summaryrefslogtreecommitdiff
path: root/units/systemd-machined.service.in
Commit message (Collapse)AuthorAgeFilesLines
* add CAP_LINUX_IMMUTABLE to systemd-machined, so it can handle machinectl ↵Dan Streetman2022-09-161-1/+1
| | | | | | read-only requests Without this, the 'machinectl read-only ...' command always fails.
* meson: use jinja2 for unit templatesZbigniew Jędrzejewski-Szmek2021-05-191-2/+2
| | | | | | | | | We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit.
* license: LGPL-2.1+ -> LGPL-2.1-or-laterYu Watanabe2020-11-091-1/+1
|
* man,units: link to the new dbus-api man pagesZbigniew Jędrzejewski-Szmek2020-09-301-1/+2
|
* units: disable ProtectKernelLogs for machinedGuillaume Douézan-Grard2020-03-021-1/+0
| | | | | | | | | | | machined needs access to the host mount namespace to propagate bind mounts created with the "machinectl bind" command. However, the "ProtectKernelLogs" directive relies on mount namespaces to make the kernel ring buffer inaccessible. This commit removes the "ProtectKernelLogs=yes" directive from machined service file introduced in 6168ae5. Closes #14559.
* units: set ProtectKernelLogs=yes on relevant unitsKevin Kuehler2019-11-151-0/+1
| | | | | | We set ProtectKernelLogs=yes on all long running services except for udevd, since it accesses /dev/kmsg, and journald, since it calls syslog and accesses /dev/kmsg.
* meson: allow WatchdogSec= in services to be configuredZbigniew Jędrzejewski-Szmek2019-10-251-1/+1
| | | | | | | | | | | | | | | | As discussed on systemd-devel [1], in Fedora we get lots of abrt reports about the watchdog firing [2], but 100% of them seem to be caused by resource starvation in the machine, and never actual deadlocks in the services being monitored. Killing the services not only does not improve anything, but it makes the resource starvation worse, because the service needs cycles to restart, and coredump processing is also fairly expensive. This adds a configuration option to allow the value to be changed. If the setting is not set, there is no change. My plan is to set it to some ridiculusly high value, maybe 1h, to catch cases where a service is actually hanging. [1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html [2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
* units: enable ProtectHostname=yesTopi Miettinen2019-02-201-0/+1
|
* units: set NoNewPrivileges= for all long-running servicesLennart Poettering2018-11-121-7/+8
| | | | | | | | | | | | | | | | | Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219
* units: switch from system call blacklist to whitelistLennart Poettering2018-06-141-1/+2
| | | | | | | | | | | | | | | | | | | | | This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this this means the new @system-service system call filter group will get serious real-life testing quickly. This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise. Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this shiuld be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.
* Add SPDX license headers to unit filesZbigniew Jędrzejewski-Szmek2017-11-191-0/+2
|
* units: prohibit all IP traffic on all our long-running services (#6921)Lennart Poettering2017-10-041-0/+1
| | | Let's lock things down further.
* units: set LockPersonality= for all our long-running services (#6819)Lennart Poettering2017-09-141-0/+1
| | | | Let's lock things down. Also, using it is the only way how to properly test this to the fullest extent.
* units: use https for the freedesktop url (#6227)AsciiWolf2017-06-281-1/+1
|
* machined: add RequiresMountsFor=/var/lib/machinesFelipe Sateler2017-06-211-0/+1
| | | | | Since any part of the path could be remote mounted, make sure they are before starting machined
* units: make use of @reboot and @swap in our long-running service ↵Lennart Poettering2017-02-091-1/+1
| | | | | | SystemCallFilter= settings Tighten security up a bit more.
* units: set SystemCallArchitectures=native on all our long-running servicesLennart Poettering2017-02-091-0/+1
|
* units: further lock down our long-running servicesLennart Poettering2016-09-251-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
* units: machined needs mount-related syscalls for its namespacing operationsLennart Poettering2016-06-211-1/+1
| | | | | | | | Specifically "machinectl shell" (or its OpenShell() bus call) is implemented by entering the file system namespace of the container and opening a TTY there. In order to enter the file system namespace, chroot() is required, which is filtered by SystemCallFilter='s @mount group. Hence, let's make this work again and drop @mount from the filter list.
