Compare commits


18 Commits

Author SHA1 Message Date
Ferdinand Thiessen e498ff87fe
Merge faadbf89c4 into 321c202e7c 2024-11-25 23:30:39 +08:00
Luca Boccassi 321c202e7c
man: assorted fixes (#35326)
Closes #35307.
2024-11-25 15:02:08 +00:00
Daan De Meyer e3b5a0c32d test: Use env in testsuite readme
Let's make sure we use env when we're setting environment variables
to rely less on shell specifics.
2024-11-25 14:54:23 +00:00
Zbigniew Jędrzejewski-Szmek 766d74fd8b
core/device: ignore ID_PROCESSING udev property on enumerate (#35332)
Fixes #35329.
2024-11-25 14:21:36 +01:00
Zbigniew Jędrzejewski-Szmek d293fade24
Check inode number to see if we are in init namespace (#35306)
This is a more comprehensive fix compared to #35273. Also adds a minimal
test only.

Based on Luca's #35273 but generalizes the code a bit.

In v258 we really should get rid of the old heuristics around userns and
cgroupns detection, but given we are late in the v257 cycle this keeps
them in.
2024-11-25 14:13:36 +01:00
Daan De Meyer 4a346b779a test: Dump coredumps from journal in the integration test wrapper
Fixes #35277
2024-11-25 19:12:11 +09:00
Yu Watanabe 0e42004f3e networkd-test.py: disable IPv6AcceptRA= if not necessary
To speed up the test. Otherwise, it takes a few seconds for interfaces
to enter the configured state, and networkd-wait-online may time out.
2024-11-25 10:07:26 +00:00
Yu Watanabe 675feaf521 TEST-17: add reproducer for issue #35329
Without the previous commit, the test case will fail.
2024-11-25 15:33:48 +09:00
Yu Watanabe c4fc22c4de core/device: ignore ID_PROCESSING udev property on enumerate
This partially reverts the commit 405be62f05
"tree-wide: refuse enumerated device with ID_PROCESSING=1".

Otherwise, when systemd-udev-trigger.service is (re)started just before
daemon-reexec, which can easily happen on systemd package update, then
udev database files for many devices may have ID_PROCESSING=1 property,
thus devices may not be enumerated on daemon-reexec. That causes many
units especially mount units being deactivated after daemon-reexec.

Fixes #35329.
2024-11-25 15:33:48 +09:00
Luca Boccassi 6fd3496cfd test: mask tmpfiles.d file shipped by selinux policy package in containers
This tmpfiles.d wants to write to sysfs, which is read-only in containers,
so systemd-tmpfiles --create fails in TEST-22-TMPFILES when run in nspawn
if the selinux policy package is installed. Mask it, as it's not our
config file; we don't need it in the test.
2024-11-25 15:25:55 +09:00
Daan De Meyer bb486fe9df mkosi: Use shared extra tree between initrd and main image
Let's share more between initrd and main system and use a shared
extra tree to achieve that.
2024-11-25 15:09:58 +09:00
Yu Watanabe d07fbf22ed man: update documentation about basic .netdev file handling
Follow-up for #34909 and later PRs.
2024-11-24 01:11:46 +09:00
Yu Watanabe 4ebbb5bfe8 man: assorted fixes
Closes #35307.
2024-11-24 01:11:42 +09:00
Lennart Poettering 4b4af14a98 test-namespace: tweak log message a bit 2024-11-23 00:14:20 +01:00
Lennart Poettering a2429f507c virt: make use of ns inode check in running_in_userns() and running_in_cgroupns() too 2024-11-23 00:14:20 +01:00
Luca Boccassi 193bf42ab0 detect-virt: check the inode number of the pid namespace
The inode number of the root pid namespace is hardcoded in the kernel to
0xEFFFFFFC since 3.8, so check the inode number of our pid namespace
if all else fails. If it's not 0xEFFFFFFC then we are in a pid
namespace, hence a container environment.

Fixes https://github.com/systemd/systemd/issues/35249

[Reworked by Lennart, to make use of namespace_is_init()]
2024-11-23 00:14:20 +01:00
Lennart Poettering 18ead2b03d namespace-util: add generic namespace_is_init() call 2024-11-23 00:14:20 +01:00
Ferdinand Thiessen faadbf89c4
feat: Add F23 key support for Lenovo
The ThinkPad T14 and P14s (G5) as well as the IdeaPad 5 Pro 14AHP9 added support for the F23 key as part of the copilot key sequence.

The scan code is 0x6e following *PS/2 Set 1 Make*.
2024-11-18 16:04:09 +01:00
72 changed files with 501 additions and 212 deletions

View File

@ -1044,6 +1044,10 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnLENOVO*:pn*3000*:pvr*
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnLENOVO:pn0769AP2:pvr3000N200:*
KEYBOARD_KEY_b4=prog1
# Lenovo common (ThinkPad P/T 14 G5+, IdeaPad Pro 5 14)
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnLENOVO*:*
KEYBOARD_KEY_6e=f23
# Lenovo IdeaPad
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnLENOVO*:pn*IdeaPad*:pvr*
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnLENOVO*:pnS10-*:*
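Review bot: the new match `evdev:atkbd:dmi:bvn*:bvr*:bd*:svnLENOVO*:*` applies `KEYBOARD_KEY_6e=f23` to every Lenovo keyboard, not only the ThinkPad P/T 14 G5+ and IdeaPad Pro 5 14 named in the comment; unless scancode 0x6e is known to be unused on all other Lenovo models, scope the entry with `pn*` patterns like the neighbouring `pn*IdeaPad*` and `pnS10-*` lines, or state in the comment that the vendor-wide match is intentional. The model name in the comment (`IdeaPad Pro 5 14`) also differs from the commit message (`IdeaPad 5 Pro 14AHP9`); align the two.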

View File

@ -114,10 +114,10 @@
invoked, for example from the system service manager or via a PAM module.</para>
<para>Specifically, for ssh logins, the
<citerefentry project='die-net'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
service builds an environment that is a combination of variables forwarded from the remote system and
defined by <command>sshd</command>, see the discussion in
<citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
A graphical display session will have an analogous mechanism to define the environment. Note that some
managers query the systemd user instance for the exported environment and inject this configuration into
programs they start, using <command>systemctl show-environment</command> or the underlying D-Bus call.

View File

@ -215,8 +215,8 @@
below this directory is subject to specifications that ensure interoperability.</para>
<para>Note that resources placed in this directory typically are under shared ownership,
i.e. multiple different packages have provide and consume these resources, on equal footing, without
any obvious primary owner. This makes makes things systematically different from
i.e. multiple different packages have provided and consumed these resources, on equal footing, without
any obvious primary owner. This makes things systematically different from
<filename>/usr/lib/</filename>, where ownership is generally not shared.</para></listitem>
</varlistentry>
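Review bot: the replacement `multiple different packages have provided and consumed these resources` changes the tense of the sentence; the original reads as a present-tense statement with a stray `have`, so dropping `have` keeps the intended meaning better than switching to the perfect: `i.e. multiple different packages provide and consume these resources, on equal footing, without`.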

View File

@ -378,7 +378,7 @@
<listitem><para>Takes a comma- or colon-separated list of languages preferred by the user, ordered
by descending priority. The <varname>$LANG</varname> and <varname>$LANGUAGE</varname> environment
variables are initialized from this value on login, and thus values suitible for these environment
variables are initialized from this value on login, and thus values suitable for these environment
variables are accepted here, for example <option>--language=de_DE.UTF-8</option>. This option may
be used more than once, in which case the language lists are concatenated.</para>

View File

@ -40,7 +40,7 @@
<citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para><command>importctl</command> operates both on block-level disk images (such as DDIs) as well as
file-system-level images (tarballs). It supports disk images are one of the four following
file-system-level images (tarballs). It supports disk images in one of the four following
classes:</para>
<itemizedlist>
@ -50,7 +50,7 @@
managed via
<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
<listitem><para>Portable service images, that may be attached an managed via
<listitem><para>Portable service images, that may be attached and managed via
<citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
<listitem><para>System extension (sysext) images, that may be activated via
@ -133,7 +133,7 @@
multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
its writable snapshot, specify <literal>-</literal> as local name.</para>
<para>Note that pressing C-c during execution of this command will not abort the download. Use
<para>Note that pressing Control-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
@ -145,14 +145,14 @@
<listitem><para>Downloads a <filename>.raw</filename> disk image from the specified URL, and makes it
available under the specified local name in the image directory for the selected
<option>--class=</option>. The URL must be of type <literal>http://</literal> or
<literal>https://</literal>. The image must either be a <filename>.qcow2</filename> or raw disk
<literal>https://</literal>. The image must either be a qcow2 or raw disk
image, optionally compressed as <filename>.gz</filename>, <filename>.xz</filename>, or
<filename>.bz2</filename>. If the local name is omitted, it is automatically derived from the last
component of the URL, with its suffix removed.</para>
<para>Image verification is identical for raw and tar images (see above).</para>
<para>If the downloaded image is in <filename>.qcow2</filename> format it is converted into a raw
<para>If the downloaded image is in qcow2 format it is converted into a raw
image file before it is made available.</para>
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
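Review bot: the unchanged context line `<para>If <option>-keep-download=yes</option> is specified ...` has a single-dash option name, which looks like a missing dash; since this hunk already touches the surrounding paragraph, fix it to `--keep-download=yes` here if that is how the option is spelled elsewhere in the page.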
@ -162,7 +162,7 @@
necessary. In order to create only the read-only image, and avoid creating its writable copy,
specify <literal>-</literal> as local name.</para>
<para>Note that pressing C-c during execution of this command will not abort the download. Use
<para>Note that pressing Control-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
@ -174,8 +174,14 @@
<listitem><para>Imports a TAR or RAW image, and places it under the specified name in the image
directory for the image class selected via <option>--class=</option>. When
<command>import-tar</command> is used, the file specified as the first argument should be a tar
archive, possibly compressed with xz, gzip or bzip2. It will then be unpacked into its own
<command>import-tar</command> is used, the file specified as the first argument should be a
<citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry>
archive, possibly compressed with
<citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
or
<citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
It will then be unpacked into its own
subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw
disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image
name) is not specified, it is automatically derived from the file name. If the filename is passed as
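Review bot: the `import-tar` sentence now links tar, xz, gzip and bzip2 with `<citerefentry>`, but the `import-raw` sentence in the same paragraph still says `possibly compressed with xz, gzip or bzip2` in plain text; link both or neither so the paragraph is consistent.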
@ -196,7 +202,9 @@
<listitem><para>Imports an image stored in a local directory into the image directory for the image
class selected via <option>--class=</option> and operates similarly to <command>import-tar</command>
or <command>import-raw</command>, but the first argument is the source directory. If supported, this
command will create a btrfs snapshot or subvolume for the new image.</para>
command will create a
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
snapshot or subvolume for the new image.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
@ -207,9 +215,13 @@
<listitem><para>Exports a TAR or RAW image and stores it in the specified file. The first parameter
should be an image name. The second parameter should be a file path the TAR or RAW
image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with gzip, if
it ends in <literal>.xz</literal>, with xz, and if it ends in <literal>.bz2</literal>, with bzip2. If
the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with
<citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
if it ends in <literal>.xz</literal>, with
<citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
and if it ends in <literal>.bz2</literal>, with
<citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
If the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
is written to standard output. The compression may also be explicitly selected with the
<option>--format=</option> switch. This is in particular useful if the second parameter is left
unspecified.</para>

View File

@ -113,11 +113,11 @@
</row>
<row>
<entry><constant>user-early</constant></entry>
<entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <filename>systemd-user-sessions.service</filename>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
<entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
</row>
<row>
<entry><constant>user-incomplete</constant></entry>
<entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <command>ssh</command> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
<entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
</row>
<row>
<entry><constant>greeter</constant></entry>
@ -129,15 +129,15 @@
</row>
<row>
<entry><constant>background</constant></entry>
<entry>Used for background sessions, such as those invoked by <command>cron</command> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
<entry>Used for background sessions, such as those invoked by <citerefentry project='die-net'><refentrytitle>cron</refentrytitle><manvolnum>8</manvolnum></citerefentry> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
</row>
<row>
<entry><constant>background-light</constant></entry>
<entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <filename>user@.service</filename> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
<entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
</row>
<row>
<entry><constant>manager</constant></entry>
<entry>The <filename>user@.service</filename> service of the user is registered under this session class. (Added in v256.)</entry>
<entry>The <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> service of the user is registered under this session class. (Added in v256.)</entry>
</row>
<row>
<entry><constant>manager-early</constant></entry>
@ -445,6 +445,8 @@ session required pam_unix.so</programlisting>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>

View File

@ -112,7 +112,8 @@
during boot.</para>
<para>You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase.
Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g. <filename>sddm-autologin</filename>):</para>
Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g.
<filename>sddm-autologin</filename>):</para>
<programlisting>
-auth optional pam_systemd_loadkey.so
@ -131,8 +132,9 @@ KeyringMode=inherit
<para>In this setup, early during the boot process,
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
will ask for the passphrase and store it in the kernel keyring with the keyname <literal>cryptsetup</literal>.
Then when the display manager does the autologin, pam_systemd_loadkey will read the passphrase from the kernel keyring,
set it as the PAM authtok, and then pam_gnome_keyring and pam_kwallet5 will unlock with the same passphrase.</para>
Then when the display manager does the autologin, <command>pam_systemd_loadkey</command> will read the passphrase
from the kernel keyring, set it as the PAM authtok, and then <command>pam_gnome_keyring</command> and
<command>pam_kwallet5</command> will unlock with the same passphrase.</para>
</refsect1>
</refentry>

View File

@ -48,7 +48,7 @@
and transfer them as a whole between systems. When these images are attached to the local system, the contained units
may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing,
depending on the selected configuration. For more details, see
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.</para>
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.</para>
<para>Portable service images may be of the following kinds:</para>
@ -417,7 +417,7 @@
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Images can be block images, btrfs subvolumes or directories. For more information on portable
services with extensions, see the <literal>Extension Images</literal> paragraph on
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.
</para>
<para>Note that the same extensions have to be specified, in the same order, when attaching

View File

@ -606,7 +606,8 @@
<varname>Subvolumes=</varname>.</para>
<para>Note that this option only takes effect if the target filesystem supports subvolumes, such as
<literal>btrfs</literal>.</para>
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para>
<para>Note that this option is only supported in combination with <option>--offline=yes</option>
since btrfs-progs 6.11 or newer.</para>
@ -686,7 +687,7 @@
<listitem><para>Configures the data block size of the generated verity hash partition. Must be between 512 and
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
block device sector size, or 4K if systemd-repart is not operating on a block device.
block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device.
</para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
@ -697,7 +698,7 @@
<listitem><para>Configures the hash block size of the generated verity hash partition. Must be between 512 and
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
block device sector size, or 4K if systemd-repart is not operating on a block device.
block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device.
</para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
@ -807,7 +808,9 @@
mount options. These fields correspond to the second and fourth column of the
<citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
format. This setting may be specified multiple times to mount the partition multiple times. This can
be used to add mounts for different btrfs subvolumes located on the same btrfs partition.</para>
be used to add mounts for different
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
subvolumes located on the same btrfs partition.</para>
<para>Note that this setting is only taken into account when <option>--generate-fstab=</option> is
specified on the <command>systemd-repart</command> command line.</para>
@ -818,7 +821,7 @@
<varlistentry>
<term><varname>EncryptedVolume=</varname></term>
<listitem><para>Specify how the encrypted partition should be set up. Takes at least one and at most
<listitem><para>Specifies how the encrypted partition should be set up. Takes at least one and at most
three fields separated with a colon (<literal>:</literal>). The first field specifies the encrypted
volume name under <filename>/dev/mapper/</filename>. If not specified, <literal>luks-UUID</literal>
will be used where <literal>UUID</literal> is the LUKS UUID. The second field specifies the keyfile
@ -837,13 +840,14 @@
<varlistentry>
<term><varname>Compression=</varname></term>
<listitem><para>Specify the compression algorithm to use for the filesystem configured with
<listitem><para>Specifies the compression algorithm to use for the filesystem configured with
<varname>Format=</varname>. Takes a single argument specifying the compression algorithm.</para>
<para>Note that this setting is only taken into account when the filesystem configured with
<varname>Format=</varname> supports compression (btrfs, squashfs, erofs). Here's an incomplete list
of compression algorithms supported by the filesystems known to
<command>systemd-repart</command>:</para>
<varname>Format=</varname> supports compression (
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
squashfs, erofs). Here's an incomplete list of compression algorithms supported by the filesystems
known to <command>systemd-repart</command>:</para>
<table>
<title>File System Compression Algorithms</title>
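Review bot: ending the line with `supports compression (` and starting the next with the btrfs `<citerefentry>` will render with a space after the opening parenthesis, because the newline inside `<para>` collapses to a space; keep `(` and the `<citerefentry>` on the same line so the output reads `(btrfs(8), squashfs, erofs)`.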
@ -883,7 +887,7 @@
<varlistentry>
<term><varname>CompressionLevel=</varname></term>
<listitem><para>Specify the compression level to use for the filesystem configured with
<listitem><para>Specifies the compression level to use for the filesystem configured with
<varname>Format=</varname>. Takes a single argument specifying the compression level to use for the
configured compression algorithm. The possible compression levels and their meaning are filesystem
specific (refer to the filesystem's documentation for the exact meaning of a particular compression

View File

@ -485,7 +485,7 @@
<listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If
true, rules regarding routing of single-label names are relaxed. Defaults to false. By default,
lookups of single label names are assumed to refer to local hosts to be resolved via local resolution
lookups of single-label names are assumed to refer to local hosts to be resolved via local resolution
such as LLMNR or via search domain qualification and are not routed to upstream servers as is. If
this option is enabled these rules are disabled and the queries are routed upstream anyway. Also see
the <varname>ResolveUnicastSingleLabel=</varname> option in

View File

@ -81,7 +81,7 @@
<varlistentry>
<term><option>--property=</option></term>
<listitem><para>Sets a property on the service unit that is created. This option takes an assignment
<listitem><para>Sets a property of the service unit that is created. This option takes an assignment
in the same format as
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>set-property</command> command.</para>
@ -225,7 +225,7 @@
<term><option>--machine=</option></term>
<listitem>
<para>Execute operation on a local container. Specify a container name to connect to.</para>
<para>Execute operation in a local container. Specify a container name to connect to.</para>
<xi:include href="version-info.xml" xpointer="v256"/>
</listitem>

View File

@ -1397,7 +1397,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<para>Note that this shows the <emphasis>effective</emphasis> block, i.e. the combination of
environment variables configured via configuration files, environment generators and via IPC
(i.e. via the <command>set-environment</command> described below). At the moment a unit process
is forked off this combined environment block will be further combined with per-unit environment
is forked off, this combined environment block will be further combined with per-unit environment
variables, which are not visible in this command.</para>
</listitem>
</varlistentry>

View File

@ -54,7 +54,7 @@
<listitem><para>The EFI Shell binary, if installed.</para></listitem>
<listitem><para>A <literal>Reboot Into Firmware Interface option</literal>, if supported by the UEFI
<listitem><para>A <literal>Reboot Into Firmware Interface</literal> option, if supported by the UEFI
firmware.</para></listitem>
<listitem><para>Secure Boot variables enrollment if the UEFI firmware is in setup-mode and files are provided

View File

@ -299,7 +299,7 @@
<varlistentry>
<term><option>--unlock-tpm2-device=<replaceable>PATH</replaceable></option></term>
<listitem><para>Use a TPM2 device instead of a password/passhprase read from stdin to unlock the
<listitem><para>Use a TPM2 device instead of a password/passphrase read from stdin to unlock the
volume. Expects a device node path referring to the TPM2 chip (e.g. <filename>/dev/tpmrm0</filename>).
Alternatively the special value <literal>auto</literal> may be specified, in order to automatically
determine the device node of a currently discovered TPM2 device (of which there must be exactly one).

View File

@ -32,7 +32,7 @@
<arg choice="plain">VOLUME</arg>
<arg choice="plain">SOURCE-DEVICE</arg>
<arg choice="opt">KEY-FILE</arg>
<arg choice="opt">CONFIG</arg>
<arg choice="opt">CRYPTTAB-OPTIONS</arg>
</cmdsynopsis>
<cmdsynopsis>
@ -150,7 +150,7 @@
<varlistentry>
<term><varname>cryptsetup.luks2-pin</varname></term>
<listitem><para>This credential specifies the PIN requested by generic LUKS2 token modules.</para>
<listitem><para>This credential specifies the pin requested by generic LUKS2 token modules.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
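Review bot: lowercasing `PIN` to `pin` in `This credential specifies the pin requested by generic LUKS2 token modules.` departs from the usual treatment of PIN as an acronym; check how the other credential descriptions on this page spell it and use one form throughout.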

View File

@ -57,7 +57,9 @@
last check, number of mounts, unclean unmount, etc.</para>
<para><filename>systemd-fsck-root.service</filename> and <filename>systemd-fsck-usr.service</filename>
will activate <filename>reboot.target</filename> if <command>fsck</command> returns the "System
will activate <filename>reboot.target</filename> if
<citerefentry project='man-pages'><refentrytitle>fsck</refentrytitle><manvolnum>8</manvolnum></citerefentry>
returns the "System
should reboot" condition, or <filename>emergency.target</filename> if <command>fsck</command>
returns the "Filesystem errors left uncorrected" condition.</para>

View File

@ -164,9 +164,10 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
used to view the log stream of a specific namespace. If the switch is not used the log stream of the
default namespace is shown, i.e. log data from other namespaces is not visible.</para>
<para>Services associated with a specific log namespace may log via syslog, the native logging protocol
of the journal and via stdout/stderr; the logging from all three transports is associated with the
namespace.</para>
<para>Services associated with a specific log namespace may log via
<citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
the native logging protocol of the journal and via stdout/stderr; the logging from all three transports
is associated with the namespace.</para>
<para>By default only the default namespace will collect kernel and audit log messages.</para>
@ -288,8 +289,11 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
<term><varname>systemd.journald.max_level_socket=</varname></term>
<listitem><para>Controls the maximum log level of messages that are stored in the journal, forwarded
to syslog, kmsg, the console, the wall, or a socket. This kernel command line options override the
settings of the same names in the
to
<citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
kmsg, the console,
<citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
or a socket. This kernel command line options override the settings of the same names in the
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
file.</para>
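Review bot: the rewritten sentence `This kernel command line options override the settings of the same names in the` carries over a number mismatch from the old text; since the entry covers several `systemd.journald.max_level_*=` options, make it `These kernel command line options override the settings of the same names in the`.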

View File

@ -136,6 +136,7 @@
<member><citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>org.freedesktop.machine1</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>

View File

@ -57,7 +57,9 @@
<para>The returned mounts are automatically allowlisted in the per-user-namespace allowlist maintained by
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para>The file systems are automatically fsck'ed before mounting.</para>
<para>The file systems are automatically
<citerefentry project='man-pages'><refentrytitle>fsck</refentrytitle><manvolnum>8</manvolnum></citerefentry>'ed
before mounting.</para>
</refsect1>
<refsect1>
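Review bot: splitting the verb around the citerefentry renders as "fsck(8)'ed" in the generated page, which reads oddly. Prefer a plain verb with the reference as a noun, e.g. "The file systems are automatically checked with fsck(8) before mounting." (keeping the citerefentry markup for fsck).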

View File

@ -140,7 +140,7 @@
<para>When running in unprivileged mode, some needed functionality is provided via
<citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para>
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
</refsect1>
<refsect1>

View File

@ -106,7 +106,7 @@
<listitem><para>This reads the combined TPM2 event log and writes it to STDOUT in <ulink
url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Canonical Event Log
Format (CEL-JSON)</ulink> format.</para>
Format (CEL-JSON)</ulink>.</para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
</varlistentry>
@ -387,8 +387,10 @@
<listitem><para>Generates/removes a <filename>.pcrlock</filename> file based on a kernel initrd cpio
archive. This is useful for predicting measurements the Linux kernel makes to PCR 9
("kernel-initrd"). Do not use for <command>systemd-stub</command> UKIs, as the initrd is combined
dynamically from various sources and hence does not take a single input, like this command.</para>
("kernel-initrd"). Do not use for
<citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>
UKIs, as the initrd is combined dynamically from various sources and hence does not take a single
input, like this command.</para>
<para>This writes/removes the file
<filename>/var/lib/pcrlock.d/720-kernel-initrd.pcrlock/generated.pcrlock</filename>.</para>
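Review bot: "and hence does not take a single input, like this command" remains ambiguous after the reflow; it can be read as "like this command, it does not take a single input", the opposite of what is meant. Suggest "and hence, unlike this command, does not have a single input file."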
@ -521,7 +523,7 @@
<varlistentry>
<term><option>--pcrlock=</option></term>
<listitem><para>Takes a file system path as argument. If specified overrides where to write the
<listitem><para>Takes a file system path as argument. If specified, configures where to write the
generated pcrlock data to. Honoured by the various <command>lock-*</command> commands. If not
specified, a default path is generally used, as documented above.</para>
@ -531,7 +533,7 @@
<varlistentry>
<term><option>--policy=</option></term>
<listitem><para>Takes a file system path as argument. If specified overrides where to write pcrlock
<listitem><para>Takes a file system path as argument. If specified, configures where to write pcrlock
policy metadata to. If not specified defaults to
<filename>/var/lib/systemd/pcrlock.json</filename>.</para>
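Review bot: missing comma on the second sentence: "If not specified, defaults to /var/lib/systemd/pcrlock.json", matching the comma this hunk adds to "If specified, configures" on the line above.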

View File

@ -53,7 +53,7 @@
might be broken — the running PID 1 could still depend on libraries which are not available any more,
thus keeping the file system busy, which then cannot be re-mounted read-only.</para>
<para>Shortly before executing the actual system power-off/halt/reboot/kexec
<para>Shortly before executing the actual system power-off/halt/reboot/kexec,
<filename>systemd-shutdown</filename> will run all executables in
<filename>/usr/lib/systemd/system-shutdown/</filename> and pass one arguments to them: either
<literal>poweroff</literal>, <literal>halt</literal>, <literal>reboot</literal>, or
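Review bot: the context line after the comma fix still says "pass one arguments to them"; while editing this sentence, change it to "pass one argument to them". The list that follows (poweroff, halt, reboot, kexec) shows that exactly one value is passed.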

View File

@ -569,7 +569,7 @@
(sysext, see
<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details), configuration extension (confext) or <ulink
url="https://systemd.io/PORTABLE_SERVICES">portable service</ulink>. The generated image will consist
url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>. The generated image will consist
of a signed Verity <literal>erofs</literal> file system as root partition. In this mode of operation
the partition definitions in <filename>/usr/lib/repart.d/*.conf</filename> and related directories
are not read, and <option>--definitions=</option> is not supported, as appropriate definitions for
@ -605,10 +605,11 @@
<varlistentry>
<term><option>--generate-fstab=<replaceable>PATH</replaceable></option></term>
<listitem><para>Specifies a path where to write fstab entries for the mountpoints configured with
<option>MountPoint=</option> in the root directory specified with <option>--copy-source=</option> or
<option>--root=</option> or in the host's root directory if neither is specified. Disabled by
default.</para>
<listitem><para>Specifies a path where to write
<citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
entries for the mountpoints configured with <option>MountPoint=</option> in the root directory
specified with <option>--copy-source=</option> or <option>--root=</option> or in the host's root
directory if neither is specified. Disabled by default.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
@ -680,7 +681,7 @@ systemd-confext refresh</programlisting>
<title>Generate a system extension image and sign it via PKCS11</title>
<para>The following creates a system extension DDI (sysext) for an
<filename>/usr/foo</filename> update and signs it with a hardware token via PKCS11.</para>
<filename>/usr/foo</filename> update and signs it with a hardware token via PKCS11:</para>
<programlisting>mkdir -p tree/usr/lib/extension-release.d
echo "Hello World" >tree/usr/foo
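Review bot: the title and the lead-in both write "PKCS11", while the standard is named "PKCS #11". If the short form is kept, it should at least match how the signing options on this page spell it; worth a quick check of the other occurrences in repart(8) and repart.d(5) before merging.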

View File

@ -343,10 +343,10 @@ search foobar.com barbar.com
<listitem><para><command>systemd-resolved</command> maintains the
<filename>/run/systemd/resolve/stub-resolv.conf</filename> file for compatibility with traditional
Linux programs. This file lists the 127.0.0.53 DNS stub (see above) as the only DNS server. It also
contains a list of search domains that are in use by systemd-resolved. The list of search domains is
always kept up-to-date. Note that <filename>/run/systemd/resolve/stub-resolv.conf</filename> should not
be used directly by applications, but only through a symlink from
<filename>/etc/resolv.conf</filename>. This file may be symlinked from
contains a list of search domains that are in use by <command>systemd-resolved</command>. The list of
search domains is always kept up-to-date. Note that
<filename>/run/systemd/resolve/stub-resolv.conf</filename> should not be used directly by applications,
but only through a symlink from <filename>/etc/resolv.conf</filename>. This file may be symlinked from
<filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs
to <command>systemd-resolved</command> with correct search domains settings. This mode of operation is
recommended.</para></listitem>
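Review bot: the reflowed paragraph says the same thing twice: "should not be used directly by applications, but only through a symlink from /etc/resolv.conf" and, in the next sentence, "This file may be symlinked from /etc/resolv.conf in order to ...". Merge them into one statement, e.g. "... should not be used directly by applications; instead, /etc/resolv.conf should be a symlink to it, which connects all local clients that bypass local DNS APIs to systemd-resolved with correct search domain settings. This mode of operation is recommended."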

View File

@ -139,7 +139,8 @@ DefaultDependencies=no</programlisting>
<varname>Conflicts=umount.target</varname>)</para></listitem>
<listitem><para>If the unit publishes a service over D-Bus, the connection needs to be re-established
after soft-reboot as the D-Bus broker will be stopped and then started again. When using the sd-bus
after soft-reboot as the D-Bus broker will be stopped and then started again. When using the
<citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>
library this can be achieved by adapting the following example.
<programlisting><xi:include href="sd_bus_service_reconnect.c" parse="text"/></programlisting>
</para></listitem>

View File

@ -34,9 +34,9 @@
<para><command>systemd-ssh-generator</command> binds a socket-activated SSH server to local
<constant>AF_VSOCK</constant> and <constant>AF_UNIX</constant> sockets under certain conditions. It only
has an effect if the <citerefentry
project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> binary is
installed. Specifically, it does the following:</para>
has an effect if the
<citerefentry project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
binary is installed. Specifically, it does the following:</para>
<itemizedlist>
<listitem><para>If invoked in a VM with <constant>AF_VSOCK</constant> support, a socket-activated SSH
@ -71,14 +71,14 @@
<para>The generator will use a packaged <filename>sshd@.service</filename> service template file if one
exists, and otherwise generate a suitable service template file.</para>
<para><filename>systemd-ssh-generator</filename> implements
<para><command>systemd-ssh-generator</command> implements
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
</refsect1>
<refsect1>
<title>Kernel Command Line</title>
<para><filename>systemd-ssh-generator</filename> understands the following
<para><command>systemd-ssh-generator</command> understands the following
<citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>
parameters:</para>
@ -102,8 +102,9 @@
times to bind multiple sockets. The syntax should follow the one of <varname>ListenStream=</varname>,
see
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This functionality supports all socket families systemd supports, including
<constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
for details. This functionality supports all socket families
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> supports,
including <constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
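Review bot: now that this paragraph spells out that systemd.ssh.listen= accepts AF_INET and AF_INET6, it is the place to make explicit what the description above leaves implicit: the generator's defaults bind only local AF_VSOCK and AF_UNIX sockets, whereas an IP address exposes the socket-activated sshd on the network, so the usual hardening expectations for a conventional sshd listener apply. One sentence such as "Note that binding to AF_INET or AF_INET6 addresses exposes the SSH server to the network, unlike the local AF_VSOCK and AF_UNIX sockets the generator sets up by default." would do.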

View File

@ -77,7 +77,7 @@ Host .host
<para>This tool is supposed to be used together with
<citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
which when run inside a VM or container will bind SSH to suitable
addresses. <command>systemd-ssh-generator</command> is supposed to run in the container of VM guest, and
addresses. <command>systemd-ssh-generator</command> is supposed to run in the container or VM guest, and
<command>systemd-ssh-proxy</command> is run on the host, in order to connect to the container or VM
guest.</para>
</refsect1>

View File

@ -43,7 +43,7 @@
<para><citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry> uses
<command>systemd-stdio-bridge</command> to forward D-Bus connections over
<citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
or to connect to the bus of a different user, see
<citerefentry><refentrytitle>sd_bus_set_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
</para>

View File

@ -209,7 +209,7 @@
images to the initrd. See
<citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
details on configuration extension images. The generated <command>cpio</command> archive containing
these system extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem>
these configuration extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem>
<listitem><para>Similarly, files
<filename><replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename> are loaded and verified as

View File

@ -141,7 +141,7 @@
but the used architecture identifiers are the same as for <varname>ConditionArchitecture=</varname>
described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
<varname>EXTENSION_RELOAD_MANAGER=</varname> can be set to 1 if the extension requires a service manager reload after application
of the extension. Note that for the reasons mentioned earlier:
of the extension. Note that for the reasons mentioned earlier,
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> remain
the recommended way to ship system services.
@ -206,13 +206,13 @@
the underlying host <filename>/usr/</filename> is managed as immutable disk image or is a traditional
package manager controlled (i.e. writable) tree.</para>
<para>With systemd-confext one can perform runtime reconfiguration of OS services.
<para>With <command>systemd-confext</command> one can perform runtime reconfiguration of OS services.
Sometimes, there is a need to swap certain configuration parameter values or restart only a specific
service without deployment of new code or a complete OS deployment. In other words, we want to be able
to tie the most frequently configured options to runtime updateable flags that can be changed without a
system reboot. This will help reduce servicing times when there is a need for changing the OS configuration.
It also provides a reliable tool for managing configuration because all old configuration files disappear when
the systemd-confext image is removed.</para></refsect1>
the <command>systemd-confext</command> image is removed.</para></refsect1>
<refsect1>
<title>Mutability</title>

View File

@ -30,7 +30,7 @@
<refsect1>
<title>Description</title>
<para><filename>systemd-tpm2-generator</filename> is a generator that adds a <varname>Wants=</varname>
<para><command>systemd-tpm2-generator</command> is a generator that adds a <varname>Wants=</varname>
dependency from <filename>sysinit.target</filename> to <filename>tpm2.target</filename> when it detects
that the firmware discovered a TPM2 device but the OS kernel so far did
not. <filename>tpm2.target</filename> is supposed to act as synchronization point for all services that
@ -45,7 +45,7 @@
for it yet. The latter might be useful in environments where a suitable TPM2 driver for the available
hardware is not available.</para>
<para><filename>systemd-tpm2-generator</filename> implements
<para><command>systemd-tpm2-generator</command> implements
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
</refsect1>

View File

@ -45,7 +45,7 @@
file descriptors must be passed with the names <literal>kvm</literal> and <literal>vhost-vsock</literal>
respectively.</para>
<para>Note: on Ubuntu/Debian derivatives systemd-vmspawn requires the user to be in the
<para>Note: on Ubuntu/Debian derivatives <command>systemd-vmspawn</command> requires the user to be in the
<literal>kvm</literal> group to use the VSOCK options.</para>
</refsect1>
@ -420,7 +420,8 @@
for more information.</para>
<para>By default <literal>ed25519</literal> keys are generated, however <literal>rsa</literal> keys
may also be useful if the VM has a particularly old version of <command>sshd</command>.</para>
may also be useful if the VM has a particularly old version of
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<xi:include href="version-info.xml" xpointer="v256"/>
</listitem>

View File

@ -46,7 +46,7 @@
<para>If the specified path does not reference a <literal>.v/</literal> path (i.e. neither the final
component ends in <literal>.v</literal>, nor the penultimate does or the final one does contain a triple
underscore) it specified path is written unmodified to standard output.</para>
underscore) its specified path is written unmodified to standard output.</para>
</refsect1>
<refsect1>
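Review bot: "it specified path" to "its specified path" is still wrong; the subject is the path itself, so the clause should read "the specified path is written unmodified to standard output". The condition before it would also read more easily as "neither the final component ends in .v, nor does the penultimate, nor does the final one contain a triple underscore".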

View File

@ -378,7 +378,7 @@
<para>This setting is useful to configure the <literal>ID_NET_MANAGED_BY=</literal> property which
declares which network management service shall manage the interface, which is respected by
systemd-networkd and others. Use
<command>systemd-networkd</command> and others. Use
<programlisting>Property=ID_NET_MANAGED_BY=io.systemd.Network</programlisting>
to declare explicitly that <command>systemd-networkd</command> shall manage the interface, or set
the property to something else to declare explicitly it shall not do so. See
@ -974,10 +974,10 @@
<listitem>
<para>Configures Receive Packet Steering (RPS) list of CPUs to which RPS may forward traffic.
Takes a list of CPU indices or ranges separated by either whitespace or commas. Alternatively,
takes the special value <literal>all</literal> in which will include all available CPUs in the mask.
takes the special value <literal>all</literal>, which will include all available CPUs in the mask.
CPU ranges are specified by the lower and upper CPU indices separated by a dash (e.g. <literal>2-6</literal>).
This option may be specified more than once, in which case the specified CPU affinity masks are merged.
If an empty string is assigned, the mask is reset, all assignments prior to this will have no effect.
This option may be specified more than once, in which case the specified list of CPU ranges are merged.
If an empty string is assigned, the list is reset, all assignments prior to this will have no effect.
Defaults to unset and RPS CPU list is unchanged. To disable RPS when it was previously enabled, use the
special value <literal>disable</literal>.</para>

View File

@ -293,7 +293,7 @@
comes from unit fragments, i.e. generated from <filename>/etc/fstab</filename> by <citerefentry>
<refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> or loaded from
a manually configured mount unit, a combination of <varname>Requires=</varname> and <varname>StopPropagatedFrom=</varname>
dependencies is set on the backing device. If doesn't, only <varname>Requires=</varname> is used.</para>
dependencies is set on the backing device, otherwise only <varname>Requires=</varname> is used.</para>
<xi:include href="version-info.xml" xpointer="v233"/></listitem>
</varlistentry>
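Review bot: the replacement turns a fragment into a comma splice: "... dependencies is set on the backing device, otherwise only Requires= is used." Use a semicolon instead: "... set on the backing device; otherwise only Requires= is used."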
@ -556,7 +556,7 @@
for details. This setting is optional.</para>
<para>If the type is <literal>overlay</literal>, and <literal>upperdir=</literal> or
<literal>workdir=</literal> are specified as options and they don't exist, they will be created.
<literal>workdir=</literal> are specified as options and the directories don't exist, they will be created.
</para></listitem>
</varlistentry>

View File

@ -27,18 +27,19 @@
attributes and the use of this information is configured. This page describes interface naming, i.e. what
possible names may be generated. Those names are generated by the
<citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
builtin <command>net_id</command> and exported as udev properties
(<varname>ID_NET_NAME_ONBOARD=</varname>, <varname>ID_NET_LABEL_ONBOARD=</varname>,
builtin <command>net_id</command> and exported as
<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
properties (<varname>ID_NET_NAME_ONBOARD=</varname>, <varname>ID_NET_LABEL_ONBOARD=</varname>,
<varname>ID_NET_NAME_PATH=</varname>, <varname>ID_NET_NAME_SLOT=</varname>).</para>
<para>Names and MAC addresses are derived from various stable device metadata attributes. Newer versions
of udev take more of these attributes into account, improving (and thus possibly changing) the names and
addresses used for the same devices. Different versions of those generation rules are called "naming
schemes". The default naming scheme is chosen at compilation time. Usually this will be the latest
implemented version, but it is also possible to set one of the older versions to preserve
compatibility. This may be useful for example for distributions, which may introduce new versions of
systemd in stable releases without changing the naming scheme. The naming scheme may also be overridden
using the <varname>net.naming_scheme=</varname> kernel command line switch, see
of <command>systemd-udevd</command> take more of these attributes into account, improving (and thus
possibly changing) the names and addresses used for the same devices. Different versions of those
generation rules are called "naming schemes". The default naming scheme is chosen at compilation time.
Usually this will be the latest implemented version, but it is also possible to set one of the older
versions to preserve compatibility. This may be useful for example for distributions, which may introduce
new versions of systemd in stable releases without changing the naming scheme. The naming scheme may also
be overridden using the <varname>net.naming_scheme=</varname> kernel command line switch, see
<citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
Available naming schemes are described below.</para>
@ -521,7 +522,8 @@
change introduced in <constant>v254</constant> by default.</para>
<para>If we detect that a PCI device associated with a slot is a PCI bridge, we no longer set
<varname>ID_NET_NAME_SLOT</varname>, reverting a change that was introduced in v251.</para>
<varname>ID_NET_NAME_SLOT</varname>, reverting a change that was introduced in
<constant>v251</constant>.</para>
<xi:include href="version-info.xml" xpointer="v255"/>
</listitem>
@ -708,6 +710,7 @@ net:naming:drvirtio_net:*
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><ulink url="https://systemd.io/PREDICTABLE_INTERFACE_NAMES">Predictable Network Interface Names</ulink></member>
<member><citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>

View File

@ -34,10 +34,16 @@
for a general description of the syntax.</para>
<para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
other extensions are ignored. Virtual network devices are created as soon as networkd is
started. If a netdev with the specified name already exists, networkd will use that as-is rather
than create its own. Note that the settings of the pre-existing netdev will not be changed by
networkd.</para>
other extensions are ignored. Virtual network devices are created as soon as
<command>systemd-networkd</command> is started if possible. If a netdev with the specified name already
exists, <command>systemd-networkd</command> will try to update the config if the kind of the existing
netdev is equivalent to the requested one, otherwise (e.g. when bridge device <filename>foo</filename>
exists but bonding device with the same name is configured in a .netdev file) use the existing netdev
as-is rather than replacing with the requested netdev. Note, several settings (e.g. vlan ID) cannot be
changed after the netdev is created. To change such settings, it is necessary to first remove the
existing netdev, and then run <command>networkctl reload</command> command or restart
<command>systemd-networkd</command>. See also
<citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
<para>The <filename>.netdev</filename> files are read from the files located in the system network
directory <filename>/usr/lib/systemd/network</filename> and
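Review bot: this hunk changes documented behaviour, not just wording. The old text said a pre-existing netdev is used as-is and its settings are never changed; the new text says systemd-networkd updates the configuration when the kind of the existing netdev matches the requested one. That claim should be confirmed against the current netdev code before it lands under an "assorted fixes" title, and the version it applies from should be noted. Separately, the sentence starting "If a netdev with the specified name already exists" loses its subject after "otherwise"; split it: "... if the kind of the existing netdev matches the requested one. Otherwise (e.g. when bridge device foo exists but a bonding device with the same name is configured in a .netdev file), systemd-networkd uses the existing netdev as-is rather than replacing it with the requested one." Also ".netdev file" there should use <filename>.netdev</filename> as on the line above.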
@ -588,7 +594,7 @@
<para>Controls the threshold for broadcast queueing of the macvlan device. Takes the special value
<literal>no</literal>, or an integer in the range 0…2147483647. When <literal>no</literal> is
specified, the broadcast queueing is disabled altogether. When an integer is specified, a multicast
address will be queued as broadcast if the number of devices using it is greater than the given
address will be queued as broadcast if the number of devices using the macvlan is greater than the given
value. Defaults to unset, and the kernel default will be used.</para>
<xi:include href="version-info.xml" xpointer="v256"/>
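Review bot: replacing "the number of devices using it" with "the number of devices using the macvlan" changes the meaning rather than clarifying it. The pronoun referred to the multicast address: the threshold compares how many macvlan interfaces on the port have subscribed to that address, not how many use the macvlan. If the aim was to remove the ambiguous "it", "the number of macvlan devices that use that multicast address" keeps the original semantics; please check against the kernel's description of this cutoff before merging the new wording.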
@ -1929,7 +1935,8 @@
the <command>wg genkey</command> command
(see <citerefentry project='man-pages'><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
Specially, if the specified key is prefixed with <literal>@</literal>, it is interpreted as
the name of the credential from which the actual key shall be read. <command>systemd-networkd.service</command>
the name of the credential from which the actual key shall be read.
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
automatically imports credentials matching <literal>network.wireguard.*</literal>. For more details
on credentials, refer to
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
@ -2083,7 +2090,7 @@
i.e. the packets that pass through the tunnel itself. To cause packets to be sent via the tunnel in
the first place, an appropriate route needs to be added as well — either in the
<literal>[Routes]</literal> section on the <literal>.network</literal> matching the wireguard
interface, or externally to <filename>systemd-networkd</filename>.</para>
interface, or externally to <command>systemd-networkd</command>.</para>
<xi:include href="version-info.xml" xpointer="v237"/>
</listitem>
@ -2970,7 +2977,7 @@ Independent=yes</programlisting>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-network-generator.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>

View File

@ -887,7 +887,7 @@ DuplicateAddressDetection=none</programlisting></para>
from the network interface will be appear as coming from the local host. Typically, this should be
enabled on the downstream interface of routers. Takes one of <literal>ipv4</literal>,
<literal>ipv6</literal>, <literal>both</literal>, or <literal>no</literal>. Defaults to
<literal>no</literal>. Note. Any positive boolean values such as <literal>yes</literal> or
<literal>no</literal>. Note that any positive boolean values such as <literal>yes</literal> or
<literal>true</literal> are now deprecated. Please use one of the values above. Specifying
<literal>ipv4</literal> or <literal>both</literal> implies <varname>IPv4Forwarding=</varname>
settings in both .network file for this interface and the global
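Review bot: the context line at the top of the hunk has a leftover verb: "will be appear as coming from the local host" should be "will appear as coming from the local host". Since this PR is collecting fixes to this page, take it here. The new sentence also reads better as "Note that positive boolean values such as yes or true are now deprecated" (drop "any").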
@ -928,8 +928,8 @@ DuplicateAddressDetection=none</programlisting></para>
<para>Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support for the interface.
If true, RAs are accepted; if false, RAs are ignored. When RAs are accepted, they may trigger the
start of the DHCPv6 client if the relevant flags are set in the RA data, or if no routers are found
on the link. Defaults to false for bridge devices, when IP forwarding is enabled,
<varname>IPv6SendRA=</varname> or <varname>KeepMaster=</varname> is enabled. Otherwise, enabled by
on the link. Defaults to false for bridge devices, when <varname>IPv6Forwarding=</varname>,
<varname>IPv6SendRA=</varname>, or <varname>KeepMaster=</varname> is enabled. Otherwise, enabled by
default. Cannot be enabled on devices aggregated in a bond device or when link-local addressing is
disabled.</para>
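Review bot: "Defaults to false for bridge devices, when IPv6Forwarding=, IPv6SendRA=, or KeepMaster= is enabled" is ambiguous: it can be read as "for bridge devices on which one of these is enabled" or as four independent cases. If the latter is meant (which the old text suggests), write "Defaults to false for bridge devices, or when IPv6Forwarding=, IPv6SendRA=, or KeepMaster= is enabled; otherwise defaults to true." Note also that the old text said "when IP forwarding is enabled", so narrowing it to IPv6Forwarding= specifically should be checked against the code.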
@ -993,9 +993,9 @@ DuplicateAddressDetection=none</programlisting></para>
whether the <emphasis>source</emphasis> of the packet would be routed through the interface it came in. If there is no
route to the source on that interface, the machine will drop the packet. Takes one of
<literal>no</literal>, <literal>strict</literal>, or <literal>loose</literal>. When <literal>no</literal>,
no source validation will be done. When <literal>strict</literal>, mode each incoming packet is tested against the FIB and
no source validation will be done. When <literal>strict</literal>, each incoming packet is tested against the FIB and
if the incoming interface is not the best reverse path, the packet check will fail. By default failed packets are discarded.
When <literal>loose</literal>, mode each incoming packet's source address is tested against the FIB. The packet is dropped
When <literal>loose</literal>, each incoming packet's source address is tested against the FIB. The packet is dropped
only if the source address is not reachable via any interface on that router.
See <ulink url="https://tools.ietf.org/html/rfc1027">RFC 3704</ulink>.
When unset, the kernel's default will be used.</para>
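Review bot: the context line "See <ulink url="https://tools.ietf.org/html/rfc1027">RFC 3704</ulink>" links RFC 1027 while naming RFC 3704 (ingress filtering for multihomed networks, the relevant one for reverse-path filtering). Change the URL to https://tools.ietf.org/html/rfc3704 while touching this paragraph; a reader following the link currently lands on an unrelated ARP document.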
@ -1084,9 +1084,10 @@ DuplicateAddressDetection=none</programlisting></para>
Advertisement messages intended for another machine by offering its own MAC address as
destination. Unlike proxy ARP for IPv4, it is not enabled globally, but will only send
Neighbour Advertisement messages for addresses in the IPv6 neighbor proxy table, which can
also be shown by <command>ip -6 neighbour show proxy</command>. systemd-networkd will control
the per-interface `proxy_ndp` switch for each configured interface depending on this option.
When unset, the kernel's default will be used.</para>
also be shown by <command>ip -6 neighbour show proxy</command>.
<command>systemd-networkd</command> will control the per-interface `proxy_ndp` switch for each
configured interface depending on this option. When unset, the kernel's default will be used.
</para>
<xi:include href="version-info.xml" xpointer="v234"/>
</listitem>
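Review bot: the reflowed text keeps the markdown-style backticks in `proxy_ndp`; DocBook treats these as literal characters and they render as backticks. Use <literal>proxy_ndp</literal> as done elsewhere on the page, and, if the per-interface sysctl is what is meant, say so ("the per-interface proxy_ndp sysctl") so readers know what to inspect.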
@ -1096,7 +1097,7 @@ DuplicateAddressDetection=none</programlisting></para>
<term><varname>IPv6ProxyNDPAddress=</varname></term>
<listitem>
<para>An IPv6 address, for which Neighbour Advertisement messages will be proxied. This
option may be specified more than once. systemd-networkd will add the
option may be specified more than once. <command>systemd-networkd</command> will add the
<varname>IPv6ProxyNDPAddress=</varname> entries to the kernel's IPv6 neighbor proxy table.
This setting implies <varname>IPv6ProxyNDP=yes</varname> but has no effect if
<varname>IPv6ProxyNDP=</varname> has been set to false. When unset, the kernel's default will
@ -1225,9 +1226,9 @@ DuplicateAddressDetection=none</programlisting></para>
<varlistentry>
<term><varname>ConfigureWithoutCarrier=</varname></term>
<listitem>
<para>Takes a boolean. Allows networkd to configure a specific link even if it has no
carrier. Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname> setting
is not explicitly set, then it is enabled as well.</para>
<para>Takes a boolean. Allows <command>systemd-networkd</command> to configure a specific link even
if it has no carrier. Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname>
setting is not explicitly set, then it is enabled as well.</para>
<para>With this enabled, to make the interface enter the <literal>configured</literal> state,
which is required to make <command>systemd-networkd-wait-online</command> work properly for the
@ -1455,11 +1456,11 @@ DuplicateAddressDetection=none</programlisting></para>
<command>ip maddr</command> command would not work if we have an Ethernet switch that does
IGMP snooping since the switch would not replicate multicast packets on ports that did not
have IGMP reports for the multicast addresses. Linux vxlan interfaces created via
<command>ip link add vxlan</command> or networkd's netdev kind vxlan have the group option
that enables them to do the required join. By extending <command>ip address</command> command
with option <literal>autojoin</literal> we can get similar functionality for openvswitch (OVS)
vxlan interfaces as well as other tunneling mechanisms that need to receive multicast traffic.
Defaults to <literal>no</literal>.</para>
<command>ip link add vxlan</command> or <command>systemd-networkd</command>'s netdev kind vxlan
have the group option that enables them to do the required join. By extending
<command>ip address</command> command with option <literal>autojoin</literal> we can get similar
functionality for openvswitch (OVS) vxlan interfaces as well as other tunneling mechanisms that
need to receive multicast traffic. Defaults to <literal>no</literal>.</para>
<xi:include href="version-info.xml" xpointer="v232"/>
</listitem>
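Review bot: the reworded sentence in this hunk still drops its articles at `<command>ip address</command> command with option <literal>autojoin</literal>`; since the paragraph is being rewritten anyway, make it `the <command>ip address</command> command with the <literal>autojoin</literal> option`.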
@ -1785,7 +1786,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
<varlistentry>
<term><varname>L3MasterDevice=</varname></term>
<listitem>
<para>A boolean. Specifies whether the rule is to direct lookups to the tables associated with
<para>Takes a boolean. Specifies whether the rule is to direct lookups to the tables associated with
level 3 master devices (also known as Virtual Routing and Forwarding or VRF devices).
For further details see <ulink url="https://docs.kernel.org/networking/vrf.html">
Virtual Routing and Forwarding (VRF)</ulink>. Defaults to false.</para>
@ -2903,7 +2904,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
Note that if <varname>AllowList=</varname> is configured then <varname>DenyList=</varname> is
ignored.</para>
<para>Note that this filters only DHCP offers, so the filtering might not work when
<varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> in the above.
<varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> above.
</para>
<xi:include href="version-info.xml" xpointer="v246"/>
@ -3339,7 +3340,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
<term><varname>UseRedirect=</varname></term>
<listitem>
<para>When true (the default), Redirect message sent by the current first-hop router will be
accepted, and configures routes to redirected nodes will be configured.</para>
accepted, and routes to redirected nodes will be configured.</para>
<xi:include href="version-info.xml" xpointer="v256"/>
</listitem>
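Review bot: number agreement in the rewritten `UseRedirect=` text is off: `Redirect message sent by the current first-hop router will be accepted` pairs a singular subject with the plural `routes` that follows; `Redirect messages sent by the current first-hop router will be accepted` reads correctly.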
@ -4076,7 +4077,8 @@ ServerAddress=192.168.0.1/24</programlisting>
<para>Takes a boolean. When true, the DHCP server will load and save leases in the persistent
storage. When false, the DHCP server will neither load nor save leases in the persistent storage.
Hence, bound leases will be lost when the interface is reconfigured e.g. by
<command>networkctl reconfigure</command>, or <filename>systemd-networkd.service</filename>
<command>networkctl reconfigure</command>, or
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
is restarted. That may cause address conflict on the network. So, please take an extra care when
disable this setting. When unspecified, the value specified in the same setting in
<citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
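Review bot: the sentence right after the changed lines, `So, please take an extra care when disable this setting.`, is still ungrammatical; while this paragraph is being touched, change it to `So, please take extra care when disabling this setting.`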
@ -4260,7 +4262,7 @@ ServerAddress=192.168.0.1/24</programlisting>
<varlistentry>
<term><varname>HomeAgent=</varname></term>
<listitem><para>Takes a boolean. Specifies that IPv6 router advertisements which indicate to hosts that
<listitem><para>Takes a boolean. Specifies that IPv6 router advertisements indicate to hosts that
the router acts as a Home Agent and includes a Home Agent option. Defaults to false. See
<ulink url="https://tools.ietf.org/html/rfc6275">RFC 6275</ulink> for further details.</para>
@ -4584,10 +4586,9 @@ ServerAddress=192.168.0.1/24</programlisting>
<varlistentry>
<term><varname>Priority=</varname></term>
<listitem>
<para>Sets the "priority" of sending packets on this interface.
Each port in a bridge may have a different priority which is used
to decide which link to use. Lower value means higher priority.
It is an integer value between 0 to 63. Networkd does not set any
<para>Sets the "priority" of sending packets on this interface. Each port in a bridge may have a
different priority which is used to decide which link to use. Lower value means higher priority.
It is an integer value between 0 to 63. <command>systemd-networkd</command> does not set any
default, meaning the kernel default value of 32 is used.</para>
<xi:include href="version-info.xml" xpointer="v234"/>
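Review bot: `It is an integer value between 0 to 63.` in the rewritten `Priority=` text should read `between 0 and 63`, and `Lower value means higher priority.` wants its articles (`A lower value means a higher priority.`); both sit in lines this hunk already rewrites, so fix them here rather than in a follow-up.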

View File

@ -896,7 +896,7 @@ CPUWeight=20 DisableControllers=cpu / \
<listitem>
<para>Configures restrictions on the ability of unit processes to invoke <citerefentry
project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry> on a
socket. Both allow and deny rules may defined that restrict which addresses a socket may be bound
socket. Both allow and deny rules to be defined that restrict which addresses a socket may be bound
to.</para>
<para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>,
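Review bot: the replacement line is still missing its verb: `Both allow and deny rules to be defined that restrict which addresses a socket may be bound to.` The original only lacked `be`, so the intended wording is `Both allow and deny rules may be defined that restrict which addresses a socket may be bound to.`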
@ -1673,7 +1673,8 @@ DeviceAllow=/dev/loop-control
<para>When <command>systemd-coredump</command> is handling a coredump for a process from a container,
if the container's leader process is a descendant of a cgroup with <varname>CoredumpReceive=yes</varname>
and <varname>Delegate=yes</varname>, then <command>systemd-coredump</command> will attempt to forward
the coredump to <command>systemd-coredump</command> within the container.</para>
the coredump to <command>systemd-coredump</command> within the container. See also
<citerefentry><refentrytitle>systemd-coredump</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
</varlistentry>

View File

@ -1437,7 +1437,7 @@
<para>The command line accepts <literal>%</literal> specifiers as described in
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
<para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal></para>
<para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal>.</para>
<para>Basic environment variable substitution is supported. Use
<literal>${FOO}</literal> as part of a word, or as a word of its

View File

@ -120,9 +120,8 @@
<para>The timezone defaults to the current timezone if not specified explicitly.
It may be given after a space, like above, in which case it can be:
<literal>UTC</literal>,
an entry in the installed IANA timezone database (<literal>CET</literal>, <literal>Asia/Tokyo</literal>, &amp;c.;
complete list obtainable with <literal>timedatectl
list-timezones</literal> (see
an entry in the installed IANA timezone database (e.g. <literal>CET</literal>, <literal>Asia/Tokyo</literal>,
where the complete list can be obtained with <command>timedatectl list-timezones</command> (see
<citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>)),
or <literal>±<replaceable>05</replaceable></literal>,
<literal>±<replaceable>05</replaceable><replaceable>30</replaceable></literal>,

View File

@ -1238,9 +1238,9 @@
</itemizedlist>
<para>Signals sent to PID 1 before this message is sent might not be handled correctly yet. A consumer
of these messages should parse the value as an unsigned integer indication the level of support. For
now only the mentioned level 2 is defined, but later on additional levels might be defined with higher
integers, that will implement a superset of the currently defined behaviour.</para>
of these messages should parse the value as an unsigned integer that indicates the level of support.
For now only the mentioned level 2 is defined, but later on additional levels might be defined with
higher integers, that will implement a superset of the currently defined behaviour.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
@ -1389,8 +1389,8 @@
<term><option>--crash-action=</option></term>
<listitem><para>Specify what to do when the system manager (PID 1) crashes. This switch has no
effect when systemd is running as user instance. See <varname>systemd.crash_action=</varname>
above.</para>
effect when <command>systemd</command> is running as user instance. See
<varname>systemd.crash_action=</varname> above.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
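Review bot: `when <command>systemd</command> is running as user instance` in the `--crash-action=` paragraph wants an article: `as a user instance`.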

View File

@ -220,7 +220,8 @@
<para>For the <command>inspect</command> verb, the second syntax is used.
The section <replaceable>NAME</replaceable> will be inspected (if found).
If the second argument is <literal>text</literal>, the contents will be printed.
If the third argument is given, the contents will be saved to file <replaceable>PATH</replaceable>.
If the third argument is given, the contents will be saved to the file named
<replaceable>PATH</replaceable>.
</para>
<para>Note that the name is used as-is, and if the section name should start with a dot, it must be

View File

@ -52,7 +52,7 @@
<para>User processes may be started by the <filename>user@.service</filename> instance, in which
case they will be part of that unit in the system hierarchy. They may also be started elsewhere,
for example by
<citerefentry project='die-net'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or a
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or a
display manager like <command>gdm</command>, in which case they form a .scope unit (see
<citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
Both <filename>user@<replaceable>UID</replaceable>.service</filename> and the scope units are
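Review bot: switching `project='die-net'` to `project='man-pages'` for sshd(8) changes which external URL the citerefentry resolves to; sshd is shipped by OpenSSH rather than by the Linux man-pages project, so please confirm the generated link actually resolves before merging. The same check applies to the ssh(1) and sshd_config(5) changes in the following hunks.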
@ -145,7 +145,7 @@ Control group /:
</programlisting>
<para>User with UID 1000 is logged in using <command>gdm</command> (<filename
index="false">session-4.scope</filename>) and
<citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
(<filename index="false">session-19.scope</filename>), and also has a user manager instance
running (<filename index="false">user@1000.service</filename>). User with UID 1001 is logged
in using <command>ssh</command> (<filename index="false">session-20.scope</filename>) and

View File

@ -416,7 +416,7 @@
<para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly
contained in a user record available to the SSH daemon for authentication. For that configure the
following in <citerefentry
project='die-net'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>
project='man-pages'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>
<programlisting>
AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u

View File

@ -38,9 +38,8 @@ SignExpectedPcr=yes
[Content]
ExtraTrees=
mkosi.extra.common
mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
%O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
%O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
%O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig

View File

@ -6,9 +6,7 @@ Include=
%D/mkosi.sanitizers
[Content]
ExtraTrees=
%D/mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
%D/mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
ExtraTrees=%D/mkosi.extra.common
Packages=
findutils

View File

@ -0,0 +1,12 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
/* Root namespace inode numbers, as per include/linux/proc_ns.h in the kernel source tree, since v3.8:
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98f842e675f96ffac96e6c50315790912b2812be */
#define PROC_IPC_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFF))
#define PROC_UTS_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFE))
#define PROC_USER_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFD))
#define PROC_PID_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFC))
#define PROC_CGROUP_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFB))
#define PROC_TIME_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFA))
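Review bot: the new header uses `ino_t` and `UINT32_C()` but includes nothing, so it only compiles when the includer has already pulled in <sys/types.h> and <stdint.h>; add those two includes after `#pragma once` so the file is self-contained. Also, the comment's `since v3.8` only holds for the IPC, UTS, USER and PID entries: cgroup and time namespaces did not exist in that kernel, so their constants are newer. That is worth stating here, since `namespace_is_init()` treats a missing `/proc/self/ns/<type>` as "we are in the init namespace".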

View File

@ -12,6 +12,7 @@
#include "fileio.h"
#include "missing_fs.h"
#include "missing_magic.h"
#include "missing_namespace.h"
#include "missing_sched.h"
#include "missing_syscall.h"
#include "mountpoint-util.h"
@ -23,17 +24,17 @@
#include "user-util.h"
const struct namespace_info namespace_info[_NAMESPACE_TYPE_MAX + 1] = {
[NAMESPACE_CGROUP] = { "cgroup", "ns/cgroup", CLONE_NEWCGROUP, },
[NAMESPACE_IPC] = { "ipc", "ns/ipc", CLONE_NEWIPC, },
[NAMESPACE_NET] = { "net", "ns/net", CLONE_NEWNET, },
[NAMESPACE_CGROUP] = { "cgroup", "ns/cgroup", CLONE_NEWCGROUP, PROC_CGROUP_INIT_INO },
[NAMESPACE_IPC] = { "ipc", "ns/ipc", CLONE_NEWIPC, PROC_IPC_INIT_INO },
[NAMESPACE_NET] = { "net", "ns/net", CLONE_NEWNET, 0 },
/* So, the mount namespace flag is called CLONE_NEWNS for historical
* reasons. Let's expose it here under a more explanatory name: "mnt".
* This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
[NAMESPACE_MOUNT] = { "mnt", "ns/mnt", CLONE_NEWNS, },
[NAMESPACE_PID] = { "pid", "ns/pid", CLONE_NEWPID, },
[NAMESPACE_USER] = { "user", "ns/user", CLONE_NEWUSER, },
[NAMESPACE_UTS] = { "uts", "ns/uts", CLONE_NEWUTS, },
[NAMESPACE_TIME] = { "time", "ns/time", CLONE_NEWTIME, },
[NAMESPACE_MOUNT] = { "mnt", "ns/mnt", CLONE_NEWNS, 0 },
[NAMESPACE_PID] = { "pid", "ns/pid", CLONE_NEWPID, PROC_PID_INIT_INO },
[NAMESPACE_USER] = { "user", "ns/user", CLONE_NEWUSER, PROC_USER_INIT_INO },
[NAMESPACE_UTS] = { "uts", "ns/uts", CLONE_NEWUTS, PROC_UTS_INIT_INO },
[NAMESPACE_TIME] = { "time", "ns/time", CLONE_NEWTIME, PROC_TIME_INIT_INO },
{ /* Allow callers to iterate over the array without using _NAMESPACE_TYPE_MAX. */ },
};
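Review bot: the new last column of `namespace_info[]` is positional and `0` carries meaning (no reserved root inode, so `namespace_is_init()` cannot answer for net and mnt), but nothing in the table says so; a short comment on the `NAMESPACE_NET` and `NAMESPACE_MOUNT` rows would save the next reader a trip to `namespace_is_init()`.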
@ -479,6 +480,28 @@ int namespace_open_by_type(NamespaceType type) {
return fd;
}
int namespace_is_init(NamespaceType type) {
int r;
assert(type >= 0);
assert(type <= _NAMESPACE_TYPE_MAX);
if (namespace_info[type].root_inode == 0)
return -EBADR; /* Cannot answer this question */
const char *p = pid_namespace_path(0, type);
struct stat st;
r = RET_NERRNO(stat(p, &st));
if (r == -ENOENT)
/* If the /proc/ns/<type> API is not around in /proc/ then ns is off in the kernel and we are in the init ns */
return proc_mounted() == 0 ? -ENOSYS : true;
if (r < 0)
return r;
return st.st_ino == namespace_info[type].root_inode;
}
int is_our_namespace(int fd, NamespaceType request_type) {
int clone_flag;
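Review bot: in `namespace_is_init()` the `-ENOENT` branch `return proc_mounted() == 0 ? -ENOSYS : true;` turns any error from `proc_mounted()` (a negative return) into `true`, i.e. a failure to inspect /proc is reported as "we are in the init namespace", which is the more privileged answer. Propagate the error instead: `r = proc_mounted(); if (r < 0) return r; if (r == 0) return -ENOSYS; return true;`. Separately, `assert(type <= _NAMESPACE_TYPE_MAX);` admits the sentinel entry of the table; `type < _NAMESPACE_TYPE_MAX` matches the loop bound used in the new test.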

View File

@ -24,6 +24,7 @@ extern const struct namespace_info {
const char *proc_name;
const char *proc_path;
unsigned int clone_flag;
ino_t root_inode;
} namespace_info[_NAMESPACE_TYPE_MAX + 1];
int pidref_namespace_open(
@ -74,6 +75,8 @@ int parse_userns_uid_range(const char *s, uid_t *ret_uid_shift, uid_t *ret_uid_r
int namespace_open_by_type(NamespaceType type);
int namespace_is_init(NamespaceType type);
int is_our_namespace(int fd, NamespaceType type);
int is_idmapping_supported(const char *path);

View File

@ -585,6 +585,14 @@ static int running_in_cgroupns(void) {
if (!cg_ns_supported())
return false;
r = namespace_is_init(NAMESPACE_CGROUP);
if (r < 0)
log_debug_errno(r, "Failed to test if in root cgroup namespace, ignoring: %m");
else if (r > 0)
return false;
// FIXME: We really should drop the heuristics below.
r = cg_all_unified();
if (r < 0)
return r;
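Review bot: when `namespace_is_init(NAMESPACE_CGROUP)` returns 0 the inode check has definitively said we are not in the root cgroup namespace, yet `running_in_cgroupns()` falls through to the heuristics below instead of returning true; compare `running_in_pidns()` in the next hunk, which returns `!r`. If the fall-through is intentional (keeping the old heuristics authoritative for this release), a one-line comment next to the `FIXME` would make that explicit.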
@ -645,6 +653,16 @@ static int running_in_cgroupns(void) {
}
}
static int running_in_pidns(void) {
int r;
r = namespace_is_init(NAMESPACE_PID);
if (r < 0)
return log_debug_errno(r, "Failed to test if in root PID namespace, ignoring: %m");
return !r;
}
static Virtualization detect_container_files(void) {
static const struct {
const char *file_path;
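Review bot: the log message in `running_in_pidns()` says `ignoring` but the function returns the error: `return log_debug_errno(r, "Failed to test if in root PID namespace, ignoring: %m");`. The caller does ignore negative values, but the wording should match what the function does; either drop `ignoring` from the message or return false explicitly.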
@ -790,12 +808,21 @@ check_files:
r = running_in_cgroupns();
if (r > 0) {
log_debug("Running in a cgroup namespace, assuming unknown container manager.");
v = VIRTUALIZATION_CONTAINER_OTHER;
goto finish;
}
if (r < 0)
log_debug_errno(r, "Failed to detect cgroup namespace: %m");
/* Finally, the root pid namespace has an hardcoded inode number of 0xEFFFFFFC since kernel 3.8, so
* if all else fails we can check the inode number of our pid namespace and compare it. */
if (running_in_pidns() > 0) {
log_debug("Running in a pid namespace, assuming unknown container manager.");
v = VIRTUALIZATION_CONTAINER_OTHER;
goto finish;
}
/* If none of that worked, give up, assume no container manager. */
v = VIRTUALIZATION_NONE;
goto finish;
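Review bot: typo in the new comment: `has an hardcoded inode number` should be `has a hardcoded inode number`. Also, unlike the cgroupns branch just above, a negative result from `running_in_pidns()` is dropped here without a `log_debug_errno`; that is fine because the function already logs at debug level, but a short note saying so would keep the two blocks from looking inconsistent.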
@ -863,6 +890,14 @@ int running_in_userns(void) {
_cleanup_free_ char *line = NULL;
int r;
r = namespace_is_init(NAMESPACE_USER);
if (r < 0)
log_debug_errno(r, "Failed to test if in root user namespace, ignoring: %m");
else if (r > 0)
return false;
// FIXME: We really should drop the heuristics below.
r = userns_has_mapping("/proc/self/uid_map");
if (r != 0)
return r;

View File

@ -1048,9 +1048,6 @@ static void device_enumerate(Manager *m) {
_cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL;
Device *d;
if (device_is_processed(dev) <= 0)
continue;
if (device_setup_units(m, dev, &ready_units, &not_ready_units) < 0)
continue;
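Review bot: removing `if (device_is_processed(dev) <= 0) continue;` leaves no trace of why enumeration must accept devices whose udev database still carries `ID_PROCESSING=1`; add a comment at this spot explaining the daemon-reexec race, so the guard is not reintroduced the next time someone aligns this loop with the other enumeration paths.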

View File

@ -213,9 +213,23 @@ TEST(idmapping_supported) {
assert_se(is_idmapping_supported("/etc") >= 0);
}
TEST(namespace_is_init) {
int r;
for (NamespaceType t = 0; t < _NAMESPACE_TYPE_MAX; t++) {
r = namespace_is_init(t);
if (r == -EBADR)
log_info_errno(r, "In root namespace of type '%s': don't know", namespace_info[t].proc_name);
else {
ASSERT_OK(r);
log_info("In root namespace of type '%s': %s", namespace_info[t].proc_name, yes_no(r));
}
}
}
static int intro(void) {
if (!have_namespaces())
return log_tests_skipped("Don't have namespace support");
return log_tests_skipped("Don't have namespace support or lacking privileges");
return EXIT_SUCCESS;
}
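Review bot: the new skip message says `Don't have namespace support or lacking privileges`, but the condition is still only `if (!have_namespaces())`, so the privilege case never triggers the skip; either check for the required privileges as well or keep the message accurate. In `TEST(namespace_is_init)`, the `-EBADR` branch is expected only for net and mnt; asserting `r == -EBADR` for exactly those two types would turn the info log into a real check.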

View File

@ -52,14 +52,14 @@ directory (`OutputDirectory=`) to point to the other directory using `mkosi.loca
After the image has been built, the integration tests can be run with:
```shell
$ SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild --suite integration-tests --num-processes "$(($(nproc) / 4))"
$ env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild --suite integration-tests --num-processes "$(($(nproc) / 4))"
```
As usual, specific tests can be run in meson by appending the name of the test
which is usually the name of the directory e.g.
```shell
$ SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -v TEST-01-BASIC
$ env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -v TEST-01-BASIC
```
See `meson introspect build --tests` for a list of tests.
@ -69,7 +69,7 @@ To interactively debug a failing integration test, the `--interactive` option
newer:
```shell
$ SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -i TEST-01-BASIC
$ env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -i TEST-01-BASIC
```
Due to limitations in meson, the integration tests do not yet depend on the
@ -78,7 +78,7 @@ running the integration tests. To rebuild the image and rerun a test, the
following command can be used:
```shell
$ meson compile -C build mkosi && SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -v TEST-01-BASIC
$ meson compile -C build mkosi && env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -v TEST-01-BASIC
```
The integration tests use the same mkosi configuration that's used when you run
@ -92,7 +92,7 @@ To iterate on an integration test, let's first get a shell in the integration te
the following:
```shell
$ meson compile -C build mkosi && SYSTEMD_INTEGRATION_TESTS=1 TEST_SHELL=1 meson test -C build --no-rebuild -i TEST-01-BASIC
$ meson compile -C build mkosi && env SYSTEMD_INTEGRATION_TESTS=1 TEST_SHELL=1 meson test -C build --no-rebuild -i TEST-01-BASIC
```
This will get us a shell in the integration test environment after booting the machine without running the

View File

@ -3,6 +3,7 @@
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'coredump-exclude-regex' : '/(bash|python3.[0-9]+|systemd-executor)$',
'cmdline' : integration_test_template['cmdline'] + [
'''

View File

@ -4,6 +4,7 @@ integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'unit' : files('TEST-16-EXTEND-TIMEOUT.service'),
'coredump-exclude-regex' : '/(bash|sleep)$',
},
]

View File

@ -4,5 +4,6 @@ integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'vm' : true,
'coredump-exclude-regex' : '/(sleep|udevadm)$',
},
]

View File

@ -3,5 +3,6 @@
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'coredump-exclude-regex' : '/(sleep|bash|systemd-notify)$',
},
]

View File

@ -4,5 +4,7 @@ integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'priority' : 10,
# TODO: Remove when https://github.com/systemd/systemd/issues/35335 is fixed.
'coredump-exclude-regex' : '/systemd-localed',
},
]
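Review bot: `'coredump-exclude-regex' : '/systemd-localed'` is the only entry without the trailing `$` anchor that the other tests use (`'/(bash|sleep)$'` and friends); write it as `'/systemd-localed$'` for consistency, so it cannot match a longer path by accident.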

View File

@ -5,6 +5,7 @@ integration_tests += [
'name' : fs.name(meson.current_source_dir()),
'storage': 'persistent',
'vm' : true,
'coredump-exclude-regex' : '/(test-usr-dump|test-dump|bash)$',
},
]

View File

@ -6,6 +6,7 @@
import argparse
import json
import os
import re
import shlex
import subprocess
import sys
@ -32,6 +33,59 @@ ExecStart=false
"""
def process_coredumps(args: argparse.Namespace, journal_file: Path) -> bool:
# Collect executable paths of all coredumps and filter out the expected ones.
if args.coredump_exclude_regex:
exclude_regex = re.compile(args.coredump_exclude_regex)
else:
exclude_regex = None
result = subprocess.run(
[
args.mkosi,
'--directory', os.fspath(args.meson_source_dir),
'--extra-search-path', os.fspath(args.meson_build_dir),
'sandbox',
'coredumpctl',
'--file', journal_file,
'--json=short',
],
stdout=subprocess.PIPE,
text=True,
) # fmt: skip
# coredumpctl returns a non-zero exit status if there are no coredumps.
if result.returncode != 0:
return False
coredumps = json.loads(result.stdout)
coredumps = [
coredump for coredump in coredumps if not exclude_regex or not exclude_regex.search(coredump['exe'])
]
if not coredumps:
return False
subprocess.run(
[
args.mkosi,
'--directory', os.fspath(args.meson_source_dir),
'--extra-search-path', os.fspath(args.meson_build_dir),
'sandbox',
'coredumpctl',
'--file', journal_file,
'--no-pager',
'info',
*(coredump['exe'] for coredump in coredumps),
],
check=True,
) # fmt: skip
return True
def main() -> None:
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument('--mkosi', required=True)
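Review bot: `if result.returncode != 0: return False` in `process_coredumps()` treats every `coredumpctl` failure as "no coredumps", so an unreadable journal file or a broken mkosi sandbox silently disables the check; capture stderr and distinguish the no-coredumps case, or at least print the stderr before returning False. Also `'--file', journal_file` passes a Path where the rest of this file wraps paths in `os.fspath()`; be consistent.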
@ -44,6 +98,7 @@ def main() -> None:
parser.add_argument('--slow', action=argparse.BooleanOptionalAction)
parser.add_argument('--vm', action=argparse.BooleanOptionalAction)
parser.add_argument('--exit-code', required=True, type=int)
parser.add_argument('--coredump-exclude-regex', required=True)
parser.add_argument('mkosi_args', nargs='*')
args = parser.parse_args()
@ -114,7 +169,9 @@ def main() -> None:
"""
)
journal_file = None
journal_file = (args.meson_build_dir / (f'test/journal/{name}.journal')).absolute()
journal_file.unlink(missing_ok=True)
if not sys.stderr.isatty():
dropin += textwrap.dedent(
"""
@ -122,9 +179,6 @@ def main() -> None:
FailureAction=exit
"""
)
journal_file = (args.meson_build_dir / (f'test/journal/{name}.journal')).absolute()
journal_file.unlink(missing_ok=True)
elif not shell:
dropin += textwrap.dedent(
"""
@ -194,44 +248,42 @@ def main() -> None:
)
exit(77)
if journal_file and (
keep_journal == '0' or (result.returncode in (args.exit_code, 77) and keep_journal == 'fail')
coredumps = process_coredumps(args, journal_file)
if keep_journal == '0' or (
keep_journal == 'fail' and result.returncode in (args.exit_code, 77) and not coredumps
):
journal_file.unlink(missing_ok=True)
if shell or result.returncode in (args.exit_code, 77):
if shell or (result.returncode in (args.exit_code, 77) and not coredumps):
exit(0 if shell or result.returncode == args.exit_code else 77)
if journal_file:
ops = []
ops = []
if os.getenv('GITHUB_ACTIONS'):
id = os.environ['GITHUB_RUN_ID']
iteration = os.environ['GITHUB_RUN_ATTEMPT']
j = json.loads(
subprocess.run(
[
args.mkosi,
'--directory', os.fspath(args.meson_source_dir),
'--json',
'summary',
],
stdout=subprocess.PIPE,
text=True,
).stdout
) # fmt: skip
distribution = j['Images'][-1]['Distribution']
release = j['Images'][-1]['Release']
artifact = f'ci-mkosi-{id}-{iteration}-{distribution}-{release}-failed-test-journals'
ops += [f'gh run download {id} --name {artifact} -D ci/{artifact}']
journal_file = Path(f'ci/{artifact}/test/journal/{name}.journal')
if os.getenv('GITHUB_ACTIONS'):
id = os.environ['GITHUB_RUN_ID']
iteration = os.environ['GITHUB_RUN_ATTEMPT']
j = json.loads(
subprocess.run(
[
args.mkosi,
'--directory', os.fspath(args.meson_source_dir),
'--json',
'summary',
],
stdout=subprocess.PIPE,
text=True,
).stdout
) # fmt: skip
distribution = j['Images'][-1]['Distribution']
release = j['Images'][-1]['Release']
artifact = f'ci-mkosi-{id}-{iteration}-{distribution}-{release}-failed-test-journals'
ops += [f'gh run download {id} --name {artifact} -D ci/{artifact}']
journal_file = Path(f'ci/{artifact}/test/journal/{name}.journal')
ops += [f'journalctl --file {journal_file} --no-hostname -o short-monotonic -u {args.unit} -p info']
ops += [f'journalctl --file {journal_file} --no-hostname -o short-monotonic -u {args.unit} -p info']
print(
"Test failed, relevant logs can be viewed with: \n\n" f"{(' && '.join(ops))}\n",
file=sys.stderr,
)
print("Test failed, relevant logs can be viewed with: \n\n" f"{(' && '.join(ops))}\n", file=sys.stderr)
# 0 also means we failed so translate that to a non-zero exit code to mark the test as failed.
exit(result.returncode or 1)
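Review bot: when the test itself exited with `args.exit_code` but `process_coredumps()` found a coredump, execution now falls through to `exit(result.returncode or 1)` and the only message printed is the generic `Test failed, relevant logs can be viewed with:`; nothing tells the reader that the failure is due to an unexpected coredump. Print a dedicated line when `coredumps` is true so the cause is obvious in CI output.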

View File

@ -297,6 +297,7 @@ integration_test_template = {
'qemu-args' : [],
'exit-code' : 123,
'vm' : false,
'coredump-exclude-regex' : '',
}
testdata_subdirs = [
'auxv',
@ -391,6 +392,7 @@ foreach integration_test : integration_tests
'--storage', integration_test['storage'],
'--firmware', integration_test['firmware'],
'--exit-code', integration_test['exit-code'].to_string(),
'--coredump-exclude-regex', integration_test['coredump-exclude-regex'],
]
if 'unit' in integration_test

View File

@ -248,6 +248,7 @@ Bridge=mybridge
[Match]
Name=mybridge
[Network]
IPv6AcceptRA=no
DNS=192.168.250.1
Address=192.168.250.33/24
Gateway=192.168.250.1
@ -540,6 +541,7 @@ MACAddress=12:34:56:78:9a:bc
[Match]
Name=dummy0
[Network]
IPv6AcceptRA=no
Address=192.168.42.100/24
DNS=192.168.42.1
Domains= ~company
@ -573,6 +575,7 @@ MACAddress=12:34:56:78:9a:bc
self.write_network('50-myvpn.network', '''[Match]
Name=dummy0
[Network]
IPv6AcceptRA=no
Address=192.168.42.100/24
DNS=192.168.42.1
Domains= ~company ~.
@ -927,6 +930,7 @@ cat <<EOF >/run/systemd/network/50-test.network
Name={ifr}
[Network]
IPv6AcceptRA=no
Address=192.168.5.1/24
{addr6}
DHCPServer=yes
@ -1006,6 +1010,7 @@ MACAddress=12:34:56:78:9a:bc
[Match]
Name=dummy0
[Network]
IPv6AcceptRA=no
Address=192.168.42.100/24
DNS=192.168.42.1
Domains= one two three four five six seven eight nine ten
@ -1035,6 +1040,7 @@ MACAddress=12:34:56:78:9a:bc
[Match]
Name=dummy0
[Network]
IPv6AcceptRA=no
Address=192.168.42.100/24
DNS=192.168.42.1
''')
@ -1107,7 +1113,12 @@ class MatchClientTest(unittest.TestCase, NetworkdTestingUtilities):
def test_basic_matching(self):
"""Verify the Name= line works throughout this class."""
self.add_veth_pair('test_if1', 'fake_if2')
self.write_network('50-test.network', "[Match]\nName=test_*\n[Network]")
self.write_network('50-test.network', '''\
[Match]
Name=test_*
[Network]
IPv6AcceptRA=no
''')
subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
self.assert_link_states(test_if1='managed', fake_if2='unmanaged')
@ -1118,11 +1129,13 @@ class MatchClientTest(unittest.TestCase, NetworkdTestingUtilities):
mac = '00:01:02:03:98:99'
self.add_veth_pair('test_veth', 'test_peer',
['addr', mac], ['addr', mac])
self.write_network('50-no-veth.network', """\
self.write_network('50-no-veth.network', '''\
[Match]
MACAddress={}
Name=!nonexistent *peer*
[Network]""".format(mac))
[Network]
IPv6AcceptRA=no
'''.format(mac))
subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
self.assert_link_states(test_veth='managed', test_peer='unmanaged')

View File

@ -0,0 +1,71 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# shellcheck disable=SC2317
set -ex
set -o pipefail
# This is a reproducer of issue #35329,
# which is a regression caused by 405be62f05d76f1845f347737b5972158c79dd3e.
IFNAME=udevtestnetif
at_exit() {
set +e
systemctl stop testsleep.service
rm -f /run/udev/udev.conf.d/timeout.conf
rm -f /run/udev/rules.d/99-testsuite.rules
# Forcibly kills sleep command invoked by the udev rule before restarting,
# otherwise systemctl restart below will takes longer.
killall -KILL sleep
systemctl restart systemd-udevd.service
ip link del "$IFNAME"
}
trap at_exit EXIT
udevadm settle
mkdir -p /run/udev/udev.conf.d/
cat >/run/udev/udev.conf.d/timeout.conf <<EOF
event_timeout=1h
EOF
mkdir -p /run/udev/rules.d/
cat >/run/udev/rules.d/99-testsuite.rules <<EOF
SUBSYSTEM=="net", ACTION=="change", KERNEL=="${IFNAME}", OPTIONS="log_level=debug", RUN+="/usr/bin/sleep 1000"
EOF
systemctl restart systemd-udevd.service
ip link add "$IFNAME" type dummy
IFINDEX=$(ip -json link show "$IFNAME" | jq '.[].ifindex')
udevadm wait --timeout 10 "/sys/class/net/${IFNAME}"
# Check if the database file is created.
[[ -e "/run/udev/data/n${IFINDEX}" ]]
systemd-run \
-p After="sys-subsystem-net-devices-${IFNAME}.device" \
-p BindsTo="sys-subsystem-net-devices-${IFNAME}.device" \
-u testsleep.service \
sleep 1h
timeout 10 bash -c 'until systemctl is-active testsleep.service; do sleep .5; done'
udevadm trigger "/sys/class/net/${IFNAME}"
timeout 30 bash -c "until grep -F 'ID_PROCESSING=1' /run/udev/data/n${IFINDEX}; do sleep .5; done"
for _ in {1..3}; do
systemctl daemon-reexec
systemctl is-active testsleep.service
done
for _ in {1..3}; do
systemctl daemon-reload
systemctl is-active testsleep.service
done
# Check if the reexec and reload have finished during processing the event.
grep -F 'ID_PROCESSING=1' "/run/udev/data/n${IFINDEX}"
exit 0
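Review bot: `killall -KILL sleep` in `at_exit()` kills every `sleep` on the machine, not just the one started by the udev rule; `pkill -KILL -f 'sleep 1000'` limits it to the process the rule spawned. Two typos in the same comment block: `Forcibly kills sleep command` and `will takes longer` should read `Forcibly kill the sleep command` and `will take longer`.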

View File

@ -6,6 +6,14 @@ set -o pipefail
# shellcheck source=test/units/test-control.sh
. "$(dirname "$0")"/test-control.sh
if systemd-detect-virt --quiet --container; then
# This comes from the selinux package and tries to write
# some files under sysfs, which will be read-only in a container,
# so mask it. It's not our tmpfiles.d file anyway.
mkdir -p /run/tmpfiles.d/
ln -s /dev/null /run/tmpfiles.d/selinux-policy.conf
fi
run_subtests
touch /testok
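Review bot: under `set -e`, `ln -s /dev/null /run/tmpfiles.d/selinux-policy.conf` aborts the test with EEXIST if the link already exists (for example when the test is re-run on a persisted image); use `ln -sf`. The `mkdir -p` on the line before already tolerates the directory being present, so the symlink creation should too.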

View File

@ -5,3 +5,7 @@ set -o pipefail
SYSTEMD_IN_CHROOT=1 systemd-detect-virt --chroot
(! SYSTEMD_IN_CHROOT=0 systemd-detect-virt --chroot)
if ! systemd-detect-virt -c; then
unshare --mount-proc --fork --user --pid systemd-detect-virt --container
fi
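Review bot: the new check only verifies that `unshare --mount-proc --fork --user --pid systemd-detect-virt --container` exits successfully; it does not verify which detector fired. Since this is the coverage for the new PID namespace inode check, capture the output and compare it to the expected container name, so a regression that makes some other heuristic trigger first is still caught.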