path: root/sysctl.d
Commit message | Author | Age | Files | Lines
* Enable regular file and FIFO protection | Lucas Werkmeister | 2019-01-16 | 1 | -0/+4
  These sysctls were added in Linux 4.19 (torvalds/linux@30aba6656f), and we should enable them just like we enable the older hardlink/symlink protection since v199.
  Implements #11414.
* sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2 | Lubomir Rintel | 2018-11-28 | 1 | -1/+1
  This switches the RFC3704 Reverse Path filtering from Strict mode to Loose mode.
  The Strict mode breaks some pretty common and reasonable use cases, such as keeping connections via one default route alive after another one appears (e.g. plugging an Ethernet cable when connected via Wi-Fi). The strict filter also makes it impossible for NetworkManager to do connectivity check on a newly arriving default route (it starts with a higher metric and is bumped lower if there's connectivity).
  Kernel's default is 0 (no filter), but a Loose filter is good enough. The few use cases where a Strict mode could make sense can easily override this.
  The distributions that don't care about the client use cases and prefer a strict filter could just ship a custom configuration in /usr/lib/sysctl.d/ to override this.
* Revert "sysctl.d: request ECN on both in and outgoing connections" | Thomas Hindoe Paaboel Andersen | 2018-08-20 | 1 | -3/+0
  Turning on ECN still causes slow or broken network on linux. Our tcp is not yet ready for widespread use of ECN.
  This reverts commit 919472741dba6ad0a3f6c2b76d390a02d0e2fdc3.
* Drop my copyright headers | Zbigniew Jędrzejewski-Szmek | 2018-06-14 | 1 | -2/+0
  perl -i -0pe 's/\s*Copyright © .... Zbigniew Jędrzejewski.*?\n/\n/gms' man/*xml
  git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/(#\n)?# +Copyright © [0-9, -]+ Zbigniew Jędrzejewski.*?\n//gms'
  git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s*\/\*\*\*\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*?\s*\*\*\*\/\s*/\n\n/gms'
  git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*//gms'
* tree-wide: beautify remaining copyright statements | Lennart Poettering | 2018-06-14 | 1 | -1/+1
  Let's unify and beautify our remaining copyright statements, with a unicode ©. This means our copyright statements are now always formatted the same way. Yay.
* sysctl.d: request ECN on both in and outgoing connections (#9143) | Thomas H. P. Andersen | 2018-05-31 | 1 | -0/+3
  To further avoid bufferbloat Explicit Congestion Notification (ECN) should be enabled for both in and outgoing connections. The kernel default is to enable it when requested for incoming connections, but not to request it on outgoing connections. This patch enables it for both.
  A long time ago enabling these was causing problems, but these issues have since been dealt with.
  Fixes #9087.
* tree-wide: drop license boilerplate | Zbigniew Jędrzejewski-Szmek | 2018-04-06 | 1 | -13/+0
  Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt.
  I also kept any copyright lines. We can probably remove them, but it'd be nice to obtain explicit acks from all involved authors before doing that.
* coredump: accept hostname on command line (#8033) | Jakub Filak | 2018-02-15 | 1 | -1/+1
  This commit adds a new command line parameter to systemd-coredump. The parameter should be mapped to core_pattern's placeholder %h - hostname.
  The field _HOSTNAME holds the name from the kernel's namespaces which might be different than the one coming from process' namespaces.
  It is true that the real hostname is usually available in the field COREDUMP_ENVIRON (environment variables) but I believe it is more reliable to use the value passed by kernel.
  ----
  The length of iovec is no longer static and hence I corrected the declarations of the functions set_iovec_field and set_iovec_field_free. Thank you @yuwata and @poettering!
* Do not set `net.ipv4.conf.default.*` | Hristo Venev | 2017-12-05 | 1 | -3/+0
  It is redundant because in these cases the values in `net.ipv4.conf.all.*` take precedence. Also, setting the `default` does nothing for devices that already exist.
* Add license headers and SPDX identifiers to meson.build files | Zbigniew Jędrzejewski-Szmek | 2017-11-19 | 1 | -0/+17
  So far I avoided adding license headers to meson files, but they are pretty big and important and should carry license headers like everything else. I added my own copyright, even though other people modified those files too. But this is mostly symbolic, so I hope that's OK.
* build-sys: use #if Y instead of #ifdef Y everywhere | Zbigniew Jędrzejewski-Szmek | 2017-10-04 | 1 | -1/+1
  The advantage is that if the name is misspelled, cpp will warn us.
  $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/"
  $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;'
  $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g'
  $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g'
  + manual changes to meson.build
  squash! build-sys: use #if Y instead of #ifdef Y everywhere
  v2:
  - fix incorrect setting of HAVE_LIBIDN2
* build-sys: drop gitignore patterns for in-tree builds | Zbigniew Jędrzejewski-Szmek | 2017-07-18 | 1 | -1/+0
  ... and other autotools-generated files.
