Compare commits


1 Commits

Author:  anonymix007
SHA1:    19a085132a
Message: Merge 098e44d03c into 0e44a351ea
Date:    2024-11-25 00:14:26 +00:00
71 changed files with 212 additions and 497 deletions

View File

@ -114,10 +114,10 @@
invoked, for example from the system service manager or via a PAM module.</para> invoked, for example from the system service manager or via a PAM module.</para>
<para>Specifically, for ssh logins, the <para>Specifically, for ssh logins, the
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> <citerefentry project='die-net'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
service builds an environment that is a combination of variables forwarded from the remote system and service builds an environment that is a combination of variables forwarded from the remote system and
defined by <command>sshd</command>, see the discussion in defined by <command>sshd</command>, see the discussion in
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
A graphical display session will have an analogous mechanism to define the environment. Note that some A graphical display session will have an analogous mechanism to define the environment. Note that some
managers query the systemd user instance for the exported environment and inject this configuration into managers query the systemd user instance for the exported environment and inject this configuration into
programs they start, using <command>systemctl show-environment</command> or the underlying D-Bus call. programs they start, using <command>systemctl show-environment</command> or the underlying D-Bus call.
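Review bot: The only change in this hunk is the `project=` attribute on the sshd(8) and ssh(1) citerefentry elements, which moves from 'man-pages' to 'die-net'; that changes where the rendered cross-reference links point, so confirm it is intended rather than a stale branch undoing an earlier link cleanup.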

View File

@ -215,8 +215,8 @@
below this directory is subject to specifications that ensure interoperability.</para> below this directory is subject to specifications that ensure interoperability.</para>
<para>Note that resources placed in this directory typically are under shared ownership, <para>Note that resources placed in this directory typically are under shared ownership,
i.e. multiple different packages have provided and consumed these resources, on equal footing, without i.e. multiple different packages have provide and consume these resources, on equal footing, without
any obvious primary owner. This makes things systematically different from any obvious primary owner. This makes makes things systematically different from
<filename>/usr/lib/</filename>, where ownership is generally not shared.</para></listitem> <filename>/usr/lib/</filename>, where ownership is generally not shared.</para></listitem>
</varlistentry> </varlistentry>
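Review bot: Two grammar regressions are introduced on the new side of this hunk: "multiple different packages have provide and consume these resources" should stay "have provided and consumed", and "This makes makes things" duplicates the verb. Keep the old wording on both lines.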

View File

@ -378,7 +378,7 @@
<listitem><para>Takes a comma- or colon-separated list of languages preferred by the user, ordered <listitem><para>Takes a comma- or colon-separated list of languages preferred by the user, ordered
by descending priority. The <varname>$LANG</varname> and <varname>$LANGUAGE</varname> environment by descending priority. The <varname>$LANG</varname> and <varname>$LANGUAGE</varname> environment
variables are initialized from this value on login, and thus values suitable for these environment variables are initialized from this value on login, and thus values suitible for these environment
variables are accepted here, for example <option>--language=de_DE.UTF-8</option>. This option may variables are accepted here, for example <option>--language=de_DE.UTF-8</option>. This option may
be used more than once, in which case the language lists are concatenated.</para> be used more than once, in which case the language lists are concatenated.</para>
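Review bot: "suitible" on the new side is a misspelling; keep "values suitable for these environment variables".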

View File

@ -40,7 +40,7 @@
<citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> <citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para><command>importctl</command> operates both on block-level disk images (such as DDIs) as well as <para><command>importctl</command> operates both on block-level disk images (such as DDIs) as well as
file-system-level images (tarballs). It supports disk images in one of the four following file-system-level images (tarballs). It supports disk images are one of the four following
classes:</para> classes:</para>
<itemizedlist> <itemizedlist>
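Review bot: "It supports disk images are one of the four following classes" is ungrammatical on the new side; keep "It supports disk images in one of the four following classes".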
@ -50,7 +50,7 @@
managed via managed via
<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem> <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
<listitem><para>Portable service images, that may be attached and managed via <listitem><para>Portable service images, that may be attached an managed via
<citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem> <citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
<listitem><para>System extension (sysext) images, that may be activated via <listitem><para>System extension (sysext) images, that may be activated via
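Review bot: "attached an managed" on the new side drops a letter; it should read "attached and managed via portablectl(1)".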
@ -133,7 +133,7 @@
multiple downloads are not necessary. In order to create only the read-only image, and avoid creating multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
its writable snapshot, specify <literal>-</literal> as local name.</para> its writable snapshot, specify <literal>-</literal> as local name.</para>
<para>Note that pressing Control-c during execution of this command will not abort the download. Use <para>Note that pressing C-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para> <command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
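Review bot: Replacing "Control-c" with "C-c" makes the note harder to read: "C-c" is Emacs key notation that many readers will not recognize, while "Control-c" is unambiguous. The same substitution appears in the hunk at line 162; suggest keeping "Control-c" in both places.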
@ -145,14 +145,14 @@
<listitem><para>Downloads a <filename>.raw</filename> disk image from the specified URL, and makes it <listitem><para>Downloads a <filename>.raw</filename> disk image from the specified URL, and makes it
available under the specified local name in the image directory for the selected available under the specified local name in the image directory for the selected
<option>--class=</option>. The URL must be of type <literal>http://</literal> or <option>--class=</option>. The URL must be of type <literal>http://</literal> or
<literal>https://</literal>. The image must either be a qcow2 or raw disk <literal>https://</literal>. The image must either be a <filename>.qcow2</filename> or raw disk
image, optionally compressed as <filename>.gz</filename>, <filename>.xz</filename>, or image, optionally compressed as <filename>.gz</filename>, <filename>.xz</filename>, or
<filename>.bz2</filename>. If the local name is omitted, it is automatically derived from the last <filename>.bz2</filename>. If the local name is omitted, it is automatically derived from the last
component of the URL, with its suffix removed.</para> component of the URL, with its suffix removed.</para>
<para>Image verification is identical for raw and tar images (see above).</para> <para>Image verification is identical for raw and tar images (see above).</para>
<para>If the downloaded image is in qcow2 format it is converted into a raw <para>If the downloaded image is in <filename>.qcow2</filename> format it is converted into a raw
image file before it is made available.</para> image file before it is made available.</para>
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in <para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
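Review bot: Wrapping qcow2 in `<filename>.qcow2</filename>` (twice in this hunk) marks a disk image format as if it were a file name; the sentence describes the format of the downloaded image, and the import-raw text in the hunk at line 174 keeps the bare word "qcow2". Suggest leaving "qcow2" unmarked on both lines. Unrelated to this change but visible in the unchanged context: `<option>-keep-download=yes</option>` has a single dash where a long option is expected (presumably `--keep-download=`), which is worth fixing in the same pass.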
@ -162,7 +162,7 @@
necessary. In order to create only the read-only image, and avoid creating its writable copy, necessary. In order to create only the read-only image, and avoid creating its writable copy,
specify <literal>-</literal> as local name.</para> specify <literal>-</literal> as local name.</para>
<para>Note that pressing Control-c during execution of this command will not abort the download. Use <para>Note that pressing C-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para> <command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
@ -174,14 +174,8 @@
<listitem><para>Imports a TAR or RAW image, and places it under the specified name in the image <listitem><para>Imports a TAR or RAW image, and places it under the specified name in the image
directory for the image class selected via <option>--class=</option>. When directory for the image class selected via <option>--class=</option>. When
<command>import-tar</command> is used, the file specified as the first argument should be a <command>import-tar</command> is used, the file specified as the first argument should be a tar
<citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry> archive, possibly compressed with xz, gzip or bzip2. It will then be unpacked into its own
archive, possibly compressed with
<citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
or
<citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
It will then be unpacked into its own
subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw
disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image
name) is not specified, it is automatically derived from the file name. If the filename is passed as name) is not specified, it is automatically derived from the file name. If the filename is passed as
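Review bot: Dropping the tar(1), xz(1), gzip(1) and bzip2(1) citerefentry elements from the import-tar description loses the rendered cross-references. If the goal was consistency with the import-raw sentence in the same hunk, which plainly says "possibly compressed with xz, gzip or bzip2", the better direction is to keep the references here rather than strip them.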
@ -202,9 +196,7 @@
<listitem><para>Imports an image stored in a local directory into the image directory for the image <listitem><para>Imports an image stored in a local directory into the image directory for the image
class selected via <option>--class=</option> and operates similarly to <command>import-tar</command> class selected via <option>--class=</option> and operates similarly to <command>import-tar</command>
or <command>import-raw</command>, but the first argument is the source directory. If supported, this or <command>import-raw</command>, but the first argument is the source directory. If supported, this
command will create a command will create a btrfs snapshot or subvolume for the new image.</para>
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
snapshot or subvolume for the new image.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry> </varlistentry>
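Review bot: The link to the btrfs(8) documentation (the citerefentry with project="url") is removed and "btrfs" is left as plain text, so readers lose the pointer to the upstream page on snapshots and subvolumes. The same removal recurs in the repart.d hunks at lines 606, 808 and 840, so decide once whether url-style citerefentry elements are being dropped project-wide; otherwise keep the reference.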
@ -215,13 +207,9 @@
<listitem><para>Exports a TAR or RAW image and stores it in the specified file. The first parameter <listitem><para>Exports a TAR or RAW image and stores it in the specified file. The first parameter
should be an image name. The second parameter should be a file path the TAR or RAW should be an image name. The second parameter should be a file path the TAR or RAW
image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with gzip, if
<citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>, it ends in <literal>.xz</literal>, with xz, and if it ends in <literal>.bz2</literal>, with bzip2. If
if it ends in <literal>.xz</literal>, with the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
<citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
and if it ends in <literal>.bz2</literal>, with
<citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
If the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
is written to standard output. The compression may also be explicitly selected with the is written to standard output. The compression may also be explicitly selected with the
<option>--format=</option> switch. This is in particular useful if the second parameter is left <option>--format=</option> switch. This is in particular useful if the second parameter is left
unspecified.</para> unspecified.</para>
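Review bot: Same regression as the import-tar hunk: the gzip(1), xz(1) and bzip2(1) citerefentry elements in the export description are replaced by bare words, dropping the cross-references. Keep the references.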

View File

@ -113,11 +113,11 @@
</row> </row>
<row> <row>
<entry><constant>user-early</constant></entry> <entry><constant>user-early</constant></entry>
<entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry> <entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <filename>systemd-user-sessions.service</filename>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
</row> </row>
<row> <row>
<entry><constant>user-incomplete</constant></entry> <entry><constant>user-incomplete</constant></entry>
<entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry> <entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <command>ssh</command> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
</row> </row>
<row> <row>
<entry><constant>greeter</constant></entry> <entry><constant>greeter</constant></entry>
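Review bot: The systemd-user-sessions.service(8) citerefentry becomes a plain `<filename>` and the ssh(1) citerefentry becomes `<command>ssh</command>`, so both table entries lose their links. Citerefentry is the right markup for a unit that has its own man page and for ssh(1); keep them, especially since the See Also hunk at line 445 also removes systemd-user-sessions.service(8) from the list.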
@ -129,15 +129,15 @@
</row> </row>
<row> <row>
<entry><constant>background</constant></entry> <entry><constant>background</constant></entry>
<entry>Used for background sessions, such as those invoked by <citerefentry project='die-net'><refentrytitle>cron</refentrytitle><manvolnum>8</manvolnum></citerefentry> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry> <entry>Used for background sessions, such as those invoked by <command>cron</command> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
</row> </row>
<row> <row>
<entry><constant>background-light</constant></entry> <entry><constant>background-light</constant></entry>
<entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry> <entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <filename>user@.service</filename> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
</row> </row>
<row> <row>
<entry><constant>manager</constant></entry> <entry><constant>manager</constant></entry>
<entry>The <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> service of the user is registered under this session class. (Added in v256.)</entry> <entry>The <filename>user@.service</filename> service of the user is registered under this session class. (Added in v256.)</entry>
</row> </row>
<row> <row>
<entry><constant>manager-early</constant></entry> <entry><constant>manager-early</constant></entry>
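Review bot: cron(8) and user@.service(5) lose their citerefentry markup here too (two entries for user@.service), replaced by `<command>` and `<filename>`. The user@.service(5) references matter for the background-light and manager classes, which are defined by whether that unit is pulled in; keep the references.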
@ -445,8 +445,6 @@ session required pam_unix.so</programlisting>
<title>See Also</title> <title>See Also</title>
<para><simplelist type="inline"> <para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
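Review bot: Removing systemd-user-sessions.service(8) and user@.service(5) from See Also is inconsistent with the session class table above, which still names both units for the user-early, background-light and manager classes; keep the two `<member>` lines.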

View File

@ -112,8 +112,7 @@
during boot.</para> during boot.</para>
<para>You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase. <para>You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase.
Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g. Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g. <filename>sddm-autologin</filename>):</para>
<filename>sddm-autologin</filename>):</para>
<programlisting> <programlisting>
-auth optional pam_systemd_loadkey.so -auth optional pam_systemd_loadkey.so
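Review bot: Only line wrapping changes here: the `<para>` is joined into one line that runs well past the width of the surrounding lines. Keep the wrap before "<filename>sddm-autologin</filename>" as in the old text, for consistency with the rest of the file.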
@ -132,9 +131,8 @@ KeyringMode=inherit
<para>In this setup, early during the boot process, <para>In this setup, early during the boot process,
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
will ask for the passphrase and store it in the kernel keyring with the keyname <literal>cryptsetup</literal>. will ask for the passphrase and store it in the kernel keyring with the keyname <literal>cryptsetup</literal>.
Then when the display manager does the autologin, <command>pam_systemd_loadkey</command> will read the passphrase Then when the display manager does the autologin, pam_systemd_loadkey will read the passphrase from the kernel keyring,
from the kernel keyring, set it as the PAM authtok, and then <command>pam_gnome_keyring</command> and set it as the PAM authtok, and then pam_gnome_keyring and pam_kwallet5 will unlock with the same passphrase.</para>
<command>pam_kwallet5</command> will unlock with the same passphrase.</para>
</refsect1> </refsect1>
</refentry> </refentry>
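Review bot: The `<command>` markup on pam_systemd_loadkey, pam_gnome_keyring and pam_kwallet5 is removed, so the module names render as plain prose while `<literal>cryptsetup</literal>` in the preceding sentence keeps its markup, leaving the paragraph inconsistent. Keep the `<command>` elements; the reflow also produces overly long lines again.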

View File

@ -48,7 +48,7 @@
and transfer them as a whole between systems. When these images are attached to the local system, the contained units and transfer them as a whole between systems. When these images are attached to the local system, the contained units
may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing, may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing,
depending on the selected configuration. For more details, see depending on the selected configuration. For more details, see
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.</para> <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.</para>
<para>Portable service images may be of the following kinds:</para> <para>Portable service images may be of the following kinds:</para>
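Review bot: The link text grows from "Portable Services" to "Portable Services Documentation" (also in the hunk at line 417). "Documentation" is redundant after "For more details, see", and the shorter text matches the page it links to; keep "Portable Services".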
@ -417,7 +417,7 @@
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>. <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Images can be block images, btrfs subvolumes or directories. For more information on portable Images can be block images, btrfs subvolumes or directories. For more information on portable
services with extensions, see the <literal>Extension Images</literal> paragraph on services with extensions, see the <literal>Extension Images</literal> paragraph on
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>. <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.
</para> </para>
<para>Note that the same extensions have to be specified, in the same order, when attaching <para>Note that the same extensions have to be specified, in the same order, when attaching

View File

@ -606,8 +606,7 @@
<varname>Subvolumes=</varname>.</para> <varname>Subvolumes=</varname>.</para>
<para>Note that this option only takes effect if the target filesystem supports subvolumes, such as <para>Note that this option only takes effect if the target filesystem supports subvolumes, such as
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>. <literal>btrfs</literal>.</para>
</para>
<para>Note that this option is only supported in combination with <option>--offline=yes</option> <para>Note that this option is only supported in combination with <option>--offline=yes</option>
since btrfs-progs 6.11 or newer.</para> since btrfs-progs 6.11 or newer.</para>
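Review bot: The btrfs(8) documentation link becomes `<literal>btrfs</literal>`; "btrfs" here names a filesystem rather than a literal string, so plain text would be the better fallback if the reference is dropped, and keeping the citerefentry is preferable (see also the hunks at lines 808 and 840).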
@ -687,7 +686,7 @@
<listitem><para>Configures the data block size of the generated verity hash partition. Must be between 512 and <listitem><para>Configures the data block size of the generated verity hash partition. Must be between 512 and
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying 4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device. block device sector size, or 4K if systemd-repart is not operating on a block device.
</para> </para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem> <xi:include href="version-info.xml" xpointer="v255"/></listitem>
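Review bot: `<command>systemd-repart</command>` is replaced by plain "systemd-repart" in the sentence about block-device defaults, while the same program name keeps `<command>` markup elsewhere in the visible context (e.g. the --generate-fstab= note in the hunk at line 808). Keep the markup here and in the identical hunk at line 698.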
@ -698,7 +697,7 @@
<listitem><para>Configures the hash block size of the generated verity hash partition. Must be between 512 and <listitem><para>Configures the hash block size of the generated verity hash partition. Must be between 512 and
4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying 4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device. block device sector size, or 4K if systemd-repart is not operating on a block device.
</para> </para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem> <xi:include href="version-info.xml" xpointer="v255"/></listitem>
@ -808,9 +807,7 @@
mount options. These fields correspond to the second and fourth column of the mount options. These fields correspond to the second and fourth column of the
<citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry> <citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
format. This setting may be specified multiple times to mount the partition multiple times. This can format. This setting may be specified multiple times to mount the partition multiple times. This can
be used to add mounts for different be used to add mounts for different btrfs subvolumes located on the same btrfs partition.</para>
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
subvolumes located on the same btrfs partition.</para>
<para>Note that this setting is only taken into account when <option>--generate-fstab=</option> is <para>Note that this setting is only taken into account when <option>--generate-fstab=</option> is
specified on the <command>systemd-repart</command> command line.</para> specified on the <command>systemd-repart</command> command line.</para>
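Review bot: Same btrfs(8) link removal as in the hunk at line 606: the citerefentry pointing at the upstream btrfs page is dropped in favour of bare "btrfs subvolumes". Keep the reference unless it is being removed file-wide.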
@ -821,7 +818,7 @@
<varlistentry> <varlistentry>
<term><varname>EncryptedVolume=</varname></term> <term><varname>EncryptedVolume=</varname></term>
<listitem><para>Specifies how the encrypted partition should be set up. Takes at least one and at most <listitem><para>Specify how the encrypted partition should be set up. Takes at least one and at most
three fields separated with a colon (<literal>:</literal>). The first field specifies the encrypted three fields separated with a colon (<literal>:</literal>). The first field specifies the encrypted
volume name under <filename>/dev/mapper/</filename>. If not specified, <literal>luks-UUID</literal> volume name under <filename>/dev/mapper/</filename>. If not specified, <literal>luks-UUID</literal>
will be used where <literal>UUID</literal> is the LUKS UUID. The second field specifies the keyfile will be used where <literal>UUID</literal> is the LUKS UUID. The second field specifies the keyfile
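Review bot: "Specifies how the encrypted partition should be set up" becomes the imperative "Specify"; the other option descriptions in the visible context use third person ("Configures the data block size", "Takes at least one and at most three fields"), so "Specifies" is the consistent form. The same change is made for Compression= (line 840) and CompressionLevel= (line 887).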
@ -840,14 +837,13 @@
<varlistentry> <varlistentry>
<term><varname>Compression=</varname></term> <term><varname>Compression=</varname></term>
<listitem><para>Specifies the compression algorithm to use for the filesystem configured with <listitem><para>Specify the compression algorithm to use for the filesystem configured with
<varname>Format=</varname>. Takes a single argument specifying the compression algorithm.</para> <varname>Format=</varname>. Takes a single argument specifying the compression algorithm.</para>
<para>Note that this setting is only taken into account when the filesystem configured with <para>Note that this setting is only taken into account when the filesystem configured with
<varname>Format=</varname> supports compression ( <varname>Format=</varname> supports compression (btrfs, squashfs, erofs). Here's an incomplete list
<citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>, of compression algorithms supported by the filesystems known to
squashfs, erofs). Here's an incomplete list of compression algorithms supported by the filesystems <command>systemd-repart</command>:</para>
known to <command>systemd-repart</command>:</para>
<table> <table>
<title>File System Compression Algorithms</title> <title>File System Compression Algorithms</title>
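Review bot: Besides the "Specifies" to "Specify" change noted for EncryptedVolume=, the btrfs(8) reference in the parenthetical "(btrfs, squashfs, erofs)" is dropped. That is defensible for consistency with the unlinked squashfs and erofs, but it should match whatever is decided for the other btrfs references in this file (lines 606 and 808).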
@ -887,7 +883,7 @@
<varlistentry> <varlistentry>
<term><varname>CompressionLevel=</varname></term> <term><varname>CompressionLevel=</varname></term>
<listitem><para>Specifies the compression level to use for the filesystem configured with <listitem><para>Specify the compression level to use for the filesystem configured with
<varname>Format=</varname>. Takes a single argument specifying the compression level to use for the <varname>Format=</varname>. Takes a single argument specifying the compression level to use for the
configured compression algorithm. The possible compression levels and their meaning are filesystem configured compression algorithm. The possible compression levels and their meaning are filesystem
specific (refer to the filesystem's documentation for the exact meaning of a particular compression specific (refer to the filesystem's documentation for the exact meaning of a particular compression

View File

@ -485,7 +485,7 @@
<listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If
true, rules regarding routing of single-label names are relaxed. Defaults to false. By default, true, rules regarding routing of single-label names are relaxed. Defaults to false. By default,
lookups of single-label names are assumed to refer to local hosts to be resolved via local resolution lookups of single label names are assumed to refer to local hosts to be resolved via local resolution
such as LLMNR or via search domain qualification and are not routed to upstream servers as is. If such as LLMNR or via search domain qualification and are not routed to upstream servers as is. If
this option is enabled these rules are disabled and the queries are routed upstream anyway. Also see this option is enabled these rules are disabled and the queries are routed upstream anyway. Also see
the <varname>ResolveUnicastSingleLabel=</varname> option in the <varname>ResolveUnicastSingleLabel=</varname> option in
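Review bot: "single label names" drops the hyphen while the first sentence of the same paragraph, unchanged in this hunk, still says "single-label names". Keep "single-label" for consistency within the paragraph.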

View File

@ -81,7 +81,7 @@
<varlistentry> <varlistentry>
<term><option>--property=</option></term> <term><option>--property=</option></term>
<listitem><para>Sets a property of the service unit that is created. This option takes an assignment <listitem><para>Sets a property on the service unit that is created. This option takes an assignment
in the same format as in the same format as
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>set-property</command> command.</para> <command>set-property</command> command.</para>
@ -225,7 +225,7 @@
<term><option>--machine=</option></term> <term><option>--machine=</option></term>
<listitem> <listitem>
<para>Execute operation in a local container. Specify a container name to connect to.</para> <para>Execute operation on a local container. Specify a container name to connect to.</para>
<xi:include href="version-info.xml" xpointer="v256"/> <xi:include href="version-info.xml" xpointer="v256"/>
</listitem> </listitem>
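Review bot: "Execute operation on a local container" reads oddly since the operation runs inside the container; "in a local container" from the old text is the better preposition.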

View File

@ -1397,7 +1397,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<para>Note that this shows the <emphasis>effective</emphasis> block, i.e. the combination of <para>Note that this shows the <emphasis>effective</emphasis> block, i.e. the combination of
environment variables configured via configuration files, environment generators and via IPC environment variables configured via configuration files, environment generators and via IPC
(i.e. via the <command>set-environment</command> described below). At the moment a unit process (i.e. via the <command>set-environment</command> described below). At the moment a unit process
is forked off, this combined environment block will be further combined with per-unit environment is forked off this combined environment block will be further combined with per-unit environment
variables, which are not visible in this command.</para> variables, which are not visible in this command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
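Review bot: the right-hand side drops the comma after "At the moment a unit process is forked off", so the sentence runs into "this combined environment block" without a break; keep the comma as on the left.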

View File

@ -54,7 +54,7 @@
<listitem><para>The EFI Shell binary, if installed.</para></listitem> <listitem><para>The EFI Shell binary, if installed.</para></listitem>
<listitem><para>A <literal>Reboot Into Firmware Interface</literal> option, if supported by the UEFI <listitem><para>A <literal>Reboot Into Firmware Interface option</literal>, if supported by the UEFI
firmware.</para></listitem> firmware.</para></listitem>
<listitem><para>Secure Boot variables enrollment if the UEFI firmware is in setup-mode and files are provided <listitem><para>Secure Boot variables enrollment if the UEFI firmware is in setup-mode and files are provided
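Review bot: the right-hand side moves the word "option" inside the literal element ("Reboot Into Firmware Interface option"), which presents "option" as part of the boot menu entry's literal title. Keep the left-hand form, <literal>Reboot Into Firmware Interface</literal> option, so only the actual entry title is marked up literally.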

View File

@ -299,7 +299,7 @@
<varlistentry> <varlistentry>
<term><option>--unlock-tpm2-device=<replaceable>PATH</replaceable></option></term> <term><option>--unlock-tpm2-device=<replaceable>PATH</replaceable></option></term>
<listitem><para>Use a TPM2 device instead of a password/passphrase read from stdin to unlock the <listitem><para>Use a TPM2 device instead of a password/passhprase read from stdin to unlock the
volume. Expects a device node path referring to the TPM2 chip (e.g. <filename>/dev/tpmrm0</filename>). volume. Expects a device node path referring to the TPM2 chip (e.g. <filename>/dev/tpmrm0</filename>).
Alternatively the special value <literal>auto</literal> may be specified, in order to automatically Alternatively the special value <literal>auto</literal> may be specified, in order to automatically
determine the device node of a currently discovered TPM2 device (of which there must be exactly one). determine the device node of a currently discovered TPM2 device (of which there must be exactly one).
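Review bot: typo on the right-hand side of the --unlock-tpm2-device= description: "passhprase" should be "passphrase", as on the left.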

View File

@ -32,7 +32,7 @@
<arg choice="plain">VOLUME</arg> <arg choice="plain">VOLUME</arg>
<arg choice="plain">SOURCE-DEVICE</arg> <arg choice="plain">SOURCE-DEVICE</arg>
<arg choice="opt">KEY-FILE</arg> <arg choice="opt">KEY-FILE</arg>
<arg choice="opt">CRYPTTAB-OPTIONS</arg> <arg choice="opt">CONFIG</arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
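Review bot: the synopsis on the right-hand side renames the optional fourth argument from CRYPTTAB-OPTIONS to CONFIG. CRYPTTAB-OPTIONS says what the argument carries, as its name indicates the crypttab option string for the volume; CONFIG is generic and tells the reader nothing. Keep CRYPTTAB-OPTIONS unless the argument's semantics actually changed, which nothing in this hunk indicates.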
@ -150,7 +150,7 @@
<varlistentry> <varlistentry>
<term><varname>cryptsetup.luks2-pin</varname></term> <term><varname>cryptsetup.luks2-pin</varname></term>
<listitem><para>This credential specifies the pin requested by generic LUKS2 token modules.</para> <listitem><para>This credential specifies the PIN requested by generic LUKS2 token modules.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry> </varlistentry>

View File

@ -57,9 +57,7 @@
last check, number of mounts, unclean unmount, etc.</para> last check, number of mounts, unclean unmount, etc.</para>
<para><filename>systemd-fsck-root.service</filename> and <filename>systemd-fsck-usr.service</filename> <para><filename>systemd-fsck-root.service</filename> and <filename>systemd-fsck-usr.service</filename>
will activate <filename>reboot.target</filename> if will activate <filename>reboot.target</filename> if <command>fsck</command> returns the "System
<citerefentry project='man-pages'><refentrytitle>fsck</refentrytitle><manvolnum>8</manvolnum></citerefentry>
returns the "System
should reboot" condition, or <filename>emergency.target</filename> if <command>fsck</command> should reboot" condition, or <filename>emergency.target</filename> if <command>fsck</command>
returns the "Filesystem errors left uncorrected" condition.</para> returns the "Filesystem errors left uncorrected" condition.</para>
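Review bot: the right-hand side replaces the fsck(8) citerefentry in the systemd-fsck-root.service sentence with a bare <command>fsck</command>, losing the link to the page that documents the exit conditions ("System should reboot", "Filesystem errors left uncorrected") the paragraph depends on. Keep the cross reference.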

View File

@ -164,10 +164,9 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
used to view the log stream of a specific namespace. If the switch is not used the log stream of the used to view the log stream of a specific namespace. If the switch is not used the log stream of the
default namespace is shown, i.e. log data from other namespaces is not visible.</para> default namespace is shown, i.e. log data from other namespaces is not visible.</para>
<para>Services associated with a specific log namespace may log via <para>Services associated with a specific log namespace may log via syslog, the native logging protocol
<citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>, of the journal and via stdout/stderr; the logging from all three transports is associated with the
the native logging protocol of the journal and via stdout/stderr; the logging from all three transports namespace.</para>
is associated with the namespace.</para>
<para>By default only the default namespace will collect kernel and audit log messages.</para> <para>By default only the default namespace will collect kernel and audit log messages.</para>
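Review bot: the right-hand side reduces the syslog(3) citerefentry to the bare word "syslog" in the log-namespace paragraph; the cross reference is what tells the reader that the libc API (volume 3) is meant rather than a syslog daemon. Keep the citerefentry.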
@ -289,11 +288,8 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
<term><varname>systemd.journald.max_level_socket=</varname></term> <term><varname>systemd.journald.max_level_socket=</varname></term>
<listitem><para>Controls the maximum log level of messages that are stored in the journal, forwarded <listitem><para>Controls the maximum log level of messages that are stored in the journal, forwarded
to to syslog, kmsg, the console, the wall, or a socket. This kernel command line options override the
<citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>, settings of the same names in the
kmsg, the console,
<citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
or a socket. This kernel command line options override the settings of the same names in the
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
file.</para> file.</para>
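Review bot: the right-hand side of the systemd.journald.max_level_socket= hunk drops the syslog(3) and wall(1) cross references; keep them for the same reason as in the namespace paragraph above. Independently of which side is taken, "This kernel command line options override the settings" appears on both sides and should read "These kernel command line options override the settings" (plural subject).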

View File

@ -136,7 +136,6 @@
<member><citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>org.freedesktop.machine1</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>org.freedesktop.machine1</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para> </simplelist></para>
</refsect1> </refsect1>
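Review bot: the right-hand side removes the ssh(1) entry from the See Also list; nothing else in the hunk makes that reference obsolete, so keep the <member> line.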

View File

@ -57,9 +57,7 @@
<para>The returned mounts are automatically allowlisted in the per-user-namespace allowlist maintained by <para>The returned mounts are automatically allowlisted in the per-user-namespace allowlist maintained by
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> <citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para>The file systems are automatically <para>The file systems are automatically fsck'ed before mounting.</para>
<citerefentry project='man-pages'><refentrytitle>fsck</refentrytitle><manvolnum>8</manvolnum></citerefentry>'ed
before mounting.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
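Review bot: the right-hand side replaces the fsck(8) citerefentry in "The file systems are automatically fsck'ed before mounting" with plain text. Keep the cross reference: a reader checking what is done to an image before it is mounted (the previous paragraph says these mounts are allowlisted per user namespace) will want the link to the tool that actually runs.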

View File

@ -140,7 +140,7 @@
<para>When running in unprivileged mode, some needed functionality is provided via <para>When running in unprivileged mode, some needed functionality is provided via
<citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
and and
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> <citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para>
</refsect1> </refsect1>
<refsect1> <refsect1>
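Review bot: the right-hand side drops the full stop after the systemd-nsresourced.service citerefentry, so the paragraph ends with "</citerefentry></para>" and no terminating period; keep the left-hand form.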

View File

@ -106,7 +106,7 @@
<listitem><para>This reads the combined TPM2 event log and writes it to STDOUT in <ulink <listitem><para>This reads the combined TPM2 event log and writes it to STDOUT in <ulink
url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Canonical Event Log url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Canonical Event Log
Format (CEL-JSON)</ulink>.</para> Format (CEL-JSON)</ulink> format.</para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem> <xi:include href="version-info.xml" xpointer="v255"/></listitem>
</varlistentry> </varlistentry>
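Review bot: the right-hand side reads "TCG Canonical Event Log Format (CEL-JSON) format", repeating "format"; the left-hand "... Format (CEL-JSON)." is correct.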
@ -387,10 +387,8 @@
<listitem><para>Generates/removes a <filename>.pcrlock</filename> file based on a kernel initrd cpio <listitem><para>Generates/removes a <filename>.pcrlock</filename> file based on a kernel initrd cpio
archive. This is useful for predicting measurements the Linux kernel makes to PCR 9 archive. This is useful for predicting measurements the Linux kernel makes to PCR 9
("kernel-initrd"). Do not use for ("kernel-initrd"). Do not use for <command>systemd-stub</command> UKIs, as the initrd is combined
<citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> dynamically from various sources and hence does not take a single input, like this command.</para>
UKIs, as the initrd is combined dynamically from various sources and hence does not take a single
input, like this command.</para>
<para>This writes/removes the file <para>This writes/removes the file
<filename>/var/lib/pcrlock.d/720-kernel-initrd.pcrlock/generated.pcrlock</filename>.</para> <filename>/var/lib/pcrlock.d/720-kernel-initrd.pcrlock/generated.pcrlock</filename>.</para>
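Review bot: the right-hand side of the lock-kernel-initrd description reduces the systemd-stub(7) citerefentry to a bare <command>systemd-stub</command>. The warning here (do not use this command for systemd-stub UKIs, because the initrd is assembled dynamically from several sources) is exactly where the reader needs the link to the stub's documentation to understand what is measured into PCR 9 instead. Keep the cross reference.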
@ -523,7 +521,7 @@
<varlistentry> <varlistentry>
<term><option>--pcrlock=</option></term> <term><option>--pcrlock=</option></term>
<listitem><para>Takes a file system path as argument. If specified, configures where to write the <listitem><para>Takes a file system path as argument. If specified overrides where to write the
generated pcrlock data to. Honoured by the various <command>lock-*</command> commands. If not generated pcrlock data to. Honoured by the various <command>lock-*</command> commands. If not
specified, a default path is generally used, as documented above.</para> specified, a default path is generally used, as documented above.</para>
@ -533,7 +531,7 @@
<varlistentry> <varlistentry>
<term><option>--policy=</option></term> <term><option>--policy=</option></term>
<listitem><para>Takes a file system path as argument. If specified, configures where to write pcrlock <listitem><para>Takes a file system path as argument. If specified overrides where to write pcrlock
policy metadata to. If not specified defaults to policy metadata to. If not specified defaults to
<filename>/var/lib/systemd/pcrlock.json</filename>.</para> <filename>/var/lib/systemd/pcrlock.json</filename>.</para>
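Review bot: "If specified overrides where to write ..." on the right-hand side of both the --pcrlock= hunk above and this --policy= hunk is missing the comma after the conditional clause and reads as if "specified" were the subject; the left-hand "If specified, configures where to write ..." is clearer. Keep it in both places.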

View File

@ -53,7 +53,7 @@
might be broken — the running PID 1 could still depend on libraries which are not available any more, might be broken — the running PID 1 could still depend on libraries which are not available any more,
thus keeping the file system busy, which then cannot be re-mounted read-only.</para> thus keeping the file system busy, which then cannot be re-mounted read-only.</para>
<para>Shortly before executing the actual system power-off/halt/reboot/kexec, <para>Shortly before executing the actual system power-off/halt/reboot/kexec
<filename>systemd-shutdown</filename> will run all executables in <filename>systemd-shutdown</filename> will run all executables in
<filename>/usr/lib/systemd/system-shutdown/</filename> and pass one arguments to them: either <filename>/usr/lib/systemd/system-shutdown/</filename> and pass one arguments to them: either
<literal>poweroff</literal>, <literal>halt</literal>, <literal>reboot</literal>, or <literal>poweroff</literal>, <literal>halt</literal>, <literal>reboot</literal>, or
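Review bot: the right-hand side drops the comma after "power-off/halt/reboot/kexec", so "kexec systemd-shutdown will run" parses as one noun phrase; keep the comma. Also, on both sides, "pass one arguments to them" should be "pass one argument to them".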

View File

@ -569,7 +569,7 @@
(sysext, see (sysext, see
<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details), configuration extension (confext) or <ulink for details), configuration extension (confext) or <ulink
url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>. The generated image will consist url="https://systemd.io/PORTABLE_SERVICES">portable service</ulink>. The generated image will consist
of a signed Verity <literal>erofs</literal> file system as root partition. In this mode of operation of a signed Verity <literal>erofs</literal> file system as root partition. In this mode of operation
the partition definitions in <filename>/usr/lib/repart.d/*.conf</filename> and related directories the partition definitions in <filename>/usr/lib/repart.d/*.conf</filename> and related directories
are not read, and <option>--definitions=</option> is not supported, as appropriate definitions for are not read, and <option>--definitions=</option> is not supported, as appropriate definitions for
@ -605,11 +605,10 @@
<varlistentry> <varlistentry>
<term><option>--generate-fstab=<replaceable>PATH</replaceable></option></term> <term><option>--generate-fstab=<replaceable>PATH</replaceable></option></term>
<listitem><para>Specifies a path where to write <listitem><para>Specifies a path where to write fstab entries for the mountpoints configured with
<citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry> <option>MountPoint=</option> in the root directory specified with <option>--copy-source=</option> or
entries for the mountpoints configured with <option>MountPoint=</option> in the root directory <option>--root=</option> or in the host's root directory if neither is specified. Disabled by
specified with <option>--copy-source=</option> or <option>--root=</option> or in the host's root default.</para>
directory if neither is specified. Disabled by default.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry> </varlistentry>
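Review bot: the right-hand side of the --generate-fstab= description removes the fstab(5) citerefentry and says just "fstab entries"; keep the link, since fstab(5) defines the entry format this option emits.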
@ -681,7 +680,7 @@ systemd-confext refresh</programlisting>
<title>Generate a system extension image and sign it via PKCS11</title> <title>Generate a system extension image and sign it via PKCS11</title>
<para>The following creates a system extension DDI (sysext) for an <para>The following creates a system extension DDI (sysext) for an
<filename>/usr/foo</filename> update and signs it with a hardware token via PKCS11:</para> <filename>/usr/foo</filename> update and signs it with a hardware token via PKCS11.</para>
<programlisting>mkdir -p tree/usr/lib/extension-release.d <programlisting>mkdir -p tree/usr/lib/extension-release.d
echo "Hello World" >tree/usr/foo echo "Hello World" >tree/usr/foo

View File

@ -343,10 +343,10 @@ search foobar.com barbar.com
<listitem><para><command>systemd-resolved</command> maintains the <listitem><para><command>systemd-resolved</command> maintains the
<filename>/run/systemd/resolve/stub-resolv.conf</filename> file for compatibility with traditional <filename>/run/systemd/resolve/stub-resolv.conf</filename> file for compatibility with traditional
Linux programs. This file lists the 127.0.0.53 DNS stub (see above) as the only DNS server. It also Linux programs. This file lists the 127.0.0.53 DNS stub (see above) as the only DNS server. It also
contains a list of search domains that are in use by <command>systemd-resolved</command>. The list of contains a list of search domains that are in use by systemd-resolved. The list of search domains is
search domains is always kept up-to-date. Note that always kept up-to-date. Note that <filename>/run/systemd/resolve/stub-resolv.conf</filename> should not
<filename>/run/systemd/resolve/stub-resolv.conf</filename> should not be used directly by applications, be used directly by applications, but only through a symlink from
but only through a symlink from <filename>/etc/resolv.conf</filename>. This file may be symlinked from <filename>/etc/resolv.conf</filename>. This file may be symlinked from
<filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs <filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs
to <command>systemd-resolved</command> with correct search domains settings. This mode of operation is to <command>systemd-resolved</command> with correct search domains settings. This mode of operation is
recommended.</para></listitem> recommended.</para></listitem>
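Review bot: the right-hand side of the stub-resolv.conf item demotes <command>systemd-resolved</command> to plain "systemd-resolved" in one sentence while the surrounding sentences in the same hunk keep the <command> markup; keep the markup consistent, as on the left.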

View File

@ -139,8 +139,7 @@ DefaultDependencies=no</programlisting>
<varname>Conflicts=umount.target</varname>)</para></listitem> <varname>Conflicts=umount.target</varname>)</para></listitem>
<listitem><para>If the unit publishes a service over D-Bus, the connection needs to be re-established <listitem><para>If the unit publishes a service over D-Bus, the connection needs to be re-established
after soft-reboot as the D-Bus broker will be stopped and then started again. When using the after soft-reboot as the D-Bus broker will be stopped and then started again. When using the sd-bus
<citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>
library this can be achieved by adapting the following example. library this can be achieved by adapting the following example.
<programlisting><xi:include href="sd_bus_service_reconnect.c" parse="text"/></programlisting> <programlisting><xi:include href="sd_bus_service_reconnect.c" parse="text"/></programlisting>
</para></listitem> </para></listitem>
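Review bot: the right-hand side of the soft-reboot D-Bus item replaces the sd-bus(3) citerefentry with the plain words "sd-bus library"; the item then presents an sd-bus example (sd_bus_service_reconnect.c) without any link to the library's documentation. Keep the cross reference.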

View File

@ -34,9 +34,9 @@
<para><command>systemd-ssh-generator</command> binds a socket-activated SSH server to local <para><command>systemd-ssh-generator</command> binds a socket-activated SSH server to local
<constant>AF_VSOCK</constant> and <constant>AF_UNIX</constant> sockets under certain conditions. It only <constant>AF_VSOCK</constant> and <constant>AF_UNIX</constant> sockets under certain conditions. It only
has an effect if the has an effect if the <citerefentry
<citerefentry project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> binary is
binary is installed. Specifically, it does the following:</para> installed. Specifically, it does the following:</para>
<itemizedlist> <itemizedlist>
<listitem><para>If invoked in a VM with <constant>AF_VSOCK</constant> support, a socket-activated SSH <listitem><para>If invoked in a VM with <constant>AF_VSOCK</constant> support, a socket-activated SSH
@ -71,14 +71,14 @@
<para>The generator will use a packaged <filename>sshd@.service</filename> service template file if one <para>The generator will use a packaged <filename>sshd@.service</filename> service template file if one
exists, and otherwise generate a suitable service template file.</para> exists, and otherwise generate a suitable service template file.</para>
<para><command>systemd-ssh-generator</command> implements <para><filename>systemd-ssh-generator</filename> implements
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>Kernel Command Line</title> <title>Kernel Command Line</title>
<para><command>systemd-ssh-generator</command> understands the following <para><filename>systemd-ssh-generator</filename> understands the following
<citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>
parameters:</para> parameters:</para>
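Review bot: the right-hand side marks the program name up as <filename>systemd-ssh-generator</filename> in both paragraphs of this hunk, while the Description paragraph of the same file (the hunk above) uses <command>systemd-ssh-generator</command> on both sides; use <command> consistently for a program named in running text.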
@ -102,9 +102,8 @@
times to bind multiple sockets. The syntax should follow the one of <varname>ListenStream=</varname>, times to bind multiple sockets. The syntax should follow the one of <varname>ListenStream=</varname>,
see see
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This functionality supports all socket families for details. This functionality supports all socket families systemd supports, including
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> supports, <constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
including <constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry> </varlistentry>
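Review bot: the right-hand side of the listen-address hunk drops the systemd(1) citerefentry and says "all socket families systemd supports"; keep the link, which points the reader at where the supported families are defined.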

View File

@ -77,7 +77,7 @@ Host .host
<para>This tool is supposed to be used together with <para>This tool is supposed to be used together with
<citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> <citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
which when run inside a VM or container will bind SSH to suitable which when run inside a VM or container will bind SSH to suitable
addresses. <command>systemd-ssh-generator</command> is supposed to run in the container or VM guest, and addresses. <command>systemd-ssh-generator</command> is supposed to run in the container of VM guest, and
<command>systemd-ssh-proxy</command> is run on the host, in order to connect to the container or VM <command>systemd-ssh-proxy</command> is run on the host, in order to connect to the container or VM
guest.</para> guest.</para>
</refsect1> </refsect1>
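Review bot: typo on the right-hand side: "run in the container of VM guest" should be "run in the container or VM guest", as on the left; the sentence contrasts the guest side (generator) with the host side (proxy).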

View File

@ -43,7 +43,7 @@
<para><citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry> uses <para><citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry> uses
<command>systemd-stdio-bridge</command> to forward D-Bus connections over <command>systemd-stdio-bridge</command> to forward D-Bus connections over
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
or to connect to the bus of a different user, see or to connect to the bus of a different user, see
<citerefentry><refentrytitle>sd_bus_set_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>. <citerefentry><refentrytitle>sd_bus_set_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
</para> </para>
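Review bot: the right-hand side changes the ssh(1) citerefentry from project='man-pages' to project='die-net'; the systemd-ssh-generator hunk above keeps project="man-pages" for sshd(8) on both sides, so this makes the link targets inconsistent across the pages in this compare. Keep project='man-pages'.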

View File

@ -209,7 +209,7 @@
images to the initrd. See images to the initrd. See
<citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for <citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
details on configuration extension images. The generated <command>cpio</command> archive containing details on configuration extension images. The generated <command>cpio</command> archive containing
these configuration extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem> these system extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem>
<listitem><para>Similarly, files <listitem><para>Similarly, files
<filename><replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename> are loaded and verified as <filename><replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename> are loaded and verified as
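Review bot: the right-hand side says the generated cpio archive "containing these system extension images is measured into TPM PCR 12", but the same sentence and the line before it are about configuration extension images (confext, see systemd-confext(8)); "these configuration extension images" on the left is the correct wording. This matters for anyone writing PCR 12 policy, since the sentence states what is actually measured there.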

View File

@ -141,7 +141,7 @@
but the used architecture identifiers are the same as for <varname>ConditionArchitecture=</varname> but the used architecture identifiers are the same as for <varname>ConditionArchitecture=</varname>
described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
<varname>EXTENSION_RELOAD_MANAGER=</varname> can be set to 1 if the extension requires a service manager reload after application <varname>EXTENSION_RELOAD_MANAGER=</varname> can be set to 1 if the extension requires a service manager reload after application
of the extension. Note that for the reasons mentioned earlier, of the extension. Note that for the reasons mentioned earlier:
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> remain <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> remain
the recommended way to ship system services. the recommended way to ship system services.
@ -206,13 +206,13 @@
the underlying host <filename>/usr/</filename> is managed as immutable disk image or is a traditional the underlying host <filename>/usr/</filename> is managed as immutable disk image or is a traditional
package manager controlled (i.e. writable) tree.</para> package manager controlled (i.e. writable) tree.</para>
<para>With <command>systemd-confext</command> one can perform runtime reconfiguration of OS services. <para>With systemd-confext one can perform runtime reconfiguration of OS services.
Sometimes, there is a need to swap certain configuration parameter values or restart only a specific Sometimes, there is a need to swap certain configuration parameter values or restart only a specific
service without deployment of new code or a complete OS deployment. In other words, we want to be able service without deployment of new code or a complete OS deployment. In other words, we want to be able
to tie the most frequently configured options to runtime updateable flags that can be changed without a to tie the most frequently configured options to runtime updateable flags that can be changed without a
system reboot. This will help reduce servicing times when there is a need for changing the OS configuration. system reboot. This will help reduce servicing times when there is a need for changing the OS configuration.
It also provides a reliable tool for managing configuration because all old configuration files disappear when It also provides a reliable tool for managing configuration because all old configuration files disappear when
the <command>systemd-confext</command> image is removed.</para></refsect1> the systemd-confext image is removed.</para></refsect1>
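Review bot: the right-hand side drops the <command> markup around "systemd-confext" in two places in this hunk while the rest of the page marks the tool name up; keep <command>systemd-confext</command> as on the left.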
<refsect1> <refsect1>
<title>Mutability</title> <title>Mutability</title>

View File

@ -30,7 +30,7 @@
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para><command>systemd-tpm2-generator</command> is a generator that adds a <varname>Wants=</varname> <para><filename>systemd-tpm2-generator</filename> is a generator that adds a <varname>Wants=</varname>
dependency from <filename>sysinit.target</filename> to <filename>tpm2.target</filename> when it detects dependency from <filename>sysinit.target</filename> to <filename>tpm2.target</filename> when it detects
that the firmware discovered a TPM2 device but the OS kernel so far did that the firmware discovered a TPM2 device but the OS kernel so far did
not. <filename>tpm2.target</filename> is supposed to act as synchronization point for all services that not. <filename>tpm2.target</filename> is supposed to act as synchronization point for all services that
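Review bot: <filename>systemd-tpm2-generator</filename> on the right-hand side (here and in the following hunk) marks the program name up as a file; the left-hand <command> is the right element for a program named in running text, and is the choice made for systemd-ssh-generator elsewhere in this compare.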
@ -45,7 +45,7 @@
for it yet. The latter might be useful in environments where a suitable TPM2 driver for the available for it yet. The latter might be useful in environments where a suitable TPM2 driver for the available
hardware is not available.</para> hardware is not available.</para>
<para><command>systemd-tpm2-generator</command> implements <para><filename>systemd-tpm2-generator</filename> implements
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
</refsect1> </refsect1>

View File

@ -45,7 +45,7 @@
file descriptors must be passed with the names <literal>kvm</literal> and <literal>vhost-vsock</literal> file descriptors must be passed with the names <literal>kvm</literal> and <literal>vhost-vsock</literal>
respectively.</para> respectively.</para>
<para>Note: on Ubuntu/Debian derivatives <command>systemd-vmspawn</command> requires the user to be in the <para>Note: on Ubuntu/Debian derivatives systemd-vmspawn requires the user to be in the
<literal>kvm</literal> group to use the VSOCK options.</para> <literal>kvm</literal> group to use the VSOCK options.</para>
</refsect1> </refsect1>
@ -420,8 +420,7 @@
for more information.</para> for more information.</para>
<para>By default <literal>ed25519</literal> keys are generated, however <literal>rsa</literal> keys <para>By default <literal>ed25519</literal> keys are generated, however <literal>rsa</literal> keys
may also be useful if the VM has a particularly old version of may also be useful if the VM has a particularly old version of <command>sshd</command>.</para>
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<xi:include href="version-info.xml" xpointer="v256"/> <xi:include href="version-info.xml" xpointer="v256"/>
</listitem> </listitem>
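Review bot: the right-hand side of the key-type sentence drops the sshd(8) citerefentry and leaves a bare <command>sshd</command>; keep the cross reference, as the sentence is about a specific version of that daemon's key support.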

View File

@ -46,7 +46,7 @@
<para>If the specified path does not reference a <literal>.v/</literal> path (i.e. neither the final <para>If the specified path does not reference a <literal>.v/</literal> path (i.e. neither the final
component ends in <literal>.v</literal>, nor the penultimate does or the final one does contain a triple component ends in <literal>.v</literal>, nor the penultimate does or the final one does contain a triple
underscore) its specified path is written unmodified to standard output.</para> underscore) it specified path is written unmodified to standard output.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
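Review bot: typo on the right-hand side: "it specified path is written unmodified" should be "its specified path is written unmodified", as on the left.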

View File

@ -378,7 +378,7 @@
<para>This setting is useful to configure the <literal>ID_NET_MANAGED_BY=</literal> property which <para>This setting is useful to configure the <literal>ID_NET_MANAGED_BY=</literal> property which
declares which network management service shall manage the interface, which is respected by declares which network management service shall manage the interface, which is respected by
<command>systemd-networkd</command> and others. Use systemd-networkd and others. Use
<programlisting>Property=ID_NET_MANAGED_BY=io.systemd.Network</programlisting> <programlisting>Property=ID_NET_MANAGED_BY=io.systemd.Network</programlisting>
to declare explicitly that <command>systemd-networkd</command> shall manage the interface, or set to declare explicitly that <command>systemd-networkd</command> shall manage the interface, or set
the property to something else to declare explicitly it shall not do so. See the property to something else to declare explicitly it shall not do so. See
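Review bot: the right-hand side loses the `<command>` markup around systemd-networkd in the first sentence while the same paragraph keeps `<command>systemd-networkd</command>` two lines later, which is inconsistent within one paragraph; keep the markup in both places.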
@ -974,10 +974,10 @@
<listitem> <listitem>
<para>Configures Receive Packet Steering (RPS) list of CPUs to which RPS may forward traffic. <para>Configures Receive Packet Steering (RPS) list of CPUs to which RPS may forward traffic.
Takes a list of CPU indices or ranges separated by either whitespace or commas. Alternatively, Takes a list of CPU indices or ranges separated by either whitespace or commas. Alternatively,
takes the special value <literal>all</literal>, which will include all available CPUs in the mask. takes the special value <literal>all</literal> in which will include all available CPUs in the mask.
CPU ranges are specified by the lower and upper CPU indices separated by a dash (e.g. <literal>2-6</literal>). CPU ranges are specified by the lower and upper CPU indices separated by a dash (e.g. <literal>2-6</literal>).
This option may be specified more than once, in which case the specified list of CPU ranges are merged. This option may be specified more than once, in which case the specified CPU affinity masks are merged.
If an empty string is assigned, the list is reset, all assignments prior to this will have no effect. If an empty string is assigned, the mask is reset, all assignments prior to this will have no effect.
Defaults to unset and RPS CPU list is unchanged. To disable RPS when it was previously enabled, use the Defaults to unset and RPS CPU list is unchanged. To disable RPS when it was previously enabled, use the
special value <literal>disable</literal>.</para> special value <literal>disable</literal>.</para>
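Review bot: the right-hand wording of the second sentence, "takes the special value `all` in which will include all available CPUs", is ungrammatical, and the later sentences on the right speak of a "mask" being merged and reset while the option is introduced as a list of CPUs; the left-hand wording ("which will include all available CPUs", "the specified list of CPU ranges are merged", "the list is reset") is consistent with the rest of the paragraph and should be kept.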

View File

@ -293,7 +293,7 @@
comes from unit fragments, i.e. generated from <filename>/etc/fstab</filename> by <citerefentry> comes from unit fragments, i.e. generated from <filename>/etc/fstab</filename> by <citerefentry>
<refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> or loaded from <refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> or loaded from
a manually configured mount unit, a combination of <varname>Requires=</varname> and <varname>StopPropagatedFrom=</varname> a manually configured mount unit, a combination of <varname>Requires=</varname> and <varname>StopPropagatedFrom=</varname>
dependencies is set on the backing device, otherwise only <varname>Requires=</varname> is used.</para> dependencies is set on the backing device. If doesn't, only <varname>Requires=</varname> is used.</para>
<xi:include href="version-info.xml" xpointer="v233"/></listitem> <xi:include href="version-info.xml" xpointer="v233"/></listitem>
</varlistentry> </varlistentry>
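Review bot: "If doesn't, only `Requires=` is used" in the right-hand column has no subject; the left-hand "otherwise only `Requires=` is used" is the correct form. This sentence decides whether `StopPropagatedFrom=` is set on the backing device, so the condition needs to read unambiguously.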
@ -556,7 +556,7 @@
for details. This setting is optional.</para> for details. This setting is optional.</para>
<para>If the type is <literal>overlay</literal>, and <literal>upperdir=</literal> or <para>If the type is <literal>overlay</literal>, and <literal>upperdir=</literal> or
<literal>workdir=</literal> are specified as options and the directories don't exist, they will be created. <literal>workdir=</literal> are specified as options and they don't exist, they will be created.
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
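Review bot: in the right-hand column of the last paragraph, "they don't exist" can refer either to the options or to the directories; the left-hand "the directories don't exist" names the referent and should be kept, since the sentence describes directories being created on the filesystem for overlay `upperdir=`/`workdir=`.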

View File

@ -27,19 +27,18 @@
attributes and the use of this information is configured. This page describes interface naming, i.e. what attributes and the use of this information is configured. This page describes interface naming, i.e. what
possible names may be generated. Those names are generated by the possible names may be generated. Those names are generated by the
<citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> <citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
builtin <command>net_id</command> and exported as builtin <command>net_id</command> and exported as udev properties
<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> (<varname>ID_NET_NAME_ONBOARD=</varname>, <varname>ID_NET_LABEL_ONBOARD=</varname>,
properties (<varname>ID_NET_NAME_ONBOARD=</varname>, <varname>ID_NET_LABEL_ONBOARD=</varname>,
<varname>ID_NET_NAME_PATH=</varname>, <varname>ID_NET_NAME_SLOT=</varname>).</para> <varname>ID_NET_NAME_PATH=</varname>, <varname>ID_NET_NAME_SLOT=</varname>).</para>
<para>Names and MAC addresses are derived from various stable device metadata attributes. Newer versions <para>Names and MAC addresses are derived from various stable device metadata attributes. Newer versions
of <command>systemd-udevd</command> take more of these attributes into account, improving (and thus of udev take more of these attributes into account, improving (and thus possibly changing) the names and
possibly changing) the names and addresses used for the same devices. Different versions of those addresses used for the same devices. Different versions of those generation rules are called "naming
generation rules are called "naming schemes". The default naming scheme is chosen at compilation time. schemes". The default naming scheme is chosen at compilation time. Usually this will be the latest
Usually this will be the latest implemented version, but it is also possible to set one of the older implemented version, but it is also possible to set one of the older versions to preserve
versions to preserve compatibility. This may be useful for example for distributions, which may introduce compatibility. This may be useful for example for distributions, which may introduce new versions of
new versions of systemd in stable releases without changing the naming scheme. The naming scheme may also systemd in stable releases without changing the naming scheme. The naming scheme may also be overridden
be overridden using the <varname>net.naming_scheme=</varname> kernel command line switch, see using the <varname>net.naming_scheme=</varname> kernel command line switch, see
<citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. <citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
Available naming schemes are described below.</para> Available naming schemes are described below.</para>
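Review bot: the right-hand side removes the `<citerefentry>` link to udev(7) in the first paragraph and replaces `<command>systemd-udevd</command>` with the looser "udev" in the second; the listed properties are produced by the `net_id` builtin of systemd-udevd, so the left-hand wording is more precise and keeps the cross-reference. Keep the left-hand text.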
@ -522,8 +521,7 @@
change introduced in <constant>v254</constant> by default.</para> change introduced in <constant>v254</constant> by default.</para>
<para>If we detect that a PCI device associated with a slot is a PCI bridge, we no longer set <para>If we detect that a PCI device associated with a slot is a PCI bridge, we no longer set
<varname>ID_NET_NAME_SLOT</varname>, reverting a change that was introduced in <varname>ID_NET_NAME_SLOT</varname>, reverting a change that was introduced in v251.</para>
<constant>v251</constant>.</para>
<xi:include href="version-info.xml" xpointer="v255"/> <xi:include href="version-info.xml" xpointer="v255"/>
</listitem> </listitem>
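Review bot: the version reference at the end of the paragraph is plain "v251" on the right but `<constant>v251</constant>` on the left, matching `<constant>v254</constant>` in the first line of this hunk; keep the `<constant>` markup for consistency.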
@ -710,7 +708,6 @@ net:naming:drvirtio_net:*
<para><simplelist type="inline"> <para><simplelist type="inline">
<member><citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><ulink url="https://systemd.io/PREDICTABLE_INTERFACE_NAMES">Predictable Network Interface Names</ulink></member> <member><ulink url="https://systemd.io/PREDICTABLE_INTERFACE_NAMES">Predictable Network Interface Names</ulink></member>
<member><citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para> </simplelist></para>
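Review bot: the right-hand See Also list drops the systemd-udevd.service(8) entry although the body of this page (see the earlier hunk in this file) refers readers to that page for the `net.naming_scheme=` kernel switch; keep the `<member>` line.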

View File

@ -34,16 +34,10 @@
for a general description of the syntax.</para> for a general description of the syntax.</para>
<para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>; <para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
other extensions are ignored. Virtual network devices are created as soon as other extensions are ignored. Virtual network devices are created as soon as networkd is
<command>systemd-networkd</command> is started if possible. If a netdev with the specified name already started. If a netdev with the specified name already exists, networkd will use that as-is rather
exists, <command>systemd-networkd</command> will try to update the config if the kind of the existing than create its own. Note that the settings of the pre-existing netdev will not be changed by
netdev is equivalent to the requested one, otherwise (e.g. when bridge device <filename>foo</filename> networkd.</para>
exists but bonding device with the same name is configured in a .netdev file) use the existing netdev
as-is rather than replacing with the requested netdev. Note, several settings (e.g. vlan ID) cannot be
changed after the netdev is created. To change such settings, it is necessary to first remove the
existing netdev, and then run <command>networkctl reload</command> command or restart
<command>systemd-networkd</command>. See also
<citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
<para>The <filename>.netdev</filename> files are read from the files located in the system network <para>The <filename>.netdev</filename> files are read from the files located in the system network
directory <filename>/usr/lib/systemd/network</filename> and directory <filename>/usr/lib/systemd/network</filename> and
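Review bot: the two sides describe different behaviour when a netdev of the requested name already exists. The left says systemd-networkd updates the configuration when the existing netdev is of the same kind and only uses it as-is when the kinds differ, and adds that settings such as the VLAN ID cannot be changed without removing the netdev and running `networkctl reload` or restarting the service; the right says only that the existing netdev is used as-is and left unchanged. That is a statement about behaviour, not wording, so whichever description matches the implementation must be the one kept; the left-hand text is the more complete one and also retains the `<command>` and `<citerefentry>` markup. In the first sentence, "as soon as networkd is started" should likewise stay `<command>systemd-networkd</command>`.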
@ -594,7 +588,7 @@
<para>Controls the threshold for broadcast queueing of the macvlan device. Takes the special value <para>Controls the threshold for broadcast queueing of the macvlan device. Takes the special value
<literal>no</literal>, or an integer in the range 0…2147483647. When <literal>no</literal> is <literal>no</literal>, or an integer in the range 0…2147483647. When <literal>no</literal> is
specified, the broadcast queueing is disabled altogether. When an integer is specified, a multicast specified, the broadcast queueing is disabled altogether. When an integer is specified, a multicast
address will be queued as broadcast if the number of devices using the macvlan is greater than the given address will be queued as broadcast if the number of devices using it is greater than the given
value. Defaults to unset, and the kernel default will be used.</para> value. Defaults to unset, and the kernel default will be used.</para>
<xi:include href="version-info.xml" xpointer="v256"/> <xi:include href="version-info.xml" xpointer="v256"/>
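Review bot: "the number of devices using it" in the right-hand column is ambiguous after two candidate nouns (the multicast address and the macvlan device); the left-hand "the number of devices using the macvlan" is explicit and should be kept.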
@ -1935,8 +1929,7 @@
the <command>wg genkey</command> command the <command>wg genkey</command> command
(see <citerefentry project='man-pages'><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>). (see <citerefentry project='man-pages'><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
Specially, if the specified key is prefixed with <literal>@</literal>, it is interpreted as Specially, if the specified key is prefixed with <literal>@</literal>, it is interpreted as
the name of the credential from which the actual key shall be read. the name of the credential from which the actual key shall be read. <command>systemd-networkd.service</command>
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
automatically imports credentials matching <literal>network.wireguard.*</literal>. For more details automatically imports credentials matching <literal>network.wireguard.*</literal>. For more details
on credentials, refer to on credentials, refer to
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
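Review bot: the right-hand side turns the `<citerefentry>` to systemd-networkd.service(8) into a bare `<command>` in the middle of the paragraph, losing the link from the `network.wireguard.*` credential import to the service page that documents it; keep the left-hand cross-reference. Both sides also open the sentence with "Specially," where "Specifically," or "In particular," is meant; worth fixing while this paragraph is being touched, as it is the one that tells readers how to keep the WireGuard private key out of the world-readable .netdev file.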
@ -2090,7 +2083,7 @@
i.e. the packets that pass through the tunnel itself. To cause packets to be sent via the tunnel in i.e. the packets that pass through the tunnel itself. To cause packets to be sent via the tunnel in
the first place, an appropriate route needs to be added as well — either in the the first place, an appropriate route needs to be added as well — either in the
<literal>[Routes]</literal> section on the <literal>.network</literal> matching the wireguard <literal>[Routes]</literal> section on the <literal>.network</literal> matching the wireguard
interface, or externally to <command>systemd-networkd</command>.</para> interface, or externally to <filename>systemd-networkd</filename>.</para>
<xi:include href="version-info.xml" xpointer="v237"/> <xi:include href="version-info.xml" xpointer="v237"/>
</listitem> </listitem>
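Review bot: systemd-networkd is a program, so `<filename>systemd-networkd</filename>` on the right-hand side of the last sentence is the wrong element; keep the left-hand `<command>systemd-networkd</command>`.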
@ -2977,7 +2970,7 @@ Independent=yes</programlisting>
<title>See Also</title> <title>See Also</title>
<para><simplelist type="inline"> <para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-network-generator.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd-network-generator.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
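Review bot: the right-hand See Also entry uses the refentrytitle `systemd-networkd`, while the left-hand entry and the other references in this compare (e.g. the WireGuard credentials paragraph) use `systemd-networkd.service`; keep the left-hand `<member>` for consistency.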

View File

@ -887,7 +887,7 @@ DuplicateAddressDetection=none</programlisting></para>
from the network interface will be appear as coming from the local host. Typically, this should be from the network interface will be appear as coming from the local host. Typically, this should be
enabled on the downstream interface of routers. Takes one of <literal>ipv4</literal>, enabled on the downstream interface of routers. Takes one of <literal>ipv4</literal>,
<literal>ipv6</literal>, <literal>both</literal>, or <literal>no</literal>. Defaults to <literal>ipv6</literal>, <literal>both</literal>, or <literal>no</literal>. Defaults to
<literal>no</literal>. Note that any positive boolean values such as <literal>yes</literal> or <literal>no</literal>. Note. Any positive boolean values such as <literal>yes</literal> or
<literal>true</literal> are now deprecated. Please use one of the values above. Specifying <literal>true</literal> are now deprecated. Please use one of the values above. Specifying
<literal>ipv4</literal> or <literal>both</literal> implies <varname>IPv4Forwarding=</varname> <literal>ipv4</literal> or <literal>both</literal> implies <varname>IPv4Forwarding=</varname>
settings in both .network file for this interface and the global settings in both .network file for this interface and the global
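Review bot: "Note. Any positive boolean values such as ..." on the right-hand side is a sentence fragment; the left-hand "Note that any positive boolean values such as ... are now deprecated" reads correctly. Both sides also carry "will be appear as coming from the local host" in the first line of the hunk; drop "be" while editing this paragraph.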
@ -928,8 +928,8 @@ DuplicateAddressDetection=none</programlisting></para>
<para>Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support for the interface. <para>Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support for the interface.
If true, RAs are accepted; if false, RAs are ignored. When RAs are accepted, they may trigger the If true, RAs are accepted; if false, RAs are ignored. When RAs are accepted, they may trigger the
start of the DHCPv6 client if the relevant flags are set in the RA data, or if no routers are found start of the DHCPv6 client if the relevant flags are set in the RA data, or if no routers are found
on the link. Defaults to false for bridge devices, when <varname>IPv6Forwarding=</varname>, on the link. Defaults to false for bridge devices, when IP forwarding is enabled,
<varname>IPv6SendRA=</varname>, or <varname>KeepMaster=</varname> is enabled. Otherwise, enabled by <varname>IPv6SendRA=</varname> or <varname>KeepMaster=</varname> is enabled. Otherwise, enabled by
default. Cannot be enabled on devices aggregated in a bond device or when link-local addressing is default. Cannot be enabled on devices aggregated in a bond device or when link-local addressing is
disabled.</para> disabled.</para>
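Review bot: the right-hand side states that `IPv6AcceptRA=` defaults to false "when IP forwarding is enabled", while the left names the specific setting `<varname>IPv6Forwarding=</varname>` alongside `IPv6SendRA=` and `KeepMaster=`. "IP forwarding" could be read as IPv4 forwarding too, and this default decides whether an interface on a router accepts RAs at all, so keep the left-hand wording that names the exact setting and its `<varname>` markup.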
@ -993,9 +993,9 @@ DuplicateAddressDetection=none</programlisting></para>
whether the <emphasis>source</emphasis> of the packet would be routed through the interface it came in. If there is no whether the <emphasis>source</emphasis> of the packet would be routed through the interface it came in. If there is no
route to the source on that interface, the machine will drop the packet. Takes one of route to the source on that interface, the machine will drop the packet. Takes one of
<literal>no</literal>, <literal>strict</literal>, or <literal>loose</literal>. When <literal>no</literal>, <literal>no</literal>, <literal>strict</literal>, or <literal>loose</literal>. When <literal>no</literal>,
no source validation will be done. When <literal>strict</literal>, each incoming packet is tested against the FIB and no source validation will be done. When <literal>strict</literal>, mode each incoming packet is tested against the FIB and
if the incoming interface is not the best reverse path, the packet check will fail. By default failed packets are discarded. if the incoming interface is not the best reverse path, the packet check will fail. By default failed packets are discarded.
When <literal>loose</literal>, each incoming packet's source address is tested against the FIB. The packet is dropped When <literal>loose</literal>, mode each incoming packet's source address is tested against the FIB. The packet is dropped
only if the source address is not reachable via any interface on that router. only if the source address is not reachable via any interface on that router.
See <ulink url="https://tools.ietf.org/html/rfc1027">RFC 3704</ulink>. See <ulink url="https://tools.ietf.org/html/rfc1027">RFC 3704</ulink>.
When unset, the kernel's default will be used.</para> When unset, the kernel's default will be used.</para>
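Review bot: "When `strict`, mode each incoming packet" and "When `loose`, mode each incoming packet's" on the right-hand side have a stray "mode"; the left-hand wording without it is correct. Independently of the diff, both sides link the text "RFC 3704" to https://tools.ietf.org/html/rfc1027, which is a different document; the `<ulink url>` should point at RFC 3704 (https://tools.ietf.org/html/rfc3704, Ingress Filtering for Multihomed Networks), which defines the strict and loose reverse-path checks this option selects.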
@ -1084,10 +1084,9 @@ DuplicateAddressDetection=none</programlisting></para>
Advertisement messages intended for another machine by offering its own MAC address as Advertisement messages intended for another machine by offering its own MAC address as
destination. Unlike proxy ARP for IPv4, it is not enabled globally, but will only send destination. Unlike proxy ARP for IPv4, it is not enabled globally, but will only send
Neighbour Advertisement messages for addresses in the IPv6 neighbor proxy table, which can Neighbour Advertisement messages for addresses in the IPv6 neighbor proxy table, which can
also be shown by <command>ip -6 neighbour show proxy</command>. also be shown by <command>ip -6 neighbour show proxy</command>. systemd-networkd will control
<command>systemd-networkd</command> will control the per-interface `proxy_ndp` switch for each the per-interface `proxy_ndp` switch for each configured interface depending on this option.
configured interface depending on this option. When unset, the kernel's default will be used. When unset, the kernel's default will be used.</para>
</para>
<xi:include href="version-info.xml" xpointer="v234"/> <xi:include href="version-info.xml" xpointer="v234"/>
</listitem> </listitem>
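Review bot: the right-hand side demotes `<command>systemd-networkd</command>` to plain text at the start of the fourth sentence; keep the left-hand markup. Both sides write the sysctl as `` `proxy_ndp` `` with Markdown backticks, which DocBook renders literally; `<literal>proxy_ndp</literal>` is the correct element.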
@ -1097,7 +1096,7 @@ DuplicateAddressDetection=none</programlisting></para>
<term><varname>IPv6ProxyNDPAddress=</varname></term> <term><varname>IPv6ProxyNDPAddress=</varname></term>
<listitem> <listitem>
<para>An IPv6 address, for which Neighbour Advertisement messages will be proxied. This <para>An IPv6 address, for which Neighbour Advertisement messages will be proxied. This
option may be specified more than once. <command>systemd-networkd</command> will add the option may be specified more than once. systemd-networkd will add the
<varname>IPv6ProxyNDPAddress=</varname> entries to the kernel's IPv6 neighbor proxy table. <varname>IPv6ProxyNDPAddress=</varname> entries to the kernel's IPv6 neighbor proxy table.
This setting implies <varname>IPv6ProxyNDP=yes</varname> but has no effect if This setting implies <varname>IPv6ProxyNDP=yes</varname> but has no effect if
<varname>IPv6ProxyNDP=</varname> has been set to false. When unset, the kernel's default will <varname>IPv6ProxyNDP=</varname> has been set to false. When unset, the kernel's default will
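Review bot: "systemd-networkd will add" on the right-hand side lacks the `<command>` markup used for the program name elsewhere in this file; keep the left-hand `<command>systemd-networkd</command>`.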
@ -1226,9 +1225,9 @@ DuplicateAddressDetection=none</programlisting></para>
<varlistentry> <varlistentry>
<term><varname>ConfigureWithoutCarrier=</varname></term> <term><varname>ConfigureWithoutCarrier=</varname></term>
<listitem> <listitem>
<para>Takes a boolean. Allows <command>systemd-networkd</command> to configure a specific link even <para>Takes a boolean. Allows networkd to configure a specific link even if it has no
if it has no carrier. Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname> carrier. Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname> setting
setting is not explicitly set, then it is enabled as well.</para> is not explicitly set, then it is enabled as well.</para>
<para>With this enabled, to make the interface enter the <literal>configured</literal> state, <para>With this enabled, to make the interface enter the <literal>configured</literal> state,
which is required to make <command>systemd-networkd-wait-online</command> work properly for the which is required to make <command>systemd-networkd-wait-online</command> work properly for the
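Review bot: "Allows networkd to configure" on the right-hand side uses the informal short name; the left-hand `<command>systemd-networkd</command>` is the name used throughout the page and should be kept.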
@ -1456,11 +1455,11 @@ DuplicateAddressDetection=none</programlisting></para>
<command>ip maddr</command> command would not work if we have an Ethernet switch that does <command>ip maddr</command> command would not work if we have an Ethernet switch that does
IGMP snooping since the switch would not replicate multicast packets on ports that did not IGMP snooping since the switch would not replicate multicast packets on ports that did not
have IGMP reports for the multicast addresses. Linux vxlan interfaces created via have IGMP reports for the multicast addresses. Linux vxlan interfaces created via
<command>ip link add vxlan</command> or <command>systemd-networkd</command>'s netdev kind vxlan <command>ip link add vxlan</command> or networkd's netdev kind vxlan have the group option
have the group option that enables them to do the required join. By extending that enables them to do the required join. By extending <command>ip address</command> command
<command>ip address</command> command with option <literal>autojoin</literal> we can get similar with option <literal>autojoin</literal> we can get similar functionality for openvswitch (OVS)
functionality for openvswitch (OVS) vxlan interfaces as well as other tunneling mechanisms that vxlan interfaces as well as other tunneling mechanisms that need to receive multicast traffic.
need to receive multicast traffic. Defaults to <literal>no</literal>.</para> Defaults to <literal>no</literal>.</para>
<xi:include href="version-info.xml" xpointer="v232"/> <xi:include href="version-info.xml" xpointer="v232"/>
</listitem> </listitem>
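Review bot: "networkd's netdev kind vxlan" on the right-hand side should stay `<command>systemd-networkd</command>'s netdev kind vxlan, as on the left, for consistency with the rest of the page.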
@ -1786,7 +1785,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
<varlistentry> <varlistentry>
<term><varname>L3MasterDevice=</varname></term> <term><varname>L3MasterDevice=</varname></term>
<listitem> <listitem>
<para>Takes a boolean. Specifies whether the rule is to direct lookups to the tables associated with <para>A boolean. Specifies whether the rule is to direct lookups to the tables associated with
level 3 master devices (also known as Virtual Routing and Forwarding or VRF devices). level 3 master devices (also known as Virtual Routing and Forwarding or VRF devices).
For further details see <ulink url="https://docs.kernel.org/networking/vrf.html"> For further details see <ulink url="https://docs.kernel.org/networking/vrf.html">
Virtual Routing and Forwarding (VRF)</ulink>. Defaults to false.</para> Virtual Routing and Forwarding (VRF)</ulink>. Defaults to false.</para>
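Review bot: the right-hand side opens with "A boolean. Specifies whether", while the other boolean options in this compare (`ConfigureWithoutCarrier=`, `HomeAgent=`) use "Takes a boolean."; keep the left-hand phrasing.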
@ -2904,7 +2903,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
Note that if <varname>AllowList=</varname> is configured then <varname>DenyList=</varname> is Note that if <varname>AllowList=</varname> is configured then <varname>DenyList=</varname> is
ignored.</para> ignored.</para>
<para>Note that this filters only DHCP offers, so the filtering might not work when <para>Note that this filters only DHCP offers, so the filtering might not work when
<varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> above. <varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> in the above.
</para> </para>
<xi:include href="version-info.xml" xpointer="v246"/> <xi:include href="version-info.xml" xpointer="v246"/>
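Review bot: "See also `RapidCommit=` in the above" on the right-hand side is awkward; the left-hand "See also `RapidCommit=` above" is the usual form and should be kept.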
@ -3340,7 +3339,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
<term><varname>UseRedirect=</varname></term> <term><varname>UseRedirect=</varname></term>
<listitem> <listitem>
<para>When true (the default), Redirect message sent by the current first-hop router will be <para>When true (the default), Redirect message sent by the current first-hop router will be
accepted, and routes to redirected nodes will be configured.</para> accepted, and configures routes to redirected nodes will be configured.</para>
<xi:include href="version-info.xml" xpointer="v256"/> <xi:include href="version-info.xml" xpointer="v256"/>
</listitem> </listitem>
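Review bot: the right-hand "accepted, and configures routes to redirected nodes will be configured" has two competing verbs; the left-hand "accepted, and routes to redirected nodes will be configured" is correct. `UseRedirect=` controls whether an ICMPv6 Redirect from the first-hop router may alter the routing table, so the sentence stating what is done with such messages should be unambiguous.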
@ -4077,8 +4076,7 @@ ServerAddress=192.168.0.1/24</programlisting>
<para>Takes a boolean. When true, the DHCP server will load and save leases in the persistent <para>Takes a boolean. When true, the DHCP server will load and save leases in the persistent
storage. When false, the DHCP server will neither load nor save leases in the persistent storage. storage. When false, the DHCP server will neither load nor save leases in the persistent storage.
Hence, bound leases will be lost when the interface is reconfigured e.g. by Hence, bound leases will be lost when the interface is reconfigured e.g. by
<command>networkctl reconfigure</command>, or <command>networkctl reconfigure</command>, or <filename>systemd-networkd.service</filename>
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
is restarted. That may cause address conflict on the network. So, please take an extra care when is restarted. That may cause address conflict on the network. So, please take an extra care when
disable this setting. When unspecified, the value specified in the same setting in disable this setting. When unspecified, the value specified in the same setting in
<citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
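Review bot: the right-hand side replaces the `<citerefentry>` to systemd-networkd.service(8) with `<filename>systemd-networkd.service</filename>`, losing the link; keep the left-hand markup. Both sides also read "please take an extra care when disable this setting", which should be "take extra care when disabling this setting"; the paragraph warns about address conflicts when persisted leases are lost, so it deserves clean wording.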
@ -4262,7 +4260,7 @@ ServerAddress=192.168.0.1/24</programlisting>
<varlistentry> <varlistentry>
<term><varname>HomeAgent=</varname></term> <term><varname>HomeAgent=</varname></term>
<listitem><para>Takes a boolean. Specifies that IPv6 router advertisements indicate to hosts that <listitem><para>Takes a boolean. Specifies that IPv6 router advertisements which indicate to hosts that
the router acts as a Home Agent and includes a Home Agent option. Defaults to false. See the router acts as a Home Agent and includes a Home Agent option. Defaults to false. See
<ulink url="https://tools.ietf.org/html/rfc6275">RFC 6275</ulink> for further details.</para> <ulink url="https://tools.ietf.org/html/rfc6275">RFC 6275</ulink> for further details.</para>
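Review bot: "Specifies that IPv6 router advertisements which indicate to hosts that the router acts as a Home Agent and includes a Home Agent option" on the right-hand side never reaches a main verb after "which"; the left-hand version without "which" is a complete sentence and should be kept (and "includes" should agree with "advertisements" as "include" in either version).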
@ -4586,9 +4584,10 @@ ServerAddress=192.168.0.1/24</programlisting>
<varlistentry> <varlistentry>
<term><varname>Priority=</varname></term> <term><varname>Priority=</varname></term>
<listitem> <listitem>
<para>Sets the "priority" of sending packets on this interface. Each port in a bridge may have a <para>Sets the "priority" of sending packets on this interface.
different priority which is used to decide which link to use. Lower value means higher priority. Each port in a bridge may have a different priority which is used
It is an integer value between 0 to 63. <command>systemd-networkd</command> does not set any to decide which link to use. Lower value means higher priority.
It is an integer value between 0 to 63. Networkd does not set any
default, meaning the kernel default value of 32 is used.</para> default, meaning the kernel default value of 32 is used.</para>
<xi:include href="version-info.xml" xpointer="v234"/> <xi:include href="version-info.xml" xpointer="v234"/>
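Review bot: "Networkd does not set any default" on the right-hand side should be `<command>systemd-networkd</command>` as on the left. Both sides also say "between 0 to 63"; "between 0 and 63" is the correct idiom.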

View File

@ -896,7 +896,7 @@ CPUWeight=20 DisableControllers=cpu / \
<listitem> <listitem>
<para>Configures restrictions on the ability of unit processes to invoke <citerefentry <para>Configures restrictions on the ability of unit processes to invoke <citerefentry
project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry> on a project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry> on a
socket. Both allow and deny rules to be defined that restrict which addresses a socket may be bound socket. Both allow and deny rules may defined that restrict which addresses a socket may be bound
to.</para> to.</para>
<para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>, <para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>,
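Review bot: "Both allow and deny rules may defined" on the right-hand side is missing "be", and the left-hand "Both allow and deny rules to be defined that restrict" is not a complete sentence either; "Both allow and deny rules may be defined that restrict which addresses a socket may be bound to." fixes both. Since this setting restricts bind(2) as a sandboxing control, the description of how the rules combine should read clearly.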
@ -1673,8 +1673,7 @@ DeviceAllow=/dev/loop-control
<para>When <command>systemd-coredump</command> is handling a coredump for a process from a container, <para>When <command>systemd-coredump</command> is handling a coredump for a process from a container,
if the container's leader process is a descendant of a cgroup with <varname>CoredumpReceive=yes</varname> if the container's leader process is a descendant of a cgroup with <varname>CoredumpReceive=yes</varname>
and <varname>Delegate=yes</varname>, then <command>systemd-coredump</command> will attempt to forward and <varname>Delegate=yes</varname>, then <command>systemd-coredump</command> will attempt to forward
the coredump to <command>systemd-coredump</command> within the container. See also the coredump to <command>systemd-coredump</command> within the container.</para>
<citerefentry><refentrytitle>systemd-coredump</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<xi:include href="version-info.xml" xpointer="v255"/></listitem> <xi:include href="version-info.xml" xpointer="v255"/></listitem>
</varlistentry> </varlistentry>
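Review bot: the right-hand side drops the closing "See also" `<citerefentry>` to systemd-coredump(8); the paragraph describes forwarding coredumps across a container boundary, gated on `CoredumpReceive=yes` and `Delegate=yes`, so the pointer to the page documenting the receiving side is useful and should be kept.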

View File

@ -1437,7 +1437,7 @@
<para>The command line accepts <literal>%</literal> specifiers as described in <para>The command line accepts <literal>%</literal> specifiers as described in
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
<para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal>.</para> <para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal></para>
<para>Basic environment variable substitution is supported. Use <para>Basic environment variable substitution is supported. Use
<literal>${FOO}</literal> as part of a word, or as a word of its <literal>${FOO}</literal> as part of a word, or as a word of its
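Review bot: the right-hand side loses the full stop after `<literal>\;</literal>`, so the sentence now ends in `</literal></para>`; keep the trailing period from the left-hand version.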

View File

@ -120,8 +120,9 @@
<para>The timezone defaults to the current timezone if not specified explicitly. <para>The timezone defaults to the current timezone if not specified explicitly.
It may be given after a space, like above, in which case it can be: It may be given after a space, like above, in which case it can be:
<literal>UTC</literal>, <literal>UTC</literal>,
an entry in the installed IANA timezone database (e.g. <literal>CET</literal>, <literal>Asia/Tokyo</literal>, an entry in the installed IANA timezone database (<literal>CET</literal>, <literal>Asia/Tokyo</literal>, &amp;c.;
where the complete list can be obtained with <command>timedatectl list-timezones</command> (see complete list obtainable with <literal>timedatectl
list-timezones</literal> (see
<citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>)), <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>)),
or <literal>±<replaceable>05</replaceable></literal>, or <literal>±<replaceable>05</replaceable></literal>,
<literal>±<replaceable>05</replaceable><replaceable>30</replaceable></literal>, <literal>±<replaceable>05</replaceable><replaceable>30</replaceable></literal>,
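Review bot: two problems in the right-hand timezone sentence. `&amp;c.;` renders as "&c.;" with a stray semicolon, and `<literal>timedatectl list-timezones</literal>` is broken across a line break inside the literal element, so the rendered output can carry the newline into the command text. Use `e.g.` and keep the command on one line in a `<command>` element as the left-hand side does: `(e.g. <literal>CET</literal>, <literal>Asia/Tokyo</literal>, where the complete list can be obtained with <command>timedatectl list-timezones</command> (see ...))`.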

View File

@ -1238,9 +1238,9 @@
</itemizedlist> </itemizedlist>
<para>Signals sent to PID 1 before this message is sent might not be handled correctly yet. A consumer <para>Signals sent to PID 1 before this message is sent might not be handled correctly yet. A consumer
of these messages should parse the value as an unsigned integer that indicates the level of support. of these messages should parse the value as an unsigned integer indication the level of support. For
For now only the mentioned level 2 is defined, but later on additional levels might be defined with now only the mentioned level 2 is defined, but later on additional levels might be defined with higher
higher integers, that will implement a superset of the currently defined behaviour.</para> integers, that will implement a superset of the currently defined behaviour.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
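Review bot: grammar on the second line of the right-hand side: "an unsigned integer indication the level of support" should be "indicating the level of support" (or "that indicates", as the left-hand side has it). The re-wrapping of the paragraph otherwise changes nothing.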
@ -1389,8 +1389,8 @@
<term><option>--crash-action=</option></term> <term><option>--crash-action=</option></term>
<listitem><para>Specify what to do when the system manager (PID 1) crashes. This switch has no <listitem><para>Specify what to do when the system manager (PID 1) crashes. This switch has no
effect when <command>systemd</command> is running as user instance. See effect when systemd is running as user instance. See <varname>systemd.crash_action=</varname>
<varname>systemd.crash_action=</varname> above.</para> above.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry> </varlistentry>
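Review bot: the bare word "systemd" on the right-hand side loses the `<command>` markup used for program names elsewhere on this page; keep `when <command>systemd</command> is running as user instance`.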

View File

@ -222,8 +222,7 @@
<para>For the <command>inspect</command> verb, the second syntax is used. <para>For the <command>inspect</command> verb, the second syntax is used.
The section <replaceable>NAME</replaceable> will be inspected (if found). The section <replaceable>NAME</replaceable> will be inspected (if found).
If the second argument is <literal>text</literal>, the contents will be printed. If the second argument is <literal>text</literal>, the contents will be printed.
If the third argument is given, the contents will be saved to the file named If the third argument is given, the contents will be saved to file <replaceable>PATH</replaceable>.
<replaceable>PATH</replaceable>.
</para> </para>
<para>Note that the name is used as-is, and if the section name should start with a dot, it must be <para>Note that the name is used as-is, and if the section name should start with a dot, it must be

View File

@ -52,7 +52,7 @@
<para>User processes may be started by the <filename>user@.service</filename> instance, in which <para>User processes may be started by the <filename>user@.service</filename> instance, in which
case they will be part of that unit in the system hierarchy. They may also be started elsewhere, case they will be part of that unit in the system hierarchy. They may also be started elsewhere,
for example by for example by
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or a <citerefentry project='die-net'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or a
display manager like <command>gdm</command>, in which case they form a .scope unit (see display manager like <command>gdm</command>, in which case they form a .scope unit (see
<citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>). <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
Both <filename>user@<replaceable>UID</replaceable>.service</filename> and the scope units are Both <filename>user@<replaceable>UID</replaceable>.service</filename> and the scope units are
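Review bot: switching the sshd(8) citerefentry to `project='die-net'` changes which manual site the rendered cross-reference links to, while the bind(2) reference at the top of this compare keeps `project='man-pages'`. Unless the switch is applied to every external ssh/sshd/sshd_config reference (the same edit appears in three more hunks below), readers end up on two different sites for pages from the same source; pick one project value and use it consistently, and say in the commit message why the target changed.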
@ -145,7 +145,7 @@ Control group /:
</programlisting> </programlisting>
<para>User with UID 1000 is logged in using <command>gdm</command> (<filename <para>User with UID 1000 is logged in using <command>gdm</command> (<filename
index="false">session-4.scope</filename>) and index="false">session-4.scope</filename>) and
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> <citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
(<filename index="false">session-19.scope</filename>), and also has a user manager instance (<filename index="false">session-19.scope</filename>), and also has a user manager instance
running (<filename index="false">user@1000.service</filename>). User with UID 1001 is logged running (<filename index="false">user@1000.service</filename>). User with UID 1001 is logged
in using <command>ssh</command> (<filename index="false">session-20.scope</filename>) and in using <command>ssh</command> (<filename index="false">session-20.scope</filename>) and

View File

@ -416,7 +416,7 @@
<para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly <para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly
contained in a user record available to the SSH daemon for authentication. For that configure the contained in a user record available to the SSH daemon for authentication. For that configure the
following in <citerefentry following in <citerefentry
project='man-pages'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para> project='die-net'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>
<programlisting> <programlisting>
AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u

View File

@ -38,8 +38,9 @@ SignExpectedPcr=yes
[Content] [Content]
ExtraTrees= ExtraTrees=
mkosi.extra.common
mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
%O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
%O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
%O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig

View File

@ -6,7 +6,9 @@ Include=
%D/mkosi.sanitizers %D/mkosi.sanitizers
[Content] [Content]
ExtraTrees=%D/mkosi.extra.common ExtraTrees=
%D/mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
%D/mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
Packages= Packages=
findutils findutils
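Review bot: this hunk and the preceding mkosi.conf hunk replace the single `mkosi.extra.common` tree with explicit `ExtraTrees=` entries, and the same two destination paths (`/usr/lib/systemd/leak-sanitizer-suppressions` and `/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf`) end up listed in two configuration files. That is the layout from before these files were consolidated into one directory, which points to the branch being behind its merge base rather than to an intended change; rebase so the compare only carries the branch's own changes.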

View File

@ -1,12 +0,0 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
/* Root namespace inode numbers, as per include/linux/proc_ns.h in the kernel source tree, since v3.8:
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98f842e675f96ffac96e6c50315790912b2812be */
#define PROC_IPC_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFF))
#define PROC_UTS_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFE))
#define PROC_USER_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFD))
#define PROC_PID_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFC))
#define PROC_CGROUP_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFB))
#define PROC_TIME_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFA))

View File

@ -12,7 +12,6 @@
#include "fileio.h" #include "fileio.h"
#include "missing_fs.h" #include "missing_fs.h"
#include "missing_magic.h" #include "missing_magic.h"
#include "missing_namespace.h"
#include "missing_sched.h" #include "missing_sched.h"
#include "missing_syscall.h" #include "missing_syscall.h"
#include "mountpoint-util.h" #include "mountpoint-util.h"
@ -24,17 +23,17 @@
#include "user-util.h" #include "user-util.h"
const struct namespace_info namespace_info[_NAMESPACE_TYPE_MAX + 1] = { const struct namespace_info namespace_info[_NAMESPACE_TYPE_MAX + 1] = {
[NAMESPACE_CGROUP] = { "cgroup", "ns/cgroup", CLONE_NEWCGROUP, PROC_CGROUP_INIT_INO }, [NAMESPACE_CGROUP] = { "cgroup", "ns/cgroup", CLONE_NEWCGROUP, },
[NAMESPACE_IPC] = { "ipc", "ns/ipc", CLONE_NEWIPC, PROC_IPC_INIT_INO }, [NAMESPACE_IPC] = { "ipc", "ns/ipc", CLONE_NEWIPC, },
[NAMESPACE_NET] = { "net", "ns/net", CLONE_NEWNET, 0 }, [NAMESPACE_NET] = { "net", "ns/net", CLONE_NEWNET, },
/* So, the mount namespace flag is called CLONE_NEWNS for historical /* So, the mount namespace flag is called CLONE_NEWNS for historical
* reasons. Let's expose it here under a more explanatory name: "mnt". * reasons. Let's expose it here under a more explanatory name: "mnt".
* This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */ * This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
[NAMESPACE_MOUNT] = { "mnt", "ns/mnt", CLONE_NEWNS, 0 }, [NAMESPACE_MOUNT] = { "mnt", "ns/mnt", CLONE_NEWNS, },
[NAMESPACE_PID] = { "pid", "ns/pid", CLONE_NEWPID, PROC_PID_INIT_INO }, [NAMESPACE_PID] = { "pid", "ns/pid", CLONE_NEWPID, },
[NAMESPACE_USER] = { "user", "ns/user", CLONE_NEWUSER, PROC_USER_INIT_INO }, [NAMESPACE_USER] = { "user", "ns/user", CLONE_NEWUSER, },
[NAMESPACE_UTS] = { "uts", "ns/uts", CLONE_NEWUTS, PROC_UTS_INIT_INO }, [NAMESPACE_UTS] = { "uts", "ns/uts", CLONE_NEWUTS, },
[NAMESPACE_TIME] = { "time", "ns/time", CLONE_NEWTIME, PROC_TIME_INIT_INO }, [NAMESPACE_TIME] = { "time", "ns/time", CLONE_NEWTIME, },
{ /* Allow callers to iterate over the array without using _NAMESPACE_TYPE_MAX. */ }, { /* Allow callers to iterate over the array without using _NAMESPACE_TYPE_MAX. */ },
}; };
@ -480,28 +479,6 @@ int namespace_open_by_type(NamespaceType type) {
return fd; return fd;
} }
int namespace_is_init(NamespaceType type) {
int r;
assert(type >= 0);
assert(type <= _NAMESPACE_TYPE_MAX);
if (namespace_info[type].root_inode == 0)
return -EBADR; /* Cannot answer this question */
const char *p = pid_namespace_path(0, type);
struct stat st;
r = RET_NERRNO(stat(p, &st));
if (r == -ENOENT)
/* If the /proc/ns/<type> API is not around in /proc/ then ns is off in the kernel and we are in the init ns */
return proc_mounted() == 0 ? -ENOSYS : true;
if (r < 0)
return r;
return st.st_ino == namespace_info[type].root_inode;
}
int is_our_namespace(int fd, NamespaceType request_type) { int is_our_namespace(int fd, NamespaceType request_type) {
int clone_flag; int clone_flag;
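Review bot: removing `namespace_is_init()` takes away the only exact test for running in the root namespace: it compares the inode of `/proc/self/ns/<type>` against the kernel-reserved root inode numbers from the `missing_namespace.h` header deleted above, and its callers in virt.c, also removed in this compare, sit right above a `// FIXME: We really should drop the heuristics below.` comment marking the remaining code as the part meant to go. Unless the revert is deliberate, this looks like the branch predates these upstream additions and needs a rebase rather than carrying their removal. If it is deliberate, the `-EBADR` result for namespace types without a reserved inode (net and mnt have `0` in the table) and the `-ENOSYS` result when /proc is not mounted are behaviours whatever replaces it should keep.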

View File

@ -24,7 +24,6 @@ extern const struct namespace_info {
const char *proc_name; const char *proc_name;
const char *proc_path; const char *proc_path;
unsigned int clone_flag; unsigned int clone_flag;
ino_t root_inode;
} namespace_info[_NAMESPACE_TYPE_MAX + 1]; } namespace_info[_NAMESPACE_TYPE_MAX + 1];
int pidref_namespace_open( int pidref_namespace_open(
@ -75,8 +74,6 @@ int parse_userns_uid_range(const char *s, uid_t *ret_uid_shift, uid_t *ret_uid_r
int namespace_open_by_type(NamespaceType type); int namespace_open_by_type(NamespaceType type);
int namespace_is_init(NamespaceType type);
int is_our_namespace(int fd, NamespaceType type); int is_our_namespace(int fd, NamespaceType type);
int is_idmapping_supported(const char *path); int is_idmapping_supported(const char *path);

View File

@ -585,14 +585,6 @@ static int running_in_cgroupns(void) {
if (!cg_ns_supported()) if (!cg_ns_supported())
return false; return false;
r = namespace_is_init(NAMESPACE_CGROUP);
if (r < 0)
log_debug_errno(r, "Failed to test if in root cgroup namespace, ignoring: %m");
else if (r > 0)
return false;
// FIXME: We really should drop the heuristics below.
r = cg_all_unified(); r = cg_all_unified();
if (r < 0) if (r < 0)
return r; return r;
@ -653,16 +645,6 @@ static int running_in_cgroupns(void) {
} }
} }
static int running_in_pidns(void) {
int r;
r = namespace_is_init(NAMESPACE_PID);
if (r < 0)
return log_debug_errno(r, "Failed to test if in root PID namespace, ignoring: %m");
return !r;
}
static Virtualization detect_container_files(void) { static Virtualization detect_container_files(void) {
static const struct { static const struct {
const char *file_path; const char *file_path;
@ -808,21 +790,12 @@ check_files:
r = running_in_cgroupns(); r = running_in_cgroupns();
if (r > 0) { if (r > 0) {
log_debug("Running in a cgroup namespace, assuming unknown container manager.");
v = VIRTUALIZATION_CONTAINER_OTHER; v = VIRTUALIZATION_CONTAINER_OTHER;
goto finish; goto finish;
} }
if (r < 0) if (r < 0)
log_debug_errno(r, "Failed to detect cgroup namespace: %m"); log_debug_errno(r, "Failed to detect cgroup namespace: %m");
/* Finally, the root pid namespace has an hardcoded inode number of 0xEFFFFFFC since kernel 3.8, so
* if all else fails we can check the inode number of our pid namespace and compare it. */
if (running_in_pidns() > 0) {
log_debug("Running in a pid namespace, assuming unknown container manager.");
v = VIRTUALIZATION_CONTAINER_OTHER;
goto finish;
}
/* If none of that worked, give up, assume no container manager. */ /* If none of that worked, give up, assume no container manager. */
v = VIRTUALIZATION_NONE; v = VIRTUALIZATION_NONE;
goto finish; goto finish;
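Review bot: two things go with the removed pid-namespace fallback here. First, the `log_debug("Running in a cgroup namespace, assuming unknown container manager.")` line is dropped from the cgroupns branch as well, so that branch no longer records why it picked VIRTUALIZATION_CONTAINER_OTHER while the neighbouring error path still logs; keep the message. Second, without `running_in_pidns()` a container that provides only a pid namespace and none of the marker files now falls through to VIRTUALIZATION_NONE, and code that branches on `systemd-detect-virt --container` (the test further down in this compare that masks `selinux-policy.conf` inside containers is one visible example) then takes the non-container path.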
@ -890,14 +863,6 @@ int running_in_userns(void) {
_cleanup_free_ char *line = NULL; _cleanup_free_ char *line = NULL;
int r; int r;
r = namespace_is_init(NAMESPACE_USER);
if (r < 0)
log_debug_errno(r, "Failed to test if in root user namespace, ignoring: %m");
else if (r > 0)
return false;
// FIXME: We really should drop the heuristics below.
r = userns_has_mapping("/proc/self/uid_map"); r = userns_has_mapping("/proc/self/uid_map");
if (r != 0) if (r != 0)
return r; return r;
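Review bot: with the `namespace_is_init(NAMESPACE_USER)` check gone, `running_in_userns()` relies solely on inspecting `/proc/self/uid_map`. A user namespace whose map is the same full identity mapping the root namespace has cannot be told apart from the root namespace by looking at the map alone, which is the gap the inode comparison closed; the left-hand side's own `FIXME` comment says the map heuristics were the part meant to be dropped, not the exact check. If the exact check really has to go, document the resulting false negative in the commit message.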

View File

@ -1048,6 +1048,9 @@ static void device_enumerate(Manager *m) {
_cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL; _cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL;
Device *d; Device *d;
if (device_is_processed(dev) <= 0)
continue;
if (device_setup_units(m, dev, &ready_units, &not_ready_units) < 0) if (device_setup_units(m, dev, &ready_units, &not_ready_units) < 0)
continue; continue;
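Review bot: the `if (device_is_processed(dev) <= 0) continue;` added here makes enumeration skip every device whose udev database still carries `ID_PROCESSING=1`. Enumeration runs on daemon-reexec and daemon-reload, so a unit with `BindsTo=` on such a device's .device unit loses its device and is stopped while udev is still executing a long RUN+= program; that is exactly the scenario the reproducer script for issue #35329 deleted further down in this compare exercises (it holds `ID_PROCESSING=1` with `sleep 1000` and checks that `testsleep.service` stays active across three reexecs and three reloads). Re-adding the check reintroduces that regression; drop it, or keep the test and show that it still passes.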

View File

@ -213,23 +213,9 @@ TEST(idmapping_supported) {
assert_se(is_idmapping_supported("/etc") >= 0); assert_se(is_idmapping_supported("/etc") >= 0);
} }
TEST(namespace_is_init) {
int r;
for (NamespaceType t = 0; t < _NAMESPACE_TYPE_MAX; t++) {
r = namespace_is_init(t);
if (r == -EBADR)
log_info_errno(r, "In root namespace of type '%s': don't know", namespace_info[t].proc_name);
else {
ASSERT_OK(r);
log_info("In root namespace of type '%s': %s", namespace_info[t].proc_name, yes_no(r));
}
}
}
static int intro(void) { static int intro(void) {
if (!have_namespaces()) if (!have_namespaces())
return log_tests_skipped("Don't have namespace support or lacking privileges"); return log_tests_skipped("Don't have namespace support");
return EXIT_SUCCESS; return EXIT_SUCCESS;
} }
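Review bot: besides dropping `TEST(namespace_is_init)`, this hunk shortens the skip message in `intro()` from "Don't have namespace support or lacking privileges" to "Don't have namespace support". `have_namespaces()` also fails for an unprivileged caller, so the shorter message sends someone debugging a skipped run looking for a kernel without namespace support; keep the "or lacking privileges" part.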

View File

@ -52,14 +52,14 @@ directory (`OutputDirectory=`) to point to the other directory using `mkosi.loca
After the image has been built, the integration tests can be run with: After the image has been built, the integration tests can be run with:
```shell ```shell
$ env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild --suite integration-tests --num-processes "$(($(nproc) / 4))" $ SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild --suite integration-tests --num-processes "$(($(nproc) / 4))"
``` ```
As usual, specific tests can be run in meson by appending the name of the test As usual, specific tests can be run in meson by appending the name of the test
which is usually the name of the directory e.g. which is usually the name of the directory e.g.
```shell ```shell
$ env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -v TEST-01-BASIC $ SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -v TEST-01-BASIC
``` ```
See `meson introspect build --tests` for a list of tests. See `meson introspect build --tests` for a list of tests.
@ -69,7 +69,7 @@ To interactively debug a failing integration test, the `--interactive` option
newer: newer:
```shell ```shell
$ env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -i TEST-01-BASIC $ SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -i TEST-01-BASIC
``` ```
Due to limitations in meson, the integration tests do not yet depend on the Due to limitations in meson, the integration tests do not yet depend on the
@ -78,7 +78,7 @@ running the integration tests. To rebuild the image and rerun a test, the
following command can be used: following command can be used:
```shell ```shell
$ meson compile -C build mkosi && env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -v TEST-01-BASIC $ meson compile -C build mkosi && SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -v TEST-01-BASIC
``` ```
The integration tests use the same mkosi configuration that's used when you run The integration tests use the same mkosi configuration that's used when you run
@ -92,7 +92,7 @@ To iterate on an integration test, let's first get a shell in the integration te
the following: the following:
```shell ```shell
$ meson compile -C build mkosi && env SYSTEMD_INTEGRATION_TESTS=1 TEST_SHELL=1 meson test -C build --no-rebuild -i TEST-01-BASIC $ meson compile -C build mkosi && SYSTEMD_INTEGRATION_TESTS=1 TEST_SHELL=1 meson test -C build --no-rebuild -i TEST-01-BASIC
``` ```
This will get us a shell in the integration test environment after booting the machine without running the This will get us a shell in the integration test environment after booting the machine without running the
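Review bot: dropping the `env` prefix from `SYSTEMD_INTEGRATION_TESTS=1 meson test ...` in all five examples makes the commands depend on the shell supporting the `VAR=value command` prefix syntax, whereas `env VAR=value command` behaves the same in any shell. Keep `env` unless the document states which shell the examples assume.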

View File

@ -3,7 +3,6 @@
integration_tests += [ integration_tests += [
integration_test_template + { integration_test_template + {
'name' : fs.name(meson.current_source_dir()), 'name' : fs.name(meson.current_source_dir()),
'coredump-exclude-regex' : '/(bash|python3.[0-9]+|systemd-executor)$',
'cmdline' : integration_test_template['cmdline'] + [ 'cmdline' : integration_test_template['cmdline'] + [
''' '''

View File

@ -4,7 +4,6 @@ integration_tests += [
integration_test_template + { integration_test_template + {
'name' : fs.name(meson.current_source_dir()), 'name' : fs.name(meson.current_source_dir()),
'unit' : files('TEST-16-EXTEND-TIMEOUT.service'), 'unit' : files('TEST-16-EXTEND-TIMEOUT.service'),
'coredump-exclude-regex' : '/(bash|sleep)$',
}, },
] ]

View File

@ -4,6 +4,5 @@ integration_tests += [
integration_test_template + { integration_test_template + {
'name' : fs.name(meson.current_source_dir()), 'name' : fs.name(meson.current_source_dir()),
'vm' : true, 'vm' : true,
'coredump-exclude-regex' : '/(sleep|udevadm)$',
}, },
] ]

View File

@ -3,6 +3,5 @@
integration_tests += [ integration_tests += [
integration_test_template + { integration_test_template + {
'name' : fs.name(meson.current_source_dir()), 'name' : fs.name(meson.current_source_dir()),
'coredump-exclude-regex' : '/(sleep|bash|systemd-notify)$',
}, },
] ]

View File

@ -4,7 +4,5 @@ integration_tests += [
integration_test_template + { integration_test_template + {
'name' : fs.name(meson.current_source_dir()), 'name' : fs.name(meson.current_source_dir()),
'priority' : 10, 'priority' : 10,
# TODO: Remove when https://github.com/systemd/systemd/issues/35335 is fixed.
'coredump-exclude-regex' : '/systemd-localed',
}, },
] ]

View File

@ -5,7 +5,6 @@ integration_tests += [
'name' : fs.name(meson.current_source_dir()), 'name' : fs.name(meson.current_source_dir()),
'storage': 'persistent', 'storage': 'persistent',
'vm' : true, 'vm' : true,
'coredump-exclude-regex' : '/(test-usr-dump|test-dump|bash)$',
}, },
] ]

View File

@ -6,7 +6,6 @@
import argparse import argparse
import json import json
import os import os
import re
import shlex import shlex
import subprocess import subprocess
import sys import sys
@ -33,59 +32,6 @@ ExecStart=false
""" """
def process_coredumps(args: argparse.Namespace, journal_file: Path) -> bool:
# Collect executable paths of all coredumps and filter out the expected ones.
if args.coredump_exclude_regex:
exclude_regex = re.compile(args.coredump_exclude_regex)
else:
exclude_regex = None
result = subprocess.run(
[
args.mkosi,
'--directory', os.fspath(args.meson_source_dir),
'--extra-search-path', os.fspath(args.meson_build_dir),
'sandbox',
'coredumpctl',
'--file', journal_file,
'--json=short',
],
stdout=subprocess.PIPE,
text=True,
) # fmt: skip
# coredumpctl returns a non-zero exit status if there are no coredumps.
if result.returncode != 0:
return False
coredumps = json.loads(result.stdout)
coredumps = [
coredump for coredump in coredumps if not exclude_regex or not exclude_regex.search(coredump['exe'])
]
if not coredumps:
return False
subprocess.run(
[
args.mkosi,
'--directory', os.fspath(args.meson_source_dir),
'--extra-search-path', os.fspath(args.meson_build_dir),
'sandbox',
'coredumpctl',
'--file', journal_file,
'--no-pager',
'info',
*(coredump['exe'] for coredump in coredumps),
],
check=True,
) # fmt: skip
return True
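Review bot: deleting `process_coredumps()` means a crash inside the test image is no longer a test failure. The function queried `coredumpctl --json=short --file <journal>` through `mkosi sandbox`, filtered out expected crashers with the per-test `--coredump-exclude-regex`, printed `coredumpctl info` for anything left, and the exit logic further down used its result to fail a run even when the unit itself exited with the expected code. After this change a segfault in a helper such as systemd-executor passes silently as long as the test unit reports success. Unless coredump collection is being dropped on purpose, keep this function together with the meson `coredump-exclude-regex` plumbing and the per-test regexes removed elsewhere in this compare; they only work as a set.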
def main() -> None: def main() -> None:
parser = argparse.ArgumentParser(description=__doc__) parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument('--mkosi', required=True) parser.add_argument('--mkosi', required=True)
@ -98,7 +44,6 @@ def main() -> None:
parser.add_argument('--slow', action=argparse.BooleanOptionalAction) parser.add_argument('--slow', action=argparse.BooleanOptionalAction)
parser.add_argument('--vm', action=argparse.BooleanOptionalAction) parser.add_argument('--vm', action=argparse.BooleanOptionalAction)
parser.add_argument('--exit-code', required=True, type=int) parser.add_argument('--exit-code', required=True, type=int)
parser.add_argument('--coredump-exclude-regex', required=True)
parser.add_argument('mkosi_args', nargs='*') parser.add_argument('mkosi_args', nargs='*')
args = parser.parse_args() args = parser.parse_args()
@ -169,9 +114,7 @@ def main() -> None:
""" """
) )
journal_file = (args.meson_build_dir / (f'test/journal/{name}.journal')).absolute() journal_file = None
journal_file.unlink(missing_ok=True)
if not sys.stderr.isatty(): if not sys.stderr.isatty():
dropin += textwrap.dedent( dropin += textwrap.dedent(
""" """
@ -179,6 +122,9 @@ def main() -> None:
FailureAction=exit FailureAction=exit
""" """
) )
journal_file = (args.meson_build_dir / (f'test/journal/{name}.journal')).absolute()
journal_file.unlink(missing_ok=True)
elif not shell: elif not shell:
dropin += textwrap.dedent( dropin += textwrap.dedent(
""" """
@ -248,16 +194,15 @@ def main() -> None:
) )
exit(77) exit(77)
coredumps = process_coredumps(args, journal_file) if journal_file and (
keep_journal == '0' or (result.returncode in (args.exit_code, 77) and keep_journal == 'fail')
if keep_journal == '0' or (
keep_journal == 'fail' and result.returncode in (args.exit_code, 77) and not coredumps
): ):
journal_file.unlink(missing_ok=True) journal_file.unlink(missing_ok=True)
if shell or (result.returncode in (args.exit_code, 77) and not coredumps): if shell or result.returncode in (args.exit_code, 77):
exit(0 if shell or result.returncode == args.exit_code else 77) exit(0 if shell or result.returncode == args.exit_code else 77)
if journal_file:
ops = [] ops = []
if os.getenv('GITHUB_ACTIONS'): if os.getenv('GITHUB_ACTIONS'):
@ -283,7 +228,10 @@ def main() -> None:
ops += [f'journalctl --file {journal_file} --no-hostname -o short-monotonic -u {args.unit} -p info'] ops += [f'journalctl --file {journal_file} --no-hostname -o short-monotonic -u {args.unit} -p info']
print("Test failed, relevant logs can be viewed with: \n\n" f"{(' && '.join(ops))}\n", file=sys.stderr) print(
"Test failed, relevant logs can be viewed with: \n\n" f"{(' && '.join(ops))}\n",
file=sys.stderr,
)
# 0 also means we failed so translate that to a non-zero exit code to mark the test as failed. # 0 also means we failed so translate that to a non-zero exit code to mark the test as failed.
exit(result.returncode or 1) exit(result.returncode or 1)
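Review bot: the rewritten exit condition `if shell or result.returncode in (args.exit_code, 77)` no longer consults the coredump result, and the `keep_journal == 'fail'` branch deletes the journal as soon as the exit code matched, so a run that crashed a process but reported success exits 0 and discards the only evidence. Separately, `journal_file` is now `None` for interactive (tty) runs, so the `ops` block behind `if journal_file:` and the "relevant logs can be viewed with" hint are never reached in exactly the situation where a developer is watching the run; consider always writing the journal file and only varying what is kept afterwards, as the left-hand side does.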

View File

@ -297,7 +297,6 @@ integration_test_template = {
'qemu-args' : [], 'qemu-args' : [],
'exit-code' : 123, 'exit-code' : 123,
'vm' : false, 'vm' : false,
'coredump-exclude-regex' : '',
} }
testdata_subdirs = [ testdata_subdirs = [
'auxv', 'auxv',
@ -392,7 +391,6 @@ foreach integration_test : integration_tests
'--storage', integration_test['storage'], '--storage', integration_test['storage'],
'--firmware', integration_test['firmware'], '--firmware', integration_test['firmware'],
'--exit-code', integration_test['exit-code'].to_string(), '--exit-code', integration_test['exit-code'].to_string(),
'--coredump-exclude-regex', integration_test['coredump-exclude-regex'],
] ]
if 'unit' in integration_test if 'unit' in integration_test

View File

@ -248,7 +248,6 @@ Bridge=mybridge
[Match] [Match]
Name=mybridge Name=mybridge
[Network] [Network]
IPv6AcceptRA=no
DNS=192.168.250.1 DNS=192.168.250.1
Address=192.168.250.33/24 Address=192.168.250.33/24
Gateway=192.168.250.1 Gateway=192.168.250.1
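Review bot: removing `IPv6AcceptRA=no` from the `[Network]` section means networkd starts router solicitation and RA processing on the bridge and dummy interfaces these tests create. Nothing in the tests depends on an IPv6 router, and accepting RAs ties the link's configuration state, and with it `assert_link_states` and the DNS/Domains assertions, to whatever the host or a veth peer happens to send, which is a classic source of flaky results. Keep the line in every `[Network]` section touched here; the same removal recurs in the six hunks that follow.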
@ -541,7 +540,6 @@ MACAddress=12:34:56:78:9a:bc
[Match] [Match]
Name=dummy0 Name=dummy0
[Network] [Network]
IPv6AcceptRA=no
Address=192.168.42.100/24 Address=192.168.42.100/24
DNS=192.168.42.1 DNS=192.168.42.1
Domains= ~company Domains= ~company
@ -575,7 +573,6 @@ MACAddress=12:34:56:78:9a:bc
self.write_network('50-myvpn.network', '''[Match] self.write_network('50-myvpn.network', '''[Match]
Name=dummy0 Name=dummy0
[Network] [Network]
IPv6AcceptRA=no
Address=192.168.42.100/24 Address=192.168.42.100/24
DNS=192.168.42.1 DNS=192.168.42.1
Domains= ~company ~. Domains= ~company ~.
@ -930,7 +927,6 @@ cat <<EOF >/run/systemd/network/50-test.network
Name={ifr} Name={ifr}
[Network] [Network]
IPv6AcceptRA=no
Address=192.168.5.1/24 Address=192.168.5.1/24
{addr6} {addr6}
DHCPServer=yes DHCPServer=yes
@ -1010,7 +1006,6 @@ MACAddress=12:34:56:78:9a:bc
[Match] [Match]
Name=dummy0 Name=dummy0
[Network] [Network]
IPv6AcceptRA=no
Address=192.168.42.100/24 Address=192.168.42.100/24
DNS=192.168.42.1 DNS=192.168.42.1
Domains= one two three four five six seven eight nine ten Domains= one two three four five six seven eight nine ten
@ -1040,7 +1035,6 @@ MACAddress=12:34:56:78:9a:bc
[Match] [Match]
Name=dummy0 Name=dummy0
[Network] [Network]
IPv6AcceptRA=no
Address=192.168.42.100/24 Address=192.168.42.100/24
DNS=192.168.42.1 DNS=192.168.42.1
''') ''')
@ -1113,12 +1107,7 @@ class MatchClientTest(unittest.TestCase, NetworkdTestingUtilities):
def test_basic_matching(self): def test_basic_matching(self):
"""Verify the Name= line works throughout this class.""" """Verify the Name= line works throughout this class."""
self.add_veth_pair('test_if1', 'fake_if2') self.add_veth_pair('test_if1', 'fake_if2')
self.write_network('50-test.network', '''\ self.write_network('50-test.network', "[Match]\nName=test_*\n[Network]")
[Match]
Name=test_*
[Network]
IPv6AcceptRA=no
''')
subprocess.check_call(['systemctl', 'start', 'systemd-networkd']) subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
self.assert_link_states(test_if1='managed', fake_if2='unmanaged') self.assert_link_states(test_if1='managed', fake_if2='unmanaged')
@ -1129,13 +1118,11 @@ IPv6AcceptRA=no
mac = '00:01:02:03:98:99' mac = '00:01:02:03:98:99'
self.add_veth_pair('test_veth', 'test_peer', self.add_veth_pair('test_veth', 'test_peer',
['addr', mac], ['addr', mac]) ['addr', mac], ['addr', mac])
self.write_network('50-no-veth.network', '''\ self.write_network('50-no-veth.network', """\
[Match] [Match]
MACAddress={} MACAddress={}
Name=!nonexistent *peer* Name=!nonexistent *peer*
[Network] [Network]""".format(mac))
IPv6AcceptRA=no
'''.format(mac))
subprocess.check_call(['systemctl', 'start', 'systemd-networkd']) subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
self.assert_link_states(test_veth='managed', test_peer='unmanaged') self.assert_link_states(test_veth='managed', test_peer='unmanaged')
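Review bot: aside from the `IPv6AcceptRA=no` removal, the right-hand side collapses the first network file into the one-line string `"[Match]\nName=test_*\n[Network]"` and the second into a `"""` block closed directly by `.format(mac)`, both producing files without a trailing newline. The triple-quoted layout on the left matches the other `write_network()` calls in this file and is easier to diff when a line is added later; keep it.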

View File

@ -1,71 +0,0 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# shellcheck disable=SC2317
set -ex
set -o pipefail
# This is a reproducer of issue #35329,
# which is a regression caused by 405be62f05d76f1845f347737b5972158c79dd3e.
IFNAME=udevtestnetif
at_exit() {
set +e
systemctl stop testsleep.service
rm -f /run/udev/udev.conf.d/timeout.conf
rm -f /run/udev/rules.d/99-testsuite.rules
# Forcibly kills sleep command invoked by the udev rule before restarting,
# otherwise systemctl restart below will takes longer.
killall -KILL sleep
systemctl restart systemd-udevd.service
ip link del "$IFNAME"
}
trap at_exit EXIT
udevadm settle
mkdir -p /run/udev/udev.conf.d/
cat >/run/udev/udev.conf.d/timeout.conf <<EOF
event_timeout=1h
EOF
mkdir -p /run/udev/rules.d/
cat >/run/udev/rules.d/99-testsuite.rules <<EOF
SUBSYSTEM=="net", ACTION=="change", KERNEL=="${IFNAME}", OPTIONS="log_level=debug", RUN+="/usr/bin/sleep 1000"
EOF
systemctl restart systemd-udevd.service
ip link add "$IFNAME" type dummy
IFINDEX=$(ip -json link show "$IFNAME" | jq '.[].ifindex')
udevadm wait --timeout 10 "/sys/class/net/${IFNAME}"
# Check if the database file is created.
[[ -e "/run/udev/data/n${IFINDEX}" ]]
systemd-run \
-p After="sys-subsystem-net-devices-${IFNAME}.device" \
-p BindsTo="sys-subsystem-net-devices-${IFNAME}.device" \
-u testsleep.service \
sleep 1h
timeout 10 bash -c 'until systemctl is-active testsleep.service; do sleep .5; done'
udevadm trigger "/sys/class/net/${IFNAME}"
timeout 30 bash -c "until grep -F 'ID_PROCESSING=1' /run/udev/data/n${IFINDEX}; do sleep .5; done"
for _ in {1..3}; do
systemctl daemon-reexec
systemctl is-active testsleep.service
done
for _ in {1..3}; do
systemctl daemon-reload
systemctl is-active testsleep.service
done
# Check if the reexec and reload have finished during processing the event.
grep -F 'ID_PROCESSING=1' "/run/udev/data/n${IFINDEX}"
exit 0
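Review bot: this deletes the regression test for issue #35329 while the `device_is_processed(dev) <= 0` skip is re-added to `device_enumerate()` earlier in this compare; the script is the only coverage that a `BindsTo=` unit survives `daemon-reexec` and `daemon-reload` while udev still has the device marked `ID_PROCESSING=1`. If the script stays, one point on it: `killall -KILL sleep` in `at_exit()` kills every `sleep` process on the system, not just the one spawned by the udev rule, so the cleanup can take down unrelated test units; restrict it to the process the rule started, for example by matching its full command line or recording its PID.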

View File

@ -6,14 +6,6 @@ set -o pipefail
# shellcheck source=test/units/test-control.sh # shellcheck source=test/units/test-control.sh
. "$(dirname "$0")"/test-control.sh . "$(dirname "$0")"/test-control.sh
if systemd-detect-virt --quiet --container; then
# This comes from the selinux package and tries to write
# some files under sysfs, which will be read-only in a container,
# so mask it. It's not our tmpfiles.d file anyway.
mkdir -p /run/tmpfiles.d/
ln -s /dev/null /run/tmpfiles.d/selinux-policy.conf
fi
run_subtests run_subtests
touch /testok touch /testok
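Review bot: the removed block masks `selinux-policy.conf` only when `systemd-detect-virt --quiet --container` succeeds, because that tmpfiles.d entry writes under sysfs, which is read-only in a container. Without the mask the tmpfiles subtests in this file will report failures for an entry the project does not own whenever they run in a container. Note also that container detection is weakened elsewhere in this compare (the pid-namespace fallback in `detect_container()` is removed), so even with this block retained the mask would not apply in a container identifiable only by its pid namespace.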

View File

@ -5,7 +5,3 @@ set -o pipefail
SYSTEMD_IN_CHROOT=1 systemd-detect-virt --chroot SYSTEMD_IN_CHROOT=1 systemd-detect-virt --chroot
(! SYSTEMD_IN_CHROOT=0 systemd-detect-virt --chroot) (! SYSTEMD_IN_CHROOT=0 systemd-detect-virt --chroot)
if ! systemd-detect-virt -c; then
unshare --mount-proc --fork --user --pid systemd-detect-virt --container
fi