntimeDirectory= a lot more useful for daemons which insist on doing their own privilege dropping. "!!" → Similar to "!", but on systems supporting ambient caps this becomes a NOP. This makes it relatively straightforward to write unit files that make use of ambient capabilities to let systemd drop all privs while retaining compatibility with systems that lack ambient caps, where priv dropping is the left to the daemon codes themselves. This is an alternative approach to #6564 and related PRs.
2017-08-09 16:09:04 +02:00
ExecCommandFlags flags = 0;
bool ignore = false, separate_argv0 = false;
util-lib: rework extract_first_word_and_warn() a bit - Really warn in all error cases, not just some. We need to make sure that all errors are logged to not confuse the user. - Explicitly check for EINVAL error code before claiming anything about invalid escapes, could be ENOMEM after all.
2015-10-23 18:20:54 +02:00
_cleanup_free_ ExecCommand *nce = NULL;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
_cleanup_strv_free_ char **n = NULL;
size_t nlen = 0, nbufsize = 0;
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
const char *f;
load-fragment: add support for overriding argv[0] in parsed command lines
2010-05-19 21:51:53 +02:00
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
semicolon = false;
tree-wide: drop unneded WHITESPACE param to extract_first_word It's the default, and NULL is shorter.
2016-10-28 02:06:44 +02:00
r = extract_first_word_and_warn(&p, &firstword, NULL, EXTRACT_QUOTES|EXTRACT_CUNESCAPE, unit, filename, line, rvalue);
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
if (r <= 0)
return 0;
load-fragment: add support for overriding argv[0] in parsed command lines
2010-05-19 21:51:53 +02:00
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
f = firstword;
pid1: remove unnecessary counter The loop must terminate after at most three iterations anyway.
2016-12-11 05:07:46 +01:00
for (;;) {
core: add two new special ExecStart= character prefixes This patch adds two new special character prefixes to ExecStart= and friends, in addition to the existing "-", "@" and "+": "!" → much like "+", except with a much reduced effect as it only disables the actual setresuid()/setresgid()/setgroups() calls, but leaves all other security features on, including namespace options. This is very useful in combination with RuntimeDirectory= or DynamicUser= and similar option, as a user is still allocated and used for the runtime directory, but the actual UID/GID dropping is left to the daemon process itself. This should make RuntimeDirectory= a lot more useful for daemons which insist on doing their own privilege dropping. "!!" → Similar to "!", but on systems supporting ambient caps this becomes a NOP. This makes it relatively straightforward to write unit files that make use of ambient capabilities to let systemd drop all privs while retaining compatibility with systems that lack ambient caps, where priv dropping is the left to the daemon codes themselves. This is an alternative approach to #6564 and related PRs.
2017-08-09 16:09:04 +02:00
/* We accept an absolute path as first argument. If it's prefixed with - and the path doesn't
* exist, we ignore it instead of erroring out; if it's prefixed with @, we allow overriding of
* argv[0]; if it's prefixed with +, it will be run with full privileges and no sandboxing; if
* it's prefixed with '!' we apply sandboxing, but do not change user/group credentials; if
* it's prefixed with '!!', then we apply user/group credentials if the kernel supports ambient
* capabilities -- if it doesn't we don't apply the credentials themselves, but do apply most
* other sandboxing, with some special exceptions for changing UID.
*
* The idea is that '!!' may be used to write services that can take benefit of systemd's
* UID/GID dropping if the kernel supports ambient creds, but provide an automatic fallback to
* privilege dropping within the daemon if the kernel does not offer that. */
if (*f == '-' && !(flags & EXEC_COMMAND_IGNORE_FAILURE)) {
flags |= EXEC_COMMAND_IGNORE_FAILURE;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
ignore = true;
core: add two new special ExecStart= character prefixes This patch adds two new special character prefixes to ExecStart= and friends, in addition to the existing "-", "@" and "+": "!" → much like "+", except with a much reduced effect as it only disables the actual setresuid()/setresgid()/setgroups() calls, but leaves all other security features on, including namespace options. This is very useful in combination with RuntimeDirectory= or DynamicUser= and similar option, as a user is still allocated and used for the runtime directory, but the actual UID/GID dropping is left to the daemon process itself. This should make RuntimeDirectory= a lot more useful for daemons which insist on doing their own privilege dropping. "!!" → Similar to "!", but on systems supporting ambient caps this becomes a NOP. This makes it relatively straightforward to write unit files that make use of ambient capabilities to let systemd drop all privs while retaining compatibility with systems that lack ambient caps, where priv dropping is the left to the daemon codes themselves. This is an alternative approach to #6564 and related PRs.
2017-08-09 16:09:04 +02:00
} else if (*f == '@' && !separate_argv0)
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
separate_argv0 = true;
core: add two new special ExecStart= character prefixes This patch adds two new special character prefixes to ExecStart= and friends, in addition to the existing "-", "@" and "+": "!" → much like "+", except with a much reduced effect as it only disables the actual setresuid()/setresgid()/setgroups() calls, but leaves all other security features on, including namespace options. This is very useful in combination with RuntimeDirectory= or DynamicUser= and similar option, as a user is still allocated and used for the runtime directory, but the actual UID/GID dropping is left to the daemon process itself. This should make RuntimeDirectory= a lot more useful for daemons which insist on doing their own privilege dropping. "!!" → Similar to "!", but on systems supporting ambient caps this becomes a NOP. This makes it relatively straightforward to write unit files that make use of ambient capabilities to let systemd drop all privs while retaining compatibility with systems that lack ambient caps, where priv dropping is the left to the daemon codes themselves. This is an alternative approach to #6564 and related PRs.
2017-08-09 16:09:04 +02:00
else if (*f == '+' && !(flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID|EXEC_COMMAND_AMBIENT_MAGIC)))
flags |= EXEC_COMMAND_FULLY_PRIVILEGED;
else if (*f == '!' && !(flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID|EXEC_COMMAND_AMBIENT_MAGIC)))
flags |= EXEC_COMMAND_NO_SETUID;
else if (*f == '!' && !(flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_AMBIENT_MAGIC))) {
flags &= ~EXEC_COMMAND_NO_SETUID;
flags |= EXEC_COMMAND_AMBIENT_MAGIC;
} else
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
break;
tree-wide: make ++/-- usage consistent WRT spacing Throughout the tree there's spurious use of spaces separating ++ and -- operators from their respective operands. Make ++ and -- operator consistent with the majority of existing uses; discard the spaces.
2016-02-23 05:32:04 +01:00
f++;
service: allow configuration of more than one Exec command in one line
2010-07-07 20:59:20 +02:00
}
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
r = unit_full_printf(u, f, &path);
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve unit specifiers on %s%s: %m",
f, ignore ? ", ignoring" : "");
return ignore ? 0 : -ENOEXEC;
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
}
if (isempty(path)) {
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
/* First word is either "-" or "@" with no command. */
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0,
"Empty path in command line%s: \"%s\"",
ignore ? ", ignoring" : "", rvalue);
return ignore ? 0 : -ENOEXEC;
Properly report invalid quoted strings $ systemd-analyze verify trailing-g.service [./trailing-g.service:2] Trailing garbage, ignoring. trailing-g.service lacks ExecStart setting. Refusing. Error: org.freedesktop.systemd1.LoadFailed: Unit trailing-g.service failed to load: Invalid argument. Failed to create trailing-g.service/start: Invalid argument
2014-07-31 09:28:37 +02:00
}
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
if (!string_is_safe(path)) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0,
"Executable path contains special characters%s: %s",
ignore ? ", ignoring" : "", rvalue);
return ignore ? 0 : -ENOEXEC;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
}
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
if (!path_is_absolute(path)) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0,
"Executable path is not absolute%s: %s",
ignore ? ", ignoring" : "", rvalue);
return ignore ? 0 : -ENOEXEC;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
}
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
if (endswith(path, "/")) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0,
"Executable path specifies a directory%s: %s",
ignore ? ", ignoring" : "", rvalue);
return ignore ? 0 : -ENOEXEC;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
}
service: allow configuration of more than one Exec command in one line
2010-07-07 20:59:20 +02:00
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
if (!separate_argv0) {
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
char *w = NULL;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
if (!GREEDY_REALLOC(n, nbufsize, nlen + 2))
return log_oom();
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
w = strdup(path);
if (!w)
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
return log_oom();
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
n[nlen++] = w;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
n[nlen] = NULL;
}
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read.
2012-03-12 22:22:16 +01:00
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
path_kill_slashes(path);
Convert unquote_*_word users to expect isempty(p) after the last entry This is so that, when called in a loop, unquote_first_word can distinguish between reaching the end of a string because it has consumed all the input before the end, and consuming all the input. This is important because we later add a flag that allows char *in = ""; char *out; unquote_first_word(&in, &out, flags); To put "" in out, and set in = NULL, so the trailing empty string of the input can be consumed, and mark that the input has been consumed.
2015-06-19 17:24:29 +02:00
while (!isempty(p)) {
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
_cleanup_free_ char *word = NULL, *resolved = NULL;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
/* Check explicitly for an unquoted semicolon as
* command separator token. */
if (p[0] == ';' && (!p[1] || strchr(WHITESPACE, p[1]))) {
tree-wide: make ++/-- usage consistent WRT spacing Throughout the tree there's spurious use of spaces separating ++ and -- operators from their respective operands. Make ++ and -- operator consistent with the majority of existing uses; discard the spaces.
2016-02-23 05:32:04 +01:00
p++;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
p += strspn(p, WHITESPACE);
semicolon = true;
break;
load-fragment: allow quoting in command name and document allowed escapes The handling of the command name and other arguments is unified. This simplifies things and should make them more predictable for users. Incidentally, this makes ExecStart handling match the .desktop file specification, apart for the requirment for an absolute path. https://bugs.freedesktop.org/show_bug.cgi?id=86171
2014-12-19 00:08:13 +01:00
}
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read.
2012-03-12 22:22:16 +01:00
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
/* Check for \; explicitly, to not confuse it with \\; or "\;" or "\\;" etc.
* extract_first_word() would return the same for all of those. */
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
if (p[0] == '\\' && p[1] == ';' && (!p[2] || strchr(WHITESPACE, p[2]))) {
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
char *w;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
p += 2;
p += strspn(p, WHITESPACE);
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
if (!GREEDY_REALLOC(n, nbufsize, nlen + 2))
return log_oom();
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
w = strdup(";");
if (!w)
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
return log_oom();
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
n[nlen++] = w;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
n[nlen] = NULL;
continue;
service: allow configuration of more than one Exec command in one line
2010-07-07 20:59:20 +02:00
}
load-fragment: allow quoting in command name and document allowed escapes The handling of the command name and other arguments is unified. This simplifies things and should make them more predictable for users. Incidentally, this makes ExecStart handling match the .desktop file specification, apart for the requirment for an absolute path. https://bugs.freedesktop.org/show_bug.cgi?id=86171
2014-12-19 00:08:13 +01:00
tree-wide: drop unneded WHITESPACE param to extract_first_word It's the default, and NULL is shorter.
2016-10-28 02:06:44 +02:00
r = extract_first_word_and_warn(&p, &word, NULL, EXTRACT_QUOTES|EXTRACT_CUNESCAPE, unit, filename, line, rvalue);
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
if (r == 0)
break;
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
if (r < 0)
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
return ignore ? 0 : -ENOEXEC;
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
r = unit_full_printf(u, word, &resolved);
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve unit specifiers on %s%s: %m",
word, ignore ? ", ignoring" : "");
return ignore ? 0 : -ENOEXEC;
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
}
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
if (!GREEDY_REALLOC(n, nbufsize, nlen + 2))
return log_oom();
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
n[nlen++] = resolved;
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
n[nlen] = NULL;
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061
2016-12-05 18:56:25 +01:00
resolved = NULL;
service: allow configuration of more than one Exec command in one line
2010-07-07 20:59:20 +02:00
}
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
if (!n || !n[0]) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0,
"Empty executable name or zeroeth argument%s: %s",
ignore ? ", ignoring" : "", rvalue);
return ignore ? 0 : -ENOEXEC;
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read.
2012-03-12 22:22:16 +01:00
}
load-fragment: add support for overriding argv[0] in parsed command lines
2010-05-19 21:51:53 +02:00
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read.
2012-03-12 22:22:16 +01:00
nce = new0(ExecCommand, 1);
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
if (!nce)
return log_oom();
service: allow configuration of more than one Exec command in one line
2010-07-07 20:59:20 +02:00
nce->argv = n;
nce->path = path;
core: add two new special ExecStart= character prefixes This patch adds two new special character prefixes to ExecStart= and friends, in addition to the existing "-", "@" and "+": "!" → much like "+", except with a much reduced effect as it only disables the actual setresuid()/setresgid()/setgroups() calls, but leaves all other security features on, including namespace options. This is very useful in combination with RuntimeDirectory= or DynamicUser= and similar option, as a user is still allocated and used for the runtime directory, but the actual UID/GID dropping is left to the daemon process itself. This should make RuntimeDirectory= a lot more useful for daemons which insist on doing their own privilege dropping. "!!" → Similar to "!", but on systems supporting ambient caps this becomes a NOP. This makes it relatively straightforward to write unit files that make use of ambient capabilities to let systemd drop all privs while retaining compatibility with systems that lack ambient caps, where priv dropping is the left to the daemon codes themselves. This is an alternative approach to #6564 and related PRs.
2017-08-09 16:09:04 +02:00
nce->flags = flags;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
service: allow configuration of more than one Exec command in one line
2010-07-07 20:59:20 +02:00
exec_command_append_list(e, nce);
path: add .path unit type for monitoring files
2010-05-24 05:25:33 +02:00
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
/* Do not _cleanup_free_ these. */
n = NULL;
path = NULL;
nce = NULL;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
rvalue = p;
} while (semicolon);
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
2015-05-31 07:48:52 +02:00
return 0;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
}
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_service_type, service_type, ServiceType, "Failed to parse service type");
DEFINE_CONFIG_PARSE_ENUM(config_parse_service_restart, service_restart, ServiceRestart, "Failed to parse service restart specifier");
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
tree-wide: port more code to use ifname_valid()
2016-05-06 21:20:59 +02:00
int config_parse_socket_bindtodevice(
const char* unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
yay, we can start socket units
2010-01-27 04:31:52 +01:00
Socket *s = data;
char *n;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (rvalue[0] && !streq(rvalue, "*")) {
tree-wide: port more code to use ifname_valid()
2016-05-06 21:20:59 +02:00
if (!ifname_valid(rvalue)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Interface name is invalid, ignoring: %s", rvalue);
return 0;
}
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
n = strdup(rvalue);
if (!n)
return log_oom();
yay, we can start socket units
2010-01-27 04:31:52 +01:00
} else
n = NULL;
free(s->bind_to_device);
s->bind_to_device = n;
return 0;
}
core: clean up config_parse_exec_input() a bit Mostly coding style fixes, but most importantly, initialize c->std_input only after we know the free_and_strdup() invocation succeeded, so that we don't leave half-initialized fields around on failure.
2017-10-26 20:06:42 +02:00
int config_parse_exec_input(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
ExecContext *c = data;
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
Unit *u = userdata;
const char *n;
ExecInput ei;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
int r;
assert(data);
assert(filename);
assert(line);
assert(rvalue);
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
n = startswith(rvalue, "fd:");
if (n) {
_cleanup_free_ char *resolved = NULL;
r = unit_full_printf(u, n, &resolved);
if (r < 0)
return log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s: %m", n);
if (isempty(resolved))
resolved = mfree(resolved);
else if (!fdname_is_valid(resolved)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid file descriptor name: %s", resolved);
return -EINVAL;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
}
core: clean up config_parse_exec_input() a bit Mostly coding style fixes, but most importantly, initialize c->std_input only after we know the free_and_strdup() invocation succeeded, so that we don't leave half-initialized fields around on failure.
2017-10-26 20:06:42 +02:00
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
free_and_replace(c->stdio_fdname[STDIN_FILENO], resolved);
ei = EXEC_INPUT_NAMED_FD;
} else if ((n = startswith(rvalue, "file:"))) {
_cleanup_free_ char *resolved = NULL;
r = unit_full_printf(u, n, &resolved);
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
if (r < 0)
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
return log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s: %m", n);
core: clean up config_parse_exec_input() a bit Mostly coding style fixes, but most importantly, initialize c->std_input only after we know the free_and_strdup() invocation succeeded, so that we don't leave half-initialized fields around on failure.
2017-10-26 20:06:42 +02:00
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
if (!path_is_absolute(resolved)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "file: requires an absolute path name: %s", resolved);
return -EINVAL;
}
fs-util: rename path_is_safe() → path_is_normalized() Already, path_is_safe() refused paths container the "." dir. Doing that isn't strictly necessary to be "safe" by most definitions of the word. But it is necessary in order to consider a path "normalized". Hence, "path_is_safe()" is slightly misleading a name, but "path_is_normalize()" is more descriptive, hence let's rename things accordingly. No functional changes.
2017-10-27 16:28:15 +02:00
if (!path_is_normalized(resolved)) {
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "file: requires a normalized path name: %s", resolved);
return -EINVAL;
}
free_and_replace(c->stdio_file[STDIN_FILENO], resolved);
ei = EXEC_INPUT_FILE;
core: clean up config_parse_exec_input() a bit Mostly coding style fixes, but most importantly, initialize c->std_input only after we know the free_and_strdup() invocation succeeded, so that we don't leave half-initialized fields around on failure.
2017-10-26 20:06:42 +02:00
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
} else {
core: clean up config_parse_exec_input() a bit Mostly coding style fixes, but most importantly, initialize c->std_input only after we know the free_and_strdup() invocation succeeded, so that we don't leave half-initialized fields around on failure.
2017-10-26 20:06:42 +02:00
ei = exec_input_from_string(rvalue);
if (ei < 0) {
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse input specifier, ignoring: %s", rvalue);
core: clean up config_parse_exec_input() a bit Mostly coding style fixes, but most importantly, initialize c->std_input only after we know the free_and_strdup() invocation succeeded, so that we don't leave half-initialized fields around on failure.
2017-10-26 20:06:42 +02:00
return 0;
}
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
}
core: clean up config_parse_exec_input() a bit Mostly coding style fixes, but most importantly, initialize c->std_input only after we know the free_and_strdup() invocation succeeded, so that we don't leave half-initialized fields around on failure.
2017-10-26 20:06:42 +02:00
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
c->std_input = ei;
core: clean up config_parse_exec_input() a bit Mostly coding style fixes, but most importantly, initialize c->std_input only after we know the free_and_strdup() invocation succeeded, so that we don't leave half-initialized fields around on failure.
2017-10-26 20:06:42 +02:00
return 0;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
}
core: add two new unit file settings: StandardInputData= + StandardInputText= Both permit configuring data to pass through STDIN to an invoked process. StandardInputText= accepts a line of text (possibly with embedded C-style escapes as well as unit specifiers), which is appended to the buffer to pass as stdin, followed by a single newline. StandardInputData= is similar, but accepts arbitrary base64 encoded data, and will not resolve specifiers or C-style escapes, nor append newlines. This may be used to pass input/configuration data to services, directly in-line from unit files, either in a cooked or in a more raw format.
2017-10-27 11:33:05 +02:00
int config_parse_exec_input_text(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *unescaped = NULL, *resolved = NULL;
ExecContext *c = data;
Unit *u = userdata;
size_t sz;
void *p;
int r;
assert(data);
assert(filename);
assert(line);
assert(rvalue);
if (isempty(rvalue)) {
/* Reset if the empty string is assigned */
c->stdin_data = mfree(c->stdin_data);
c->stdin_data_size = 0;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
return 0;
}
core: add two new unit file settings: StandardInputData= + StandardInputText= Both permit configuring data to pass through STDIN to an invoked process. StandardInputText= accepts a line of text (possibly with embedded C-style escapes as well as unit specifiers), which is appended to the buffer to pass as stdin, followed by a single newline. StandardInputData= is similar, but accepts arbitrary base64 encoded data, and will not resolve specifiers or C-style escapes, nor append newlines. This may be used to pass input/configuration data to services, directly in-line from unit files, either in a cooked or in a more raw format.
2017-10-27 11:33:05 +02:00
r = cunescape(rvalue, 0, &unescaped);
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
if (r < 0)
return log_syntax(unit, LOG_ERR, filename, line, r, "Failed to decode C escaped text: %s", rvalue);
core: add two new unit file settings: StandardInputData= + StandardInputText= Both permit configuring data to pass through STDIN to an invoked process. StandardInputText= accepts a line of text (possibly with embedded C-style escapes as well as unit specifiers), which is appended to the buffer to pass as stdin, followed by a single newline. StandardInputData= is similar, but accepts arbitrary base64 encoded data, and will not resolve specifiers or C-style escapes, nor append newlines. This may be used to pass input/configuration data to services, directly in-line from unit files, either in a cooked or in a more raw format.
2017-10-27 11:33:05 +02:00
r = unit_full_printf(u, unescaped, &resolved);
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
if (r < 0)
return log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers: %s", unescaped);
core: add two new unit file settings: StandardInputData= + StandardInputText= Both permit configuring data to pass through STDIN to an invoked process. StandardInputText= accepts a line of text (possibly with embedded C-style escapes as well as unit specifiers), which is appended to the buffer to pass as stdin, followed by a single newline. StandardInputData= is similar, but accepts arbitrary base64 encoded data, and will not resolve specifiers or C-style escapes, nor append newlines. This may be used to pass input/configuration data to services, directly in-line from unit files, either in a cooked or in a more raw format.
2017-10-27 11:33:05 +02:00
sz = strlen(resolved);
if (c->stdin_data_size + sz + 1 < c->stdin_data_size || /* check for overflow */
c->stdin_data_size + sz + 1 > EXEC_STDIN_DATA_MAX) {
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Standard input data too large (%zu), maximum of %zu permitted, ignoring.", c->stdin_data_size + sz, (size_t) EXEC_STDIN_DATA_MAX);
return -E2BIG;
core: add two new unit file settings: StandardInputData= + StandardInputText= Both permit configuring data to pass through STDIN to an invoked process. StandardInputText= accepts a line of text (possibly with embedded C-style escapes as well as unit specifiers), which is appended to the buffer to pass as stdin, followed by a single newline. StandardInputData= is similar, but accepts arbitrary base64 encoded data, and will not resolve specifiers or C-style escapes, nor append newlines. This may be used to pass input/configuration data to services, directly in-line from unit files, either in a cooked or in a more raw format.
2017-10-27 11:33:05 +02:00
}
p = realloc(c->stdin_data, c->stdin_data_size + sz + 1);
if (!p)
return log_oom();
*((char*) mempcpy((char*) p + c->stdin_data_size, resolved, sz)) = '\n';
c->stdin_data = p;
c->stdin_data_size += sz + 1;
return 0;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
}
core: add two new unit file settings: StandardInputData= + StandardInputText= Both permit configuring data to pass through STDIN to an invoked process. StandardInputText= accepts a line of text (possibly with embedded C-style escapes as well as unit specifiers), which is appended to the buffer to pass as stdin, followed by a single newline. StandardInputData= is similar, but accepts arbitrary base64 encoded data, and will not resolve specifiers or C-style escapes, nor append newlines. This may be used to pass input/configuration data to services, directly in-line from unit files, either in a cooked or in a more raw format.
2017-10-27 11:33:05 +02:00
int config_parse_exec_input_data(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ void *p = NULL;
ExecContext *c = data;
size_t sz;
void *q;
int r;
assert(data);
assert(filename);
assert(line);
assert(rvalue);
if (isempty(rvalue)) {
/* Reset if the empty string is assigned */
c->stdin_data = mfree(c->stdin_data);
c->stdin_data_size = 0;
return 0;
}
util-lib,tests: rework unbase64 so that we skip over whitespace automatically (#7522) Let's optimize things a bit, and instead of having to strip whitespace first before decoding base64, let's do that implicitly while doing so. Given that base64 was designed the way it was designed specifically to be tolerant to whitespace changes, it's a good idea to do this automatically and implicitly.
2017-12-03 20:57:24 +01:00
r = unbase64mem(rvalue, (size_t) -1, &p, &sz);
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
if (r < 0)
util-lib,tests: rework unbase64 so that we skip over whitespace automatically (#7522) Let's optimize things a bit, and instead of having to strip whitespace first before decoding base64, let's do that implicitly while doing so. Given that base64 was designed the way it was designed specifically to be tolerant to whitespace changes, it's a good idea to do this automatically and implicitly.
2017-12-03 20:57:24 +01:00
return log_syntax(unit, LOG_ERR, filename, line, r, "Failed to decode base64 data, ignoring: %s", rvalue);
core: add two new unit file settings: StandardInputData= + StandardInputText= Both permit configuring data to pass through STDIN to an invoked process. StandardInputText= accepts a line of text (possibly with embedded C-style escapes as well as unit specifiers), which is appended to the buffer to pass as stdin, followed by a single newline. StandardInputData= is similar, but accepts arbitrary base64 encoded data, and will not resolve specifiers or C-style escapes, nor append newlines. This may be used to pass input/configuration data to services, directly in-line from unit files, either in a cooked or in a more raw format.
2017-10-27 11:33:05 +02:00
assert(sz > 0);
if (c->stdin_data_size + sz < c->stdin_data_size || /* check for overflow */
c->stdin_data_size + sz > EXEC_STDIN_DATA_MAX) {
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Standard input data too large (%zu), maximum of %zu permitted, ignoring.", c->stdin_data_size + sz, (size_t) EXEC_STDIN_DATA_MAX);
return -E2BIG;
core: add two new unit file settings: StandardInputData= + StandardInputText= Both permit configuring data to pass through STDIN to an invoked process. StandardInputText= accepts a line of text (possibly with embedded C-style escapes as well as unit specifiers), which is appended to the buffer to pass as stdin, followed by a single newline. StandardInputData= is similar, but accepts arbitrary base64 encoded data, and will not resolve specifiers or C-style escapes, nor append newlines. This may be used to pass input/configuration data to services, directly in-line from unit files, either in a cooked or in a more raw format.
2017-10-27 11:33:05 +02:00
}
q = realloc(c->stdin_data, c->stdin_data_size + sz);
if (!q)
return log_oom();
memcpy((uint8_t*) q + c->stdin_data_size, p, sz);
c->stdin_data = q;
c->stdin_data_size += sz;
return 0;
}
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
int config_parse_exec_output(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *resolved = NULL;
const char *n;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
ExecContext *c = data;
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
Unit *u = userdata;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
ExecOutput eo;
int r;
assert(data);
assert(filename);
assert(line);
assert(lvalue);
assert(rvalue);
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
n = startswith(rvalue, "fd:");
if (n) {
r = unit_full_printf(u, n, &resolved);
if (r < 0)
return log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s: %m", n);
if (isempty(resolved))
resolved = mfree(resolved);
else if (!fdname_is_valid(resolved)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid file descriptor name: %s", resolved);
return -EINVAL;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
}
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
eo = EXEC_OUTPUT_NAMED_FD;
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
} else if ((n = startswith(rvalue, "file:"))) {
r = unit_full_printf(u, n, &resolved);
if (r < 0)
return log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s: %m", n);
if (!path_is_absolute(resolved)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "file: requires an absolute path name: %s", resolved);
return -EINVAL;
}
fs-util: rename path_is_safe() → path_is_normalized() Already, path_is_safe() refused paths container the "." dir. Doing that isn't strictly necessary to be "safe" by most definitions of the word. But it is necessary in order to consider a path "normalized". Hence, "path_is_safe()" is slightly misleading a name, but "path_is_normalize()" is more descriptive, hence let's rename things accordingly. No functional changes.
2017-10-27 16:28:15 +02:00
if (!path_is_normalized(resolved)) {
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "file: requires a normalized path name, ignoring: %s", resolved);
return -EINVAL;
}
eo = EXEC_OUTPUT_FILE;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
} else {
eo = exec_output_from_string(rvalue);
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
if (eo < 0) {
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse output specifier, ignoring: %s", rvalue);
return 0;
}
}
if (streq(lvalue, "StandardOutput")) {
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
if (eo == EXEC_OUTPUT_NAMED_FD)
free_and_replace(c->stdio_fdname[STDOUT_FILENO], resolved);
else
free_and_replace(c->stdio_file[STDOUT_FILENO], resolved);
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
c->std_output = eo;
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
} else {
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
assert(streq(lvalue, "StandardError"));
if (eo == EXEC_OUTPUT_NAMED_FD)
free_and_replace(c->stdio_fdname[STDERR_FILENO], resolved);
else
free_and_replace(c->stdio_file[STDERR_FILENO], resolved);
c->std_error = eo;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
}
core: add support for StandardInputFile= and friends These new settings permit specifiying arbitrary paths as stdin/stdout/stderr locations. We try to open/create them as necessary. Some special magic is applied: 1) if the same path is specified for both input and output/stderr, we'll open it only once O_RDWR, and duplicate them fd instead. 2) If we an AF_UNIX socket path is specified, we'll connect() to it, rather than open() it. This allows invoking systemd services with stdin/stdout/stderr connected to arbitrary foreign service sockets. Fixes: #3991
2017-10-27 16:09:57 +02:00
return 0;
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
}
s/name/unit
2010-01-26 21:39:06 +01:00
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_exec_io_class(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
ExecContext *c = data;
int x;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
shared, core: do not always accept numbers in string lookups The behaviour of the common name##_from_string conversion is surprising. It accepts not only the strings from name##_table but also any number that falls within the range of the table. The order of items in most of our tables is an internal affair. It should not be visible to the user. I know of a case where the surprising numeric conversion leads to a crash. We will allow the direct numeric conversion only for the tables where the mapping of strings to numeric values has an external meaning. This holds for the following lookup tables: - netlink_family, ioprio_class, ip_tos, sched_policy - their numeric values are stable as they are defined by the Linux kernel interface. - log_level, log_facility_unshifted - the well-known syslog interface. We allow the user to use numeric values whose string names systemd does not know. For instance, the user may want to test a new kernel featuring a scheduling policy that did not exist when his systemd version was released. A slightly unpleasant effect of this is that the name##_to_string conversion cannot return pointers to constant strings anymore. The strings have to be allocated on demand and freed by the caller.
