summaryrefslogtreecommitdiff
path: root/tmpfiles.d
Commit message (Collapse)AuthorAgeFilesLines
* sysusers,tmpfiles: re-create systemd-network, systemd-resolve and ↵Yu Watanabe2018-07-161-3/+3
| | | | | | | | | | | | | | systemd-timesync This partially reverts d4e9e574ea0b5d23598a317e68399584d229568b, 0187368cadea183e18c6d575a9d6b7f491a402af, and 4240cb02fda90ba11dfc0114201e42691132c6a9. The services systemd-networkd, systemd-resolved, and systemd-timesyncd enable DynamicUsers= and have bus interfaces. Unfortunately, these has many problems now. Let us create the relevant users, at least, tentatively. Fixes #9503.
* tmpfiles: specify access mode for /run/systemd/netifYu Watanabe2018-06-251-3/+3
| | | | | | This partially reverts 2af767729489f6baa98a2641b2007acab44ed353. As the directories are certainly readable and not-writable by non-privileged users.
* tmpfile: do not specify mode and owner to /run/systemd/netifYu Watanabe2018-06-221-3/+3
| | | | Fixes #9369.
* Drop my copyright headersZbigniew Jędrzejewski-Szmek2018-06-141-2/+0
| | | | | | | perl -i -0pe 's/\s*Copyright © .... Zbigniew Jędrzejewski.*?\n/\n/gms' man/*xml git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/(#\n)?# +Copyright © [0-9, -]+ Zbigniew Jędrzejewski.*?\n//gms' git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s*\/\*\*\*\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*?\s*\*\*\*\/\s*/\n\n/gms' git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*//gms'
* tree-wide: beautify remaining copyright statementsLennart Poettering2018-06-141-1/+1
| | | | | | Let's unify an beautify our remaining copyright statements, with a unicode ©. This means our copyright statements are now always formatted the same way. Yay.
* add new portable service frameworkLennart Poettering2018-05-242-0/+5
| | | | | | | | | | | This adds a small service "systemd-portabled" and a matching client "portablectl", which implement the "portable service" concept. The daemon implements the actual operations, is PolicyKit-enabled and is activated on demand with exit-on-idle. Both the daemon and the client are an optional build artifact, enabled by default rhough.
* network: set DynamicUser= to systemd-networkd.serviceYu Watanabe2018-05-221-3/+3
|
* tmpfiles: create /var/{lib,log,cache}/private during early bootLennart Poettering2018-05-181-0/+4
| | | | | | | | | This directory is used by the DynamicUer= stuff when used in combination with StateDirectory=/LogDirectory=/CacheDirectory=. Let's make sure the dir exists early on with the right perms. This is not strictly necessary as we'll also create the dir on demand if it is missing, but in the interest of grabbing the name early on, and making things more explicit let's also list this in a tmpfiles.d/ snippet.
* meson: generate m4 preprocessor from config.h (#8914)Yu Watanabe2018-05-071-1/+1
|
* meson: install nspawn tmpfiles snippet only when machined is turned onLennart Poettering2018-04-171-1/+1
|
* tree-wide: drop license boilerplateZbigniew Jędrzejewski-Szmek2018-04-061-13/+0
| | | | | | | | | | Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt. I also kept any copyright lines. We can probably remove them, but it'd nice to obtain explicit acks from all involved authors before doing that.
* nologin: extend the /run/nologin descriptions a bit (#8244)Lennart Poettering2018-02-221-1/+1
| | | | | | | | | | | This is an attempt to improve #8228 a bit, by extending the /run/nologin a bit, but still keeping it somewhat brief. On purpose I used the vague wording "unprivileged user" rather than "non-root user" so that pam_nologin can be updated to disable its behaviour for members of the "wheel" group one day, and our messages would still make sense. See #8228.
* Add license headers and SPDX identifiers to meson.build filesZbigniew Jędrzejewski-Szmek2017-11-191-0/+17
| | | | | | | So far I avoided adding license headers to meson files, but they are pretty big and important and should carry license headers like everything else. I added my own copyright, even though other people modified those files too. But this is mostly symbolic, so I hope that's OK.
* resolved: create private stub resolve file for /etc/resolv.conf integration ↵Dimitri John Ledkov2017-10-241-1/+1
| | | | | | | | | | | (#7014) This creates a second private resolve.conf file which lists the stub resolver and the resolved acquired search domains. This runtime file should be used as a symlink target for /etc/resolv.conf such that non-nss based applications can resolve search domains. Fixes: #7009
* tmpfiles: remove old ICE and X11 sockets at boot (#6979)Frederic Crozat2017-10-061-5/+6
| | | | | | tmpfiles: remove old ICE and X11 sockets at boot When not using tmpfs based /tmp, leftover sockets might prevent X startup. Ensure directory is clean at boot time.