* build-sys: drop automake support | Zbigniew Jędrzejewski-Szmek | 2017-07-18 | 1 | -1/+0
  v2:
  - also mention m4
* meson: use booleans for conf.set and drop unecessary conditionals | Zbigniew Jędrzejewski-Szmek | 2017-05-02 | 1 | -1/+1
  Using conf.set() with a boolean argument does the right thing: either #ifdef or #undef. This means that conf.set can be used unconditionally.
  Previously I used '1' as the placeholder value, and that needs to be changed to 'true' for consistency (under meson 1 cannot be used in boolean context). All checks need to be adjusted.
* meson: reindent all files with 8 spaces | Zbigniew Jędrzejewski-Szmek | 2017-04-23 | 1 | -11/+9
  The indentation for emacs'es meson-mode is added .dir-locals. All files are reindented automatically, using the latest meson-mode from git. Indentation should now be fairly consistent.
* meson: use join_paths consistently | Michael Biebl | 2017-04-23 | 1 | -1/+1
  With -Dsplit-usr=true, we set rootprefix to /. This leads to //lib/systemd or //lib/udev for various dir variables. Using join_paths() avoids this.
* meson: create dirs and touch /usr | Zbigniew Jędrzejewski-Szmek | 2017-04-23 | 1 | -0/+3
  This is the equivalent of $(INSTALL_DIRS) and install-touch-usr-hook. I did not bother to create the directories into which we install files, since they will be created anyway.
  v2:
  - remove bashism
* meson: build systemd using meson | Zbigniew Jędrzejewski-Szmek | 2017-04-23 | 1 | -0/+20
  It's crucial that we can build systemd using VS2010!
  ... er, wait, no, that's not the official reason. We need to shed old systems by requiring python 3! Oh, no, it's something else. Maybe we need to throw out 345 years of knowledge accumulated in autotools? Whatever, this new thing is cool and shiny, let's use it.
  This is not complete, I'm throwing it out here for your amusement and critique.
  - rules for sd-boot are missing. Those might be quite complicated.
  - rules for tests are missing too. Those are probably quite simple and repetitive, but there's lots of them.
  - it's likely that I didn't get all the conditions right, I only tested "full" compilation where most deps are provided and nothing is disabled.
  - busname.target and all .busname units are skipped on purpose.
  Otherwise, installation into $DESTDIR has the same list of files as the autoconf install, except for .la files.
  It'd be great if people had a careful look at all the library linking options. I added stuff until things compiled, and in the end there's much less linking than in the old system. But it seems that there's still a lot of unnecessary deps.
  meson has a `shared_module` statement, which sounds like something appropriate for our nss and pam modules. Unfortunately, I couldn't get it to work. For the nss modules, we need an .so version of '2', but `shared_module` disallows the version argument. For the pam module, it also didn't work, I forgot the reason.
  The handling of .m4 and .in and .m4.in files is rather awkward. It's likely that this could be simplified. If make support is ever dropped, I think it'd make sense to switch to a different templating system so that two different languages are not required, which would make everything simpler yet.
  v2:
  - use get_pkgconfig_variable
  - use sh not bash
  - use add_project_arguments
  v3:
  - drop required:true and fix progs/prog typo
  v4:
  - use find_library('bz2')
  - add TTY_GID definition
  - define __SANE_USERSPACE_TYPES__
  - use join_paths(prefix, ...) is used on all paths to make them all absolute
  v5:
  - replace all declare_dependency's with []
  - add more conf.get guards around optional components
  v6:
  - drop -pipe, -Wall which are the default in meson
  - use compiler.has_function() and compiler.has_header_symbol instead of the hand-rolled checks.
  - fix duplication in 'liblibsystemd' library name
  - use the right .sym file for pam_systemd
  - rename 'compiler' to 'cc': shorter, and more idiomatic.
  v7:
  - use ENABLE_ENVIRONMENT_D not HAVE_ENVIRONMENT_D
  - rename prefix to prefixdir, rootprefix to rootprefixdir ("prefix" is too common of a name and too easy to overwrite by mistake)
  - wrap more stuff with conf.get('ENABLE...') == 1
  - use rootprefix=='/' and rootbindir as install_dir, to fix paths under split-usr==true.
  v8:
  - use .split() also for src/coredump. Now everything is consistent ;)
  - add rootlibdir option and use it on the libraries that require it
  v9:
  - indentation
  v10:
  - fix check for qrencode and libaudit
  v11:
  - unify handling of executable paths, provide options for all progs
    This makes the meson build behave slightly differently than the autoconf-based one, because we always first try to find the executable in the filesystem, and fall back to the default. I think different handling of loadkeys, setfont, and telinit was just a historical accident.
    In addition to checking in $PATH, also check /usr/sbin/, /sbin for programs. In Fedora $PATH includes /usr/sbin, (and /sbin is a symlink to /usr/sbin), but in Debian, those directories are not included in the path. C.f. https://github.com/mesonbuild/meson/issues/1576.
  - call all the options 'xxx-path' for clarity.
