Merge pull request #15795 from gdamjan/master

author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Wed, 13 May 2020 06:32:57 +0000 (08:32 +0200)

committer GitHub <noreply@github.com>

Wed, 13 May 2020 06:32:57 +0000 (08:32 +0200)
author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 13 May 2020 06:32:57 +0000 (08:32 +0200)
committer GitHub <noreply@github.com>
Wed, 13 May 2020 06:32:57 +0000 (08:32 +0200)
diff --git a/.mkosi/mkosi.fedora b/.mkosi/mkosi.fedora

index 8afaa3ce55398940becde53aabe62c9c8d071c2f..a26b36a163e7722dc8a47b17fe3e48743ae5a4e2 100644 (file)
--- a/.mkosi/mkosi.fedora
+++ b/.mkosi/mkosi.fedora
@@ -66,14 +66,10 @@ BuildPackages=
          zstd
  
  Packages=
-        coreutils
-        cryptsetup-libs
-        kmod-libs
-        e2fsprogs
-        libidn2
-        libseccomp
+        # libzstd can be dropped once the Fedora RPM gets a dependency on it
+        libzstd
+        # procps-ng provides a set of useful utilies (ps, free, etc)
          procps-ng
-        util-linux
  
  BuildDirectory=mkosi.builddir
  Cache=mkosi.cache
diff --git a/TODO b/TODO

index f2309228c88a80dd32a45a035bd1a83f0fc766b0..ed2a93e8db4b8abf9464deb198ab00c304667414 100644 (file)
--- a/TODO
+++ b/TODO
@@ -31,6 +31,13 @@ Features:
  
  * pid1: support new clone3() fork-into-cgroup feature
  
+* pid1: also remove PID files of a service when the service starts, not just
+  when it exits
+
+* make "systemd-dissect" an official supported tool, i.e. move to /usr/bin/ and
+  provide man page. Given that we now have a tool that can generate images like
+  this, it's useful to have one that can dump contents of them, too.
+
  * All tools that support --root= should also learn --image= so that they can
    operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles,
    sysusers, systemctl, repart, journalctl, coredumpctl.
diff --git a/src/core/core-varlink.c b/src/core/core-varlink.c

index 8a2984a2d4c936c645898cad96bca285825294c5..eca27f4d7d116c59cc8f9a87218c0fec9044b69a 100644 (file)
--- a/src/core/core-varlink.c
+++ b/src/core/core-varlink.c
@@ -289,11 +289,13 @@ int manager_varlink_init(Manager *m) {
          if (r < 0)
                  return log_error_errno(r, "Failed to register varlink methods: %m");
  
-        (void) mkdir_p("/run/systemd/userdb", 0755);
+        if (!MANAGER_IS_TEST_RUN(m)) {
+                (void) mkdir_p("/run/systemd/userdb", 0755);
  
-        r = varlink_server_listen_address(s, "/run/systemd/userdb/io.systemd.DynamicUser", 0666);
-        if (r < 0)
-                return log_error_errno(r, "Failed to bind to varlink socket: %m");
+                r = varlink_server_listen_address(s, "/run/systemd/userdb/io.systemd.DynamicUser", 0666);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to bind to varlink socket: %m");
+        }
  
          r = varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
          if (r < 0)
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c

index ffe3d4cc64127419d14ca53b36b6843a825d9e1e..dd44d5eb9203d2e4d727c592b3d27d7f66c86c77 100644 (file)
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -23,6 +23,7 @@
  #include "macro.h"
  #include "mkdir.h"
  #include "mount-setup.h"
+#include "mount-util.h"
  #include "mountpoint-util.h"
  #include "nulstr-util.h"
  #include "path-util.h"
@@ -60,51 +61,51 @@ typedef struct MountPoint {
  #endif
  
