Compare commits

861 Commits

Author SHA1 Message Date
Petr Menšík 54c0facbb3
Merge b8675eef92 into bbec1c87d3 2024-11-27 06:45:27 +00:00
gerblesh bbec1c87d3 sysext: set SELinux context for hierarchies and workdir 2024-11-26 17:47:32 +00:00
Yu Watanabe f29a07f3fc man: several more assorted fixes
Continuation of 4ebbb5bfe8.
Closes #35307.
2024-11-26 17:28:14 +01:00
Luca Boccassi 0566bd9643
machine: increase timeouts in attempt to fix #35115 (#35117)
An attempt to fix https://github.com/systemd/systemd/issues/35115
2024-11-26 16:12:56 +00:00
Lennart Poettering 7b4b3a8f7b sd-varlink: fix bug when enqueuing messages with fds asynchronously
When determining the poll events to wait for we need to take the queue
of pending messages that carry fds into account. Otherwise we might end
up not waking up if such an fd-carrying message is enqueued
asynchronously (i.e. not from a dispatch callback).
2024-11-26 16:06:53 +00:00
Winterhuman 5bed97dd57
man/systemd-system.conf: Correct "struct" to "strict" (#35364) 2024-11-26 22:41:49 +09:00
Luca Boccassi c4d7a13c06 cryptsetup: convert pkcs11/fido2 to iovec for key handling
key-data might be NULL. Fixes crash:

0  0x0000559c62120530 in attach_luks_or_plain_or_bitlk (cd=0x559c6b192830, name=0x7ffd57981dc4 "root", token_type=TOKEN_FIDO2, key_file=0x0, key_data=0x0, passwords=0x0, flags=524296, until=0)
    at ../src/cryptsetup/cryptsetup.c:2234
        pass_volume_key = false
        r = 1469577760
        __func__ = '\000' <repeats 29 times>
1  0x0000559c6212279c in run (argc=6, argv=0x7ffd5797fe98) at ../src/cryptsetup/cryptsetup.c:2597
        discovered_key_data = {iov_base = 0x0, iov_len = 0}
        key_data = 0x0
        token_type = TOKEN_FIDO2
        destroy_key_file = 0x0
        flags = 524296
        until = 0
        passphrase_type = PASSPHRASE_NONE
        volume = 0x7ffd57981dc4 "root"
        source = 0x7ffd57981dc9 "/dev/disk/by-uuid/8372fb39-9ba4-461a-a618-07dcaae66280"
        status = CRYPT_INACTIVE
        tries = 0
        key_file = 0x0
        config = 0x7ffd57981e05 "luks,discard,fido2-device=auto,x-initrd.attach"
        use_cached_passphrase = true
        try_discover_key = true
        discovered_key_fn = 0x7ffd5797fa70 "root.key"
        passwords = 0x0
        cd = 0x559c6b192830
        verb = 0x7ffd57981dbd "attach"
        r = 0
        __func__ = "\000\000\000"
2  0x0000559c621231e6 in main (argc=6, argv=0x7ffd5797fe98) at ../src/cryptsetup/cryptsetup.c:2674
        r = 32553
        __func__ = "\000\000\000\000"

Follow-up for 53b6c99018
2024-11-26 22:04:24 +09:00
Abderrahim Kitouni 0ae6f4843e updatectl: fix DBus method signature for SetFeatureEnabled
The signature was changed to 'sit' in sysupdated during review, but updatectl
kept using 'sbt'
2024-11-26 22:03:41 +09:00
Yu Watanabe 1ea1a79aa1 Revert "Revert "man: use MIT-0 license for example codes in daemon(7)""
This reverts commit 7a9d0abe4d.
2024-11-26 12:26:10 +01:00
Luca Boccassi 7a9d0abe4d Revert "man: use MIT-0 license for example codes in daemon(7)"
This reverts commit 6046cc3660.
2024-11-26 19:47:21 +09:00
Yu Watanabe 6046cc3660 man: use MIT-0 license for example codes in daemon(7)
This page contains many short example codes. I do not think we should
add SPDX-License-Identifier for all codes.

Closes #35356.
2024-11-26 11:12:08 +01:00
Luca Boccassi 321c202e7c
man: assorted fixes (#35326)
Closes #35307.
2024-11-25 15:02:08 +00:00
Daan De Meyer e3b5a0c32d test: Use env in testsuite readme
Let's make sure we use env when we're setting environment variables
to rely less on shell specifics.
2024-11-25 14:54:23 +00:00
Zbigniew Jędrzejewski-Szmek 766d74fd8b
core/device: ignore ID_PROCESSING udev property on enumerate (#35332)
Fixes #35329.
2024-11-25 14:21:36 +01:00
Zbigniew Jędrzejewski-Szmek d293fade24
Check inode number to see if we are in init namespace (#35306)
This is a more comprehensive fix compared to #35273. Also adds a minimal
test only.

Based on Luca's #35273 but generalizes the code a bit.

In v258 we really should get rid of the old heuristics around userns and
cgroupns detection, but given we are late in the v257 cycle this keeps
them in.
2024-11-25 14:13:36 +01:00
Daan De Meyer 4a346b779a test: Dump coredumps from journal in the integration test wrapper
Fixes #35277
2024-11-25 19:12:11 +09:00
Yu Watanabe 0e42004f3e networkd-test.py: disable IPv6AcceptRA= if not necessary
To speed up the test. Otherwise, it takes a few seconds for interfaces
to enter the configured state, and networkd-wait-online may time out.
2024-11-25 10:07:26 +00:00
Yu Watanabe 675feaf521 TEST-17: add reproducer for issue #35329
Without the previous commit, the test case will fail.
2024-11-25 15:33:48 +09:00
Yu Watanabe c4fc22c4de core/device: ignore ID_PROCESSING udev property on enumerate
This partially reverts the commit 405be62f05
"tree-wide: refuse enumerated device with ID_PROCESSING=1".

Otherwise, when systemd-udev-trigger.service is (re)started just before
daemon-reexec, which can easily happen on systemd package update, then
udev database files for many devices may have ID_PROCESSING=1 property,
thus devices may not be enumerated on daemon-reexec. That causes many
units especially mount units being deactivated after daemon-reexec.

Fixes #35329.
2024-11-25 15:33:48 +09:00
Luca Boccassi 6fd3496cfd test: mask tmpfiles.d file shipped by selinux policy package in containers
This tmpfiles.d wants to write to sysfs, which is read-only in containers,
so systemd-tmpfiles --create fails in TEST-22-TMPFILES when run in nspawn
if the selinux policy package is installed. Mask it, as it's not our
config file, we don't need it in the test.
2024-11-25 15:25:55 +09:00
Daan De Meyer bb486fe9df mkosi: Use shared extra tree between initrd and main image
Let's share more between initrd and main system and use a shared
extra tree to achieve that.
2024-11-25 15:09:58 +09:00
Daan De Meyer 0e44a351ea mkosi: Make sure mkosi.clangd always runs on the host
If the editor that invokes mkosi.clangd is a flatpak, let's make sure
that mkosi is run on the host and not in the flatpak sandbox since it
won't be installed there.
2024-11-25 00:21:10 +01:00
Luca Boccassi 94eacb9329
Various mkosi and integration test fixes (#35336) 2024-11-24 18:10:03 +00:00
Daan De Meyer f458a60391 test: Lint integration-test-wrapper.py 2024-11-24 16:47:20 +01:00
Daan De Meyer ceca7c5005 test: Fix typing errors in integration-test-wrapper.py 2024-11-24 16:47:20 +01:00
Daan De Meyer 4f969b20b0 test: Format integration-test-wrapper.py 2024-11-24 16:47:20 +01:00
Daan De Meyer d6047d9fb5 ukify: Fix typing error 2024-11-24 16:47:20 +01:00
Daan De Meyer a2aacbfad5 Move mypy.ini and ruff.toml to top level
This allows reusing them for integration-test-wrapper.py as well.
2024-11-24 16:47:20 +01:00
Daan De Meyer 6d2fd490cf integration-test-wrapper: Remove unneeded format strings 2024-11-24 16:47:20 +01:00
Daan De Meyer c859b310ed mkosi: Add github CLI to tools 2024-11-24 16:47:20 +01:00
Daan De Meyer 51cd3dec2a mkosi: Add dnf and dnf5 to sanitizer workaround list 2024-11-24 16:47:20 +01:00
Daan De Meyer fdc4706850 mkosi: Install clangd everywhere 2024-11-24 16:47:20 +01:00
Daan De Meyer 506403f561 mkosi: Use bash to execute command -v
command is only an executable on Fedora due to a downstream patch,
on Arch for example it's only a builtin so we have to use bash to
execute command -v to get proper results on Arch.
2024-11-24 16:47:18 +01:00
Daan De Meyer 6fd5df6005 mkosi: Add shellcheck to tools 2024-11-24 16:47:04 +01:00
Daan De Meyer a197604af4 mkosi: update to latest 2024-11-24 16:47:04 +01:00
Vito Caputo 4f3df8c1bb NEWS: add blurb thanking Nick Owens
Nick's largely responsible for nerd-sniping me into fixing #34516
and did most of the testing.
2024-11-24 16:31:27 +09:00
白一百 8c18851e7e
hwdb: add entry for Chuwi Hi10 X1 (#35331)
https://www.chuwi.com/product/items/chuwi-hi10-x1.html
Rotated -90 degrees in the Z axis.
2024-11-24 16:30:33 +09:00
Yu Watanabe 5b2926d941 curl-util: do not configure new io event source when the event loop is already dead
Similar to c5ecf09494, but for io event source.

Fixes #35322.
2024-11-23 22:49:57 +01:00
Yu Watanabe d07fbf22ed man: update documentation about basic .netdev file handling
Follow-up for #34909 and later PRs.
2024-11-24 01:11:46 +09:00
Yu Watanabe 4ebbb5bfe8 man: assorted fixes
Closes #35307.
2024-11-24 01:11:42 +09:00
Ani Sinha 4b356c90dc measure: add 'dtbauto' option in help message
'dtbauto' command line was missing from the help string. Add it.
2024-11-23 12:43:34 +00:00
Léane GRASSER f28e16d14e po: Translated using Weblate (French)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Léane GRASSER <leane.grasser@proton.me>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fr/
Translation: systemd/main
2024-11-23 20:49:18 +09:00
Yu Watanabe 9e05e33871 networkd-test.py: fix interface state checker
After 259125d53d, network interfaces
declared by .netdev files are created after systemd-networkd sends READY
notification. So, even when networkd is started, the netdevs may not
be created yet, and 'ip' command may fail. Let's also check the return
code of the command.

This also
- drops never worked stdout checks,
- makes the test fail if the interface is not created within the timeout.
2024-11-23 17:33:43 +09:00
Lennart Poettering 95116bdfd5 nspawn: improve log message on bad incoming sd_notify() message
It's the PID that is wrong, not the UID/GID, be precise.
2024-11-23 17:33:17 +09:00
Lennart Poettering 2bd290ca02 nspawn: fix userns_mkdir() invocation
The wrong error code was logged.

But actually given that userns_mkdir() is fine with existing dirs, let's
drop the redundant conditionalization.

Follow-up for: a1fcaa1549
2024-11-23 17:33:06 +09:00
Yu Watanabe 1e9fb1d456 shutdown: propagate one more error from sync_making_progress()
No functional change, just refactoring, as anyway all errors will be
ignored by the caller.
2024-11-23 17:32:51 +09:00
Yu Watanabe 56c761f8c6
namespace-util: handle -ENOSPC by userns_acquire() gracefully in is_idmapping_supported() (#35313)
Follow-up for edae62120f.
Fixes #35311.
2024-11-23 17:32:23 +09:00
Yu Watanabe b76730f3fe shutdown: close DM block device before issuing DM_DEV_REMOVE ioctl
Otherwise, the ioctl() may fail with EBUSY.

Follow-up for b4b66b2662.
Hopefully fixes #35243.
2024-11-23 17:31:36 +09:00
Yu Watanabe 3dda236c5c basic/linux: update kernel headers from v6.12 2024-11-23 17:31:12 +09:00
Zbigniew Jędrzejewski-Szmek 5598454a3f Undeprecate commandline params forcequotacheck, fastboot, and forcefsck
Those are historical names, but there is nothing wrong with them. The files on
/ (/fastboot, /forcefsck, and /forcequotacheck) are problematic because they
require a modification of the root file system. But the commandline params work
fine. They have the obvious advantage compared to our "modern" option that they
are much easier to type without looking up the spelling in the docs. Undeprecate
them to avoid unnecessary churn.
2024-11-23 17:30:56 +09:00
Lennart Poettering 4b4af14a98 test-namespace: tweak log message a bit 2024-11-23 00:14:20 +01:00
Lennart Poettering a2429f507c virt: make use of ns inode check in running_in_userns() and running_in_cgroupns() too 2024-11-23 00:14:20 +01:00
Luca Boccassi 193bf42ab0 detect-virt: check the inode number of the pid namespace
The inode number of root pid namespace is hardcoded in the kernel to
0xEFFFFFFC since 3.8, so check the inode number of our pid namespace
if all else fails. If it's not 0xEFFFFFFC then we are in a pid
namespace, hence a container environment.

Fixes https://github.com/systemd/systemd/issues/35249

[Reworked by Lennart, to make use of namespace_is_init()]
2024-11-23 00:14:20 +01:00
Lennart Poettering 18ead2b03d namespace-util: add generic namespace_is_init() call 2024-11-23 00:14:20 +01:00
Yu Watanabe 2994ca354b namespace-util: update log messages 2024-11-23 06:52:48 +09:00
Yu Watanabe eb14b993bb namespace-util: handle -ENOSPC by userns_acquire() gracefully in is_idmapping_supported()
Follow-up for edae62120f.
Fixes #35311.
2024-11-23 06:52:38 +09:00
Christian Hesse c946b13575 link README.logs from tmpfiles.d/legacy.conf only if available
The file README.logs is installed only if SysVInit support is enabled.
Thus the link should depend on it as well.
2024-11-22 18:33:20 +00:00
Lennart Poettering e39cbb1442 varlink: apparently on old kernels SO_PEERPIDFD returns EINVAL 2024-11-23 03:09:49 +09:00
Marco Tomaschett bc4a027f9c
hwdb: add support for PineTab2 to 60-sensor.hwdb (#35304)
Add accelerometer support for PineTab2
2024-11-23 03:08:06 +09:00
Lennart Poettering d209e197f8
userdbctl: two trivial fixlets (#35296)
Fixes: #35294
2024-11-22 16:06:01 +01:00
Antonio Alvarez Feijoo 9ed090230e tpm2-util: fix parameter name 2024-11-22 16:04:16 +01:00
Luca Boccassi 9bf6ffe166
man: split cryptenroll man page into sections (#35297) 2024-11-22 12:01:07 +00:00
Lennart Poettering 47c5ca237b userdbctl: respect selected disposition also when showing gid boundaries
Follow-up for: ad5de3222f
2024-11-22 11:28:30 +01:00
Lennart Poettering 7f8a4f12df userdbctl: fix counting
Fixes: #35294
2024-11-22 11:28:28 +01:00
Lennart Poettering e412fc5e04 userdbctl: show 'mapped' user range only inside of userns
Outside of userns the concept makes no sense, there cannot be users
mapped from further outside.
2024-11-22 11:28:17 +01:00
Lennart Poettering cc6baba720 cryptenroll: it's called PKCS#11, not PKCS11
In the --help text we really should use the official spelling, just like
in the man page.
2024-11-22 10:42:37 +01:00
Lennart Poettering 3ae48d071c man: add enrollment type sections to cryptenroll man page
We have the same sections in the --help text, hence we even more so
should have them in the man page.
2024-11-22 10:42:37 +01:00
Antonio Alvarez Feijoo 2ccacdd57c bash-completion: add --list-devices to systemd-cryptenroll
And also use it to list suitable block devices.
2024-11-22 10:38:19 +01:00
Yu Watanabe d99198819c core/service: service_add_fd_store() consumes passed fd
Without this change, the fd is closed twice on failure.

Fixes a bug introduced by dff9808a62.

Fixes #35288.
2024-11-22 04:15:51 +01:00
Tobias Zimmermann f70e5620b6 hwdb: Add quirk for Logitech MX Keys for Mac
The KEY_102ND and KEY_GRAVE keys are switched on the
Logitech MX Keys for Mac, so switch them back
2024-11-21 21:16:07 +01:00
Zbigniew Jędrzejewski-Szmek 3127c71bf4
Keep tmpfiles/legacy.conf even if SysVInit support is dropped (#35278) 2024-11-21 21:13:50 +01:00
Yuri Chornoivan b153eebfb2 po: Translated using Weblate (Ukrainian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Yuri Chornoivan <yurchor@ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/uk/
Translation: systemd/main
2024-11-22 05:02:16 +09:00
Zbigniew Jędrzejewski-Szmek 2c06e40ae9 tmpfiles: add period at end of the sentence
The license that is immediately above is properly punctuated and it looks
sloppy when our line below isn't.
2024-11-21 18:35:18 +01:00
Zbigniew Jędrzejewski-Szmek 5ca9149464 tmpfiles: narrow scope of HAVE_SYSV_COMPAT condition for legacy.conf
That file contains a bunch of entries of which only some are related to SysV.
The rest are just "traditional APIs" that need to stay. In particular,
/var/lock a.k.a. /run/lock is used by many programs (LVM, iscsi, alsactl).
Similarly, the README about /var/log is something that should stay as long as
we have people migrating from older systems or using the copious documentation
that mentions /var/log/messages.txt on the Internet.

/var/lock/subsys is only used by sysvinit, and our code to support /forcefsck,
/fastboot, and /forcequotacheck is conditionalized on HAVE_SYSV_COMPAT, so
conditionalize those here on HAVE_SYSV_COMPAT too.
2024-11-21 18:32:46 +01:00
Luca Boccassi b7eefa1996 cgroup-util: fix memory leak on error
CID#1565824

Follow-up for f6793bbcf0
2024-11-21 14:02:34 +09:00
Luca Boccassi 2e5b0412f9
network: update state files before replying bus method (#35255)
Follow-up for 2b07a3211b.

Fixes the failure found in
https://autopkgtest.ubuntu.com/results/autopkgtest-noble-upstream-systemd-ci-systemd-ci/noble/amd64/s/systemd-upstream/20241115_182040_92382@/log.gz
. Relevant logs:
```
Nov 16 02:48:36 systemd-networkd[2706]: veth99: Reconfiguring with /run/systemd/network/25-dhcp-client-ipv6-only.network.
Nov 16 02:48:36 systemd-networkd[2706]: veth99: NDISC: Started IPv6 Router Solicitation client
Nov 16 02:48:36 systemd-networkd[2706]: veth99: IPv6 Router Discovery is configured and started.
Nov 16 02:48:36 systemd-networkd[2706]: veth99: NDISC: Sent Router Solicitation, next solicitation in 3s
Nov 16 02:48:36 systemd-networkd[2706]: veth99: NDISC: Received Router Advertisement from fe80::1034:56ff:fe78:9abd: flags=0xc0(managed, other), preference=medium, lifetime=30min
Nov 16 02:48:36 systemd-networkd[2706]: veth99: NDISC: Invoking callback for 'router' event.
Nov 16 02:48:36 systemd-networkd[2706]: veth99: link_check_ready(): dynamic addressing protocols are enabled but none of them finished yet.
Nov 16 02:48:36 systemd-networkd[2706]: veth99: DHCPv6 client: Starting in Solicit mode
Nov 16 02:48:36 systemd-networkd[2706]: veth99: DHCPv6 client: State changed: stopped -> solicitation
Nov 16 02:48:36 systemd-networkd[2706]: veth99: Acquiring DHCPv6 lease on NDisc request
Nov 16 02:48:36 systemd-networkd[2706]: veth99: DHCPv6 client: Sent Solicit
Nov 16 02:48:36 systemd-networkd[2706]: veth99: DHCPv6 client: Next retransmission in 1s
Nov 16 02:48:37 systemd-networkd[2706]: veth99: DHCPv6 client: Sent Solicit
Nov 16 02:48:37 systemd-networkd[2706]: veth99: DHCPv6 client: Next retransmission in 1s
Nov 16 02:48:39 systemd-networkd[2706]: veth99: NDISC: Received Neighbor Advertisement from fe80::1034:56ff:fe78:9abd: Router=yes, Solicited=yes, Override=no
Nov 16 02:48:39 systemd-networkd[2706]: veth99: NDISC: Invoking callback for 'neighbor' event.
Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: Processed Reply message
Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: T1 expires in 50s
Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: T2 expires in 55s
Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: Valid lifetime expires in 2min
Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: State changed: solicitation -> bound
Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 address 2600::15/128 (valid for 1min 59s, preferred for 1min 59s)
Nov 16 02:48:41 systemd-networkd[2706]: veth99: Received updated DHCPv6 address (configured): 2600::15/128 (valid for 1min 58s, preferred for 1min 58s), flags: no-prefixroute, scope: global
Nov 16 02:48:41 systemd-networkd[2706]: veth99: DHCPv6 addresses and routes set.
Nov 16 02:48:41 systemd-networkd[2706]: veth99: link_check_ready(): IPv4LL:no DHCPv4:no DHCPv6:yes DHCP-PD:no NDisc:no
Nov 16 02:48:41 systemd-networkd[2706]: veth99: State changed: configuring -> configured
```
The interface veth99 entered the configured state after 5 seconds, but
at the same time, the `wait_online()` in the test script considered the
test failed.
The function `wait_online()` first invokes
`systemd-networkd-wait-online` with `--timeout=20`, then checks setup
states of interfaces with 5 seconds timeout. So, the failure suggests
that `systemd-networkd-wait-online` finishes immediately, as the state
file was not updated when it is invoked, and thus it handles the
interface veth99 already in the configured state.
2024-11-20 23:36:35 +00:00
Martin Srebotnjak 69af4849aa po: Translated using Weblate (Slovenian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Martin Srebotnjak <miles@filmsi.net>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/sl/
Translation: systemd/main
2024-11-21 04:17:08 +09:00
Jiri Grönroos 18d4e0be89 po: Translated using Weblate (Finnish)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Jiri Grönroos <jiri.gronroos@iki.fi>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fi/
Translation: systemd/main
2024-11-21 04:17:08 +09:00
Dmytro Markevych 7d7b89a015 po: Translated using Weblate (Ukrainian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Dmytro Markevych <hotr1pak@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/uk/
Translation: systemd/main
2024-11-21 04:17:08 +09:00
Léane GRASSER 8a92365f79 po: Translated using Weblate (French)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Léane GRASSER <leane.grasser@proton.me>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fr/
Translation: systemd/main
2024-11-21 04:17:08 +09:00
Yu Watanabe 2b397d43ab test-network: actually check metric and preference
Otherwise, nexthop ID may contain e.g. 300, then
===
AssertionError: '300' unexpectedly found in
'default nhid 3860882700 via fe80::1034:56ff:fe78:9a99 proto ra metric 512 expires 1798sec pref high\n
 default nhid 2639230080 via fe80::1034:56ff:fe78:9a98 proto ra metric 2048 expires 1798sec pref low'
===
2024-11-21 03:43:35 +09:00
Yu Watanabe 9ad294efd0 network: update state files before replying bus method
Follow-up for 2b07a3211b.
2024-11-21 03:42:06 +09:00
Lennart Poettering f6793bbcf0 killall: gracefully handle processes inserted into containers via nsenter -a
"nsenter -a" doesn't migrate the specified process into the target
cgroup (it really should). Thus the cgroup will remain in a cgroup
that is (due to cgroup ns) outside our visibility. The kernel will
report the cgroup path of such cgroups as starting with "/../". Detect
that and print a reasonable error message instead of trying to resolve
that.
2024-11-20 18:11:38 +00:00
Mike Yuan f87863a8ff process-util: refuse to operate on remote PidRef
Follow-up for 7e3e540b88
2024-11-20 18:10:26 +00:00
Antonio Alvarez Feijoo 58c3c2886d cryptenroll: fix typo 2024-11-20 18:03:44 +00:00
Daan De Meyer dbbe895807 test-audit-util: Migrate to new assertion macros 2024-11-20 16:48:55 +00:00
Yu Watanabe 52b0351a15
core/exec-invoke: suppress placeholder home only in build_environment() (#35219)
Alternative to https://github.com/systemd/systemd/pull/34789
Closes #34789
2024-11-20 17:34:25 +09:00
Luca Boccassi fe077a1a58 units: add initrd directory to list of conditions for systemd-confext
systemd-sysext has the same check, but it was forgotten for confexts.
Needed to activate confexts from the ESP in the initrd.
2024-11-20 09:12:24 +01:00
Xuanjun Wen a526b9ddfc hwdb: add new Cube Mix Plus (i18D) rotation info
Added rotation information for the new version of Cube Mix Plus (i18D).
2024-11-20 05:23:34 +09:00
Mike Yuan 804dd670d1
sd-varlink: mark sd_varlink_server_{ref,unref} as _public_ (#35241)
Co-authored-by: Thorsten Kukuk <kukuk@suse.com>
2024-11-20 05:21:15 +09:00
Ivan Kruglov 3aa3f130c1 machine: add debug for systemd-nspawn@.service 2024-11-19 19:12:32 +01:00
Ivan Kruglov df18408ac6 machine: increase timeouts in attempt to fix #35115 2024-11-19 18:04:27 +01:00
Lennart Poettering d5bb359429
user-record: don't synthesize default list of self-modifiable fields for non-regular users. (#35133)
A follow-up for a192250eda

/cc @AdrianVovk
2024-11-19 14:32:21 +01:00
Antonio Alvarez Feijoo a04d42821b man/kernel-command-line: fix typo 2024-11-19 13:59:11 +01:00
Luca Boccassi 987156769b
network/ndisc: process zero lifetime options at first (#35212)
Fixes two issues reported at #33468.
2024-11-19 12:42:03 +00:00
Antonio Alvarez Feijoo 2b251491de cryptenroll: show better log message if slot to wipe does not exist
```
$ systemd-cryptenroll /dev/vda3
SLOT TYPE
   0 password
$ systemd-cryptenroll --wipe-slot 1 /dev/vda3
Failed to wipe slot 1, continuing: No such file or directory
```
2024-11-19 12:00:50 +01:00
Lennart Poettering 12b06fef7a update TODO 2024-11-19 11:03:16 +01:00
Yaron Shahrabani dd7bc02ee6 po: Translated using Weblate (Hebrew)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/he/
Translation: systemd/main
2024-11-19 19:01:31 +09:00
Mantas Mikulėnas 2424a67c02 ssh-generator: silence "Binding to socket" messages 2024-11-19 11:00:20 +01:00
Lennart Poettering ebe37f771c user-record: distinguish explicit and implicit empty modifiable lists case
We now distinguish two cases: where the list of self modifiable fields
is explicitly set to empty, and where the default is empty.

Let's display them differently in the output. When set explicitly to
empty let's mention the admin, otherwise just say "none".
2024-11-19 10:15:42 +01:00
Lennart Poettering ac8e381e26 user-record: only synthesize default list of self-modifiable fields for *regular* users
For system users we should lock things down, hence generate an empty
list.

This is mostly a safety precaution, but also hides really confusing
output of "userdbctl user" for a system user.

Follow-up for: a192250eda
2024-11-19 10:15:40 +01:00
Zbigniew Jędrzejewski-Szmek 574a04f62a
test: fix generate-sym-test using the wrong array (#35185)
For my understanding bsearch is searching in the wrong array. Or, if
it's the right one, then the size is wrong. In another commit I made the
arrays different by mistake and that triggered a SIGSEGV during tests.
2024-11-19 10:15:18 +01:00
Lennart Poettering ec97125a7e vmspawn: enable memory pressure logic for vmspawn 2024-11-19 10:12:03 +01:00
Lennart Poettering 54646b1ca9 systemctl: grey out tasks limit the same way we grey out the fd store limit in the output
"systemctl status systemd-logind" otherwise looks a bit weird, since the
tasks and the fdstore lines are so close to each other but formatted
quite differently when it comes to coloring.
2024-11-19 10:11:49 +01:00
Federico Giovanardi 0c851a58f7 style: Fix formatting 2024-11-19 09:55:07 +01:00
Mike Yuan b718b86e1b
core/exec-invoke: suppress placeholder home only in build_environment()
Currently, get_fixed_user() employs USER_CREDS_SUPPRESS_PLACEHOLDER,
meaning home path is set to NULL if it's empty or root. However,
the path is also used for applying WorkingDirectory=~, and we'd
spuriously use the invoking user's home as fallback even if
User= is changed in that case.

Let's instead delegate such suppression to build_environment(),
so that home is properly initialized for usage at other steps.
shell doesn't actually suffer from such problem, but it's changed
too for consistency.

Alternative to #34789
2024-11-19 00:38:18 +01:00
Mike Yuan d911778877
core/exec-invoke: minor cleanup for apply_working_directory() error handling
Assign exit_status at the same site where error log is emitted,
for readability.
2024-11-19 00:38:18 +01:00
Mike Yuan eea9d3eb10
basic/user-util: split out placeholder suppression from USER_CREDS_CLEAN into its own flag
No functional change, preparation for later commits.
2024-11-19 00:38:18 +01:00
Mike Yuan 579ce77ead
basic/user-util: introduce shell_is_placeholder() helper 2024-11-19 00:38:18 +01:00
Daan De Meyer 70bb29db62 mkosi: Enable clangd execution for all distributions 2024-11-18 23:21:24 +00:00
Lennart Poettering cc74edd861 update TODO 2024-11-18 23:50:04 +01:00
Yu Watanabe c295b558bf test-network: add test case for IPv6 Core Conformance test v6LC.2.2.23 2024-11-19 04:48:39 +09:00
Yu Watanabe 16ccdc3748 test-network: split out check_router_preference() from test_router_preference()
This also drops high2.network and low2.network, and edits high.network and
low.network during the test.
2024-11-19 04:44:59 +09:00
Yu Watanabe 25688f8d5a network/ndisc: first process options with zero lifetime
Fixes IPv6 Core Conformance test failures reported at #33468.
https://www.ipv6ready.org/docs/Core_Conformance.pdf
Test v6LC.2.2.23 h and j: Processing Router Advertisement with Route
Information Option (Host Only)

When a RA contains route option with ::/0 prefix, then previously that
may contradict with the default route requested with the RA header.
If the route option has zero lifetime, the existing default route should
be removed, and a new route based on the RA header should be configured.
If the route option has non-zero lifetime, the RA header should be
ignored.

So, we first need to process options with zero lifetime (not only
route option, for similar reasons), then configure the default route
based on the RA, finally process options with non-zero lifetime.
2024-11-19 04:04:14 +09:00
Yu Watanabe cb3243460b network/ndisc: sd_ndisc_router_route_get_preference() does not return -EOPNOTSUPP anymore 2024-11-19 04:04:14 +09:00
Yu Watanabe c8ddd5ff72 ndisc-option: use memcpy_safe() at one more place
As 'len' may be 8.

Follow-up for a163404cc8.
2024-11-19 04:04:14 +09:00
Zbigniew Jędrzejewski-Szmek 5e7e4e4d49 ukify: fix parsing of SignTool configuration option
This partially reverts 02eabaffe9.
As noted in https://github.com/systemd/systemd/pull/35211:
> The configuration parsing simply stores the string as-is, rather than
> creating the appropriate object

One way to fix the issue would be to store the "appropriate object", i.e.
actually the class. But that makes the code very verbose, with the conversion
being done in two places. And that still doesn't fix the issue, because we need
to map the class objects back to the original name in error messages.

So instead, store the setting as a string and only map it to the class much
later. This makes the code simpler and fixes the error messages too.

Resolves https://github.com/systemd/systemd/pull/35193
2024-11-18 14:58:41 +00:00
Yu Watanabe 4d9cac56db man: fix copy-and-paste error
Follow-up for 85a1360ecf.
2024-11-18 15:18:26 +09:00
Yu Watanabe 85a1360ecf man: add several future version info tags 2024-11-18 15:04:17 +09:00
Yu Watanabe ec0847f8fb po: update Japanese translations 2024-11-18 13:01:34 +09:00
Yu Watanabe efb158a11b network/netdev: fix typo
Follow-up for 09db410606.
2024-11-18 12:53:21 +09:00
Michał Górny 7fd70a5326 nspawn: Include arm_fadvise64_64 in syscall allow_list
Add the `arm_fadvise64_64` syscall to the allow_list, in addition
to the existing `fadvise64` and `fadvise64_64` syscalls, as this is
the syscall actually defined for `arm` architecture.  Adding it fixes
the syscall being rejected in arm32 containers.

Fixes #35194
2024-11-18 11:43:35 +09:00
Yaron Shahrabani 2b60615a41 po: Translated using Weblate (Hebrew)
Currently translated at 89.1% (229 of 257 strings)

Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/he/
Translation: systemd/main
2024-11-18 01:17:40 +09:00
Weblate Translation Memory d0ac6be44b po: Translated using Weblate (German)
Currently translated at 95.7% (246 of 257 strings)

Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
Translation: systemd/main
2024-11-18 01:17:40 +09:00
Ettore Atalan 6b5ce5d6cc po: Translated using Weblate (German)
Currently translated at 95.7% (246 of 257 strings)

Co-authored-by: Ettore Atalan <atalanttore@googlemail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
Translation: systemd/main
2024-11-18 01:17:40 +09:00
Sergey A 033ee241b7 po: Translated using Weblate (Russian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Sergey A <Ser82-png@yandex.ru>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ru/
Translation: systemd/main
2024-11-17 15:50:36 +00:00
Luca Boccassi 72cfd2def6
mkosi: Update packaging specs (#35196) 2024-11-17 15:49:24 +00:00
Daan De Meyer ac2cdd8d09 mkosi: update debian commit reference
* 51cd22f368 Update changelog for 257~rc2-3 release
* 5308c3b905 Backport patch to remove faulty unit test assertion
* b7d805151b Update changelog for 257~rc2-2 release
* 5afc23b288 Backport patch to fix FTBFS due to failing unit test
* 0ca89ce40c Update changelog for 257~rc2-1 release
* f27216d493 Update lintian override to ignore false positive typos
* 2caa74f473 d/rules: adjust blhc override to account for source files being moved
* 6b48328ead systemd-ukify: recommend systemd-repart
* 5e01b67f43 systemd-ukify: downgrade dependency on systemd, not mandatory
* 3a4dd59e41 Install new systemd-keyutil binary in the systemd-repart package
* e64cffab71 Drop all patches, merged upstream
* 0fcef228c7 Update upstream source from tag 'upstream/257_rc2'
* a01322bb29 d/t/control: add more packages to dummy hint-testsuite-triggers
2024-11-17 13:00:59 +01:00
Daan De Meyer 59cd621733 mkosi: update fedora commit reference
* 7bd1d09f7f Change sysusers u! lines to u because we don't have support in rpm
* 943bd94cf6 Version 257~rc2
* 6162965002 Disable freezing of user sessions
* 0c236cedb9 Upload sources
* ea947ce068 Version 257~rc1
* 834ba50e79 Use %posttrans instead of %postun to restart services
* 8dafa3810b Disable OpenSSL v3 ENGINE on RHEL
* 8f44e8097d Add forgotten patch
* 86ca699d18 Backport user manager reexec changes
* 009c64d6a2 Use %systemd_preun in systemd-resolved
2024-11-17 13:00:57 +01:00
Daan De Meyer c36a963956 mkosi: update arch commit reference
* 29a73017cd upgpkg: 256.8-1: new upstream release
* cda4f7b35e add a hint on my personal testing repository
2024-11-17 13:00:55 +01:00
Luca Boccassi 248eeec612 meson: update version 2024-11-15 19:16:58 +00:00
Luca Boccassi a66fd4ac9f NEWS: update date 2024-11-15 19:16:47 +00:00
anonymix007 61d6075775 ukify: Use new .hwids PE section format 2024-11-15 19:15:30 +00:00
Daan De Meyer f2ac4458f0 bootctl: Only create loader/keys/auto if required
systemd-boot uses the existence of loader/keys/auto to determine
whether to auto-enroll secure boot or not so only create the directory
if we're actually going to put auto-enroll signature lists in it.
2024-11-15 18:36:53 +00:00
Zbigniew Jędrzejewski-Szmek 10ed6d91cb
Chores for rc2 (#35186) 2024-11-15 18:56:54 +01:00
Luca Boccassi 69cd0f4781 NEWS: update contributors list 2024-11-15 17:26:07 +00:00
Luca Boccassi 7751bfb179 NEWS: systemd-keyutil, --certificate-source, --certificate-provider 2024-11-15 17:25:29 +00:00
Luca Boccassi d182ada2c2 Update hwdb
ninja -C build update-hwdb
2024-11-15 17:17:47 +00:00
Federico Giovanardi 55980446c3 test: fix generate-sym-test using the wrong array
The second check was searching the symbols into the same array, but
using the size of the other. This generated a SIGSEGV when they
occasionally mismatched.
2024-11-15 17:12:42 +01:00
Frantisek Sumsal 238ddac165 test: ignore inconsistent coverage errors
lcov 2.1 introduced additional consistency checks [0] which make it trip
over our coverage results quite often:

Summary coverage rate:
  source files: 915
  lines.......: 36.9% (78950 of 214010 lines)
  functions...: 53.3% (6906 of 12949 functions)
Message summary:
  73 warning messages:
    inconsistent: 73
lcov: ERROR: (corrupt) unable to read trace file '/var/tmp/systemd-test-TEST-04-JOURNAL/coverage-info.new': lcov: ERROR: (inconsistent) "/build/src/shutdown/umount.c":298: function 'umount_with_timeout' is not hit but line 317 is.
        To skip consistency checks, see the 'check_data_consistency' section in man lcovrc(5).
        (use "lcov --ignore-errors inconsistent ..." to bypass this error)
        (use "lcov --ignore-errors corrupt ..." to bypass this error)

This is caused by coverage collected during shutdown which is a bit
unreliable, especially towards the final shutdown stage(s). Let's just
ignore the consistency errors for now.

[0] https://github.com/linux-test-project/lcov/releases/tag/v2.2
2024-11-15 15:54:28 +00:00
Lennart Poettering be6e599935 boot: make .hwids PE section more flexible to cover more than DT one day
The proposal in https://github.com/systemd/systemd/pull/35091 suggests
that there are going to be more resources sooner or later that shall be
embeddable in a UKI, but are specific to some machine. The .hwids logic
as it is implemented right now is conceptually flexible enough to cover
that too (as long as the system has SMBIOS and thus CHIDs). Hence, let's
prepare the ground for a future (that might possibly never come, but
let's keep the door open) where the section can be reused for this
purpose.

The patch is really dumb ultimately. It just changes the initial field
in the "Device" struct to carry not just the size of it (as before) but
also a type indicator, that is for now fixed to 1, indicating DT blobs.

This breaks compatibility, hence this should get merged before we do the
v257 release, so that this is done properly before the first release
with .hwids.
2024-11-15 15:40:43 +00:00
Lennart Poettering bae936b418 nspawn: --private-users-ownership= value is called 'chown', not 'own' 2024-11-15 13:34:59 +00:00
Lennart Poettering 4b20ae9a0e pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary, no one else
We use the $WATCHDOG_USEC variable for two very closely related uses: as part of
the sd_watchdog_enabled() protocol for implementing service watchdogs.
And as part of the protocol between the service manager and
systemd-shutdown across the PID 1 execve() transition during shutdown.

Apparently some exitrds tools got confused by the latter use. Let's
address that by setting $WATCHDOG_PID to 1, in accordance to the
sd_watchdog_enabled() protocol to make clear this is only intended for
PID 1 and nothing else.

Replaces: #35135
2024-11-15 13:34:06 +00:00
Daan De Meyer 1a077e05fb Add proper dependencies to ukify target
Also remove the systemd-measure dependency from the mkosi target as
mkosi doesn't invoke systemd-measure itself.
2024-11-15 10:32:24 +00:00
Lennart Poettering 9386bcc2da boot: explain the 4G quirks we apply to initrd memory allocations
Given how long it took to come to a conclusion of the discussions around
https://github.com/systemd/systemd/issues/35026, let's add a comment
that makes this easier to grok for the next time this comes up.

Follow-up for: 6e207b370e
2024-11-15 10:14:17 +00:00
Yu Watanabe dd54e63429 network/nexthop: fix copy-and-paste error
Follow-up for 688f166972.
2024-11-15 10:44:07 +01:00
Luca Boccassi 893aa45886 test: skip TEST-84-STORAGETM if running with bugged libnvme
libnvme 1.11 appears to require a kernel built with NVME TLS
kconfigs, and fails hard if it is not, as the expected
privileged keyring '.nvme' is not present. We cannot just
create it from userspace, as privileged keyrings can only
be created by the kernel itself (those starting with '.').

Skip the test if the library exactly matches this version.

https://github.com/linux-nvme/nvme-cli/issues/2573

Fixes https://github.com/systemd/systemd/issues/35130
2024-11-14 18:00:35 +00:00
Luca Boccassi 32a14422ec
ukify: Support building UKIs with .dtbauto and .hwids sections (#34158)
Stub behavior will be as follows:
1. If there are no `.dtbauto` sections then `.dtb` is used if present
2. If there are `.dtbauto` sections and there is at least one matching
(either with the firmware-provided DT or via `.hwids`) then it'll be
used instead of the `.dtb`.

Based on #28959 and [dtbloader](https://github.com/TravMurav/dtbloader)

Closes #28959
Fixes #31946
2024-11-14 16:26:01 +00:00
Yu Watanabe 3ea89c64c8
nspawn: several follow-ups for recent changes (#35146)
Closes #35116.
2024-11-15 00:12:40 +09:00
Yu Watanabe 360e59ed1c
network/ndisc: fix coalescing of ndisc routes when multiple routers exist (#35119)
Fixes #33470.
2024-11-15 00:10:22 +09:00
anonymix007 0333b9d589 ukify: Support building UKIs with a .hwids section
This section contains a predefined set of HWIDs and the corresponding compatibles to be used in dtb matching
2024-11-14 16:42:42 +03:00
anonymix007 fa258f7729 ukify: Support building UKIs with .dtbauto sections 2024-11-14 16:42:35 +03:00
Mike Yuan c8590ad60d process-util: refuse FORK_DETACH + FORK_DEATHSIG_*
There's no synchronization between the intermediate process
and the double-forked child, and the semantics are not useful.
Refuse such combination.
2024-11-14 12:22:15 +00:00
Mike Yuan 7eaf5ded61 async: block SIGTERM in asynchronous_rm_rf()
See justifications at https://github.com/systemd/systemd/pull/32235#issuecomment-2062327783
2024-11-14 12:21:25 +00:00
Luca Boccassi 6a479f0d63
network/netdev: follow-ups for reloading .netdev files (#34979)
Follow-ups for #34909.
2024-11-14 11:36:26 +00:00
Yu Watanabe a65f008784 TEST-13-NSPAWN: add test case for /dev/net/tun
For issue #35116.
2024-11-14 18:08:50 +09:00
Yu Watanabe 985ea98e7f nspawn: ignore failure in creating /dev/net/tun when --private-network is unspecified
Follow-up for efedb6b0f3.
Closes #35116.
2024-11-14 16:54:06 +09:00
Yu Watanabe a1fcaa1549 nspawn: split out copy_devnode_one() and bind_mount_devnode() from copy_devnodes()
While doing that, even if mknod() failed, we anyway try to fall back to
use bind mount if arg_uid_shift == 0.

Mostly no functional change, just refactoring and preparation for later commit.
2024-11-14 16:54:06 +09:00
Yu Watanabe 330e44e293 nspawn: silence warning about failure in getting fuse version
Follow-up for dc3223919f.

If nspawn is invoked with DevicePolicy= but DeviceAllow= does not
contain /dev/fuse, nspawn will fail to get fuse version with -EPERM.
Let's silence the warning in that case.
2024-11-14 16:54:06 +09:00
andre4ik3 6e207b370e
boot/stub: allocate pages for combined initrds below 4GiB only on x86 (#35149)
Outside of x86, some machines (e.g. Apple silicon, AMD Opteron A1100)
have physical memory mapped above 4GiB, meaning this allocation will
fail, causing the entire boot process to fail on these machines.

This commit makes it so that the below-4GB address space allocation
requirement is only set on x86 platforms, and not on other platforms
(that don't have the specific Linux x86 boot protocol), thereby fixing
boot on those that have no memory mapped below 4GiB in their address
space.

Tested on an Apple silicon M1 laptop and an AMD x86_64 desktop tower.

Fixes: #35026
2024-11-14 13:20:09 +09:00
Yu Watanabe 1507899383
fetch-distro: use git log --first-parent and update debian commit (#35151) 2024-11-14 12:15:38 +09:00
Yu Watanabe 300edfd982
logind-session: be more specific about session_kill() errors, plus minor fixes for sd_bus_error handling (#35150) 2024-11-14 12:04:30 +09:00
Yu Watanabe e06151b494
tmpfiles.d/meson.build: two minor tweaks (#35153) 2024-11-14 12:02:34 +09:00
Yu Watanabe 0f8afaf94d network/ndisc: dynamically configure nexthops when routes with gateway are requested
Previously, when multiple routers send RAs with the same preference,
then the kernel merges routes with the same gateway address:
===
default proto ra metric 1024 expires 595sec pref medium
        nexthop via fe80::200:10ff:fe10:1060 dev enp0s9 weight 1
        nexthop via fe80::200:10ff:fe10:1061 dev enp0s9 weight 1
===
This causes IPv6 Conformance Test v6LC.2.2.11 failure, as reported in #33470.

To avoid the coalescing issue, we can use nexthop, as suggested by Ido Schimmel:
https://lore.kernel.org/netdev/ZytjEINNRmtpadr_@shredder/
> BTW, you can avoid the coalescing problem by using the nexthop API.
> # ip nexthop add id 1 via fe80::200:10ff:fe10:1060 dev enp0s9
> # ip -6 route add default nhid 1 expires 600 proto ra
> # ip nexthop add id 2 via fe80::200:10ff:fe10:1061 dev enp0s9
> # ip -6 route append default nhid 2 expires 600 proto ra
> # ip -6 route
> fe80::/64 dev enp0s9 proto kernel metric 256 pref medium
> default nhid 1 via fe80::200:10ff:fe10:1060 dev enp0s9 proto ra metric 1024 expires 563sec pref medium
> default nhid 2 via fe80::200:10ff:fe10:1061 dev enp0s9 proto ra metric 1024 expires 594sec pref medium

Fixes #33470.

Suggested-by: Ido Schimmel <idosch@idosch.org>
2024-11-14 11:59:59 +09:00
Yu Watanabe ae2ffddcfc network/nexthop: serialize/deserialize nexthops 2024-11-14 11:59:59 +09:00
Yu Watanabe b5b42b516e network/nexthop: preparation for dynamically configuring nexthops
Preparation for later commits.
2024-11-14 11:59:59 +09:00
Yu Watanabe bdc6edbdab
network: serialize and deserialize current configuration (#34989)
Replaces #34963.

Fixes #26602.
Fixes #32569.
2024-11-14 11:59:44 +09:00
Yu Watanabe bbef21e4e5 test-network: update KeepConfiguration=dhcp -> dynamic 2024-11-14 10:24:27 +09:00
Yu Watanabe c8a7c81427 man/network: update documentation for KeepConfiguration= 2024-11-14 10:24:24 +09:00
Yu Watanabe 80a89d1ad5 network: rename KeepConfiguration=dhcp -> dynamic
KeepConfiguration=dhcp keeps not only DHCP configurations but
also SLAAC or IPV4LL. Let's rename the value to 'dynamic'.
2024-11-14 10:23:09 +09:00
Yu Watanabe d13ce4ea0d network/ipv4ll: use a foreign IPv4LL address when KeepConfiguration=dhcp
This is similar to what we do for DHCPv4 address, but for IPv4LL
address.
2024-11-14 10:23:01 +09:00
Yu Watanabe 4eca221ab8 network: keep all dynamically acquired configurations when KeepConfiguration=dhcp-on-stop
By the previous commit, configuration source of addresses and routes are
saved on stop and restored on start. Hence, we can keep dynamic
configurations on stop.

Co-authored-by: Jian Zhang <zhangjian.3032@bytedance.com>
2024-11-14 10:21:58 +09:00
Yu Watanabe c321d332e3 network: introduce manager_serialize()/deserialize()
Currently, only configuration sources and providers of addresses and
routes are serialized/deserialized.
This should mostly not change behavior, as dynamic (except for DHCPv4)
configurations will be dropped before stopping networkd, and for DHCPv4
protocol, we have already had another logic to handle DHCPv4
configurations.
Preparation for later commits.
2024-11-14 10:21:55 +09:00
Yu Watanabe f1ca3479ec networkd-test.py: show current status when wait-online failed
For easier debugging on failure.
2024-11-14 10:17:19 +09:00
Yu Watanabe 5b73edfa7f test-network: add tests for reloading .netdev files for independent netdevs 2024-11-14 10:17:19 +09:00
Yu Watanabe 34e5440fb2 network/tuntap: manage tun/tap fds by manager
Otherwise, when a .netdev file for tun or tap netdev is updated,
reloading the file leaks the previous file descriptor.
2024-11-14 10:17:19 +09:00
Yu Watanabe 69bd661a2d network/bond: do not update several parameters if already up or has slaves
Some bonding parameters cannot be updated when the netdev is already up
or already has at least one slave interface.
2024-11-14 10:17:19 +09:00
Yu Watanabe 422b7c857c network/netdev: do not try to update if not supported
Some netdevs cannot update their properties after being created.
Let's skip requests in that case.
2024-11-14 10:17:19 +09:00
Yu Watanabe f264cd2037 network/netdev: fix counter handling if request is cancelled
Follow-up for 1003093604.

If a netdev is detached for some reason, then previously the request
was simply cancelled, and the underlying interface never entered the
configured state, as the 'stacked_netdevs_created' flag was never set.

This makes the function decrement the counter manually, and set the
flag. So, the underlying interface can enter the configured state.
2024-11-14 10:17:19 +09:00
Yu Watanabe 259125d53d network/netdev: always queue request of creating netdev then process it later
After PR #34909, networkd tries to update an existing netdev interface if
possible. But, when .netdev files are loaded on start, we have not
enumerated interfaces, so we do not know if the corresponding interface
exists or not. Let's delay processing the request a bit.
2024-11-14 10:17:19 +09:00
Yu Watanabe b0d2ce8342 network/netdev: enter ready state only when it is created by us
Follow-up for PR #34909.

This fixes an issue that network interfaces cannot join a master netdev,
like bond or bridge, when the corresponding .netdev is reloaded.

With PR #34909, networkd supports reloading .netdev files. However,
when a .netdev file is modified and reloaded, ifindex is copied from
the old NetDev object to the new one. Thus, even if the interface is
successfully updated, netdev_set_ifindex_impl() will return 0 and
netdev_enter_ready() will never be called. If the netdev is a kind of
master netdev, then port interfaces cannot join the master netdev,
as REQUEST_TYPE_SET_LINK_MASTER requires that the master netdev is
in the ready state.
2024-11-14 10:17:19 +09:00
Yu Watanabe 09db410606 network/netdev: do not update MAC address if netdev is already running
Follow-up for 17c5337f7b.

Older kernels (older than v6.5) refuse RTM_NEWLINK messages with IFLA_ADDRESS
attribute when the netdev already exists and is running, even if the MAC
address is unchanged.

So, let's not set IFLA_ADDRESS or IFLA_MTU if they are unchanged, and
set the attributes only when we can update them.
2024-11-14 10:15:44 +09:00
Yu Watanabe ab6d427547 network/netdev: set interface name only when creating a new netdev
Otherwise, the kernel older than v6.2 will refuse the netlink message.
2024-11-14 10:01:42 +09:00
Mike Yuan 5b8b32cb09
tmpfiles.d/meson: remove the need of specifying empty condition 2024-11-13 22:51:28 +01:00
Mike Yuan 1c03fda52e
tmpfiles.d/meson: call subdir_done() early if tmpfiles is disabled 2024-11-13 22:51:27 +01:00
Luca Boccassi 1bc3095de8 mkosi: update debian commit reference
* 48fabbd5d2 Install new sd-keyutil binary in sd-repart package
* 6dd9ab10fe Update changelog for 257~rc1-4 release
* 6dd325f04b Backport patch to fix TEST-07-PID1 integration test
* 5988cc60ee Update changelog for 257~rc1-3 release
* cf3a2f7ccc Backport another patch to fix test failure on buildd
* 5d6a226dbb Update changelog for 257~rc1-2 release
* ebe97c52c8 Backport patch to fix unit test failure on buildd
* 21f63b20bb Update changelog for 257~rc1-1 release
* 0dfec51bbb d/copyright: remove pattern for directory that is no longer present
* 337b3bb2dd Ignore Lintian warning dh-exec-script-without-dh-exec-features
* b680e6b448 List new libsystemd0 symbols
* 3c00aa000c gbp.conf: use --first-parent for dch to avoid upstream commits
* d53ecc7769 Install new files
* 546e8c9137 Drop all patches, merged upstream
* 6757597480 Update upstream source from tag 'upstream/257_rc1'
* 4b82805020 gbp.conf: switch upstream branch to full upstream history
* e60c637a95 gbp.conf: enable signing tags by default
* 2ad27b63c4 Update changelog for 256.7-3 release
* a212c36c54 systemd-boot: provide integration with shim
2024-11-13 17:03:45 +00:00
Luca Boccassi d9822cd859 fetch-distro: use git log --first-parent
We now import the upstream tag in the debian repository, so
this explodes as it tries to walk all upstream commits. Use
--first-parent so that merges only get added via the merge
commit.
2024-11-13 17:03:35 +00:00
Mike Yuan 9c6dc69f3e
logind-session: be more specific about session_kill() errors
When kill_whom == _ALL, there can be two cases that lead to
ESRCH: the session expects no scope at all or the scope is
not active. Let's distinguish the two cases.
2024-11-13 17:49:07 +01:00
Mike Yuan 2f2058da0b
portable: do not use SYNTHETIC_ERRNO for sd_bus_error_set_errno()
The concept of synthetic errnos is about logging, which
is irrelevant irt bus error and we don't do any special
treatment in sd-bus for them, meaning the value propagated
would be spurious.
2024-11-13 17:47:11 +01:00
Mike Yuan 46f2dd800f
sd-bus/bus-common-errors: reorder one pid1 error to group with others 2024-11-13 17:27:10 +01:00
Lennart Poettering 9466fe014f namespace-util: pin pid via pidfd during namespace_open() 2024-11-13 14:18:05 +00:00
Luca Boccassi 4efc556211
network/ndisc: fix removal of unnecessary routes (#35128)
Follow-up for 972f1d17ab.

This fixes the logic of removing unnecessary routes configured by the
previously received RAs. Previously, we wrongly handled existing routes
could be updated, and unexpected routes would be kept.
2024-11-13 14:06:21 +00:00
Yu Watanabe b4dc8b6415
sd-boot/sd-stub: two log message fixes (#35143)
Fixes: #35033
Fixes: #35100
2024-11-13 10:09:05 +09:00
Yu Watanabe d762b14e38
audit-util: return -ENODATA from audit_{session|loginuid}_from_pid() if invoked in a container (#35072)
The auditing subsystem is still not virtualized for containers, hence
the two values don't really make sense inside them, they will just leak
information from outside into the container. Hence don't make use of the
data if we detect we are run inside of a container.

This has visible effects: logind will no longer try to reuse the
auditing session ids as its own session ids when run inside a container.

While we are at it, modernize the calls in more ways:

1. switch to pidref behaviour, all but one of our uses are using pidref
anyway already.
2. use read_virtual_file() + proc_mounted()
3. reasonably distinguish ENOENT errors when reading the process proc
files: distinguish the case where /proc is not mounted, from the case
where the process is already gone, from where auditing is not enabled in
the kernel build.
2024-11-13 10:08:29 +09:00
Lennart Poettering ead9ef5027 ptyfwd: ellipsize overly long window titles
Apparently some terminal emulators have problems with overly long
titles, hence truncate them at some safe length (128).

Also, when parsing ANSI sequences ourselves accept longer sequences
(192), after all we should be fine when parsing our own title sequences.

Fixes: #35104
2024-11-13 10:07:25 +09:00
Mike Yuan e2f82f6151 various: check meson feature flag early
Prompted by https://github.com/systemd/systemd/pull/35110#discussion_r1835885340
2024-11-13 08:21:33 +09:00
Lennart Poettering f2b4f19881 pe: use PE_SECTION_VECTOR_IS_SET() macro where appropriate 2024-11-12 23:45:15 +01:00
Lennart Poettering 557d9fd5d1 pe: remove unnecessary log message about DT/HWID
Fixes: #35100
2024-11-12 23:45:14 +01:00
Lennart Poettering 1991ffa912 efi: don't log if EFI RNG isn't ready
Apparently this happens IRL on some systems, let's handle this
gracefully and don't log.

Fixes: #35033
2024-11-12 23:44:59 +01:00
Lennart Poettering c892816ceb run0: when changing privileges to non-root, do not show superhero emoji
Let's show an idcard logo instead, to indicate that we changed ids.
2024-11-12 23:09:21 +01:00
Lennart Poettering 4e0bdf950e dbus-manager: add missing word 'unit' to PK message 2024-11-12 23:09:01 +01:00
Lennart Poettering dcf5e9a6bf
tree-wide: remove some dead code (#35137) 2024-11-12 23:08:45 +01:00
Lennart Poettering 7bf0149e9b process-util: more gracefully handle oom adjust parsing/setting
Who knows what kind of mount shenanigans people employ, let's gracefully
handle parse failures of proc files, like we always do otherwise.
2024-11-12 23:03:40 +01:00
Lennart Poettering 68c554f23a audit-util: modernize use_audit() a bit
Use ERRNO_IS_xyz() macros where appropriate.

Also, reduce indentation a bit by inverted early check.

And log in more error codepaths.
2024-11-12 23:03:40 +01:00
Lennart Poettering 7e02ee98d8 audit-util: return -ENODATA from audit_{session|loginuid}_from_pid() if invoked in a container
The auditing subsystem is still not virtualized for containers, hence the two
values don't really make sense inside them, they will just leak
information from outside into the container. Hence don't make use of the
data if we detect we are run inside of a container.

This has visible effects: logind will no longer try to reuse the
auditing session ids as its own session ids when run inside a container.

While we are at it, modernize the calls in more ways:

1. switch to pidref behaviour, all but one of our uses are using pidref
   anyway already.
2. use read_virtual_file() + proc_mounted()
3. reasonably distinguish ENOENT errors when reading the process proc
   files: distinguish the case where /proc is not mounted, from the case
   where the process is already gone, from where auditing is not enabled
   in the kernel build.
2024-11-12 23:03:03 +01:00
Davide Cavalca fa8a55a914 mkosi: ruff is not available on all distros
Refactor to only install ruff where it is available
2024-11-12 18:05:17 +00:00
Maanya Goenka 68a2a43c9b
TODO: Fix typo (#35138)
Replace confex with confext
2024-11-12 19:00:23 +01:00
Lennart Poettering 4aaabb55c7 nspawn: fix indentation of run_container() parameter list 2024-11-12 18:31:56 +01:00
Lennart Poettering 9c56a3629f mntwork: shorten code 2024-11-12 18:31:56 +01:00
Lennart Poettering 0557f82650 dissect-image: remove dead code 2024-11-12 18:31:56 +01:00
Lennart Poettering e688097ce3 mountfsd: drop unused variable 2024-11-12 18:31:56 +01:00
Antonio Alvarez Feijoo 2a310c0ad6 sbsign: remove unused --no-pager option 2024-11-12 17:52:48 +01:00
Davide Cavalca f2672f2c5d mkosi: Install tpm2-tss-devel to tools for CentOS and Fedora instead of tss2-devel
tss2-devel is the IBM TPM stack, we want the Intel TPM stack, so let's
use the correct package.
2024-11-12 22:45:25 +09:00
Yu Watanabe 5da7e9b208
Fix man page links broken due to incorrect volume numbers (#35122) 2024-11-12 18:23:47 +09:00
Yu Watanabe d7b323c2dd test-network: several cleanups
- fix verifiers in test_router_preference() to make them actually check
  if unnecessary routes are removed,
- stop radv in test_ndisc_vs_static_route() before checking if the static
  route is preserved even when the router sends a RA with zero lifetime,
- make verifiers in NetworkdIPv6PrefixTests stricter.
2024-11-12 18:08:25 +09:00
Yu Watanabe e2060bc124 network/ndisc: restore the original preference and priority before checking if existing route can be updated
Follow-up for 972f1d17ab.

This fixes the logic of removing unnecessary routes configured by the
previously received RAs. Previously, we wrongly handled existing routes
could be updated, and unexpected routes would be kept.
2024-11-12 18:08:25 +09:00
Yu Watanabe 74e0b590dd network/ndisc: introduce ndisc_route_prepare() and ndisc_router_route_prepare()
These apply common parameters to the route to be requested or removed.
No functional change, just refactoring and preparation for later
commits.
2024-11-12 18:08:25 +09:00
Yu Watanabe 42d9660f10 network/ndisc: several cleanups for ndisc_remove_route()
- drop unnecessary call of ndisc_set_route_priority() at the beginning,
  as it is called later in the loop below,
- use RET_GATHER() and remove all possible routes even if failed.
2024-11-12 18:08:25 +09:00
Yu Watanabe 2437ebee20 network/ndisc: introduce route_is_bound_to_link() helper function and use it where applicable
No functional change, and preparation for later commits.
2024-11-12 18:08:25 +09:00
Antonio Alvarez Feijoo 05a0366381 man/systemd-keyutil: fix rendering typo 2024-11-12 17:54:07 +09:00
Štěpán Němec 62ec4798f2 man/systemd.special: fix a typo 2024-11-11 20:31:43 +01:00
Štěpán Němec 597c6cc119 man: fix incorrect volume numbers in internal man page references
Some ambiguity (e.g., same-named man pages in multiple volumes)
makes it impossible to fully automate this, but the following
Python snippet (run inside the man/ directory of the systemd repo)
helped to generate the sed command lines (which were subsequently
manually reviewed, run and the false positives reverted):

from pathlib import Path

import lxml
from lxml import etree as ET

man2vol: dict[str, str] = {}
man2citerefs: dict[str, list] = {}

for file in Path(".").glob("*.xml"):
    tree = ET.parse(file, lxml.etree.XMLParser(recover=True))
    meta = tree.find("refmeta")
    if meta is not None:
        title = meta.findtext("refentrytitle")
        if title is not None:
            vol = meta.findtext("manvolnum")
            if vol is not None:
                man2vol[title] = vol
            citerefs = list(tree.iter("citerefentry"))
            if citerefs:
                man2citerefs[title] = citerefs

for man, refs in man2citerefs.items():
    for ref in refs:
        title = ref.findtext("refentrytitle")
        if title is not None:
            has = ref.findtext("manvolnum")
            try:
                should_have = man2vol[title]
            except KeyError:  # Non-systemd man page reference?  Ignore.
                continue
            if has != should_have:
                print(
                    f"sed -i '\\|<citerefentry><refentrytitle>{title}"
                    f"</refentrytitle><manvolnum>{has}</manvolnum>"
                    f"</citerefentry>|s|<manvolnum>{has}</manvolnum>|"
                    f"<manvolnum>{should_have}</manvolnum>|' {man}.xml"
                )
2024-11-11 20:31:08 +01:00
Yu Watanabe 3304a029b8
network: forget IPv4 non-local routes when an interface went down (#35099)
Fixes #35047.
2024-11-12 01:07:43 +09:00
Lennart Poettering 67e003d7dd
Introduce systemd-keyutil to do various key/certificate operations (#35095)
Let's gather generic key/certificate operations in a new tool
systemd-keyutil instead of spreading them across various special purpose
tools.

Fixes #35087
2024-11-11 16:09:07 +01:00
Yu Watanabe 7f1b36a82a test-network: add test case for issue #35047 2024-11-11 13:59:41 +00:00
Yu Watanabe 688f166972 network/nexthop: also forget IPv4 nexthops when an interface went down
Similar to the previous commit, but for nexthop.
2024-11-11 13:59:41 +00:00
Yu Watanabe 6954c38cf8 network/route: forget IPv4 non-local routes when an interface went down
When an interface went down, IPv4 non-local routes are removed by the
kernel without any notifications. Let's forget the routes in that case.

Fixes #35047.
2024-11-11 13:59:41 +00:00
Yu Watanabe fd2ea787bd network/nexthop: forget dependent routes without trying to remove
When a nexthop is removed, routes that depend on the removed nexthop are
already removed. It is not necessary to remove them, as already
commented. Let's forget them without trying to remove.
2024-11-11 13:59:41 +00:00
Yu Watanabe 1ca180b994 network/nexthop: do not remove depending nexthops when a nexthop is removed
Previously, when a nexthop is removed, depending nexthops were removed, but
that's not necessary, as the kernel keeps them, at least with v6.11.
2024-11-11 13:59:41 +00:00
Yu Watanabe 422e418ab9 network/route: update reference of the route from nexthop
Follow-up for 6f09031e4d.

The function has been introduced by the commit, but it has never been used...
2024-11-11 13:59:41 +00:00
Luca Boccassi 2e33cd7110
network: further rework for reconfiguring interfaces (#35059)
Follow-ups for #35035.
Split-out of #34989.
Fixes #35092.
2024-11-11 12:59:31 +00:00
Yu Watanabe d48bdad0b8
Split src/partition (#35110) 2024-11-11 18:36:26 +09:00
Gabriel Elyas 698afbf4fe po: Translated using Weblate (Portuguese (Brazil))
Currently translated at 96.1% (247 of 257 strings)

Co-authored-by: Gabriel Elyas <gabrielelyas@protonmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/pt_BR/
Translation: systemd/main
2024-11-11 17:57:18 +09:00
Zbigniew Jędrzejewski-Szmek 211d2f972d Rename src/partition to src/repart 2024-11-11 09:17:10 +01:00
Yu Watanabe 82df2e0f04 network: make 'networkctl reconfigure' work safely even when KeepConfiguration=dhcp or yes
Previously, even if KeepConfiguration=dhcp or yes is specified in the
new .network file, dynamic configurations like DHCP address and routes
were dropped when 'networkctl reconfigure INTERFACE' is invoked.

If the setting is specified, let's gracefully handle the dynamic
configurations. Then, 'networkctl reconfigure' can be also used for
an interface that has critical connections.
2024-11-11 11:53:24 +09:00
Yu Watanabe e8da735ceb network: drop static configs later
Follow-up for dd6d53a8dc.

Unnecessary static configs will be anyway dropped later in
link_configure() -> link_drop_unmanaged_config(). Hence, even if we are
reconfiguring an interface cleanly, it is not necessary to drop static
configs here.
2024-11-11 11:53:24 +09:00
Yu Watanabe 4e76c57c7f network/dhcp-pd: do not remove unreachable route when reconfiguring non-upstream interface
Unreachable routes are not owned by any interfaces, and its ifindex is
zero. Previously, if a non-upstream interface is reconfigured, all routes
including unreachable routes configured by the upstream interface are
removed.

This makes unreachable routes always handled by the upstream interface,
and only removed when the delegated prefixes are changed or lost.
2024-11-11 11:53:24 +09:00
Yu Watanabe 42152390da network: reorder dropping dynamic configuration
Follow-up for 451c2baf30.
2024-11-11 11:53:24 +09:00
Yu Watanabe 130d66956f test-network: reconfigure interface cleanly to drop previous DHCP lease and friends
Follow-up for 451c2baf30.

With the commits, reloading .network files does not release previously
acquired DHCP lease and friends if possible.

On graceful reconfigure triggered by the reload, the interface may
acquire a new DHCPv4 lease earlier than DHCPv6 lease. In that case,
the check will fail as it is done with the new DHCPv4 lease and old
DHCPv6 lease, which does not contain any IPv6 DNS servers or so.
So, when switching from no -> yes, we need to wait for a new lease with DNS
servers or so. To achieve that, we need to cleanly reconfigure the interface.
2024-11-11 11:53:24 +09:00
Yu Watanabe 52f46b77d7 network: reset 'configured' flags even if we keep DHCP lease and friends on reconfigure
Follow-up for 451c2baf30.

With the commits, reloading .network files does not release previously
acquired DHCP lease and friends if possible. If previously a DHCP client
was configured as not requesting DNS servers or so, then the previously
acquired lease might not contain any DNS servers. In that case, if the
new .network file enables UseDNS=, then the interface should enter the
configured state after a new lease is acquired. To achieve that, we need
to reset the flags.

With this change, the workaround applied to the test by the commit
451c2baf30 can be dropped.
2024-11-11 11:53:24 +09:00
Yu Watanabe 525a582ae8 network: drop unnecessary size specifier
It does not save any memory usage but increases code complexity.
2024-11-11 11:53:24 +09:00
Yu Watanabe ed3bab7a0e network: call link_drop_unmanaged_config() earlier in link_configure()
Otherwise, even if a link enters the configuring state at the beginning
of link_configure(), link_check_ready() may be called before
link_drop_unmanaged_config() is called, and the link may enter the
configured state.

Fixes #35092.
2024-11-11 11:53:24 +09:00
Zbigniew Jędrzejewski-Szmek a32e1f8896 Move growfs+makefs to src/growfs/
Those two programs are used together and it makes sense to keep them
together. makefs is smaller, so name the directory after growfs.
2024-11-10 14:09:46 +01:00
Yu Watanabe cf8fd7148c
Various multi-dt fixes and CHID test (#35056)
Part of #34158
2024-11-10 11:19:10 +09:00
12paper 8254755091
login: fix session_kill(..., KILL_LEADER,...) (#35105)
`loginctl kill-session --kill-whom=leader <N>` (or the D-Bus equivalent)
doesn't work because logind ends up calling `KillUnit(..., "main", ...)`
on a scope unit and these don't have a `MainPID` property. Here, I just
make it send a signal to the `Leader` directly.
2024-11-10 11:13:39 +09:00
Valentin David 053452e22b ukify: Fix broken assert when building a signed addon
An assert always expected a kernel when signature key was present in command
line. That prevented building signed addons.

Fixes #35041
2024-11-10 05:44:30 +09:00
Weblate Translation Memory 5cfe76e1d6 po: Translated using Weblate (German)
Currently translated at 93.7% (241 of 257 strings)

Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
Translation: systemd/main
2024-11-10 05:40:14 +09:00
Ettore Atalan bb7e2e4b9d po: Translated using Weblate (German)
Currently translated at 93.7% (241 of 257 strings)

Co-authored-by: Ettore Atalan <atalanttore@googlemail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
Translation: systemd/main
2024-11-10 05:40:14 +09:00
Mike Yuan e997cfaa73 meson.build: add a few features to summary 2024-11-10 05:39:11 +09:00
Luca Boccassi 6d558e53c9
sysupdate: Bug fixes for target enumeration (#35052)
Fixes a couple of bugs with systemd-sysupdated's target enumeration. See
commit messages for details.
2024-11-08 23:21:29 +00:00
Lidong Zhong 2ae79a31b7 udev: skipping empty udev rules file while collecting the stats
To stay aligned with the logic used in udev_rules_parse_file(), we also
should skip the empty udev rules file while collecting the stats during
manager reload. Otherwise all udev rules files will be parsed again whenever
reloading udev manager with an empty udev rules file. It's time consuming
and the following uevents will fail with timeout.
2024-11-08 23:20:09 +00:00
Lennart Poettering 56933f2073 uid-classification: properly classify *all* container UIDs
A bit confusingly CONTAINER_UID_BASE_MAX is just the maximum *base* UID
for a container. Thus, with the usual 64K UID assignments, the last
actual container UID is CONTAINER_UID_BASE_MAX+0xFFFF.

To make this less confusing define CONTAINER_UID_MIN/MAX that add the
missing extra space.

Also adjust two uses where this was mishandled so far, due to this
confusion.

With this change the UID ranges we default to should properly match what
is documented on https://systemd.io/UIDS-GIDS/.
2024-11-08 23:18:39 +00:00
Zbigniew Jędrzejewski-Szmek 347def981b
News and f41 and formatting (#35078) 2024-11-08 17:17:37 +01:00
Daan De Meyer 4b1ad0398e Introduce systemd-keyutil to do various key/certificate operations
Let's gather generic key/certificate operations in a new tool
systemd-keyutil instead of spreading them across various special
purpose tools.

Fixes #35087
2024-11-08 15:00:21 +01:00
Zbigniew Jędrzejewski-Szmek fe45f8dc9b man: drop whitespace from final <programlisting> lines
In the troff output, this doesn't seem to make any difference. But in the
html output, the whitespace is sometimes preserved, creating an additional
gap before the following content. Drop it everywhere to avoid this.
2024-11-08 14:14:36 +01:00
Yu Watanabe 5261c521e3 mount-util: make path_get_mount_info() work with an arbitrary inode
Follow-up for d49d95df0a.
Replaces 9a032ec55a.
Fixes #35075.
2024-11-08 13:25:17 +01:00
Franck Bui 514d9e1665 test: install integration-test-setup.sh in testdata/
integration-test-setup.sh is an auxiliary script that tests rely on at
runtime. As such, install the script in testdata/.

Follow-up for af153e36ae.
2024-11-08 12:37:40 +01:00
Lennart Poettering b480a4c15e update TODO 2024-11-08 10:10:11 +01:00
Lennart Poettering af3baf174a fs-util: add comment about XO_NOCOW 2024-11-08 09:21:25 +01:00
Ryan Wilson d8091e1281 Fix PrivatePIDs=yes integration test for kernels with no /proc/scsi 2024-11-08 13:38:35 +09:00
anonymix007 310997d5b4 fundamental: Fix buffer size in get_chid
NUL byte should not be hashed
2024-11-08 00:53:26 +03:00
anonymix007 9f9c847609 fundamental: Fix iteration count in chid_calculate 2024-11-08 00:53:26 +03:00
anonymix007 5d8d7d8e43 fundamental: move string includes from chid-fundamental.c to header 2024-11-08 00:53:26 +03:00
anonymix007 ab7c319268 test: Add chid-fundamental test 2024-11-08 00:53:22 +03:00
Lennart Poettering 0df42ebcd6 sd-varlink: allow that method handlers call sd_varlink_close()
It's fine if a method handler closes the connection, deal with it
gracefully.
2024-11-07 22:30:42 +01:00
Daan De Meyer 20c03ed72b
tree-wide: Introduce --certificate-source= option (#35057)
This allows loading the X.509 certificate from an OpenSSL provider
instead of a file system path. This allows loading certificates directly
from hardware tokens instead of having to export them to a file on
disk first.
2024-11-07 21:51:00 +01:00
anonymix007 e266359689 fundamental: Add userspace efi_guid_equal 2024-11-07 22:52:29 +03:00
anonymix007 24677c6787 boot: Fix .dtbauto section number for error reporting 2024-11-07 22:52:29 +03:00
anonymix007 145479f4d0 boot: Fix overflow check for FDT_PROP in devicetree_get_compatible 2024-11-07 22:52:29 +03:00
anonymix007 f935dd74c6 boot: Drop const modifier for smbios_fields and fix smbios_info_done 2024-11-07 22:52:29 +03:00
Daan De Meyer 64cc7ba517 ukify: Introduce --certificate-provider= option
This translates to --certificate-source=provider:<provider> for
signing tools invoked by ukify.
2024-11-07 20:33:08 +01:00
Daan De Meyer c4bc0fd6de measure: Add pcrpkey verb
This verb writes a public key to stdout extracted from either a public key
path, from a certificate (path or provider) or from a private key (path,
engine, provider). We'll use this in ukify to get rid of the use of the
python cryptography module to convert a private key or certificate to a
public key.
2024-11-07 20:33:08 +01:00
Daan De Meyer a1d46e3078 tree-wide: Introduce --certificate-source= option
This allows loading the X.509 certificate from an OpenSSL provider
instead of a file system path. This allows loading certificates directly
from hardware tokens instead of having to export them to a file on
disk first.
2024-11-07 20:30:47 +01:00
Daan De Meyer 5619a61829 openssl-util: Set expected object type to private keys
Configures the store to only try to fetch private keys and nothing
else.
2024-11-07 20:24:59 +01:00
Daan De Meyer 4047b99c00 bootctl: Validate private key path 2024-11-07 20:24:59 +01:00
Daan De Meyer 5cca978dae mkosi: Add pytest to tools 2024-11-07 20:24:59 +01:00
Yu Watanabe dd2bf3141b
Split and rename src/boot (#35068) 2024-11-08 04:13:45 +09:00
Vursc eb03dffd97 hwdb: fix broken numpad paren keys on Lenovo Thinkbook 16 G6+ 2024 2024-11-08 04:09:55 +09:00
Zbigniew Jędrzejewski-Szmek 56f9a56a6f man: update Fedora links to F41 2024-11-07 16:55:53 +01:00
Zbigniew Jędrzejewski-Szmek 579e905ffe NEWS: add specific versions in key codes entry
This should be easier for folks to consume.

Refs:
https://lists.x.org/archives/xorg-announce/2024-October/003543.html
https://lists.x.org/archives/xorg-announce/2024-October/003544.html
2024-11-07 16:55:53 +01:00
Anselm Schueler 73f4882ef3 po: Translated using Weblate (German)
Currently translated at 89.8% (231 of 257 strings)

Co-authored-by: Anselm Schueler <mail@anselmschueler.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
Translation: systemd/main
2024-11-07 15:48:31 +01:00
Zbigniew Jędrzejewski-Szmek 9a10d7eae5 github: adjust version number in templates
Most people are probably on stable releases, but we don't want to update the
minor version all the time, so just specify 256.x as a hint to fill in the
full version.
2024-11-07 15:39:30 +01:00
Zbigniew Jędrzejewski-Szmek 97318131fd Rename src/boot/efi to just src/boot
I very much dislike the approach in which we were mixing Linux and UEFI C code
in the same subdirectory. No code was shared between two environments. This
layout was created in e7dd673d1e, with the
justification of "being more consistent with the rest of systemd", but I don't
see how it's supposed to be so.

Originally, when the C code was just a single bootctl.c file, this wasn't so
bad. But over time the userspace code grew quite a bit. With the moves done in
previous commits, the intermediate subdirectory is now empty except for the
efi/ subdir, and this additional subdirectory level doesn't have a good
justification. The component is called "systemd-boot", not "systemd-efi", and
we can remove one level of indentation.
2024-11-07 14:52:06 +01:00
Zbigniew Jędrzejewski-Szmek 5ffff673ac Move systemd-sbsign to its own source subdirectory
It's already two files, and I expect that more will come. It's nicer to give
its own subdirectory to maintain consistent structure.
2024-11-07 14:51:43 +01:00
Zbigniew Jędrzejewski-Szmek 1dabec0056 Move systemd-measure to its own source subdirectory
We have other subdirectories with just a single C file. And I expect
that systemd-measure will only grow over time, adding new functionality.
It's nicer to give its own subdirectory to maintain consistent structure.
2024-11-07 14:50:53 +01:00
Zbigniew Jędrzejewski-Szmek daf72e8df1 Move bless-boot components to their own source subdirectory 2024-11-07 14:50:41 +01:00
Zbigniew Jędrzejewski-Szmek 0b676aab33 Move bootctl to its own source subdirectory
It's been split into a bunch of files and deserves its own subdirectory
similarly to systemctl.
2024-11-07 14:15:00 +01:00
Luca Boccassi bb5936f7f3 man: fix typos flagged by Lintian 2024-11-07 18:51:21 +09:00
Yu Watanabe 869fe6c9e4
Translations update from Fedora Weblate (#35060) 2024-11-07 18:50:23 +09:00
Luca Boccassi 9a032ec55a test: fix assertion on build system
/* test_path_is_network_fs_harder */
src/test/test-mount-util.c:541: Assertion failed: expected "path_is_network_fs_harder("/")" to succeed but got the following error: Invalid argument

https://buildd.debian.org/status/fetch.php?pkg=systemd&arch=all&ver=257%7Erc1-1&stamp=1730945197&raw=0

Follow-up for d49d95df0a
2024-11-07 18:48:44 +09:00
Oğuz Ersen 100ceecc6c po: Translated using Weblate (Turkish)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Oğuz Ersen <oguz@ersen.moe>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/tr/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Luna Jernberg af76e987e8 po: Translated using Weblate (Swedish)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Luna Jernberg <bittin@reimu.nl>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/sv/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Sergey A d73735fbe1 po: Translated using Weblate (Russian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Sergey A <Ser82-png@yandex.ru>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ru/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Piotr Drąg 01aafdf637 po: Translated using Weblate (Polish)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Piotr Drąg <piotrdrag@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/pl/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Andika Triwidada 67c1f6bf04 po: Translated using Weblate (Indonesian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Andika Triwidada <andika@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/id/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Léane GRASSER b0cb4c70a9 po: Translated using Weblate (French)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Léane GRASSER <leane.grasser@proton.me>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fr/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Temuri Doghonadze e75d25ac1e po: Translated using Weblate (Georgian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Temuri Doghonadze <temuri.doghonadze@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ka/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
김인수 d9b96bf093 po: Translated using Weblate (Korean)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: 김인수 <simmon@nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ko/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Antonio Alvarez Feijoo 215292d09e sbsign: remove unimplemented options 2024-11-07 09:47:50 +00:00
Yu Watanabe fed7857672 NEWS: fix typo
Follow-up for a6d7cc74d6.
2024-11-07 10:05:32 +09:00
Lennart Poettering c8d45ebfd6 update TODO 2024-11-06 22:19:01 +01:00
Lennart Poettering acc8bae0b3 NEWS: various cleanups 2024-11-06 22:18:55 +01:00
Lennart Poettering a6d7cc74d6 NEWS: various cleanups 2024-11-06 21:50:56 +01:00
Adrian Vovk 31616d00ef
sysupdated: Permit mount namespaces
dissect-image tries to use mount namespaces to dissect images without
polluting the host mounts. This change allows it to do that.
2024-11-06 15:44:11 -05:00
Adrian Vovk a509603b2e
sysupdated: Make sure targets we skip are skipped
We'd log that we're skipping the target, but it would never actually get
removed from the manager's list. Thus, we'd advertise targets that don't
actually exist to clients.

In the original version of the sysupdated PR, this was handled by
removing the target from the manager's list in target_free, and using a
_cleanup_ attribute to free the target when skipping. However, this
changed at some point during review. So, this commit takes the
alternative approach
2024-11-06 15:44:10 -05:00
Luca Boccassi d80d7a2f2a
docs: fix sbsign manpage syntax and add to list, update release instructions (#35055)
2024-11-06 20:18:43 +00:00
Luca Boccassi 088793239e docs: add reminder to run update-man-rules before tagging a release 2024-11-06 19:21:14 +00:00
Luca Boccassi 94a46c20da docs: remove 'v' prefix from meson.version
It is actually v-less
2024-11-06 19:20:00 +00:00
Luca Boccassi d6f4c96b10 man: run update-man-rules 2024-11-06 19:19:13 +00:00
Luca Boccassi 9e51b12e13 man: fix syntax error in systemd-sbsign.xml
Follow-up for 5f163921e9
2024-11-06 19:18:35 +00:00
Luca Boccassi d145d1d410 meson: update version numbers for 257~rc1 2024-11-06 16:58:14 +00:00
Luca Boccassi f10d1c679e NEWS: finalize 2024-11-06 16:58:14 +00:00
Luca Boccassi e1c8f3a8d9 NEWS: update list of contributors 2024-11-06 16:53:46 +00:00
Luca Boccassi 859634ea63 NEWS: add note about sd-sbsign 2024-11-06 16:49:42 +00:00
Luca Boccassi 4484cad6f3
Update hwdb and translations (#35048) 2024-11-06 16:42:11 +00:00
Daan De Meyer e5011dd239
Introduce systemd-sbsign to do secure boot signing (#35021)
Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely
broken with the latest gnu-efi when built without -fshort-wchar and
upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
API.
- sbsigntools doesn't allow us to cache hardware token pins in the
kernel keyring like we do nowadays when we sign stuff ourselves in
systemd-repart or systemd-measure

There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.
2024-11-06 17:38:10 +01:00
Luca Boccassi 66d044b560 Update NEWS for recent PRs 2024-11-06 15:50:59 +00:00
Michele Dionisio d865abf9eb networkd: add possibility to specify MulticastIGMPVersion 2024-11-06 15:50:27 +00:00
Luca Boccassi f72fe2d73c
Grammar and formatting for DeviceTree docs (#35050) 2024-11-06 15:13:18 +00:00
Luca Boccassi 839c37dc7f Update translations
ninja -C build systemd-pot
ninja -C build systemd-update-po
2024-11-06 14:42:31 +00:00
Luca Boccassi 8e152361e9 Update hwdb
ninja -C build update-hwdb
2024-11-06 14:41:26 +00:00
Daan De Meyer 65fbf3b194 ukify: Add --signing-provider= option 2024-11-06 15:18:46 +01:00
Léane GRASSER b8cb1bc983 po: Translated using Weblate (French)
Currently translated at 100.0% (253 of 253 strings)

Co-authored-by: Léane GRASSER <leane.grasser@proton.me>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fr/
Translation: systemd/main
2024-11-06 15:07:28 +01:00
Zbigniew Jędrzejewski-Szmek 78ed1e973c docs/TPM2_PCR_MEASUREMENTS: drop quotes from around section titles
The section headers used quotes as if the strings were some constants. But
AFAICT, those are just normal plain-text titles. Also lowercase them, because
this is almost like a table and it's easier to read without capitalization.
2024-11-06 15:02:24 +01:00
Zbigniew Jędrzejewski-Szmek 265488414c tree-wide: use Device*T*ree spelling
We used both, in fact "Devicetree" was more common. But we have a general rule
that we capitalize all words in names and also we have a DeviceTree=
configuration setting, which we cannot change. If we use two different
spellings, this will make it harder for people to use the correct one in
config files. So use the "DeviceTree" spelling everywhere.
2024-11-06 15:00:55 +01:00
Luca Boccassi d99fe076b5
introduce report_errno_and_exit() helper (#35028)
This is a follow-up for https://github.com/systemd/systemd/pull/34853. In
particular, this comment
https://github.com/systemd/systemd/pull/34853#discussion_r1825837705.
2024-11-06 13:51:10 +00:00
Yu Watanabe b66948bbf2 core/manager: silence false-positive warning by coverity
Follow-up for 406f177501.

Closes CID#1564897.
2024-11-06 13:47:33 +00:00
Luca Boccassi 4055529003
machine: introduce io.systemd.Machine.Open method (#34867)
This PR introduces io.systemd.Machine.Open method which combines three
DBus alternatives:
- OpenMachinePTY
- OpenMachineLogin
- OpenMachineShell

The PR contains basic tests.
2024-11-06 13:45:04 +00:00
Zbigniew Jędrzejewski-Szmek d0ab0e5fa5 pid1: stop refusing to boot with cgroup v1
Since v256 we completely fail to boot if v1 is configured. Fedora 41 was just
released with v256.7 and this is probably the first major exposure of users to
this code. It turns out not to work very well. Fedora switched to v2 as default in
F31 (2019) and at that time some people added configuration to use v1 either
because of Docker or for other reasons. But it's been long enough ago that
people don't remember this and are now very unhappy when the system refuses to
boot after an upgrade.

Refusing to boot is also unnecessarily punishing to users. For machines that
are used remotely, this could mean somebody needs to physically access the
machine. For other users, the machine might be the only way to access the net
and help, and people might not know how to set kernel parameters without some
docs. And because this is in systemd, after an upgrade all boot choices are
affected, and it's not possible to e.g. select an older kernel for boot. And
crashing the machine doesn't really serve our goal either: we were giving a
hint how to continue using v1 and nothing else.

If the new override is configured, warn and immediately boot to v1.
If v1 is configured w/o the override, warn and wait 30 s and boot to v2.
Also give a hint how to switch to v2.

https://bugzilla.redhat.com/show_bug.cgi?id=2323323
https://bugzilla.redhat.com/show_bug.cgi?id=2323345
https://bugzilla.redhat.com/show_bug.cgi?id=2322467
https://www.reddit.com/r/Fedora/comments/1gfcyw9/refusing_to_run_under_cgroup_01_sy_specified_on/

The advice is to set systemd.unified_cgroup_hierarchy=1 (instead of removing
systemd.unified_cgroup_hierarchy=0). I think this is easier to convey. Users
who understand what is going on can just remove the option instead.

The caching is dropped in cg_is_legacy_wanted(). It turns out that the
order in which those functions are called during early setup is very fragile.
If cg_is_legacy_wanted() is called before we have set up the v2 hierarchy,
we incorrectly cache a true answer. The function is called just a handful
of times at most, so we don't really need to cache the response.
2024-11-06 13:43:25 +00:00
Zbigniew Jędrzejewski-Szmek bc11463e8e man/systemd-stub: rework the description of sections
The text added for .dtbauto/.hwids was very hard to grok. This rewords it to be
proper English. No semantic changes are intended.

When updating this, I noticed that the interaction of multi-profile UKIs and
dtb autoselection is very unclear, a FIXME is added.
2024-11-06 14:40:21 +01:00
Daan De Meyer d835c4476b ukify: Add support for systemd-sbsign 2024-11-06 14:01:33 +01:00
Daan De Meyer 8cbd9d8328 sbsign: Add validate-key verb
This verb checks that we can load the specified private key.
2024-11-06 14:01:09 +01:00
Daan De Meyer 5f163921e9 Introduce systemd-sbsign to do secure boot signing
Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely
broken with the latest gnu-efi when built without -fshort-wchar and
upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
API.
- sbsigntools doesn't allow us to cache hardware token pins in the
kernel keyring like we do nowadays when we sign stuff ourselves in
systemd-repart or systemd-measure

There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.
2024-11-06 14:00:49 +01:00
Ivan Kruglov 1e2cd07394 machine: tests for io.systemd.Machine.Open 2024-11-06 11:58:51 +01:00
Ivan Kruglov a686bedb88 machine: introduce io.systemd.Machine.Open method 2024-11-06 11:37:51 +01:00
Ivan Kruglov 7779d4944c json: introduce json_dispatch_strv_environment()
I just moved json_dispatch_environment() from src/shared/user-record.c
under name 'json_dispatch_strv_environment()' to shared json code.
2024-11-06 11:37:51 +01:00
Ivan Kruglov b0eca6dee0 machine: machine_default_shell_path() & machine_default_shell_args() helper functions 2024-11-06 11:37:51 +01:00
Ivan Kruglov 41f1f283d7 machine: introduce machine_start_getty() and machine_start_shell() helpers 2024-11-06 11:37:51 +01:00
Ivan Kruglov c0589b0227 use report_errno_and_exit() in src/core/exec-invoke.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov 7022563b5b use report_errno_and_exit() in src/shared/elf-util.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov 3d44b469f3 use report_errno_and_exit() in src/shared/dissect-image.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov 9af164b71c use report_errno_and_exit() in src/shared/mount-util.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov f72a64f352 use report_errno_and_exit() in src/shutdown/umount.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov a567de392d process-util: introduce report_errno_and_exit() as part of src/basic/process-util.{h,c} 2024-11-06 11:18:38 +01:00
Yu Watanabe ea457d59e9 man/varlink: fix typo
Follow-up for 4f5fabe7a3.
2024-11-06 19:06:47 +09:00
Yu Watanabe 9dcf5c226e man/udev: fix typo
Follow-up for df8f9b88bd.
2024-11-06 19:06:40 +09:00
Zbigniew Jędrzejewski-Szmek f755ac99cb man/systemd-measure: add forgotten "="
Both syntaxes work, but let's use one syntax for consistency.

Fixup for 0641ce809a27cc1bc358924c26770f19d1213ec1.
2024-11-06 10:18:16 +01:00
Zbigniew Jędrzejewski-Szmek ad6a4bf09c man/systemd-measure: update to new ukify syntax, non-root operation
It's been a while, but systemd-measure doesn't need root, and
ukify has a more modern syntax.
2024-11-06 10:14:29 +01:00
Yu Watanabe df69f29728
network: reconfigure interface more gracefully (#35035)
split-out of #34989.
2024-11-06 17:57:56 +09:00
Lennart Poettering 682195a00a
UKI: Introduce `.dtbauto` sections (#34855)
Split out from #34158
2024-11-06 09:29:04 +01:00
Andres Beltran f348831d27 namespace-util: make idmapping not supported if syscalls return EPERM 2024-11-06 09:27:33 +01:00
Lennart Poettering 299b6c3c28
Various man page updates (#35032)
Fixes: #34996
Fixes: #15032
Fixes: #32751
Fixes: #33130
Fixes: #34735
Fixes: #34840
Fixes: #34949
2024-11-06 09:26:57 +01:00
Zbigniew Jędrzejewski-Szmek ddcdc6b365
mount-util: introduce path_is_network_fs_harder() and use it in networkd (#35040)
Closes #32426.
2024-11-06 08:39:24 +01:00
Lennart Poettering df8f9b88bd man: convert multiple left-over "See Also" sections to <simplelist>
These were forgotten during the initial conversion, probably because
most of them consisted only of a single entry.

Fix that.
2024-11-05 22:57:51 +01:00
Lennart Poettering 607d297487 man: link up D-Bus API docs from daemon man pages
Let's systematically make sure that we link up the D-Bus interfaces from
the daemon man pages once in prose and once in short form at the bottom
("See Also"), for all daemons.

Also, add reverse links at the bottom of the D-Bus API docs.

Fixes: #34996
2024-11-05 22:57:51 +01:00
Lennart Poettering 2f69ad26ca man: point people from sd-bus man page to busctl 2024-11-05 22:57:51 +01:00
Lennart Poettering 4f5fabe7a3 man: add brief entrypoint man page for sd-varlink
We have this in a similar fashion for the other APIs libsystemd
provides. Add the same for sd-varlink. There isn't too much on it for
now, but at least it's a start.

Also link it up everywhere.
2024-11-05 22:57:51 +01:00
Lennart Poettering ac804bc2f8 man: tone down claims on processes having exited already in ExecStop=
Processes can easily survive the first kill operation we execute, hence
we shouldn't make strong claims about them having exited already. Let's
just say "likely" hence.

Fixes: #15032
2024-11-05 22:57:51 +01:00
Lennart Poettering 5adc433799 man: document that .path units don't care for hidden files
Fixes: #32751
2024-11-05 22:57:51 +01:00
Lennart Poettering b711737096 man: document that PrivateTmp= is unaffected by ProtectSystem=strict
Fixes: #33130
2024-11-05 22:57:51 +01:00
Lennart Poettering 172ac39fc8 man: highlight the privilege issues around the LogControl1 more
Let's emphasize the privilege thing with a <caution> section.

Let's also point out that other D-Bus libraries are less restrictive
than sd-bus by default regarding permission access.

Fixes: #34735
2024-11-05 22:57:34 +01:00
anonymix007 73b1fbc777 man: Document stub behaviour for .hwids and .dtbauto sections 2024-11-06 00:47:04 +03:00
anonymix007 1d79f667f4 stub: Handle .dtbauto sections 2024-11-06 00:47:04 +03:00
anonymix007 4c0b7f4250 measure: Introduce .dtbauto support 2024-11-06 00:47:04 +03:00
anonymix007 630cf4e7da uki: add new .dtbauto PE section type
.dtbauto section contains DT blobs, just like .dtb, the difference is
that multiple .dtbauto sections are allowed to be in a UKI and only one
is selected automatically

Temporarily drop an assert_cc() check in systemd-measure to make it compilable before the next commit
2024-11-06 00:47:04 +03:00
anonymix007 763028a16c measure: introduce support for a .hwids section 2024-11-06 00:47:04 +03:00
anonymix007 c033267912 boot: Add .dtbauto section matching in PE section discovery against HWIDs and FW-provided DT 2024-11-06 00:46:57 +03:00
Lennart Poettering ecbe9ae5a0 man: don't claim SELinuxContext= only worked in the system service manager
Fixes: #34840
2024-11-05 22:42:38 +01:00
Lennart Poettering af080967ba man: document the timeout applied to /usr/lib/systemd/system-shutdown/ drop-in binaries
Fixes: #34949
2024-11-05 22:42:32 +01:00
Luca Boccassi 78b032d727 test: delete /swapfile after swapoff
[   23.608342] TEST-55-OOMD.sh[689]: + btrfs filesystem mkswapfile -s 64M /swapfile
[   23.651930] TEST-55-OOMD.sh[704]: ERROR: cannot create new swapfile: File exists
2024-11-06 05:02:57 +09:00
Ronan Pigott 57feaaece3 network: handle ENODATA better with DNR
It is normal for DHCP leases not to have DNR options. We need to be less
verbose and more forgiving in these cases. Also, if either DHCP does not
have DNR options, make sure to still consider any DHCPv6/RA options.

Fixes: c7c9e3c7c0 (network: adjust log message about DNR)
2024-11-06 05:01:55 +09:00
Yu Watanabe c0323de6ca network: use path_is_network_fs_harder()
Closes #32426.
2024-11-06 04:58:59 +09:00
Yu Watanabe d49d95df0a mount-util: introduce path_is_network_fs_harder()
It also detects e.g. glusterfs or mounts with "_netdev" option.
2024-11-06 04:58:55 +09:00
Zbigniew Jędrzejewski-Szmek 2257be13fe tree-wide: time-out → timeout
For justification, see 3f9a0a522f.
2024-11-05 19:32:19 +00:00
anonymix007 6bb76ab959 boot: Add HWID calculation from SMBIOS strings and matching against a built-in list 2024-11-05 22:29:58 +03:00
anonymix007 1c3a0a4b1f boot: Add firmware_devicetree_exists() 2024-11-05 22:29:58 +03:00
Diogo Ivo e6cb29fa0f boot: add matching against FW-provided Devicetree blob
Add support for matching the DT contained in a .dtb section of the
UKI image against the FW provided FDT or arbitrary compatible.
2024-11-05 22:29:40 +03:00
Daan De Meyer 0bf70b1984 openssl-util: Set default UI method instead of setting engine method
While for engines we have ENGINE_ctrl() to set the UI method for the
second PIN prompt, for openssl providers we don't have such a feature
which means we get the default openssl UI for the second pin prompt.

Instead, let's set the default UI method which does get used for the
second pin prompt by the pkcs11 provider.
2024-11-05 19:58:45 +01:00
Luca Boccassi 7af37f3a90
Add PrivatePIDs= (continued) (#34940) 2024-11-05 18:42:28 +00:00
Yu Watanabe 6e0c9b7dac network: introduce LINK_RECONFIGURE_CLEANLY flag
And use it when explicit reconfiguration is requested by Reconfigure() DBus method
or networkd certainly detects that connected network is changed.
Otherwise do not use the flag especially when we come back from sleep mode.
2024-11-06 02:05:00 +09:00
Yu Watanabe 451c2baf30 network: keep dynamic configurations as possible as we can on reconfigure
E.g. when a .network file is updated, but DHCP setting is unchanged, it
is not necessary to drop acquired DHCP lease.
So, let's not stop DHCP client and friends in link_reconfigure_impl(),
but stop them later when we know they are not necessary anymore.

Still DHCP clients and friends are stopped and leases are dropped when
the explicit reconfiguration is requested
2024-11-06 02:05:00 +09:00
Yu Watanabe dd6d53a8dc network: merge link_foreignize_config() and link_drop_foreign_config()
When a reconfiguration of an interface is triggered, previously we
call link_foreignize_config(), which sets all static configurations as
foreign, then later call link_drop_foreign_config(), which drops
unnecessary foreign configurations.

This commit merges these two steps into one, link_drop_unmanaged_config(),
which drops unnecessary static and foreign configurations.

Also, this renames link_drop_managed_configs() to
link_drop_static_config(), as it only drops static configurations.
Note that dynamically acquired configurations are dropped by
link_stop_engines().
2024-11-06 02:05:00 +09:00
Yu Watanabe 2b07a3211b network: several cleanups for link_reconfigure()
Effectively no functional changes, just refactoring and preparation for
later changes.

- convert boolean flag 'force' to LinkReconfigurationFlag enum,
- merge link_reconfigure() and reconfigure_handler_on_bus_method_reload() as
  link_reconfigure_full(),
- Rename ReconfigureData -> LinkReconfigurationData,
- make Reconfigure() DBus message wait for reconfiguration being
  started before sending reply.
2024-11-06 02:05:00 +09:00
Yu Watanabe 5a1ef6dffb network: split out link_enter_unmanaged() from link_reconfigure_impl()
No functional change, just refactoring.
2024-11-06 02:05:00 +09:00
Yu Watanabe f5834423b8
Translations update from Fedora Weblate (#35031) 2024-11-06 01:52:36 +09:00
Weblate Translation Memory df884b7de5 po: Translated using Weblate (German)
Currently translated at 90.9% (230 of 253 strings)

po: Translated using Weblate (German)

Currently translated at 89.3% (226 of 253 strings)

po: Translated using Weblate (German)

Currently translated at 88.9% (225 of 253 strings)

po: Translated using Weblate (German)

Currently translated at 88.1% (223 of 253 strings)

Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
Translation: systemd/main
2024-11-05 14:50:15 +01:00
Ettore Atalan aa6e0bf4b0 po: Translated using Weblate (German)
Currently translated at 90.9% (230 of 253 strings)

po: Translated using Weblate (German)

Currently translated at 89.3% (226 of 253 strings)

po: Translated using Weblate (German)

Currently translated at 88.9% (225 of 253 strings)

po: Translated using Weblate (German)

Currently translated at 88.1% (223 of 253 strings)

Co-authored-by: Ettore Atalan <atalanttore@googlemail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
Translation: systemd/main
2024-11-05 14:50:15 +01:00
Lennart Poettering 9810899ef2 run: handle gracefully if we can't find binary client-side due to perms
Fixes: #35022
2024-11-05 13:41:20 +00:00
Daan De Meyer 406f177501 core: Introduce PrivatePIDs=
This new setting allows unsharing the pid namespace in a unit. Because
you have to fork to get a process into a pid namespace, we fork in
systemd-executor to get into the new pid namespace. The parent then
sends the pid of the child process back to the manager and exits while
the child process continues on with the rest of exec_invoke() and then
executes the actual payload.

Communicating the child pid is done via a new pidref socket pair that is
set up on manager startup.

We unshare the PID namespace right before the mount namespace so we
mount procfs correctly. Note PrivatePIDs=yes always implies MountAPIVFS=yes
to mount procfs.

When running unprivileged in a user session, user namespace is set up first
to allow for PID namespace to be unshared. However, when running in
privileged mode, we unshare the user namespace last to ensure the user
namespace does not own the PID namespace and cannot break out of the sandbox.

Note we disallow Type=forking services from using PrivatePIDs=yes since the
init process inside the PID namespace must not exit for other processes in
the namespace to exist.

Note Daan De Meyer did the original work for this commit with Ryan Wilson
addressing follow-ups.

Co-authored-by: Daan De Meyer <daan.j.demeyer@gmail.com>
2024-11-05 05:32:02 -08:00
Daan De Meyer cf0238d854 pcrlock: Move pe_hash() and uki_hash() to pe-binary.h
Let's move these to shared so we can reuse pe_hash() in the upcoming
systemd-sbsign.
2024-11-05 14:26:21 +01:00
Daan De Meyer 48c5a4cd67 mkosi: Add ruff and mypy to tools tree packages 2024-11-05 14:26:21 +01:00
anonymix007 26060eb7a0 fundamental: Add HWID calculation 2024-11-05 14:48:43 +03:00
anonymix007 09f16de6d8 boot: Add xnew0
Same as xnew but initialized with zeros
2024-11-05 14:48:33 +03:00
Zbigniew Jędrzejewski-Szmek ee95e86ae1 resolved: log error messages for openssl/gnutls context creation
In https://bugzilla.redhat.com/show_bug.cgi?id=2322937 we're getting
an error message:
Okt 29 22:21:03 fedora systemd-resolved[29311]: Could not create manager: Cannot allocate memory
I expect that this actually comes from dnstls_manager_init(), the
openssl version. But without real logs it's hard to know for sure.

Use EIO instead of ENOMEM, because the problem is unlikely to be actually
related to memory.
2024-11-05 11:59:29 +01:00
Ronan Pigott a791fea0d6 network: limit the total number of Encrypted DNS options processed
We need a sensible limit on the number of Encrypted DNS options allowed
so that the set of resolvers per link does not grow without bound.

Fixes: 0c90d1d2f2 ("ndisc: Parse RFC9463 encrypted DNS (DNR) option")
2024-11-05 09:33:35 +01:00
Luca Boccassi 1da80d2ca3
sd-daemon: some tweaks (#35011) 2024-11-05 00:56:28 +00:00
Luca Boccassi cf95ad41b0
ci: add coverage for builds without sd-boot (#35016)
This should catch compilation issues such as:
https://github.com/systemd/systemd/pull/35014
2024-11-04 21:46:19 +00:00
Luca Boccassi 8a3ac7afa6 ci: add coverage for builds without sd-boot
This should catch compilation issues such as:
https://github.com/systemd/systemd/pull/35014
2024-11-04 20:27:00 +00:00
Luca Boccassi 441922336b test: set nullglob to avoid failure when building without sd-boot
2024-11-04T20:13:17.3258095Z + for loader in build/src/boot/efi/*{.efi,.efi.stub}
2024-11-04T20:13:17.3258275Z ++ sbverify --list 'build/src/boot/efi/*.efi'
2024-11-04T20:13:17.3258525Z + [[ Error reading file build/src/boot/efi/*.efi: No such file or directory
2024-11-04T20:13:17.3258952Z Can't open image build/src/boot/efi/*.efi != \N\o\ \s\i\g\n\a\t\u\r\e\ \t\a\b\l\e\ \p\r\e\s\e\n\t ]]
2024-11-04 20:27:00 +00:00
Luca Boccassi c53df275d5 test: fix tool name in comment 2024-11-04 20:27:00 +00:00
Yu Watanabe 995d0296e9
network: several random trivial cleanups (#34994)
split-out of #34989.
2024-11-05 04:16:44 +09:00
Daan De Meyer b5dc805583 tmpfiles: Implement L? to only create symlinks if source exists
This allows a single tmpfiles snippet with lines to symlink directories
from /usr/share/factory to be shared across many different configurations
while making sure symlinks only get created if the source actually exists.
2024-11-04 19:04:21 +01:00
Yu Watanabe 8c3d6d7150 network/dhcp4: keep DHCP address and routes on stop even when SendDecline=yes
KeepConfiguration=dhcp or dhcp-on-stop already violate RFC. It is not
necessary to honor the RFC about sending decline message on stop.
2024-11-05 02:56:48 +09:00
Yu Watanabe 2afd12e0a1 network: expose log_route_debug() and log_address_debug()
They will be used in another file in a later commit.
2024-11-05 02:55:15 +09:00
Yu Watanabe 6119221afa network: add more debugging logs
This also fixes the position of the logging "Enumeration completed.",
and downgrade its log level.
2024-11-05 02:55:15 +09:00
Yu Watanabe 9c402e3ae2 network: check if interface is initialized after enumeration completed
We enumerate interfaces at first, then enumerate other configurations
like addresses and so on. If we are running on a container, previously
we started to configure the enumerated interfaces before enumerating other
configurations.
Let's configure interfaces after all configurations are enumerated.
2024-11-05 02:55:15 +09:00
Yu Watanabe 30d5d11be0 network: check earlier if we are running in test mode 2024-11-05 02:55:15 +09:00
Yu Watanabe bf6e9b383d network: introduce network_config_source_from_string()
It is currently unused, but will be used later.
Preparation for later commits.
2024-11-05 02:55:15 +09:00
Yu Watanabe 5ca212a984 network/json: add missing entries for route properties 2024-11-05 02:55:15 +09:00
Yu Watanabe ae65974883 network: remove unexpected netlink socket from service manager 2024-11-05 02:55:15 +09:00
Yu Watanabe 20465bcb1e daemon-util: expose notify_push_fd()
It will be used in a later commit.
2024-11-05 02:55:15 +09:00
Yu Watanabe dc12457bfd network/address: slightly optimize link_address_is_dynamic() 2024-11-05 02:55:03 +09:00
Yu Watanabe b5a8440f55 network: realign string table 2024-11-05 02:54:02 +09:00
Daan De Meyer 89fdca7168 exec-invoke: Add debug logging for setup_private_users() 2024-11-04 09:19:36 -08:00
Franck Bui c52f6c1f33 efi-loader: add missing stub for efi_stub_get_device_part_uuid() 2024-11-04 17:18:23 +00:00
Lennart Poettering 679a95593d
json: add json_dispatch_ifindex() helper (#34982)
Inspired by: #34640
2024-11-04 15:19:51 +01:00
Daan De Meyer e37701a8cd pcrlock: Pad pe hash to a multiple of 8 bytes
All other tools (sbsigntools, osslsigncode, sbctl, goblin) do this
as well so let's follow suit.
2024-11-04 14:08:54 +01:00
Luca Boccassi 867e2c2a60
network: refuse new requests on stop (#35004)
split-out of #34989.
2024-11-04 12:12:31 +00:00
Luca Boccassi c990f96ea1
network: cleanups for IPv4LL (#34995)
split-out of #34989.
2024-11-04 12:08:27 +00:00
Colin Foster 38557d9ffb test-dhcp-client: utilize log_info instead of printf
log_info appears to be the preferred method to convey information from
tests. Convert all the printfs to log_info to follow this standard.
2024-11-04 11:57:32 +00:00
Lennart Poettering f57efb3d6c update NEWS 2024-11-04 12:42:40 +01:00
Lennart Poettering cb42df5310 sd-daemon: add fd array size safety check to sd_notify_with_fds()
The previous commit removed the UINT_MAX check for the fd array. Let's
now re-add one, but at a better place, and with a more useful limit. As
it turns out the kernel does not allow passing more than 253 fds at the
same time, hence use that as limit. And do so immediately before
calculating the control buffer size, so that we catch multiplication
overflows.
2024-11-04 12:10:09 +01:00
Lennart Poettering c4c04e2c2e tree-wide: port things over to new json_dispatch_ifindex() 2024-11-04 11:42:38 +01:00
Lennart Poettering dfaff662a0 json-util: generalize json_dispatch_ifindex()
Let's move the helper from nss-resolve.c to generic code, as it's going
to be useful in #34640.

Also, let's tighten the rules, and refuse negative ifindexes, because
they are invalid.
2024-11-04 11:42:37 +01:00
Lennart Poettering 74806f7116 sd-daemon: count array elements in size_t
We fucked that up in the original sd_listen() calls, and then we fixed
that on the newer flavours. But our internal common implementation
should of course use the full range size_t, as it should be.

This then allows us to drop a redundant range check.
2024-11-04 11:02:38 +01:00
Lennart Poettering bea2237f67 sd-daemon: drop some redundant 'else' 2024-11-04 11:01:07 +01:00
Lennart Poettering 6606348981 sd-daemon: clean up env var unsetting
This cleans up the handling of the "unset_environment" parameter to
sd_listen() and related calls: the man pages claim we operate on it on
error too. Hence, actually do so in strictly all error paths. Previously
we'd miss out on some, because wrapper functions mishandled them.

This was addressed before in 362dcfc5db
but some codepaths were missed. Complete the work now.

This establishes a common pattern: a function to unset the relevant env
vars, that is called from a goto section at the bottom on both success
and failure.
2024-11-04 11:00:13 +01:00
Lennart Poettering 0e44f02e2f update TODO 2024-11-04 10:45:26 +01:00
Martin Wilck 7f6674624e udev-builtin-path_id: SAS wide ports must have num_phys > 1
Some kernel SAS drivers (e.g. smartpqi) expose ports with num_phys = 0. udev
shouldn't treat these ports as wide ports.  SAS wide ports always have
num_phys > 1. See comments for sas_port_add_phy() in the kernel sources.

Sample data from a smartpqi system to illustrate the issue below.
Here the phy device is attached to port 0:0, which has no end devices attached
and the SAS end device (where sda is attached) is associated with SAS
port 0:1, which has no associated phy device. Thus num_phys for port-0:1 is 0.
This is arguably wrong, but it's how smartpqi has always set up its devices in
sysfs.

/sys/class/sas_phy/phy-0:0 -> ../../devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/phy-0:0/sas_phy/phy-0:0
/sys/devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/port-0:0/phy-0:0 -> ../phy-0:0
/sys/devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/phy-0:0/port -> ../port-0:0

/sys/class/sas_device/end_device-0:1 -> ../../devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/port-0:1/end_device-0:1/sas_device/end_device-0:1
/sys/class/block/sda -> ../../devices/pci0000:46/0000:46:02.0/0000:47:00.0/host0/scsi_host/host0/port-0:1/end_device-0:1/target0:0:0/0:0:0:0/block/sda

Signed-off-by: Martin Wilck <mwilck@suse.com>
2024-11-04 09:55:48 +01:00
Daan De Meyer c32e54456e
openssl-util: Query engine/provider pin via ask-password (#34948)
In mkosi, we want to support signing via a hardware token. We already
support this in systemd-repart and systemd-measure. However, if the
hardware token is protected by a pin, the pin is asked as many as 20
times when building an image as the pin is not cached and thus requested
again for every operation.

Let's introduce a custom openssl ui when we use engines and providers
and plug systemd-ask-password into the process. With
systemd-ask-password, the pin can be cached in the kernel keyring,
allowing us to reuse it without querying the user again every time to
enter the pin.

We use the private key URI as the keyring identifier so that the cached
pin can be shared across multiple tools.
2024-11-03 12:54:20 +01:00
Daan De Meyer a07864a4fe bootctl: Add --secure-boot-auto-enroll
When specified, bootctl install will also set up secure boot
auto-enrollment. For now, We sign all variables using the same
certificate and key pair.
2024-11-03 10:46:17 +01:00
Daan De Meyer eac5336c27 openssl-util: Query engine/provider pin via ask-password
In mkosi, we want to support signing via a hardware token. We already
support this in systemd-repart and systemd-measure. However, if the
hardware token is protected by a pin, the pin is asked as many as 20
times when building an image as the pin is not cached and thus requested
again for every operation.

Let's introduce a custom openssl ui when we use engines and providers
and plug systemd-ask-password into the process. With systemd-ask-password,
the pin can be cached in the kernel keyring, allowing us to reuse it without
querying the user again every time to enter the pin.

We use the private key URI as the keyring identifier so that the cached pin
can be shared across multiple tools.

Note that if the private key is pin protected, openssl will prompt both when
loading the private key using the pkcs11 engine and when actually signing the
roothash. To make sure our custom UI is used when signing the roothash, we have
to also configure it with ENGINE_ctrl() which takes a non-owning pointer to
the UI_METHOD object and its userdata object which we have to keep alive so we
introduce a new AskPasswordUserInterface struct which we use to keep both objects
alive together with the EVP_PKEY object.

Because the AskPasswordRequest struct stores non-owning pointers to its fields,
we change repart to store the private key URI as a global variable again instead
of the EVP_PKEY object so that we can use the private key argument as the keyring
field of the AskPasswordRequest instance without running into lifetime issues.
2024-11-03 10:46:14 +01:00
Yu Watanabe 49e5013432 network: free DHCP client and friends in link_free()
No functional change, at least now. Preparation for later commits.

But we are planning to extend KeepConfiguration= and also keep
addresses and so on assigned by other dynamic configuration protocol
like DHCPv6 or NDisc.
However, when link_free_engines() is called here, acquired addresses so
on by NDisc will be removed, even if link_stop_engines() handles
restarting networkd or KeepConfiguration= gracefully.
So, let's not free engines here, but free them later in link_free().
It is not necessary to be called here anyway.
2024-11-03 09:14:36 +09:00
Yu Watanabe ef45f5c8d0 network: refuse further requests when manager is in MANAGER_STOPPED
In that case, requests will never be processed anyway. But further more,
we cannot call link_ref() at that stage. Otherwise, we trigger assertion.
2024-11-03 09:14:36 +09:00
Daan De Meyer d5c12da904 efivars: Remove STRINGIFY() helper macros
The names of these conflict with macros from efi.h that we'll move
to efi-fundamental.h in a later commit. Let's avoid the conflict by
getting rid of these helpers. Arguably this also improves readability
by clearly indicating we're passing arbitrary strings and not constants
to the macros when we invoke them.
2024-11-02 23:20:57 +01:00
Daan De Meyer 36c6c696a7 ask-password: Add $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE
Currently ask_password_auto() will always try to store the password into
the user keyring. Let's make this configurable so that we can configure
ask_password_auto() into the session keyring. This is required when working
with user namespaces, as the user keyring is namespaced by user namespaces
which makes it impossible to share cached keys across user namespaces by using
the user namespace while this is possible with the session keyring.
2024-11-02 23:20:57 +01:00
Daan De Meyer 01d138b990 ask-password: Drop "default" for SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC
Users can simply unset the environment variable to achieve the same effect.
2024-11-02 23:20:57 +01:00
Daan De Meyer b3bca11c18 ask-password: Use default timeout if SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC is unset
Follow-up for d9f4dad986
2024-11-02 23:20:57 +01:00
Daan De Meyer d980aee1e8 mkosi: Add extra tools tree packages required to run integration tests
With https://github.com/systemd/mkosi/pull/3164, we'll be able to run
arbitrary commands in the mkosi sandbox, which has /usr from the tools
tree if one is configured. Let's add the required packages to be able to
run meson to setup the integration tests. This allows running the integration
tests without having to install meson or other build dependencies on the
host system.

"""
mkosi sandbox meson setup build
mkosi sandbox meson compile -C build mkosi
mkosi sandbox env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build ...
"""
2024-11-02 23:18:41 +01:00
dependabot[bot] 4839fb527f build(deps): bump systemd/mkosi
Bumps [systemd/mkosi](https://github.com/systemd/mkosi) from 2a35f9958bc6b82d95d1eac02dc245e9bb068765 to 8976a0abb19221e65300222f2d33067970cca0f1.
- [Release notes](https://github.com/systemd/mkosi/releases)
- [Commits](2a35f9958b...8976a0abb1)

---
updated-dependencies:
- dependency-name: systemd/mkosi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-02 23:18:12 +01:00
Daan De Meyer e1a105a6f9
Two integration test fixes (#34984) 2024-11-02 22:12:27 +01:00
Daan De Meyer 2ec809dd3b TEST-64-UDEV-STORAGE: Don't hardcode device name in long-sysfs-path test
There's no guarantee our device will be named /dev/vda, so give it
a serial so we can query for its devname inside the test.
2024-11-02 20:43:22 +01:00
Daan De Meyer 29a8e71d9c TEST-17-UDEV: Don't hardcode root device name
There's no guarantee the root device will be /dev/sda, so let's use
bootctl to get the actual path instead of hardcoding it.
2024-11-02 20:43:19 +01:00
Ronan Pigott f4092cb974 pam: quiet a spurious debug message
This singular debug message gets printed even if debug is not enabled.
Quiet this message when debug is not enabled for consistency.
2024-11-02 22:47:17 +09:00
Luca Boccassi 5cae569818 user-record: add missing comma to list of strings
Follow-up for ad03f2d5f0
2024-11-02 22:46:45 +09:00
Yu Watanabe 500c61ee49 network/ipv4ll: not necessary to set initial address on each start 2024-11-02 22:42:01 +09:00
Yu Watanabe fecd205d3e network/dhcp4: do not restart IPv4LL client when KeepConfiguration=dhcp
When KeepConfiguration=dhcp, we do not remove acquired address, hence
not necessary to restart IPv4LL client.
2024-11-02 22:42:01 +09:00
Luca Boccassi 89099136d7
machine: introduce io.systemd.MachineImage.{Clone, Remove} methods (#34853)
This PR introduces io.systemd.MachineImage.Clone and Remove methods.
They are 1:1 mapping to DBus alternatives.
2024-11-02 12:06:23 +00:00
Luca Boccassi c7e818fc1a
Add support for id-mapped mounts to Exec directories (#34078)
Currently, bind-mounted directories within a user/mount namespace get
the uid/gid stored on their files. If the host creates a file in the
source directory, it will still show as root in the namespace.
Id-mapping is a filesystem feature that allows a mount namespace to show
a different uid than what is actually stored on a file. Add support for
id-mappings to exec directories, so that the files within the mount
namespace are owned by the unprivileged uid/gid.

Example:

Using unit:
```
[Unit]
Description=Sample service

[Service]
MountAPIVFS=yes
DynamicUser=yes
PrivateUsers=yes
TemporaryFileSystem=/run /var/opt /var/lib /vol
UMask=0000
ExecStart=/bin/bash -c 'while true; do echo "ping"; sleep 5; done'
StateDirectory=andresstatedir:sampleservice

[Install]
WantedBy=multi-user.target
```

In the host namespace, creating a file "test":
```
root@abeltran-test:/var/lib/andresstatedir# ls -lah
total 8.0K
drwxr-xr-x 2 root root 4.0K Aug 21 23:48 .
drwx------ 3 root root 4.0K Aug 21 23:47 ..
-rw-r--r-- 1 root root    0 Aug 21 23:48 test
```

Within the unit namespace:
```
root@abeltran-test:/var/lib/sampleservice# ls -lah
total 4.0K
drwxr-xr-x 2 63750 63750 4.0K Aug 21 23:48 .
drwxr-xr-x 3 root  root    60 Aug 21 23:47 ..
-rw-r--r-- 1 63750 63750    0 Aug 21 23:48 test
```
```
root@abeltran-test:/# mount | grep and
/dev/sda1 on /var/lib/private/andresstatedir type ext4 (rw,nosuid,noexec,relatime,idmapped,discard,errors=remount-ro,commit=30)
```
2024-11-02 12:04:49 +00:00
Luca Boccassi c166969137
logind: respect SD_LOGIND_ROOT_CHECK_INHIBITORS with weak blockers (#34969)
The check for the old flag was not restored when the weak blocker was
added, add it back. Also skip polkit check for root for the weak
blocker, to keep compatibility with the previous behaviour.

Partially fixes https://github.com/systemd/systemd/issues/34091

Follow-up for 804874d26a
2024-11-02 11:27:28 +00:00
Andres Beltran eae5127246 core: add id-mapped mount support for Exec directories 2024-11-01 18:45:28 +00:00
Andres Beltran edae62120f namespace-util: add util function to check if id-mapped mounts are supported for a given path 2024-11-01 18:41:27 +00:00
Lennart Poettering acc35e5129
core/service: don't propagate stop jobs if RestartMode=direct (#34768)
Fixes https://github.com/systemd/systemd/issues/34758
2024-11-01 17:25:49 +01:00
Luca Boccassi ffd81a1202 resolve: remove always-true superfluous check and rename label
Fixes https://github.com/systemd/systemd/security/code-scanning/2900
2024-11-01 15:44:01 +00:00
Luca Boccassi 93445c2e89 logind: ensure the stronger inhibitor currently in place is taken into account 2024-11-01 15:43:14 +00:00
Luca Boccassi 845f95b9e0 logind: respect SD_LOGIND_ROOT_CHECK_INHIBITORS with weak blockers
The check for the old flag was not restored when the weak
blocker was added, add it back. Also skip polkit check for
root for the weak blocker, to keep compatibility with the
previous behaviour.

Partially fixes https://github.com/systemd/systemd/issues/34091

Follow-up for 804874d26a
2024-11-01 15:43:14 +00:00
Ivan Kruglov b50fe8a0d9 machine: remove redundant --more in TEST-13-NSPAWN.machined 2024-11-01 15:30:39 +01:00
Ivan Kruglov 0c16936acc machine: tests for io.systemd.MachineImage.{Clone, Remove} methods 2024-11-01 15:30:39 +01:00
Ivan Kruglov 88d0b72833 machine: use ImageUpdateParameters in io.systemd.MachineImage.Update 2024-11-01 15:30:39 +01:00
Ivan Kruglov cc060c2910 machine: reuse VARLINK_DEFINE_IMAGE_LOOKUP_AND_POLKIT_FIELDS in io.systemd.MachineImage.Update declaration 2024-11-01 15:30:39 +01:00
Ivan Kruglov 1663455b63 machine: introduce io.systemd.MachineImage.Remove method 2024-11-01 15:30:39 +01:00
Ivan Kruglov 38a0cf4172 machine: introduce io.systemd.MachineImage.Clone method 2024-11-01 15:30:34 +01:00
Ivan Kruglov 95d5b9097b machine: use report_errno_and_exit() in dbus code 2024-11-01 15:21:22 +01:00
Ivan Kruglov 30a34657b8 machine: introduce report_errno_and_exit() 2024-11-01 15:21:22 +01:00
Ivan Kruglov a52ce4a29d machine: align polkit verb of io.systemd.MachineImage.Update with the rest of the code 2024-11-01 15:20:59 +01:00
Luca Boccassi 74a17f875f
hwdb: update for v257 (#34976) 2024-11-01 12:32:56 +00:00
Lennart Poettering d248e1a8d6 update hwdb 2024-11-01 12:32:06 +00:00
Lennart Poettering 2e4432507b hwdb: import newest autosuspend rules from chromeos 2024-11-01 12:32:06 +00:00
Daan De Meyer 70af6703b0 mkosi: Set BuildSourcesEphemeral=no in mkosi.clangd
We're just running a language server so no need to put a writable
overlay on top of the build sources to prevent modifications. This
hopefully helps the language server track modifications to the source
files better.
2024-11-01 13:30:45 +01:00
Luca Boccassi c77f4f5df7
coredump: lock down EnterNamespace= mount even more (#34975)
Let's disable symlink following if we attach a container's mount tree to
our own mount namespace. We after all mount the tree to a different
location in the mount tree than where it was inside the container, hence
symlinks (if they exist) will all point to the wrong places (even if
relative, some might point to other places). And since symlink attacks
are a thing, and we let libdw operate on the tree, let's lock this down
as much as we can and simply disable symlink traversal entirely.
2024-11-01 12:25:35 +00:00
dependabot[bot] 593b125a30 build(deps): bump meson from 1.5.2 to 1.6.0 in /.github/workflows
Bumps [meson](https://github.com/mesonbuild/meson) from 1.5.2 to 1.6.0.
- [Release notes](https://github.com/mesonbuild/meson/releases)
- [Commits](https://github.com/mesonbuild/meson/compare/1.5.2...1.6.0)

---
updated-dependencies:
- dependency-name: meson
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-01 11:45:37 +00:00
Luca Boccassi e7bbcbb27c Update NEWS 2024-11-01 11:39:26 +00:00
Luca Boccassi fdccba15be
util-lib/systemd-run: implement race-free PTY peer opening (#34953)
This makes use of the new TIOCGPTPEER pty ioctl() for directly opening a
PTY peer, without going via path names. This is nice because it closes a
race around allocating and opening the peer. And also has the nice
benefit that if we acquired an fd originating from some other
namespace/container, we can directly derive the peer fd from it, without
having to reenter the namespace again.
2024-11-01 11:29:19 +00:00
Luca Boccassi d86e9b64e4
tweaks to ANSI sequence (OSC) handling (#34964)
Fixes: #34604

Prompted by that I realized we do not correctly recognize both "ST"
sequences we want to recognize, fix that.
2024-11-01 11:18:57 +00:00
Luca Boccassi 1006022e4c
Homed update policy: user changing own settings (#31153)
Rework of #30109 to deal with changes in #30840 and discussed changes to
behavior

Depends on and includes #30840 

Fixes https://github.com/systemd/systemd/issues/34268
2024-11-01 11:14:04 +00:00
Luca Boccassi 57b908caef
network: update tunnel or vxlan with Local=dhcp4 and friends (#34957)
Fixes #24854.
2024-11-01 11:10:21 +00:00
Luca Boccassi 890bdd1d77 core: add read-only flag for exec directories
When an exec directory is shared between services, this allows one of the
service to be the producer of files, and the other the consumer, without
letting the consumer modify the shared files.
This will be especially useful in conjunction with id-mapped exec directories
so that fully sandboxed services can share directories in one direction, safely.
2024-11-01 10:46:55 +00:00
Adrian Vovk 6a2d4a233d test: Test user record selfModifiable behavior 2024-11-01 10:41:46 +00:00
Adrian Vovk a192250eda homed: Allow user to change parts of their record
This allows an unprivileged user that is active at the console to change
the fields that are in the selfModifiable allowlists (introduced in a
previous commit) without authenticating as a system administrator.

Administrators can disable this behavior per-user by setting the
relevant selfModifiable allowlists, or system-wide by changing the
policy of the org.freedesktop.home1.update-home-by-owner Polkit action.
2024-11-01 10:41:46 +00:00
Adrian Vovk ad03f2d5f0 user-record: Introduce selfModifiable fields
Allows the system administrator to configure what fields the user is
allowed to edit about themself, along with hard-coded defaults.
2024-11-01 10:41:46 +00:00
dependabot[bot] 7fdcd903ab build(deps): bump actions/checkout from 4.2.0 to 4.2.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](d632683dd7...11bd71901b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-01 11:25:37 +01:00
Lennart Poettering cbddc201e5 man: <strong> is not a valid docbook tag, but <emphasis> is 2024-11-01 10:12:44 +01:00
Lennart Poettering f0a1d44939 update NEWS 2024-11-01 10:12:41 +01:00
Lennart Poettering 00f7398049 coredump: rename gather_pid_mount_tree_fd() → acquire_pid_mount_tree_fd()
From my understanding of the English language "gather" implies there are
multiple things to gather. But here there's only one, hence use
"acquire"
2024-11-01 10:07:55 +01:00
Lennart Poettering 4c9c8b8d09 coredump: lock down EnterNamespace= mount even more
Let's disable symlink following if we attach a container's mount tree to
our own mount namespace. We after all mount the tree to a different
location in the mount tree than where it was inside the container, hence
symlinks (if they exist) will all point to the wrong places (even if
relative, some might point to other places). And since symlink attacks
are a thing, and we let libdw operate on the tree, let's lock this down
as much as we can and simply disable symlink traversal entirely.
2024-11-01 10:05:53 +01:00
Lennart Poettering e64ccd2242
coredump: rework protocol between coredump pattern handler and processing service (#34970)
In 68511cebe5 the ability to pass the
coredump's mount namespace fd from the coredump pattern handler was added
to systemd-coredump. For this the protocol was augmented, in attempt to
provide both forward and backward compatibility.

The protocol as of v256: one or more datagrams with journal log fields
about the coredump are sent via a SOCK_SEQPACKET connection. It is
finished with a zero length datagram which carries the coredump fd (this
last datagram is called "sentinel" sometimes).

The protocol after 68511cebe5 is extended
so that after the sentinel a 2nd sentinel is sent, with a pair of fds:
the coredump fd *again* and a mount fd (acquired via open_tree()) of the
container's mount tree. It's a bit ugly to send the coredump fd a 2nd
time, but what's more important the implementation didn't work: since on
SOCK_SEQPACKET a zero sized datagram cannot be distinguished from EOF
(which is a Linux API design mistake), an early EOF would be
misunderstood as a zero size datagram lacking any fd, which resulted in
protocol termination.

Moreover, I think if we touch the protocol we should make the move to
pidfs at the same time.

All of the above is what this protocol rework addresses.

1. A pidfd is now sent as well

2. The protocol is now payload, followed by the coredump fd datagram (as
   before).  But now followed by a second empty datagram with a pidfd,
   and a third empty datagram with the mount tree fd. Of this the latter
   two or last are optional. Thus, it's now a stream of payload
   datagrams with one, two or three fd-laden datagrams as sentinel. If
   we read the 2nd or 3rd sentinel without an attached fd we assume this
   is actually an EOF (whether it actually is one or not doesn't matter
   here). This should provide nice up and down compatibility.

3. The mount_tree_fd is moved into the Context object. The pidfd is
   placed there too, as a PidRef. Thus the data we pass around is now
   the coredump fd plus the context, which is simpler and makes a lot
   more semantical sense I think.

4. The "first" boolean is replaced by an explicit state engine enum

Fixes: https://github.com/systemd/systemd/issues/34130
2024-11-01 08:15:05 +01:00
Lennart Poettering 098c3975ac coredump: make check that all argv[] meta data fields are passed strict
Otherwise, if some field is not supplied we might end up parsing a NULL
string later. Let's catch that early.
2024-10-31 23:09:14 +01:00
Lennart Poettering b1694040af coredump: use memory_startswith() when looking at a data blob 2024-10-31 23:08:11 +01:00
Lennart Poettering 0e3e075b56 iovw: normalize destructors
instead of passing a boolean picking the destruction method just have
different functions. That's much nicer in context of _cleanup_, and how
we usually do things.
2024-10-31 23:08:11 +01:00
Lennart Poettering 811aa36ab6 iovw: add simpler iovw_done() destructor 2024-10-31 23:08:11 +01:00
Lennart Poettering 2865561eaa coredump: move to _cleanup_ for destroying iovw object 2024-10-31 23:08:11 +01:00
Lennart Poettering 19455dd600 coredump: parse rlimit field at same place as other fields 2024-10-31 23:08:11 +01:00
Lennart Poettering 960b045875 coredump: parse signal number at the same time as parsing other fields 2024-10-31 23:08:11 +01:00
Lennart Poettering 32756e57ef coredump: rename save_context() → context_parse_iovw()
The function doesn't "save" anything, it just parses iovw into the
individual fields, hence name the function accordingly.
2024-10-31 23:08:11 +01:00
Lennart Poettering 1f485bc735 coredump: acquire some process fields via pidref
Use pidref to acquire some fields. This just makes use of the pidref
helpers we already have. We acquire a lot of other data via classic pids
still, but for that we first have to write race-free pidref getters,
hence leave that for another time.
2024-10-31 23:08:11 +01:00
Lennart Poettering 313537da6f coredump: rework protocol between coredump pattern handler and processing service
In 68511cebe5 the ability to pass the
coredump's mount namespace fd from the coredump pattern handler was added
to systemd-coredump. For this the protocol was augmented, in attempt to
provide both forward and backward compatibility.

The protocol as of v256: one or more datagrams with journal log fields
about the coredump are sent via a SOCK_SEQPACKET connection. It is
finished with a zero length datagram which carries the coredump fd (this
last datagram is called "sentinel" sometimes).

The protocol after 68511cebe5 is extended
so that after the sentinel a 2nd sentinel is sent, with a pair of fds:
the coredump fd *again* and a mount fd (acquired via open_tree()) of the
container's mount tree. It's a bit ugly to send the coredump fd a 2nd
time, but what's more important the implementation didn't work: since on
SOCK_SEQPACKET a zero sized datagram cannot be distinguished from EOF
(which is a Linux API design mistake), an early EOF would be
misunderstood as a zero size datagram lacking any fd, which resulted in
protocol termination.

Moreover, I think if we touch the protocol we should make the move to
pidfs at the same time.

All of the above is what this protocol rework addresses.

1. A pidfd is now sent as well

2. The protocol is now payload, followed by the coredump fd datagram (as
   before).  But now followed by a second empty datagram with a pidfd,
   and a third empty datagram with the mount tree fd. Of this the latter
   two or last are optional. Thus, it's now a stream of payload
   datagrams with one, two or three fd-laden datagrams as sentinel. If
   we read the 2nd or 3rd sentinel without an attached fd we assume this
   is actually an EOF (whether it actually is one or not doesn't matter
   here). This should provide nice up and down compatibility.

3. The mount_tree_fd is moved into the Context object. The pidfd is
   placed there too, as a PidRef. Thus the data we pass around is now
   the coredump fd plus the context, which is simpler and makes a lot
   more semantical sense I think.

4. The "first" boolean is replaced by an explicit state engine enum

Fixes: #34130
2024-10-31 23:08:11 +01:00
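The receive side of the reworked protocol described in the commit message above, as an added example (not systemd's code): payload datagrams, then one to three empty fd-laden sentinels, with an fd-less empty read after the first sentinel treated as EOF. The state names, `struct received`, `run_demo()` and the sample field values are assumptions made for the example, and rejecting a stream that ends before the coredump fd arrives is this example's choice.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Receiver states; the names are illustrative, not systemd's own. */
enum state { ST_PAYLOAD, ST_GOT_COREDUMP_FD, ST_GOT_PIDFD, ST_GOT_MOUNT_FD };

struct received {
    int n_payload;                          /* payload datagrams seen */
    int coredump_fd, pidfd, mount_tree_fd;  /* -1 if not supplied */
};

union fd_ctl { struct cmsghdr hdr; char buf[CMSG_SPACE(4 * sizeof(int))]; };

/* Send one datagram of len bytes; attach fd via SCM_RIGHTS if fd >= 0. */
static int send_dgram(int sock, const void *data, size_t len, int fd) {
    union fd_ctl ctl;
    struct iovec iov = { .iov_base = (void *) data, .iov_len = len };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = len > 0 ? 1 : 0 };
    if (fd >= 0) {
        memset(&ctl, 0, sizeof ctl);
        mh.msg_control = ctl.buf;
        mh.msg_controllen = CMSG_SPACE(sizeof(int));
        struct cmsghdr *c = CMSG_FIRSTHDR(&mh);
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &mh, MSG_NOSIGNAL) < 0 ? -1 : 0;
}

/* Collect every fd from the control data: keep the first, close extras.
 * Returns how many fds were attached. */
static int take_fds(struct msghdr *mh, int *ret_fd) {
    int n = 0;
    *ret_fd = -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(mh); c; c = CMSG_NXTHDR(mh, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
            continue;
        size_t k = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < k; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof(int));
            if (n++ == 0) *ret_fd = fd; else close(fd);
        }
    }
    return n;
}

/* Returns 0 on a well-formed stream, -1 on a protocol violation.
 * The caller owns (and must close) any fds left in *r either way. */
static int receive_coredump(int sock, struct received *r) {
    enum state st = ST_PAYLOAD;
    *r = (struct received) { 0, -1, -1, -1 };
    while (st != ST_GOT_MOUNT_FD) {
        char buf[4096];
        union fd_ctl ctl;
        struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
        struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                             .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
        int fd;
        ssize_t n = recvmsg(sock, &mh, MSG_CMSG_CLOEXEC);
        if (n < 0)
            return -1;
        int n_fds = take_fds(&mh, &fd);
        if (n > 0) {  /* payload: only before the first sentinel, never with fds */
            if (st != ST_PAYLOAD || n_fds > 0) { if (fd >= 0) close(fd); return -1; }
            r->n_payload++;
            continue;
        }
        if (n_fds == 0)  /* empty datagram or EOF: the two cannot be told apart */
            return st == ST_PAYLOAD ? -1 : 0;  /* acceptable once the coredump fd is in */
        if (n_fds > 1 || (mh.msg_flags & MSG_CTRUNC)) { close(fd); return -1; }
        switch (st) {
        case ST_PAYLOAD:         r->coredump_fd = fd;   st = ST_GOT_COREDUMP_FD; break;
        case ST_GOT_COREDUMP_FD: r->pidfd = fd;         st = ST_GOT_PIDFD;       break;
        default:                 r->mount_tree_fd = fd; st = ST_GOT_MOUNT_FD;    break;
        }
    }
    return 0;
}

/* Constructed sender: two sample fields, then n_sentinels empty fd-laden
 * datagrams (a pipe end stands in for the real fds), then close.
 * Returns the number of fds the receiver accepted, or -1 if it rejected the stream. */
static int run_demo(int n_sentinels) {
    const char *fields[] = { "COREDUMP_PID=4711", "COREDUMP_SIGNAL=11" };
    int sv[2], p[2], ret = -1;
    struct received r;
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0)
        return -1;
    if (pipe(p) < 0) { close(sv[0]); close(sv[1]); return -1; }
    for (size_t i = 0; i < 2; i++)
        send_dgram(sv[0], fields[i], strlen(fields[i]), -1);
    for (int i = 0; i < n_sentinels; i++)
        send_dgram(sv[0], NULL, 0, p[0]);
    close(sv[0]);  /* the receiver sees EOF after the queued datagrams */
    if (receive_coredump(sv[1], &r) == 0)
        ret = (r.coredump_fd >= 0) + (r.pidfd >= 0) + (r.mount_tree_fd >= 0);
    int fds[] = { r.coredump_fd, r.pidfd, r.mount_tree_fd, p[0], p[1], sv[1] };
    for (size_t i = 0; i < sizeof fds / sizeof fds[0]; i++)
        if (fds[i] >= 0) close(fds[i]);
    return ret;
}

int main(void) {
    for (int n = 0; n <= 3; n++)
        printf("%d sentinel(s) sent -> %d\n", n, run_demo(n));
    return 0;
}
```

A sender that stops after the coredump fd, as a v256 handler would, is accepted with the pidfd and mount tree fd left at -1.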
Lennart Poettering ecfb4bb05e coredump: correct debug log message 2024-10-31 23:08:11 +01:00
Lennart Poettering ea8eb370e7 coredump: minor modernizations 2024-10-31 23:08:11 +01:00
Lennart Poettering 393d0d2b69 coredump: rename pid → leader_pid
Let's rename this local variable, since we are not operating on the
coredump process here after all, but on the leader of the namespace the
coredump process is in, which is quite different, hence let's make this
very clear via the name.
2024-10-31 23:08:11 +01:00
Lennart Poettering aea215d5d9 update TODO 2024-10-31 23:07:48 +01:00
Yu Watanabe 4d8e5fefae sd-varlink: suppress one log message when callback already successfully enqueued an error response
Follow-up for d2ebf5cc1d.

The detailed error response is already logged, hence not necessary to
log again with the errno converted from the error response, which is typically
less informative, e.g.
===
varlink-26-26: Setting state idle-server
varlink-26-26: Received message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"service":""}}
varlink-26-26: Changing state idle-server → processing-method
varlink-26-26: Sending message: {"error":"io.systemd.UserDatabase.BadService","parameters":{}}
varlink-26-26: Changing state processing-method → processed-method
varlink-26-26: Callback for io.systemd.UserDatabase.GetUserRecord returned error: Invalid request descriptor
varlink-26-26: Changing state processed-method → idle-server
varlink-26-26: Got POLLHUP from socket.
===
2024-10-31 22:58:35 +01:00
Luca Boccassi e4a4a5bd2b
Rework sysupdate meson options (#34832)
systemd-sysupdated is still unstable and we'd like to make breaking
changes to it even after the v257 release, so we document it as such and
disable building it by default in release builds. The distro can still
opt-in, and we still build it in developer mode so it has CI coverage
2024-10-31 21:10:28 +00:00
Zbigniew Jędrzejewski-Szmek 243b63d8a6 meson: add separate option for sysupdated, disable in release builds
This commit introduces a build-time option to enable/disable sysupdated
separately from sysupdate. 'auto' translated to enabled by default in
developer builds.
2024-10-31 21:08:08 +00:00
Lennart Poettering c8c13fdf51
Drop trailing NUL in .sbat/.sdmagic sections (#34950) 2024-10-31 21:48:18 +01:00
Lennart Poettering 02bf14d924
logind/systemctl: one follow-up for DesignatedMaintenanceWindow (#34966)
Fixes https://github.com/systemd/systemd/issues/33429
2024-10-31 21:47:45 +01:00
Lennart Poettering 5ca96e2717
machine: several follow-ups for recent change (#34882)
Follow-ups for #34761.
2024-10-31 21:43:18 +01:00
Lennart Poettering ccf46aa54b sd-json: don't accidentally convert between unsigned/signed when parsing signal 2024-10-31 19:54:47 +01:00
Mike Gilbert ff94426f8a posix_spawn_wrapper: do not set POSIX_SPAWN_SETSIGDEF flag
Setting this flag is a noop without a corresponding call to
posix_spawnattr_setsigdefault.

If we call posix_spawnattr_setsigdefault with a full signal set,
it causes glibc's posix_spawn implementation to call sigaction 63 times,
once for each signal. That seems wasteful.

This feature is really only useful for signals which have their
disposition set to SIG_IGN. Otherwise the disposition gets set to
SIG_DFL automatically, either by clone(CLONE_CLEAR_SIGHAND) or the
subsequent execve.

As far as I can tell, systemd does not have any signals set to SIG_IGN
under normal operating conditions.
2024-10-31 18:16:58 +01:00
Mike Yuan 3e094f8489
bus-common-errors: use more appropriate errno for BUS_ERROR_DESIGNATED_MAINTENANCE_TIME_NOT_SCHEDULED
Fixes #33429
2024-10-31 15:46:27 +01:00
Mike Yuan 249bb7f894
systemctl: don't fall back to immediate shutdown silently if we cannot schedule one
The previous behavior of systemctl --when= seems absurd, i.e.
if we fail to schedule shutdown in the future it's performed
immediately. Let's instead hard fail, which also removes the need
of specializing on certain errnos (preparation for later commits).
2024-10-31 15:45:40 +01:00
Mike Yuan 57d8134d45
logind-dbus: return appropriate errno for unexpected errors
Follow-up for 0e10c3d872
2024-10-31 15:34:47 +01:00
Mike Yuan 5aa48b6de1
systemctl: use the retval of must_be_root() 2024-10-31 15:32:32 +01:00
Zbigniew Jędrzejewski-Szmek d97b8d9d7b boot: stop appending NUL to .sdmagic and .sbat sections
Those text sections had a trailing NUL byte. It's debatable whether this is a
good idea or not. Correctly written consumers will look at the section size so
they wouldn't need this. Shim doesn't use a trailing NUL, so let's follow suit.

Fixes https://github.com/systemd/systemd/issues/33731.

898e9edc46 reworked this code, but didn't actually
change the logic. We have always been appending the trailing zero by using a
NUL-terminated string as the section contents. (I checked this with v253.18
from before the elf2efi rework.)

.sdmagic contains a string like "#### LoaderInfo: systemd-boot 257~devel ####",
which changes with each version, so previous versions would compare unequal
anyway, so we don't need to worry about backwards compatibility.
2024-10-31 14:58:12 +01:00
Daan De Meyer 1f9425d1c4 mkosi: Install gdb in centos/fedora build image
Lack of gdb-add-index has become a fatal error in Rawhide/c10s so
let's install gdb to make rpmbuild happy.
2024-10-31 13:44:13 +00:00
Lennart Poettering a39c51799b string-util: also check for 0x1b 0x5c ST when stripping ANSI from strings 2024-10-31 11:38:18 +01:00
Lennart Poettering 0367424786 terminal-util: define ANSI_OSC as macro for the OSC terminal sequence prefix 2024-10-31 11:38:18 +01:00
Lennart Poettering de0ebee637 ptyfwd: document why we only honour two of the three kinds of ST 2024-10-31 11:38:18 +01:00
Lennart Poettering b8311af810 tree-wide: prefer generating 0x1B 0x5C as ANSI sequence "ST"
OSC sequences can be closed with one of three terminators:

1. ASCII code 7, aka BEL, aka ^G, aka \x07, aka \a
2. ASCII code 156, aka \x9c
3. Pair of ASCII code 27 followed by ASCII code 92, aka \x1b\x5c

Of these, in some corner case scenarios BEL causes problems (see #34604).
Hence switch away from that wherever we use it, and prefer the \x1b\x5c
instead. That's preferable over \x9c, since the latter is also a valid
UTF-8 codepoint. See discussion here for example:

https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda#the-escape-sequence

Fixes: #34604
2024-10-31 11:38:08 +01:00
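An added example (not systemd's code) of removing OSC sequences from an untrusted string before it reaches a terminal or a log viewer, honouring the BEL and ESC \ terminators listed above. It deliberately does not treat a bare 0x9c as a terminator, since that byte also occurs as a continuation byte inside UTF-8 text; the function names and sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (capacity cap, including the NUL) with every OSC
 * sequence (ESC ] ... terminator) removed. Returns the number of OSC
 * sequences dropped. An OSC that is never terminated swallows the rest
 * of the string, so a truncated sequence cannot leak its payload. */
static int strip_osc(const char *src, char *dst, size_t cap) {
    size_t o = 0;
    int dropped = 0;

    if (cap == 0)
        return 0;
    for (size_t i = 0; src[i]; ) {
        if (src[i] == '\x1b' && src[i + 1] == ']') {
            i += 2;
            dropped++;
            while (src[i]) {
                if (src[i] == '\a') {                           /* BEL terminator */
                    i++;
                    break;
                }
                if (src[i] == '\x1b' && src[i + 1] == '\\') {   /* ESC \ terminator */
                    i += 2;
                    break;
                }
                i++;    /* payload byte, including any 0x9c inside UTF-8 */
            }
            continue;
        }
        if (o + 1 < cap)
            dst[o++] = src[i];
        i++;
    }
    dst[o] = '\0';
    return dropped;
}

/* Convenience wrapper around a static buffer, for short demo strings only. */
static const char *osc_stripped(const char *src) {
    static char out[256];
    strip_osc(src, out, sizeof out);
    return out;
}

int main(void) {
    /* Constructed samples: window title closed with BEL, an OSC 8 hyperlink
     * closed with ESC \, and a title whose payload contains U+201C (E2 80 9C). */
    const char *samples[] = {
        "a\x1b]0;title\ab",
        "\x1b]8;;https://example.com\x1b\\link\x1b]8;;\x1b\\",
        "x\x1b]0;\xe2\x80\x9cq\xe2\x80\x9d\x1b\\y",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%s]\n", osc_stripped(samples[i]));
    return 0;
}
```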
Lennart Poettering e65b0904a0 string-util: it's called OSC sequence, not CSO sequence 2024-10-31 11:28:57 +01:00
Yu Watanabe 3d8f2c1464 resolve: do not try to send varlink error more than once
After d2ebf5cc1d, sd_varlink_error() and
friends return negative errno.

Fixes https://github.com/systemd/systemd/pull/34946#discussion_r1823703636.
2024-10-31 18:45:08 +09:00
Yu Watanabe 80f38c1f65 test-network: add test case for tunnel Local=dhcp4
For issue #24854.
2024-10-31 18:41:44 +09:00
Yu Watanabe b8b0c1a065 network: update tunnel or vxlan interface if the local address is changed
If a tunnel or vxlan is configured with Local=dhcp4 or so, then the
local address needs to be changed when it is changed.

Fixes #24854.
2024-10-31 18:41:44 +09:00
Yu Watanabe 76423f301e machine: lookup_machine_by_name_or_pidref() returns negative errno on failure
This effectively reverts d2c1451b73.

After the commit d2ebf5cc1d, sd_varlink_error()
returns negative errno, hence the function always returns negative errno
on failure.
2024-10-31 11:02:35 +09:00
Yu Watanabe 0ef4a21b09 machine: use JSON_BUILD_PAIR_STRV_ENV_PAIR_NON_EMPTY()
Also use JSON_BUILD_PAIR_UNSIGNED_NOT_EQUAL().
2024-10-31 11:02:35 +09:00
Yu Watanabe dbceb0507f sd-json: introduce JSON_BUILD_PAIR_STRV_ENV_PAIR_NON_EMPTY() macro
It is similar to JSON_BUILD_PAIR_STRV_NON_EMPTY, but takes the
list of environment variables.
2024-10-31 11:02:35 +09:00
Yu Watanabe 32d77f5df8 sd-json: use strv_env_get_merged() 2024-10-31 11:02:35 +09:00
Yu Watanabe 7633001cdd env-util: introduce strv_env_get_merged() 2024-10-31 11:02:35 +09:00
Yu Watanabe e4d477efc6 env-util: replace 'char **' with 'char**' 2024-10-31 11:02:35 +09:00
Yu Watanabe b1e11a252d TEST-13-NSPAWN: add test cases for listing multiple machines 2024-10-31 11:02:23 +09:00
Yu Watanabe f0fdefc045 TEST-13-NSPAWN: trivially kill all processes in the container on termination
Follow-up for 841988f80d.

No functional change, as $PID is 0 when the trap is inserted.
2024-10-31 10:59:14 +09:00
Yu Watanabe 1856ab4503 TEST-13-NSPAWN: check returned machine list 2024-10-31 10:59:14 +09:00
Yu Watanabe e79b58c825 TEST-13-NSPAWN: fix race between container exit and varlink call
Follow-up for 3cb72c7862.

The test container exits shortly, hence when varlinkctl is called, the
container may be already terminated. Let's make the container live
infinitely.
Also, this makes the os-release files removed after the container is started.
2024-10-31 10:59:14 +09:00
Yu Watanabe 20e1237ce1 machined: ACQUIRE_METADATA_NO is zero
Follow-ups for a94fbcaa35 and
9de215219c.
2024-10-31 10:59:14 +09:00
Yu Watanabe f283816acb machine: use sd_json_variant_append_arraybo() and JSON_BUILD_PAIR_VARIANT_NON_NULL()
Follow-up for 45755275e5.
2024-10-31 10:59:14 +09:00
Yu Watanabe 5310cf3354 NEWS: fix typo 2024-10-31 10:58:25 +09:00
Yu Watanabe ba63cc7448 sd-varlink: update comment 2024-10-31 09:52:15 +09:00
Lennart Poettering d2ebf5cc1d sd-varlink: change sd_varlink_error() to always return an error
Let's make sure that sd_varlink_error() always returns an error code, so
that we can use it in a style "return sd_varlink_error(…);" everywhere,
which has two effects: return a good error reply to clients, and exit
the current stack frame with a failure code.

Interestingly sd_varlink_error_invalid_parameter() already worked like
this in some cases, but sd_varlink_error() itself didn't.

This is an alternative to the error handling tweak proposed in #34882,
but I think is a lot more generically useful, since it establishes a
pattern.

I checked our codebase, and this change should generally be OK without
breaking callsites, since the current callers (with exception of the
machined case from #34882) called sd_varlink_error() in the outermost
varlink method call dispatch stack frame, where this behaviour change
does not alter anything.

This is similar btw, how sd_bus_error_setf() and friends always return
error codes too, synthesized from its parameters.
2024-10-31 09:50:50 +09:00
Lennart Poettering 76a3af0630 sd-varlink: add helper VARLINK_STATE_WANTS_REPLY()
Let's add a helper that detects whether we still need to reply to a
state. This should make the logic easier to follow.
2024-10-31 09:50:50 +09:00
Lennart Poettering aa5e67ae6f sd-varlink: don't show error code we already decoded as part of the log message 2024-10-31 09:50:50 +09:00
Lennart Poettering 0118074f85 sd-varlink: if we reply to errors without passing to callback, go through regular error path
If replying with an error fails, we should fail the whole connection,
and not leave the connection in a weird state.
2024-10-31 09:50:50 +09:00
Yu Watanabe 885691d454
firstboot: several cleanups (#34958)
Split out of #33226
2024-10-31 08:05:39 +09:00
Lennart Poettering 2ff3adeb29 sd-json: don't use C99 bool in public headers
All our public headers strive for C90 compatibility with a few
extensions, and thus avoided stdbool.h and bool.

The sd_json_format_enabled() helper seems like a poor place to start
requiring stdbool.h now.

Also drop __extension__ since we are not using it anywhere else in very
similar inline functions.

(And we probably should drop any _sd_const declarations on inline
functions. Given that the compiler has the function implementation
around always, because it's in the header there's really no reason to
specify this manually, the compiler can trivially figure this out on its
own. But that's for another time.)
2024-10-31 07:59:41 +09:00
Yu Watanabe cb15aa7b37
network: support reconfiguring netdev (#34909)
Closes #9627
Closes #27177.
Closes #34907.
Replaces #22557.
2024-10-31 07:01:46 +09:00
Lennart Poettering 42c8f1c761 machined: port to pty_open_peer_racefree() 2024-10-30 22:37:44 +01:00
Lennart Poettering 24a386e21a run: port over to new pty_open_peer() call 2024-10-30 22:37:44 +01:00
Lennart Poettering fc9dc71a3f terminal-util: add pty_open_peer() helper
This opens a pty peer in one go, and uses the new race-free TIOCGPTPEER
ioctl() to do so – if it is available.
2024-10-30 22:37:44 +01:00
Lennart Poettering fbd2679f66 terminal-util: various minor modernizations
Various fixes:

1. Adds O_CLOEXEC for two socketpair()s where we forgot it.

2. Uses FORK_WAIT instead of manual wait_for_terminate_and_check()
   invocations.

3. Prefix opaque NULL/0 arguments with comments what they are.

4. Add a bunch of assert()s, and change flag validation in
   open_terminal() to be assert() (since flags mistakes are programming
   errors, not runtime errors).
2024-10-30 22:15:56 +01:00
Yu Watanabe 2e612ce1b7 man: update documentation for 'networkctl reload' 2024-10-31 05:33:10 +09:00
Yu Watanabe 0de5562413 test-network: test for reload of .netdev file of stacked netdev
For issue #9627, #27177, and #34907.
2024-10-31 05:30:40 +09:00
Yu Watanabe b3ae4e8622 network/netdev: replace old NetDev object with newer one on reload
Then, when a .netdev file of a stacked netdev is modified, the netdev
can be reconfigured with the updated setting by something like the
following way:
```
ip link del vlan99
networkctl reload
```

Note, removing the vlan interface in the above example may not be necessary,
e.g. when only VLAN flags, egress mapping, or ingress mapping are updated.
But, it is necessary when VLAN ID is updated.

Closes #9627.
Closes #27177.
Closes #34907.
Replaces #22557.
2024-10-31 05:30:40 +09:00
Yu Watanabe 890bd7225a network/netdev: reconfigure netdev if possible
Some netdev configs can be modified after the interface is created.
Let's allow to reconfigure existing interfaces.
2024-10-31 05:30:40 +09:00
Yu Watanabe 933d88f756 network/netdev: move calls of netdev_attach() and netdev_request_to_create() to netdev_load()
No functional change, preparation for later commits.
2024-10-31 05:30:40 +09:00
Daan De Meyer 954dd5242b mkosi: Ensure we build with debuginfo 2024-10-30 19:48:18 +00:00
Michal Sekletar d9fd1d3707 coredump: allow only empty messages after first "sentinel" 2024-10-30 19:45:31 +00:00
Michael Ferrari 178d80d719
firstboot: generalize prompt_loop more
Allows unifying the custom logic for the hostname and root shell. Root
password prompting remains separate as it's logic is substantially
different to the other prompts.
2024-10-30 20:13:56 +01:00
Michael Ferrari 26f9e08231
firstboot: use consistent wording for prompts 2024-10-30 20:13:53 +01:00
Michael Ferrari f4da5ed538
firstboot: clean up welcome message 2024-10-30 20:13:47 +01:00
Michael Ferrari d689dd88fd
firstboot: order non-interactive options last 2024-10-30 20:13:41 +01:00
Yu Watanabe f7d5d7c593
network/tunnel: reuse existing 6rd sit tunnel (#34938)
split-out of #34909.
2024-10-31 04:04:55 +09:00
Yu Watanabe 5251cb8254
network/netdev: do not try to update several parameters if the interface already exists (#34937)
split-out of #34909.
2024-10-31 04:04:33 +09:00
Yu Watanabe e725a91ab7
network: several cleanups for reloading .network files (#34933)
split-out of #34909.
2024-10-31 04:04:10 +09:00
Yu Watanabe 6ab12224c9
network: process queued remove requests on stop (#34871)
Fixes a regression caused by 85a6f300c1
and its later commits.
Fixes #34837.
2024-10-31 04:03:11 +09:00
Yu Watanabe d1fd45d145
mkosi: Update packaging specs to latest (#34951) 2024-10-31 02:31:03 +09:00
Yu Watanabe 59528e55af test-network: add test case for reuse of existing 6rd SIT tunnel 2024-10-31 02:09:31 +09:00
Lennart Poettering f2ef9f7760
Fix display of qrcodes by bsod and other related cleanups (#34914) 2024-10-30 17:44:40 +01:00
Daan De Meyer d9f4dad986 ask-password: Allow configuring the keyring timeout via an environment variable
In mkosi, we want an easy way to set the keyring timeout for every
tool we invoke that might use systemd-ask-password to query for a
password which is then stored in the kernel keyring. Let's make this
possible via a new $SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC environment
variable.

Using an environment variable means we don't have to modify every separate
tool to add a CLI option allowing to specify the timeout. In mkosi specifically,
we'll set up a new session keyring for the mkosi process linked to the user keyring
so that any pins in the user keyring are used if available, and otherwise we'll query
for and store password in mkosi's session keyring with a zero timeout so that they stay
in the keyring until the mkosi process exits at which point they're removed from the
keyring.
2024-10-30 17:43:53 +01:00
Luca Boccassi 14b0fcdf6d logind: add BlockWeakInhibited property
Fixes https://github.com/systemd/systemd/issues/34091
Follow-up for 804874d26a
2024-10-30 17:41:52 +01:00
Łukasz Stelmach 8144537a81 core: make mount(8) and swapon(8) inherit SMACK label from systemd
By default mount(8), umount(8), swapon(8) and swapoff(8) should run
with the SMACK label inherited from systemd rather than the default one
meant for services.

Fixes: aa5ae9711e
Follow-up-for: 20bbf5ee4c
2024-10-30 17:41:23 +01:00
Yu Watanabe ceae9f9a38 network/ipvlan: do not try to update MAC address 2024-10-31 01:06:25 +09:00
Yu Watanabe 6804bbdaf1 network/macsec: IFLA_MACSEC_PORT attribute cannot be changed
Also, though currently not supported by networkd,
  IFLA_MACSEC_CIPHER_SUITE, IFLA_MACSEC_ICV_LEN, IFLA_MACSEC_SCI
cannot be updated.
2024-10-31 01:06:25 +09:00
Yu Watanabe 49639363ab network/vxlan: do not try to update several parameters
Currently, netdev->ifindex is always zero when this function is called.
So, this does not change any behavior. Preparation for later commits.
2024-10-31 01:06:25 +09:00
Yu Watanabe 17c5337f7b network/netdev: introduce netdev_can_set_mac/mtu() helper functions
Several netdevs cannot set IFLA_ADDRESS or IFLA_MTU attribute on update.
Currently, the vtable field is unused, as we do not support updating
existing netdevs. Preparation for later commits.
2024-10-31 01:06:25 +09:00
Yu Watanabe 00c0a94498 network: use newly loaded Network object if a referenced NetDev object is updated
Even if .network file is not updated, referenced NetDev object may be
different. In that case, let's use the newly loaded Network object.
2024-10-31 00:58:47 +09:00
Yu Watanabe 173c9f639b network: drop no-op cleanup
- network_load() is always called with an empty OrderedHashmap, renamed the output
  parameter to 'ret'.
- When netdev_load() is called on startup, the hashmap is NULL. When it is
  called on reloading, the hashmap is not cleaned up.

Hence, these cleanups are always no-op. Let's drop them.
2024-10-31 00:58:42 +09:00
Yu Watanabe d16083557b network/netdev: update state file when NetDev object assignment is changed 2024-10-31 00:52:28 +09:00
Yu Watanabe 525c53a95a network: swap asterisk and space 2024-10-31 00:51:50 +09:00
Yu Watanabe f85213e8f6 github: drop workaround and use distro mold
Now, ubuntu-24.04 has mold-2.30.0+dfsg-1build1 .
See https://packages.ubuntu.com/noble/mold .
2024-10-31 00:34:48 +09:00
Yu Watanabe 58a011ba48 test-network: add test for DHCPv4 address removal on stop
For issue #34837.
2024-10-31 00:34:48 +09:00
Yu Watanabe db68e99046 network: process queued remove requests before networkd is stopped
This makes networkd process all queued remove requests when a
terminating or restarting signal is received. Otherwise, e.g. DHCPv4
address will not be removed on stop, especially when
KeepConfiguration=no.

Fixes a bug introduced by 85a6f300c1 and
its subsequent commits.

Fixes #34837.

Co-authored-by: Will Fancher <elvishjerricco@gmail.com>
2024-10-31 00:34:44 +09:00
Daan De Meyer f512934164 mkosi: update debian commit reference
* 2f288667e0 Install sysupdate.feature manpage
* 384393a955 d/systemd.postrm: delete more internal state directories on purge
2024-10-30 16:31:39 +01:00
Daan De Meyer a86b011158 mkosi: update arch commit reference
* 62c224b60c Specify --no-rebuild when calling meson install
* b5c20dc6b0 fix redirection for dash
* 7fef8e4cdd upgpkg: 256.7-1: new upstream release
2024-10-30 16:29:43 +01:00
Luca Boccassi 58ada3eab2
coredump: AccessContainer= bunch of followups (#34333)
Fixes #34130
2024-10-30 14:37:44 +00:00
Zbigniew Jędrzejewski-Szmek 07000101eb test-sbat: separate the two sbat sections 2024-10-30 15:22:25 +01:00
Zbigniew Jędrzejewski-Szmek c8b774463e NEWS: remove duplicated entry
The same item is described below.

Also reflow some paragraphs (presumably indented with emacs, which does this
wrong).
2024-10-30 15:09:26 +01:00
Zbigniew Jędrzejewski-Szmek 10faa40ba7 cryptenroll,homectl,journalctl: adjust messages before qrcodes
Users will generally know what a qrcode is, so let's not treat them as dumb and
explain that it can be scanned. OTOH, we should say what the qrcode contains
and it is useful to give a hint why the users would want to scan it. Reword
messages accordingly.

(Also, don't say "to your phone", when somebody might be using a stolen phone,
or something else than a phone.)
2024-10-30 15:03:18 +01:00
Zbigniew Jędrzejewski-Szmek abf1cae0a7 bsod: make message for qrcode more useful
People know what a qrcode is. We don't need to tell them to scan it.
Instead, we should say what the code contains.

While at it, rename "stream" to "f" in line with the usual style.
2024-10-30 15:03:17 +01:00
Adrian Vovk 89696521d2 man: warn that sysupdate's API is unstable
There are still some breaking changes we want to make to sysupdated, but
they'll potentially take months and we don't want to block the systemd
release for that long. So, we can instead mark sysupdate's API as
unstable
2024-10-30 14:45:16 +01:00
Michal Sekletar 65c75f99e1 test: add test coverage for EnterNamespace= 2024-10-30 12:38:27 +00:00
Michal Sekletár 13cd1db07f coredump: return correct error variable 2024-10-30 12:38:27 +00:00
Michal Sekletar e26a7e08f5 coredump: rename AccessContainer= to EnterNamespace= 2024-10-30 12:38:27 +00:00
Michal Sekletar b8fe1b1dc8 coredump: rework gather_pid_mount_tree_fd() 2024-10-30 12:38:27 +00:00
Michal Sekletar c287f0f7e9 coredump: use FORK_WAIT 2024-10-30 12:38:26 +00:00
Lennart Poettering 2ef87de9d3 core: add EXEC_DIRECTORY_TYPE_SHALL_CHOWN() helper
Let's make ConfigurationDirectory= a bit less "special-casey", by hiding
the fact that it's the only per-service dir we do not do chown()ing for
inside of a new EXEC_DIRECTORY_TYPE_SHALL_CHOWN() helper.
2024-10-30 13:33:29 +01:00
Michal Sekletar 84289ab90f coredump: store actual fd in appropriate variable 2024-10-30 12:20:40 +00:00
Michal Sekletar e5bad3a7b9 coredump: use FORK_LOG to get more precise logging 2024-10-30 12:20:40 +00:00
Michal Sekletar a88e72be2c coredump: fix coding style 2024-10-30 12:20:40 +00:00
Michal Sekletar 4698fd9769 coredump: get rid of redundant double space 2024-10-30 12:20:40 +00:00
Michal Sekletar 5e55410aca coredump: use more appropriate return code 2024-10-30 12:20:40 +00:00
Michal Sekletar a65ad191cd coredump: check for and close unexpected FDs 2024-10-30 12:20:40 +00:00
Michal Sekletar 7bfce97666 coredump: fix line spacing 2024-10-30 11:47:34 +00:00
Michal Sekletar d8a567dfc3 coredump: merge variable definitions 2024-10-30 11:47:34 +00:00
Michal Sekletar 0aea68721a coredump: rework attaching container mount trees 2024-10-30 11:47:34 +00:00
Lennart Poettering ba21b29039
docs: Update instructions for building distribution packages in HACKING.md (#34941)
When building distribution packages without building an image, the
distribution packages will only be located in mkosi.builddir/ now and
not in mkosi.output/, so update the documentation to reflect that.

Also add installation instructions for distributions other than
CentOS/Fedora while we're at it.
2024-10-30 12:11:28 +01:00
Daan De Meyer 7ae96246f6 docs: Update instructions for building distribution packages in HACKING.md
When building distribution packages without building an image, the
distribution packages will only be located in mkosi.builddir/ now and
not in mkosi.output/, so update the documentation to reflect that.

Also add installation instructions for distributions other than CentOS/Fedora
while we're at it.
2024-10-30 11:16:42 +01:00
Daan De Meyer a33f453702 docs: Align some comments in HACKING.md 2024-10-30 11:16:36 +01:00
hugo303 f172dfddde analyze: Add times in seconds for Activating and Activated in tooltip
Print the times in seconds in the tooltip to remove the need to count
and trying to follow the lines in the svg diagram in order to see at
what times these events happen.
2024-10-30 11:16:28 +01:00
Yu Watanabe 5e48fd0506 network/tunnel: allow Local=/Remote=any for all tunnel types
It seems there is no restriction for local and remote addresses.

Fixes #34930.
2024-10-30 10:29:07 +01:00
Yu Watanabe 7e322c3dd0 sd-netlink,network: do not set NLM_F_CREATE and NLM_F_EXCL flags if an interface index is specified
If an ifindex is specified, we are modifying the existing interface.
Hence, these flags should not be set. Otherwise, the request will be
refused with -EEXIST.
2024-10-30 10:28:18 +01:00
Daan De Meyer 0a1b553e2a
network: skip processing netdev if it is already detached (#34935)
split-out of #34909.
2024-10-30 10:27:24 +01:00
Daan De Meyer b6fed18772
pretty-print: add format-string version of draw_progress_bar() (#34939)
We often format the prefix string via asprintf() before, let's hence add
a helper for that.
2024-10-30 10:26:48 +01:00
Lennart Poettering dd9a8cb999 update NEWS 2024-10-30 09:13:48 +01:00
Lennart Poettering c79d38d412 update TODO 2024-10-30 09:06:37 +01:00
Lennart Poettering 5c11f6e0a9
core/service: support sd_notify() MAINPIDFD=1 and MAINPIDFDID= (#34932) 2024-10-30 08:45:25 +01:00
Lennart Poettering eae9e74f35
network: add missing else in dhcp_lease_load (#34927)
Fixes: 3fd6708cde (network: Serialize DNR servers)

---

Fixes: #34926
2024-10-30 08:39:15 +01:00
Ronan Pigott b31b99d76f network: Restrict the valid charset of DNR names
Not all possible DNS names will survive serialization. Restrict the set
of valid dns names to LDH encoded names.

Fixes: 25c33e3500 (network: parse RFC9463 DHCPv4 DNR option, 2024-01-16)
Fixes: a07e83cc58 (network: Parse RFC9463 DHCPv6 DNR option, 2024-01-17)
Fixes: 0c90d1d2f2 (ndisc: Parse RFC9463 encrypted DNS (DNR) option, 2024-01-19)
2024-10-29 14:18:37 -07:00
Lennart Poettering 91d640435d pretty-print: add format-string version of draw_progress_bar()
We often format the prefix string via asprintf() before, let's hence add
a helper for that.
2024-10-29 21:37:26 +01:00
Lennart Poettering 21abc0a943 pretty-print: rename draw_progress_bar_impl()→draw_progress_bar_unbuffered() 2024-10-29 21:37:26 +01:00
Lennart Poettering 6e492ae98a busctl: minor tweak to help text for --limit-messages= 2024-10-29 21:34:47 +01:00
Daan De Meyer 3dd0389ba0 import: Draw progress bars
Currently every progress update results in a new progress message
which is extremely verbose. Instead, let's use the progress bar infra
to draw a proper progress bar similar to what we do in systemd-repart
now.
2024-10-29 21:11:26 +01:00
Lennart Poettering 1322af50e5
progress-bar: issue Windows Terminal progress indicating ANSI sequences (#34929)
This generates the Windows Terminal OSC sequences indicating progress.
This lets the terminal know that we are doing a slow operation, and how
we are progressing.

Windows Terminal uses this in two ways: it shows a circle in the tab
that completes, and it highlights the progress in the task bar.

I found no Linux terminal that currently supports it, but also none that
didn't like it. Thankfully most terminals correctly ignore unrecognized
OSC sequences.

I think we should just merge this, and see if this trips up too many
people, but I have reason to believe this shouldn't be too bad.

And yes, I do work from Windows Terminal sometimes, ssh into my Linux
build systems, and it is really cute seeing the progress animation
there.
2024-10-29 21:00:15 +01:00
Luca Boccassi d140d478e2
sysusers: optionally create fully locked accounts (#34876)
Let's ramp up security for system user accounts, at least where
possible, by creating them fully locked (instead of just with an invalid
password). This matters when taking non-password (i.e. SSH) logins into
account.

Fixes: #13522
2024-10-29 18:46:14 +00:00
Yu Watanabe d252451482 network/tunnel: reuse existing 6rd SIT tunnel
The 6rd SIT tunnel configuration can be updated without recreating the
interface. Let's reuse existing tunnel.
2024-10-30 03:17:09 +09:00
Yu Watanabe dc3dfb72c8 network/tunnel: merge dhcp4_pd_create_6rd_tunnel_message() into dhcp4_pd_create_6rd_tunnel()
No functional change, just refactoring and preparation for later
commits.
2024-10-30 03:17:09 +09:00
Luca Boccassi a91c739a24
busctl: various bugfixes + tweaks (#34928)
Fixes: #34048
Replaces: #34796
Follow-up for: #33961
2024-10-29 18:15:16 +00:00
Michal Sekletar 3ed5c6aa9b analyze: don't use Yoda conditions 2024-10-29 18:08:04 +00:00
Michal Sekletar b189f0d455 analyze: modernize opening ELF binary a bit 2024-10-29 18:08:04 +00:00
Yu Watanabe 1003093604 network/netdev: skip processing netdev if it is already detached
No functional change, as currently networkd detaches NetDev objects only
on stop (or invalid .netdev file is loaded).
Preparation for later commits.
2024-10-30 03:07:32 +09:00
Yu Watanabe 3252a1f274 network/netdev: split out netdev_attach_name_full()
No functional change, preparation for later commits.
2024-10-30 03:07:32 +09:00
Mike Yuan c3ecb747f1
TEST-80-NOTIFYACCESS: don't specify --pid= if MAINPID= is provided explicitly
Otherwise, with recent additions, the MAINPIDFDID= generated by
systemd-notify would mismatch with overridden MAINPID=.
2024-10-29 18:42:16 +01:00
Mike Yuan e2037d07c0
notify: send MAINPIDFDID= for --pid= too if available 2024-10-29 18:42:15 +01:00
Mike Yuan 695323d90a
core/service: support sd_notify() MAINPIDFD=1 and MAINPIDFDID=
These serve as race-free alternatives for MAINPID= notification.
2024-10-29 18:42:15 +01:00
Mike Yuan 68d9aa7ede
shared/fdset: minor modernization 2024-10-29 18:38:42 +01:00
Lennart Poettering 89858a0513 mkosi: update fedora commit reference
* e42eed4afd test_sysusers_defined: support new ! line flag for creating fully locked accounts
* 2c6a4e2f90 Version 256.7
* bedc0270e7 Move yum/dnf protection removal config file under /usr
* 5a82129a41 Reword some descriptions
* ce99022f7b Version 256.6
2024-10-29 17:22:23 +01:00
Zbigniew Jędrzejewski-Szmek 99996d5f5e
Merge pull request #34245 from bluca/logind_drop_weak_delay_inhibitor
logind: drop new delay-weak inhibitor
2024-10-29 17:13:11 +01:00
Lennart Poettering 960b342dbf busctl: add the usual section highlighting to our --help texts 2024-10-29 16:50:13 +01:00
Lennart Poettering c00c6d1959 busctl: add a testcase that definitely causes the timeout to trigger 2024-10-29 16:50:11 +01:00
Lennart Poettering 0be245a637 busctl: if --timeout= or --limit-messages= are specified with no argument, reset to defaults.
Follow-up for: 989e843e75
See: #34048
2024-10-29 16:50:08 +01:00
Lennart Poettering 8187515aab busctl: rename --num-matches= → --limit-messages=
We should avoid unnecessary abbreviations for such messages, and this
puts a maximum limit on things, hence it should indicate this in the
name.

Moreover, matches is a bit confusing, since most people will probably
call "busctl monitor" without any match specification, i.e. zero
matches, but that's not what was meant here at all.

Also, add a brief switch for this (-N) since I figure in particular
"-N1" might be a frequent operation people might want to use.

Follow-up for: 989e843e75
See: #34048
2024-10-29 16:50:06 +01:00
Lennart Poettering 312dad32c1 busctl: fix timeout calculation for "busctl monitor"
The --timeout= logic was implemented incorrectly, as it would not put a
limit on the runtime of the operation, but only on the IO sleep.
However, spurious wakeups are possible, hence the timer would be reset
too often.

Fix that, by determining the absolute timestamp early, and checking
against that.

Follow-up for: 989e843e75
See: #34048
2024-10-29 16:49:55 +01:00
Mike Yuan aa61fe48e5
NEWS: be less misleading since systemd-run does not support ExtraFileDescriptors= yet 2024-10-29 16:35:35 +01:00
Lennart Poettering 99bd933fa2 meson.build: do not mark test-progress-bar as manual
It will finish on its own always and cleanly, and running it always
should increase test coverage.
2024-10-29 15:55:12 +01:00
Lennart Poettering 07b869b9c1 progress-bar: issue Windows Terminal progress indicating ANSI sequences
This generates the Windows Terminal OSC sequences indicating progress.
This lets the terminal know that we are doing a slow operation, and how
we are progressing.

Windows Terminal uses this in two ways: it shows a circle in the tab
that completes, and it highlights the progress in the task bar.

I found no Linux terminal that currently supports it, but also none that
didn't like it. Thankfully most terminals correctly ignore unrecognized
OSC sequences.

I think we should just merge this, and see if this trips up too many
people, but I have reason to believe this shouldn't be too bad.

And yes, I do work from Windows Terminal sometimes, ssh into my Linux
build systems, and it is really cute seeing the progress animation
there.
2024-10-29 15:54:08 +01:00
Lennart Poettering ebc64de22f udevadm: automatically enable JSON-SEQ in case JSON is used for "udevadm info -a"
We are going to output a series of JSON objects, hence let's
automatically enable JSON-SEQ output mode, as we usually do.

"jq --seq" supports this natively, hence this should not really restrict
us.

Follow-up for: 67ea8a4c0e
2024-10-29 22:39:59 +09:00
Daan De Meyer 7aea1c9e80 mkosi: Move copying packages to the output directory to the postinst script
Now that we have the mkosi.clangd script to run clangd from the mkosi
build script, it becomes clear that doing cleanup with mkosi.clean has
a big gap in that we always run the mkosi.clean script and thus we also
run it when we run the mkosi.clangd script, causing the previously built
packages to be removed when we run clangd without producing new ones.

In mkosi we're improving the situation by only running clean scripts when we
clean up the output directory and disallowing writing to the output directory
from build scripts.

Let's adapt systemd to these changes by moving the copying of packages to the
output directory to the postinst script.
2024-10-29 11:28:47 +01:00
Lennart Poettering 5ada96c842 test: test new 'u' sysusers.d lines 2024-10-29 11:00:13 +01:00
Lennart Poettering a4c0528f14 sysusers.d: lock all system users defined by us 2024-10-29 11:00:13 +01:00
Lennart Poettering 2ec7977e1b sysusers: add new ! line flag for creating fully locked accounts
Fixes: #13522
2024-10-29 11:00:13 +01:00
Lennart Poettering 815569791f
Merge pull request #34391 from poettering/dns-long-label-fix
resolved: fixes when trying to serialize overly long DNS names
2024-10-29 10:47:14 +01:00
Zbigniew Jędrzejewski-Szmek 439306da8b qrcode-util: avoid memleak in error path 2024-10-29 09:41:54 +01:00
Zbigniew Jędrzejewski-Szmek b137b29798 test-terminal-util: print value of colors_enabled()
This makes it easier to diagnose why colors are disabled.
2024-10-29 09:41:26 +01:00
Zbigniew Jędrzejewski-Szmek 5a64c86936 bsod: do not check for color support
When invoked on a running system, bsod would not print the qrcode.
The check for "color support" on stdout is pointless, since we're not
printing to stdout but to a terminal fd that is opened separately.
2024-10-29 09:41:23 +01:00
Ronan Pigott f54f473b36 network: add missing else in dhcp_lease_load
Fixes: 3fd6708cde (network: Serialize DNR servers)
2024-10-28 20:59:17 -07:00
Yu Watanabe f27ae592f7 update-utmp: wait slightly longer for the private bus socket being active
Before a339495b1d, update-utmp typically
connects the public DBus socket when disconnected from the private DBus
socket, as dbus service should be active even while PID1 is being reexecuted.

However, after a339495b1d, update-utmp
tries to connect only the private DBus socket, but reexecution of PID1
may be slow, hence all trials may fail when the reexecution is slow.

With this change, now it waits for 100ms to 2000ms, so in total it waits
about 37 seconds on average, previously about 4 seconds.
2024-10-29 08:43:21 +09:00
Lennart Poettering b7f84f76fc man: fix return parameter type of sd_device_get_device_id() 2024-10-29 00:19:16 +01:00
David Michael 3eec82f6b3 socket: support setting ownership of message queues
This applies the existing SocketUser=/SocketGroup= options to units
defining a POSIX message queue, bringing them in line with UNIX
sockets and FIFOs.  They are set on the file descriptor rather than
a file system path because the /dev/mqueue path interface is an
optional mount unit.
2024-10-28 23:40:42 +01:00
Lennart Poettering 2b7a56d286 update NEWS for v257 2024-10-28 23:38:24 +01:00
Yu Watanabe feb9ccb56e
Merge pull request #34633 from keszybz/sd-json-enum-formatting
Add sd_json_format_enabled() helper
2024-10-29 03:29:03 +09:00
Yu Watanabe 3499e87885
Merge pull request #34806 from ryantimwilson/protect-control-groups
cgroup: Add support for ProtectControlGroups= private and strict
2024-10-29 02:53:11 +09:00
Pavel Borecki ab5715e1cd po: Translated using Weblate (Czech)
Currently translated at 86.5% (219 of 253 strings)

Co-authored-by: Pavel Borecki <pavel.borecki@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/cs/
Translation: systemd/main
2024-10-29 01:50:01 +09:00
Ryan Wilson cd58b5a135 cgroup: Add support for ProtectControlGroups= private and strict
This commit adds two settings private and strict to
the ProtectControlGroups= property. Private will unshare the cgroup
namespace and mount a read-write private cgroup2 filesystem at /sys/fs/cgroup.
Strict does the same except the mount is read-only. Since the unit is
running in a cgroup namespace, the new root of /sys/fs/cgroup is the unit's
own cgroup.

We also add a new dbus property ProtectControlGroupsEx which accepts strings
instead of boolean. This will allow users to use private/strict via dbus
and systemd-run in addition to service files.

Note private and strict fall back to no and yes respectively if the kernel
doesn't support cgroup2 or system is not using unified hierarchy.

Fixes: #34634
2024-10-28 08:37:36 -07:00
Ryan Wilson 5fe2923828 core: Refactor ProtectControlGroups= to use enum vs bool
This commit refactors ProtectControlGroups= from using a boolean
in the dbus/execute backend to using an enum. There is no functional
change but this will allow adding new non-boolean values (e.g. strict,
private) a la PrivateHome.
2024-10-28 06:42:53 -07:00
Zbigniew Jędrzejewski-Szmek f0764b98e5 qrcode-util: add debug message to show why a qrcode wasn't printed 2024-10-28 14:04:06 +01:00
Zbigniew Jędrzejewski-Szmek bb56c27fc8 sysv-generator: break long message into lines
The journal handles multi-line messages nicely, and they are easier
to read. Drop the recycling symbol, there is no circular process here,
we go from a to b and never back to a again.
2024-10-28 14:04:06 +01:00
Zbigniew Jędrzejewski-Szmek 23441a3d88 sd-json,tree-wide: add sd_json_format_enabled() and use it everywhere
We often used a pattern like if (!FLAGS_SET(flags, SD_JSON_FORMAT_OFF)),
which is rather verbose and also contains a double negative, which we try
to avoid. Add a little helper to avoid an explicit bit check.

This change clarifies an additional thing: in some cases we treated
SD_JSON_FORMAT_OFF as a flag (flags & SD_JSON_FORMAT_OFF), while in other cases
we treated it as an independent enum value (flags == SD_JSON_FORMAT_OFF).
In the first form, flags like SD_JSON_FORMAT_SSE do _not_ turn the json
output on, while in the second form they do. Let's use the first form
everywhere.

No functional change intended.

Initially I wasn't sure if this helper should be made public or just internal,
but it seems such a common pattern that if we expose the flags, we might just
as well expose it too, to make life easier for any consumers.
2024-10-28 09:23:07 +01:00
Zbigniew Jędrzejewski-Szmek dc32b09b70 sd-id128: mark functions as const, not pure
We would need to use pure if the function was getting pointers and
dereferencing them. But sd128_t is a structure and those functions
only access the parameters of the call.
2024-10-28 09:23:07 +01:00
Zbigniew Jędrzejewski-Szmek 955c51c087 sd-common: add __const__
const is stronger than pure, see
https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-pure-function-attribute
and
https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-const-function-attribute.
2024-10-28 09:23:07 +01:00
Zhou Qiankang 85d0aff84c meson: add loongarch64's definition to cpu_arch_defines
The default definition to add is `-D__loongarch64__`, which is not searched in [bpf_tracing.h](09b9e83102/src/bpf_tracing.h (L68))

This may avoid `error: Must specify a BPF target arch via __TARGET_ARCH_xxx` in loongarch64

Signed-off-by: Zhou Qiankang <wszqkzqk@qq.com>
2024-10-28 15:21:55 +09:00
Mike Yuan 9b42c58a2b
TEST-03-JOBS: add test case for #34758 2024-10-27 20:04:58 +01:00
Mike Yuan 7a13937007
core/service: don't propagate stop jobs if RestartMode=direct
The goal of RestartMode=direct is to make restarts invisible
to dependents, so auto restart jobs shouldn't bring them down
at all. So far we only skipped going through failed/dead states
in service_enter_dead(), i.e. the unit would never be considered
dead. But when constructing restart transaction, the stop job
would be propagated to dependents. Consider the following 2 units:

dependent.target:
[Unit]
BindsTo=a.service
After=a.service

a.service:
[Service]
ExecStart=bash -c 'sleep 100 && exit 1'
Restart=on-failure
RestartMode=direct

Before this commit, even though BindsTo= isn't triggered since
a.service never failed, when a.service auto-restarts, dependent.target
is also restarted. Let's suppress it by using JOB_REPLACE instead of
JOB_RESTART_DEPENDENCIES in service_enter_restart().

Fixes #34758

The example above is subtly different from the original report,
to illustrate that the new behavior makes sense for less exotic
use cases too.
2024-10-27 20:02:47 +01:00
Mike Yuan 569269d02d
core: make refuse_late_merge a proper attr of Job and introduce TRANSACTION_REENQUEUE_ANCHOR 2024-10-27 20:02:47 +01:00
Mike Yuan d993ad6c6f
core/manager: introduce manager_add_job_full() which takes extra TransactionAddFlags
No functional change. Preparation for later commits.
2024-10-27 20:02:46 +01:00
Mike Yuan 215ffd6c1f
core/job: trivial modernization 2024-10-27 20:02:46 +01:00
Mike Yuan 2c0ce41cb8
core: drop effectively unused UNIT_ATOM_PROPAGATE_RESTART
Restart jobs are always run as stop jobs initially, and later get
converted to start jobs by job engine. Hence UNIT_ATOM_PROPAGATE_STOP
should and does cover the restart case, as currently all dep types
with _RESTART also carry _STOP. Drop UNIT_ATOM_PROPAGATE_RESTART.
2024-10-27 20:02:46 +01:00
Mike Yuan 1e8f0beee4
core/service: use log_unit_* where appropriate 2024-10-27 20:02:46 +01:00
Andika Triwidada e127c66985 po: Translated using Weblate (Indonesian)
Currently translated at 100.0% (253 of 253 strings)

Co-authored-by: Andika Triwidada <andika@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/id/
Translation: systemd/main
2024-10-27 17:14:54 +09:00
Yu Watanabe 99b76684d7
Merge pull request #34902 from ryantimwilson/root-dir-not-exists-error
core: Add RootDirectory= path to error message if directory does not exist
2024-10-27 13:49:05 +09:00
Ryan Wilson 141dfbe537 core: Add RootDirectory= path to error message if directory does not exist
A colleague reported when RootDirectory= does not exist, systemd reports an error like:
```
Failed to set up mount namespacing: No such file or directory
```

Unfortunately, with large spec files, it can be hard to diagnose which path systemd is talking
about. Thus, to make the error message more helpful and similar to mount error messages, we add
the root directory/image path into the error message like:
```
Failed to set up mount namespacing: /tmp/thisdoesnotexist: No such file or directory
```
2024-10-26 15:33:30 -07:00
Ryan Wilson e73c042be6 core/execute: Rename error_path -> reterr_path/ret_path per coding guidelines
This is a non-functional change to ensure error_path used to print out the
offending mount causing an error follows coding guidelines.
2024-10-26 15:28:49 -07:00
Yu Watanabe 7354936ef7 core/cgroup: rename CGROUP_PRESSURE_WATCH_ON/OFF -> CGROUP_PRESSURE_WATCH_YES/NO
No functional change, but let's print yes/no rather than on/off in systemd-analyze.

Similar to 2e8a581b9c and
edd3f4d9b7.
(Note, the commit messages of those commits are wrong, as
 parse_boolean() supports on/off anyway.)
2024-10-27 03:04:35 +09:00
Sascha Mester f2eccaab34
hwdb: add Stream Deck Neo (#34903) 2024-10-27 00:27:29 +09:00
Yu Watanabe 5dc0668802 sd-event: fix memleak when built without assertion
Fixes a bug introduced by baf3fdec27.

This also adds several assertions at the beginning of the function.

Fixes #34899.
2024-10-26 17:21:34 +02:00
Yu Watanabe ddeb701b55 man: fix typo
Follow-up for 115fac3c29.
2024-10-26 14:00:38 +09:00
Yu Watanabe f7804c1aa2 basic/missing: add short comment about when CLONE_NEWCGROUP is added 2024-10-26 13:59:19 +09:00
Integral ddb8a639d5
tree-wide: replace for loop with FOREACH_ELEMENT or FOREACH_ARRAY macros (#34893) 2024-10-26 07:10:22 +09:00
Yu Watanabe f7078de515
Merge pull request #34884 from poettering/run0-disconnect-fix
run: reconnect if our dbus connection is terminated
2024-10-26 02:50:48 +09:00
Yu Watanabe 6d6048b4cb
Merge pull request #34881 from poettering/run0-ui-tweaks
run0: various UI tweaks
2024-10-26 02:49:48 +09:00
Ivan Kruglov 10a48938ef machine: operation should not send a response when 'done' callback set 2024-10-26 02:45:53 +09:00
Lennart Poettering b58b13f1c6 test: add brief testcase for systemd-run disconnect handling 2024-10-25 17:51:04 +02:00
Lennart Poettering c8f59296bf run: reconnect if our dbus connection is terminated
We must be prepared that systemd temporarily drops off the bus or
disconnects our direct connections (due to systemctl daemon-reexec or
so). Hence automatically reconnect when we watch the unit status, and
handle this case gracefully.

Fixes: #32906 #27204
2024-10-25 17:51:04 +02:00
Lennart Poettering d585085f57 update TODO 2024-10-25 17:32:19 +02:00
Lennart Poettering ff4b6a1915 run: drop "-" prefix from command line when generating unit description
Let's not confuse users with the login shell indicator and drop it from
the description. This means a run0 session will now usually show up with
a description of "[run0] /bin/bash" rather than "[run0] -/bin/bash".
2024-10-25 17:32:19 +02:00
Lennart Poettering d9f68f48f7 run: prefix unit description with our own process name
I think we should try to communicate clearly if something is a run0
session, or a systemd-run invocation. Hence, let's initialize the
description so that the command is prefixed by
program_invocation_short_name.

Effectively this means that our run0 sessions now appear as services
with a description of "[run0] -/bin/bash"
2024-10-25 17:32:19 +02:00
Lennart Poettering 0310b2a60b run: tweak how we name our transient units
The current logic is a bit complex how systemd-run units are called. It
used to be just the unique ID of the dbus connection. Which was nice,
since its system-widely, uniquely assigned to us. But this didn't work
out well, due to direct connections to PID 1 and due to soft reboots.

We nowadays have a better ID to use though, with nicer properties: the
kernel manages a pidfd ID for every process after all, and it's globally
unique, for any process, and regardless of soft reboots. Hence use that
for naming preferably, and just keep one branch with a randomized name
as fallback.
2024-10-25 17:32:19 +02:00
Lennart Poettering 115fac3c29 run0: optionally show superhero emoji on each shell prompt
This makes use of the infra introduced in 229d4a9806 to indicate visually on each prompt that we are in superuser mode temporarily.
pick ad5de3222f userdbctl: add some basic client-side filtering
2024-10-25 17:31:06 +02:00
Lennart Poettering 9d8f5e22f8
Merge pull request #34891 from poettering/run0-pty
run0: add --pty and --pipe switches to force allocation of a pty or pipe
2024-10-25 16:25:01 +02:00
Lennart Poettering 6fb0c52295 ci: add some basic testing of the new --pty and --pipe switches 2024-10-25 14:14:26 +02:00
Lennart Poettering edd10ab29c run0: add options to force allocation of PTY or of pipe use
Fixes: #33033
2024-10-25 14:14:26 +02:00
Lennart Poettering 988053eac3 tree-wide: use isatty_safe() everywhere 2024-10-25 14:09:38 +02:00
Lennart Poettering a586f57eb2 update TODO 2024-10-25 13:57:44 +02:00
Lennart Poettering c18ac81f17
Merge pull request #34877 from aafeijoo-suse/veritysetup-fixes
veritysetup-generator: minor man/code changes
2024-10-25 10:06:31 +02:00
Lennart Poettering c4363051e4
Merge pull request #34880 from poettering/change-user-on-pam-always
core: make sure that if PAMName= is set we always do the full user ch…
2024-10-25 09:22:03 +02:00
Lennart Poettering f515ea1cd4 test: add quick test to verify the PAM stack really ran in all run0 modes of operation 2024-10-24 22:56:44 +02:00
Lennart Poettering e4b4d9cc7a core: make sure that if PAMName= is set we always do the full user changing even if no user is specified explicitly
When PAMName= is set this should be enough to go through our entire user
changing story, so that PAM is definitely run, and environment variables
definitely pulled in and so on.

Previously, it would happen that under some circumstances we might not do
this when transitioning from root to root itself even though PAM was
enabled.

Fixes: #34682
2024-10-24 22:37:00 +02:00
Lennart Poettering 210fb8626f
Merge pull request #34875 from poettering/userdbctl-filter
userdbctl: add some basic client-side filtering
2024-10-24 22:36:22 +02:00
Lennart Poettering 4167e9e210 user-util: tighten shell validation a tiny bit 2024-10-24 22:28:17 +02:00
Mike Yuan 4e69da071d
Merge pull request #34799 from YHNdnzj/service-followups
core: follow-ups for live mount
2024-10-24 19:44:10 +02:00
Lennart Poettering 1c6f542e81 ci: give new userdbctl some CI exposure 2024-10-24 10:17:35 +02:00
Lennart Poettering 9bbc424a60 user-record: fix indentation 2024-10-24 10:17:35 +02:00
Lennart Poettering c17a76982a userdbctl: set shell/home cell type to TABLE_PATH
This only matters for sorting, and we currently don't support sorting by
path, hence this is of no real effect, but it certainly is more correct.
2024-10-24 10:17:35 +02:00
Lennart Poettering 2ea94b145e userdbctl: grey out nologin shell in tabular output 2024-10-24 10:17:35 +02:00
Lennart Poettering 8bc86b1944 userdbctl: optionally hide UID range boundaries in output 2024-10-24 10:17:35 +02:00
Lennart Poettering ad5de3222f userdbctl: add some basic client-side filtering
This adds some basic client-side user/group filtering to "userdbctl":

1. by uid/gid min/max
2. by user "disposition" (i.e. show only regular users with "userdbctl
   user -R")
3. by fuzzy name (i.e. search by substring/levenshtein of user name,
   real name, and other identifiers of the user/group record).

In the long run we also want to support this server side, but let's
start out with doing this client-side, since many backends won't support
server-side filtering anytime soon anyway, so we need it in either case.
2024-10-24 10:17:23 +02:00
Antonio Alvarez Feijoo 11de19f3da
veritysetup-generator: remove unused code 2024-10-24 10:07:45 +02:00
Antonio Alvarez Feijoo e98e3f856d
man/veritysetup-generator: document veritytab kernel command line option 2024-10-24 10:07:28 +02:00
Antonio Alvarez Feijoo dcbfc7872e
man: fix links to veritysetup(8) 2024-10-24 09:54:48 +02:00
Yu Watanabe e7c567cc78 man: insert a comma before 'and'
Follow-up for bd91f23acf.
2024-10-24 16:42:59 +09:00
Yu Watanabe 81d1fcce97
Merge pull request #27916 from yuwata/test-execute-credstore
test: update permission of credstore
2024-10-24 16:34:49 +09:00
Yu Watanabe 4e83ac4029 Revert "TEST-55-OOMD: workaround for kernel regression in 6.12-rcX"
This reverts commit 88bbf187a9.

The kernel regression has been hopefully fixed by
c650812419
which is included in 6.12-rc4.
Let's drop the workaround.
2024-10-24 09:10:15 +02:00
Anders Jonsson 24cc5082f6 po: Translated using Weblate (Swedish)
Currently translated at 100.0% (253 of 253 strings)

Co-authored-by: Anders Jonsson <anders.jonsson@norsjovallen.se>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/sv/
Translation: systemd/main
2024-10-24 15:08:50 +09:00
Daan De Meyer c2c75d5ade docs: Mention that a local build might be required to use mkosi
Currently we need ukify with support for --profile and --join-profile
which isn't in an official release yet so mention that a local build
from source might be required.
2024-10-24 05:33:30 +09:00
Yu Watanabe 491c903dbe man/network: suggest to not request IA_NA when received RA with Managed bit unset
Follow-up for 1f5a052963.
2024-10-24 05:32:40 +09:00
Yu Watanabe 228e26ba03
Merge pull request #34834 from yuwata/protect-home-tmpfs-read-only
core/namespace: make ProtectHome=tmpfs makes /home and friends read-only as documented
2024-10-24 05:32:12 +09:00
Łukasz Stelmach 20bbf5ee4c core: don't forget about fallback_smack_process_label
Call setup_smack() also when only fallback_smack_process_label is set.

Fixes: 75689fb2d4
2024-10-24 03:24:29 +09:00
Yu Watanabe 5811a0117c core/namespace: replace MOUNT_PRIVATE_TMP_READ_ONLY with MOUNT_PRIVATE_TMP with .read_only = true 2024-10-24 03:05:06 +09:00
Yu Watanabe d69ee5acdc core/namespace: coding style cleanups 2024-10-24 03:05:06 +09:00
Yu Watanabe 0cc496b2d2 core/namespace: honor MountEntry.read_only, .options, and so on in static entries
Otherwise, ProtectHome=tmpfs makes /home/ and friends not read-only.
Also, mount options for /run/ specified in MountAPIVFS=yes are not
applied.

The function append_static_mounts() was introduced in
5327c910d2, but at that time, there were
neither .read_only nor .options in the struct. But, when later the
struct is extended, the function was not updated and they were not
copied from the static table.
The fields have been used in static tables since
e4da7d8c79, and also in
94293d65cd.

Fixes #34825.
2024-10-24 02:59:46 +09:00
Integral b6b8527cd1
refactor: replace sizeof in loop with ELEMENTSOF & FOREACH_ELEMENT (#34863) 2024-10-23 10:32:02 +02:00
Lennart Poettering 4d5d574906 update TODO 2024-10-23 10:27:04 +02:00
Yu Watanabe 967c586e9c man/network: fix typo
Follow-up for 1f5a052963.
2024-10-23 17:25:37 +09:00
Yu Watanabe f0b974050d measure: fix typo
Follow-up for 0005411352.
2024-10-23 17:25:37 +09:00
Yu Watanabe 82d8a2c810 TEST-55-OOMD: fix typo
Follow-up for 63d4c4271c.
2024-10-23 17:25:37 +09:00
Lennart Poettering efaa5e0539
Merge pull request #34850 from poettering/openat-report-new-tweaks
openat_report_new() tweaks
2024-10-23 10:25:18 +02:00
Ronan Pigott c7c9e3c7c0 network: adjust log message about DNR
The only possible error return in this position is -ENODATA, which is
not interesting.
2024-10-23 10:24:39 +02:00
Lennart Poettering 53c5073858
Merge pull request #34861 from poettering/can-idle
logind: introduce CanIdle/CanLock properties on logind session dbus objects
2024-10-23 10:24:23 +02:00
Lennart Poettering 953ab98744 resolved: add test case from #33671 2024-10-23 10:22:28 +02:00
Lennart Poettering e637856117 resolved: explicitly refuse adding invalid DNS names to DNS packets
Fixes: #33671
2024-10-23 10:22:28 +02:00
Lennart Poettering 360105f1e7 resolved: when adding names to packet fails, remove them from label compression hash table again
let's make sure we undo any pollution of the label compression hash
table.

Fixes: #33671
2024-10-23 10:22:28 +02:00
Lennart Poettering 8ed2c62d46 dns-domain: tweak hash table comparison function for DNS names
Currently, when comparing two DNS names when storing them in a
hashtable, and the DNS names are not actually valid we'll compare the
error codes.

This is not very smart however, since this means two invalid DNS names
that happen to be equally "invalid" will be considered identical, even
if their strings are entirely different.

Let's find a better solution for this niche case: let's simply compare
the domains as strings.

This matters in case of DNS label compression: if we already added
an invalid DNS name into the label compression hash table, and lookup
any other invalid DNS name, this lookup will likely return what the
earlier one already returned, and that's confusing.
2024-10-23 10:22:28 +02:00
Lennart Poettering 87d6a9fb2e dns-packet: refuse reading overlong DNS names from packets
Even if we have no problem processing them they are invalid according to
RFC, hence refuse.

Fixes: #34416
2024-10-23 10:22:28 +02:00
Luca Boccassi dfe68da9c4 mkosi: update debian commit reference
* 07a294d0c6 Do not mask systemd-gpt-auto-generator in upstream CI builds
* 5636398bf7 Backport patch to fix test failures with tzdata 2024b-1
* 354ded4946 Update changelog for 256.7-2 release
* e38c7c5345 Backport fixes for upstream autopkgtest suite
* 249676834c Disable utmp support, not y2038 safe
* 822d44da42 initramfs-tools: support missing /etc/udev/udev.conf
* ad71ebf700 systemd-boot: depend on systemd for kernel-install
* 5bf7008ef8 d/systemd.postinst: do not restart systemd-binfmt.service if masked
* 58d5aa1b41 d/rules: mask systemd-gpt-auto-generator on Ubuntu
* 481987d85c Update changelog for 256.7-1 release
* ce7f3d4b43 Revert "autopkgtest: skip TEST-64-UDEV-STORAGE due to qemu crash"
* 7007e73b22 Mark dependencies on clang and bpftool as :native
*   0e120cf704 Update upstream source from tag 'upstream/256.7'
|\
| * 914aae055c New upstream version 256.7
* fcea89cb00 d/t/upstream: honor /etc/apt configured by autopkgtest
2024-10-23 15:21:25 +09:00
Mike Yuan 810d94b429
Merge pull request #34860 from enr0n/varlinkctl-fixes
Fix varlinkctl output with `--more`
2024-10-22 23:46:33 +02:00
Luca Boccassi 5ff6841c23 logind: allow read/write to char-hvc devices
virtio console uses /dev/hvc* so we need access to write wall
messages
2024-10-22 23:44:47 +02:00
Mike Yuan f19afb2177
core: clean up errors for live mounting
* Use SD_BUS_ERROR_NOT_SUPPORTED where appropriate
* Use Service object in service_can_live_mount()
* Include errno in bus error message
2024-10-22 19:52:24 +02:00
Mike Yuan f5b0e4f92e
core/service: fix one wording 2024-10-22 19:51:02 +02:00
Mike Yuan 78270121c3
core/service: add missing serialization for Service.live_mount_result 2024-10-22 19:51:01 +02:00
Mike Yuan 20366875f9
core/service: call service_enter_running() if live mount fails
service_enter_running() would re-arm timer for RuntimeMaxSec=,
hence it should be called instead of disabling timer completely
when live mount operation fails, in a similar fashion as
service_enter_reload_by_notify().
2024-10-22 19:51:01 +02:00
Mike Yuan a6eeca9a00
core/service: introduce service_live_mount_finish()
that combines updating Service.live_mount_result and
service_mount_request_reply()
2024-10-22 19:19:47 +02:00
Mike Yuan a53e92a17c
core/service: place occurrences of SERVICE_MOUNTING closer to reload states 2024-10-22 19:19:47 +02:00
Mike Yuan b8fa230596
core/unit: put the reload job back to queue if unit is refreshing 2024-10-22 19:19:46 +02:00
Mike Yuan c240f293b8
shared/bus-util: debug log when falling back to session bus
Follow-up for d0316b7a0d
2024-10-22 19:19:46 +02:00
Mike Yuan d845254b7f
basic/fs-util: move unlink_tempfilep() to tmpfile-util 2024-10-22 19:19:39 +02:00
Mike Yuan 7e40b51a2e
man/org.freedesktop.systemd1: complete version info for ManagedOOMMemoryPressureDurationUSec
Follow-up for 63d4c4271c

Some unit types were left out.
2024-10-22 19:12:27 +02:00
Lennart Poettering 1bf9e308eb logind: also check session class in session_get_idle_hint() 2024-10-22 18:44:05 +02:00
Lennart Poettering 4096fcde09 logind: use RET_GATHER() at one more place 2024-10-22 18:44:05 +02:00
Lennart Poettering bd91f23acf logind: add CanIdle + CanLock dbus properties to session object
Clients should be able to know if the idle logic is available on a
session without secondary knowledge about the session class. Let's hence
expose a property for that.

Similar for the screen lock concept.

Fixes: #34844
2024-10-22 18:44:05 +02:00
Nick Rosbrook ebc8b9e45b varlinkctl: set SD_JSON_FORMAT_FLUSH when --more is set
This makes it possible to process continuous replies with jq etc.
2024-10-22 12:09:55 -04:00
Nick Rosbrook c89b578f33 varlinkctl: do not clobber format flags in verb_call
Currently, when SD_JSON_FORMAT_OFF is set in verb_call, the json format
flags are set to SD_JSON_FORMAT_PRETTY_AUTO|SD_JSON_FORMAT_COLOR_AUTO,
rather than or'ing those flags in. This means that other flags that may
have been set, e.g. SD_JSON_FORMAT_SEQ when --more is set, will be
clobbered.

Fix this by masking SD_JSON_FORMAT_OFF out, and then or'ing the new
flags in.
2024-10-22 12:09:41 -04:00
Lennart Poettering 119252343e
Merge pull request #34848 from yuwata/network-dhcpv6-do-not-request-ia-pd-on-info-req
network/dhcp6: do not request IA_PD on information requesting mode
2024-10-22 18:00:12 +02:00
Ronan Pigott afdb38a39f resolved: validate noerror response for CNAMEs
CNAME doesn't exist at the zone apex. When we get an unsigned noerror
response to a direct query for a CNAME record, we don't yet know if this
name is zone apex. We already request the correct DS record in this
case, but previously skipped it at validation time, causing the answer
to appear bogus. Make sure to also consider the DS record for the query
name for negative replies.
2024-10-22 17:59:05 +02:00
Lennart Poettering b9633ebb2a fs-util: move attempts counter in openat_report_new() into loop 2024-10-22 17:51:26 +02:00
Lennart Poettering 4ffecbbbee label: move label_ops_reset() up a bit
Let's move it close to label_ops_set(), since it is somewhat symmetric
to it.
2024-10-22 17:51:26 +02:00
Lennart Poettering 4e4ed4b64d label: add missing assert() to label_ops_set() 2024-10-22 17:51:26 +02:00
Lennart Poettering 3a7ae4ba62 shared: get rid of fileio-label.[ch]
Move the renaming function to reboot-util.h (since it writes out
/run/nologin at shutdown), and let's get rid of fileio-label.[ch] now
that it serves no purpose anymore.
2024-10-22 17:51:26 +02:00
Lennart Poettering aec1262a2e fileio: port write_string_file_full() to openat_report_new()
This brings two benefits: we will label the created file only if it is
actually created, and we can correctly delete any file we create again
on failure.
2024-10-22 17:51:26 +02:00
Lennart Poettering 8eeb870971 fileio: port write_string_file() to LabelOps, and thus add WRITE_STRING_FILE_LABEL flag
Given that we have the LabelOps abstraction these days, we can teach
write_string_file() to use it, which means we can get rid of
fileio-label.[ch] as a separate concept.

(The only reason that fileio-label.[ch] exists independently of
fileio.[ch] was that the former linekd to libselinux potentially, and
thus had to be in src/shared/ while the other always was in src/basic/.
But the LabelOps vtable provides us with a nice work-around)
2024-10-22 17:51:26 +02:00
Lennart Poettering 4946dd4197 fs-util: tweak how openat_report_new() operates when O_CREAT is used on a dangling symlink
One of the big mistakes of Linux is that when you create a file with
open() and O_CREAT and the file already exists as dangling symlink that
the symlink will be followed and the file created that it points to.
This has resulted in many vulnerabilities, and triggered the creation of
the O_NOFOLLOW flag, addressing the problem.

O_NOFOLLOW is less than ideal in many ways, but in particular one: when
actually creating a file it makes sense to set, because it is a problem
to follow final symlinks in that case. But if the file is already
existing, it actually does make sense to follow the symlinks. With
openat_report_new() we distinguish these two cases anyway (the whole
function exists only to distinguish the create and the exists-already
case after all), hence let's do something about this: let's simply never
create files "through symlinks".

This can be implemented very easily: just pass O_NOFOLLOW to the 2nd
openat() call, where we actually create files.

And then basically remove 0dd82dab91
again, because we don't need to care anymore, we already will see ELOOP
when we touch a symlink.

Note that this change means that openat_report_new() will thus start to
deviate from plain openat() behaviour in this one small detail: when
actually creating files we will *never* follow the symlink. That should
be a systematic improvement of security.

Fixes: #34088
2024-10-22 17:51:26 +02:00
Lennart Poettering 64053bed08 fs-util: always call label post ops in xopenat_full(), in both success and error path
For SELinux it is essential that we reset the file creation label both
in the success and in the error path, hence do so.

Moreover, when calling the label post ops do it if possible with the
opened fd of the inode itself, rather than always going via its path,
simply to reduce the attack surface.
2024-10-22 17:51:26 +02:00
Lennart Poettering da3d81cccd fs-util: don't second guess openat_report_new() return values
If openat_report_new() fails, then 'made_file' will be false, as no file
was created, hence there's no need to skip the unlinkat() explicitly
early, given that we check for 'made_file' anyway in the error path. The
extra error code checks are hence entirely redundant.
2024-10-22 17:51:26 +02:00
Lennart Poettering d49449c89b label: tweak LabelOps post() hook to take "created" boolean
We have two distinct implementations of the post hook.

1. For SELinux we just reset the selinux label we told the kernel
   earlier to use for new inodes.

2. For SMACK we might apply an xattr to the specified file.

The two calls are quite different: the first call we want to call in all
cases (failure or success), the latter only if we actually managed to
create an inode, in which case it is called on the inode.
2024-10-22 17:51:26 +02:00
Lennart Poettering 652371a3c1 fs-util: always go through the unlink cleanup paths in xopenat_full()
We didn't go through it at all if label_ops_post() failed.
2024-10-22 17:45:41 +02:00
Lennart Poettering 12620ca1fb fs-util: remove misplaced RET_NERRNO() 2024-10-22 17:45:41 +02:00
Daan De Meyer a95aacc851
Merge pull request #34851 from DaanDeMeyer/medium
bus-util: Return ENOMEDIUM if XDG_RUNTIME_DIR is unset
2024-10-22 13:37:59 +02:00
Yu Watanabe aa7507ea4a TEST-02-UNITTESTS: reuse $TEST_MATCH_SUBTEST to specify unit tests to be run
Then, we can easily test specific unit tests in qemu or container.
2024-10-22 20:14:33 +09:00
Yu Watanabe c443f6924f test-execute: update permission of credstore
Follow-up for 40fb9eebbc.
2024-10-22 20:14:33 +09:00
Daan De Meyer d64a5b30f1 bus-util: Fix bus_log_connect_error() 2024-10-22 12:32:02 +02:00
Daan De Meyer d0316b7a0d bus-util: Special case when DBUS_SESSION_BUS_ADDRESS is set and XDG_RUNTIME_DIR isn't
We noticed some failures because we have code that connects to user
managers by setting DBUS_SESSION_BUS_ADDRESS without setting XDG_RUNTIME_DIR.
If that's the case, connect to the user session bus instead of the
private manager bus as we can't connect to the latter if XDG_RUNTIME_DIR
is not set.
2024-10-22 11:17:40 +02:00
Daan De Meyer c5698fe907 bus-util: Return ENOMEDIUM if XDG_RUNTIME_DIR is unset
bus_log_connect_error() checks for ENOMEDIUM, not ENXIO.
2024-10-22 10:59:27 +02:00
Lennart Poettering 35f51be4f8
Merge pull request #34761 from ikruglov/ikruglov/io-systemd-Machine-GetAddresses
machine: add Addresses, OSRelease, and UIDShift fields in varlink io.systemd.Machine.List output
2024-10-22 09:06:56 +02:00
Lennart Poettering 2d74427a7c
Merge pull request #30952 from rpigott/resolved-dnr
RFC9463: Discovery of Network-designated Resolvers
2024-10-22 09:05:36 +02:00
Luca Boccassi aa077884c1 test: CET/EET are deprecated, use Europe/Berlin and Kyiv
The links moved to the legacy dataset so they won't be available by
default, so stop using them and just use the city ones instead
2024-10-21 21:37:33 +02:00
Yu Watanabe 1f5a052963 man: suggest to use DHCPv6Client= when upstream provides RA with the Managed bit unset
Follow-up for daf9f42f91.
2024-10-22 04:35:03 +09:00
Yu Watanabe 5ff567f74f network/dhcp6: do not request IA_PD when running in the other-information mode
This reverts the following commits:
- 180cc5421d
  "sd-dhcp6-client: allow to request IA_PD on information requesting mode"
- cf7a403e47
  "sd-dhcp6-lease: adjust information refresh time with lifetime of IA_PD"
- 1918eda30d
  "network/dhcp6: process hostname and IA_PD on information requesting mode"

As per discussion in #34299,
https://github.com/systemd/systemd/issues/34299#issuecomment-2425153221
the offending commits violate RFC 8415 section 18.2.6:
> The client uses an Information-request message to obtain
> configuration information without having addresses and/or delegated
> prefixes assigned to it.
2024-10-22 04:34:50 +09:00
Daan De Meyer e8fb0643c1
Merge pull request #34628 from DaanDeMeyer/measure
Rework TEST-86-MULTI-PROFILE-UKI + associated bugfixes
2024-10-21 18:55:33 +02:00
Ronan Pigott ee2108dcd5 resolve: move sd-* api into libsystemd-network
This duplicates the svc param constants for the benefit of the
resolved-core library.
2024-10-21 09:10:20 -07:00
Ronan Pigott e3a23b1679 ndisc: implement ndisc_option_build_encrypted_dns
This is only used by the fuzzer so far.
2024-10-21 09:10:20 -07:00
Ronan Pigott 7823f8a784 network: add dnr resolvers to networkctl status json output 2024-10-21 09:10:20 -07:00
Ronan Pigott 8ef7b6e656 test/fuzz: add dnr packets
The structure of DNR options is considerably more complicated than most
DHCP options, and as a result the fuzzer has poor coverage of these code
paths.

This adds some DNR packets to the fuzzing corpus, not with the intent of
capturing some specific edge case, but with the intent to rapidly
improve the fuzzers' coverage of these codepaths by giving it a valid
example to begin with.

Also include an ndisc router advert with a few Encrypted DNS options,
for the same purpose.
2024-10-21 09:10:20 -07:00
Ronan Pigott 65187c46ef network: Serialize ipv6ra DNR
Serialize DNR servers acquired by ipv6ra option, same as the V4/V6 DNR
DHCP options.
2024-10-21 09:10:20 -07:00
Ronan Pigott 9c683c0e1f network: Introduce IPv6RA UseDNR= option
Same as the DHCP v4/v6 options, this controls the use of DNR received
from ipv6ra.
2024-10-21 09:10:20 -07:00
Ronan Pigott 0c90d1d2f2 ndisc: Parse RFC9463 encrypted DNS (DNR) option
This option is equivalent to the V4/V6 DNR options for DHCP.
2024-10-21 09:10:19 -07:00
Ronan Pigott cb386795c2 test-network: add DHCPv6 DNR test
Same as the DHCPv4 test.
2024-10-21 09:10:19 -07:00
Ronan Pigott 168ad243cc network: Serialize DHCPv6 DNR servers
This serializes DNR servers acquired by V6_DNR option, equivalent to the
V4_DNR option.
2024-10-21 09:10:19 -07:00
Ronan Pigott c691f9d984 network: Introduce UseDNR DHCPv6 option
This is equivalent to the DHCPv4 option introduced earlier.
2024-10-21 09:10:19 -07:00
Ronan Pigott a07e83cc58 network: Parse RFC9463 DHCPv6 DNR option
Implement the parsing for V6_DNR DHCPv6 option. This does the same as
the DHCP V4_DNR option.
2024-10-21 09:10:19 -07:00
Ronan Pigott 1be9b30a3b dhcp6: use dns_name_from_wire_format
Convert some of the option parsing to use dns_name_from_wire_format,
introduced earlier. No change in behavior intended.
2024-10-21 09:10:19 -07:00
Ronan Pigott 2d9822b634 test-dhcp6: terminate fqdn option
The encoded fqdn in this option must be properly terminated. We will
soon validate that this field is correctly encoded, so correct it in the
test.
2024-10-21 09:10:19 -07:00
Ronan Pigott 7957154e06 test-network: add test for DHCPv4 DNR
This will test that networkd/resolved can understand the V4_DNR DHCP
option.
2024-10-21 09:10:19 -07:00
Ronan Pigott 3fd6708cde network: Serialize DNR servers
Implement serialization/deserialization for DNR servers. This re-uses
the string format in place for user configuration of DoT servers, and as
a consequence non-DoT servers are discarded when recording the link
configuration, for correctness.

This also enables sd-resolved to use these servers as it would other DNS
servers.
2024-10-21 09:10:19 -07:00
Ronan Pigott b0e716310d network: Add serialization for DoT resolvers
For now only DoT is supported, so DoT resolvers are represented using
the existing configuration format.
2024-10-21 09:10:19 -07:00
Ronan Pigott 869381589d network: Introduce UseDNR DHCPv4 option
This option will control the use of DNR for choosing DNS servers on the
link. Defaults to the value of UseDNS so that in most cases they will be
toggled together.
2024-10-21 09:10:19 -07:00
Ivan Kruglov 3cb72c7862 machine: add tests for Addresses/OSRelease/UIDShift fields in io.systemd.Machine.List output 2024-10-21 17:42:37 +02:00
Ivan Kruglov 9de215219c machine: use AcquireMetadata in io.systemd.MachineImage.List method 2024-10-21 17:42:37 +02:00
Ivan Kruglov 45755275e5 machine: add Addresses field in varlink io.systemd.Machine.List output
This is equivalent to DBus implementation of GetMachineAddresses.
2024-10-21 17:38:29 +02:00
Ivan Kruglov a94fbcaa35 machine: add OSRelease and UIDShift fields in varlink io.systemd.Machine.List output
This commit adds support of the above mentioned fields. This is equivalent to DBus implementation of:
- GetMachineOSRelease
- GetMachineUIDShift
2024-10-21 17:38:28 +02:00
Ivan Kruglov 16b1b304ba machine: enum AcquireMetadata 2024-10-21 17:34:11 +02:00
Daan De Meyer 977fc93603 Rework TEST-86-MULTI-PROFILE-UKI
Now that mkosi supports generating UKI profiles, let's make use of
that to generate the UKI profiles required for the test instead of
doing it within the test itself.
2024-10-21 17:24:14 +02:00
Daan De Meyer 922fe8b91d TEST-70-TPM2: Disable public key enrollment explicitly
Otherwise, when the test is executed on a system with signed PCRs,
cryptenroll will automatically pick up the public key from the UKI
which results in a volume that can't be unlocked because the pcrextend
tests appends extra things to pcr 11.
2024-10-21 17:24:14 +02:00
Daan De Meyer 88d9ca6d8a cryptenroll: Remove faulty assert()
We can break out of the preceding for loop in certain scenarios
which would trigger the assert so let's drop it.
2024-10-21 17:24:14 +02:00
Daan De Meyer b53f2d5ed8 pcrlock: Take VirtualSize > SizeOfRawData into account
If VirtualSize > SizeOfRawData, measure extra zeros to take into
account the extra zeros also measured by the stub.
2024-10-21 17:22:35 +02:00
Ivan Kruglov d8964f9d4d machine: rework Operation logic to reuse in varlink interface 2024-10-21 17:08:14 +02:00
Lennart Poettering 9312b3dc28
Merge pull request #34403 from poettering/askpw-per-user
modernize the ask-password logic, and add unpriv askpw agents to the concept
2024-10-21 16:37:28 +02:00
Lennart Poettering 13be6e70af
Merge pull request #34787 from yuwata/core-ip-address-allow-deny
core/cgroup: fix IPAddressAllow=/IPAddressDeny= set through DBus
2024-10-21 16:35:49 +02:00
Luca Boccassi 3034dc0013 mkosi: update opensuse commit reference
It was force-pushed again
2024-10-21 15:17:00 +01:00
Lennart Poettering e8139b15e1 varlinkctl: respect $COLUMNS when rebreaking lines and we are not connected to a TTY
Let's provide a mechanism to select the number of screen columns for
rebreaking comments in Varlink IDL connected to a TTY, by honouring the
$COLUMNS env var then too. Previously we'd only honour when connected to
a TTY, but it's also useful otherwise for rebreaking ridiculously long
comments, hence honour it in this case too.
2024-10-21 15:47:25 +02:00
Lennart Poettering eda91cf080 tty-askpw-agent: modernize wall_tty_match() a bit 2024-10-21 14:15:21 +02:00
Lennart Poettering 2ee6fa552e ask-password-api: don't accidentally create a dir, when we don't want one
Previously, we were using touch(), which usually works fine, because the
path should always refer to an existing directory, in which case it just
updates the timestamp. However, if the dir does not exist yet (which
shouldn't happen), it would be created as regular file, which is just
wrong.

Hence, let's instead create the dir as dir if it is missing, and then
update its timestamp.
2024-10-21 14:14:16 +02:00
Lennart Poettering f4c3bafd10 man: update PASSWORD_AGENTS spec, and introduce unpriv pw queries
Fixes: #1232 #2217
2024-10-21 14:14:13 +02:00
Lennart Poettering 9c1fa3c235 ask-password-tool: add --user/--system flag to systemd-ask-password tool
This allows selecting which agents to ask about this: system-level
agents, or per-user agents.

Fixes: #1232 #2217
2024-10-21 14:14:10 +02:00
Lennart Poettering 4dd2748b65 ask-password-api: add support for querying pws from unpriv agents 2024-10-21 14:14:05 +02:00
Lennart Poettering dbdec4b195 ask-password-api: minor modernizations 2024-10-21 14:14:02 +02:00
Lennart Poettering ec572753c3 tty-ask-password-agent: support for watching both system-wide and per-user askpw dir
Fixes: #1232 #2217
2024-10-21 14:13:45 +02:00
Lennart Poettering 5475c3dbe4 tty-ask-password-agent: minor modernizations 2024-10-21 14:13:41 +02:00
Lennart Poettering 298507b24d core: modernize askpw handling a bit 2024-10-21 14:12:24 +02:00
Lennart Poettering 6eabea49da
Merge pull request #33398 from AdrianVovk/sysupdate-optional
sysupdate: Add support for optional features
2024-10-21 12:36:43 +02:00
Lennart Poettering 069da86dbc
Merge pull request #34667 from rpigott/resolved-bypass
resolve: fixes for sd-resolved bypass
2024-10-21 12:34:24 +02:00
Adrian Vovk f82a7c87d2 sysupdate: Use camelCase for JSON field names
Seems like we missed some snake_case field names in previous reviews of
systemd-sysupdate
2024-10-21 12:31:54 +02:00
Daan De Meyer 0005411352 measure: Take SizeOfImage into account as well for .linux section
Same change as https://github.com/systemd/systemd/pull/34583 but for
systemd-measure. Otherwise we end up with PCR policy digest mismatches
as systemd-stub will measure the full virtual size of the kernel image
after it has been loaded while systemd-measure will disregard the extra
size introduced by SizeOfImage.

While ideally the stub would only measure the data that's actually on
disk and not the uninitialized data introduced by VirtualSize > SizeOfRawData,
we want newer systemd-measure to work with older stubs so we have to fix
systemd-measure and can't fix this in the stub.
2024-10-20 13:22:54 +02:00
Ronan Pigott b7b1c50c6a test: exercise bypass mode on the sd-resolved stub
A basic test will verify that we provide the right flags.
2024-10-18 21:21:35 -07:00
Ronan Pigott fa02d04ee9 resolved: update condition for caching full packets
Previously a full packet was cached only if the CD bit was set, but this
no longer corresponds to the cases where bypass is enabled.

Update the cache to retain a full packet in the cases where it might
actually be useful.
2024-10-18 21:21:35 -07:00
Ronan Pigott 36074e0149 resolved: enable CD bit without DO set
This is useful for a validating resolver to indicate to a non-validating
resolver when checking was disabled for the query. This matches the
behavior of the major public resolvers in response to queries with CD but
not DO set.
2024-10-18 21:21:35 -07:00
Ronan Pigott 008f23b7c5 resolved: authenticate bypass queries
Following 13e15dae9f, resolved does not forward the AD bit for bypass
queries, but resolved also didn't do its own validation, making these
replies appear to never be authentic. We should enable validation for
bypass queries.

Let's disable our own validation when processing a +cd query, and also
ensure that it skips the cache so that we don't accidentally fail to
return inauthentic replies from upstream.

Previously, when we had a bypass transaction without cd, a cached,
authenticated, reply with cd could be served, leaving the cd bit
erroneously set in the reply. Only reply with a CD bit if the client
requested it.

Fixes: 13e15dae9f (resolved: clear the AD bit for bypass packets)
2024-10-18 21:20:46 -07:00
Yu Watanabe 88bbf187a9 TEST-55-OOMD: workaround for kernel regression in 6.12-rcX
This ignores failures when running on kernel-6.12-rcX, which has a
regression in the kernel scheduler that breaks PSI.

From https://github.com/systemd/systemd/issues/32730#issuecomment-2415312260
> There is a known scheduler bug in 6.12 that breaks psi. It leaks
> "running tasks" counts, which matches your symptoms of seeing partial
> pressure only.
>
> Do you see "inconsistent task state" warnings in dmesg | grep psi?
>
> A fix is queued in the scheduler tree, should be sent to Linus shortly:
> https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=c6508124193d42bbc3224571eb75bfa4c1821fbb

Workaround for #32730.
2024-10-19 12:34:48 +09:00
Adrian Vovk 5803efff44
updatectl: Introduce optional feature verbs
This introduces a nice UX for listing, inspecting, enabling, and
disabling optional features from the command line.
2024-10-18 18:08:39 -04:00
Adrian Vovk e55e7a5a61
sysupdated: Plumb through optional features
This adds APIs to enumerate/inspect/enable/disable optional features.
2024-10-18 18:08:38 -04:00
Adrian Vovk 0cd1a58921
sysupdate: Add verb to inspect features 2024-10-18 17:58:47 -04:00
Adrian Vovk 2ffc8b23f0
sysupdate: Add tests for optional features
Makes sure we don't regress on #33343 and #33344
2024-10-18 17:58:46 -04:00
Adrian Vovk e1384cfb09
sysupdate: Introduce optional features
Optional features allow distros to define sets of transfers that can
be enabled or disabled by the system administrator. This is useful for
situations where a distro may want to ship some resources version-locked
to the core OS, but many people have no need for the resource, such as:
development tools/compilers, drivers for specialized hardware, language
packs, etc

We also rename sysupdate.d/*.conf -> sysupdate.d/*.transfer, because
now there are more than one type of definition in sysupdate.d/. For
backwards compat, we still load *.conf files as long as no *.transfer
files are found and the *.conf files don't try to declare themselves
as part of any features

Fixes https://github.com/systemd/systemd/issues/33343
Fixes https://github.com/systemd/systemd/issues/33344
2024-10-18 17:58:45 -04:00
Adrian Vovk 3e18762123
fs-util: Introduce symlinkat_idempotent 2024-10-18 17:58:45 -04:00
Yu Watanabe 12e58ab18d
Merge pull request #34820 from poettering/dissect-image-uclean
dissect-image: generate better log message for EUCLEAN dissect error
2024-10-19 02:15:01 +09:00
Zbigniew Jędrzejewski-Szmek 2c23b7054f
Merge pull request #34783 from keszybz/man-nspawn-private-users
Change systemd-nspawn man page to strongly recommend private users
2024-10-18 18:44:05 +02:00
Zbigniew Jędrzejewski-Szmek 487d412327 tree-wise: use "lightweight" spelling
Both spellings were used, but the dictionary says that "lightweight"
is the standard spelling.
2024-10-18 18:43:40 +02:00
Zbigniew Jędrzejewski-Szmek 9b1a5bc365 man/systemd-nspawn: emphasise that user namespaces are strongly recommended 2024-10-18 18:43:40 +02:00
Luca Boccassi 2f6fe4e113 test: customize /etc/os-release instead of /usr/lib/os-release
As per spec image builders can create a local /etc/os-release
with per-image IDs, so modify that one instead of the original
one in /usr/lib. For example we do this when we build debian
unstable images in mkosi.
2024-10-18 17:03:16 +01:00
Lennart Poettering 2186334e00 dissect-image: generate better log message for EUCLEAN dissect error
Fixes: #31799
2024-10-18 14:16:53 +02:00
Lennart Poettering 620a03f669 dissect-image: uppercase first char of dissect error message systematically
Some of the log message strings used proper uppercasing, others didn't.
Fix that to make it uniform.
2024-10-18 14:16:15 +02:00
Lennart Poettering 562f7bde88 resolved: refresh resolv.conf files when link goes away
This might have the effect that some DNS server or search domain
disappears, hence rewrite the relevant files.

See: #27543
2024-10-18 20:58:50 +09:00
Luca Boccassi 77579c66ef mkosi: update opensuse commit reference and switch branch
'factory' was reset to 8 years ago
2024-10-18 12:32:08 +01:00
Lennart Poettering 2e2826d7d9 resolved: add some more comments to varlink interface
This is by no means complete, but gets us a bit closer.
2024-10-18 19:17:36 +09:00
Lennart Poettering af7674f4ad networkd: raise limits on number of address 8x
Limits should be enforced, but not in a way real setups collide with
them.

There have been multiple reports that current limits are too low, hence
raise them 8x.

Fixes: #24852
2024-10-18 19:13:49 +09:00
Lennart Poettering 5fc46d7b87 update TODO 2024-10-18 09:54:32 +02:00
Lennart Poettering 3cc52015a8 update TODO 2024-10-18 09:23:54 +02:00
Adrian Vovk fafc3c2d5c GREEDY_REALLOC_APPEND: Make more type safe
Previously, GREEDY_REALLOC_APPEND would compile perfectly fine and cause
subtle memory corruption if the caller messes up the type they're passing
in (i.e. by forgetting to pass-by-reference when appending a Type* to an
array of Type*). Now this will lead to compilation failure
2024-10-18 14:22:58 +09:00
Yu Watanabe 5f3cfb9d5e TEST-19-CGROUP: add test cases for IPAddressAllow=/IPAddressDeny= 2024-10-16 14:32:13 +09:00
Yu Watanabe 77bbd9f1bd core/cgroup: fix IPAddressAllow=/IPAddressDeny= set through DBus
Fixes a regression caused by 84ebe6f013 (v250).
Fixes #34773.
2024-10-16 14:31:49 +09:00
Ronan Pigott 25c33e3500 network: parse RFC9463 DHCPv4 DNR option
This option is another way for DHCP servers to indicate preferred DNS
servers for the network, but includes more detailed info like the server
name, transport (DoT/DoH/DoQ etc.), and port.

Allow our DHCPv4 client to parse this option.
2024-09-13 22:57:51 -07:00
Ronan Pigott 1e2ead52e1 network: Introduce sd_dns_resolver
This type will be used to represent a "designated resolver", and the
necessary info for communicating with it. Beyond an address endpoint,
we may need to know the dns transport, authenticated domain name, DoH
path, etc.
2024-09-13 22:57:50 -07:00
Ronan Pigott 427166c3b0 dns: introduce dns_name_from_wire_format
This is implemented in various places, but it is better to share this
code.
2024-09-13 22:57:50 -07:00
Luca Boccassi f2f9c199d1 systemctl: keep ignoring sessions on shutdown as root
The change was supposed to be about respecting inhibitors, but
it was extended to also error out when there are active user
sessions, which was not intentional. Previously systemctl skipped
all checks if the caller was root or root-equivalent. Restore the
previous behaviour and again avoid blocking systemctl reboot by root
if there are active sessions, as long as there are no active
inhibitors.

Fixes https://github.com/systemd/systemd/issues/34086

Follow-up for 804874d26a
2024-09-13 12:32:42 +02:00
Luca Boccassi 5360db2a90 logind: drop new delay-weak inhibitor
It wasn't actually requested, just a misunderstanding, so drop it.

Fixes https://github.com/systemd/systemd/issues/34091

Follow-up for 804874d26a
2024-09-13 12:32:42 +02:00
Petr Menšík b8675eef92 Cancel re-link to uplink if it is missing
In case target file would be missing as well, symlinking to it won't
help. Just log it and finish.
2024-03-05 21:38:12 +01:00
Petr Menšík 844b2e9588 Configure no-stub fallback on resolved shutdown
When stub listener is disabled, stub-resolv.conf is made symlink to
resolv.conf. That contains valid servers obtained from the system. Do
the same action on systemd-resolved shutdown, where stub listener
becomes unavailable. If /etc/resolv.conf is linked to stub-resolv.conf,
avoid breaking network resolution on temporary resolved shutdown.
It gets fixed on (re)start again. Ignore return code, used only for
logging.
2024-03-05 21:20:24 +01:00
998 changed files with 153717 additions and 124804 deletions

View File

@ -18,7 +18,7 @@ body:
If a distro build is used, please just paste the package version, e.g. `systemd-254.7-1.fc39.x86_64`.
See https://github.com/systemd/systemd-stable/tags for the list of most recent releases.
For older version please use distribution trackers (see https://systemd.io/CONTRIBUTING#filing-issues).
placeholder: '255'
placeholder: '256.x'
validations:
required: true
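Review bot: The new placeholder '256.x' is not a version string a reporter can submit as written, and the description above it still shows `systemd-254.7-1.fc39.x86_64` as the sample distro package version. Consider giving the placeholder the same shape as a real answer and refreshing the sample on the description line in the same change, so the two stay consistent.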

View File

@ -121,6 +121,6 @@ body:
attributes:
label: The systemd version you checked that didn't have the feature you are asking for
description: If this is not the most recently released upstream version, then please check first if it has that feature already.
placeholder: '255'
placeholder: '256.x'
validations:
required: false

View File

@ -3,6 +3,8 @@
set -ex
shopt -s nullglob
info() { echo -e "\033[33;1m$1\033[0m"; }
fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; }
success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
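Review bot: `shopt -s nullglob` directly under `set -ex` changes glob handling for the entire script and carries no comment saying which expansion needs it. With nullglob an unmatched pattern expands to nothing rather than to itself, so a command whose only argument is a glob runs with no arguments instead of failing on a missing file. Suggest a one-line comment naming the glob this is for, or enabling the option only around that statement.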
@ -12,7 +14,7 @@ ARGS=(
"--optimization=s -Dutmp=false"
"--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
"--optimization=3 -Db_lto=true -Ddns-over-tls=false"
"--optimization=3 -Db_lto=false -Dtpm2=disabled -Dlibfido2=disabled -Dp11kit=disabled"
"--optimization=3 -Db_lto=false -Dtpm2=disabled -Dlibfido2=disabled -Dp11kit=disabled -Defi=false -Dbootloader=disabled"
"--optimization=3 -Dfexecve=true -Dstandalone-binaries=true -Dstatic-libsystemd=true -Dstatic-libudev=true"
"-Db_ndebug=true"
)
@ -45,7 +47,7 @@ PACKAGES=(
libxkbcommon-dev
libxtables-dev
libzstd-dev
# mold
mold
mount
net-tools
python3-evdev
@ -68,14 +70,6 @@ LINKER="${LINKER:?}"
CRYPTOLIB="${CRYPTOLIB:?}"
RELEASE="$(lsb_release -cs)"
# mold-2.2.0+ fixes some bugs breaking bootloader builds.
# TODO: Switch to distro mold with ubuntu-24.04
if [[ "$LINKER" == mold ]]; then
wget https://github.com/rui314/mold/releases/download/v2.2.0/mold-2.2.0-x86_64-linux.tar.gz
echo "d66e0230c562c2ba0e0b789cc5034e0fa2369cc843d0154920de4269cd94afeb mold-2.2.0-x86_64-linux.tar.gz" | sha256sum -c
sudo tar -xz -C /usr --strip-components=1 -f mold-2.2.0-x86_64-linux.tar.gz
fi
# Note: As we use postfixed clang/gcc binaries, we need to override $AR
# as well, otherwise meson falls back to ar from binutils which
# doesn't work with LTO
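Review bot: Removing the pinned mold download in this hunk drops the only place that guaranteed mold 2.2.0 or newer, which the deleted comment says is needed because older versions break bootloader builds. With `mold` now installed from the PACKAGES list, the job depends on whatever version the runner's distribution ships. State the minimum version in a comment next to the `mold` package entry, or fail early when `$LINKER` is mold and `mold --version` reports something older. The removed path also verified a sha256 before extracting into /usr, so confirm that the distribution package is now the only source of the linker.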

View File

@ -33,6 +33,6 @@ jobs:
env: ${{ matrix.env }}
steps:
- name: Repository checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Build check
run: .github/workflows/build_test.sh
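Review bot: The new `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` pin in the "Repository checkout" step carries no version comment, so a reviewer cannot tell which release the SHA corresponds to. Another workflow in this same comparison annotates the identical SHA with `# v4.2.2`. Adding that trailing comment here, and in the other workflows that take this bump, keeps the full-SHA pinning while making future bumps easier to audit.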

View File

@ -42,7 +42,7 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Initialize CodeQL
uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13

View File

@ -22,7 +22,7 @@ jobs:
COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
steps:
- name: Repository checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
# Reuse the setup phase of the unit test script to avoid code duplication
- name: Install build dependencies
run: sudo -E .github/workflows/unit_tests.sh SETUP

View File

@ -30,7 +30,7 @@ jobs:
name: Pull Request Metadata
- name: Repository checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0

View File

@ -23,7 +23,7 @@ jobs:
steps:
- name: Repository checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0

View File

@ -16,7 +16,7 @@ jobs:
steps:
- name: Repository checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- id: metadata
name: Gather Pull Request Metadata

View File

@ -20,7 +20,7 @@ jobs:
template: [ bug_report.yml, feature_request.yml ]
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Parse issue form
uses: stefanbuck/github-issue-parser@1e5bdee70d4b3e066a33aa0669ab782943825f94

View File

@ -30,7 +30,7 @@ jobs:
steps:
- name: Repository checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
if: github.event_name == 'pull_request'
- name: Label PR based on policy in labeler.yml

View File

@ -23,7 +23,7 @@ jobs:
steps:
- name: Repo checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
# We need a full repo clone
fetch-depth: 0
@ -37,7 +37,7 @@ jobs:
VALIDATE_GITHUB_ACTIONS: true
- name: Check that tabs are not used in Python code
run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py'
run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py test/integration-test-wrapper.py'
- name: Install ruff and mypy
run: |
@ -47,14 +47,14 @@ jobs:
- name: Run mypy
run: |
python3 -m mypy --version
python3 -m mypy src/ukify/ukify.py
python3 -m mypy src/ukify/ukify.py test/integration-test-wrapper.py
- name: Run ruff check
run: |
ruff --version
ruff check src/ukify/ukify.py
ruff check src/ukify/ukify.py test/integration-test-wrapper.py
- name: Run ruff format
run: |
ruff --version
ruff format --check src/ukify/ukify.py
ruff format --check src/ukify/ukify.py test/integration-test-wrapper.py
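Review bot: The file list `src/ukify/ukify.py test/integration-test-wrapper.py` is now repeated in the mypy, `ruff check` and `ruff format --check` steps of this hunk, and once more in the tab check in the hunk above, so the next Python file added to linting has to be edited into four places and can silently be missed in one of them. Define the list once, for example as a job-level `env:` value, and reference it from each step.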

View File

@ -104,8 +104,8 @@ jobs:
relabel: yes
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
- uses: systemd/mkosi@2a35f9958bc6b82d95d1eac02dc245e9bb068765
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: systemd/mkosi@0825cca8084674ec8fa27502134b1bc601f79e0c
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location

View File

@ -1,6 +1,6 @@
meson==1.5.2 \
--hash=sha256:77706e2368a00d789c097632ccf4fc39251fba56d03e1e1b262559a3c7a08f5b \
--hash=sha256:f955e09ab0d71ef180ae85df65991d58ed8430323de7d77a37e11c9ea630910b
meson==1.6.0 \
--hash=sha256:234a45f9206c6ee33b473ec1baaef359d20c0b89a71871d58c65a6db6d98fe74 \
--hash=sha256:999b65f21c03541cf11365489c1fad22e2418bb0c3d50ca61139f2eec09d5496
ninja==1.11.1.1 \
--hash=sha256:18302d96a5467ea98b68e1cae1ae4b4fb2b2a56a82b955193c637557c7273dbd \
--hash=sha256:185e0641bde601e53841525c4196278e9aaf4463758da6dd1e752c0a0f54136a \

View File

@ -29,7 +29,7 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

View File

@ -30,7 +30,7 @@ jobs:
cryptolib: gcrypt
steps:
- name: Repository checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install build dependencies
run: |
# Drop XDG_* stuff from /etc/environment, so we don't get the user

View File

@ -69,6 +69,9 @@ The following exceptions apply:
* the following sources are under **Public Domain** (LicenseRef-alg-sha1-public-domain):
- src/fundamental/sha1-fundamental.c
- src/fundamental/sha1-fundamental.h
* the following files are licensed under **BSD-3-Clause** license:
- src/boot/efi/chid.c
- src/boot/efi/chid.h
* Heebo fonts under docs/fonts/ are licensed under the **SIL Open Font License 1.1**,
* any files under test/ without an explicit license we assume non-copyrightable
(eg: computer-generated fuzzer data)

821
NEWS

File diff suppressed because it is too large

91
TODO
View File

@ -129,8 +129,66 @@ Deprecations and removals:
Features:
* add a generic varlink dispatcher for pidfd/pidinode/pid to PidRef handling
(and formatter?)
* Teach systemd-ssh-generator to generated an /run/issue.d/ drop-in telling
users how to connect to the system via the AF_VSOCK, as per:
https://github.com/systemd/systemd/issues/35071#issuecomment-2462803142
* maybe introduce an OSC sequence that signals when we ask for a password, so
that terminal emulators can maybe connect a password manager or so, and
highlight things specially.
* Port pidref_namespace_open() to use PIDFD_GET_MNT_NAMESPACE and related
ioctls to get nsfds directly from pidfds.
* start using STATX_SUBVOL in btrfs_is_subvol(). Also, make use of it
generically, so that image discovery recognizes bcachefs subvols too.
* format-table: introduce new cell type for strings with ansi sequences in
them. display them in regular output mode (via strip_tab_ansi()), but
suppress them in json mode.
* machined: when registering a machine, also take a relative cgroup path,
relative to the machine's unit. This is useful when registering unpriv
machines, as they might sit down the cgroup tree, below a cgroup delegation
boundary. Then, install an inotify watch on that cgroup to track when the
machine's local cgroup goes down.
* resolved: report ttl in resolution replies if we know it. This data is useful
for tools such as wireguard which want to periodically re-resolve DNS names,
and might want to use the TTL has hint for that.
* journald: beef up ClientContext logic to store pidfd_id of peer, to validate
we really use the right cache entry
* journald: log client's pidfd id as a new automatic field _PIDFDID= or so.
* journald: split up ClientContext cache in two: one cache keyed by pid/pidfdid
with process information, and another one keyed by cgroup path/cgroupid with
cgroup information. This way if a service consisting of many logging
processes can take benefit of the cgroup caching.
* system lsmbpf policy that prohibits creating files owned by "nobody"
system-wide
* system lsmpbf policy that prohibits creating or opening device nodes outside
of devtmpfs/tmpfs, except if they are the pseudo-devices /dev/null,
/dev/zero, /dev/urandom and so on.
* system lsmbpf policy that enforces that block device backed mounts may only
be established on top of dm-crypt or dm-verity devices, or an allowlist of
file systems (which should probably include vfat, for compat with the ESP)
* $LISTEN_PID, $MAINPID and $SYSTEMD_EXECPID env vars that the service manager
sets should be augmented with $LISTEN_PIDFDID, $MAINPIDFDID and
$SYSTEMD_EXECPIDFD (and similar for other env vars we might send).
* port copy.c over to use LabelOps for all labelling.
* port remaining getmntent() users over to libmount. There are subtle
differences in the parsers (see #25371 for example), and it hence makes sense
if we stick to one set of parsers on this, not mix both.
* run0 and run0 --user=root have different effect on tty ownership?
* get rid of compat with libidn.so.11 (retain only for libidn.so.12)
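Review bot: Several of the added entries in this hunk have typos worth fixing before merge: "to generated an /run/issue.d/ drop-in" should read "to generate a /run/issue.d/ drop-in", "use the TTL has hint" should read "use the TTL as a hint", and the second policy item spells "lsmpbf" where the items around it use "lsmbpf". The journald cache entry ("This way if a service consisting of many logging processes can take benefit of the cgroup caching") is also not a complete sentence; dropping "if" fixes it.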
@ -152,9 +210,6 @@ Features:
sd_event_add_child(), and then get rid of many more explicit sigprocmask()
calls.
* maybe set shell.prompt.prefix credential in run0 to some warning emoji,
i.e. ⚠️ or ☢️ or ⚡ or 👊 or 🧑‍🔧 or so.
* introduce new structure Tpm2CombinedPolicy, that combines the various TPm2
policy bits into one structure, i.e. public key info, pcr masks, pcrlock
stuff, pin and so on. Then pass that around in tpm2_seal() and tpm2_unseal().
@ -180,12 +235,8 @@ Features:
services where mount propagation from the root fs is off, an still have
confext/sysext propagated in.
* support F_DUDFD_QUERY for comparing fds in same_fd (requires kernel 6.10)
* generic interface for varlink for setting log level and stuff that all our daemons can implement
* use pty ioctl to get peer wherever possible (TIOCGPTPEER)
* maybe teach repart.d/ dropins a new setting MakeMountNodes= or so, which is
just like MakeDirectories=, but uses an access mode of 0000 and sets the +i
chattr bit. This is useful as protection against early uses of /var/ or /tmp/
@ -216,8 +267,6 @@ Features:
* initrd: when transitioning from initrd to host, validate that
/lib/modules/`uname -r` exists, refuse otherwise
* tmpfiles: add "owning" flag for lines that limits effect of --purge
* signed bpf loading: to address need for signature verification for bpf
programs when they are loaded, and given the bpf folks don't think this is
realistic in kernel space, maybe add small daemon that facilitates this
@ -421,9 +470,6 @@ Features:
* introduce mntid_t, and make it 64bit, as apparently the kernel switched to
64bit mount ids
* use udev rule networkd ownership property to take ownership of network
interfaces nspawn creates
* mountfsd/nsresourced
- userdb: maybe allow callers to map one uid to their own uid
- bpflsm: allow writes if resulting UID on disk would be userns' owner UID
@ -610,6 +656,7 @@ Features:
- openpt_allocate_in_namespace()
- unit_attach_pid_to_cgroup_via_bus()
- cg_attach() requires new kernel feature
- journald's process cache
* ddi must be listed as block device fstype
@ -1426,9 +1473,6 @@ Features:
- "systemd-sysupdate update --all" support, that iterates through all components
defined on the host, plus all images installed into /var/lib/machines/,
/var/lib/portable/ and so on.
- figure out what to do about system extensions (i.e. they need to imply an
update component, since otherwise sysupdate.d/ files would override the
host's update files.)
- Allow invocation with a single transfer definition, i.e. with
--definitions= pointing to a file rather than a dir.
- add ability to disable implicit decompression of downloaded artifacts,
@ -1436,9 +1480,6 @@ Features:
* in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
* DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to
make dirs appear under right UID.
* systemd-sysext: optionally, run it in initrd already, before transitioning
into host, to open up possibility for services shipped like that.
@ -1610,14 +1651,6 @@ Features:
* maybe add kernel cmdline params: to force random seed crediting
* introduce a new per-process uuid, similar to the boot id, the machine id, the
invocation id, that is derived from process creds, specifically a hashed
combination of AT_RANDOM + getpid() + the starttime from
/proc/self/status. Then add these ids implicitly when logging. Deriving this
uuid from these three things has the benefit that it can be derived easily
from /proc/$PID/ in a stable, and unique way that changes on both fork() and
exec().
* let's not GC a unit while its ratelimits are still pending
* when killing due to service watchdog timeout maybe detect whether target
@ -2031,7 +2064,7 @@ Features:
with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst
- ExtensionImages= deduplication for services is currently only applied to disk images without GPT envelope.
This should be extended to work with proper DDIs too, as well as directory confext/sysext. Moreover,
system-wide confex/sysext should support this too.
system-wide confext/sysext should support this too.
- Pin the mount namespace via FD by sending it back from sd-exec to the manager, and use it
for live mounting, instead of doing it via PID

View File

@ -735,3 +735,16 @@ Tools using the Varlink protocol (such as `varlinkctl`) or sd-bus (such as
* `SYSTEMD_EXIT_ON_IDLE` Takes a boolean. When false, the exit-on-idle logic
of these services is disabled, making it easier to debug them.
`systemd-ask-password`:
* `$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC` - takes a timespan, which controls
the expiration time of keys stored in the kernel keyring by `systemd-ask-password`.
If unset, the default expiration of 150 seconds is used. If set to `0`, keys are
not cached in the kernel keyring. If set to `infinity`, keys are cached without an
expiration time in the kernel keyring.
* `SYSTEMD_ASK_PASSWORD_KEYRING_TYPE` - takes a keyring ID or one of `thread`,
`process`, `session`, `user`, `user-session`, or `group`. Controls the kernel
keyring in which `systemd-ask-password` caches the queried password. Defaults
to `user`.
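Review bot: The two new entries are written inconsistently: `$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC` has a leading `$` while `SYSTEMD_ASK_PASSWORD_KEYRING_TYPE` and the `SYSTEMD_EXIT_ON_IDLE` entry just above do not, so pick one form. Since `infinity` keeps the password in the kernel keyring with no expiration and the type setting decides which keyring holds it, a sentence on which processes can read a cached key under the default `user` keyring would help anyone deciding whether to change these values.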

View File

@ -44,9 +44,37 @@ or:
$ mkosi qemu
```
By default, the tools from your host system are used to build the image. To have
`mkosi` use the systemd tools from the `build/` directory, add the following to
`mkosi.local.conf`:
By default, the tools from your host system are used to build the image.
Sometimes we start using mkosi features that rely on functionality in systemd
tools that's not in an official release yet. In that case, you'll need to build
systemd from source on the host and configure mkosi to use the tools from the
systemd build directory.
To do a local build, most distributions provide very simple and convenient ways
to install most development packages necessary to build systemd:
```sh
# Fedora
$ sudo dnf builddep systemd
# Debian/Ubuntu
$ sudo apt-get build-dep systemd
# Arch
$ sudo pacman -S devtools
$ pkgctl repo clone --protocol=https systemd
$ cd systemd
$ makepkg -seoc
```
After installing the development packages, systemd can be built from source as follows:
```sh
$ meson setup build <options>
$ ninja -C build
$ meson test -C build
```
To have `mkosi` use the systemd tools from the `build/` directory, add the
following to `mkosi.local.conf`:
```conf
[Host]
@ -69,9 +97,9 @@ another terminal on your host (choose the right one depending on the
distribution of the container or virtual machine):
```sh
mkosi -t none && mkosi ssh dnf upgrade --disablerepo="*" --assumeyes "/work/build/*.rpm" # CentOS/Fedora
mkosi -t none && mkosi ssh apt-get install "/work/build/*.deb" # Debian/Ubuntu
mkosi -t none && mkosi ssh pacman --upgrade --needed --noconfirm "/work/build/*.pkg.tar" # Arch Linux
mkosi -t none && mkosi ssh dnf upgrade --disablerepo="*" --assumeyes "/work/build/*.rpm" # CentOS/Fedora
mkosi -t none && mkosi ssh apt-get install "/work/build/*.deb" # Debian/Ubuntu
mkosi -t none && mkosi ssh pacman --upgrade --needed --noconfirm "/work/build/*.pkg.tar" # Arch Linux
mkosi -t none && mkosi ssh zypper --non-interactive install --allow-unsigned-rpm "/work/build/*.rpm" # OpenSUSE
```
@ -97,29 +125,6 @@ $ git push -u <REMOTE> # where REMOTE is your "fork" on GitHub
And after that, head over to your repo on GitHub and click "Compare & pull request"
If you want to do a local build without mkosi,
most distributions also provide very simple and convenient ways to install most development packages necessary to build systemd:
```sh
# Fedora
$ sudo dnf builddep systemd
# Debian/Ubuntu
$ sudo apt-get build-dep systemd
# Arch
$ sudo pacman -S devtools
$ pkgctl repo clone --protocol=https systemd
$ cd systemd
$ makepkg -seoc
```
After installing the development packages, systemd can be built from source as follows:
```sh
$ meson setup build <options>
$ ninja -C build
$ meson test -C build
```
Happy hacking!
## Building distribution packages with mkosi
@ -128,22 +133,25 @@ To build distribution packages for a specific distribution and release without
building an actual image, the following command can be used:
```sh
mkosi -d <distribution> -r <release> -t none -f
mkosi -d <distribution> -r <release> -t none
```
Afterwards the distribution packages will be located in `build/mkosi.output`. To
also build debuginfo packages, the following command can be used:
Afterwards the distribution packages will be located in
`build/mkosi.builddir/<distribution>~<release>~<architecture>/`. To also build
debuginfo packages, the following command can be used:
```sh
mkosi -d <distribution> -r <release> -E WITH_DEBUG=1 -t none -f
mkosi -d <distribution> -r <release> -E WITH_DEBUG=1 -t none
```
To upgrade the systemd packages on the host system to the newer versions built
by mkosi, run the following:
```sh
dnf upgrade build/mkosi.output/*.rpm # Fedora/CentOS
# TODO: Other distributions
dnf upgrade build/mkosi.builddir/<distribution>~<release>~<architecture>/*.rpm # Fedora/CentOS
apt-get install build/mkosi.builddir/<distribution>~<release>~<architecture>/*.deb # Debian/Ubuntu
pacman --upgrade --needed --noconfirm build/mkosi.builddir/<distribution>~<release>~<architecture>/*.pkg.tar # Arch Linux
zypper --non-interactive install --allow-unsigned-rpm build/mkosi.builddir/<distribution>~<release>~<architecture>/*.rpm # OpenSUSE
```
To downgrade back to the old version shipped by the distribution, run the
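Review bot: The host upgrade commands contain literal `<distribution>~<release>~<architecture>` placeholders inside a `sh` block, and a shell treats unquoted `<` and `>` as redirections, so a copy-paste that leaves part of the placeholder in place fails in confusing ways or creates stray files. Say explicitly that the whole path component must be substituted, or use a variable. These lines also run against the developer's host rather than the test image, yet the zypper line passes `--allow-unsigned-rpm` and the pacman line `--noconfirm` while the dnf line has no equivalent. Either drop the non-interactive flags for the host case or make the four commands consistent and state why signature checking is skipped.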

View File

@ -42,8 +42,8 @@ If such a lock is taken the operation will fail (but still may be overridden if
The InhibitDelayMaxSec= setting in [logind.conf(5)](http://www.freedesktop.org/software/systemd/man/logind.conf.html) controls the timeout for this. This is intended to be used by applications which need a synchronous way to execute actions before system suspend but shall not be allowed to block suspend indefinitely.
This mode is only available for _sleep_ and _shutdown_ locks.
3. _block-weak_ and _delay-weak_ that work as the non-weak counterparts, but that in addition may be ignored
automatically and silently under certain circumstances, unlike the formers which are always respected.
3. _block-weak_ that works as its non-weak counterpart, but that in addition may be ignored
automatically and silently under certain circumstances, unlike the former which is always respected.
Inhibitor locks are taken via the Inhibit() D-Bus call on the logind Manager object:

View File

@ -7,25 +7,30 @@ SPDX-License-Identifier: LGPL-2.1-or-later
# Password Agents
systemd 12 and newer support lightweight password agents which can be used to query the user for system-level passwords or passphrases.
These are passphrases that are not related to a specific user, but to some kind of hardware or service.
Right now this is used exclusively for encrypted hard-disk passphrases but later on this is likely to be used to query passphrases of SSL certificates at Apache startup time as well.
The basic idea is that a system component requesting a password entry can simply drop a simple .ini-style file into `/run/systemd/ask-password` which multiple different agents may watch via `inotify()`, and query the user as necessary.
The answer is then sent back to the querier via an `AF_UNIX`/`SOCK_DGRAM` socket.
Multiple agents might be running at the same time in which case they all should query the user and the agent which answers first wins.
Right now systemd ships with the following passphrase agents:
systemd 12 and newer support lightweight password agents which can be used to
query the user for system-level passwords or passphrases. These are
passphrases that are not related to a specific user, but to some kind of
hardware or service. This is used for encrypted hard-disk passphrases or to
query passphrases of SSL certificates at web server start-up time. The basic
idea is that a system component requesting a password entry can simply drop a
simple .ini-style file into `/run/systemd/ask-password/` which multiple
different agents may watch via `inotify()`, and query the user as necessary.
The answer is then sent back to the querier via an `AF_UNIX`/`SOCK_DGRAM`
socket. Multiple agents might be running at the same time in which case they
all should query the user and the agent which answers first wins. Right now
systemd ships with the following passphrase agents:
* A Plymouth agent used for querying passwords during boot-up
* A console agent used in similar situations if Plymouth is not available
* A GNOME agent which can be run as part of the normal user session which pops up a notification message and icon which when clicked receives the passphrase from the user.
This is useful and necessary in case an encrypted system hard-disk is plugged in when the machine is already up.
* A [`wall(1)`](https://man7.org/linux/man-pages/man1/wall.1.html) agent which sends wall messages as soon as a password shall be entered.
* A simple tty agent which is built into "`systemctl start`" (and similar commands) and asks passwords to the user during manual startup of a service
* A simple tty agent which can be run manually to respond to all queued passwords
## Implementing Agents
It is easy to write additional agents. The basic algorithm to follow looks like this:
* Create an inotify watch on /run/systemd/ask-password, watch for `IN_CLOSE_WRITE|IN_MOVED_TO`
* Create an inotify watch on `/run/systemd/ask-password/`, watch for `IN_CLOSE_WRITE|IN_MOVED_TO`
* Ignore all events on files in that directory that do not start with "`ask.`"
* As soon as a file named "`ask.xxxx`" shows up, read it. It's a simple `.ini` file that may be parsed with the usual parsers. The `xxxx` suffix is randomized.
* Make sure to ignore unknown `.ini` file keys in those files, so that we can easily extend the format later on.
@ -42,23 +47,57 @@ It is easy to write additional agents. The basic algorithm to follow looks like
* Make sure to hide a password query dialog as soon as a) the `ask.xxxx` file is deleted, watch this with inotify. b) the `NotAfter=` time elapses, if it is set `!= 0`.
* Access to the socket is restricted to privileged users.
To acquire the necessary privileges to send the answer back, consider using PolicyKit.
In fact, the GNOME agent we ship does that, and you may simply piggyback on that, by executing "`/usr/bin/pkexec /usr/lib/systemd/systemd-reply-password 1 /path/to/socket`" or "`/usr/bin/pkexec /usr/lib/systemd/systemd-reply-password 0 /path/to/socket`" and writing the password to its standard input.
For convenience, a reference implementation is provided: "`/usr/bin/pkexec /usr/lib/systemd/systemd-reply-password 1 /path/to/socket`" or "`/usr/bin/pkexec /usr/lib/systemd/systemd-reply-password 0 /path/to/socket`" and writing the password to its standard input.
Use '`1`' as argument if a password was entered by the user, or '`0`' if the user canceled the request.
* If you do not want to use PK ensure to acquire the necessary privileges in some other way and send a single datagram
to the socket consisting of the password string either prefixed with "`+`" or with "`-`" depending on whether the password entry was successful or not.
You may but don't have to include a final `NUL` byte in your message.
Again, it is essential that you stop showing the password box/notification/status icon if the `ask.xxx` file is removed or when `NotAfter=` elapses (if it is set `!= 0`)!
Again, it is essential that you stop showing the password
box/notification/status icon if the `ask.xxxx` file is removed or when
`NotAfter=` elapses (if it is set `!= 0`)!
It may happen that multiple password entries are pending at the same time.
Your agent needs to be able to deal with that. Depending on your environment you may either choose to show all outstanding passwords at the same time or instead only one and as soon as the user has replied to that one go on to the next one.
Your agent needs to be able to deal with that. Depending on your environment
you may either choose to show all outstanding passwords at the same time or
instead only one and as soon as the user has replied to that one go on to the
next one.
You may test this all with manually invoking the "`systemd-ask-password`" tool on the command line.
Pass `--no-tty` to ensure the password is asked via the agent system.
Note that only privileged users may use this tool (after all this is intended purely for system-level passwords).
If you write a system level agent, a smart way to activate it is using systemd
`.path` units. This will ensure that systemd will watch the
`/run/systemd/ask-password/` directory and spawn the agent as soon as that
directory becomes non-empty. In fact, the console, wall and Plymouth agents
are started like this. If systemd is used to maintain user sessions as well
you can use a similar scheme to automatically spawn your user password agent as
well.
If you write a system level agent a smart way to activate it is using systemd `.path` units.
This will ensure that systemd will watch the `/run/systemd/ask-password` directory and spawn the agent as soon as that directory becomes non-empty.
In fact, the console, wall and Plymouth agents are started like this.
If systemd is used to maintain user sessions as well you can use a similar scheme to automatically spawn your user password agent as well.
(As of this moment we have not switched any DE over to use systemd for session management, however.)
## Implementing Queriers
It's also easy to implement applications that want to query passwords this way
(i.e. client for the agents above). Simply bind an `AF_UNIX`/`SOCK_DGRAM`
socket somewhere (suggestion: you can do this in `/run/systemd/ask-password/`
under a randomized socket name, not beginning with `ask.`). Then, create an
`/run/systemd/ask-password/ask.xxxx` (replace the `xxxx` by some randomized
string) file, with the appropriate `Message=`, `PID=`, `Icon=`, `Echo=`,
`NotAfter=` fields in the `[Ask]` section. Most importantly, include `Socket=`
pointing to your socket entrypoint. Then, just wait until the password is
delivered to you on the socket. Finally, don't forget to remove the file and
the socket once done.
## Testing
You may test agents by manually invoking the "`systemd-ask-password`" tool from
a shell. Pass `--no-tty` to ensure the password is asked via the agent system.
You may test queriers by manually invoking the
"`systemd-tty-ask-password-agent`" from a shell.
## Unprivileged Per-User Password Agents
Starting with systemd v257 the scheme is extended to per-user password
agents. A second per-user directory `$XDG_RUNTIME_DIR/systemd/ask-password/` is
now available, with the same protocol as the system-wide
counterpart. Unprivileged, per-directory agents should watch this directory in
parallel to the system-wide one. Unprivileged queriers (i.e. clients to these
agents) should pick the per-user directory to place their password request
files in.
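Review bot: In the new "Unprivileged Per-User Password Agents" section, "Unprivileged, per-directory agents" looks like it should read "per-user agents". The section says the per-user directory uses the same protocol as the system-wide one, but the agent steps in this hunk state "Access to the socket is restricted to privileged users" and route replies through `pkexec`, so spell out how an unprivileged agent is expected to send its reply. The "Implementing Queriers" section would also benefit from saying what ownership and mode the querier should give the socket and the `ask.xxxx` file, since it is the querier that creates both.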

View File

@ -15,18 +15,19 @@ SPDX-License-Identifier: LGPL-2.1-or-later
6. [RC1] Update library numbers in `meson.build`
7. Update version number in `meson.version` (e.g. from `256~devel` to `256~rc1` or from `256~rc3` to `256`). Note that this uses a tilde (\~) instead of a hyphen (-) because tildes sort lower in version comparisons according to the [version format specification](https://uapi-group.org/specifications/specs/version_format_specification/), and we want `255~rc1` to sort lower than `255`.
8. Check dbus docs with `ninja -C build update-dbus-docs`
9. Update translation strings (`ninja -C build systemd-pot`, `ninja -C build systemd-update-po`) - drop the header comments from `systemd.pot` + re-add SPDX before committing. If the only change in a file is the 'POT-Creation-Date' field, then ignore that file.
10. Tag the release: `version="v$(sed 's/~/-/g' meson.version)" && git tag -s "${version}" -m "systemd ${version}"` (tildes are replaced with hyphens, because git doesn't accept the former).
11. Do `ninja -C build`
12. Make sure that the version string and package string match: `build/systemctl --version`
13. [FINAL] Close the github milestone and open a new one (https://github.com/systemd/systemd/milestones)
14. "Draft" a new release on github (https://github.com/systemd/systemd/releases/new), mark "This is a pre-release" if appropriate.
15. Check that announcement to systemd-devel, with a copy&paste from NEWS, was sent. This should happen automatically.
16. Update IRC topic (`/msg chanserv TOPIC #systemd Version NNN released | Online resources https://systemd.io/`)
17. [FINAL] Create an empty -stable branch: `git push systemd origin/main:refs/heads/v${version}-stable`.
18. [FINAL] Build and upload the documentation (on the -stable branch): `ninja -C build doc-sync`
9. Check manpages list with `ninja -C build update-man-rules`
10. Update translation strings (`ninja -C build systemd-pot`, `ninja -C build systemd-update-po`) - drop the header comments from `systemd.pot` + re-add SPDX before committing. If the only change in a file is the 'POT-Creation-Date' field, then ignore that file.
11. Tag the release: `version="v$(sed 's/~/-/g' meson.version)" && git tag -s "${version}" -m "systemd ${version}"` (tildes are replaced with hyphens, because git doesn't accept the former).
12. Do `ninja -C build`
13. Make sure that the version string and package string match: `build/systemctl --version`
14. [FINAL] Close the github milestone and open a new one (https://github.com/systemd/systemd/milestones)
15. "Draft" a new release on github (https://github.com/systemd/systemd/releases/new), mark "This is a pre-release" if appropriate.
16. Check that announcement to systemd-devel, with a copy&paste from NEWS, was sent. This should happen automatically.
17. Update IRC topic (`/msg chanserv TOPIC #systemd Version NNN released | Online resources https://systemd.io/`)
18. [FINAL] Create an empty -stable branch: `git push systemd origin/main:refs/heads/v${version}-stable`.
19. [FINAL] Build and upload the documentation (on the -stable branch): `ninja -C build doc-sync`
20. [FINAL] Change the Github Pages branch to the newly created branch (https://github.com/systemd/systemd/settings/pages) and set the 'Custom domain' to 'systemd.io'
21. [FINAL] Update version number in `meson.version` to the devel version of the next release (e.g. from `v256` to `v257~devel`)
21. [FINAL] Update version number in `meson.version` to the devel version of the next release (e.g. from `256` to `257~devel`)
# Steps to a Successful Stable Release
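Review bot: In the renumbered list, step 11 sets `version="v$(sed 's/~/-/g' meson.version)"`, so the value already starts with `v`, but step 18 pushes to `refs/heads/v${version}-stable`. Run in the same shell, that creates a branch name with a doubled `v`. Either drop the literal `v` in step 18 or state that `version` there means the bare number.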

View File

@ -80,7 +80,7 @@ _With all vendor-supplied OS resources in a single directory /usr they may be sh
**Myth #4**: The /usr merges only purpose is to look pretty, and has no other benefits
**Fact**: The /usr merge makes sharing the vendor-supplied OS resources between a host and networked clients as well as a host and local light-weight containers easier and atomic. Snapshotting the OS becomes a viable option. The /usr merge also allows making the entire vendor-supplied OS resources read-only for increased security and robustness.
**Fact**: The /usr merge makes sharing the vendor-supplied OS resources between a host and networked clients as well as a host and local lightweight containers easier and atomic. Snapshotting the OS becomes a viable option. The /usr merge also allows making the entire vendor-supplied OS resources read-only for increased security and robustness.
**Myth #5**: Adopting the /usr merge in your distribution means additional work for your distribution's package maintainers
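Review bot: The Myth #4 line directly above the corrected sentence still reads "The /usr merges only purpose" and needs the possessive, "The /usr merge's only purpose". This hunk is already a spelling pass over the adjacent Fact line, so the fix belongs in the same change.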

View File

@ -41,7 +41,7 @@ used for new, additional measurements.
## PCR Measurements Made by `systemd-boot` (UEFI)
### PCS 5, `EV_EVENT_TAG`, "loader.conf"
### PCS 5, `EV_EVENT_TAG`, `loader.conf`
The content of `systemd-boot`'s configuration file, `loader/loader.conf`, is
measured as a tagged event.
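Review bot: The rewritten heading still begins with `PCS 5`, while every other heading touched in this file uses `PCR`. Since the line is being edited anyway, correct it to `PCR 5` so the register number can be found by searching for the same term as the other entries.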
@ -52,7 +52,7 @@ measured as a tagged event.
**Measured hash** covers the content of `loader.conf` as it is read from the ESP.
### PCR 12, `EV_IPL`, "Kernel Command Line"
### PCR 12, `EV_IPL`, kernel command line
If the kernel command line was specified explicitly (by the user or in a Boot
Loader Specification Type #1 file), the kernel command line passed to the
@ -70,7 +70,7 @@ trailing NUL bytes).
## PCR Measurements Made by `systemd-stub` (UEFI)
### PCR 11, `EV_IPL`, "PE Section Name"
### PCR 11, `EV_IPL`, PE section name
A measurement is made for each PE section of the UKI that is defined by the
[UKI
@ -87,7 +87,7 @@ both types of records appear interleaved in the event log.
**Measured hash** covers the PE section name in ASCII (*including* a trailing NUL byte!).
### PCR 11, `EV_IPL`, "PE Section Data"
### PCR 11, `EV_IPL`, PE section data
Happens once for each UKI-defined PE section of the UKI, in the canonical UKI
PE section order, as per the UKI specification, see above.
@ -96,7 +96,7 @@ PE section order, as per the UKI specification, see above.
**Measured hash** covers the (binary) PE section contents.
### PCR 12, `EV_IPL`, "Kernel Command Line"
### PCR 12, `EV_IPL`, kernel command line
Might happen up to three times, for kernel command lines from:
@ -110,37 +110,37 @@ UTF-16.
**Measured hash** covers the literal kernel command line in UTF-16 (without any
trailing NUL bytes).
### PCR 12, `EV_EVENT_TAG`, "Devicetrees"
### PCR 12, `EV_EVENT_TAG`, DeviceTrees
Devicetree addons are measured individually as a tagged event.
DeviceTree addons are measured individually as a tagged event.
**Event Tag** `0x6c46f751`
**Description** the addon filename.
**Description** is the addon filename.
**Measured hash** covers the content of the Devicetree.
**Measured hash** covers the content of the DeviceTree.
### PCR 12, `EV_EVENT_TAG`, "Initrd addons"
### PCR 12, `EV_EVENT_TAG`, initrd addons
Initrd addons are measured individually as a tagged event.
**Event Tag** `0x49dffe0f`
**Description** the addon filename.
**Description** is the addon filename.
**Measured hash** covers the contents of the initrd.
### PCR 12, `EV_EVENT_TAG`, "Ucode addons"
### PCR 12, `EV_EVENT_TAG`, ucode addons
Ucode addons are measured individually as a tagged event.
**Event Tag** `0xdac08e1a`
**Description** the addon filename.
**Description** is the addon filename.
**Measured hash** covers the contents of the ucode initrd.
### PCR 12, `EV_IPL`, "Per-UKI Credentials initrd"
### PCR 12, `EV_IPL`, per-uki credentials initrd
**Description** in the event log record is the constant string "Credentials
initrd" in UTF-16.
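Review bot: The new heading `per-uki credentials initrd` lowercases the acronym, but the heading it replaces and the body text of this entry ("covers the per-UKI credentials cpio archive") both write `per-UKI`. The same hunk deliberately changes `Devicetrees` to `DeviceTrees`, so term casing is being treated as significant here; keep `per-UKI` in the heading.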
@ -148,7 +148,7 @@ initrd" in UTF-16.
**Measured hash** covers the per-UKI credentials cpio archive (which is generated
on-the-fly by `systemd-stub`).
### PCR 12, `EV_IPL`, "Global Credentials initrd"
### PCR 12, `EV_IPL`, global credentials initrd
**Description** in the event log record is the constant string "Global
credentials initrd" in UTF-16.
@ -156,7 +156,7 @@ credentials initrd" in UTF-16.
**Measured hash** covers the global credentials cpio archive (which is generated
on-the-fly by `systemd-stub`).
### PCR 13, `EV_IPL`, "sysext initrd"
### PCR 13, `EV_IPL`, sysext initrd
**Description** in the event log record is the constant string "System extension
initrd" in UTF-16.
@ -166,7 +166,7 @@ on-the-fly by `systemd-stub`).
## PCR Measurements Made by `systemd-pcrextend` (Userspace)
### PCR 11, "Boot Phases"
### PCR 11, boot phases
The `systemd-pcrphase.service`, `systemd-pcrphase-initrd.service`,
`systemd-pcrphase-sysinit.service` services will measure the boot phase reached
@ -178,7 +178,7 @@ choose to define additional/different phases.)
**Measured hash** covers the phase string (in UTF-8, without trailing NUL
bytes).
### PCR 15, "Machine ID"
### PCR 15, machine ID
The `systemd-pcrmachine.service` service will measure the machine ID (as read
from `/etc/machine-id`) during boot.
@ -187,7 +187,7 @@ from `/etc/machine-id`) during boot.
formatted in hexadecimal lowercase characters (in UTF-8, without trailing NUL
bytes).
### PCR 15, "File System"
### PCR 15, file system
The `systemd-pcrfs-root.service` and `systemd-pcrfs@.service` services will
measure a string identifying a specific file system, typically covering the
@ -200,7 +200,7 @@ without trailing NUL bytes).
## PCR Measurements Made by `systemd-cryptsetup` (Userspace)
### PCR 15, "Volume Key"
### PCR 15, volume key
The `systemd-cryptsetup@.service` service will measure a key derived from the
LUKS volume key of a specific encrypted volume, typically covering the backing

View File

@ -597,6 +597,17 @@ The salt to pass to the FIDO2 device is found in `fido2HmacSalt`.
The only supported recovery key type at the moment is `modhex64`, for details see the description of `recoveryKey` below.
An account may have any number of recovery keys defined, and the array should have one entry for each.
`selfModifiableFields` → An array of strings, each corresponding to a field name that can appear
in the `regular` or `perMachine` sections. The user may be allowed to edit any field in this list
without authenticating as an administrator. Note that the user will only be allowed to edit fields
in `perMachine` sections that match the machine the user is performing the edit from.
`selfModifiableBlobs` → Similar to `selfModifiableFields`, but it lists blobs that the user
is allowed to edit.
`selfModifiablePrivileged` → Similar to `selfModifiableFields`, but it lists fields in
the `privileged` section that the user is allowed to edit.
`privileged` → An object, which contains the fields of the `privileged` section
of the user record, see below.
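Review bot: The `selfModifiableFields` description does not say whether the three new field names may themselves appear in the list. The text allows any field that can appear in `regular` or `perMachine` to be listed and then edited without administrator authentication, and the next hunk adds `selfModifiableFields`, `selfModifiableBlobs` and `selfModifiablePrivileged` to a section's list of permitted fields, so a record that listed them would let the user widen their own edit rights. State explicitly whether that is rejected, and document what applies when these fields are absent from the record.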
@ -754,7 +765,7 @@ All other fields that may be used in this section are identical to the equally n
`autoLogin`, `preferredSessionType`, `preferredSessionLauncher`, `stopDelayUSec`, `killProcesses`,
`passwordChangeMinUSec`, `passwordChangeMaxUSec`, `passwordChangeWarnUSec`,
`passwordChangeInactiveUSec`, `passwordChangeNow`, `pkcs11TokenUri`,
`fido2HmacCredential`.
`fido2HmacCredential`, `selfModifiableFields`, `selfModifiableBlobs`, `selfModifiablePrivileged`.
## Fields in the `binding` section

File diff suppressed because it is too large Load Diff

View File

@ -102,6 +102,9 @@ acpi:DMST*:
acpi:DNBK*:
ID_VENDOR_FROM_DATABASE=Dynabook Inc.
acpi:DSHR*:
ID_VENDOR_FROM_DATABASE=3mdeb
acpi:DSUO*:
ID_VENDOR_FROM_DATABASE=Shenzhen DSO Microelectronics Co.,Ltd.
@ -189,6 +192,9 @@ acpi:ILIT*:
acpi:IMPJ*:
ID_VENDOR_FROM_DATABASE=Impinj
acpi:INIT*:
ID_VENDOR_FROM_DATABASE=INIT - Innovative Informatikanwendungen GmbH
acpi:INSY*:
ID_VENDOR_FROM_DATABASE=Insyde Software
@ -309,6 +315,9 @@ acpi:RKCP*:
acpi:RPIL*:
ID_VENDOR_FROM_DATABASE=Raspberry Pi
acpi:RSCV*:
ID_VENDOR_FROM_DATABASE=RISC-V International
acpi:RVOS*:
ID_VENDOR_FROM_DATABASE=Rivos Inc.
@ -318,6 +327,9 @@ acpi:RZSN*:
acpi:SECC*:
ID_VENDOR_FROM_DATABASE=Seiko Epson Corporation
acpi:SGSN*:
ID_VENDOR_FROM_DATABASE=SigmaSense, LLC
acpi:SHRP*:
ID_VENDOR_FROM_DATABASE=Sharp Corporation
@ -360,6 +372,9 @@ acpi:VAIO*:
acpi:VFSI*:
ID_VENDOR_FROM_DATABASE=Validity Sensors, Inc
acpi:VNTN*:
ID_VENDOR_FROM_DATABASE=Ventana Micro Systems
acpi:VSHY*:
ID_VENDOR_FROM_DATABASE=Vishay Intertechnology, Inc.
@ -489,6 +504,9 @@ acpi:ADD*:
acpi:ADE*:
ID_VENDOR_FROM_DATABASE=Arithmos, Inc.
acpi:ADG*:
ID_VENDOR_FROM_DATABASE=Airdrop Gaming LLC
acpi:ADH*:
ID_VENDOR_FROM_DATABASE=Aerodata Holdings Ltd
@ -1524,6 +1542,9 @@ acpi:CHY*:
acpi:CIC*:
ID_VENDOR_FROM_DATABASE=Comm. Intelligence Corporation
acpi:CID*:
ID_VENDOR_FROM_DATABASE=Indicates an identity defined by CTS/DID Standards other than EDID
acpi:CIE*:
ID_VENDOR_FROM_DATABASE=Convergent Engineering, Inc.
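Review bot: The `acpi:CID*` value is a description, not a vendor name: `ID_VENDOR_FROM_DATABASE=Indicates an identity defined by CTS/DID Standards other than EDID` will be reported as the vendor string for any matching device. If this comes straight from the registry import, consider handling it in the local patch kept against the imported data rather than shipping the sentence as a vendor.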
@ -1998,9 +2019,6 @@ acpi:DEL*:
acpi:DEM*:
ID_VENDOR_FROM_DATABASE=DemoPad Software Ltd
acpi:DEM*:
ID_VENDOR_FROM_DATABASE=DemoPad Software Ltd
acpi:DEN*:
ID_VENDOR_FROM_DATABASE=Densitron Computers Ltd
@ -2250,6 +2268,9 @@ acpi:DTK*:
acpi:DTL*:
ID_VENDOR_FROM_DATABASE=e-Net Inc
acpi:DTM*:
ID_VENDOR_FROM_DATABASE=Daten Tecnologia
acpi:DTN*:
ID_VENDOR_FROM_DATABASE=Datang Telephone Co
@ -4140,6 +4161,9 @@ acpi:LAS*:
acpi:LAV*:
ID_VENDOR_FROM_DATABASE=Lava Computer MFG Inc
acpi:LBC*:
ID_VENDOR_FROM_DATABASE=LABAU Technology Corp.
acpi:LBO*:
ID_VENDOR_FROM_DATABASE=Lubosoft
@ -6417,6 +6441,9 @@ acpi:SHR*:
acpi:SHT*:
ID_VENDOR_FROM_DATABASE=Shin Ho Tech
acpi:SHU*:
ID_VENDOR_FROM_DATABASE=Shure Inc.
acpi:SIA*:
ID_VENDOR_FROM_DATABASE=SIEMENS AG
@ -7944,6 +7971,9 @@ acpi:XIT*:
acpi:XLX*:
ID_VENDOR_FROM_DATABASE=Xilinx, Inc.
acpi:XMI*:
ID_VENDOR_FROM_DATABASE=Xiaomi Corporation
acpi:XMM*:
ID_VENDOR_FROM_DATABASE=C3PO S.L.

View File

@ -1,5 +1,5 @@
--- 20-acpi-vendor.hwdb.base 2024-06-11 18:28:44.326630949 +0100
+++ 20-acpi-vendor.hwdb 2024-06-11 18:28:44.334631113 +0100
--- 20-acpi-vendor.hwdb.base 2024-11-15 17:16:38.971258201 +0000
+++ 20-acpi-vendor.hwdb 2024-11-15 17:16:38.979258339 +0000
@@ -3,6 +3,8 @@
# Data imported from:
# https://uefi.org/uefi-pnp-export
@ -19,7 +19,7 @@
acpi:AMDI*:
ID_VENDOR_FROM_DATABASE=AMD
@@ -379,6 +378,9 @@
@@ -394,6 +393,9 @@
acpi:AAA*:
ID_VENDOR_FROM_DATABASE=Avolites Ltd
@ -29,7 +29,7 @@
acpi:AAE*:
ID_VENDOR_FROM_DATABASE=Anatek Electronics Inc.
@@ -406,6 +408,9 @@
@@ -421,6 +423,9 @@
acpi:ABO*:
ID_VENDOR_FROM_DATABASE=D-Link Systems Inc
@ -39,7 +39,7 @@
acpi:ABS*:
ID_VENDOR_FROM_DATABASE=Abaco Systems, Inc.
@@ -451,7 +456,7 @@
@@ -466,7 +471,7 @@
acpi:ACO*:
ID_VENDOR_FROM_DATABASE=Allion Computer Inc.
@ -48,7 +48,7 @@
ID_VENDOR_FROM_DATABASE=Aspen Tech Inc
acpi:ACR*:
@@ -727,6 +732,9 @@
@@ -745,6 +750,9 @@
acpi:AMT*:
ID_VENDOR_FROM_DATABASE=AMT International Industry
@ -58,7 +58,7 @@
acpi:AMX*:
ID_VENDOR_FROM_DATABASE=AMX LLC
@@ -775,6 +783,9 @@
@@ -793,6 +801,9 @@
acpi:AOA*:
ID_VENDOR_FROM_DATABASE=AOpen Inc.
@ -68,7 +68,7 @@
acpi:AOE*:
ID_VENDOR_FROM_DATABASE=Advanced Optics Electronics, Inc.
@@ -784,6 +795,9 @@
@@ -802,6 +813,9 @@
acpi:AOT*:
ID_VENDOR_FROM_DATABASE=Alcatel
@ -78,7 +78,7 @@
acpi:APC*:
ID_VENDOR_FROM_DATABASE=American Power Conversion
@@ -965,7 +979,7 @@
@@ -983,7 +997,7 @@
ID_VENDOR_FROM_DATABASE=ALPS ALPINE CO., LTD.
acpi:AUO*:
@ -87,7 +87,7 @@
acpi:AUR*:
ID_VENDOR_FROM_DATABASE=Aureal Semiconductor
@@ -1045,6 +1059,9 @@
@@ -1063,6 +1077,9 @@
acpi:AXE*:
ID_VENDOR_FROM_DATABASE=Axell Corporation
@ -97,7 +97,7 @@
acpi:AXI*:
ID_VENDOR_FROM_DATABASE=American Magnetics
@@ -1201,6 +1218,9 @@
@@ -1219,6 +1236,9 @@
acpi:BML*:
ID_VENDOR_FROM_DATABASE=BIOMED Lab
@ -107,7 +107,7 @@
acpi:BMS*:
ID_VENDOR_FROM_DATABASE=BIOMEDISYS
@@ -1213,6 +1233,9 @@
@@ -1231,6 +1251,9 @@
acpi:BNO*:
ID_VENDOR_FROM_DATABASE=Bang & Olufsen
@ -117,7 +117,7 @@
acpi:BNS*:
ID_VENDOR_FROM_DATABASE=Boulder Nonlinear Systems
@@ -1459,6 +1482,9 @@
@@ -1477,6 +1500,9 @@
acpi:CHA*:
ID_VENDOR_FROM_DATABASE=Chase Research PLC
@ -127,7 +127,7 @@
acpi:CHD*:
ID_VENDOR_FROM_DATABASE=ChangHong Electric Co.,Ltd
@@ -1621,6 +1647,9 @@
@@ -1642,6 +1668,9 @@
acpi:COD*:
ID_VENDOR_FROM_DATABASE=CODAN Pty. Ltd.
@ -137,7 +137,7 @@
acpi:COI*:
ID_VENDOR_FROM_DATABASE=Codec Inc.
@@ -2042,7 +2071,7 @@
@@ -2060,7 +2089,7 @@
ID_VENDOR_FROM_DATABASE=Dragon Information Technology
acpi:DJE*:
@ -146,7 +146,7 @@
acpi:DJP*:
ID_VENDOR_FROM_DATABASE=Maygay Machines, Ltd
@@ -2392,6 +2421,9 @@
@@ -2413,6 +2442,9 @@
acpi:EIN*:
ID_VENDOR_FROM_DATABASE=Elegant Invention
@ -156,7 +156,7 @@
acpi:EKA*:
ID_VENDOR_FROM_DATABASE=MagTek Inc.
@@ -2662,6 +2694,9 @@
@@ -2683,6 +2715,9 @@
acpi:FCG*:
ID_VENDOR_FROM_DATABASE=First International Computer Ltd
@ -166,7 +166,7 @@
acpi:FCS*:
ID_VENDOR_FROM_DATABASE=Focus Enhancements, Inc.
@@ -3038,7 +3073,7 @@
@@ -3059,7 +3094,7 @@
ID_VENDOR_FROM_DATABASE=General Standards Corporation
acpi:GSM*:
@ -175,7 +175,7 @@
acpi:GSN*:
ID_VENDOR_FROM_DATABASE=Grandstream Networks, Inc.
@@ -3148,6 +3183,9 @@
@@ -3169,6 +3204,9 @@
acpi:HEC*:
ID_VENDOR_FROM_DATABASE=Hisense Electric Co., Ltd.
@ -185,7 +185,7 @@
acpi:HEL*:
ID_VENDOR_FROM_DATABASE=Hitachi Micro Systems Europe Ltd
@@ -3283,6 +3321,9 @@
@@ -3304,6 +3342,9 @@
acpi:HSD*:
ID_VENDOR_FROM_DATABASE=HannStar Display Corp
@ -195,7 +195,7 @@
acpi:HSM*:
ID_VENDOR_FROM_DATABASE=AT&T Microelectronics
@@ -3409,6 +3450,9 @@
@@ -3430,6 +3471,9 @@
acpi:ICI*:
ID_VENDOR_FROM_DATABASE=Infotek Communication Inc
@ -205,7 +205,7 @@
acpi:ICM*:
ID_VENDOR_FROM_DATABASE=Intracom SA
@@ -3505,6 +3549,9 @@
@@ -3526,6 +3570,9 @@
acpi:IKE*:
ID_VENDOR_FROM_DATABASE=Ikegami Tsushinki Co. Ltd.
@ -215,7 +215,7 @@
acpi:IKS*:
ID_VENDOR_FROM_DATABASE=Ikos Systems Inc
@@ -3553,6 +3600,9 @@
@@ -3574,6 +3621,9 @@
acpi:IMX*:
ID_VENDOR_FROM_DATABASE=arpara Technology Co., Ltd.
@ -225,7 +225,7 @@
acpi:INA*:
ID_VENDOR_FROM_DATABASE=Inventec Corporation
@@ -4081,6 +4131,9 @@
@@ -4102,6 +4152,9 @@
acpi:LAN*:
ID_VENDOR_FROM_DATABASE=Sodeman Lancom Inc
@ -235,7 +235,7 @@
acpi:LAS*:
ID_VENDOR_FROM_DATABASE=LASAT Comm. A/S
@@ -4129,6 +4182,9 @@
@@ -4153,6 +4206,9 @@
acpi:LED*:
ID_VENDOR_FROM_DATABASE=Long Engineering Design Inc
@ -245,7 +245,7 @@
acpi:LEG*:
ID_VENDOR_FROM_DATABASE=Legerity, Inc
@@ -4147,6 +4203,9 @@
@@ -4171,6 +4227,9 @@
acpi:LGD*:
ID_VENDOR_FROM_DATABASE=LG Display
@ -255,7 +255,7 @@
acpi:LGI*:
ID_VENDOR_FROM_DATABASE=Logitech Inc
@@ -4213,6 +4272,9 @@
@@ -4237,6 +4296,9 @@
acpi:LND*:
ID_VENDOR_FROM_DATABASE=Land Computer Company Ltd
@ -265,7 +265,7 @@
acpi:LNK*:
ID_VENDOR_FROM_DATABASE=Link Tech Inc
@@ -4247,7 +4309,7 @@
@@ -4271,7 +4333,7 @@
ID_VENDOR_FROM_DATABASE=Design Technology
acpi:LPL*:
@ -274,7 +274,7 @@
acpi:LSC*:
ID_VENDOR_FROM_DATABASE=LifeSize Communications
@@ -4423,6 +4485,9 @@
@@ -4447,6 +4509,9 @@
acpi:MCX*:
ID_VENDOR_FROM_DATABASE=Millson Custom Solutions Inc.
@ -284,7 +284,7 @@
acpi:MDA*:
ID_VENDOR_FROM_DATABASE=Media4 Inc
@@ -4669,6 +4734,9 @@
@@ -4693,6 +4758,9 @@
acpi:MOM*:
ID_VENDOR_FROM_DATABASE=Momentum Data Systems
@ -294,7 +294,7 @@
acpi:MOS*:
ID_VENDOR_FROM_DATABASE=Moses Corporation
@@ -4909,6 +4977,9 @@
@@ -4933,6 +5001,9 @@
acpi:NAL*:
ID_VENDOR_FROM_DATABASE=Network Alchemy
@ -304,7 +304,7 @@
acpi:NAT*:
ID_VENDOR_FROM_DATABASE=NaturalPoint Inc.
@@ -5449,6 +5520,9 @@
@@ -5473,6 +5544,9 @@
acpi:PCX*:
ID_VENDOR_FROM_DATABASE=PC Xperten
@ -314,7 +314,7 @@
acpi:PDM*:
ID_VENDOR_FROM_DATABASE=Psion Dacom Plc.
@@ -5512,9 +5586,6 @@
@@ -5536,9 +5610,6 @@
acpi:PHE*:
ID_VENDOR_FROM_DATABASE=Philips Medical Systems Boeblingen GmbH
@ -324,7 +324,7 @@
acpi:PHL*:
ID_VENDOR_FROM_DATABASE=Philips Consumer Electronics Company
@@ -5605,9 +5676,6 @@
@@ -5629,9 +5700,6 @@
acpi:PNL*:
ID_VENDOR_FROM_DATABASE=Panelview, Inc.
@ -334,7 +334,7 @@
acpi:PNR*:
ID_VENDOR_FROM_DATABASE=Planar Systems, Inc.
@@ -6085,9 +6153,6 @@
@@ -6109,9 +6177,6 @@
acpi:RTI*:
ID_VENDOR_FROM_DATABASE=Rancho Tech Inc
@ -344,7 +344,7 @@
acpi:RTL*:
ID_VENDOR_FROM_DATABASE=Realtek Semiconductor Company Ltd
@@ -6262,9 +6327,6 @@
@@ -6286,9 +6351,6 @@
acpi:SEE*:
ID_VENDOR_FROM_DATABASE=SeeColor Corporation
@ -354,7 +354,7 @@
acpi:SEI*:
ID_VENDOR_FROM_DATABASE=Seitz & Associates Inc
@@ -6745,6 +6807,9 @@
@@ -6772,6 +6834,9 @@
acpi:SVD*:
ID_VENDOR_FROM_DATABASE=SVD Computer
@ -364,7 +364,7 @@
acpi:SVI*:
ID_VENDOR_FROM_DATABASE=Sun Microsystems
@@ -6829,6 +6894,9 @@
@@ -6856,6 +6921,9 @@
acpi:SZM*:
ID_VENDOR_FROM_DATABASE=Shenzhen MTC Co., Ltd
@ -374,7 +374,7 @@
acpi:TAA*:
ID_VENDOR_FROM_DATABASE=Tandberg
@@ -6919,6 +6987,9 @@
@@ -6946,6 +7014,9 @@
acpi:TDG*:
ID_VENDOR_FROM_DATABASE=Six15 Technologies
@ -384,7 +384,7 @@
acpi:TDM*:
ID_VENDOR_FROM_DATABASE=Tandem Computer Europe Inc
@@ -6961,6 +7032,9 @@
@@ -6988,6 +7059,9 @@
acpi:TEV*:
ID_VENDOR_FROM_DATABASE=Televés, S.A.
@ -394,7 +394,7 @@
acpi:TEZ*:
ID_VENDOR_FROM_DATABASE=Tech Source Inc.
@@ -7090,9 +7164,6 @@
@@ -7117,9 +7191,6 @@
acpi:TNC*:
ID_VENDOR_FROM_DATABASE=TNC Industrial Company Ltd
@ -404,7 +404,7 @@
acpi:TNM*:
ID_VENDOR_FROM_DATABASE=TECNIMAGEN SA
@@ -7402,14 +7473,14 @@
@@ -7429,14 +7500,14 @@
acpi:UNC*:
ID_VENDOR_FROM_DATABASE=Unisys Corporation
@ -425,7 +425,7 @@
acpi:UNI*:
ID_VENDOR_FROM_DATABASE=Uniform Industry Corp.
@@ -7444,6 +7515,9 @@
@@ -7471,6 +7542,9 @@
acpi:USA*:
ID_VENDOR_FROM_DATABASE=Utimaco Safeware AG
@ -435,7 +435,7 @@
acpi:USD*:
ID_VENDOR_FROM_DATABASE=U.S. Digital Corporation
@@ -7705,9 +7779,6 @@
@@ -7732,9 +7806,6 @@
acpi:WAL*:
ID_VENDOR_FROM_DATABASE=Wave Access
@ -445,7 +445,7 @@
acpi:WAV*:
ID_VENDOR_FROM_DATABASE=Wavephore
@@ -7835,7 +7906,7 @@
@@ -7862,7 +7933,7 @@
ID_VENDOR_FROM_DATABASE=WyreStorm Technologies LLC
acpi:WYS*:
@ -454,7 +454,7 @@
acpi:WYT*:
ID_VENDOR_FROM_DATABASE=Wooyoung Image & Information Co.,Ltd.
@@ -7849,9 +7920,6 @@
@@ -7876,9 +7947,6 @@
acpi:XDM*:
ID_VENDOR_FROM_DATABASE=XDM Ltd.
@ -464,7 +464,7 @@
acpi:XES*:
ID_VENDOR_FROM_DATABASE=Extreme Engineering Solutions, Inc.
@@ -7882,9 +7950,6 @@
@@ -7912,9 +7980,6 @@
acpi:XNT*:
ID_VENDOR_FROM_DATABASE=XN Technologies, Inc.
@ -474,7 +474,7 @@
acpi:XQU*:
ID_VENDOR_FROM_DATABASE=SHANGHAI SVA-DAV ELECTRONICS CO., LTD
@@ -7951,6 +8016,9 @@
@@ -7981,6 +8046,9 @@
acpi:ZBX*:
ID_VENDOR_FROM_DATABASE=Zebax Technologies

File diff suppressed because it is too large Load Diff

View File

@ -7142,6 +7142,9 @@ usb:v045Ep02E6*
usb:v045Ep02EA*
ID_MODEL_FROM_DATABASE=Xbox One Controller
usb:v045Ep02F3*
ID_MODEL_FROM_DATABASE=Xbox One Chatpad
usb:v045Ep02FD*
ID_MODEL_FROM_DATABASE=Xbox One S Controller [Bluetooth]
@ -14919,7 +14922,7 @@ usb:v04BFp1302*
ID_MODEL_FROM_DATABASE=i3 Gateway
usb:v04BFp1303*
ID_MODEL_FROM_DATABASE=3 Micro Module
ID_MODEL_FROM_DATABASE=i3 Micro Module
usb:v04BFp1304*
ID_MODEL_FROM_DATABASE=i3 Module
@ -19241,6 +19244,9 @@ usb:v04F9p2061*
usb:v04F9p2064*
ID_MODEL_FROM_DATABASE=PT-P700 P-touch Label Printer RemovableDisk
usb:v04F9p2065*
ID_MODEL_FROM_DATABASE=PT-P750W P-Touch Label Writer
usb:v04F9p2074*
ID_MODEL_FROM_DATABASE=PT-D600 P-touch Label Printer
@ -22259,6 +22265,9 @@ usb:v056Ap03EC*
usb:v056Ap03ED*
ID_MODEL_FROM_DATABASE=DTC121 [DTC121] touchscreen
usb:v056Ap03F0*
ID_MODEL_FROM_DATABASE=DTH135 [Movink 13]
usb:v056Ap0400*
ID_MODEL_FROM_DATABASE=PenPartner 4x5
@ -27089,6 +27098,9 @@ usb:v05E3p0760*
usb:v05E3p0761*
ID_MODEL_FROM_DATABASE=Genesys Mass Storage Device
usb:v05E3p0769*
ID_MODEL_FROM_DATABASE=SPR2801S [Lightspeeur 2801]
usb:v05E3p0780*
ID_MODEL_FROM_DATABASE=USBFS DFU Adapter
@ -32634,7 +32646,7 @@ usb:v079Bp005F*
ID_MODEL_FROM_DATABASE=Laser Pro LL [MFPrinter]
usb:v079Bp0062*
ID_MODEL_FROM_DATABASE=XG-76NA 802.11bg
ID_MODEL_FROM_DATABASE=XG-76NA / XG-760N 802.11b/g Wireless adapter
usb:v079Bp0078*
ID_MODEL_FROM_DATABASE=Laser Pro Monochrome MFP
@ -33446,6 +33458,9 @@ usb:v07CAp1830*
usb:v07CAp1871*
ID_MODEL_FROM_DATABASE=TD310 DVB-T/T2/C dongle
usb:v07CAp2553*
ID_MODEL_FROM_DATABASE=Live Gamer Ultra 2.1
usb:v07CAp3835*
ID_MODEL_FROM_DATABASE=AVerTV Volar Green HD (A835B)
@ -33479,6 +33494,9 @@ usb:v07CApB800*
usb:v07CApC039*
ID_MODEL_FROM_DATABASE=DVD EZMaker 7
usb:v07CApD553*
ID_MODEL_FROM_DATABASE=Live Gamer Ultra Pro-RGB
usb:v07CApE880*
ID_MODEL_FROM_DATABASE=MPEG-2 Capture Device (E880)
@ -36798,7 +36816,7 @@ usb:v0930p0B05*
ID_MODEL_FROM_DATABASE=PX1220E-1G25 External hard drive
usb:v0930p0B09*
ID_MODEL_FROM_DATABASE=PX1396E-3T01 External hard drive
ID_MODEL_FROM_DATABASE=PX139xE 3.5 External HDD
usb:v0930p0B1A*
ID_MODEL_FROM_DATABASE=STOR.E ALU 2S
@ -37199,6 +37217,9 @@ usb:v0944p0117*
usb:v0944p012F*
ID_MODEL_FROM_DATABASE=SQ-1
usb:v0944p0154*
ID_MODEL_FROM_DATABASE=NTS-1 digital kit mkII
usb:v0944p0203*
ID_MODEL_FROM_DATABASE=KRONOS
@ -38951,6 +38972,9 @@ usb:v0A5Cp5804*
usb:v0A5Cp5832*
ID_MODEL_FROM_DATABASE=BCM5880 Secure Applications Processor Smartcard reader
usb:v0A5Cp5843*
ID_MODEL_FROM_DATABASE=BCM58200 ControlVault 3 (FingerPrint sensor + Contacted SmartCard)
usb:v0A5Cp6300*
ID_MODEL_FROM_DATABASE=Pirelli Remote NDIS Device
@ -38999,6 +39023,12 @@ usb:v0A5Fp0027*
usb:v0A5Fp0050*
ID_MODEL_FROM_DATABASE=P120i / WM120i
usb:v0A5Fp0062*
ID_MODEL_FROM_DATABASE=GK420d Label Printer
usb:v0A5Fp0065*
ID_MODEL_FROM_DATABASE=ZM400 Label Printer
usb:v0A5Fp0080*
ID_MODEL_FROM_DATABASE=GK420d Label Printer
@ -39014,6 +39044,9 @@ usb:v0A5Fp008B*
usb:v0A5Fp008C*
ID_MODEL_FROM_DATABASE=ZP 450 Printer
usb:v0A5Fp00A1*
ID_MODEL_FROM_DATABASE=TLP2824 Plus
usb:v0A5Fp00D1*
ID_MODEL_FROM_DATABASE=GC420d Label Printer
@ -39044,6 +39077,9 @@ usb:v0A66*
usb:v0A67*
ID_VENDOR_FROM_DATABASE=Medeli Electronics Co., Ltd
usb:v0A67pFFFF*
ID_MODEL_FROM_DATABASE=LCS Audio
usb:v0A68*
ID_VENDOR_FROM_DATABASE=Comaide Corp.
@ -39678,7 +39714,7 @@ usb:v0AC9p0001*
ID_MODEL_FROM_DATABASE=BACKPACK 2 Cable
usb:v0AC9p0010*
ID_MODEL_FROM_DATABASE=BACKPACK
ID_MODEL_FROM_DATABASE=BACKPACK CD Drive
usb:v0AC9p0011*
ID_MODEL_FROM_DATABASE=Backpack 40GB Hard Drive
@ -39689,6 +39725,9 @@ usb:v0AC9p0110*
usb:v0AC9p0111*
ID_MODEL_FROM_DATABASE=BackPack
usb:v0AC9p10FF*
ID_MODEL_FROM_DATABASE=BACKPACK
usb:v0AC9p1234*
ID_MODEL_FROM_DATABASE=BACKPACK
@ -39864,7 +39903,7 @@ usb:v0AECp3216*
ID_MODEL_FROM_DATABASE=HS Card Reader
usb:v0AECp3260*
ID_MODEL_FROM_DATABASE=7-in-1 Card Reader
ID_MODEL_FROM_DATABASE=ND3260 7-in-1 Card Reader
usb:v0AECp5010*
ID_MODEL_FROM_DATABASE=ND5010 Card Reader
@ -40085,6 +40124,9 @@ usb:v0B05p17A1*
usb:v0B05p17AB*
ID_MODEL_FROM_DATABASE=USB-N13 802.11n Network Adapter (rev. B1) [Realtek RTL8192CU]
usb:v0B05p17B5*
ID_MODEL_FROM_DATABASE=Broadcom BCM20702A0 Bluetooth
usb:v0B05p17BA*
ID_MODEL_FROM_DATABASE=N10 Nano 802.11n Network Adapter [Realtek RTL8192CU]

View File

@ -83,6 +83,9 @@ usb:v1C7Ap0571*
# Supported by libfprint driver egismoc
usb:v1C7Ap0582*
usb:v1C7Ap0583*
usb:v1C7Ap0586*
usb:v1C7Ap0587*
usb:v1C7Ap05A1*
ID_AUTOSUSPEND=1
ID_PERSIST=0
@ -160,6 +163,7 @@ usb:v04F3p0C88*
usb:v04F3p0C8C*
usb:v04F3p0C8D*
usb:v04F3p0C99*
usb:v04F3p0C9F*
ID_AUTOSUSPEND=1
ID_PERSIST=0
@ -181,6 +185,8 @@ usb:v10A5pA305*
usb:v10A5pDA04*
usb:v10A5pD805*
usb:v10A5pD205*
usb:v10A5p9524*
usb:v10A5p9544*
ID_AUTOSUSPEND=1
ID_PERSIST=0
@ -204,6 +210,7 @@ usb:v27C6p63AC*
usb:v27C6p63BC*
usb:v27C6p63CC*
usb:v27C6p6496*
usb:v27C6p650A*
usb:v27C6p650C*
usb:v27C6p6582*
usb:v27C6p6584*
@ -213,6 +220,8 @@ usb:v27C6p6594*
usb:v27C6p659A*
usb:v27C6p659C*
usb:v27C6p6A94*
usb:v27C6p6512*
usb:v27C6p689A*
ID_AUTOSUSPEND=1
ID_PERSIST=0
@ -223,6 +232,7 @@ usb:v298Dp1010*
# Supported by libfprint driver realtek
usb:v0BDAp5813*
usb:v0BDAp5816*
ID_AUTOSUSPEND=1
ID_PERSIST=0
@ -232,6 +242,7 @@ usb:v06CBp00DF*
usb:v06CBp00F9*
usb:v06CBp00FC*
usb:v06CBp00C2*
usb:v06CBp00C4*
usb:v06CBp0100*
usb:v06CBp00F0*
usb:v06CBp0103*
@ -244,6 +255,8 @@ usb:v06CBp015F*
usb:v06CBp0104*
usb:v06CBp0173*
usb:v06CBp0106*
usb:v06CBp019D*
usb:v06CBp00C6*
ID_AUTOSUSPEND=1
ID_PERSIST=0
@ -340,7 +353,6 @@ usb:v06CBp00A8*
usb:v06CBp00B7*
usb:v06CBp00BB*
usb:v06CBp00BE*
usb:v06CBp00C4*
usb:v06CBp00CB*
usb:v06CBp00C9*
usb:v06CBp00D8*

View File

@ -1149,6 +1149,11 @@ evdev:name:SIPODEV Lenovo HID Device:dmi:*:svnLENOVO:*:pvrLenovoideapadD330-10IG
evdev:name:SIPODEV Lenovo HID Device Consumer Control:dmi:*:svnLENOVO:*:pvrLenovoideapadD330-10IGM:*
KEYBOARD_KEY_c00ff=fn_esc # Fn+Tab (FnLk toggle)
# Lenovo Thinkbook 16 G6+ 2024
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnLENOVO:pn21LG:pvr*
KEYBOARD_KEY_0a=!9
KEYBOARD_KEY_0b=!0
###########################################################
# LG
###########################################################
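Review bot: The Thinkbook 16 G6+ entry has no comment saying which keys scancodes `0a` and `0b` are or why they are mapped with the `!` prefix. The neighbouring entries in this hunk annotate each mapping (`# Fn+Tab (FnLk toggle)`); add the same kind of trailing comment to `KEYBOARD_KEY_0a=!9` and `KEYBOARD_KEY_0b=!0` so the quirk can be re-evaluated later.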
@ -1433,6 +1438,11 @@ evdev:input:b0003v046DpC309*
KEYBOARD_KEY_c01b6=images # My Pictures (F11)
KEYBOARD_KEY_c01b7=audio # My Music (F12)
# Logitech MX Keys for Mac
evdev:input:b0003v046Dp4092*
KEYBOARD_KEY_70035=102nd # '<' key
KEYBOARD_KEY_70064=grave # '^' key
###########################################################
# Maxdata
###########################################################

View File

@ -295,6 +295,10 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X:*
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X:*
ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 1
# Chuwi Hi10 X1
sensor:modalias:acpi:NSA2513*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X1:*
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
# Chuwi Hi10 Go
sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIINNOVATIONLIMITED:pnHi10Go:*
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0,-1, 0; 0, 0, 1
@ -376,11 +380,12 @@ sensor:modalias:acpi:KIOX000A*:dmi:*:svncube:pni1-TF:*
sensor:modalias:acpi:SMO8500*:dmi:*:svncube:pni7:*
ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1
# Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B)
# Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B/i18D)
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni7Stylus:*
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni8-L:*
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni16:*
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni18B:*
sensor:modalias:acpi:KIOX000A*:dmi:*:svnALLDOCUBE:pni18D:*
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
# Cube iWork 10 Flagship
@ -952,6 +957,15 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
#########################################
# Pine64
#########################################
# PineTab2
sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
#########################################
# Pipo
#########################################
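Review bot: The PineTab2 match `sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*` carries no board identifier, unlike the DMI entries around it that pin `svn` and `pn`. As written, the mount matrix applies to every device-tree system that exposes a `silan,sc7a20` node named `accelerometer`. If the match key cannot be narrowed for device-tree sensors, say so in the `# PineTab2` comment so that the next board using this chip does not silently inherit the orientation.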

View File

@ -71,6 +71,10 @@ usb:v0FD9p006D*
usb:v0FD9p0080*
ID_AV_PRODUCTION_CONTROLLER=1
# Stream Deck Neo
usb:v0FD9p009A*
ID_AV_PRODUCTION_CONTROLLER=1
# Stream Deck Plus
usb:v0FD9p0084*
ID_AV_PRODUCTION_CONTROLLER=1

View File

@ -122,4 +122,9 @@ IDEMIA,IDEM,06/26/2018
"ILI Technology Corp",ILIT,06/20/2023
"Hangzhou hj-micro Technology Co., Ltd",HJMC,07/31/2023
"Vervent Audio Group",NAIM,01/04/2024
"Das U-Boot",UBOO,02/14/2024
"Das U-Boot",UBOO,02/14/2024
3mdeb,DSHR,06/13/2024
"SigmaSense, LLC",SGSN,06/13/2024
"INIT - Innovative Informatikanwendungen GmbH",INIT,08/28/2024
"RISC-V International",RSCV,10/23/2023
"Ventana Micro Systems",VNTN,09/16/2024
1 Company ACPI ID Approved On Date
122 ILI Technology Corp ILIT 06/20/2023
123 Hangzhou hj-micro Technology Co., Ltd HJMC 07/31/2023
124 Vervent Audio Group NAIM 01/04/2024
125 Das U-Boot UBOO 02/14/2024
126 3mdeb DSHR 06/13/2024
127 SigmaSense, LLC SGSN 06/13/2024
128 INIT - Innovative Informatikanwendungen GmbH INIT 08/28/2024
129 RISC-V International RSCV 10/23/2023
130 Ventana Micro Systems VNTN 09/16/2024

File diff suppressed because it is too large Load Diff


View File

@ -2540,7 +2540,6 @@ AVARRO,RRO,08/07/2023
"LUMINO Licht Elektronik GmbH",LLT,11/07/2023
"Reonel Oy",RNL,01/04/2024
DemoPad Software Ltd,DEM,01/04/2024
DemoPad Software Ltd,DEM,01/04/2024
"TeamViewer Germany GmbH",TMV,01/04/2024
"Pixio USA",PXO,02/14/2024
"ELARABY COMPANY FOR ENGINEERING INDUSTRIES",EEI,02/14/2024
@ -2548,4 +2547,10 @@ DemoPad Software Ltd,DEM,01/04/2024
"Somnium Space Ltd.",SMN,02/29/2024
"Raspberry PI",RPL,05/07/2024
"DEIF A/S",DEF,05/10/2024
"Moka International limited",MOK,05/23/2024
"Moka International limited",MOK,05/23/2024
"Shure Inc.",SHU,06/13/2024
"Indicates an identity defined by CTS/DID Standards other than EDID",CID,06/28/2024
"Daten Tecnologia",DTM,06/15/2024
"LABAU Technology Corp.",LBC,08/05/2024
"Xiaomi Corporation",XMI,08/05/2024
"Airdrop Gaming LLC",ADG,09/03/2024
1 Company PNP ID Approved On Date
2540 LUMINO Licht Elektronik GmbH LLT 11/07/2023
2541 Reonel Oy RNL 01/04/2024
2542 DemoPad Software Ltd DEM 01/04/2024
DemoPad Software Ltd DEM 01/04/2024
2543 TeamViewer Germany GmbH TMV 01/04/2024
2544 Pixio USA PXO 02/14/2024
2545 ELARABY COMPANY FOR ENGINEERING INDUSTRIES EEI 02/14/2024
2547 Somnium Space Ltd. SMN 02/29/2024
2548 Raspberry PI RPL 05/07/2024
2549 DEIF A/S DEF 05/10/2024
2550 Moka International limited MOK 05/23/2024
2551 Shure Inc. SHU 06/13/2024
2552 Indicates an identity defined by CTS/DID Standards other than EDID CID 06/28/2024
2553 Daten Tecnologia DTM 06/15/2024
2554 LABAU Technology Corp. LBC 08/05/2024
2555 Xiaomi Corporation XMI 08/05/2024
2556 Airdrop Gaming LLC ADG 09/03/2024

View File

@ -9,8 +9,8 @@
# The latest version can be obtained from
# http://www.linux-usb.org/usb.ids
#
# Version: 2024.03.18
# Date: 2024-03-18 20:34:02
# Version: 2024.07.04
# Date: 2024-07-04 20:34:02
#
# Vendors, devices and interfaces. Please keep sorted.
@ -2400,6 +2400,7 @@
02e3 Xbox One Elite Controller
02e6 Xbox Wireless Adapter for Windows
02ea Xbox One Controller
02f3 Xbox One Chatpad
02fd Xbox One S Controller [Bluetooth]
02fe Xbox Wireless Adapter for Windows
0306 Surface Pro 7 SD Card Reader
@ -4992,7 +4993,7 @@
0a28 INDI AV-IN Device
1301 Network Controller
1302 i3 Gateway
1303 3 Micro Module
1303 i3 Micro Module
1304 i3 Module
1305 i3 Multi Sensing Module
04c1 U.S. Robotics (3Com)
@ -6433,6 +6434,7 @@
2060 PT-E550W P-touch Label Printer
2061 PT-P700 P-touch Label Printer
2064 PT-P700 P-touch Label Printer RemovableDisk
2065 PT-P750W P-Touch Label Writer
2074 PT-D600 P-touch Label Printer
209b QL-800 Label Printer
209c QL-810W Label Printer
@ -7439,6 +7441,7 @@
03dd PTH-460 [Intuos Pro BT (S)] tablet
03ec DTH134 [DTH134] touchscreen
03ed DTC121 [DTC121] touchscreen
03f0 DTH135 [Movink 13]
0400 PenPartner 4x5
4001 TPC4001
4004 TPC4004
@ -9049,6 +9052,7 @@
0752 micros Reader
0760 USB 2.0 Card Reader/Writer
0761 Genesys Mass Storage Device
0769 SPR2801S [Lightspeeur 2801]
0780 USBFS DFU Adapter
07a0 Pen Flash
0880 Wasp (SL-6612)
@ -10898,7 +10902,7 @@
0056 Agfa AP1100 Photo Printer
005d Mobile Mass Storage
005f Laser Pro LL [MFPrinter]
0062 XG-76NA 802.11bg
0062 XG-76NA / XG-760N 802.11b/g Wireless adapter
0078 Laser Pro Monochrome MFP
079d Alfadata Computer Corp.
0201 GamePort Adapter
@ -11169,6 +11173,7 @@
1228 MPEG-2 Capture Device (M038)
1830 AVerTV Volar Video Capture (H830)
1871 TD310 DVB-T/T2/C dongle
2553 Live Gamer Ultra 2.1
3835 AVerTV Volar Green HD (A835B)
850a AverTV Volar Black HD (A850)
850b AverTV Red HD+ (A850T)
@ -11180,6 +11185,7 @@
b300 A300 DVB-T TV receiver
b800 MR800 FM Radio
c039 DVD EZMaker 7
d553 Live Gamer Ultra Pro-RGB
e880 MPEG-2 Capture Device (E880)
e882 MPEG-2 Capture Device (E882)
07cb Kingmax Technology, Inc.
@ -12286,7 +12292,7 @@
0a0b WLU5053 802.11abgn Wireless Module [Broadcom BCM43236B]
0a13 AX88179 Gigabit Ethernet [Toshiba]
0b05 PX1220E-1G25 External hard drive
0b09 PX1396E-3T01 External hard drive
0b09 PX139xE 3.5 External HDD
0b1a STOR.E ALU 2S
1300 Wireless Broadband (CDMA EV-DO) SM-Bus Minicard Status Port
1301 Wireless Broadband (CDMA EV-DO) Minicard Status Port
@ -12420,6 +12426,7 @@
010f nanoKONTROL studio controller
0117 nanoKONTROL2 MIDI Controller
012f SQ-1
0154 NTS-1 digital kit mkII
0203 KRONOS
0f03 K-Series K61P MIDI studio controller
0945 Pasco Scientific
@ -13004,6 +13011,7 @@
5803 BCM5880 Secure Applications Processor with secure keyboard
5804 BCM5880 Secure Applications Processor with fingerprint swipe sensor
5832 BCM5880 Secure Applications Processor Smartcard reader
5843 BCM58200 ControlVault 3 (FingerPrint sensor + Contacted SmartCard)
6300 Pirelli Remote NDIS Device
6410 BCM20703A1 Bluetooth 4.1 + LE
bd11 BCM4320 802.11bg Wireless Adapter
@ -13020,11 +13028,14 @@
0009 LP2844 Printer
0027 ZTC LP2844-Z-200dpi
0050 P120i / WM120i
0062 GK420d Label Printer
0065 ZM400 Label Printer
0080 GK420d Label Printer
0081 GK420t Label Printer
0084 GX420d Desktop Label Printer
008b HC100 wristbands Printer
008c ZP 450 Printer
00a1 TLP2824 Plus
00d1 GC420d Label Printer
0110 ZD500 Desktop Label Printer
011c ZD410 Direct Thermal Label Printer
@ -13035,6 +13046,7 @@
0010 MPMan MP-F40 MP3 Player
0a66 ClearCube Technology
0a67 Medeli Electronics Co., Ltd
ffff LCS Audio
0a68 Comaide Corp.
0a69 Chroma ate, Inc.
0a6b Green House Co., Ltd
@ -13246,10 +13258,11 @@
0ac9 Micro Solutions, Inc.
0000 Backpack CD-ReWriter
0001 BACKPACK 2 Cable
0010 BACKPACK
0010 BACKPACK CD Drive
0011 Backpack 40GB Hard Drive
0110 BACKPACK
0111 BackPack
10ff BACKPACK
1234 BACKPACK
0aca OPEN Networks Ltd
1060 OPEN NT1 Plus II
@ -13308,7 +13321,7 @@
3102 MemoryStick Card Reader
3201 MMC/SD+MemoryStick Card Reader
3216 HS Card Reader
3260 7-in-1 Card Reader
3260 ND3260 7-in-1 Card Reader
5010 ND5010 Card Reader
0af0 Option
5000 UMTS Card
@ -13382,6 +13395,7 @@
17a0 Xonar U3 sound card
17a1 Eee Note EA800 (mass storage mode)
17ab USB-N13 802.11n Network Adapter (rev. B1) [Realtek RTL8192CU]
17b5 Broadcom BCM20702A0 Bluetooth
17ba N10 Nano 802.11n Network Adapter [Realtek RTL8192CU]
17c2 ROG Spitfire
17c7 WL-330NUL

View File

@ -526,6 +526,35 @@
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--secure-boot-auto-enroll=yes|no</option></term>
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<listitem><para>Configure the ESP for secure boot auto-enrollment when invoking the
<command>install</command> command. Takes a boolean argument. Disabled by default. Enabling this
option will make <command>bootctl</command> populate the ESP with signed <literal>PK</literal>,
<literal>KEK</literal> and <literal>db</literal> signature databases, each containing the given
certificate in <literal>DER</literal> format as their only entry. These secure boot signature
databases will be picked up and enrolled by <command>systemd-boot</command> if secure boot is in
setup mode and secure boot auto-enrollment is enabled.</para>
<para>When specifying this option, a certificate and private key have to be provided as well using
the <option>--certificate=</option> and <option>--private-key=</option> options. The
<option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate or a URI
that's passed to the OpenSSL provider configured with <option>--certificate-source</option> which
takes one of <literal>file</literal> or <literal>provider</literal>, with the latter being followed
by a specific provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>.
The <option>--private-key=</option> option can take a path or a URI that will be passed to the
OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
signing engine or provider will be used to sign the EFI signature lists.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="no-pager"/>
<xi:include href="standard-options.xml" xpointer="json" />
<xi:include href="standard-options.xml" xpointer="help"/>
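Review bot: In the second paragraph of the new entry, <option>--certificate-source</option> is written without the trailing "=" although --certificate=, --private-key= and --private-key-source= all carry it; please make it <option>--certificate-source=</option>. The five <term> lines share one description that opens with "Takes a boolean argument", which only holds for --secure-boot-auto-enroll=, so either say that explicitly or give the key and certificate options their own entry. The text also lets --certificate-source= take only file or provider, while --private-key-source= is described as accepting an engine or a provider; if that asymmetry is intended, state it, otherwise align the two descriptions.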

View File

@ -417,7 +417,8 @@
</varlistentry>
<varlistentry>
<term><option>--num-matches=<replaceable>NUMBER</replaceable></option></term>
<term><option>--limit-messages=<replaceable>NUMBER</replaceable></option></term>
<term><option>-N <replaceable>NUMBER</replaceable></option></term>
<listitem>
<para>When used with the <command>monitor</command> command, if enabled will make

View File

@ -106,17 +106,17 @@
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>busctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>busctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -110,14 +110,14 @@
</varlistentry>
<varlistentry>
<term><varname>AccessContainer=</varname></term>
<term><varname>EnterNamespace=</varname></term>
<listitem><para>Controls whether <command>systemd-coredump</command> will attempt to use the mount tree of
a process that crashed within a container. Access to the container's filesystem might be necessary to generate
a process that crashed in PID namespace. Access to the namespace's mount tree might be necessary to generate
a fully symbolized backtrace. If set to <literal>yes</literal>, then <command>systemd-coredump</command> will
obtain the mount tree from corresponding mount namespace and will try to generate the stack trace using the
binary and libraries from the mount namespace. Note that the coredump of the containerized process might
still be saved in <filename>/var/lib/systemd/coredump/</filename> even if <varname>AccessContainer=</varname>
binary and libraries from the mount namespace. Note that the coredump of the namespaced process might
still be saved in <filename>/var/lib/systemd/coredump/</filename> even if <varname>EnterNamespace=</varname>
is set to <literal>no</literal>. Defaults to <literal>no</literal>.</para>
<xi:include href="version-info.xml" xpointer="v257"/>
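Review bot: The rewritten line "a process that crashed in PID namespace" is missing an article and should read "in a PID namespace"; the unchanged "from corresponding mount namespace" below it wants "the" as well. With the rename to EnterNamespace=, the paragraph now keys the behaviour on a PID namespace but takes the mount tree from a mount namespace, so a clause saying how the two relate would help. Since enabling the setting makes systemd-coredump build the stack trace from the binary and libraries found inside the crashed process's namespace, one sentence on why the default is no would help administrators decide whether to turn it on.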

View File

@ -903,7 +903,7 @@
<term><option>tpm2-pcrlock=</option></term>
<listitem><para>Takes an absolute path to a TPM2 pcrlock policy file, as produced by the
<citerefentry><refentrytitle>systemd-pcrlock</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<citerefentry><refentrytitle>systemd-pcrlock</refentrytitle><manvolnum>8</manvolnum></citerefentry>
tool. This permits locking LUKS2 volumes to a local policy of allowed PCR values with
variants. See
<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
@ -950,7 +950,7 @@
for supported formats). Defaults to 30s. Once the specified timeout elapsed authentication via
password is attempted. Note that this timeout applies to waiting for the security device to show up —
it does not apply to the PIN prompt for the device (should one be needed) or similar. Pass 0 to turn
off the time-out and wait forever.</para>
off the timeout and wait forever.</para>
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
</varlistentry>

View File

@ -18,5 +18,5 @@
<!ENTITY DEFAULT_TIMEOUT "{{DEFAULT_TIMEOUT_SEC}} s">
<!ENTITY DEFAULT_USER_TIMEOUT "{{DEFAULT_USER_TIMEOUT_SEC}} s">
<!ENTITY DEFAULT_KEYMAP "{{SYSTEMD_DEFAULT_KEYMAP}}">
<!ENTITY fedora_latest_version "40">
<!ENTITY fedora_cloud_release "1.10">
<!ENTITY fedora_latest_version "41">
<!ENTITY fedora_cloud_release "1.4">

View File

@ -684,6 +684,15 @@ fi</programlisting>
<citerefentry><refentrytitle>file-hierarchy</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
</refsect1>
<refsect1>
<title>Notes</title>
<para>
All example codes in this page are licensed under <literal>MIT No Attribution</literal>
(SPDX-License-Identifier: MIT-0).
</para>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
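Review bot: In the new Notes section, "All example codes in this page are licensed" should read "All example code on this page is licensed", since "code" is uncountable in this sense. The paragraph gives both the license name and the SPDX identifier, which is good; consider using the same wording in every man page that carries examples so the notice can be searched for consistently.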

View File

@ -86,7 +86,7 @@
PATH=/opt/foo/bin:$PATH
LD_LIBRARY_PATH=/opt/foo/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
XDG_DATA_DIRS=/opt/foo/share:${XDG_DATA_DIRS:-/usr/local/share/:/usr/share/}
</programlisting>
</programlisting>
</example>
</refsect2>
</refsect1>
@ -114,10 +114,10 @@
invoked, for example from the system service manager or via a PAM module.</para>
<para>Specifically, for ssh logins, the
<citerefentry project='die-net'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
service builds an environment that is a combination of variables forwarded from the remote system and
defined by <command>sshd</command>, see the discussion in
<citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
A graphical display session will have an analogous mechanism to define the environment. Note that some
managers query the systemd user instance for the exported environment and inject this configuration into
programs they start, using <command>systemctl show-environment</command> or the underlying D-Bus call.

View File

@ -215,8 +215,8 @@
below this directory is subject to specifications that ensure interoperability.</para>
<para>Note that resources placed in this directory typically are under shared ownership,
i.e. multiple different packages have provide and consume these resources, on equal footing, without
any obvious primary owner. This makes makes things systematically different from
i.e. multiple different packages have provided and consumed these resources, on equal footing, without
any obvious primary owner. This makes things systematically different from
<filename>/usr/lib/</filename>, where ownership is generally not shared.</para></listitem>
</varlistentry>
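Review bot: The replacement line "multiple different packages have provided and consumed these resources" turns a description of an ongoing arrangement into the past tense; dropping "have" instead gives "multiple different packages provide and consume these resources", which matches the rest of the paragraph. The "makes makes" fix on the following line is fine as it stands.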

View File

@ -378,7 +378,7 @@
<listitem><para>Takes a comma- or colon-separated list of languages preferred by the user, ordered
by descending priority. The <varname>$LANG</varname> and <varname>$LANGUAGE</varname> environment
variables are initialized from this value on login, and thus values suitible for these environment
variables are initialized from this value on login, and thus values suitable for these environment
variables are accepted here, for example <option>--language=de_DE.UTF-8</option>. This option may
be used more than once, in which case the language lists are concatenated.</para>

View File

@ -145,10 +145,8 @@ PROPERTY_WITH_SPACES=some string</programlisting>
<refsect1>
<title>See Also</title>
<para>
<citerefentry>
<refentrytitle>systemd-hwdb</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd-hwdb</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -40,7 +40,7 @@
<citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para><command>importctl</command> operates both on block-level disk images (such as DDIs) as well as
file-system-level images (tarballs). It supports disk images are one of the four following
file-system-level images (tarballs). It supports disk images in one of the four following
classes:</para>
<itemizedlist>
@ -50,7 +50,7 @@
managed via
<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
<listitem><para>Portable service images, that may be attached an managed via
<listitem><para>Portable service images, that may be attached and managed via
<citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
<listitem><para>System extension (sysext) images, that may be activated via
@ -128,12 +128,13 @@
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
a read-only subvolume/directory in the image directory that is named after the specified URL and its
HTTP etag. A writable snapshot is then taken from this subvolume, and named after the specified local
HTTP etag (see <ulink url="https://en.wikipedia.org/wiki/HTTP_ETag">HTTP ETag</ulink> for more
information). A writable snapshot is then taken from this subvolume, and named after the specified local
name. This behavior ensures that creating multiple instances of the same URL is efficient, as
multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
its writable snapshot, specify <literal>-</literal> as local name.</para>
<para>Note that pressing C-c during execution of this command will not abort the download. Use
<para>Note that pressing Control-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
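Review bot: The context line at the top of this hunk spells the option <option>-keep-download=yes</option> with a single leading dash, and the same spelling recurs in the pull-raw description further down; since both paragraphs are being touched anyway, correct them to <option>--keep-download=yes</option>. For the new ETag link, a reference to the HTTP specification would be a more stable target than a Wikipedia article, if the project has a preference for primary sources.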
@ -145,14 +146,14 @@
<listitem><para>Downloads a <filename>.raw</filename> disk image from the specified URL, and makes it
available under the specified local name in the image directory for the selected
<option>--class=</option>. The URL must be of type <literal>http://</literal> or
<literal>https://</literal>. The image must either be a <filename>.qcow2</filename> or raw disk
<literal>https://</literal>. The image must either be a qcow2 or raw disk
image, optionally compressed as <filename>.gz</filename>, <filename>.xz</filename>, or
<filename>.bz2</filename>. If the local name is omitted, it is automatically derived from the last
component of the URL, with its suffix removed.</para>
<para>Image verification is identical for raw and tar images (see above).</para>
<para>If the downloaded image is in <filename>.qcow2</filename> format it is converted into a raw
<para>If the downloaded image is in qcow2 format it is converted into a raw
image file before it is made available.</para>
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
@ -162,7 +163,7 @@
necessary. In order to create only the read-only image, and avoid creating its writable copy,
specify <literal>-</literal> as local name.</para>
<para>Note that pressing C-c during execution of this command will not abort the download. Use
<para>Note that pressing Control-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
@ -174,8 +175,14 @@
<listitem><para>Imports a TAR or RAW image, and places it under the specified name in the image
directory for the image class selected via <option>--class=</option>. When
<command>import-tar</command> is used, the file specified as the first argument should be a tar
archive, possibly compressed with xz, gzip or bzip2. It will then be unpacked into its own
<command>import-tar</command> is used, the file specified as the first argument should be a
<citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry>
archive, possibly compressed with
<citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
or
<citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
It will then be unpacked into its own
subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw
disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image
name) is not specified, it is automatically derived from the file name. If the filename is passed as
@ -196,7 +203,9 @@
<listitem><para>Imports an image stored in a local directory into the image directory for the image
class selected via <option>--class=</option> and operates similarly to <command>import-tar</command>
or <command>import-raw</command>, but the first argument is the source directory. If supported, this
command will create a btrfs snapshot or subvolume for the new image.</para>
command will create a
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
snapshot or subvolume for the new image.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
@ -207,9 +216,13 @@
<listitem><para>Exports a TAR or RAW image and stores it in the specified file. The first parameter
should be an image name. The second parameter should be a file path the TAR or RAW
image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with gzip, if
it ends in <literal>.xz</literal>, with xz, and if it ends in <literal>.bz2</literal>, with bzip2. If
the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with
<citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
if it ends in <literal>.xz</literal>, with
<citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
and if it ends in <literal>.bz2</literal>, with
<citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
If the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
is written to standard output. The compression may also be explicitly selected with the
<option>--format=</option> switch. This is in particular useful if the second parameter is left
unspecified.</para>

View File

@ -91,7 +91,7 @@
configures the time to wait for the connectivity to get restored. If the server is
not reachable over the network for the configured time, <command>systemd-journal-upload</command>
exits. Takes a value in seconds (or in other time units if suffixed with "ms", "min", "h", etc).
For details, see <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
For details, see <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
</para>
<xi:include href="version-info.xml" xpointer="v249"/></listitem>

View File

@ -421,7 +421,7 @@
<term><varname>rd.systemd.verity=</varname></term>
<term><varname>systemd.verity_root_data=</varname></term>
<term><varname>systemd.verity_root_hash=</varname></term>
<term><varname>systemd.verity.root_options=</varname></term>
<term><varname>systemd.verity_root_options=</varname></term>
<term><varname>usrhash=</varname></term>
<term><varname>systemd.verity_usr_data=</varname></term>
<term><varname>systemd.verity_usr_hash=</varname></term>

View File

@ -35,7 +35,8 @@
#include &lt;systemd/sd-login.h&gt;
#include &lt;systemd/sd-messages.h&gt;
#include &lt;systemd/sd-path.h&gt;
</programlisting>
#include &lt;systemd/sd-varlink.h&gt;
</programlisting>
<cmdsynopsis>
<command>pkg-config --cflags --libs libsystemd</command>
@ -61,8 +62,9 @@
<citerefentry><refentrytitle>sd-id128</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd-json</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
and
<citerefentry><refentrytitle>sd-login</refentrytitle><manvolnum>3</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>sd-varlink</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for information about different parts of the library interface.</para>
</refsect1>
@ -80,7 +82,7 @@
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>libudev</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>libudev</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink></member>
</simplelist></para>

View File

@ -362,7 +362,7 @@ attr=NON_VOLATILE,RUNTIME_ACCESS,BOOTSERVICE_ACCESS,TIME_BASED_AUTHENTICATED_WRI
sbvarsign --attr "${attr}" --key PK.key --cert PK.pem --output PK.auth PK PK.esl
sbvarsign --attr "${attr}" --key PK.key --cert PK.pem --output KEK.auth KEK KEK.esl
sbvarsign --attr "${attr}" --key KEK.key --cert KEK.pem --output db.auth db db.esl
</programlisting>
</programlisting>
<para>This feature is considered dangerous because even if all the required files are signed with the
keys being loaded, some files necessary for the system to function properly still won't be. This
@ -409,7 +409,7 @@ sbvarsign --attr "${attr}" --key KEK.key --cert KEK.pem --output db.auth db db.e
timeout 0
default 01234567890abcdef1234567890abdf0-*
editor no
</programlisting>
</programlisting>
<para>The menu will not be shown by default (the menu can still be shown by
pressing and holding a key during boot). One of the entries with files with a

View File

@ -413,14 +413,23 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR)
<term>
<command>reload</command>
</term>
<listitem><para>Reload <filename>.netdev</filename> and <filename>.network</filename> files.
If a new <filename>.netdev</filename> file is found, then the corresponding netdev is created.
Note that even if an existing <filename>.netdev</filename> is modified or removed,
<command>systemd-networkd</command> does not update or remove the netdev.
If a new, modified or removed <filename>.network</filename> file is found, then all interfaces
which match the file are reconfigured.</para>
<listitem>
<para>Reload <filename>.netdev</filename> and <filename>.network</filename> files.</para>
<xi:include href="version-info.xml" xpointer="v244"/></listitem>
<para>If a new or modified <filename>.netdev</filename> file is found, then the corresponding
netdev is created or updated, respectively. Note, if the corresponding interface already exists,
then some of new settings may not be applied. E.g., VLAN ID cannot be changed after the interface
was created, so changing [VLAN] <varname>Id=</varname> will not take effect if the matching VLAN
interface already exists. To apply such settings, the interfaces need to be removed manually before
reload. Also note that even if a <filename>.netdev</filename> file is removed,
<command>systemd-networkd</command> does not remove the existing netdev corresponding to the file.
</para>
<para>If a new, modified, or removed <filename>.network</filename> file is found, then all
interfaces that matched the file are reconfigured.</para>
<xi:include href="version-info.xml" xpointer="v244"/>
</listitem>
</varlistentry>
<varlistentry>
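Review bot: In the new .netdev paragraph, "some of new settings may not be applied" is missing an article ("some of the new settings"), and "Note, if" reads better as "Note that if". The paragraph tells the reader that interfaces "need to be removed manually before reload" but gives only the VLAN Id= example; pointing to where the non-updatable settings are listed, or stating that there is no such list, would save the reader from finding out by trial. It would also help to say whether a reload logs anything when a changed setting is skipped, since otherwise the stale configuration is silent.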

View File

@ -175,7 +175,7 @@ netgroup: nis</programlisting>
<member><citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>

View File

@ -55,7 +55,7 @@ node /org/freedesktop/LogControl1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -89,7 +89,9 @@ node /org/freedesktop/LogControl1 {
<citerefentry project="man-pages"><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> call).
</para>
<para>Those two properties are writable, so they may be set by sufficiently privileged users.</para>
<caution><title>Write Access</title><para>The <varname>LogLevel</varname> and
<varname>LogTarget</varname> properties are supposed to be writable. Care should be taken to ensure
that only appropriately privileged clients can modify them.</para></caution>
<para><varname>SyslogIdentifier</varname> is a read-only property that shows the "syslog identifier".
It is a short string that identifies the program that is the source of log messages that is passed to
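Review bot: In the new caution, "are supposed to be writable" leaves it unclear whether writability is a requirement on implementations or just an observation; the sentence it replaces said plainly that the properties "are writable". Suggest "The LogLevel and LogTarget properties are writable" and then naming what "appropriately privileged" means for an implementer, for example which check is expected before a write to either property is accepted, so that the caution is actionable rather than advisory.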
@ -127,6 +129,11 @@ node /org/freedesktop/LogControl1 {
<para>This creates a simple server on the bus. It implements the LogControl1 interface by providing
the required properties and allowing to set the writable ones. It logs at the configured log level using
<citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
<para>Note that when porting this example to other D-Bus libraries it might be necessary to add manual
client privilege checks, as they typically do not default to the restrictive defaults of sd-bus, where
unprivileged access to properties is controlled via the <constant>SD_BUS_VTABLE_UNPRIVILEGED</constant>
flag that is opt-in rather than opt-out.</para>
</example>
</refsect1>
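Review bot: The added note is a single long sentence whose key clause, "do not default to the restrictive defaults of sd-bus", is hard to parse. Suggest splitting it: first state that sd-bus rejects unprivileged access to properties unless the vtable entry carries SD_BUS_VTABLE_UNPRIVILEGED, then state that other D-Bus libraries may accept such writes by default, so a port has to check the caller's privileges itself before changing LogLevel or LogTarget. Saying that the example relies on this sd-bus behaviour would also tie the note to the code it sits under.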

View File

@ -125,7 +125,7 @@ node /org/freedesktop/home1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -337,7 +337,7 @@ node /org/freedesktop/home1 {
can be used to further customize the behavior of this method via flags defined as follows:</para>
<programlisting>
#define SD_HOMED_UPDATE_OFFLINE (UINT64_C(1) &lt;&lt; 0)
</programlisting>
</programlisting>
<para>When <constant>SD_HOMED_UPDATE_OFFLINE</constant> (0x01) is set, no attempt is made to update the copies
of the user record and blob directory that are embedded into the home directory. Changes will be stored, however,
and may be propagated into the home directory the next time it is reconciled (most likely when the user next logs in).
@ -495,7 +495,7 @@ node /org/freedesktop/home1/home {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.DBus.ObjectManager { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->

View File

@ -106,7 +106,7 @@ node /org/freedesktop/hostname1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -259,7 +259,7 @@ node /org/freedesktop/hostname1 {
are not necessary. Use
<citerefentry project="man-pages"><refentrytitle>gethostname</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
<filename>/etc/hostname</filename> (possibly with per-distribution fallbacks), and
<citerefentry><refentrytitle>machine-info</refentrytitle><manvolnum>3</manvolnum></citerefentry>
<citerefentry><refentrytitle>machine-info</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for that. For more information on these files and syscalls see the respective man pages.</para>
<para><varname>KernelName</varname>, <varname>KernelRelease</varname>, and
@ -376,7 +376,7 @@ node /org/freedesktop/hostname1 {
<para>To properly handle name lookups with changing local hostnames without having to edit
<filename>/etc/hosts</filename>, we recommend using <filename>systemd-hostnamed</filename> in combination
with <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
with <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para>
<para>Here are some recommendations to follow when generating a static (internet) hostname from a pretty
@ -427,8 +427,6 @@ node /org/freedesktop/hostname1 {
name.</para>
</refsect1>
<xi:include href="org.freedesktop.locale1.xml" xpointer="versioning"/>
<refsect1>
<title>Examples</title>
@ -438,16 +436,11 @@ node /org/freedesktop/hostname1 {
<programlisting>$ gdbus introspect --system \
--dest org.freedesktop.hostname1 \
--object-path /org/freedesktop/hostname1
</programlisting>
</programlisting>
</example>
</refsect1>
<refsect1>
<title>See Also</title>
<para>David Zeuthen's original Fedora
<ulink url="https://fedoraproject.org/wiki/Features/BetterHostname">Feature page about xdg-hostname</ulink></para>
</refsect1>
<xi:include href="org.freedesktop.locale1.xml" xpointer="versioning"/>
<refsect1>
<title>History</title>
@ -462,4 +455,16 @@ node /org/freedesktop/hostname1 {
<varname>VSockCID</varname> were added in version 256.</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-hostnamed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member>David Zeuthen's original Fedora
<ulink url="https://fedoraproject.org/wiki/Features/BetterHostname">Feature page about xdg-hostname</ulink></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -155,7 +155,7 @@ node /org/freedesktop/import1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -362,7 +362,7 @@ node /org/freedesktop/import1/transfer/_1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -439,7 +439,7 @@ node /org/freedesktop/import1/transfer/_1 {
<programlisting>$ gdbus introspect --system \
--dest org.freedesktop.import1 \
--object-path /org/freedesktop/import1
</programlisting>
</programlisting>
</example>
<example>
@ -448,11 +448,12 @@ node /org/freedesktop/import1/transfer/_1 {
<programlisting>$ gdbus introspect --system \
--dest org.freedesktop.import1 \
--object-path /org/freedesktop/import1/transfer/_1
</programlisting>
</programlisting>
</example>
</refsect1>
<xi:include href="org.freedesktop.locale1.xml" xpointer="versioning"/>
<refsect1>
<title>History</title>
<refsect2>
@ -469,4 +470,13 @@ node /org/freedesktop/import1/transfer/_1 {
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>importctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -63,7 +63,7 @@ node /org/freedesktop/locale1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -175,7 +175,7 @@ node /org/freedesktop/locale1 {
$ gdbus introspect --system \
--dest org.freedesktop.locale1 \
--object-path /org/freedesktop/locale1
</programlisting>
</programlisting>
</example>
</refsect1>
@ -185,4 +185,14 @@ $ gdbus introspect --system \
<para>These D-Bus interfaces follow <ulink url="https://0pointer.de/blog/projects/versioning-dbus.html">
the usual interface versioning guidelines</ulink>.</para>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-localed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -216,6 +216,7 @@ node /org/freedesktop/login1 {
readonly t IdleSinceHint = ...;
readonly t IdleSinceHintMonotonic = ...;
readonly s BlockInhibited = '...';
readonly s BlockWeakInhibited = '...';
readonly s DelayInhibited = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly t InhibitDelayMaxUSec = ...;
@ -288,7 +289,7 @@ node /org/freedesktop/login1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--property SleepOperation is not documented!-->
@ -488,6 +489,8 @@ node /org/freedesktop/login1 {
<variablelist class="dbus-property" generated="True" extra-ref="BlockInhibited"/>
<variablelist class="dbus-property" generated="True" extra-ref="BlockWeakInhibited"/>
<variablelist class="dbus-property" generated="True" extra-ref="DelayInhibited"/>
<variablelist class="dbus-property" generated="True" extra-ref="InhibitDelayMaxUSec"/>
@ -670,18 +673,20 @@ node /org/freedesktop/login1 {
#define SD_LOGIND_SOFT_REBOOT (UINT64_C(1) &lt;&lt; 2)
#define SD_LOGIND_SOFT_REBOOT_IF_NEXTROOT_SET_UP (UINT64_C(1) &lt;&lt; 3)
#define SD_LOGIND_SKIP_INHIBITORS (UINT64_C(1) &lt;&lt; 4)
</programlisting>
</programlisting>
<para>When the <varname>flags</varname> is 0 then these methods behave just like the versions without
flags. Since systemd version 256 <constant>SD_LOGIND_ROOT_CHECK_INHIBITORS</constant> (0x01) is deprecated,
and active inhibitors are always honoured by default for privileged users too, and a new flag
<constant>SD_LOGIND_SKIP_INHIBITORS</constant> (0x04) can be specified to bypass inhibitors. When
<constant>SD_LOGIND_KEXEC_REBOOT</constant> (0x02) is set, then <function>RebootWithFlags()</function>
performs a kexec reboot if kexec kernel is loaded. When <constant>SD_LOGIND_SOFT_REBOOT</constant>
(0x04) is set, or <constant>SD_LOGIND_SOFT_REBOOT_IF_NEXTROOT_SET_UP</constant> (0x08) is set and a
new root file system has been set up on <literal>/run/nextroot/</literal>, then
<function>RebootWithFlags()</function> performs a userspace reboot only.
<constant>SD_LOGIND_SOFT_REBOOT_IF_NEXTROOT_SET_UP</constant> and
<constant>SD_LOGIND_KEXEC_REBOOT</constant> can be combined, with soft-reboot having precedence.</para>
flags. Since systemd version 257 active inhibitors are honoured by default for privileged users too.
<constant>SD_LOGIND_ROOT_CHECK_INHIBITORS</constant> (0x01) now only applies to weak inhibitors, to
request that they honoured for privileged users too, since they ignore them by default. A new flag
<constant>SD_LOGIND_SKIP_INHIBITORS</constant> (0x04) can be specified to bypass all types of
inhibitors. When <constant>SD_LOGIND_KEXEC_REBOOT</constant> (0x02) is set, then
<function>RebootWithFlags()</function> performs a kexec reboot if kexec kernel is loaded. When
<constant>SD_LOGIND_SOFT_REBOOT</constant> (0x04) is set, or
<constant>SD_LOGIND_SOFT_REBOOT_IF_NEXTROOT_SET_UP</constant> (0x08) is set and a new root file system
has been set up on <literal>/run/nextroot/</literal>, then <function>RebootWithFlags()</function>
performs a userspace reboot only. <constant>SD_LOGIND_SOFT_REBOOT_IF_NEXTROOT_SET_UP</constant> and
<constant>SD_LOGIND_KEXEC_REBOOT</constant> can be combined, with soft-reboot having precedence.
</para>
<para><function>SetRebootParameter()</function> sets a parameter for a subsequent reboot operation.
See the description of <command>reboot</command> in
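Review bot: the rewritten flags paragraph gives SD_LOGIND_SKIP_INHIBITORS as (0x04), but the listing directly above it defines that flag as UINT64_C(1) << 4, which is 0x10; 0x04 is the value of SD_LOGIND_SOFT_REBOOT, which the same paragraph also labels 0x04. Please correct the value, since a caller copying the hex constant from the prose would request a soft reboot instead of an inhibitor bypass. In the same paragraph, "to request that they honoured for privileged users too" is missing "are", and "since they ignore them by default" has two ambiguous pronouns; something like "since privileged users ignore weak inhibitors by default" would read more clearly.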
@ -738,11 +743,10 @@ node /org/freedesktop/login1 {
should be a short human readable string identifying the reason why the lock is taken. Finally,
<varname>mode</varname> is either <literal>block</literal> or <literal>delay</literal> which encodes
whether the inhibit shall be consider mandatory or whether it should just delay the operation to a
certain maximum time, while the <literal>block-weak</literal> and <literal>delay-weak</literal>
variants will create an inhibitor that is automatically ignored in some circumstances. The method
returns a file descriptor. The lock is released the moment this file descriptor and all its duplicates
are closed. For more information on the inhibition logic see
<ulink url="https://systemd.io/INHIBITOR_LOCKS">Inhibitor Locks</ulink>.
certain maximum time, while the <literal>block-weak</literal> and variants will create an inhibitor
that is automatically ignored in some circumstances. The method returns a file descriptor. The lock is
released the moment this file descriptor and all its duplicates are closed. For more information on
the inhibition logic see <ulink url="https://systemd.io/INHIBITOR_LOCKS">Inhibitor Locks</ulink>.
</para>
</refsect2>
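Review bot: the rewritten sentence in the Inhibit() description now reads "while the block-weak and variants will create an inhibitor", which is left dangling after delay-weak was dropped. Suggest "while the block-weak variant will create an inhibitor that is automatically ignored in some circumstances". The sentence also still opens with "mode is either block or delay" before introducing a third value, so consider listing block-weak alongside the other two, and fix "shall be consider mandatory" to "considered" while touching this paragraph.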
@ -804,9 +808,10 @@ node /org/freedesktop/login1 {
timestamps of the last change of the idle hint boolean, in <constant>CLOCK_REALTIME</constant> and
<constant>CLOCK_MONOTONIC</constant> timestamps, respectively, in microseconds since the epoch.</para>
<para>The <varname>BlockInhibited</varname> and <varname>DelayInhibited</varname> properties encode
the currently active locks of the respective modes. They are colon separated lists of
<literal>shutdown</literal>, <literal>sleep</literal>, and <literal>idle</literal> (see above).</para>
<para>The <varname>BlockInhibited</varname>, <varname>BlockWeakInhibited</varname>, and
<varname>DelayInhibited</varname> properties encode the currently active locks of the respective
modes. They are colon separated lists of <literal>shutdown</literal>, <literal>sleep</literal>, and
<literal>idle</literal> (see above).</para>
<para><varname>NCurrentSessions</varname> and <varname>NCurrentInhibitors</varname> contain the number
of currently registered sessions and inhibitors.</para>
@ -940,7 +945,7 @@ node /org/freedesktop/login1/seat/seat0 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -1060,7 +1065,7 @@ node /org/freedesktop/login1/user/_1000 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -1245,13 +1250,17 @@ node /org/freedesktop/login1/session/1 {
readonly b IdleHint = ...;
readonly t IdleSinceHint = ...;
readonly t IdleSinceHintMonotonic = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b CanIdle = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b CanLock = ...;
readonly b LockedHint = ...;
};
interface org.freedesktop.DBus.Peer { ... };
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -1349,6 +1358,10 @@ node /org/freedesktop/login1/session/1 {
<variablelist class="dbus-property" generated="True" extra-ref="IdleSinceHintMonotonic"/>
<variablelist class="dbus-property" generated="True" extra-ref="CanIdle"/>
<variablelist class="dbus-property" generated="True" extra-ref="CanLock"/>
<variablelist class="dbus-property" generated="True" extra-ref="LockedHint"/>
<!--End of Autogenerated section-->
@ -1538,6 +1551,10 @@ node /org/freedesktop/login1/session/1 {
<para><varname>LockedHint</varname> shows the locked hint state of this session, as set by the
<function>SetLockedHint()</function> method described above.</para>
<para><varname>CanIdle</varname> indicates whether the session supports the idle hint
concept. Similarly, <varname>CanLock</varname> indicates whether the session supports the screen lock
concept.</para>
</refsect2>
</refsect1>
@ -1549,12 +1566,12 @@ node /org/freedesktop/login1/session/1 {
<programlisting>$ gdbus introspect --system --dest org.freedesktop.login1 \
--object-path /org/freedesktop/login1
</programlisting>
</programlisting>
<para>or</para>
<programlisting>$ busctl introspect org.freedesktop.login1 /org/freedesktop/login1
</programlisting>
</programlisting>
</example>
<example>
@ -1562,12 +1579,12 @@ node /org/freedesktop/login1/session/1 {
<programlisting>$ gdbus introspect --system --dest org.freedesktop.login1 \
--object-path /org/freedesktop/login1/seat/seat0
</programlisting>
</programlisting>
<para>or</para>
<programlisting>$ busctl introspect org.freedesktop.login1 /org/freedesktop/login1/seat/seat0
</programlisting>
</programlisting>
<para>Seat <literal>seat0</literal> is the default seat, so it'll be present unless local configuration
is made to reassign all devices to a different seat. The list of seats and users can be acquired with
@ -1579,12 +1596,12 @@ node /org/freedesktop/login1/session/1 {
<programlisting>$ gdbus introspect --system --dest org.freedesktop.login1 \
--object-path /org/freedesktop/login1/user/_1000
</programlisting>
</programlisting>
<para>or</para>
<programlisting>$ busctl introspect org.freedesktop.login1 /org/freedesktop/login1/user/_1000
</programlisting>
</programlisting>
</example>
<example>
@ -1592,12 +1609,12 @@ node /org/freedesktop/login1/session/1 {
<programlisting>$ gdbus introspect --system --dest org.freedesktop.login1 \
--object-path /org/freedesktop/login1/session/45
</programlisting>
</programlisting>
<para>or</para>
<programlisting>$ busctl introspect org.freedesktop.login1 /org/freedesktop/login1/session/45
</programlisting>
</programlisting>
</example>
</refsect1>
@ -1619,10 +1636,10 @@ node /org/freedesktop/login1/session/1 {
<function>CanSleep()</function>,
<varname>SleepOperation</varname>, and
<function>ListSessionsEx()</function> were added in version 256.</para>
<para><varname>HandleSecureAttentionKey</varname>,
<function>SecureAttentionKey()</function>,
<varname>PreparingForShutdownWithMetadata</varname>, and
<varname>DesignatedMaintenanceTime</varname> were added in version 257.</para>
<para><varname>HandleSecureAttentionKey</varname>, <function>SecureAttentionKey()</function>,
<varname>PreparingForShutdownWithMetadata</varname>, <varname>DesignatedMaintenanceTime</varname>,
<varname>CanIdle</varname>, <varname>CanLock</varname>,
and <varname>BlockWeakInhibited</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Session Objects</title>
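Review bot: CanIdle and CanLock are appended to the History paragraph that closes just before the "Session Objects" subsection, but the introspection hunk earlier in this file adds both properties under node /org/freedesktop/login1/session/1. They should be recorded under the Session Objects history, next to the SetClass() entry, and only BlockWeakInhibited belongs in this paragraph.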
@ -1631,4 +1648,13 @@ node /org/freedesktop/login1/session/1 {
<para><function>SetClass()</function> was added in version 256.</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -183,7 +183,7 @@ node /org/freedesktop/machine1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method UnregisterMachine is not documented!-->
@ -531,7 +531,7 @@ node /org/freedesktop/machine1/machine/rawhide {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method GetUIDShift is not documented!-->
@ -651,7 +651,7 @@ node /org/freedesktop/machine1/machine/rawhide {
<para><varname>Leader</varname> is the PID of the leader process of the machine.</para>
<para><varname>Class</varname> is the class of the machine and is either the string "vm" (for real VMs
based on virtualized hardware) or "container" (for light-weight userspace virtualization sharing the
based on virtualized hardware) or "container" (for lightweight userspace virtualization sharing the
same kernel as the host).</para>
<para><varname>RootDirectory</varname> is the root directory of the container if it is known and
@ -687,7 +687,7 @@ node /org/freedesktop/machine1/machine/rawhide {
$ gdbus introspect --system \
--dest org.freedesktop.machine1 \
--object-path /org/freedesktop/machine1
</programlisting>
</programlisting>
</example>
<example>
@ -697,7 +697,7 @@ $ gdbus introspect --system \
$ gdbus introspect --system \
--dest org.freedesktop.machine1 \
--object-path /org/freedesktop/machine1/machine/rawhide
</programlisting>
</programlisting>
</example>
</refsect1>
@ -719,4 +719,13 @@ $ gdbus introspect --system \
and <varname>SSHPrivateKeyPath</varname> were added in version 256.</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -94,7 +94,7 @@ node /org/freedesktop/network1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method ListLinks is not documented!-->
@ -270,7 +270,7 @@ node /org/freedesktop/network1/link/_1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method SetNTP is not documented!-->
@ -407,7 +407,7 @@ node /org/freedesktop/network1/network/_1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--property Description is not documented!-->
@ -464,7 +464,7 @@ node /org/freedesktop/network1/link/_1 {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.network1.Link { ... };
};
</programlisting>
</programlisting>
<!--property Leases is not documented!-->
@ -501,7 +501,7 @@ node /org/freedesktop/network1/link/_1 {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.network1.Link { ... };
};
</programlisting>
</programlisting>
<!--property State is not documented!-->
@ -538,7 +538,7 @@ node /org/freedesktop/network1/link/_1 {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.network1.Link { ... };
};
</programlisting>
</programlisting>
<!--property State is not documented!-->
@ -571,7 +571,7 @@ node /org/freedesktop/network1/link/_1 {
$ gdbus introspect --system \
--dest org.freedesktop.network1 \
--object-path /org/freedesktop/network1
</programlisting>
</programlisting>
</example>
<example>
@ -581,7 +581,7 @@ $ gdbus introspect --system \
$ gdbus introspect --system \
--dest org.freedesktop.network1 \
--object-path /org/freedesktop/network1/link/_11
</programlisting>
</programlisting>
</example>
</refsect1>
@ -602,4 +602,13 @@ $ gdbus introspect --system \
<para><varname>NamespaceNSID</varname> was added in version 256.</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -47,7 +47,7 @@ node /org/freedesktop/oom1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method DumpByFileDescriptor is not documented!-->
@ -103,4 +103,14 @@ node /org/freedesktop/oom1 {
<para><function>Killed()</function> was added in version 252.</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>oomctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -117,7 +117,7 @@ node /org/freedesktop/portable1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -329,7 +329,7 @@ node /org/freedesktop/portable1 {
#define SD_SYSTEMD_PORTABLE_RUNTIME (UINT64_C(1) &lt;&lt; 0)
#define SD_SYSTEMD_PORTABLE_FORCE_ATTACH (UINT64_C(1) &lt;&lt; 1)
#define SD_SYSTEMD_PORTABLE_FORCE_EXTENSION (UINT64_C(1) &lt;&lt; 2)
</programlisting>
</programlisting>
</refsect2>
<refsect2>
@ -428,7 +428,7 @@ node /org/freedesktop/portable1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method GetOSRelease is not documented!-->
@ -591,4 +591,13 @@ node /org/freedesktop/portable1 {
<para><function>ReattachWithExtensions()</function> was added in version 254.</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-portabled.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -154,7 +154,7 @@ node /org/freedesktop/resolve1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -705,7 +705,7 @@ node /org/freedesktop/resolve1/link/_1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -920,7 +920,7 @@ node /org/freedesktop/resolve1/link/_1 {
$ gdbus introspect --system \
--dest org.freedesktop.resolve1 \
--object-path /org/freedesktop/resolve1
</programlisting>
</programlisting>
</example>
<example>
@ -930,9 +930,18 @@ $ gdbus introspect --system \
$ gdbus introspect --system \
--dest org.freedesktop.resolve1 \
--object-path /org/freedesktop/resolve1/link/_11
</programlisting>
</programlisting>
</example>
</refsect1>
<xi:include href="org.freedesktop.locale1.xml" xpointer="versioning"/>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>resolvectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -568,7 +568,7 @@ node /org/freedesktop/systemd1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method GetUnitByInvocationID is not documented!-->
@ -1532,7 +1532,7 @@ node /org/freedesktop/systemd1 {
#define SD_SYSTEMD_UNIT_RUNTIME (UINT64_C(1) &lt;&lt; 0)
#define SD_SYSTEMD_UNIT_FORCE (UINT64_C(1) &lt;&lt; 1)
#define SD_SYSTEMD_UNIT_PORTABLE (UINT64_C(1) &lt;&lt; 2)
</programlisting>
</programlisting>
<para><varname>SD_SYSTEMD_UNIT_RUNTIME</varname> will enable or disable the unit for runtime only,
<varname>SD_SYSTEMD_UNIT_FORCE</varname> controls whether symlinks pointing to other units shall be
@ -1553,7 +1553,7 @@ node /org/freedesktop/systemd1 {
<para>Similarly, <function>PresetUnitFiles()</function> enables/disables one or more unit files
according to the preset policy. See
<citerefentry><refentrytitle>systemd.preset</refentrytitle><manvolnum>7</manvolnum></citerefentry> for more
<citerefentry><refentrytitle>systemd.preset</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more
information.</para>
<para>Similarly, <function>MaskUnitFiles()</function> masks unit files and
@ -2140,7 +2140,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method EnqueueJob is not documented!-->
@ -3251,6 +3251,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b ProtectControlGroups = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectControlGroupsEx = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateNetwork = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateUsers = ...;
@ -3261,6 +3263,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s PrivatePIDs = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectHome = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectSystem = '...';
@ -3386,7 +3390,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--method GetProcesses is not documented!-->
@ -3868,8 +3872,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property ProtectKernelLogs is not documented!-->
<!--property ProtectControlGroups is not documented!-->
<!--property PrivateNetwork is not documented!-->
<!--property PrivateUsers is not documented!-->
@ -4572,6 +4574,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="ProtectControlGroups"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectControlGroupsEx"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivateNetwork"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivateUsers"/>
@ -4582,6 +4586,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="PrivateIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivatePIDs"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectHome"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectSystem"/>
@ -4734,7 +4740,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<para><varname>TimeoutStartUSec</varname>, <varname>TimeoutStopUSec</varname> and
<varname>TimeoutAbortUSec</varname> contain the start, stop and abort timeouts, in microseconds. Note
the slight difference in naming when compared to the matching unit file settings (see
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>7</manvolnum></citerefentry>):
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>):
these bus properties strictly use microseconds (and thus are suffixed <varname>…USec</varname>) while
the unit file settings default to a time unit of seconds (and thus are suffixed
<varname>…Sec</varname>), unless a different unit is explicitly specified. This reflects that fact that
@ -4845,8 +4851,12 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<varname>CacheDirectorySymlink</varname> and <varname>LogsDirectorySymlink</varname> respectively
implement the destination parameter of the unit files settings <varname>RuntimeDirectory</varname>,
<varname>StateDirectory</varname>, <varname>CacheDirectory</varname> and <varname>LogsDirectory</varname>,
which will create a symlink of the given name to the respective directory. The messages take an unused
<varname>flags</varname> parameter, reserved for future backward-compatible changes.</para>
which will create a symlink of the given name to the respective directory. The messages take a
<varname>flags</varname> parameter that make the directory read only:</para>
<programlisting>
#define SD_EXEC_DIRECTORY_READ_ONLY (UINT64_C(1) &lt;&lt; 0)
</programlisting>
<para><varname>ExtraFileDescriptorNames</varname> contains file descriptor names passed to the service via
the <varname>ExtraFileDescriptors</varname> property in the <function>StartTransientUnit()</function>
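Review bot: in the new sentence "The messages take a flags parameter that make the directory read only", the verb should be "makes", and the wording implies that passing any flags value makes the directory read-only. Since flags is a bit field, suggest naming the bit in the prose, for example "take a flags parameter; if SD_EXEC_DIRECTORY_READ_ONLY is set, the directory is made read-only", and stating what a value of 0 does now that the "unused, reserved" wording is gone.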
@ -4858,6 +4868,17 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
unit file setting <varname>ManagedOOMMemoryPressureDurationSec=</varname> listed in
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Note the time unit is expressed in <literal>μs</literal>.</para>
<para><varname>ProtectControlGroupsEx</varname> implement the destination parameter of the
unit file setting <varname>ProtectControlGroups=</varname> listed in
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Unlike boolean <varname>ProtectControlGroups</varname>, <varname>ProtectControlGroupsEx</varname>
is a string type.</para>
<para><varname>PrivatePIDs</varname> implements the destination parameter of the
unit file setting <varname>PrivatePIDs=</varname> listed in
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Note <varname>PrivatePIDs</varname> is a string type to allow adding more values in the future.</para>
</refsect2>
</refsect1>
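Review bot: both new paragraphs say the property "implement(s) the destination parameter of the unit file setting", wording that appears to be carried over from the directory symlink paragraph in the previous hunk; ProtectControlGroups= and PrivatePIDs= have no destination parameter, so "reflects the value of the unit file setting" would be accurate. "ProtectControlGroupsEx implement" also needs to be "implements". It would help readers to state how ProtectControlGroupsEx relates to the boolean ProtectControlGroups when both are exposed, for example which one a client should read.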
@ -5415,6 +5436,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b ProtectControlGroups = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectControlGroupsEx = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateNetwork = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateUsers = ...;
@ -5425,6 +5448,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s PrivatePIDs = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectHome = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectSystem = '...';
@ -5550,7 +5575,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--method GetProcesses is not documented!-->
@ -6044,8 +6069,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property ProtectKernelLogs is not documented!-->
<!--property ProtectControlGroups is not documented!-->
<!--property PrivateNetwork is not documented!-->
<!--property PrivateUsers is not documented!-->
@ -6720,6 +6743,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="ProtectControlGroups"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectControlGroupsEx"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivateNetwork"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivateUsers"/>
@ -6730,6 +6755,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="PrivateIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivatePIDs"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectHome"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectSystem"/>
@ -6900,7 +6927,7 @@ node /org/freedesktop/systemd1/unit/basic_2etarget {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<para>Target units have neither type-specific methods nor properties.</para>
</refsect1>
@ -6923,7 +6950,7 @@ node /org/freedesktop/systemd1/unit/dev_2dttyS0_2edevice {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -7416,6 +7443,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b ProtectControlGroups = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectControlGroupsEx = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateNetwork = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateUsers = ...;
@ -7426,6 +7455,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s PrivatePIDs = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectHome = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectSystem = '...';
@ -7551,7 +7582,7 @@ node /org/freedesktop/systemd1/unit/home_2emount {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--method GetProcesses is not documented!-->
@ -7971,8 +8002,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property ProtectKernelLogs is not documented!-->
<!--property ProtectControlGroups is not documented!-->
<!--property PrivateNetwork is not documented!-->
<!--property PrivateUsers is not documented!-->
@ -8559,6 +8588,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="ProtectControlGroups"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectControlGroupsEx"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivateNetwork"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivateUsers"/>
@ -8569,6 +8600,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="PrivateIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivatePIDs"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectHome"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectSystem"/>
@ -8738,7 +8771,7 @@ node /org/freedesktop/systemd1/unit/proc_2dsys_2dfs_2dbinfmt_5fmisc_2eautomount
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--property Where is not documented!-->
@ -8829,7 +8862,7 @@ node /org/freedesktop/systemd1/unit/systemd_2dtmpfiles_2dclean_2etimer {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--property OnClockChange is not documented!-->
@ -9384,6 +9417,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b ProtectControlGroups = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectControlGroupsEx = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateNetwork = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateUsers = ...;
@ -9394,6 +9429,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s PrivatePIDs = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectHome = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectSystem = '...';
@ -9519,7 +9556,7 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--method GetProcesses is not documented!-->
@ -9925,8 +9962,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property ProtectKernelLogs is not documented!-->
<!--property ProtectControlGroups is not documented!-->
<!--property PrivateNetwork is not documented!-->
<!--property PrivateUsers is not documented!-->
@ -10499,6 +10534,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="ProtectControlGroups"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectControlGroupsEx"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivateNetwork"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivateUsers"/>
@ -10509,6 +10546,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="PrivateIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="PrivatePIDs"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectHome"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectSystem"/>
@ -10682,7 +10721,7 @@ node /org/freedesktop/systemd1/unit/cups_2epath {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--property MakeDirectory is not documented!-->
@ -10944,7 +10983,7 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--method GetProcesses is not documented!-->
@ -11576,7 +11615,7 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
interface org.freedesktop.DBus.Properties { ... };
interface org.freedesktop.systemd1.Unit { ... };
};
</programlisting>
</programlisting>
<!--method GetProcesses is not documented!-->
@ -12075,7 +12114,7 @@ node /org/freedesktop/systemd1/job/666 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method GetAfter is not documented!-->
@ -12147,7 +12186,7 @@ node /org/freedesktop/systemd1/job/666 {
$ gdbus introspect --system \
--dest org.freedesktop.systemd1 \
--object-path /org/freedesktop/systemd1
</programlisting>
</programlisting>
</example>
<example>
@ -12159,7 +12198,7 @@ $ busctl introspect org.freedesktop.systemd1 \
/org/freedesktop/systemd1 \
org.freedesktop.systemd1.Manager \
GetUnit s systemd-resolved.service | cut -d'"' -f2)
</programlisting>
</programlisting>
</example>
<example>
@ -12168,7 +12207,7 @@ $ busctl introspect org.freedesktop.systemd1 \
<programlisting>
$ gdbus introspect --system --dest org.freedesktop.systemd1 \
--object-path /org/freedesktop/systemd1/job/1292
</programlisting>
</programlisting>
</example>
</refsect1>
@ -12262,8 +12301,10 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>ImportCredentialEx</varname>,
<varname>ExtraFileDescriptorNames</varname>,
<varname>ManagedOOMMemoryPressureDurationUSec</varname>,
<varname>BindLogSockets</varname>, and
<varname>PrivateUsersEx</varname> were added in version 257.</para>
<varname>BindLogSockets</varname>,
<varname>ProtectControlGroupsEx</varname>,
<varname>PrivateUsersEx</varname>, and
<varname>PrivatePIDs</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Socket Unit Objects</title>
@ -12302,8 +12343,11 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>PassFileDescriptorsToExec</varname> were added in version 256.</para>
<para><varname>PrivateTmpEx</varname>,
<varname>ImportCredentialEx</varname>,
<varname>BindLogSockets</varname>, and
<varname>PrivateUsersEx</varname> were added in version 257.</para>
<varname>BindLogSockets</varname>,
<varname>PrivateUsersEx</varname>,
<varname>ManagedOOMMemoryPressureDurationUSec</varname>,
<varname>ProtectControlGroupsEx</varname>, and
<varname>PrivatePIDs</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Mount Unit Objects</title>
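Review bot: the version 257 history list in this Socket Unit Objects hunk is ordered differently from the Service Unit Objects hunk above it. The Service list puts ManagedOOMMemoryPressureDurationUSec before BindLogSockets and ProtectControlGroupsEx before PrivateUsersEx, while this list (and the Mount and Swap lists that follow) uses BindLogSockets, PrivateUsersEx, ManagedOOMMemoryPressureDurationUSec, ProtectControlGroupsEx, PrivatePIDs. Please use one order in all four sections so the lists can be compared at a glance.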
@ -12339,8 +12383,11 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemoryZSwapWriteback</varname> were added in version 256.</para>
<para><varname>PrivateTmpEx</varname>,
<varname>ImportCredentialEx</varname>,
<varname>BindLogSockets</varname>, and
<varname>PrivateUsersEx</varname> were added in version 257.</para>
<varname>BindLogSockets</varname>,
<varname>PrivateUsersEx</varname>,
<varname>ManagedOOMMemoryPressureDurationUSec</varname>,
<varname>ProtectControlGroupsEx</varname>, and
<varname>PrivatePIDs</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Swap Unit Objects</title>
@ -12376,8 +12423,11 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemoryZSwapWriteback</varname> were added in version 256.</para>
<para><varname>PrivateTmpEx</varname>,
<varname>ImportCredentialEx</varname>,
<varname>BindLogSockets</varname>, and
<varname>PrivateUsersEx</varname> were added in version 257.</para>
<varname>BindLogSockets</varname>,
<varname>PrivateUsersEx</varname>,
<varname>ManagedOOMMemoryPressureDurationUSec</varname>,
<varname>ProtectControlGroupsEx</varname>, and
<varname>PrivatePIDs</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Slice Unit Objects</title>
@ -12439,4 +12489,13 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<para><varname>DeferReactivation</varname> was added in version 257.</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" >
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="org.freedesktop.sysupdate1" conditional='ENABLE_SYSUPDATE'
<refentry id="org.freedesktop.sysupdate1" conditional='ENABLE_SYSUPDATED'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>org.freedesktop.sysupdate1</title>
@ -27,6 +27,9 @@
<citerefentry><refentrytitle>systemd-sysupdated.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
is a system service that allows unprivileged clients to update the system. This page describes the D-Bus
interface.</para>
<para><emphasis>WARNING!</emphasis> This API is currently <emphasis>unstable</emphasis> and is thus subject
to breaking changes between versions of systemd.</para>
</refsect1>
<refsect1>
@ -50,7 +53,7 @@ node /org/freedesktop/sysupdate1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -122,9 +125,18 @@ node /org/freedesktop/sysupdate1/target/host {
out s new_version,
out t job_id,
out o job_path);
Vacuum(out u count);
Vacuum(out u instances,
out u disabled_transfers);
GetAppStream(out as appstream);
GetVersion(out s version);
ListFeatures(in t flags,
out as features);
DescribeFeature(in s feature,
in t flags,
out s json);
SetFeatureEnabled(in s feature,
in i enabled,
in t flags);
properties:
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s Class = '...';
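Review bot: the Vacuum() signature in this hunk changes from a single "out u count" to "out u instances, out u disabled_transfers", which changes the reply signature for existing callers, and none of the visible hunks in this file touches the prose that describes Vacuum(). Please check that the method description explains both return values. Also note that the new SetFeatureEnabled() argument is declared here as "in i enabled", which is the name the description text should use.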
@ -137,7 +149,7 @@ node /org/freedesktop/sysupdate1/target/host {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -159,6 +171,12 @@ node /org/freedesktop/sysupdate1/target/host {
<variablelist class="dbus-method" generated="True" extra-ref="GetVersion()"/>
<variablelist class="dbus-method" generated="True" extra-ref="ListFeatures()"/>
<variablelist class="dbus-method" generated="True" extra-ref="DescribeFeature()"/>
<variablelist class="dbus-method" generated="True" extra-ref="SetFeatureEnabled()"/>
<variablelist class="dbus-property" generated="True" extra-ref="Class"/>
<variablelist class="dbus-property" generated="True" extra-ref="Name"/>
@ -176,7 +194,7 @@ node /org/freedesktop/sysupdate1/target/host {
<programlisting>
#define SD_SYSUPDATE_OFFLINE (UINT64_C(1) &lt;&lt; 0)
</programlisting>
</programlisting>
<para>When <constant>SD_SYSUPDATE_OFFLINE</constant> is set, this method returns only the versions
installed locally. Otherwise, this method pulls metadata from the network and returns all versions
@ -231,12 +249,12 @@ node /org/freedesktop/sysupdate1/target/host {
</varlistentry>
<varlistentry>
<term><literal>changelog_urls</literal></term>
<listitem><para>A list of strings that contain user-presentable URLs to ChangeLogs associated with
<term><literal>changelogUrls</literal></term>
<listitem><para>A list of strings that contain user-presentable URLs to change logs associated with
this version.</para></listitem>
</varlistentry>
</variablelist>
<para><function>CheckNew()</function> checks if a newer version is available for this target. This
method pulls metadata from the network. If a newer version is found, this method returns the
version number. If no newer version is found, this method returns an empty string. Use
@ -273,6 +291,68 @@ node /org/freedesktop/sysupdate1/target/host {
<varname>IMAGE_VERSION</varname> in <filename>/etc/os-release</filename>. If the target has no current
version, the function will return an empty string.</para>
<para><function>ListFeatures()</function> returns a list of this target's optional features, by ID.
The <varname>flags</varname> argument is added for future extensibility, and must be set to 0.
If the target has no optional features, the method returns an empty array.</para>
<para><function>DescribeFeature()</function> returns all known information about a given optional feature.
The <varname>feature</varname> argument is used to pass the ID of the feature to be described.
The <varname>flags</varname> argument is added for future extensibility, and must be set to 0.
The returned JSON object contains several known keys. More keys may be added in the future.
The currently known keys are as follows:</para>
<variablelist>
<varlistentry>
<term><literal>name</literal></term>
<listitem><para>A string containing the feature's name.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>description</literal></term>
<listitem><para>An optional string that contains a user-presentable description that identifies
this feature</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>enabled</literal></term>
<listitem><para>A boolean indicating whether this feature is enabled.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>documentationUrl</literal></term>
<listitem><para>An optional string that contains a user-presentable HTTP/HTTPS URL to documentation
about this feature.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>appstreamUrl</literal></term>
<listitem><para>An optional string that contains an HTTP/HTTPS URL to an
<ulink url="https://wwww.freedesktop.org/software/appstream/docs/chap-CatalogData.html">appstream
catalog</ulink> XML file containing metadata about this feature.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>transfers</literal></term>
<listitem><para>An optional array of strings that list which transfer definitions belong to this
feature.</para></listitem>
</varlistentry>
</variablelist>
<para><function>SetFeatureEnabled()</function> writes an appropriate drop-in file to enable or disable
the specified optional feature.
If <varname>enable</varname> is zero, the feature is disabled. When greater than zero, the feature is
enabled. When less than zero, the feature is reset to the distribution's default.
The <varname>flags</varname> argument is added for future extensibility, and must be set to 0.
The feature does not have to exist; this allows for graceful handling of masked features, and for
preemptive decisions to be made about features that are planned to appear in future releases of the OS.
The drop-in will have a filename of <literal>50-systemd-sysupdate-enabled.conf</literal>.
This method only changes configuration files; to actually apply the changes, clients will need to
call <function>Update()</function>.
Depending on the exact needs of the client, it can choose to update the system to the latest available
version, or it can extend the newest existing installation in-place (by passing in the version returned
by <varname>GetVersion()</varname>).
For now, this method only works with the <literal>host</literal> target.</para>
</refsect2>
<refsect2>
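Review bot: the SetFeatureEnabled() paragraph refers to the argument as "enable" ("If <varname>enable</varname> is zero"), but the introspection listing declares it as "in i enabled"; use the declared name. Three smaller points in the same hunk: the appstreamUrl entry links to "https://wwww.freedesktop.org/..." with four w's, the description entry ends "this feature" without a full stop, and "<varname>GetVersion()</varname>" in the last paragraph should be marked up as <function> like the other method names.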
@ -327,8 +407,13 @@ node /org/freedesktop/sysupdate1/target/host {
<interfacename>org.freedesktop.sysupdate1.vacuum</interfacename>. By default, this action requires
administrator authentication.</para>
<para><function>GetAppStream()</function> and <function>GetVersion()</function> are unauthenticated and
may be called by anybody.</para>
<para><function>SetFeatureEnabled()</function> uses the polkit action
<interfacename>org.freedesktop.sysupdate1.manage-features</interfacename>. By default, this action
requires administrator authentication.</para>
<para><function>GetAppStream()</function>, <function>GetVersion()</function>,
<function>ListFeatures()</function>, and <function>DescribeFeature()</function>
are unauthenticated and may be called by anybody.</para>
<para>All methods called on this interface expose additional variables to the polkit rules.
<literal>class</literal> contains the class of the Target being acted upon, and <literal>name</literal>
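Review bot: the paragraph that lists ListFeatures() and DescribeFeature() as unauthenticated should say what an unprivileged caller can cause by calling them. The Type property hunk further down adds "describe-feature" as a job type, so DescribeFeature() apparently runs as a job; if anybody on the bus can start such jobs, state that next to "may be called by anybody", along with whether the call can reach the network.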
@ -367,7 +452,7 @@ node /org/freedesktop/sysupdate1/job/_1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -409,9 +494,9 @@ node /org/freedesktop/sysupdate1/job/_1 {
<para>The <varname>Id</varname> property exposes the numeric job ID of the job object.</para>
<para>The <varname>Type</varname> property exposes the type of operation (one of: <literal>list</literal>,
<literal>describe</literal>, <literal>check-new</literal>, <literal>update</literal>, or <literal>vacuum</literal>).
</para>
<para>The <varname>Type</varname> property exposes the type of operation (one of:
<literal>list</literal>, <literal>describe</literal>, <literal>check-new</literal>,
<literal>update</literal>, <literal>vacuum</literal>, or <literal>describe-feature</literal>).</para>
<para>The <varname>Offline</varname> property exposes whether the job is permitted to access
the network or not.</para>
@ -440,7 +525,7 @@ node /org/freedesktop/sysupdate1/job/_1 {
<programlisting>$ gdbus introspect --system \
--dest org.freedesktop.sysupdate1 \
--object-path /org/freedesktop/sysupdate1
</programlisting>
</programlisting>
</example>
<example>
@ -449,7 +534,7 @@ node /org/freedesktop/sysupdate1/job/_1 {
<programlisting>$ gdbus introspect --system \
--dest org.freedesktop.sysupdate1 \
--object-path /org/freedesktop/sysupdate1/target/host
</programlisting>
</programlisting>
</example>
<example>
@ -458,7 +543,7 @@ node /org/freedesktop/sysupdate1/job/_1 {
<programlisting>$ gdbus introspect --system \
--dest org.freedesktop.sysupdate1 \
--object-path /org/freedesktop/sysupdate1/job/_1
</programlisting>
</programlisting>
</example>
</refsect1>
@ -481,6 +566,9 @@ node /org/freedesktop/sysupdate1/job/_1 {
<function>Vacuum()</function>,
<function>GetAppStream()</function>,
<function>GetVersion()</function>,
<function>ListFeatures()</function>,
<function>DescribeFeature()</function>,
<function>SetFeatureEnabled()</function>,
<varname>Class</varname>,
<varname>Name</varname>, and
<varname>Path</varname> were added in version 257.</para>
@ -494,4 +582,13 @@ node /org/freedesktop/sysupdate1/job/_1 {
<varname>Progress</varname> were added in version 257.</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-sysupdated.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>updatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -66,7 +66,7 @@ node /org/freedesktop/timedate1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--Autogenerated cross-references for systemd.directives, do not edit-->
@ -186,7 +186,7 @@ node /org/freedesktop/timedate1 {
$ gdbus introspect --system \
--dest org.freedesktop.timedate1 \
--object-path /org/freedesktop/timedate1
</programlisting>
</programlisting>
</example>
</refsect1>
@ -194,7 +194,11 @@ $ gdbus introspect --system \
<refsect1>
<title>See Also</title>
<para><ulink url="https://lists.freedesktop.org/archives/systemd-devel/2011-May/002526.html">More information on how the system clock and RTC interact</ulink></para>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-timedate.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>timedatectl.service</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><ulink url="https://lists.freedesktop.org/archives/systemd-devel/2011-May/002526.html">More information on how the system clock and RTC interact</ulink></member>
</simplelist></para>
</refsect1>
</refentry>
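Review bot: two of the new See Also members name pages that do not match the man pages systemd ships. "systemd-timedate.service" should be "systemd-timedated.service" (8), and "timedatectl.service" with manvolnum 1 should be plain "timedatectl". As written, both citerefentry elements will render as references to pages that do not exist.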

View File

@ -68,7 +68,7 @@ node /org/freedesktop/timesync1 {
interface org.freedesktop.DBus.Introspectable { ... };
interface org.freedesktop.DBus.Properties { ... };
};
</programlisting>
</programlisting>
<!--method SetRuntimeNTPServers is not documented!-->
@ -146,11 +146,18 @@ node /org/freedesktop/timesync1 {
$ gdbus introspect --system \
--dest org.freedesktop.timesync1 \
--object-path /org/freedesktop/timesync1
</programlisting>
</programlisting>
</example>
</refsect1>
<xi:include href="org.freedesktop.locale1.xml" xpointer="versioning"/>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-timesync.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>
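Review bot: the new See Also member "systemd-timesync.service" is missing the trailing "d"; the page is "systemd-timesyncd.service" (8). It may also be worth listing timedatectl (1) here, since that is the client most readers use to inspect timesync state, but the name fix is the blocking part.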

View File

@ -113,11 +113,11 @@
</row>
<row>
<entry><constant>user-early</constant></entry>
<entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <filename>systemd-user-sessions.service</filename>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
<entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
</row>
<row>
<entry><constant>user-incomplete</constant></entry>
<entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <command>ssh</command> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
<entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
</row>
<row>
<entry><constant>greeter</constant></entry>
@ -129,15 +129,15 @@
</row>
<row>
<entry><constant>background</constant></entry>
<entry>Used for background sessions, such as those invoked by <command>cron</command> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
<entry>Used for background sessions, such as those invoked by <citerefentry project='die-net'><refentrytitle>cron</refentrytitle><manvolnum>8</manvolnum></citerefentry> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
</row>
<row>
<entry><constant>background-light</constant></entry>
<entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <filename>user@.service</filename> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
<entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
</row>
<row>
<entry><constant>manager</constant></entry>
<entry>The <filename>user@.service</filename> service of the user is registered under this session class. (Added in v256.)</entry>
<entry>The <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> service of the user is registered under this session class. (Added in v256.)</entry>
</row>
<row>
<entry><constant>manager-early</constant></entry>
@ -409,7 +409,7 @@ pam_set_data(handle, "systemd.tasks_max", (void *)"50", cleanup);
pam_set_data(handle, "systemd.cpu_weight", (void *)"100", cleanup);
pam_set_data(handle, "systemd.io_weight", (void *)"340", cleanup);
pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup);
</programlisting>
</programlisting>
</para>
</refsect1>
@ -445,6 +445,8 @@ session required pam_unix.so</programlisting>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>

View File

@ -28,7 +28,9 @@
<title>Description</title>
<para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
and sets the last password in the list as the PAM authtok.</para>
and sets the last password in the list as the PAM authtok, which can be used by e.g.
<citerefentry project='man-pages'><refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
</para>
<para>The password list is supposed to be stored in the "user" keyring of the root user,
by an earlier call to
@ -112,27 +114,29 @@
during boot.</para>
<para>You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase.
Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g. <filename>sddm-autologin</filename>):</para>
Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g.
<filename>sddm-autologin</filename>):</para>
<programlisting>
-auth optional pam_systemd_loadkey.so
-auth optional pam_gnome_keyring.so
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
</programlisting>
</programlisting>
<para>And add the following lines to your display manager's systemd service file, so it can access root's keyring:</para>
<programlisting>
[Service]
KeyringMode=inherit
</programlisting>
</programlisting>
<para>In this setup, early during the boot process,
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
will ask for the passphrase and store it in the kernel keyring with the keyname <literal>cryptsetup</literal>.
Then when the display manager does the autologin, pam_systemd_loadkey will read the passphrase from the kernel keyring,
set it as the PAM authtok, and then pam_gnome_keyring and pam_kwallet5 will unlock with the same passphrase.</para>
Then when the display manager does the autologin, <command>pam_systemd_loadkey</command> will read the passphrase
from the kernel keyring, set it as the PAM authtok, and then <command>pam_gnome_keyring</command> and
<command>pam_kwallet5</command> will unlock with the same passphrase.</para>
</refsect1>
</refentry>

View File

@ -48,7 +48,7 @@
and transfer them as a whole between systems. When these images are attached to the local system, the contained units
may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing,
depending on the selected configuration. For more details, see
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.</para>
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.</para>
<para>Portable service images may be of the following kinds:</para>
@ -417,7 +417,7 @@
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Images can be block images, btrfs subvolumes or directories. For more information on portable
services with extensions, see the <literal>Extension Images</literal> paragraph on
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.
</para>
<para>Note that the same extensions have to be specified, in the same order, when attaching

View File

@ -91,9 +91,9 @@
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd-pstore.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -606,7 +606,8 @@
<varname>Subvolumes=</varname>.</para>
<para>Note that this option only takes effect if the target filesystem supports subvolumes, such as
<literal>btrfs</literal>.</para>
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para>
<para>Note that this option is only supported in combination with <option>--offline=yes</option>
since btrfs-progs 6.11 or newer.</para>
@ -686,7 +687,7 @@
<listitem><para>Configures the data block size of the generated verity hash partition. Must be between 512 and
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
block device sector size, or 4K if systemd-repart is not operating on a block device.
block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device.
</para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
@ -697,7 +698,7 @@
<listitem><para>Configures the hash block size of the generated verity hash partition. Must be between 512 and
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
block device sector size, or 4K if systemd-repart is not operating on a block device.
block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device.
</para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
@ -807,7 +808,9 @@
mount options. These fields correspond to the second and fourth column of the
<citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
format. This setting may be specified multiple times to mount the partition multiple times. This can
be used to add mounts for different btrfs subvolumes located on the same btrfs partition.</para>
be used to add mounts for different
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
subvolumes located on the same btrfs partition.</para>
<para>Note that this setting is only taken into account when <option>--generate-fstab=</option> is
specified on the <command>systemd-repart</command> command line.</para>
@ -818,7 +821,7 @@
<varlistentry>
<term><varname>EncryptedVolume=</varname></term>
<listitem><para>Specify how the encrypted partition should be set up. Takes at least one and at most
<listitem><para>Specifies how the encrypted partition should be set up. Takes at least one and at most
three fields separated with a colon (<literal>:</literal>). The first field specifies the encrypted
volume name under <filename>/dev/mapper/</filename>. If not specified, <literal>luks-UUID</literal>
will be used where <literal>UUID</literal> is the LUKS UUID. The second field specifies the keyfile
@ -837,13 +840,14 @@
<varlistentry>
<term><varname>Compression=</varname></term>
<listitem><para>Specify the compression algorithm to use for the filesystem configured with
<listitem><para>Specifies the compression algorithm to use for the filesystem configured with
<varname>Format=</varname>. Takes a single argument specifying the compression algorithm.</para>
<para>Note that this setting is only taken into account when the filesystem configured with
<varname>Format=</varname> supports compression (btrfs, squashfs, erofs). Here's an incomplete list
of compression algorithms supported by the filesystems known to
<command>systemd-repart</command>:</para>
<varname>Format=</varname> supports compression (
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
squashfs, erofs). Here's an incomplete list of compression algorithms supported by the filesystems
known to <command>systemd-repart</command>:</para>
<table>
<title>File System Compression Algorithms</title>
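Review bot: the rewritten parenthetical in the Compression= paragraph ends a line with "(" and starts the next with the btrfs citerefentry, so after whitespace normalization it will render with a stray space, as "( btrfs(8), squashfs, erofs)". Keep the opening parenthesis on the same line as the citerefentry, or break the line before the parenthesis instead.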
@ -883,7 +887,7 @@
<varlistentry>
<term><varname>CompressionLevel=</varname></term>
<listitem><para>Specify the compression level to use for the filesystem configured with
<listitem><para>Specifies the compression level to use for the filesystem configured with
<varname>Format=</varname>. Takes a single argument specifying the compression level to use for the
configured compression algorithm. The possible compression levels and their meaning are filesystem
specific (refer to the filesystem's documentation for the exact meaning of a particular compression

View File

@ -485,7 +485,7 @@
<listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If
true, rules regarding routing of single-label names are relaxed. Defaults to false. By default,
lookups of single label names are assumed to refer to local hosts to be resolved via local resolution
lookups of single-label names are assumed to refer to local hosts to be resolved via local resolution
such as LLMNR or via search domain qualification and are not routed to upstream servers as is. If
this option is enabled these rules are disabled and the queries are routed upstream anyway. Also see
the <varname>ResolveUnicastSingleLabel=</varname> option in

View File

@ -65,7 +65,7 @@ manpages = [
['org.freedesktop.portable1', '5', [], 'ENABLE_PORTABLED'],
['org.freedesktop.resolve1', '5', [], 'ENABLE_RESOLVE'],
['org.freedesktop.systemd1', '5', [], ''],
['org.freedesktop.sysupdate1', '5', [], 'ENABLE_SYSUPDATE'],
['org.freedesktop.sysupdate1', '5', [], 'ENABLE_SYSUPDATED'],
['org.freedesktop.timedate1', '5', [], 'ENABLE_TIMEDATED'],
['org.freedesktop.timesync1', '5', [], 'ENABLE_TIMESYNCD'],
['os-release', '5', ['extension-release', 'initrd-release'], ''],
@ -155,6 +155,7 @@ manpages = [
['sd-journal', '3', [], ''],
['sd-json', '3', [], ''],
['sd-login', '3', [], 'HAVE_PAM'],
['sd-varlink', '3', [], ''],
['sd_booted', '3', [], ''],
['sd_bus_add_match',
'3',
@ -991,6 +992,7 @@ manpages = [
'systemd-journald@.service',
'systemd-journald@.socket'],
''],
['systemd-keyutil', '1', [], ''],
['systemd-localed.service', '8', ['systemd-localed'], 'ENABLE_LOCALED'],
['systemd-logind.service', '8', ['systemd-logind'], 'ENABLE_LOGIND'],
['systemd-machine-id-commit.service', '8', [], ''],
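Review bot: the new systemd-keyutil entry has an empty condition, so its page is built in every configuration; the same holds for the systemd-sbsign entry added in the next hunk. If either tool is only built when an optional dependency is present, the entry should carry the matching condition so that the man page is not installed without the binary.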
@ -1068,6 +1070,7 @@ manpages = [
'ENABLE_RFKILL'],
['systemd-run-generator', '8', [], ''],
['systemd-run', '1', [], ''],
['systemd-sbsign', '1', [], ''],
['systemd-sleep.conf', '5', ['sleep.conf.d'], ''],
['systemd-socket-activate', '1', [], ''],
['systemd-socket-proxyd', '8', [], ''],
@ -1107,7 +1110,7 @@ manpages = [
['systemd-sysupdated.service',
'8',
['systemd-sysupdated'],
'ENABLE_SYSUPDATE'],
'ENABLE_SYSUPDATED'],
['systemd-sysusers', '8', ['systemd-sysusers.service'], ''],
['systemd-sysv-generator', '8', [], 'HAVE_SYSV_COMPAT'],
['systemd-time-wait-sync.service',
@ -1192,6 +1195,7 @@ manpages = [
['systemd.unit', '5', [], ''],
['systemd.v', '7', [], ''],
['sysupdate.d', '5', [], 'ENABLE_SYSUPDATE'],
['sysupdate.features', '5', [], 'ENABLE_SYSUPDATE'],
['sysusers.d', '5', [], 'ENABLE_SYSUSERS'],
['telinit', '8', [], 'HAVE_SYSV_COMPAT'],
['timedatectl', '1', [], 'ENABLE_TIMEDATECTL'],
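Review bot: the added sysupdate.features entry is conditioned on ENABLE_SYSUPDATE, while the other hunks in this file move org.freedesktop.sysupdate1, systemd-sysupdated.service and updatectl to ENABLE_SYSUPDATED. If the split is deliberate (sysupdate.d and sysupdate.features belonging to the tool, the rest to the daemon), say so in the commit message; otherwise use the same condition throughout.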
@ -1285,7 +1289,7 @@ manpages = [
['udev_new', '3', ['udev_ref', 'udev_unref'], ''],
['udevadm', '8', [], ''],
['ukify', '1', [], 'ENABLE_UKIFY'],
['updatectl', '1', [], 'ENABLE_SYSUPDATE'],
['updatectl', '1', [], 'ENABLE_SYSUPDATED'],
['user@.service',
'5',
['systemd-user-runtime-dir', 'user-runtime-dir@.service'],

View File

@ -61,7 +61,10 @@
<literal>systemd-run0</literal> PAM stack.</para>
<para>Note that <command>run0</command> is implemented as an alternative multi-call invocation of
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>. That is,
<command>run0</command> is a symbolic link to <command>systemd-run</command> executable file, and it
behaves as <command>run0</command> if it is invoked through the symbolic link, otherwise behaves as
<command>systemd-run</command>.</para>
</refsect1>
<refsect1>
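Review bot: the added sentence on the multi-call setup is missing an article and a subject: "a symbolic link to <command>systemd-run</command> executable file" should read "to the systemd-run executable file", and "otherwise behaves as" has no "it". Something like "it behaves as run0 when invoked through the symbolic link, and as systemd-run otherwise" reads more cleanly.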
@ -81,7 +84,7 @@
<varlistentry>
<term><option>--property=</option></term>
<listitem><para>Sets a property on the service unit that is created. This option takes an assignment
<listitem><para>Sets a property of the service unit that is created. This option takes an assignment
in the same format as
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>set-property</command> command.</para>
@ -192,11 +195,40 @@
</listitem>
</varlistentry>
<varlistentry>
<term><option>--pty</option></term>
<term><option>--pipe</option></term>
<listitem><para>Request allocation of a pseudo TTY for the <command>run0</command> session (in case
of <option>--pty</option>), or request passing the caller's STDIO file descriptors directly through
(in case of <option>--pipe</option>). If neither switch is specified, or if both switches are
specified, the mode will be picked automatically: if standard input, standard output and standard
error output are all connected to a TTY then a pseudo TTY is allocated, otherwise the relevant file
descriptors are passed through directly.</para>
<xi:include href="version-info.xml" xpointer="v257"/>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--shell-prompt-prefix=<replaceable>STRING</replaceable></option></term>
<listitem><para>Set a shell prompt prefix string. This ultimately controls the
<varname>$SHELL_PROMPT_PREFIX</varname> environment variable for the invoked program, which is
typically imported into the shell prompt. By default if emojis are supported a superhero emoji is
shown (🦸). This default may also be changed (or turned off) by passing the
<varname>$SYSTEMD_RUN_SHELL_PROMPT_PREFIX</varname> environment variable to <varname>run0</varname>,
see below. Set to an empty string to disable shell prompt prefixing.</para>
<xi:include href="version-info.xml" xpointer="v257"/>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--machine=</option></term>
<listitem>
<para>Execute operation on a local container. Specify a container name to connect to.</para>
<para>Execute operation in a local container. Specify a container name to connect to.</para>
<xi:include href="version-info.xml" xpointer="v256"/>
</listitem>
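Review bot: in the new --shell-prompt-prefix= entry, run0 is marked up as <varname>run0</varname> ("environment variable to <varname>run0</varname>"), but it is a command, not a variable. Use <command>run0</command> there, as the --pty/--pipe entry in this same hunk does.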
@ -256,7 +288,30 @@
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>$SHELL_PROMPT_PREFIX</varname></term>
<listitem><para>By default set to the superhero emoji (if supported), but may be overridden with the
<varname>$SYSTEMD_RUN_SHELL_PROMPT_PREFIX</varname> environment variable (see below), or the
<option>--shell-prompt-prefix=</option> switch (see above).</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
</variablelist>
<para>The following variables may be passed to <command>run0</command>:</para>
<variablelist>
<varlistentry>
<term><varname>$SYSTEMD_RUN_SHELL_PROMPT_PREFIX</varname></term>
<listitem><para>If set, overrides the default shell prompt prefix that <command>run0</command> sets
for the invoked shell (the superhero emoji). Set to an empty string to disable shell prompt
prefixing.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>

View File

@ -179,6 +179,9 @@
<member><citerefentry><refentrytitle>sd_bus_track_new</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
</simplelist>
for more information about the functions available.</para>
<para>The <citerefentry><refentrytitle>busctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool
makes the functionality implemented by sd-bus available from the command line.</para>
</refsect1>
<xi:include href="libsystemd-pkgconfig.xml" />
@ -189,9 +192,10 @@
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-event</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>busctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-varlink</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>dbus-daemon</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>dbus-send</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -289,7 +289,7 @@ int main(int argc, char **argv) {
<member><citerefentry><refentrytitle>sd_id128_get_machine</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>printf</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
</simplelist></para>

View File

@ -84,7 +84,8 @@
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>,
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-varlink</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>

64
man/sd-varlink.xml Normal file
View File

@ -0,0 +1,64 @@
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="sd-varlink"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>sd-varlink</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>sd-varlink</refentrytitle>
<manvolnum>3</manvolnum>
</refmeta>
<refnamediv>
<refname>sd-varlink</refname>
<refpurpose>APIs for Varlink IPC</refpurpose>
</refnamediv>
<refsynopsisdiv>
<funcsynopsis>
<funcsynopsisinfo>#include &lt;systemd/sd-varlink.h&gt;</funcsynopsisinfo>
</funcsynopsis>
<cmdsynopsis>
<command>pkg-config --cflags --libs libsystemd</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><filename>sd-varlink.h</filename> is part of
<citerefentry><refentrytitle>libsystemd</refentrytitle><manvolnum>3</manvolnum></citerefentry> and
provides APIs for implementing Varlink IPC clients and services. See <ulink url="https://varlink.org/"/>
for more information about Varlink IPC.</para>
<para>Varlink IPC uses <ulink url="https://json.org/">JSON</ulink> as marshalling format. The sd-varlink
API relies on the
<citerefentry><refentrytitle>sd-json</refentrytitle><manvolnum>3</manvolnum></citerefentry> API for JSON
serialization, deserialization and manipulation.</para>
<para>The <citerefentry><refentrytitle>varlinkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool
makes the functionality implemented by sd-varlink available from the command line.</para>
</refsect1>
<xi:include href="libsystemd-pkgconfig.xml" />
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-event</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-json</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>varlinkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>
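Review bot: the Description of the new sd-varlink page never tells the reader where the individual calls are documented. The sd-bus page touched elsewhere in this patch closes its list of function pages with "for more information about the functions available"; here there is only the header name, so either add the equivalent list or state that the header file is the reference for now. Minor wording: "uses JSON as marshalling format" wants "as its marshalling format".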

View File

@ -562,7 +562,7 @@
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>2</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>credentials</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>

View File

@ -66,8 +66,8 @@
<constant>POLLIN</constant>, <constant>POLLOUT</constant>, … events, or negative on error.
</para>
<para><function>sd_bus_get_timeout()</function> returns the <emphasis>absolute</emphasis> time-out in μs,
from which the relative time-out to pass to <function>poll()</function> (or a similar call) can be
<para><function>sd_bus_get_timeout()</function> returns the <emphasis>absolute</emphasis> timeout in μs,
from which the relative timeout to pass to <function>poll()</function> (or a similar call) can be
derived, when waiting for events on the specified bus connection. The returned timeout may be zero, in
which case a subsequent I/O polling call should be invoked in non-blocking mode. The returned timeout may
be <constant>UINT64_MAX</constant> in which case the I/O polling call may block indefinitely, without any

View File

@ -194,12 +194,12 @@ sd_bus_message_append(m, "ynqiuxtd", y, n, q, i, u, x, t, d);</programlisting>
<para>Append a structure composed of a string and a D-Bus path:</para>
<programlisting>sd_bus_message_append(m, "(so)", "a string", "/a/path");
</programlisting>
</programlisting>
<para>Append an array of UNIX file descriptors:</para>
<programlisting>sd_bus_message_append(m, "ah", 3, STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO);
</programlisting>
</programlisting>
<para>Append a variant, with the real type "g" (signature),
and value "sdbusisgood":</para>
@ -210,7 +210,7 @@ sd_bus_message_append(m, "ynqiuxtd", y, n, q, i, u, x, t, d);</programlisting>
</para>
<programlisting>sd_bus_message_append(m, "a{is}", 3, 1, "a", 2, "b", 3, NULL);
</programlisting>
</programlisting>
</refsect1>
<refsect1>

View File

@ -83,7 +83,7 @@
STRING "AnExplicitProperty";
};
};
</programlisting>
</programlisting>
</para>
</refsect1>

View File

@ -56,7 +56,7 @@
parameter. The signal will be sent to path <parameter>path</parameter>, on the interface
<parameter>interface</parameter>, member <parameter>member</parameter>. When this message is
sent, no reply is expected. See
<citerefentry><refentrytitle>sd_bus_message_new_method_call</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<citerefentry><refentrytitle>sd_bus_message_new_method_call</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for a short description of the meaning of the <parameter>path</parameter>,
<parameter>interface</parameter>, and <parameter>member</parameter> parameters.
</para>

View File

@ -249,7 +249,7 @@ sd_bus_message_read(m, "v", "gt", &amp;s, &amp;v);</programlisting>
const char *s, *t, *u;
sd_bus_message_read(m, "a{is}", 3, &amp;i, &amp;s, &amp;j, &amp;t, &amp;k, &amp;u);
</programlisting>
</programlisting>
<para>Read a single file descriptor, and duplicate it in order to keep it open after the message is
freed.</para>

View File

@ -40,7 +40,7 @@
current location in the message <parameter>m</parameter> matches the specified
<parameter>type</parameter> and <parameter>contents</parameter>. If non-zero, parameter
<parameter>type</parameter> must be one of the types specified in
<citerefentry><refentrytitle>sd_bus_message_append</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
<citerefentry><refentrytitle>sd_bus_message_append</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
If non-null, parameter <parameter>contents</parameter> must be a valid sequence of complete
types. If both <parameter>type</parameter> and <parameter>contents</parameter> are specified
<parameter>type</parameter> must be a container type.</para>

View File

@ -40,7 +40,7 @@
<para><function>sd_bus_pending_method_calls()</function> returns the number of currently pending outgoing
method calls, i.e. method calls enqueued with
<citerefentry><refentrytitle>sd_bus_call_async</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
which no reply has been received yet, and which have not reached a time-out yet.</para>
which no reply has been received yet, and which have not reached a timeout yet.</para>
<para>The <parameter>bus</parameter> argument may be <constant>NULL</constant>, in which case zero is
returned.</para>

View File

@ -156,7 +156,7 @@
</variablelist>
<para>In addition, any error returned by
<citerefentry><refentrytitle>sd_bus_send</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<citerefentry><refentrytitle>sd_bus_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>
may be returned.</para>
</refsect2>
</refsect1>

View File

@ -111,7 +111,7 @@
</variablelist>
<para>In addition, any error returned by
<citerefentry><refentrytitle>sd_bus_send</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<citerefentry><refentrytitle>sd_bus_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>
may be returned.</para>
</refsect2>
</refsect1>

View File

@ -113,7 +113,7 @@
<funcprototype>
<funcdef>int <function>sd_device_get_device_id</function></funcdef>
<paramdef>sd_device *<parameter>device</parameter></paramdef>
<paramdef>uint64_t *<parameter>ret</parameter></paramdef>
<paramdef>const char **<parameter>ret</parameter></paramdef>
</funcprototype>
</funcsynopsis>
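Review bot: with <parameter>ret</parameter> of sd_device_get_device_id() now documented as const char **, the page needs to say who owns the returned string. The hunk shows only the prototype, so check that the description states whether the pointer is borrowed from the device object and how long it stays valid.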
@ -191,7 +191,7 @@
<literal>+drivers:</literal> followed by its driver subsystem and sysfs name separated with a colon.
Example: <literal>+drivers:pci:iwlwifi</literal> for a driver device record whose driver subsystem is
<literal>pci</literal> and sysfs name is <literal>iwlwifi</literal>,
When an other type of device is specified, this function returns <literal>+</literal> followed by its
When another type of device is specified, this function returns <literal>+</literal> followed by its
subsystem and sysfs name separated with a colon. Example: <literal>+acpi:ACPI0003:00</literal>,
<literal>+input:input16</literal>, or <literal>+pci:0000:00:1f.6</literal>.</para>
</refsect1>
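Review bot: the sentence before the corrected "When another type of device" still ends in a comma ("sysfs name is <literal>iwlwifi</literal>,"), so the two sentences run together. Since the line below it is being touched anyway, change that comma to a full stop in the same patch.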
@ -250,9 +250,10 @@
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sd-device</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>

View File

@ -83,7 +83,7 @@
<citerefentry><refentrytitle>sd_event_add_signal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
…) has the effect of <function>sd_event_exit()</function> being invoked once the event source triggers,
with the specified userdata pointer cast to an integer as the exit code parameter. This is useful to
automatically terminate an event loop after some condition, such as a time-out or reception of
automatically terminate an event loop after some condition, such as a timeout or reception of
<constant>SIGTERM</constant> or similar. See the documentation for the respective constructor call for
details.</para>
</refsect1>

Some files were not shown because too many files have changed in this diff