Commit graph

27605 commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek b0828828bb CONTRIBUTING: reword the part about unsetting the label (#4716)
Only project members can do it.
2016-11-23 08:52:19 +01:00
Zbigniew Jędrzejewski-Szmek ee43050b40 Merge pull request #4692 from poettering/networkd-dhcp
Various networkd/DHCP fixes.
2016-11-22 23:22:04 -05:00
Janne Heß 6d9e45e97f Document an edge-case with resume and mounting (#4581)
When trying to read keyfiles from an encrypted partition to unlock the swap,
a cyclic dependency is generated because systemd can not mount the
filesystem before it has checked if there is a swap to resume from.

Closes #3940
2016-11-22 23:19:56 -05:00
Zbigniew Jędrzejewski-Szmek c5c755e1bc Merge pull request #4693 from poettering/nspawn-ephemeral
nspawn: support ephemeral boots from images
2016-11-22 23:15:07 -05:00
Lennart Poettering acbbf69b71 nspawn: don't require chown() if userns is not on
Fixes: #4711
2016-11-22 13:35:24 +01:00
Lennart Poettering 17cbb288fa nspawn: add fallback top normal copy/reflink when we cannot btrfs snapshot
Given that other file systems (notably: xfs) support reflinks these days, let's
extend the file system snapshotting logic to fall back to plan copies or
reflinks when full btrfs subvolume snapshots are not available.

This essentially makes "systemd-nspawn --ephemeral" and "systemd-nspawn
--template=" available on non-btrfs subvolumes. Of course, both operations will
still be slower on non-btrfs than on btrfs (simply because reflinking each file
individually in a directory tree is still slower than doing this in one step
for a whole subvolume), but it's probably good enough for many cases, and we
should provide the users with the tools, they have to figure out what's good
for them.

Note that "machinectl clone" already had a fallback like this in place, this
patch generalizes this, and adds similar support to our other cases.
2016-11-22 13:35:09 +01:00
Lennart Poettering c67b008273 nspawn: remove temporary root directory on exit
When mountint a loopback image, we need a temporary root directory we can mount
stuff to. Make sure to actually remove it when exiting, so that we don't leave
stuff around in /tmp unnecessarily.

See: #4664
2016-11-22 13:35:09 +01:00
Lennart Poettering 6a0f896b97 nspawn: try to wait for the container PID 1 to exit, before we exit
Let's make the shutdown logic synchronous, so that there's a better chance to
detach the loopback device after use.
2016-11-22 13:35:09 +01:00
Lennart Poettering b6e953f24c nspawn: add ability to run nspawn without container locks applied
This adds a new undocumented env var $SYSTEMD_NSPAWN_LOCK. When set to "0",
nspawn will not attempt to lock the image.

Fixes: #4037
2016-11-22 13:35:09 +01:00
Lennart Poettering 546dbec532 shared: make sure image_path_lock() return parameters are always initialized on success
We forgot to initialize the "global" return parameter in one case. Fix that.
2016-11-22 13:35:09 +01:00
Lennart Poettering 0f3be6ca4d nspawn: support ephemeral boots from images
Previously --ephemeral was only supported with container trees in btrfs
subvolumes (i.e. in combination with --directory=). This adds support for
--ephemeral in conjunction with disk images (i.e. --image=) too.

As side effect this fixes that --ephemeral was accepted but ignored when using
-M on a container that turned out to be an image.

Fixes: #4664
2016-11-22 13:35:09 +01:00
Lennart Poettering 1a1b13c957 seccomp: add @filesystem syscall group (#4537)
@filesystem groups various file system operations, such as opening files and
directories for read/write and stat()ing them, plus renaming, deleting,
symlinking, hardlinking.
2016-11-21 19:29:12 -05:00
Martin Ejdestig 6680b8d118 sd-event: fix sd_event_source_get_priority() (#4712)
To properly store priority in passed in pointer and return 0 for success.
Also add a test for verifying that it works correctly.
2016-11-21 19:21:00 -05:00
Zbigniew Jędrzejewski-Szmek ef8b008455 sd-dhcp-client: use free_and_strdup
This changes the return value a bit: 1 will be returned if the value is
changed. But the return value was not documented, and the change should
be for the good anyway. Current callers don't care.
2016-11-21 23:01:02 +01:00
Lennart Poettering 640be8806e man: make /etc/nsswitch.conf documentation for nss-resolve match example
Fixes: #4683
2016-11-21 22:58:27 +01:00
Lennart Poettering d9ec2e632d dhcp4: filter bogus DNS/NTP server addresses silently
if we receive a bogus lease with a DNS/NTP server within local scope let's
politely ignore.