2012-10-30 14:29:38 +01:00
x = ioprio_class_from_string(rvalue);
if (x < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse IO scheduling class, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
load-fragment: simplify fragment loading code by using macros
2010-04-13 02:22:41 +02:00
}
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
c->ioprio = IOPRIO_PRIO_VALUE(x, IOPRIO_PRIO_DATA(c->ioprio));
c->ioprio_set = true;
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_exec_io_priority(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
ExecContext *c = data;
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int i, r;
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
core: make IOSchedulingClass= and IOSchedulingPriority= settable for transient units This patch is a bit more complex thant I hoped. In particular the single IOScheduling= property exposed on the bus is split up into IOSchedulingClass= and IOSchedulingPriority= (though compat is retained). Otherwise the asymmetry between setting props and getting them is a bit too nasty. Fixes #5613
2017-06-26 17:40:08 +02:00
r = ioprio_parse_priority(rvalue, &i);
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse IO priority, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
implement proper logging for services
2010-01-28 02:06:20 +01:00
}
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_PRIO_CLASS(c->ioprio), i);
c->ioprio_set = true;
implement proper logging for services
2010-01-28 02:06:20 +01:00
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_exec_cpu_sched_policy(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
support chrooting/setting of ioprio when spawning
2010-01-29 20:46:22 +01:00
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
ExecContext *c = data;
int x;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
shared, core: do not always accept numbers in string lookups The behaviour of the common name##_from_string conversion is surprising. It accepts not only the strings from name##_table but also any number that falls within the range of the table. The order of items in most of our tables is an internal affair. It should not be visible to the user. I know of a case where the surprising numeric conversion leads to a crash. We will allow the direct numeric conversion only for the tables where the mapping of strings to numeric values has an external meaning. This holds for the following lookup tables: - netlink_family, ioprio_class, ip_tos, sched_policy - their numeric values are stable as they are defined by the Linux kernel interface. - log_level, log_facility_unshifted - the well-known syslog interface. We allow the user to use numeric values whose string names systemd does not know. For instance, the user may want to test a new kernel featuring a scheduling policy that did not exist when his systemd version was released. A slightly unpleasant effect of this is that the name##_to_string conversion cannot return pointers to constant strings anymore. The strings have to be allocated on demand and freed by the caller.
2012-10-30 14:29:38 +01:00
x = sched_policy_from_string(rvalue);
if (x < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse CPU scheduling policy, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
load-fragment: simplify fragment loading code by using macros
2010-04-13 02:22:41 +02:00
}
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
c->cpu_sched_policy = x;
sched: Only setting CPUSchedulingPriority=rr doesn't work A service that only sets the scheduling policy to round-robin fails to be started. This is because the cpu_sched_priority is initialized to 0 and is not adjusted when the policy is changed. Clamp the cpu_sched_priority when the scheduler policy is set. Use the current policy to validate the new priority. Change the manual page to state that the given range only applies to the real-time scheduling policies. Add a testcase that verifies this change: $ make test-sched-prio; ./test-sched-prio [test/sched_idle_bad.service:6] CPU scheduling priority is out of range, ignoring: 1 [test/sched_rr_bad.service:7] CPU scheduling priority is out of range, ignoring: 0 [test/sched_rr_bad.service:8] CPU scheduling priority is out of range, ignoring: 100
2012-11-01 18:48:11 +01:00
/* Moving to or from real-time policy? We need to adjust the priority */
c->cpu_sched_priority = CLAMP(c->cpu_sched_priority, sched_get_priority_min(x), sched_get_priority_max(x));
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
c->cpu_sched_set = true;
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_exec_cpu_sched_prio(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
support chrooting/setting of ioprio when spawning
2010-01-29 20:46:22 +01:00
ExecContext *c = data;
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int i, min, max, r;
support chrooting/setting of ioprio when spawning
2010-01-29 20:46:22 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
r = safe_atoi(rvalue, &i);
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse CPU scheduling policy, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
}
support chrooting/setting of ioprio when spawning
2010-01-29 20:46:22 +01:00
sched: Only setting CPUSchedulingPriority=rr doesn't work A service that only sets the scheduling policy to round-robin fails to be started. This is because the cpu_sched_priority is initialized to 0 and is not adjusted when the policy is changed. Clamp the cpu_sched_priority when the scheduler policy is set. Use the current policy to validate the new priority. Change the manual page to state that the given range only applies to the real-time scheduling policies. Add a testcase that verifies this change: $ make test-sched-prio; ./test-sched-prio [test/sched_idle_bad.service:6] CPU scheduling priority is out of range, ignoring: 1 [test/sched_rr_bad.service:7] CPU scheduling priority is out of range, ignoring: 0 [test/sched_rr_bad.service:8] CPU scheduling priority is out of range, ignoring: 100
2012-11-01 18:48:11 +01:00
/* On Linux RR/FIFO range from 1 to 99 and OTHER/BATCH may only be 0 */
min = sched_get_priority_min(c->cpu_sched_policy);
max = sched_get_priority_max(c->cpu_sched_policy);
if (i < min || i > max) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "CPU scheduling priority is out of range, ignoring: %s", rvalue);
sched: Only setting CPUSchedulingPriority=rr doesn't work A service that only sets the scheduling policy to round-robin fails to be started. This is because the cpu_sched_priority is initialized to 0 and is not adjusted when the policy is changed. Clamp the cpu_sched_priority when the scheduler policy is set. Use the current policy to validate the new priority. Change the manual page to state that the given range only applies to the real-time scheduling policies. Add a testcase that verifies this change: $ make test-sched-prio; ./test-sched-prio [test/sched_idle_bad.service:6] CPU scheduling priority is out of range, ignoring: 1 [test/sched_rr_bad.service:7] CPU scheduling priority is out of range, ignoring: 0 [test/sched_rr_bad.service:8] CPU scheduling priority is out of range, ignoring: 100
2012-11-01 18:48:11 +01:00
return 0;
}
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
c->cpu_sched_priority = i;
c->cpu_sched_set = true;
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_exec_cpu_affinity(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
ExecContext *c = data;
load-fragment: Use parse_cpu_set in CPUAffinity support Tested with a dummy service running 'sleep', modifying its CPUAffinity, restarting the service and checking the ^Cpus_allowed entries in the /proc/PID/status file.
2015-09-25 04:25:20 +02:00
_cleanup_cpu_free_ cpu_set_t *cpuset = NULL;
int ncpus;
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
util: rename parse_cpu_set() to parse_cpu_set_and_warn() It's pretty untypical for our parsing functions to log on their own. Clarify in the name that this one does.
2015-09-30 20:16:51 +02:00
ncpus = parse_cpu_set_and_warn(rvalue, &cpuset, unit, filename, line, lvalue);
load-fragment: Use parse_cpu_set in CPUAffinity support Tested with a dummy service running 'sleep', modifying its CPUAffinity, restarting the service and checking the ^Cpus_allowed entries in the /proc/PID/status file.
2015-09-25 04:25:20 +02:00
if (ncpus < 0)
return ncpus;
main: implement manager configuration file
2010-07-07 01:10:27 +02:00
core: merge multiple CPUAffinity= settings
2017-11-30 15:16:58 +01:00
if (ncpus == 0) {
load-fragment: Use parse_cpu_set in CPUAffinity support Tested with a dummy service running 'sleep', modifying its CPUAffinity, restarting the service and checking the ^Cpus_allowed entries in the /proc/PID/status file.
2015-09-25 04:25:20 +02:00
/* An empty assignment resets the CPU list */
core: merge multiple CPUAffinity= settings
2017-11-30 15:16:58 +01:00
c->cpuset = cpu_set_mfree(c->cpuset);
c->cpuset_ncpus = 0;
return 0;
}
if (!c->cpuset) {
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
c->cpuset = TAKE_PTR(cpuset);
core: merge multiple CPUAffinity= settings
2017-11-30 15:16:58 +01:00
c->cpuset_ncpus = (unsigned) ncpus;
return 0;
}
if (c->cpuset_ncpus < (unsigned) ncpus) {
CPU_OR_S(CPU_ALLOC_SIZE(c->cpuset_ncpus), cpuset, c->cpuset, cpuset);
CPU_FREE(c->cpuset);
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
c->cpuset = TAKE_PTR(cpuset);
core: merge multiple CPUAffinity= settings
2017-11-30 15:16:58 +01:00
c->cpuset_ncpus = (unsigned) ncpus;
return 0;
support chrooting/setting of ioprio when spawning
2010-01-29 20:46:22 +01:00
}
core: merge multiple CPUAffinity= settings
2017-11-30 15:16:58 +01:00
CPU_OR_S(CPU_ALLOC_SIZE((unsigned) ncpus), c->cpuset, c->cpuset, cpuset);
support chrooting/setting of ioprio when spawning
2010-01-29 20:46:22 +01:00
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_exec_secure_bits(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
ExecContext *c = data;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
int r;
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* An empty assignment resets the field */
c->secure_bits = 0;
return 0;
}
securebits-util: add secure_bits_{from_string,to_string_alloc}()
2017-08-07 16:40:25 +02:00
r = secure_bits_from_string(rvalue);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax, ignoring: %s", rvalue);
return 0;
}
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
securebits-util: add secure_bits_{from_string,to_string_alloc}()
2017-08-07 16:40:25 +02:00
c->secure_bits = r;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
securebits-util: add secure_bits_{from_string,to_string_alloc}()
2017-08-07 16:40:25 +02:00
return 0;
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
}
capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.
2016-01-07 23:00:04 +01:00
int config_parse_capability_set(
core: simplify parsing of capability bounding set settings Let's generate a simple error, and that's it. Let's not try to be smart and record the last word that failed. Also, let's make sure we don't compare numeric values with 0 by relying on C's downgrade-to-bool feature, as suggested in CODING_STYLE.
2015-11-10 16:08:03 +01:00
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.
2016-01-07 23:00:04 +01:00
uint64_t *capability_set = data;
uint64_t sum = 0, initial = 0;
exec: properly apply capability bounding set, add inverted bounding sets
2011-03-18 03:13:15 +01:00
bool invert = false;
cap-list: add capability_set_{from_string,to_string_alloc}()
2017-08-07 16:25:11 +02:00
int r;
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
exec: properly apply capability bounding set, add inverted bounding sets
2011-03-18 03:13:15 +01:00
if (rvalue[0] == '~') {
invert = true;
rvalue++;
}
core: replace strcmp() == 0 with streq()
2017-08-01 01:55:15 +02:00
if (streq(lvalue, "CapabilityBoundingSet"))
capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.
2016-01-07 23:00:04 +01:00
initial = CAP_ALL; /* initialized to all bits on */
capabilities: added support for ambient capabilities. This patch adds support for ambient capabilities in service files. The idea with ambient capabilities is that the execed processes can run with non-root user and get some inherited capabilities, without having any need to add the capabilities to the executable file. You need at least Linux 4.3 to use ambient capabilities. SecureBit keep-caps is automatically added when you use ambient capabilities and wish to change the user. An example system service file might look like this: [Unit] Description=Service for testing caps [Service] ExecStart=/usr/bin/sleep 10000 User=nobody AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW After starting the service it has these capabilities: CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000003fffffffff CapAmb: 0000000000003000
2015-12-31 13:54:44 +01:00
/* else "AmbientCapabilities" initialized to all bits off */
exec: properly apply capability bounding set, add inverted bounding sets
2011-03-18 03:13:15 +01:00
cap-list: add capability_set_{from_string,to_string_alloc}()
2017-08-07 16:25:11 +02:00
r = capability_set_from_string(rvalue, &sum);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse word: %s", rvalue);
return 0;
greatly extend what we enforce as process properties
2010-01-30 01:55:42 +01:00
}
support chrooting/setting of ioprio when spawning
2010-01-29 20:46:22 +01:00
capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.
2016-01-07 23:00:04 +01:00
if (sum == 0 || *capability_set == initial)
core: merge the second CapabilityBoundingSet= lines by AND when it is prefixed with tilde (#6724) If a unit file contains multiple CapabilityBoundingSet= or AmbientCapabilities= lines, e.g., === CapabilityBoundingSet=CAP_A CAP_B CapabilityBoundingSet=~CAP_B CAP_C === before this commit, it results all capabilities except CAP_C are set to CapabilityBoundingSet=, as each lines are always merged by OR. This commit makes lines prefixed with ~ are merged by AND. So, for the above example only CAP_A is set. This makes easier to drop capabilities with drop-in config files.
2017-09-04 05:12:27 +02:00
/* "", "~" or uninitialized data -> replace */
*capability_set = invert ? ~sum : sum;
else {
capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.
2016-01-07 23:00:04 +01:00
/* previous data -> merge */
core: merge the second CapabilityBoundingSet= lines by AND when it is prefixed with tilde (#6724) If a unit file contains multiple CapabilityBoundingSet= or AmbientCapabilities= lines, e.g., === CapabilityBoundingSet=CAP_A CAP_B CapabilityBoundingSet=~CAP_B CAP_C === before this commit, it results all capabilities except CAP_C are set to CapabilityBoundingSet=, as each lines are always merged by OR. This commit makes lines prefixed with ~ are merged by AND. So, for the above example only CAP_A is set. This makes easier to drop capabilities with drop-in config files.
2017-09-04 05:12:27 +02:00
if (invert)
*capability_set &= ~sum;
else
*capability_set |= sum;
}
exec: properly apply capability bounding set, add inverted bounding sets
2011-03-18 03:13:15 +01:00
support chrooting/setting of ioprio when spawning
2010-01-29 20:46:22 +01:00
return 0;
}
core: support <soft:hard> ranges for RLIMIT options The new parser supports: <value> - specify both limits to the same value <soft:hard> - specify both limits the size or time specific suffixes are supported, for example LimitRTTIME=1sec LimitAS=4G:16G The patch introduces parse_rlimit_range() and rlim type (size, sec, usec, etc.) specific parsers. No code is duplicated now. The patch also sync docs for DefaultLimitXXX= and LimitXXX=. References: https://github.com/systemd/systemd/issues/1769
2015-11-20 12:54:10 +01:00
int config_parse_limit(
core: when parsing resource limits, be more careful with types and corner cases Let's not convert RLIM_INFINITY to "unsigned long long" and then back to rlim_t, but let's leave it in the right type right-away. Parse resource limits as 64 bit in all cases, as according to the man page that's what libc does anyway. Make sure setting a resource limit to (uint64_t) -1 results in a parsing error, and isn't implicitly converted to RLIM_INFINITY.
2015-11-10 16:10:24 +01:00
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
core: support IEC suffixes for RLIMIT stuff Let's make things more user-friendly and support for example LimitAS=16G rather than force users to always use LimitAS=16106127360. The change is relevant for options: [Default]Limit{FSIZE,DATA,STACK,CORE,RSS,AS,MEMLOCK,MSGQUEUE} The patch introduces config_parse_bytes_limit(), it's the same as config_parse_limit() but uses parse_size() tu support the suffixes. Addresses: https://github.com/systemd/systemd/issues/1772
2015-11-06 11:06:52 +01:00
core: move parsing of rlimits into rlimit-util.[ch] This way we can reuse it for parsing rlimit settings in "systemctl set-property" and related commands.
2016-02-01 21:07:09 +01:00
struct rlimit **rl = data, d = {};
int r;
core: accept time units for time-based resource limits Let's make sure "LimitCPU=30min" can be parsed properly, following the usual logic how we parse time values. Similar for LimitRTTIME=. While we are at it, extend a bit on the man page section about resource limits. Fixes: #1772
2015-11-10 16:52:52 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
core: move parsing of rlimits into rlimit-util.[ch] This way we can reuse it for parsing rlimit settings in "systemctl set-property" and related commands.
2016-02-01 21:07:09 +01:00
r = rlimit_parse(ltype, rvalue, &d);
if (r == -EILSEQ) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Soft resource limit chosen higher than hard limit, ignoring: %s", rvalue);
return 0;
}
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse resource value, ignoring: %s", rvalue);
return 0;
}
core: accept time units for time-based resource limits Let's make sure "LimitCPU=30min" can be parsed properly, following the usual logic how we parse time values. Similar for LimitRTTIME=. While we are at it, extend a bit on the man page section about resource limits. Fixes: #1772
2015-11-10 16:52:52 +01:00
core: move parsing of rlimits into rlimit-util.[ch] This way we can reuse it for parsing rlimit settings in "systemctl set-property" and related commands.
2016-02-01 21:07:09 +01:00
if (rl[ltype])
*rl[ltype] = d;
else {
rl[ltype] = newdup(struct rlimit, &d, 1);
if (!rl[ltype])
return log_oom();
}
core: accept time units for time-based resource limits Let's make sure "LimitCPU=30min" can be parsed properly, following the usual logic how we parse time values. Similar for LimitRTTIME=. While we are at it, extend a bit on the man page section about resource limits. Fixes: #1772
2015-11-10 16:52:52 +01:00
core: move parsing of rlimits into rlimit-util.[ch] This way we can reuse it for parsing rlimit settings in "systemctl set-property" and related commands.
2016-02-01 21:07:09 +01:00
return 0;
core: support <soft:hard> ranges for RLIMIT options The new parser supports: <value> - specify both limits to the same value <soft:hard> - specify both limits the size or time specific suffixes are supported, for example LimitRTTIME=1sec LimitAS=4G:16G The patch introduces parse_rlimit_range() and rlim type (size, sec, usec, etc.) specific parsers. No code is duplicated now. The patch also sync docs for DefaultLimitXXX= and LimitXXX=. References: https://github.com/systemd/systemd/issues/1769
2015-11-20 12:54:10 +01:00
}
core: accept time units for time-based resource limits Let's make sure "LimitCPU=30min" can be parsed properly, following the usual logic how we parse time values. Similar for LimitRTTIME=. While we are at it, extend a bit on the man page section about resource limits. Fixes: #1772
2015-11-10 16:52:52 +01:00
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SYSV_COMPAT
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_sysv_priority(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
sysv: allow configuration of SysV start priority from new-style service files, too
2010-04-06 02:40:10 +02:00
int *priority = data;
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int i, r;
sysv: allow configuration of SysV start priority from new-style service files, too
2010-04-06 02:40:10 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
r = safe_atoi(rvalue, &i);
if (r < 0 || i < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse SysV start priority, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
sysv: allow configuration of SysV start priority from new-style service files, too
2010-04-06 02:40:10 +02:00
}
*priority = (int) i;
return 0;
}
sysv: optionally disable of SysV init/rcN.d support at compile time This patch adds a cpp definition HAVE_SYSV_COMPAT that is used to isolate code dealing with /etc/init.d and /etc/rcN.d for systems where it does not make sense (one that does not use sysv or one that is fully systemd native). The patch tries to be as little intrusive as possible, however in order to minimize the number of #ifdef'ed regions I've reordered some code in path-lookup.c:lookup_paths_init() where all code dealing with sysv is now isolated under running_as == MANAGER_SYSTEM as well. Moreover, In struct Service, some fields were rearranged to reduce the number of ifdefs. Lennart's suggestions were fixed and squashed with the original patch, that was sent by Gustavo Sverzut Barbieri (barbieri@profusion.mobi).
2010-09-21 05:23:12 +02:00
#endif
sysv: allow configuration of SysV start priority from new-style service files, too
2010-04-06 02:40:10 +02:00
core: optionally create LOGIN_PROCESS or USER_PROCESS utmp entries When generating utmp/wtmp entries, optionally add both LOGIN_PROCESS and INIT_PROCESS entries or even all three of LOGIN_PROCESS, INIT_PROCESS and USER_PROCESS entries, instead of just a single INIT_PROCESS entry. With this change systemd may be used to not only invoke a getty directly in a SysV-compliant way but alternatively also a login(1) implementation or even forego getty and login entirely, and invoke arbitrary shells in a way that they appear in who(1) or w(1). This is preparation for a later commit that adds a "machinectl shell" operation to invoke a shell in a container, in a way that is compatible with who(1) and w(1).
2015-08-23 13:14:04 +02:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode, "Failed to parse utmp mode");
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_kill_mode, kill_mode, KillMode, "Failed to parse kill mode");
execute: make kill mode configurable
2010-04-08 00:52:14 +02:00
core: hook up MountFlags= to the transient unit logic This makes "systemd-run -p MountFlags=shared -t /bin/sh" work, by making MountFlags= to the list of properties that may be accessed transiently.
2016-11-22 20:19:08 +01:00
int config_parse_exec_mount_flags(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
core: mount flags remove FOREACH_WORD_SEPARATOR FOREACH_WORD_SEPARATOR is no need here since we only apply only one mount flag. The rvalue is sufficient for this.
2015-11-24 02:38:45 +01:00
ExecContext *c = data;
Modify mount_propagation_flags_from_string to return a normal int code This means that callers can distiguish an error from flags==0, and don't have to special-case the empty string.
2016-12-03 19:57:42 +01:00
int r;
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
Modify mount_propagation_flags_from_string to return a normal int code This means that callers can distiguish an error from flags==0, and don't have to special-case the empty string.
2016-12-03 19:57:42 +01:00
r = mount_propagation_flags_from_string(rvalue, &c->mount_flags);
if (r < 0)
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse mount flag %s, ignoring.", rvalue);
core: mount flags remove FOREACH_WORD_SEPARATOR FOREACH_WORD_SEPARATOR is no need here since we only apply only one mount flag. The rvalue is sufficient for this.
2015-11-24 02:38:45 +01:00
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
return 0;
}
core: store and expose SELinuxContext field normalized as bool + string
2014-02-17 16:52:52 +01:00
int config_parse_exec_selinux_context(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
Unit *u = userdata;
bool ignore;
char *k;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.
2015-09-08 18:43:11 +02:00
c->selinux_context = mfree(c->selinux_context);
core: store and expose SELinuxContext field normalized as bool + string
2014-02-17 16:52:52 +01:00
c->selinux_context_ignore = false;
return 0;
}
if (rvalue[0] == '-') {
ignore = true;
rvalue++;
} else
ignore = false;
core: use unit_full_printf() at a couple of locations we used unit_name_printf() before For settings that are not taking unit names there's no reason to use unit_name_printf(). Use unit_full_printf() instead, as the names are validated anyway in one form or another after expansion.
2016-12-05 19:25:44 +01:00
r = unit_full_printf(u, rvalue, &k);
core: store and expose SELinuxContext field normalized as bool + string
2014-02-17 16:52:52 +01:00
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve specifiers%s: %m",
ignore ? ", ignoring" : "");
return ignore ? 0 : -ENOEXEC;
core: store and expose SELinuxContext field normalized as bool + string
2014-02-17 16:52:52 +01:00
}
free(c->selinux_context);
c->selinux_context = k;
c->selinux_context_ignore = ignore;
return 0;
}
core: Add AppArmor profile switching This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature.
2014-02-20 16:19:44 +01:00
int config_parse_exec_apparmor_profile(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
Unit *u = userdata;
bool ignore;
char *k;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.
2015-09-08 18:43:11 +02:00
c->apparmor_profile = mfree(c->apparmor_profile);
core: Add AppArmor profile switching This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature.
2014-02-20 16:19:44 +01:00
c->apparmor_profile_ignore = false;
return 0;
}
if (rvalue[0] == '-') {
ignore = true;
rvalue++;
} else
ignore = false;
core: use unit_full_printf() at a couple of locations we used unit_name_printf() before For settings that are not taking unit names there's no reason to use unit_name_printf(). Use unit_full_printf() instead, as the names are validated anyway in one form or another after expansion.
2016-12-05 19:25:44 +01:00
r = unit_full_printf(u, rvalue, &k);
core: Add AppArmor profile switching This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature.
2014-02-20 16:19:44 +01:00
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve specifiers%s: %m",
ignore ? ", ignoring" : "");
return ignore ? 0 : -ENOEXEC;
core: Add AppArmor profile switching This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature.
2014-02-20 16:19:44 +01:00
}
free(c->apparmor_profile);
c->apparmor_profile = k;
c->apparmor_profile_ignore = ignore;
return 0;
}
smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]
2014-11-24 12:46:20 +01:00
int config_parse_exec_smack_process_label(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
Unit *u = userdata;
bool ignore;
char *k;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.
2015-09-08 18:43:11 +02:00
c->smack_process_label = mfree(c->smack_process_label);
smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]
2014-11-24 12:46:20 +01:00
c->smack_process_label_ignore = false;
return 0;
}
if (rvalue[0] == '-') {
ignore = true;
rvalue++;
} else
ignore = false;
core: use unit_full_printf() at a couple of locations we used unit_name_printf() before For settings that are not taking unit names there's no reason to use unit_name_printf(). Use unit_full_printf() instead, as the names are validated anyway in one form or another after expansion.
2016-12-05 19:25:44 +01:00
r = unit_full_printf(u, rvalue, &k);
smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]
2014-11-24 12:46:20 +01:00
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve specifiers%s: %m",
ignore ? ", ignoring" : "");
return ignore ? 0 : -ENOEXEC;
smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]
2014-11-24 12:46:20 +01:00
}
free(c->smack_process_label);
c->smack_process_label = k;
c->smack_process_label_ignore = ignore;
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_timer(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
Timer *t = data;
load-fragment: Resolve specifiers in OnCalendar and On*Sec Resolves #3534
2016-08-26 18:13:16 +02:00
usec_t usec = 0;
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
TimerValue *v;
TimerBase b;
timer: implement calendar time events
2012-11-23 21:37:58 +01:00
CalendarSpec *c = NULL;
load-fragment: Resolve specifiers in OnCalendar and On*Sec Resolves #3534
2016-08-26 18:13:16 +02:00
Unit *u = userdata;
_cleanup_free_ char *k = NULL;
int r;
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* Empty assignment resets list */
timer_free_values(t);
return 0;
}
timer: implement calendar time events
2012-11-23 21:37:58 +01:00
b = timer_base_from_string(lvalue);
if (b < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse timer base, ignoring: %s", lvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
}
load-fragment: Resolve specifiers in OnCalendar and On*Sec Resolves #3534
2016-08-26 18:13:16 +02:00
r = unit_full_printf(u, rvalue, &k);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in %s, ignoring: %m", rvalue);
return 0;
}
timer: implement calendar time events
2012-11-23 21:37:58 +01:00
if (b == TIMER_CALENDAR) {
load-fragment: Resolve specifiers in OnCalendar and On*Sec Resolves #3534
2016-08-26 18:13:16 +02:00
if (calendar_spec_from_string(k, &c) < 0) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse calendar specification, ignoring: %s", k);
timer: implement calendar time events
2012-11-23 21:37:58 +01:00
return 0;
}
} else {
load-fragment: Resolve specifiers in OnCalendar and On*Sec Resolves #3534
2016-08-26 18:13:16 +02:00
if (parse_sec(k, &usec) < 0) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse timer value, ignoring: %s", k);
timer: implement calendar time events
2012-11-23 21:37:58 +01:00
return 0;
}
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
}
timer: implement calendar time events
2012-11-23 21:37:58 +01:00
v = new0(TimerValue, 1);
core: fix a potential mem leak Found with Coverity. Fixes: CID#996438
2014-09-13 12:35:06 +02:00
if (!v) {
calendar: make freeing a calendar spec object deal fine with NULL In order to make object destruction easier (in particular in combination with _cleanup_) we usually make destructors deal with NULL objects as NOPs. Change the calendar spec destructor to follow the same scheme.
2014-10-24 18:33:29 +02:00
calendar_spec_free(c);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return log_oom();
core: fix a potential mem leak Found with Coverity. Fixes: CID#996438
2014-09-13 12:35:06 +02:00
}
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
v->base = b;
load-fragment: Resolve specifiers in OnCalendar and On*Sec Resolves #3534
2016-08-26 18:13:16 +02:00
v->value = usec;
timer: implement calendar time events
2012-11-23 21:37:58 +01:00
v->calendar_spec = c;
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
list: make our list macros a bit easier to use by not requring type spec on each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.
2013-10-14 06:10:14 +02:00
LIST_PREPEND(value, t->values, v);
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
return 0;
}
unit: rework trigger dependency logic Instead of having explicit type-specific callbacks that inform the triggering unit when a triggered unit changes state, make this generic so that state changes are forwarded betwee any triggered and triggering unit. Also, get rid of UnitRef references from automount, timer, path units, to the units they trigger and rely exclsuively on UNIT_TRIGGER type dendencies.
2013-04-23 20:53:16 +02:00
int config_parse_trigger_unit(
const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
unit: rework trigger dependency logic Instead of having explicit type-specific callbacks that inform the triggering unit when a triggered unit changes state, make this generic so that state changes are forwarded betwee any triggered and triggering unit. Also, get rid of UnitRef references from automount, timer, path units, to the units they trigger and rely exclsuively on UNIT_TRIGGER type dendencies.
2013-04-23 20:53:16 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
_cleanup_free_ char *p = NULL;
unit: rework trigger dependency logic Instead of having explicit type-specific callbacks that inform the triggering unit when a triggered unit changes state, make this generic so that state changes are forwarded betwee any triggered and triggering unit. Also, get rid of UnitRef references from automount, timer, path units, to the units they trigger and rely exclsuively on UNIT_TRIGGER type dendencies.
