In logind we generally want to stop user@.service for a user once they
log out. So the usual rule is that whenever a User object is around that
has no pinning sessions we should close it.
Except that it isn't that easy. We allow that user@.service is also
manually started, in which case the User object is created but not
pinned by any session.
Let's rework how this is handled: we define two different GC modes. In
one GC mode we'll keep the User object around whenever *any* session
exists (thus: including the user@.service session), and one where we
only keep it around whenever a *pinning* session exists (i.e. when a
user actually logs in, but the user@.service session doesn't count like
that).
And the trick is now that we start out in the *any* GC mode, and switch
to the *pinning* GC mode once the first user session logs in.
This should make things more robust as we know exactly in which state we
are and when to GC a user.
logind: rework logic to decide whether lock + idle + display applies to a session
Let's streamline the logic that decides whether the screen lock, idle
timeout or display election mechanism applies to a session class. Let's
add explicitly SESSION_CLASS_IS_XYZ() macros for each, and then reuse
them at all suitable places, and refuse any attempts to use the
functionality on the wrong classes with a friendly error message.
This is the same as the "background" class, but does *not* pull in a
service manager. It might be useful for things like select cron jobs
that do not intend to call per-user IPC calls.
logind: track user service managers as 'manager' session class
Previously, all user code was part of a session except for the code run
as part of user@.service, which wasn't. This tries to make this more
uniform: we'll track the user@.service runtime also as a session, but of
the special type "manager".
This means we have a really good overview finally of all user code that
is running and can make decisions on what to start when and how long to
keep it around. The pam_systemd client side will now be reasonably
uniform: it just calls the CreateSession() bus call with the right
class, and we'll return any data it needs. This means the weird
"side-channel" we previously used to initialize XDG_RUNTIME_DIR for the
user@.service goes away (see next commit).
This conditionalizes various behaviours now cleanly depending on the
session class:
1. SESSION_CLASS_WANTS_SCOPE() will be true for all classes except for
the manager class. It declares whether the client shall be migrated
into their own scope, which we generally want for sessions but not
for the manager, since it already has its own service unit.
2. SESSION_CLASS_WANTS_SERVICE_MANAGER() will be true for all classes
except for the manager class. It declares whether we shall start the
service manager if a session of this class is around. Of course, this
is off for the service manager, since this would always pin itself.
3. SESSION_CLASS_PIN_USER() will be true for all classes except for the
manager class. It declares whether we shall keep the User
structure around for a user as long as the session is around.
Now you might wonder why have these as three functions, even though they
mostly give the same answers?
That's because this all is preparation to add further session classes
later that will return different answers for the three calls. (For
example, a later patch adds "background-light" which will return true
for SESSION_CLASS_WANTS_SCOPE() and SESSION_CLASS_PIN_USER(), but false
for SESSION_CLASS_WANTS_SERVICE_MANAGER(), i.e. it will get a scope, and
pin user tracking, but not start a service manager.)
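As an added example (not logind's own code), the following models the two user GC modes from the first commit message above together with the three per-class predicates from the "manager" session class commit. The class list, the User structure and the helper names are assumptions of this example; the answers the predicates give for "manager" and "background-light" follow the text.

```c
/* Added example, not systemd's code: models the session-class predicates
 * and the two user GC modes described in the logind commit messages. */
#include <stdbool.h>
#include <stddef.h>

typedef enum SessionClass {
        SESSION_USER,               /* a regular interactive login */
        SESSION_BACKGROUND,         /* e.g. a cron job that wants per-user IPC */
        SESSION_BACKGROUND_LIGHT,   /* added by a later patch, per the text */
        SESSION_MANAGER,            /* user@.service itself */
        SESSION_CLASS_MAX,
} SessionClass;

/* The manager already has its own service unit, so it is the only class
 * that is not migrated into a scope. */
#define SESSION_CLASS_WANTS_SCOPE(c) ((c) != SESSION_MANAGER)
/* The manager must never pin itself; background-light deliberately does
 * not pull in user@.service either. */
#define SESSION_CLASS_WANTS_SERVICE_MANAGER(c) \
        ((c) != SESSION_MANAGER && (c) != SESSION_BACKGROUND_LIGHT)
/* Every class except the manager keeps the User object alive. */
#define SESSION_CLASS_PIN_USER(c) ((c) != SESSION_MANAGER)

typedef enum UserGCMode {
        USER_GC_BY_ANY,   /* keep User while any session exists, manager included */
        USER_GC_BY_PIN,   /* keep User only while a pinning session exists */
} UserGCMode;

typedef struct User {
        UserGCMode gc_mode;
        size_t n_sessions;          /* all sessions, manager included */
        size_t n_pinning_sessions;  /* sessions whose class pins the user */
} User;

/* A freshly created User (e.g. from a manual start of user@.service)
 * starts out in the "any" GC mode. */
void user_init(User *u) {
        u->gc_mode = USER_GC_BY_ANY;
        u->n_sessions = 0;
        u->n_pinning_sessions = 0;
}

/* The first pinning session flips the user into the stricter "pin" GC
 * mode; the mode never flips back. */
void user_add_session(User *u, SessionClass c) {
        u->n_sessions++;
        if (SESSION_CLASS_PIN_USER(c)) {
                u->n_pinning_sessions++;
                u->gc_mode = USER_GC_BY_PIN;
        }
}

void user_remove_session(User *u, SessionClass c) {
        if (u->n_sessions > 0)
                u->n_sessions--;
        if (SESSION_CLASS_PIN_USER(c) && u->n_pinning_sessions > 0)
                u->n_pinning_sessions--;
}

/* True when the User object may be garbage-collected. In "pin" mode the
 * still-running manager session alone no longer keeps the user around. */
bool user_may_gc(const User *u) {
        switch (u->gc_mode) {
        case USER_GC_BY_ANY:
                return u->n_sessions == 0;
        case USER_GC_BY_PIN:
                return u->n_pinning_sessions == 0;
        default:
                return true;
        }
}
```

The interesting case is a user whose user@.service was started manually and who then logs in: after the login session goes away the manager session is still present, but because the mode has switched to "pin", user_may_gc() now says yes and user@.service gets stopped.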
ssh-proxy: add ssh ProxyCommand tool that can connect to AF_UNIX + AF_VSOCK sockets
This adds a tiny binary that is hooked into SSH client config via
ProxyCommand and which simply connects to an AF_UNIX or AF_VSOCK socket
of choice.
The syntax is as simple as this:
ssh unix/some/path # (this connects to AF_UNIX socket /some/path)
or:
ssh vsock/4711
I used "/" as separator of the protocol ID and the value since ":" is
already taken by SSH itself when doing sftp. And "@" is already taken
for separating the user name.
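An added example (not the ssh-proxy tool itself) of a parser for the "unix/<path>" and "vsock/<cid>" host syntax described above. The ProxyTarget structure and function name are assumptions; the commit text does not say how a vsock port is passed, so only the context id is parsed here.

```c
/* Added example, not systemd's ssh-proxy: parses the host string that
 * ssh hands to the ProxyCommand, e.g. "unix/some/path" or "vsock/4711". */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef enum ProxyFamily {
        PROXY_AF_UNIX,
        PROXY_AF_VSOCK,
} ProxyFamily;

typedef struct ProxyTarget {
        ProxyFamily family;
        char path[108];     /* sizeof(((struct sockaddr_un*)0)->sun_path) on Linux */
        uint32_t cid;       /* AF_VSOCK context id */
} ProxyTarget;

/* Returns 0 on success, a negative errno on a malformed host string. */
int proxy_target_parse(const char *host, ProxyTarget *ret) {
        if (!host || !ret)
                return -EINVAL;

        /* "unix/some/path": everything after the protocol word, slash
         * included, is the filesystem path, so it is always absolute. */
        if (strncmp(host, "unix", 4) == 0 && host[4] == '/') {
                const char *p = host + 4;          /* keep the leading '/' */
                if (strlen(p) >= sizeof(ret->path))
                        return -ENAMETOOLONG;
                ret->family = PROXY_AF_UNIX;
                strcpy(ret->path, p);               /* length checked above */
                ret->cid = 0;
                return 0;
        }

        /* "vsock/4711": the value is a plain decimal context id; reject
         * signs, whitespace and trailing junk that strtoull would accept. */
        if (strncmp(host, "vsock", 5) == 0 && host[5] == '/') {
                const char *p = host + 6;
                char *end;
                unsigned long long v;

                if (!isdigit((unsigned char) *p))
                        return -EINVAL;
                errno = 0;
                v = strtoull(p, &end, 10);
                if (errno != 0 || v > UINT32_MAX)
                        return -ERANGE;
                if (*end != '\0')
                        return -EINVAL;
                ret->family = PROXY_AF_VSOCK;
                ret->path[0] = '\0';
                ret->cid = (uint32_t) v;
                return 0;
        }

        return -EINVAL;  /* unknown protocol prefix */
}
```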
analyze: clarify that `security --offline=true` requires an argument
Without `--root` or `--image`, the `security` command inspects all currently
loaded service units if no unit name is specified. But with `--root` or
`--image` with `--offline=true`, the `security` command exits silently if no
unit name is specified.
Also, fixed description of `--root` and `--image` in the man page, and added
missing `--unit` option to help text.
Frantisek Sumsal [Thu, 11 Jan 2024 10:02:05 +0000 (11:02 +0100)]
test: fix dbus installation on Arch
Arch finally made dbus-broker the default dbus daemon [0], but unlike
Fedora they don't use Alias=dbus.service to make the dbus.symlink under
/etc, instead they create the symlink manually under /usr/lib, so let's
account for that.
network: take explicit ownership of our own interfaces
This is a follow-up for #30786 and uses it to assign
ID_NET_MANAGED_BY=io.systemd.Network to all network interfaces that
we consider ours to manage. This should hopefully have the effect that
other well-behaving managers won't fight for these devices.
This doesn't bother with network interfaces we match inside containers,
since udev is not available there anyway.
Holger Assmann [Tue, 9 Jan 2024 14:05:19 +0000 (15:05 +0100)]
watchdog: ensure configured timeout is used instead of USEC_INFINITY
In some rare cases, a watchdog driver might neither be able to change
the watchdog timeout value, nor read it from the hardware at runtime.
With an otherwise functional watchdog setup, this constellation worked
until systemd v249. Since then, systemd ends up ignoring the timeout
defined by the system.conf and rather uses USEC_INFINITY. Consequently,
the watchdog is not pinged anymore and eventually resets the system.
We therefore want to ensure that the system keeps running with the
originally configured timeout.
pam-util: implement our own pam_prompt() replacement, that doesn't log loudly
pam_prompt() will log very noisily at high error levels if it is called
without a conversation function that works. This is however a frequent
case, given that ssh doesn't provide one. To tone down the misleading
logging a bit, implement our own pam_prompt_graceful() that is just like
pam_prompt(), but reports errors back to the caller who then logs (which we
generally do anyway).
Introduce a _very_ simple DNS server using our internal DNS-related
code, that responds to queries with specifically crafted packets, to
cover scenarios that are difficult to reproduce with well-behaving DNS
servers.
Also, hide the test DNS server behind Knot using the dnsproxy module, so
we don't have to switch DNS servers during tests.
Yu Watanabe [Wed, 10 Jan 2024 02:34:44 +0000 (11:34 +0900)]
resolve: introduce DNSSEC_UPSTREAM_FAILURE
and include EDE code and message in the error messages.
This replaces 9ca133e97a0c8795b1f293ccea4965b4ad1accc4, and implements
what was originally suggested at
https://github.com/systemd/systemd/pull/30513#discussion_r1433823737
- add missing initialization for DnsQuery.answer_ede_rcode,
- clear EDE code and message in dns_transaction_reset_answer(),
otherwise the previous EDE code or message may be mistakenly reused
on restart. This fixes a memory leak of DnsTransaction.answer_ede_msg.
- also clear EDE code and message in dns_query_reset_answer(),
otherwise the EDE message is leaked if dns_query_accept() is called
multiple times for the same DnsQuery.
Nick Rosbrook [Tue, 9 Jan 2024 16:40:52 +0000 (11:40 -0500)]
test: skip test_exec_networknamespacepath if netns setup fails
In some environments, such as a LXD container, the netns setup might
fail because ip netns exec fails trying to mount /sys:
$ systemd-detect-virt
lxc
$ ip link add dummy-test-exec type dummy
$ ip netns add test-execute-netns
$ ip netns exec test-execute-netns ip link add dummy-test-ns type dummy
mount of /sys failed: Operation not permitted
If this setup fails, test_exec_networknamespacepath will fail, so check
the exit codes for these setup calls and skip the test if necessary.
- fix indentation,
- drop incorrect comment, dns_packet_ede_rcode() can handle unknown EDE rcode.
- 0 is a valid EDE rcode,
- DnsTransaction.answer_ede_msg may be NULL, so needs to use strempty()
on logging,
- drop redundant ede_rcode temporary variable.
Yu Watanabe [Sat, 6 Jan 2024 18:28:19 +0000 (03:28 +0900)]
resolve: cleanup dns_packet_ede_rcode()
This makes the following:
- make dns_packet_ede_rcode() return -EINVAL when EDE code not found.
Otherwise, the caller may be confused that the packet has an unknown
error code.
- make the function escape the EDE message only when a non-UTF-8 message is received.
- the message handling logic is applied even if the error code is unknown, as
there is no reason that we escape the EDE message only when a known error code
is received.
- reduce scope of variables,
- drop redundant 'else',
- append full stop to the log messages,
- drop redundant log message in the caller,
- split out error in the function and returned EDE error code.
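As an added example (not resolved's dns_packet_ede_rcode()), the parser below covers the behaviours listed in this cleanup and in the DNSSEC_UPSTREAM_FAILURE commit above: it walks the option list of an EDNS0 OPT RR's RDATA, finds the Extended DNS Error option (option code 15, RFC 8914), returns -EINVAL when no EDE option is present, treats info-code 0 as a valid code, hands back a NULL message when there is no extra text, and escapes the text only when it is not valid UTF-8. The function names and the sample RDATA bytes are constructed for this example.

```c
/* Added example, not systemd-resolved's code: extracts the EDE info-code
 * and EXTRA-TEXT from the option list of an EDNS0 OPT RR. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EDNS_OPT_EDE 15  /* Extended DNS Error option code, RFC 8914 */

/* Minimal UTF-8 structure check; NUL is rejected since EXTRA-TEXT must
 * not contain it and we return a C string. */
static bool utf8_is_valid(const uint8_t *s, size_t n) {
        size_t i = 0;
        while (i < n) {
                uint8_t c = s[i];
                size_t len;
                if (c == 0)
                        return false;
                if (c < 0x80)
                        len = 1;
                else if ((c & 0xE0) == 0xC0 && c >= 0xC2)
                        len = 2;
                else if ((c & 0xF0) == 0xE0)
                        len = 3;
                else if ((c & 0xF8) == 0xF0 && c <= 0xF4)
                        len = 4;
                else
                        return false;
                if (i + len > n)
                        return false;
                for (size_t j = 1; j < len; j++)
                        if ((s[i + j] & 0xC0) != 0x80)
                                return false;
                i += len;
        }
        return true;
}

/* Valid UTF-8 is copied unchanged; otherwise every byte outside printable
 * ASCII becomes \xNN so the text is safe to put into a log line. */
static char *ede_text_dup(const uint8_t *s, size_t n) {
        bool valid = utf8_is_valid(s, n);
        char *out = malloc(valid ? n + 1 : n * 4 + 1), *p = out;
        if (!out)
                return NULL;
        for (size_t i = 0; i < n; i++) {
                if (valid || (s[i] >= 0x20 && s[i] < 0x7F))
                        *p++ = (char) s[i];
                else
                        p += sprintf(p, "\\x%02x", s[i]);
        }
        *p = '\0';
        return out;
}

/* Returns the EDE info-code (>= 0, 0 included) and stores the extra text in
 * *ret_msg (malloc'd, or NULL when absent); -EINVAL when there is no EDE
 * option, -EBADMSG when the option list is truncated or malformed. */
int ede_rcode_from_opt_rdata(const uint8_t *rdata, size_t len, char **ret_msg) {
        size_t off = 0;
        while (off + 4 <= len) {
                unsigned code = (unsigned) rdata[off] << 8 | rdata[off + 1];
                unsigned olen = (unsigned) rdata[off + 2] << 8 | rdata[off + 3];
                const uint8_t *data = rdata + off + 4;
                if (off + 4 + olen > len)
                        return -EBADMSG;        /* option runs past RDATA */
                if (code == EDNS_OPT_EDE) {
                        if (olen < 2)
                                return -EBADMSG; /* INFO-CODE is mandatory */
                        if (ret_msg) {
                                char *m = NULL;
                                if (olen > 2) {
                                        m = ede_text_dup(data + 2, olen - 2);
                                        if (!m)
                                                return -ENOMEM;
                                }
                                *ret_msg = m;
                        }
                        return (int) ((unsigned) data[0] << 8 | data[1]);
                }
                off += 4 + olen;
        }
        return off == len ? -EINVAL : -EBADMSG; /* leftover bytes are garbage */
}

/* Constructed sample OPT RDATA for the scenarios above (not captured traffic). */
const uint8_t SAMPLE_EDE_BOGUS[]   = { 0x00,0x0F, 0x00,0x07, 0x00,0x06, 'b','o','g','u','s' };
const uint8_t SAMPLE_EDE_ZERO[]    = { 0x00,0x0F, 0x00,0x02, 0x00,0x00 };
const uint8_t SAMPLE_EDE_BINARY[]  = { 0x00,0x0F, 0x00,0x04, 0x00,0x09, 0xFF, 'A' };
const uint8_t SAMPLE_NO_EDE[]      = { 0x00,0x0A, 0x00,0x02, 0xAA, 0xBB };
const uint8_t SAMPLE_TRUNCATED[]   = { 0x00,0x0F, 0x00,0x10, 0x00,0x01 };
```

The caller is expected to use strempty()-style handling on the returned message, since it is legitimately NULL for an EDE option that carries only an info-code.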