path: root/units
Commit message | Author | Date
* initctl: move /dev/initctl fifo into /run, replace it by symlink (Lennart Poettering, 2014-06-04)
  With this change we have no fifos/sockets remaining in /dev.

* journald: move /dev/log socket to /run (Lennart Poettering, 2014-06-04)
  This way we can make the socket also available for sandboxed apps that have their own private /dev. They can now simply symlink the socket from /dev.

* bus-proxy: drop privileges if we can (Lennart Poettering, 2014-06-04)
  Either become uid/gid of the client we have been forked for, or become the "systemd-bus-proxy" user if the client was root. We retain CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.

* remove ReadOnlySystem and ProtectedHome from udevd and logind (Kay Sievers, 2014-06-04)
  logind needs access to /run/user/, udevd fails during early boot with these settings

* core: add new ReadOnlySystem= and ProtectedHome= settings for service units (Lennart Poettering, 2014-06-03)
  ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be a good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
* resolved: run as unprivileged "systemd-resolve" user (Tom Gundersen, 2014-06-03)
  This service is not yet network facing, but let's prepare nonetheless. Currently all caps are dropped, but some may need to be kept in the future.

* networkd: drop CAP_SYS_MODULE (Tom Gundersen, 2014-06-03)
  Rely on modules being built-in or autoloaded on-demand. As networkd is a network facing service, we want to limit its capabilities as much as possible. Also, we may not have CAP_SYS_MODULE in a container, and we want networkd to work the same there. Module autoloading does not always work, but should be fixed by the kernel patch f98f89a0104454f35a: 'net: tunnels - enable module autoloading', which is currently in net-next and which people may consider backporting if they want tunneling support without compiling in the modules. Early adopters may also use a module-load.d snippet and order systemd-modules-load.service before networkd to force the module loading of tunneling modules. This should fix the various build issues people have reported.

* networkd: run as unprivileged "systemd-network" user (Lennart Poettering, 2014-06-01)
  This allows us to run networkd mostly unprivileged with the exception of CAP_NET_* and CAP_SYS_MODULE. I'd really like to get rid of the latter though...

* units: remove CAP_SYS_PTRACE capability from hostnamed/networkd (Lennart Poettering, 2014-06-01)
  The ptrace capability was only necessary to detect virtualization environments. Since we changed the logic to determine this to not require privileges, there's no need to carry the CAP_SYS_PTRACE capability anymore.

* units: use KillMode=mixed for systemd-nspawn@.service (Jonathan Liu, 2014-05-30)
  This causes the container to shut down cleanly when the service is stopped.

* timesyncd: only update stamp file when we are synchronized (Kay Sievers, 2014-05-24)
  Create initial stamp file with compiled-in time to prevent bootups with clocks in the future from storing invalid timestamps. At shutdown, only update the timestamp if we got an authoritative time to store.

* timesyncd: order after tmpfiles to get a working network monitor (Kay Sievers, 2014-05-22)

* timesyncd: save clock to disk every time we get an NTP fix, and bump clock at boot using this (Lennart Poettering, 2014-05-21)
  This is useful to make sure the system clock stays monotonic even on systems that lack an RTC. Also, while we are at it, use the systemd release time for bumping the clock, since it's slightly less bad than starting with Jan 1st, 1970. This also moves timesyncd into the early boot phase, in order to make sure this initial bump is guaranteed to have finished by the time we start real daemons which might write to the file system and thus shouldn't leave 1970's timestamps all over the place...
* resolved: add daemon to manage resolv.conf (Tom Gundersen, 2014-05-19)
  Also remove the equivalent functionality from networkd.

* timesyncd: enable watchdog support (Lennart Poettering, 2014-05-18)

* timesyncd: run timesyncd as unprivileged user "systemd-timesync" (but still with CAP_SYS_TIME) (Lennart Poettering, 2014-05-18)

* Revert "networkd: order after udev kernel socket" (Tom Gundersen, 2014-05-16)
  This reverts commit a555350d47c4b70d716a63424933b34902c98300. This did not fix the problem, just made it harder to hit.

