Compare commits

...

8 Commits

Author SHA1 Message Date
Anita Zhang 3d9489ee45
Merge pull request #15321 from topimiettinen/dbus-execute-add-protect-clock
dbus-execute: show also ProtectClock
2020-04-03 16:15:51 -07:00
Anita Zhang 4fbf39926e
Merge pull request #15290 from keszybz/unrelated-fixes
Three unrelated minor tweaks
2020-04-03 15:54:38 -07:00
Anita Zhang 3adb304ae6
Merge pull request #15297 from poettering/homed-no-fallocate
homed: fall back to ftruncate() if fallocate() is not supported on ba…
2020-04-03 15:49:43 -07:00
Topi Miettinen b8b7b838fd
dbus-execute: show also ProtectClock
Show also `ProtectClock=` setting. This also lets `systemd-analyze security`
get the correct state for it.
2020-04-03 16:32:10 +03:00
Lennart Poettering e46f877c5c homed: fall back to ftruncate() if fallocate() is not supported on backing fs
This means "discard" mode is enabled implicitly on such simpler backing
fs.

Fixes: #15059
2020-04-01 18:19:07 +02:00
Zbigniew Jędrzejewski-Szmek e6a4e25a82 man: add note that --no-hostname has limited effect
Clearly there is some confusion about the intent of this option, let's add
a short note.

https://bugzilla.redhat.com/show_bug.cgi?id=1819313
2020-04-01 09:25:50 +02:00
Zbigniew Jędrzejewski-Szmek 82b2281dd5 journal-remote: fix description of option
We use whatever compression is configured, most often not XZ.
2020-03-31 22:19:22 +02:00
Zbigniew Jędrzejewski-Szmek 934cf0a9c7 sd-bus: simplify bus_maybe_reply_error
sd_bus_reply_method_errno already does the same two checks
(sd_bus_error_is_set(error), r < 0) internally. But it did them in opposite
order. The effect is the same, because sd_bus_reply_method_errno falls back to
sd_bus_reply_method_error, but it seems inelegant. So let's simplify
bus_maybe_reply_error() to offload the job fully to sd_bus_reply_method_errno().

No functional change.
2020-03-31 22:19:22 +02:00
5 changed files with 56 additions and 36 deletions

View File

@ -398,8 +398,8 @@
<varlistentry> <varlistentry>
<term><option>--output-fields=</option></term> <term><option>--output-fields=</option></term>
<listitem><para>A comma separated list of the fields which should be included in the output. This only has an <listitem><para>A comma separated list of the fields which should be included in the output. This has an
effect for the output modes which would normally show all fields (<option>verbose</option>, effect only for the output modes which would normally show all fields (<option>verbose</option>,
<option>export</option>, <option>json</option>, <option>json-pretty</option>, <option>json-sse</option> and <option>export</option>, <option>json</option>, <option>json-pretty</option>, <option>json-sse</option> and
<option>json-seq</option>). The <literal>__CURSOR</literal>, <literal>__REALTIME_TIMESTAMP</literal>, <option>json-seq</option>). The <literal>__CURSOR</literal>, <literal>__REALTIME_TIMESTAMP</literal>,
<literal>__MONOTONIC_TIMESTAMP</literal>, and <literal>_BOOT_ID</literal> fields are always <literal>__MONOTONIC_TIMESTAMP</literal>, and <literal>_BOOT_ID</literal> fields are always
@ -416,8 +416,13 @@
<varlistentry> <varlistentry>
<term><option>--no-hostname</option></term> <term><option>--no-hostname</option></term>
<listitem><para>Don't show the hostname field of log messages originating from the local host. This switch only <listitem><para>Don't show the hostname field of log messages originating from the local host. This
has an effect on the <option>short</option> family of output modes (see above).</para></listitem> switch has an effect only on the <option>short</option> family of output modes (see above).
</para>
<para>Note: this option does not remove occurrences of the hostname from log entries themselves, so
it does not prevent the hostname from being visible in the logs.</para>
</listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>

View File

@ -795,6 +795,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("MountFlags", "t", bus_property_get_ulong, offsetof(ExecContext, mount_flags), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("MountFlags", "t", bus_property_get_ulong, offsetof(ExecContext, mount_flags), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("PrivateTmp", "b", bus_property_get_bool, offsetof(ExecContext, private_tmp), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("PrivateTmp", "b", bus_property_get_bool, offsetof(ExecContext, private_tmp), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("PrivateDevices", "b", bus_property_get_bool, offsetof(ExecContext, private_devices), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("PrivateDevices", "b", bus_property_get_bool, offsetof(ExecContext, private_devices), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectClock", "b", bus_property_get_bool, offsetof(ExecContext, protect_clock), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectKernelTunables", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_tunables), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("ProtectKernelTunables", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_tunables), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectKernelModules", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_modules), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("ProtectKernelModules", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_modules), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectKernelLogs", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_logs), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("ProtectKernelLogs", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_logs), SD_BUS_VTABLE_PROPERTY_CONST),

