summaryrefslogtreecommitdiff
path: root/src/nspawn
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #10901 from poettering/startswith-listYu Watanabe2018-11-261-11/+4
|\ | | | | add new STARTSWITH_SET() macro
| * tree-wide: port more code over to PATH_STARTSWITH_SET()Lennart Poettering2018-11-261-11/+4
| |
* | cgroup: be more careful with which controllers we can enable/disable on a cgroupLennart Poettering2018-11-231-1/+1
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This changes cg_enable_everywhere() to return which controllers are enabled for the specified cgroup. This information is then used to correctly track the enablement mask currently in effect for a unit. Moreover, when we try to turn off a controller, and this works, then this is indicates that the parent unit might succesfully turn it off now, too as our unit might have kept it busy. So far, when realizing cgroups, i.e. when syncing up the kernel representation of relevant cgroups with our own idea we would strictly work from the root to the leaves. This is generally a good approach, as when controllers are enabled this has to happen in root-to-leaves order. However, when controllers are disabled this has to happen in the opposite order: in leaves-to-root order (this is because controllers can only be enabled in a child if it is already enabled in the parent, and if it shall be disabled in the parent then it has to be disabled in the child first, otherwise it is considered busy when it is attempted to remove it in the parent). To make things complicated when invalidating a unit's cgroup membershup systemd can actually turn off some controllers previously turned on at the very same time as it turns on other controllers previously turned off. In such a case we have to work up leaves-to-root *and* root-to-leaves right after each other. With this patch this is implemented: we still generally operate root-to-leaves, but as soon as we noticed we successfully turned off a controller previously turned on for a cgroup we'll re-enqueue the cgroup realization for all parents of a unit, thus implementing leaves-to-root where necessary.
* coccinelle: make use of SYNTHETIC_ERRNOZbigniew Jędrzejewski-Szmek2018-11-224-265/+204
| | | | | | | | | | | Ideally, coccinelle would strip unnecessary braces too. But I do not see any option in coccinelle for this, so instead, I edited the patch text using search&replace to remove the braces. Unfortunately this is not fully automatic, in particular it didn't deal well with if-else-if-else blocks and ifdefs, so there is an increased likelikehood be some bugs in such spots. I also removed part of the patch that coccinelle generated for udev, where we returns -1 for failure. This should be fixed independently.
* Merge pull request #10860 from keszybz/more-cleanup-2Lennart Poettering2018-11-211-0/+1
|\ | | | | Do more stuff from main macros
| * Split out pretty-print.c and move pager.c and main-func.h to shared/Zbigniew Jędrzejewski-Szmek2018-11-201-0/+1
| | | | | | | | | | This is high-level functionality, and fits better in shared/ (which is for our executables), than in basic/ (which is also for libraries).
* | nspawn: use EXIT_EXCEPTION where appropriateLennart Poettering2018-11-201-2/+3
|/
* Merge pull request #10753 from keszybz/pager-no-interruptLennart Poettering2018-11-141-1/+1
|\ | | | | Add mode in journalctl where ^C is handled by the pager
| * basic/pager: convert the pager options to a flags argumentZbigniew Jędrzejewski-Szmek2018-11-141-1/+1
| | | | | | | | | | Pretty much everything uses just the first argument, and this doesn't make this common pattern more complicated, but makes it simpler to pass multiple options.
* | nspawn: add a hint to the message we emit when a child diesZbigniew Jędrzejewski-Szmek2018-11-131-1/+2
|/ | | | | | | | | From #10526: $ sudo systemd-nspawn -i image Spawning container image on /home/zbyszek/src/mkosi/image. Press ^] three times within 1s to kill container. Short read while reading cgroup mode.
* nspawn: rework how we allocate/kill scopesLennart Poettering2018-11-093-3/+70
| | | | Fixes: #6347
* nspawn: merge two variable declaration linesLennart Poettering2018-11-091-2/+1
|
* nspawn: simplify machine terminate bus callLennart Poettering2018-11-093-29/+9
| | | | | | We have the machine name anyway, let's use TerminateMachine() on machined's Manager object directly with it. That way it's a single method call only, instead of two, to terminate the machine.