* timesyncd: limit capabilities to CAP_SYS_TIME (Lennart Poettering, 2014-05-15)

* timesyncd: start after networkd (Tom Gundersen, 2014-05-13)
  This is needed for the network monitor to work (as it requires networkd to set up the correct directories first).

* networkd: unit - add cap to load modules (Tom Gundersen, 2014-05-12)
  Remember to drop this when the kernel gains autoloading for all netdev kinds.

* timesyncd: add unit and man page (Kay Sievers, 2014-04-29)

* networkd-wait-online: improve interoperability and enable by default (Tom Gundersen, 2014-04-24)
  To make sure we don't delay boot on systems where (some) network links are managed by someone else we don't block if something else has successfully brought up a link. We will still block until all links we are aware of that are managed by networkd have been configured, but if no such links exist, and someone else has configured a link sufficiently that it has a carrier, it may be that the link is ready so we should no longer block.

  Note that in all likelihood the link is not ready (no addresses/routes configured), so whatever network management daemon configured it should provide a similar wait-online service to block network-online.target until it is ready.

  The aim is to block as long as we know networking is not fully configured, but no longer. This will allow systemd-networkd-wait-online.service to be enabled on any system, even if we don't know whether networkd is the main/only network manager.

  Even in the case networking is fully configured by networkd, the default behavior may not be sufficient: if two links need to be configured, but the first is fully configured before the second one appears we will assume the network is up. To work around that, we allow specifying specific devices to wait for before considering the network up.

  This unit is enabled by default, just like systemd-networkd, but will only be pulled in if anyone pulls in network-online.target.
* remove bus-driverd, the interface is now handled natively by bus-proxyd (Kay Sievers, 2014-04-22)

* networkd: order after udev kernel socket (Tom Gundersen, 2014-04-19)
  Otherwise we will not be able to query whether devices are initialized on kdbus enabled systems.

* bus: provide org.freedesktop.systemd1.busname for systemd --user (Kay Sievers, 2014-03-26)

* networkd: add CapabilityBoundingSet (Tom Gundersen, 2014-03-24)

* units: networkd shouldn't have PrivateTmp= set, since it runs in early-boot (Lennart Poettering, 2014-03-24)
  /tmp is only available in later boot, and we shouldn't create private subdirs in it hence, while we are still in early boot.

* unit: turn off mount propagation for udevd (Lennart Poettering, 2014-03-20)
  Keep mounts done by udev rules private to udevd. Also, document how MountFlags= may be used for this.

* core: enable PrivateNetwork= for a number of our long running services where this is useful (Lennart Poettering, 2014-03-19)

* units: make use of PrivateTmp=yes and PrivateDevices=yes for all our long-running daemons (Lennart Poettering, 2014-03-19)

* busname: introduce Activating directive (Daniel Mack, 2014-03-19)
  Add a new config 'Activating' directive which denotes whether a busname is actually registered on the bus. It defaults to 'yes'. If set to 'no', the .busname unit only uploads policy, which will remain active as long as the unit is running.

* getty: Start getty on 3270 terminals available on Linux on System z (Hendrik Brueckner, 2014-03-13)
  Add the first 3270 terminal device that is associated with the Linux preferred console to the list of virtualization consoles. This is required to automatically start a getty if the conmode=3270 kernel parameter is specified for Linux on z/VM instances. Note that a queued upstream patch also enables the 3270 terminal device if it is associated with the Linux preferred console.

  To successfully start agetty on a 3270 terminal, a change in the agetty parameter order is required. Previously, agetty would be started like this:

    /sbin/agetty --keep-baud 3270/tty1 115200,38400,9600 TERM

  The agetty program interprets the "3270/tty1" as baud rate and fails to start with the "bad speed: 3270/tty1" error message. Fixing this in agetty is more complex than reordering the command line parameters like this:

    /sbin/agetty --keep-baud 115200,38400,9600 3270/tty1 TERM

  According to agetty sources and "agetty --help", agetty accepts the "tty", "baudrate tty", and "tty baudrate" specifications.

