path: root/man
Columns: commit message; author, age (date), files changed, lines removed/added
* core: Try to initialize TERM from systemd.tty.term.console as well
  Daan De Meyer, 2023-05-12, 1 file, -2/+4

  We already have the systemd.tty.xxx kernel cmdline arguments for configuring tty's for services, let's make sure the term cmdline argument applies to pid1 as well.

* Merge pull request #27539 from esposem/ukify_pesign
  Luca Boccassi, 2023-05-11, 1 file, -3/+31

  ukify: support pesign as alternative to sbsign

  * ukify: support pesign as alternative to sbsign
    Emanuele Giuseppe Esposito, 2023-05-10, 1 file, -2/+30

    sbsign is not available everywhere, for example RHEL does not have it. Add pesign as alternative to it.

    pesign will use options "--secureboot-certificate-name" (mandatory) and "--secureboot-certificate-dir" (optional), while sbsign will use "--secureboot-private-key" and "--secureboot-certificate".

    By default, use sbsign. If no key/cert is provided or sbsign is not found, try pesign.

    Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>

  * ukify: typo in doc and print when package is missing
    Emanuele Giuseppe Esposito, 2023-05-10, 1 file, -1/+1

    If a package is missing, a subprocess is started with None as command argument. Error raised by subprocess is therefore not helpful at all to understand what needs to be done to fix that error.

    Also fix doc since systemd-stub will look for .cmdline files, and not .cmdline.efi files.

    Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>

* tmpfiles: Add merge support for copy files action
  Daan De Meyer, 2023-05-10, 1 file, -9/+9

  If '+' is specified with 'C', let's merge the tree with any existing tree.

* doc: remove legacy DefaultControlGroup from dbus properties
  Miao Wang, 2023-05-08, 1 file, -4/+0

  DefaultControlGroup does not exist any more.
* crypttab: Support for VeraCrypt PIM and detached headers for TrueCrypt/VeraCrypt (#27548)
  Klaus Zipfel, 2023-05-06, 1 file, -5/+23

  - Added veracrypt-pim=<PIM> LUKS option for crypttab

* Merge pull request #27262 from keszybz/ukify-install
  Zbigniew Jędrzejewski-Szmek, 2023-05-06, 1 file, -194/+325

  Add kernel-install plugin that calls ukify

  * man: describe all the changes to ukify
    Zbigniew Jędrzejewski-Szmek, 2023-05-05, 1 file, -194/+325

    As in mkosi(1), let's describe the config file and commandline options together. This is nice for us, because we don't need to duplicate descriptions and we're less likely to forget to update one place or the other. This is also nice for users, because they can easily figure out what can be configured where.

    The options are now ordered by config file section.

    --summary was not described before.

    More examples are added.

* man: small fixes to systemd.time Calendar Events
  Christopher Gurnee, 2023-05-05, 1 file, -2/+2

* sd-daemon: add sd_pid_notify_barrier() call and use it in systemd-notify
  Lennart Poettering, 2023-05-03, 1 file, -2/+12

  Previously we'd honour --pid= from the main notification we send, but not from the barrier. This is confusing at best. Let's fix that.

* man: clarify RoutingPolicyRule.TypeOfService docs
  Brad Fitzpatrick, 2023-04-30, 1 file, -1/+10

* core/systemctl: when switching root default to /sysroot/
  Lennart Poettering, 2023-04-28, 1 file, -9/+10

  We hardcode the path the initrd uses to prepare the final mount point at so many places, let's also imply it in "systemctl switch-root" if not specified.

  This adds the fallback both to systemctl and to PID 1 (this is because both do different checks on the path).

* Merge pull request #25622 from YHNdnzj/tmpfiles-X-bit-support
  Mike Yuan, 2023-04-27, 1 file, -7/+9

  tmpfiles: add conditionalized execute permission (X) support

  * tmpfiles: add conditionalized execute bit (X) support
    Mike Yuan, 2023-04-27, 1 file, -7/+9

    According to setfacl(1), "the character X stands for the execute permission if the file is a directory or already has execute permission for some user."

    After this commit, parse_acl() would return 3 acl objects. The newly-added acl_exec object contains entries that are subject to conditionalized execute bit mangling. In tmpfiles, we would iterate the acl_exec object, check the permission of the target files, and remove the execute bit if necessary.

    Here's an example entry:

        A /tmp/test - - - - u:test:rwX

    Closes #25114

* core: add DelegateSubgroup= setting
  Lennart Poettering, 2023-04-27, 2 files, -4/+56

  This implements a minimal subset of #24961, but in a lot more restrictive way: we only allow one level of subcgroup (as that's enough to address the no-processes in inner cgroups rule), and does not change anything about threaded cgroup logic or similar, or make any of this new behaviour mandatory.

