From 8e92d92fb8981b109259d0c50f2c26cf3281ee4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 4 Feb 2020 16:40:52 +0100 Subject: [PATCH 1/5] man: tweak description of blockdev@.target In particular, let's just say "is" and "must" instead of "may be" and "should". The weaker forms are obviously correct, but the text is easier to understand if non-conditional forms are used. --- man/systemd.special.xml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/man/systemd.special.xml b/man/systemd.special.xml index f393283a1d..d54a5de871 100644 --- a/man/systemd.special.xml +++ b/man/systemd.special.xml @@ -848,20 +848,19 @@ blockdev@.target - This template unit may be used to order mount units and other consumers of block - devices against services that synthesize these block devices. This is intended to be used to order - storage services (such as + This template unit is used to order mount units and other consumers of block + devices after services that synthesize these block devices. In particular, this is intended to be + used with storage services (such as systemd-cryptsetup@.service5) - that allocate and manage a virtual block device against mount units and other consumers of - it. Specifically, the storage services are supposed to be orderd before an instance of - blockdev@.target, and the mount unit (or other consuming unit, such as a swap - unit) after it. The ordering is particular relevant during shutdown, as it ensures that the mount - is deactivated first and the service backing the mount only deactivated after that completed. The - blockdev@.target instance should be pulled in via a - dependency of the storage daemon and thus generally not be part of any transaction unless a storage - daemon is used. The instance name for instances of this template unit is supposed to be the - properly escaped bock device node path, e.g. blockdev@dev-mapper-foobar.target - for a storage device /dev/mapper/foobar. + that allocate and manage a virtual block device. Storage services are ordered before an instance of + blockdev@.target, and the consumer units after it. The ordering is + particularly relevant during shutdown, as it ensures that the mount is deactivated first and the + service backing the mount later. The blockdev@.target instance should be + pulled in via a dependency of the storage daemon and thus generally not be + part of any transaction unless a storage daemon is used. The instance name for instances of this + template unit must be a properly escaped block device node path, e.g. + blockdev@dev-mapper-foobar.target for the storage device + /dev/mapper/foobar. cryptsetup-pre.target From 6bdd90fbcd941a3f9d5bcd44a40e42e28f1690c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 27 Jan 2020 09:37:27 +0100 Subject: [PATCH 2/5] man: add "quick-help" to sysusers.d synopsis We have that in tmpfiles.d and it is makes looking up the syntax very easy. While at it, add an example for "r" and use the underscrore as prefix as described in the text. --- man/sysusers.d.xml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/man/sysusers.d.xml b/man/sysusers.d.xml index 72d8f62399..c632e8713e 100644 --- a/man/sysusers.d.xml +++ b/man/sysusers.d.xml @@ -25,6 +25,16 @@ /etc/sysusers.d/*.conf /run/sysusers.d/*.conf /usr/lib/sysusers.d/*.conf + + +#Type Name ID GECOS Home directory Shell +u user_name uid "User Description" /path/to/shell +u user_name uid:gid - - +u user_name /file/owned/by/user - - +g group_name gid "Group Description" +g group_name /file/owned/by/group - +m user_name group_name +r - lowest-highest @@ -81,11 +91,13 @@ #Type Name ID GECOS Home directory Shell u httpd 404 "HTTP User" -u authd /usr/bin/authd "Authorization user" +u _authd /usr/bin/authd "Authorization user" u postgres - "Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb g input - - -m authd input -u root 0 "Superuser" /root /bin/zsh +m _authd input +u root 0 "Superuser" /root /bin/zsh +r - 500-900 + Empty lines and lines beginning with the # character are ignored, and may be used for commenting. @@ -109,7 +121,7 @@ u root 0 "Superuser" /root /bin/zshg Create a system group of the specified name should it not exist yet. Note that u - implicitly create a matching group. The group will be + implicitly creates a matching group. The group will be created with no password set. From 2ad988896c4752850ba4ada884e16ae55a3ea7d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 4 Feb 2020 15:19:37 +0100 Subject: [PATCH 3/5] NEWS: reword and shorten a bunch of stuff --- NEWS | 225 +++++++++++++++++++++++++++++------------------------------ 1 file changed, 109 insertions(+), 116 deletions(-) diff --git a/NEWS b/NEWS index d3d7d6f549..6a827ee545 100644 --- a/NEWS +++ b/NEWS @@ -3,29 +3,26 @@ systemd System and Service Manager CHANGES WITH 245 in spe: * A new tool "systemd-repart" has been added, that operates as an - idempotent, robust, incremental, elastic and declarative - repartitioner. It takes inspiration from - systemd-tmpfiles/systemd-sysusers but applies the algorithmic - concepts to GPT partition tables. Specifically, a set of partitions - that must or may exist can be configured via drop-in files, and - during every boot the partition table on disk is