9e58e1607d
...
b06a5044db
Author | SHA1 | Date |
---|---|---|
Mike Yuan | b06a5044db |
|
@ -37,7 +37,7 @@ jobs:
|
||||||
VALIDATE_GITHUB_ACTIONS: true
|
VALIDATE_GITHUB_ACTIONS: true
|
||||||
|
|
||||||
- name: Check that tabs are not used in Python code
|
- name: Check that tabs are not used in Python code
|
||||||
run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py test/integration-test-wrapper.py'
|
run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py'
|
||||||
|
|
||||||
- name: Install ruff and mypy
|
- name: Install ruff and mypy
|
||||||
run: |
|
run: |
|
||||||
|
@ -47,14 +47,14 @@ jobs:
|
||||||
- name: Run mypy
|
- name: Run mypy
|
||||||
run: |
|
run: |
|
||||||
python3 -m mypy --version
|
python3 -m mypy --version
|
||||||
python3 -m mypy src/ukify/ukify.py test/integration-test-wrapper.py
|
python3 -m mypy src/ukify/ukify.py
|
||||||
|
|
||||||
- name: Run ruff check
|
- name: Run ruff check
|
||||||
run: |
|
run: |
|
||||||
ruff --version
|
ruff --version
|
||||||
ruff check src/ukify/ukify.py test/integration-test-wrapper.py
|
ruff check src/ukify/ukify.py
|
||||||
|
|
||||||
- name: Run ruff format
|
- name: Run ruff format
|
||||||
run: |
|
run: |
|
||||||
ruff --version
|
ruff --version
|
||||||
ruff format --check src/ukify/ukify.py test/integration-test-wrapper.py
|
ruff format --check src/ukify/ukify.py
|
||||||
|
|
|
@ -105,7 +105,7 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
|
||||||
- uses: systemd/mkosi@0825cca8084674ec8fa27502134b1bc601f79e0c
|
- uses: systemd/mkosi@8976a0abb19221e65300222f2d33067970cca0f1
|
||||||
|
|
||||||
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
|
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
|
||||||
# immediately, we remove the files in the background. However, we first move them to a different location
|
# immediately, we remove the files in the background. However, we first move them to a different location
|
||||||
|
|
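Review bot: On the new side the tab check, mypy, `ruff check` and `ruff format --check` steps are all narrowed to `src/ukify/ukify.py`, so `test/integration-test-wrapper.py` is no longer type-checked or linted; unless that file was removed in the same range, this silently drops coverage for a script that runs in the integration-test path. If the wrapper still exists, restore it on each of the four steps, e.g. `python3 -m mypy src/ukify/ukify.py test/integration-test-wrapper.py`. Separately, the `systemd/mkosi` action pin moves from `0825cca8084674ec8fa27502134b1bc601f79e0c` to `8976a0abb19221e65300222f2d33067970cca0f1` with nothing saying which release the new commit corresponds to; pinning by full SHA is the right practice, but a trailing comment such as `# <mkosi release tag>` lets a reviewer confirm the SHA against an upstream tag. The enclosing `jobs:` block starts outside the hunk, so I cannot see whether the wrapper is referenced elsewhere in this workflow.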
3
NEWS
3
NEWS
|
@ -764,9 +764,6 @@ CHANGES WITH 257 in spe:
|
||||||
other cases EnterNamespace= might be an suitable approach to acquire
|
other cases EnterNamespace= might be an suitable approach to acquire
|
||||||
symbolized backtraces.)
|
symbolized backtraces.)
|
||||||
|
|
||||||
Special thanks to Nick Owens for bringing attention to and testing
|
|
||||||
fixes for issue #34516.
|
|
||||||
|
|
||||||
Contributions from: 12paper, A. Wilcox, Abderrahim Kitouni,
|
Contributions from: 12paper, A. Wilcox, Abderrahim Kitouni,
|
||||||
Adrian Vovk, Alain Greppin, Allison Karlitskaya, Alyssa Ross,
|
Adrian Vovk, Alain Greppin, Allison Karlitskaya, Alyssa Ross,
|
||||||
Anders Jonsson, Andika Triwidada, Andres Beltran, Anouk Ceyssens,
|
Anders Jonsson, Andika Triwidada, Andres Beltran, Anouk Ceyssens,
|
||||||
|
|
|
@ -295,10 +295,6 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X:*
|
||||||
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X:*
|
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X:*
|
||||||
ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 1
|
ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 1
|
||||||
|
|
||||||
# Chuwi Hi10 X1
|
|
||||||
sensor:modalias:acpi:NSA2513*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X1:*
|
|
||||||
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
|
|
||||||
|
|
||||||
# Chuwi Hi10 Go
|
# Chuwi Hi10 Go
|
||||||
sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIINNOVATIONLIMITED:pnHi10Go:*
|
sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIINNOVATIONLIMITED:pnHi10Go:*
|
||||||
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0,-1, 0; 0, 0, 1
|
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0,-1, 0; 0, 0, 1
|
||||||
|
@ -957,15 +953,6 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
|
||||||
sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
|
sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
|
||||||
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
|
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
|
||||||
|
|
||||||
#########################################
|
|
||||||
# Pine64
|
|
||||||
#########################################
|
|
||||||
|
|
||||||
# PineTab2
|
|
||||||
|
|
||||||
sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
|
|
||||||
ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
|
|
||||||
|
|
||||||
#########################################
|
#########################################
|
||||||
# Pipo
|
# Pipo
|
||||||
#########################################
|
#########################################
|
||||||
|
|
|
@ -684,15 +684,6 @@ fi</programlisting>
|
||||||
<citerefentry><refentrytitle>file-hierarchy</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
<citerefentry><refentrytitle>file-hierarchy</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
|
||||||
<title>Notes</title>
|
|
||||||
|
|
||||||
<para>
|
|
||||||
All example codes in this page are licensed under <literal>MIT No Attribution</literal>
|
|
||||||
(SPDX-License-Identifier: MIT-0).
|
|
||||||
</para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>See Also</title>
|
<title>See Also</title>
|
||||||
<para><simplelist type="inline">
|
<para><simplelist type="inline">
|
||||||
|
|
|
@ -114,10 +114,10 @@
|
||||||
invoked, for example from the system service manager or via a PAM module.</para>
|
invoked, for example from the system service manager or via a PAM module.</para>
|
||||||
|
|
||||||
<para>Specifically, for ssh logins, the
|
<para>Specifically, for ssh logins, the
|
||||||
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
<citerefentry project='die-net'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
service builds an environment that is a combination of variables forwarded from the remote system and
|
service builds an environment that is a combination of variables forwarded from the remote system and
|
||||||
defined by <command>sshd</command>, see the discussion in
|
defined by <command>sshd</command>, see the discussion in
|
||||||
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
|
<citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
|
||||||
A graphical display session will have an analogous mechanism to define the environment. Note that some
|
A graphical display session will have an analogous mechanism to define the environment. Note that some
|
||||||
managers query the systemd user instance for the exported environment and inject this configuration into
|
managers query the systemd user instance for the exported environment and inject this configuration into
|
||||||
programs they start, using <command>systemctl show-environment</command> or the underlying D-Bus call.
|
programs they start, using <command>systemctl show-environment</command> or the underlying D-Bus call.
|
||||||
|
|
|
@ -215,8 +215,8 @@
|
||||||
below this directory is subject to specifications that ensure interoperability.</para>
|
below this directory is subject to specifications that ensure interoperability.</para>
|
||||||
|
|
||||||
<para>Note that resources placed in this directory typically are under shared ownership,
|
<para>Note that resources placed in this directory typically are under shared ownership,
|
||||||
i.e. multiple different packages have provided and consumed these resources, on equal footing, without
|
i.e. multiple different packages have provide and consume these resources, on equal footing, without
|
||||||
any obvious primary owner. This makes things systematically different from
|
any obvious primary owner. This makes makes things systematically different from
|
||||||
<filename>/usr/lib/</filename>, where ownership is generally not shared.</para></listitem>
|
<filename>/usr/lib/</filename>, where ownership is generally not shared.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
|
@ -378,7 +378,7 @@
|
||||||
|
|
||||||
<listitem><para>Takes a comma- or colon-separated list of languages preferred by the user, ordered
|
<listitem><para>Takes a comma- or colon-separated list of languages preferred by the user, ordered
|
||||||
by descending priority. The <varname>$LANG</varname> and <varname>$LANGUAGE</varname> environment
|
by descending priority. The <varname>$LANG</varname> and <varname>$LANGUAGE</varname> environment
|
||||||
variables are initialized from this value on login, and thus values suitable for these environment
|
variables are initialized from this value on login, and thus values suitible for these environment
|
||||||
variables are accepted here, for example <option>--language=de_DE.UTF-8</option>. This option may
|
variables are accepted here, for example <option>--language=de_DE.UTF-8</option>. This option may
|
||||||
be used more than once, in which case the language lists are concatenated.</para>
|
be used more than once, in which case the language lists are concatenated.</para>
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@
|
||||||
<citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
<citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
||||||
|
|
||||||
<para><command>importctl</command> operates both on block-level disk images (such as DDIs) as well as
|
<para><command>importctl</command> operates both on block-level disk images (such as DDIs) as well as
|
||||||
file-system-level images (tarballs). It supports disk images in one of the four following
|
file-system-level images (tarballs). It supports disk images are one of the four following
|
||||||
classes:</para>
|
classes:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
|
@ -50,7 +50,7 @@
|
||||||
managed via
|
managed via
|
||||||
<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
|
<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>Portable service images, that may be attached and managed via
|
<listitem><para>Portable service images, that may be attached an managed via
|
||||||
<citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
|
<citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>System extension (sysext) images, that may be activated via
|
<listitem><para>System extension (sysext) images, that may be activated via
|
||||||
|
@ -128,13 +128,12 @@
|
||||||
|
|
||||||
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
|
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
|
||||||
a read-only subvolume/directory in the image directory that is named after the specified URL and its
|
a read-only subvolume/directory in the image directory that is named after the specified URL and its
|
||||||
HTTP etag (see <ulink url="https://en.wikipedia.org/wiki/HTTP_ETag">HTTP ETag</ulink> for more
|
HTTP etag. A writable snapshot is then taken from this subvolume, and named after the specified local
|
||||||
information). A writable snapshot is then taken from this subvolume, and named after the specified local
|
|
||||||
name. This behavior ensures that creating multiple instances of the same URL is efficient, as
|
name. This behavior ensures that creating multiple instances of the same URL is efficient, as
|
||||||
multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
|
multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
|
||||||
its writable snapshot, specify <literal>-</literal> as local name.</para>
|
its writable snapshot, specify <literal>-</literal> as local name.</para>
|
||||||
|
|
||||||
<para>Note that pressing Control-c during execution of this command will not abort the download. Use
|
<para>Note that pressing C-c during execution of this command will not abort the download. Use
|
||||||
<command>cancel-transfer</command>, described below.</para>
|
<command>cancel-transfer</command>, described below.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
|
@ -146,14 +145,14 @@
|
||||||
<listitem><para>Downloads a <filename>.raw</filename> disk image from the specified URL, and makes it
|
<listitem><para>Downloads a <filename>.raw</filename> disk image from the specified URL, and makes it
|
||||||
available under the specified local name in the image directory for the selected
|
available under the specified local name in the image directory for the selected
|
||||||
<option>--class=</option>. The URL must be of type <literal>http://</literal> or
|
<option>--class=</option>. The URL must be of type <literal>http://</literal> or
|
||||||
<literal>https://</literal>. The image must either be a qcow2 or raw disk
|
<literal>https://</literal>. The image must either be a <filename>.qcow2</filename> or raw disk
|
||||||
image, optionally compressed as <filename>.gz</filename>, <filename>.xz</filename>, or
|
image, optionally compressed as <filename>.gz</filename>, <filename>.xz</filename>, or
|
||||||
<filename>.bz2</filename>. If the local name is omitted, it is automatically derived from the last
|
<filename>.bz2</filename>. If the local name is omitted, it is automatically derived from the last
|
||||||
component of the URL, with its suffix removed.</para>
|
component of the URL, with its suffix removed.</para>
|
||||||
|
|
||||||
<para>Image verification is identical for raw and tar images (see above).</para>
|
<para>Image verification is identical for raw and tar images (see above).</para>
|
||||||
|
|
||||||
<para>If the downloaded image is in qcow2 format it is converted into a raw
|
<para>If the downloaded image is in <filename>.qcow2</filename> format it is converted into a raw
|
||||||
image file before it is made available.</para>
|
image file before it is made available.</para>
|
||||||
|
|
||||||
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
|
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
|
||||||
|
@ -163,7 +162,7 @@
|
||||||
necessary. In order to create only the read-only image, and avoid creating its writable copy,
|
necessary. In order to create only the read-only image, and avoid creating its writable copy,
|
||||||
specify <literal>-</literal> as local name.</para>
|
specify <literal>-</literal> as local name.</para>
|
||||||
|
|
||||||
<para>Note that pressing Control-c during execution of this command will not abort the download. Use
|
<para>Note that pressing C-c during execution of this command will not abort the download. Use
|
||||||
<command>cancel-transfer</command>, described below.</para>
|
<command>cancel-transfer</command>, described below.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
|
@ -175,14 +174,8 @@
|
||||||
|
|
||||||
<listitem><para>Imports a TAR or RAW image, and places it under the specified name in the image
|
<listitem><para>Imports a TAR or RAW image, and places it under the specified name in the image
|
||||||
directory for the image class selected via <option>--class=</option>. When
|
directory for the image class selected via <option>--class=</option>. When
|
||||||
<command>import-tar</command> is used, the file specified as the first argument should be a
|
<command>import-tar</command> is used, the file specified as the first argument should be a tar
|
||||||
<citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
archive, possibly compressed with xz, gzip or bzip2. It will then be unpacked into its own
|
||||||
archive, possibly compressed with
|
|
||||||
<citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
||||||
<citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
||||||
or
|
|
||||||
<citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
|
|
||||||
It will then be unpacked into its own
|
|
||||||
subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw
|
subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw
|
||||||
disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image
|
disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image
|
||||||
name) is not specified, it is automatically derived from the file name. If the filename is passed as
|
name) is not specified, it is automatically derived from the file name. If the filename is passed as
|
||||||
|
@ -203,9 +196,7 @@
|
||||||
<listitem><para>Imports an image stored in a local directory into the image directory for the image
|
<listitem><para>Imports an image stored in a local directory into the image directory for the image
|
||||||
class selected via <option>--class=</option> and operates similarly to <command>import-tar</command>
|
class selected via <option>--class=</option> and operates similarly to <command>import-tar</command>
|
||||||
or <command>import-raw</command>, but the first argument is the source directory. If supported, this
|
or <command>import-raw</command>, but the first argument is the source directory. If supported, this
|
||||||
command will create a
|
command will create a btrfs snapshot or subvolume for the new image.</para>
|
||||||
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
||||||
snapshot or subvolume for the new image.</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -216,13 +207,9 @@
|
||||||
|
|
||||||
<listitem><para>Exports a TAR or RAW image and stores it in the specified file. The first parameter
|
<listitem><para>Exports a TAR or RAW image and stores it in the specified file. The first parameter
|
||||||
should be an image name. The second parameter should be a file path the TAR or RAW
|
should be an image name. The second parameter should be a file path the TAR or RAW
|
||||||
image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with
|
image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with gzip, if
|
||||||
<citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
it ends in <literal>.xz</literal>, with xz, and if it ends in <literal>.bz2</literal>, with bzip2. If
|
||||||
if it ends in <literal>.xz</literal>, with
|
the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
|
||||||
<citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
||||||
and if it ends in <literal>.bz2</literal>, with
|
|
||||||
<citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
|
|
||||||
If the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
|
|
||||||
is written to standard output. The compression may also be explicitly selected with the
|
is written to standard output. The compression may also be explicitly selected with the
|
||||||
<option>--format=</option> switch. This is in particular useful if the second parameter is left
|
<option>--format=</option> switch. This is in particular useful if the second parameter is left
|
||||||
unspecified.</para>
|
unspecified.</para>
|
||||||
|
|
|
@ -113,11 +113,11 @@
|
||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<entry><constant>user-early</constant></entry>
|
<entry><constant>user-early</constant></entry>
|
||||||
<entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
|
<entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <filename>systemd-user-sessions.service</filename>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
|
||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<entry><constant>user-incomplete</constant></entry>
|
<entry><constant>user-incomplete</constant></entry>
|
||||||
<entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
|
<entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <command>ssh</command> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
|
||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<entry><constant>greeter</constant></entry>
|
<entry><constant>greeter</constant></entry>
|
||||||
|
@ -129,15 +129,15 @@
|
||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<entry><constant>background</constant></entry>
|
<entry><constant>background</constant></entry>
|
||||||
<entry>Used for background sessions, such as those invoked by <citerefentry project='die-net'><refentrytitle>cron</refentrytitle><manvolnum>8</manvolnum></citerefentry> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
|
<entry>Used for background sessions, such as those invoked by <command>cron</command> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
|
||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<entry><constant>background-light</constant></entry>
|
<entry><constant>background-light</constant></entry>
|
||||||
<entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
|
<entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <filename>user@.service</filename> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
|
||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<entry><constant>manager</constant></entry>
|
<entry><constant>manager</constant></entry>
|
||||||
<entry>The <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> service of the user is registered under this session class. (Added in v256.)</entry>
|
<entry>The <filename>user@.service</filename> service of the user is registered under this session class. (Added in v256.)</entry>
|
||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<entry><constant>manager-early</constant></entry>
|
<entry><constant>manager-early</constant></entry>
|
||||||
|
@ -445,8 +445,6 @@ session required pam_unix.so</programlisting>
|
||||||
<title>See Also</title>
|
<title>See Also</title>
|
||||||
<para><simplelist type="inline">
|
<para><simplelist type="inline">
|
||||||
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
|
||||||
<member><citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
||||||
<member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
||||||
|
|
|
@ -28,9 +28,7 @@
|
||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
|
<para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
|
||||||
and sets the last password in the list as the PAM authtok, which can be used by e.g.
|
and sets the last password in the list as the PAM authtok.</para>
|
||||||
<citerefentry project='man-pages'><refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
<para>The password list is supposed to be stored in the "user" keyring of the root user,
|
<para>The password list is supposed to be stored in the "user" keyring of the root user,
|
||||||
by an earlier call to
|
by an earlier call to
|
||||||
|
@ -114,8 +112,7 @@
|
||||||
during boot.</para>
|
during boot.</para>
|
||||||
|
|
||||||
<para>You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase.
|
<para>You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase.
|
||||||
Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g.
|
Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g. <filename>sddm-autologin</filename>):</para>
|
||||||
<filename>sddm-autologin</filename>):</para>
|
|
||||||
|
|
||||||
<programlisting>
|
<programlisting>
|
||||||
-auth optional pam_systemd_loadkey.so
|
-auth optional pam_systemd_loadkey.so
|
||||||
|
@ -134,9 +131,8 @@ KeyringMode=inherit
|
||||||
<para>In this setup, early during the boot process,
|
<para>In this setup, early during the boot process,
|
||||||
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
will ask for the passphrase and store it in the kernel keyring with the keyname <literal>cryptsetup</literal>.
|
will ask for the passphrase and store it in the kernel keyring with the keyname <literal>cryptsetup</literal>.
|
||||||
Then when the display manager does the autologin, <command>pam_systemd_loadkey</command> will read the passphrase
|
Then when the display manager does the autologin, pam_systemd_loadkey will read the passphrase from the kernel keyring,
|
||||||
from the kernel keyring, set it as the PAM authtok, and then <command>pam_gnome_keyring</command> and
|
set it as the PAM authtok, and then pam_gnome_keyring and pam_kwallet5 will unlock with the same passphrase.</para>
|
||||||
<command>pam_kwallet5</command> will unlock with the same passphrase.</para>
|
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
</refentry>
|
</refentry>
|
||||||
|
|
|
@ -48,7 +48,7 @@
|
||||||
and transfer them as a whole between systems. When these images are attached to the local system, the contained units
|
and transfer them as a whole between systems. When these images are attached to the local system, the contained units
|
||||||
may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing,
|
may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing,
|
||||||
depending on the selected configuration. For more details, see
|
depending on the selected configuration. For more details, see
|
||||||
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.</para>
|
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.</para>
|
||||||
|
|
||||||
<para>Portable service images may be of the following kinds:</para>
|
<para>Portable service images may be of the following kinds:</para>
|
||||||
|
|
||||||
|
@ -417,7 +417,7 @@
|
||||||
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||||
Images can be block images, btrfs subvolumes or directories. For more information on portable
|
Images can be block images, btrfs subvolumes or directories. For more information on portable
|
||||||
services with extensions, see the <literal>Extension Images</literal> paragraph on
|
services with extensions, see the <literal>Extension Images</literal> paragraph on
|
||||||
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.
|
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>Note that the same extensions have to be specified, in the same order, when attaching
|
<para>Note that the same extensions have to be specified, in the same order, when attaching
|
||||||
|
|
|
@ -606,8 +606,7 @@
|
||||||
<varname>Subvolumes=</varname>.</para>
|
<varname>Subvolumes=</varname>.</para>
|
||||||
|
|
||||||
<para>Note that this option only takes effect if the target filesystem supports subvolumes, such as
|
<para>Note that this option only takes effect if the target filesystem supports subvolumes, such as
|
||||||
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
<literal>btrfs</literal>.</para>
|
||||||
</para>
|
|
||||||
|
|
||||||
<para>Note that this option is only supported in combination with <option>--offline=yes</option>
|
<para>Note that this option is only supported in combination with <option>--offline=yes</option>
|
||||||
since btrfs-progs 6.11 or newer.</para>
|
since btrfs-progs 6.11 or newer.</para>
|
||||||
|
@ -687,7 +686,7 @@
|
||||||
|
|
||||||
<listitem><para>Configures the data block size of the generated verity hash partition. Must be between 512 and
|
<listitem><para>Configures the data block size of the generated verity hash partition. Must be between 512 and
|
||||||
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
|
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
|
||||||
block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device.
|
block device sector size, or 4K if systemd-repart is not operating on a block device.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
||||||
|
@ -698,7 +697,7 @@
|
||||||
|
|
||||||
<listitem><para>Configures the hash block size of the generated verity hash partition. Must be between 512 and
|
<listitem><para>Configures the hash block size of the generated verity hash partition. Must be between 512 and
|
||||||
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
|
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
|
||||||
block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device.
|
block device sector size, or 4K if systemd-repart is not operating on a block device.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
||||||
|
@ -808,9 +807,7 @@
|
||||||
mount options. These fields correspond to the second and fourth column of the
|
mount options. These fields correspond to the second and fourth column of the
|
||||||
<citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
<citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
format. This setting may be specified multiple times to mount the partition multiple times. This can
|
format. This setting may be specified multiple times to mount the partition multiple times. This can
|
||||||
be used to add mounts for different
|
be used to add mounts for different btrfs subvolumes located on the same btrfs partition.</para>
|
||||||
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
||||||
subvolumes located on the same btrfs partition.</para>
|
|
||||||
|
|
||||||
<para>Note that this setting is only taken into account when <option>--generate-fstab=</option> is
|
<para>Note that this setting is only taken into account when <option>--generate-fstab=</option> is
|
||||||
specified on the <command>systemd-repart</command> command line.</para>
|
specified on the <command>systemd-repart</command> command line.</para>
|
||||||
|
@ -821,7 +818,7 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>EncryptedVolume=</varname></term>
|
<term><varname>EncryptedVolume=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Specifies how the encrypted partition should be set up. Takes at least one and at most
|
<listitem><para>Specify how the encrypted partition should be set up. Takes at least one and at most
|
||||||
three fields separated with a colon (<literal>:</literal>). The first field specifies the encrypted
|
three fields separated with a colon (<literal>:</literal>). The first field specifies the encrypted
|
||||||
volume name under <filename>/dev/mapper/</filename>. If not specified, <literal>luks-UUID</literal>
|
volume name under <filename>/dev/mapper/</filename>. If not specified, <literal>luks-UUID</literal>
|
||||||
will be used where <literal>UUID</literal> is the LUKS UUID. The second field specifies the keyfile
|
will be used where <literal>UUID</literal> is the LUKS UUID. The second field specifies the keyfile
|
||||||
|
@ -840,14 +837,13 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>Compression=</varname></term>
|
<term><varname>Compression=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Specifies the compression algorithm to use for the filesystem configured with
|
<listitem><para>Specify the compression algorithm to use for the filesystem configured with
|
||||||
<varname>Format=</varname>. Takes a single argument specifying the compression algorithm.</para>
|
<varname>Format=</varname>. Takes a single argument specifying the compression algorithm.</para>
|
||||||
|
|
||||||
<para>Note that this setting is only taken into account when the filesystem configured with
|
<para>Note that this setting is only taken into account when the filesystem configured with
|
||||||
<varname>Format=</varname> supports compression (
|
<varname>Format=</varname> supports compression (btrfs, squashfs, erofs). Here's an incomplete list
|
||||||
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
of compression algorithms supported by the filesystems known to
|
||||||
squashfs, erofs). Here's an incomplete list of compression algorithms supported by the filesystems
|
<command>systemd-repart</command>:</para>
|
||||||
known to <command>systemd-repart</command>:</para>
|
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<title>File System Compression Algorithms</title>
|
<title>File System Compression Algorithms</title>
|
||||||
|
@ -887,7 +883,7 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>CompressionLevel=</varname></term>
|
<term><varname>CompressionLevel=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Specifies the compression level to use for the filesystem configured with
|
<listitem><para>Specify the compression level to use for the filesystem configured with
|
||||||
<varname>Format=</varname>. Takes a single argument specifying the compression level to use for the
|
<varname>Format=</varname>. Takes a single argument specifying the compression level to use for the
|
||||||
configured compression algorithm. The possible compression levels and their meaning are filesystem
|
configured compression algorithm. The possible compression levels and their meaning are filesystem
|
||||||
specific (refer to the filesystem's documentation for the exact meaning of a particular compression
|
specific (refer to the filesystem's documentation for the exact meaning of a particular compression
|
||||||
|
|
|
@ -485,7 +485,7 @@
|
||||||
|
|
||||||
<listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If
|
<listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If
|
||||||
true, rules regarding routing of single-label names are relaxed. Defaults to false. By default,
|
true, rules regarding routing of single-label names are relaxed. Defaults to false. By default,
|
||||||
lookups of single-label names are assumed to refer to local hosts to be resolved via local resolution
|
lookups of single label names are assumed to refer to local hosts to be resolved via local resolution
|
||||||
such as LLMNR or via search domain qualification and are not routed to upstream servers as is. If
|
such as LLMNR or via search domain qualification and are not routed to upstream servers as is. If
|
||||||
this option is enabled these rules are disabled and the queries are routed upstream anyway. Also see
|
this option is enabled these rules are disabled and the queries are routed upstream anyway. Also see
|
||||||
the <varname>ResolveUnicastSingleLabel=</varname> option in
|
the <varname>ResolveUnicastSingleLabel=</varname> option in
|
||||||
|
|
|
@ -61,10 +61,7 @@
|
||||||
<literal>systemd-run0</literal> PAM stack.</para>
|
<literal>systemd-run0</literal> PAM stack.</para>
|
||||||
|
|
||||||
<para>Note that <command>run0</command> is implemented as an alternative multi-call invocation of
|
<para>Note that <command>run0</command> is implemented as an alternative multi-call invocation of
|
||||||
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>. That is,
|
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
||||||
<command>run0</command> is a symbolic link to <command>systemd-run</command> executable file, and it
|
|
||||||
behaves as <command>run0</command> if it is invoked through the symbolic link, otherwise behaves as
|
|
||||||
<command>systemd-run</command>.</para>
|
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
@ -84,7 +81,7 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--property=</option></term>
|
<term><option>--property=</option></term>
|
||||||
|
|
||||||
<listitem><para>Sets a property of the service unit that is created. This option takes an assignment
|
<listitem><para>Sets a property on the service unit that is created. This option takes an assignment
|
||||||
in the same format as
|
in the same format as
|
||||||
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
||||||
<command>set-property</command> command.</para>
|
<command>set-property</command> command.</para>
|
||||||
|
@ -228,7 +225,7 @@
|
||||||
<term><option>--machine=</option></term>
|
<term><option>--machine=</option></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Execute operation in a local container. Specify a container name to connect to.</para>
|
<para>Execute operation on a local container. Specify a container name to connect to.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/>
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
|
@ -1397,7 +1397,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
|
||||||
<para>Note that this shows the <emphasis>effective</emphasis> block, i.e. the combination of
|
<para>Note that this shows the <emphasis>effective</emphasis> block, i.e. the combination of
|
||||||
environment variables configured via configuration files, environment generators and via IPC
|
environment variables configured via configuration files, environment generators and via IPC
|
||||||
(i.e. via the <command>set-environment</command> described below). At the moment a unit process
|
(i.e. via the <command>set-environment</command> described below). At the moment a unit process
|
||||||
is forked off, this combined environment block will be further combined with per-unit environment
|
is forked off this combined environment block will be further combined with per-unit environment
|
||||||
variables, which are not visible in this command.</para>
|
variables, which are not visible in this command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
|
@ -54,7 +54,7 @@
|
||||||
|
|
||||||
<listitem><para>The EFI Shell binary, if installed.</para></listitem>
|
<listitem><para>The EFI Shell binary, if installed.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>A <literal>Reboot Into Firmware Interface</literal> option, if supported by the UEFI
|
<listitem><para>A <literal>Reboot Into Firmware Interface option</literal>, if supported by the UEFI
|
||||||
firmware.</para></listitem>
|
firmware.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>Secure Boot variables enrollment if the UEFI firmware is in setup-mode and files are provided
|
<listitem><para>Secure Boot variables enrollment if the UEFI firmware is in setup-mode and files are provided
|
||||||
|
|
|
@ -299,7 +299,7 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--unlock-tpm2-device=<replaceable>PATH</replaceable></option></term>
|
<term><option>--unlock-tpm2-device=<replaceable>PATH</replaceable></option></term>
|
||||||
|
|
||||||
<listitem><para>Use a TPM2 device instead of a password/passphrase read from stdin to unlock the
|
<listitem><para>Use a TPM2 device instead of a password/passhprase read from stdin to unlock the
|
||||||
volume. Expects a device node path referring to the TPM2 chip (e.g. <filename>/dev/tpmrm0</filename>).
|
volume. Expects a device node path referring to the TPM2 chip (e.g. <filename>/dev/tpmrm0</filename>).
|
||||||
Alternatively the special value <literal>auto</literal> may be specified, in order to automatically
|
Alternatively the special value <literal>auto</literal> may be specified, in order to automatically
|
||||||
determine the device node of a currently discovered TPM2 device (of which there must be exactly one).
|
determine the device node of a currently discovered TPM2 device (of which there must be exactly one).
|
||||||
|
|
|
@ -32,7 +32,7 @@
|
||||||
<arg choice="plain">VOLUME</arg>
|
<arg choice="plain">VOLUME</arg>
|
||||||
<arg choice="plain">SOURCE-DEVICE</arg>
|
<arg choice="plain">SOURCE-DEVICE</arg>
|
||||||
<arg choice="opt">KEY-FILE</arg>
|
<arg choice="opt">KEY-FILE</arg>
|
||||||
<arg choice="opt">CRYPTTAB-OPTIONS</arg>
|
<arg choice="opt">CONFIG</arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
|
@ -150,7 +150,7 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>cryptsetup.luks2-pin</varname></term>
|
<term><varname>cryptsetup.luks2-pin</varname></term>
|
||||||
|
|
||||||
<listitem><para>This credential specifies the pin requested by generic LUKS2 token modules.</para>
|
<listitem><para>This credential specifies the PIN requested by generic LUKS2 token modules.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
|
@ -57,9 +57,7 @@
|
||||||
last check, number of mounts, unclean unmount, etc.</para>
|
last check, number of mounts, unclean unmount, etc.</para>
|
||||||
|
|
||||||
<para><filename>systemd-fsck-root.service</filename> and <filename>systemd-fsck-usr.service</filename>
|
<para><filename>systemd-fsck-root.service</filename> and <filename>systemd-fsck-usr.service</filename>
|
||||||
will activate <filename>reboot.target</filename> if
|
will activate <filename>reboot.target</filename> if <command>fsck</command> returns the "System
|
||||||
<citerefentry project='man-pages'><refentrytitle>fsck</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
||||||
returns the "System
|
|
||||||
should reboot" condition, or <filename>emergency.target</filename> if <command>fsck</command>
|
should reboot" condition, or <filename>emergency.target</filename> if <command>fsck</command>
|
||||||
returns the "Filesystem errors left uncorrected" condition.</para>
|
returns the "Filesystem errors left uncorrected" condition.</para>
|
||||||
|
|
||||||
|
|
|
@ -164,10 +164,9 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
|
||||||
used to view the log stream of a specific namespace. If the switch is not used the log stream of the
|
used to view the log stream of a specific namespace. If the switch is not used the log stream of the
|
||||||
default namespace is shown, i.e. log data from other namespaces is not visible.</para>
|
default namespace is shown, i.e. log data from other namespaces is not visible.</para>
|
||||||
|
|
||||||
<para>Services associated with a specific log namespace may log via
|
<para>Services associated with a specific log namespace may log via syslog, the native logging protocol
|
||||||
<citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
of the journal and via stdout/stderr; the logging from all three transports is associated with the
|
||||||
the native logging protocol of the journal and via stdout/stderr; the logging from all three transports
|
namespace.</para>
|
||||||
is associated with the namespace.</para>
|
|
||||||
|
|
||||||
<para>By default only the default namespace will collect kernel and audit log messages.</para>
|
<para>By default only the default namespace will collect kernel and audit log messages.</para>
|
||||||
|
|
||||||
|
@ -289,11 +288,8 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
|
||||||
<term><varname>systemd.journald.max_level_socket=</varname></term>
|
<term><varname>systemd.journald.max_level_socket=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Controls the maximum log level of messages that are stored in the journal, forwarded
|
<listitem><para>Controls the maximum log level of messages that are stored in the journal, forwarded
|
||||||
to
|
to syslog, kmsg, the console, the wall, or a socket. This kernel command line options override the
|
||||||
<citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
settings of the same names in the
|
||||||
kmsg, the console,
|
|
||||||
<citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
||||||
or a socket. This kernel command line options override the settings of the same names in the
|
|
||||||
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
|
|
|
@ -136,7 +136,6 @@
|
||||||
<member><citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>org.freedesktop.machine1</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>org.freedesktop.machine1</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
||||||
</simplelist></para>
|
</simplelist></para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
|
|
@ -57,9 +57,7 @@
|
||||||
<para>The returned mounts are automatically allowlisted in the per-user-namespace allowlist maintained by
|
<para>The returned mounts are automatically allowlisted in the per-user-namespace allowlist maintained by
|
||||||
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
||||||
|
|
||||||
<para>The file systems are automatically
|
<para>The file systems are automatically fsck'ed before mounting.</para>
|
||||||
<citerefentry project='man-pages'><refentrytitle>fsck</refentrytitle><manvolnum>8</manvolnum></citerefentry>'ed
|
|
||||||
before mounting.</para>
|
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -140,7 +140,7 @@
|
||||||
<para>When running in unprivileged mode, some needed functionality is provided via
|
<para>When running in unprivileged mode, some needed functionality is provided via
|
||||||
<citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
and
|
and
|
||||||
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -106,7 +106,7 @@
|
||||||
|
|
||||||
<listitem><para>This reads the combined TPM2 event log and writes it to STDOUT in <ulink
|
<listitem><para>This reads the combined TPM2 event log and writes it to STDOUT in <ulink
|
||||||
url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Canonical Event Log
|
url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Canonical Event Log
|
||||||
Format (CEL-JSON)</ulink>.</para>
|
Format (CEL-JSON)</ulink> format.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -387,10 +387,8 @@
|
||||||
|
|
||||||
<listitem><para>Generates/removes a <filename>.pcrlock</filename> file based on a kernel initrd cpio
|
<listitem><para>Generates/removes a <filename>.pcrlock</filename> file based on a kernel initrd cpio
|
||||||
archive. This is useful for predicting measurements the Linux kernel makes to PCR 9
|
archive. This is useful for predicting measurements the Linux kernel makes to PCR 9
|
||||||
("kernel-initrd"). Do not use for
|
("kernel-initrd"). Do not use for <command>systemd-stub</command> UKIs, as the initrd is combined
|
||||||
<citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
dynamically from various sources and hence does not take a single input, like this command.</para>
|
||||||
UKIs, as the initrd is combined dynamically from various sources and hence does not take a single
|
|
||||||
input, like this command.</para>
|
|
||||||
|
|
||||||
<para>This writes/removes the file
|
<para>This writes/removes the file
|
||||||
<filename>/var/lib/pcrlock.d/720-kernel-initrd.pcrlock/generated.pcrlock</filename>.</para>
|
<filename>/var/lib/pcrlock.d/720-kernel-initrd.pcrlock/generated.pcrlock</filename>.</para>
|
||||||
|
@ -523,7 +521,7 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--pcrlock=</option></term>
|
<term><option>--pcrlock=</option></term>
|
||||||
|
|
||||||
<listitem><para>Takes a file system path as argument. If specified, configures where to write the
|
<listitem><para>Takes a file system path as argument. If specified overrides where to write the
|
||||||
generated pcrlock data to. Honoured by the various <command>lock-*</command> commands. If not
|
generated pcrlock data to. Honoured by the various <command>lock-*</command> commands. If not
|
||||||
specified, a default path is generally used, as documented above.</para>
|
specified, a default path is generally used, as documented above.</para>
|
||||||
|
|
||||||
|
@ -533,7 +531,7 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--policy=</option></term>
|
<term><option>--policy=</option></term>
|
||||||
|
|
||||||
<listitem><para>Takes a file system path as argument. If specified, configures where to write pcrlock
|
<listitem><para>Takes a file system path as argument. If specified overrides where to write pcrlock
|
||||||
policy metadata to. If not specified defaults to
|
policy metadata to. If not specified defaults to
|
||||||
<filename>/var/lib/systemd/pcrlock.json</filename>.</para>
|
<filename>/var/lib/systemd/pcrlock.json</filename>.</para>
|
||||||
|
|
||||||
|
|
|
@ -53,7 +53,7 @@
|
||||||
might be broken — the running PID 1 could still depend on libraries which are not available any more,
|
might be broken — the running PID 1 could still depend on libraries which are not available any more,
|
||||||
thus keeping the file system busy, which then cannot be re-mounted read-only.</para>
|
thus keeping the file system busy, which then cannot be re-mounted read-only.</para>
|
||||||
|
|
||||||
<para>Shortly before executing the actual system power-off/halt/reboot/kexec,
|
<para>Shortly before executing the actual system power-off/halt/reboot/kexec
|
||||||
<filename>systemd-shutdown</filename> will run all executables in
|
<filename>systemd-shutdown</filename> will run all executables in
|
||||||
<filename>/usr/lib/systemd/system-shutdown/</filename> and pass one arguments to them: either
|
<filename>/usr/lib/systemd/system-shutdown/</filename> and pass one arguments to them: either
|
||||||
<literal>poweroff</literal>, <literal>halt</literal>, <literal>reboot</literal>, or
|
<literal>poweroff</literal>, <literal>halt</literal>, <literal>reboot</literal>, or
|
||||||
|
|
|
@ -569,7 +569,7 @@
|
||||||
(sysext, see
|
(sysext, see
|
||||||
<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
for details), configuration extension (confext) or <ulink
|
for details), configuration extension (confext) or <ulink
|
||||||
url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>. The generated image will consist
|
url="https://systemd.io/PORTABLE_SERVICES">portable service</ulink>. The generated image will consist
|
||||||
of a signed Verity <literal>erofs</literal> file system as root partition. In this mode of operation
|
of a signed Verity <literal>erofs</literal> file system as root partition. In this mode of operation
|
||||||
the partition definitions in <filename>/usr/lib/repart.d/*.conf</filename> and related directories
|
the partition definitions in <filename>/usr/lib/repart.d/*.conf</filename> and related directories
|
||||||
are not read, and <option>--definitions=</option> is not supported, as appropriate definitions for
|
are not read, and <option>--definitions=</option> is not supported, as appropriate definitions for
|
||||||
|
@ -605,11 +605,10 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--generate-fstab=<replaceable>PATH</replaceable></option></term>
|
<term><option>--generate-fstab=<replaceable>PATH</replaceable></option></term>
|
||||||
|
|
||||||
<listitem><para>Specifies a path where to write
|
<listitem><para>Specifies a path where to write fstab entries for the mountpoints configured with
|
||||||
<citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
<option>MountPoint=</option> in the root directory specified with <option>--copy-source=</option> or
|
||||||
entries for the mountpoints configured with <option>MountPoint=</option> in the root directory
|
<option>--root=</option> or in the host's root directory if neither is specified. Disabled by
|
||||||
specified with <option>--copy-source=</option> or <option>--root=</option> or in the host's root
|
default.</para>
|
||||||
directory if neither is specified. Disabled by default.</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -681,7 +680,7 @@ systemd-confext refresh</programlisting>
|
||||||
<title>Generate a system extension image and sign it via PKCS11</title>
|
<title>Generate a system extension image and sign it via PKCS11</title>
|
||||||
|
|
||||||
<para>The following creates a system extension DDI (sysext) for an
|
<para>The following creates a system extension DDI (sysext) for an
|
||||||
<filename>/usr/foo</filename> update and signs it with a hardware token via PKCS11:</para>
|
<filename>/usr/foo</filename> update and signs it with a hardware token via PKCS11.</para>
|
||||||
|
|
||||||
<programlisting>mkdir -p tree/usr/lib/extension-release.d
|
<programlisting>mkdir -p tree/usr/lib/extension-release.d
|
||||||
echo "Hello World" >tree/usr/foo
|
echo "Hello World" >tree/usr/foo
|
||||||
|
|
|
@ -343,10 +343,10 @@ search foobar.com barbar.com
|
||||||
<listitem><para><command>systemd-resolved</command> maintains the
|
<listitem><para><command>systemd-resolved</command> maintains the
|
||||||
<filename>/run/systemd/resolve/stub-resolv.conf</filename> file for compatibility with traditional
|
<filename>/run/systemd/resolve/stub-resolv.conf</filename> file for compatibility with traditional
|
||||||
Linux programs. This file lists the 127.0.0.53 DNS stub (see above) as the only DNS server. It also
|
Linux programs. This file lists the 127.0.0.53 DNS stub (see above) as the only DNS server. It also
|
||||||
contains a list of search domains that are in use by <command>systemd-resolved</command>. The list of
|
contains a list of search domains that are in use by systemd-resolved. The list of search domains is
|
||||||
search domains is always kept up-to-date. Note that
|
always kept up-to-date. Note that <filename>/run/systemd/resolve/stub-resolv.conf</filename> should not
|
||||||
<filename>/run/systemd/resolve/stub-resolv.conf</filename> should not be used directly by applications,
|
be used directly by applications, but only through a symlink from
|
||||||
but only through a symlink from <filename>/etc/resolv.conf</filename>. This file may be symlinked from
|
<filename>/etc/resolv.conf</filename>. This file may be symlinked from
|
||||||
<filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs
|
<filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs
|
||||||
to <command>systemd-resolved</command> with correct search domains settings. This mode of operation is
|
to <command>systemd-resolved</command> with correct search domains settings. This mode of operation is
|
||||||
recommended.</para></listitem>
|
recommended.</para></listitem>
|
||||||
|
|
|
@ -41,10 +41,8 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Kernel Command Line</title>
|
<title>Kernel Command Line</title>
|
||||||
|
|
||||||
<para>
|
<para><filename>systemd-rfkill</filename> understands the
|
||||||
<command>systemd-rfkill</command> understands the following kernel command line parameter. See also
|
following kernel command line parameter:</para>
|
||||||
<citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
<variablelist class='kernel-commandline-options'>
|
<variablelist class='kernel-commandline-options'>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
|
@ -139,8 +139,7 @@ DefaultDependencies=no</programlisting>
|
||||||
<varname>Conflicts=umount.target</varname>)</para></listitem>
|
<varname>Conflicts=umount.target</varname>)</para></listitem>
|
||||||
|
|
||||||
<listitem><para>If the unit publishes a service over D-Bus, the connection needs to be re-established
|
<listitem><para>If the unit publishes a service over D-Bus, the connection needs to be re-established
|
||||||
after soft-reboot as the D-Bus broker will be stopped and then started again. When using the
|
after soft-reboot as the D-Bus broker will be stopped and then started again. When using the sd-bus
|
||||||
<citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
|
||||||
library this can be achieved by adapting the following example.
|
library this can be achieved by adapting the following example.
|
||||||
<programlisting><xi:include href="sd_bus_service_reconnect.c" parse="text"/></programlisting>
|
<programlisting><xi:include href="sd_bus_service_reconnect.c" parse="text"/></programlisting>
|
||||||
</para></listitem>
|
</para></listitem>
|
||||||
|
|
|
@ -34,9 +34,9 @@
|
||||||
|
|
||||||
<para><command>systemd-ssh-generator</command> binds a socket-activated SSH server to local
|
<para><command>systemd-ssh-generator</command> binds a socket-activated SSH server to local
|
||||||
<constant>AF_VSOCK</constant> and <constant>AF_UNIX</constant> sockets under certain conditions. It only
|
<constant>AF_VSOCK</constant> and <constant>AF_UNIX</constant> sockets under certain conditions. It only
|
||||||
has an effect if the
|
has an effect if the <citerefentry
|
||||||
<citerefentry project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> binary is
|
||||||
binary is installed. Specifically, it does the following:</para>
|
installed. Specifically, it does the following:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><para>If invoked in a VM with <constant>AF_VSOCK</constant> support, a socket-activated SSH
|
<listitem><para>If invoked in a VM with <constant>AF_VSOCK</constant> support, a socket-activated SSH
|
||||||
|
@ -71,14 +71,14 @@
|
||||||
<para>The generator will use a packaged <filename>sshd@.service</filename> service template file if one
|
<para>The generator will use a packaged <filename>sshd@.service</filename> service template file if one
|
||||||
exists, and otherwise generate a suitable service template file.</para>
|
exists, and otherwise generate a suitable service template file.</para>
|
||||||
|
|
||||||
<para><command>systemd-ssh-generator</command> implements
|
<para><filename>systemd-ssh-generator</filename> implements
|
||||||
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Kernel Command Line</title>
|
<title>Kernel Command Line</title>
|
||||||
|
|
||||||
<para><command>systemd-ssh-generator</command> understands the following
|
<para><filename>systemd-ssh-generator</filename> understands the following
|
||||||
<citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||||||
parameters:</para>
|
parameters:</para>
|
||||||
|
|
||||||
|
@ -102,9 +102,8 @@
|
||||||
times to bind multiple sockets. The syntax should follow the one of <varname>ListenStream=</varname>,
|
times to bind multiple sockets. The syntax should follow the one of <varname>ListenStream=</varname>,
|
||||||
see
|
see
|
||||||
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
for details. This functionality supports all socket families
|
for details. This functionality supports all socket families systemd supports, including
|
||||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> supports,
|
<constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
|
||||||
including <constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
|
@ -77,7 +77,7 @@ Host .host
|
||||||
<para>This tool is supposed to be used together with
|
<para>This tool is supposed to be used together with
|
||||||
<citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
which when run inside a VM or container will bind SSH to suitable
|
which when run inside a VM or container will bind SSH to suitable
|
||||||
addresses. <command>systemd-ssh-generator</command> is supposed to run in the container or VM guest, and
|
addresses. <command>systemd-ssh-generator</command> is supposed to run in the container of VM guest, and
|
||||||
<command>systemd-ssh-proxy</command> is run on the host, in order to connect to the container or VM
|
<command>systemd-ssh-proxy</command> is run on the host, in order to connect to the container or VM
|
||||||
guest.</para>
|
guest.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
|
@ -43,7 +43,7 @@
|
||||||
|
|
||||||
<para><citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry> uses
|
<para><citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry> uses
|
||||||
<command>systemd-stdio-bridge</command> to forward D-Bus connections over
|
<command>systemd-stdio-bridge</command> to forward D-Bus connections over
|
||||||
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
<citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||||
or to connect to the bus of a different user, see
|
or to connect to the bus of a different user, see
|
||||||
<citerefentry><refentrytitle>sd_bus_set_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
<citerefentry><refentrytitle>sd_bus_set_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||||||
</para>
|
</para>
|
||||||
|
|
|
@ -209,7 +209,7 @@
|
||||||
images to the initrd. See
|
images to the initrd. See
|
||||||
<citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
|
<citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
|
||||||
details on configuration extension images. The generated <command>cpio</command> archive containing
|
details on configuration extension images. The generated <command>cpio</command> archive containing
|
||||||
these configuration extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem>
|
these system extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem>
|
||||||
|
|
||||||
<listitem><para>Similarly, files
|
<listitem><para>Similarly, files
|
||||||
<filename><replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename> are loaded and verified as
|
<filename><replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename> are loaded and verified as
|
||||||
|
|
|
@ -141,7 +141,7 @@
|
||||||
but the used architecture identifiers are the same as for <varname>ConditionArchitecture=</varname>
|
but the used architecture identifiers are the same as for <varname>ConditionArchitecture=</varname>
|
||||||
described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||||
<varname>EXTENSION_RELOAD_MANAGER=</varname> can be set to 1 if the extension requires a service manager reload after application
|
<varname>EXTENSION_RELOAD_MANAGER=</varname> can be set to 1 if the extension requires a service manager reload after application
|
||||||
of the extension. Note that for the reasons mentioned earlier,
|
of the extension. Note that for the reasons mentioned earlier:
|
||||||
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> remain
|
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> remain
|
||||||
the recommended way to ship system services.
|
the recommended way to ship system services.
|
||||||
|
|
||||||
|
@ -206,13 +206,13 @@
|
||||||
the underlying host <filename>/usr/</filename> is managed as immutable disk image or is a traditional
|
the underlying host <filename>/usr/</filename> is managed as immutable disk image or is a traditional
|
||||||
package manager controlled (i.e. writable) tree.</para>
|
package manager controlled (i.e. writable) tree.</para>
|
||||||
|
|
||||||
<para>With <command>systemd-confext</command> one can perform runtime reconfiguration of OS services.
|
<para>With systemd-confext one can perform runtime reconfiguration of OS services.
|
||||||
Sometimes, there is a need to swap certain configuration parameter values or restart only a specific
|
Sometimes, there is a need to swap certain configuration parameter values or restart only a specific
|
||||||
service without deployment of new code or a complete OS deployment. In other words, we want to be able
|
service without deployment of new code or a complete OS deployment. In other words, we want to be able
|
||||||
to tie the most frequently configured options to runtime updateable flags that can be changed without a
|
to tie the most frequently configured options to runtime updateable flags that can be changed without a
|
||||||
system reboot. This will help reduce servicing times when there is a need for changing the OS configuration.
|
system reboot. This will help reduce servicing times when there is a need for changing the OS configuration.
|
||||||
It also provides a reliable tool for managing configuration because all old configuration files disappear when
|
It also provides a reliable tool for managing configuration because all old configuration files disappear when
|
||||||
the <command>systemd-confext</command> image is removed.</para></refsect1>
|
the systemd-confext image is removed.</para></refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Mutability</title>
|
<title>Mutability</title>
|
||||||
|
|
|
@ -302,7 +302,7 @@
|
||||||
and running in an initrd equivalent to true, otherwise false. This implements a restricted subset of
|
and running in an initrd equivalent to true, otherwise false. This implements a restricted subset of
|
||||||
the per-unit setting of the same name, see
|
the per-unit setting of the same name, see
|
||||||
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
||||||
details: currently, the <literal>full</literal> or <literal>strict</literal> values are not
|
details: currently, the <literal>full</literal> or <literal>struct</literal> values are not
|
||||||
supported.</para>
|
supported.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para><command>systemd-tpm2-generator</command> is a generator that adds a <varname>Wants=</varname>
|
<para><filename>systemd-tpm2-generator</filename> is a generator that adds a <varname>Wants=</varname>
|
||||||
dependency from <filename>sysinit.target</filename> to <filename>tpm2.target</filename> when it detects
|
dependency from <filename>sysinit.target</filename> to <filename>tpm2.target</filename> when it detects
|
||||||
that the firmware discovered a TPM2 device but the OS kernel so far did
|
that the firmware discovered a TPM2 device but the OS kernel so far did
|
||||||
not. <filename>tpm2.target</filename> is supposed to act as synchronization point for all services that
|
not. <filename>tpm2.target</filename> is supposed to act as synchronization point for all services that
|
||||||
|
@ -45,7 +45,7 @@
|
||||||
for it yet. The latter might be useful in environments where a suitable TPM2 driver for the available
|
for it yet. The latter might be useful in environments where a suitable TPM2 driver for the available
|
||||||
hardware is not available.</para>
|
hardware is not available.</para>
|
||||||
|
|
||||||
<para><command>systemd-tpm2-generator</command> implements
|
<para><filename>systemd-tpm2-generator</filename> implements
|
||||||
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
|
|
@ -45,7 +45,7 @@
|
||||||
file descriptors must be passed with the names <literal>kvm</literal> and <literal>vhost-vsock</literal>
|
file descriptors must be passed with the names <literal>kvm</literal> and <literal>vhost-vsock</literal>
|
||||||
respectively.</para>
|
respectively.</para>
|
||||||
|
|
||||||
<para>Note: on Ubuntu/Debian derivatives <command>systemd-vmspawn</command> requires the user to be in the
|
<para>Note: on Ubuntu/Debian derivatives systemd-vmspawn requires the user to be in the
|
||||||
<literal>kvm</literal> group to use the VSOCK options.</para>
|
<literal>kvm</literal> group to use the VSOCK options.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
@ -420,8 +420,7 @@
|
||||||
for more information.</para>
|
for more information.</para>
|
||||||
|
|
||||||
<para>By default <literal>ed25519</literal> keys are generated, however <literal>rsa</literal> keys
|
<para>By default <literal>ed25519</literal> keys are generated, however <literal>rsa</literal> keys
|
||||||
may also be useful if the VM has a particularly old version of
|
may also be useful if the VM has a particularly old version of <command>sshd</command>.</para>
|
||||||
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/>
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
|
@ -46,7 +46,7 @@
|
||||||
|
|
||||||
<para>If the specified path does not reference a <literal>.v/</literal> path (i.e. neither the final
|
<para>If the specified path does not reference a <literal>.v/</literal> path (i.e. neither the final
|
||||||
component ends in <literal>.v</literal>, nor the penultimate does or the final one does contain a triple
|
component ends in <literal>.v</literal>, nor the penultimate does or the final one does contain a triple
|
||||||
underscore) its specified path is written unmodified to standard output.</para>
|
underscore) it specified path is written unmodified to standard output.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -378,7 +378,7 @@
|
||||||
|
|
||||||
<para>This setting is useful to configure the <literal>ID_NET_MANAGED_BY=</literal> property which
|
<para>This setting is useful to configure the <literal>ID_NET_MANAGED_BY=</literal> property which
|
||||||
declares which network management service shall manage the interface, which is respected by
|
declares which network management service shall manage the interface, which is respected by
|
||||||
<command>systemd-networkd</command> and others. Use
|
systemd-networkd and others. Use
|
||||||
<programlisting>Property=ID_NET_MANAGED_BY=io.systemd.Network</programlisting>
|
<programlisting>Property=ID_NET_MANAGED_BY=io.systemd.Network</programlisting>
|
||||||
to declare explicitly that <command>systemd-networkd</command> shall manage the interface, or set
|
to declare explicitly that <command>systemd-networkd</command> shall manage the interface, or set
|
||||||
the property to something else to declare explicitly it shall not do so. See
|
the property to something else to declare explicitly it shall not do so. See
|
||||||
|
@ -974,10 +974,10 @@
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Configures Receive Packet Steering (RPS) list of CPUs to which RPS may forward traffic.
|
<para>Configures Receive Packet Steering (RPS) list of CPUs to which RPS may forward traffic.
|
||||||
Takes a list of CPU indices or ranges separated by either whitespace or commas. Alternatively,
|
Takes a list of CPU indices or ranges separated by either whitespace or commas. Alternatively,
|
||||||
takes the special value <literal>all</literal>, which will include all available CPUs in the mask.
|
takes the special value <literal>all</literal> in which will include all available CPUs in the mask.
|
||||||
CPU ranges are specified by the lower and upper CPU indices separated by a dash (e.g. <literal>2-6</literal>).
|
CPU ranges are specified by the lower and upper CPU indices separated by a dash (e.g. <literal>2-6</literal>).
|
||||||
This option may be specified more than once, in which case the specified list of CPU ranges are merged.
|
This option may be specified more than once, in which case the specified CPU affinity masks are merged.
|
||||||
If an empty string is assigned, the list is reset, all assignments prior to this will have no effect.
|
If an empty string is assigned, the mask is reset, all assignments prior to this will have no effect.
|
||||||
Defaults to unset and RPS CPU list is unchanged. To disable RPS when it was previously enabled, use the
|
Defaults to unset and RPS CPU list is unchanged. To disable RPS when it was previously enabled, use the
|
||||||
special value <literal>disable</literal>.</para>
|
special value <literal>disable</literal>.</para>
|
||||||
|
|
||||||
|
|
|
@ -293,7 +293,7 @@
|
||||||
comes from unit fragments, i.e. generated from <filename>/etc/fstab</filename> by <citerefentry>
|
comes from unit fragments, i.e. generated from <filename>/etc/fstab</filename> by <citerefentry>
|
||||||
<refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> or loaded from
|
<refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> or loaded from
|
||||||
a manually configured mount unit, a combination of <varname>Requires=</varname> and <varname>StopPropagatedFrom=</varname>
|
a manually configured mount unit, a combination of <varname>Requires=</varname> and <varname>StopPropagatedFrom=</varname>
|
||||||
dependencies is set on the backing device, otherwise only <varname>Requires=</varname> is used.</para>
|
dependencies is set on the backing device. If doesn't, only <varname>Requires=</varname> is used.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v233"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v233"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -556,7 +556,7 @@
|
||||||
for details. This setting is optional.</para>
|
for details. This setting is optional.</para>
|
||||||
|
|
||||||
<para>If the type is <literal>overlay</literal>, and <literal>upperdir=</literal> or
|
<para>If the type is <literal>overlay</literal>, and <literal>upperdir=</literal> or
|
||||||
<literal>workdir=</literal> are specified as options and the directories don't exist, they will be created.
|
<literal>workdir=</literal> are specified as options and they don't exist, they will be created.
|
||||||
</para></listitem>
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
|
@ -27,19 +27,18 @@
|
||||||
attributes and the use of this information is configured. This page describes interface naming, i.e. what
|
attributes and the use of this information is configured. This page describes interface naming, i.e. what
|
||||||
possible names may be generated. Those names are generated by the
|
possible names may be generated. Those names are generated by the
|
||||||
<citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
builtin <command>net_id</command> and exported as
|
builtin <command>net_id</command> and exported as udev properties
|
||||||
<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
(<varname>ID_NET_NAME_ONBOARD=</varname>, <varname>ID_NET_LABEL_ONBOARD=</varname>,
|
||||||
properties (<varname>ID_NET_NAME_ONBOARD=</varname>, <varname>ID_NET_LABEL_ONBOARD=</varname>,
|
|
||||||
<varname>ID_NET_NAME_PATH=</varname>, <varname>ID_NET_NAME_SLOT=</varname>).</para>
|
<varname>ID_NET_NAME_PATH=</varname>, <varname>ID_NET_NAME_SLOT=</varname>).</para>
|
||||||
|
|
||||||
<para>Names and MAC addresses are derived from various stable device metadata attributes. Newer versions
|
<para>Names and MAC addresses are derived from various stable device metadata attributes. Newer versions
|
||||||
of <command>systemd-udevd</command> take more of these attributes into account, improving (and thus
|
of udev take more of these attributes into account, improving (and thus possibly changing) the names and
|
||||||
possibly changing) the names and addresses used for the same devices. Different versions of those
|
addresses used for the same devices. Different versions of those generation rules are called "naming
|
||||||
generation rules are called "naming schemes". The default naming scheme is chosen at compilation time.
|
schemes". The default naming scheme is chosen at compilation time. Usually this will be the latest
|
||||||
Usually this will be the latest implemented version, but it is also possible to set one of the older
|
implemented version, but it is also possible to set one of the older versions to preserve
|
||||||
versions to preserve compatibility. This may be useful for example for distributions, which may introduce
|
compatibility. This may be useful for example for distributions, which may introduce new versions of
|
||||||
new versions of systemd in stable releases without changing the naming scheme. The naming scheme may also
|
systemd in stable releases without changing the naming scheme. The naming scheme may also be overridden
|
||||||
be overridden using the <varname>net.naming_scheme=</varname> kernel command line switch, see
|
using the <varname>net.naming_scheme=</varname> kernel command line switch, see
|
||||||
<citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
<citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
||||||
Available naming schemes are described below.</para>
|
Available naming schemes are described below.</para>
|
||||||
|
|
||||||
|
@ -522,8 +521,7 @@
|
||||||
change introduced in <constant>v254</constant> by default.</para>
|
change introduced in <constant>v254</constant> by default.</para>
|
||||||
|
|
||||||
<para>If we detect that a PCI device associated with a slot is a PCI bridge, we no longer set
|
<para>If we detect that a PCI device associated with a slot is a PCI bridge, we no longer set
|
||||||
<varname>ID_NET_NAME_SLOT</varname>, reverting a change that was introduced in
|
<varname>ID_NET_NAME_SLOT</varname>, reverting a change that was introduced in v251.</para>
|
||||||
<constant>v251</constant>.</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v255"/>
|
<xi:include href="version-info.xml" xpointer="v255"/>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -710,7 +708,6 @@ net:naming:drvirtio_net:*
|
||||||
<para><simplelist type="inline">
|
<para><simplelist type="inline">
|
||||||
<member><citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
|
||||||
<member><ulink url="https://systemd.io/PREDICTABLE_INTERFACE_NAMES">Predictable Network Interface Names</ulink></member>
|
<member><ulink url="https://systemd.io/PREDICTABLE_INTERFACE_NAMES">Predictable Network Interface Names</ulink></member>
|
||||||
<member><citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
||||||
</simplelist></para>
|
</simplelist></para>
|
||||||
|
|
|
@ -34,16 +34,10 @@
|
||||||
for a general description of the syntax.</para>
|
for a general description of the syntax.</para>
|
||||||
|
|
||||||
<para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
|
<para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
|
||||||
other extensions are ignored. Virtual network devices are created as soon as
|
other extensions are ignored. Virtual network devices are created as soon as networkd is
|
||||||
<command>systemd-networkd</command> is started if possible. If a netdev with the specified name already
|
started. If a netdev with the specified name already exists, networkd will use that as-is rather
|
||||||
exists, <command>systemd-networkd</command> will try to update the config if the kind of the existing
|
than create its own. Note that the settings of the pre-existing netdev will not be changed by
|
||||||
netdev is equivalent to the requested one, otherwise (e.g. when bridge device <filename>foo</filename>
|
networkd.</para>
|
||||||
exists but bonding device with the same name is configured in a .netdev file) use the existing netdev
|
|
||||||
as-is rather than replacing with the requested netdev. Note, several settings (e.g. vlan ID) cannot be
|
|
||||||
changed after the netdev is created. To change such settings, it is necessary to first remove the
|
|
||||||
existing netdev, and then run <command>networkctl reload</command> command or restart
|
|
||||||
<command>systemd-networkd</command>. See also
|
|
||||||
<citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
|
||||||
|
|
||||||
<para>The <filename>.netdev</filename> files are read from the files located in the system network
|
<para>The <filename>.netdev</filename> files are read from the files located in the system network
|
||||||
directory <filename>/usr/lib/systemd/network</filename> and
|
directory <filename>/usr/lib/systemd/network</filename> and
|
||||||
|
@ -594,7 +588,7 @@
|
||||||
<para>Controls the threshold for broadcast queueing of the macvlan device. Takes the special value
|
<para>Controls the threshold for broadcast queueing of the macvlan device. Takes the special value
|
||||||
<literal>no</literal>, or an integer in the range 0…2147483647. When <literal>no</literal> is
|
<literal>no</literal>, or an integer in the range 0…2147483647. When <literal>no</literal> is
|
||||||
specified, the broadcast queueing is disabled altogether. When an integer is specified, a multicast
|
specified, the broadcast queueing is disabled altogether. When an integer is specified, a multicast
|
||||||
address will be queued as broadcast if the number of devices using the macvlan is greater than the given
|
address will be queued as broadcast if the number of devices using it is greater than the given
|
||||||
value. Defaults to unset, and the kernel default will be used.</para>
|
value. Defaults to unset, and the kernel default will be used.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/>
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
||||||
|
@ -1935,8 +1929,7 @@
|
||||||
the <command>wg genkey</command> command
|
the <command>wg genkey</command> command
|
||||||
(see <citerefentry project='man-pages'><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
|
(see <citerefentry project='man-pages'><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
|
||||||
Specially, if the specified key is prefixed with <literal>@</literal>, it is interpreted as
|
Specially, if the specified key is prefixed with <literal>@</literal>, it is interpreted as
|
||||||
the name of the credential from which the actual key shall be read.
|
the name of the credential from which the actual key shall be read. <command>systemd-networkd.service</command>
|
||||||
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
||||||
automatically imports credentials matching <literal>network.wireguard.*</literal>. For more details
|
automatically imports credentials matching <literal>network.wireguard.*</literal>. For more details
|
||||||
on credentials, refer to
|
on credentials, refer to
|
||||||
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||||
|
@ -2090,7 +2083,7 @@
|
||||||
i.e. the packets that pass through the tunnel itself. To cause packets to be sent via the tunnel in
|
i.e. the packets that pass through the tunnel itself. To cause packets to be sent via the tunnel in
|
||||||
the first place, an appropriate route needs to be added as well — either in the
|
the first place, an appropriate route needs to be added as well — either in the
|
||||||
<literal>[Routes]</literal> section on the <literal>.network</literal> matching the wireguard
|
<literal>[Routes]</literal> section on the <literal>.network</literal> matching the wireguard
|
||||||
interface, or externally to <command>systemd-networkd</command>.</para>
|
interface, or externally to <filename>systemd-networkd</filename>.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v237"/>
|
<xi:include href="version-info.xml" xpointer="v237"/>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -2977,7 +2970,7 @@ Independent=yes</programlisting>
|
||||||
<title>See Also</title>
|
<title>See Also</title>
|
||||||
<para><simplelist type="inline">
|
<para><simplelist type="inline">
|
||||||
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
||||||
<member><citerefentry><refentrytitle>systemd-network-generator.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
<member><citerefentry><refentrytitle>systemd-network-generator.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
||||||
|
|
|
@ -887,7 +887,7 @@ DuplicateAddressDetection=none</programlisting></para>
|
||||||
from the network interface will be appear as coming from the local host. Typically, this should be
|
from the network interface will be appear as coming from the local host. Typically, this should be
|
||||||
enabled on the downstream interface of routers. Takes one of <literal>ipv4</literal>,
|
enabled on the downstream interface of routers. Takes one of <literal>ipv4</literal>,
|
||||||
<literal>ipv6</literal>, <literal>both</literal>, or <literal>no</literal>. Defaults to
|
<literal>ipv6</literal>, <literal>both</literal>, or <literal>no</literal>. Defaults to
|
||||||
<literal>no</literal>. Note that any positive boolean values such as <literal>yes</literal> or
|
<literal>no</literal>. Note. Any positive boolean values such as <literal>yes</literal> or
|
||||||
<literal>true</literal> are now deprecated. Please use one of the values above. Specifying
|
<literal>true</literal> are now deprecated. Please use one of the values above. Specifying
|
||||||
<literal>ipv4</literal> or <literal>both</literal> implies <varname>IPv4Forwarding=</varname>
|
<literal>ipv4</literal> or <literal>both</literal> implies <varname>IPv4Forwarding=</varname>
|
||||||
settings in both .network file for this interface and the global
|
settings in both .network file for this interface and the global
|
||||||
|
@ -928,8 +928,8 @@ DuplicateAddressDetection=none</programlisting></para>
|
||||||
<para>Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support for the interface.
|
<para>Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support for the interface.
|
||||||
If true, RAs are accepted; if false, RAs are ignored. When RAs are accepted, they may trigger the
|
If true, RAs are accepted; if false, RAs are ignored. When RAs are accepted, they may trigger the
|
||||||
start of the DHCPv6 client if the relevant flags are set in the RA data, or if no routers are found
|
start of the DHCPv6 client if the relevant flags are set in the RA data, or if no routers are found
|
||||||
on the link. Defaults to false for bridge devices, when <varname>IPv6Forwarding=</varname>,
|
on the link. Defaults to false for bridge devices, when IP forwarding is enabled,
|
||||||
<varname>IPv6SendRA=</varname>, or <varname>KeepMaster=</varname> is enabled. Otherwise, enabled by
|
<varname>IPv6SendRA=</varname> or <varname>KeepMaster=</varname> is enabled. Otherwise, enabled by
|
||||||
default. Cannot be enabled on devices aggregated in a bond device or when link-local addressing is
|
default. Cannot be enabled on devices aggregated in a bond device or when link-local addressing is
|
||||||
disabled.</para>
|
disabled.</para>
|
||||||
|
|
||||||
|
@ -993,9 +993,9 @@ DuplicateAddressDetection=none</programlisting></para>
|
||||||
whether the <emphasis>source</emphasis> of the packet would be routed through the interface it came in. If there is no
|
whether the <emphasis>source</emphasis> of the packet would be routed through the interface it came in. If there is no
|
||||||
route to the source on that interface, the machine will drop the packet. Takes one of
|
route to the source on that interface, the machine will drop the packet. Takes one of
|
||||||
<literal>no</literal>, <literal>strict</literal>, or <literal>loose</literal>. When <literal>no</literal>,
|
<literal>no</literal>, <literal>strict</literal>, or <literal>loose</literal>. When <literal>no</literal>,
|
||||||
no source validation will be done. When <literal>strict</literal>, each incoming packet is tested against the FIB and
|
no source validation will be done. When <literal>strict</literal>, mode each incoming packet is tested against the FIB and
|
||||||
if the incoming interface is not the best reverse path, the packet check will fail. By default failed packets are discarded.
|
if the incoming interface is not the best reverse path, the packet check will fail. By default failed packets are discarded.
|
||||||
When <literal>loose</literal>, each incoming packet's source address is tested against the FIB. The packet is dropped
|
When <literal>loose</literal>, mode each incoming packet's source address is tested against the FIB. The packet is dropped
|
||||||
only if the source address is not reachable via any interface on that router.
|
only if the source address is not reachable via any interface on that router.
|
||||||
See <ulink url="https://tools.ietf.org/html/rfc1027">RFC 3704</ulink>.
|
See <ulink url="https://tools.ietf.org/html/rfc1027">RFC 3704</ulink>.
|
||||||
When unset, the kernel's default will be used.</para>
|
When unset, the kernel's default will be used.</para>
|
||||||
|
@ -1084,10 +1084,9 @@ DuplicateAddressDetection=none</programlisting></para>
|
||||||
Advertisement messages intended for another machine by offering its own MAC address as
|
Advertisement messages intended for another machine by offering its own MAC address as
|
||||||
destination. Unlike proxy ARP for IPv4, it is not enabled globally, but will only send
|
destination. Unlike proxy ARP for IPv4, it is not enabled globally, but will only send
|
||||||
Neighbour Advertisement messages for addresses in the IPv6 neighbor proxy table, which can
|
Neighbour Advertisement messages for addresses in the IPv6 neighbor proxy table, which can
|
||||||
also be shown by <command>ip -6 neighbour show proxy</command>.
|
also be shown by <command>ip -6 neighbour show proxy</command>. systemd-networkd will control
|
||||||
<command>systemd-networkd</command> will control the per-interface `proxy_ndp` switch for each
|
the per-interface `proxy_ndp` switch for each configured interface depending on this option.
|
||||||
configured interface depending on this option. When unset, the kernel's default will be used.
|
When unset, the kernel's default will be used.</para>
|
||||||
</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v234"/>
|
<xi:include href="version-info.xml" xpointer="v234"/>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -1097,7 +1096,7 @@ DuplicateAddressDetection=none</programlisting></para>
|
||||||
<term><varname>IPv6ProxyNDPAddress=</varname></term>
|
<term><varname>IPv6ProxyNDPAddress=</varname></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>An IPv6 address, for which Neighbour Advertisement messages will be proxied. This
|
<para>An IPv6 address, for which Neighbour Advertisement messages will be proxied. This
|
||||||
option may be specified more than once. <command>systemd-networkd</command> will add the
|
option may be specified more than once. systemd-networkd will add the
|
||||||
<varname>IPv6ProxyNDPAddress=</varname> entries to the kernel's IPv6 neighbor proxy table.
|
<varname>IPv6ProxyNDPAddress=</varname> entries to the kernel's IPv6 neighbor proxy table.
|
||||||
This setting implies <varname>IPv6ProxyNDP=yes</varname> but has no effect if
|
This setting implies <varname>IPv6ProxyNDP=yes</varname> but has no effect if
|
||||||
<varname>IPv6ProxyNDP=</varname> has been set to false. When unset, the kernel's default will
|
<varname>IPv6ProxyNDP=</varname> has been set to false. When unset, the kernel's default will
|
||||||
|
@ -1226,9 +1225,9 @@ DuplicateAddressDetection=none</programlisting></para>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>ConfigureWithoutCarrier=</varname></term>
|
<term><varname>ConfigureWithoutCarrier=</varname></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Takes a boolean. Allows <command>systemd-networkd</command> to configure a specific link even
|
<para>Takes a boolean. Allows networkd to configure a specific link even if it has no
|
||||||
if it has no carrier. Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname>
|
carrier. Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname> setting
|
||||||
setting is not explicitly set, then it is enabled as well.</para>
|
is not explicitly set, then it is enabled as well.</para>
|
||||||
|
|
||||||
<para>With this enabled, to make the interface enter the <literal>configured</literal> state,
|
<para>With this enabled, to make the interface enter the <literal>configured</literal> state,
|
||||||
which is required to make <command>systemd-networkd-wait-online</command> work properly for the
|
which is required to make <command>systemd-networkd-wait-online</command> work properly for the
|
||||||
|
@ -1456,11 +1455,11 @@ DuplicateAddressDetection=none</programlisting></para>
|
||||||
<command>ip maddr</command> command would not work if we have an Ethernet switch that does
|
<command>ip maddr</command> command would not work if we have an Ethernet switch that does
|
||||||
IGMP snooping since the switch would not replicate multicast packets on ports that did not
|
IGMP snooping since the switch would not replicate multicast packets on ports that did not
|
||||||
have IGMP reports for the multicast addresses. Linux vxlan interfaces created via
|
have IGMP reports for the multicast addresses. Linux vxlan interfaces created via
|
||||||
<command>ip link add vxlan</command> or <command>systemd-networkd</command>'s netdev kind vxlan
|
<command>ip link add vxlan</command> or networkd's netdev kind vxlan have the group option
|
||||||
have the group option that enables them to do the required join. By extending
|
that enables them to do the required join. By extending <command>ip address</command> command
|
||||||
<command>ip address</command> command with option <literal>autojoin</literal> we can get similar
|
with option <literal>autojoin</literal> we can get similar functionality for openvswitch (OVS)
|
||||||
functionality for openvswitch (OVS) vxlan interfaces as well as other tunneling mechanisms that
|
vxlan interfaces as well as other tunneling mechanisms that need to receive multicast traffic.
|
||||||
need to receive multicast traffic. Defaults to <literal>no</literal>.</para>
|
Defaults to <literal>no</literal>.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v232"/>
|
<xi:include href="version-info.xml" xpointer="v232"/>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -1786,7 +1785,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>L3MasterDevice=</varname></term>
|
<term><varname>L3MasterDevice=</varname></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Takes a boolean. Specifies whether the rule is to direct lookups to the tables associated with
|
<para>A boolean. Specifies whether the rule is to direct lookups to the tables associated with
|
||||||
level 3 master devices (also known as Virtual Routing and Forwarding or VRF devices).
|
level 3 master devices (also known as Virtual Routing and Forwarding or VRF devices).
|
||||||
For further details see <ulink url="https://docs.kernel.org/networking/vrf.html">
|
For further details see <ulink url="https://docs.kernel.org/networking/vrf.html">
|
||||||
Virtual Routing and Forwarding (VRF)</ulink>. Defaults to false.</para>
|
Virtual Routing and Forwarding (VRF)</ulink>. Defaults to false.</para>
|
||||||
|
@ -2904,7 +2903,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
|
||||||
Note that if <varname>AllowList=</varname> is configured then <varname>DenyList=</varname> is
|
Note that if <varname>AllowList=</varname> is configured then <varname>DenyList=</varname> is
|
||||||
ignored.</para>
|
ignored.</para>
|
||||||
<para>Note that this filters only DHCP offers, so the filtering might not work when
|
<para>Note that this filters only DHCP offers, so the filtering might not work when
|
||||||
<varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> above.
|
<varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> in the above.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v246"/>
|
<xi:include href="version-info.xml" xpointer="v246"/>
|
||||||
|
@ -3340,7 +3339,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
|
||||||
<term><varname>UseRedirect=</varname></term>
|
<term><varname>UseRedirect=</varname></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When true (the default), Redirect message sent by the current first-hop router will be
|
<para>When true (the default), Redirect message sent by the current first-hop router will be
|
||||||
accepted, and routes to redirected nodes will be configured.</para>
|
accepted, and configures routes to redirected nodes will be configured.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/>
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -4077,8 +4076,7 @@ ServerAddress=192.168.0.1/24</programlisting>
|
||||||
<para>Takes a boolean. When true, the DHCP server will load and save leases in the persistent
|
<para>Takes a boolean. When true, the DHCP server will load and save leases in the persistent
|
||||||
storage. When false, the DHCP server will neither load nor save leases in the persistent storage.
|
storage. When false, the DHCP server will neither load nor save leases in the persistent storage.
|
||||||
Hence, bound leases will be lost when the interface is reconfigured e.g. by
|
Hence, bound leases will be lost when the interface is reconfigured e.g. by
|
||||||
<command>networkctl reconfigure</command>, or
|
<command>networkctl reconfigure</command>, or <filename>systemd-networkd.service</filename>
|
||||||
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
||||||
is restarted. That may cause address conflict on the network. So, please take an extra care when
|
is restarted. That may cause address conflict on the network. So, please take an extra care when
|
||||||
disable this setting. When unspecified, the value specified in the same setting in
|
disable this setting. When unspecified, the value specified in the same setting in
|
||||||
<citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
||||||
|
@ -4262,7 +4260,7 @@ ServerAddress=192.168.0.1/24</programlisting>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>HomeAgent=</varname></term>
|
<term><varname>HomeAgent=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Takes a boolean. Specifies that IPv6 router advertisements indicate to hosts that
|
<listitem><para>Takes a boolean. Specifies that IPv6 router advertisements which indicate to hosts that
|
||||||
the router acts as a Home Agent and includes a Home Agent option. Defaults to false. See
|
the router acts as a Home Agent and includes a Home Agent option. Defaults to false. See
|
||||||
<ulink url="https://tools.ietf.org/html/rfc6275">RFC 6275</ulink> for further details.</para>
|
<ulink url="https://tools.ietf.org/html/rfc6275">RFC 6275</ulink> for further details.</para>
|
||||||
|
|
||||||
|
@ -4586,9 +4584,10 @@ ServerAddress=192.168.0.1/24</programlisting>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>Priority=</varname></term>
|
<term><varname>Priority=</varname></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Sets the "priority" of sending packets on this interface. Each port in a bridge may have a
|
<para>Sets the "priority" of sending packets on this interface.
|
||||||
different priority which is used to decide which link to use. Lower value means higher priority.
|
Each port in a bridge may have a different priority which is used
|
||||||
It is an integer value between 0 to 63. <command>systemd-networkd</command> does not set any
|
to decide which link to use. Lower value means higher priority.
|
||||||
|
It is an integer value between 0 to 63. Networkd does not set any
|
||||||
default, meaning the kernel default value of 32 is used.</para>
|
default, meaning the kernel default value of 32 is used.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v234"/>
|
<xi:include href="version-info.xml" xpointer="v234"/>
|
||||||
|
|
|
@ -896,7 +896,7 @@ CPUWeight=20 DisableControllers=cpu / \
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Configures restrictions on the ability of unit processes to invoke <citerefentry
|
<para>Configures restrictions on the ability of unit processes to invoke <citerefentry
|
||||||
project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry> on a
|
project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry> on a
|
||||||
socket. Both allow and deny rules to be defined that restrict which addresses a socket may be bound
|
socket. Both allow and deny rules may defined that restrict which addresses a socket may be bound
|
||||||
to.</para>
|
to.</para>
|
||||||
|
|
||||||
<para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>,
|
<para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>,
|
||||||
|
@ -1673,8 +1673,7 @@ DeviceAllow=/dev/loop-control
|
||||||
<para>When <command>systemd-coredump</command> is handling a coredump for a process from a container,
|
<para>When <command>systemd-coredump</command> is handling a coredump for a process from a container,
|
||||||
if the container's leader process is a descendant of a cgroup with <varname>CoredumpReceive=yes</varname>
|
if the container's leader process is a descendant of a cgroup with <varname>CoredumpReceive=yes</varname>
|
||||||
and <varname>Delegate=yes</varname>, then <command>systemd-coredump</command> will attempt to forward
|
and <varname>Delegate=yes</varname>, then <command>systemd-coredump</command> will attempt to forward
|
||||||
the coredump to <command>systemd-coredump</command> within the container. See also
|
the coredump to <command>systemd-coredump</command> within the container.</para>
|
||||||
<citerefentry><refentrytitle>systemd-coredump</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
|
@ -1437,7 +1437,7 @@
|
||||||
<para>The command line accepts <literal>%</literal> specifiers as described in
|
<para>The command line accepts <literal>%</literal> specifiers as described in
|
||||||
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
||||||
|
|
||||||
<para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal>.</para>
|
<para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal></para>
|
||||||
|
|
||||||
<para>Basic environment variable substitution is supported. Use
|
<para>Basic environment variable substitution is supported. Use
|
||||||
<literal>${FOO}</literal> as part of a word, or as a word of its
|
<literal>${FOO}</literal> as part of a word, or as a word of its
|
||||||
|
|
|
@ -120,8 +120,9 @@
|
||||||
<para>The timezone defaults to the current timezone if not specified explicitly.
|
<para>The timezone defaults to the current timezone if not specified explicitly.
|
||||||
It may be given after a space, like above, in which case it can be:
|
It may be given after a space, like above, in which case it can be:
|
||||||
<literal>UTC</literal>,
|
<literal>UTC</literal>,
|
||||||
an entry in the installed IANA timezone database (e.g. <literal>CET</literal>, <literal>Asia/Tokyo</literal>,
|
an entry in the installed IANA timezone database (<literal>CET</literal>, <literal>Asia/Tokyo</literal>, &c.;
|
||||||
where the complete list can be obtained with <command>timedatectl list-timezones</command> (see
|
complete list obtainable with <literal>timedatectl
|
||||||
|
list-timezones</literal> (see
|
||||||
<citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>)),
|
<citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>)),
|
||||||
or <literal>±<replaceable>05</replaceable></literal>,
|
or <literal>±<replaceable>05</replaceable></literal>,
|
||||||
<literal>±<replaceable>05</replaceable><replaceable>30</replaceable></literal>,
|
<literal>±<replaceable>05</replaceable><replaceable>30</replaceable></literal>,
|
||||||
|
|
|
@ -1238,9 +1238,9 @@
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>Signals sent to PID 1 before this message is sent might not be handled correctly yet. A consumer
|
<para>Signals sent to PID 1 before this message is sent might not be handled correctly yet. A consumer
|
||||||
of these messages should parse the value as an unsigned integer that indicates the level of support.
|
of these messages should parse the value as an unsigned integer indication the level of support. For
|
||||||
For now only the mentioned level 2 is defined, but later on additional levels might be defined with
|
now only the mentioned level 2 is defined, but later on additional levels might be defined with higher
|
||||||
higher integers, that will implement a superset of the currently defined behaviour.</para>
|
integers, that will implement a superset of the currently defined behaviour.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
|
|
||||||
|
@ -1389,8 +1389,8 @@
|
||||||
<term><option>--crash-action=</option></term>
|
<term><option>--crash-action=</option></term>
|
||||||
|
|
||||||
<listitem><para>Specify what to do when the system manager (PID 1) crashes. This switch has no
|
<listitem><para>Specify what to do when the system manager (PID 1) crashes. This switch has no
|
||||||
effect when <command>systemd</command> is running as user instance. See
|
effect when systemd is running as user instance. See <varname>systemd.crash_action=</varname>
|
||||||
<varname>systemd.crash_action=</varname> above.</para>
|
above.</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
|
@ -220,8 +220,7 @@
|
||||||
<para>For the <command>inspect</command> verb, the second syntax is used.
|
<para>For the <command>inspect</command> verb, the second syntax is used.
|
||||||
The section <replaceable>NAME</replaceable> will be inspected (if found).
|
The section <replaceable>NAME</replaceable> will be inspected (if found).
|
||||||
If the second argument is <literal>text</literal>, the contents will be printed.
|
If the second argument is <literal>text</literal>, the contents will be printed.
|
||||||
If the third argument is given, the contents will be saved to the file named
|
If the third argument is given, the contents will be saved to file <replaceable>PATH</replaceable>.
|
||||||
<replaceable>PATH</replaceable>.
|
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>Note that the name is used as-is, and if the section name should start with a dot, it must be
|
<para>Note that the name is used as-is, and if the section name should start with a dot, it must be
|
||||||
|
@ -394,9 +393,9 @@
|
||||||
<listitem><para>SBAT metadata associated with the UKI or addon. SBAT policies are useful to revoke
|
<listitem><para>SBAT metadata associated with the UKI or addon. SBAT policies are useful to revoke
|
||||||
whole groups of UKIs or addons with a single, static policy update that does not take space in
|
whole groups of UKIs or addons with a single, static policy update that does not take space in
|
||||||
DBX/MOKX. If not specified manually, a default metadata entry consisting of
|
DBX/MOKX. If not specified manually, a default metadata entry consisting of
|
||||||
<programlisting>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</programlisting>
|
<literal>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</literal>
|
||||||
for UKIs and
|
for UKIs and
|
||||||
<programlisting>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</programlisting>
|
<literal>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</literal>
|
||||||
for addons will be used, to ensure it is always possible to revoke them. For more information on
|
for addons will be used, to ensure it is always possible to revoke them. For more information on
|
||||||
SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim documentation</ulink>.
|
SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim documentation</ulink>.
|
||||||
</para>
|
</para>
|
||||||
|
|
|
@ -52,7 +52,7 @@
|
||||||
<para>User processes may be started by the <filename>user@.service</filename> instance, in which
|
<para>User processes may be started by the <filename>user@.service</filename> instance, in which
|
||||||
case they will be part of that unit in the system hierarchy. They may also be started elsewhere,
|
case they will be part of that unit in the system hierarchy. They may also be started elsewhere,
|
||||||
for example by
|
for example by
|
||||||
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or a
|
<citerefentry project='die-net'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or a
|
||||||
display manager like <command>gdm</command>, in which case they form a .scope unit (see
|
display manager like <command>gdm</command>, in which case they form a .scope unit (see
|
||||||
<citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
|
<citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
|
||||||
Both <filename>user@<replaceable>UID</replaceable>.service</filename> and the scope units are
|
Both <filename>user@<replaceable>UID</replaceable>.service</filename> and the scope units are
|
||||||
|
@ -145,7 +145,7 @@ Control group /:
|
||||||
…</programlisting>
|
…</programlisting>
|
||||||
<para>User with UID 1000 is logged in using <command>gdm</command> (<filename
|
<para>User with UID 1000 is logged in using <command>gdm</command> (<filename
|
||||||
index="false">session-4.scope</filename>) and
|
index="false">session-4.scope</filename>) and
|
||||||
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
<citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||||
(<filename index="false">session-19.scope</filename>), and also has a user manager instance
|
(<filename index="false">session-19.scope</filename>), and also has a user manager instance
|
||||||
running (<filename index="false">user@1000.service</filename>). User with UID 1001 is logged
|
running (<filename index="false">user@1000.service</filename>). User with UID 1001 is logged
|
||||||
in using <command>ssh</command> (<filename index="false">session-20.scope</filename>) and
|
in using <command>ssh</command> (<filename index="false">session-20.scope</filename>) and
|
||||||
|
|
|
@ -416,7 +416,7 @@
|
||||||
<para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly
|
<para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly
|
||||||
contained in a user record available to the SSH daemon for authentication. For that configure the
|
contained in a user record available to the SSH daemon for authentication. For that configure the
|
||||||
following in <citerefentry
|
following in <citerefentry
|
||||||
project='man-pages'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>
|
project='die-net'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>
|
||||||
|
|
||||||
<programlisting>…
|
<programlisting>…
|
||||||
AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u
|
AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u
|
||||||
|
|
10
mkosi.clangd
10
mkosi.clangd
|
@ -1,18 +1,12 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||||
|
|
||||||
if command -v flatpak-spawn >/dev/null; then
|
MKOSI_CONFIG="$(mkosi --json summary | jq -r .Images[-1])"
|
||||||
SPAWN=(flatpak-spawn --host)
|
|
||||||
else
|
|
||||||
SPAWN=()
|
|
||||||
fi
|
|
||||||
|
|
||||||
MKOSI_CONFIG="$("${SPAWN[@]}" --host mkosi --json summary | jq -r .Images[-1])"
|
|
||||||
DISTRIBUTION="$(jq -r .Distribution <<< "$MKOSI_CONFIG")"
|
DISTRIBUTION="$(jq -r .Distribution <<< "$MKOSI_CONFIG")"
|
||||||
RELEASE="$(jq -r .Release <<< "$MKOSI_CONFIG")"
|
RELEASE="$(jq -r .Release <<< "$MKOSI_CONFIG")"
|
||||||
ARCH="$(jq -r .Architecture <<< "$MKOSI_CONFIG")"
|
ARCH="$(jq -r .Architecture <<< "$MKOSI_CONFIG")"
|
||||||
|
|
||||||
exec "${SPAWN[@]}" mkosi \
|
exec mkosi \
|
||||||
--incremental=strict \
|
--incremental=strict \
|
||||||
--build-sources-ephemeral=no \
|
--build-sources-ephemeral=no \
|
||||||
--format=none \
|
--format=none \
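Review bot: The new `MKOSI_CONFIG="$(mkosi --json summary | jq -r .Images[-1])"` line can fail silently, because the prologue shown in the hunk (shebang and SPDX line) sets no `set -e`/`pipefail`: if `mkosi` is missing or exits non-zero, `MKOSI_CONFIG` ends up empty, the following `jq -r .Distribution`/`.Release`/`.Architecture` lookups run against empty input, and `exec mkosi` is still reached with those empty values. Adding `set -eo pipefail` after the SPDX line makes that failure stop the script instead. The unquoted `.Images[-1]` filter is also exposed to the shell's pathname expansion, since `[-1]` is a bracket expression, so `jq -r '.Images[-1]'` is the safer spelling. The `exec mkosi` argument list continues past the end of the hunk.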
|
||||||
|
|
|
@ -38,8 +38,9 @@ SignExpectedPcr=yes
|
||||||
|
|
||||||
[Content]
|
[Content]
|
||||||
ExtraTrees=
|
ExtraTrees=
|
||||||
mkosi.extra.common
|
|
||||||
mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
|
mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
|
||||||
|
mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
|
||||||
|
mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
|
||||||
%O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
|
%O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
|
||||||
%O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
|
%O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
|
||||||
%O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
|
%O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
|
||||||
|
|
|
@ -6,12 +6,10 @@ ToolsTreeDistribution=arch
|
||||||
[Build]
|
[Build]
|
||||||
ToolsTreePackages=
|
ToolsTreePackages=
|
||||||
cryptsetup
|
cryptsetup
|
||||||
github-cli
|
|
||||||
libcap
|
libcap
|
||||||
libmicrohttpd
|
libmicrohttpd
|
||||||
python-jinja
|
python-jinja
|
||||||
python-pytest
|
python-pytest
|
||||||
ruff
|
ruff
|
||||||
shellcheck
|
|
||||||
tpm2-tss
|
tpm2-tss
|
||||||
util-linux-libs
|
util-linux-libs
|
||||||
|
|
|
@ -16,4 +16,3 @@ ToolsTreePackages=
|
||||||
tpm2-tss-devel
|
tpm2-tss-devel
|
||||||
python3-jinja2
|
python3-jinja2
|
||||||
python3-pytest
|
python3-pytest
|
||||||
shellcheck
|
|
||||||
|
|
|
@ -6,7 +6,6 @@ ToolsTreeDistribution=|ubuntu
|
||||||
|
|
||||||
[Build]
|
[Build]
|
||||||
ToolsTreePackages=
|
ToolsTreePackages=
|
||||||
gh
|
|
||||||
libblkid-dev
|
libblkid-dev
|
||||||
libcap-dev
|
libcap-dev
|
||||||
libcryptsetup-dev
|
libcryptsetup-dev
|
||||||
|
@ -17,4 +16,3 @@ ToolsTreePackages=
|
||||||
libtss2-dev
|
libtss2-dev
|
||||||
python3-jinja2
|
python3-jinja2
|
||||||
python3-pytest
|
python3-pytest
|
||||||
shellcheck
|
|
||||||
|
|
|
@ -5,5 +5,4 @@ ToolsTreeDistribution=fedora
|
||||||
|
|
||||||
[Build]
|
[Build]
|
||||||
ToolsTreePackages=
|
ToolsTreePackages=
|
||||||
gh
|
|
||||||
ruff
|
ruff
|
||||||
|
|
|
@ -5,7 +5,6 @@ ToolsTreeDistribution=opensuse
|
||||||
|
|
||||||
[Build]
|
[Build]
|
||||||
ToolsTreePackages=
|
ToolsTreePackages=
|
||||||
gh
|
|
||||||
pkgconfig(blkid)
|
pkgconfig(blkid)
|
||||||
pkgconfig(libcap)
|
pkgconfig(libcap)
|
||||||
pkgconfig(libcryptsetup)
|
pkgconfig(libcryptsetup)
|
||||||
|
@ -17,4 +16,3 @@ ToolsTreePackages=
|
||||||
tss2-devel
|
tss2-devel
|
||||||
python3-jinja2
|
python3-jinja2
|
||||||
python3-pytest
|
python3-pytest
|
||||||
ShellCheck
|
|
||||||
|
|
|
@ -13,7 +13,6 @@ Environment=
|
||||||
|
|
||||||
[Content]
|
[Content]
|
||||||
Packages=
|
Packages=
|
||||||
clang-devel
|
|
||||||
compiler-rt
|
compiler-rt
|
||||||
gdb
|
gdb
|
||||||
git-core
|
git-core
|
||||||
|
|
|
@ -15,7 +15,6 @@ Environment=
|
||||||
[Content]
|
[Content]
|
||||||
Packages=
|
Packages=
|
||||||
apt
|
apt
|
||||||
clangd
|
|
||||||
erofs-utils
|
erofs-utils
|
||||||
git-core
|
git-core
|
||||||
libclang-rt-dev
|
libclang-rt-dev
|
||||||
|
|
|
@ -12,7 +12,6 @@ Environment=
|
||||||
|
|
||||||
[Content]
|
[Content]
|
||||||
Packages=
|
Packages=
|
||||||
clang
|
|
||||||
diffutils
|
diffutils
|
||||||
erofs-utils
|
erofs-utils
|
||||||
gcc-c++
|
gcc-c++
|
||||||
|
|
|
@ -6,7 +6,9 @@ Include=
|
||||||
%D/mkosi.sanitizers
|
%D/mkosi.sanitizers
|
||||||
|
|
||||||
[Content]
|
[Content]
|
||||||
ExtraTrees=%D/mkosi.extra.common
|
ExtraTrees=
|
||||||
|
%D/mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
|
||||||
|
%D/mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
|
||||||
|
|
||||||
Packages=
|
Packages=
|
||||||
findutils
|
findutils
|
||||||
|
|
|
@ -57,8 +57,6 @@ wrap=(
|
||||||
delv
|
delv
|
||||||
dhcpd
|
dhcpd
|
||||||
dig
|
dig
|
||||||
dnf
|
|
||||||
dnf5
|
|
||||||
dmsetup
|
dmsetup
|
||||||
dnsmasq
|
dnsmasq
|
||||||
findmnt
|
findmnt
|
||||||
|
@ -95,7 +93,7 @@ wrap=(
|
||||||
)
|
)
|
||||||
|
|
||||||
for bin in "${wrap[@]}"; do
|
for bin in "${wrap[@]}"; do
|
||||||
if ! mkosi-chroot bash -c "command -v $bin" >/dev/null; then
|
if ! mkosi-chroot command -v "$bin" >/dev/null; then
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -105,7 +103,7 @@ for bin in "${wrap[@]}"; do
|
||||||
enable_lsan=0
|
enable_lsan=0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
target="$(mkosi-chroot bash -c "command -v $bin")"
|
target="$(mkosi-chroot command -v "$bin")"
|
||||||
|
|
||||||
mv "$BUILDROOT/$target" "$BUILDROOT/$target.orig"
|
mv "$BUILDROOT/$target" "$BUILDROOT/$target.orig"
|
||||||
|
|
||||||
|
|
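Review bot: `if ! mkosi-chroot command -v "$bin" >/dev/null; then` (and the identical `target="$(mkosi-chroot command -v "$bin")"` in the following hunk) runs `command` as an executable inside the chroot, but `command` is a shell builtin that most distributions do not ship as a standalone binary, so unless mkosi-chroot routes its arguments through a shell the lookup fails for every entry and the `continue` silently skips wrapping all of them. A probe that does not depend on executing a builtin is `if ! mkosi-chroot sh -c 'command -v "$1"' sh "$bin" >/dev/null; then`, which also passes `$bin` as a positional parameter instead of splicing it into a command string; the same form applies to the `target=` assignment. Nothing visible here checks that at least one binary was actually wrapped, so a failed lookup leaves no trace in the build output. The `wrap=(` array and the loop body continue outside these hunks.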
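--- a/po/fr.po
+++ b/po/fr.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-23 10:38+0000\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
 "Last-Translator: Léane GRASSER <leane.grasser@proton.me>\n"
 "Language-Team: French <https://translate.fedoraproject.org/projects/systemd/"
 "main/fr/>\n"
@@ -1258,7 +1258,7 @@ msgstr ""
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr "Gérer les fonctionnalités facultatives"
+msgstr "Gérer les fonctionnalités en option"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
 msgid "Authentication is required to manage optional features"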
@ -289,8 +289,7 @@ int write_string_file_full(
|
||||||
const char *fn,
|
const char *fn,
|
||||||
const char *line,
|
const char *line,
|
||||||
WriteStringFileFlags flags,
|
WriteStringFileFlags flags,
|
||||||
const struct timespec *ts,
|
const struct timespec *ts) {
|
||||||
const char *label_fn) {
|
|
||||||
|
|
||||||
bool call_label_ops_post = false, made_file = false;
|
bool call_label_ops_post = false, made_file = false;
|
||||||
_cleanup_fclose_ FILE *f = NULL;
|
_cleanup_fclose_ FILE *f = NULL;
|
||||||
|
@ -322,8 +321,7 @@ int write_string_file_full(
|
||||||
mode_t mode = write_string_file_flags_to_mode(flags);
|
mode_t mode = write_string_file_flags_to_mode(flags);
|
||||||
|
|
||||||
if (FLAGS_SET(flags, WRITE_STRING_FILE_LABEL|WRITE_STRING_FILE_CREATE)) {
|
if (FLAGS_SET(flags, WRITE_STRING_FILE_LABEL|WRITE_STRING_FILE_CREATE)) {
|
||||||
const char *lookup = label_fn ? label_fn : fn;
|
r = label_ops_pre(dir_fd, fn, mode);
|
||||||
r = label_ops_pre(dir_fd, lookup, mode);
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
|
|
|
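Review bot: `r = label_ops_pre(dir_fd, fn, mode);` keys the label lookup on the dir_fd-relative name `fn`, and with the five-argument signature ending in `const struct timespec *ts) {` a caller can no longer supply a separate lookup path; whether the label backend resolves `fn` against `dir_fd` or treats it as a bare path string is not visible in this hunk. If it is the latter, a caller that writes a bare filename through `dir_fd` gets the label computed for the wrong location, so the expectation deserves to be stated next to the call, e.g. `/* NOTE(review): label lookup is keyed on fn as opened relative to dir_fd — confirm the backend resolves it against dir_fd. */`. The inline wrappers in the header section that follows (`write_string_file()`, `write_string_file_at()`) make the same five-argument call. write_string_file_full() begins and ends outside these hunks.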
@ -51,13 +51,12 @@ int write_string_stream_full(FILE *f, const char *line, WriteStringFileFlags fla
|
||||||
static inline int write_string_stream(FILE *f, const char *line, WriteStringFileFlags flags) {
|
static inline int write_string_stream(FILE *f, const char *line, WriteStringFileFlags flags) {
|
||||||
return write_string_stream_full(f, line, flags, /* ts= */ NULL);
|
return write_string_stream_full(f, line, flags, /* ts= */ NULL);
|
||||||
}
|
}
|
||||||
|
int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts);
|
||||||
int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts, const char *label_fn);
|
|
||||||
static inline int write_string_file(const char *fn, const char *line, WriteStringFileFlags flags) {
|
static inline int write_string_file(const char *fn, const char *line, WriteStringFileFlags flags) {
|
||||||
return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
|
return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL);
|
||||||
}
|
}
|
||||||
static inline int write_string_file_at(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags) {
|
static inline int write_string_file_at(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags) {
|
||||||
return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
|
return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL);
|
||||||
}
|
}
|
||||||
int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4);
|
int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4);
|
||||||
|
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
#define AUTOFS_MIN_PROTO_VERSION 3
|
#define AUTOFS_MIN_PROTO_VERSION 3
|
||||||
#define AUTOFS_MAX_PROTO_VERSION 5
|
#define AUTOFS_MAX_PROTO_VERSION 5
|
||||||
|
|
||||||
#define AUTOFS_PROTO_SUBVERSION 6
|
#define AUTOFS_PROTO_SUBVERSION 5
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The wait_queue_token (autofs_wqt_t) is part of a structure which is passed
|
* The wait_queue_token (autofs_wqt_t) is part of a structure which is passed
|
||||||
|
|
|
@ -1121,9 +1121,6 @@ enum bpf_attach_type {
|
||||||
|
|
||||||
#define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
|
#define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
|
||||||
|
|
||||||
/* Add BPF_LINK_TYPE(type, name) in bpf_types.h to keep bpf_link_type_strs[]
|
|
||||||
* in sync with the definitions below.
|
|
||||||
*/
|
|
||||||
enum bpf_link_type {
|
enum bpf_link_type {
|
||||||
BPF_LINK_TYPE_UNSPEC = 0,
|
BPF_LINK_TYPE_UNSPEC = 0,
|
||||||
BPF_LINK_TYPE_RAW_TRACEPOINT = 1,
|
BPF_LINK_TYPE_RAW_TRACEPOINT = 1,
|
||||||
|
@ -2854,7 +2851,7 @@ union bpf_attr {
|
||||||
* **TCP_SYNCNT**, **TCP_USER_TIMEOUT**, **TCP_NOTSENT_LOWAT**,
|
* **TCP_SYNCNT**, **TCP_USER_TIMEOUT**, **TCP_NOTSENT_LOWAT**,
|
||||||
* **TCP_NODELAY**, **TCP_MAXSEG**, **TCP_WINDOW_CLAMP**,
|
* **TCP_NODELAY**, **TCP_MAXSEG**, **TCP_WINDOW_CLAMP**,
|
||||||
* **TCP_THIN_LINEAR_TIMEOUTS**, **TCP_BPF_DELACK_MAX**,
|
* **TCP_THIN_LINEAR_TIMEOUTS**, **TCP_BPF_DELACK_MAX**,
|
||||||
* **TCP_BPF_RTO_MIN**, **TCP_BPF_SOCK_OPS_CB_FLAGS**.
|
* **TCP_BPF_RTO_MIN**.
|
||||||
* * **IPPROTO_IP**, which supports *optname* **IP_TOS**.
|
* * **IPPROTO_IP**, which supports *optname* **IP_TOS**.
|
||||||
* * **IPPROTO_IPV6**, which supports the following *optname*\ s:
|
* * **IPPROTO_IPV6**, which supports the following *optname*\ s:
|
||||||
* **IPV6_TCLASS**, **IPV6_AUTOFLOWLABEL**.
|
* **IPV6_TCLASS**, **IPV6_AUTOFLOWLABEL**.
|
||||||
|
@ -5522,12 +5519,11 @@ union bpf_attr {
|
||||||
* **-EOPNOTSUPP** if the hash calculation failed or **-EINVAL** if
|
* **-EOPNOTSUPP** if the hash calculation failed or **-EINVAL** if
|
||||||
* invalid arguments are passed.
|
* invalid arguments are passed.
|
||||||
*
|
*
|
||||||
* void *bpf_kptr_xchg(void *dst, void *ptr)
|
* void *bpf_kptr_xchg(void *map_value, void *ptr)
|
||||||
* Description
|
* Description
|
||||||
* Exchange kptr at pointer *dst* with *ptr*, and return the old value.
|
* Exchange kptr at pointer *map_value* with *ptr*, and return the
|
||||||
* *dst* can be map value or local kptr. *ptr* can be NULL, otherwise
|
* old value. *ptr* can be NULL, otherwise it must be a referenced
|
||||||
* it must be a referenced pointer which will be released when this helper
|
* pointer which will be released when this helper is called.
|
||||||
* is called.
|
|
||||||
* Return
|
* Return
|
||||||
* The old value of kptr (which can be NULL). The returned pointer
|
* The old value of kptr (which can be NULL). The returned pointer
|
||||||
* if not NULL, is a reference which must be released using its
|
* if not NULL, is a reference which must be released using its
|
||||||
|
@ -6050,6 +6046,11 @@ enum {
|
||||||
BPF_F_MARK_ENFORCE = (1ULL << 6),
|
BPF_F_MARK_ENFORCE = (1ULL << 6),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */
|
||||||
|
enum {
|
||||||
|
BPF_F_INGRESS = (1ULL << 0),
|
||||||
|
};
|
||||||
|
|
||||||
/* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */
|
/* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */
|
||||||
enum {
|
enum {
|
||||||
BPF_F_TUNINFO_IPV6 = (1ULL << 0),
|
BPF_F_TUNINFO_IPV6 = (1ULL << 0),
|
||||||
|
@ -6196,12 +6197,10 @@ enum {
|
||||||
BPF_F_BPRM_SECUREEXEC = (1ULL << 0),
|
BPF_F_BPRM_SECUREEXEC = (1ULL << 0),
|
||||||
};
|
};
|
||||||
|
|
||||||
/* Flags for bpf_redirect and bpf_redirect_map helpers */
|
/* Flags for bpf_redirect_map helper */
|
||||||
enum {
|
enum {
|
||||||
BPF_F_INGRESS = (1ULL << 0), /* used for skb path */
|
BPF_F_BROADCAST = (1ULL << 3),
|
||||||
BPF_F_BROADCAST = (1ULL << 3), /* used for XDP path */
|
BPF_F_EXCLUDE_INGRESS = (1ULL << 4),
|
||||||
BPF_F_EXCLUDE_INGRESS = (1ULL << 4), /* used for XDP path */
|
|
||||||
#define BPF_F_REDIRECT_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS)
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#define __bpf_md_ptr(type, name) \
|
#define __bpf_md_ptr(type, name) \
|
||||||
|
@ -7081,7 +7080,6 @@ enum {
|
||||||
TCP_BPF_SYN = 1005, /* Copy the TCP header */
|
TCP_BPF_SYN = 1005, /* Copy the TCP header */
|
||||||
TCP_BPF_SYN_IP = 1006, /* Copy the IP[46] and TCP header */
|
TCP_BPF_SYN_IP = 1006, /* Copy the IP[46] and TCP header */
|
||||||
TCP_BPF_SYN_MAC = 1007, /* Copy the MAC, IP[46], and TCP header */
|
TCP_BPF_SYN_MAC = 1007, /* Copy the MAC, IP[46], and TCP header */
|
||||||
TCP_BPF_SOCK_OPS_CB_FLAGS = 1008, /* Get or Set TCP sock ops flags */
|
|
||||||
};
|
};
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
|
@ -7514,13 +7512,4 @@ struct bpf_iter_num {
|
||||||
__u64 __opaque[1];
|
__u64 __opaque[1];
|
||||||
} __attribute__((aligned(8)));
|
} __attribute__((aligned(8)));
|
||||||
|
|
||||||
/*
|
|
||||||
* Flags to control BPF kfunc behaviour.
|
|
||||||
* - BPF_F_PAD_ZEROS: Pad destination buffer with zeros. (See the respective
|
|
||||||
* helper documentation for details.)
|
|
||||||
*/
|
|
||||||
enum bpf_kfunc_flags {
|
|
||||||
BPF_F_PAD_ZEROS = (1ULL << 0),
|
|
||||||
};
|
|
||||||
|
|
||||||
#endif /* __LINUX_BPF_H__ */
|
#endif /* __LINUX_BPF_H__ */
|
||||||
|
|
|
@ -28,23 +28,6 @@
|
||||||
#define _BITUL(x) (_UL(1) << (x))
|
#define _BITUL(x) (_UL(1) << (x))
|
||||||
#define _BITULL(x) (_ULL(1) << (x))
|
#define _BITULL(x) (_ULL(1) << (x))
|
||||||
|
|
||||||
#if !defined(__ASSEMBLY__)
|
|
||||||
/*
|
|
||||||
* Missing __asm__ support
|
|
||||||
*
|
|
||||||
* __BIT128() would not work in the __asm__ code, as it shifts an
|
|
||||||
* 'unsigned __init128' data type as direct representation of
|
|
||||||
* 128 bit constants is not supported in the gcc compiler, as
|
|
||||||
* they get silently truncated.
|
|
||||||
*
|
|
||||||
* TODO: Please revisit this implementation when gcc compiler
|
|
||||||
* starts representing 128 bit constants directly like long
|
|
||||||
* and unsigned long etc. Subsequently drop the comment for
|
|
||||||
* GENMASK_U128() which would then start supporting __asm__ code.
|
|
||||||
*/
|
|
||||||
#define _BIT128(x) ((unsigned __int128)(1) << (x))
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (__typeof__(x))(a) - 1)
|
#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (__typeof__(x))(a) - 1)
|
||||||
#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
|
#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
|
||||||
|
|
||||||
|
|
|
@ -2531,20 +2531,4 @@ struct ethtool_link_settings {
|
||||||
* __u32 map_lp_advertising[link_mode_masks_nwords];
|
* __u32 map_lp_advertising[link_mode_masks_nwords];
|
||||||
*/
|
*/
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
|
||||||
* enum phy_upstream - Represents the upstream component a given PHY device
|
|
||||||
* is connected to, as in what is on the other end of the MII bus. Most PHYs
|
|
||||||
* will be attached to an Ethernet MAC controller, but in some cases, there's
|
|
||||||
* an intermediate PHY used as a media-converter, which will driver another
|
|
||||||
* MII interface as its output.
|
|
||||||
* @PHY_UPSTREAM_MAC: Upstream component is a MAC (a switch port,
|
|
||||||
* or ethernet controller)
|
|
||||||
* @PHY_UPSTREAM_PHY: Upstream component is a PHY (likely a media converter)
|
|
||||||
*/
|
|
||||||
enum phy_upstream {
|
|
||||||
PHY_UPSTREAM_MAC,
|
|
||||||
PHY_UPSTREAM_PHY,
|
|
||||||
};
|
|
||||||
|
|
||||||
#endif /* _LINUX_ETHTOOL_H */
|
#endif /* _LINUX_ETHTOOL_H */
|
||||||
|
|
|
@ -67,7 +67,6 @@ enum {
|
||||||
FRA_IP_PROTO, /* ip proto */
|
FRA_IP_PROTO, /* ip proto */
|
||||||
FRA_SPORT_RANGE, /* sport */
|
FRA_SPORT_RANGE, /* sport */
|
||||||
FRA_DPORT_RANGE, /* dport */
|
FRA_DPORT_RANGE, /* dport */
|
||||||
FRA_DSCP, /* dscp */
|
|
||||||
__FRA_MAX
|
__FRA_MAX
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -230,8 +230,8 @@ struct tpacket_hdr_v1 {
|
||||||
* ts_first_pkt:
|
* ts_first_pkt:
|
||||||
* Is always the time-stamp when the block was opened.
|
* Is always the time-stamp when the block was opened.
|
||||||
* Case a) ZERO packets
|
* Case a) ZERO packets
|
||||||
* No packets to deal with but at least you know
|
* No packets to deal with but atleast you know the
|
||||||
* the time-interval of this block.
|
* time-interval of this block.
|
||||||
* Case b) Non-zero packets
|
* Case b) Non-zero packets
|
||||||
* Use the ts of the first packet in the block.
|
* Use the ts of the first packet in the block.
|
||||||
*
|
*
|
||||||
|
@ -265,8 +265,7 @@ enum tpacket_versions {
|
||||||
- struct tpacket_hdr
|
- struct tpacket_hdr
|
||||||
- pad to TPACKET_ALIGNMENT=16
|
- pad to TPACKET_ALIGNMENT=16
|
||||||
- struct sockaddr_ll
|
- struct sockaddr_ll
|
||||||
- Gap, chosen so that packet data (Start+tp_net) aligns to
|
- Gap, chosen so that packet data (Start+tp_net) alignes to TPACKET_ALIGNMENT=16
|
||||||
TPACKET_ALIGNMENT=16
|
|
||||||
- Start+tp_mac: [ Optional MAC header ]
|
- Start+tp_mac: [ Optional MAC header ]
|
||||||
- Start+tp_net: Packet data, aligned to TPACKET_ALIGNMENT=16.
|
- Start+tp_net: Packet data, aligned to TPACKET_ALIGNMENT=16.
|
||||||
- Pad to align to TPACKET_ALIGNMENT=16
|
- Pad to align to TPACKET_ALIGNMENT=16
|
||||||
|
|
|
@ -141,7 +141,7 @@ struct in_addr {
|
||||||
*/
|
*/
|
||||||
#define IP_PMTUDISC_INTERFACE 4
|
#define IP_PMTUDISC_INTERFACE 4
|
||||||
/* weaker version of IP_PMTUDISC_INTERFACE, which allows packets to get
|
/* weaker version of IP_PMTUDISC_INTERFACE, which allows packets to get
|
||||||
* fragmented if they exceed the interface mtu
|
* fragmented if they exeed the interface mtu
|
||||||
*/
|
*/
|
||||||
#define IP_PMTUDISC_OMIT 5
|
#define IP_PMTUDISC_OMIT 5
|
||||||
|
|
||||||
|
|
|
@ -140,6 +140,25 @@
|
||||||
|
|
||||||
#endif /* _NETINET_IN_H */
|
#endif /* _NETINET_IN_H */
|
||||||
|
|
||||||
|
/* Coordinate with glibc netipx/ipx.h header. */
|
||||||
|
#if defined(__NETIPX_IPX_H)
|
||||||
|
|
||||||
|
#define __UAPI_DEF_SOCKADDR_IPX 0
|
||||||
|
#define __UAPI_DEF_IPX_ROUTE_DEFINITION 0
|
||||||
|
#define __UAPI_DEF_IPX_INTERFACE_DEFINITION 0
|
||||||
|
#define __UAPI_DEF_IPX_CONFIG_DATA 0
|
||||||
|
#define __UAPI_DEF_IPX_ROUTE_DEF 0
|
||||||
|
|
||||||
|
#else /* defined(__NETIPX_IPX_H) */
|
||||||
|
|
||||||
|
#define __UAPI_DEF_SOCKADDR_IPX 1
|
||||||
|
#define __UAPI_DEF_IPX_ROUTE_DEFINITION 1
|
||||||
|
#define __UAPI_DEF_IPX_INTERFACE_DEFINITION 1
|
||||||
|
#define __UAPI_DEF_IPX_CONFIG_DATA 1
|
||||||
|
#define __UAPI_DEF_IPX_ROUTE_DEF 1
|
||||||
|
|
||||||
|
#endif /* defined(__NETIPX_IPX_H) */
|
||||||
|
|
||||||
/* Definitions for xattr.h */
|
/* Definitions for xattr.h */
|
||||||
#if defined(_SYS_XATTR_H)
|
#if defined(_SYS_XATTR_H)
|
||||||
#define __UAPI_DEF_XATTR 0
|
#define __UAPI_DEF_XATTR 0
|
||||||
|
@ -221,6 +240,23 @@
|
||||||
#define __UAPI_DEF_IP6_MTUINFO 1
|
#define __UAPI_DEF_IP6_MTUINFO 1
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Definitions for ipx.h */
|
||||||
|
#ifndef __UAPI_DEF_SOCKADDR_IPX
|
||||||
|
#define __UAPI_DEF_SOCKADDR_IPX 1
|
||||||
|
#endif
|
||||||
|
#ifndef __UAPI_DEF_IPX_ROUTE_DEFINITION
|
||||||
|
#define __UAPI_DEF_IPX_ROUTE_DEFINITION 1
|
||||||
|
#endif
|
||||||
|
#ifndef __UAPI_DEF_IPX_INTERFACE_DEFINITION
|
||||||
|
#define __UAPI_DEF_IPX_INTERFACE_DEFINITION 1
|
||||||
|
#endif
|
||||||
|
#ifndef __UAPI_DEF_IPX_CONFIG_DATA
|
||||||
|
#define __UAPI_DEF_IPX_CONFIG_DATA 1
|
||||||
|
#endif
|
||||||
|
#ifndef __UAPI_DEF_IPX_ROUTE_DEF
|
||||||
|
#define __UAPI_DEF_IPX_ROUTE_DEF 1
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Definitions for xattr.h */
|
/* Definitions for xattr.h */
|
||||||
#ifndef __UAPI_DEF_XATTR
|
#ifndef __UAPI_DEF_XATTR
|
||||||
#define __UAPI_DEF_XATTR 1
|
#define __UAPI_DEF_XATTR 1
|
||||||
|
|
|
@ -436,7 +436,7 @@ enum nft_set_elem_flags {
|
||||||
* @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
|
* @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
|
||||||
* @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
|
* @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
|
||||||
* @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
|
* @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
|
||||||
* @NFTA_SET_ELEM_TIMEOUT: timeout value, zero means never times out (NLA_U64)
|
* @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
|
||||||
* @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
|
* @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
|
||||||
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
|
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
|
||||||
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
||||||
|
@ -1694,7 +1694,7 @@ enum nft_flowtable_flags {
|
||||||
*
|
*
|
||||||
* @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
|
* @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
|
||||||
* @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
|
* @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
|
||||||
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
|
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
|
||||||
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
|
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
|
||||||
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
|
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
|
||||||
* @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
|
* @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
|
||||||
|
|
|
@ -16,15 +16,10 @@ struct nhmsg {
|
||||||
struct nexthop_grp {
|
struct nexthop_grp {
|
||||||
__u32 id; /* nexthop id - must exist */
|
__u32 id; /* nexthop id - must exist */
|
||||||
__u8 weight; /* weight of this nexthop */
|
__u8 weight; /* weight of this nexthop */
|
||||||
__u8 weight_high; /* high order bits of weight */
|
__u8 resvd1;
|
||||||
__u16 resvd2;
|
__u16 resvd2;
|
||||||
};
|
};
|
||||||
|
|
||||||
static __inline__ __u16 nexthop_grp_weight(const struct nexthop_grp *entry)
|
|
||||||
{
|
|
||||||
return ((entry->weight_high << 8) | entry->weight) + 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
NEXTHOP_GRP_TYPE_MPATH, /* hash-threshold nexthop group
|
NEXTHOP_GRP_TYPE_MPATH, /* hash-threshold nexthop group
|
||||||
* default type if not specified
|
* default type if not specified
|
||||||
|
@ -38,9 +33,6 @@ enum {
|
||||||
#define NHA_OP_FLAG_DUMP_STATS BIT(0)
|
#define NHA_OP_FLAG_DUMP_STATS BIT(0)
|
||||||
#define NHA_OP_FLAG_DUMP_HW_STATS BIT(1)
|
#define NHA_OP_FLAG_DUMP_HW_STATS BIT(1)
|
||||||
|
|
||||||
/* Response OP_FLAGS. */
|
|
||||||
#define NHA_OP_FLAG_RESP_GRP_RESVD_0 BIT(31) /* Dump clears resvd fields. */
|
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
NHA_UNSPEC,
|
NHA_UNSPEC,
|
||||||
NHA_ID, /* u32; id for nexthop. id == 0 means auto-assign */
|
NHA_ID, /* u32; id for nexthop. id == 0 means auto-assign */
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
|
||||||
#pragma once
|
|
||||||
|
|
||||||
/* Root namespace inode numbers, as per include/linux/proc_ns.h in the kernel source tree, since v3.8:
|
|
||||||
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98f842e675f96ffac96e6c50315790912b2812be */
|
|
||||||
|
|
||||||
#define PROC_IPC_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFF))
|
|
||||||
#define PROC_UTS_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFE))
|
|
||||||
#define PROC_USER_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFD))
|
|
||||||
#define PROC_PID_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFC))
|
|
||||||
#define PROC_CGROUP_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFB))
|
|
||||||
#define PROC_TIME_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFA))
|
|
|
@ -12,7 +12,6 @@
|
||||||
#include "fileio.h"
|
#include "fileio.h"
|
||||||
#include "missing_fs.h"
|
#include "missing_fs.h"
|
||||||
#include "missing_magic.h"
|
#include "missing_magic.h"
|
||||||
#include "missing_namespace.h"
|
|
||||||
#include "missing_sched.h"
|
#include "missing_sched.h"
|
||||||
#include "missing_syscall.h"
|
#include "missing_syscall.h"
|
||||||
#include "mountpoint-util.h"
|
#include "mountpoint-util.h"
|
||||||
|
@ -24,17 +23,17 @@
|
||||||
#include "user-util.h"
|
#include "user-util.h"
|
||||||
|
|
||||||
const struct namespace_info namespace_info[_NAMESPACE_TYPE_MAX + 1] = {
|
const struct namespace_info namespace_info[_NAMESPACE_TYPE_MAX + 1] = {
|
||||||
[NAMESPACE_CGROUP] = { "cgroup", "ns/cgroup", CLONE_NEWCGROUP, PROC_CGROUP_INIT_INO },
|
[NAMESPACE_CGROUP] = { "cgroup", "ns/cgroup", CLONE_NEWCGROUP, },
|
||||||
[NAMESPACE_IPC] = { "ipc", "ns/ipc", CLONE_NEWIPC, PROC_IPC_INIT_INO },
|
[NAMESPACE_IPC] = { "ipc", "ns/ipc", CLONE_NEWIPC, },
|
||||||
[NAMESPACE_NET] = { "net", "ns/net", CLONE_NEWNET, 0 },
|
[NAMESPACE_NET] = { "net", "ns/net", CLONE_NEWNET, },
|
||||||
/* So, the mount namespace flag is called CLONE_NEWNS for historical
|
/* So, the mount namespace flag is called CLONE_NEWNS for historical
|
||||||
* reasons. Let's expose it here under a more explanatory name: "mnt".
|
* reasons. Let's expose it here under a more explanatory name: "mnt".
|
||||||
* This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
|
* This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
|
||||||
[NAMESPACE_MOUNT] = { "mnt", "ns/mnt", CLONE_NEWNS, 0 },
|
[NAMESPACE_MOUNT] = { "mnt", "ns/mnt", CLONE_NEWNS, },
|
||||||
[NAMESPACE_PID] = { "pid", "ns/pid", CLONE_NEWPID, PROC_PID_INIT_INO },
|
[NAMESPACE_PID] = { "pid", "ns/pid", CLONE_NEWPID, },
|
||||||
[NAMESPACE_USER] = { "user", "ns/user", CLONE_NEWUSER, PROC_USER_INIT_INO },
|
[NAMESPACE_USER] = { "user", "ns/user", CLONE_NEWUSER, },
|
||||||
[NAMESPACE_UTS] = { "uts", "ns/uts", CLONE_NEWUTS, PROC_UTS_INIT_INO },
|
[NAMESPACE_UTS] = { "uts", "ns/uts", CLONE_NEWUTS, },
|
||||||
[NAMESPACE_TIME] = { "time", "ns/time", CLONE_NEWTIME, PROC_TIME_INIT_INO },
|
[NAMESPACE_TIME] = { "time", "ns/time", CLONE_NEWTIME, },
|
||||||
{ /* Allow callers to iterate over the array without using _NAMESPACE_TYPE_MAX. */ },
|
{ /* Allow callers to iterate over the array without using _NAMESPACE_TYPE_MAX. */ },
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -480,28 +479,6 @@ int namespace_open_by_type(NamespaceType type) {
|
||||||
return fd;
|
return fd;
|
||||||
}
|
}
|
||||||
|
|
||||||
int namespace_is_init(NamespaceType type) {
|
|
||||||
int r;
|
|
||||||
|
|
||||||
assert(type >= 0);
|
|
||||||
assert(type <= _NAMESPACE_TYPE_MAX);
|
|
||||||
|
|
||||||
if (namespace_info[type].root_inode == 0)
|
|
||||||
return -EBADR; /* Cannot answer this question */
|
|
||||||
|
|
||||||
const char *p = pid_namespace_path(0, type);
|
|
||||||
|
|
||||||
struct stat st;
|
|
||||||
r = RET_NERRNO(stat(p, &st));
|
|
||||||
if (r == -ENOENT)
|
|
||||||
/* If the /proc/ns/<type> API is not around in /proc/ then ns is off in the kernel and we are in the init ns */
|
|
||||||
return proc_mounted() == 0 ? -ENOSYS : true;
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
return st.st_ino == namespace_info[type].root_inode;
|
|
||||||
}
|
|
||||||
|
|
||||||
int is_our_namespace(int fd, NamespaceType request_type) {
|
int is_our_namespace(int fd, NamespaceType request_type) {
|
||||||
int clone_flag;
|
int clone_flag;
|
||||||
|
|
||||||
|
@ -554,24 +531,20 @@ int is_idmapping_supported(const char *path) {
|
||||||
userns_fd = userns_acquire(uid_map, gid_map);
|
userns_fd = userns_acquire(uid_map, gid_map);
|
||||||
if (ERRNO_IS_NEG_NOT_SUPPORTED(userns_fd) || ERRNO_IS_NEG_PRIVILEGE(userns_fd))
|
if (ERRNO_IS_NEG_NOT_SUPPORTED(userns_fd) || ERRNO_IS_NEG_PRIVILEGE(userns_fd))
|
||||||
return false;
|
return false;
|
||||||
if (userns_fd == -ENOSPC) {
|
|
||||||
log_debug_errno(userns_fd, "Failed to acquire new user namespace, user.max_user_namespaces seems to be exhausted or maybe even zero, assuming ID-mapping is not supported: %m");
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
if (userns_fd < 0)
|
if (userns_fd < 0)
|
||||||
return log_debug_errno(userns_fd, "Failed to acquire new user namespace for checking if '%s' supports ID-mapping: %m", path);
|
return log_debug_errno(userns_fd, "ID-mapping supported namespace acquire failed for '%s' : %m", path);
|
||||||
|
|
||||||
dir_fd = RET_NERRNO(open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
|
dir_fd = RET_NERRNO(open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
|
||||||
if (ERRNO_IS_NEG_NOT_SUPPORTED(dir_fd))
|
if (ERRNO_IS_NEG_NOT_SUPPORTED(dir_fd))
|
||||||
return false;
|
return false;
|
||||||
if (dir_fd < 0)
|
if (dir_fd < 0)
|
||||||
return log_debug_errno(dir_fd, "Failed to open '%s', cannot determine if ID-mapping is supported: %m", path);
|
return log_debug_errno(dir_fd, "ID-mapping supported open failed for '%s' : %m", path);
|
||||||
|
|
||||||
mount_fd = RET_NERRNO(open_tree(dir_fd, "", AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC));
|
mount_fd = RET_NERRNO(open_tree(dir_fd, "", AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC));
|
||||||
if (ERRNO_IS_NEG_NOT_SUPPORTED(mount_fd) || ERRNO_IS_NEG_PRIVILEGE(mount_fd) || mount_fd == -EINVAL)
|
if (ERRNO_IS_NEG_NOT_SUPPORTED(mount_fd) || ERRNO_IS_NEG_PRIVILEGE(mount_fd) || mount_fd == -EINVAL)
|
||||||
return false;
|
return false;
|
||||||
if (mount_fd < 0)
|
if (mount_fd < 0)
|
||||||
return log_debug_errno(mount_fd, "Failed to open mount tree '%s', cannot determine if ID-mapping is supported: %m", path);
|
return log_debug_errno(mount_fd, "ID-mapping supported open_tree failed for '%s' : %m", path);
|
||||||
|
|
||||||
r = RET_NERRNO(mount_setattr(mount_fd, "", AT_EMPTY_PATH,
|
r = RET_NERRNO(mount_setattr(mount_fd, "", AT_EMPTY_PATH,
|
||||||
&(struct mount_attr) {
|
&(struct mount_attr) {
|
||||||
|
@ -581,7 +554,7 @@ int is_idmapping_supported(const char *path) {
|
||||||
if (ERRNO_IS_NEG_NOT_SUPPORTED(r) || ERRNO_IS_NEG_PRIVILEGE(r) || r == -EINVAL)
|
if (ERRNO_IS_NEG_NOT_SUPPORTED(r) || ERRNO_IS_NEG_PRIVILEGE(r) || r == -EINVAL)
|
||||||
return false;
|
return false;
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_debug_errno(r, "Failed to set mount attribute to '%s', cannot determine if ID-mapping is supported: %m", path);
|
return log_debug_errno(r, "ID-mapping supported setattr failed for '%s' : %m", path);
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
|
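Review bot: In is_idmapping_supported(), `if (userns_fd < 0) return log_debug_errno(userns_fd, "ID-mapping supported namespace acquire failed for '%s' : %m", path);` turns every failure of userns_acquire() outside the not-supported and privilege classes into a hard error, which presumably includes -ENOSPC, the code unshare(2) reports when the user-namespace limit (user.max_user_namespaces) is zero or exhausted; callers that only want a capability probe then fail on such hosts instead of being told that ID-mapping is unavailable. Handling that case explicitly, e.g. `if (userns_fd == -ENOSPC) return false;` ahead of the generic error return, keeps the function's answer a yes/no probe. The four messages of the form `"... failed for '%s' : %m"` also read awkwardly with the space before the colon; the `"Failed to ...: %m"` phrasing seen elsewhere in this diff is the clearer form. The removal of root_inode from namespace_info and of namespace_is_init() is mirrored in the header section that follows; is_idmapping_supported() starts outside the hunk.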
@ -24,7 +24,6 @@ extern const struct namespace_info {
|
||||||
const char *proc_name;
|
const char *proc_name;
|
||||||
const char *proc_path;
|
const char *proc_path;
|
||||||
unsigned int clone_flag;
|
unsigned int clone_flag;
|
||||||
ino_t root_inode;
|
|
||||||
} namespace_info[_NAMESPACE_TYPE_MAX + 1];
|
} namespace_info[_NAMESPACE_TYPE_MAX + 1];
|
||||||
|
|
||||||
int pidref_namespace_open(
|
int pidref_namespace_open(
|
||||||
|
@ -75,8 +74,6 @@ int parse_userns_uid_range(const char *s, uid_t *ret_uid_shift, uid_t *ret_uid_r
|
||||||
|
|
||||||
int namespace_open_by_type(NamespaceType type);
|
int namespace_open_by_type(NamespaceType type);
|
||||||
|
|
||||||
int namespace_is_init(NamespaceType type);
|
|
||||||
|
|
||||||
int is_our_namespace(int fd, NamespaceType type);
|
int is_our_namespace(int fd, NamespaceType type);
|
||||||
|
|
||||||
int is_idmapping_supported(const char *path);
|
int is_idmapping_supported(const char *path);
|
||||||
|
|
|
@ -585,14 +585,6 @@ static int running_in_cgroupns(void) {
|
||||||
if (!cg_ns_supported())
|
if (!cg_ns_supported())
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
r = namespace_is_init(NAMESPACE_CGROUP);
|
|
||||||
if (r < 0)
|
|
||||||
log_debug_errno(r, "Failed to test if in root cgroup namespace, ignoring: %m");
|
|
||||||
else if (r > 0)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
// FIXME: We really should drop the heuristics below.
|
|
||||||
|
|
||||||
r = cg_all_unified();
|
r = cg_all_unified();
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
@ -653,16 +645,6 @@ static int running_in_cgroupns(void) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static int running_in_pidns(void) {
|
|
||||||
int r;
|
|
||||||
|
|
||||||
r = namespace_is_init(NAMESPACE_PID);
|
|
||||||
if (r < 0)
|
|
||||||
return log_debug_errno(r, "Failed to test if in root PID namespace, ignoring: %m");
|
|
||||||
|
|
||||||
return !r;
|
|
||||||
}
|
|
||||||
|
|
||||||
static Virtualization detect_container_files(void) {
|
static Virtualization detect_container_files(void) {
|
||||||
static const struct {
|
static const struct {
|
||||||
const char *file_path;
|
const char *file_path;
|
||||||
|
@ -808,21 +790,12 @@ check_files:
|
||||||
|
|
||||||
r = running_in_cgroupns();
|
r = running_in_cgroupns();
|
||||||
if (r > 0) {
|
if (r > 0) {
|
||||||
log_debug("Running in a cgroup namespace, assuming unknown container manager.");
|
|
||||||
v = VIRTUALIZATION_CONTAINER_OTHER;
|
v = VIRTUALIZATION_CONTAINER_OTHER;
|
||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
log_debug_errno(r, "Failed to detect cgroup namespace: %m");
|
log_debug_errno(r, "Failed to detect cgroup namespace: %m");
|
||||||
|
|
||||||
/* Finally, the root pid namespace has an hardcoded inode number of 0xEFFFFFFC since kernel 3.8, so
|
|
||||||
* if all else fails we can check the inode number of our pid namespace and compare it. */
|
|
||||||
if (running_in_pidns() > 0) {
|
|
||||||
log_debug("Running in a pid namespace, assuming unknown container manager.");
|
|
||||||
v = VIRTUALIZATION_CONTAINER_OTHER;
|
|
||||||
goto finish;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If none of that worked, give up, assume no container manager. */
|
/* If none of that worked, give up, assume no container manager. */
|
||||||
v = VIRTUALIZATION_NONE;
|
v = VIRTUALIZATION_NONE;
|
||||||
goto finish;
|
goto finish;
|
||||||
|
@ -890,14 +863,6 @@ int running_in_userns(void) {
|
||||||
_cleanup_free_ char *line = NULL;
|
_cleanup_free_ char *line = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
r = namespace_is_init(NAMESPACE_USER);
|
|
||||||
if (r < 0)
|
|
||||||
log_debug_errno(r, "Failed to test if in root user namespace, ignoring: %m");
|
|
||||||
else if (r > 0)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
// FIXME: We really should drop the heuristics below.
|
|
||||||
|
|
||||||
r = userns_has_mapping("/proc/self/uid_map");
|
r = userns_has_mapping("/proc/self/uid_map");
|
||||||
if (r != 0)
|
if (r != 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
|
@ -1048,6 +1048,9 @@ static void device_enumerate(Manager *m) {
|
||||||
_cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL;
|
_cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL;
|
||||||
Device *d;
|
Device *d;
|
||||||
|
|
||||||
|
if (device_is_processed(dev) <= 0)
|
||||||
|
continue;
|
||||||
|
|
||||||
if (device_setup_units(m, dev, &ready_units, ¬_ready_units) < 0)
|
if (device_setup_units(m, dev, &ready_units, ¬_ready_units) < 0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
|
|
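Review bot: The added `if (device_is_processed(dev) <= 0) continue;` folds a negative return from device_is_processed() into the same silent skip as "not processed yet", so a failure to read the device's state leaves no trace in the logs. If a negative value is an error rather than "unknown", keep the result and log it: `r = device_is_processed(dev); if (r < 0) log_device_debug_errno(dev, r, "Failed to check whether device is processed, ignoring: %m"); if (r <= 0) continue;`. Presumably `dev` is the enumeration loop variable; the loop header and the rest of device_enumerate() are outside the hunk.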
@ -16,7 +16,6 @@
|
||||||
#include "fileio.h"
|
#include "fileio.h"
|
||||||
#include "format-util.h"
|
#include "format-util.h"
|
||||||
#include "hexdecoct.h"
|
#include "hexdecoct.h"
|
||||||
#include "iovec-util.h"
|
|
||||||
#include "macro.h"
|
#include "macro.h"
|
||||||
#include "memory-util.h"
|
#include "memory-util.h"
|
||||||
#include "parse-util.h"
|
#include "parse-util.h"
|
||||||
|
@ -32,7 +31,8 @@ int decrypt_pkcs11_key(
|
||||||
const char *key_file, /* We either expect key_file and associated parameters to be set (for file keys) … */
|
const char *key_file, /* We either expect key_file and associated parameters to be set (for file keys) … */
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const struct iovec *key_data, /* … or literal keys via key_data */
|
const void *key_data, /* … or key_data and key_data_size (for literal keys) */
|
||||||
|
size_t key_data_size,
|
||||||
usec_t until,
|
usec_t until,
|
||||||
AskPasswordFlags askpw_flags,
|
AskPasswordFlags askpw_flags,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
|
@ -47,15 +47,15 @@ int decrypt_pkcs11_key(
|
||||||
|
|
||||||
assert(friendly_name);
|
assert(friendly_name);
|
||||||
assert(pkcs11_uri);
|
assert(pkcs11_uri);
|
||||||
assert(key_file || iovec_is_set(key_data));
|
assert(key_file || key_data);
|
||||||
assert(ret_decrypted_key);
|
assert(ret_decrypted_key);
|
||||||
assert(ret_decrypted_key_size);
|
assert(ret_decrypted_key_size);
|
||||||
|
|
||||||
/* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */
|
/* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */
|
||||||
|
|
||||||
if (iovec_is_set(key_data)) {
|
if (key_data) {
|
||||||
data.encrypted_key = (void*) key_data->iov_base;
|
data.encrypted_key = (void*) key_data;
|
||||||
data.encrypted_key_size = key_data->iov_len;
|
data.encrypted_key_size = key_data_size;
|
||||||
|
|
||||||
data.free_encrypted_key = false;
|
data.free_encrypted_key = false;
|
||||||
} else {
|
} else {
|
||||||
|
|
|
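Review bot: `assert(key_file || key_data)` and the following `if (key_data)` test only the pointer, so a caller passing a non-NULL key_data with key_data_size == 0 is accepted and an empty encrypted key is handed to the PKCS#11 decryption path instead of being rejected. The dropped iovec_is_set() check covered that case; with a separate pointer and length the equivalent is `assert(key_file || (key_data && key_data_size > 0));` and `if (key_data && key_data_size > 0) {`. The same pointer-only test appears in acquire_fido2_key() (`assert(key_file || key_data)` / `if (key_data)`) further down in this compare. Also, `data.encrypted_key = (void*) key_data;` discards the const qualifier of the caller's buffer; a short comment that the buffer is only read (free_encrypted_key is false) would make that cast deliberate rather than accidental.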
@ -16,7 +16,8 @@ int decrypt_pkcs11_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const struct iovec *key_data,
|
const void *key_data,
|
||||||
|
size_t key_data_size,
|
||||||
usec_t until,
|
usec_t until,
|
||||||
AskPasswordFlags askpw_flags,
|
AskPasswordFlags askpw_flags,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
|
@ -38,7 +39,8 @@ static inline int decrypt_pkcs11_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const struct iovec *key_data,
|
const void *key_data,
|
||||||
|
size_t key_data_size,
|
||||||
usec_t until,
|
usec_t until,
|
||||||
AskPasswordFlags askpw_flags,
|
AskPasswordFlags askpw_flags,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
|
|
|
@ -1471,7 +1471,8 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
||||||
struct crypt_device *cd,
|
struct crypt_device *cd,
|
||||||
const char *name,
|
const char *name,
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
const struct iovec *key_data,
|
const void *key_data,
|
||||||
|
size_t key_data_size,
|
||||||
usec_t until,
|
usec_t until,
|
||||||
uint32_t flags,
|
uint32_t flags,
|
||||||
bool pass_volume_key) {
|
bool pass_volume_key) {
|
||||||
|
@ -1488,7 +1489,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
||||||
assert(name);
|
assert(name);
|
||||||
assert(arg_fido2_device || arg_fido2_device_auto);
|
assert(arg_fido2_device || arg_fido2_device_auto);
|
||||||
|
|
||||||
if (arg_fido2_cid && !key_file && !iovec_is_set(key_data))
|
if (arg_fido2_cid && !key_file && !key_data)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
"FIDO2 mode with manual parameters selected, but no keyfile specified, refusing.");
|
"FIDO2 mode with manual parameters selected, but no keyfile specified, refusing.");
|
||||||
|
|
||||||
|
@ -1512,7 +1513,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
||||||
arg_fido2_rp_id,
|
arg_fido2_rp_id,
|
||||||
arg_fido2_cid, arg_fido2_cid_size,
|
arg_fido2_cid, arg_fido2_cid_size,
|
||||||
key_file, arg_keyfile_size, arg_keyfile_offset,
|
key_file, arg_keyfile_size, arg_keyfile_offset,
|
||||||
key_data,
|
key_data, key_data_size,
|
||||||
until,
|
until,
|
||||||
arg_fido2_manual_flags,
|
arg_fido2_manual_flags,
|
||||||
"cryptsetup.fido2-pin",
|
"cryptsetup.fido2-pin",
|
||||||
|
@ -1622,7 +1623,8 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
||||||
struct crypt_device *cd,
|
struct crypt_device *cd,
|
||||||
const char *name,
|
const char *name,
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
const struct iovec *key_data,
|
const void *key_data,
|
||||||
|
size_t key_data_size,
|
||||||
usec_t until,
|
usec_t until,
|
||||||
uint32_t flags,
|
uint32_t flags,
|
||||||
bool pass_volume_key) {
|
bool pass_volume_key) {
|
||||||
|
@ -1633,7 +1635,6 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
||||||
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
|
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
|
||||||
_cleanup_(sd_event_unrefp) sd_event *event = NULL;
|
_cleanup_(sd_event_unrefp) sd_event *event = NULL;
|
||||||
_cleanup_free_ void *discovered_key = NULL;
|
_cleanup_free_ void *discovered_key = NULL;
|
||||||
struct iovec discovered_key_data = {};
|
|
||||||
int keyslot = arg_key_slot, r;
|
int keyslot = arg_key_slot, r;
|
||||||
const char *uri = NULL;
|
const char *uri = NULL;
|
||||||
bool use_libcryptsetup_plugin = use_token_plugins();
|
bool use_libcryptsetup_plugin = use_token_plugins();
|
||||||
|
@ -1652,13 +1653,13 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
uri = discovered_uri;
|
uri = discovered_uri;
|
||||||
discovered_key_data = IOVEC_MAKE(discovered_key, discovered_key_size);
|
key_data = discovered_key;
|
||||||
key_data = &discovered_key_data;
|
key_data_size = discovered_key_size;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
uri = arg_pkcs11_uri;
|
uri = arg_pkcs11_uri;
|
||||||
|
|
||||||
if (!key_file && !iovec_is_set(key_data))
|
if (!key_file && !key_data)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "PKCS#11 mode selected but no key file specified, refusing.");
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "PKCS#11 mode selected but no key file specified, refusing.");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1681,7 +1682,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
||||||
friendly,
|
friendly,
|
||||||
uri,
|
uri,
|
||||||
key_file, arg_keyfile_size, arg_keyfile_offset,
|
key_file, arg_keyfile_size, arg_keyfile_offset,
|
||||||
key_data,
|
key_data, key_data_size,
|
||||||
until,
|
until,
|
||||||
arg_ask_password_flags,
|
arg_ask_password_flags,
|
||||||
&decrypted_key, &decrypted_key_size);
|
&decrypted_key, &decrypted_key_size);
|
||||||
|
@ -2230,9 +2231,9 @@ static int attach_luks_or_plain_or_bitlk(
|
||||||
if (token_type == TOKEN_TPM2)
|
if (token_type == TOKEN_TPM2)
|
||||||
return attach_luks_or_plain_or_bitlk_by_tpm2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
return attach_luks_or_plain_or_bitlk_by_tpm2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||||
if (token_type == TOKEN_FIDO2)
|
if (token_type == TOKEN_FIDO2)
|
||||||
return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
|
||||||
if (token_type == TOKEN_PKCS11)
|
if (token_type == TOKEN_PKCS11)
|
||||||
return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
|
||||||
if (key_data)
|
if (key_data)
|
||||||
return attach_luks_or_plain_or_bitlk_by_key_data(cd, name, key_data, flags, pass_volume_key);
|
return attach_luks_or_plain_or_bitlk_by_key_data(cd, name, key_data, flags, pass_volume_key);
|
||||||
if (key_file)
|
if (key_file)
|
||||||
|
|
|
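Review bot: The new `attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data->iov_base, key_data->iov_len, ...)` call and the matching `..._by_pkcs11(...)` line dereference key_data unconditionally, while `if (key_data)` three lines later treats it as possibly NULL; one of the two is wrong. If key_data can be NULL here, the FIDO2 and PKCS#11 paths crash before reaching their own "no keyfile specified" checks, so pass `key_data ? key_data->iov_base : NULL, key_data ? key_data->iov_len : 0`. If it is always the address of a caller-owned iovec, the later test should be `if (iovec_is_set(key_data))` instead, since an empty iovec is then the only "no key data" state. attach_luks_or_plain_or_bitlk() begins and ends outside the hunk.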
@ -98,11 +98,16 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
else if (streq(key, "fastboot") && !value)
|
#if HAVE_SYSV_COMPAT
|
||||||
|
else if (streq(key, "fastboot") && !value) {
|
||||||
|
log_warning("Please pass 'fsck.mode=skip' rather than 'fastboot' on the kernel command line.");
|
||||||
arg_skip = true;
|
arg_skip = true;
|
||||||
|
|
||||||
else if (streq(key, "forcefsck") && !value)
|
} else if (streq(key, "forcefsck") && !value) {
|
||||||
|
log_warning("Please pass 'fsck.mode=force' rather than 'forcefsck' on the kernel command line.");
|
||||||
arg_force = true;
|
arg_force = true;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
@ -75,10 +75,6 @@ static int curl_glue_socket_callback(CURL *curl, curl_socket_t s, int action, vo
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Don't configure io event source anymore when the event loop is dead already. */
|
|
||||||
if (g->event && sd_event_get_state(g->event) == SD_EVENT_FINISHED)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
r = hashmap_ensure_allocated(&g->ios, &trivial_hash_ops);
|
r = hashmap_ensure_allocated(&g->ios, &trivial_hash_ops);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
log_oom();
|
log_oom();
|
||||||
|
|
|
@ -1698,8 +1698,7 @@ _public_ int sd_varlink_get_events(sd_varlink *v) {
|
||||||
ret |= EPOLLIN;
|
ret |= EPOLLIN;
|
||||||
|
|
||||||
if (!v->write_disconnected &&
|
if (!v->write_disconnected &&
|
||||||
(v->output_queue ||
|
v->output_buffer_size > 0)
|
||||||
v->output_buffer_size > 0))
|
|
||||||
ret |= EPOLLOUT;
|
ret |= EPOLLOUT;
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
|
|
|
@ -16,7 +16,7 @@ int varlink_get_peer_pidref(sd_varlink *v, PidRef *ret) {
|
||||||
|
|
||||||
int pidfd = sd_varlink_get_peer_pidfd(v);
|
int pidfd = sd_varlink_get_peer_pidfd(v);
|
||||||
if (pidfd < 0) {
|
if (pidfd < 0) {
|
||||||
if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
|
if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd))
|
||||||
return pidfd;
|
return pidfd;
|
||||||
|
|
||||||
pid_t pid;
|
pid_t pid;
|
||||||
|
|
|
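Review bot: The tightened `if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd)) return pidfd;` no longer falls back to the PID-based lookup when sd_varlink_get_peer_pidfd() returns -EINVAL; the dropped `pidfd != -EINVAL` comparison suggests some caller did hit that value. If -EINVAL is now intentionally a hard error, a one-line comment above the check stating why it is no longer treated like the not-supported errnos would stop the next reader from re-adding the fallback. The rest of varlink_get_peer_pidref() is outside the hunk.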
@ -108,7 +108,6 @@ static int help(int argc, char *argv[], void *userdata) {
|
||||||
" --ucode=PATH Path to microcode image file %7$s .ucode\n"
|
" --ucode=PATH Path to microcode image file %7$s .ucode\n"
|
||||||
" --splash=PATH Path to splash bitmap file %7$s .splash\n"
|
" --splash=PATH Path to splash bitmap file %7$s .splash\n"
|
||||||
" --dtb=PATH Path to DeviceTree file %7$s .dtb\n"
|
" --dtb=PATH Path to DeviceTree file %7$s .dtb\n"
|
||||||
" --dtbauto=PATH Path to DeviceTree file for auto selection %7$s .dtbauto\n"
|
|
||||||
" --uname=PATH Path to 'uname -r' file %7$s .uname\n"
|
" --uname=PATH Path to 'uname -r' file %7$s .uname\n"
|
||||||
" --sbat=PATH Path to SBAT file %7$s .sbat\n"
|
" --sbat=PATH Path to SBAT file %7$s .sbat\n"
|
||||||
" --pcrpkey=PATH Path to public key for PCR signatures %7$s .pcrpkey\n"
|
" --pcrpkey=PATH Path to public key for PCR signatures %7$s .pcrpkey\n"
|
||||||
|
|
|
@ -2280,9 +2280,10 @@ static int copy_devnode_one(const char *dest, const char *node, bool ignore_mkno
|
||||||
r = path_extract_directory(from, &parent);
|
r = path_extract_directory(from, &parent);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to extract directory from %s: %m", from);
|
return log_error_errno(r, "Failed to extract directory from %s: %m", from);
|
||||||
r = userns_mkdir(dest, parent, 0755, 0, 0);
|
if (!path_equal(parent, "/dev/")) {
|
||||||
if (r < 0)
|
if (userns_mkdir(dest, parent, 0755, 0, 0) < 0)
|
||||||
return log_error_errno(r, "Failed to create directory %s: %m", parent);
|
return log_error_errno(r, "Failed to create directory %s: %m", parent);
|
||||||
|
}
|
||||||
|
|
||||||
if (mknod(to, st.st_mode, st.st_rdev) < 0) {
|
if (mknod(to, st.st_mode, st.st_rdev) < 0) {
|
||||||
r = -errno; /* Save the original error code. */
|
r = -errno; /* Save the original error code. */
|
||||||
|
@ -4653,7 +4654,7 @@ static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r
|
||||||
|
|
||||||
ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
|
ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
|
||||||
if (!ucred || ucred->pid != inner_child_pid) {
|
if (!ucred || ucred->pid != inner_child_pid) {
|
||||||
log_debug("Received notify message from process that is not the payload's PID 1. Ignoring.");
|
log_debug("Received notify message without valid credentials. Ignoring.");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
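Review bot: In copy_devnode_one() the new `if (userns_mkdir(dest, parent, 0755, 0, 0) < 0) return log_error_errno(r, "Failed to create directory %s: %m", parent);` discards the mkdir result and logs and returns `r`, which at that point still holds the non-negative return of path_extract_directory(), so both the log line and the value returned to the caller are wrong. Keep the result: `r = userns_mkdir(dest, parent, 0755, 0, 0); if (r < 0) return log_error_errno(r, "Failed to create directory %s: %m", parent);` inside the `/dev/` guard. Separately, in nspawn_dispatch_notify_fd() the condition still rejects `ucred->pid != inner_child_pid`, but the new message "Received notify message without valid credentials. Ignoring." describes only the missing-ucred case; `"Received notify message without valid credentials or not from the payload's PID 1. Ignoring."` keeps the log accurate for both branches. The remainder of both functions is outside the hunks.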
@ -36,9 +36,14 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
|
||||||
arg_skip = true;
|
arg_skip = true;
|
||||||
else
|
else
|
||||||
log_warning("Invalid quotacheck.mode= value, ignoring: %s", value);
|
log_warning("Invalid quotacheck.mode= value, ignoring: %s", value);
|
||||||
|
}
|
||||||
|
|
||||||
} else if (streq(key, "forcequotacheck") && !value)
|
#if HAVE_SYSV_COMPAT
|
||||||
|
else if (streq(key, "forcequotacheck") && !value) {
|
||||||
|
log_warning("Please use 'quotacheck.mode=force' rather than 'forcequotacheck' on the kernel command line. Proceeding anyway.");
|
||||||
arg_force = true;
|
arg_force = true;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
@ -24,7 +24,8 @@ int acquire_fido2_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const struct iovec *key_data,
|
const void *key_data,
|
||||||
|
size_t key_data_size,
|
||||||
usec_t until,
|
usec_t until,
|
||||||
Fido2EnrollFlags required,
|
Fido2EnrollFlags required,
|
||||||
const char *askpw_credential,
|
const char *askpw_credential,
|
||||||
|
@ -44,10 +45,10 @@ int acquire_fido2_key(
|
||||||
"Local verification is required to unlock this volume, but the 'headless' parameter was set.");
|
"Local verification is required to unlock this volume, but the 'headless' parameter was set.");
|
||||||
|
|
||||||
assert(cid);
|
assert(cid);
|
||||||
assert(key_file || iovec_is_set(key_data));
|
assert(key_file || key_data);
|
||||||
|
|
||||||
if (iovec_is_set(key_data))
|
if (key_data)
|
||||||
salt = *key_data;
|
salt = IOVEC_MAKE(key_data, key_data_size);
|
||||||
else {
|
else {
|
||||||
if (key_file_size > 0)
|
if (key_file_size > 0)
|
||||||
log_debug("Ignoring 'keyfile-size=' option for a FIDO2 salt file.");
|
log_debug("Ignoring 'keyfile-size=' option for a FIDO2 salt file.");
|
||||||
|
@ -251,7 +252,7 @@ int acquire_fido2_key_auto(
|
||||||
/* key_file= */ NULL, /* salt is read from LUKS header instead of key_file */
|
/* key_file= */ NULL, /* salt is read from LUKS header instead of key_file */
|
||||||
/* key_file_size= */ 0,
|
/* key_file_size= */ 0,
|
||||||
/* key_file_offset= */ 0,
|
/* key_file_offset= */ 0,
|
||||||
&IOVEC_MAKE(salt, salt_size),
|
salt, salt_size,
|
||||||
until,
|
until,
|
||||||
required,
|
required,
|
||||||
"cryptsetup.fido2-pin",
|
"cryptsetup.fido2-pin",
|
||||||
|
|
|
@ -20,7 +20,8 @@ int acquire_fido2_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const struct iovec *key_data,
|
const void *key_data,
|
||||||
|
size_t key_data_size,
|
||||||
usec_t until,
|
usec_t until,
|
||||||
Fido2EnrollFlags required,
|
Fido2EnrollFlags required,
|
||||||
const char *askpw_credential,
|
const char *askpw_credential,
|
||||||
|
@ -51,7 +52,8 @@ static inline int acquire_fido2_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const struct iovec *key_data,
|
const void *key_data,
|
||||||
|
size_t key_data_size,
|
||||||
usec_t until,
|
usec_t until,
|
||||||
Fido2EnrollFlags required,
|
Fido2EnrollFlags required,
|
||||||
const char *askpw_credential,
|
const char *askpw_credential,
|
||||||
|
|
|
@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
|
||||||
int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);
|
int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);
|
||||||
|
|
||||||
int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
|
int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
|
||||||
int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);
|
int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags);
|
||||||
|
|
||||||
/* Default to PCR 7 only */
|
/* Default to PCR 7 only */
|
||||||
#define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)
|
#define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)
|
||||||
|
|
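Review bot: In the new `tpm2_parse_luks2_json()` prototype the last iovec output parameter is named `pcrlock_nv` while every other output parameter keeps the `ret_` prefix (`ret_salt`, `ret_srk`, `ret_flags`); renaming it to `struct iovec *ret_pcrlock_nv` keeps the declaration consistent with its neighbors. Prototype parameter names carry no ABI weight, so this is a pure readability fix.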