  static const MountPoint mount_table[] = {
-        { "sysfs",       "/sys",                      "sysfs",      NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "sysfs",       "/sys",                      "sysfs",      NULL,                                           MS_NOSUID|MS_NOEXEC|MS_NODEV,
            NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "proc",        "/proc",                     "proc",       NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "proc",        "/proc",                     "proc",       NULL,                                           MS_NOSUID|MS_NOEXEC|MS_NODEV,
            NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "devtmpfs",    "/dev",                      "devtmpfs",   "mode=755",                MS_NOSUID|MS_NOEXEC|MS_STRICTATIME,
+        { "devtmpfs",    "/dev",                      "devtmpfs",   "mode=755" TMPFS_LIMITS_DEV,                    MS_NOSUID|MS_NOEXEC|MS_STRICTATIME,
            NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "securityfs",  "/sys/kernel/security",      "securityfs", NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "securityfs",  "/sys/kernel/security",      "securityfs", NULL,                                           MS_NOSUID|MS_NOEXEC|MS_NODEV,
            NULL,          MNT_NONE                   },
  #if ENABLE_SMACK
-        { "smackfs",     "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*",            MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "smackfs",     "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*",                                 MS_NOSUID|MS_NOEXEC|MS_NODEV,
            mac_smack_use, MNT_FATAL                  },
-        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*" TMPFS_LIMITS_DEV_SHM, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
            mac_smack_use, MNT_FATAL                  },
  #endif
-        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777",               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777" TMPFS_LIMITS_DEV_SHM,               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
            NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "devpts",      "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
+        { "devpts",      "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID),             MS_NOSUID|MS_NOEXEC,
            NULL,          MNT_IN_CONTAINER           },
  #if ENABLE_SMACK
-        { "tmpfs",       "/run",                      "tmpfs",      "mode=755,smackfsroot=*",  MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+        { "tmpfs",       "/run",                      "tmpfs",      "mode=755,smackfsroot=*" TMPFS_LIMITS_RUN,      MS_NOSUID|MS_NODEV|MS_STRICTATIME,
            mac_smack_use, MNT_FATAL                  },
  #endif
-        { "tmpfs",       "/run",                      "tmpfs",      "mode=755",                MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+        { "tmpfs",       "/run",                      "tmpfs",      "mode=755" TMPFS_LIMITS_RUN,                    MS_NOSUID|MS_NODEV|MS_STRICTATIME,
            NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "cgroup2",     "/sys/fs/cgroup",            "cgroup2",    "nsdelegate",              MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "cgroup2",     "/sys/fs/cgroup",            "cgroup2",    "nsdelegate",                                   MS_NOSUID|MS_NOEXEC|MS_NODEV,
            cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
-        { "cgroup2",     "/sys/fs/cgroup",            "cgroup2",    NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "cgroup2",     "/sys/fs/cgroup",            "cgroup2",    NULL,                                           MS_NOSUID|MS_NOEXEC|MS_NODEV,
            cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
-        { "tmpfs",       "/sys/fs/cgroup",            "tmpfs",      "mode=755",                MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
+        { "tmpfs",       "/sys/fs/cgroup",            "tmpfs",      "mode=755" TMPFS_LIMITS_SYS_FS_CGROUP,          MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
            cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
-        { "cgroup2",     "/sys/fs/cgroup/unified",    "cgroup2",    "nsdelegate",              MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "cgroup2",     "/sys/fs/cgroup/unified",    "cgroup2",    "nsdelegate",                                   MS_NOSUID|MS_NOEXEC|MS_NODEV,
            cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
-        { "cgroup2",     "/sys/fs/cgroup/unified",    "cgroup2",    NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "cgroup2",     "/sys/fs/cgroup/unified",    "cgroup2",    NULL,                                           MS_NOSUID|MS_NOEXEC|MS_NODEV,
            cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
-        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd,xattr",                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
            cg_is_legacy_wanted, MNT_IN_CONTAINER     },
-        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd",       MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd",                            MS_NOSUID|MS_NOEXEC|MS_NODEV,
            cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
-        { "pstore",      "/sys/fs/pstore",            "pstore",     NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "pstore",      "/sys/fs/pstore",            "pstore",     NULL,                                           MS_NOSUID|MS_NOEXEC|MS_NODEV,
            NULL,          MNT_NONE                   },
  #if ENABLE_EFI
-        { "efivarfs",    "/sys/firmware/efi/efivars", "efivarfs",   NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "efivarfs",    "/sys/firmware/efi/efivars", "efivarfs",   NULL,                                           MS_NOSUID|MS_NOEXEC|MS_NODEV,
            is_efi_boot,   MNT_NONE                   },
  #endif
-        { "bpf",         "/sys/fs/bpf",               "bpf",        "mode=700",                MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "bpf",         "/sys/fs/bpf",               "bpf",        "mode=700",                                     MS_NOSUID|MS_NOEXEC|MS_NODEV,
            NULL,          MNT_NONE,                  },
  };
  