  All this does is this: all non-control processes we invoke for a unit we'll invoke in a subgroup by the specified name.

  We'll later port all our current services that use cgroup delegation over to this, i.e. user@.service, systemd-nspawn@.service and systemd-udevd.service.

* man: use ukify more in systemd-measure examples
  Zbigniew Jędrzejewski-Szmek, 2023-04-27, 2 files, -71/+90

  ukify supports signing with multiple keys, so show an example of this, and just let ukify print the calls to systemd-measure that will be done.

  This also does other small cleanups:
  - Use more realistic names in examples
  - Use $ as the prompt for commands that don't require root (most don't). Once we switch to operations that don't require a TPM, we should be able to get rid of the remaining calls that require root.
  - Ellipsize or linebreak various parts
  - Use --uname. We warn if it is not specified and we have to do autodetection, so let's nudge people towards including it rather than not.

  Follow-up for e069c57f0616d39363d36ac7f9c3e6ec8be01ab1.
* ukify: allow building PE addon
  Luca Boccassi, 2023-04-26, 1 file, -9/+24

  Make the kernel optional too, so that we can easily build and sign a PE addon, that can be used to carry extra command line options.

* Merge pull request #27398 from yuwata/udev-rule-negative-match
  Zbigniew Jędrzejewski-Szmek, 2023-04-26, 1 file, -6/+9

  udev-rule: fix negative match

  * udev-rules: fix negative match rule for SYMLINK and TAG
    Yu Watanabe, 2023-04-26, 1 file, -6/+9

    Fixes #27396.

* creds: make --pretty behave in a slightly more expected manner
  Frantisek Sumsal, 2023-04-25, 1 file, -1/+2

* Support /etc/system-update for OSTree systems
  Eric Curtin, 2023-04-25, 3 files, -25/+32

  This is required when / is immutable and cannot be written at runtime.

  Co-authored-by: Richard Hughes <richard@hughsie.com>

* Merge pull request #27347 from bluca/sd_bus_nonce
  Lennart Poettering, 2023-04-25, 44 files, -44/+44

  sd: avoid closing sd-bus in a fork, store module-global id for sd-bus/sd-session/sd-journal

  * sd-event: store and compare per-module static origin id
    Luca Boccassi, 2023-04-25, 21 files, -21/+21

    sd-event objects use hashmaps, which use module-global state, so it is not safe to pass a sd-event object created by a module instance to another module instance (e.g.: when two libraries static linking sd-event are pulled in a single process).

    Initialize a random per-module origin id and store it in the object, and compare it when entering a public API, and error out if they don't match, together with the PID.

  * sd-journal: store and compare per-module static origin id
    Luca Boccassi, 2023-04-25, 1 file, -1/+1

    sd-journal objects use hashmaps, which use module-global state, so it is not safe to pass a sd-journal object created by a module instance to another module instance (e.g.: when two libraries static linking sd-journal are pulled in a single process).

    Initialize a random per-module origin id and store it in the object, and compare it when entering a public API, and error out if they don't match, together with the PID.

  * sd-bus: store and compare per-module static origin id
    Luca Boccassi, 2023-04-25, 22 files, -22/+22

    sd-bus objects use hashmaps, which use module-global state, so it is not safe to pass a sd-bus object created by a module instance to another module instance (e.g.: when two libraries static linking sd-bus are pulled in a single process).

    Initialize a random per-module origin id and store it in the object, and compare it when entering a public API, and error out if they don't match, together with the PID.

* sd-daemon: add sd_pid_notifyf_with_fds()
  Lennart Poettering, 2023-04-25, 2 files, -7/+24

  I guess it was only a question of time until we need to add the final frontier of notification functions: one that combines the features of all the others:

  1. specifying a source PID
  2. taking a list of fds to send along
  3. accepting a format string for the status string

  Hence, let's add it.

* man: /usr/lib/systemd/random-seed -> /usr/lib/systemd/systemd-random-seed
  Vitaly Kuznetsov, 2023-04-25, 1 file, -1/+1

  /usr/lib/systemd/random-seed is not a thing.

  Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>

* sd-login: add SetTTY session object #26611
  Thorsten Kukuk, 2023-04-25, 1 file, -0/+8
* Merge pull request #27113 from keszybz/variable-expansion-rework
  Zbigniew Jędrzejewski-Szmek, 2023-04-24, 1 file, -1/+62

  Rework serialization of command lines in pid1 and make run not expand variables

  * run: expand variables also with --scope
    Zbigniew Jędrzejewski-Szmek, 2023-04-24, 1 file, -5/+6

    This makes syntax be the same for commands which are started by the manager and those which are spawned directly (when --scope is used).