2013-04-23 20:53:16 +02:00
Unit *u = data;
UnitType type;
int r;
dbus: make errors reported via D-Bus more useful
2010-07-08 02:43:18 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
if (!hashmap_isempty(u->dependencies[UNIT_TRIGGERS])) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Multiple units to trigger specified, ignoring: %s", rvalue);
unit: rework trigger dependency logic Instead of having explicit type-specific callbacks that inform the triggering unit when a triggered unit changes state, make this generic so that state changes are forwarded betwee any triggered and triggering unit. Also, get rid of UnitRef references from automount, timer, path units, to the units they trigger and rely exclsuively on UNIT_TRIGGER type dendencies.
2013-04-23 20:53:16 +02:00
return 0;
}
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_name_printf(u, rvalue, &p);
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %m");
return 0;
}
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
type = unit_name_to_type(p);
unit: rework trigger dependency logic Instead of having explicit type-specific callbacks that inform the triggering unit when a triggered unit changes state, make this generic so that state changes are forwarded betwee any triggered and triggering unit. Also, get rid of UnitRef references from automount, timer, path units, to the units they trigger and rely exclsuively on UNIT_TRIGGER type dendencies.
2013-04-23 20:53:16 +02:00
if (type < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Unit type not valid, ignoring: %s", rvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
}
Allow timers to trigger timers (#8043) Unlike any other unit type, it makes sense for a timer to start another timer. It is an easy way to crate logical "and" between time conditions for instance, every day but no less than 5' after boot can easily be implemented by a OnBootSec triggering an OnCalendar. This is particulary usefull with Persistant timers which tend to all fire together at startup
2018-02-14 14:10:07 +01:00
if (unit_has_name(u, p)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Units cannot trigger themselves, ignoring: %s", rvalue);
unit: rework trigger dependency logic Instead of having explicit type-specific callbacks that inform the triggering unit when a triggered unit changes state, make this generic so that state changes are forwarded betwee any triggered and triggering unit. Also, get rid of UnitRef references from automount, timer, path units, to the units they trigger and rely exclsuively on UNIT_TRIGGER type dendencies.
2013-04-23 20:53:16 +02:00
return 0;
}
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
r = unit_add_two_dependencies_by_name(u, UNIT_BEFORE, UNIT_TRIGGERS, p, NULL, true, UNIT_DEPENDENCY_FILE);
unit: properly update references to units which are merged When we merge units that some kind of object points to, those pointers might become invalidated, and needs to be updated. Introduce a UnitRef struct which links up all the unit references, to ensure corrected references. At the same time, drop configured_sockets in the Service object, and replace it by proper UNIT_TRIGGERS resp. UNIT_TRIGGERED_BY dependencies, which allow us to simplify a lot of code.
2012-01-06 23:08:54 +01:00
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to add trigger on %s, ignoring: %m", p);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
timer: fully implement timer units
2010-05-24 01:45:54 +02:00
}
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_path_spec(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
path: add .path unit type for monitoring files
2010-05-24 05:25:33 +02:00
Path *p = data;
PathSpec *s;
PathType b;
move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-18 09:11:22 +02:00
_cleanup_free_ char *k = NULL;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
int r;
path: add .path unit type for monitoring files
2010-05-24 05:25:33 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* Empty assignment clears list */
path_free_specs(p);
return 0;
}
path: support specifier resolvin in .path units
2012-09-19 20:09:27 +02:00
b = path_type_from_string(lvalue);
if (b < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse path type, ignoring: %s", lvalue);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
path: add .path unit type for monitoring files
2010-05-24 05:25:33 +02:00
}
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(UNIT(p), rvalue, &k);
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s. Ignoring.", rvalue);
return 0;
specifier: when resolving specifier strings when loading configuration, don't misunderstand parse failures as OOM http://lists.freedesktop.org/archives/systemd-devel/2013-February/009179.html
2013-03-01 14:54:55 +01:00
}
path: support specifier resolvin in .path units
2012-09-19 20:09:27 +02:00
if (!path_is_absolute(k)) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Path is not absolute, ignoring: %s", k);
load-fragment: make parser more forgiving
2010-08-17 03:30:53 +02:00
return 0;
path: add .path unit type for monitoring files
2010-05-24 05:25:33 +02:00
}
path: support specifier resolvin in .path units
2012-09-19 20:09:27 +02:00
s = new0(PathSpec, 1);
core/main: use _cleanup_
2013-04-16 03:58:22 +02:00
if (!s)
path: support specifier resolvin in .path units
2012-09-19 20:09:27 +02:00
return log_oom();
path: add .path unit type for monitoring files
2010-05-24 05:25:33 +02:00
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-19 21:12:59 +01:00
s->unit = UNIT(p);
path: support specifier resolvin in .path units
2012-09-19 20:09:27 +02:00
s->path = path_kill_slashes(k);
core/main: use _cleanup_
2013-04-16 03:58:22 +02:00
k = NULL;
path: add .path unit type for monitoring files
2010-05-24 05:25:33 +02:00
s->type = b;
s->inotify_fd = -1;
list: make our list macros a bit easier to use by not requring type spec on each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.
2013-10-14 06:10:14 +02:00
LIST_PREPEND(spec, p->specs, s);
path: add .path unit type for monitoring files
2010-05-24 05:25:33 +02:00
return 0;
}
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
int config_parse_socket_service(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
socket: make service to start on incoming traffic configurable
2010-09-30 02:19:12 +02:00
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.
2015-11-27 19:13:45 +01:00
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
core: add support for naming file descriptors passed using socket activation This adds support for naming file descriptors passed using socket activation. The names are passed in a new $LISTEN_FDNAMES= environment variable, that matches the existign $LISTEN_FDS= one and contains a colon-separated list of names. This also adds support for naming fds submitted to the per-service fd store using FDNAME= in the sd_notify() message. This also adds a new FileDescriptorName= setting for socket unit files to set the name for fds created by socket units. This also adds a new call sd_listen_fds_with_names(), that is similar to sd_listen_fds(), but also returns the names of the fds. systemd-activate gained the new --fdname= switch to specify a name for testing socket activation. This is based on #1247 by Maciej Wereski. Fixes #1247.
2015-10-04 17:36:19 +02:00
_cleanup_free_ char *p = NULL;
socket: make service to start on incoming traffic configurable
2010-09-30 02:19:12 +02:00
Socket *s = data;
load-fragment: fix parsing of Socket= setting
2012-01-07 01:21:40 +01:00
Unit *x;
core: add support for naming file descriptors passed using socket activation This adds support for naming file descriptors passed using socket activation. The names are passed in a new $LISTEN_FDNAMES= environment variable, that matches the existign $LISTEN_FDS= one and contains a colon-separated list of names. This also adds support for naming fds submitted to the per-service fd store using FDNAME= in the sd_notify() message. This also adds a new FileDescriptorName= setting for socket unit files to set the name for fds created by socket units. This also adds a new call sd_listen_fds_with_names(), that is similar to sd_listen_fds(), but also returns the names of the fds. systemd-activate gained the new --fdname= switch to specify a name for testing socket activation. This is based on #1247 by Maciej Wereski. Fixes #1247.
2015-10-04 17:36:19 +02:00
int r;
socket: make service to start on incoming traffic configurable
2010-09-30 02:19:12 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_name_printf(UNIT(s), rvalue, &p);
service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces
2013-11-27 20:23:18 +01:00
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers: %s", rvalue);
return -ENOEXEC;
service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces
2013-11-27 20:23:18 +01:00
}
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces
2013-11-27 20:23:18 +01:00
if (!endswith(p, ".service")) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Unit must be of type service: %s", rvalue);
return -ENOEXEC;
socket: make service to start on incoming traffic configurable
2010-09-30 02:19:12 +02:00
}
service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces
2013-11-27 20:23:18 +01:00
r = manager_load_unit(UNIT(s)->manager, p, NULL, &error, &x);
load-fragment: fix parsing of Socket= setting
2012-01-07 01:21:40 +01:00
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to load unit %s: %s", rvalue, bus_error_message(&error, r));
return -ENOEXEC;
socket: make service to start on incoming traffic configurable
2010-09-30 02:19:12 +02:00
}
pid1: include the source unit in UnitRef No functional change. The source unit manages the reference. It allocates the UnitRef structure and registers it in the target unit, and then the reference must be destroyed before the source unit is destroyed. Thus, is should be OK to include the pointer to the source unit, it should be live as long as the reference exists. v2: - rename refs to refs_by_target
2018-02-13 13:12:43 +01:00
unit_ref_set(&s->service, UNIT(s), x);
load-fragment: fix parsing of Socket= setting
2012-01-07 01:21:40 +01:00
socket: make service to start on incoming traffic configurable
2010-09-30 02:19:12 +02:00
return 0;
}
core: add support for naming file descriptors passed using socket activation This adds support for naming file descriptors passed using socket activation. The names are passed in a new $LISTEN_FDNAMES= environment variable, that matches the existign $LISTEN_FDS= one and contains a colon-separated list of names. This also adds support for naming fds submitted to the per-service fd store using FDNAME= in the sd_notify() message. This also adds a new FileDescriptorName= setting for socket unit files to set the name for fds created by socket units. This also adds a new call sd_listen_fds_with_names(), that is similar to sd_listen_fds(), but also returns the names of the fds. systemd-activate gained the new --fdname= switch to specify a name for testing socket activation. This is based on #1247 by Maciej Wereski. Fixes #1247.
2015-10-04 17:36:19 +02:00
int config_parse_fdname(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *p = NULL;
Socket *s = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
s->fdname = mfree(s->fdname);
return 0;
}
core: use unit_full_printf() at a couple of locations we used unit_name_printf() before For settings that are not taking unit names there's no reason to use unit_name_printf(). Use unit_full_printf() instead, as the names are validated anyway in one form or another after expansion.
2016-12-05 19:25:44 +01:00
r = unit_full_printf(UNIT(s), rvalue, &p);
core: add support for naming file descriptors passed using socket activation This adds support for naming file descriptors passed using socket activation. The names are passed in a new $LISTEN_FDNAMES= environment variable, that matches the existign $LISTEN_FDS= one and contains a colon-separated list of names. This also adds support for naming fds submitted to the per-service fd store using FDNAME= in the sd_notify() message. This also adds a new FileDescriptorName= setting for socket unit files to set the name for fds created by socket units. This also adds a new call sd_listen_fds_with_names(), that is similar to sd_listen_fds(), but also returns the names of the fds. systemd-activate gained the new --fdname= switch to specify a name for testing socket activation. This is based on #1247 by Maciej Wereski. Fixes #1247.
2015-10-04 17:36:19 +02:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %s", rvalue);
return 0;
}
if (!fdname_is_valid(p)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid file descriptor name, ignoring: %s", p);
return 0;
}
tree-wide: introduce free_and_replace helper It's a common pattern, so add a helper for it. A macro is necessary because a function that takes a pointer to a pointer would be type specific, similarly to cleanup functions. Seems better to use a macro.
2016-10-17 01:23:35 +02:00
return free_and_replace(s->fdname, p);
core: add support for naming file descriptors passed using socket activation This adds support for naming file descriptors passed using socket activation. The names are passed in a new $LISTEN_FDNAMES= environment variable, that matches the existign $LISTEN_FDS= one and contains a colon-separated list of names. This also adds support for naming fds submitted to the per-service fd store using FDNAME= in the sd_notify() message. This also adds a new FileDescriptorName= setting for socket unit files to set the name for fds created by socket units. This also adds a new call sd_listen_fds_with_names(), that is similar to sd_listen_fds(), but also returns the names of the fds. systemd-activate gained the new --fdname= switch to specify a name for testing socket activation. This is based on #1247 by Maciej Wereski. Fixes #1247.
2015-10-04 17:36:19 +02:00
}
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
int config_parse_service_sockets(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
socket: make sockets to pass to a service configurable
2010-10-05 19:49:15 +02:00
Service *s = data;
core: parse socket port to extract_first_word
2015-11-03 18:19:05 +01:00
const char *p;
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
int r;
socket: make sockets to pass to a service configurable
2010-10-05 19:49:15 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
core: parse socket port to extract_first_word
2015-11-03 18:19:05 +01:00
p = rvalue;
tree-wide: minor formatting inconsistency cleanups
2016-02-23 18:52:52 +01:00
for (;;) {
core: remove unused variable unused since 7b2313f5
2015-11-07 11:03:11 +01:00
_cleanup_free_ char *word = NULL, *k = NULL;
socket: make sockets to pass to a service configurable
2010-10-05 19:49:15 +02:00
core: parse socket port to extract_first_word
2015-11-03 18:19:05 +01:00
r = extract_first_word(&p, &word, NULL, 0);
if (r == 0)
break;
if (r == -ENOMEM)
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return log_oom();
core: parse socket port to extract_first_word
2015-11-03 18:19:05 +01:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Trailing garbage in sockets, ignoring: %s", rvalue);
break;
}
socket: make sockets to pass to a service configurable
2010-10-05 19:49:15 +02:00
core: parse socket port to extract_first_word
2015-11-03 18:19:05 +01:00
r = unit_name_printf(UNIT(s), word, &k);
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %m");
continue;
}
unit: properly update references to units which are merged When we merge units that some kind of object points to, those pointers might become invalidated, and needs to be updated. Introduce a UnitRef struct which links up all the unit references, to ensure corrected references. At the same time, drop configured_sockets in the Service object, and replace it by proper UNIT_TRIGGERS resp. UNIT_TRIGGERED_BY dependencies, which allow us to simplify a lot of code.
2012-01-06 23:08:54 +01:00
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
if (!endswith(k, ".socket")) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Unit must be of type socket, ignoring: %s", k);
socket: make sockets to pass to a service configurable
2010-10-05 19:49:15 +02:00
continue;
}
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_WANTS, UNIT_AFTER, k, NULL, true, UNIT_DEPENDENCY_FILE);
unit: properly update references to units which are merged When we merge units that some kind of object points to, those pointers might become invalidated, and needs to be updated. Introduce a UnitRef struct which links up all the unit references, to ensure corrected references. At the same time, drop configured_sockets in the Service object, and replace it by proper UNIT_TRIGGERS resp. UNIT_TRIGGERED_BY dependencies, which allow us to simplify a lot of code.
2012-01-06 23:08:54 +01:00
if (r < 0)
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to add dependency on %s, ignoring: %m", k);
socket: make sockets to pass to a service configurable
2010-10-05 19:49:15 +02:00
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
r = unit_add_dependency_by_name(UNIT(s), UNIT_TRIGGERED_BY, k, NULL, true, UNIT_DEPENDENCY_FILE);
unit: properly update references to units which are merged When we merge units that some kind of object points to, those pointers might become invalidated, and needs to be updated. Introduce a UnitRef struct which links up all the unit references, to ensure corrected references. At the same time, drop configured_sockets in the Service object, and replace it by proper UNIT_TRIGGERS resp. UNIT_TRIGGERED_BY dependencies, which allow us to simplify a lot of code.
2012-01-06 23:08:54 +01:00
if (r < 0)
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to add dependency on %s, ignoring: %m", k);
socket: make sockets to pass to a service configurable
2010-10-05 19:49:15 +02:00
}
return 0;
}
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
int config_parse_bus_name(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *k = NULL;
Unit *u = userdata;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
r = unit_full_printf(u, rvalue, &k);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s, ignoring: %m", rvalue);
return 0;
}
if (!service_name_is_valid(k)) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid bus name %s, ignoring.", k);
conf-parse: don't accept invalid bus names as BusName= arguments in service units
2015-01-07 22:07:09 +01:00
return 0;
}
return config_parse_string(unit, filename, line, section, section_line, lvalue, ltype, k, data, userdata);
}
core: simplify how we parse TimeoutSec=, TimeoutStartSec= and TimeoutStopSec= Let's make things more obvious by placing the parse_usec() invocation directly in config_parse_service_timeout().
2016-02-08 23:54:54 +01:00
int config_parse_service_timeout(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
service: timeout for oneshot services Add possibility to specify timeout for oneshot services. [ https://bugzilla.redhat.com/show_bug.cgi?id=761656 Added minor fixups. -- michich ]
2012-06-14 17:07:07 +02:00
Service *s = userdata;
core: simplify how we parse TimeoutSec=, TimeoutStartSec= and TimeoutStopSec= Let's make things more obvious by placing the parse_usec() invocation directly in config_parse_service_timeout().
2016-02-08 23:54:54 +01:00
usec_t usec;
service: timeout for oneshot services Add possibility to specify timeout for oneshot services. [ https://bugzilla.redhat.com/show_bug.cgi?id=761656 Added minor fixups. -- michich ]
2012-06-14 17:07:07 +02:00
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(s);
core: simplify how we parse TimeoutSec=, TimeoutStartSec= and TimeoutStopSec= Let's make things more obvious by placing the parse_usec() invocation directly in config_parse_service_timeout().
2016-02-08 23:54:54 +01:00
/* This is called for three cases: TimeoutSec=, TimeoutStopSec= and TimeoutStartSec=. */
service: timeout for oneshot services Add possibility to specify timeout for oneshot services. [ https://bugzilla.redhat.com/show_bug.cgi?id=761656 Added minor fixups. -- michich ]
2012-06-14 17:07:07 +02:00
core: simplify how we parse TimeoutSec=, TimeoutStartSec= and TimeoutStopSec= Let's make things more obvious by placing the parse_usec() invocation directly in config_parse_service_timeout().
2016-02-08 23:54:54 +01:00
r = parse_sec(rvalue, &usec);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse %s= parameter, ignoring: %s", lvalue, rvalue);
return 0;
}
systemd: introduced new timeout types Makes possible to specify separate timeout for start and stop of the service. [ Improved the manpage. Coding style fix. -- michich ]
2012-08-07 14:41:48 +02:00
core: rework unit timeout handling, and add new setting RuntimeMaxSec= This clean-ups timeout handling in PID 1. Specifically, instead of storing 0 in internal timeout variables as indication for a disabled timeout, use USEC_INFINITY which is in-line with how we do this in the rest of our code (following the logic that 0 means "no", and USEC_INFINITY means "never"). This also replace all usec_t additions with invocations to usec_add(), so that USEC_INFINITY is properly propagated, and sd-event considers it has indication for turning off the event source. This also alters the deserialization of the units to restart timeouts from the time they were originally started from. Before this patch timeouts would be restarted beginning with the time of the deserialization, which could lead to artificially prolonged timeouts if a daemon reload took place. Finally, a new RuntimeMaxSec= setting is introduced for service units, that specifies a maximum runtime after which a specific service is forcibly terminated. This is useful to put time limits on time-intensive processing jobs. This also simplifies the various xyz_spawn() calls of the various types in that explicit distruction of the timers is removed, as that is done anyway by the state change handlers, and a state change is always done when the xyz_spawn() calls fail. Fixes: #2249
2016-02-01 21:48:10 +01:00
/* Traditionally, these options accepted 0 to disable the timeouts. However, a timeout of 0 suggests it happens
* immediately, hence fix this to become USEC_INFINITY instead. This is in-line with how we internally handle
* all other timeouts. */
core: simplify how we parse TimeoutSec=, TimeoutStartSec= and TimeoutStopSec= Let's make things more obvious by placing the parse_usec() invocation directly in config_parse_service_timeout().
2016-02-08 23:54:54 +01:00
if (usec <= 0)
usec = USEC_INFINITY;
if (!streq(lvalue, "TimeoutStopSec")) {
s->start_timeout_defined = true;
s->timeout_start_usec = usec;
}
core: rework unit timeout handling, and add new setting RuntimeMaxSec= This clean-ups timeout handling in PID 1. Specifically, instead of storing 0 in internal timeout variables as indication for a disabled timeout, use USEC_INFINITY which is in-line with how we do this in the rest of our code (following the logic that 0 means "no", and USEC_INFINITY means "never"). This also replace all usec_t additions with invocations to usec_add(), so that USEC_INFINITY is properly propagated, and sd-event considers it has indication for turning off the event source. This also alters the deserialization of the units to restart timeouts from the time they were originally started from. Before this patch timeouts would be restarted beginning with the time of the deserialization, which could lead to artificially prolonged timeouts if a daemon reload took place. Finally, a new RuntimeMaxSec= setting is introduced for service units, that specifies a maximum runtime after which a specific service is forcibly terminated. This is useful to put time limits on time-intensive processing jobs. This also simplifies the various xyz_spawn() calls of the various types in that explicit distruction of the timers is removed, as that is done anyway by the state change handlers, and a state change is always done when the xyz_spawn() calls fail. Fixes: #2249
2016-02-01 21:48:10 +01:00
core: simplify how we parse TimeoutSec=, TimeoutStartSec= and TimeoutStopSec= Let's make things more obvious by placing the parse_usec() invocation directly in config_parse_service_timeout().
2016-02-08 23:54:54 +01:00
if (!streq(lvalue, "TimeoutStartSec"))
s->timeout_stop_usec = usec;
core: rework unit timeout handling, and add new setting RuntimeMaxSec= This clean-ups timeout handling in PID 1. Specifically, instead of storing 0 in internal timeout variables as indication for a disabled timeout, use USEC_INFINITY which is in-line with how we do this in the rest of our code (following the logic that 0 means "no", and USEC_INFINITY means "never"). This also replace all usec_t additions with invocations to usec_add(), so that USEC_INFINITY is properly propagated, and sd-event considers it has indication for turning off the event source. This also alters the deserialization of the units to restart timeouts from the time they were originally started from. Before this patch timeouts would be restarted beginning with the time of the deserialization, which could lead to artificially prolonged timeouts if a daemon reload took place. Finally, a new RuntimeMaxSec= setting is introduced for service units, that specifies a maximum runtime after which a specific service is forcibly terminated. This is useful to put time limits on time-intensive processing jobs. This also simplifies the various xyz_spawn() calls of the various types in that explicit distruction of the timers is removed, as that is done anyway by the state change handlers, and a state change is always done when the xyz_spawn() calls fail. Fixes: #2249
2016-02-01 21:48:10 +01:00
systemd: introduced new timeout types Makes possible to specify separate timeout for start and stop of the service. [ Improved the manpage. Coding style fix. -- michich ]
2012-08-07 14:41:48 +02:00
return 0;
service: timeout for oneshot services Add possibility to specify timeout for oneshot services. [ https://bugzilla.redhat.com/show_bug.cgi?id=761656 Added minor fixups. -- michich ]
2012-06-14 17:07:07 +02:00
}
core: treat JobTimeout=0 as equivalent to JobTimeout=infinity Corrects an incompatibility introduced with 36c16a7cdd6c33d7980efc2cd6a2211941f302b4. Fixes: #2537
2016-02-08 23:56:30 +01:00
int config_parse_sec_fix_0(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
usec_t *usec = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(usec);
/* This is pretty much like config_parse_sec(), except that this treats a time of 0 as infinity, for
* compatibility with older versions of systemd where 0 instead of infinity was used as indicator to turn off a
* timeout. */
Parse "timeout=0" as infinity in various generators (#6264) This extends 2d79a0bbb9f651656384a0a86ed814e6306fb5dd to the kernel command line parsing. The parsing is changed a bit to only understand "0" as infinity. If units are specified, parse normally, e.g. "0s" is just 0. This makes it possible to provide a zero timeout if necessary. Simple test is added. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1462378.
2017-07-03 14:29:32 +02:00
r = parse_sec_fix_0(rvalue, usec);
core: treat JobTimeout=0 as equivalent to JobTimeout=infinity Corrects an incompatibility introduced with 36c16a7cdd6c33d7980efc2cd6a2211941f302b4. Fixes: #2537
2016-02-08 23:56:30 +01:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse %s= parameter, ignoring: %s", lvalue, rvalue);
return 0;
}
return 0;
}
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
int config_parse_user_group(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
char **user = data, *n;
Unit *u = userdata;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
if (isempty(rvalue))
n = NULL;
else {
_cleanup_free_ char *k = NULL;
r = unit_full_printf(u, rvalue, &k);
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in %s: %m", rvalue);
return -ENOEXEC;
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
}
if (!valid_user_group_name_or_id(k)) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid user/group name or numeric ID: %s", k);
return -ENOEXEC;
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
}
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
n = TAKE_PTR(k);
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
}
free(*user);
*user = n;
return 0;
}
int config_parse_user_group_strv(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
char ***users = data;
Unit *u = userdata;
const char *p;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
if (isempty(rvalue)) {
load-fragment: do not create empty array Originally added in 4589f5bb0a973e9a41be93de06c87072cea4dfb9. C.f. 8249bb728db6c2abaf12575d661b52571bdc1ab1 and #6746.
2017-10-04 08:21:12 +02:00
*users = strv_free(*users);
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
return 0;
}
p = rvalue;
for (;;) {
_cleanup_free_ char *word = NULL, *k = NULL;
tree-wide: drop unneded WHITESPACE param to extract_first_word It's the default, and NULL is shorter.
2016-10-28 02:06:44 +02:00
r = extract_first_word(&p, &word, NULL, 0);
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
if (r == 0)
break;
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Invalid syntax: %s", rvalue);
return -ENOEXEC;
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
}
r = unit_full_printf(u, word, &k);
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in %s: %m", word);
return -ENOEXEC;
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
}
if (!valid_user_group_name_or_id(k)) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid user/group name or numeric ID: %s", k);
return -ENOEXEC;
core: be stricter when parsing User=/Group= fields Let's verify the validity of the syntax of the user/group names set.
2016-07-14 12:28:06 +02:00
}
r = strv_push(users, k);
if (r < 0)
return log_oom();
k = NULL;
}
return 0;
}
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
int config_parse_working_directory(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
Unit *u = userdata;
bool missing_ok;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(c);
assert(u);
if (rvalue[0] == '-') {
missing_ok = true;
rvalue++;
} else
missing_ok = false;
if (streq(rvalue, "~")) {
c->working_directory_home = true;
c->working_directory = mfree(c->working_directory);
} else {
_cleanup_free_ char *k = NULL;
r = unit_full_printf(u, rvalue, &k);
if (r < 0) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve unit specifiers in working directory path '%s'%s: %m",
rvalue, missing_ok ? ", ignoring" : "");
return missing_ok ? 0 : -ENOEXEC;
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
}
path_kill_slashes(k);
if (!utf8_is_valid(k)) {
log: move log_invalid_utf8() to log.h Also, make sure it follows the same scheme as log_syntax() does in its behaviour.
2015-09-30 20:07:24 +02:00
log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, rvalue);
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
return missing_ok ? 0 : -ENOEXEC;
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
}
if (!path_is_absolute(k)) {
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0,
"Working directory path '%s' is not absolute%s.",
rvalue, missing_ok ? ", ignoring" : "");
return missing_ok ? 0 : -ENOEXEC;
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
}
c->working_directory_home = false;
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
free_and_replace(c->working_directory, k);
core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.
2015-09-23 19:46:23 +02:00
}
c->working_directory_missing_ok = missing_ok;
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_unit_env_file(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
execute: add EnvironmentFile= option
2010-06-18 06:06:24 +02:00
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
char ***env = data;
unit: support wildcards in Environment=, EnvironmentFile=
2011-07-01 01:13:47 +02:00
Unit *u = userdata;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
_cleanup_free_ char *n = NULL;
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
int r;
execute: add EnvironmentFile= option
2010-06-18 06:06:24 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* Empty assignment frees the list */
tree-wide: make use of the fact that strv_free() returns NULL Another Coccinelle patch.
2015-09-09 23:05:10 +02:00
*env = strv_free(*env);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return 0;
}
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(u, rvalue, &n);
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %s", rvalue);
return 0;
}
unit: support wildcards in Environment=, EnvironmentFile=
2011-07-01 01:13:47 +02:00
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
if (!path_is_absolute(n[0] == '-' ? n + 1 : n)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Path '%s' is not absolute, ignoring.", n);
fragment: allow prefixing of the EnvironmentFile= path with - to ignore errors
2011-01-06 01:39:08 +01:00
return 0;
}
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
r = strv_extend(env, n);
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
if (r < 0)
return log_oom();
return 0;
}
core: print the right string when we fail to replace specifiers in config_parse_environ()
2017-09-12 19:47:58 +02:00
int config_parse_environ(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
Unit *u = userdata;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
char ***env = data;
const char *p;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
int r;
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
manager: add DefaultEnvironment option This complements existing functionality of setting variables through 'systemctl set-environment', the kernel command line, and through normal environment variables for systemd in session mode.
2013-06-09 07:08:46 +02:00
assert(data);
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
if (isempty(rvalue)) {
/* Empty assignment resets the list */
tree-wide: make use of the fact that strv_free() returns NULL Another Coccinelle patch.
2015-09-09 23:05:10 +02:00
*env = strv_free(*env);
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
return 0;
}
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
for (p = rvalue;; ) {
_cleanup_free_ char *word = NULL, *k = NULL;
r = extract_first_word(&p, &word, NULL, EXTRACT_CUNESCAPE|EXTRACT_QUOTES);
if (r == 0)
return 0;
if (r == -ENOMEM)
return log_oom();
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
if (r < 0) {
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax, ignoring: %s", rvalue);
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
return 0;
}
manager: add DefaultEnvironment option This complements existing functionality of setting variables through 'systemctl set-environment', the kernel command line, and through normal environment variables for systemd in session mode.
2013-06-09 07:08:46 +02:00
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
if (u) {
r = unit_full_printf(u, word, &k);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,
core: print the right string when we fail to replace specifiers in config_parse_environ()
2017-09-12 19:47:58 +02:00
"Failed to resolve specifiers, ignoring: %s", word);
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
continue;
}
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
} else
k = TAKE_PTR(word);
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
if (!env_assignment_is_valid(k)) {
log_syntax(unit, LOG_ERR, filename, line, 0,
"Invalid environment assignment, ignoring: %s", k);
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
continue;
}
core/load-fragment: modify existing environment instead of copying strv over and over
2016-10-28 03:15:59 +02:00
r = strv_env_replace(env, k);
if (r < 0)
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
return log_oom();
core: print the right string when we fail to replace specifiers in config_parse_environ()
2017-09-12 19:47:58 +02:00
core/load-fragment: modify existing environment instead of copying strv over and over
2016-10-28 03:15:59 +02:00
k = NULL;
core: properly validate environment data from Environment= lines in unit files
2013-02-11 23:45:59 +01:00
}
execute: add EnvironmentFile= option
2010-06-18 06:06:24 +02:00
}
core: add new UnsetEnvironment= setting for unit files With this setting we can explicitly unset specific variables for processes of a unit, as last step of assembling the environment block for them. This is useful to fix #6407. While we are at it, greatly expand the documentation on how the environment block for forked off processes is assembled.
