pam_systemd: always set XDG_SESSION_{CLASS|TYPE|DESKTOP}
We likely get the data from the env block, but we might also determine
it from elsewhere (such as PAM module parameters). Let's set the env
vars on the env block explicitly, so that they are available always, and
apps can rely on it.
pam_systemd: also make $XDG_SESSION_DESKTOP configurable via PAM module command line
Let's make this symmetric with XDG_SESSION_CLASS and XDG_SESSION_TYPE,
so that PAM stacks can configure this easily without involving env vars,
in case there are PAM session managers which only support a single
desktop anyway.
pam_systemd: drop setting DBUS_SESSION_BUS_ADDRESS
Since D-Bus 1.9.14 (2015-03-02) dbus looks in $XDG_RUNTIME_DIR/bus for
the system bus on its own, hence we can finally drop setting this
environment variable. gdbus since glib 2.45.3 (June 2015) also supports
it.
network: make log level lower when operations are automatically re-tried later
When networkd has not connected and setting hostname/timezone is
requested, the operation is delayed, not canceled. So, logging in
debug level is sufficient for the corresponding log message.
nss: do not modify errno when NSS_STATUS_NOTFOUND or NSS_STATUS_SUCCESS
This also adds PROTECT_ERRNO for all nss module functions.
C.f. glibc NSS documents https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html
and discussion in https://sourceware.org/bugzilla/show_bug.cgi?id=23410.
Add CC0 as the license. SPDX does not have a "public domain" tag, but CC0 is
more or less equivalent. We should have *some* header to avoid doubts in the
future.
After upgrading to emacs-26.1-1.fc28.x86_64 I noticed that our
.dir-locals.el files weren't honoured anymore (specifically the fill
column variable is not correctly set for c-mode files). I finally
tracked this down to the order in which items are listed in
.dir-locals.el: if the "nil" one is listed last everything works,
otherwise, it's the one that is applied instead of the c-mode one.
This patch simply swaps the entries, and puts the "nil" one last. My
emacs lisp fu is a bit too limited to understand the full impact for
this, and why emacs 26.1 changed behaviour in this regard, but from an
outsider's view the order shouldn't negatively affect things otherwise,
hence this patch.
Yu Watanabe [Thu, 10 May 2018 07:04:16 +0000 (16:04 +0900)]
meson: use integer type in options
This bumps the minimum required version of meson to 0.45 and
python to 3.5, as integer type option is supported since meson-0.45
and meson-0.45 requires python-3.5.
meson: allow building resolved and machined without nss modules
This adds -Dnss-resolve= and -Dnss-mymachines= meson options.
By using this option, e.g., resolved can be built without nss-resolve.
When no nss modules are built, then test-nss is neither built.
Also, This changes the option name -Dmyhostname= to -Dnss-myhostname=
for consistency to other nss related options.
Jon Ringle [Fri, 20 Jul 2018 15:22:43 +0000 (11:22 -0400)]
Make final kill signal configurable
Usecase is to allow changing the final kill from SIGKILL to SIGQUIT which
should create a core dump useful for debugging why the service didn't stop
with the SIGTERM
We often open the parent directory of a path. Let's add a common helper
for that, that shortens our code a bit and adds some extra safety
checks, for example it will fail if used on the root directory (which
doesn't really have a parent).
The helper is actually generalized from a function in btrfs-util.[ch]
which already existed for this purpose.
tests: skip test_get_process_cmdline_harder if `mount --make-rslave /` fails with EPERM or EACCESS
That call to mount was added as a safeguard against a kernel bug which was fixed in
torvalds/linux@bbd5192.
In principle, the error could be ignored because
* normally everything mounted on /proc/PID should disappear as soon as the PID has gone away
* test-mount-util that had been confused by those phantom entries in /proc/self/mountinfo was
taught to ignore them in 112cc3b.
On the other hand, in practice, if the mount fails, then the next one is extremely unlikely to
succeed, so it seems to be reasonable to just skip the rest of `test_get_process_cmdline_harder`
if that happens.
Carlo Caione [Fri, 20 Jul 2018 21:22:50 +0000 (22:22 +0100)]
login1: policy: Authorize active users to boot to firmware
Currently to set the flag to reboot into the firmware setup an
authentication by an administrative user is required. Since we are
already enabling active users to reboot the system, it is advisable to
let the user decide if he wants to boot into the firmware setup without
any more hassle.
Currently, mount_sysfs() only creates /sys/fs/cgroup if cg_ns_supported().
The comment explains that we need to "Create mountpoint for
cgroups. Otherwise we are not allowed since we remount /sys read-only.";
that is: that we need to do it now, rather than later. However, the
comment doesn't do anything to explain why we only need to do this if
cg_ns_supported(); shouldn't we _always_ need to do it?
The answer is that if !use_cgns, then this was already done by the outer
child, so mount_sysfs() only needs to do it if use_cgns. Now,
mount_sysfs() doesn't know whether use_cgns, but !cg_ns_supported() implies
!use_cgns, so we can optimize" the case where we _know_ !use_cgns, and deal
with a no-op mkdir_p() in the false-positive where cgns_supported() but
!use_cgns.
