The fstab generator adds Before=swap.target by default, and when creating
a custom .swap unit, you can also add Before=swap.target to the unit.
However, it is impossible to not have this ordering dependency right now.
Virtually all existing setups likely use the fstab generator, so this
change is unlikely to break anything.
Use cases:
* iptables.service – atomically reload rules without having to flush
them beforehand (which may leave the system insecure if reload fails)
* rpc-nfsd.service – reexport filesystems after /etc/exports update
without completely stopping and restarting nfsd
(In both cases, the actual service is provided by a kernel module and
does not have any associated user-space processes, thus Type=oneshot.)
Valgrind says:
==29176== Conditional jump or move depends on uninitialised value(s)
==29176== at 0x412A85: cunescape_length_with_prefix (util.c:1565)
==29176== by 0x40B351: dev_kmsg_record (journald-kmsg.c:301)
==29176== by 0x40B653: server_read_dev_kmsg (journald-kmsg.c:347)
==29176== by 0x40B701: server_flush_dev_kmsg (journald-kmsg.c:365)
==29176== by 0x409DE7: main (journald.c:1535)
The MESSAGE_ID=... stanza will appear in countless number of places.
It is just too long to write it out in full each time.
Incidentally, this also fixes a typo of MESSSAGE is three places.
The removal of the TIMEOUT= handling in udevd put firmware requests into the
devpath parent/child dependency tracking. Drivers which block in module_init()
asking userspace for firmware ran into a 30 sec device timeout.
The whole firmware loading willl hopefully move into the kernel and
the fragile-since-day-one fake async driver-core device dance involving
udev can be retired:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=abb139e75c2cdbb955e840d6331cb5863e409d0e
If the final key in any sysctl.d file is a duplicate, systemd-sysctl
will exit with an error (and no explaination why). Ignore this, as
duplicate keys are to be expected when overriding settings in the
directory hierarchy.
This allows unprivileged clients to check for the used virtualization
even when lacking the privileges that some of the virtualization tests
require.
https://bugzilla.gnome.org/show_bug.cgi?id=684801
No longer override the default kernel keymap if nothing is specified in
vconsole.conf.
The default should be to do nothing (i.e., use what is already in the
kernel) unless the distro/admin has explicitly requested it.
No longer override the default kernel font if nothing is specified in
vconsole.conf.
The default kernel font[0] provides ISO-8859-1 and box characters. Users
of Arabic, Cyrilic or Hebrew must set a different font manually as these
character sets were provided by the old default font [1], but are not
any longer.
Rationale:
* it is counter-intuitive that an empty vconsole.conf file is different
from adding FONT="";
* the version of the default font shipped with Arch (which is the
upstream one) behaves very badly during early boot[2] (which should
admittedly be fixed in the font itself);
* the kernel already supplies a default font, it seems reasonable to
use that unless anything else is specified;
* This also avoids a needless slow call to setfont; and
* We don't want to work around problems in the kernel (in case the
compiled-in font is not acceptable for whatever reason).
[0]: <https://dev.archlinux.org/~tomegun/kernel.bdf>
[1]: <https://dev.archlinux.org/~tomegun/latarcyrheb.bdf>
[2]: <http://i.imgur.com/J2tM4.jpg>
As audit is pretty much just a special kind of logging we should treat
it similar, and manage the audit fd in a static variable.
This simplifies the audit fd sharing with the SELinux access checking
code quite a bit.
a) Instead of parsing the bus messages inside of selinux-access.c
simply pass everything pre-parsed in the functions
b) implement the access checking with a macro that resolves to nothing
on non-selinux builds
c) split out the selinux checks into their own sources
selinux-util.[ch]
d) this unifies the job creation code behind the D-Bus calls
Manager.StartUnit() and Unit.Start().
d4e9eb91ea changed the behavior for the F and f actions, wrongly sending
them to glob_item(). Restore the old behavior and shortcut straight to
write_one_file().
