core: define "exit" and "exit-force" actions for user units and only accept that
We would accept e.g. FailureAction=reboot-force in user units and then do an
exit in the user manager. Let's be stricter, and define "exit"/"exit-force" as
the only supported actions in user units.
v2:
- rename 'exit' to 'exit-force' and add new 'exit'
- add test for the parsing function
man: move description of *Action= modes to FailureAction=/SuccessAction=
FailureAction=/SuccessAction= were added later then StartLimitAction=, so it
was easiest to refer to the existing description. But those two settings are
somewhat simpler (they just execute the action unconditionally) while
StartLimitAction= has additional timing and burst parameters, and they are
about to take on a more prominent role, so let's move the description of
allowed values.
core: consider service with no start command immediately started
The service would always be in state == SERVICE_INACTIVE, but it needs to go
through state == SERVICE_START so that SuccessAction/FailureAction are executed.
Let's be safe than sorry, in particular as logind doesn't set it up
anymore, but user-runtime-dir@.service does, and logind doesn't really
track success of that.
So far we always used "yes" instead of "true" in all our unit files,
except for one outlier. Let's do this here too. No change in behaviour
whatsoever, except that it looks prettier ;-)
logind: automatically GC lingering users for who now user@.service (nor slice, not runtime dir service) is running anymore
This heavily borrows from @intelfx' PR #5546, but watches all three
units that are associated with a user now: the slice, the user@.service
and user-runtime-dir@.service.
The logic and reasoning behind it is the same though: there's no value
in keeping lingering users around if all their three services are gone.
logind: add a RequiresMountsFor= dependency from the session scope unit to the home directory of the user
This is useful so that during shutdown scope units are always terminated
before the mounts necessary for the home directory.
(Ideally we'd also add a similar dependency from the user@.service
instance to the home directory, but this isn't as easy as that service
is defined statically and not dynamically, and hence not easy to modify
dynamically, in particular when it comes to deps)
logind: change user-runtime-dir to query runtime dir size from logind via the bus
I think this is a slightly cleaner approach than parsing the
configuration file at multiple places, as this way there's only a single
reload cycle for logind.conf, and that's systemd-logind.service's
runtime.
This means that logind and dbus become a requirement of
user-runtime-dir, but given that XDG_RUNTIME_DIR is not set anyway
without logind and dbus around this isn't really any limitation.
This also simplifies linking a bit as this means user-runtime-dir
doesn't have to link against any code of logind itself.
logind: rework how we manage the slice and user-runtime-dir@.service unit for each user
Instead of managing it explicitly, let's simplify things and rely on
regular Wants=/Requires= dependencies to pull in these units from
user@.service and the session scope, and StopWhenUneeded= to stop these
auxiliary units again. This way, they can be pulled in easily by
unrelated units too.
This simplifies things quite a bit: for each session we now only need to
manage the session scope, and for each user the user@.service, the other
units are not something we need to manage anymore.
This patch also makes sure that if user@.service of a user is masked we
will continue to work, and user-runtime-dir@.service will still be
correctly pulled in, as it is now a dependency of the scope unit.
Let's propagate errors from stopping sessions via seat_stop(). This is
similar to how we propagate such errors in user_stop() for all sessions
associated with a user.
Note that we propagate these errors, but we don't abort the function.
logind: improve logging in manager_connect_console()
let's make sure we log about every failure
Also, complain about systems where /dev/tty0 exists but
/sys/class/tty/tty0/active does not. Such systems (usually container
environments) are pretty broken as they mount something that is not a VC
to /dev/tty0 and they really shouldn't.
Systems should either have a VC or not, but not badly fake one by
mounting things wildly.
This just adds a warning message, as before we'll simply turn off VC
handling in this case.
Let's not use the word "wrapper", as it's not clear what that is, and in
some way any unit file is a "wrapper"... let's simply say that it's
about the runtime directory.
logind: fix serialization/deserialization of user's "display session"
Previously this was serialized as part of the user object. This didn't
work however, as we load users first, and sessions seconds and hence
referencing a session from the user load logic cannot work.
