Dave Reisner [Tue, 18 Feb 2014 19:44:14 +0000 (14:44 -0500)]
nspawn: allow 32-bit chroots from 64-bit hosts
Arch Linux uses nspawn as a container for building packages and needs
to be able to start a 32bit chroot from a 64bit host. 24fb11120756
disrupted this feature when seccomp handling was added.
SECCOMP_CFLAGS must be in the global CFLAGS as <seccomp.h> is
included in core/execute.h. when seccomp.h is not in the standard
path.(i.e openSUSE has it in /usr/include/pkg/libseccomp/, precisely to
catch this kind of bugs) compiling systemd fails.
Patrik Flykt [Tue, 18 Feb 2014 14:07:40 +0000 (16:07 +0200)]
libsystemd-dhcp: Add a full DHCP address acquisition test case
Upon startup the DHCP library will immediately send a DHCP Discover.
Handle the additional DHCP Discover checking and DHCP Offer sending
in test_addr_acq_recv_discover(). Write a zero UDP checksum, the
received XID and the faked MAC address into place to create a DHCP
message the library can accept.
Follow exactly the same steps when receiving a DHCP Request in
test_addr_acq_recv_request() and send the Ack. Check that the proper
addresses have been found by the DHCP library before exiting the
main loop and finishing the test.
Jan Engelhardt [Mon, 17 Feb 2014 14:31:28 +0000 (15:31 +0100)]
doc: reword "shared per-thread" wording
Either it is shared across threads, or it is per-thread: decide.
Reading the source code, I see a thread_local identifier, so that's
that. But that does not yet preclude that a program may pass around
the pointer returned from the function among its own threads.
Jan Engelhardt [Mon, 17 Feb 2014 02:37:18 +0000 (03:37 +0100)]
doc: resolve missing/extraneous words or inappropriate forms
Issues fixed:
* missing words required by grammar
* duplicated or extraneous words
* inappropriate forms (e.g. singular/plural), and declinations
* orthographic misspellings
If we put a closing bracket on its own line, gperf will complain about
empty lines. Only occurs if the option in question is disabled. So fix the
m4 macros to work properly in both cases.
Previously a cgroup setting down tree would result in cgroup membership
additions being propagated up the tree and to the siblings, however a
unit could never lose cgroup memberships again. With this change we'll
make sure that both cgroup additions and removals propagate properly.
If PID 1 debug logging is enabled, it is nice to keep those settings
when switching to systemd-shutdown binary, independently of whether
this was done through /proc/cmdline options, or through runtime
manipulations.
Extract looping over /proc/cmdline into a shared function
In cryptsetup-generator automatic cleanup had to be replaced
with manual cleanup, and the code gets a bit longer. But existing
code had the issue that it returned negative values from main(),
which was wrong, so should be reworked anyway.
Djalal Harouni [Thu, 13 Feb 2014 22:03:23 +0000 (23:03 +0100)]
logind: close race on session state during logins
At login there is a small race window where session_get_state() will
return SESSION_ACTIVE instead of SESSION_OPENING. This must be fixed
since during that time there are calls to session_save() to save
session states and we want to write the correct state.
When we queue the start scope and service jobs, we wait for both of them
to finish before calling and continue processing in:
"session_jobs_reply() => session_send_create_reply()"
to create the session fifo and notify clients.
However, in the match_job_removed() D-Bus signal, we may hit situations
where the scope job has successfully finished and we are still waiting
for the user service job to finish. During that time the
"session->scope_job" will be freed and set to NULL, this makes
session_get_state() return SESSION_ACTIVE before it is really active, it
should return SESSION_OPENING since we are still waiting for the service
job to finish in order to create the session fifo.
To fix this, we also check if the session fifo fd was created, if so then
the session has entered the SESSION_ACTIVE state, if not then it is still
in the SESSION_OPENING state and it is waiting for the scope and service
jobs to finish.
Tom Gundersen [Sun, 16 Feb 2014 20:12:47 +0000 (21:12 +0100)]
nspawn: add new --network-bridge= switch
This adds the host side of the veth link to the given bridge.