This minimal HTTP server can serve journal data via HTTP. Its primary
purpose is synchronization of journal data across the network. It serves
journal data in three formats:
text/plain: the text format known from /var/log/messages
application/json: the journal entries formatted as JSON
application/vnd.fdo.journal: the binary export format of the journal
The HTTP server also serves a small HTML5 app that makes use of the JSON
serialization to present the journal data to the user.
Examples:
This downloads the journal in text format:
# systemctl start systemd-journal-gatewayd.service
# wget http://localhost:19531/entries
Same for JSON:
# curl -H"Accept: application/json" http://localhost:19531/entries
Access via web browser:
$ firefox http://localhost:19531/
Among other cleanups this introduces a threshold for the size of binary
blobs we serialize as integer arrays in the JSON output. THis can be
disabled via --all.
The old code used a timestamp to print a timespan for unsealed journalfiles,
incorrectly showing things like 2230 days of unsealed entries. Print the timespan
between the first and last entry instead.
This requires a little bit of tip-toeing around to explicitly avoid
touching the environment from a sig handler. Instead, simply create a
function to reset the var to its "unset" state, allowing the next call
to columns() to recalculate and cache the new value.
Turns out cpuset needs explicit initialization before we could make use
of it. Thus mounting cpuset with cpu/cpuacct would make it impossible to
just create a group in "cpu" and start it.
Instead of doing hand optimized fd bisect arrays just use plain old
hashmaps. Now I can understand my own code again. Yay!
As a side effect this should fix some bad memory accesses caused by
accesses after mmap(), introduced in 189.
The mmap cache doesn't guarantee that we can look at two files at the
same time. Hence make sure to look at the entries to compare one
after the other, instead of at the same time when comparing them, and
reposition the window in between.
Systemctl would always return 1, because it treated uninteresting dbus
messages ("job added") as errors. Just ignore everything apart from
interesting ("job removed") messages.
Semantics are slightly different, because before unit_name_mangle
returning NULL was ignored, and now it is reported as oom. But
unit_name_mangle only returns NULL on oom.
Note: I did s/MANAGER/SYSTEMD/ everywhere, even though it makes the
patch quite verbose. Nevertheless, keeping MANAGER prefix in some
places, and SYSTEMD prefix in others would just lead to confusion down
the road. Better to rip off the band-aid now.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch adds the ability to look at the calling process that is trying to
do dbus calls into systemd, then it checks with the SELinux policy to see if
the calling process is allowed to do the activity.
The basic idea is we want to allow NetworkManager_t to be able to start and
stop ntpd.service, but not necessarly mysqld.service.
Similarly we want to allow a root admin webadm_t that can only manage the
apache environment. systemctl enable httpd.service, systemctl disable
iptables.service bad.
To make this code cleaner, we really need to refactor the dbus-manager.c code.
This has just become a huge if-then-else blob, which makes doing the correct
check difficult.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5
lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco
=yops
-----END PGP SIGNATURE-----
In many cases this might have a negative effect since we drop escaping
from strings where we better shouldn't have dropped it.
If unescaping makes sense for some settings we can readd it later again,
on a per-case basis.
https://bugs.freedesktop.org/show_bug.cgi?id=54522
When the new PID is invoked the journal socket from the initrd might
still be around. Due to the default log target being journal we'd log to
that initially when the new main systemd initializes even if the kernel
command line included a directive to redirect systemd's logging
elsewhere.
With this fix we initially always log to kmsg now, if we are PID1, and
only after parsing the kernel cmdline try to open the journal if that's
desired.
(The effective benefit of this is that SELinux performance data is now
logged again to kmsg like it used to be.)
Properly tell the kernel at bootup, and any later time zone changes,
the actual system time zone.