* tmpfiles: change btmp mode 0600 → 0660 (#6997)Lennart Poettering2017-10-041-1/+1
| | | | | As discussed in #6994. Fixes: #6994
* build-sys: s/ENABLE_RESOLVED/ENABLE_RESOLVE/Zbigniew Jędrzejewski-Szmek2017-10-041-1/+1
| | | | | | The configuration option was called -Dresolve, but the internal define was …RESOLVED. This options governs more than just resolved itself, so let's settle on the version without "d".
* build-sys: s/HAVE_UTMP/ENABLE_UTMP/Zbigniew Jędrzejewski-Szmek2017-10-041-1/+1
| | | | | "Have" should be about the external environment and dependencies. Anything which is a pure yes/no choice should be "enable".
* build-sys: use #if Y instead of #ifdef Y everywhereZbigniew Jędrzejewski-Szmek2017-10-041-3/+3
| | | | | | | | | | | | | | | The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
* tmpfiles.d/journal-nocow: fix typo (#6804)Lukáš Nykrýn2017-09-121-1/+1
|
* tmpfiles: drop systemd-remote.confYu Watanabe2017-08-082-18/+0
| | | | | | The directories are only used by the specific services, and created before the services are started. So, it is not necessary to create them by systemd-tmpfiles.
* build-sys: drop gitignore patterns for in-tree buildsZbigniew Jędrzejewski-Szmek2017-07-181-4/+0
| | | | ... and other autotools-generated files.
* build-sys: drop automake supportZbigniew Jędrzejewski-Szmek2017-07-181-1/+0
| | | | | v2: - also mention m4
* tmpfiles: create /var/log/lastlog if it does not existMichael Biebl2017-06-291-0/+1
| | | | | | | | | | Create /var/log/lastlog the same way we create utmp and wtmp. This is useful for stateless systems where /var is volatile and a missing /var/log/lastlog otherwise creates error messages like Jun 27 20:00:00 huron sshd[1234]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory Fixes #6234
* meson: do not use path separator for target name (#6177)Yu Watanabe2017-06-221-1/+1
| | | Fixes #6158.
* build: *really* install tmpfiles.d/systemd-remote.conf when necessary (#6061)Franck Bui2017-05-311-0/+2
| | | | | | | | | | | | | This fixes commit 5e354b22520bbb02e which was an attempt to avoid installation of tmpfiles.d/systemd-remote.conf when it was not needed (ie HAVE_REMOTE=false). Before this fix and with the autotool build, systemd-remote.conf was distributed and also installed (although it was empty) even though HAVE_REMOTE=false. That's what happens when doing last second changes without retesting... While at it, update tmpfiles.d/.gitignore (var.conf was missing as well since commit a083537e5d11b).
* build: only install tmpfiles.d/systemd-remote.conf when necessary (#6051)Franck Bui2017-05-302-13/+25
| | | | | Also only include the relevant parts for systemd-journal-remote and systemd-journal-upload when needed.
* tmpfiles: Remove unnecessary utmp file creation (#6006)codekipper2017-05-242-2/+4
| | | | If utmp is disabled (--disable-utmp) then there is no need to create the wtmp and btmp files.
* meson: use booleans for conf.set and drop unecessary conditionalsZbigniew Jędrzejewski-Szmek2017-05-021-2/+2
| | | | | | | | | Using conf.set() with a boolean argument does the right thing: either #ifdef or #undef. This means that conf.set can be used unconditionally. Previously I used '1' as the placeholder value, and that needs to be changed to 'true' for consistency (under meson 1 cannot be used in boolean context). All checks need to be adjusted.
* meson: reindent all files with 8 spacesZbigniew Jędrzejewski-Szmek2017-04-231-20/+19
| | | | | | | The indentation for emacs'es meson-mode is added .dir-locals. All files are reindented automatically, using the lasest meson-mode from git. Indentation should now be fairly consistent.
* meson: use join_paths consistentlyMichael Biebl2017-04-231-1/+1
| | | | | With -Dsplit-usr=true, we set rootprefix to /. This leads to //lib/systemd or //lib/udev for various dir variables. Using join_paths() avoids this.