@@ -352,7 +353,7 @@ int mount_cgroup_controllers(void) {
          }
  
          /* Now that we mounted everything, let's make the tmpfs the cgroup file systems are mounted into read-only. */
-        (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
+        (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755" TMPFS_LIMITS_SYS_FS_CGROUP);
  
          return 0;
  }
diff --git a/src/core/namespace.c b/src/core/namespace.c

index 36bc95a2df6f13b5af9c0e9f5ae69b6863bc5a3a..34eb469fb825990d84a2c704fd451cea13dc4e02 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -130,9 +130,9 @@ static const MountEntry protect_home_read_only_table[] = {
  
  /* ProtectHome=tmpfs table */
  static const MountEntry protect_home_tmpfs_table[] = {
-        { "/home",               TMPFS,        true, .read_only = true, .options_const = "mode=0755", .flags = MS_NODEV|MS_STRICTATIME },
-        { "/run/user",           TMPFS,        true, .read_only = true, .options_const = "mode=0755", .flags = MS_NODEV|MS_STRICTATIME },
-        { "/root",               TMPFS,        true, .read_only = true, .options_const = "mode=0700", .flags = MS_NODEV|MS_STRICTATIME },
+        { "/home",               TMPFS,        true, .read_only = true, .options_const = "mode=0755" TMPFS_LIMITS_EMPTY_OR_ALMOST, .flags = MS_NODEV|MS_STRICTATIME },
+        { "/run/user",           TMPFS,        true, .read_only = true, .options_const = "mode=0755" TMPFS_LIMITS_EMPTY_OR_ALMOST, .flags = MS_NODEV|MS_STRICTATIME },
+        { "/root",               TMPFS,        true, .read_only = true, .options_const = "mode=0700" TMPFS_LIMITS_EMPTY_OR_ALMOST, .flags = MS_NODEV|MS_STRICTATIME },
  };
  
  /* ProtectHome=yes table */
@@ -295,7 +295,7 @@ static int append_empty_dir_mounts(MountEntry **p, char **strv) {
                          .mode = EMPTY_DIR,
                          .ignore = false,
                          .read_only = true,
-                        .options_const = "mode=755",
+                        .options_const = "mode=755" TMPFS_LIMITS_EMPTY_OR_ALMOST,
                          .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
                  };
          }
@@ -341,7 +341,7 @@ static int append_tmpfs_mounts(MountEntry **p, const TemporaryFileSystem *tmpfs,
                                                 "Path is not absolute: %s",
                                                 t->path);
  
-                str = strjoin("mode=0755,", t->options);
+                str = strjoin("mode=0755" TMPFS_LIMITS_TEMPORARY_FS ",", t->options);
                  if (!str)
                          return -ENOMEM;
  