Things like the kernel's FAT filesystem driver needs the actual time
zone to calculate the proper local time to use for the on-disk time
stamps.
https://bugzilla.redhat.com/show_bug.cgi?id=802198
For setups with many listening sockets the default kernel resource limit
of 1024 fds is not enough. Bump this up to 64K to avoid any limitations
in this regard. We are careful to pass on the kernel default to daemons
however, since normally resource limits are a good to enforce,
especially since select() can't handle fds > 1023.
All "btrfs" file systems will be registered with the kernel when they
show up.
Incomplete multi-device volumes will set SYSTEMD_READY=0, to prevent
access until the volume is complete and fully registered.
Previously, if X allocated all 6 TTYs (for multi-session for example) no
getty would be available anymore to guarantee console-based logins.
With the new ReserveVT= switch in logind.conf we can now choose one VT
(6 by default) that will always be subject to autovt-style activation,
i.e. we'll always have a getty on TTY6, and X will never take possession
of it.
This resolves problems with filesystems which do not implement the
aio_write file operation. In this case, the kernel will fall back using
a loop writing technique for each pointer in a received iovec. The
result is strange errors in dmesg such as:
[ 31.855871] elevator: type not found
[ 31.856262] elevator: switch to
[ 31.856262] failed
It does not make sense to implement a synchronous aio_write method for
sysfs as this isn't a real filesystem where a reasonable use case for
using writev exists, nor is there an expectation that tmpfiles will be
used to write more data than can be reasonably written in a single write
syscall.
In addition, some sysfs attrs are currently buggy and will NOT reject
the second write with the newline, causing the sysfs value to be zeroed
out. This of course should be fixed in the kernel regardless of any
wrongdoing in userspace, but this simple change makes us immune to such
a bug.
This change means that we do not write a trailing newline by default, as
the expected use case of 'w' is for sysfs and procfs. In exchange, honor
C-style backslash escapes so that if the newline is really needed, the
user can add it.
Most things seem to function fine without /dev/shm, but it is expected
to be there (quoting linux/Documentation/filesystems/tmpfs.txt:
glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for POSIX
shared memory (shm_open, shm_unlink)).
Since /tmp/ is already mounted as tmpfs, it would be enough to mkdir
/tmp/shm and chmod it. Mounting it separately has the advantage that
it can be easily remounted to change the quota.
When looking for symlinks, it doesn't make sense to error-out if
the directory is missing. The user might delete an empty directory.
This check caused test-unit-file to fail when run before installation.
Before, after the timeout, a session would be timestamped as idle
since 'last activity' + 'idle timeout'. Now, it is timestamped as idle
since 'last activity'.
Before, after all sessions were idle, the seat would be marked with as
idle with the timestamp of the oldest idle session. Now it is
marked with the timestamp of the youngest idle session.
Both changes seem to me to be closer to natural understanding of
idleness: the time since last activity counts.
- Make writing/reading of /etc/timezone dependendent of HAVE_SYSV_COMPAT
- Introduce symlink_atomic() after all, and use it
- Use relative symlink for /etc/localtime
/etc/localtime -> /usr/share/zoneinfo/...
or
/etc/localtime -> ../usr/share/zoneinfo/...
(note, ../usr is not the same if /etc is a symlink, as this isn't
using canonicalize_file_name())
keep other method for now, consider dropping later.
Supporting relative links here are problematic as timezones in
/usr/share/zoneinfo are often themselves symlinks (and symlinks to
symlinks), so this implamentation only supports absolute symlinks
"/usr/share/zoneinfo/" and relative symlinks starting with
"../usr/share/zoneinfo/"
>From TODO (kay sievers):
* kill /etc/timezone handling entirely? What does it provide?
- /etc/localtime carries the same information already:
$ ls -l /etc/localtime; cat /etc/timezone
lrwxrwxrwx 1 root root 33 Jul 27 09:55 /etc/localtime -> /usr/share/zoneinfo/Europe/Berlin
Europe/Berlin
- systemd enforces /usr to be available at bootup, so we can
enforce the use of the symlink
Add specifier expansion to Path and String conditions.