2017-09-10 12:16:44 +02:00
int config_parse_pass_environ(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
execute: Add new PassEnvironment= directive This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.
2015-09-07 08:06:53 +02:00
const char *whole_rvalue = rvalue;
_cleanup_strv_free_ char **n = NULL;
size_t nlen = 0, nbufsize = 0;
core: support specifier expansion in PassEnvironment= I can't come up with any usecase for this, but let's add this here, to match what we support for Environment=. It's kind surprising if we support specifier expansion for some environment related settings, but not for others.
2017-09-12 19:48:29 +02:00
char*** passenv = data;
Unit *u = userdata;
execute: Add new PassEnvironment= directive This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.
2015-09-07 08:06:53 +02:00
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
/* Empty assignment resets the list */
*passenv = strv_free(*passenv);
return 0;
}
for (;;) {
core: support specifier expansion in PassEnvironment= I can't come up with any usecase for this, but let's add this here, to match what we support for Environment=. It's kind surprising if we support specifier expansion for some environment related settings, but not for others.
2017-09-12 19:48:29 +02:00
_cleanup_free_ char *word = NULL, *k = NULL;
execute: Add new PassEnvironment= directive This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.
2015-09-07 08:06:53 +02:00
tree-wide: drop unneded WHITESPACE param to extract_first_word It's the default, and NULL is shorter.
2016-10-28 02:06:44 +02:00
r = extract_first_word(&rvalue, &word, NULL, EXTRACT_QUOTES);
execute: Add new PassEnvironment= directive This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.
2015-09-07 08:06:53 +02:00
if (r == 0)
break;
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,
"Trailing garbage in %s, ignoring: %s", lvalue, whole_rvalue);
break;
}
core: support specifier expansion in PassEnvironment= I can't come up with any usecase for this, but let's add this here, to match what we support for Environment=. It's kind surprising if we support specifier expansion for some environment related settings, but not for others.
2017-09-12 19:48:29 +02:00
if (u) {
r = unit_full_printf(u, word, &k);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve specifiers, ignoring: %s", word);
continue;
}
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
} else
k = TAKE_PTR(word);
core: support specifier expansion in PassEnvironment= I can't come up with any usecase for this, but let's add this here, to match what we support for Environment=. It's kind surprising if we support specifier expansion for some environment related settings, but not for others.
2017-09-12 19:48:29 +02:00
if (!env_name_is_valid(k)) {
log_syntax(unit, LOG_ERR, filename, line, 0,
"Invalid environment name for %s, ignoring: %s", lvalue, k);
execute: Add new PassEnvironment= directive This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.
2015-09-07 08:06:53 +02:00
continue;
}
if (!GREEDY_REALLOC(n, nbufsize, nlen + 2))
return log_oom();
core: support specifier expansion in PassEnvironment= I can't come up with any usecase for this, but let's add this here, to match what we support for Environment=. It's kind surprising if we support specifier expansion for some environment related settings, but not for others.
2017-09-12 19:48:29 +02:00
n[nlen++] = k;
execute: Add new PassEnvironment= directive This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.
2015-09-07 08:06:53 +02:00
n[nlen] = NULL;
core: support specifier expansion in PassEnvironment= I can't come up with any usecase for this, but let's add this here, to match what we support for Environment=. It's kind surprising if we support specifier expansion for some environment related settings, but not for others.
2017-09-12 19:48:29 +02:00
k = NULL;
execute: Add new PassEnvironment= directive This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.
2015-09-07 08:06:53 +02:00
}
if (n) {
r = strv_extend_strv(passenv, n, true);
if (r < 0)
return r;
}
return 0;
}
core: add new UnsetEnvironment= setting for unit files With this setting we can explicitly unset specific variables for processes of a unit, as last step of assembling the environment block for them. This is useful to fix #6407. While we are at it, greatly expand the documentation on how the environment block for forked off processes is assembled.
2017-09-10 12:16:44 +02:00
int config_parse_unset_environ(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_strv_free_ char **n = NULL;
const char *whole_rvalue = rvalue;
size_t nlen = 0, nbufsize = 0;
char*** unsetenv = data;
Unit *u = userdata;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
/* Empty assignment resets the list */
*unsetenv = strv_free(*unsetenv);
return 0;
}
for (;;) {
_cleanup_free_ char *word = NULL, *k = NULL;
core: process C-style escapes in UnsetEnvironment= We process C-style escapes in Environment=, hence we should process it in UnsetEnvironment= too, as the latter accepts assignments much like the former, including arbitrary values specified by the user.
2017-11-21 19:50:52 +01:00
r = extract_first_word(&rvalue, &word, NULL, EXTRACT_CUNESCAPE|EXTRACT_QUOTES);
core: add new UnsetEnvironment= setting for unit files With this setting we can explicitly unset specific variables for processes of a unit, as last step of assembling the environment block for them. This is useful to fix #6407. While we are at it, greatly expand the documentation on how the environment block for forked off processes is assembled.
2017-09-10 12:16:44 +02:00
if (r == 0)
break;
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,
"Trailing garbage in %s, ignoring: %s", lvalue, whole_rvalue);
break;
}
if (u) {
r = unit_full_printf(u, word, &k);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve specifiers, ignoring: %s", word);
continue;
}
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
} else
k = TAKE_PTR(word);
core: add new UnsetEnvironment= setting for unit files With this setting we can explicitly unset specific variables for processes of a unit, as last step of assembling the environment block for them. This is useful to fix #6407. While we are at it, greatly expand the documentation on how the environment block for forked off processes is assembled.
2017-09-10 12:16:44 +02:00
if (!env_assignment_is_valid(k) && !env_name_is_valid(k)) {
log_syntax(unit, LOG_ERR, filename, line, 0,
"Invalid environment name or assignment %s, ignoring: %s", lvalue, k);
continue;
}
if (!GREEDY_REALLOC(n, nbufsize, nlen + 2))
return log_oom();
n[nlen++] = k;
n[nlen] = NULL;
k = NULL;
}
if (n) {
r = strv_extend_strv(unsetenv, n, true);
if (r < 0)
return r;
}
return 0;
}
core: implement /run/systemd/units/-based path for passing unit info from PID 1 to journald And let's make use of it to implement two new unit settings with it: 1. LogLevelMax= is a new per-unit setting that may be used to configure log priority filtering: set it to LogLevelMax=notice and only messages of level "notice" and lower (i.e. more important) will be processed, all others are dropped. 2. LogExtraFields= is a new per-unit setting for configuring per-unit journal fields, that are implicitly included in every log record generated by the unit's processes. It takes field/value pairs in the form of FOO=BAR. Also, related to this, one exisiting unit setting is ported to this new facility: 3. The invocation ID is now pulled from /run/systemd/units/ instead of cgroupfs xattrs. This substantially relaxes requirements of systemd on the kernel version and the privileges it runs with (specifically, cgroupfs xattrs are not available in containers, since they are stored in kernel memory, and hence are unsafe to permit to lesser privileged code). /run/systemd/units/ is a new directory, which contains a number of files and symlinks encoding the above information. PID 1 creates and manages these files, and journald reads them from there. Note that this is supposed to be a direct path between PID 1 and the journal only, due to the special runtime environment the journal runs in. Normally, today we shouldn't introduce new interfaces that (mis-)use a file system as IPC framework, and instead just an IPC system, but this is very hard to do between the journal and PID 1, as long as the IPC system is a subject PID 1 manages, and itself a client to the journal. This patch cleans up a couple of types used in journal code: specifically we switch to size_t for a couple of memory-sizing values, as size_t is the right choice for everything that is memory. Fixes: #4089 Fixes: #3041 Fixes: #4441
2017-11-02 19:43:32 +01:00
int config_parse_log_extra_fields(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
Unit *u = userdata;
const char *p;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(c);
if (isempty(rvalue)) {
exec_context_free_log_extra_fields(c);
return 0;
}
for (p = rvalue;; ) {
_cleanup_free_ char *word = NULL, *k = NULL;
struct iovec *t;
const char *eq;
r = extract_first_word(&p, &word, NULL, EXTRACT_CUNESCAPE|EXTRACT_QUOTES);
if (r == 0)
break;
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
return 0;
}
r = unit_full_printf(u, word, &k);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s, ignoring field: %m", word);
continue;
}
eq = strchr(k, '=');
if (!eq) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Log field lacks '=' character, ignoring field: %s", k);
continue;
}
if (!journal_field_valid(k, eq-k, false)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Log field name is invalid, ignoring field: %s", k);
continue;
}
tree-wide: use reallocarray instead of our home-grown realloc_multiply (#8279) There isn't much difference, but in general we prefer to use the standard functions. glibc provides reallocarray since version 2.26. I moved explicit_bzero is configure test to the bottom, so that the two stdlib functions are at the bottom.
2018-02-26 21:20:00 +01:00
t = reallocarray(c->log_extra_fields, c->n_log_extra_fields+1, sizeof(struct iovec));
core: implement /run/systemd/units/-based path for passing unit info from PID 1 to journald And let's make use of it to implement two new unit settings with it: 1. LogLevelMax= is a new per-unit setting that may be used to configure log priority filtering: set it to LogLevelMax=notice and only messages of level "notice" and lower (i.e. more important) will be processed, all others are dropped. 2. LogExtraFields= is a new per-unit setting for configuring per-unit journal fields, that are implicitly included in every log record generated by the unit's processes. It takes field/value pairs in the form of FOO=BAR. Also, related to this, one exisiting unit setting is ported to this new facility: 3. The invocation ID is now pulled from /run/systemd/units/ instead of cgroupfs xattrs. This substantially relaxes requirements of systemd on the kernel version and the privileges it runs with (specifically, cgroupfs xattrs are not available in containers, since they are stored in kernel memory, and hence are unsafe to permit to lesser privileged code). /run/systemd/units/ is a new directory, which contains a number of files and symlinks encoding the above information. PID 1 creates and manages these files, and journald reads them from there. Note that this is supposed to be a direct path between PID 1 and the journal only, due to the special runtime environment the journal runs in. Normally, today we shouldn't introduce new interfaces that (mis-)use a file system as IPC framework, and instead just an IPC system, but this is very hard to do between the journal and PID 1, as long as the IPC system is a subject PID 1 manages, and itself a client to the journal. This patch cleans up a couple of types used in journal code: specifically we switch to size_t for a couple of memory-sizing values, as size_t is the right choice for everything that is memory. Fixes: #4089 Fixes: #3041 Fixes: #4441
2017-11-02 19:43:32 +01:00
if (!t)
return log_oom();
c->log_extra_fields = t;
c->log_extra_fields[c->n_log_extra_fields++] = IOVEC_MAKE_STRING(k);
k = NULL;
}
return 0;
}
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_ip_tos(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
socket: make various socket/pipe options configurable
2010-07-01 00:29:17 +02:00
int *ip_tos = data, x;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
shared, core: do not always accept numbers in string lookups The behaviour of the common name##_from_string conversion is surprising. It accepts not only the strings from name##_table but also any number that falls within the range of the table. The order of items in most of our tables is an internal affair. It should not be visible to the user. I know of a case where the surprising numeric conversion leads to a crash. We will allow the direct numeric conversion only for the tables where the mapping of strings to numeric values has an external meaning. This holds for the following lookup tables: - netlink_family, ioprio_class, ip_tos, sched_policy - their numeric values are stable as they are defined by the Linux kernel interface. - log_level, log_facility_unshifted - the well-known syslog interface. We allow the user to use numeric values whose string names systemd does not know. For instance, the user may want to test a new kernel featuring a scheduling policy that did not exist when his systemd version was released. A slightly unpleasant effect of this is that the name##_to_string conversion cannot return pointers to constant strings anymore. The strings have to be allocated on demand and freed by the caller.
2012-10-30 14:29:38 +01:00
x = ip_tos_from_string(rvalue);
if (x < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse IP TOS value, ignoring: %s", rvalue);
shared, core: do not always accept numbers in string lookups The behaviour of the common name##_from_string conversion is surprising. It accepts not only the strings from name##_table but also any number that falls within the range of the table. The order of items in most of our tables is an internal affair. It should not be visible to the user. I know of a case where the surprising numeric conversion leads to a crash. We will allow the direct numeric conversion only for the tables where the mapping of strings to numeric values has an external meaning. This holds for the following lookup tables: - netlink_family, ioprio_class, ip_tos, sched_policy - their numeric values are stable as they are defined by the Linux kernel interface. - log_level, log_facility_unshifted - the well-known syslog interface. We allow the user to use numeric values whose string names systemd does not know. For instance, the user may want to test a new kernel featuring a scheduling policy that did not exist when his systemd version was released. A slightly unpleasant effect of this is that the name##_to_string conversion cannot return pointers to constant strings anymore. The strings have to be allocated on demand and freed by the caller.
2012-10-30 14:29:38 +01:00
return 0;
}
socket: make various socket/pipe options configurable
2010-07-01 00:29:17 +02:00
*ip_tos = x;
return 0;
}
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
int config_parse_unit_condition_path(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
unit: add minimal condition checker for unit startup
2010-10-13 02:15:41 +02:00
macro: introduce _cleanup_free_ macro for automatic freeing of scoped vars and make use of it
2012-09-13 22:30:26 +02:00
_cleanup_free_ char *p = NULL;
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
Condition **list = data, *c;
ConditionType t = ltype;
bool trigger, negate;
Unit *u = userdata;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
int r;
unit: add minimal condition checker for unit startup
2010-10-13 02:15:41 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* Empty assignment resets the list */
tree-wide: make condition_free_list return NULL
2014-12-18 18:33:05 +01:00
*list = condition_free_list(*list);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return 0;
}
unit: introduce ConditionPathIsMountPoint=
2011-09-21 00:44:51 +02:00
trigger = rvalue[0] == '|';
if (trigger)
unit: distuingish mandatory from triggering conditions
2011-03-08 03:04:47 +01:00
rvalue++;
unit: introduce ConditionPathIsMountPoint=
2011-09-21 00:44:51 +02:00
negate = rvalue[0] == '!';
if (negate)
unit: add minimal condition checker for unit startup
2010-10-13 02:15:41 +02:00
rvalue++;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(u, rvalue, &p);
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %s", rvalue);
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
return 0;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
}
load-fragment: Expand specifiers in conditions. Add specifier expansion to Path and String conditions. Specifier expansion for conditions will help create instance and user session units by allowing us to template conditions based on the instance or user session parameters. An example would be a system-wide user session service file that conditionally runs based on whether a user has the service configured through a configuration file in ~/.config/.
2012-09-13 21:34:25 +02:00
if (!path_is_absolute(p)) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Path in condition not absolute, ignoring: %s", p);
unit: add minimal condition checker for unit startup
2010-10-13 02:15:41 +02:00
return 0;
}
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
c = condition_new(t, p, trigger, negate);
unit: introduce ConditionPathIsMountPoint=
2011-09-21 00:44:51 +02:00
if (!c)
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return log_oom();
unit: add minimal condition checker for unit startup
2010-10-13 02:15:41 +02:00
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
LIST_PREPEND(conditions, *list, c);
unit: add minimal condition checker for unit startup
2010-10-13 02:15:41 +02:00
return 0;
}
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
int config_parse_unit_condition_string(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
unit: introduce ConditionVirtualization=
2011-02-21 22:07:55 +01:00
macro: introduce _cleanup_free_ macro for automatic freeing of scoped vars and make use of it
2012-09-13 22:30:26 +02:00
_cleanup_free_ char *s = NULL;
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
Condition **list = data, *c;
ConditionType t = ltype;
bool trigger, negate;
Unit *u = userdata;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
int r;
unit: introduce ConditionVirtualization=
2011-02-21 22:07:55 +01:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* Empty assignment resets the list */
tree-wide: make condition_free_list return NULL
2014-12-18 18:33:05 +01:00
*list = condition_free_list(*list);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return 0;
}
unit: add new ConditionHost= condition type
2012-08-22 01:51:53 +02:00
trigger = rvalue[0] == '|';
if (trigger)
unit: distuingish mandatory from triggering conditions
2011-03-08 03:04:47 +01:00
rvalue++;
unit: add new ConditionHost= condition type
2012-08-22 01:51:53 +02:00
negate = rvalue[0] == '!';
if (negate)
unit: introduce ConditionVirtualization=
2011-02-21 22:07:55 +01:00
rvalue++;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_full_printf(u, rvalue, &s);
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %s", rvalue);
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
return 0;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
}
load-fragment: Expand specifiers in conditions. Add specifier expansion to Path and String conditions. Specifier expansion for conditions will help create instance and user session units by allowing us to template conditions based on the instance or user session parameters. An example would be a system-wide user session service file that conditionally runs based on whether a user has the service configured through a configuration file in ~/.config/.
2012-09-13 21:34:25 +02:00
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
c = condition_new(t, s, trigger, negate);
unit: add new ConditionHost= condition type
2012-08-22 01:51:53 +02:00
if (!c)
return log_oom();
unit: introduce ConditionVirtualization=
2011-02-21 22:07:55 +01:00
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
LIST_PREPEND(conditions, *list, c);
unit: introduce ConditionVirtualization=
2011-02-21 22:07:55 +01:00
return 0;
}
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
int config_parse_unit_condition_null(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
unit: add ConditionNull= condition
2010-11-10 22:28:19 +01:00
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
Condition **list = data, *c;
unit: distuingish mandatory from triggering conditions
2011-03-08 03:04:47 +01:00
bool trigger, negate;
unit: add ConditionNull= condition
2010-11-10 22:28:19 +01:00
int b;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* Empty assignment resets the list */
tree-wide: make condition_free_list return NULL
2014-12-18 18:33:05 +01:00
*list = condition_free_list(*list);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return 0;
}
trigger = rvalue[0] == '|';
if (trigger)
unit: distuingish mandatory from triggering conditions
2011-03-08 03:04:47 +01:00
rvalue++;
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
negate = rvalue[0] == '!';
if (negate)
unit: add ConditionNull= condition
2010-11-10 22:28:19 +01:00
rvalue++;
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
b = parse_boolean(rvalue);
if (b < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, b, "Failed to parse boolean value in condition, ignoring: %s", rvalue);
unit: add ConditionNull= condition
2010-11-10 22:28:19 +01:00
return 0;
}
if (!b)
negate = !negate;
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
c = condition_new(CONDITION_NULL, NULL, trigger, negate);
if (!c)
return log_oom();
unit: add ConditionNull= condition
2010-11-10 22:28:19 +01:00
core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met
2014-11-06 13:43:45 +01:00
LIST_PREPEND(conditions, *list, c);
unit: add ConditionNull= condition
2010-11-10 22:28:19 +01:00
return 0;
}
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_notify_access, notify_access, NotifyAccess, "Failed to parse notify access specifier");
failure-action: generalize failure action to emergency action
2016-10-20 15:27:37 +02:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_emergency_action, emergency_action, EmergencyAction, "Failed to parse failure action specifier");
service: add minimal access control logic for notifcation socket
2010-06-18 23:12:48 +02:00
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
int config_parse_unit_requires_mounts_for(
const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
unit: add new dependency type RequiresMountsFor= RequiresMountsFor= is a shortcut for adding requires and after dependencies to all mount units neeed for the specified paths. This solves a couple of issues regarding dep loop cycles for encrypted swap.
2012-04-29 14:26:07 +02:00
Unit *u = userdata;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
const char *p;
int r;
unit: add new dependency type RequiresMountsFor= RequiresMountsFor= is a shortcut for adding requires and after dependencies to all mount units neeed for the specified paths. This solves a couple of issues regarding dep loop cycles for encrypted swap.
2012-04-29 14:26:07 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
for (p = rvalue;; ) {
core: add specifier expansion to RequiresMountsFor= This might be useful for some people, for example to pull in mounts for paths including the machine ID or hostname.
2016-12-05 19:40:13 +01:00
_cleanup_free_ char *word = NULL, *resolved = NULL;
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES);
if (r == 0)
return 0;
if (r == -ENOMEM)
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
return log_oom();
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax, ignoring: %s", rvalue);
return 0;
}
unit: add new dependency type RequiresMountsFor= RequiresMountsFor= is a shortcut for adding requires and after dependencies to all mount units neeed for the specified paths. This solves a couple of issues regarding dep loop cycles for encrypted swap.
2012-04-29 14:26:07 +02:00
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
if (!utf8_is_valid(word)) {
log: move log_invalid_utf8() to log.h Also, make sure it follows the same scheme as log_syntax() does in its behaviour.
2015-09-30 20:07:24 +02:00
log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, rvalue);
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
continue;
}
unit: add new dependency type RequiresMountsFor= RequiresMountsFor= is a shortcut for adding requires and after dependencies to all mount units neeed for the specified paths. This solves a couple of issues regarding dep loop cycles for encrypted swap.
2012-04-29 14:26:07 +02:00
core: add specifier expansion to RequiresMountsFor= This might be useful for some people, for example to pull in mounts for paths including the machine ID or hostname.
2016-12-05 19:40:13 +01:00
r = unit_full_printf(u, word, &resolved);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit name \"%s\", ignoring: %m", word);
continue;
}
core: track why unit dependencies came to be This replaces the dependencies Set* objects by Hashmap* objects, where the key is the depending Unit, and the value is a bitmask encoding why the specific dependency was created. The bitmask contains a number of different, defined bits, that indicate why dependencies exist, for example whether they are created due to explicitly configured deps in files, by udev rules or implicitly. Note that memory usage is not increased by this change, even though we store more information, as we manage to encode the bit mask inside the value pointer each Hashmap entry contains. Why this all? When we know how a dependency came to be, we can update dependencies correctly when a configuration source changes but others are left unaltered. Specifically: 1. We can fix UDEV_WANTS dependency generation: so far we kept adding dependencies configured that way, but if a device lost such a dependency we couldn't them again as there was no scheme for removing of dependencies in place. 2. We can implement "pin-pointed" reload of unit files. If we know what dependencies were created as result of configuration in a unit file, then we know what to flush out when we want to reload it. 3. It's useful for debugging: "systemd-analyze dump" now shows this information, helping substantially with understanding how systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
r = unit_require_mounts_for(u, resolved, UNIT_DEPENDENCY_FILE);
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
if (r < 0) {
core: add specifier expansion to RequiresMountsFor= This might be useful for some people, for example to pull in mounts for paths including the machine ID or hostname.
2016-12-05 19:40:13 +01:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to add required mount \"%s\", ignoring: %m", resolved);
core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740
2013-09-26 20:14:24 +02:00
continue;
}
}
unit: add new dependency type RequiresMountsFor= RequiresMountsFor= is a shortcut for adding requires and after dependencies to all mount units neeed for the specified paths. This solves a couple of issues regarding dep loop cycles for encrypted swap.
2012-04-29 14:26:07 +02:00
}
exec: add high-level controls for blkio cgroup attributes
2011-08-20 01:38:10 +02:00
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
int config_parse_documentation(const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
units: introduce new Documentation= field and make use of it everywhere This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and decriptionary information of a service. This patch adds the necessary fields to all our shipped units if we have proper documentation for them.
2012-05-21 15:12:18 +02:00
Unit *u = userdata;
int r;
char **a, **b;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* Empty assignment resets the list */
tree-wide: make use of the fact that strv_free() returns NULL Another Coccinelle patch.
2015-09-09 23:05:10 +02:00
u->documentation = strv_free(u->documentation);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return 0;
}
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
r = config_parse_unit_strv_printf(unit, filename, line, section, section_line, lvalue, ltype,
Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>
2013-04-16 04:25:58 +02:00
rvalue, data, userdata);
units: introduce new Documentation= field and make use of it everywhere This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and decriptionary information of a service. This patch adds the necessary fields to all our shipped units if we have proper documentation for them.
2012-05-21 15:12:18 +02:00
if (r < 0)
return r;
for (a = b = u->documentation; a && *a; a++) {
util: make http url validity checks more generic, and move them to util.c
2015-01-19 20:45:27 +01:00
if (documentation_url_is_valid(*a))
units: introduce new Documentation= field and make use of it everywhere This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and decriptionary information of a service. This patch adds the necessary fields to all our shipped units if we have proper documentation for them.
2012-05-21 15:12:18 +02:00
*(b++) = *a;
else {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid URL, ignoring: %s", *a);
units: introduce new Documentation= field and make use of it everywhere This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and decriptionary information of a service. This patch adds the necessary fields to all our shipped units if we have proper documentation for them.
2012-05-21 15:12:18 +02:00
free(*a);
}
}
Make sure that we don't dereference NULL The code was actually safe, because b should never be null, because if rvalue is empty, a different branch is taken. But we *do* check for NULL in the loop above, so it's better to also check here for symmetry.
2013-10-12 19:43:07 +02:00
if (b)
*b = NULL;
units: introduce new Documentation= field and make use of it everywhere This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and decriptionary information of a service. This patch adds the necessary fields to all our shipped units if we have proper documentation for them.
2012-05-21 15:12:18 +02:00
return r;
}
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SECCOMP
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
int config_parse_syscall_filter(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
ExecContext *c = data;
Unit *u = userdata;
load-fragment: initialize bool invert before use
2012-08-20 14:33:21 +02:00
bool invert = false;
core: rework syscall filter set handling A variety of fixes: - rename the SystemCallFilterSet structure to SyscallFilterSet. So far the main instance of it (the syscall_filter_sets[] array) used to abbreviate "SystemCall" as "Syscall". Let's stick to one of the two syntaxes, and not mix and match too wildly. Let's pick the shorter name in this case, as it is sufficiently well established to not confuse hackers reading this. - Export explicit indexes into the syscall_filter_sets[] array via an enum. This way, code that wants to make use of a specific filter set, can index it directly via the enum, instead of having to search for it. This makes apply_private_devices() in particular a lot simpler. - Provide two new helper calls in seccomp-util.c: syscall_filter_set_find() to find a set by its name, seccomp_add_syscall_filter_set() to add a set to a seccomp object. - Update SystemCallFilter= parser to use extract_first_word(). Let's work on deprecating FOREACH_WORD_QUOTED(). - Simplify apply_private_devices() using this functionality
2016-10-21 21:50:05 +02:00
const char *p;
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
int r;
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
if (isempty(rvalue)) {
/* Empty assignment resets the list */
core: add support to specify errno in SystemCallFilter= This makes each system call in SystemCallFilter= blacklist optionally takes errno name or number after a colon. The errno takes precedence over the one given by SystemCallErrorNumber=. C.f. #7173. Closes #7169.
2017-11-11 13:35:49 +01:00
c->syscall_filter = hashmap_free(c->syscall_filter);
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
c->syscall_whitelist = false;
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return 0;
}
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
if (rvalue[0] == '~') {
invert = true;
rvalue++;
}
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
if (!c->syscall_filter) {
core: add support to specify errno in SystemCallFilter= This makes each system call in SystemCallFilter= blacklist optionally takes errno name or number after a colon. The errno takes precedence over the one given by SystemCallErrorNumber=. C.f. #7173. Closes #7169.
2017-11-11 13:35:49 +01:00
c->syscall_filter = hashmap_new(NULL);
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
if (!c->syscall_filter)
return log_oom();
syscallfilter: port to libseccomp
2014-02-12 01:29:54 +01:00
if (invert)
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
/* Allow everything but the ones listed */
c->syscall_whitelist = false;
syscallfilter: port to libseccomp
2014-02-12 01:29:54 +01:00
else {
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
/* Allow nothing but the ones listed */
c->syscall_whitelist = true;
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
/* Accept default syscalls if we are on a whitelist */
seccomp: rework functions for parsing system call filters This reworks system call filter parsing, and replaces a couple of "bool" function arguments by a single flags parameter. This shouldn't change behaviour, except for one case: when we recursively call our parsing function on our own syscall list, then we'll lower the log level to LOG_DEBUG from LOG_WARNING, because at that point things are just a problem in our own code rather than in the user configuration we are parsing, and we shouldn't hence generate confusing warnings about syntax errors. Fixes: #8261
2018-02-26 12:51:35 +01:00
r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST);
core: add pre-defined syscall groups to SystemCallFilter= (#3053) (#3157) Implement sets of system calls to help constructing system call filters. A set starts with '@' to distinguish from a system call. Closes: #3053, #3157
2016-06-01 11:56:01 +02:00
if (r < 0)
return r;
syscallfilter: port to libseccomp
2014-02-12 01:29:54 +01:00
}
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
}
core: rework syscall filter set handling A variety of fixes: - rename the SystemCallFilterSet structure to SyscallFilterSet. So far the main instance of it (the syscall_filter_sets[] array) used to abbreviate "SystemCall" as "Syscall". Let's stick to one of the two syntaxes, and not mix and match too wildly. Let's pick the shorter name in this case, as it is sufficiently well established to not confuse hackers reading this. - Export explicit indexes into the syscall_filter_sets[] array via an enum. This way, code that wants to make use of a specific filter set, can index it directly via the enum, instead of having to search for it. This makes apply_private_devices() in particular a lot simpler. - Provide two new helper calls in seccomp-util.c: syscall_filter_set_find() to find a set by its name, seccomp_add_syscall_filter_set() to add a set to a seccomp object. - Update SystemCallFilter= parser to use extract_first_word(). Let's work on deprecating FOREACH_WORD_QUOTED(). - Simplify apply_private_devices() using this functionality
2016-10-21 21:50:05 +02:00
p = rvalue;
for (;;) {
core: add support to specify errno in SystemCallFilter= This makes each system call in SystemCallFilter= blacklist optionally takes errno name or number after a colon. The errno takes precedence over the one given by SystemCallErrorNumber=. C.f. #7173. Closes #7169.