    Before:

        $ systemd-run -q -t echo '$TERM'
        xterm-256color
        $ systemd-run -q --scope echo '$TERM'
        $TERM

    Now:

        $ systemd-run -q --scope echo '$TERM'
        xterm-256color

    Previous behaviour can be restored via --expand-environment=no:

        $ systemd-run -q --scope --expand-environment=no echo '$TERM'
        $TERM

    Fixes #22948.

    At some level, this is a compat break. Fortunately --scope is not very widely used, so I think we can get away with this. Having different syntax depending on whether --scope was used or not was bad UX. A NEWS entry will be required.

  * man/systemd-run: add examples explaining how variable expansion is performed
    Zbigniew Jędrzejewski-Szmek, 2023-04-24, 1 file, -0/+36

  * run: add --expand-environment=no to disable server-side envvar expansion
    Zbigniew Jędrzejewski-Szmek, 2023-04-24, 1 file, -1/+25

    This uses StartExecEx to get the equivalent of ExecStart=:. StartExecEx was added in b3d593673c5b8b0b7d781fd26ab2062ca6e7dbdb, so this will not work with older systemds. A hint is emitted if we get an error indicating lack of support. PID1 returns SD_BUS_ERROR_PROPERTY_READ_ONLY, but I'm checking for SD_BUS_ERROR_UNKNOWN_PROPERTY too for safety.

* man: fix LogControl1 manpage example
  Luca Boccassi, 2023-04-24, 1 file, -8/+8

  Follow-up for c6b8fffdfaf1f7c9a1dac73e1e54993a06c766c0

* man: clarify sd_bus_default
  Luca Boccassi, 2023-04-22, 1 file, -7/+8

  It picks the bus based on the cgroup slice.

* man: add working example to LogControl1 manpage
  Luca Boccassi, 2023-04-22, 2 files, -0/+246

  Add fully working and documented example that can be copied and pasted

* Merge pull request #27349 from mrc0mmand/codespell
  Luca Boccassi, 2023-04-20, 6 files, -6/+6

  tree-wide: code spelling fixes

  * tree-wide: code spelling fixes
    Frantisek Sumsal, 2023-04-20, 6 files, -6/+6

    As reported by Fossies.

* Apply known iocost solutions to block devices
  Gustavo Noronha Silva, 2023-04-20, 2 files, -0/+77

  Meta's resource control demo project[0] includes a benchmark tool that can be used to calculate the best iocost solutions for a given SSD.

  [0]: https://github.com/facebookexperimental/resctl-demo

  A project[1] has now been started to create a publicly available database of results that can be used to apply them automatically.

  [1]: https://github.com/iocost-benchmark/iocost-benchmarks

  This change adds a new tool that gets triggered by a udev rule for any block device and queries the hwdb for known solutions. The format for the hwdb file that is currently generated by the github action looks like this:

      # This file was auto-generated on Tue, 23 Aug 2022 13:03:57 +0000.
      # From the following commit:
      # https://github.com/iocost-benchmark/iocost-benchmarks/commit/ca82acfe93c40f21d3b513c055779f43f1126f88
      #
      # Match key format:
      # block:<devpath>:name:<model name>:

      # 12 points, MOF=[1.346,1.346], aMOF=[1.249,1.249]
      block:*:name:HFS256GD9TNG-62A0A:fwver:*:
        IOCOST_SOLUTIONS=isolation isolated-bandwidth bandwidth naive
        IOCOST_MODEL_ISOLATION=rbps=1091439492 rseqiops=52286 rrandiops=63784 wbps=192329466 wseqiops=12309 wrandiops=16119
        IOCOST_QOS_ISOLATION=rpct=0.00 rlat=8807 wpct=0.00 wlat=59023 min=100.00 max=100.00
        IOCOST_MODEL_ISOLATED_BANDWIDTH=rbps=1091439492 rseqiops=52286 rrandiops=63784 wbps=192329466 wseqiops=12309 wrandiops=16119
        IOCOST_QOS_ISOLATED_BANDWIDTH=rpct=0.00 rlat=8807 wpct=0.00 wlat=59023 min=100.00 max=100.00
        IOCOST_MODEL_BANDWIDTH=rbps=1091439492 rseqiops=52286 rrandiops=63784 wbps=192329466 wseqiops=12309 wrandiops=16119
        IOCOST_QOS_BANDWIDTH=rpct=0.00 rlat=8807 wpct=0.00 wlat=59023 min=100.00 max=100.00
        IOCOST_MODEL_NAIVE=rbps=1091439492 rseqiops=52286 rrandiops=63784 wbps=192329466 wseqiops=12309 wrandiops=16119
        IOCOST_QOS_NAIVE=rpct=99.00 rlat=8807 wpct=99.00 wlat=59023 min=75.00 max=100.00

  The IOCOST_SOLUTIONS key lists the solutions available for that device in the preferred order for higher isolation, which is a reasonable default for most client systems. This can be overridden to choose better defaults for custom use cases, like the various data center workloads.