Specifier expansion for conditions will help create instance
and user session units by allowing us to template conditions
based on the instance or user session parameters.
An example would be a system-wide user session service file
that conditionally runs based on whether a user has the
service configured through a configuration file in ~/.config/.
This only adds the fields to the D-Bus interfaces but doesn't fill them
in with anything useful yet. Gummiboot exposes the necessary bits of
information to use however and as soon as I get my fingers on a proper
UEFI laptop I'll hook up the remaining bits.
Since we want to stabilize the D-Bus interface soon and include it in
the stability promise we should get the last fixes in, hence this change
now.
Break out the write logic into a separate function and simply use it as
a callback to glob_item.
This allows users to consolidate writes to sysfs with multiple similar
pathnames, e.g.
w /sys/class/block/sd[a-z]/queue/read_ahead_kb - - - - 1024
This counts 'online sessions' in addition to 'active sessions' and 'sessions'.
In this context, an 'online session' covers all session in the 'active' state
in addition to the explicit 'online' state.
This provides an easy machanism to determin all relevant sessions easily
(i.e. those that are not 'closing') and adds new semantics to the sd-login.c
APIs sd_uid_get_sessions() and sd_uid_get_seats() where the require_active
argument can be supplied as a value 2 which only lists sessions which are
'online'.
This functionality should allow client applications to avoid deadlocks where
they only exit when all sessions are complete, such as a the problem where
PulseAudio will not exit until all sessions are gone, but in itself prevents
the session from exiting.
PulseAudio for example will keep a client connection open provided
at least one session exists. However, if all sessions are currently
in the process of closing, we should flag that as the overall state
appropriately to better reflect what is happening.
Although this does better reflect the status for any given user, it does
not actually solve the overall problem of PulseAudio still finding some
sessions active and thus not exiting and therefore actually preventing
the session from closing. Future commits will extend sd-login to cope
with this situation.
Call rm_rf_children_dangerous() recursively rather than falling back to
rm_rf_children(). This fixes a bug in systemd-tmpfiles.
The problem can easily be reproduced by:
# mount /dev/sda1 /mnt
# mkdir /mnt/test
# echo "D /mnt" > /root/test.conf
# systemd-tmpfiles --remove /root/test.conf
Attempted to remove disk file system, and we can't allow that.
rm_rf(/root/test): Operation not permitted
Reported-by: Lukas Jirkovsky <l.jirkovsky@gmail.com>
This splits the JSON output mode into different modes: json and
json-pretty. The former printing one entry per line, the latter showing
JSON objects nicely indented and in multiple lines to make it easier to
read for humans.
journalctl -f redirected to a pipe or file wasn't working for some
output formats but was working for json. It turns out only json was
doing an fflush.
Make all output formats flush.
After talking to the cgroup kernel folks at LPC we came to the
conclusion that it is probably a good idea to mount all CPU related
resp. all network related cgroup controllers together, both because they
are good defaults for admins and because this might prepare
for eventual kernel cleanups where the ability to mount them separately
is removed.
This creates /dev/fd, /dev/stdin, /dev/stdout, /dev/stderr, and
/dev/core as symlinks to /proc on container creation. Except for
/dev/core, these are needed for shells like bash to be fully functional.
Let's clean up our terminology a bit. New terminology:
FSS = Forward Secure Sealing
FSPRG = Forward Secure Pseudo-Random Generator
FSS is the combination of FSPRG and a HMAC.
Sealing = process of adding authentication tags to the journal.
Verification = process of checking authentication tags to the journal.
Sealing Key = The key used for adding authentication tags to the journal.
Verification Key = The key used for checking authentication tags of the journal.
Key pair = The pair of Sealing Key and Verification Key
Internally, the Sealing Key is the combination of the FSPRG State plus
change interval/start time.
Internally, the Verification Key is the combination of the FSPRG Seed
plus change interval/start time.
Thomas Bächler