2017-11-11 13:35:49 +01:00
_cleanup_free_ char *word = NULL, *name = NULL;
int num;
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
core: rework syscall filter set handling A variety of fixes: - rename the SystemCallFilterSet structure to SyscallFilterSet. So far the main instance of it (the syscall_filter_sets[] array) used to abbreviate "SystemCall" as "Syscall". Let's stick to one of the two syntaxes, and not mix and match too wildly. Let's pick the shorter name in this case, as it is sufficiently well established to not confuse hackers reading this. - Export explicit indexes into the syscall_filter_sets[] array via an enum. This way, code that wants to make use of a specific filter set, can index it directly via the enum, instead of having to search for it. This makes apply_private_devices() in particular a lot simpler. - Provide two new helper calls in seccomp-util.c: syscall_filter_set_find() to find a set by its name, seccomp_add_syscall_filter_set() to add a set to a seccomp object. - Update SystemCallFilter= parser to use extract_first_word(). Let's work on deprecating FOREACH_WORD_QUOTED(). - Simplify apply_private_devices() using this functionality
2016-10-21 21:50:05 +02:00
r = extract_first_word(&p, &word, NULL, 0);
if (r == 0)
break;
if (r == -ENOMEM)
units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-17 02:27:06 +01:00
return log_oom();
core: rework syscall filter set handling A variety of fixes: - rename the SystemCallFilterSet structure to SyscallFilterSet. So far the main instance of it (the syscall_filter_sets[] array) used to abbreviate "SystemCall" as "Syscall". Let's stick to one of the two syntaxes, and not mix and match too wildly. Let's pick the shorter name in this case, as it is sufficiently well established to not confuse hackers reading this. - Export explicit indexes into the syscall_filter_sets[] array via an enum. This way, code that wants to make use of a specific filter set, can index it directly via the enum, instead of having to search for it. This makes apply_private_devices() in particular a lot simpler. - Provide two new helper calls in seccomp-util.c: syscall_filter_set_find() to find a set by its name, seccomp_add_syscall_filter_set() to add a set to a seccomp object. - Update SystemCallFilter= parser to use extract_first_word(). Let's work on deprecating FOREACH_WORD_QUOTED(). - Simplify apply_private_devices() using this functionality
2016-10-21 21:50:05 +02:00
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
break;
}
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
core: add support to specify errno in SystemCallFilter= This makes each system call in SystemCallFilter= blacklist optionally takes errno name or number after a colon. The errno takes precedence over the one given by SystemCallErrorNumber=. C.f. #7173. Closes #7169.
2017-11-11 13:35:49 +01:00
r = parse_syscall_and_errno(word, &name, &num);
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse syscall:errno, ignoring: %s", word);
continue;
}
seccomp: rework functions for parsing system call filters This reworks system call filter parsing, and replaces a couple of "bool" function arguments by a single flags parameter. This shouldn't change behaviour, except for one case: when we recursively call our parsing function on our own syscall list, then we'll lower the log level to LOG_DEBUG from LOG_WARNING, because at that point things are just a problem in our own code rather than in the user configuration we are parsing, and we shouldn't hence generate confusing warnings about syntax errors. Fixes: #8261
2018-02-26 12:51:35 +01:00
r = seccomp_parse_syscall_filter_full(name, num, c->syscall_filter,
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|(invert ? SECCOMP_PARSE_INVERT : 0)|(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
unit, filename, line);
core: add pre-defined syscall groups to SystemCallFilter= (#3053) (#3157) Implement sets of system calls to help constructing system call filters. A set starts with '@' to distinguish from a system call. Closes: #3053, #3157
2016-06-01 11:56:01 +02:00
if (r < 0)
return r;
syscallfilter: port to libseccomp
2014-02-12 01:29:54 +01:00
}
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
return 0;
}
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
int config_parse_syscall_archs(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
core: add a system-wide SystemCallArchitectures= setting This is useful to prohibit execution of non-native processes on systems, for example 32bit binaries on 64bit systems, this lowering the attack service on incorrect syscall and ioctl 32→64bit mappings.
2014-02-13 01:35:27 +01:00
Set **archs = data;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
const char *p;
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
int r;
if (isempty(rvalue)) {
tree-wide: take benefit of the fact that hashmap_free() returns NULL And set_free() too. Another Coccinelle patch.
2015-09-09 23:12:07 +02:00
*archs = set_free(*archs);
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
return 0;
}
hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-13 01:00:18 +02:00
r = set_ensure_allocated(archs, NULL);
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
if (r < 0)
return log_oom();
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
for (p = rvalue;;) {
_cleanup_free_ char *word = NULL;
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
uint32_t a;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES);
if (r == 0)
return 0;
if (r == -ENOMEM)
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
return log_oom();
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax, ignoring: %s", rvalue);
return 0;
}
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
r = seccomp_arch_from_string(word, &a);
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
if (r < 0) {
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to parse system call architecture \"%s\", ignoring: %m", word);
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
continue;
}
core: add a system-wide SystemCallArchitectures= setting This is useful to prohibit execution of non-native processes on systems, for example 32bit binaries on 64bit systems, this lowering the attack service on incorrect syscall and ioctl 32→64bit mappings.
2014-02-13 01:35:27 +01:00
r = set_put(*archs, UINT32_TO_PTR(a + 1));
core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-13 00:24:00 +01:00
if (r < 0)
return log_oom();
}
}
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
int config_parse_syscall_errno(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
int e;
assert(filename);
assert(lvalue);
assert(rvalue);
if (isempty(rvalue)) {
/* Empty assignment resets to KILL */
c->syscall_errno = 0;
return 0;
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
}
core: allow to specify errno number in SystemCallErrorNumber=
2017-11-11 13:40:20 +01:00
e = parse_errno(rvalue);
if (e <= 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse error number, ignoring: %s", rvalue);
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
return 0;
}
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
c->syscall_errno = e;
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
return 0;
}
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
int config_parse_address_families(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
bool invert = false;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
const char *p;
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
if (isempty(rvalue)) {
/* Empty assignment resets the list */
tree-wide: take benefit of the fact that hashmap_free() returns NULL And set_free() too. Another Coccinelle patch.
2015-09-09 23:12:07 +02:00
c->address_families = set_free(c->address_families);
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
c->address_families_whitelist = false;
return 0;
}
if (rvalue[0] == '~') {
invert = true;
rvalue++;
}
if (!c->address_families) {
hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-13 01:00:18 +02:00
c->address_families = set_new(NULL);
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
if (!c->address_families)
return log_oom();
c->address_families_whitelist = !invert;
}
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
for (p = rvalue;;) {
_cleanup_free_ char *word = NULL;
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
int af;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES);
if (r == 0)
return 0;
if (r == -ENOMEM)
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
return log_oom();
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax, ignoring: %s", rvalue);
return 0;
}
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
af = af_from_name(word);
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
if (af <= 0) {
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0,
"Failed to parse address family \"%s\", ignoring: %m", word);
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
continue;
}
/* If we previously wanted to forbid an address family and now
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
* we want to allow it, then just remove it from the list.
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
*/
if (!invert == c->address_families_whitelist) {
r = set_put(c->address_families, INT_TO_PTR(af));
if (r < 0)
return log_oom();
} else
set_remove(c->address_families, INT_TO_PTR(af));
}
}
core: add new RestrictNamespaces= unit file setting This new setting permits restricting whether namespaces may be created and managed by processes started by a unit. It installs a seccomp filter blocking certain invocations of unshare(), clone() and setns(). RestrictNamespaces=no is the default, and does not restrict namespaces in any way. RestrictNamespaces=yes takes away the ability to create or manage any kind of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces so that only mount and IPC namespaces may be created/managed, but no other kind of namespaces. This setting should be improve security quite a bit as in particular user namespacing was a major source of CVEs in the kernel in the past, and is accessible to unprivileged processes. With this setting the entire attack surface may be removed for system services that do not make use of namespaces.
2016-11-02 03:25:19 +01:00
int config_parse_restrict_namespaces(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
bool invert = false;
int r;
if (isempty(rvalue)) {
/* Reset to the default. */
c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
return 0;
}
if (rvalue[0] == '~') {
invert = true;
rvalue++;
}
r = parse_boolean(rvalue);
if (r > 0)
c->restrict_namespaces = 0;
else if (r == 0)
c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
else {
/* Not a boolean argument, in this case it's a list of namespace types. */
r = namespace_flag_from_string_many(rvalue, &c->restrict_namespaces);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue);
return 0;
}
}
if (invert)
c->restrict_namespaces = (~c->restrict_namespaces) & NAMESPACE_FLAGS_ALL;
return 0;
}
syscallfilter: port to libseccomp
2014-02-12 01:29:54 +01:00
#endif
execute: support syscall filtering using seccomp filters
2012-07-17 04:17:53 +02:00
core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.
2013-06-17 21:33:26 +02:00
int config_parse_unit_slice(
const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.
2013-06-17 21:33:26 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *k = NULL;
unit: unify how we assing slices to units This adds a new call unit_set_slice(), and simplifies unit_add_default_slice(). THis should make our code a bit more robust and simpler.
2015-08-28 17:36:39 +02:00
Unit *u = userdata, *slice = NULL;
core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.
2013-06-17 21:33:26 +02:00
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = unit_name_printf(u, rvalue, &k);
unit: unify how we assing slices to units This adds a new call unit_set_slice(), and simplifies unit_add_default_slice(). THis should make our code a bit more robust and simpler.
2015-08-28 17:36:39 +02:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s. Ignoring.", rvalue);
return 0;
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
}
core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.
2013-06-17 21:33:26 +02:00
specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.
2013-09-17 17:03:46 +02:00
r = manager_load_unit(u->manager, k, NULL, NULL, &slice);
core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.
2013-06-17 21:33:26 +02:00
if (r < 0) {
unit: unify how we assing slices to units This adds a new call unit_set_slice(), and simplifies unit_add_default_slice(). THis should make our code a bit more robust and simpler.
2015-08-28 17:36:39 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to load slice unit %s. Ignoring.", k);
core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.
2013-06-17 21:33:26 +02:00
return 0;
}
unit: unify how we assing slices to units This adds a new call unit_set_slice(), and simplifies unit_add_default_slice(). THis should make our code a bit more robust and simpler.
2015-08-28 17:36:39 +02:00
r = unit_set_slice(u, slice);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to assign slice %s to unit %s. Ignoring.", slice->id, u->id);
core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.
2013-06-17 21:33:26 +02:00
return 0;
}
return 0;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_device_policy, cgroup_device_policy, CGroupDevicePolicy, "Failed to parse device policy");
core: add cgroup CPU controller support on the unified hierarchy Unfortunately, due to the disagreements in the kernel development community, CPU controller cgroup v2 support has not been merged and enabling it requires applying two small out-of-tree kernel patches. The situation is explained in the following documentation. https://git.kernel.org/cgit/linux/kernel/git/tj/cgroup.git/tree/Documentation/cgroup-v2-cpu.txt?h=cgroup-v2-cpu While it isn't clear what will happen with CPU controller cgroup v2 support, there are critical features which are possible only on cgroup v2 such as buffered write control making cgroup v2 essential for a lot of workloads. This commit implements systemd CPU controller support on the unified hierarchy so that users who choose to deploy CPU controller cgroup v2 support can easily take advantage of it. On the unified hierarchy, "cpu.weight" knob replaces "cpu.shares" and "cpu.max" replaces "cpu.cfs_period_us" and "cpu.cfs_quota_us". [Startup]CPUWeight config options are added with the usual compat translation. CPU quota settings remain unchanged and apply to both legacy and unified hierarchies. v2: - Error in man page corrected. - CPU config application in cgroup_context_apply() refactored. - CPU accounting now works on unified hierarchy.
2016-08-07 15:45:39 +02:00
int config_parse_cpu_weight(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
uint64_t *weight = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
r = cg_weight_parse(rvalue, weight);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "CPU weight '%s' invalid. Ignoring.", rvalue);
return 0;
}
return 0;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
int config_parse_cpu_shares(
const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.
2015-09-11 16:48:24 +02:00
uint64_t *shares = data;
core: add startup resource control option Similar to CPUShares= and BlockIOWeight= respectively. However only assign the specified weight during startup. Each control group attribute is re-assigned as weight by CPUShares=weight and BlockIOWeight=weight after startup. If not CPUShares= or BlockIOWeight= be specified, then the attribute is re-assigned to each default attribute value. (default cpu.shares=1024, blkio.weight=1000) If only CPUShares=weight or BlockIOWeight=weight be specified, then that implies StartupCPUShares=weight and StartupBlockIOWeight=weight.
2014-05-15 17:09:34 +02:00
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.
2015-09-11 16:48:24 +02:00
r = cg_cpu_shares_parse(rvalue, shares);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "CPU shares '%s' invalid. Ignoring.", rvalue);
core: add startup resource control option Similar to CPUShares= and BlockIOWeight= respectively. However only assign the specified weight during startup. Each control group attribute is re-assigned as weight by CPUShares=weight and BlockIOWeight=weight after startup. If not CPUShares= or BlockIOWeight= be specified, then the attribute is re-assigned to each default attribute value. (default cpu.shares=1024, blkio.weight=1000) If only CPUShares=weight or BlockIOWeight=weight be specified, then that implies StartupCPUShares=weight and StartupBlockIOWeight=weight.
2014-05-15 17:09:34 +02:00
return 0;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
core: expose CFS CPU time quota as high-level unit properties
2014-04-25 13:27:25 +02:00
int config_parse_cpu_quota(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
CGroupContext *c = data;
util-lib: introduce parse_percent() for parsing percent specifications And port a couple of users over to it.
2016-06-08 19:25:38 +02:00
int r;
core: expose CFS CPU time quota as high-level unit properties
2014-04-25 13:27:25 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
if (isempty(rvalue)) {
time-util: add and use USEC/NSEC_INFINIY
2014-07-29 12:23:31 +02:00
c->cpu_quota_per_sec_usec = USEC_INFINITY;
core: expose CFS CPU time quota as high-level unit properties
2014-04-25 13:27:25 +02:00
return 0;
}
util-lib: add parse_percent_unbounded() for percentages over 100% (#3886) This permits CPUQuota to accept greater values as documented.
2016-08-04 13:09:54 +02:00
r = parse_percent_unbounded(rvalue);
util-lib: introduce parse_percent() for parsing percent specifications And port a couple of users over to it.
2016-06-08 19:25:38 +02:00
if (r <= 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "CPU quota '%s' invalid. Ignoring.", rvalue);
cgroups: simplify CPUQuota= logic Only accept cpu quota values in percentages, get rid of period definition. It's not clear whether the CFS period controllable per-cgroup even has a future in the kernel, hence let's simplify all this, hardcode the period to 100ms and only accept percentage based quota values.
2014-05-22 04:53:12 +02:00
return 0;
core: expose CFS CPU time quota as high-level unit properties
2014-04-25 13:27:25 +02:00
}
util-lib: introduce parse_percent() for parsing percent specifications And port a couple of users over to it.
2016-06-08 19:25:38 +02:00
c->cpu_quota_per_sec_usec = ((usec_t) r * USEC_PER_SEC) / 100U;
core: expose CFS CPU time quota as high-level unit properties
2014-04-25 13:27:25 +02:00
return 0;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
int config_parse_memory_limit(
const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
CGroupContext *c = data;
core: add cgroup memory controller support on the unified hierarchy (#3315) On the unified hierarchy, memory controller implements three control knobs - low, high and max which enables more useable and versatile control over memory usage. This patch implements support for the three control knobs. * MemoryLow, MemoryHigh and MemoryMax are added for memory.low, memory.high and memory.max, respectively. * As all absolute limits on the unified hierarchy use "max" for no limit, make memory limit parse functions accept "max" in addition to "infinity" and document "max" for the new knobs. * Implement compatibility translation between MemoryMax and MemoryLimit. v2: - Fixed missing else's in config_parse_memory_limit(). - Fixed missing newline when writing out drop-ins. - Coding style updates to use "val > 0" instead of "val". - Minor updates to documentation.
2016-05-27 18:10:18 +02:00
uint64_t bytes = CGROUP_LIMIT_MAX;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
int r;
core: always use "infinity" for no upper limit instead of "max" (#3417) Recently added cgroup unified hierarchy support uses "max" in configurations for no upper limit. While consistent with what the kernel uses for no upper limit, it is inconsistent with what systemd uses for other controllers such as memory or pids. There's no point in introducing another term. Update cgroup unified hierarchy support so that "infinity" is the only term that systemd uses for no upper limit.
2016-06-03 17:49:05 +02:00
if (!isempty(rvalue) && !streq(rvalue, "infinity")) {
core: optionally, accept a percentage value for MemoryLimit= and related settings If a percentage is used, it is taken relative to the installed RAM size. This should make it easier to write generic unit files that adapt to the local system.
2016-06-08 19:36:09 +02:00
r = parse_percent(rvalue);
if (r < 0) {
r = parse_size(rvalue, 1024, &bytes);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Memory limit '%s' invalid. Ignoring.", rvalue);
return 0;
}
} else
util: introduce physical_memory_scale() to unify how we scale by physical memory The various bits of code did the scaling all different, let's unify this, given that the code is not trivial.
2016-06-08 20:45:32 +02:00
bytes = physical_memory_scale(r, 100U);
core: optionally, accept a percentage value for MemoryLimit= and related settings If a percentage is used, it is taken relative to the installed RAM size. This should make it easier to write generic unit files that adapt to the local system.
2016-06-08 19:36:09 +02:00
core/cgroup: accepts MemorySwapMax=0 (#8366) Also, this moves two macros from dbus-util.h to dbus-cgroup.c, as they are only used in dbus-cgroup.c. Fixes #8363.
2018-03-09 11:34:50 +01:00
if (bytes >= UINT64_MAX ||
(bytes <= 0 && !streq(lvalue, "MemorySwapMax"))) {
core: check for overflow when handling scaled MemoryLimit= settings Just in case...
2016-07-22 15:30:23 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Memory limit '%s' out of range. Ignoring.", rvalue);
core: add cgroup memory controller support on the unified hierarchy (#3315) On the unified hierarchy, memory controller implements three control knobs - low, high and max which enables more useable and versatile control over memory usage. This patch implements support for the three control knobs. * MemoryLow, MemoryHigh and MemoryMax are added for memory.low, memory.high and memory.max, respectively. * As all absolute limits on the unified hierarchy use "max" for no limit, make memory limit parse functions accept "max" in addition to "infinity" and document "max" for the new knobs. * Implement compatibility translation between MemoryMax and MemoryLimit. v2: - Fixed missing else's in config_parse_memory_limit(). - Fixed missing newline when writing out drop-ins. - Coding style updates to use "val > 0" instead of "val". - Minor updates to documentation.
2016-05-27 18:10:18 +02:00
return 0;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
}
core: add cgroup memory controller support on the unified hierarchy (#3315) On the unified hierarchy, memory controller implements three control knobs - low, high and max which enables more useable and versatile control over memory usage. This patch implements support for the three control knobs. * MemoryLow, MemoryHigh and MemoryMax are added for memory.low, memory.high and memory.max, respectively. * As all absolute limits on the unified hierarchy use "max" for no limit, make memory limit parse functions accept "max" in addition to "infinity" and document "max" for the new knobs. * Implement compatibility translation between MemoryMax and MemoryLimit. v2: - Fixed missing else's in config_parse_memory_limit(). - Fixed missing newline when writing out drop-ins. - Coding style updates to use "val > 0" instead of "val". - Minor updates to documentation.
2016-05-27 18:10:18 +02:00
if (streq(lvalue, "MemoryLow"))
c->memory_low = bytes;
else if (streq(lvalue, "MemoryHigh"))
c->memory_high = bytes;
else if (streq(lvalue, "MemoryMax"))
c->memory_max = bytes;
core: introduce MemorySwapMax= Similar to MemoryMax=, MemorySwapMax= limits swap usage. This controls controls "memory.swap.max" attribute in unified cgroup.
2016-07-04 09:03:54 +02:00
else if (streq(lvalue, "MemorySwapMax"))
c->memory_swap_max = bytes;
else if (streq(lvalue, "MemoryLimit"))
core: add cgroup memory controller support on the unified hierarchy (#3315) On the unified hierarchy, memory controller implements three control knobs - low, high and max which enables more useable and versatile control over memory usage. This patch implements support for the three control knobs. * MemoryLow, MemoryHigh and MemoryMax are added for memory.low, memory.high and memory.max, respectively. * As all absolute limits on the unified hierarchy use "max" for no limit, make memory limit parse functions accept "max" in addition to "infinity" and document "max" for the new knobs. * Implement compatibility translation between MemoryMax and MemoryLimit. v2: - Fixed missing else's in config_parse_memory_limit(). - Fixed missing newline when writing out drop-ins. - Coding style updates to use "val > 0" instead of "val". - Minor updates to documentation.
2016-05-27 18:10:18 +02:00
c->memory_limit = bytes;
core: introduce MemorySwapMax= Similar to MemoryMax=, MemorySwapMax= limits swap usage. This controls controls "memory.swap.max" attribute in unified cgroup.
2016-07-04 09:03:54 +02:00
else
return -EINVAL;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
core: add support for the "pids" cgroup controller This adds support for the new "pids" cgroup controller of 4.3 kernels. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new setting TasksAccounting= and TasksMax= to each unit, as well as a gloabl option DefaultTasksAccounting=. This also updated "cgtop" to optionally make use of the new kernel-provided accounting. systemctl has been updated to show the number of tasks for each service if it is available. This patch also adds correct support for undoing memory limits for units using a MemoryLimit=infinity syntax. We do the same for TasksMax= now and hence keep things in sync here.
2015-09-10 12:32:16 +02:00
int config_parse_tasks_max(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
logind: update empty and "infinity" handling for [User]TasksMax (#3835) The parsing functions for [User]TasksMax were inconsistent. Empty string and "infinity" were interpreted as no limit for TasksMax but not accepted for UserTasksMax. Update them so that they're consistent with other knobs. * Empty string indicates the default value. * "infinity" indicates no limit. While at it, replace opencoded (uint64_t) -1 with CGROUP_LIMIT_MAX in TasksMax handling. v2: Update empty string to indicate the default value as suggested by Zbigniew Jędrzejewski-Szmek. v3: Fixed empty UserTasksMax handling.
2016-08-19 04:57:53 +02:00
uint64_t *tasks_max = data, v;
Unit *u = userdata;
core: add support for the "pids" cgroup controller This adds support for the new "pids" cgroup controller of 4.3 kernels. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new setting TasksAccounting= and TasksMax= to each unit, as well as a gloabl option DefaultTasksAccounting=. This also updated "cgtop" to optionally make use of the new kernel-provided accounting. systemctl has been updated to show the number of tasks for each service if it is available. This patch also adds correct support for undoing memory limits for units using a MemoryLimit=infinity syntax. We do the same for TasksMax= now and hence keep things in sync here.
2015-09-10 12:32:16 +02:00
int r;
logind: update empty and "infinity" handling for [User]TasksMax (#3835) The parsing functions for [User]TasksMax were inconsistent. Empty string and "infinity" were interpreted as no limit for TasksMax but not accepted for UserTasksMax. Update them so that they're consistent with other knobs. * Empty string indicates the default value. * "infinity" indicates no limit. While at it, replace opencoded (uint64_t) -1 with CGROUP_LIMIT_MAX in TasksMax handling. v2: Update empty string to indicate the default value as suggested by Zbigniew Jędrzejewski-Szmek. v3: Fixed empty UserTasksMax handling.
2016-08-19 04:57:53 +02:00
if (isempty(rvalue)) {
*tasks_max = u->manager->default_tasks_max;
return 0;
}
if (streq(rvalue, "infinity")) {
*tasks_max = CGROUP_LIMIT_MAX;
core: add support for the "pids" cgroup controller This adds support for the new "pids" cgroup controller of 4.3 kernels. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new setting TasksAccounting= and TasksMax= to each unit, as well as a gloabl option DefaultTasksAccounting=. This also updated "cgtop" to optionally make use of the new kernel-provided accounting. systemctl has been updated to show the number of tasks for each service if it is available. This patch also adds correct support for undoing memory limits for units using a MemoryLimit=infinity syntax. We do the same for TasksMax= now and hence keep things in sync here.
2015-09-10 12:32:16 +02:00
return 0;
}
core: support percentage specifications on TasksMax= This adds support for a TasksMax=40% syntax for specifying values relative to the system's configured maximum number of processes. This is useful in order to neatly subdivide the available room for tasks within containers.
2016-07-19 15:58:49 +02:00
r = parse_percent(rvalue);
if (r < 0) {
logind: update empty and "infinity" handling for [User]TasksMax (#3835) The parsing functions for [User]TasksMax were inconsistent. Empty string and "infinity" were interpreted as no limit for TasksMax but not accepted for UserTasksMax. Update them so that they're consistent with other knobs. * Empty string indicates the default value. * "infinity" indicates no limit. While at it, replace opencoded (uint64_t) -1 with CGROUP_LIMIT_MAX in TasksMax handling. v2: Update empty string to indicate the default value as suggested by Zbigniew Jędrzejewski-Szmek. v3: Fixed empty UserTasksMax handling.
2016-08-19 04:57:53 +02:00
r = safe_atou64(rvalue, &v);
core: support percentage specifications on TasksMax= This adds support for a TasksMax=40% syntax for specifying values relative to the system's configured maximum number of processes. This is useful in order to neatly subdivide the available room for tasks within containers.
2016-07-19 15:58:49 +02:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Maximum tasks value '%s' invalid. Ignoring.", rvalue);
return 0;
}
} else
logind: update empty and "infinity" handling for [User]TasksMax (#3835) The parsing functions for [User]TasksMax were inconsistent. Empty string and "infinity" were interpreted as no limit for TasksMax but not accepted for UserTasksMax. Update them so that they're consistent with other knobs. * Empty string indicates the default value. * "infinity" indicates no limit. While at it, replace opencoded (uint64_t) -1 with CGROUP_LIMIT_MAX in TasksMax handling. v2: Update empty string to indicate the default value as suggested by Zbigniew Jędrzejewski-Szmek. v3: Fixed empty UserTasksMax handling.
2016-08-19 04:57:53 +02:00
v = system_tasks_max_scale(r, 100U);
core: support percentage specifications on TasksMax= This adds support for a TasksMax=40% syntax for specifying values relative to the system's configured maximum number of processes. This is useful in order to neatly subdivide the available room for tasks within containers.
2016-07-19 15:58:49 +02:00
logind: update empty and "infinity" handling for [User]TasksMax (#3835) The parsing functions for [User]TasksMax were inconsistent. Empty string and "infinity" were interpreted as no limit for TasksMax but not accepted for UserTasksMax. Update them so that they're consistent with other knobs. * Empty string indicates the default value. * "infinity" indicates no limit. While at it, replace opencoded (uint64_t) -1 with CGROUP_LIMIT_MAX in TasksMax handling. v2: Update empty string to indicate the default value as suggested by Zbigniew Jędrzejewski-Szmek. v3: Fixed empty UserTasksMax handling.
2016-08-19 04:57:53 +02:00
if (v <= 0 || v >= UINT64_MAX) {
core: support percentage specifications on TasksMax= This adds support for a TasksMax=40% syntax for specifying values relative to the system's configured maximum number of processes. This is useful in order to neatly subdivide the available room for tasks within containers.
2016-07-19 15:58:49 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Maximum tasks value '%s' out of range. Ignoring.", rvalue);
core: add support for the "pids" cgroup controller This adds support for the new "pids" cgroup controller of 4.3 kernels. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new setting TasksAccounting= and TasksMax= to each unit, as well as a gloabl option DefaultTasksAccounting=. This also updated "cgtop" to optionally make use of the new kernel-provided accounting. systemctl has been updated to show the number of tasks for each service if it is available. This patch also adds correct support for undoing memory limits for units using a MemoryLimit=infinity syntax. We do the same for TasksMax= now and hence keep things in sync here.
2015-09-10 12:32:16 +02:00
return 0;
}
logind: update empty and "infinity" handling for [User]TasksMax (#3835) The parsing functions for [User]TasksMax were inconsistent. Empty string and "infinity" were interpreted as no limit for TasksMax but not accepted for UserTasksMax. Update them so that they're consistent with other knobs. * Empty string indicates the default value. * "infinity" indicates no limit. While at it, replace opencoded (uint64_t) -1 with CGROUP_LIMIT_MAX in TasksMax handling. v2: Update empty string to indicate the default value as suggested by Zbigniew Jędrzejewski-Szmek. v3: Fixed empty UserTasksMax handling.
2016-08-19 04:57:53 +02:00
*tasks_max = v;
core: add support for the "pids" cgroup controller This adds support for the new "pids" cgroup controller of 4.3 kernels. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new setting TasksAccounting= and TasksMax= to each unit, as well as a gloabl option DefaultTasksAccounting=. This also updated "cgtop" to optionally make use of the new kernel-provided accounting. systemctl has been updated to show the number of tasks for each service if it is available. This patch also adds correct support for undoing memory limits for units using a MemoryLimit=infinity syntax. We do the same for TasksMax= now and hence keep things in sync here.
2015-09-10 12:32:16 +02:00
return 0;
}
core: rework the Delegate= unit file setting to take a list of controller names Previously it was not possible to select which controllers to enable for a unit where Delegate=yes was set, as all controllers were enabled. With this change, this is made configurable, and thus delegation units can pick specifically what they want to manage themselves, and what they don't care about.