View File

@ -1765,6 +1765,45 @@ static int calculate_disk_size(UserRecord *h, const char *parent_dir, uint64_t *
return 0; return 0;
} }
static int home_truncate(
UserRecord *h,
int fd,
const char *path,
uint64_t size) {
bool trunc;
int r;
assert(h);
assert(fd >= 0);
assert(path);
trunc = user_record_luks_discard(h);
if (!trunc) {
r = fallocate(fd, 0, 0, size);
if (r < 0 && ERRNO_IS_NOT_SUPPORTED(errno)) {
/* Some file systems do not support fallocate(), let's gracefully degrade
* (ZFS, reiserfs, ) and fall back to truncation */
log_notice_errno(errno, "Backing file system does not support fallocate(), falling back to ftruncate(), i.e. implicitly using non-discard mode.");
trunc = true;
}
}
if (trunc)
r = ftruncate(fd, size);
if (r < 0) {
if (ERRNO_IS_DISK_SPACE(errno)) {
log_error_errno(errno, "Not enough disk space to allocate home.");
return -ENOSPC; /* make recognizable */
}
return log_error_errno(errno, "Failed to truncate home image %s: %m", path);
}
return 0;
}
int home_create_luks( int home_create_luks(
UserRecord *h, UserRecord *h,
char **pkcs11_decrypted_passwords, char **pkcs11_decrypted_passwords,
@ -1917,20 +1956,9 @@ int home_create_luks(
if (r < 0) if (r < 0)
log_warning_errno(r, "Failed to set file attributes on %s, ignoring: %m", temporary_image_path); log_warning_errno(r, "Failed to set file attributes on %s, ignoring: %m", temporary_image_path);
if (user_record_luks_discard(h)) r = home_truncate(h, image_fd, temporary_image_path, host_size);
r = ftruncate(image_fd, host_size); if (r < 0)
else
r = fallocate(image_fd, 0, 0, host_size);
if (r < 0) {
if (ERRNO_IS_DISK_SPACE(errno)) {
log_debug_errno(errno, "Not enough disk space to allocate home.");
r = -ENOSPC; /* make recognizable */
goto fail;
}
r = log_error_errno(errno, "Failed to truncate home image %s: %m", temporary_image_path);
goto fail; goto fail;
}
log_info("Allocating image file completed."); log_info("Allocating image file completed.");
} }
@ -2625,19 +2653,9 @@ int home_resize_luks(
if (S_ISREG(st.st_mode)) { if (S_ISREG(st.st_mode)) {
/* Grow file size */ /* Grow file size */
r = home_truncate(h, image_fd, ip, new_image_size);
if (user_record_luks_discard(h)) if (r < 0)
r = ftruncate(image_fd, new_image_size); return r;
else
r = fallocate(image_fd, 0, 0, new_image_size);
if (r < 0) {
if (ERRNO_IS_DISK_SPACE(errno)) {
log_debug_errno(errno, "Not enough disk space to grow home.");
return -ENOSPC; /* make recognizable */
}
return log_error_errno(errno, "Failed to grow image file %s: %m", ip);
}
log_info("Growing of image file completed."); log_info("Growing of image file completed.");
} }

View File

@ -786,7 +786,7 @@ static int help(void) {
" --listen-http=ADDR Listen for HTTP connections at ADDR\n" " --listen-http=ADDR Listen for HTTP connections at ADDR\n"
" --listen-https=ADDR Listen for HTTPS connections at ADDR\n" " --listen-https=ADDR Listen for HTTPS connections at ADDR\n"
" -o --output=FILE|DIR Write output to FILE or DIR/external-*.journal\n" " -o --output=FILE|DIR Write output to FILE or DIR/external-*.journal\n"
" --compress[=BOOL] XZ-compress the output journal (default: yes)\n" " --compress[=BOOL] Use compression in the output journal (default: yes)\n"
" --seal[=BOOL] Use event sealing (default: no)\n" " --seal[=BOOL] Use event sealing (default: no)\n"
" --key=FILENAME SSL key in PEM format (default:\n" " --key=FILENAME SSL key in PEM format (default:\n"
" \"" PRIV_KEY_FILE "\")\n" " \"" PRIV_KEY_FILE "\")\n"

View File

@ -314,13 +314,9 @@ char *bus_address_escape(const char *v) {
int bus_maybe_reply_error(sd_bus_message *m, int r, sd_bus_error *error) { int bus_maybe_reply_error(sd_bus_message *m, int r, sd_bus_error *error) {
assert(m); assert(m);
if (r < 0) { if (sd_bus_error_is_set(error) || r < 0) {
if (m->header->type == SD_BUS_MESSAGE_METHOD_CALL) if (m->header->type == SD_BUS_MESSAGE_METHOD_CALL)
sd_bus_reply_method_errno(m, r, error); sd_bus_reply_method_errno(m, r, error);
} else if (sd_bus_error_is_set(error)) {
if (m->header->type == SD_BUS_MESSAGE_METHOD_CALL)
sd_bus_reply_method_error(m, error);
} else } else
return r; return r;