nspawn: allow configuration of user namespaces in .nspawn files
In order to implement this we change the bool arg_userns into an enum
UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the
arg_uid_range_pick bool with it.
nspawn: optionally, automatically allocate a UID/GID range for userns containers
This adds the new value "pick" to --private-users=. When specified a new
UID/GID range of 65536 users is automatically and randomly allocated from the
host range 0x00080000-0xDFFF0000 and used for the container. The setting
implies --private-users-chown, so that container directory is recursively
chown()ed to the newly allocated UID/GID range, if that's necessary. As an
optimization before picking a randomized UID/GID the UID of the container's
root directory is used as starting point and used if currently not used
otherwise.
To protect against using the same UID/GID range multiple times a few mechanisms
are in place:
- The first and the last UID and GID of the range are checked with getpwuid()
and getgrgid(). If an entry already exists a different range is picked. Note
that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1.
- A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the
ranges are taken in a non-overlapping fashion, and always start on 64K
boundaries this allows us to maintain a single lock file for each range that
can be randomly picked. This protects nspawn from picking the same range in
two parallel instances.
- If possible the /etc/passwd lock file is taken while a new range is selected
until the container is up. This means adduser/addgroup should safely avoid
the range as long as nss-mymachines is used, since the allocated range will
then show up in the user database.
The UID/GID range nspawn picks from is compiled in and not configurable at the
moment. That should probably stay that way, since we already provide ways how
users can pick their own ranges manually if they don't like the automatic
logic.
The new --private-users=pick logic makes user namespacing pretty useful now, as
it relieves the user from managing UID/GID ranges.
nspawn: optionally fix up OS tree uid/gids for userns
This adds a new --private-userns-chown switch that may be used in combination
with --private-userns. If it is passed a recursive chmod() operation is run on
the OS tree, fixing all file owner UID/GIDs to the right ranges. This should
make user namespacing pretty workable, as the OS trees don't need to be
prepared manually anymore.
util: copy_file_range() returns EBADF when used on a tty
In nspawn we invoke copy_bytes() on a TTY fd. copy_file_range() returns EBADF
on a TTY and this error is considered fatal by copy_bytes() so far. Correct
that, so that nspawn's copy_bytes() operation works again.
journal-remote : Ensure reallocation of source->buf does not result in source->size < source->filled (#3086)
While the function journal-remote-parse.c:get_line() enforces an assertion that source->filled <= source->size, in function journal-remote-parse.c:process_source() there is a chance that source->size will be decreased to a lower value than source->filled, when source->buf is reallocated. Therefore a check is added that ensures that source->buf is reallocated only when source->filled is smaller than target / 2.
core: don't dispatch load queue when setting Slice= for transient units
Let's be more careful when setting up the Slice= property of transient units:
let's use manager_load_unit_prepare() instead of manager_load_unit(), so that
the load queue isn't dispatched right away, because our own transient unit is
in it, and we don#t want to have it loaded until we finished initializing it.
units: order systemd-user-sessions.service after network.target
That way we can be sure that local users are logged out before the network is
shut down when the system goes down, so that SSH session should be ending
cleanly before the system goes down.
coredump,basic: generalize O_TMPFILE handling a bit
This moves the O_TMPFILE handling from the coredumping code into common library
code, and generalizes it as open_tmpfile_linkable() + link_tmpfile(). The
existing open_tmpfile() function (which creates an unlinked temporary file that
cannot be linked into the fs) is renamed to open_tmpfile_unlinkable(), to make
the distinction clear. Thus, code may now choose between:
a) open_tmpfile_linkable() + link_tmpfile()
b) open_tmpfile_unlinkable()
Depending on whether they want a file that may be linked back into the fs later
on or not.
In a later commit we should probably convert fopen_temporary() to make use of
open_tmpfile_linkable().
