we need to make sure that configuration data we expose via the bus ends
up in using getting an assert(). Even though configuration data is only
parsed from trusted sources we should be more careful with what we read.
If the service reaches the start limit, mark the sockets that activate
it as failed (with the result code 'service-broken').
This way the sockets won't act as tarpits for clients connecting to
them.
This patch adds WatchdogTimestamp[Monotonic] to the systemd service
D-Bus API. The timestamp is updated to the current time when the
service calls 'sd_nofity("WATCHDOG=1\n")'.
Using a timestamp instead of an 'alive' flag has two advantages:
1. No timeout is needed to define when a service is no longer alive.
This simplifies both configuration (no timeout value) and
implementation (no timeout event).
2. It is more robust. A 'dead' service might not be detected should
systemd 'forget' to reset an 'alive' flag. It is much less likely
to get a valid new timestamp if a service died.
The pid file watch could outlive the service unit if a daemon-reload
request came at the right time. The inotify event would then be
delivered to who knows where.
Fix it by unwatching in the service destructor.
Further changes will be needed to preserve the state of the pid file
watch across daemon-reload. For now let's just fix the crash observed
by Jóhann Guðmundsson:
Assertion 's->state == SERVICE_START || s->state == SERVICE_START_POST'
failed at src/service.c:2609, function service_fd_event(). Aborting
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=783118
Now that objects of all unit types are allocated the exact amount of
memory they need, the Unit union has lost its purpose. Remove it.
"Unit" is a more natural name for the base unit class than "Meta", so
rename Meta to Unit.
Access to members of the base class gets simplified.
The storage of the unit objects on the heap is currently not very
efficient. For every unit object we allocate a chunk of memory as large
as the biggest unit type, although there are significant differences in
the units' real requirements.
pahole shows the following sizes of structs:
488 Target
496 Snapshot
512 Device
528 Path
560 Timer
576 Automount
1080 Socket
1160 Swap
1168 Service
1280 Mount
Usually there aren't many targets or snapshots in the system, but Device
is one of the most common unit types and for every one we waste
1280 - 512 = 768 bytes.
Fix it by allocating only the right amount for the given unit type.
On my machine (x86_64, with 39 LVM volumes) this decreases systemd's
USS (unique set size) by more than 300 KB.
When we merge units that some kind of object points to, those pointers
might become invalidated, and needs to be updated. Introduce a UnitRef
struct which links up all the unit references, to ensure corrected
references.
At the same time, drop configured_sockets in the Service object, and
replace it by proper UNIT_TRIGGERS resp. UNIT_TRIGGERED_BY dependencies,
which allow us to simplify a lot of code.
The handling of failures in ExecStartPost is inconsistent. If the
command times out, the service is stopped. But if the command exits
with a failure, the service keeps running.
It makes more sense to stop the service when ExecStartPost fails.
If this behaviour is not desired, the ExecStartPost command can be
prefixed with "-".
There are a lot of forking daemons that do not exactly follow the
initialization steps as described in daemon(7). It is common that they
do not bother waiting in the parent process for the child to write the
PID file before exiting. The daemons' developers often do not perceive
this as a bug and they're unwilling to change.
Currently systemd warns about the missing PID file and falls back to
guessing the main PID. Being not quite deterministic, the guess can be
wrong with bad consequences. If the guessing is disabled, determinism is
achieved at the cost of losing the ability of noticing when the main
process of the service dies.
As long as it does not negatively affect properly written services,
systemd should strive for compatibility even with services with racy
daemonization. It is possible to provide determinism _and_ main process
supervision to them.
If the PID file is not there, rather than guessing and considering the
service running immediately after getting the SIGCHLD from the ExecStart
(or ExecStartPost) process, we can keep the service in the activating
state for a bit longer. We can use inotify to wait for the PID file to
appear. Only when it finally does appear and we read a valid PID from
it, we'll move the service to the running state. If the PID file never
appears, the usual timeout kicks in and the service fails.
A service that drops its privileges may not be able to remove it when it
exits. The stale pidfile is not a problem as long as the service
carefully recognizes it on its next start.
systemd would produce a warning after the service exits:
PID ... read from file ... does not exist. Your service or init
script might be broken.
Silence the warning in this case. Still warn if this error is detected
when loading the pidfile after service start.
Noticed by Miroslav Lichvar in
https://bugzilla.redhat.com/show_bug.cgi?id=752396
This patch adds support for the Mageia Linux distribution:
http://www.mageia.org/
Mageia is a fork of Mandriva although some divergence has already occured
and thus inclusion of these changes upstream allow us to (hopefully)
migrate more rapidly to the new standard approaches systemd offers.
Indeed, we already use the preferred mechanism of OS identification via
the /etc/os-release file rather than a distro specific variation.
This patch mostly mirrors the patch added previously for Mandriva
support. In addition to those original authors, this patch was mostly
written by Dexter Morgan with help from Colin Guthrie and Eugeni Dodonov.
Services which claim to start in both rcN.d and rcS.d generate
loops which for some reason seems to usually end up with dbus not
starting and the whole machine being quite unhappy. We now rather
assume that if a service can be started in rcS, it should not also
start in rcN.d.
Fixes Debian bug #637037
As it turns out there are quite a number of SysV services too broken to
make the guessing work: instead of returning in the parent only after
the child is fully initialized they return immediately. The effect is
that the guessing in systemd might happen too early, at a time where the
final main process doesn't exist yet.
By turning this off we won't try to detect the main pid anymore, with
the effect that all processes of the service in question are considered
equally likely to be the main process.
Warn if a service promises to write a PID file (using 'PIDFile=' in the
unit file or '# pidfile:' in SysV header), but fails to keep the
promise.
This warning will likely trigger also for the forking services with a
racy daemonization, which exit the original process before the PID file
is written.
This is useful for inetd-style per-connection services, so that they
again can simply specify StandardOutput=socket to connect all three fds
to the socket.
Return 0 only if the PID was really loaded. If no PIDFile= is defined,
return -ENOENT.
Only one caller cares about the return value of this function and this
change makes the usage nicer.
When some forking daemons receive a SIGHUP, they re-execute themselves
and consequently change to a new main PID. As long as they update the
PID file in the right order (before exiting the old PID), we can detect
that and avoid killing them.
The logic never worked since reading from the boot console is useless
when a service is started after boot. Hence drop this half-baked code,
since we now have a place document incompatibilities like this.
http://www.freedesktop.org/wiki/Software/systemd/Incompatibilities
Instead of having individual counters n_serializing and n_deserializing
have a single one n_reloading, which should be sufficient.
Set n_reloading when we are about to go down for reexecution to avoid
cgroup trimming when we free the units for reexecution.
The presence of the chkconfig "pidfile:" header in the initscript is an
excellent indication that it's not a oneshot script (like iptables),
but a real daemon (like httpd).
Explicitly disconnect all clients from a VT when a getty starts/finishes
(requires TIOCVHANGUP, available in 2.6.29).
Explicitly deallocate getty VTs in order to flush scrollback buffer.
Explicitly reset terminals to a defined state before spawning getty.
This commit consists of the initial work to include Angstrom as a ported
distribution for systemd.
Angstrom tries to follow the debian way as much as possible, but deviates
where it doesn't make sense for 'embedded'.
