| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
| |
Create a private cgroup tree associated with no controllers, and use it
to map PIDs to sessions. Since we use our own path structure, remove
internal cgroup-related helpers that interpret the cgroup path structure
to pull out users, slices, and scopes.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* elogind does not support systemd services and units. But at least
the units are needed to support the systemd cgroup slice/scope
system.
* Remove systemd subscription to scope, service and slice jobs.
These can not be supported in any way, as they depend on systemd
running the machine.
* The functions session_start_scope(), user_start_service() and
user_start_slice() no longer try to call systemd via dbus for
assistance.
This way they generate their proper scope, service and slice names,
and store them in the Managers HashMaps for session and user units.
This should enable us to reverse track pids to users and such
stuff, as that is what systemd-logind does, not knowing whether any
unit *really* has been started or not.
However, this will not work out of the box until we find a way to
integrate cg_create_everywhere() into elogind without becoming
dependent of systemd unit, service and job knowledge again.
|
| |
|
|
| |
during git am transfer.
|
| |
|
|
|
| |
Prep v220: Update logind and loginctl to upstream version.
Prep v220: src/shared/rm-rf.c does not need to be able to handle btrfs subvolumes for elogind.
|
| |
|
|
|
|
|
| |
Create a private cgroup tree associated with no controllers, and use it
to map PIDs to sessions. Since we use our own path structure, remove
internal cgroup-related helpers that interpret the cgroup path structure
to pull out users, slices, and scopes.
|
| |
|
|
|
|
| |
This removes attempts by logind to listen to systemd messages over the
bus, and to start and/or manage units associated with sessions and
users.
|
| |
|
|
|
|
|
|
|
|
| |
* src/login/logind-user.c (user_start): Don't start slices and
systemd-user services.
* src/login/logind-dbus.c (method_create_session): Send a reply directly
instead of waiting on systemd that isn't there.
* configure.ac: Bump version.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, this had a race condition during a user's first login.
Some component calls CreateSession (most likely by a PAM service
other than 'systemd-user' running pam_systemd), with the following
results:
- logind:
* create the user's XDG_RUNTIME_DIR
* tell pid 1 to create user-UID.slice
* tell pid 1 to start user@UID.service
Then these two processes race:
- logind:
* save information including XDG_RUNTIME_DIR to /run/systemd/users/UID
- the subprocess of pid 1 responsible for user@service:
* start a 'systemd-user' PAM session, which reads XDG_RUNTIME_DIR
and puts it in the environment
* run systemd --user, which requires XDG_RUNTIME_DIR in the
environment
If logind wins the race, which usually happens, everything is fine;
but if the subprocesses of pid 1 win the race, which can happen
under load, then systemd --user exits unsuccessfully.
To avoid this race, we have to write out /run/systemd/users/UID
even though the service has not "officially" started yet;
previously this did an early-return without saving anything.
Record its state as OPENING in this case.
Bug: https://github.com/systemd/systemd/issues/232
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
| |
|
|
|
| |
As discussed in #257: we should ensure the selinux label is correctly
applied to each user's XDG_RUNTIME_DIR.
|
| |
|
|
| |
Let's use it as initializer where appropriate.
|
| |
|
|
|
|
|
| |
Fix CID 1304686: Dereference after null check (FORWARD_NULL)
However, this commit does not fix any bug in logind. It helps to keep
the elect_display_compare() function generic.
|
| | |
|
| |
|
|
|
| |
This makes path_is_mount_point() consistent with fd_is_mount_point() wrt.
flags.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous implementation of user_elect_display() could easily end up
overwriting the user’s valid graphical session with a new TTY session.
For example, consider the situation where there is one session:
c1, type = SESSION_X11, !stopping, class = SESSION_USER
it is initially elected as the user’s display (i.e. u->display = c1).
If another session is started, on a different VT, the sessions_by_user
list becomes:
c1, type = SESSION_X11, !stopping, class = SESSION_USER
c2, type = SESSION_TTY, !stopping, class = SESSION_USER
In the previous code, graphical = c1 and text = c2, as expected.
However, neither graphical nor text fulfil the conditions for setting
u->display = graphical (because neither is better than u->display), so
the code falls through to check the text variable. The conditions for
this match, as u->display->type != SESSION_TTY (it’s actually
SESSION_X11). Hence u->display is set to c2, which is incorrect, because
session c1 is still valid.
Refactor user_elect_display() to use a more explicit filter and
pre-order comparison over the sessions. This can be demonstrated to be
stable and only ever ‘upgrade’ the session to a more graphical one.
https://bugs.freedesktop.org/show_bug.cgi?id=90769
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A variety of changes:
- Make sure all our calls distuingish OOM from other errors if OOM is
not the only error possible.
- Be much stricter when parsing escaped paths, do not accept trailing or
leading escaped slashes.
- Change unit validation to take a bit mask for allowing plain names,
instance names or template names or an combination thereof.
- Refuse manipulating invalid unit name
|
| | |
|
| |
|
|
|
|
|
|
| |
- Move to its own file rm-rf.c
- Change parameters into a single flags parameter
- Remove "honour sticky" logic, it's unused these days
|
| |
|
|
|
|
|
| |
Create a private cgroup tree associated with no controllers, and use it
to map PIDs to sessions. Since we use our own path structure, remove
internal cgroup-related helpers that interpret the cgroup path structure
to pull out users, slices, and scopes.
|
| |
|
|
|
|
| |
This removes attempts by logind to listen to systemd messages over the
bus, and to start and/or manage units associated with sessions and
users.
|
| |
|
|
|
|
|
|
|
|
| |
* src/login/logind-user.c (user_start): Don't start slices and
systemd-user services.
