The mentioned commit switched scope unit's "pids" deserialization
to call unit_watch_pid() already, meaning all later invocations
in scope_coldplug() are no-op. Remove the cruft altogether.
Support global sysext/confext in systemd-stub/systemd-sysext (#38113)
Systemd-stub supports loading addons, credentials, system and
configuration
extensions from ESP and while addons and credentials can be both global
and
per-UKI, sysext/confext are only per-UKI.
Add support for global sysext/confext to systemd-stub/systemd-sysext.
machined: make registration of unpriv user's VMs/containers work (#37855)
This adds missing glue to reasonably allow unpriv users VMs/containers
to register with the system machined.
This primarily adds two things:
1. machined can now properly track VMs/containers residing in subcgroups
of units, because that's effectively what happens for per-user
VMs/containers: they are placed below the system unit `user@….service`
in some user unit.
2. machines registered with machined now have an owning UID: users can
operate on their own machines withour re-authentication, but not on
others.
Note that this is only a first step regarding machined's hookup of
nspawn/vmspawn in the long run for unpriv operation.
I think eventually we should make it so that there's both a per-user and
a per-system machined instance (so far, and even with this PR there's
still one per-system instance), and per-user containers/VMs would
registering with *both*. Having two instances makes sense I think,
because it would mean we can make machined reasonably manage the
per-user image discovery, and also do the per-system network/hostname
handling.
test: add testcase for unpriv machined nspawns reg + killing
Let's add a superficial test for the code we just added: spawn a
container unpriv, make sure registration fully worked, then kill it via
machinectl, to ensure it all works properly.
vmspawn systems might take quite a while to boot in particular if they
go through uefi and wait for a network lease. Hence let's increase the
start timeout to 2min (from 45s). We'll do that for both nspawn and
vmspawn, even though the UEFI thing certainly doesn't apply there (but
the DHCP thing still does).
This mimics the switch of the same name from nspawn: it controls whether
we expect a READY=1 message from the payload or not. Previously we'd
always expect that. This makes it configurable, just like it is in
nspawn.
There's one fundamental difference in behaviour though: in nspawn it
defaults to off, in vmspawn it defaults to on. (for historical reasons,
ideally we'd default to on in both cases, but changing is quite a compat
break both directly and indirectly: since timeouts might get triggered).
vmspawn: substantially beef up cgroup logic, to match more closely what nspawn does
This beefs up the cgroup logic, adding --slice=, --property= to vmspawn
the same way it already exists in nspawn.
There are a bunch of differences though: we don't delegate the cgroup
access in the allocated unit (since qemu wouldn't need that), and we do
registration via varlink not dbus. Hence, while this follows a similar
logic now, it differs in a lot of details.
This makes in particular one change: when invoked on the command line
we'll only add the qemu instance to the allocated scope, not the vmspawn
process itself (this follows more closely how nspawn does this where
only the container payload has its scope, not nspawn itself). This is
quite tricky to implement: unlike in nspawn we have auxiliary services
to start, with depencies to the scope. This means we need to start the
scope early, so that we know the scope's name. But the command line to
invoke is only assembled from the data we learn about the auxiliary
services, hence much later. To addres we'll now fork off the child that
eventually will become early, then move it to a scope, prepare the
cmdline and then very late send the cmdline (and the fds we want to
pass) to the prepared child, which then execs it.
Just like in nspawn, there's a chance we need to PK authenticate the
registration, hence let's spawn off the agent for that during that
phase, and terminate it once we don't need it anymore.
This cleans up allocation of a scope unit for the container: when
invoked in user context we'll now allocate a scope through the per-user
service manager instead of the per-system manager. This makes a ton more
sense, since it's the user that invokes things after all. And given that
machined now can register containers in the user manager there's nothing
stopping us to clean this up.
Note that this means we'll connect to two busses if run unpriv: once to
the per-user bus to allocate the scope unit, and once to the per-system
bus to register it with machined.
machined: also track 'supervisor' process of a machine
So far, machined strictly tracked the "leader" process of a machine,
i.e. the topmost process that is actually the payload of the machine.
Its runtime also defines the runtime of the machine, and we can directly
interact with it if we need to, for example for containers to join the
namespaces, or kill it.
