Mike Yuan [Sat, 15 Jun 2024 15:27:33 +0000 (17:27 +0200)]
man,units: drop "temporary" from description of systemd-tmpfiles
Historically, systemd-tmpfiles was designed to manager temporary
files, but nowadays it has become a generic tool for managing
all kinds of files. To avoid user confusion, let's remove "temporary"
from the tool's description.
json: extend JsonDispatch flags with nullable and refuse-null flags
currently when dispatching json objects into C structs we either insist
on the field type or we don't. Let's extend this model a bit: depending
on two new fields either allow or refuse null types in addition to the
specified type.
This is useful for example when dispatch enums as this allows us
explicitly refuse null in various scenarios where we allow multiple
types.
pretty-print: enable stdio buffering while outputting progress bar
Writing the progress bar so far was irritatingly slow, which was caused
by the fact that the various things we output so far resulted in one
write() syscall each because STDERR is unbuffered by default.
Let's fix that, and temporarily turn on full buffering for stderr,
restoring the normal unbuffered output right after.
This makes progress bar print visibly more efficient (and flicker free
too, since terminals no longer will move the cursor around during
output).
../src/shared/loop-util.c: In function ‘loop_configure_fallback’:
../src/shared/loop-util.c:237:31: error: ‘LOOP_SET_BLOCK_SIZE’ undeclared (first use in this function); did you mean ‘LOOP_SET_DIRECT_IO’?
if (ioctl(fd, LOOP_SET_BLOCK_SIZE, (unsigned long) c->block_size) < 0)
^~~~~~~~~~~~~~~~~~~
LOOP_SET_DIRECT_IO
Nick Rosbrook [Fri, 14 Jun 2024 21:31:22 +0000 (17:31 -0400)]
man: add a bit of a warning to systemd-tmpfiles --purge
Mention that by default, /home is managed by tmpfiles.d/home.conf, and
recommend that users run systemd-tmpfiles --dry-run --purge first to
see exactly what will be removed.
pcrlock: move event_log_reduce_to_safe_pcrs() down a bit
Let's keep the verb_lock_xyz() and verb_unlock_xyz() calls together, and
move event_log_reduce_to_safe_pcrs() which so far was in betwee them all
further down closer to where the function is actually used.
pcrlock: don't override conf_root parameter for boot_entry_token_ensure()
if we pass NULL boot_entry_token_ensure() will use its own default,
which is the same as what we passed so far explicitly, hence let's make
use of that.
vmspawn: report "systemd-vmspawn" as "service" to machined
The "service" field that one is supposed to pass to machine is supposed
to indicate the implementation of the client, not the service unit the
client runs in (which is typically even a scope unit, not a system
unit). Hence fix that, and make it closely match what systemd-nspawn
does.
copy: rework how we determine the number of bytes to copy in copy_bytes_full()
Let's freshly calculate "m" on each iteration and always start with the maximum
size we can. If sendfile() is used we must adhere to its limit of
SSIZE_MAX minus the current offset. Otherwise we can copy more, i.e.
SSIZE_MAX without any restrictions.
Also, if we get too close to having copied SSIZE_MAX, let's turn off
sendfile() for the rest.
iovec-util: add exported constant empty but valid (i.e. non-NULL) iovec
Also, make sure the NUL byte iovec becomes an exported constant too.
This is better than the previous situation where this was a macro
resolving to a compount expression, since the lifetime of the expression
is limited to its invoking scope. By turning this into a proper variable
the lifetime becomes unbounded, which makes it easier to use in various
scenarios, such as "if" blocks.
Kamil Szczęk [Fri, 7 Jun 2024 14:48:41 +0000 (16:48 +0200)]
cryptsetup: manual FIDO2 PIN, UP and UV configuration
When in FIDO2 mode with manual parameters, i.e. when not reading the
parameters off the LUKS2 header, the current behavior in regards to PIN,
UP and UV features is to default to v248 logic, where we use PIN + UP
when needed, and do not configure UV at all. Let's allow users to
configure those features in manual mode too.
varlinkctl: tell user we are expecting method call parameters on STDIN
When calling a method and the user hasn't provided any method call
parameters on the command line we expect them on stdin instead. This
might be confusing for people using varlinkctl for the first time, since
omitting the parameters will just throw you at a blinking cursor.