@@ -686,7 +686,7 @@ static int mount_private_dev(MountEntry *m) {
  
          dev = strjoina(temporary_mount, "/dev");
          (void) mkdir(dev, 0755);
-        if (mount("tmpfs", dev, "tmpfs", DEV_MOUNT_OPTIONS, "mode=755") < 0) {
+        if (mount("tmpfs", dev, "tmpfs", DEV_MOUNT_OPTIONS, "mode=755" TMPFS_LIMITS_DEV) < 0) {
                  r = log_debug_errno(errno, "Failed to mount tmpfs on '%s': %m", dev);
                  goto fail;
          }
diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c

index 08c7b76dbaeb9378772f4b02289398aa8b22bc9e..bef2f27d3a53dcb503d86ebcc972b80707d49b4b 100644 (file)
--- a/src/fstab-generator/fstab-generator.c
+++ b/src/fstab-generator/fstab-generator.c
@@ -809,7 +809,7 @@ static int add_volatile_var(void) {
                           "/var",
                           NULL,
                           "tmpfs",
-                         "mode=0755",
+                         "mode=0755" TMPFS_LIMITS_VAR,
                           0,
                           0,
                           SPECIAL_LOCAL_FS_TARGET,
diff --git a/src/nspawn/nspawn-cgroup.c b/src/nspawn/nspawn-cgroup.c

index dcee851e934aa443949e3b37048e0c93fec98e99..a16ee5c60a23491ace496cd79b53310c7fbd118f 100644 (file)
--- a/src/nspawn/nspawn-cgroup.c
+++ b/src/nspawn/nspawn-cgroup.c
@@ -319,7 +319,7 @@ static int mount_legacy_cgns_supported(
                   * uid/gid as seen from e.g. /proc/1/mountinfo. So we simply
                   * pass uid 0 and not uid_shift to tmpfs_patch_options().
                   */
-                r = tmpfs_patch_options("mode=755", 0, selinux_apifs_context, &options);
+                r = tmpfs_patch_options("mode=755" TMPFS_LIMITS_SYS_FS_CGROUP, 0, selinux_apifs_context, &options);
                  if (r < 0)
                          return log_oom();
  
@@ -421,7 +421,7 @@ static int mount_legacy_cgns_unsupported(
          if (r == 0) {
                  _cleanup_free_ char *options = NULL;
  
-                r = tmpfs_patch_options("mode=755", uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &options);
+                r = tmpfs_patch_options("mode=755" TMPFS_LIMITS_SYS_FS_CGROUP, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &options);
                  if (r < 0)
                          return log_oom();
  
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c

index 59bd73d2eabb505114f6744dfc6ec3cd7310f031..33cc19a4251510f9db59d81a012221fb7cc27b67 100644 (file)
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -602,25 +602,25 @@ int mount_all(const char *dest,
                    MOUNT_IN_USERNS|MOUNT_MKDIR },
  
                  /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
-                { "tmpfs",           "/tmp",            "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+                { "tmpfs",           "/tmp",            "tmpfs", "mode=1777" TMPFS_LIMITS_TMP,     MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                    MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR },
-                { "tmpfs",           "/sys",            "tmpfs", "mode=555",  MS_NOSUID|MS_NOEXEC|MS_NODEV,
+                { "tmpfs",           "/sys",            "tmpfs", "mode=555" TMPFS_LIMITS_SYS,      MS_NOSUID|MS_NOEXEC|MS_NODEV,
                    MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS|MOUNT_MKDIR },
-                { "sysfs",           "/sys",            "sysfs", NULL,        MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
+                { "sysfs",           "/sys",            "sysfs", NULL,                             MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
                    MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO|MOUNT_MKDIR },    /* skipped if above was mounted */
-                { "sysfs",           "/sys",            "sysfs", NULL,        MS_NOSUID|MS_NOEXEC|MS_NODEV,
+                { "sysfs",           "/sys",            "sysfs", NULL,                             MS_NOSUID|MS_NOEXEC|MS_NODEV,
                    MOUNT_FATAL|MOUNT_MKDIR },                          /* skipped if above was mounted */
-                { "tmpfs",           "/dev",            "tmpfs", "mode=755",  MS_NOSUID|MS_STRICTATIME,
+                { "tmpfs",           "/dev",            "tmpfs", "mode=755" TMPFS_LIMITS_DEV,      MS_NOSUID|MS_STRICTATIME,
                    MOUNT_FATAL|MOUNT_MKDIR },
-                { "tmpfs",           "/dev/shm",        "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+                { "tmpfs",           "/dev/shm",        "tmpfs", "mode=1777" TMPFS_LIMITS_DEV_SHM, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                    MOUNT_FATAL|MOUNT_MKDIR },
-                { "tmpfs",           "/run",            "tmpfs", "mode=755",  MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+                { "tmpfs",           "/run",            "tmpfs", "mode=755" TMPFS_LIMITS_RUN,      MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                    MOUNT_FATAL|MOUNT_MKDIR },
  