2017-11-09 15:29:34 +01:00
int config_parse_delegate(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
CGroupContext *c = data;
int r;
/* We either accept a boolean value, which may be used to turn on delegation for all controllers, or turn it
* off for all. Or it takes a list of controller names, in which case we add the specified controllers to the
* mask to delegate. */
core/cgroup: assigning empty string to Delegate= resets list of controllers (#7336) Before this, assigning empty string to Delegate= makes no change to the controller list. This is inconsistent to the other options that take list of strings. After this, when empty string is assigned to Delegate=, the list of controllers is reset. Such behavior is consistent to other options and useful for drop-in configs. Closes #7334.
2017-11-17 10:04:25 +01:00
if (isempty(rvalue)) {
c->delegate = true;
c->delegate_controllers = 0;
return 0;
}
core: rework the Delegate= unit file setting to take a list of controller names Previously it was not possible to select which controllers to enable for a unit where Delegate=yes was set, as all controllers were enabled. With this change, this is made configurable, and thus delegation units can pick specifically what they want to manage themselves, and what they don't care about.
2017-11-09 15:29:34 +01:00
r = parse_boolean(rvalue);
if (r < 0) {
const char *p = rvalue;
CGroupMask mask = 0;
for (;;) {
_cleanup_free_ char *word = NULL;
CGroupController cc;
r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES);
if (r == 0)
break;
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
return r;
}
cc = cgroup_controller_from_string(word);
if (cc < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Invalid controller name '%s', ignoring", rvalue);
continue;
}
mask |= CGROUP_CONTROLLER_TO_MASK(cc);
}
c->delegate = true;
c->delegate_controllers |= mask;
} else if (r > 0) {
c->delegate = true;
c->delegate_controllers = _CGROUP_MASK_ALL;
} else {
c->delegate = false;
c->delegate_controllers = 0;
}
return 0;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
int config_parse_device_allow(
const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
load-fragment: Resolve specifiers in DeviceAllow (#3019) Closes #1602
2016-04-12 18:00:19 +02:00
_cleanup_free_ char *path = NULL, *t = NULL;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
CGroupContext *c = data;
CGroupDeviceAllow *a;
load-fragment: Resolve specifiers in DeviceAllow (#3019) Closes #1602
2016-04-12 18:00:19 +02:00
const char *m = NULL;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
size_t n;
load-fragment: Resolve specifiers in DeviceAllow (#3019) Closes #1602
2016-04-12 18:00:19 +02:00
int r;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
if (isempty(rvalue)) {
while (c->device_allow)
cgroup_context_free_device_allow(c, c->device_allow);
return 0;
}
load-fragment: Resolve specifiers in DeviceAllow (#3019) Closes #1602
2016-04-12 18:00:19 +02:00
r = unit_full_printf(userdata, rvalue, &t);
*: fix some inconsistent control statement style
2017-12-02 01:49:52 +01:00
if (r < 0) {
load-fragment: Resolve specifiers in DeviceAllow (#3019) Closes #1602
2016-04-12 18:00:19 +02:00
log_syntax(unit, LOG_WARNING, filename, line, r,
"Failed to resolve specifiers in %s, ignoring: %m",
rvalue);
shared/conf-parser: fix crash when specifiers cannot be resolved in config_parse_device_allow() oss-fuzz #6885.
2018-03-13 12:25:06 +01:00
return 0;
load-fragment: Resolve specifiers in DeviceAllow (#3019) Closes #1602
2016-04-12 18:00:19 +02:00
}
n = strcspn(t, WHITESPACE);
path = strndup(t, n);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
if (!path)
return log_oom();
cgroup: IODeviceWeight= or friends can take device node files in /run/systemd/inaccessible/ systemd creates several device nodes in /run/systemd/inaccessible/. This makes CGroup's settings related to IO can take device node files in the directory.
2017-12-23 11:10:24 +01:00
if (!is_deviceallow_pattern(path) &&
!path_startswith(path, "/run/systemd/inaccessible/")) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid device node path '%s'. Ignoring.", path);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
load-fragment: Resolve specifiers in DeviceAllow (#3019) Closes #1602
2016-04-12 18:00:19 +02:00
m = t + n + strspn(t + n, WHITESPACE);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
if (isempty(m))
m = "rwm";
if (!in_charset(m, "rwm")) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid device rights '%s'. Ignoring.", m);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
a = new0(CGroupDeviceAllow, 1);
if (!a)
return log_oom();
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
a->path = TAKE_PTR(path);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
a->r = !!strchr(m, 'r');
a->w = !!strchr(m, 'w');
a->m = !!strchr(m, 'm');
list: make our list macros a bit easier to use by not requring type spec on each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.
2013-10-14 06:10:14 +02:00
LIST_PREPEND(device_allow, c->device_allow, a);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
int config_parse_io_weight(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
uint64_t *weight = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
r = cg_weight_parse(rvalue, weight);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "IO weight '%s' invalid. Ignoring.", rvalue);
return 0;
}
return 0;
}
int config_parse_io_device_weight(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *path = NULL;
CGroupIODeviceWeight *w;
CGroupContext *c = data;
const char *weight;
uint64_t u;
size_t n;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
if (isempty(rvalue)) {
while (c->io_device_weights)
cgroup_context_free_io_device_weight(c, c->io_device_weights);
return 0;
}
n = strcspn(rvalue, WHITESPACE);
weight = rvalue + n;
weight += strspn(weight, WHITESPACE);
if (isempty(weight)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Expected block device and device weight. Ignoring.");
return 0;
}
path = strndup(rvalue, n);
if (!path)
return log_oom();
cgroup: IODeviceWeight= or friends can take device node files in /run/systemd/inaccessible/ systemd creates several device nodes in /run/systemd/inaccessible/. This makes CGroup's settings related to IO can take device node files in the directory.
2017-12-23 11:10:24 +01:00
if (!path_startswith(path, "/dev") &&
!path_startswith(path, "/run/systemd/inaccessible/")) {
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid device node path '%s'. Ignoring.", path);
return 0;
}
r = cg_weight_parse(weight, &u);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "IO weight '%s' invalid. Ignoring.", weight);
return 0;
}
assert(u != CGROUP_WEIGHT_INVALID);
w = new0(CGroupIODeviceWeight, 1);
if (!w)
return log_oom();
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
w->path = TAKE_PTR(path);
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
w->weight = u;
LIST_PREPEND(device_weights, c->io_device_weights, w);
return 0;
}
int config_parse_io_limit(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *path = NULL;
CGroupIODeviceLimit *l = NULL, *t;
CGroupContext *c = data;
core: introduce CGroupIOLimitType enums Currently, there are two cgroup IO limits, bandwidth max for read and write, and they are hard-coded in various places. This is fine for two limits but IO is expected to grow more limits - low, high and max limits for bandwidth and IOPS - and hard-coding each limit won't make sense. This patch replaces hard-coded limits with an array indexed by CGroupIOLimitType and accompanying string and default value tables so that new limits can be added trivially.
2016-05-18 22:50:56 +02:00
CGroupIOLimitType type;
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
const char *limit;
uint64_t num;
size_t n;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
core: introduce CGroupIOLimitType enums Currently, there are two cgroup IO limits, bandwidth max for read and write, and they are hard-coded in various places. This is fine for two limits but IO is expected to grow more limits - low, high and max limits for bandwidth and IOPS - and hard-coding each limit won't make sense. This patch replaces hard-coded limits with an array indexed by CGroupIOLimitType and accompanying string and default value tables so that new limits can be added trivially.
2016-05-18 22:50:56 +02:00
type = cgroup_io_limit_type_from_string(lvalue);
assert(type >= 0);
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
if (isempty(rvalue)) {
LIST_FOREACH(device_limits, l, c->io_device_limits)
core: introduce CGroupIOLimitType enums Currently, there are two cgroup IO limits, bandwidth max for read and write, and they are hard-coded in various places. This is fine for two limits but IO is expected to grow more limits - low, high and max limits for bandwidth and IOPS - and hard-coding each limit won't make sense. This patch replaces hard-coded limits with an array indexed by CGroupIOLimitType and accompanying string and default value tables so that new limits can be added trivially.
2016-05-18 22:50:56 +02:00
l->limits[type] = cgroup_io_limit_defaults[type];
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
return 0;
}
n = strcspn(rvalue, WHITESPACE);
limit = rvalue + n;
limit += strspn(limit, WHITESPACE);
if (!*limit) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Expected space separated pair of device node and bandwidth. Ignoring.");
return 0;
}
path = strndup(rvalue, n);
if (!path)
return log_oom();
cgroup: IODeviceWeight= or friends can take device node files in /run/systemd/inaccessible/ systemd creates several device nodes in /run/systemd/inaccessible/. This makes CGroup's settings related to IO can take device node files in the directory.
2017-12-23 11:10:24 +01:00
if (!path_startswith(path, "/dev") &&
!path_startswith(path, "/run/systemd/inaccessible/")) {
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid device node path '%s'. Ignoring.", path);
return 0;
}
core: always use "infinity" for no upper limit instead of "max" (#3417) Recently added cgroup unified hierarchy support uses "max" in configurations for no upper limit. While consistent with what the kernel uses for no upper limit, it is inconsistent with what systemd uses for other controllers such as memory or pids. There's no point in introducing another term. Update cgroup unified hierarchy support so that "infinity" is the only term that systemd uses for no upper limit.
2016-06-03 17:49:05 +02:00
if (streq("infinity", limit)) {
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
num = CGROUP_LIMIT_MAX;
} else {
r = parse_size(limit, 1000, &num);
if (r < 0 || num <= 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "IO Limit '%s' invalid. Ignoring.", rvalue);
return 0;
}
}
LIST_FOREACH(device_limits, t, c->io_device_limits) {
if (path_equal(path, t->path)) {
l = t;
break;
}
}
if (!l) {
core: introduce CGroupIOLimitType enums Currently, there are two cgroup IO limits, bandwidth max for read and write, and they are hard-coded in various places. This is fine for two limits but IO is expected to grow more limits - low, high and max limits for bandwidth and IOPS - and hard-coding each limit won't make sense. This patch replaces hard-coded limits with an array indexed by CGroupIOLimitType and accompanying string and default value tables so that new limits can be added trivially.
2016-05-18 22:50:56 +02:00
CGroupIOLimitType ttype;
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
l = new0(CGroupIODeviceLimit, 1);
if (!l)
return log_oom();
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
l->path = TAKE_PTR(path);
core: introduce CGroupIOLimitType enums Currently, there are two cgroup IO limits, bandwidth max for read and write, and they are hard-coded in various places. This is fine for two limits but IO is expected to grow more limits - low, high and max limits for bandwidth and IOPS - and hard-coding each limit won't make sense. This patch replaces hard-coded limits with an array indexed by CGroupIOLimitType and accompanying string and default value tables so that new limits can be added trivially.
2016-05-18 22:50:56 +02:00
for (ttype = 0; ttype < _CGROUP_IO_LIMIT_TYPE_MAX; ttype++)
l->limits[ttype] = cgroup_io_limit_defaults[ttype];
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
LIST_PREPEND(device_limits, c->io_device_limits, l);
}
core: introduce CGroupIOLimitType enums Currently, there are two cgroup IO limits, bandwidth max for read and write, and they are hard-coded in various places. This is fine for two limits but IO is expected to grow more limits - low, high and max limits for bandwidth and IOPS - and hard-coding each limit won't make sense. This patch replaces hard-coded limits with an array indexed by CGroupIOLimitType and accompanying string and default value tables so that new limits can be added trivially.
2016-05-18 22:50:56 +02:00
l->limits[type] = num;
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
return 0;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
int config_parse_blockio_weight(
const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.
2015-09-11 16:48:24 +02:00
uint64_t *weight = data;
core: add startup resource control option Similar to CPUShares= and BlockIOWeight= respectively. However only assign the specified weight during startup. Each control group attribute is re-assigned as weight by CPUShares=weight and BlockIOWeight=weight after startup. If not CPUShares= or BlockIOWeight= be specified, then the attribute is re-assigned to each default attribute value. (default cpu.shares=1024, blkio.weight=1000) If only CPUShares=weight or BlockIOWeight=weight be specified, then that implies StartupCPUShares=weight and StartupBlockIOWeight=weight.
2014-05-15 17:09:34 +02:00
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.
2015-09-11 16:48:24 +02:00
r = cg_blkio_weight_parse(rvalue, weight);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Block IO weight '%s' invalid. Ignoring.", rvalue);
core: add startup resource control option Similar to CPUShares= and BlockIOWeight= respectively. However only assign the specified weight during startup. Each control group attribute is re-assigned as weight by CPUShares=weight and BlockIOWeight=weight after startup. If not CPUShares= or BlockIOWeight= be specified, then the attribute is re-assigned to each default attribute value. (default cpu.shares=1024, blkio.weight=1000) If only CPUShares=weight or BlockIOWeight=weight be specified, then that implies StartupCPUShares=weight and StartupBlockIOWeight=weight.
2014-05-15 17:09:34 +02:00
return 0;
}
cgroup: split out per-device BlockIOWeight= setting into BlockIODeviceWeight= This way we can nicely map the configuration directive to properties and back, without requiring two different signatures for the same property.
2013-07-11 20:40:18 +02:00
return 0;
}
int config_parse_blockio_device_weight(
const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
cgroup: split out per-device BlockIOWeight= setting into BlockIODeviceWeight= This way we can nicely map the configuration directive to properties and back, without requiring two different signatures for the same property.
2013-07-11 20:40:18 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
_cleanup_free_ char *path = NULL;
cgroup: split out per-device BlockIOWeight= setting into BlockIODeviceWeight= This way we can nicely map the configuration directive to properties and back, without requiring two different signatures for the same property.
2013-07-11 20:40:18 +02:00
CGroupBlockIODeviceWeight *w;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
CGroupContext *c = data;
const char *weight;
core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.
2015-09-11 16:48:24 +02:00
uint64_t u;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
size_t n;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
if (isempty(rvalue)) {
while (c->blockio_device_weights)
cgroup_context_free_blockio_device_weight(c, c->blockio_device_weights);
return 0;
}
n = strcspn(rvalue, WHITESPACE);
weight = rvalue + n;
core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.
2015-09-11 16:48:24 +02:00
weight += strspn(weight, WHITESPACE);
if (isempty(weight)) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Expected block device and device weight. Ignoring.");
cgroup: split out per-device BlockIOWeight= setting into BlockIODeviceWeight= This way we can nicely map the configuration directive to properties and back, without requiring two different signatures for the same property.
2013-07-11 20:40:18 +02:00
return 0;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
cgroup: split out per-device BlockIOWeight= setting into BlockIODeviceWeight= This way we can nicely map the configuration directive to properties and back, without requiring two different signatures for the same property.
2013-07-11 20:40:18 +02:00
path = strndup(rvalue, n);
if (!path)
return log_oom();
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
cgroup: IODeviceWeight= or friends can take device node files in /run/systemd/inaccessible/ systemd creates several device nodes in /run/systemd/inaccessible/. This makes CGroup's settings related to IO can take device node files in the directory.
2017-12-23 11:10:24 +01:00
if (!path_startswith(path, "/dev") &&
!path_startswith(path, "/run/systemd/inaccessible/")) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid device node path '%s'. Ignoring.", path);
cgroup: split out per-device BlockIOWeight= setting into BlockIODeviceWeight= This way we can nicely map the configuration directive to properties and back, without requiring two different signatures for the same property.
2013-07-11 20:40:18 +02:00
return 0;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.
2015-09-11 16:48:24 +02:00
r = cg_blkio_weight_parse(weight, &u);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Block IO weight '%s' invalid. Ignoring.", weight);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.
2015-09-11 16:48:24 +02:00
assert(u != CGROUP_BLKIO_WEIGHT_INVALID);
cgroup: split out per-device BlockIOWeight= setting into BlockIODeviceWeight= This way we can nicely map the configuration directive to properties and back, without requiring two different signatures for the same property.
2013-07-11 20:40:18 +02:00
w = new0(CGroupBlockIODeviceWeight, 1);
if (!w)
return log_oom();
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
w->path = TAKE_PTR(path);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.
2015-09-11 16:48:24 +02:00
w->weight = u;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
list: make our list macros a bit easier to use by not requring type spec on each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.
2013-10-14 06:10:14 +02:00
LIST_PREPEND(device_weights, c->blockio_device_weights, w);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
int config_parse_blockio_bandwidth(
const char *unit,
const char *filename,
unsigned line,
const char *section,
conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two
2013-11-19 16:17:55 +01:00
unsigned section_line,
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *path = NULL;
core: update CGroupBlockIODeviceBandwidth to record both rbps and wbps CGroupBlockIODeviceBandwith is used to keep track of IO bandwidth limits for legacy cgroup hierarchies. Unlike the unified hierarchy counterpart CGroupIODeviceLimit, a CGroupBlockIODeviceBandwiddth records either a read or write limit and has a couple issues. * There's no way to clear specific config entry. * When configs are cleared for an IO direction of a unit, the kernel settings aren't cleared accordingly creating discrepancies. This patch updates CGroupBlockIODeviceBandwidth so that it behaves similarly to CGroupIODeviceLimit - each entry records both rbps and wbps limits and is cleared if both are at default values after kernel settings are updated.
2016-05-18 22:51:46 +02:00
CGroupBlockIODeviceBandwidth *b = NULL, *t;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
CGroupContext *c = data;
const char *bandwidth;
tree-wide: never use the off_t unless glibc makes us use it off_t is a really weird type as it is usually 64bit these days (at least in sane programs), but could theoretically be 32bit. We don't support off_t as 32bit builds though, but still constantly deal with safely converting from off_t to other types and back for no point. Hence, never use the type anymore. Always use uint64_t instead. This has various benefits, including that we can expose these values directly as D-Bus properties, and also that the values parse the same in all cases.
2015-09-10 18:16:18 +02:00
uint64_t bytes;
blkio bandwidth: don't clean up all of entries in blockio_device_bandwidths list if we get BlockIOReadBandwidth="", we should only remove the read-bandwidth-entries in blockio_device_bandwidths list.
2013-08-30 04:56:00 +02:00
bool read;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
size_t n;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
blkio bandwidth: don't clean up all of entries in blockio_device_bandwidths list if we get BlockIOReadBandwidth="", we should only remove the read-bandwidth-entries in blockio_device_bandwidths list.
2013-08-30 04:56:00 +02:00
read = streq("BlockIOReadBandwidth", lvalue);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
if (isempty(rvalue)) {
core: update CGroupBlockIODeviceBandwidth to record both rbps and wbps CGroupBlockIODeviceBandwith is used to keep track of IO bandwidth limits for legacy cgroup hierarchies. Unlike the unified hierarchy counterpart CGroupIODeviceLimit, a CGroupBlockIODeviceBandwiddth records either a read or write limit and has a couple issues. * There's no way to clear specific config entry. * When configs are cleared for an IO direction of a unit, the kernel settings aren't cleared accordingly creating discrepancies. This patch updates CGroupBlockIODeviceBandwidth so that it behaves similarly to CGroupIODeviceLimit - each entry records both rbps and wbps limits and is cleared if both are at default values after kernel settings are updated.
2016-05-18 22:51:46 +02:00
LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths) {
b->rbps = CGROUP_LIMIT_MAX;
b->wbps = CGROUP_LIMIT_MAX;
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
n = strcspn(rvalue, WHITESPACE);
bandwidth = rvalue + n;
bandwidth += strspn(bandwidth, WHITESPACE);
if (!*bandwidth) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Expected space separated pair of device node and bandwidth. Ignoring.");
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
path = strndup(rvalue, n);
if (!path)
return log_oom();
cgroup: IODeviceWeight= or friends can take device node files in /run/systemd/inaccessible/ systemd creates several device nodes in /run/systemd/inaccessible/. This makes CGroup's settings related to IO can take device node files in the directory.
2017-12-23 11:10:24 +01:00
if (!path_startswith(path, "/dev") &&
!path_startswith(path, "/run/systemd/inaccessible/")) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid device node path '%s'. Ignoring.", path);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
core: clean up some confusing regarding SI decimal and IEC binary suffixes for sizes According to Wikipedia it is customary to specify hardware metrics and transfer speeds to the basis 1000 (SI decimal), while software metrics and physical volatile memory (RAM) sizes to the basis 1024 (IEC binary). So far we specified everything in IEC, let's fix that and be more true to what's otherwise customary. Since we don't want to parse "Mi" instead of "M" we document each time what the context used is.
2014-02-23 03:13:54 +01:00
r = parse_size(bandwidth, 1000, &bytes);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
if (r < 0 || bytes <= 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Block IO Bandwidth '%s' invalid. Ignoring.", rvalue);
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
core: update CGroupBlockIODeviceBandwidth to record both rbps and wbps CGroupBlockIODeviceBandwith is used to keep track of IO bandwidth limits for legacy cgroup hierarchies. Unlike the unified hierarchy counterpart CGroupIODeviceLimit, a CGroupBlockIODeviceBandwiddth records either a read or write limit and has a couple issues. * There's no way to clear specific config entry. * When configs are cleared for an IO direction of a unit, the kernel settings aren't cleared accordingly creating discrepancies. This patch updates CGroupBlockIODeviceBandwidth so that it behaves similarly to CGroupIODeviceLimit - each entry records both rbps and wbps limits and is cleared if both are at default values after kernel settings are updated.
2016-05-18 22:51:46 +02:00
LIST_FOREACH(device_bandwidths, t, c->blockio_device_bandwidths) {
if (path_equal(path, t->path)) {
b = t;
break;
}
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
core: update CGroupBlockIODeviceBandwidth to record both rbps and wbps CGroupBlockIODeviceBandwith is used to keep track of IO bandwidth limits for legacy cgroup hierarchies. Unlike the unified hierarchy counterpart CGroupIODeviceLimit, a CGroupBlockIODeviceBandwiddth records either a read or write limit and has a couple issues. * There's no way to clear specific config entry. * When configs are cleared for an IO direction of a unit, the kernel settings aren't cleared accordingly creating discrepancies. This patch updates CGroupBlockIODeviceBandwidth so that it behaves similarly to CGroupIODeviceLimit - each entry records both rbps and wbps limits and is cleared if both are at default values after kernel settings are updated.
2016-05-18 22:51:46 +02:00
if (!t) {
b = new0(CGroupBlockIODeviceBandwidth, 1);
if (!b)
return log_oom();
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
b->path = TAKE_PTR(path);
core: update CGroupBlockIODeviceBandwidth to record both rbps and wbps CGroupBlockIODeviceBandwith is used to keep track of IO bandwidth limits for legacy cgroup hierarchies. Unlike the unified hierarchy counterpart CGroupIODeviceLimit, a CGroupBlockIODeviceBandwiddth records either a read or write limit and has a couple issues. * There's no way to clear specific config entry. * When configs are cleared for an IO direction of a unit, the kernel settings aren't cleared accordingly creating discrepancies. This patch updates CGroupBlockIODeviceBandwidth so that it behaves similarly to CGroupIODeviceLimit - each entry records both rbps and wbps limits and is cleared if both are at default values after kernel settings are updated.
2016-05-18 22:51:46 +02:00
b->rbps = CGROUP_LIMIT_MAX;
b->wbps = CGROUP_LIMIT_MAX;
LIST_PREPEND(device_bandwidths, c->blockio_device_bandwidths, b);
}
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
core: update CGroupBlockIODeviceBandwidth to record both rbps and wbps CGroupBlockIODeviceBandwith is used to keep track of IO bandwidth limits for legacy cgroup hierarchies. Unlike the unified hierarchy counterpart CGroupIODeviceLimit, a CGroupBlockIODeviceBandwiddth records either a read or write limit and has a couple issues. * There's no way to clear specific config entry. * When configs are cleared for an IO direction of a unit, the kernel settings aren't cleared accordingly creating discrepancies. This patch updates CGroupBlockIODeviceBandwidth so that it behaves similarly to CGroupIODeviceLimit - each entry records both rbps and wbps limits and is cleared if both are at default values after kernel settings are updated.
2016-05-18 22:51:46 +02:00
if (read)
b->rbps = bytes;
else
b->wbps = bytes;
core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-27 04:14:27 +02:00
return 0;
}
core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable
2013-11-26 01:39:53 +01:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_job_mode, job_mode, JobMode, "Failed to parse job mode");
int config_parse_job_mode_isolate(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
JobMode *m = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
r = parse_boolean(rvalue);
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse boolean, ignoring: %s", rvalue);
core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable
2013-11-26 01:39:53 +01:00
return 0;
}
load-fragment: obsolete OnFailureIsolate=
2017-12-29 09:00:40 +01:00
log_notice("%s is deprecated. Please use OnFailureJobMode= instead", lvalue);
core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable
2013-11-26 01:39:53 +01:00
*m = r ? JOB_ISOLATE : JOB_REPLACE;
return 0;
}
core: allow preserving contents of RuntimeDirectory= over process restart This introduces RuntimeDirectoryPreserve= option which takes a boolean argument or 'restart'. Closes #6087.
2017-07-17 09:22:25 +02:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_runtime_preserve_mode, exec_preserve_mode, ExecPreserveMode, "Failed to parse runtime directory preserve mode");
core: add {State,Cache,Log,Configuration}Directory= (#6384) This introduces {State,Cache,Log,Configuration}Directory= those are similar to RuntimeDirectory=. They create the directories under /var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode specified in {State,Cache,Log,Configuration}DirectoryMode=. This also fixes #6391.
2017-07-18 14:34:52 +02:00
int config_parse_exec_directories(
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Reject invalid quoted strings String which ended in an unfinished quote were accepted, potentially with bad memory accesses. Reject anything which ends in a unfished quote, or contains non-whitespace characters right after the closing quote. _FOREACH_WORD now returns the invalid character in *state. But this return value is not checked anywhere yet. Also, make 'word' and 'state' variables const pointers, and rename 'w' to 'word' in various places. Things are easier to read if the same name is used consistently. mbiebl_> am I correct that something like this doesn't work mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"' mbiebl_> systemd seems to strip of the quotes mbiebl_> systemctl status shows mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint mbiebl_> which is pretty weird
2014-07-30 04:01:36 +02:00
char***rt = data;
load-fragment: resolve specifiers in RuntimeDirectory
2015-09-17 22:54:13 +02:00
Unit *u = userdata;
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
const char *p;
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
/* Empty assignment resets the list */
tree-wide: make use of the fact that strv_free() returns NULL Another Coccinelle patch.
2015-09-09 23:05:10 +02:00
*rt = strv_free(*rt);
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
return 0;
}
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
for (p = rvalue;;) {
_cleanup_free_ char *word = NULL, *k = NULL;
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES);
if (r == -ENOMEM)
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
return log_oom();
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax, ignoring: %s", rvalue);
return 0;
}
core: fix StateDirectory= (and friends) safety checks when decoding transient unit properties Let's make sure relative directories such as "foo/bar" are accepted, by using the same validation checks as in unit file parsing.
2017-10-02 10:50:07 +02:00
if (r == 0)
return 0;
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
core: use unit_full_printf() at a couple of locations we used unit_name_printf() before For settings that are not taking unit names there's no reason to use unit_name_printf(). Use unit_full_printf() instead, as the names are validated anyway in one form or another after expansion.
2016-12-05 19:25:44 +01:00
r = unit_full_printf(u, word, &k);
load-fragment: resolve specifiers in RuntimeDirectory
2015-09-17 22:54:13 +02:00
if (r < 0) {
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve specifiers in \"%s\", ignoring: %m", word);
load-fragment: resolve specifiers in RuntimeDirectory
2015-09-17 22:54:13 +02:00
continue;
}
fs-util: rename path_is_safe() → path_is_normalized() Already, path_is_safe() refused paths container the "." dir. Doing that isn't strictly necessary to be "safe" by most definitions of the word. But it is necessary in order to consider a path "normalized". Hence, "path_is_safe()" is slightly misleading a name, but "path_is_normalize()" is more descriptive, hence let's rename things accordingly. No functional changes.
2017-10-27 16:28:15 +02:00
if (!path_is_normalized(k) || path_is_absolute(k)) {
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0,
core: fix StateDirectory= (and friends) safety checks when decoding transient unit properties Let's make sure relative directories such as "foo/bar" are accepted, by using the same validation checks as in unit file parsing.
2017-10-02 10:50:07 +02:00
"%s= path is not valid, ignoring assignment: %s", lvalue, rvalue);
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
continue;
}
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
r = strv_push(rt, k);
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
if (r < 0)
return log_oom();
core/load-fragment: port to extract_first_word
2016-10-28 02:15:22 +02:00
k = NULL;
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03 17:14:07 +01:00
}
}
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
int config_parse_set_status(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
size_t l;
Reject invalid quoted strings String which ended in an unfinished quote were accepted, potentially with bad memory accesses. Reject anything which ends in a unfished quote, or contains non-whitespace characters right after the closing quote. _FOREACH_WORD now returns the invalid character in *state. But this return value is not checked anywhere yet. Also, make 'word' and 'state' variables const pointers, and rename 'w' to 'word' in various places. Things are easier to read if the same name is used consistently. mbiebl_> am I correct that something like this doesn't work mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"' mbiebl_> systemd seems to strip of the quotes mbiebl_> systemctl status shows mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint mbiebl_> which is pretty weird
2014-07-30 04:01:36 +02:00
const char *word, *state;
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
int r;
ExitStatusSet *status_set = data;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
exit-status: rename ExitStatusSet's "code" field to "status" We should follow the naming scheme waitid() uses, not come up with our own reversed one...
2014-07-03 15:36:50 +02:00
/* Empty assignment resets the list */
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
if (isempty(rvalue)) {
exit-status: rename ExitStatusSet's "code" field to "status" We should follow the naming scheme waitid() uses, not come up with our own reversed one...