  P.S. The "tty: Set correct tty name in 'active' sysfs attribute" introduces a change to display the terminal device which is associated with the Linux preferred console. This change helps to let systemd handle this particular case only. Without the changes of this commit, no additional 3270 terminal device can be managed by systemd.
  https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?id=723abd87f6e536f1353c8f64f621520bc29523a3
* units: remove "AllowUser=root own", the bus owner can always own names (Kay Sievers, 2014-03-08)

* units: set 'AllowUser=root own' and 'AllowWorld=talk' own for all .busname files (Daniel Mack, 2014-03-07)

* units: Do not unescape instance name in systemd-backlight@.service (Thomas Bächler, 2014-03-07)
  The instance name is never escaped in the udev rule, but unescaped in the unit. This results in the following error message on Asus boards:

    Failed to get backlight or LED device 'backlight:eeepc/wmi': No such file or directory

* units: don't use the word 'Reboot' for Startup, but simply 'Boot' (Lennart Poettering, 2014-03-06)

* units: properly capitalize the unit description (Lennart Poettering, 2014-03-06)

* Use /var/run/dbus/system_bus_socket for the D-Bus socket (Zbigniew Jędrzejewski-Szmek, 2014-02-25)

* units/serial-getty@.service: add [Install] section (Zbigniew Jędrzejewski-Szmek, 2014-02-24)
  This makes it easier to manually enable and disable specific gettys, and also mirrors getty@.service.
  http://lists.freedesktop.org/archives/systemd-devel/2014-February/017329.html

* install: do not statically enable systemd-networkd (Jason A. Donenfeld, 2014-02-21)
  [tomegun: pruned the commit message as not to contradict the follow-up commit]

* units: systemd-logind fails hard without dbus (Zbigniew Jędrzejewski-Szmek, 2014-02-14)
  That is, without --enable-kdbus and kdbus running. With --enable-kdbus things are more complicated, because dbus might be necessary, if kdbus is missing at runtime. If it is not necessary, the socket will be started, which is not important, but not the service.
* units: make use of nspawn's --keep-unit switch in systemd-nspawn@.service (Lennart Poettering, 2014-02-11)

* core: introduce new KillMode=mixed which sends SIGTERM only to the main process, but SIGKILL to all daemon processes (Lennart Poettering, 2014-01-29)
  This should fix some race with terminating systemd --user, where the system systemd instance might race against the user systemd instance when sending SIGTERM.

* networkd: don't hard depend on system bus (Tom Gundersen, 2014-01-18)
  We may not have a dbus daemon in the initrd (until we can rely on kdbus). In this case, simply ignore any attempts at using the bus. There is only one user for now, but surely more to come. In order to work reliably in the real root without kdbus, but at the same time don't delay boot when kdbus is in use, order ourselves after dbus.service.

* units: drop [Install] section from multi-user.target and graphical.target (Lennart Poettering, 2014-01-17)
  They were supposed to make it easy to make the default.target a symlink to these targets, but this was never advertised and we have a better command for this now in "systemctl set-default". Since the install section makes the output of "systemctl list-unit-files" confusing (since it makes the units appear as "disabled"), let's drop the sections.

* sd-dhcp-client/networkd: add transient hostname support (Tom Gundersen, 2014-01-16)

* Improve messages about user mode a bit (Zbigniew Jędrzejewski-Szmek, 2014-01-08)

* pam_systemd: export DBUS_SESSION_BUS_ADDRESS (Kay Sievers, 2014-01-08)

* bus-driverd: support user mode (Kay Sievers, 2014-01-08)

* bus-proxyd: support --user bus address (Kay Sievers, 2014-01-08)