* src/login/logind-dbus.c (method_create_session): Send a reply directly
instead of waiting on systemd that isn't there.
* configure.ac: Bump version.
|
| |
|
|
|
|
| |
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use.
|
| | |
|
| |
|
|
|
|
| |
After all it is now much more like strjoin() than strappend(). At the
same time, add support for NULL sentinels, even if they are normally not
necessary.
|
| |
|
|
|
|
|
|
|
|
|
| |
In containers without CAP_SYS_ADMIN, it is not possible to mount tmpfs
(or any filesystem for that matter) on top of /run/user/$UID.
Previously, logind just failed in such a situation.
Now, logind will resort to chown+chmod of the directory instead. This
allows logind still to work in those environments, although without the
guarantees it provides (i.e. users not being able to DOS /run or other
users' /run/user/$UID space) when CAP_SYS_ADMIN is available.
|
| |
|
|
|
|
|
|
|
| |
If setup of per-user runtime dir fails, clean up afterwards by removing
the directory before returning from the function, so we don't leave the
directory behind.
If this is not done, the second time the user logs in logind would
assume that the directory is already set up, even though it isn't.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
If the format string contains %m, clearly errno must have a meaningful
value, so we might as well use log_*_errno to have ERRNO= logged.
Using:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'
Plus some whitespace, linewrap, and indent adjustments.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Using:
find . -name '*.[ch]' | while read f; do perl -i.mmm -e \
'local $/;
local $_=<>;
s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg;
print;'
$f
done
And a couple of manual whitespace fixups.
|
| |
|
|
| |
It corrrectly handles both positive and negative errno values.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
As a followup to 086891e5c1 "log: add an "error" parameter to all
low-level logging calls and intrdouce log_error_errno() as log calls
that take error numbers", use sed to convert the simple cases to use
the new macros:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/'
Multi-line log_*() invocations are not covered.
And we also should add log_unit_*_errno().
|
| |
|
|
| |
new mac_{smack,selinux,apparmor}_xyz() convention
|
| | |
|
| |
|
|
| |
On request of Stef Walter.
|
| |
|
|
|
|
|
|
| |
When we dropped support for creating a per-user to the "main" X11
display we stopped returning useful data in the "Display" user property.
With this change this is fixed and we again expose an appropriate
(graphical session) in the property that is useful as the "main" one, if
one is needed.
|
| |
|
|
| |
No functional change expected :)
|
| |
|
|
| |
them fully log out
|
| |
|
|
|
|
|
| |
This way each user allocates from his own pool, with its own size limit.
This puts the size limit by default to 10% of the physical RAM size but
makes it configurable in logind.conf.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently if the user logs out, the GC may never call user_stop(),
this will not terminate the systemd user and (sd-pam) of that user.
To fix this, remove the USER_CLOSING state check that is blocking the
GC from calling user_stop(). Since if user_check_gc() returns false
this means that all the sessions of the user were removed which will
make user_get_state() return USER_CLOSING.
Conclusion: that test will never be statisfied.
So we remove the USER_CLOSING check and replace it with a check inside
user_stop() this way we know that user_stop() has already queued stop
jobs, no need to redo.
This ensures that the GC will get its two steps correctly as pointed out
by Lennart:
http://lists.freedesktop.org/archives/systemd-devel/2014-February/016825.html
Note: this also fixes another bug that prevents creating the user
private dbus socket which will break communications with the user
manager.
|
| |
|
|
|
| |
KillUserProcesses=yes/no should be ignored when termination is
explicitly requested.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In function user_get_state() remove the session_is_active() check, just
count on the session_get_state() function to get the correct session
state.
session_is_active() may return true before starting the session scope
and user service, this means it will return true even before the creation
of the session fifo_fd which will produce incorrect states.
So be consistent and just use session_get_state().
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Simplify the shutdown logic a bit:
- Keep the session FIFO around in the PAM module, even after the session
shutdown hook has been finished. This allows logind to track precisely
when the PAM handler goes away.
- In the ReleaseSession() call start a timer, that will stop terminate
the session when elapsed.
- Never fiddle with the KillMode of scopes to configure whether user
processes should be killed or not. Instead, simply leave the scope
units around when we terminate a session whose processes should not be
killed.
- When killing is enabled, stop the session scope on FIFO EOF or after
the ReleaseSession() timeout. When killing is disabled, simply tell
PID 1 to abandon the scope.
Because the scopes stay around and hence all processes are always member
of a scope, the system shutdown logic should be more robust, as the
scopes can be shutdown as part of the usual shutdown logic.
|
| |
|
|
|
|
|
|
| |
Use PID_FMT/USEC_FMT/... in more places.
Also update logind error messages to print the full path to a file that
failed. This should make debugging easier for people who do not know
off the top of their head where logind stores it state.
|
| |
|
|
| |
Noticed-by: Jan Alexander Steffens <jan.steffens@gmail.com>
|
| |
|
|
|
|
| |
With the current logic, a user will never be garbage-collected, since its
manager will always be around. Change the logic such that a user is
garbage-collected when it has no sessions and linger is disabled.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
each invocation
We can determine the list entry type via the typeof() gcc construct, and
so we should to make the macros much shorter to use.
|
| | |
|
| |
|
|
| |
correctly
|