Fixes: #4524
2016-11-21 22:58:26 +01:00
Lennart Poettering 49ad68298a networkd: do not automatically propagate bogus DNS/NTP servers
Never propagate DNS/NTP servers on the local link via the DHCP server. The
DNS/NTP servers 0.0.0.0 and 127.0.0.1 only make sense in the local context,
hence never propagate them automatically to other hosts.

Fixes: #4524
2016-11-21 22:58:26 +01:00
Lennart Poettering a380b2d4c6 networkd: rename link_push_dns_to_dhcp_server() → link_push_uplink_dns_to_dhcp_server()
Let's clarify that this is only relevant for pushing uplink DNS config data,
not in any other context.

(Same for NTP)
2016-11-21 22:58:26 +01:00
Lennart Poettering 5512a96316 networkd: store DNS servers configured per-network as parsed addresses
DNS servers must be specified as IP addresses, hence let's store them as that
internally, so that they are guaranteed to be fully normalized always, and
invalid data cannot be stored.
2016-11-21 22:58:26 +01:00
Lennart Poettering fa105ce6b7 networkd: minor word extraction fixes
Let's make the loops around extract_first_word() be more alike.
2016-11-21 22:58:26 +01:00
Lennart Poettering 94e9bd571e networkd: reorder fields in Network struct a bit
Let's reorder them a bit, so that stuff that belongs together semantically is
placed together (in particular, move the various DHCP "use" booleans together).
2016-11-21 22:58:26 +01:00
Lennart Poettering 265759908d networkd: validate NTP server strings configured in .network files
Let's be a bit stricter, and make sure users only configure proper DNS names or
IP addresses, but not any other strings.
2016-11-21 22:58:26 +01:00
Lennart Poettering 08a4849ec9 shared: add new API to validate a string as hostname or IP address 2016-11-21 22:58:26 +01:00
Lennart Poettering fd18634de4 basic: make sure in_addr_from_string() can take NULL arguments
This way, we can use it for validating IP address strings.
2016-11-21 22:47:47 +01:00
Lennart Poettering fdedbe2676 basic: add explicit ipv4-specific in_addr classification calls
This adds in4_addr_is_localhost() and in4_addr_is_link_local() that only take
an IPv4 "struct in_addr", to match in_addr_is_localhost() and
in_addr_is_link_local() that that a "union in_addr_union".

This matches the existing in4_addr_is_null() call that already exists.

For IPv6 glibc already exports a set of macros, hence we don't add similar
functions in6_addr_is_localhost(). We also drop in6_addr_is_null() as
IN6_IS_ADDR_UNSPECIFIED() already provides that.
2016-11-21 22:47:47 +01:00
Lennart Poettering 7192bb81bd networkd: rework how we set the hostname on the dhcp4 client
Let's split out the code into its own little function and let's use
gethostname_strict() which already filters out localhost for us.
2016-11-21 22:47:47 +01:00
Lennart Poettering 17f6ed4d59 sd-dhcp: permit unsetting the hostname again
Let's handle NULL hostnames (for unsetting it) before we validate the name.
2016-11-21 22:47:47 +01:00
Lennart Poettering c5066640a1 Merge pull request #4701 from martinpitt/networkd-polkit
hostnamed: allow networkd to set the transient hostname
2016-11-21 18:24:51 +01:00
Martin Pitt 89748b0af1 tests: check transient hostname with and without static hostname
We expect a static hostname to win over a transient one, so test both cases.
2016-11-21 12:57:16 +01:00
Evgeny Vereshchagin 270f419316 Merge pull request #4691 from keszybz/test-suite-fixes
Test suite fixes
2016-11-20 19:38:58 +03:00
Martin Pitt e8c0de9127 hostnamed: allow networkd to set the transient hostname
systemd-networkd runs as user "systemd-network" and thus is not privileged to
set the transient hostname:

  systemd-networkd[516]: ens3: Could not set hostname: Interactive authentication required.

Standard polkit *.policy files do not have a syntax for granting privileges to
a user, so ship a pklocalauthority (for polkit < 106) and a JavaScript rules
file (for polkit >= 106) that grants the "systemd-network" system user that
privilege.

Add DnsmasqClientTest.test_transient_hostname() test to networkd-test.py to
cover this. Make do_test() a bit more flexible by interpreting "coldplug==None"
as "test sets up the interface by itself". Change DnsmasqClientTest to set up
test_eth42 with a fixed MAC address so that we can configure dnsmasq to send a
special host name for that.