* nspawn: make use of the new sd_bus_set_close_on_exit() call in nspawnLennart Poettering2018-11-091-0/+4
|
* tree-wide: set WRITE_STRING_FILE_DISABLE_BUFFER flag when we write files ↵Yu Watanabe2018-11-062-4/+4
| | | | under /proc or /sys
* nspawn: beef up netns checking a bit, for compat with old kernelsLennart Poettering2018-10-311-3/+5
| | | | Fixes: #10544
* nspawn: add proper error message if setns() on network namespace fd failsLennart Poettering2018-10-311-1/+1
| | | | Addresses: https://github.com/systemd/systemd/pull/10589#issuecomment-434670595
* sd-device: make sd_device_get_is_initialized() returns is_initialized by ↵Yu Watanabe2018-10-291-4/+3
| | | | return value
* add ephemeral to nspawn-settings.Jiuyang liu2018-10-243-3/+10
|
* systemd-nspawn: do not crash on /var/log/journal creation if not requiredZbigniew Jędrzejewski-Szmek2018-10-221-12/+10
| | | | | | | | When running a read-only file system, we might not be able to create /var/log/journal. Do not fail on this, unless actually requested by the --link-journal options. $ systemd-nspawn --image=image.squashfs ...
* nspawn: do not include '%m' in log message if errno is zeroYu Watanabe2018-10-201-1/+1
|
* Merge pull request #10389 from poettering/nspawn-path-fixYu Watanabe2018-10-191-0/+11
|\ | | | | nspawn $PATH execvpe() fix
| * nspawn: use container $PATH (not host $PATH) when searching for PID 1 ↵Lennart Poettering2018-10-181-0/+11
| | | | | | | | | | | | binaries to execute Fixes: #10377
* | tree-wide: introduce setsockopt_int() helper and make use of it everywhereLennart Poettering2018-10-181-2/+2
| | | | | | | | | | | | As suggested by @heftig: https://github.com/systemd/systemd/commit/6d5e65f6454212cd400d0ebda34978a9f20cc26a#commitcomment-30938667
* | Merge pull request #10407 from yuwata/netlink-slotLennart Poettering2018-10-181-2/+2
|\ \ | |/ |/| sd-netlink: introduce sd_netlink_slot object and relevant functions
| * sd-netlink: make sd_netlink_slot take its descriptionYu Watanabe2018-10-161-2/+2
| |
| * sd-netlink: introduce sd_netlink_slotYu Watanabe2018-10-151-2/+2
| |
* | nspawn: TAKE_FD() is your friendLennart Poettering2018-10-151-11/+5
| |
* | tree-wide: use sockaddr_un_unlink() at two more places where appropriateLennart Poettering2018-10-151-1/+1
| |
* | tree-wide: add a single version of "static const int one = 1"Lennart Poettering2018-10-151-2/+1
| | | | | | | | | | | | | | | | | | | | All over the place we define local variables for the various sockopts that take a bool-like "int" value. Sometimes they are const, sometimes static, sometimes both, sometimes neither. Let's clean this up, introduce a common const variable "const_int_one" (as well as one matching "const_int_zero") and use it everywhere, all acorss the codebase.
* | tree-wide: use structured initialization for sockaddr_unLennart Poettering2018-10-151-3/+3
|/
* be consistent about sun_path lengthDavid Tardon2018-10-121-1/+1
| | | | | Most places use the whole buffer for name, without leaving extra space for the trailing NUL.
* nspawn: add comments explaining the namespacing situation and the ↵Lennart Poettering2018-10-091-0/+16
| | | | inner/outer children
* nspawn: optionally don't mount a tmpfs over /tmp (#10294)Lennart Poettering2018-10-083-3/+14
| | | | | | nspawn: optionally, don't mount a tmpfs on /tmp Fixes: #10260
* nspawn: when --quiet is passed, simply downgrade log messages to LOG_DEBUG ↵Lennart Poettering2018-09-261-10/+9
| | | | | | | | | | (#10181) With this change almost all log messages that are suppressed through --quiet are not actually suppressed anymore, but simply downgraded to LOG_DEBUG. Previously we did it this way for some log messages and fully suppressed them for others. With this it's pretty much systematic. Inspired by #10122.