compared with these - files, creating missing partitions or growing existing ones based on - configurable relative and absolute size constraints. The tool is - strictly incremental, i.e. does not delete, shrink or move - partitions, but only adds and grows them. The primary use-case is OS - images that shall ship in minimized form, with only a minimal boot - and root partition, that on first boot is grown to the size of the - underlying block device or augmented with additional partitions. For - example, the root partition could be extended to cover the whole - disk, or a swap or /home partitions could be added implicitly on - first boot. It also has uses on systems that use an A/B update scheme - to allow shipping minimal images with just the A set of partition, - and with the B set added on first boot. The tool is primarily - intended to be run in the initrd, shortly before transitioning into - the host OS, but also can be run after the transition took place. It - automatically discovers the disk backing the root file system, and - should hence not require any additional configuration besides the - partition definition drop-ins. + idempotent declarative repartitioner for GPT partition tables. + Specifically, a set of partitions that must or may exist can be + configured via drop-in files, and during every boot the partition + table on disk is compared with these files, creating missing + partitions or growing existing ones based on configurable relative + and absolute size constraints. The tool is strictly incremental, + i.e. does not delete, shrink or move partitions, but only adds and + grows them. The primary use-case is OS images that ship in minimized + form, that on first boot are grown to the size of the underlying + block device or augmented with additional partitions. For example, + the root partition could be extended to cover the whole disk, or a + swap or /home partitions could be added on first boot. It can also be + used for systems that use an A/B update scheme but ship images with + just the A partition, with B added on first boot. The tool is + primarily intended to be run in the initrd, shortly before + transitioning into the host OS, but can also be run after the + transition took place. It automatically discovers the disk backing + the root file system, and should hence not require any additional + configuration besides the partition definition drop-ins. If no + configuration drop-ins are present, no action is taken. * A new component "userdb" has been added, along with a small daemon "systemd-userdb.service" and a client tool "userdbctl". The framework @@ -43,22 +40,21 @@ CHANGES WITH 245 in spe: that for the first time resource management and various other per-user settings can be configured in LDAP directories and then provided to systemd (specifically to systemd-logind and pam-system) - to enforce on log-in. For further details see: + to apply on login. For further details see: https://systemd.io/USER_RECORD https://systemd.io/GROUP_RECORD https://systemd.io/USER_GROUP_API * A small new service systemd-homed.service has been added, that may be - used to securely manage home directories, with built-in encryption - and unifying the user's own home directory data together with - complete user record data in a single place, thus making home - directories naturally migratable. Its primary back-end is based on - LUKS volumes, but it also supports fscrypt, plain directories and - more. It solves a couple of problems we saw with traditional ways to - manage home directories, in particular when it comes to - encryption. For further discussion of this, see the video of - Lennart's talk at AllSystemsGo! 2019: + used to securely manage home directories with built-in encryption. + The complete user record data is unified with the home directory, + thus making home directories naturally migratable. Its primary + back-end is based on LUKS volumes, but fscrypt, plain directories, + and other storage schemes are also supported. This solves a couple of + problems we saw with traditional ways to manage home directories, in + particular when it comes to encryption. For further discussion of + this, see the video of Lennart's talk at AllSystemsGo! 2019: https://media.ccc.de/v/ASG2019-164-reinventing-home-directories @@ -69,49 +65,49 @@ CHANGES WITH 245 in spe: * systemd-journald is now multi-instantiable. In addition to the main instance systemd-journald.service there's now a template unit - systemd-journald@.service that can be instantiated multiple times, - each time defining a new named log 'namespace' (whose name is - specified via the instance part of the instance unit name). A new - unit file setting LogNamespace= has been added, taking such a - namespace name, that allows assigning services to such log - namespaces. As each log namespace is serviced by its own, independent - journal daemon this functionality may be use to improve performance - and increase isolation of applications, at the price of losing global - message ordering. Each daemon may have a separate set of - configuration files, with possibly different disk space settings and - such. journalctl has been updated to take a new option --namespace= - which