* units: tighten system call filters a bitLennart Poettering2016-06-131-1/+1
| | | | | Take away kernel keyring access, CPU emulation system calls and various debug system calls from the various daemons we have.
* units: add a basic SystemCallFilter (#3471)Topi Miettinen2016-06-091-0/+1
| | | | | | | Add a line SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace for daemons shipped by systemd. As an exception, systemd-timesyncd needs @clock system calls and systemd-localed is not privileged. ptrace(2) is blocked to prevent seccomp escapes.
* units: enable MemoryDenyWriteExecute (#3459)Topi Miettinen2016-06-081-0/+1
| | | | | Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute. Closes: #3459
* machined: add CAP_MKNOD to capabilities to run with (#3116)Lennart Poettering2016-04-251-1/+1
| | | | | | Container images from Debian or suchlike contain device nodes in /dev. Let's make sure we can clone them properly, hence pass CAP_MKNOD to machined. Fixes: #2867 #465
* units: increase watchdog timeout to 3min for all our servicesLennart Poettering2015-09-291-1/+1
| | | | | | | | Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services. See #1353 for an example where this triggers.
* units: add more caps to machinedLennart Poettering2015-07-271-1/+1
| | | | | | | | | | | Otherwise copying full directory trees between container and host won't work, as we cannot access some fiels and cannot adjust the ownership properly on the destination. Of course, adding these many caps to the daemon kinda defeats the purpose of the caps lock-down... but well... Fixes #433
* machined: move logic for bind mounting into containers from machinectl to ↵Lennart Poettering2015-02-171-6/+5
| | | | | | | machined This extends the bus interface, adding BindMountMachine() for bind mounting directories from the host into the container.
* Revert "units: add SecureBits"Lennart Poettering2015-02-111-1/+0
| | | | | | | | This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47. Apparently this doesn't work. http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
* units: add SecureBitsTopi Miettinen2015-02-111-0/+1
| | | | | | No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
* machined/machinectl: add logic to show list of available imagesLennart Poettering2014-12-191-1/+1
| | | | | | | | | This adds a new bus call to machined that enumerates /var/lib/container and returns all trees stored in it, distuingishing three types: - GPT disk images, which are files suffixed with ".gpt" - directory trees - btrfs subvolumes
* machinectl: show /etc/os-release information of container in status outputLennart Poettering2014-07-031-1/+1
|
* units: add missing caps so that GetAddresses() can workLennart Poettering2014-06-191-1/+1
|
* units: fix minor typoLennart Poettering2014-06-061-1/+1
|
* core: rename ReadOnlySystem= to ProtectSystem= and add a third value for ↵Lennart Poettering2014-06-041-2/+2
| | | | | | | | | | also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
* core: add new ReadOnlySystem= and ProtectedHome= settings for service unitsLennart Poettering2014-06-031-0/+2
| | | | | | | | | | | | | | ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
* core: enable PrivateNetwork= for a number of our long running services where ↵Lennart Poettering2014-03-191-0/+1
| | | | this is useful
* units: make use of PrivateTmp=yes and PrivateDevices=yes for all our ↵Lennart Poettering2014-03-191-0/+2
| | | | long-running daemons
* units: systemd-machined now exits on idle and we shouldn't try to restart it ↵Lennart Poettering2013-12-231-2/+0
| | | | then
* event: hook up sd-event with the service watchdog logicLennart Poettering2013-12-111-0/+1
| | | | | | | | | | | | | Adds a new call sd_event_set_watchdog() that can be used to hook up the event loop with the watchdog supervision logic of systemd. If enabled and $WATCHDOG_USEC is set the event loop will ping the invoking systemd daemon right after coming back from epoll_wait() but not more often than $WATCHDOG_USEC/4. The epoll_wait() will sleep no longer than $WATCHDOG_USEC/4*3, to make sure the service manager is called in time. This means that setting WatchdogSec= in a .service file and calling sd_event_set_watchdog() in your daemon is enough to hook it up with the watchdog logic.
* machined: run machined at minimal capabilitiesLennart Poettering2013-07-191-0/+1
|
* units: add references to bus API documentation to logind+machinedLennart Poettering2013-07-191-1/+1
|
* machined: split out machine registration stuff from logindLennart Poettering2013-07-021-0/+19
Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.
View Lorry Controller Status