* meson: create dirs and touch /usrZbigniew Jędrzejewski-Szmek2017-04-231-0/+5
| | | | | | | | | This is the equivalent of $(INSTALL_DIRS) and install-touch-usr-hook. I did not bother to create the directories into which we install files, since they will be created anyway. v2: - remove bashism
* meson: build systemd using mesonZbigniew Jędrzejewski-Szmek2017-04-231-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It's crucial that we can build systemd using VS2010! ... er, wait, no, that's not the official reason. We need to shed old systems by requring python 3! Oh, no, it's something else. Maybe we need to throw out 345 years of knowlege accumulated in autotools? Whatever, this new thing is cool and shiny, let's use it. This is not complete, I'm throwing it out here for your amusement and critique. - rules for sd-boot are missing. Those might be quite complicated. - rules for tests are missing too. Those are probably quite simple and repetitive, but there's lots of them. - it's likely that I didn't get all the conditions right, I only tested "full" compilation where most deps are provided and nothing is disabled. - busname.target and all .busname units are skipped on purpose. Otherwise, installation into $DESTDIR has the same list of files and the autoconf install, except for .la files. It'd be great if people had a careful look at all the library linking options. I added stuff until things compiled, and in the end there's much less linking then in the old system. But it seems that there's still a lot of unnecessary deps. meson has a `shared_module` statement, which sounds like something appropriate for our nss and pam modules. Unfortunately, I couldn't get it to work. For the nss modules, we need an .so version of '2', but `shared_module` disallows the version argument. For the pam module, it also didn't work, I forgot the reason. The handling of .m4 and .in and .m4.in files is rather awkward. It's likely that this could be simplified. If make support is ever dropped, I think it'd make sense to switch to a different templating system so that two different languages and not required, which would make everything simpler yet. v2: - use get_pkgconfig_variable - use sh not bash - use add_project_arguments v3: - drop required:true and fix progs/prog typo v4: - use find_library('bz2') - add TTY_GID definition - define __SANE_USERSPACE_TYPES__ - use join_paths(prefix, ...) is used on all paths to make them all absolute v5: - replace all declare_dependency's with [] - add more conf.get guards around optional components v6: - drop -pipe, -Wall which are the default in meson - use compiler.has_function() and compiler.has_header_symbol instead of the hand-rolled checks. - fix duplication in 'liblibsystemd' library name - use the right .sym file for pam_systemd - rename 'compiler' to 'cc': shorter, and more idiomatic. v7: - use ENABLE_ENVIRONMENT_D not HAVE_ENVIRONMENT_D - rename prefix to prefixdir, rootprefix to rootprefixdir ("prefix" is too common of a name and too easy to overwrite by mistake) - wrap more stuff with conf.get('ENABLE...') == 1 - use rootprefix=='/' and rootbindir as install_dir, to fix paths under split-usr==true. v8: - use .split() also for src/coredump. Now everything is consistent ;) - add rootlibdir option and use it on the libraries that require it v9: - indentation v10: - fix check for qrencode and libaudit v11: - unify handling of executable paths, provide options for all progs This makes the meson build behave slightly differently than the autoconf-based one, because we always first try to find the executable in the filesystem, and fall back to the default. I think different handling of loadkeys, setfont, and telinit was just a historical accident. In addition to checking in $PATH, also check /usr/sbin/, /sbin for programs. In Fedora $PATH includes /usr/sbin, (and /sbin is is a symlink to /usr/sbin), but in Debian, those directories are not included in the path. C.f. https://github.com/mesonbuild/meson/issues/1576. - call all the options 'xxx-path' for clarity. - sort man/rules/meson.build properly so it's stable
* tmpfiles.d: set primary group rights to r-w (#5265)lewo2017-02-071-6/+6
| | | | | | | | | | If the /var/log/journal directory is created with rigths 700, the application of an ACL rules without any primary group right sets it to 0. A chmod 755 on this file will then only set the ACL mask and let the ACL primary group right to 0. The directory is then unreadable for the primary group. This patch explicitly sets the primary group to avoid this problem. Fixes #5264.
* tmpfiles: automatically remove old private tmp dirs after rebootLennart Poettering2016-12-271-0/+4
| | | | | | | | Let's automatically destory per-unit private temporary directories, as they are created by PrivateTmp=yes on each boot, if we notice them to be around, in case they are left-overs from the last boot. Fixes: #4401
* treewide: fix typos and remove accidental repetition of wordsTorstein Husebø2016-07-111-1/+1
|
* resolved: respond to local resolver requests on 127.0.0.53:53Lennart Poettering2016-06-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In order to improve compatibility with local clients that speak DNS directly (and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process any queries made that way. Note that resolved does not implement a full DNS server on this port, but simply enough to allow normal, local clients to resolve RRs through resolved. Specifically it does not implement queries without the RD bit set (these are requests where recursive lookups are explicitly disabled), and neither queries with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with validation turned off). It also refuses zone transfers and obsolete RR types. All lookups done this way will be rejected with a clean error code, so that the client side can repeat the query with a reduced feature set. The code will set the DNSSEC AD flag however, depending on whether the data resolved has been validated (or comes from a local, trusted source). Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary, but this is only partially useful as DNS packets cannot carry IP scope data (i.e. the ifindex), and hence link-local addresses returned cannot be used properly (and given that LLMNR/mDNS are mostly about link-local communication this is quite a limitation). Also, given that DNS tends to use IDNA for non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1. In general this should improve compatibility with clients bypassing NSS but it is highly recommended for clients to instead use NSS or our native bus API. This patch also beefs up the DnsStream logic, as it reuses the code for local TCP listening. DnsStream now provides proper reference counting for its objects. In order to avoid feedback loops resolved will no silently ignore 127.0.0.53 specified as DNS server when reading configuration. resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave the latter free for local, external DNS servers or forwarders. This also changes the "etc.conf" tmpfiles snippet to create a symlink from /etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this stub the default mode of operation if /etc is not populated.