  #if HAVE_SELINUX
-                { "/sys/fs/selinux", "/sys/fs/selinux", NULL,    NULL,        MS_BIND,
+                { "/sys/fs/selinux", "/sys/fs/selinux", NULL,    NULL,                             MS_BIND,
                    0 },  /* Bind mount first */
-                { NULL,              "/sys/fs/selinux", NULL,    NULL,        MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+                { NULL,              "/sys/fs/selinux", NULL,    NULL,                             MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
                    0 },  /* Then, make it r/o */
  #endif
          };
@@ -1023,7 +1023,7 @@ static int setup_volatile_state(const char *directory, uid_t uid_shift, const ch
          if (r < 0 && errno != EEXIST)
                  return log_error_errno(errno, "Failed to create %s: %m", directory);
  
-        options = "mode=755";
+        options = "mode=755" TMPFS_LIMITS_VOLATILE_STATE;
          r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
          if (r < 0)
                  return log_oom();
@@ -1068,7 +1068,7 @@ static int setup_volatile_yes(const char *directory, uid_t uid_shift, const char
          if (!mkdtemp(template))
                  return log_error_errno(errno, "Failed to create temporary directory: %m");
  
-        options = "mode=755";
+        options = "mode=755" TMPFS_LIMITS_ROOTFS;
          r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
          if (r < 0)
                  goto fail;
@@ -1135,7 +1135,7 @@ static int setup_volatile_overlay(const char *directory, uid_t uid_shift, const
          if (!mkdtemp(template))
                  return log_error_errno(errno, "Failed to create temporary directory: %m");
  
-        options = "mode=755";
+        options = "mode=755" TMPFS_LIMITS_ROOTFS;
          r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
          if (r < 0)
                  goto finish;
diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h

index 06fddacf16d03b60350abcc1cfefa1aa3528d658..024787912bcb3fce3609fe74622977e95e89b80b 100644 (file)
--- a/src/shared/mount-util.h
+++ b/src/shared/mount-util.h
@@ -6,6 +6,23 @@
  
  #include "macro.h"
  
+/* 4MB for contents of regular files, 64k inodes for directories, symbolic links and device specials,
+   using large storage array systems as a baseline */
+#define TMPFS_LIMITS_DEV             ",size=4m,nr_inodes=64k"
+/* Very little, if any use expected */
+#define TMPFS_LIMITS_EMPTY_OR_ALMOST ",size=4m,nr_inodes=1k"
+#define TMPFS_LIMITS_SYS             TMPFS_LIMITS_EMPTY_OR_ALMOST
+#define TMPFS_LIMITS_SYS_FS_CGROUP   TMPFS_LIMITS_EMPTY_OR_ALMOST
+/* 10% of RAM (using 16GB of RAM as a baseline) translates to 400k inodes (assuming 4k each) and 25%
+   translates to 1M inodes */
+#define TMPFS_LIMITS_TMP             ",size=10%,nr_inodes=400k"
+#define TMPFS_LIMITS_DEV_SHM         TMPFS_LIMITS_TMP
+#define TMPFS_LIMITS_RUN             TMPFS_LIMITS_TMP
+#define TMPFS_LIMITS_TEMPORARY_FS    TMPFS_LIMITS_TMP
+#define TMPFS_LIMITS_VAR             ",size=25%,nr_inodes=1m"
+#define TMPFS_LIMITS_ROOTFS          TMPFS_LIMITS_VAR
+#define TMPFS_LIMITS_VOLATILE_STATE  TMPFS_LIMITS_VAR
+
  int repeat_unmount(const char *path, int flags);
  int umount_recursive(const char *target, int flags);
  int bind_remount_recursive(const char *prefix, unsigned long new_flags, unsigned long flags_mask, char **blacklist);
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c