But is it really much of an optimization? We're potentially spending an
access(2) (cg_ns_supported() could be cached from a previous call) to
potentially save an lstat(2) and mkdir(2); and all of them are on virtual
fileystems, so they should all be pretty cheap.
So, simplify and drop the conditional. It's a dubious optimization that
requires more text to explain than it's worth.
Luke Shumaker [Sat, 10 Jun 2017 04:06:45 +0000 (00:06 -0400)]
cgroup-util: cg_kernel_controllers(): Fix comment about including "name="
Remove "arbitrary named hierarchies" from the list of things that
cg_kernel_controllers() might return, and clarify that "name="
pseudo-controllers are not included in the returned list.
/proc/cgroups does not contain "name=" pseudo-controllers, and
cg_kernel_controllers() makes no effort to enumerate them via a different
mechanism.
Luke Shumaker [Tue, 13 Jun 2017 22:06:09 +0000 (18:06 -0400)]
nspawn: Simplify tmpfs_patch_options() usage, and trickle that up
One of the things that tmpfs_patch_options does is take an (optional) UID,
and insert "uid=${UID},gid=${UID}" into the options string. So we need a
uid_t argument, and a way of telling if we should use it. Fortunately,
that is built in to the uid_t type by having UID_INVALID as a possible
value.
So this is really a feature that requires one argument. Yet, it is somehow
taking 4! That is absurd. Simplify it to only take one argument, and have
that trickle all the way up to mount_all()'s usage.
Now, in may of the uses, the argument becomes
uid_shift == 0 ? UID_INVALID : uid_shift
because it used to treat uid_shift=0 as invalid unless the patch_ids flag
was also set. This keeps the behavior the same. Note that in all cases
where it is invoked, if !use_userns (sometimes called !userns), then
uid_shift is 0; we don't have to add any checks for that.
That said, I'm pretty sure that "uid=0" and not setting "uid=" are the
same, but Christian Brauner seemed to not think so when implementing the
cgns support. https://github.com/systemd/systemd/pull/3589
Luke Shumaker [Fri, 7 Jul 2017 22:30:03 +0000 (18:30 -0400)]
nspawn: Simplify mkdir_userns() usage, and trickle that up
One of the things that mkdir_userns{,_p}() does is take an (optional) UID,
and chown the directory to that. So we need a uid_t argument, and a way of
telling if we should use that uid_t argument. Fortunately, that is built
in to the uid_t type by having UID_INVALID as a possible value.
However, currently mkdir_userns() also takes a MountSettingsMask and checks
a couple of bits in it to decide if it should perform the chown.
Drop the mask argument, and instead have the caller pass UID_INVALID if it
shouldn't chown.
man: split systemd.special(7) into separate system/user sections
User units were in the middle, which is just confusing. Let's discuss
all system units first, and all user units second.
I'm using "System manager units" and "user manager units" instead of the more
obvious "system units" and "user units", because there are also units like
"user@.service".
tests: prefer MS_SLAVE over MS_PRIVATE for turning off mount propagation
When we open our own little namespace for running our tests in, let's
turn off mount propagation only one way, rather than both ways. This is
better as this means we don't pin host mounts unnecessarily long in our
namespace, even though the host already got rid of them. This is because
MS_SLAVE in contrast to MS_PRIVATE allows umount events to propagate
from the host into our environment.
Various accountings are not implied by their controllers
The original manpage says "Implies BBBAccounting" many times but actually that accounting is not implied by the respective resource control in v239 with the unified cgroup hierarchy. This commit removes those false explanations.
Alan Jenkins [Thu, 21 Jun 2018 13:12:30 +0000 (14:12 +0100)]
core: remove support for API bus "started outside our own logic"
Looking at a recent Bad Day, my log contains over 100 lines of
systemd[23895]: Failed to connect to API bus: Connection refused
It is due to "systemd --user" retrying to connect to an API bus.[*] I
would prefer to avoid spamming the logs. I don't think it is good for us
to retry so much like this.
systemd was mislead by something setting DBUS_SESSION_BUS_ADDRESS. My best
guess is an unfortunate series of events caused gdm to set this. gdm has
code to start a session dbus if there is not a bus available already (and
in this case it exports the environment variable). I believe it does not
normally do this when running under systemd, because "systemd --user" and
hence "dbus.service" would already have been started by pam_systemd.
I see two possibilities
1. Rip out the check for DBUS_SESSION_BUS_ADDRESS entirely.
2. Only check for DBUS_SESSION_BUS_ADDRESS on startup. Not in the
"recheck" logic.
The justification for 2), is that the recheck is called from unit_notify(),
this is used to check whether the service just started (or stopped) was
"dbus.service". This reason for rechecking does not apply if we think
the session bus was started outside our logic.
But I think we can justify 1). dbus-daemon ships a statically-enabled
/usr/lib/systemd/user/dbus.service, which would conflict with an attempt to
use an external dbus. Also "systemd --user" is started from user@.service;
if you try to start it manually so that it inherits an environment
variable, it will conflict if user@.service was started by pam_systemd
(or loginctl enable-linger).
This allows aliases to be used for the basic modules we load from pid1 before
udev is started. In #9501 the kernel renamed autofs4 to autofs, with "autofs4"
as alias, but we wouldn't load the module, because we didn't follow aliases.
The kernel change was reverted, but it's probably better to support aliases.