* nspawn: chown() the legacy hierarchy when it's used in a containerEvgeny Vereshchagin2018-09-261-1/+1
| | | | | | | This is a follow-up to 720f0a2f3c928cc9379501a52146be9fbb4d9be2. Closes https://github.com/systemd/systemd/issues/10026 Closes https://github.com/systemd/systemd/issues/9563
* Merge pull request #10158 from keszybz/seccomp-log-tighteningLennart Poettering2018-09-261-11/+7
|\ | | | | Seccomp log tightening
| * seccomp: tighten checking of seccomp filter creationZbigniew Jędrzejewski-Szmek2018-09-241-9/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In seccomp code, the code is changed to propagate errors which are about anything other than unknown/unimplemented syscalls. I *think* such errors should not happen in normal usage, but so far we would summarilly ignore all errors, so that part is uncertain. If it turns out that other errors occur and should be ignored, this should be added later. In nspawn, we would count the number of added filters, but didn't use this for anything. Drop that part. The comments suggested that seccomp_add_syscall_filter_item() returned negative if the syscall is unknown, but this wasn't true: it returns 0. The error at this point can only be if the syscall was known but couldn't be added. If the error comes from our internal whitelist in nspawn, treat this as error, because it means that our internal table is wrong. If the error comes from user arguments, warn and ignore. (If some syscall is not known at current architecture, it is still silently ignored.)
| * seccomp: reduce logging about failure to add syscall to seccompZbigniew Jędrzejewski-Szmek2018-09-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Our logs are full of: Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call oldstat() / -10037, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call get_thread_area() / -10076, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call set_thread_area() / -10079, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call oldfstat() / -10034, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call oldolduname() / -10036, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call oldlstat() / -10035, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call waitpid() / -10073, ignoring: Numerical argument out of domain ... This is pointless and makes debug logs hard to read. Let's keep the logs in test code, but disable it in nspawn and pid1. This is done through a function parameter because those functions operate recursively and it's not possible to make the caller to log meaningfully. There should be no functional change, except the skipped debug logs.
* | fs-util: make symlink_idempotent() optionally create relative linkYu Watanabe2018-09-241-2/+2
|/
* nspawn: suppress one more log message when --quiet is passedYu Watanabe2018-09-191-1/+2
| | | | Fixes #10119.
* tree-wide: use typesafe_qsort()Yu Watanabe2018-09-191-10/+4
|
* tests: use a helper function to parse environment and open loggingZbigniew Jędrzejewski-Szmek2018-09-141-3/+2
| | | | | The advantages are that we save a few lines, and that we can override logging using environment variables in more test executables.
* nspawn: use copy-static if systemd-resolved is up and image is writableafg2018-09-121-6/+1
|
* nspawn: always use mode 555 for /sysFranck Bui2018-09-111-1/+1
| | | | | | | | | | | | | When a network namespace is needed, /sys is mounted as tmpfs (see commit d8fc6a000fe21b0c1ba27f for details). But in this case mode 755 was used as initial permissions for /sys whereas the default mode for sysfs is 555. In practice using 755 doesn't have any impact because /sys is mounted read-only too but for consistency, let's use the correct mode. Fixes: #10050
* nspawn: replace udev_device by sd_deviceYu Watanabe2018-08-232-34/+16
|
* Merge pull request #9783 from poettering/get-user-creds-flagsZbigniew Jędrzejewski-Szmek2018-08-211-2/+30
|\ | | | | beef up get_user_creds() a bit and other improvements
| * nspawn: add two missing OOM checksLennart Poettering2018-08-201-0/+5
| |
| * nspawn: make sure to create /dev/char/x:y symlinks in nspawn containers tooLennart Poettering2018-08-201-2/+25
| | | | | | | | | | On the host udev creates these, but they are useful API, hence create them in nspawn containers too.
* | tree-wide: add clickable man page link to all --help textsLennart Poettering2018-08-201-4/+15
| | | | | | | | | | | | | | | | | | | | This is a bit like the info link in most of GNU's --help texts, but we don't do info but man pages, and we make them properly clickable on terminal supporting that, because awesome. I think it's generally advisable to link up our (brief) --help texts and our (more comprehensive) man pages a bit, so this should be an easy and straight-forward way to do it.
View Lorry Controller Status