index f7472c94b89fce24360ea41008767d9c88e3fe70..51cd0cf9d36cac767f8b8379e4f4032dc8b7e24c 100644 (file)
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -4182,7 +4182,7 @@ static void print_status_info(
  
          ss = streq_ptr(i->active_state, i->sub_state) ? NULL : i->sub_state;
          if (ss)
-                printf("   Active: %s%s (%s)%s",
+                printf("     Active: %s%s (%s)%s",
                         active_on, strna(i->active_state), ss, active_off);
          else
                  printf("     Active: %s%s%s",
diff --git a/src/volatile-root/volatile-root.c b/src/volatile-root/volatile-root.c

index af78a87d6feff1a8b50f07f672c39a80c06c4433..e55864d6cc14665b615d734dc0a17a20986d7260 100644 (file)
--- a/src/volatile-root/volatile-root.c
+++ b/src/volatile-root/volatile-root.c
@@ -29,7 +29,7 @@ static int make_volatile(const char *path) {
          if (r < 0)
                  return log_error_errno(r, "Couldn't generate volatile sysroot directory: %m");
  
-        r = mount_verbose(LOG_ERR, "tmpfs", "/run/systemd/volatile-sysroot", "tmpfs", MS_STRICTATIME, "mode=755");
+        r = mount_verbose(LOG_ERR, "tmpfs", "/run/systemd/volatile-sysroot", "tmpfs", MS_STRICTATIME, "mode=755" TMPFS_LIMITS_ROOTFS);
          if (r < 0)
                  goto finish_rmdir;
  
@@ -80,7 +80,7 @@ static int make_overlay(const char *path) {
          if (r < 0)
                  return log_error_errno(r, "Couldn't create overlay sysroot directory: %m");
  
-        r = mount_verbose(LOG_ERR, "tmpfs", "/run/systemd/overlay-sysroot", "tmpfs", MS_STRICTATIME, "mode=755");
+        r = mount_verbose(LOG_ERR, "tmpfs", "/run/systemd/overlay-sysroot", "tmpfs", MS_STRICTATIME, "mode=755" TMPFS_LIMITS_ROOTFS);
          if (r < 0)
                  goto finish;
  
diff --git a/units/tmp.mount b/units/tmp.mount

index 27bd0f235cd621e6b51e03bdf49fb31f7e52338e..7066e522612514c1ad0dc92f71953fee1e322d50 100644 (file)
--- a/units/tmp.mount
+++ b/units/tmp.mount
@@ -22,4 +22,4 @@ After=swap.target
  What=tmpfs
  Where=/tmp
  Type=tmpfs
-Options=mode=1777,strictatime,nosuid,nodev
+Options=mode=1777,strictatime,nosuid,nodev,size=10%,nr_inodes=400k
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Wed, 13 May 2020 06:32:57 +0000 (08:32 +0200)
committer	GitHub <noreply@github.com>
	Wed, 13 May 2020 06:32:57 +0000 (08:32 +0200)
.mkosi/mkosi.fedora		patch \| blob \| blame \| history
TODO		patch \| blob \| blame \| history
src/core/core-varlink.c		patch \| blob \| blame \| history
src/core/mount-setup.c		patch \| blob \| blame \| history
src/core/namespace.c		patch \| blob \| blame \| history
src/fstab-generator/fstab-generator.c		patch \| blob \| blame \| history
src/nspawn/nspawn-cgroup.c		patch \| blob \| blame \| history
src/nspawn/nspawn-mount.c		patch \| blob \| blame \| history
src/shared/mount-util.h		patch \| blob \| blame \| history
src/systemctl/systemctl.c		patch \| blob \| blame \| history
src/volatile-root/volatile-root.c		patch \| blob \| blame \| history
units/tmp.mount		patch \| blob \| blame \| history