Also refactor the creation of the veth interfaces a bit to set it up
from the host rather than the container. This simplifies the addition
to the bridge, but otherwise the behavior is unchanged.
Actually 'STDOUT' is something that doesn't appear anywhere: in the
stdlib we have 'stdin', and there's only the constant STDOUT_FILENO,
so there's no reason to use capitals. When refering to code,
STDOUT/STDOUT/STDERR are replaced with stdin/stdout/stderr, and in
other places they are replaced with normal phrases like standard
output, etc.
Jason St. John [Fri, 14 Feb 2014 01:25:23 +0000 (20:25 -0500)]
man: fix grammatical errors and other formatting issues
* standardize capitalization of STDIN, STDOUT, and STDERR
* reword some sentences for clarity
* reflow some very long lines to be shorter than ~80 characters
* add some missing <literal>, <constant>, <varname>, <option>, and <filename> tags
Yuxuan Shui [Fri, 14 Feb 2014 18:38:50 +0000 (02:38 +0800)]
core: fix detection of dead processes
Commit 5ba6985b moves the UNIT_VTABLE(u)->sigchld_event before systemd
actually reaps the zombie. Which leads to service_load_pid_file accepting
zombie as a valid pid.
This fixes timeouts like:
[ 2746.602243] systemd[1]: chronyd.service stop-sigterm timed out. Killing.
[ 2836.852545] systemd[1]: chronyd.service still around after SIGKILL. Ignoring.
[ 2927.102187] systemd[1]: chronyd.service stop-final-sigterm timed out. Killing.
[ 3017.352560] systemd[1]: chronyd.service still around after final SIGKILL. Entering failed mode.
That is, without --enable-kdbus and kdbus running.
With --enable-kdbus things are more complicated, because dbus might be
necessary, if kdbus is missing at runtime. If it is not necessary,
the socket will be started, which is not imporant, but not the service.
Dave Reisner [Fri, 14 Feb 2014 00:40:04 +0000 (01:40 +0100)]
man: systemd.service(5): clarify behavior of SuccessExitStatus
The behavior of this is a little cryptic in that $MAINPID must exit as
a direct result of receiving a signal in order for a listed signal to
be considered a success condition.
Michael Marineau [Fri, 31 Jan 2014 23:35:04 +0000 (15:35 -0800)]
shared: include root when canonicalizing conf paths
The conf_files_list family accepts an alternate root path to prefix all
directories in the list but path_strv_canonicalize_uniq doesn't use it.
This results in the suspicious behavior of resolving directory symlinks
based on the contents of / instead of the alternate root.
This adds a prefix argument to path_strv_canonicalize which will now
prepend the prefix, if given, to every path in the list. To avoid
answering what a relative path means when called with a root prefix
path_strv_canonicalize is now path_strv_canonicalize_absolute and only
considers absolute paths. Fortunately all users of already call
path_strv_canonicalize with a list of absolute paths.
Djalal Harouni [Thu, 13 Feb 2014 17:31:43 +0000 (18:31 +0100)]
logind: make sure to terminate systemd user on logouts
Currently if the user logs out, the GC may never call user_stop(),
this will not terminate the systemd user and (sd-pam) of that user.
To fix this, remove the USER_CLOSING state check that is blocking the
GC from calling user_stop(). Since if user_check_gc() returns false
this means that all the sessions of the user were removed which will
make user_get_state() return USER_CLOSING.
Conclusion: that test will never be statisfied.
So we remove the USER_CLOSING check and replace it with a check inside
user_stop() this way we know that user_stop() has already queued stop
jobs, no need to redo.
This ensures that the GC will get its two steps correctly as pointed out
by Lennart:
http://lists.freedesktop.org/archives/systemd-devel/2014-February/016825.html
Note: this also fixes another bug that prevents creating the user
private dbus socket which will break communications with the user
manager.
nspawn: make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOTSUPPORT in containers
The kernel still doesn't support audit in containers, so let's make use
of seccomp and simply turn it off entirely. We can get rid of this big
as soon as the kernel is fixed again.