path: root/man/systemd.exec.xml
Commit message [Author, Age, Files, Lines]
* man: clarify Environmentfile format [Yonathan Randolph, 2022-01-23, 1, -18/+33]
| Remove incorrect claim that C escapes (such as \t and \n) are recognized and that control characters are disallowed. Specify the allowed characters and escapes with single quotes, with double quotes, and without quotes.
* core: add ExtensionDirectories= setting [Luca Boccassi, 2022-01-21, 1, -0/+28]
| Add a new setting that follows the same principle and implementation as ExtensionImages, but using directories as sources. It will be used to implement support for extending portable images with directories, since portable services can already use a directory as root.
* core: teach LoadCredential= to load from a directory [Albert Brox, 2022-01-08, 1, -1/+4]
|
* man: document $MONITOR_METADATA usage [Peter Morrow, 2021-12-13, 1, -0/+106]
| Describe when $MONITOR_METADATA will be set and how its contents are defined.
* tree-wide: fix typo [Yu Watanabe, 2021-11-30, 1, -1/+1]
|
* man: don't mention IOSchedulingClass=none anymore in the docs [Lennart Poettering, 2021-11-24, 1, -5/+7]
| Let's not mention a redundant setting of "none". Let's instead only mention "best-effort", which is the same.
|
| Also mention the default settings properly.
|
| (Also, while we are at it, don't document the numeric alias, that's totally redundant and harder to use, so no need to push people towards it.)
* execute: always log a warning when setting SELinux context fails [Topi Miettinen, 2021-11-12, 1, -4/+7]
| Update also manual page to explain how the transition can still fail.
* man: remove unintentionally repetitive words [ml, 2021-11-11, 1, -1/+1]
|
* exec: Add TTYRows and TTYColumns properties to set TTY dimensions [Daan De Meyer, 2021-11-05, 1, -0/+8]
|
* core: add [State|Runtime|Cache|Logs]Directory symlink as second parameter [Luca Boccassi, 2021-10-28, 1, -1/+14]
| When combined with a tmpfs on /run or /var/lib, allows to create arbitrary and ephemeral symlinks for StateDirectory or RuntimeDirectory. This is especially useful when sharing these directories between different services, to make the same state/runtime directory 'backend' appear as different names to each service, so that they can be added/removed to a sharing agreement transparently, without code changes.
|
| An example (simplified, but real) use case:
|
|   foo.service:
|   StateDirectory=foo
|
|   bar.service:
|   StateDirectory=bar
|
|   foo.service.d/shared.conf:
|   StateDirectory=
|   StateDirectory=shared:foo
|
|   bar.service.d/shared.conf:
|   StateDirectory=
|   StateDirectory=shared:bar
|
| foo and bar use respectively /var/lib/foo and /var/lib/bar. Then the orchestration layer decides to stop this sharing, the drop-in can be removed. The services won't need any update and will keep working and being able to store state, transparently.
|
| To keep backward compatibility, new DBUS messages are added.
* man: document EXIT_BPF status [Iago López Galeiras, 2021-10-06, 1, -0/+5]
|
* man: add RestrictFileSystems= documentation [Iago López Galeiras, 2021-10-06, 1, -0/+94]
|
* core: Add ExecSearchPath parameter to specify the directory relative to ↵ [alexlzhu, 2021-09-28, 1, -0/+14]
| which binaries executed by Exec*= should be found
|
| Currently there does not exist a way to specify a path relative to which all binaries executed by Exec should be found. The only way is to specify the absolute path.
|
| This change implements the functionality to specify a path relative to which binaries executed by Exec*= can be found.
|
| Closes #6308
* man: cross-reference DeviceAllow= and PrivateDevices= [Zbigniew Jędrzejewski-Szmek, 2021-09-27, 1, -23/+30]
| They are somewhat similar, but not easy to discover, esp. considering that they are described in different pages.
|
| For PrivateDevices=, split out the first paragraph that gives the high-level overview. (The giant second paragraph could also use some heavy editing to break it up into more digestible chunks, alas.)