allows viewing logs from a specific log namespace. The - sd-journal.h API gained sd_journal_open_namespace() for opening the - log stream of a specific log namespace. systemd-journald also gained - the ability to exit on idle, which is useful in the context of log - namespaces, as this means log daemons for log namespaces can be - activated automatically on demand and stop automatically when no - longer used, minimizing resource usage. + systemd-journald@.service, with each instance defining a new named + log 'namespace' (whose name is specified via the instance part of the + unit name). A new unit file setting LogNamespace= has been added, + taking such a namespace name, that assigns services to the specified + log namespaces. As each log namespace is serviced by its own + independent journal daemon, this functionality may be used to improve + performance and increase isolation of applications, at the price of + losing global message ordering. Each instance of journald has a + separate set of configuration files, with possibly different disk + usage limitations and other settings. + + journalctl now takes a new option --namespace= to show logs from a + specific log namespace. The sd-journal.h API gained + sd_journal_open_namespace() for opening the log stream of a specific + log namespace. systemd-journald also gained the ability to exit on + idle, which is useful in the context of log namespaces, as this means + log daemons for log namespaces can be activated automatically on + demand and will stop automatically when no longer used, minimizing + resource usage. * When systemd-tmpfiles copies a file tree using the 'C' line type it - will now implicitly label every copied file matching the SELinux - database. + will now label every copied file according to the SELinux database. * When systemd/PID 1 detects it is used in the initrd it will now boot into initrd.target rather than default.target by default. This should make it simpler to build initrds with systemd as for many cases the only difference between a host OS image and an initrd image now is - the /etc/initrd-release file that identifies the initrd as one. + the presence of the /etc/initrd-release file. * A new kernel command line option systemd.cpu_affinity= is now understood. It's equivalent to the CPUAffinity= option in /etc/systemd/system.conf and allows setting the CPU mask for PID 1 - itself and the default for all forked off processes. + itself and the default for all other processes. - * When systemd/PID 1 is reloaded (with systemctl daemon-reload or an - equivalent tool) the SELinux database is now reloaded, ensuring that + * When systemd/PID 1 is reloaded (with systemctl daemon-reload or + equivalent), the SELinux database is now reloaded, ensuring that sockets and other file system objects are generated taking the new database into account. - * The sd-event.h API now has native support for the new Linux "pidfd" + * The sd-event.h API gained native support for the new Linux "pidfd" concept. This permits watching processes using file descriptors instead of PID numbers, which fixes a number of races and makes - process supervision more robust and more efficient. All of systemd's + process supervision more robust and efficient. All of systemd's components will now use pidfds if the kernel supports it for process watching, with the exception of PID 1 itself, unfortunately. We hope to move PID 1 to exclusively using pidfds too eventually, but this @@ -122,13 +118,13 @@ CHANGES WITH 245 in spe: * Closely related to this, the sd-event.h API gained two new calls sd_event_source_send_child_signal() (for sending a signal to a watched process) and sd_event_source_get_child_process_own() (for - marking a process so that it is killed implicitly whenever the event - source watching it is freed). + marking a process so that it is killed automatically whenever the + event source watching it is freed). * systemd-networkd gained support for configuring Token Buffer Filter - (TBF) parameters in its qdisc configuration support. Similar, support - for Stochastic Fairness Queuing (SFQ), Controlled-Delay Active - Queue Management (CoDel), Fair Queue (FQ) has been added. + (TBF) parameters in its qdisc configuration support. Similarly, + support for Stochastic Fairness Queuing (SFQ), Controlled-Delay + Active Queue Management (CoDel), Fair Queue (FQ) has been added. * systemd-networkd gained support for Intermediate Functional Block (IFB) network devices. @@ -136,40 +132,39 @@ CHANGES WITH 245 in spe: * systemd-networkd gained support for configuring multi-path IP routes, using the new MultiPathRoute= setting in the [Route] section. - * systemd-networkd's DHCPv4 support has been updated to support a new - SendDecline= option. If enabled duplicate address detection is done - after a DHCP offer is received from a server. If a conflict is - detected the address is declined. The DHCPv4 support also gained + * systemd-networkd's DHCPv4 client has been updated to support a new + SendDecline= option. If enabled, duplicate address detection is done + after a DHCP offer is received from the server. If a conflict is + detected, the address is declined. The DHCPv4 client also gained support for