Let's optionally also track the "supervisor" process of a machine, i.e.
the host process that manages the payload if there is one. This is
generally useful info, but in particular is useful because we might need
to communicate with it to shutdown a machine without cooperation of the
payload. Traditionally we did this by simply stopping the unit of the
machine, but this is not doable now that the host machined can be used
to track per-user machines.
In the long run we probably want a more bespoke protocol between
machined and supervisors (so that we can execute other commands too,
such as request cooperative reboots/shutdowns), but that's for later.
Some environments call the concept "monitor" rather than "supervisor" or
use some other term. I stuck to "supervisor" because nspawn uses this,
and ultimately one name is as good as another.
And of course, in other implementations of VM managers of containers
there might not be a single process tracking each VM/container. Because
of this, the concept of a supervisor is optional.
machined: use different polkit actions for registering and creating a machine
The difference between these two operations are large: one is relatively
superficial: for "registration" all resources remain associated with the
invoking user, only the cgroup is reported to machined which then keeps
track of the machine, too. OTOH "creation" a scope is allocated in
system context, hence the invoked code will be owned by the system, and
its resource usage charged against the system.
Hence, use two distinct polkit actions for this, so that we can relax
access to registration, but keep access to creation tough.
We also run in a VM if we're not running as root, yet we weren't
checking this when deciding whether to pass --capability=CAP_BPF or
not. Let's fix that.
Fixes the following memleak:
```
$ sudo valgrind --leak-check=full build/udevadm cat /usr/lib/udev/rules.d
==3975939==
==3975939== HEAP SUMMARY:
==3975939== in use at exit: 640 bytes in 1 blocks
==3975939== total heap usage: 7,657 allocs, 7,656 frees, 964,328 bytes allocated
==3975939==
==3975939== 640 bytes in 1 blocks are definitely lost in loss record 1 of 1
==3975939== at 0x4841866: malloc (vg_replace_malloc.c:446)
==3975939== by 0x4ACA71F: malloc_multiply (alloc-util.h:92)
==3975939== by 0x4ACF988: _hashmap_dump_entries_sorted (hashmap.c:2167)
==3975939== by 0x4ACFC76: _hashmap_dump_sorted (hashmap.c:2209)
==3975939== by 0x4AA60A4: hashmap_dump_sorted (hashmap.h:311)
==3975939== by 0x4AA9077: dump_files (conf-files.c:397)
==3975939== by 0x4AAA14E: conf_files_list_strv_full (conf-files.c:596)
==3975939== by 0x42426A: search_rules_file (udevadm-util.c:301)
==3975939== by 0x424768: search_rules_files (udevadm-util.c:334)
==3975939== by 0x41287D: cat_main (udevadm-cat.c:110)
==3975939== by 0x4A7B911: dispatch_verb (verbs.c:139)
==3975939== by 0x427272: udevadm_main (udevadm.c:121)
==3975939==
==3975939== LEAK SUMMARY:
==3975939== definitely lost: 640 bytes in 1 blocks
==3975939== indirectly lost: 0 bytes in 0 blocks
==3975939== possibly lost: 0 bytes in 0 blocks
==3975939== still reachable: 0 bytes in 0 blocks
==3975939== suppressed: 0 bytes in 0 blocks
==3975939==
==3975939== For lists of detected and suppressed errors, rerun with: -s
==3975939== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
This renames and splits link_may_have_ipv6ll() into
link_ipv6ll_enabled_harder() and link_multicast_enabled(),
as they are completely irrelevant to each other.
Also, this makes link_ipv6ll_enabled_harder() work non-Wireguard
interfaces.
Load global sysext/confext from /.extra/global_{sysext,confext} which
systemd-stub puts there from ESP/loader/credentials/*.{sysext,confext}.raw.
Global extensions are handled the exact same way as per-UKI ones.
Systemd-stub support loading addons, credentials, system and configuration
extensions from ESP and while addons and credentials can be both global and
per-UKI, sysext/confext are only per-UKI.
Add support for loading ESP/loader/credentials/*.{sysext,confext}.raw to
systemd-stub.
Note: for backwards compatibility reasons, per-UKI sysexts can also be
*.raw (not only *.sysext.raw) but as global extensions are new, there's
no need to bring this legacy there.
Google Compute Engine are not only virtual but can be also physical
machines. Therefore checking only the dmi is not enough to detect if it
is a virtual machine. Therefore systemd-detect-virt return "google"
instead of "none" in c3-highcpu-metal machine.
SMBIOS will not help us to make the difference as for EC2 machines.