* man: further document extension-release [Luca Boccassi, 2021-08-17, 1, -0/+5]
|
* man: use title of docs/ pages when referring to them [Zbigniew Jędrzejewski-Szmek, 2021-07-27, 1, -1/+1]
| There is some inconsistency, partially caused by the awkward naming of the docs/ pages. But let's be consistent and use the "official" title. If we ever change plural↔singular, we should use the same form everywhere.
* man: fix assorted issues reported by the manpage-l10n project [Zbigniew Jędrzejewski-Szmek, 2021-07-27, 1, -7/+8]
| Fixes #20297.
* man: document the new (Load|Set)CredentialEncrypted= settings [Lennart Poettering, 2021-07-08, 1, -1/+26]
|
* tree-wide: fix "the the" and "a a" [Yu Watanabe, 2021-06-30, 1, -1/+1]
|
* man: fix incorrect description regarding DynamicUser= and StateDirectory= [dgcampea, 2021-06-27, 1, -7/+6]
|
* core: do not set nosuid mount option when SELinux is enabled [Yu Watanabe, 2021-06-25, 1, -3/+4]
| The mount option has special meaning when SELinux is enabled. To make NoNewPrivileges=yes not break SELinux enabled systems, let's not set the mount flag on such systems.
* Revert "Revert "Mount all fs nosuid when NoNewPrivileges=yes"" [Yu Watanabe, 2021-06-25, 1, -3/+4]
| This reverts commit 1753d3021564671fba3d3196a84da657d15fb632.
|
| Let's re-enable that feature now. As reported when the original commit was merged, this causes some trouble on SELinux enabled systems. So, in the subsequent commit, the feature will be disabled when SELinux is enabled. But, anyway, this commit just re-enables that feature unconditionally.
* Revert "Mount all fs nosuid when NoNewPrivileges=yes" [Topi Miettinen, 2021-06-15, 1, -4/+3]
| This reverts commit d8e3c31bd8e307c8defc759424298175aa0f7001.
|
| A poorly documented fact is that SELinux unfortunately uses nosuid mount flag to specify that also a fundamental feature of SELinux, domain transitions, must not be allowed either. While this could be mitigated case by case by changing the SELinux policy to use `nosuid_transition`, such mitigations would probably have to be added everywhere if systemd used automatic nosuid mount flags when `NoNewPrivileges=yes` would be implied. This isn't very desirable from SELinux policy point of view since also untrusted mounts in service's mount namespaces could start triggering domain transitions.
|
| Alternatively there could be directives to override this behavior globally or for each service (for example, new directives `SUIDPaths=`/`NoSUIDPaths=` or more generic mount flag applicators), but since there's little value of the commit by itself (setting NNP already disables most setuid functionality), it's simpler to revert the commit. Such new directives could be used to implement the original goal.
* Mount all fs nosuid when NoNewPrivileges=yes [Topi Miettinen, 2021-05-26, 1, -3/+4]
| When `NoNewPrivileges=yes`, the service shouldn't have a need for any setuid/setgid programs, so in case there will be a new mount namespace anyway, mount the file systems with MS_NOSUID.
* man: explicitly say for priority/weight values whether more is more or less [Lennart Poettering, 2021-05-26, 1, -12/+18]
| Fixes: #17523
* core: apply LogLevelMax to messages about units [Ryan Hendrickson, 2021-05-03, 1, -1/+2]
| This commit applies the filtering imposed by LogLevelMax on a unit's processes to messages logged by PID1 about the unit as well.
|
| The target use case for this feature is a service that runs on a timer many times an hour, where the system administrator decides that writing a generic success message to the journal every few minutes or seconds adds no diagnostic value and isn't worth the clutter or disk I/O.
* core: add RestrictAddressFamilies=none to deny all address families [Yu Watanabe, 2021-04-19, 1, -5/+7]
| Closes #15753.
* core: allow omitting second part of LoadCredentials= argument [Lennart Poettering, 2021-03-26, 1, -14/+16]
| This allows "LoadCredentials=foo" to be used as shortcut for "LoadCredentials=foo:foo", i.e. it's a very short way to inherit a credential under its original name from the service manager into a service.
