If the default target is not specified on the kernel command line, it
may not be obvious what we are booting into. See for example
https://github.com/systemd/systemd/issues/15062#issuecomment-597577464.
Susant Sahani [Mon, 9 Mar 2020 09:48:03 +0000 (10:48 +0100)]
network: tc- introduce PIE
Proportional Integral controller-Enhanced (PIE) is a control
theoretic active queue management scheme. It is based on the
proportional integral controller but aims to control delay.
udev: add debug logs for delaying and delegation of events
Up to now each uevent logs the following things at debug level:
- Device is queued
- Processing device
- Device processed
However when the device is queued it might still have to wait for
earlier devices to be processed before being able to start being
processed itself. When analysing logs this dependency information is
quite crucial, so add respective debug log calls.
Valery0xff [Wed, 11 Mar 2020 00:20:36 +0000 (02:20 +0200)]
udev: fix SECLABEL{selinux} issue (#15064)
Adding SECLABEL{selinux}="some value" causes udevadm to crash:
systemd-udevd[x]: Worker [x] terminated by signal 11 (SEGV)
It has happened since 25de7aa7b90 (Yu Watanabe 2019-04-25 01:21:11 +0200),
when udev rules processing changed to the token model. Yu forgot to store
the attr in the SECLABEL token, so fix it.
Topi Miettinen [Mon, 9 Mar 2020 12:01:06 +0000 (14:01 +0200)]
dissect-image: avoid scanning partitions
In case the dissected image has a filesystem, don't scan for partitions. This
avoids problems with services using a `RootImage=` in early boot when udevd is
not yet started.
Topi Miettinen [Sat, 7 Mar 2020 19:19:09 +0000 (21:19 +0200)]
mount-setup: make /dev noexec
/dev used to be mounted with the "exec" flag due to the /dev/MAKEDEV script, but that's
history and it's now located in /sbin. mmap() with a file descriptor to
"/dev/zero" (instead of the modern mmap(,,,MAP_ANON...)) will still work.
libcap v2.33 introduces a new capability set called IAB[0] which is shown
in the output of `capsh --print` and interferes with the test checks. Let's
drop the IAB set from the output, for now, to mitigate this.
This could be (and probably should be) replaced in the future by the
newly introduced testing options[1][2] in libcap v2.32, namely:
--has-p=xxx
--has-i=xxx
--has-a=xxx
but this needs to wait until the respective libcap version gets a wider
adoption. Until then, let's stick with the relatively ugly sed.
James T. Lee [Sat, 7 Mar 2020 23:05:34 +0000 (18:05 -0500)]
boot: Ensure ARM UEFI binary does not contain FP/SIMD instructions
ARM toolchains will sometimes optimize otherwise floating-point-free
code with floating point and SIMD instructions. This was happening with
systemd-bootarm.efi and it was causing U-Boot to crash and reset the
CPU. U-Boot does not support the ARM VFP floating point coprocessor,
which is an optional piece of hardware anyway [1].
Ensure the compiler does not generate FP/SIMD instructions by supplying
the `-mgeneral-regs-only` option when building for ARM [2].
The other option you often see to solve these problems is
`-msoft-float`, but that changes the ABI and prevents linking with
libgnuefi.
I assume it’s supposed to be “see Home Directories for details” and not
“… and embeds these JSON records directly in the home directory images …
for details”, but the previous text suggested the latter reading to me.
Jörg Thalheim [Tue, 3 Mar 2020 23:31:25 +0000 (23:31 +0000)]
systemd-resolved: use hostname for certificate validation in DoT
Widely accepted certificates for IP addresses are expensive and only
affordable for larger organizations. Therefore if the user provides
the hostname in the DNS= option, we should use it instead of the IP
address.
Benjamin Berg [Thu, 5 Mar 2020 10:35:45 +0000 (11:35 +0100)]
core: Fix resolution of nested DM devices for cgroups
When using the cgroups IO controller, the device that is controlled
should always be the toplevel block device. This did not get resolved
correctly for an LVM volume inside a LUKS device, because the code would
only resolve one level of indirection.
Fix this by recursively looking up the originating block device for DM
devices.
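As an added illustration (not systemd's own code) of the recursive lookup this commit describes: a resolver that follows sysfs "slaves" links from a DM device down to the device it is built on, then maps a partition to its whole disk. The sysfs paths are assumed from the standard layout, and the offline snapshot of an LVM-on-LUKS stack is constructed for the example.

```python
"""Resolve a DM stack (e.g. LVM on LUKS) to its originating whole disk.
Assumed sysfs model: /sys/class/block/<dev>/slaves/ names each device a
DM device is built on; a device with no slaves is the bottom of the stack."""
import os
from typing import Callable, Dict, List

# Constructed snapshot for offline use: LVM volume dm-1 on LUKS mapping
# dm-0, on partition sda2 of disk sda. A one-level lookup stops at dm-0.
FAKE_SLAVES: Dict[str, List[str]] = {"dm-1": ["dm-0"], "dm-0": ["sda2"]}
FAKE_PARENT: Dict[str, str] = {"sda2": "sda"}


def sysfs_slaves(dev: str) -> List[str]:
    """Real lookup: entries under /sys/class/block/<dev>/slaves, if any."""
    path = f"/sys/class/block/{dev}/slaves"
    return sorted(os.listdir(path)) if os.path.isdir(path) else []


def sysfs_parent(dev: str) -> str:
    """Real lookup: a partition's sysfs dir sits inside its disk's dir,
    which itself carries a 'dev' file; a disk's parent does not."""
    parent_dir = os.path.dirname(os.path.realpath(f"/sys/class/block/{dev}"))
    return os.path.basename(parent_dir) if os.path.exists(os.path.join(parent_dir, "dev")) else ""


def resolve_origin(dev: str, slaves_of: Callable[[str], List[str]] = sysfs_slaves,
                   max_depth: int = 16) -> str:
    """Follow slaves links until a device with none (the recursive fix)."""
    seen = set()
    for _ in range(max_depth):
        if dev in seen:
            raise RuntimeError(f"loop in device stack at {dev}")
        seen.add(dev)
        slaves = slaves_of(dev)
        if not slaves:
            return dev
        if len(slaves) > 1:
            # RAID-like mappings have no single origin; the IO controller
            # needs exactly one block device, so refuse rather than guess.
            raise RuntimeError(f"{dev} has several slaves: {slaves}")
        dev = slaves[0]
    raise RuntimeError("device stack too deep")


def whole_disk(dev: str, parent_of: Callable[[str], str] = sysfs_parent) -> str:
    """Map a partition to its containing disk; a disk maps to itself."""
    return parent_of(dev) or dev


def origin_disk(dev: str, slaves_of=sysfs_slaves, parent_of=sysfs_parent) -> str:
    """Top-level block device to pass to the cgroup IO controller."""
    return whole_disk(resolve_origin(dev, slaves_of), parent_of)
```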
units: skip modprobe@.service if the unit appears to be already loaded
Possible alternative to #14819.
For me, setting RemainAfterExit=yes would be OK, but if people think that it
might cause issues, then this could be a reasonable alternative that still
lets us skip the invocation of the separate binary.
As with the previous changes, the same arguments apply:
- distributions have scripts to rewrite shebangs on installation and
  they know what locations to rely on.
- For tests/compilation we should rather rely on the user to have set up
  their PATH correctly.
In particular this makes testing from git easier on NixOS, where we do not provide
/bin/bash to improve composability.
Use Finished instead of Started for Type=oneshot services (#14851)
UnitStatusMessageFormats.finished_job, if present,
will be called with the same arguments as
job_get_done_status_message_format() to provide a format string
appropriate for the context.
This commit replaces "Started" with "Finished" for started oneshot
units, as mentioned in the referenced issue.
units: restore RemainAfterExit=yes in systemd-vconsole-setup.service
This reverts the second part of 8125e8d38e3aa099c7dce8b0161997b8842aebdc.
The first part was reverted in 750e550eba362096d56a35104c6a32631aa67b8e.
The problem starts when s-v-s.s is pulled in by something that is then pulled
in by sysinit.target. Every time a unit is started, systemd recursively checks
all dependencies, and since sysinit.target is pulled in by almost anything, we'll
start s-v-s.s over and over. In particular, plymouth-start.service currently
has Wants=s-v-s.s and After=s-v-s.s.
units: do not ignore return value from systemd --user
This minus has been there since the unit was added in
d42d27ead91e470cb12986d928441e56c0f543ca. I think the idea was to not cause things
to fail if the user instance doesn't work. But ignoring the return value
doesn't seem to be the right way to approach the problem. In particular, if
the program fails to run, we'll get a bogus fail state, see
https://bugzilla.redhat.com/show_bug.cgi?id=1727895#c1:
with the minus:
$ systemctl start user@1002
Job for user@1002.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status user@1002.service" and "journalctl -xe" for details.
without the minus:
$ systemctl start user@1002
Job for user@1002.service failed because the control process exited with error code.
See "systemctl status user@1002.service" and "journalctl -xe" for details.