2014-07-03 15:36:50 +02:00
exit_status_set_free(status_set);
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
return 0;
}
Reject invalid quoted strings String which ended in an unfinished quote were accepted, potentially with bad memory accesses. Reject anything which ends in a unfished quote, or contains non-whitespace characters right after the closing quote. _FOREACH_WORD now returns the invalid character in *state. But this return value is not checked anywhere yet. Also, make 'word' and 'state' variables const pointers, and rename 'w' to 'word' in various places. Things are easier to read if the same name is used consistently. mbiebl_> am I correct that something like this doesn't work mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"' mbiebl_> systemd seems to strip of the quotes mbiebl_> systemctl status shows mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint mbiebl_> which is pretty weird
2014-07-30 04:01:36 +02:00
FOREACH_WORD(word, l, rvalue, state) {
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
_cleanup_free_ char *temp;
int val;
config_parse_set_status: put signals in the correct set This was broken when the code was rearranged in "1e2fd62d70ff core/load-fragment.c: correct argument sign and split up long lines"
2015-01-30 09:49:55 +01:00
Set **set;
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
Reject invalid quoted strings String which ended in an unfinished quote were accepted, potentially with bad memory accesses. Reject anything which ends in a unfished quote, or contains non-whitespace characters right after the closing quote. _FOREACH_WORD now returns the invalid character in *state. But this return value is not checked anywhere yet. Also, make 'word' and 'state' variables const pointers, and rename 'w' to 'word' in various places. Things are easier to read if the same name is used consistently. mbiebl_> am I correct that something like this doesn't work mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"' mbiebl_> systemd seems to strip of the quotes mbiebl_> systemctl status shows mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint mbiebl_> which is pretty weird
2014-07-30 04:01:36 +02:00
temp = strndup(word, l);
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
if (!temp)
return log_oom();
r = safe_atoi(temp, &val);
if (r < 0) {
val = signal_from_string_try_harder(temp);
core/load-fragment.c: correct argument sign and split up long lines With everything on one line they are just harder to read.
2014-07-31 09:38:05 +02:00
if (val <= 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse value, ignoring: %s", word);
config_parse_set_status: put signals in the correct set This was broken when the code was rearranged in "1e2fd62d70ff core/load-fragment.c: correct argument sign and split up long lines"
2015-01-30 09:49:55 +01:00
continue;
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
}
config_parse_set_status: put signals in the correct set This was broken when the code was rearranged in "1e2fd62d70ff core/load-fragment.c: correct argument sign and split up long lines"
2015-01-30 09:49:55 +01:00
set = &status_set->signal;
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
} else {
core/load-fragment.c: correct argument sign and split up long lines With everything on one line they are just harder to read.
2014-07-31 09:38:05 +02:00
if (val < 0 || val > 255) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Value %d is outside range 0-255, ignoring", val);
core/load-fragment.c: correct argument sign and split up long lines With everything on one line they are just harder to read.
2014-07-31 09:38:05 +02:00
continue;
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
}
config_parse_set_status: put signals in the correct set This was broken when the code was rearranged in "1e2fd62d70ff core/load-fragment.c: correct argument sign and split up long lines"
2015-01-30 09:49:55 +01:00
set = &status_set->status;
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
}
core/load-fragment.c: correct argument sign and split up long lines With everything on one line they are just harder to read.
2014-07-31 09:38:05 +02:00
config_parse_set_status: put signals in the correct set This was broken when the code was rearranged in "1e2fd62d70ff core/load-fragment.c: correct argument sign and split up long lines"
2015-01-30 09:49:55 +01:00
r = set_ensure_allocated(set, NULL);
core/load-fragment.c: correct argument sign and split up long lines With everything on one line they are just harder to read.
2014-07-31 09:38:05 +02:00
if (r < 0)
return log_oom();
config_parse_set_status: put signals in the correct set This was broken when the code was rearranged in "1e2fd62d70ff core/load-fragment.c: correct argument sign and split up long lines"
2015-01-30 09:49:55 +01:00
r = set_put(*set, INT_TO_PTR(val));
core/load-fragment.c: correct argument sign and split up long lines With everything on one line they are just harder to read.
2014-07-31 09:38:05 +02:00
if (r < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, r, "Unable to store: %s", word);
core/load-fragment.c: correct argument sign and split up long lines With everything on one line they are just harder to read.
2014-07-31 09:38:05 +02:00
return r;
}
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
}
Properly report invalid quoted strings $ systemd-analyze verify trailing-g.service [./trailing-g.service:2] Trailing garbage, ignoring. trailing-g.service lacks ExecStart setting. Refusing. Error: org.freedesktop.systemd1.LoadFailed: Unit trailing-g.service failed to load: Invalid argument. Failed to create trailing-g.service/start: Invalid argument
2014-07-31 09:28:37 +02:00
if (!isempty(state))
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring.");
core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].
2014-03-03 21:26:53 +01:00
return 0;
}
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
int config_parse_namespace_path_strv(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
core: add specifier expansion to ReadOnlyPaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around...
2016-12-05 19:42:25 +01:00
Unit *u = userdata;
Reject invalid quoted strings String which ended in an unfinished quote were accepted, potentially with bad memory accesses. Reject anything which ends in a unfished quote, or contains non-whitespace characters right after the closing quote. _FOREACH_WORD now returns the invalid character in *state. But this return value is not checked anywhere yet. Also, make 'word' and 'state' variables const pointers, and rename 'w' to 'word' in various places. Things are easier to read if the same name is used consistently. mbiebl_> am I correct that something like this doesn't work mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"' mbiebl_> systemd seems to strip of the quotes mbiebl_> systemctl status shows mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint mbiebl_> which is pretty weird
2014-07-30 04:01:36 +02:00
char*** sv = data;
core: use extract_first_word for namespace parsing see https://github.com/systemd/systemd/pull/1632#issuecomment-149903791 We should port this loop over to extract_first_word(), too.
2015-10-22 22:28:28 +02:00
const char *cur;
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
/* Empty assignment resets the list */
tree-wide: make use of the fact that strv_free() returns NULL Another Coccinelle patch.
2015-09-09 23:05:10 +02:00
*sv = strv_free(*sv);
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
return 0;
}
core: add specifier expansion to ReadOnlyPaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around...
2016-12-05 19:42:25 +01:00
cur = rvalue;
core: use extract_first_word for namespace parsing see https://github.com/systemd/systemd/pull/1632#issuecomment-149903791 We should port this loop over to extract_first_word(), too.
2015-10-22 22:28:28 +02:00
for (;;) {
core: add specifier expansion to ReadOnlyPaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around...
2016-12-05 19:42:25 +01:00
_cleanup_free_ char *word = NULL, *resolved = NULL, *joined = NULL;
core: actually make "+" prefix in ReadOnlyPaths=, InaccessiblePaths=, ReadWritablePaths= work 5327c910d2fc1ae91bd0b891be92b30379c7467b claimed to add support for "+" for prefixing paths with the configured RootDirectory=. But actually it only implemented it in the backend, it did not add support for it to the configuration file parsers. Fix that now.
2016-12-23 01:16:43 +01:00
const char *w;
bool ignore_enoent = false, shall_prefix = false;
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
core: use extract_first_word for namespace parsing see https://github.com/systemd/systemd/pull/1632#issuecomment-149903791 We should port this loop over to extract_first_word(), too.
2015-10-22 22:28:28 +02:00
r = extract_first_word(&cur, &word, NULL, EXTRACT_QUOTES);
core: small fixes to parse_namespace * don't hide ENOMEM * log r instead of 0
2015-11-03 22:32:34 +01:00
if (r == 0)
break;
if (r == -ENOMEM)
return log_oom();
core: use extract_first_word for namespace parsing see https://github.com/systemd/systemd/pull/1632#issuecomment-149903791 We should port this loop over to extract_first_word(), too.
2015-10-22 22:28:28 +02:00
if (r < 0) {
core: add specifier expansion to ReadOnlyPaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around...
2016-12-05 19:42:25 +01:00
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to extract first word, ignoring: %s", rvalue);
core: use extract_first_word for namespace parsing see https://github.com/systemd/systemd/pull/1632#issuecomment-149903791 We should port this loop over to extract_first_word(), too.
2015-10-22 22:28:28 +02:00
return 0;
}
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
core: use extract_first_word for namespace parsing see https://github.com/systemd/systemd/pull/1632#issuecomment-149903791 We should port this loop over to extract_first_word(), too.
2015-10-22 22:28:28 +02:00
if (!utf8_is_valid(word)) {
log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, word);
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
continue;
}
core: actually make "+" prefix in ReadOnlyPaths=, InaccessiblePaths=, ReadWritablePaths= work 5327c910d2fc1ae91bd0b891be92b30379c7467b claimed to add support for "+" for prefixing paths with the configured RootDirectory=. But actually it only implemented it in the backend, it did not add support for it to the configuration file parsers. Fix that now.
2016-12-23 01:16:43 +01:00
w = word;
if (startswith(w, "-")) {
ignore_enoent = true;
w++;
}
if (startswith(w, "+")) {
shall_prefix = true;
w++;
}
core: add specifier expansion to ReadOnlyPaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around...
2016-12-05 19:42:25 +01:00
core: actually make "+" prefix in ReadOnlyPaths=, InaccessiblePaths=, ReadWritablePaths= work 5327c910d2fc1ae91bd0b891be92b30379c7467b claimed to add support for "+" for prefixing paths with the configured RootDirectory=. But actually it only implemented it in the backend, it did not add support for it to the configuration file parsers. Fix that now.
2016-12-23 01:16:43 +01:00
r = unit_full_printf(u, w, &resolved);
core: add specifier expansion to ReadOnlyPaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around...
2016-12-05 19:42:25 +01:00
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers in %s: %m", word);
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
continue;
}
core: add specifier expansion to ReadOnlyPaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around...
2016-12-05 19:42:25 +01:00
if (!path_is_absolute(resolved)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Not an absolute path, ignoring: %s", resolved);
continue;
}
path_kill_slashes(resolved);
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
core: actually make "+" prefix in ReadOnlyPaths=, InaccessiblePaths=, ReadWritablePaths= work 5327c910d2fc1ae91bd0b891be92b30379c7467b claimed to add support for "+" for prefixing paths with the configured RootDirectory=. But actually it only implemented it in the backend, it did not add support for it to the configuration file parsers. Fix that now.
2016-12-23 01:16:43 +01:00
joined = strjoin(ignore_enoent ? "-" : "",
shall_prefix ? "+" : "",
resolved);
core: add specifier expansion to ReadOnlyPaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around...
2016-12-05 19:42:25 +01:00
r = strv_push(sv, joined);
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
if (r < 0)
return log_oom();
core: add specifier expansion to ReadOnlyPaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around...
2016-12-05 19:42:25 +01:00
joined = NULL;
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
}
return 0;
}
core: add new setting TemporaryFileSystem= This introduces a new setting TemporaryFileSystem=. This is useful to hide files not relevant to the processes invoked by unit, while necessary files or directories can be still accessed by combining with Bind{,ReadOnly}Paths=.
2018-02-21 01:17:52 +01:00
int config_parse_temporary_filesystems(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Unit *u = userdata;
ExecContext *c = data;
const char *cur;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
/* Empty assignment resets the list */
temporary_filesystem_free_many(c->temporary_filesystems, c->n_temporary_filesystems);
c->temporary_filesystems = NULL;
c->n_temporary_filesystems = 0;
return 0;
}
cur = rvalue;
for (;;) {
_cleanup_free_ char *word = NULL, *path = NULL, *resolved = NULL;
const char *w;
r = extract_first_word(&cur, &word, NULL, EXTRACT_QUOTES);
if (r == 0)
break;
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to extract first word, ignoring: %s", rvalue);
return 0;
}
w = word;
r = extract_first_word(&w, &path, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
if (r < 0)
return r;
if (r == 0)
return -EINVAL;
r = unit_full_printf(u, path, &resolved);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers in %s, ignoring: %m", word);
continue;
}
if (!path_is_absolute(resolved)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Not an absolute path, ignoring: %s", resolved);
continue;
}
path_kill_slashes(resolved);
r = temporary_filesystem_add(&c->temporary_filesystems, &c->n_temporary_filesystems, path, w);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse mount options, ignoring: %s", word);
continue;
}
}
return 0;
}
core: add ability to define arbitrary bind mounts for services This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
2016-11-23 22:21:40 +01:00
int config_parse_bind_paths(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
load-fragment: resolve specifiers in BindPaths/BindReadOnlyPaths (#5687)
2017-04-24 18:23:35 +02:00
Unit *u = userdata;
core: add ability to define arbitrary bind mounts for services This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
2016-11-23 22:21:40 +01:00
const char *p;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
/* Empty assignment resets the list */
bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
c->bind_mounts = NULL;
c->n_bind_mounts = 0;
return 0;
}
p = rvalue;
for (;;) {
_cleanup_free_ char *source = NULL, *destination = NULL;
load-fragment: resolve specifiers in BindPaths/BindReadOnlyPaths (#5687)
2017-04-24 18:23:35 +02:00
_cleanup_free_ char *sresolved = NULL, *dresolved = NULL;
core: add ability to define arbitrary bind mounts for services This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
2016-11-23 22:21:40 +01:00
char *s = NULL, *d = NULL;
bool rbind = true, ignore_enoent = false;
r = extract_first_word(&p, &source, ":" WHITESPACE, EXTRACT_QUOTES|EXTRACT_DONT_COALESCE_SEPARATORS);
if (r == 0)
break;
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse %s: %s", lvalue, rvalue);
return 0;
}
load-fragment: resolve specifiers in BindPaths/BindReadOnlyPaths (#5687)
2017-04-24 18:23:35 +02:00
r = unit_full_printf(u, source, &sresolved);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolved specifiers in \"%s\", ignoring: %m", source);
return 0;
}
s = sresolved;
core: add ability to define arbitrary bind mounts for services This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
2016-11-23 22:21:40 +01:00
if (s[0] == '-') {
ignore_enoent = true;
s++;
}
if (!utf8_is_valid(s)) {
log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, s);
return 0;
}
if (!path_is_absolute(s)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Not an absolute source path, ignoring: %s", s);
return 0;
}
path_kill_slashes(s);
/* Optionally, the destination is specified. */
if (p && p[-1] == ':') {
r = extract_first_word(&p, &destination, ":" WHITESPACE, EXTRACT_QUOTES|EXTRACT_DONT_COALESCE_SEPARATORS);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse %s: %s", lvalue, rvalue);
return 0;
}
if (r == 0) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Missing argument after ':': %s", rvalue);
return 0;
}
load-fragment: resolve specifiers in BindPaths/BindReadOnlyPaths (#5687)
2017-04-24 18:23:35 +02:00
r = unit_full_printf(u, destination, &dresolved);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolved specifiers in \"%s\", ignoring: %m", destination);
return 0;
}
if (!utf8_is_valid(dresolved)) {
log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, dresolved);
core: add ability to define arbitrary bind mounts for services This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
2016-11-23 22:21:40 +01:00
return 0;
}
load-fragment: resolve specifiers in BindPaths/BindReadOnlyPaths (#5687)
2017-04-24 18:23:35 +02:00
if (!path_is_absolute(dresolved)) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Not an absolute destination path, ignoring: %s", dresolved);
core: add ability to define arbitrary bind mounts for services This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
2016-11-23 22:21:40 +01:00
return 0;
}
load-fragment: resolve specifiers in BindPaths/BindReadOnlyPaths (#5687)
2017-04-24 18:23:35 +02:00
d = path_kill_slashes(dresolved);
core: add ability to define arbitrary bind mounts for services This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
2016-11-23 22:21:40 +01:00
/* Optionally, there's also a short option string specified */
if (p && p[-1] == ':') {
_cleanup_free_ char *options = NULL;
r = extract_first_word(&p, &options, NULL, EXTRACT_QUOTES);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse %s: %s", lvalue, rvalue);
return 0;
}
if (isempty(options) || streq(options, "rbind"))
rbind = true;
else if (streq(options, "norbind"))
rbind = false;
else {
log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid option string, ignoring setting: %s", options);
return 0;
}
}
} else
d = s;
r = bind_mount_add(&c->bind_mounts, &c->n_bind_mounts,
&(BindMount) {
.source = s,
.destination = d,
.read_only = !!strstr(lvalue, "ReadOnly"),
.recursive = rbind,
.ignore_enoent = ignore_enoent,
});
if (r < 0)
return log_oom();
}
return 0;
}
fix spelling of privilege
2014-05-18 15:43:18 +02:00
int config_parse_no_new_privileges(
core: don't override NoNewPriviliges= from SystemCallFilter= if it is already explicitly set
2014-03-05 04:41:01 +01:00
const char* unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
int k;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
k = parse_boolean(rvalue);
if (k < 0) {
tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers
2015-09-30 18:22:42 +02:00
log_syntax(unit, LOG_ERR, filename, line, k, "Failed to parse boolean value, ignoring: %s", rvalue);
core: don't override NoNewPriviliges= from SystemCallFilter= if it is already explicitly set
2014-03-05 04:41:01 +01:00
return 0;
}
core: do not set no_new_privileges flag in config_parse_syscall_filter If SyscallFilter was set, and subsequently cleared, the no_new_privileges flag was not reset properly. We don't need to set this flag here, it will be set automatically in unit_patch_contexts() if syscall_filter is set.
2016-10-23 05:28:46 +02:00
c->no_new_privileges = k;
core: don't override NoNewPriviliges= from SystemCallFilter= if it is already explicitly set
2014-03-05 04:41:01 +01:00
return 0;
}
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-04 18:07:55 +02:00
int config_parse_protect_home(
core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
2014-06-03 23:41:44 +02:00
const char* unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
namespace: introduce parse_protect_home_or_bool()
2018-01-01 16:08:40 +01:00
ProtectHome h;
core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
2014-06-03 23:41:44 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
/* Our enum shall be a superset of booleans, hence first try
treewide: fix typos and remove accidental repetition of words
2016-07-10 14:48:23 +02:00
* to parse as boolean, and then as enum */
core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
2014-06-03 23:41:44 +02:00
namespace: introduce parse_protect_home_or_bool()
2018-01-01 16:08:40 +01:00
h = parse_protect_home_or_bool(rvalue);
if (h < 0) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse protect home value, ignoring: %s", rvalue);
return 0;
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-04 18:07:55 +02:00
}
namespace: introduce parse_protect_home_or_bool()
2018-01-01 16:08:40 +01:00
c->protect_home = h;
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-04 18:07:55 +02:00
return 0;
}
int config_parse_protect_system(
const char* unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
namespace: introduce parse_protect_system()_or_bool
2018-01-01 16:10:22 +01:00
ProtectSystem s;
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-04 18:07:55 +02:00
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
/* Our enum shall be a superset of booleans, hence first try
treewide: fix typos and remove accidental repetition of words
2016-07-10 14:48:23 +02:00
* to parse as boolean, and then as enum */
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-04 18:07:55 +02:00
namespace: introduce parse_protect_system()_or_bool
2018-01-01 16:10:22 +01:00
s = parse_protect_system_or_bool(rvalue);
if (s < 0) {
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse protect system value, ignoring: %s", rvalue);
return 0;
core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
2014-06-03 23:41:44 +02:00
}
namespace: introduce parse_protect_system()_or_bool
2018-01-01 16:10:22 +01:00
c->protect_system = s;
core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
2014-06-03 23:41:44 +02:00
return 0;
}
core: add new per-unit setting KeyringMode= for controlling kernel keyring setup Usually, it's a good thing that we isolate the kernel session keyring for the various services and disconnect them from the user keyring. However, in case of the cryptsetup key caching we actually want that multiple instances of the cryptsetup service can share the keys in the root user's user keyring, hence we need to be able to disable this logic for them. This adds KeyringMode=inherit|private|shared: inherit: don't do any keyring magic (this is the default in systemd --user) private: a private keyring as before (default in systemd --system) shared: the new setting
2017-09-14 21:19:05 +02:00
DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_keyring_mode, exec_keyring_mode, ExecKeyringMode, "Failed to parse keyring mode");
unit: when JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too We added JobRunningTimeoutSec= late, and Dracut configured only JobTimeoutSec= to turn of root device timeouts before. With this change we'll propagate a reset of JobTimeoutSec= into JobRunningTimeoutSec=, but only if the latter wasn't set explicitly. This should restore compatibility with older systemd versions. Fixes: #6402
2017-09-27 17:30:50 +02:00
int config_parse_job_timeout_sec(
const char* unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Unit *u = data;
usec_t usec;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
r = parse_sec_fix_0(rvalue, &usec);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse JobTimeoutSec= parameter, ignoring: %s", rvalue);
return 0;
}
/* If the user explicitly changed JobTimeoutSec= also change JobRunningTimeoutSec=, for compatibility with old
Merge pull request #6931 from poettering/job-timeout-sec
2017-10-05 14:42:29 +02:00
* versions. If JobRunningTimeoutSec= was explicitly set, avoid this however as whatever the user picked should
unit: when JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too We added JobRunningTimeoutSec= late, and Dracut configured only JobTimeoutSec= to turn of root device timeouts before. With this change we'll propagate a reset of JobTimeoutSec= into JobRunningTimeoutSec=, but only if the latter wasn't set explicitly. This should restore compatibility with older systemd versions. Fixes: #6402
2017-09-27 17:30:50 +02:00
* count. */
if (!u->job_running_timeout_set)
u->job_running_timeout = usec;
u->job_timeout = usec;
return 0;
}
int config_parse_job_running_timeout_sec(
const char* unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Unit *u = data;
usec_t usec;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
r = parse_sec_fix_0(rvalue, &usec);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse JobRunningTimeoutSec= parameter, ignoring: %s", rvalue);
return 0;
}
u->job_running_timeout = usec;
u->job_running_timeout_set = true;
return 0;
}
implement proper logging for services
2010-01-28 02:06:20 +01:00
#define FOLLOW_MAX 8
s/name/unit
2010-01-26 21:39:06 +01:00
core: add minimal templating system
2010-04-15 03:11:11 +02:00
static int open_follow(char **filename, FILE **_f, Set *names, char **_final) {
core: when encountering a symlink alias for non-aliasable units warn nicely If the user defines a symlink alias for a unit whose type does not support aliasing, detect this early and print a nice warning. Fixe: #2730
2016-04-29 17:37:33 +02:00
char *id = NULL;
implement drop-in directories
2010-01-27 00:15:56 +01:00
unsigned c = 0;
s/name/unit
2010-01-26 21:39:06 +01:00
int fd, r;
FILE *f;
assert(filename);
assert(*filename);
assert(_f);
assert(names);
implement drop-in directories
2010-01-27 00:15:56 +01:00
/* This will update the filename pointer if the loaded file is
* reached by a symlink. The old string will be freed. */
s/name/unit
2010-01-26 21:39:06 +01:00
implement drop-in directories
2010-01-27 00:15:56 +01:00
for (;;) {
util: introduce readlink_and_make_absolute()
2010-06-16 01:56:00 +02:00
char *target, *name;
s/name/unit
2010-01-26 21:39:06 +01:00
implement drop-in directories
2010-01-27 00:15:56 +01:00
if (c++ >= FOLLOW_MAX)
return -ELOOP;
add mount enumerator
2010-01-29 02:07:41 +01:00
path_kill_slashes(*filename);
s/name/unit
2010-01-26 21:39:06 +01:00
/* Add the file name we are currently looking at to
unit: allow symlinking unit files to /dev/null
2010-07-21 03:13:15 +02:00
* the names of this unit, but only if it is a valid
* unit name. */
Get rid of our reimplementation of basename The only problem is that libgen.h #defines basename to point to it's own broken implementation instead of the GNU one. This can be fixed by #undefining basename.
2013-12-07 03:29:55 +01:00
name = basename(*filename);
core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-30 20:21:00 +02:00
if (unit_name_is_valid(name, UNIT_NAME_ANY)) {
unit: allow symlinking unit files to /dev/null
2010-07-21 03:13:15 +02:00
unit: when loading symlinked template units, properly add all names on the way to the unit
2011-06-28 02:53:15 +02:00
id = set_get(names, name);
if (!id) {
id = strdup(name);
if (!id)
unit: allow symlinking unit files to /dev/null
2010-07-21 03:13:15 +02:00
return -ENOMEM;
s/name/unit
2010-01-26 21:39:06 +01:00
Add set_consume which always takes ownership Freeing in error path is the common pattern with set_put().
2013-04-23 05:12:15 +02:00
r = set_consume(names, id);
if (r < 0)
unit: allow symlinking unit files to /dev/null
2010-07-21 03:13:15 +02:00
return r;
s/name/unit
2010-01-26 21:39:06 +01:00
}
}
implement drop-in directories
2010-01-27 00:15:56 +01:00
/* Try to open the file name, but don't if its a symlink */
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
fd = open(*filename, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW);
if (fd >= 0)
s/name/unit
2010-01-26 21:39:06 +01:00
break;
implement drop-in directories
2010-01-27 00:15:56 +01:00
if (errno != ELOOP)
return -errno;
s/name/unit
2010-01-26 21:39:06 +01:00
/* Hmm, so this is a symlink. Let's read the name, and follow it manually */
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
r = readlink_and_make_absolute(*filename, &target);
if (r < 0)
implement drop-in directories
2010-01-27 00:15:56 +01:00
return r;
s/name/unit
2010-01-26 21:39:06 +01:00
implement drop-in directories
2010-01-27 00:15:56 +01:00
free(*filename);
util: introduce readlink_and_make_absolute()
2010-06-16 01:56:00 +02:00
*filename = target;
s/name/unit
2010-01-26 21:39:06 +01:00
}
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
f = fdopen(fd, "re");
if (!f) {
util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.
2014-03-18 19:22:43 +01:00
safe_close(fd);
core/load-fragment: safe_close() protects errno
2015-03-07 20:36:14 +01:00
return -errno;
s/name/unit
2010-01-26 21:39:06 +01:00
}
*_f = f;
core: add minimal templating system
2010-04-15 03:11:11 +02:00
*_final = id;
core: when encountering a symlink alias for non-aliasable units warn nicely If the user defines a symlink alias for a unit whose type does not support aliasing, detect this early and print a nice warning. Fixe: #2730
2016-04-29 17:37:33 +02:00
implement drop-in directories
2010-01-27 00:15:56 +01:00
return 0;
s/name/unit
2010-01-26 21:39:06 +01:00
}
rework merging/loading logic
2010-04-06 02:43:58 +02:00
static int merge_by_names(Unit **u, Set *names, const char *id) {
char *k;
int r;
assert(u);
assert(*u);
assert(names);
/* Let's try to add in all symlink names we found */
while ((k = set_steal_first(names))) {
/* First try to merge in the other name into our
* unit */
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
r = unit_merge_by_name(*u, k);
if (r < 0) {
rework merging/loading logic
2010-04-06 02:43:58 +02:00
Unit *other;
/* Hmm, we couldn't merge the other unit into
* ours? Then let's try it the other way
* round */
core: look for instance when processing template name If first attempt to merge units failed and we are trying to do merge the other way around and at the same time we are working with template name, then other unit can't possibly be template, because it is not possible to have template unit running, only instances of the template. Thus we need to look for already active instance instead.
2016-03-16 14:52:44 +01:00
/* If the symlink name we are looking at is unit template, then
we must search for instance of this template */
load-fragment: don't try to do a template instance replacement if we are not an instance (#3451) Corrects: 7aad67e7 Fixes: #3438
2016-06-09 10:49:36 +02:00
if (unit_name_is_valid(k, UNIT_NAME_TEMPLATE) && (*u)->instance) {
core: look for instance when processing template name If first attempt to merge units failed and we are trying to do merge the other way around and at the same time we are working with template name, then other unit can't possibly be template, because it is not possible to have template unit running, only instances of the template. Thus we need to look for already active instance instead.
2016-03-16 14:52:44 +01:00
_cleanup_free_ char *instance = NULL;
r = unit_name_replace_instance(k, (*u)->instance, &instance);
if (r < 0)
return r;
other = manager_get_unit((*u)->manager, instance);
} else
other = manager_get_unit((*u)->manager, k);
rework merging/loading logic
2010-04-06 02:43:58 +02:00
free(k);
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
if (other) {
r = unit_merge(other, *u);
if (r >= 0) {
rework merging/loading logic
2010-04-06 02:43:58 +02:00
*u = other;
return merge_by_names(u, names, NULL);
}
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
}
rework merging/loading logic
2010-04-06 02:43:58 +02:00
return r;
}
if (id == k)
unit_choose_id(*u, id);
free(k);
}
return 0;
}
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
static int load_from_path(Unit *u, const char *path) {
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
_cleanup_set_free_free_ Set *symlink_names = NULL;
_cleanup_fclose_ FILE *f = NULL;
_cleanup_free_ char *filename = NULL;
char *id = NULL;
rework merging/loading logic
2010-04-06 02:43:58 +02:00
Unit *merged;
systemctl: warn when operating on service files that changed on disk but haven't been reloaded
2010-07-17 00:57:51 +02:00
struct stat st;
core: when encountering a symlink alias for non-aliasable units warn nicely If the user defines a symlink alias for a unit whose type does not support aliasing, detect this early and print a nice warning. Fixe: #2730
2016-04-29 17:37:33 +02:00
int r;
rework merging/loading logic
2010-04-06 02:43:58 +02:00
assert(u);
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
assert(path);
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-13 01:00:18 +02:00
symlink_names = set_new(&string_hash_ops);
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
if (!symlink_names)
s/name/unit
2010-01-26 21:39:06 +01:00
return -ENOMEM;
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
config: implement search path logic
2010-02-13 01:07:02 +01:00
if (path_is_absolute(path)) {
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
filename = strdup(path);
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
if (!filename)
return -ENOMEM;
config: implement search path logic
2010-02-13 01:07:02 +01:00
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
r = open_follow(&filename, &f, symlink_names, &id);
if (r < 0) {
tree-wide: introduce mfree() Pretty trivial helper which wraps free() but returns NULL, so we can simplify this: free(foobar); foobar = NULL; to this: foobar = mfree(foobar);
2015-07-31 19:56:38 +02:00
filename = mfree(filename);
config: implement search path logic
2010-02-13 01:07:02 +01:00
if (r != -ENOENT)
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
return r;
config: implement search path logic
2010-02-13 01:07:02 +01:00
}
} else {
char **p;
core: rework generator dir logic, move the dirs into LookupPaths structure A long time ago – when generators where first introduced – the directories for them were randomly created via mkdtemp(). This was changed later so that they use fixed name directories now. Let's make use of this, and add the genrator dirs to the LookupPaths structure and into the unit file search path maintained in it. This has the benefit that the generator dirs are now normal part of the search path for all tools, and thus are shown in "systemctl list-unit-files" too.