* man: specify that ProtectProc= does not work with root/cap_sys_ptrace [Luca Boccassi, 2021-03-15, 1, -2/+5]
| When using hidepid=invisible on procfs, the kernel will check if the gid of the process trying to access /proc is the same as the gid of the process that mounted the /proc instance, or if it has the ptrace capability:
|
| https://github.com/torvalds/linux/blob/v5.10/fs/proc/base.c#L723
| https://github.com/torvalds/linux/blob/v5.10/fs/proc/root.c#L155
|
| Given we set up the /proc instance as root for system services, The same restriction applies to CAP_SYS_PTRACE, if a process runs with it then hidepid=invisible has no effect.
|
| ProtectProc effectively can only be used with User= or DynamicUser=yes, without CAP_SYS_PTRACE. Update the documentation to explicitly state these limitations.
|
| Fixes #18997
* man: fix html links to two external man pages [Zbigniew Jędrzejewski-Szmek, 2021-03-12, 1, -1/+1]
|
* man: shorten list of partition types a bit [Lennart Poettering, 2021-03-11, 1, -44/+5]
| Tables with only one column aren't really tables, they are lists. And if each cell only consists of a single word, they are probably better written in a single line. Hence, shorten the man page a bit, and list boot loader spec partition types in a simple sentence.
|
| Also, drop "root-secondary" from the list. When dissecting images we'll upgrade "root-secondary" to "root" if we mount it, and do so only if "root" doesn't exist. Hence never mention "root-secondary" as we never will mount a partition under that id.
* man: update document about NoNewPrivileges= [Yu Watanabe, 2021-03-08, 1, -28/+47]
| Fixes #18914.
* New directives PrivateIPC and IPCNamespacePath [Xℹ Ruoyao, 2021-03-04, 1, -1/+48]
|
* man: describe quoting and specifiers in Environment= [Zbigniew Jędrzejewski-Szmek, 2021-03-01, 1, -16/+21]
| Fixes #10604.
* Add ExtensionImages directive to form overlays [Luca Boccassi, 2021-02-23, 1, -0/+42]
| Add support for overlaying images for services on top of their root fs, using a read-only overlay.
* man: correct documentation of StandardInput='s defaults in regards to "data" [Lennart Poettering, 2021-02-22, 1, -4/+8]
| Fixes: #18710
* man: Rename duplicate Credentials section name [Дамјан Георгиевски, 2021-02-18, 1, -1/+1]
| A "Credentials" section name in systemd.exec man page was used both for User/Group and for actual credentials support in systemd.
|
| Rename the first instance to "User/Group Identity"
* core: set $SYSTEMD_EXEC_PID= environment variable for executed commands [Yu Watanabe, 2021-02-01, 1, -0/+11]
| It may be useful to detect a command is directly executed by systemd manager, or indirectly as a child of another process.
* Merge pull request #18399 from keszybz/man-proofreading [Lennart Poettering, 2021-01-29, 1, -16/+14]
|\
| | Various man page cleanups
| * man: use ellipses for ranges in range descriptions [Zbigniew Jędrzejewski-Szmek, 2021-01-29, 1, -2/+2]
| | … and in few other places ;)
| * man: various typos and other small issues [Zbigniew Jędrzejewski-Szmek, 2021-01-29, 1, -14/+12]
| | Fixes #18397.
* | New directives NoExecPaths= ExecPaths= [Topi Miettinen, 2021-01-29, 1, -2/+19]
|/
| Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC` mount flag for the file system tree. This can be used to implement file system W^X policies, and for example with allow-listing mode (NoExecPaths=/) a compromised service would not be able to execute a shell, if that was not explicitly allowed.
|
| Example:
|
|   [Service]
|   NoExecPaths=/
|   ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib
|
| Closes: #17942.