Fixes #4646
2016-11-20 12:19:21 +01:00
Martin Pitt 9e0c296a16 test: clean up "dummy0" interface after each test case in networkd-test.py 2016-11-20 12:19:21 +01:00
Zbigniew Jędrzejewski-Szmek cf5f9bb840 test-functions: also add qemu define for ppc64 2016-11-19 22:45:23 -05:00
Hans de Goede 3f59367e6f hwdb: keyboard: Ignore brightness hotkey presses on MSI VR420 (model MS-1422) (#4696)
Add MSI VR420 (model MS-1422) to the list of MSI models which need to
ignore brightness hotkey presses, as these are already reported through
the acpi-video interface.

Bug-link: https://bugzilla.redhat.com/show_bug.cgi?id=1270124
Reported-by: David Dreggors <dadreggors@gmail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
2016-11-19 10:07:41 -05:00
Lennart Poettering f4ff4aa800 Merge pull request #4395 from s-urbaniak/rw-support
nspawn: R/W support for /sysfs, /proc, and /proc/sys/net
2016-11-18 12:36:46 +01:00
Lennart Poettering 2e6dbc0fcd Merge pull request #4538 from fbuihuu/confirm-spawn-fixes
Confirm spawn fixes/enhancements
2016-11-18 11:08:06 +01:00
Evgeny Vereshchagin 8e391ada6b
tests/TEST-13-NSPAWN-SMOKE: add SYSTEMD_NSPAWN_API_VFS_WRITABLE
https://github.com/systemd/systemd/pull/4395
2016-11-18 09:51:03 +01:00
Sergiusz Urbaniak 4f086aab52
nspawn: R/W support for /sys, and /proc/sys
This commit adds the possibility to leave /sys, and /proc/sys read-write.
It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE
to enable this feature.

If set to "yes", /sys, and /proc/sys will be read-write.
If set to "no", /sys, and /proc/sys will be read-only.
If set to "network" /proc/sys/net will be read-write. This is useful in
use-cases, where systemd-nspawn is used in an external network
namespace.

This adds the possibility to start privileged containers which need more
control over settings in the /proc, and /sys filesystem.

This is also a follow-up on the discussion from
https://github.com/systemd/systemd/pull/4018#r76971862 where an
introduction of a simple env var to enable R/W support for those
directories was already discussed.
2016-11-18 09:50:40 +01:00
Zbigniew Jędrzejewski-Szmek 5c7119f43e test-ipcrm: skip test if nfsnobody is missing 2016-11-17 20:57:22 -05:00
Zbigniew Jędrzejewski-Szmek 041b5ae170 basic/process-util: we need to take the shorter of two strings
==30496== Conditional jump or move depends on uninitialised value(s)
==30496==    at 0x489F654: memcmp (vg_replace_strmem.c:1091)
==30496==    by 0x49BF203: getenv_for_pid (process-util.c:678)
==30496==    by 0x4993ACB: detect_container (virt.c:442)
==30496==    by 0x182DFF: test_get_process_comm (test-process-util.c:98)
==30496==    by 0x185847: main (test-process-util.c:368)
==30496==
2016-11-17 20:57:22 -05:00
Zbigniew Jędrzejewski-Szmek 347ebd0297 test-process-util: bind mount fails under selinux, skip test 2016-11-17 20:57:22 -05:00
Zbigniew Jędrzejewski-Szmek 9a4550e258 Merge pull request #4671 from poettering/namespace-bind
rework service namespace handling a bit
2016-11-17 19:40:57 -05:00
Zbigniew Jędrzejewski-Szmek a1e45b8ba3 basic/env-uil: fix assertion failure in strv_env_replace (#4688)
free_and_replace sets the setcond argument to NULL (it's designed
to be used with _clenaup_ macros), and we don't want that here.

Fixes #4684.
2016-11-17 22:25:01 +01:00
Franck Bui 539622bd8c core: in confirm spawn, suggest 'f' when user selects 'n' choice 2016-11-17 18:23:32 +01:00
Franck Bui c891efaf8a core: confirm_spawn: always accept units with same_pgrp set for now
For some reasons units remaining in the same process group as PID 1
(same_pgrp=true) fail to acquire the console even if it's not taken by anyone.

So always accept for units with same_pgrp set for now.
2016-11-17 18:16:51 +01:00
Franck Bui 63d77c9254 core: include the unit name when notifying that a confirmation question timed out 2016-11-17 18:16:51 +01:00
Franck Bui b0eb29449e core: add 'c' in confirmation_spawn to resume the boot process 2016-11-17 18:16:50 +01:00
Franck Bui 56fde33af1 core: add 'j' in confirmation_spawn to list the jobs that are in progress 2016-11-17 18:16:50 +01:00
Franck Bui dd6f9ac0d0 core: add 'D' in confirmat spawn to show a full dump of the unit to spawn 2016-11-17 18:16:50 +01:00
Franck Bui eedf223a30 core: add 'i' in confirm spawn to give a short summary of the unit to spawn 2016-11-17 18:16:50 +01:00