a new RouteMTUBytes= setting that allows to configure the MTU size to be used for routes generated from DHCPv4 leases. * The PrefixRoute= setting in systemd-networkd's [Address] section of .network files has been deprecated, and replaced by AddPrefixRoute=, - with it's sense inverted. + with its sense inverted. * The Gateway= setting of [Route] sections of .network files gained support for a special new value "dhcp". If set the configured static route uses the gateway host configured via DHCP. * A new User= setting has been implemented for the [RoutingPolicyRule] - section of .network files for configuring source routing based on UID + section of .network files to configure source routing based on UID ranges. - * sd-bus gained a new API call sd_bus_message_sensitive() for marking a - D-Bus message object as "sensitive". Objects that are marked that way - are erased from memory when they are freed. This concept is intended - to be used for messages that contain security sensitive data that - should be erased after use. A new flag SD_BUS_VTABLE_SENSITIVE has - been introduced as well that allows marking method calls in sd-bus - vtables like this, so that this new message flag is implicitly set - for incoming and outgoing messages of specific methods. + * sd-bus gained a new API call sd_bus_message_sensitive() that marks a + D-Bus message object as "sensitive". Those objects are erased from + memory when they are freed. This concept is intended to be used for + messages that contain security sensitive data. A new flag + SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods + in sd-bus vtables, causing any incoming and outgoing messages of + those methods to be implicitly marked as "sensitive". * sd-bus gained a new API call sd_bus_message_dump() for dumping the - contents of a message (or parts thereof) onto standard output, for + contents of a message (or parts thereof) to standard output for debugging purposes. - * systemd-sysusers gained support for creating users with primary - groups named differently than the user itself. + * systemd-sysusers gained support for creating users with the primary + group named differently than the user. * systemd-resolved's DNS-over-TLS support gained SNI validation. @@ -178,13 +173,13 @@ CHANGES WITH 245 in spe: only ext4 and btrfs partitions. * The support for /etc/crypttab gained a new x-initrd.attach option. If - set the specified encrypted volume is unlocked in the initrd - already. This concept corresponds to the x-initrd.mount option in + set, the specified encrypted volume is unlocked already in the + initrd. This concept corresponds to the x-initrd.mount option in /etc/fstab. * systemd-cryptsetup gained native support for unlocking encrypted volumes utilizing PKCS#11 smartcards, i.e. for example to bind - encryption of volumes to YubiKeys.This is exposed in the new + encryption of volumes to YubiKeys. This is exposed in the new pkcs11-uri= option in /etc/crypttab. * The /etc/fstab support in systemd now supports two new mount options @@ -194,42 +189,41 @@ CHANGES WITH 245 in spe: * The https://systemd.io/ web site has been relaunched, directly populated with most of the documentation included in the systemd - repository. In particular, systemd acquired a new logo, thanks to - Tobias Bernard. + repository. systemd also acquired a new logo, thanks to Tobias + Bernard. * systemd-udevd gained support for managing "alternative" network interface names, as supported by new Linux kernels. For the first time this permits assigning multiple (and longer!) names to a network interface. systemd-udevd will now by default assign the names - generated via all supported naming schemes to each interface in - parallel. This may be further tweaked with .link drop-in files, and - the AlternativeName= and AlternativeNamesPolicy= settings. All other - components of systemd have been updated to support the new - alternative names too, wherever that is appropriate. For example, - systemd-nspawn will now generate alternative interface names for the - host-facing side of container veth links based on the full container - name without truncation. + generated via all supported naming schemes to each interface. This + may be further tweaked with .link files and the AlternativeName= and + AlternativeNamesPolicy= settings. Other components of systemd have + been updated to support the new alternative names wherever + appropriate. For example, systemd-nspawn will now generate + alternative interface names for the host-facing side of container + veth links based on the full container name without truncation. * systemd-nspawn interface naming logic has been updated in another way too: if the main interface name (i.e. as opposed to new-style - "alternative" names) is the truncated result of container name a - simple hashing scheme is used that ensures that multiple containers - whose name all begin the same are likely resulting in different - interface names. Since this changes the primary interface names - pointing to containers if truncation happens the old scheme may still - be requested by selecting a different naming scheme than the v245 - one, via the net.naming-scheme= kernel command line option. + "alternative" names) based