2016-02-24 15:31:33 +01:00
STRV_FOREACH(p, u->manager->lookup_paths.search_path) {
config: implement search path logic
2010-02-13 01:07:02 +01:00
/* Instead of opening the path right away, we manually
* follow all symlinks and add their name to our unit
* name set while doing so */
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
filename = path_make_absolute(path, *p);
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
if (!filename)
return -ENOMEM;
config: implement search path logic
2010-02-13 01:07:02 +01:00
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->manager->unit_path_cache &&
!set_get(u->manager->unit_path_cache, filename))
manager: introduce unit path cache to minimize disk accesses
2010-07-11 00:52:00 +02:00
r = -ENOENT;
else
r = open_follow(&filename, &f, symlink_names, &id);
core: when encountering a symlink alias for non-aliasable units warn nicely If the user defines a symlink alias for a unit whose type does not support aliasing, detect this early and print a nice warning. Fixe: #2730
2016-04-29 17:37:33 +02:00
if (r >= 0)
break;
filename = mfree(filename);
load-fragment: ignore ENOTDIR/EACCES errors (#3510) If for whatever reason the file system is "corrupted", we want to be resilient and ignore the error, as long as we can load the units from a different place. Arch bug https://bugs.archlinux.org/task/49547. A user had an ntfs symlink (essentially a file) instead of a directory after restoring from backup. We should just ignore that like we would treat a missing directory, for general resiliency. We should treat permission errors similarly. For example an unreadable /usr/local/lib directory would prevent (user) instances of systemd from loading any units. It seems better to continue.
2016-06-15 23:02:27 +02:00
/* ENOENT means that the file is missing or is a dangling symlink.
* ENOTDIR means that one of paths we expect to be is a directory
* is not a directory, we should just ignore that.
* EACCES means that the directory or file permissions are wrong.
*/
if (r == -EACCES)
log_debug_errno(r, "Cannot access \"%s\": %m", filename);
else if (!IN_SET(r, -ENOENT, -ENOTDIR))
core: when encountering a symlink alias for non-aliasable units warn nicely If the user defines a symlink alias for a unit whose type does not support aliasing, detect this early and print a nice warning. Fixe: #2730
2016-04-29 17:37:33 +02:00
return r;
manager: introduce unit path cache to minimize disk accesses
2010-07-11 00:52:00 +02:00
core: when encountering a symlink alias for non-aliasable units warn nicely If the user defines a symlink alias for a unit whose type does not support aliasing, detect this early and print a nice warning. Fixe: #2730
2016-04-29 17:37:33 +02:00
/* Empty the symlink names for the next run */
set_clear_free(symlink_names);
config: implement search path logic
2010-02-13 01:07:02 +01:00
}
}
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
if (!filename)
unit: allow symlinking unit files to /dev/null
2010-07-21 03:13:15 +02:00
/* Hmm, no suitable file found? */
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
return 0;
s/name/unit
2010-01-26 21:39:06 +01:00
Move no_alias information to shared/ This way it can be used in install.c in subsequent commit.
2016-04-30 22:21:41 +02:00
if (!unit_type_may_alias(u->type) && set_size(symlink_names) > 1) {
core: when encountering a symlink alias for non-aliasable units warn nicely If the user defines a symlink alias for a unit whose type does not support aliasing, detect this early and print a nice warning. Fixe: #2730
2016-04-29 17:37:33 +02:00
log_unit_warning(u, "Unit type of %s does not support alias names, refusing loading via symlink.", u->id);
return -ELOOP;
}
rework merging/loading logic
2010-04-06 02:43:58 +02:00
merged = u;
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
r = merge_by_names(&merged, symlink_names, id);
if (r < 0)
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
return r;
s/name/unit
2010-01-26 21:39:06 +01:00
rework merging/loading logic
2010-04-06 02:43:58 +02:00
if (merged != u) {
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
u->load_state = UNIT_MERGED;
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
return 0;
first attempt at proper service/socket logic
2010-01-26 04:18:44 +01:00
}
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
if (fstat(fileno(f), &st) < 0)
return -errno;
systemctl: warn when operating on service files that changed on disk but haven't been reloaded
2010-07-17 00:57:51 +02:00
core: treat masked files as "unchanged" systemctl prints the "unit file changed on disk" warning for a masked unit. I think it's better to print nothing in that case. When a masked unit is loaded, set mtime as 0. When checking if a unit with mtime of 0 needs reload, check that the mask is still in place.
2016-03-31 06:22:33 +02:00
if (null_or_empty(&st)) {
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
u->load_state = UNIT_MASKED;
core: treat masked files as "unchanged" systemctl prints the "unit file changed on disk" warning for a masked unit. I think it's better to print nothing in that case. When a masked unit is loaded, set mtime as 0. When checking if a unit with mtime of 0 needs reload, check that the mask is still in place.
2016-03-31 06:22:33 +02:00
u->fragment_mtime = 0;
} else {
core: add transient units Transient units can be created via the bus API. They are configured via the method call parameters rather than on-disk files. They are subject to normal GC. Transient units currently may only be created for services (however, we will extend this), and currently only ExecStart= and the cgroup parameters can be configured (also to be extended). Transient units require a unique name, that previously had no configuration file on disk. A tool systemd-run is added that makes use of this functionality to run arbitrary command lines as transient services: $ systemd-run /bin/ping www.heise.de Will cause systemd to create a new transient service and run ping in it.
2013-06-28 04:12:58 +02:00
u->load_state = UNIT_LOADED;
core: treat masked files as "unchanged" systemctl prints the "unit file changed on disk" warning for a masked unit. I think it's better to print nothing in that case. When a masked unit is loaded, set mtime as 0. When checking if a unit with mtime of 0 needs reload, check that the mask is still in place.
2016-03-31 06:22:33 +02:00
u->fragment_mtime = timespec_load(&st.st_mtim);
core: add transient units Transient units can be created via the bus API. They are configured via the method call parameters rather than on-disk files. They are subject to normal GC. Transient units currently may only be created for services (however, we will extend this), and currently only ExecStart= and the cgroup parameters can be configured (also to be extended). Transient units require a unique name, that previously had no configuration file on disk. A tool systemd-run is added that makes use of this functionality to run arbitrary command lines as transient services: $ systemd-run /bin/ping www.heise.de Will cause systemd to create a new transient service and run ping in it.
2013-06-28 04:12:58 +02:00
unit: introduce 'banned' load state for units symlinked to /dev/null
2010-10-08 02:31:36 +02:00
/* Now, parse the file contents */
Let config_parse open file where applicable Special care is needed so that we get an error message if the file failed to parse, but not when it is missing. To avoid duplicating the same error check in every caller, add an additional 'warn' boolean to tell config_parse whether a message should be issued. This makes things both shorter and more robust wrt. to error reporting.
2014-07-17 00:27:12 +02:00
r = config_parse(u->id, filename, f,
UNIT_VTABLE(u)->sections,
config_item_perf_lookup, load_fragment_gperf_lookup,
conf-parser: turn three bool function params into a flags fields This makes things more readable and fixes some issues with incorrect flag propagation between the various flavours of config_parse().
2017-11-09 00:26:11 +01:00
CONFIG_PARSE_ALLOW_INCLUDE, u);
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
if (r < 0)
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
return r;
unit: introduce 'banned' load state for units symlinked to /dev/null
2010-10-08 02:31:36 +02:00
}
add mount enumerator
2010-01-29 02:07:41 +01:00
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
free(u->fragment_path);
u->fragment_path = filename;
implement drop-in directories
2010-01-27 00:15:56 +01:00
filename = NULL;
s/name/unit
2010-01-26 21:39:06 +01:00
units: remove service sysv_path variable and replace it by generic unit_path UnitPath= is also writable via native units and may be used by generators to clarify from which file a unit is generated. This patch also hooks up the cryptsetup and fstab generators to set UnitPath= accordingly.
2012-05-22 23:08:24 +02:00
if (u->source_path) {
if (stat(u->source_path, &st) >= 0)
u->source_mtime = timespec_load(&st.st_mtim);
else
u->source_mtime = 0;
}
core: some more _cleanup_free_
2013-10-22 01:54:10 +02:00
return 0;
implement drop-in directories
2010-01-27 00:15:56 +01:00
}
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
int unit_load_fragment(Unit *u) {
rework merging/loading logic
2010-04-06 02:43:58 +02:00
int r;
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
Iterator i;
const char *t;
implement drop-in directories
2010-01-27 00:15:56 +01:00
assert(u);
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
assert(u->load_state == UNIT_STUB);
assert(u->id);
rework merging/loading logic
2010-04-06 02:43:58 +02:00
core: don't generate stub unit file for transient units We store the properties for transient units in drop-ins anyway, and units don't have to have fragment files, hence don't bother with them, and don't create them.
2015-08-28 16:05:32 +02:00
if (u->transient) {
u->load_state = UNIT_LOADED;
return 0;
}
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
/* First, try to find the unit under its id. We always look
* for unit files in the default directories, to make it easy
* to override things by placing things in /etc/systemd/system */
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
r = load_from_path(u, u->id);
if (r < 0)
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
return r;
/* Try to find an alias we can load this with */
wrap a few *_FOREACH macros in curly braces cppcheck would give up with "syntax error" without them. This led to reports of syntax errors in unrelated locations and potentially hid other errors
2014-12-12 19:51:41 +01:00
if (u->load_state == UNIT_STUB) {
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
SET_FOREACH(t, u->names, i) {
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (t == u->id)
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
continue;
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
r = load_from_path(u, t);
if (r < 0)
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
return r;
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->load_state != UNIT_STUB)
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
break;
}
wrap a few *_FOREACH macros in curly braces cppcheck would give up with "syntax error" without them. This led to reports of syntax errors in unrelated locations and potentially hid other errors
2014-12-12 19:51:41 +01:00
}
rework merging/loading logic
2010-04-06 02:43:58 +02:00
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
/* And now, try looking for it under the suggested (originally linked) path */
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->load_state == UNIT_STUB && u->fragment_path) {
load-fragment: reset fragment_path if we couldn't find a unit file for it
2010-09-27 20:31:23 +02:00
load-fragment: a few modernizations
2012-07-03 16:09:36 +02:00
r = load_from_path(u, u->fragment_path);
if (r < 0)
rework merging/loading logic
2010-04-06 02:43:58 +02:00
return r;
implement drop-in directories
2010-01-27 00:15:56 +01:00
tree-wide: drop {} from one-line if blocks Patch via coccinelle.
2015-09-08 23:03:38 +02:00
if (u->load_state == UNIT_STUB)
load-fragment: reset fragment_path if we couldn't find a unit file for it
2010-09-27 20:31:23 +02:00
/* Hmm, this didn't work? Then let's get rid
* of the fragment path stored for us, so that
* we don't point to an invalid location. */
tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.
2015-09-08 18:43:11 +02:00
u->fragment_path = mfree(u->fragment_path);
load-fragment: reset fragment_path if we couldn't find a unit file for it
2010-09-27 20:31:23 +02:00
}
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
/* Look for a template */
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->load_state == UNIT_STUB && u->instance) {
core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-30 20:21:00 +02:00
_cleanup_free_ char *k = NULL;
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-30 20:21:00 +02:00
r = unit_name_template(u->id, &k);
if (r < 0)
return r;
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
r = load_from_path(u, k);
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
if (r < 0) {
if (r == -ENOEXEC)
log_unit_notice(u, "Unit configuration has fatal error, unit will not be started.");
core: add minimal templating system
2010-04-15 03:11:11 +02:00
return r;
core/load-fragment: refuse units with errors in certain directives If an error is encountered in any of the Exec* lines, WorkingDirectory, SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket units), User, or Group, refuse to load the unit. If the config stanza has support, ignore the failure if '-' is present. For those configuration directives, even if we started the unit, it's pretty likely that it'll do something unexpected (like write files in a wrong place, or with a wrong context, or run with wrong permissions, etc). It seems better to refuse to start the unit and have the admin clean up the configuration without giving the service a chance to mess up stuff. Note that all "security" options that restrict what the unit can do (Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*, PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are only supplementary, and are not always available depending on the architecture and compilation options, so unit authors have to make sure that the service runs correctly without them anyway. Fixes #6237, #6277.
2017-07-06 19:28:19 +02:00
}
load-fragment: prefer unit id over alias names when looking for fragments
2010-02-14 01:08:20 +01:00
wrap a few *_FOREACH macros in curly braces cppcheck would give up with "syntax error" without them. This led to reports of syntax errors in unrelated locations and potentially hid other errors
2014-12-12 19:51:41 +01:00
if (u->load_state == UNIT_STUB) {
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
SET_FOREACH(t, u->names, i) {
bus: when connecting to a container's kdbus instance, enter namespace first Previously we'd open the connection in the originating namespace, which meant most peers of the bus would not be able to make sense of the PID/UID/... identity of us since we didn't exist in the namespace they run in. However they require this identity for privilege decisions, hence disallowing access to anything from the host. Instead, when connecting to a container, create a temporary subprocess, make it join the container's namespace and then connect from there to the kdbus instance. This is similar to how we do it for socket conections already. THis also unifies the namespacing code used by machinectl and the bus APIs.
2013-12-13 22:02:47 +01:00
_cleanup_free_ char *z = NULL;
s/name/unit
2010-01-26 21:39:06 +01:00
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (t == u->id)
rework merging/loading logic
2010-04-06 02:43:58 +02:00
continue;
implement proper logging for services
2010-01-28 02:06:20 +01:00
core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-30 20:21:00 +02:00
r = unit_name_template(t, &z);
if (r < 0)
return r;
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
bus: when connecting to a container's kdbus instance, enter namespace first Previously we'd open the connection in the originating namespace, which meant most peers of the bus would not be able to make sense of the PID/UID/... identity of us since we didn't exist in the namespace they run in. However they require this identity for privilege decisions, hence disallowing access to anything from the host. Instead, when connecting to a container, create a temporary subprocess, make it join the container's namespace and then connect from there to the kdbus instance. This is similar to how we do it for socket conections already. THis also unifies the namespacing code used by machinectl and the bus APIs.
2013-12-13 22:02:47 +01:00
r = load_from_path(u, z);
load: make sure that unit files in /etc/ always take precedence, even over link targets, to make them easily overrdiable
2010-07-21 03:28:10 +02:00
if (r < 0)
rework merging/loading logic
2010-04-06 02:43:58 +02:00
return r;
load-fragment: prefer unit id over alias names when looking for fragments
2010-02-14 01:08:20 +01:00
unit: remove union Unit Now that objects of all unit types are allocated the exact amount of memory they need, the Unit union has lost its purpose. Remove it. "Unit" is a more natural name for the base unit class than "Meta", so rename Meta to Unit. Access to members of the base class gets simplified.
2012-01-15 12:04:08 +01:00
if (u->load_state != UNIT_STUB)
rework merging/loading logic
2010-04-06 02:43:58 +02:00
break;
}
wrap a few *_FOREACH macros in curly braces cppcheck would give up with "syntax error" without them. This led to reports of syntax errors in unrelated locations and potentially hid other errors
2014-12-12 19:51:41 +01:00
}
implement proper logging for services
2010-01-28 02:06:20 +01:00
}
rework merging/loading logic
2010-04-06 02:43:58 +02:00
return 0;
load-fragment: add missing .c/h files
2009-11-19 23:13:20 +01:00
}
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
void unit_dump_config_items(FILE *f) {
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
static const struct {
const ConfigParserCallback callback;
const char *rvalue;
} table[] = {
build-sys: s/HAVE_SMACK/ENABLE_SMACK/ Same justification as for HAVE_UTMP.
2017-10-03 12:22:40 +02:00
#if !HAVE_SYSV_COMPAT || !HAVE_SECCOMP || !HAVE_PAM || !HAVE_SELINUX || !ENABLE_SMACK || !HAVE_APPARMOR
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
{ config_parse_warn_compat, "NOTSUPPORTED" },
#endif
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
{ config_parse_int, "INTEGER" },
{ config_parse_unsigned, "UNSIGNED" },
core: clean up some confusing regarding SI decimal and IEC binary suffixes for sizes According to Wikipedia it is customary to specify hardware metrics and transfer speeds to the basis 1000 (SI decimal), while software metrics and physical volatile memory (RAM) sizes to the basis 1024 (IEC binary). So far we specified everything in IEC, let's fix that and be more true to what's otherwise customary. Since we don't want to parse "Mi" instead of "M" we document each time what the context used is.
2014-02-23 03:13:54 +01:00
{ config_parse_iec_size, "SIZE" },
tree-wide: never use the off_t unless glibc makes us use it off_t is a really weird type as it is usually 64bit these days (at least in sane programs), but could theoretically be 32bit. We don't support off_t as 32bit builds though, but still constantly deal with safely converting from off_t to other types and back for no point. Hence, never use the type anymore. Always use uint64_t instead. This has various benefits, including that we can expose these values directly as D-Bus properties, and also that the values parse the same in all cases.
2015-09-10 18:16:18 +02:00
{ config_parse_iec_uint64, "SIZE" },
core: clean up some confusing regarding SI decimal and IEC binary suffixes for sizes According to Wikipedia it is customary to specify hardware metrics and transfer speeds to the basis 1000 (SI decimal), while software metrics and physical volatile memory (RAM) sizes to the basis 1024 (IEC binary). So far we specified everything in IEC, let's fix that and be more true to what's otherwise customary. Since we don't want to parse "Mi" instead of "M" we document each time what the context used is.
2014-02-23 03:13:54 +01:00
{ config_parse_si_size, "SIZE" },
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
{ config_parse_bool, "BOOLEAN" },
{ config_parse_string, "STRING" },
{ config_parse_path, "PATH" },
{ config_parse_unit_path_printf, "PATH" },
{ config_parse_strv, "STRING [...]" },
{ config_parse_exec_nice, "NICE" },
{ config_parse_exec_oom_score_adjust, "OOMSCOREADJUST" },
{ config_parse_exec_io_class, "IOCLASS" },
{ config_parse_exec_io_priority, "IOPRIORITY" },
{ config_parse_exec_cpu_sched_policy, "CPUSCHEDPOLICY" },
{ config_parse_exec_cpu_sched_prio, "CPUSCHEDPRIO" },
{ config_parse_exec_cpu_affinity, "CPUAFFINITY" },
{ config_parse_mode, "MODE" },
{ config_parse_unit_env_file, "FILE" },
core/exec: add a named-descriptor option ("fd") for streams (#4179) This commit adds a `fd` option to `StandardInput=`, `StandardOutput=` and `StandardError=` properties in order to connect standard streams to externally named descriptors provided by some socket units. This option looks for a file descriptor named as the corresponding stream. Custom names can be specified, separated by a colon. If multiple name-matches exist, the first matching fd will be used.
2016-10-18 02:05:49 +02:00
{ config_parse_exec_output, "OUTPUT" },
{ config_parse_exec_input, "INPUT" },
conf-parse: rename config_parse_level() to config_parse_log_level() "level" is a bit too generic, let's clarify what kind of level we are referring to here.
2014-03-03 21:14:07 +01:00
{ config_parse_log_facility, "FACILITY" },
{ config_parse_log_level, "LEVEL" },
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
{ config_parse_exec_secure_bits, "SECUREBITS" },
capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.
2016-01-07 23:00:04 +01:00
{ config_parse_capability_set, "BOUNDINGSET" },
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
{ config_parse_limit, "LIMIT" },
{ config_parse_unit_deps, "UNIT [...]" },
{ config_parse_exec, "PATH [ARGUMENT [...]]" },
{ config_parse_service_type, "SERVICETYPE" },
{ config_parse_service_restart, "SERVICERESTART" },
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SYSV_COMPAT
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
{ config_parse_sysv_priority, "SYSVPRIORITY" },
#endif
{ config_parse_kill_mode, "KILLMODE" },
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
{ config_parse_signal, "SIGNAL" },
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
{ config_parse_socket_listen, "SOCKET [...]" },
{ config_parse_socket_bind, "SOCKETBIND" },
{ config_parse_socket_bindtodevice, "NETWORKINTERFACE" },
util: rename parse_usec() to parse_sec() sinds the default unit is seconds Internally we store all time values in usec_t, however parse_usec() actually was used mostly to parse values in seconds (unless explicit units were specified to define a different unit). Hence, be clear about this and name the function about what we pass into it, not what we get out of it.
2013-04-02 20:38:16 +02:00
{ config_parse_sec, "SECONDS" },
util: introduce a proper nsec_t and make use of it where appropriate
2012-05-31 04:27:03 +02:00
{ config_parse_nsec, "NANOSECONDS" },
conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...
2014-03-03 21:40:55 +01:00
{ config_parse_namespace_path_strv, "PATH [...]" },
core: add ability to define arbitrary bind mounts for services This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
2016-11-23 22:21:40 +01:00
{ config_parse_bind_paths, "PATH[:PATH[:OPTIONS]] [...]" },
unit: add new dependency type RequiresMountsFor= RequiresMountsFor= is a shortcut for adding requires and after dependencies to all mount units neeed for the specified paths. This solves a couple of issues regarding dep loop cycles for encrypted swap.
2012-04-29 14:26:07 +02:00
{ config_parse_unit_requires_mounts_for, "PATH [...]" },
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
{ config_parse_exec_mount_flags, "MOUNTFLAG [...]" },
{ config_parse_unit_string_printf, "STRING" },
unit: rework trigger dependency logic Instead of having explicit type-specific callbacks that inform the triggering unit when a triggered unit changes state, make this generic so that state changes are forwarded betwee any triggered and triggering unit. Also, get rid of UnitRef references from automount, timer, path units, to the units they trigger and rely exclsuively on UNIT_TRIGGER type dendencies.
2013-04-23 20:53:16 +02:00
{ config_parse_trigger_unit, "UNIT" },
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
{ config_parse_timer, "TIMER" },
{ config_parse_path_spec, "PATH" },
{ config_parse_notify_access, "ACCESS" },
{ config_parse_ip_tos, "TOS" },
{ config_parse_unit_condition_path, "CONDITION" },
{ config_parse_unit_condition_string, "CONDITION" },
{ config_parse_unit_condition_null, "CONDITION" },
core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.
2013-06-17 21:33:26 +02:00
{ config_parse_unit_slice, "SLICE" },
core: update configuration directive list "systemd --dump-configuration-items" shows
2013-07-19 18:45:11 +02:00
{ config_parse_documentation, "URL" },
{ config_parse_service_timeout, "SECONDS" },
failure-action: generalize failure action to emergency action
2016-10-20 15:27:37 +02:00
{ config_parse_emergency_action, "ACTION" },
core: update configuration directive list "systemd --dump-configuration-items" shows
2013-07-19 18:45:11 +02:00
{ config_parse_set_status, "STATUS" },
{ config_parse_service_sockets, "SOCKETS" },
{ config_parse_environ, "ENVIRON" },
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SECCOMP
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
{ config_parse_syscall_filter, "SYSCALLS" },
core: warn when unit files with unsupported options are parsed
2014-02-17 17:49:09 +01:00
{ config_parse_syscall_archs, "ARCHS" },
core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 18:28:21 +01:00
{ config_parse_syscall_errno, "ERRNO" },
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
{ config_parse_address_families, "FAMILIES" },
core: add new RestrictNamespaces= unit file setting This new setting permits restricting whether namespaces may be created and managed by processes started by a unit. It installs a seccomp filter blocking certain invocations of unshare(), clone() and setns(). RestrictNamespaces=no is the default, and does not restrict namespaces in any way. RestrictNamespaces=yes takes away the ability to create or manage any kind of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces so that only mount and IPC namespaces may be created/managed, but no other kind of namespaces. This setting should be improve security quite a bit as in particular user namespacing was a major source of CVEs in the kernel in the past, and is accessible to unprivileged processes. With this setting the entire attack surface may be removed for system services that do not make use of namespaces.
2016-11-02 03:25:19 +01:00
{ config_parse_restrict_namespaces, "NAMESPACES" },
syscallfilter: port to libseccomp
2014-02-12 01:29:54 +01:00
#endif
core: update configuration directive list "systemd --dump-configuration-items" shows
2013-07-19 18:45:11 +02:00
{ config_parse_cpu_shares, "SHARES" },
core: add cgroup CPU controller support on the unified hierarchy Unfortunately, due to the disagreements in the kernel development community, CPU controller cgroup v2 support has not been merged and enabling it requires applying two small out-of-tree kernel patches. The situation is explained in the following documentation. https://git.kernel.org/cgit/linux/kernel/git/tj/cgroup.git/tree/Documentation/cgroup-v2-cpu.txt?h=cgroup-v2-cpu While it isn't clear what will happen with CPU controller cgroup v2 support, there are critical features which are possible only on cgroup v2 such as buffered write control making cgroup v2 essential for a lot of workloads. This commit implements systemd CPU controller support on the unified hierarchy so that users who choose to deploy CPU controller cgroup v2 support can easily take advantage of it. On the unified hierarchy, "cpu.weight" knob replaces "cpu.shares" and "cpu.max" replaces "cpu.cfs_period_us" and "cpu.cfs_quota_us". [Startup]CPUWeight config options are added with the usual compat translation. CPU quota settings remain unchanged and apply to both legacy and unified hierarchies. v2: - Error in man page corrected. - CPU config application in cgroup_context_apply() refactored. - CPU accounting now works on unified hierarchy.
2016-08-07 15:45:39 +02:00
{ config_parse_cpu_weight, "WEIGHT" },
core: update configuration directive list "systemd --dump-configuration-items" shows
2013-07-19 18:45:11 +02:00
{ config_parse_memory_limit, "LIMIT" },
{ config_parse_device_allow, "DEVICE" },
{ config_parse_device_policy, "POLICY" },
core: add io controller support on the unified hierarchy On the unified hierarchy, blkio controller is renamed to io and the interface is changed significantly. * blkio.weight and blkio.weight_device are consolidated into io.weight which uses the standardized weight range [1, 10000] with 100 as the default value. * blkio.throttle.{read|write}_{bps|iops}_device are consolidated into io.max. Expansion of throttling features is being worked on to support work-conserving absolute limits (io.low and io.high). * All stats are consolidated into io.stats. This patchset adds support for the new interface. As the interface has been revamped and new features are expected to be added, it seems best to treat it as a separate controller rather than trying to expand the blkio settings although we might add automatic translation if only blkio settings are specified. * io.weight handling is mostly identical to blkio.weight[_device] handling except that the weight range is different. * Both read and write bandwidth settings are consolidated into CGroupIODeviceLimit which describes all limits applicable to the device. This makes it less painful to add new limits. * "max" can be used to specify the maximum limit which is equivalent to no config for max limits and treated as such. If a given CGroupIODeviceLimit doesn't contain any non-default configs, the config struct is discarded once the no limit config is applied to cgroup. * lookup_blkio_device() is renamed to lookup_block_device(). Signed-off-by: Tejun Heo <htejun@fb.com>
2016-05-05 22:42:55 +02:00
{ config_parse_io_limit, "LIMIT" },
{ config_parse_io_weight, "WEIGHT" },
{ config_parse_io_device_weight, "DEVICEWEIGHT" },
core: update configuration directive list "systemd --dump-configuration-items" shows
2013-07-19 18:45:11 +02:00
{ config_parse_blockio_bandwidth, "BANDWIDTH" },
{ config_parse_blockio_weight, "WEIGHT" },
{ config_parse_blockio_device_weight, "DEVICEWEIGHT" },
{ config_parse_long, "LONG" },
{ config_parse_socket_service, "SERVICE" },
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SELINUX
core: warn when unit files with unsupported options are parsed
2014-02-17 17:49:09 +01:00
{ config_parse_exec_selinux_context, "LABEL" },
#endif
{ config_parse_job_mode, "MODE" },
{ config_parse_job_mode_isolate, "BOOLEAN" },
core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-25 20:37:03 +01:00
{ config_parse_personality, "PERSONALITY" },
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
};
const char *prev = NULL;
const char *i;
assert(f);
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
NULSTR_FOREACH(i, load_fragment_gperf_nulstr) {
const char *rvalue = "OTHER", *lvalue;
unsigned j;
size_t prefix_len;
const char *dot;
const ConfigPerfItem *p;
assert_se(p = load_fragment_gperf_lookup(i, strlen(i)));
dot = strchr(i, '.');
lvalue = dot ? dot + 1 : i;
prefix_len = dot-i;
if (dot)
use strneq instead of strncmp
2013-02-12 21:47:36 +01:00
if (!prev || !strneq(prev, i, prefix_len+1)) {
load-fragment: speed up parsing by using a perfect hash table with configuration settings built by gperf
2011-08-01 00:43:05 +02:00
if (prev)
fputc('\n', f);
fprintf(f, "[%.*s]\n", (int) prefix_len, i);
}
for (j = 0; j < ELEMENTSOF(table); j++)
if (p->parse == table[j].callback) {
rvalue = table[j].rvalue;
break;
}
fprintf(f, "%s=%s\n", lvalue, rvalue);
prev = i;
}
mount: implement mounting properly This also includes code that writes utmp/wtmp records when applicable, making use the mount infrastructure to detct when those files are accessible. Finally, this also introduces a --dump-configuration-items switch.
2010-04-10 17:53:17 +02:00
}