Explicitly syncing /etc/machine-id after writing it, is probably a good idea,
since it has a strong "commit" character and is generally a one-time thing.
shared: move unit-specific code from bus-util.h to bus-unit-util.h
Previously we'd have generally useful sd-bus utilities in bust-util.h,
intermixed with code that is specifically for writing clients for PID 1,
wrapping job and unit handling. Let's split the latter out and move it into
bus-unit-util.c, to make the sources a bit short and easier to grok.
loginctl,machinectl: also make use of new GetProcesses() bus call
This ports over machinectl and loginctl to also use the new GetProcesses() bus
call to show the process tree of a container or login session. This is similar
to how systemctl already has been ported over in a previous commit.
core,systemctl: add bus API to retrieve processes of a unit
This adds a new GetProcesses() bus call to the Unit object which returns an
array consisting of all PIDs, their process names, as well as their full cgroup
paths. This is then used by "systemctl status" to show the per-unit process
tree.
This has the benefit that the client-side no longer needs to access the
cgroupfs directly to show the process tree of a unit. Instead, it now uses this
new API, which means it also works if -H or -M are used correctly, as the
information from the specific host is used, and not the one from the local
system.
shared/install: always overwrite symlinks in .wants and .requires
Before:
$ systemctl preset getty@.service
Failed to preset unit, file /etc/systemd/system/getty.target.wants/getty@tty1.service
already exists and is a symlink to ../../../../usr/lib/systemd/system/getty@.service.
After:
$ systemctl preset getty@.service
Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service,
pointing to /usr/lib/systemd/system/getty@.service.
We don't really care where the symlink points to. For example, it might point
to /usr/lib or /etc, and systemd will always load the unit from /etc in
preference to /usr/lib. In fact, if we make a symlink like
/etc/systemd/system/multi-user.target.wants/b.service -> ../a.service, pid1
will still start b.service. The name of the symlink is the only thing that
matters, as far as systemd is concerned. For humans it's confusing when the
symlinks points to anything else than the actual unit file. At the very least,
the symlink is supposed to point to a file with the same name in some other
directory. Since we don't care where the symlink points, we can always replace
an existing symlink.
Another option I considered would be to simply leave an existing symlink in
place. That would work too, but replacing the symlink with the expected value
seems more intuitive.
Of course those considerations only apply to .wants and .requires. Symlinks
created with "link" and "alias" are a separate matter.
systemctl,pid1: do not warn about missing install info with "preset"
When "preset" was executed for a unit without install info, we'd warn similarly
as for "enable" and "disable". But "preset" is usually called for all units,
because the preset files are provided by the distribution, and the units are under
control of individual programs, and it's reasonable to call "preset" for all units
rather then try to do it only for the ones that can be installed.
We also don't warn about missing info for "preset-all". Thus it seems reasonable
to silently ignore units w/o install info when presetting.
(In addition, when more than one unit was specified, we'd issue the warning
only if none of them had install info. But this is probably something to fix
for enable/disable too.)
shared/install: nicer error message is symlinking chokes on an existing file
Fixes #1892.
Previously:
Failed to enable unit: Invalid argument
Now:
Failed to enable unit, file /etc/systemd/system/ssh.service already exists.
It would be nice to include the unit name in the message too. I looked into
this, but it would require major surgery on the whole installation logic,
because we first create a list of things to change, and then try to apply them
in a loop. To transfer the knowledge which unit was the source of each change,
the data structures would have to be extended to carry the unit name over into
the second loop. So I'm skipping this for now.
units: Add "GuessMainPID=no" to compatibility unit for rc-local (#3018)
With the current "Type=forking", systemd tries to guess the PID it
should wait on at reboot (because we have no "PIDFile="). Depending on
how wrong the guess is, we can end up hanging forever at reboot.
networkd: When link gets dirty mark manager dirty too (#3080)
If we not marking manager dirty when link is dirty then
the state file is not updated. This is a side effect of
issue 2850
setting CriticalConnection=yes
timesyncd NTP servers given by DHCP server are ignored.