  The tool can also be used to query the known solutions for a specific device or to apply a non-default solution (say, isolation or bandwidth).

  Co-authored-by: Santosh Mahto <santosh.mahto@collabora.com>
* Merge pull request #27327 from DaanDeMeyer/hotplug
  Lennart Poettering, 2023-04-20, 3 files, -3/+20

  kmod-setup: Add early loading for virtio_console

  * log: Add knob to disable kmsg ratelimiting
    Daan De Meyer, 2023-04-20, 3 files, -3/+20

    This allows us to disable kmsg ratelimiting in the integration tests and mkosi for easier debugging.

* man: try to make clearer that /var/ is generally not available in /usr/lib/systemd/system-shutdown/ callouts
  Lennart Poettering, 2023-04-20, 1 file, -32/+25

  I made the mistake to look into what is installed into /usr/lib/systemd/system-shutdown/ on Fedora. fwdupd among other things assumes /var/ is available from these callouts, though it is not in the general case. Hence, let's emphasize this in the documentation a bit more.

* fsck: look for fsck binary not just in /sbin
  Florian Klink, 2023-04-15, 1 file, -4/+4

  This removes remaining hardcoded occurrences of `/sbin/fsck`, and instead uses `find_executable` to find `fsck`. We also use `fsck_exists_for_fstype` to check for the `fsck.*` executable, which also checks in `$PATH`, so it's fair to assume fsck itself is also available.

* preset: Add ignore directive
  Daan De Meyer, 2023-04-14, 1 file, -12/+12

  The ignore directive specifies to not do anything with the given unit and leave existing configuration intact. This allows distributions to gradually adopt preset files by shipping an "ignore *" preset file.

* man/systemd-cryptenroll: update list of PCRs, link to uapi docs
  Zbigniew Jędrzejewski-Szmek, 2023-04-14, 1 file, -159/+177

  Entia non sunt multiplicanda praeter necessitatem ("entities are not to be multiplied beyond necessity"). We had a list of PCRs in the man page which was already half out-of-date. Instead, link to web page with the "authoritative" list.

  Here, drop the descriptions of what shim and grub do. Instead, just give some short descriptions and mention what systemd components do. systemd-pcrmachine.service and systemd-pcrfs@.service are now mentioned too.

  https://github.com/uapi-group/specifications/commit/d0e590b1e2648e76ece66157ceade3f45b165b14 extended the table in the specs repo. https://github.com/uapi-group/specifications/pull/59 adds some more text there too.

  Also, rework the recommendation: hint that PCR 11 is useful, and recommend binding to policy signatures instead of direct PCR values. This new text is intentionally vague: doing this correctly is hard, but let's at least not imply that just binding to PCR 7 is useful in any way.

  Also, change "string alias" to "name" in discussion of PCR names.

  Inspired by https://discussion.fedoraproject.org/t/future-of-encryption-in-fedora/80397/17

* user units: implicitly enable PrivateUsers= when sandboxing options are set
  Luca Boccassi, 2023-04-13, 1 file, -2/+6

  Enabling these options when not running as root requires a user namespace, so implicitly enable PrivateUsers=. This has a side effect as it changes which users are visible to the unit. However until now these options did not work at all for user units, and in practice just a handful of user units in Fedora, Debian and Ubuntu mistakenly used them (and they have been all fixed since).

  This fixes the long-standing confusing issue that the user and system units take the same options but the behaviour is wildly (and sometimes silently) different depending on which is which, with user units requiring manually specifying PrivateUsers= in order for sandboxing options to actually work and not be silently ignored.

* Synopsis and description of networkctl man page reflecting only part of its functionality (#27264)
  ZjYwMj, 2023-04-13, 1 file, -2/+2

  - Fix inaccurate synopsis, and description

  Before the fix, they reflected only part of networkctl functionality.

* systemd-confext: mount confexts as noexec and nosuid
  Luca Boccassi, 2023-04-14, 1 file, -1/+10

  Confexts should not contain code, so mount confexts with noexec. We cannot mount individual extensions as noexec, as the overlay ignores it and bypasses it, we need to use the flag on the whole overlay for it to be effective. But given there are legacy scripts still shipped in /etc, allow to override it with --noexec=false.

* systemd-cryptenroll: add string aliases for tpm2 PCRs
  OMOJOLA JOSHUA DAMILOLA, 2023-04-13, 1 file, -8/+38

  Fixes #26697. RFE.

* Merge pull request #18789 from gportay/veritysetup-add-options-for-parity-with-cryptsetup-verity-utility
  Lennart Poettering, 2023-04-13, 2 files, -1/+97

  veritysetup: Add options for parity support with the cryptsetup's verity utility