man: fix display of keys which appear in two sections in directive index
When an index key appeared in multiple sections (e.g.
CPUAffinity= was present in both "SYSTEM MANAGER DIRECTIVES"
and "UNIT DIRECTIVES"), when lxml was used, the key would
be not be displayed in all but one of those sections, and
only an empty <term/> element would be present. This
happens because lxml allows only one parent for each node,
and when the same formatted element was used in multiple places,
it was actually moved between them. Fix this by making a copy
of the element. The bug was present since lxml support was
introduced.
[tomegun: in particular /sys/firmware/efi/efivars needs to be
mounted, which is not a problem if a systemd-initramfs containing
the correct module is being used. But not everyone uses an
initramfs...]
Jan Janssen [Fri, 17 May 2013 13:38:12 +0000 (15:38 +0200)]
Fix --no-ask-password
POSIX_ME_HARDER mode is disabled for localectl. It doesn't
make much sense in case of localectl, and there's little reason
for localectl to behave specially.
Michael Tremer [Sun, 19 May 2013 13:45:48 +0000 (15:45 +0200)]
systemctl: make systemctl is-enabled work for templated units
Patch resolves the problem that 'systemctl is-enabled' does
not work for templated units.
Without this patch, systemctl is-enabled something@abc.service
returned "No such file or directory", because it first checked
if /usr/lib/systemd/system/something@abc.service, etc. exists.
If systemctl is-enabled is called for templated units, this
check should be omitted and it should search for symlinks in
the .wants dirs right away.
This patch fixes the broken behaviour and resolves
https://bugs.freedesktop.org/show_bug.cgi?id=55318.
[zj: fixed the patch to still check for broken symlinks and
masked instances. Also removed untrue assumptions from
the patch description.]
Michael Olbrich [Sun, 19 May 2013 10:10:55 +0000 (12:10 +0200)]
service: kill processes with SIGKILL on watchdog failure
Just calling service_enter_dead() does not kill any processes.
As a result, the old process may still be running when the new one is
started.
After a watchdog failure the service is in an undefined state.
Using the normal shutdown mechanism makes no sense. Instead all processes
are just killed and the service can try to restart.
David Strauss [Sat, 18 May 2013 09:28:25 +0000 (02:28 -0700)]
Standardize on 'file system' and 'namespace' in man pages.
This change is based on existing usage in systemd and online.
'File-system' may make sense in adjectival form, but man pages
seem to prefer 'file system' even in those situations.
We want to allow clients to process an sd_bus_message on a different
thread than it was received on. Since unreffing a bus message might
readd some of its memfds to the memfd cache add some minimal locking
around the cache.
bus: keep kernel bus fd around during entire life-time of bus
We need this since we might need to invoke the release ioctl for
messages. Since we don't want to add any locking for that we simply keep
a reference to the bus and then rely that the fd stays valid all the
time.
utmp: turn systemd-update-utmp-shutdown.service into a normal runtime service
With this change systemd-update-utmp-shutdown.service is replaced by
systemd-update-utmp.service which is started at boot and stays around
until shutdown. This allows us to properly order the unit against both
/var/log and auditd.
units: rework systemd-random-seed-{load,save}.service to be a single service
That way ordering it with MountsRequiredFor= works properly, as this no
longer results in mount units start requests to be added to the shutdown
transaction that conflict with stop requests for the same unit.
This brings the check for ENABLE_GTK_DOC in line with
HAVE_INTROSPECTION and other similar checks. Only
the status line that is printed with uninstalled
gtk-doc is changed.
bus: rework message struct to keep header with fields in same malloc() block
This allows us to guarantee that the first payload_vec we pass to the
kernel for each message is guaranteed to include the full header and all
its field.
Auke Kok [Sat, 11 May 2013 20:40:08 +0000 (13:40 -0700)]
Add support for ConditionSecurity=ima
Just as with SMACK, we don't really know if a policy has been
loaded or not, as the policy interface is write-only. Assume
therefore that if ima is present in securityfs that it is
enabled.
Update the man page to reflect that "ima" is a valid option
now as well.
This will launch $(PYTHON) with $LD_LIBRARY_PATH and $PYTHONPATH
as ./configure-d and DESTDIR-ed. Use as:
make install DESTDIR=/var/tmp/inst python-shell
condition, man: Add support for ConditionSecurity=smack
According to Documentation/security/Smack.txt:
In keeping with the intent of Smack, configuration data is minimal
and not strictly required. The most important configuration step is
mounting the smackfs pseudo filesystem.
This means that checking the mount point should be enough.
Previous commit (20d408766) was broken. The problem is not connected
to DESTDIR being set or not, but to the fact that targets in
$GENERAL_ALIASES have directory components, so mkdir -p wasn't
recursing deep enough.
grawity> ln: failed to create symbolic link
‘/home/grawity/pkg/aur/systemd-git/pkg/systemd//etc/systemd/system/multi-user.target.wants/remote-fs.target’: No such file or directory