on the container name is truncated, a + simple hashing scheme is used to give different interface names to + multiple containers whose names all begin with the same prefix. Since + this changes the primary interface names pointing to containers if + truncation happens, the old scheme may still be requested by + selecting an older naming scheme, via the net.naming-scheme= kernel + command line option. * PrivateUsers= in service files now works in services run by the systemd --user per-user instance of the service manager. * A new per-service sandboxing option ProtectClock= has been added that locks down write access to the system clock. It takes away device - node access to /dev/rtc as well as the system calls that allow to set - the system clock. It also removes the CAP_SYS_TIME and CAP_WAKE_ALARM - capabilities. Note that this option does not affect access to - auxiliary services that allow changing the clock, for example access - to systemd-timedated. + node access to /dev/rtc as well as the system calls that set the + system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities. + Note that this option does not affect access to auxiliary services + that allow changing the clock, for example access to + systemd-timedated. * The systemd-id128 tool gained a new "show" verb for listing or resolving a number of well-known UUIDs/128bit IDs, currently mostly @@ -257,13 +251,13 @@ CHANGES WITH 245 in spe: permanent MAC address of a network device even if a randomized MAC address is used. - * systemd-logind will now validate access to the operation for changing - virtual terminals via a PolicyKit action. By default only users with - at least one session on a local VT will get access to the method call. + * systemd-logind will now validate access to the operation of changing + the virtual terminal via a PolicyKit action. By default, only users + with at least one session on a local VT are granted permission. - * When systemd sets up PAM sessions that invoked service processes shall - run in, the pam_setcred() API is now invoked, thus permitting PAM - modules to set additional credentials for the processes. + * When systemd sets up PAM sessions that invoked service processes + shall run in, the pam_setcred() API is now invoked, thus permitting + PAM modules to set additional credentials for the processes. … @@ -7181,10 +7175,9 @@ CHANGES WITH 213: * A new fsck.repair= kernel option has been added to control how fsck shall deal with unclean file systems at boot. - * The (.ini) configuration file parser will now silently - ignore sections whose name begins with "X-". This may be - used to maintain application-specific extension sections in unit - files. + * The (.ini) configuration file parser will now silently ignore + sections whose names begin with "X-". This may be used to maintain + application-specific extension sections in unit files. * machined gained a new API to query the IP addresses of registered containers. "machinectl status" has been updated From 823b0352710619a55916bfc2e6926a355e393907 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 4 Feb 2020 15:29:39 +0100 Subject: [PATCH 4/5] NEWS: mention empty .link and .network files --- NEWS | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/NEWS b/NEWS index 6a827ee545..b67994d913 100644 --- a/NEWS +++ b/NEWS @@ -251,6 +251,11 @@ CHANGES WITH 245 in spe: permanent MAC address of a network device even if a randomized MAC address is used. + * Any .link and .network files that have an empty [Match] section (this + also includes empty and commented-out files) will now be + rejected. systemd-udev and systemd-networkd started warning about + such files in version 243. + * systemd-logind will now validate access to the operation of changing the virtual terminal via a PolicyKit action. By default, only users with at least one session on a local VT are granted permission. From 69f173477bb1c0014d1ee98867b931aab1920a6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 4 Feb 2020 17:07:47 +0100 Subject: [PATCH 5/5] NEWS: mention the TrafficControlQueueingDiscipline rename --- NEWS | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index b67994d913..5936d6ec53 100644 --- a/NEWS +++ b/NEWS @@ -124,7 +124,7 @@ CHANGES WITH 245 in spe: * systemd-networkd gained support for configuring Token Buffer Filter (TBF) parameters in its qdisc configuration support. Similarly, support for Stochastic Fairness Queuing (SFQ), Controlled-Delay - Active Queue Management (CoDel), Fair Queue (FQ) has been added. + Active Queue Management (CoDel), and Fair Queue (FQ) has been added. * systemd-networkd gained support for Intermediate Functional Block (IFB) network devices. @@ -251,6 +251,10 @@ CHANGES WITH 245 in spe: permanent MAC address of a network device even if a randomized MAC address is used. + * The [TrafficControlQueueingDiscipline] section in .network files has + been renamed to [NetworkEmulator] with the "NetworkEmulator" prefix + dropped from the individual setting names. + * Any .link and .network files that have an empty [Match] section (this also includes empty and commented-out files) will now be rejected. systemd-udev and systemd-networkd started warning about