Martin Pitt [Thu, 21 Apr 2016 10:13:08 +0000 (12:13 +0200)]
build: fix test-nss.c build failure with --disable-{resolved,myhostname} (#3081)
When building without resolved and/or myhostname, test-nss.c failed to build
with
src/test/test-nss.c: In function 'main':
src/test/test-nss.c:417:32: error: 'MODULE1' undeclared (first use in this function)
NULSTR_FOREACH(module, MODULE1 MODULE2 MODULE3 MODULE4) {
^
Ensure that all MODULEx are always defined, and empty if the module is not
available (so that it will be a no-op in the string concatenation).
We enable lingering for anyone who wants this. It is still disabled by
default to avoid keeping long-running processes accidentally.
Admins might want to customize this policy on multi-user sites.
logind: make KillOnlyUsers override KillUserProcesses
Instead of KillOnlyUsers being a filter for KillUserProcesses, it can now be
used to specify users to kill, independently of the KillUserProcesses
setting. Having the settings orthogonal seems to make more sense. It also
makes KillOnlyUsers symmetrical to KillExcludeUsers.
This ensures that users sessions are properly cleaned up after.
The admin can still enable or disable linger for specific users to allow
them to run processes after they log out. Doing that through the user
session is much cleaner and provides better control.
dbus daemon can now be run in the user session (with --enable-user-session,
added in 1.10.2), and most distributions opted to pick this configuration.
In the normal case it makes a lot of sense to kill remaining processes.
The exception is stuff like screen and tmux. But it's easy enough to
work around, a simple example was added to the man page in previous
commit. In the long run those services should integrate with the systemd
users session on their own.
man: expand description of lingering and KillUserProcesses setting
The description in the man page was wrong, KillUserProcesses does
not kill all processes of the user. Describe what the setting
does, and also add links between the relavant sections of the
manual.
Also, add an extensive example which shows how to launch screen
in the background.
SELinux outputs semi-random messages like "Unknown permission start for class
system", and the user has to dig into message metadata to find out where
they are comming from. Add a prefix to give a hint.
networkd: bump MTU to 1280 for interfaces which have IPv6 enabled (#3077)
IPv6 protocol requires a minimum MTU of 1280 bytes on the interface.
This fixes #3046.
Introduce helper link_ipv6_enabled() to figure out whether IPV6 is enabled.
Introduce network_has_static_ipv6_addresses() to find out if any static
ipv6 address configured.
If IPv6 is not configured on any interface that is SLAAC, DHCPv6 and static
IPv6 addresses not configured, then IPv6 will be automatically disabled for that
interface, that is we write "1" to /proc/sys/net/ipv6/conf//disable_ipv6.
man: try to explain different actions in tmpfiles a bit better
- do not suggest that vendor configuration files should be in
/etc, use /usr/lib/tmpfiles.d instead
- split the first example, because the text talked about "needing
two directories", but then a smack attribute was also set, and
on a different path, which looked like a typo. Replace that
with the example from original patch [1] which added 't'.
- fix the example for /var/tmp/abrt. The 'x' line was redundant,
because /var/tmp/abrt/* is already filtered because "d /var/tmp/abrt"
overrides "d /var/tmp".
This changes the behaviour of pid1 in the following ways:
- obviously $TERM is now checked,
- $SYSTEMD_COLORS is now honoured too, before only SYSTEMD_LOG_COLORS was checked,
- isatty() is run on stdout not stderr.
basic/terminal-util: cache value for colors_enabled
After all it's something that we query over and over.
For example, systemctl calls colors_enabled() four times for each failing
service. The compiler is unable to optimize those calls away because they
(potentially) accesses external and global state through on_tty() and
getenv().
coredump: create unnamed temporary files if possible (O_TMPFILE) (#3065)
Don't leave temporary files if the coredump service is aborted during
the operation
Yeah, these are temporary files that systemd-coredump needs while
processing the coredumps. Of course, if the coredump service is aborted
during the operation we better shouldn't leave those files around. This
is hence a bug to fix in our coredumping code.
