Due to the brokeness of much of the userspace audit code we cannot
really start too many systems without the audit caps set. To make nspawn
easier to use just add the audit caps by default.
To boot up containers successfully the kernel's auditing needs to be
turned off still (use "audit=0" on the kernel command line), but at
least no manual caps have to be passed anymore.
In the long run auditing will be fixed for containers and ve virtualized
properly at which time it should be safe to enable these caps anyway.
Michal Vyskocil [Fri, 18 Jan 2013 09:05:10 +0000 (10:05 +0100)]
util: continuation support for load_env_file
Variable definitions can be written on more than one line - if each ends
with a backslash, then is concatenated with a previous one. Only
backslash and unix end of line (\n) are treated as a continuation.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=58083
[zj: squashed two patches together; cleaned up grammar; removed
comment about ignoring trailing backslash -- it is not ignored.]
The request must not be answered immediately (at first call to
response_handler()), but on the second. This is also important
for authentication, which cannot be performed on the first call.
Before:
% wget -O/dev/null -S https://localhost:19531/
--2012-11-28 18:29:43-- https://localhost:19531/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:19531... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 87
Location: /browse
Content-Type: text/html
Date: Wed, 28 Nov 2012 17:29:44 GMT
Location: /browse [following]
--2012-11-28 18:29:43-- https://localhost:19531/browse
Connecting to localhost (localhost)|127.0.0.1|:19531... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Connection: close
Content-Length: 23260
Content-Type: text/html
Date: Wed, 28 Nov 2012 17:29:44 GMT
Length: 23260 (23K) [text/html]
For now the certificates are passed around as options to the
program. This might not be the most convenient under "production",
but makes for fairly easy testing.
Kay Sievers [Thu, 17 Jan 2013 16:00:50 +0000 (17:00 +0100)]
TODO: remove vconsole items
We should not pimp up the kernel's VC stuff, it's too linited and
fragile.
At the moment not even the font uploaded early during bootup does
survive the KMS driver taking over the framebuffer driver. We
surely don't want to make promises about colors or resolution.
The future is fullscreen KMS/kmscon/wayland/... based terminals using
X fonts, keymaps, input methods, and not the old school too limited
kernel VC stuff. So leave the kernel VCs as they are, and don't expect
wonders.
Nestor Ovroy [Thu, 17 Jan 2013 13:55:30 +0000 (05:55 -0800)]
core: corrects check of strduped controller string
In commit 246aa6d (core: add bus API and systemctl commands for altering
cgroup parameters during runtime), when rewriting unit_add_one_default_cgroup
to prefered style, the check of strduped b->controller was incorrectly
changed to check the containing structure. Correct it.
service: ignore dependencies on $syslog and $local_fs in LSB scripts
We no longer allow early-boot init scripts, however in late boot the
syslog socket and local mounts are established anyway, so let's simplify
our dep graph a bit.
If $syslog doesn't resolve to syslog.target anymore there's no reason to
keep syslog.target around anymore. Let's remove it.
Note that many 3rd party service unit files order themselves after
syslog.target. These will be dangling dependencies now, which should be
unproblematic, however.
Kay Sievers [Wed, 16 Jan 2013 02:46:38 +0000 (03:46 +0100)]
service: sysv - remove distribution specific targets
Systemd should not introduce any new facilities. Distributions which still
need to support their non-standard/legacy facilities should add them as
patches to their packaging.
The following facilities are no longer recognized:
$x-display-manager
$mail-transfer-agent
$mail-transport-agent
$mail-transfer-agent
$smtp
$null
This target is no longer available:
mail-transfer-agent.target
shutdown: in the final umount loop don't use MNT_FORCE
MNT_FORCE is honoured by NFS and FUSE and allows unmounting of the FS
even if consumers still use it. For our brute-force loop we rely on
EBUSY being reported as long as a file system is still used by a
loopback device or suchlike. Hence, drop MNT_FORCE to make EBUSY
reliable.
David Herrmann [Sun, 13 Jan 2013 11:28:38 +0000 (12:28 +0100)]
journalctl: quit on I/O error
This makes journalctl quit on ferror() conditions on stdout. It fixes an
annoying bug if you pipe its output through 'less' and press 'q'. Without
this fix journalctl will continue reading all journal data until EOF which
can take quite some time. For instance on my machine:
david-nb ~ # time journalctl | wc -l
327240
real 1m13.039s
user 1m0.217s
sys 0m10.467s
However, expected behavior is journalctl to quit when its pager closed the
output pipe.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
systemctl: be smarter when mangling snapshot names
For "systemctl snapshot" it makes no sense to complete an incomplete
name with ".service" as we previously did, use ".snapshot" instead.
Also, don't bother with mount units or suchlike, we know that this must
be a snapshot and hence is the only sane way for completion.