* tmpfiles: don't set the x bit for volatile system journal when ACL support ↵Franck Bui2016-05-031-3/+6
| | | | | | | | | | | | | | | | | | | | | is enabled (#3079) When ACL support is enabled, systemd-tmpfiles-setup service sets the following ACL entries to the volatile system journal: $ getfacl /run/log/journal/*/system.journal getfacl: Removing leading '/' from absolute path names # file: run/log/journal/xxx/system.journal # owner: root # group: systemd-journal user::rwx group::r-- group:wheel:r-x group:adm:r-x mask::r-x other::--- This patch makes sure that the exec bit is not set anymore for the volatile system journals.
* build-sys: allow references to adm group to be omitted (#3150)Franck Bui2016-05-011-5/+18
|
* build-sys: allow references to wheel group to be omittedZbigniew Jędrzejewski-Szmek2016-02-171-4/+15
| | | | https://github.com/systemd/systemd/issues/2492
* tmpfiles: drop /run/lock/lockdevMartin Pitt2016-02-011-8/+0
| | | | | | | | Hardly any software uses that any more, and better locking mechanisms like flock() have been available for many years. Also drop the corresponding "lock" group from sysusers.d/basic.conf.in, as nothing else is using this.
* journal-remote: change owner of /var/log/journal/remote and create ↵Yu Watanabe2016-01-151-2/+4
| | | | /var/lib/systemd/journal-upload
* tmpfiles: set acls on system.journal explicitlyZbigniew Jędrzejewski-Szmek2015-11-291-0/+2
| | | | https://github.com/systemd/systemd/issues/1397
* tmpfiles: also set acls on /var/log/journalZbigniew Jędrzejewski-Szmek2015-11-291-0/+2
| | | | | | | | This way, directories created later for containers or for journald-remote, will be readable by adm & wheel groups by default, similarly to /var/log/journal/%m itself. https://github.com/systemd/systemd/issues/1971
* tmpfiles.d: change all subvolumes to use quotaLennart Poettering2015-10-224-6/+6
| | | | | Let's make sure the subvolumes we create fit into a sensible definition of a quota tree.
* smack: label /etc/mtab as "_" when '--with-smack-run-label' is enabled.Sangjung Woo2015-09-101-0/+3
| | | | | | | | /etc/mtab should be labeled as "_", even though systemd has its own smack label using '--with-smack-run-label' configuration. This is mainly because all processes could read that file and the origin of this file (i.e. /proc/mounts) is labeled as "_". This labels /etc/mtab as "_" when '--with-smack-run-label' is enabled.
* tmpfiles: don't recursively descend into journal directories in /varLennart Poettering2015-07-091-1/+1
| | | | | | | | | | | | | | | Do so only in /run. We shouldn't alter ACLs for existing files in /var, but only for new files. If the admin made changes to the ACLs they shouls stay in place. We should still do recursive ACL changes for files in /run, since those are not persistent, and will hence lack ACLs on every boot. Also, /var/log/journal might be quit large, /run/log/journal is usually not, hence we should avoid the recursive descending on /var, but not on /run. Fixes #534
* tmpfiles: automatically remove old machine snapshots at bootLennart Poettering2015-06-152-1/+23
| | | | | | | | | | | | | | | Remove old temporary snapshots, but only at boot. Ideally we'd have "self-destroying" btrfs snapshots that go away if the last last reference to it does. To mimic a scheme like this at least remove the old snapshots on fresh boots, where we know they cannot be referenced anymore. Note that we actually remove all temporary files in /var/lib/machines/ at boot, which should be safe since the directory has defined semantics. In the root directory (where systemd-nspawn --ephemeral places snapshots) we are more strict, to avoid removing unrelated temporary files. This also splits out nspawn/container related tmpfiles bits into a new tmpfiles snippet to systemd-nspawn.conf
* tmpfiles: Fix comment typoColin Guthrie2015-06-011-1/+1
|
* tmpfiles: create /etc/resolv.conf symlink only on bootZbigniew Jędrzejewski-Szmek2015-05-211-1/+1
| | | | | | | | | | We will create the symlink on boot as a fallback to provide name resolution. But if the symlink was removed afterwards, it most likely should not be recreated. Creating it only on boot also solves the issue where it would be created prematurely during installation, before the system was actually booted. https://bugzilla.redhat.com/show_bug.cgi?id=1197204