However, GCE use KVM hypervisor for these VM, we can use this
information to detect virtualization. [0]
Issue and changes has been tested on SUSE SLE-15-SP7 images with
systemd-254 for both GCE, bare-metal and VM.
Backticks are good in markdown files, where they signify text to be rendered
with a mono-space font. But our text files doesn't use markdown, and backticks
are just a particularly bad type of quote (ugly, assymetrical, with a special
significance in shell context). Update older NEWS entries to not use them.
tree-wide: include asm/sgidefs.h to make _MIPS_SIM_ABI32 and friends defined
The header provides _MIPS_SIM_ABI32 and friends. Glibc indirectly includes
the header through sys/syscall.h or unistd.h, but let's explicitly include
the header where we use _MIPS_SIM_ABI32 and friends.
The header linux/quota.h provides e.g. QIF_DQBLKSIZE or PRJQUOTA, which
is used where the quota-util.h is included.
Let's explicitly include the header with 'IWYU pragma: export' tag.
This new helper takes both a PID and and a pidfd ID, and initializes a
PidRef from it. It ensures they actually belong together and returns an
error if not.
It does not exist for CentOS Stream 10, it's only relevant for CentOS
Stream 9 in some corner cases which don't apply to us, so let's not enable
it to avoid complexity instead of only enabling it for CentOS Stream 9.
The same concern as expalined in #37960 exists also in
missing_syscall.h. If we use enough new glibc, a function we want to use
may be already provided by glibc, but our baseline glibc may not. And it
is hard to detect in our daily development.
This moves all prototypes of syscalls to relevant headers, and missing
syscall functions are defined in relevant .c files of libc wrapper. This
way, we can use usual header as is, e.g. when we want to write code with
`move_mount()`, we can simply use sys/mount.h without checking if it is
supported by our baseline glibc.
conf-files: make conf-file enumerators provide more detailed information of enumerated files (#38006)
This introduces `struct ConfFile` that stores detailed information of an
enumerated file, and introduces `conf_files_list_full()` and friends
that provide results in `ConfFile`.
Then make udev, hwdb, catalog, and cat-files use the new function and
struct to make them not read files outside of specified root directory.
tree-wide: several cleanups for generating symbol lists and gperf files
- pass our system include directories to make generators use our libc
wrappers and latest kernel headers,
- include relevant headers in generated gperf file,
- use files() rather than find_program(), as the result of
find_program() cannot be passed to 'input' of custom_target(),
- move generate-bpf-delegate-configs.py to src/core/, as it is only used
by libcore.
selinux-util: downgrade log level to LOG_DEBUG when error code is zero
Previously, the logger is only used in error paths, but since fe3f2ac0734e64dcd729b00992a6261cbf4cc846, the logger is also used in a
success path. Let's not log loudly on success.
Yu Watanabe [Sun, 29 Jun 2025 20:18:32 +0000 (05:18 +0900)]
pretty-print: several cleanups for cat_files()
- drop redundant error messages in cat_files(), as cat_file() internally
logs errors,
- show an empty line and filename before opening file, to make not mix
any error messages with the previous file,
- drop unnecessary fflush(),
- use RET_GATHER() and continue to show files even if some files cannot
be shown.
r = cg_create(SYSTEMD_CGROUP_CONTROLLER, test_a);
- if (IN_SET(r, -EPERM, -EACCES, -EROFS)) {
+ if (IN_SET(r, -EPERM, -EACCES, -EROFS, -ENOENT)) {
log_info_errno(r, "Skipping %s: %m", __func__);
return;
}
```
I confirmed that the `ERRNO_IS_NEG_FS_WRITE_REFUSED` macro is equivalent
to checking the first 3 error codes above, so the addition of the check
for `ENOENT` is still just as relevant as it was in 252, but adding it
into the macro would be inconsistent with its name, description, and
possible other uses. Hence, in this PR I'm adding the extra check into
the `if`.
Plumbing to perform SELinux checks in varlink API (#38146)
This PR does minimal changes to introduce varlink support. Ideally, the
code should switch to using `mac_selinux_get_our_label()` and new
`mac_selinux_get_peer_label()`. But I leave it for now to minimize
breakage. `mac_selinux_get_peer_label()` remains unused.
This is a prep step to merge
https://github.com/systemd/systemd/pull/38032
projects / thirdparty / systemd.git / log