Let's be a bit more helpful, and show a friendly message when we are
connected to a TTY (i.e. run interactively).
In some recent PRs (e.g. #32628) I started to systematically name return
parameters that shall only be initialized on failure (because they carry
additional error meta information, such as the line/column number of
parse failures or so). Let's make this official in the coding style.
For putting together "varlinkctl call" command lines it's useful to
quickly enumerate all methods implemented by a service. Hence, let's add
a new "list-methods" which uses the introspection data of a service to
quickly list methods.
This is implemented as a special flavour of the "introspect" logic,
and just suppresses all output except for the method names.
varlinkctl: make interface argument to "introspect" optional, and allow more than one
let's make it easier to use the introspection functionality of
"varlinkctl": if no interface name is shown, display the introspection
data of all available interfaces. Moreover, allow that multiple
interfaces can be listed, in which case we enumerate them all.
This relieves the user from having to list interfaces first in order to
find the ones which to introspect.
The flag is fairly generic these days and just selects a slightly
stricter validation, with details depending on the selected dispatch
function. Hence, let's give it more precise name, in particular one that
mirrors the SD_JSON_RELAXED flag nicely (which does the opposite:
relaxes parsing)
This is preparation for making our Varlink API a public API. Since our
Varlink API is built on top of our JSON API we need to make that public
first (it's a nice API, but JSON APIs there are already enough, this is
purely about the Varlink angle).
I made most of the json.h APIs public, and just placed them in
sd-json.h. Sometimes I wasn't so sure however, since the underlying data
structures would have to be made public too. If in doubt I didn#t risk
it, and moved the relevant API to src/libsystemd/sd-json/json-util.h
instead (without any sd_* symbol prefixes).
The kernel patch
https://lore.kernel.org/linux-usb/20240605153340.25694-1-gmazyland@gmail.com/
is now in net-next branch, and will be hopefully merged soon.
Note that Debian's 73-usb-net-by-mac.link now also supports the kernel patch:
https://salsa.debian.org/systemd-team/systemd/-/commit/c1afbb2dc295929085be86072c7942c8517ec598
So, hopefully, the change is ready. Let's reapply it.
creds-util: fix "weak" vs. "secure" display for tmpfs/noswap backed credentials
When we display passed credentials we show a brief safety level based on
how the credential is pass in: if it's backed by swappable memory we
give it a "weak" level. This check was so far done by checking if the
file is backed by ramfs. However, since 1155f44f48f8fd59c863d71b3938e34a0b2fec2a we actually prefer tmpfs with
the new "noswap" option for this.
Hence, fix this, and explicitly look for "noswap" among the mount
options in case we detect tmpfs.
When looking at how dlopen for various libs is implemented, I found that the
macros hide too much. I find it much easier to see what is going on if 'extern'
and '= NULL' are written explicitly. After all, we don't hide those for other
definitions, e.g. our style guide says that static variables should be
initialized with '= NULL'. With that change, it's much more obvious what is
a variable declaration and what is a variable initialization.
Daan De Meyer [Mon, 3 Jun 2024 10:35:29 +0000 (12:35 +0200)]
repart: Use CRYPT_ACTIVATE_PRIVATE
Let's skip udev device scanning when activating a LUKS volume in
systemd-repart as we don't depend on any udev symlinks and don't
expect anything except repart to access the volume.
Suggested by https://github.com/systemd/systemd/issues/33129#issuecomment-2143390941.
analyze: add verb for dumping SMBIOS Type #11 data
I find myself wanting to check this data with a quick command, and
browsing through /sys/ manually getting binary data sucks. Hence let's
do add a nice little analysis tool.
Ronan Pigott [Fri, 8 Mar 2024 20:40:08 +0000 (13:40 -0700)]
resolved: permit dnssec rrtype questions when we aren't validating
This check introduced in 91adc4db33f6 is intended to spare us from
encountering broken resolver behavior we don't want to deal with.
However if we aren't validating we more than likely don't know the state
of the upstream resolver's support for dnssec. Let's let clients try
these queries if they want.
This brings the behavior of sd-resolved in-line with previouly stated
change in the meaning of DNSSEC=no, which now means "don't validate"
rather than "don't validate, because the upstream resolver is declared to
be dnssec-unaware".
Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
projects / thirdparty / systemd.git / log
