path: root/man

Commit message (Author, Age; Files changed, Lines -/+)
* cgroup: Polish hierarchically aware protection docs a bit (Chris Down, 2020-06-08; 1 file, -2/+6)
  I missed adding a section in `systemd.resource-control` about DefaultMemoryMin in #12332.
  Also, add a NEWS entry going over the general concept.

  (cherry picked from commit acdb4b5236f38bbefbcc4a47fdbb9cd558b4b5c5)
  Related: #1763435
* cgroup: Implement default propagation of MemoryLow with DefaultMemoryLow (Chris Down, 2020-06-08; 1 file, -0/+4)
  In cgroup v2 we have protection tunables -- currently MemoryLow and MemoryMin (there will be more in future for other resources, too). The design of these protection tunables requires not only intermediate cgroups to propagate protections, but also the units at the leaf of that resource's operation to accept it (by setting MemoryLow or MemoryMin).

  This makes sense from a low-level API design perspective, but it's a good idea to also have a higher-level abstraction that can, by default, propagate these resources to children recursively.

  In this patch, this happens by having descendants set memory.low to N if their ancestor has DefaultMemoryLow=N -- assuming they don't set a separate MemoryLow value.

  Any affected unit can opt out of this propagation by manually setting `MemoryLow` to some value in its unit configuration. A unit can also stop further propagation by setting `DefaultMemoryLow=` with no argument. This removes further propagation in the subtree, but has no effect on the unit itself (for that, use `MemoryLow=0`).

  Our use case in production is simplifying the configuration of machines which heavily rely on memory protection tunables, but currently require tweaking a huge number of unit files to make that a reality. This directive makes that significantly less fragile, and decreases the risk of misconfiguration.

  After this patch is merged, I will implement DefaultMemoryMin= using the same principles.

  (cherry picked from commit c52db42b78f6fbeb7792cc4eca27e2767a48b6ca)
  Related: #1763435
* core: add MemoryMin (Tejun Heo, 2020-06-08; 1 file, -0/+21)
  The kernel added support for a new cgroup memory controller knob memory.min in bf8d5d52ffe8 ("memcg: introduce memory.min") which was merged during the v4.18 merge window. Add MemoryMin to support memory.min.

  (cherry picked from commit 484226357789991de0b3363beb69258be06b4c92)
  Resolves: #1763435
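Added illustration of how the three memory-protection entries above (MemoryMin=, DefaultMemoryLow= propagation, DefaultMemoryMin= docs) interact in a slice tree. This is an example written for this page, not a fragment from the systemd man pages or from the commits; the slice, service names, binaries and sizes are hypothetical.

```ini
# /etc/systemd/system/app.slice  (hypothetical slice, constructed for this example)
[Unit]
Description=Application slice with default memory protection

[Slice]
# Every descendant that does not set MemoryLow= itself ends up with memory.low=512M.
DefaultMemoryLow=512M
# Hard floor for the subtree: memory.min is never reclaimed while usage stays under it
# (cgroup v2 only, kernel >= 4.18 as the commit above notes).
MemoryMin=256M

# /etc/systemd/system/app-worker.service  (inherits MemoryLow=512M from app.slice)
[Service]
Slice=app.slice
ExecStart=/usr/bin/worker

# /etc/systemd/system/app-cache.service  (opts out of the inherited value)
[Service]
Slice=app.slice
# An explicit MemoryLow= always wins over an ancestor's DefaultMemoryLow=.
MemoryLow=0
ExecStart=/usr/bin/cache

# /etc/systemd/system/app-batch.slice  (child slice that stops propagation below it)
[Slice]
# Empty assignment clears DefaultMemoryLow= for everything under app-batch.slice.
# app-batch.slice itself still receives 512M from app.slice; add MemoryLow=0 to drop that too.
DefaultMemoryLow=
```

After `systemctl daemon-reload`, `systemctl show -p MemoryLow -p MemoryMin app-worker.service` prints the value that will be written to the cgroup. Two caveats: memory.low and memory.min only exist on the unified (cgroup v2) hierarchy, which a v239-based system selects with `systemd.unified_cgroup_hierarchy=1` on the kernel command line; and the kernel bounds a child's effective protection by its parent's, so a leaf with MemoryLow=512M under a slice with no protection is not protected at all, which is exactly why the propagation described above matters.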
* core: add CPUQuotaPeriodSec= (Filipe Brandenburger, 2020-06-08; 1 file, -0/+19)
  This new setting allows configuration of the CFS period on the CPU cgroup, instead of using a hardcoded default of 100ms.

  Tested:
  - Legacy cgroup + Unified cgroup
  - systemctl set-property
  - systemctl show
  - Confirmed that the cgroup settings (such as cpu.cfs_period_ns) were set appropriately, including updating the CPU quota (cpu.cfs_quota_ns) when CPUQuotaPeriodSec= is updated.
  - Checked that clamping works properly when either period or (quota * period) are below the resolution of 1ms, or if period is above the max of 1s.

  (cherry picked from commit 10f28641115733c61754342d5dcbe70b083bea4b)
  Resolves: #1770379
* core: add IODeviceLatencyTargetSec (Tejun Heo, 2020-06-08; 1 file, -5/+24)
  This adds support for the following proposed latency based IO control mechanism.

  https://lkml.org/lkml/2018/6/5/428

  (cherry picked from commit 6ae4283cb14c4e4a895f4bbba703804e4128c86c)
  Resolves: #1831519
* core: ExecCondition= for services (Anita Zhang, 2020-05-26; 1 file, -0/+20)
  Closes #10596

  (cherry picked from commit 31cd5f63ce86a0784c4ef869c4d323a11ff14adc)
  Resolves: #1737283
* Add support for opening files for appending (Zsolt Dollenstein, 2020-05-19; 1 file, -5/+11)
  Addresses part of #8983

  (cherry picked from commit 566b7d23eb747e9c5a74e5647693077b52395fc5)
  Resolves: #1809175
* man: be clearer that .timer time expressions need to be reset to override them (Lennart Poettering, 2020-05-19; 1 file, -13/+18)
  Let's be clearer about the overriding concept for OnCalendar= settings.

  Prompted by this thread: https://lists.freedesktop.org/archives/systemd-devel/2019-March/042351.html

  (cherry picked from commit 58031d99c6320855b86f4890baa9165597e3d841)
  Resolves: #1816908
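Added example of the override pitfall this entry documents, constructed for this page rather than taken from the man page or the commit; backup.timer and its paths are hypothetical.

```ini
# Shipped unit: /usr/lib/systemd/system/backup.timer  (hypothetical)
[Timer]
OnCalendar=daily

# WRONG override: /etc/systemd/system/backup.timer.d/override.conf
# OnCalendar= is list-valued, so this does not replace "daily", it adds a second
# trigger: the timer now elapses both daily and hourly.
[Timer]
OnCalendar=hourly

# RIGHT override: an empty assignment resets the list, then the new expression is set.
[Timer]
OnCalendar=
OnCalendar=hourly
```

`systemctl cat backup.timer` shows the shipped unit together with every drop-in, and `systemctl list-timers backup.timer` shows the next elapse actually scheduled. The same reset-then-set rule applies to the monotonic settings (OnBootSec=, OnUnitActiveSec= and friends), since an empty assignment to any of them clears all timer expressions of the unit.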
* pid1: add new kernel cmdline arg systemd.cpu_affinity= (Lennart Poettering, 2020-04-27; 1 file, -0/+11)
  Let's allow configuration of the CPU affinity via the kernel cmdline, overriding CPUAffinity= in /etc/systemd/system.conf

  Prompted by: https://lists.freedesktop.org/archives/systemd-devel/2019-November/043754.html

  (cherry picked from commit 68d58f38693e586b5ce5785274f8e42a79625196)
  Resolves: #1812894
* cgroup: introduce support for cgroup v2 CPUSET controller [tag v239-27] (Pavel Hrdina, 2020-02-21; 1 file, -0/+30)
  Introduce support for configuring cpus and mems for processes using the cgroup v2 CPUSET controller. This allows users to limit which cpus and memory NUMA nodes can be used by processes to better utilize system resources.

  The cgroup v2 interfaces to control it are cpuset.cpus and cpuset.mems where the requested configuration is written. However, it doesn't mean that the requested configuration will be actually used as the parent cgroup may limit the cpus or mems as well.

  In order to reflect the real configuration cgroup v2 provides read-only files cpuset.cpus.effective and cpuset.mems.effective which are exported to users as well.

  (cherry picked from commit 047f5d63d7a1ab75073f8485e2f9b550d25b0772)
  Related: #1724617
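Added example for the two CPU-related entries above: the cpuset controls from this entry and CPUQuotaPeriodSec= from the 2020-06-08 entry. It is written for this page and is not taken from the man pages. AllowedCPUs= and AllowedMemoryNodes= are the directive names introduced by the cited upstream commit; the slice, service, binary, CPU and node numbers are hypothetical.

```ini
# /etc/systemd/system/batch.slice  (hypothetical, constructed for this example)
[Slice]
# cgroup v2 cpuset controller: confine the subtree to CPUs 4-7 and NUMA node 1.
# The kernel may narrow this further if a parent is itself restricted; the
# cpuset.cpus.effective / cpuset.mems.effective files hold what is really in force.
AllowedCPUs=4-7
AllowedMemoryNodes=1

# /etc/systemd/system/batch-crunch.service  (hypothetical child of batch.slice)
[Service]
Slice=batch.slice
# Half a CPU, accounted over a 10 ms CFS period instead of the 100 ms default, so a
# burst is throttled after 5 ms of runtime instead of 50 ms (lower latency impact on
# neighbours, slightly more scheduler overhead).
CPUQuota=50%
CPUQuotaPeriodSec=10ms
ExecStart=/usr/bin/crunch
```

`systemctl show -p EffectiveCPUs -p EffectiveMemoryNodes batch.slice` reads back the two effective files (those are the property names the upstream commit exports for them). Two caveats a practitioner should keep in mind: the cpuset controller is cgroup v2 only, so on a v239-based system it needs the unified hierarchy enabled; and CPUQuotaPeriodSec= is clamped to [1ms, 1s] and then raised so that quota times period is at least 1ms. CPUQuota=5% with a 10ms period therefore does not give 0.5ms of runtime per 10ms but 1ms per 20ms: the same 5%, at coarser granularity, which `systemctl show -p CPUQuotaPeriodUSec` will reveal.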
* core: imply NNP and SUID/SGID restriction for DynamicUser=yes service [tag v239-26] (Lennart Poettering, 2020-02-19; 1 file, -6/+10)
  Let's be safe, rather than sorry. This way DynamicUser=yes services can neither take benefit of, nor create SUID/SGID binaries.

  Given that DynamicUser= is a recent addition only we should be able to get away with turning this on, even though this is strictly speaking a binary compatibility breakage.

  (cherry picked from commit bf65b7e0c9fc215897b676ab9a7c9d1c688143ba)
  Resolves: #1687512
* man: document the new RestrictSUIDSGID= setting (Lennart Poettering, 2020-02-19; 1 file, -12/+29)
  (cherry picked from commit 7445db6eb70e8d5989f481d0c5a08ace7047ae5b)
  Related: #1687512
* sd-event: add sd_event_source_disable_unref() helper (Zbigniew Jędrzejewski-Szmek, 2020-02-06; 2 files, -12/+22)
  (cherry picked from commit afd15bbb4b6414b9356799c63029e36642dae8e4)
  Related: CVE-2020-1712
* cryptsetup: add documentation for keyfile-timeout (shinygold, 2019-12-18; 1 file, -1/+13)
  (cherry picked from commit 4e1334512debb27f4a0c4a6da237a4b8d59fea08)
  Related: #1763155
* debug-generator: enable custom systemd.debug_shell tty [tag v239-20] (Jan Synacek, 2019-12-05; 2 files, -4/+10)
  (cherry picked from commit 93912e872fb14e9c372e090409e429084a6450f5)
  Resolves: #1723722
* core: introduce NUMAPolicy and NUMAMask options (Michal Sekletár, 2019-12-05; 2 files, -0/+47)
  Make it possible to set the NUMA allocation policy for the manager. The manager's policy is by default inherited by all forked-off processes. However, it is possible to override the policy on a per-service basis.

  Currently we support these policies: default, prefer, bind, interleave, local. See man 2 set_mempolicy for details on each policy.

  The overall NUMA policy actually consists of two parts: the policy itself and a bitmask representing the NUMA nodes where the policy is effective. The node mask can be specified using the related option, NUMAMask. The default mask can be overwritten on a per-service level.

  (cherry-picked from commit fe9c54b2188e6cd23262a319f96b13215f2c5e9c)
  Resolves: #1734787
* pid1: parse CPUAffinity= in incremental fashion (Zbigniew Jędrzejewski-Szmek, 2019-12-05; 2 files, -6/+9)
  This makes the handling of this option match what we do in unit files. I think consistency is important here.

  (As it happens, it is the only option in system.conf that is "non-atomic", i.e. where there's a list of things which can be split over multiple assignments. All other options are single-valued, so there's no issue of how to handle multiple assignments.)

  (cherry picked from commit 61fbbac1d517a0b3498a689c736c6ca918497904)
  Related: #1734787
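Added example tying together the manager-level placement settings from this entry (incremental CPUAffinity= in system.conf), the NUMAPolicy=/NUMAMask= entry above it, and the systemd.cpu_affinity= kernel argument entry further up. It is constructed for this page, not copied from the commits or man pages; the file paths are the real ones, the CPU and node numbers and the service name are made up.

```ini
# /etc/systemd/system.conf  (fragment; CPU and node numbers chosen for the example)
[Manager]
# Successive assignments are merged, exactly as in unit files: the manager gets CPUs 0-3.
CPUAffinity=0 1
CPUAffinity=2-3
# An empty assignment would discard everything accumulated so far:
# CPUAffinity=
# Manager-wide NUMA policy, inherited by every service the manager forks unless the
# service overrides it. bind refuses allocations outside the mask instead of spilling.
NUMAPolicy=bind
NUMAMask=0

# /etc/systemd/system/latency.service.d/numa.conf  (hypothetical per-service override)
[Service]
# preferred falls back to other nodes when node 1 is exhausted, so it is the safer
# choice for a service whose working set is not known in advance.
NUMAPolicy=preferred
NUMAMask=1
# Pin this service's own affinity; the manager's mask above is only the inherited default.
CPUAffinity=2 3
```

Booting with `systemd.cpu_affinity=0,1` on the kernel command line takes precedence over the CPUAffinity= lines in system.conf, which is handy for a one-off recovery boot without editing the file. One caveat on the NUMA side: with NUMAPolicy=bind the kernel fails allocations once the masked nodes are full rather than using another node, so a too-small NUMAMask= turns a memory-pressure event into an out-of-memory kill of the service.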
* core: implement per unit journal rate limiting (Anita Zhang, 2019-10-21; 2 files, -1/+23)
  Add LogRateLimitIntervalSec= and LogRateLimitBurst= options for services. If provided, these values get passed to the journald client context, and those values are used in the rate limiting function in the journal over the journald.conf values.

  Part of #10230

  (cherry picked from commit 90fc172e191f44979005a524521112f2bd1ff21b)
  Resolves: #1719577
* udev: introduce CONST key name (Jan Synacek, 2019-10-21; 1 file, -0/+26)
  Currently, there is no way to match against system-wide constants, such as architecture or virtualization type, without forking helper binaries. That potentially results in a huge number of spawned processes which always output the same answer.

  This patch introduces a special CONST keyword which takes a hard-coded string as its key and returns a value assigned to that key. Currently implemented are CONST{arch} and CONST{virt}, which can be used to match against the system's architecture and virtualization type.

  (based on commit 4801d8afe2ff1c1c075c9f0bc5631612172e0bb7)
  Resolves: #1762679
* man: reorder and add examples to systemd-analyze(1) (Zbigniew Jędrzejewski-Szmek, 2019-09-25; 1 file, -249/+429)
  The number of verbs supported by systemd-analyze has grown quite a bit, and the man page has become an unreadable wall of text. Let's put each verb in a separate subsection, grouping similar verbs together, and add a lot of examples to guide the user.

  (cherry picked from commit d323a99001c1f7625e8ac902e18deb514a4ca18d)
  Related: #1750343
* man: document systemd-analyze security (Jan Synacek, 2019-09-25; 1 file, -0/+29)
  (cherry-picked from commit ee93c1e664a7bbc59f1578e285c871999507b14d)
  Resolves: #1750343
* man: note that journal does not validate syslog fields (Jan Synacek, 2019-07-26; 1 file, -0/+5)
  (cherry picked from commit 63ea8032f28052f7cda860e5324c0a83dee7ed23)
  Resolves: #1707175
* man: document the new Type=exec type (Lennart Poettering, 2019-05-03; 2 files, -71/+97)
  And while we are at it, let's rearrange and extend the Type= documentation a bit. Let's make it an itemized list, and let's add a paragraph explaining which type best to use.

  (cherry picked from commit 79905a246d645d21633f09f564b3672d5085a85c)
  Resolves: #1683334
* meson: allow building resolved and machined without nss modules (Yu Watanabe, 2019-05-03; 4 files, -6/+6)
  This adds -Dnss-resolve= and -Dnss-mymachines= meson options. By using these options, e.g., resolved can be built without nss-resolve. When no nss modules are built, then test-nss is not built either.

  Also, this changes the option name -Dmyhostname= to -Dnss-myhostname= for consistency with other nss related options.

  Closes #9596.

  (cherry picked from commit 08540a9591efe105439be81fc43d6dc65b715978)
  Resolves: #1696224
* cryptsetup-generator: introduce basic keydev support (Michal Sekletar, 2018-12-11; 1 file, -0/+14)
  Dracut has support for unlocking encrypted drives with a keyfile stored on the external drive. This support is included in the generated initrd only if the systemd module is not included. When systemd is used in the initrd then attachment of encrypted drives is handled by the systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev).

  This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for the keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After the crypt device is attached we automatically unmount the device where the keyfile resides.

  Example:

  rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV

  (cherry-picked from commit 70f5f48eb891b12e969577b464de61e15a2593da)
  Resolves: #1656869
* debug-generator: introduce rd.* version of all options (Lukas Nykryn, 2018-12-04; 1 file, -8/+19)
  (cherry picked from commit a7dd6d04b07f58df5c0294743d76df0be0b4b928)
  Resolves: #1643429
* cryptsetup: add support for sector-size= option (#9936) (Dimitri John Ledkov, 2018-10-29; 1 file, -0/+9)
  Bug-Ubuntu: https://launchpad.net/bugs/1776626

  Closes #8881.

  (cherry picked from commit a9fc640671ef60ac949f1ace6fa687ff242fc233)
  Resolves: #1572563
* Revert "udev: remove WAIT_FOR key" (Michal Sekletar, 2018-08-02; 1 file, -0/+9)
  This reverts commit f2b8052fb648b788936dd3e85be6a9aca90fbb2f.

  Resolves: #1523213
* pid1: bump DefaultTasksMax to 80% of the kernel pid.max value (rpm-build, 2018-08-02; 1 file, -1/+1)
  This should be hopefully high enough even for the very big deployments.

  Resolves: #1523236
* logind: set RemoveIPC to false by default (rpm-build, 2018-08-02; 1 file, -1/+1)
  Resolves: #1523233
* man: small fixups for systemd-boot(8) (Zbigniew Jędrzejewski-Szmek, 2018-06-22; 1 file, -4/+4)
  - "UEFI firmware" is a name, no need for an article
  - The specification is more than "recommendation"
* man: correct the meaning of TimeoutStopSec= (#9325) (Jan Synacek, 2018-06-22; 1 file, -6/+6)
  Fixes: #9325
* man: systemd.offline-updates: Document system-update-pre.target usage (Hans de Goede, 2018-06-21; 1 file, -0/+11)
* condition: add new condition ConditionSecurity=uefi-secureboot (Lennart Poettering, 2018-06-20; 1 file, -8/+6)
  We have the detector call for this anyway, and it's useful for conditioning out dbxtool.service, hence let's add this tiny new option.
* Merge pull request #9363 from yuwata/specifier-config-dir (Zbigniew Jędrzejewski-Szmek, 2018-06-20; 1 file, -0/+5)
  core: add unit specifier for configuration directory root
  * core: add unit specifier for configuration directory root (Yu Watanabe, 2018-06-21; 1 file, -0/+5)
    Follow-up for 14068e17f32a06e6a1f8f72416018bc653b8ea2d.
* man: update systemd-boot(7) man page in many ways (Lennart Poettering, 2018-06-20; 1 file, -38/+56)
  Let's fully document where the list of entries comes from, including unified images and such.

  Let's add a "Files" section (replacing the "Configuration" section), and let's move it after the keybinding section (why? because keybinds are primary UI material, while configuration is one level more complex than that).

  Also, reword lots of stuff to make it more precise.

  Fixes: #5127
* man: fix URL to BLS (Lennart Poettering, 2018-06-20; 3 files, -5/+4)
  Let's refer to our own version now.
* units: make system-update-pre.target a passive unit (#9349) (Lennart Poettering, 2018-06-20; 1 file, -6/+9)
  This is an additional synchronization point normally not needed. Hence, let's make it passive, i.e. pull it in from the unit which wants to be ordered before the update service rather than by the update service itself.
* tree-wide: drop copyright headers from frequent contributors (Zbigniew Jędrzejewski-Szmek, 2018-06-20; 32 files, -62/+0)
  Fixes #9320.

  for p in Shapovalov Chevalier Rozhkov Sievers Mack Herrmann Schmidt Rudenberg Sahani Landden Andersen Watanabe; do
    git grep -e 'Copyright.*'$p -l|xargs perl -i -0pe 's|/([*][*])?[*]\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\s*[*]([*][*])?/\n*|\n|gms; s|\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\n*|\n|gms'
  done
* units: Add new system-update-pre.target (Hans de Goede, 2018-06-19; 1 file, -0/+1)
  systemd offline-updates allows dropping multiple system update units to be added to system-update.target.wants. As documented in systemd.offline-updates(7) only 1 of these units should actually be active (based on the /system-update symlink) and when that unit is done it should reboot the system.

  In some cases it is desirable to run a unit whenever booting in offline-updates mode independent of which update unit is going to handle the update. One example of this is integration with bootloader code which checks if the previous boot was successful.

  Since the active unit will reboot the system when it is done, there is no guarantee that adding such a unit to system-update.target.wants will get it executed always.

  This commit adds a system-update-pre.target which can be used for units which should always run when booting in offline-updates mode.
* man: avoid "predicate" in coredumpctl match description (Zbigniew Jędrzejewski-Szmek, 2018-06-19; 1 file, -3/+4)
  "Predicate" might not be clear to everyone, it is a CS term.

  Fixes #9324.
* Merge pull request #9307 from yuwata/man-sd-boot (Zbigniew Jędrzejewski-Szmek, 2018-06-15; 4 files, -60/+71)
  man: use systemd-boot instead of sd-boot
  * man: re-format man page for bootctl (Yu Watanabe, 2018-06-15; 1 file, -42/+52)
  * man: use systemd-boot instead of sd-boot (Yu Watanabe, 2018-06-15; 4 files, -19/+20)
* seccomp: add new system call filter, suitable as default whitelist for system services (Lennart Poettering, 2018-06-14; 1 file, -0/+12)
  Currently we employ mostly system call blacklisting for our system services. Let's add a new system call filter group @system-service that helps turning this around into a whitelist by default.

  The new group is very similar to nspawn's default filter list, but in some ways more restricted (as sethostname() and suchlike shouldn't be available to most system services just like that) and in others more relaxed (for example @keyring is blocked in nspawn since it's not properly virtualized yet in the kernel, but is fine for regular system services).
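Added example of a service unit that puts three of the entries on this page together: the @system-service allow-list from this entry, DynamicUser= implying NoNewPrivileges= and RestrictSUIDSGID= (the 2020-02-19 entries), and systemd-analyze security (2019-09-25) as the check. It is written for this page and is not a unit shipped by systemd; the exporter service, its binary and its account are hypothetical.

```ini
# /etc/systemd/system/exporter.service  (hypothetical service, constructed for this example)
[Unit]
Description=Metrics exporter with an allow-list seccomp filter

[Service]
ExecStart=/usr/bin/exporter
# Transient UID/GID. Since the 2020-02-19 change this also implies NoNewPrivileges=yes
# and RestrictSUIDSGID=yes: the service can neither exec a setuid helper to gain
# privileges nor leave SUID/SGID files behind in its writable directories.
DynamicUser=yes
# Allow-list instead of deny-list: @system-service is the baseline for an ordinary
# daemon. A later negative assignment removes groups from the allow-list, so the
# exporter loses the privileged, resource-limit and mount calls it never needs.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount
# Without this a 32-bit ABI call could bypass a filter written for the native ABI.
SystemCallArchitectures=native

# Equivalent explicit hardening for a service that must keep a static account
# (nothing is implied here, both settings have to be spelled out):
[Service]
User=exporter
NoNewPrivileges=yes
RestrictSUIDSGID=yes
```

`systemctl show -p NoNewPrivileges -p RestrictSUIDSGID exporter.service` confirms the two implied settings for the DynamicUser= variant, and `systemd-analyze security exporter.service` lists every sandboxing option with its exposure weight and an overall score. One caveat: with an allow-list the default action for a filtered call is to kill the process with SIGSYS, so run the real workload under the filter and watch for that signal in the journal (coredumpctl names the offending system call) before shipping the unit.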
* Merge pull request #9301 from keszybz/man-drop-authorgroup (Lennart Poettering, 2018-06-14; 259 files, -2361/+0)
  man: drop unused <authorgroup> tags from man sources
  * man: drop unused <authorgroup> tags from man sources (Zbigniew Jędrzejewski-Szmek, 2018-06-14; 259 files, -2361/+0)
    Docbook styles required those to be present, even though the templates that we use did not show those names anywhere. But something changed semi-recently (I would suspect docbook templates, but there was only a minor version bump in recent years, and the changelog does not suggest anything related), and builds now work without those entries. Let's drop this dead weight.

    Tested with F26-F29, debian unstable.

    $ perl -i -0pe 's/\s*<authorgroup>.*<.authorgroup>//gms' man/*xml
* Drop my copyright headers (Zbigniew Jędrzejewski-Szmek, 2018-06-14; 52 files, -102/+0)
  perl -i -0pe 's/\s*Copyright © .... Zbigniew Jędrzejewski.*?\n/\n/gms' man/*xml
  git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/(#\n)?# +Copyright © [0-9, -]+ Zbigniew Jędrzejewski.*?\n//gms'
  git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s*\/\*\*\*\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*?\s*\*\*\*\/\s*/\n\n/gms'
  git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*//gms'
* tree-wide: beautify remaining copyright statements (Lennart Poettering, 2018-06-14; 95 files, -99/+99)
  Let's unify and beautify our remaining copyright statements, with a unicode ©. This means our copyright statements are now always formatted the same way. Yay.