Fix this by storing an IS_DISPLAY property along with each session, and
make the session with this set display session when it is loaded.
man: systemctl: clarify that --lines=0 is allowed (#10375)
The term “positive” is often read to exclude 0 (though “strictly
positive” is sometimes used to clarify this), so let’s explicitly state
that --lines=0 is legal and completely disables journal output.
networkd: fix attribute length for wireguard (#10380)
This is actually a u16, not a u32, so the kernel complains:
kernel: netlink: 'systemd-network': attribute type 5 has an invalid length
This is due to:
if (nla_attr_len[pt->type] && attrlen != nla_attr_len[pt->type]) {
pr_warn_ratelimited("netlink: '%s': attribute type %d has an invalid length.\n",
current->comm, type);
}
Presumably this has been working fine in functionality on little-endian
systems, but nobody bothered to try on big-endian systems.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
David Tardon [Wed, 3 Oct 2018 10:48:58 +0000 (12:48 +0200)]
console: avoid promotion to signed int
coverity message:
sign_extension: Suspicious implicit sign extension: "keydata.Key.ScanCode" with type "UINT16" (16 bits, unsigned) is promoted in "keydata.Key.ScanCode << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "keydata.Key.ScanCode << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
man: add missing references to sd_event_add_inotify()
These man pages list references to the various sd_event_add_xyz() calls
at the bottom, but sd_event_add_inotify() was never added there.
Moreover, some list references to sd_event_add_post() and
sd_event_add_exit() even though these have shared man pages with
sd_event_add_defer(), and given that the "SEE ALSO" section should
probably reference pages instead of functions let's drop this.
Then, let's always specify the sd_event_add_xyz() calls in the same
order.
Finally, in the sd_event_new(3) text explaining the basic logic,
actually mention sd_event_add_post() and sd_event_add_exit() as well, as
in that case we actually want to list functions, not man pages.
This makes use of assert_cc() to guard against missing CASE macros,
instead of a manual implementation that might result in a static
variable to be allocated.
More importantly though this changes the base type for the array used to
determine the number of arguments for the compile time check from "int"
to "long double". This is done in order to avoid warnings from "ubsan"
that possibly large constants are assigned to small types. "long double"
hopefully isn't vulnerable to that.
Also, while we are at it, beef it up, by adding json-seq support (i.e.
https://tools.ietf.org/html/rfc7464). This is particularly useful in
conjunction with jq's --seq switch.
This broke the compilation for coverity under travis. Our build script does
something like this:
$ CFLAGS='-D_Float128=long\ double -D_Float64=double -D_Float64x=long\ double -D_Float32=float -D_Float32x=double' meson cov-build -Dman=false
$ ninja -C build
...
[pid 27096] execve("/usr/bin/cc", ["/usr/bin/cc", "-D_Float128=long", "double", "-D_Float64=double", "-D_Float64x=long", "double", "-D_Float32=float", "-D_Float32x=double", "-E", "-dM", "-include", "linux/capability.h", "-include", "config.h", "-include", "../src/basic/missing.h", "-"], 0x55ab75ea4e80 /* 91 vars */) = 0
cc: error: double: No such file or directory
cc: error: double: No such file or directory
[pid 27096] +++ exited with 1 +++
I'm sure this could be fixed somehow, but since the original motivation for 56f56d5ad856d9bd1070693490b210e0a0ccde92 wasn't very strong, let's just revert
it as this seems to be the simplest solution.
manager: simplify error handling in manager_deserialize()
If a memory error occurred, we would still go through the path which sets the
error on ferror(). It is unlikely that ferror() returns true, but it's seems
cleaner to just propagate the error we already have.
The handling of fgets() returning NULL is also simplified: according to the man
page, it returns NULL only on EOF or error. So if feof() returns true, I don't
think we should call ferror() again.
While at it, let's set errno to 0 and check that it is set before returning it
as an error. The man pages for fgets() and feof() do not say anything about
setting errno.
manager: also use the reloading "cleanup" function in manager_startup
Here the behaviour is nominally changed, because we will decrease the
counter on error. But the only caller quits the program if error occurs,
so this makes no practical difference.
A new switch "-j" or "--json=" is added which transforms dbus
marshalling into json. This is extremely useful in combination with
tools such as "jq" to process bus calls further.
https://github.com/mesonbuild/meson/issues/1644 was resolved in 0.42:
https://github.com/mesonbuild/meson/pull/2191/commits/be4428005dff8b17af5696c8f05567de9af1a8c5,
but still no-go.