Fixes#6282.
This solution is a bit busy, but we close the race without setting *.all.*, so
it is still possible to set a different setting for particular interfaces.
Setting just "default" is not very useful because any interfaces present before
systemd-sysctl is invoked are not affected. Setting "all" is too harsh, because
the kernel takes the stronger of the device-specific setting and the "all" value,
so effectively having a weaker setting for specific interfaces is not possible.
This is intended for net.*.conf.*.foo files. Setting just "default" is not very
useful because any interfaces present before systemd-sysctl is invoked are not
affected. Setting "all" is too harsh, because the kernel takes the stronger of
the device-specific setting and the "all" value, so effectively having a weaker
setting for specific interfaces is not possible. Let's add a way in which can
set "default" first and then all the others without "all".
When unit is reloaded, and the reloaded unit has bad-setting, then
unit_patch_contexts() is not called and exec_context::user and group
may not be configured.
A minimum reproducer for the case is:
- step 1.
$ sudo systemctl edit --full hoge.service
[Service]
oneshot
ExecStart=sleep 1h
- step 2.
$ sudo systemctl start hoge.service
- step 3.
$ sudo systemctl edit --full hoge.service
[Service]
Type=oneshot
ExecStart=@bindir@/sleep 1h
DynamicUser=yes
Then pid1 crashed.
Fixes#14733.
This extends the "uid:gid" syntax for "u" lines so that a group
name can be given instead of a GID. This requires that the group
is either queued for creation by sysusers, or it is already defined
on the system.
Closes#14340
Having /etc/securetty in test containers prevents root from logging into
them:
```
Jan 31 10:15:11 systemd-testsuite login[69]: pam_securetty(login:auth): access denied: tty 'pts/0' is not secure !
Jan 31 10:15:11 systemd-testsuite login[69]: FAILED LOGIN 1 FROM pts/0 FOR root, Authentication failure
```
We already apply them to the directory in /var. Let's do the same in
/run too. That's because due to the log namespace logic we nowadays can
gain additional subdirs there during regular operation.
If we have exit on idle, then operations such as "journalctl
--namespace=foo --rotate" should work even if the journal daemon is
currently not running.
(Note that we don't do activation by varlink for the main instance of
journald, I am not sure the deadlocks it might introduce are worth it)