* man: document how get logging to work in a RootDirectory=/RootImage= environment [Lennart Poettering, 2021-01-20, 1, -0/+14]
| Fixes: #18051
* Merge pull request #18267 from lucaswerkmeister/truncate [Yu Watanabe, 2021-01-19, 1, -2/+13]
|\
| | Two StandardOutput=truncate:file improvements
| * man: document effects of concurrent truncation [Lucas Werkmeister, 2021-01-18, 1, -2/+9]
| | Co-authored-by: Lennart Poettering <lennart@poettering.net>
| * man: document that truncate:file happens per command line [Lucas Werkmeister, 2021-01-15, 1, -2/+6]
| |
* | core: add DBUS method to bind mount new nodes without service restart [Luca Boccassi, 2021-01-18, 1, -0/+4]
| | Allow to setup new bind mounts for a service at runtime (via either DBUS or a new 'systemctl bind' verb) with a new helper that forks into the unit's mount namespace. Add a new integration test to cover this.
| |
| | Useful for zero-downtime addition to services that are running inside mount namespaces, especially when using RootImage/RootDirectory.
| |
| | If a service runs with a read-only root, a tmpfs is added on /run to ensure we can create the airlock directory for incoming mounts under /run/host/incoming.
* | MountAPIVFS: always mount a tmpfs on /run [Luca Boccassi, 2021-01-18, 1, -4/+5]
|/
| We need a writable /run for most operations, but in case a read-only RootImage (or similar) is used, by default there's no additional tmpfs mount on /run. Change this behaviour and document it.
* Add truncate: to StandardOutput= etc. [Lucas Werkmeister, 2021-01-15, 1, -2/+6]
| This adds the ability to specify truncate:PATH for StandardOutput= and StandardError=, similar to the existing append:PATH. The code is mostly copied from the related append: code.
|
| Fixes #8983.
* systemctl: deprecate blanket import-environment [Zbigniew Jędrzejewski-Szmek, 2021-01-08, 1, -1/+2]
| Importing the full environment is convenient, but it doesn't work too well in practice, because we get a metric ton of shell-specific crap that should never end up in the global environment block:
|
|   $ systemctl --user show-environment
|   ...
|   SHELL=/bin/zsh
|   AUTOJUMP_ERROR_PATH=/home/zbyszek/.local/share/autojump/errors.log
|   AUTOJUMP_SOURCED=1
|   CONDA_SHLVL=0
|   CVS_RSH=ssh
|   DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
|   DESKTOP_SESSION=gnome
|   DISPLAY=:0
|   FPATH=/usr/share/Modules/init/zsh-functions:/usr/local/share/zsh/site-functions:/usr/share/zsh/site-functions:/usr/share/zsh/5.8/functions
|   GDMSESSION=gnome
|   GDM_LANG=en_US.UTF-8
|   GNOME_SETUP_DISPLAY=:1
|   GUESTFISH_INIT=$'\\e[1;34m'
|   GUESTFISH_OUTPUT=$'\\e[0m'
|   GUESTFISH_PS1=$'\\[\\e[1;32m\\]><fs>\\[\\e[0;31m\\] '
|   GUESTFISH_RESTORE=$'\\e[0m'
|   HISTCONTROL=ignoredups
|   HISTSIZE=1000
|   LOADEDMODULES=
|   OLDPWD=/home/zbyszek
|   PWD=/home/zbyszek
|   QTDIR=/usr/lib64/qt-3.3
|   QTINC=/usr/lib64/qt-3.3/include
|   QTLIB=/usr/lib64/qt-3.3/lib
|   QT_IM_MODULE=ibus
|   SDL_VIDEO_MINIMIZE_ON_FOCUS_LOSS=0
|   SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/2612,unix/unix:/tmp/.ICE-unix/2612
|   SHLVL=0
|   STEAM_FRAME_FORCE_CLOSE=1
|   TERM=xterm-256color
|   USERNAME=zbyszek
|   WISECONFIGDIR=/usr/share/wise2/
|   ...
|
| Plenty of shell-specific and terminal-specific stuff that have no global significance.
|
| Let's start warning when this is used to push people towards importing only specific variables.
|
| Putative NEWS entry:
|
|   * systemctl import-environment will now emit a warning when called without any arguments (i.e. to import the full environment block of the called program). This command will usually be invoked from a shell, which means that it'll inherit a bunch of variables which are specific to that shell, and usually to the tty the shell is connected to, and don't have any meaning in the global context of the system or user service manager. Instead, only specific variables should be imported into the manager environment block.
|
|     Similarly, programs which update the manager environment block by directly calling the D-Bus API of the manager, should also push specific variables, and not the full inherited environment.