See https://github.com/systemd/systemd/issues/2804#issuecomment-210578147
Another option is to simply use O_TMPFILE, and when it is not available
fall back to the current behaviour. After all, the files are cleaned up
eventually, through normal tmpfiles aging, and the offending file
systems are pretty exotic these days, or not in the upstream kernel.
See https://github.com/systemd/systemd/issues/2804#issuecomment-211496707
shared/install: change value of _UNIT_FILE_CHANGE_TYPE_INVALID
-1 could be confused with -EPERM. But we still need a negative enum
value to force gcc to use int for the enum type, even though it is
unused. Otherwise we get warnings.
shared/install,systemctl,core: report offending file on installation error
Fixes #2191:
$ systemctl --root=/ enable sddm
Created symlink /etc/systemd/system/display-manager.service, pointing to /usr/lib/systemd/system/sddm.service.
$ sudo build/systemctl --root=/ enable gdm
Failed to enable unit, file /etc/systemd/system/display-manager.service already exists and is a symlink to /usr/lib/systemd/system/sddm.service.
$ sudo build/systemctl --root= enable sddm
$ sudo build/systemctl --root= enable gdm
Failed to enable unit: File /etc/systemd/system/display-manager.service already exists and is a symlink to /usr/lib/systemd/system/sddm.service.
(I tried a few different approaches to pass the error information back to the
caller. Adding a new parameter to hold the error results in a gigantic patch
and a lot of hassle to pass the args arounds. Adding this information to the
changes array is straightforward and can be more easily extended in the
future.)
In case local installation is performed, the full set of errors can be reported
and we do that. When running over dbus, only the first error is reported.
sleep: Add debug feature to bypass hibernation memory checks. (#3064)
This new feature bypasses checking if a swap partition is mounted
or if there is enough swap space available for hibernation to
succeed.
This can be useful when a system with a Solid State Disk (SSD)
has no normal swap partition or file configured, and a custom
systemd unit is used to mount a swap file just before hibernating
and unmount it just after resuming.
Currently, 99-systemd.rules.in contains a line for network block
devices, which mark them as inactive until the first change event, and
as active from then on forward. This is not correct. A network block
device can be connected or disconnected; this state is signalled by the
presence or absense of a "pid" file, which contains the PID of the
nbd client userspace process that started the connection.
Update the rules file so that it checks for the presence of that file to
decide what to set SYSTEMD_READY to.
Note that current kernels do issue a change event upon connecting the
device, but not yet upon disconnecting. While it's possible to wait
until that's been fixed, the behaviour of the rule with TEST!="pid" in
the absence of a proper uevent is exactly the same as the behaviour of
the old rule; so it should be safe to apply now.
basic: user-utils.c needs missing.h for secure_getenv (#3059)
Otherwise building may fail with:
src/basic/user-util.c: In function 'get_home_dir':
src/basic/user-util.c:343:9: error: implicit declaration of function 'secure_getenv' [-Werror=implicit-function-declaration]
Dan Nicholson [Mon, 18 Apr 2016 02:52:45 +0000 (19:52 -0700)]
conf-parser: Set EXTRACT_RETAIN_ESCAPE when extracting words (#2917)
If you reference another unit with an escaped name, the escaped characters
should remain in the extracted word. This used to work correctly prior to
commit 34f253f0.
The problem can be seen when units with escaped names are referenced.
$ systemctl enable "dev-disk-by\x2dlabel-eos\x2dswap.swap"
Created symlink
/etc/systemd/system/dev-disk-byx2dlabel-eosx2dswap.device.wants/dev-disk-by\x2dlabel-eos\x2dswap.swap,
pointing to /usr/lib/systemd/system/dev-disk-by\x2dlabel-eos\x2dswap.swap.
The wants directory should be created with the x2ds escaped with \.
projects / thirdparty / systemd.git / log