  - sort man/rules/meson.build properly so it's stable
* sysctl.d: replace URL of SysRq key documentation (#5274) | Peter Körner | 2017-02-08 | 1 | -1/+2
  The kernel documentation page is not distribution specific and also more likely to be up to date than the Fedora wiki page referenced previously.
* treewide: fix typos and remove accidental repetition of words | Torstein Husebø | 2016-07-11 | 1 | -1/+1
* coredump: honour RLIMIT_CORE when saving/processing coredumps | Lennart Poettering | 2016-02-10 | 1 | -1/+1
  With this change processing/saving of coredumps takes the RLIMIT_CORE resource limit of the crashing process into account, giving the user control whether specific processes shall core dump or not, and how large to make the core dump.
  Note that this effectively disables core-dumping for now, as RLIMIT_CORE defaults to 0 (i.e. is disabled) for all system processes.
* sysctl: use %P instead of %p in core pattern | Lennart Poettering | 2015-11-17 | 1 | -1/+1
  That way we'll get the PID on the host, rather than the one in a PID namespace. Which should make the coredump handler less confusing.
  Fixes #1930.
* core: bump net.unix.max_dgram_qlen really early during boot | Lennart Poettering | 2015-11-02 | 1 | -3/+0
  Only that way it actually has an effect on all our sockets, including $NOTIFY_SOCKET.
* sysctl.d: bump number of queueable AF_UNIX/SOCK_DGRAM datagrams | Lennart Poettering | 2015-10-31 | 1 | -0/+3
  The default of 16 is pretty low, let's bump this to accommodate for more queued datagrams. This is useful for AF_UNIX/SOCK_DGRAM logging and sd_notify() sockets as this allows queuing more datagrams before things start to block, thus improving parallelization and logging performance.
* sysctl: add some hints how to override settings | Zbigniew Jędrzejewski-Szmek | 2015-02-26 | 1 | -1/+8
  Also a link to decent documentation for sysrq keys. It is surprisingly hard to find.
  https://lists.fedoraproject.org/pipermail/devel/2015-February/208412.html
* sysctl.d: default to fq_codel, fight bufferbloat | Michal Schmidt | 2014-10-20 | 1 | -0/+3
  Quoting from Jon Corbet's report of Stephen Hemminger's talk at Linux Plumbers Conference 2014 (https://lwn.net/Articles/616241/):

    [...] So Stephen encouraged everybody to run a command like:

        sysctl -w net.core.default_qdisc=fq_codel

    That will cause fq_codel to be used for all future connections [Qdiscs apply to interfaces, not connections. Pointed out by TomH in the article comments. -- mschmidt] (up to the next reboot). Unfortunately, the default queuing discipline cannot be changed, since it will certainly disturb some user's workload somewhere.

  Let's have the recommended default in systemd.
  Thanks to Dave Täht for advice and the summary at https://lists.bufferbloat.net/pipermail/cerowrt-devel/2014-October/003701.html
* sysctl: always write net.ipv4.conf.all.xyz= in addition to net.ipv4.conf.default.xyz= | Lennart Poettering | 2014-08-15 | 1 | -0/+3
  Otherwise we have a boot-time race, where interfaces that popped up after the sysctl service would get the settings applied, but all others wouldn't.
* sysctl.d: enable promote_secondaries by default | Tom Gundersen | 2014-07-25 | 1 | -0/+3
  Without this, secondary addresses would get deleted when the primary one is. This is not the desired behavior when one would like to transition from one address to another in the same subnet (such as when a new IP address is given over DHCP).
  In networkd, when given a new IP over DHCP we will add it, without explicitly removing the old one first (and hence never have a window without an IP address configured). Assuming the addresses are in the same subnet, that means that the old address is the primary and the new address is the secondary one. Once the old address expires, the kernel will drop it. With the old behavior this means that both addresses would be lost, which is clearly not what we want. With the new behavior, only the old address is lost, and the new one is promoted to primary.
  Reported by Michael Olbrich <m.olbrich@pengutronix.de>
* man: add systemd-coredump(8) and a bunch of links | Zbigniew Jędrzejewski-Szmek | 2014-07-13 | 1 | -1/+3
* sysctl: default - add safe sysrq options | Kay Sievers | 2013-03-15 | 1 | -0/+3
* sysctl: add 50-default.conf | Kay Sievers | 2013-03-15 | 2 | -1/+22
* sysctl: coredump.conf -> 50-coredump.conf | Kay Sievers | 2013-03-15 | 1 | -0/+0
* man: fix compilation of example | Zbigniew Jędrzejewski-Szmek | 2013-03-07 | 1 | -1/+1
* relicense to LGPLv2.1 (with exceptions) | Lennart Poettering | 2012-04-12 | 1 | -2/+2
  We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+.
  Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd.
  The bits that used to be MIT continue to be MIT.
  The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
* journal: hook up coredumping with journal | Lennart Poettering | 2012-01-14 | 3 | -0/+12