From 38df8d3f521c8d76c507c092f4a8e4bb84f9f48a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 5 Apr 2019 13:46:33 +0200 Subject: sd-id128: expose ID128_UUID_FORMAT_STR It is generally useful, and can be made public in the same manner that SD_ID128_FORMAT_STR is. --- man/rules/meson.build | 1 + man/sd-id128.xml | 6 ++++++ 2 files changed, 7 insertions(+) (limited to 'man') diff --git a/man/rules/meson.build b/man/rules/meson.build index d949900ddc..6f9f4c4443 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -101,6 +101,7 @@ manpages = [ 'SD_ID128_MAKE', 'SD_ID128_MAKE_STR', 'SD_ID128_NULL', + 'SD_ID128_UUID_FORMAT_STR', 'sd_id128_equal', 'sd_id128_is_null', 'sd_id128_t'], diff --git a/man/sd-id128.xml b/man/sd-id128.xml index 74d838df2e..22d5e0e3ed 100644 --- a/man/sd-id128.xml +++ b/man/sd-id128.xml @@ -24,6 +24,7 @@ SD_ID128_NULL SD_ID128_CONST_STR SD_ID128_FORMAT_STR + SD_ID128_UUID_FORMAT_STR SD_ID128_FORMAT_VAL sd_id128_equal sd_id128_is_null @@ -119,6 +120,11 @@ int main(int argc, char **argv) { return 0; } + SD_ID128_UUID_FORMAT_STR() is similar to + SD_ID128_FORMAT_STR() but includes separating hyphens to conform to the + "canonical representation". + + Use sd_id128_equal() to compare two 128-bit IDs: int main(int argc, char *argv[]) { -- cgit v1.2.3 From 8e74bf7f9c9f0e46066590603c3a7d1e04dbe6c4 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 19 Mar 2019 19:54:08 +0100 Subject: man: document new OOMPolicy= setting --- man/systemd-system.conf.xml | 11 +++++++++++ man/systemd.exec.xml | 16 +++++++++++----- man/systemd.service.xml | 23 +++++++++++++++++++++++ 3 files changed, 45 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index d23b3fb45d..5d1e4d1b97 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml 
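Review bot: the paragraph added in the sd-id128.xml hunk says SD_ID128_UUID_FORMAT_STR() "includes separating hyphens to conform to the 'canonical representation'" but never shows what that layout is; a reader comparing it with SD_ID128_FORMAT_STR() would be helped by one sentence stating the grouping, e.g. "the 128-bit ID is printed as 8-4-4-4-12 hexadecimal digits separated by hyphens, as in RFC 4122". Also the subject line says ID128_UUID_FORMAT_STR while both hunks add SD_ID128_UUID_FORMAT_STR; the public name should be used consistently.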
@@ -364,6 +364,17 @@ limits are only defaults for units, they are not applied to PID 1 itself. + + + DefaultOOMPolicy= + + Configure the default policy for reacting to processes being killed by the Linux + Out-Of-Memory (OOM) killer. This may be used to pick a global default for the per-unit + OOMPolicy= setting. See + systemd.service5 + for details. Note that this default is not used for services that have Delegate= + turned on. + diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 688147ea32..df1e1e8681 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -651,11 +651,17 @@ CapabilityBoundingSet=~CAP_B CAP_C OOMScoreAdjust= - Sets the adjustment level for the Out-Of-Memory killer for executed processes. Takes an integer - between -1000 (to disable OOM killing for this process) and 1000 (to make killing of this process under memory - pressure very likely). See proc.txt for - details. + Sets the adjustment value for the Linux kernel's Out-Of-Memory (OOM) killer score for + executed processes. Takes an integer between -1000 (to disable OOM killing of processes of this unit) + and 1000 (to make killing of processes of this unit under memory pressure very likely). See proc.txt for details. If + not specified defaults to the OOM score adjustment level of the service manager itself, which is + normally at 0. + + Use the OOMPolicy= setting of service units to configure how the service + manager shall react to the kernel OOM killer terminating a process of the service. See + systemd.service5 + for details. diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 5b88417530..1f40c2ff37 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml 
@@ -963,6 +963,29 @@ above. + + OOMPolicy= + + Configure the Out-Of-Memory (OOM) killer policy. On Linux, when memory becomes scarce + the kernel might decide to kill a running process in order to free up memory and reduce memory + pressure. This setting takes one of continue, stop or + kill. If set to continue and a process of the service is + killed by the kernel's OOM killer this is logged but the service continues running. If set to + stop the event is logged but the service is terminated cleanly by the service + manager. If set to kill and one of the service's processes is killed by the OOM + killer the kernel is instructed to kill all remaining processes of the service, too. Defaults to the + setting DefaultOOMPolicy= in + system.conf5 is + set to, except for services where Delegate= is turned on, where it defaults to + continue. + + Use the OOMScoreAdjust= setting to configure whether processes of the unit + shall be considered preferred or less preferred candidates for process termination by the Linux OOM + killer logic. See + systemd.exec5 for + details. + + Check -- cgit v1.2.3 From 18a388225035c0ed9897e0327006b501424249df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 10 Apr 2019 10:12:43 +0200 Subject: man: add a page for systemd-udev-settle.service --- man/rules/meson.build | 1 + man/systemd-udev-settle.service.xml | 51 +++++++++++++++++++++++++++++++++++++ man/udevadm.xml | 4 +++ 3 files changed, 56 insertions(+) create mode 100644 man/systemd-udev-settle.service.xml (limited to 'man') diff --git a/man/rules/meson.build b/man/rules/meson.build index d949900ddc..762e72cabe 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -774,6 +774,7 @@ manpages = [ 'systemd-tmpfiles-setup.service'], ''], ['systemd-tty-ask-password-agent', '1', [], ''], + ['systemd-udev-settle.service', '8', [], ''], ['systemd-udevd.service', '8', ['systemd-udevd', 
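Review bot: the DefaultOOMPolicy= entry in the systemd-system.conf.xml hunk does not say what the setting is when it is itself left unset, yet the OOMPolicy= text in systemd.service.xml defers to it ("Defaults to the setting DefaultOOMPolicy= ... is set to"). Please state the built-in default here (one of continue, stop or kill) so the chain of defaults can be resolved from the documentation alone.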
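Review bot: in the OOMPolicy= hunk of systemd.service.xml, "Defaults to the setting DefaultOOMPolicy= in system.conf5 is set to" is ungrammatical; suggest "Defaults to the value of DefaultOOMPolicy= in system.conf5". The same hunk should also say how the three modes interact with Restart=: with continue the service keeps running after one of its processes has been OOM-killed, so whether stop and kill count as a failure that triggers Restart= is the question an operator will have when choosing a policy for a service that must not silently keep running in a degraded state.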
diff --git a/man/systemd-udev-settle.service.xml b/man/systemd-udev-settle.service.xml new file mode 100644 index 0000000000..6fbd99111f --- /dev/null +++ b/man/systemd-udev-settle.service.xml @@ -0,0 +1,51 @@ + + + + + + + + systemd-udev-settle.service + systemd + + + + systemd-udev-settle.service + 8 + + + + systemd-udev-settle.service + Wait for all pending udev events to be handled + + + + systemd-udev-settle.service + + + Description + This service calls udevadm settle to wait until all events that have been queued + by udev7 have been + processed. It is a crude way to wait until "all" hardware has been discovered. Services may pull in this + service and order themselves after it to wait for the udev queue to be empty. + + Using this service is not recommended. There can be no guarantee that hardware + is fully discovered at any specific time, because the kernel does hardware detection asynchronously, and + certain busses and devices take a very long time to become ready, and also additional hardware may be + plugged in at any time. Instead, services should subscribe to udev events and react to any new hardware as + it is discovered. Services that, based on configuration, expect certain devices to appear, may warn or + report failure after a timeout. This timeout should be tailored to the hardware type. Waiting for + systemd-udev-settle.service usually slows boot significantly, because it means waiting + for all unrelated events too. + + + + See Also + + udev7, + udevadm8 + + + diff --git a/man/udevadm.xml b/man/udevadm.xml index 467402ca75..a591ab8c34 100644 --- a/man/udevadm.xml +++ b/man/udevadm.xml @@ -362,6 +362,10 @@ + + See + systemd-udev-settle.service8 + for more information. udevadm control <replaceable>option</replaceable> -- cgit v1.2.3 From 81962db798a557839df072018e3b019e2787cc4e Mon Sep 17 00:00:00 2001 
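Review bot: the new systemd-udev-settle.service.xml page first says "Services may pull in this service and order themselves after it" and only afterwards says the service is not recommended; reorder so the recommendation against use comes first, and if the sentence is kept, spell out the ordering form it refers to (Wants= plus After=, or Requires= plus After=). The alternative it proposes, "services should subscribe to udev events", would be more useful with a pointer to the API page for doing so (libudev3) in the See Also list, which currently names only udev7 and udevadm8.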
From: Susant Sahani Date: Wed, 3 Apr 2019 16:57:36 +0530 Subject: network: Introduce MACsec Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. Closes #5754 --- man/systemd.netdev.xml | 121 ++++++++++++++++++++++++++++++++++++++++++++++++ man/systemd.network.xml | 8 ++++ 2 files changed, 129 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 1836b5fe00..9b131a16b6 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -151,6 +151,9 @@ l2tp A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself + macsec + Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats. + vrf A Virtual Routing and Forwarding (VRF) interface to create separate routing and forwarding domains. 
@@ -851,6 +854,124 @@ + + [MACsec] Section Options + The [MACsec] section only applies for network devices of kind + macsec, and accepts the following keys: + + + + Port= + + Specifies the port to be used for the MACsec transmit channel. The port is used to make + secure channel identifier (SCI). Takes a value between 1 and 65535. Defaults to unset. + + + + + Encrypt= + + Takes a boolean. When true, enable encryption. Defaults to unset. + + + + + + [MACsecReceiveChannel] Section Options + The [MACsecReceiveChannel] section only applies for network devices of + kind macsec, and accepts the following keys: + + + + Port= + + Specifies the port to be used for the MACsec receive channel. The port is used to make + secure channel identifier (SCI). Takes a value between 1 and 65535. This option is + compulsory, and is not set by default. + + + + MACAddress= + + Specifies the MAC address to be used for the MACsec receive channel. The MAC address + used to make secure channel identifier (SCI). This option is compulsory, and is not set by + default. + + + + + + [MACsecTransmitAssociation] Section Options + The [MACsecTransmitAssociation] section only applies for network devices + of kind macsec, and accepts the following keys: + + + + PacketNumber= + + Specifies the packet number to be used for replay protection and the construction of + the initialization vector (along with the secure channel identifier [SCI]). Takes a value + between 1-4,294,967,295. Defaults to unset. + + + + + KeyId= + + Specifies the identification for the key. Takes a number between 0-255. This option + is compulsory, and is not set by default. + + + + Key= + + Specifies the encryption key used in the transmission channel. The same key must be + configured on the peer’s matching receive channel. This option is compulsory, and is not set + by default. Takes a 128-bit key encoded in a hexadecimal string, for example + dffafc8d7b9a43d5b9a3dfbbf6a30c16. 
+ + + + + + [MACsecReceiveAssociation] Section Options + The [MACsecReceiveAssociation] section only applies for + network devices of kind macsec, and accepts the + following keys: + + + + Port= + + Accepts the same key in [MACsecReceiveChannel] section. + + + + MACAddress= + + Accepts the same key in [MACsecReceiveChannel] section. + + + + PacketNumber= + + Accepts the same key in [MACsecTransmitAssociation] section. + + + + KeyId= + + Accepts the same key in [MACsecTransmitAssociation] section. + + + + Key= + + Accepts the same key in [MACsecTransmitAssociation] section. + + + + [Tunnel] Section Options diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 4127084703..2d8eeee88f 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -768,6 +768,14 @@ This option may be specified more than once. + + MACsec= + + The name of a MACsec device to create on the link. See + systemd.netdev5. + This option may be specified more than once. + + ActiveSlave= -- cgit v1.2.3 From eb4705fb36e681a8e8821abc55e7e5baf37de939 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Wed, 10 Apr 2019 18:07:10 +0900 Subject: network: add MACsec*Association.KeyFile= setting --- man/systemd.netdev.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 9b131a16b6..7ab9faac6d 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -931,6 +931,16 @@ dffafc8d7b9a43d5b9a3dfbbf6a30c16. + + KeyFile= + + Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal + string, which will be used in the transmission channel. When this option is specified, + Key= is ignored. Note that the file must be readable by the user + systemd-network, so it should be, e.g., owned by + root:systemd-network with a 0640 file mode. + + 
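Review bot: the macsec entry added to the kind list in systemd.netdev.xml (hunk @@ -151) claims MACsec "is capable of identifying and preventing most security threats"; that overstates what a link-layer protocol provides. MACsec authenticates and optionally encrypts frames between directly connected nodes and protects against replay; it does not stop an attacker from flooding the link (denial of service), and it offers nothing once frames are decapsulated at the next hop. Suggest rewording to what the protocol actually guarantees on the link: integrity, optional confidentiality and replay protection.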
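Review bot: in the new [MACsec] section (hunk @@ -851), Encrypt= "Takes a boolean. When true, enable encryption. Defaults to unset." leaves the reader guessing what unset means; since a MACsec association without encryption carries frames in cleartext with only an integrity check value appended, the text should say explicitly which behaviour applies when the option is omitted, and that setting it to false yields integrity-only protection. In [MACsecTransmitAssociation], Key= shows a literal key inside the .netdev file; the entry should note that the file then holds key material and must not be world-readable. Smaller points: PacketNumber= "Takes a value between 1-4,294,967,295" should match the "between 1 and 65535" wording used for Port=; in [MACsecReceiveChannel] MACAddress= is missing a verb ("The MAC address is used to make the secure channel identifier"); and the [MACsecReceiveAssociation] entries "Accepts the same key in [...] section" read better as "Accepts the same values as the key of the same name in the [...] section".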
@@ -970,6 +980,12 @@ Accepts the same key in [MACsecTransmitAssociation] section. + + KeyFile= + + Accepts the same key in [MACsecTransmitAssociation] section. + + -- cgit v1.2.3 From a7b9c52f1f79feae800647b77796115f899222cc Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 5 Apr 2019 15:33:52 +0900 Subject: network: add MACsec*Association.Activate= setting --- man/systemd.netdev.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 7ab9faac6d..030de47438 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -941,6 +941,13 @@ root:systemd-network with a 0640 file mode. + + Activate= + + Takes a boolean. If enabled, then the security association is activated. Defaults to + unset. + + @@ -986,6 +993,12 @@ Accepts the same key in [MACsecTransmitAssociation] section. + + Activate= + + Accepts the same key in [MACsecTransmitAssociation] section. + + -- cgit v1.2.3 From b0e13c3122d6836dec2ee32b2d44f0b4c163943a Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 5 Apr 2019 15:52:26 +0900 Subject: network: add MACsecTransmitAssociation.UseForEncoding= setting --- man/systemd.netdev.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 030de47438..a58de37b3c 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -948,6 +948,14 @@ unset. + + UseForEncoding= + + Takes a boolean. If enabled, then the security association is used for encoding. Only + one [MACsecTransmitAssociation] section can enable this option. When enabled, + Activate=yes is implied. Defaults to unset. + + -- cgit v1.2.3 From cc5549ca12616376a4e4ef04fd4e2fb53d6d098c Mon Sep 17 00:00:00 2001 
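Review bot: in the KeyFile= hunk (@@ -931) "Takes a absolute path" should be "Takes an absolute path". The entry specifies the content as "a 128-bit key encoded in a hexadecimal string" but not whether a trailing newline or surrounding whitespace is accepted, which is exactly what a file written with an editor will contain; please state it. The ownership advice (root:systemd-network with mode 0640) is good; it is worth adding that the protection comes from the key file's own mode, so it must not inherit a permissive mode from a world-readable configuration directory.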
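Review bot: the Activate= entry (hunk @@ -941) says "If enabled, then the security association is activated. Defaults to unset." without saying what an unset association does: is it installed but inactive, and is traffic then unprotected, dropped, or simply not sent on that association? State the effective default for both the transmit and the receive side, since the [MACsecReceiveAssociation] copy (hunk @@ -986) only refers back to this text.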
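Review bot: the UseForEncoding= entry (hunk @@ -948) says "Only one [MACsecTransmitAssociation] section can enable this option" but not what happens when several do (whether the .netdev file is rejected, the first wins, or the last wins); please document the failure mode, since a silently ignored section would mean frames are encoded with a different key than the administrator expects.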
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 4 Apr 2019 14:10:42 +0200 Subject: scripts: use 4 space indentation We had all kinds of indentation: 2 sp, 3 sp, 4 sp, 8 sp, and mixed. 4 sp was the most common, in particular the majority of scripts under test/ used that. Let's standarize on 4 sp, because many commandlines are long and there's a lot of nesting, and with 8sp indentation less stuff fits. 4 sp also seems to be the default indentation, so this will make it less likely that people will mess up if they don't load the editor config. (I think people often use vi, and vi has no support to load project-wide configuration automatically. We distribute a .vimrc file, but it is not loaded by default, and even the instructions in it seem to discourage its use for security reasons.) Also remove the few vim config lines that were left. We should either have them on all files, or none. Also remove some strange stuff like '#!/bin/env bash', yikes. --- man/50-xdg-data-dirs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/50-xdg-data-dirs.sh b/man/50-xdg-data-dirs.sh index 073174cb40..89e9fbb599 100755 --- a/man/50-xdg-data-dirs.sh +++ b/man/50-xdg-data-dirs.sh @@ -5,7 +5,7 @@ XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share/:/usr/share}" # add a directory if it exists if [[ -d /opt/foo/share ]]; then - XDG_DATA_DIRS=/opt/foo/share:${XDG_DATA_DIRS} + XDG_DATA_DIRS=/opt/foo/share:${XDG_DATA_DIRS} fi # write our output -- cgit v1.2.3 From c52db42b78f6fbeb7792cc4eca27e2767a48b6ca Mon Sep 17 00:00:00 2001 
From: Chris Down Date: Thu, 28 Mar 2019 12:50:50 +0000 Subject: cgroup: Implement default propagation of MemoryLow with DefaultMemoryLow In cgroup v2 we have protection tunables -- currently MemoryLow and MemoryMin (there will be more in future for other resources, too). The design of these protection tunables requires not only intermediate cgroups to propagate protections, but also the units at the leaf of that resource's operation to accept it (by setting MemoryLow or MemoryMin). This makes sense from an low-level API design perspective, but it's a good idea to also have a higher-level abstraction that can, by default, propagate these resources to children recursively. In this patch, this happens by having descendants set memory.low to N if their ancestor has DefaultMemoryLow=N -- assuming they don't set a separate MemoryLow value. Any affected unit can opt out of this propagation by manually setting `MemoryLow` to some value in its unit configuration. A unit can also stop further propagation by setting `DefaultMemoryLow=` with no argument. This removes further propagation in the subtree, but has no effect on the unit itself (for that, use `MemoryLow=0`). Our use case in production is simplifying the configuration of machines which heavily rely on memory protection tunables, but currently require tweaking a huge number of unit files to make that a reality. This directive makes that significantly less fragile, and decreases the risk of misconfiguration. After this patch is merged, I will implement DefaultMemoryMin= using the same principles. --- man/systemd.resource-control.xml | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'man') diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index 4a8c57f45a..e7fb46873c 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
@@ -265,6 +265,10 @@ This setting is supported only if the unified control group hierarchy is used and disables MemoryLimit=. + + Units may can have their children use a default memory.low value by specifying + DefaultMemoryLow=, which has the same usage as MemoryLow=. This setting + does not affect memory.low in the unit itself. -- cgit v1.2.3 From dc653bf487bae9d1ddf794442bf4176fee173b41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Kl=C3=B6tzke?= Date: Wed, 29 Nov 2017 07:43:44 +0100 Subject: service: handle abort stops with dedicated timeout When shooting down a service with SIGABRT the user might want to have a much longer stop timeout than on regular stops/shutdowns. Especially in the face of short stop timeouts the time might not be sufficient to write huge core dumps before the service is killed. This commit adds a dedicated (Default)TimeoutAbortSec= timer that is used when stopping a service via SIGABRT. In all other cases the existing TimeoutStopSec= is used. The timer value is unset by default to skip the special handling and use TimeoutStopSec= for state 'stop-watchdog' to keep the old behaviour. If the service is in state 'stop-watchdog' and the service should be stopped explicitly we still go to 'stop-sigterm' and re-apply the usual TimeoutStopSec= timeout. --- man/systemd-system.conf.xml | 12 ++++++++---- man/systemd.service.xml | 29 +++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 4 deletions(-) (limited to 'man') diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 5d1e4d1b97..41baff8bfe 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml 
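Review bot: in the systemd.resource-control.xml hunk, "Units may can have their children use" should be "Units may have their children use". The hunk also leaves out two behaviours that the commit message describes: that a child which sets MemoryLow= itself opts out of the propagated value, and that a unit can stop propagation further down the tree by setting DefaultMemoryLow= with an empty value without affecting its own memory.low. Both are needed to predict the effective protection of a leaf unit, so they belong in the man page and not only in the commit message.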
@@ -239,13 +239,15 @@ DefaultTimeoutStartSec= DefaultTimeoutStopSec= + DefaultTimeoutAbortSec= DefaultRestartSec= - Configures the default timeouts for starting - and stopping of units, as well as the default time to sleep + Configures the default timeouts for starting, + stopping and aborting of units, as well as the default time to sleep between automatic restarts of units, as configured per-unit in TimeoutStartSec=, - TimeoutStopSec= and + TimeoutStopSec=, + TimeoutAbortSec= and RestartSec= (for services, see systemd.service5 for details on the per-unit settings). Disabled by default, when @@ -255,7 +257,9 @@ TimeoutSec= value. DefaultTimeoutStartSec= and DefaultTimeoutStopSec= default to - 90s. DefaultRestartSec= defaults to + 90s. DefaultTimeoutAbortSec= is not set by default + so that all units fall back to TimeoutStopSec=. + DefaultRestartSec= defaults to 100ms. diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 1f40c2ff37..c2b3e21076 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml 
@@ -573,6 +573,35 @@ + + TimeoutAbortSec= + This option configures the time to wait for the service to terminate when it was aborted due to a + watchdog timeout (see WatchdogSec=). If the service has a short TimeoutStopSec= + this option can be used to give the system more time to write a core dump of the service. Upon expiration the service + will be forcibly terminated by SIGKILL (see KillMode= in + systemd.kill5). The core file will + be truncated in this case. Use TimeoutAbortSec= to set a sensible timeout for the core dumping per + service that is large enough to write all expected data while also being short enough to handle the service failure + in due time. + + + Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass an empty value to skip + the dedicated watchdog abort timeout handling and fall back TimeoutStopSec=. Pass + infinity to disable the timeout logic. Defaults to DefaultTimeoutAbortSec= from + the manager configuration file (see + systemd-system.conf5). + + + If a service of Type=notify handles SIGABRT itself (instead of relying + on the kernel to write a core dump) it can send EXTEND_TIMEOUT_USEC=… to + extended the abort time beyond TimeoutAbortSec=. The first receipt of this message + must occur before TimeoutAbortSec= is exceeded, and once the abort time has exended beyond + TimeoutAbortSec=, the service manager will allow the service to continue to abort, provided + the service repeats EXTEND_TIMEOUT_USEC=… within the interval specified, or terminates itself + (see sd_notify3). + + + TimeoutSec= A shorthand for configuring both -- cgit v1.2.3 From 967de8faceaa83c11a1215515cb135d7a8c0c32c Mon Sep 17 00:00:00 2001 From: Florian Dollinger Date: Sun, 14 Apr 2019 14:26:39 +0200 Subject: Document (final) assignment on the RUN (#12310) As described in #12291, final assignments and assignments are clearing both command types. --- man/udev.xml | 2 ++ 1 file changed, 2 insertions(+) (limited to 'man') 
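Review bot: typos in the TimeoutAbortSec= hunk of systemd.service.xml: "fall back TimeoutStopSec=" should be "fall back to TimeoutStopSec=", "to extended the abort time" should be "to extend the abort time", and "has exended beyond" should be "has extended beyond". One substantive point: the text says the option applies "when it was aborted due to a watchdog timeout", while the commit message talks about stopping a service via SIGABRT in general; please state whether the timeout also applies to an abort requested explicitly (for example with systemctl kill -s ABRT) or only to the watchdog path, since operators collecting core dumps will hit both.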
diff --git a/man/udev.xml b/man/udev.xml index 5a78be3208..98d17bbb54 100644 --- a/man/udev.xml +++ b/man/udev.xml @@ -437,6 +437,8 @@ Note that running programs that access the network or mount/unmount filesystems is not allowed inside of udev rules, due to the default sandbox that is enforced on systemd-udevd.service. + Please also note that := and = are clearing + both, program and builtin commands. -- cgit v1.2.3 From d5c8d8233c2efbbd1e600d1a683ea04cd36cbac8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 21 Apr 2019 22:23:45 +0200 Subject: busctl: add introspect --xml-interface This wraps the call to org.freedesktop.DBus.Introspectable.Introspect. Using "busctl call" directly is inconvenient because busctl escapes the string before printing. Example: $ busctl introspect --xml org.freedesktop.systemd1 /org/freedesktop/systemd1 | pygmentize -lxml | less -RF --- man/busctl.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'man') diff --git a/man/busctl.xml b/man/busctl.xml index e4c7fcb283..328c101622 100644 --- a/man/busctl.xml +++ b/man/busctl.xml @@ -140,6 +140,16 @@ + + + + + When used with the introspect call, dump the XML description received from + the D-Bus org.freedesktop.DBus.Introspectable.Introspect call instead of the + normal output. + + + MODE -- cgit v1.2.3 From afb9c0c95817e687d27b9fa21d4e7db6075c583d Mon Sep 17 00:00:00 2001 
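Review bot: the sentence added to udev.xml, "Please also note that := and = are clearing both, program and builtin commands", is hard to parse; it should say what is cleared and by which operators, for example "Note that both the := and = assignment operators to RUN clear the list of previously queued commands, program and builtin alike", assuming that is the behaviour #12291 describes.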
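Review bot: the busctl.xml hunk adds the option description but the option name itself (the subject says --xml-interface) does not appear in the text as rendered here; please verify the term element carries the full name. The commit message's example invokes "busctl introspect --xml", so either document that abbreviated long options are accepted or use the full spelling in the example.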
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 21 Apr 2019 22:39:30 +0200 Subject: man: document sd_bus_add_{object,fallback}_vtable The interface provided by those two functions is huge, so this text could probably be made two or three times as long if all details were described. But I think it's a good start. --- man/rules/meson.build | 15 ++ man/sd-bus.xml | 1 + man/sd_bus_add_object_vtable.xml | 473 +++++++++++++++++++++++++++++++++++++++ man/vtable-example.c | 70 ++++++ man/vtable-example.xml | 54 +++++ 5 files changed, 613 insertions(+) create mode 100644 man/sd_bus_add_object_vtable.xml create mode 100644 man/vtable-example.c create mode 100644 man/vtable-example.xml (limited to 'man') diff --git a/man/rules/meson.build b/man/rules/meson.build index 9674cbb30b..6894158466 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -115,6 +115,21 @@ manpages = [ 'sd_bus_match_signal', 'sd_bus_match_signal_async'], ''], + ['sd_bus_add_object_vtable', + '3', + ['SD_BUS_METHOD', + 'SD_BUS_METHOD_WITH_NAMES', + 'SD_BUS_METHOD_WITH_NAMES_OFFSET', + 'SD_BUS_METHOD_WITH_OFFSET', + 'SD_BUS_PARAM', + 'SD_BUS_PROPERTY', + 'SD_BUS_SIGNAL', + 'SD_BUS_SIGNAL_WITH_NAMES', + 'SD_BUS_VTABLE_END', + 'SD_BUS_VTABLE_START', + 'SD_BUS_WRITABLE_PROPERTY', + 'sd_bus_add_fallback_vtable'], + ''], ['sd_bus_attach_event', '3', ['sd_bus_detach_event', 'sd_bus_get_event'], ''], ['sd_bus_close', '3', ['sd_bus_flush'], ''], ['sd_bus_creds_get_pid', diff --git a/man/sd-bus.xml b/man/sd-bus.xml index 6c925e3161..e9a66d87dd 100644 --- a/man/sd-bus.xml +++ b/man/sd-bus.xml @@ -41,6 +41,7 @@ See sd_bus_add_match3, +sd_bus_add_object_vtable3, sd_bus_attach_event3, sd_bus_creds_get_pid3, sd_bus_creds_new_from_pid3, diff --git a/man/sd_bus_add_object_vtable.xml b/man/sd_bus_add_object_vtable.xml new file mode 100644 index 0000000000..92be236afd --- /dev/null +++ b/man/sd_bus_add_object_vtable.xml 
@@ -0,0 +1,473 @@ + + + + + + + + sd_bus_add_object_vtable + systemd + + + + sd_bus_add_object_vtable + 3 + + + + sd_bus_add_object_vtable + sd_bus_add_fallback_vtable + SD_BUS_VTABLE_START + SD_BUS_VTABLE_END + SD_BUS_METHOD_WITH_NAMES_OFFSET + SD_BUS_METHOD_WITH_NAMES + SD_BUS_METHOD_WITH_OFFSET + SD_BUS_METHOD + SD_BUS_SIGNAL_WITH_NAMES + SD_BUS_SIGNAL + SD_BUS_WRITABLE_PROPERTY + SD_BUS_PROPERTY + SD_BUS_PARAM + + Declare properties and methods for a D-Bus path + + + + + #include <systemd/sd-bus-vtable.h> + + + typedef int (*sd_bus_message_handler_t) + sd_bus_message *m + void *userdata + sd_bus_error *ret_error + + + + typedef int (*sd_bus_property_get_t) + sd_bus *bus + const char *path + const char *interface + const char *property + sd_bus_message *reply + void *userdata + sd_bus_error *ret_error + + + + typedef int (*sd_bus_property_set_t) + sd_bus *bus + const char *path + const char *interface + const char *property + sd_bus_message *value + void *userdata + sd_bus_error *ret_error + + + + typedef int (*sd_bus_object_find_t) + const char *path + const char *interface + void *userdata + void **ret_found + sd_bus_error *ret_error + + + + int sd_bus_add_object_vtable + sd_bus *bus + sd_bus_slot **slot + const char *path + const char *interface + const sd_bus_vtable *vtable + void *userdata + + + + int sd_bus_add_fallback_vtable + sd_bus *bus + sd_bus_slot **slot + const char *prefix + const char *interface + const sd_bus_vtable *vtable + sd_bus_object_find_t find + void *userdata + + + + SD_BUS_VTABLE_START(flags) + + + SD_BUS_VTABLE_END + + + SD_BUS_METHOD_WITH_NAMES_OFFSET( + member, + signature, + in_names, + result, + out_names, + handler, + offset, + flags) + + + + SD_BUS_METHOD_WITH_NAMES( + member, + signature, + in_names, + result, + out_names, + handler, + flags) + + + + SD_BUS_METHOD_WITH_OFFSET( + member, + signature, + result, + handler, + offset, + flags) + + + + SD_BUS_METHOD( + member, + signature, + result, + handler, + flags) + + + + 
SD_BUS_SIGNAL_WITH_NAMES( + member, + signature, + names, + flags) + + + + SD_BUS_SIGNAL( + member, + signature, + flags) + + + + SD_BUS_WRITABLE_PROPERTY( + member, + signature, + get, + set, + offset, + flags) + + + + SD_BUS_PROPERTY( + member, + signature, + get, + offset, + flags) + + + + SD_BUS_PARAM(name) + + + + + + Description + + sd_bus_add_object_vtable() is used to declare attributes for the path object + path path connected to the bus connection bus under the + interface interface. The table vtable may contain property + declarations using SD_BUS_PROPERTY() or + SD_BUS_WRITABLE_PROPERTY(), method declarations using + SD_BUS_METHOD(), SD_BUS_METHOD_WITH_NAMES(), + SD_BUS_METHOD_WITH_OFFSET(), or + SD_BUS_METHOD_WITH_NAMES_OFFSET(), and signal declarations using + SD_BUS_SIGNAL_WITH_NAMES() or SD_BUS_SIGNAL(), see below. The + userdata parameter contains a pointer that will be passed to various callback + functions. It may be specified as NULL if no value is necessary. + + sd_bus_add_object_vtable() is similar to + sd_bus_add_object_vtable(), but is used to register "fallback" attributes. When + looking for an attribute declaration, bus object paths registered with + sd_bus_add_object_vtable() are checked first. If no match is found, the fallback + vtables are checked for each prefix of the bus object path, i.e. with the last slash-separated components + successively removed. This allows the vtable to be used for an arbitrary number of dynamically created + objects. + + Parameter find is a function which is used to locate the target object + based on the bus object path path. It must return 1 and + set the ret_found output parameter if the object is found, return + 0 if the object was not found, and return a negative errno-style error code or + initialize the error structure ret_error on error. 
The pointer passed in + ret_found will be used as the userdata parameter for the + callback functions (offset by the offset offsets as specified in the vtable + entries). + + For both functions, a match slot is created internally. If the output parameter + slot is NULL, a "floating" slot object is created, see + sd_bus_slot_set_floating3. + Otherwise, a pointer to the slot object is returned. In that case, the reference to the slot object + should be dropped when the vtable is not needed anymore, see + sd_bus_slot_unref3. + + + + The <structname>sd_bus_vtable</structname> array + + The array consists of the structures of type sd_bus_vtable, but it + should never be filled in manually, but through one of the following macros: + + + + SD_BUS_VTABLE_START() + SD_BUS_VTABLE_END + + Those must always be the first and last element. + + + + SD_BUS_METHOD_WITH_NAMES_OFFSET() + SD_BUS_METHOD_WITH_NAMES() + SD_BUS_METHOD_WITH_OFFSET() + SD_BUS_METHOD() + + Declare a D-Bus method with the name member, parameter + signature signature, result signature result. + Parameters in_names and out_names specify the + argument names of the input and output arguments in the function signature. The handler function + handler must be of type sd_bus_message_handler_t. + It will be called to handle the incoming messages that call this method. It receives a pointer that + is the userdata parameter passed to the registration function offset by + offset bytes. This may be used to pass pointers to different fields in + the same data structure to different methods in the same + vtable. in_names and out_names should be + created using the SD_BUS_PARAM() macro, see below. Parameter + flags is a combination of flags, see below. + + SD_BUS_METHOD_WITH_NAMES(), + SD_BUS_METHOD_WITH_OFFSET(), and SD_BUS_METHOD() are + variants which specify zero offset (userdata parameter is passed with + no change), leave the names unset (i.e. no parameter names), or both. 
+ + + + + SD_BUS_SIGNAL_WITH_NAMES() + SD_BUS_SIGNAL() + + Declare a D-Bus signal with the name member, + parameter signature signature, and argument names + names. names should be + created using the SD_BUS_PARAM() macro, see below. + Parameter flags is a combination of flags, see below. + + + Equivalent to SD_BUS_SIGNAL_WITH_NAMES() with the + names paramater unset (i.e. no parameter names). + + + + + SD_BUS_WRITABLE_PROPERTY() + SD_BUS_PROPERTY() + + Declare a D-Bus property with the name member and value + signature signature. Parameters get and + set are the getter and setter methods. They are called with a pointer + that is the userdata parameter passed to the registration function + offset by offset bytes. This may be used pass pointers to different + fields in the same data structure to different setters and getters in the same vtable. Parameter + flags is a combination of flags, see below. + + The setter and getter methods may be omitted (specified as NULL), if the + property has one of the basic types or as in case of read-only properties. In + those cases, the userdata and offset + parameters must together point to valid variable of the corresponding type. A default setter and + getters will be provided, which simply copy the argument between this variable and the message. + + + SD_BUS_PROPERTY() is used to define a read-only property. + + + + + SD_BUS_PARAM() + Parameter names should be wrapped in this macro, see the example below. + + + + + + + Flags + + The flags parameter is used to specify a combination of + D-Bus annotations. + + + + + SD_BUS_VTABLE_DEPRECATED + + Mark this vtable entry as deprecated using the + org.freedesktop.DBus.Deprecated annotation in introspection data. If + specified for SD_BUS_VTABLE_START(), the annotation is applied to the + enclosing interface. + + + + SD_BUS_VTABLE_HIDDEN + + Make this vtable entry hidden. It will not be shown in introspection data. 
If + specified for SD_BUS_VTABLE_START(), all entries in the array are hidden. + + + + + + SD_BUS_VTABLE_UNPRIVILEGED + + Mark this vtable entry as unprivileged. If not specified, the + org.freedesktop.systemd1.Privileged annotation with value + true will be shown in introspection data. + + + + + SD_BUS_VTABLE_METHOD_NO_REPLY + + Mark his vtable entry as a method that will not return a reply using the + org.freedesktop.DBus.Method.NoReply annotation in introspection data. + + + + + SD_BUS_VTABLE_CONST + SD_BUS_VTABLE_EMITS_CHANGE + SD_BUS_VTABLE_EMITS_INVALIDATION + + Those three flags correspond to different values of the + org.freedesktop.DBus.Property.EmitsChangedSignal annotation, which specifies + whether the org.freedesktop.DBus.Properties.PropertiesChanged signal is + emitted whenever the property changes. SD_BUS_VTABLE_CONST corresponds to + const and means that the property never changes during the lifetime of the + object it belongs to, so no signal needs to be emitted. + SD_BUS_VTABLE_EMITS_CHANGE corresponds to true and means + that the signal is emitted. SD_BUS_VTABLE_EMITS_INVALIDATION corresponds to + invalides and means that the signal is emitted, but the value is not included + in the signal. + + + + + SD_BUS_VTABLE_PROPERTY_EXPLICIT + + Mark this vtable property entry as requiring explicit request to for the value to + be shown (generally because the value is large or slow to calculate). This entry cannot be combined + with SD_BUS_VTABLE_EMITS_CHANGE, and will not be shown in property listings by + default (e.g. busctl introspect). This corresponds to the + org.freedesktop.systemd1.Explicit annotation in introspection data. + + + + + + + + Examples + + + Create a simple listener on the bus + + + + This creates a simple client on the bus (the user bus, when run as normal user). 
+ We may use the D-Bus org.freedesktop.DBus.Introspectable.Introspect + call to acquire the XML description of the interface: + + + + + + + Return Value + + On success, sd_bus_add_object_vtable and + sd_bus_add_fallback_vtable calls return 0 or a positive integer. On failure, they + return a negative errno-style error code. + + + Errors + + Returned errors may indicate the following problems: + + + + -EINVAL + + One of the required parameters is NULL or invalid. A reserved + D-Bus interface was passed as the interface parameter. + + + + -ENOPKG + + The bus cannot be resolved. + + + + -ECHILD + + The bus was created in a different process. + + + + -ENOMEM + + Memory allocation failed. + + + + -EPROTOTYPE + + sd_bus_add_object_vtable and + sd_bus_add_fallback_vtable have been both called + for the same bus object path, which is not allowed. + + + + -EEXIST + + This vtable has already been registered for this + interface and path. + + + + + + + + + + See Also + + + sd-bus3, + busctl1 + + + diff --git a/man/vtable-example.c b/man/vtable-example.c new file mode 100644 index 0000000000..a2a6cd18d7 --- /dev/null +++ b/man/vtable-example.c 
@@ -0,0 +1,70 @@ +#include +#include +#include +#include +#include +#include + +#define _cleanup_(f) __attribute__((cleanup(f))) + +typedef struct object { + char *name; + uint32_t number; +} object; + +static int method(sd_bus_message *m, void *userdata, sd_bus_error *error) { + printf("Got called with userdata=%p\n", userdata); + return 1; +} + +static const sd_bus_vtable vtable[] = { + SD_BUS_VTABLE_START(0), + SD_BUS_METHOD( + "Method1", "s", "s", method, 0), + SD_BUS_METHOD_WITH_NAMES_OFFSET( + "Method2", + "so", SD_BUS_PARAM(string) SD_BUS_PARAM(path), + "s", SD_BUS_PARAM(returnstring), + method, offsetof(object, number), + SD_BUS_VTABLE_DEPRECATED), + SD_BUS_WRITABLE_PROPERTY( + "AutomaticStringProperty", "s", NULL, NULL, + offsetof(object, name), + SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE), + SD_BUS_WRITABLE_PROPERTY( + "AutomaticIntegerProperty", "u", NULL, NULL, + offsetof(object, number), + SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION), + SD_BUS_VTABLE_END +}; + +#define check(x) ({ \ + int r = x; \ + errno = r < 0 ? -r : 0; \ + printf(#x ": %m\n"); \ + if (r < 0) \ + return EXIT_FAILURE; \ + }) + +int main(int argc, char **argv) { + _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; + + sd_bus_default(&bus); + + object object = { .number = 666 }; + check((object.name = strdup("name")) != NULL); + + check(sd_bus_add_object_vtable(bus, NULL, "/object", + "org.freedesktop.systemd.VtableExample", + vtable, + &object)); + + while (true) { + check(sd_bus_wait(bus, UINT64_MAX)); + check(sd_bus_process(bus, NULL)); + } + + free(object.name); + + return 0; +} diff --git a/man/vtable-example.xml b/man/vtable-example.xml new file mode 100644 index 0000000000..a3cdeae704 --- /dev/null +++ b/man/vtable-example.xml @@ -0,0 +1,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + -- cgit v1.2.3 From 99b43caf26787ac9376e10c14f6a5bcf056f900c Mon Sep 17 00:00:00 2001 
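Review bot: the flag names in the Flags list of the sd_bus_add_object_vtable.xml hunk do not match the ones the vtable-example.c hunk of this same commit uses: the text documents SD_BUS_VTABLE_CONST, SD_BUS_VTABLE_EMITS_CHANGE and SD_BUS_VTABLE_EMITS_INVALIDATION, while the example passes SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE and SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION, so one of the two has to be corrected before readers copy the documented names. The same hunk has several wording slips to fix before merging: "Mark his vtable entry" in the SD_BUS_VTABLE_METHOD_NO_REPLY entry should read "Mark this vtable entry", "corresponds to invalides" should name the annotation value "invalidates", "This may be used pass pointers" in the SD_BUS_WRITABLE_PROPERTY() entry is missing "to", "requiring explicit request to for the value to be shown" has a stray "to", and "names paramater" misspells "parameter".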
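Review bot: in the vtable-example.c hunk the check() macro treats only negative values as failure, so `check((object.name = strdup("name")) != NULL)` can never fail: a NULL result makes the comparison evaluate to 0, errno is set to 0, "%m" prints "Success" and execution continues with a NULL name. Test the pointer directly (`if (!object.name) return EXIT_FAILURE;`) or make the expression yield a negative errno-style value. `sd_bus_default(&bus)` is the one call not wrapped in check(), so a failed connection leaves bus NULL and the error only surfaces at sd_bus_add_object_vtable(); wrap it like the others. The `free(object.name)` after the `while (true)` loop is unreachable, since the loop only exits through the macro's `return EXIT_FAILURE`. Finally, method() prints and returns 1 without sending any reply although both Method1 and Method2 declare a result signature "s"; for a documentation example, a minimal sd_bus_reply_method_return() call would show the pattern readers are expected to follow.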
From: =?UTF-8?q?Jan=20Kl=C3=B6tzke?= Date: Wed, 7 Mar 2018 14:16:49 +0100 Subject: core: immediately trigger watchdog action on WATCHDOG=trigger A service might be able to detect errors by itself that may require the system to take the same action as if the service locked up. Add a WATCHDOG=trigger state change notification to sd_notify() to let the service manager know about the self-detected misery and instantly trigger the configured watchdog behaviour. --- man/sd_notify.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'man') diff --git a/man/sd_notify.xml b/man/sd_notify.xml index 0084bf3882..00640cb290 100644 --- a/man/sd_notify.xml +++ b/man/sd_notify.xml @@ -173,6 +173,18 @@ watchdog is enabled. + + WATCHDOG=trigger + + Tells the service manager that the service detected an internal error that should be handled by + the configured watchdog options. This will trigger the same behaviour as if WatchdogSec= is + enabled and the service did not send WATCHDOG=1 in time. Note that + WatchdogSec= does not need to be enabled for WATCHDOG=trigger to trigger + the watchdog action. See + systemd.service5 for + information about the watchdog behavior. + + WATCHDOG_USEC=… -- cgit v1.2.3 From db8d154dc4bffd736cf6526b3c04f36f8eb5a5e0 Mon Sep 17 00:00:00 2001 
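Review bot: the new WATCHDOG=trigger entry in the sd_notify.xml hunk should say which processes may send it, because the message forces the configured watchdog action (the service is killed and, depending on its unit settings, restarted) without any timeout having expired; the sender restriction is whatever NotifyAccess= permits for the unit, and a cross-reference to that setting would make the security implication explicit. Also, "as if WatchdogSec= is enabled and the service did not send WATCHDOG=1 in time" should read "as if WatchdogSec= were enabled", and the paragraph mixes "behaviour" and "behavior".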
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 23 Apr 2019 10:28:38 +0200 Subject: man: describe interaction with ProtectHome=/InaccessiblePaths= in BindMount= https://github.com/systemd/systemd/issues/7153#issuecomment-485252308 Apparently this is still confusing for people. Longer-term, I think we should just make BindMount= automatically "upgrade" (or "downgrade", depending on how you look at this), any InaccessiblePath= mountpoints to "tmpfs". I don't see much point in forcing users to remember this interaction. But let's at least document the status quo, we can always update the docs if the code changes. --- man/systemd.exec.xml | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index df1e1e8681..b69691b3c4 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -180,6 +180,13 @@ is used. In this case the source path refers to a path on the host file system, while the destination path refers to a path below the root directory of the unit. + Note that the destination directory must exist or systemd must be able to create it. Thus, it + is not possible to use those options for mount points nested underneath paths specified in + InaccessiblePaths=, or under /home/ and other protected + directories if ProtectHome=yes is + specified. TemporaryFileSystem= with :ro or + ProtectHome=tmpfs should be used instead. + 
@@ -822,23 +829,25 @@ CapabilityBoundingSet=~CAP_B CAP_C ProtectHome= Takes a boolean argument or the special values read-only or - tmpfs. If true, the directories /home, /root and - /run/user are made inaccessible and empty for processes invoked by this unit. If set to - read-only, the three directories are made read-only instead. If set to tmpfs, - temporary file systems are mounted on the three directories in read-only mode. The value tmpfs - is useful to hide home directories not relevant to the processes invoked by the unit, while necessary directories - are still visible by combining with BindPaths= or BindReadOnlyPaths=. + tmpfs. If true, the directories /home, + /root, and /run/user are made inaccessible and empty for + processes invoked by this unit. If set to read-only, the three directories are + made read-only instead. If set to tmpfs, temporary file systems are mounted on the + three directories in read-only mode. The value tmpfs is useful to hide home + directories not relevant to the processes invoked by the unit, while still allowing necessary + directories to be made visible when listed in BindPaths= or + BindReadOnlyPaths=. Setting this to yes is mostly equivalent to set the three directories in InaccessiblePaths=. Similarly, read-only is mostly equivalent to ReadOnlyPaths=, and tmpfs is mostly equivalent to - TemporaryFileSystem=. + TemporaryFileSystem= with :ro. - It is recommended to enable this setting for all long-running services (in particular network-facing - ones), to ensure they cannot get access to private user data, unless the services actually require access to - the user's private data. This setting is implied if DynamicUser= is set. This setting cannot - ensure protection in all cases. In general it has the same limitations as ReadOnlyPaths=, - see below. 
+ It is recommended to enable this setting for all long-running services (in particular + network-facing ones), to ensure they cannot get access to private user data, unless the services + actually require access to the user's private data. This setting is implied if + DynamicUser= is set. This setting cannot ensure protection in all cases. In + general it has the same limitations as ReadOnlyPaths=, see below. @@ -1053,7 +1062,7 @@ StateDirectory=aaa/bbb ccc This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary files or directories can be still accessed by combining with BindPaths= or - BindReadOnlyPaths=. See the example below. + BindReadOnlyPaths=: Example: if a unit has the following, TemporaryFileSystem=/var:ro -- cgit v1.2.3 From 84ea567eb4326eb970a33188649fde6bea2a0d4e Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 20 Apr 2019 14:40:24 +0200 Subject: udev,network: warn when .link or .network file has no [Match] section Closes #12098. --- man/systemd.link.xml | 9 +++++++-- man/systemd.network.xml | 10 +++++++--- 2 files changed, 14 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemd.link.xml b/man/systemd.link.xml index af9799e8c0..ea744bd251 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml @@ -60,8 +60,13 @@ [Match] Section Options - A link file is said to match a device if each of the entries in the [Match] section matches, or if - the section is empty. The following keys are accepted: + A link file is said to match a device if all matches specified by the + [Match] section are satisfied. When a link file does not contain valid settings + in [Match] section, then the file will match all devices and + systemd-udevd warns about that. Hint: to avoid the warning and to make it clear + that all interfaces shall be matched, add the following: + OriginalName=* + The following keys are accepted: 
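Review bot: the new paragraph in the @@ -180 hunk of systemd.exec.xml says it "is not possible" to use BindPaths=/BindReadOnlyPaths= for mount points nested under InaccessiblePaths= or under /home/ with ProtectHome=yes, but not what the user will observe: state whether the unit fails to start or the mount is skipped, so the failure can be recognized from the logs. "must exist or systemd must be able to create it" should also say directly that the directory cannot be created on top of the inaccessible mount, since that is the reason the combination fails.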
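Review bot: in the ProtectHome= hunk (@@ -822) the unchanged context line "Setting this to yes is mostly equivalent to set the three directories in InaccessiblePaths=" should read "equivalent to setting" while the surrounding paragraph is being rewritten anyway; and now that the hunk states tmpfs is "mostly equivalent to TemporaryFileSystem= with :ro", the rewritten sentence about combining with BindPaths= or BindReadOnlyPaths= and the new paragraph in the @@ -180 hunk describe the same interaction twice with slightly different wording, so one should cross-reference the other.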
diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 2d8eeee88f..be982cbb1a 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -77,9 +77,13 @@ is applied, all later files are ignored, even if they match as well. - A network file is said to match a device if each of the - entries in the [Match] section matches, or if - the section is empty. The following keys are accepted: + A network file is said to match a network interface if all matches specified by the + [Match] section are satisfied. When a network file does not contain valid + settings in [Match] section, then the file will match all interfaces and + systemd-networkd warns about that. Hint: to avoid the warning and to make it + clear that all interfaces shall be matched, add the following: + Name=* + The following keys are accepted: -- cgit v1.2.3 From 6e9d2465923f8b3577cd7cfc7ef886808ded8122 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Rosen?= Date: Fri, 26 Apr 2019 00:49:57 +0200 Subject: Document /etc/initrd-release When systemd is started, it detects initrd by checking for that file The usage of that file is not documented anywhere, so mention it early in the most relevant man-page I could find. --- man/bootup.xml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/bootup.xml b/man/bootup.xml index 9468a61319..d371523400 100644 --- a/man/bootup.xml +++ b/man/bootup.xml @@ -156,7 +156,9 @@ using systemd as well. In this case, boot up inside the initrd follows the following structure. - The default target in the initrd is + systemd detects that it is run within an initrd by checking + for the file /etc/initrd-release. + The default target in the initrd is initrd.target. The bootup process begins identical to the system manager bootup (see above) until it reaches basic.target. From there, systemd -- cgit v1.2.3 From 90fb1f09386fd5d9e06ae8d589825bb3f5cd7777 Mon Sep 17 00:00:00 2001 
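Review bot: "does not contain valid settings in [Match] section" in the systemd.network.xml hunk (and the identical wording in the systemd.link.xml hunk above) needs "the [Match] section", and "valid settings" is ambiguous: it is unclear whether a [Match] section whose only entries failed to parse (a malformed MACAddress= value, say) is treated the same as a missing section. That is the case that matters, because a typo in a match key would then apply the file to every interface with nothing but a warning; please say explicitly that a file with no [Match] section matches everything and what happens to a file whose match entries were all rejected. The "Hint:" sentence is also an unusual register for this page and could be folded into the preceding sentence.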
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 26 Apr 2019 14:13:53 +0200 Subject: basic/virt: treat "podman" as separate container type We would detect podman as container-other. Let's assign a name to it. Inspired by https://github.com/containers/libpod/issues/2996. --- man/systemd-detect-virt.xml | 9 +++++++-- man/systemd.unit.xml | 1 + 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml index 28d997cfa9..d599ac20f1 100644 --- a/man/systemd-detect-virt.xml +++ b/man/systemd-detect-virt.xml @@ -62,7 +62,7 @@ - VM + VM qemu QEMU software virtualization, without KVM @@ -128,7 +128,7 @@ - Container + Container openvz OpenVZ/Virtuozzo @@ -153,6 +153,11 @@ Docker container manager + + podman + Podman container manager + + rkt rkt app container runtime diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 81a02253ed..7562c9f324 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -1089,6 +1089,7 @@ lxc-libvirt, systemd-nspawn, docker, + podman, rkt, wsl, acrn to test -- cgit v1.2.3 From 5238e9575906297608ff802a27e2ff9effa3b338 Mon Sep 17 00:00:00 2001 
From: Ben Boeckel Date: Fri, 26 Apr 2019 20:22:40 -0400 Subject: codespell: fix spelling errors --- man/resolvectl.xml | 2 +- man/sd_bus_add_object_vtable.xml | 2 +- man/sd_bus_close.xml | 2 +- man/sd_bus_message_new_method_error.xml | 2 +- man/sd_bus_message_rewind.xml | 4 ++-- man/sd_bus_message_verify_type.xml | 2 +- man/systemd-analyze.xml | 2 +- man/systemd-boot.xml | 2 +- man/systemd-gpt-auto-generator.xml | 2 +- man/systemd-networkd-wait-online.service.xml | 2 +- man/systemd-resolved.service.xml | 2 +- man/systemd-udev-settle.service.xml | 2 +- man/systemd.exec.xml | 4 ++-- man/systemd.mount.xml | 2 +- man/systemd.netdev.xml | 4 ++-- man/systemd.network.xml | 6 +++--- man/systemd.nspawn.xml | 2 +- man/systemd.swap.xml | 2 +- man/systemd.timer.xml | 2 +- man/systemd.unit.xml | 6 +++--- man/user-system-options.xml | 2 +- 21 files changed, 28 insertions(+), 28 deletions(-) (limited to 'man') diff --git a/man/resolvectl.xml b/man/resolvectl.xml index f986e98ba3..d4c04a1e32 100644 --- a/man/resolvectl.xml +++ b/man/resolvectl.xml @@ -255,7 +255,7 @@ through external means. The command expects IPv4 or IPv6 address specifications of DNS servers to use. The command expects valid DNS domains, possibly prefixed with ~, and configures a per-interface search or route-only domain. The - command expects a boolean paremeter, and configures whether the link may be + command expects a boolean parameter, and configures whether the link may be used as default route for DNS lookups, i.e. if it is suitable for lookups on domains no other link explicitly is configured for. The , , and commands may be used to configure the per-interface LLMNR, MulticastDNS, DNSSEC diff --git a/man/sd_bus_add_object_vtable.xml b/man/sd_bus_add_object_vtable.xml index 92be236afd..6cbb84e7ff 100644 --- a/man/sd_bus_add_object_vtable.xml +++ b/man/sd_bus_add_object_vtable.xml 
@@ -277,7 +277,7 @@ Equivalent to SD_BUS_SIGNAL_WITH_NAMES() with the - names paramater unset (i.e. no parameter names). + names parameter unset (i.e. no parameter names). diff --git a/man/sd_bus_close.xml b/man/sd_bus_close.xml index b09f488874..d81c593878 100644 --- a/man/sd_bus_close.xml +++ b/man/sd_bus_close.xml @@ -44,7 +44,7 @@ sd_bus_close() disconnects the specified bus connection. When this call is invoked and the specified bus object refers to an active connection it is immediately terminated. No further messages may be - sent or receieved on it. Any messages queued in the bus object (both incoming and outgoing) are released. If + sent or received on it. Any messages queued in the bus object (both incoming and outgoing) are released. If invoked on NULL bus object or when the bus connection is already closed this function executes no operation. This call does not free or unreference the bus object itself. Use sd_bus_unref3 for that. diff --git a/man/sd_bus_message_new_method_error.xml b/man/sd_bus_message_new_method_error.xml index 27cec8ed01..0c471c534f 100644 --- a/man/sd_bus_message_new_method_error.xml +++ b/man/sd_bus_message_new_method_error.xml @@ -116,7 +116,7 @@ project='man-pages'>printf3 format string format and corresponding arguments. %m may be used in the format string to refer to the error - string corresponding to the specified errno code. The error message is initalized + string corresponding to the specified errno code. The error message is initialized using the error identifier generated from error and the formatted string. (If error is zero, no error is actually set, and an error reply with no information is created.) diff --git a/man/sd_bus_message_rewind.xml b/man/sd_bus_message_rewind.xml index aa8aea987b..cbfa2511d2 100644 --- a/man/sd_bus_message_rewind.xml +++ b/man/sd_bus_message_rewind.xml 
@@ -19,7 +19,7 @@ sd_bus_message_rewind - Return to begining of message or current container + Return to beginning of message or current container @@ -38,7 +38,7 @@ Description sd_bus_message_rewind() moves the "read pointer" in the message - m to either the begining of the message (if + m to either the beginning of the message (if complete is true) or to the beginning of the currently open container. If no container is open, complete has no effect. diff --git a/man/sd_bus_message_verify_type.xml b/man/sd_bus_message_verify_type.xml index c3230e5833..e03a253885 100644 --- a/man/sd_bus_message_verify_type.xml +++ b/man/sd_bus_message_verify_type.xml @@ -70,7 +70,7 @@ m or both type and contents are NULL. - Arguments do not satisfy other contraints listed above. + Arguments do not satisfy other constraints listed above. diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index f559b858f9..abc05e9303 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -337,7 +337,7 @@ $ eog targets.svg Note that this verb prints the list that is compiled into systemd-analyze - itself, and does not comunicate with the running manager. Use + itself, and does not communicate with the running manager. Use systemctl [--user] [--global] show -p UnitPath --value to retrieve the actual list that the manager uses, with any empty directories omitted. diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml index 3b1319687f..2575ab3fe5 100644 --- a/man/systemd-boot.xml +++ b/man/systemd-boot.xml 
@@ -357,7 +357,7 @@ systemd-boot implements a simple boot counting mechanism on top of the Boot Loader Specification, for automatic and unattended - fallback to older kernel versions/boot loader entries when a specific entry continously fails. Any boot loader + fallback to older kernel versions/boot loader entries when a specific entry continuously fails. Any boot loader entry file and unified kernel image file that contains a + followed by one or two numbers (if two they need to be separated by a -), before the .conf or .efi suffix is subject to boot counting: the first of the two numbers ('tries left') is diff --git a/man/systemd-gpt-auto-generator.xml b/man/systemd-gpt-auto-generator.xml index 0d6d4e307e..d94d6ac715 100644 --- a/man/systemd-gpt-auto-generator.xml +++ b/man/systemd-gpt-auto-generator.xml @@ -234,7 +234,7 @@ root= When used with the special value gpt-auto, automatic discovery of - the root parition based on the GPT partition type is enabled. Any other value disables this + the root partition based on the GPT partition type is enabled. Any other value disables this generator. diff --git a/man/systemd-networkd-wait-online.service.xml b/man/systemd-networkd-wait-online.service.xml index 7c82f68fb3..51b865dc0b 100644 --- a/man/systemd-networkd-wait-online.service.xml +++ b/man/systemd-networkd-wait-online.service.xml @@ -55,7 +55,7 @@ one is necessary to access some network resources. When used, all other interfaces are ignored. This option may be used more than once to wait for multiple network interfaces. When this option is specified multiple times, then systemd-networkd-wait-online waits - for all specified interfaces to be online. Optinally, required minimum operational state can be + for all specified interfaces to be online. Optionally, required minimum operational state can be specified after a colon :. Please see networkctl1 for possible operational states. If the operational state is not specified here, then 
diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml index 807c3238b8..53c46a1018 100644 --- a/man/systemd-resolved.service.xml +++ b/man/systemd-resolved.service.xml @@ -163,7 +163,7 @@ Otherwise the query is failed as no suitable DNS servers could be determined. - The "DNS default route" option is a boolean setting configureable with resolvectl or in + The "DNS default route" option is a boolean setting configurable with resolvectl or in .network files. If not set, it is implicitly determined based on the configured DNS domains for a link: if there's any route-only domain (not matching ~.) it defaults to false, otherwise to true. diff --git a/man/systemd-udev-settle.service.xml b/man/systemd-udev-settle.service.xml index 6fbd99111f..3698bfaf19 100644 --- a/man/systemd-udev-settle.service.xml +++ b/man/systemd-udev-settle.service.xml @@ -33,7 +33,7 @@ Using this service is not recommended. There can be no guarantee that hardware is fully discovered at any specific time, because the kernel does hardware detection asynchronously, and - certain busses and devices take a very long time to become ready, and also additional hardware may be + certain buses and devices take a very long time to become ready, and also additional hardware may be plugged in at any time. Instead, services should subscribe to udev events and react to any new hardware as it is discovered. Services that, based on configuration, expect certain devices to appear, may warn or report failure after a timeout. This timeout should be tailored to the hardware type. Waiting for diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index b69691b3c4..719c2c5ff3 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1304,7 +1304,7 @@ BindReadOnlyPaths=/var/lib/systemd running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting User=nobody), NoNewPrivileges=yes is implied. By default, no restrictions apply, all address families are accessible to processes. If assigned the empty string, any - previous address familiy restriction changes are undone. This setting does not affect commands prefixed with + previous address family restriction changes are undone. This setting does not affect commands prefixed with +. Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive @@ -1928,7 +1928,7 @@ SystemCallErrorNumber=EPERM Note that services which specify and use StandardInput= or StandardOutput= with //, should specify - , to make sure that the tty intialization is + , to make sure that the tty initialization is finished before they start. diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml index d0ccd39e38..022e227e83 100644 --- a/man/systemd.mount.xml +++ b/man/systemd.mount.xml @@ -312,7 +312,7 @@ The file system will be initialized on the device. If the device is not "empty", i.e. it contains any signature, the operation will be skipped. It is hence expected that this option - remains set even after the device has been initalized. + remains set even after the device has been initialized. Note that this option can only be used in /etc/fstab, and will be ignored when part of the diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index a58de37b3c..b71320e20d 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml 
@@ -829,13 +829,13 @@ Name= - Specifies the name of the sesssion. This option is compulsory. + Specifies the name of the session. This option is compulsory. SessionId= - Specifies the sesssion id. The value used must match the SessionId= value being used at the peer. + Specifies the session id. The value used must match the SessionId= value being used at the peer. Ranges a number between 1 and 4294967295). This option is compulsory. diff --git a/man/systemd.network.xml b/man/systemd.network.xml index be982cbb1a..4381090d34 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -637,7 +637,7 @@ Note that if this option is enabled a userspace implementation of the IPv6 RA protocol is used, and the kernel's own implementation remains disabled, since `networkd` needs to know all details supplied in the advertisements, and these are not available from the kernel if the kernel's - own implemenation is used. + own implementation is used. @@ -1077,7 +1077,7 @@ InvertRule= - A boolean. Specifies wheather the rule to be inverted. Defaults to false. + A boolean. Specifies whether the rule to be inverted. Defaults to false. @@ -1197,7 +1197,7 @@ InitialAdvertisedReceiveWindow= - The TCP initial advertised receive window is the amount of receive data (in bytes) that can initally be buffered at one time + The TCP initial advertised receive window is the amount of receive data (in bytes) that can initially be buffered at one time on a connection. The sending host can send only that amount of data before waiting for an acknowledgment and window update from the receiving host. Takes a size in bytes between 1 and 4294967295 (2^32 - 1). The usual suffixes K, M, G are supported and are understood to the base of 1024. When unset, the kernel's default will be used. diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml index 1485a26f02..70c6ff33a6 100644 --- a/man/systemd.nspawn.xml +++ b/man/systemd.nspawn.xml 
@@ -429,7 +429,7 @@ Inaccessible= Masks the specified file or directly in the container, by over-mounting it with an empty file - node of the same type with the most restrictive access mode. Takes a file system path as arugment. This option + node of the same type with the most restrictive access mode. Takes a file system path as argument. This option may be used multiple times to mask multiple files or directories. This option is equivalent to the command line switch , see systemd-nspawn1 for details diff --git a/man/systemd.swap.xml b/man/systemd.swap.xml index 66d63503db..d2a9123b0b 100644 --- a/man/systemd.swap.xml +++ b/man/systemd.swap.xml @@ -148,7 +148,7 @@ The swap structure will be initialized on the device. If the device is not "empty", i.e. it contains any signature, the operation will be skipped. It is hence expected - that this option remains set even after the device has been initalized. + that this option remains set even after the device has been initialized. Note that this option can only be used in /etc/fstab, and will be ignored when part of the Options= setting in a unit file. diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml index 6a13e52ccf..13b9ed35d2 100644 --- a/man/systemd.timer.xml +++ b/man/systemd.timer.xml @@ -314,7 +314,7 @@ RemainAfterElapse= Takes a boolean argument. If true, an elapsed - timer will stay loaded, and its state remains queriable. If + timer will stay loaded, and its state remains queryable. If false, an elapsed timer unit that cannot elapse anymore is unloaded. Turning this off is particularly useful for transient timer units that shall disappear after they first diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 81a02253ed..fdeaef3db4 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml 
@@ -512,7 +512,7 @@ description., Reached target description., Failed to start description.), so it should be capitalized, and should - not be a full sentence or a phrase with a continous verb. Bad examples include + not be a full sentence or a phrase with a continuous verb. Bad examples include exiting the container or updating the database once per day.. @@ -886,7 +886,7 @@ of powering down the system with similar semantics. causes the manager to exit following the normal shutdown procedure, and causes it terminate without shutting down services. When or is used by default the exit status of the - main process of the unit (if this applies) is returned from the service manager. However, this may be overriden + main process of the unit (if this applies) is returned from the service manager. However, this may be overridden with FailureActionExitStatus=/SuccessActionExitStatus=, see below. @@ -1273,7 +1273,7 @@ <, <=, =, !=, >=, >. Compares the number of CPUs in the CPU affinity mask configured of the service manager itself with the specified number, adhering to the specified - comparision operator. On physical systems the number of CPUs in the affinity mask of the service + comparison operator. On physical systems the number of CPUs in the affinity mask of the service manager usually matches the number of physical CPUs, but in special and virtual environments might differ. In particular, in containers the affinity mask usually matches the number of CPUs assigned to the container and not the physically available ones. diff --git a/man/user-system-options.xml b/man/user-system-options.xml index 195c2e4163..8034735658 100644 --- a/man/user-system-options.xml +++ b/man/user-system-options.xml 
@@ -30,7 +30,7 @@ Execute the operation remotely. Specify a hostname, or a username and hostname separated by @, to connect to. The hostname may optionally be suffixed by a - port ssh is listening on, seperated by :, and then a + port ssh is listening on, separated by :, and then a container name, separated by /, which connects directly to a specific container on the specified host. This will use SSH to talk to the remote machine manager -- cgit v1.2.3 From ed0cb346821972ec2c505ee11ed3d383aba6256e Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Mon, 29 Apr 2019 18:22:22 +0200 Subject: tree-wide: code improvements suggested by Coccinelle --- man/vtable-example.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/vtable-example.c b/man/vtable-example.c index a2a6cd18d7..98c20eec52 100644 --- a/man/vtable-example.c +++ b/man/vtable-example.c @@ -59,7 +59,7 @@ int main(int argc, char **argv) { vtable, &object)); - while (true) { + for (;;) { check(sd_bus_wait(bus, UINT64_MAX)); check(sd_bus_process(bus, NULL)); } -- cgit v1.2.3 From c2c2793f39352c554b05ebf299374ed02290d816 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Tue, 30 Apr 2019 14:53:39 +0530 Subject: networkd: Add support to configure destination address for bridge FDB Closes #5145. Example conf: ``` [Match] Name=vxlan1309 [BridgeFDB] MACAddress=00:00:00:00:00:00 Destination=10.0.0.2 [BridgeFDB] MACAddress=00:00:00:00:00:00 Destination=10.0.0.4 [BridgeFDB] MACAddress=00:00:00:00:00:00 Destination=10.0.0.5 ``` --- man/systemd.network.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 4381090d34..604eea4c18 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1913,6 +1913,12 @@ key is mandatory. + + Destination= + + Takes an IP address of the destination VXLAN tunnel endpoint. + + VLANId= -- cgit v1.2.3 
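Review bot: the systemd.netdev.xml hunk of the codespell commit fixes "sesssion" in the SessionId= entry, but the adjacent context line "Ranges a number between 1 and 4294967295)." is ungrammatical and has an unmatched parenthesis; while touching the entry, change it to "Takes a number between 1 and 4294967295." The same commit's sd_bus_add_object_vtable.xml hunk fixes "paramater" but leaves "Mark his vtable entry" and "corresponds to invalides" in the same file.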
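Review bot: "Takes an IP address of the destination VXLAN tunnel endpoint" in the [BridgeFDB] Destination= hunk should state that the setting only applies to VXLAN interfaces, whether IPv4 and IPv6 addresses are both accepted, and how it combines with MACAddress=; the commit message's example of several [BridgeFDB] sections with MACAddress=00:00:00:00:00:00 and different Destination= values (in the kernel's VXLAN FDB, the all-zeros entries are the default destinations used for unknown MAC addresses) is the typical use and belongs in the man page rather than only in the commit message.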
From 8bc17bb3f707c99b6c9ad295563c92b38141a1f4 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Wed, 1 May 2019 12:13:23 +0530 Subject: networkd: Option to use LinkLocalAddressing only when DHCP fails When LinkLocalAddressing=fallback or LinkLocalAddressing=ipv4-fallback then IPv4LL will be started only when DHCP fails. Closes #9648. --- man/systemd.network.xml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 604eea4c18..b86bcf03ef 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -326,9 +326,16 @@ LinkLocalAddressing= Enables link-local address autoconfiguration. Accepts yes, - no, ipv4, or ipv6. If - Bridge= is set, defaults to no, and if not, - defaults to ipv6. + no, ipv4, ipv6, + fallback, or ipv4-fallback. If + fallback or ipv4-fallback is specified, then an IPv4 + link-local address is configured only when DHCPv4 fails. If fallback, + an IPv6 link-local address is always configured, and if ipv4-fallback, + the address is not configured. Note that, the fallback mechanism works only when DHCPv4 + client is enabled, that is, it requires DHCP=yes or + DHCP=ipv4. If Bridge= is set, defaults to + no, and if not, defaults to ipv6. + -- cgit v1.2.3 From 1c30b174edc001537350036245ea632cb4e91cbb Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 4 May 2019 16:21:43 +0200 Subject: network: rename WireGuard.FwMark -> FirewallMark For the consistency with FirewallMark= in [RoutingPolicyRule] section. --- man/systemd.netdev.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index b71320e20d..0bbfc611f8 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml 
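Review bot: the rewritten LinkLocalAddressing= paragraph leaves the failure mode undocumented: "the fallback mechanism works only when DHCPv4 client is enabled" says what is required but not what happens when fallback or ipv4-fallback is set without DHCP=yes or DHCP=ipv4 (is the value rejected, treated as no, or is IPv4LL never started?). Two smaller points in the same hunk: "Note that, the fallback mechanism works only when DHCPv4 client is enabled" should read "Note that the fallback mechanism works only when the DHCPv4 client is enabled", and "if ipv4-fallback, the address is not configured" should name the address explicitly ("the IPv6 link-local address is not configured") since the preceding sentence was about the IPv4 one.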
@@ -1416,9 +1416,9 @@ - FwMark= + FirewallMark= - Sets a firewall mark on outgoing WireGuard packets from this interface. + Sets a firewall mark on outgoing WireGuard packets from this interface. Takes a number between 1 and 4294967295. -- cgit v1.2.3 From 715cedfbf03a2eb1d4dca5d1b2b876e52a3b652d Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Sat, 4 May 2019 17:10:54 +0530 Subject: networkd: Allow DHCP4 client to set the number to attempt to reconfigure. Otherwise current value is 6 and after 6 it will give up. --- man/systemd.network.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index b86bcf03ef..7353b57419 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1396,6 +1396,16 @@ + + MaxAttempts= + + Specifies how many times the DHCPv4 client configuration should be attempted. Takes a + number or infinity. Defaults to infinity. + Note that the time between retries is increased exponentially, so the network will not be + overloaded even if this number is high. + + + DUIDType= -- cgit v1.2.3 From ca49c7f9aa41ebd7380e99a706e0f25a42259448 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Mon, 6 May 2019 17:28:48 +0530 Subject: networkd: VXLAN ID define range in the man --- man/systemd.netdev.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 0bbfc611f8..4cb3258c11 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -529,7 +529,7 @@ Id= - The VXLAN ID to use. + The VXLAN ID to use. Takes a number in the range 1-16777215. -- cgit v1.2.3 From 6f213e4a3465f7c9c986fff0b701cc0e00fb636b Mon Sep 17 00:00:00 2001 
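Review bot: the FwMark= to FirewallMark= hunk renames a user-facing configuration key but documents no compatibility handling; existing .netdev files that use FwMark= will silently lose their mark unless the old spelling is kept as an alias. If the parser accepts both, the man page should say so (e.g. "FwMark= is accepted as a deprecated alias"); if it does not, the NEWS entry needs to call out the incompatible change.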
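Review bot: the MaxAttempts= hunk documents "Defaults to infinity", while the commit message states "current value is 6 and after 6 it will give up". One of the two is stale: either this change also raises the default (in which case the man page should say the default changed) or the default remains 6 and the documented value is wrong. It would also help to note how this interacts with LinkLocalAddressing=fallback from the earlier commit in this series, which starts IPv4LL only once DHCPv4 has failed; with unlimited attempts that condition can never be reached.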
From: Susant Sahani Date: Tue, 7 May 2019 10:31:22 +0530 Subject: networkd: VXLAN rename Id to VNI It makes more sense to call VXLAN ID as 1. the VXLAN Network Identifier (VNI) (or VXLAN Segment ID) 2. test-network: rename VXLAN Id to VNI 3. fuzzer: Add VXLAN VNI directive to fuzzer --- man/systemd.netdev.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 4cb3258c11..3841ad54b7 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -527,9 +527,9 @@ - Id= + VNI= - The VXLAN ID to use. Takes a number in the range 1-16777215. + The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number in the range 1-16777215. -- cgit v1.2.3 From 83cb24ac20baf19f7834931dcf6e03486b4c9c30 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Tue, 7 May 2019 10:44:06 +0530 Subject: networkd: VXLan Make group and remote variable separate VXLAN Document Group= --- man/systemd.netdev.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 3841ad54b7..1f2f4bd9c8 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -543,6 +543,12 @@ Configures local IP address. + + + Group= + + Configures VXLAN multicast group IP address. All members of a VXLAN must use the same multicast group address. + TOS= -- cgit v1.2.3 From 4cc0fd7531bd761f5fc4415b95bcc1dcd9d72e6f Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Tue, 7 May 2019 00:40:57 +0530 Subject: networkd: VXLAN add support to configure Generic Protocol Extension See https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07 --- man/systemd.netdev.xml | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 1f2f4bd9c8..7fddedf6e8 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml 
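Review bot: the Id= to VNI= rename in the systemd.netdev hunk has the same problem as the FwMark= rename earlier in this series: a released configuration key disappears from the documentation with no statement about whether Id= is still parsed. Please document the old name as a deprecated alias if it is kept, or flag the breaking change in NEWS. The Group= hunk would also benefit from one sentence on how it relates to the existing remote-address setting, since the commit message says the two are now separate variables but the man page does not say whether they are mutually exclusive or what happens when both are given.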
@@ -655,6 +655,15 @@ VXLAN Group Policy document. Defaults to false. + + GenericProtocolExtension= + + Takes a boolean. When true, Generic Protocol Extension extends the existing VXLAN protocol + to provide protocol typing, OAM, and versioning capabilities. For details about the VXLAN GPE + Header, see the + Generic Protocol Extension for VXLAN document. Defaults to false. + + DestinationPort= -- cgit v1.2.3 From 61b824c5619a3f5f4fa1c02a3258c36deeb689ca Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Mon, 6 May 2019 19:58:52 +0530 Subject: networkd: bridge fdb add support to configure VXLAN VNI --- man/systemd.network.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 7353b57419..f24bf40159 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1944,6 +1944,14 @@ table entry. + + VNI= + + The VXLAN Network Identifier (or VXLAN Segment ID) to use to connect to + the remote VXLAN tunnel endpoint. Takes a number in the range 1-16777215. + Defaults to unset. + + -- cgit v1.2.3 From acdb4b5236f38bbefbcc4a47fdbb9cd558b4b5c5 Mon Sep 17 00:00:00 2001 From: Chris Down Date: Tue, 30 Apr 2019 14:22:04 -0400 Subject: cgroup: Polish hierarchically aware protection docs a bit I missed adding a section in `systemd.resource-control` about DefaultMemoryMin in #12332. Also, add a NEWS entry going over the general concept. --- man/systemd.resource-control.xml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index e7fb46873c..95209a8a6a 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
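Review bot: the GenericProtocolExtension= entry describes what the GPE specification does ("Generic Protocol Extension extends the existing VXLAN protocol to provide protocol typing, OAM, and versioning capabilities") rather than what the setting does. Suggest rewording the first sentence as "When true, enables the VXLAN Generic Protocol Extension (GPE), which extends the VXLAN header with protocol typing, OAM, and versioning fields", so that the boolean's effect is stated before the background.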
@@ -245,6 +245,10 @@ This setting is supported only if the unified control group hierarchy is used and disables MemoryLimit=. + + Units may have their children use a default memory.min value by specifying + DefaultMemoryMin=, which has the same semantics as MemoryMin=. This setting + does not affect memory.min in the unit itself. @@ -266,8 +270,8 @@ This setting is supported only if the unified control group hierarchy is used and disables MemoryLimit=. - Units may can have their children use a default memory.low value by specifying - DefaultMemoryLow=, which has the same usage as MemoryLow=. This setting + Units may have their children use a default memory.low value by specifying + DefaultMemoryLow=, which has the same semantics as MemoryLow=. This setting does not affect memory.low in the unit itself. -- cgit v1.2.3 From 1087623bacc2a7e1f3090f31b0b7721cae16a003 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Sat, 4 May 2019 20:21:13 +0530 Subject: networkd: Add support to configure proxy ARP and proxy ARP Wifi --- man/systemd.network.xml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index f24bf40159..44354f8bf2 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1893,6 +1893,21 @@ When unset, the kernel's default will be used. + + ProxyARP= + + Takes a boolean. Configures whether proxy ARP to be enabled on this port. + When unset, the kernel's default will be used. + + + + ProxyARPWiFi= + + Takes a boolean. Configures whether proxy ARP to be enabled on this port + which meets extended requirements by IEEE 802.11 and Hotspot 2.0 specifications. + When unset, the kernel's default will be used. + + Cost= -- cgit v1.2.3 From 1c8b0eccc788e94a9ff1987948e9af35efc246cd Mon Sep 17 00:00:00 2001 
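Review bot: both new entries in the ProxyARP= hunk have the same grammatical slip: "Configures whether proxy ARP to be enabled on this port" should read "Configures whether proxy ARP is to be enabled on this port". In the ProxyARPWiFi= entry, "which meets extended requirements by IEEE 802.11 and Hotspot 2.0 specifications" reads better as "with the extended requirements of the IEEE 802.11 and Hotspot 2.0 specifications".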
From: Susant Sahani Date: Wed, 8 May 2019 20:09:42 +0530 Subject: networkd: Assign VXLAN destination port to when GPE is set When VXLAN destination port is unset and GPE is set then assign 4790 to destination port. Kernel does the same as well as iproute. IANA VXLAN-GPE port is 4790 --- man/systemd.netdev.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 7fddedf6e8..fc33f89a38 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -661,7 +661,8 @@ Takes a boolean. When true, Generic Protocol Extension extends the existing VXLAN protocol to provide protocol typing, OAM, and versioning capabilities. For details about the VXLAN GPE Header, see the - Generic Protocol Extension for VXLAN document. Defaults to false. + Generic Protocol Extension for VXLAN document. If destination port is not specified and + Generic Protocol Extension is set then default port of 4790 is used. Defaults to false. -- cgit v1.2.3 From 1189c00a3c41e0982fb598909911f5a58c278adc Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Wed, 8 May 2019 22:31:08 +0530 Subject: networkd: VXLAN add support to configure IP Don't fragment. Allow users to set the IPv4 DF bit in outgoing packets, or to inherit its value from the IPv4 inner header. If the encapsulated protocol is IPv6 and DF is configured to be inherited, always set it. --- man/systemd.netdev.xml | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index fc33f89a38..416874fbaf 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml 
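Review bot: the new sentence in the GenericProtocolExtension= hunk ("If destination port is not specified and Generic Protocol Extension is set then default port of 4790 is used") is placed only under the GPE setting, but a reader looking up DestinationPort= will not see it. Suggest repeating the 4790 default in the DestinationPort= entry and tightening the wording: "If DestinationPort= is not specified and this option is enabled, the IANA-assigned VXLAN-GPE port 4790 is used."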
@@ -691,6 +691,15 @@ The valid range is 0-1048575. + + + IPDoNotFragment= + + Allows to set the IPv4 Do not Fragment (DF) bit in outgoing packets, or to inherit its + value from the IPv4 inner header. Takes a boolean value, or inherit. Set + to inherit if the encapsulated protocol is IPv6. When unset, the kernel's + default will be used. + -- cgit v1.2.3 From 0fadb2a46fca9f9c67d29d82ababc7a2d378c401 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Thu, 9 May 2019 02:32:12 +0200 Subject: network: add support to configure proxy ARP/WIFI --- man/systemd.network.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 44354f8bf2..a12f72d0f2 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1908,6 +1908,17 @@ When unset, the kernel's default will be used. + + MulticastRouter= + + Configures this port for having multicast routers attached. A port with a multicast + router will receive all multicast traffic. Takes one of no + to disable multicast routers on this port, query to let the system detect + the presence of routers, permanent to permanently enable multicast traffic + forwarding on this port, or temporary to enable multicast routers temporarily + on this port, not depending on incoming queries. When unset, the kernel's default will be used. + + Cost= -- cgit v1.2.3 From 87b3c9193ddc7e69e5d23542b836f74e167985c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 9 May 2019 08:12:03 +0200 Subject: man: merge items specified as separate lists into one list --- man/sd_bus_set_description.xml | 8 -------- man/sd_bus_slot_set_description.xml | 4 ---- 2 files changed, 12 deletions(-) (limited to 'man') diff --git a/man/sd_bus_set_description.xml b/man/sd_bus_set_description.xml index cfcebdfb29..3c5580e27c 100644 --- a/man/sd_bus_set_description.xml +++ b/man/sd_bus_set_description.xml 
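Review bot: the IPDoNotFragment= text in the first hunk misstates the inherit behaviour described in the commit message. The commit says that with inherit and an IPv6 inner packet the DF bit is always set, whereas the man page turns this into an instruction to the user ("Set to inherit if the encapsulated protocol is IPv6"). Suggest: "Takes a boolean or inherit. When inherit, the DF bit is copied from the inner IPv4 header; if the encapsulated protocol is IPv6, the bit is always set." Also "Allows to set" should be "Allows setting".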
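Review bot: the commit titled "network: add support to configure proxy ARP/WIFI" actually adds the MulticastRouter= entry in its systemd.network hunk; proxy ARP was already documented by commit 1087623b earlier in this series. The subject line should be corrected to describe the multicast router setting so that git history and the man page stay in sync.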
@@ -130,33 +130,25 @@ An argument is invalid. - - -ENOPKG The bus cannot be resolved. - - -EPERM The bus has already been started. - - -ECHILD The bus was created in a different process. - - -ENOMEM diff --git a/man/sd_bus_slot_set_description.xml b/man/sd_bus_slot_set_description.xml index 13dd6f8815..9bc2ba8592 100644 --- a/man/sd_bus_slot_set_description.xml +++ b/man/sd_bus_slot_set_description.xml @@ -72,17 +72,13 @@ An required argument is NULL. - - -ENXIO The bus slot object has no description. - - -ENOMEM -- cgit v1.2.3 From e9bbff18e1cb7fc2ec209255c523780ad2e3dfce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 9 May 2019 13:23:50 +0200 Subject: meson: add build/man/man and build/man/html to build and display pages Man page generation is generally very slow. I prefer to use -Dman=false when developing systemd, and only build specific pages when introducing changes. Those two little helper tools make it easy: $ build/man/man systemd.link $ build/man/html systemd.link will show systemd.link.8 and systemd.link.html from the build directory build/. --- man/html.in | 12 ++++++++++++ man/man.in | 15 +++++++++++++++ man/meson.build | 12 ++++++++++++ 3 files changed, 39 insertions(+) create mode 100755 man/html.in create mode 100755 man/man.in (limited to 'man') diff --git a/man/html.in b/man/html.in new file mode 100755 index 0000000000..d4debcc340 --- /dev/null +++ b/man/html.in @@ -0,0 +1,12 @@ +#!/bin/sh +set -e + +if [ -z "$1" ]; then + echo "Use: $0 page-name (with no section suffix)" + exit 1 +fi + +target="man/$1.html" +ninja -C "@BUILD_ROOT@" "$target" +set -x +exec xdg-open build/"$target" diff --git a/man/man.in b/man/man.in new file mode 100755 index 0000000000..5700a642bd --- /dev/null +++ b/man/man.in 
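Review bot: in the sd_bus_slot_set_description.xml hunk, the unchanged context line "An required argument is NULL." has an article error ("A required argument"); since this commit is already touching the surrounding list markup, fold that fix in.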
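Review bot: in the new man/html.in, the ninja invocation uses the configured "@BUILD_ROOT@" but the final line hardcodes a relative path, `exec xdg-open build/"$target"`, so the helper only works when the build directory is literally "build" under the current working directory. Use `exec xdg-open "@BUILD_ROOT@/$target"` for consistency with the line above it. The `set -x` immediately before the exec also looks like leftover debugging.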
@@ -0,0 +1,15 @@ +#!/bin/sh +set -e + +if [ -z "$1" ]; then + echo "Use: $0 page-name (with no section suffix)" + exit 1 +fi + +target=$(ninja -C "@BUILD_ROOT@" -t query man/man | grep -E -m1 "man/$1\.[0-9]$" | awk '{print $2}') +if [ -z "$target" ]; then + echo "Cannot find page $1" + exit 1 +fi +ninja -C "@BUILD_ROOT@" "$target" +exec man build/"$target" diff --git a/man/meson.build b/man/meson.build index ae9c941fcd..f3992b2834 100644 --- a/man/meson.build +++ b/man/meson.build @@ -204,3 +204,15 @@ if git.found() 'mv t @0@/rules/meson.build'.format(meson.current_source_dir())], depend_files : custom_entities_ent) endif + +############################################################ + +configure_file( + input : 'man.in', + output : 'man', + configuration : substs) + +configure_file( + input : 'html.in', + output : 'html', + configuration : substs) -- cgit v1.2.3 From 3ff7a50d66e3f851d3d9f132b740a7fb2055aa1d Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 5 Apr 2019 18:59:25 +0200 Subject: man: document the two new journalctl commands --- man/journalctl.xml | 40 ++++++++++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 12 deletions(-) (limited to 'man') diff --git a/man/journalctl.xml b/man/journalctl.xml index a3c67f5e82..0ecab521fa 100644 --- a/man/journalctl.xml +++ b/man/journalctl.xml 
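Review bot: man/man.in has the same hardcoded path as html.in: `exec man build/"$target"` should be `exec man "@BUILD_ROOT@/$target"` to match the "@BUILD_ROOT@" used two lines above. Separately, the lookup `grep -E -m1 "man/$1\.[0-9]$"` interpolates the page name into a regex unescaped, so a name such as systemd.link matches any character in place of the dot, and the pattern only admits single-digit section numbers; quoting the name or matching on a fixed string would be more robust.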
@@ -887,18 +887,34 @@ - Asks the journal daemon to flush any log data - stored in /run/log/journal into - /var/log/journal, if persistent storage - is enabled. This call does not return until the operation is - complete. Note that this call is idempotent: the data is only - flushed from /run/log/journal into - /var/log/journal once during system - runtime, and this command exits cleanly without executing any - operation if this has already happened. This command - effectively guarantees that all data is flushed to - /var/log/journal at the time it - returns. + Asks the journal daemon to flush any log data stored in + /run/log/journal/ into /var/log/journal/, if persistent + storage is enabled. This call does not return until the operation is complete. Note that this call is + idempotent: the data is only flushed from /run/log/journal/ into + /var/log/journal once during system runtime (but see + below), and this command exits cleanly without executing any + operation if this has already happened. This command effectively guarantees that all data is flushed + to /var/log/journal at the time it returns. + + + + + + Asks the journal daemon for the reverse operation to : if + requested the daemon will write further log data to /run/log/journal/ and stops + writing to /var/log/journal/. A subsequent call to + causes the log output to switch back to /var/log/journal/, see + above. + + + + + + Similar to but executes no operation if the root file + system and /var/lib/journal/ reside on the same mount point. This operation is + used during system shutdown in order to make the journal daemon stop writing data to + /var/log/journal/ in case that directory is located on a mount point that needs + to be unmounted. -- cgit v1.2.3 From 0b1e5b6ed8c6b9a2bc53709eb75e381d360f05bf Mon Sep 17 00:00:00 2001 
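Review bot: the smart-relinquish-var paragraph says the operation is skipped "if the root file system and /var/lib/journal/ reside on the same mount point", but every other path in this hunk, including the very next sentence, refers to /var/log/journal/. Unless the check really is on /var/lib/journal/ (which would be surprising given the stated purpose), this is a typo that will mislead anyone debugging shutdown ordering. Also, in the relinquish-var paragraph, "and stops writing to /var/log/journal/" should read "and stop writing" to agree with "will write".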
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 9 May 2019 12:34:30 +0200 Subject: man: describe naming schemes in a new man page I decided to make this a separate man page because it is freakin' long. This content could equally well go in systemd-udevd.service(8), systemd.link(5), or a new man page for the net_id builtin. v2: - rename to systemd.net-naming-scheme - add udevadm test-builtin net_id example --- man/rules/meson.build | 1 + man/systemd-udevd.service.xml | 20 +- man/systemd.link.xml | 10 +- man/systemd.net-naming-scheme.xml | 418 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 435 insertions(+), 14 deletions(-) create mode 100644 man/systemd.net-naming-scheme.xml (limited to 'man') diff --git a/man/rules/meson.build b/man/rules/meson.build index 6894158466..13feadc66f 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -824,6 +824,7 @@ manpages = [ ['systemd.kill', '5', [], ''], ['systemd.link', '5', [], ''], ['systemd.mount', '5', [], ''], + ['systemd.net-naming-scheme', '7', [], ''], ['systemd.netdev', '5', [], 'ENABLE_NETWORKD'], ['systemd.network', '5', [], 'ENABLE_NETWORKD'], ['systemd.nspawn', '5', [], ''], diff --git a/man/systemd-udevd.service.xml b/man/systemd-udevd.service.xml index cf8087ccb3..c267bb2b11 100644 --- a/man/systemd-udevd.service.xml +++ b/man/systemd-udevd.service.xml 
@@ -171,15 +171,12 @@ net.naming-scheme= Network interfaces are renamed to give them predictable names when possible (unless - net.ifnames=0 is specified, see above). The names are derived from various - device metadata fields. Newer versions of systemd-udevd.service take more of - these fields into account, improving (and thus possibly changing) the names used for the same - devices. With this kernel command line option it is possible to pick a specific version of this - algorithm. It expects a naming scheme identifier as argument. Currently the following identifiers - are known: v238, v239, v240 which each - implement the naming scheme that was the default in the indicated systemd version. In addition, - latest may be used to designate the latest scheme known (to this particular - version of systemd-udevd.service). + net.ifnames=0 is specified, see above). With this kernel command line option it + is possible to pick a specific version of this algorithm and override the default chosen at + compilation time. Expects one of the naming scheme identifiers listed in + systemd.net-naming-scheme7, + or latest to select the latest scheme known (to this particular version of + systemd-udevd.service). Note that selecting a specific scheme is not sufficient to fully stabilize interface naming: the naming is generally derived from driver attributes exposed by the kernel. As the kernel is @@ -188,9 +185,8 @@ - - + + See Also diff --git a/man/systemd.link.xml b/man/systemd.link.xml index ea744bd251..b1be32955e 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml @@ -278,6 +278,7 @@ The name is set based on information given by the firmware for on-board devices, as exported by the udev property ID_NET_NAME_ONBOARD. + See systemd.net-naming-scheme7. @@ -287,6 +288,7 @@ The name is set based on information given by the firmware for hot-plug devices, as exported by the udev property ID_NET_NAME_SLOT. + See systemd.net-naming-scheme7. 
@@ -295,7 +297,9 @@ The name is set based on the device's physical location, as exported by the udev property - ID_NET_NAME_PATH. + ID_NET_NAME_PATH. + See systemd.net-naming-scheme7. + @@ -303,7 +307,9 @@ The name is set based on the device's persistent MAC address, as exported by the udev property - ID_NET_NAME_MAC. + ID_NET_NAME_MAC. + See systemd.net-naming-scheme7. + diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml new file mode 100644 index 0000000000..f86ad8d63a --- /dev/null +++ b/man/systemd.net-naming-scheme.xml 
@@ -0,0 +1,418 @@ + + + + + + + systemd.net-naming-scheme + systemd + + + + systemd.net-naming-scheme + 7 + + + + systemd.net-naming-scheme + Network device naming schemes + + + + Description + + Network interfaces may be renamed to give them predictable names when there's enough information to + generate appropriate names and the use of certain types of names is configured. This page describes the + first part, i.e. what possible names may be generated. Those names are generated by the + systemd-udevd.service8 + builtin net_id and exported as udev properties + (ID_NET_NAME_ONBOARD=, ID_NET_LABEL_ONBOARD=, + ID_NET_NAME_PATH=, ID_NET_NAME_SLOT=). + + Names are derived from various device metadata attributes. Newer versions of udev take more of + these attributes into account, improving (and thus possibly changing) the names used for the same + devices. Differents version of the naming rules are called "naming schemes". The default naming scheme is + chosen at compilation time. Usually this will be the latest implemented version, but it is also possible + to set one of the older versions to preserve compatibility. This may be useful for example for + distributions, which may introduce new versions of systemd in stable releases without changing the naming + scheme. The naming scheme may also be overriden using the net.naming-scheme= kernel + command line switch, see + systemd-udevd.service8. + Available naming schemes are described below. + + After the udev proprties have been generated, appropriate udev rules may be used to actually rename + devices based on those properties. See the description of NamePolicy= in + systemd.link5. + + + + + Naming + + All names start with a two-character prefix that signifies the interface type. 
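Review bot: three spelling errors in the Description section of the new page: "Differents version of the naming rules" should be "Different versions of the naming rules", "overriden" should be "overridden", and "After the udev proprties have been generated" should be "properties". The description also lists the exported properties without ID_NET_NAME_MAC=, which the Naming section below documents; adding it to that parenthetical list would keep the two sections consistent.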
+ + + Two character prefixes based on the type of interface + + + + + Prefix + Description + + + + + en + Ethernet + + + ib + InfiniBand + + + sl + serial line IP (slip) + + + wl + Wireless local area network (WLAN) + + + ww + Wireless wide area network (WWAN) + + + +
+ + The udev net_id builtin exports the following udev device properties: + + + + ID_NET_NAME_ONBOARD=prefixonumber + + This name is set based on the ordering information given by the firmware for + on-board devices. The name consists of the prefix, letter o, and a number + specified by the firmware. This is only available for PCI devices. + + + + + ID_NET_LABEL_ONBOARD=prefix label + + This property is set based on label given by the firmware for on-board devices. The + name consists of the prefix concatenated with the label. This is only available for PCI devices. + + + + + + ID_NET_NAME_MAC=prefixxAABBCCDDEEFF + + This name consists of the prefix, letter x, and 12 hexadecimal + digits of the MAC address. It is available if the device has a fixed MAC address. Because this name + is based on an attribute of the card itself, it remains "stable" when the device is moved (even + between machines), but will change when the hardware is replaced. + + + + + ID_NET_NAME_SLOT=prefix[Pdomain]sslot[ffunction][nport_name|ddev_port] + ID_NET_NAME_SLOT=prefix[Pdomain]sslot[ffunction][nport_name|ddev_port]bnumber + ID_NET_NAME_SLOT=prefix[Pdomain]sslot[ffunction][nport_name|ddev_port]uport…[cconfig][iinterface] + ID_NET_NAME_SLOT=prefix[Pdomain]sslot[ffunction][nport_name|ddev_port]vslot + + This property describes the slot position. Different schemes are used depending on + the bus type, as described in the table below. In all cases, PCI slot information must be known. In + case of USB, BCMA, and SR-VIO devices, the full name consists of the prefix, PCI slot identifier, + and USB or BCMA or SR-VIO slot identifier. The first two parts are denoted as "…" in the table + below. + + + Slot naming schemes + + + + + Format + Description + + + + + + prefix [Pdomainsslot [ffunction] [nport_name | ddev_port] + PCI slot number + + + + … bnumber + Broadcom bus (BCMA) core number + + + + … uport… [cconfig] [iinterface] + USB port number chain + + + + … vslot + SR-VIO slot number + + + +
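Review bot: the ID_NET_NAME_SLOT= description and the slot naming table use "SR-VIO" three times ("In case of USB, BCMA, and SR-VIO devices", "USB or BCMA or SR-VIO slot identifier", "SR-VIO slot number"), while the following paragraph and the History section correctly say "SR-IOV". Please fix the acronym so that searching the page for SR-IOV finds the naming rule.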
+ + The PCI domain is only prepended when it is not 0. All multi-function PCI devices will carry + the ffunction number in the device name, including + the function 0 device. For non-multi-function devices, the number is suppressed if 0. The port name + port_name is used, or the port number + ddev_port if the name is not known. + + For BCMA devices, the core number is suppressed when 0. + + For USB devices the full chain of port numbers of hubs is composed. If the name gets longer + than the maximum number of 15 characters, the name is not exported. The usual USB configuration + number 1 and interface number 0 values are suppressed. +
+ + SR-IOV virtual devices are named based on the name of the parent interface, with a suffix of + v and the virtual device number, with any leading zeros removed. The bus + number is ignored. This device type is found in IBM PowerVMs. +
+ + + ID_NET_NAME_PATH=prefixcbus_id + ID_NET_NAME_PATH=prefixavendormodeliinstance + ID_NET_NAME_PATH=prefixiaddressnport_name + ID_NET_NAME_PATH=prefix[Pdomain]pbussslot[ffunction][nphys_port_name|ddev_port] + ID_NET_NAME_PATH=prefix[Pdomain]pbussslot[ffunction][nphys_port_name|ddev_port]bnumber + ID_NET_NAME_PATH=prefix[Pdomain]pbussslot[ffunction][nphys_port_name|ddev_port]uport…[cconfig][iinterface] + + This property describes the device installation location. Different schemes are + used depending on the bus type, as described in the table below. For BCMA and USB devices, PCI path + information must known, and the full name consists of the prefix, PCI slot identifier, and USB or + BCMA location. The first two parts are denoted as "…" in the table below. + + + Path naming schemes + + + + + Format + Description + + + + + + prefix cbus_id + CCW or grouped CCW device identifier + + + + prefix avendor model iinstance + ACPI path names for ARM64 platform devices + + + + prefix iaddress nport_name + Netdevsim (simulated networking device) device number and port name + + + + prefix [Pdomainpbus sslot [ffunction] [nphys_port_name | ddev_port] + PCI geographical location + + + + … bnumber + Broadcom bus (BCMA) core number + + + + … uport… [cconfig] [iinterface] + USB port number chain + + + + +
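Review bot: in the ID_NET_NAME_PATH= description, "For BCMA and USB devices, PCI path information must known" is missing a verb ("must be known").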
+ + CCW and grouped CCW devices are found in IBM System Z mainframes. Any leading zeros and + dots are suppressed. + + For PCI, BCMA, and USB devices, the same rules as described above for slot naming are + used. +
+
+
+
+ + + History + + The following "naming schemes" have been defined: + + + + v238 + + This is the naming naming that was implemented in systemd 238. + + + + v239 + + Naming was changed for virtual network interfaces created with SR-IOV and NPAR and + for devices where the PCI network controller device does not have a slot number associated. + + SR-IOV virtual devices are named based on the name of the parent interface, with a suffix of + vport, where port is the + virtual device number. Previously those virtual devices were named as if completely independent. + + + The ninth and later NPAR virtual devices are named following the scheme used for the first + eight NPAR partitions. Previously those devices were not renamed and the kernel default + ("ethN") was used. + + Names are also generated for PCI devices where the PCI network controller device does not + have an associated slot number itself, but one of its parents does. Previously those devices were + not renamed and the kernel default was used. + + + + + v240 + + The ib prefix and stable names for infiniband devices are + introduced. Previously those devices were not renamed. + + The ACPI index field (used in ID_NET_NAME_ONBOARD=) is now also used when + 0. + + A new naming policy NamePolicy=keep was introduced. With this policy, if + the network device name was already set by userspace, the device will not be renamed + again. Previously, this naming policy applied implicitly, and now it must be explicitly + requested. Effectively, this means that network devices will be renamed according to the + configuration, even if they have been renamed already, if keep is not + specified as the naming policy in the .link file. See + systemd.link5 + for a description of NamePolicy=. + + + + v243 + + Support for netdevsim (simulated networking devices) was added. Previously those devices were + not renamed. + + + Note that latest may be used to denote the latest scheme known (to this + particular version of systemd. 
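Review bot: two slips in the History section: the v238 entry reads "This is the naming naming that was implemented in systemd 238" (duplicated word; "the naming scheme that was implemented" is presumably intended), and the closing sentence "latest scheme known (to this particular version of systemd." never closes its parenthesis.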
+ + + + + Examples + + + Using <command>udevadm test-builtin</command> to display device properties + + $ udevadm test-builtin net_id /sys/class/net/enp0s31f6 +... +Using default interface naming scheme 'v243'. +ID_NET_NAMING_SCHEME=v243 +ID_NET_NAME_MAC=enx54ee75cb1dc0 +ID_OUI_FROM_DATABASE=Wistron InfoComm(Kunshan)Co.,Ltd. +ID_NET_NAME_PATH=enp0s31f6 +... + + + + PCI Ethernet card with firmware index "1" + + ID_NET_NAME_ONBOARD=eno1 +ID_NET_NAME_ONBOARD_LABEL=enEthernet Port 1 + + + + + + PCI Ethernet card in hotplug slot with firmware index number + + # /sys/devices/pci0000:00/0000:00:1c.3/0000:05:00.0/net/ens1 +ID_NET_NAME_MAC=enx000000000466 +ID_NET_NAME_PATH=enp5s0 +ID_NET_NAME_SLOT=ens1 + + + + PCI Ethernet multi-function card with 2 ports + + # /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/net/enp2s0f0 +ID_NET_NAME_MAC=enx78e7d1ea46da +ID_NET_NAME_PATH=enp2s0f0 + +# /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.1/net/enp2s0f1 +ID_NET_NAME_MAC=enx78e7d1ea46dc +ID_NET_NAME_PATH=enp2s0f1 + + + + PCI WLAN card + + # /sys/devices/pci0000:00/0000:00:1c.1/0000:03:00.0/net/wlp3s0 +ID_NET_NAME_MAC=wlx0024d7e31130 +ID_NET_NAME_PATH=wlp3s0 + + + + PCI IB host adapter with 2 ports + + # /sys/devices/pci0000:00/0000:00:03.0/0000:15:00.0/net/ibp21s0f0 +ID_NET_NAME_PATH=ibp21s0f0 + +# /sys/devices/pci0000:00/0000:00:03.0/0000:15:00.1/net/ibp21s0f1 +ID_NET_NAME_PATH=ibp21s0f1 + + + + USB built-in 3G modem + + # /sys/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.4/2-1.4:1.6/net/wwp0s29u1u4i6 +ID_NET_NAME_MAC=wwx028037ec0200 +ID_NET_NAME_PATH=wwp0s29u1u4i6 + + + + USB Android phone + + # /sys/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2/2-1.2:1.0/net/enp0s29u1u2 +ID_NET_NAME_MAC=enxd626b3450fb5 +ID_NET_NAME_PATH=enp0s29u1u2 + + + + s390 grouped CCW interface + + # /sys/devices/css0/0.0.0007/0.0.f5f0/group_device/net/encf5f0 +ID_NET_NAME_MAC=enx026d3c00000a +ID_NET_NAME_PATH=encf5f0 + + + + + See Also + + udev7, + udevadm8, + the + original page describing stable 
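Review bot: the "PCI Ethernet card with firmware index" example shows a property named ID_NET_NAME_ONBOARD_LABEL, but the Description and Naming sections of this same page call it ID_NET_LABEL_ONBOARD=. One of the two names is wrong; since the net_id builtin exports exactly one of them, the example output should be regenerated from a real `udevadm test-builtin net_id` run rather than typed by hand (the follow-up commit that drops the "en" prefix keeps the same mismatched name).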
interface names + + + +
-- cgit v1.2.3 From 8c053c83ae3c18342c4faaa0043d787884056614 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 9 May 2019 12:41:52 +0200 Subject: udev: drop "en" prefix from ID_NET_NAME_ONBOARD The comment in udev-builtin-net_id.c (removed in grandparent commit) showed the property without the prefix. I assume that was always the intent, because it doesn't make much sense to concatenate anything to an arbitrary user-specified field. --- man/systemd.net-naming-scheme.xml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml index f86ad8d63a..eb8faad254 100644 --- a/man/systemd.net-naming-scheme.xml +++ b/man/systemd.net-naming-scheme.xml @@ -309,6 +309,9 @@ Support for netdevsim (simulated networking devices) was added. Previously those devices were not renamed. + + Previously two-letter interface type prefix was prepended to + ID_NET_LABEL_ONBOARD=. This is not done anymore.
Note that latest may be used to denote the latest scheme known (to this @@ -336,9 +339,8 @@ ID_NET_NAME_PATH=enp0s31f6 PCI Ethernet card with firmware index "1" ID_NET_NAME_ONBOARD=eno1 -ID_NET_NAME_ONBOARD_LABEL=enEthernet Port 1 +ID_NET_NAME_ONBOARD_LABEL=Ethernet Port 1 - -- cgit v1.2.3 From 727b5734187853bd85edb3c5588f4341269302ca Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Wed, 1 May 2019 04:17:41 +0530 Subject: networkd: Add support for blacklisting servers closes #6260 fuzzer: Add DHCP support for blacklisting servers --- man/systemd.network.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index f24bf40159..386c18b25c 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1566,6 +1566,13 @@ + + BlackList= + + A whitespace-separated list of IPv4 addresses. DHCP offers from servers in the list are rejected. + + +
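Review bot: the property name in the new naming-scheme note does not match the example it describes: the note says ID_NET_LABEL_ONBOARD= while the example hunk below (and the commit subject, ID_NET_NAME_ONBOARD) uses ID_NET_NAME_ONBOARD_LABEL=. Use the same property name in both places, e.g. "Previously a two-letter interface type prefix was prepended to ID_NET_NAME_ONBOARD_LABEL=." (the article "a" is also missing).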
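Review bot: the BlackList= entry should say what the listed IPv4 addresses are compared against (the server identifier option in the offer, or the source address of the packet, which differ when a relay is involved), and should make clear that this is a filtering convenience rather than a security boundary: DHCP offers are unauthenticated and the compared fields are chosen by the server, so a rogue server simply uses an address that is not on the list. One sentence such as "This does not protect against malicious servers" sets the right expectation.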
-- cgit v1.2.3 From aac350192b37f4ae5523a99260d59ee6b5515226 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Thu, 9 May 2019 21:37:46 +0530 Subject: networkd: Geneve add support configure IP don't fragment --- man/systemd.netdev.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 416874fbaf..454878d680 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -764,7 +764,13 @@ Specifies the flow label to use in outgoing packets. - + + + IPDoNotFragment= + + Accepts the same key in [VXLAN] section. + + -- cgit v1.2.3 From 328184d1fce13ff0345b3fbecbac6714eef86fbf Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Fri, 10 May 2019 15:11:47 +0530 Subject: networkd: Geneve Allow TTL to be zero. Also verify VNI is set --- man/systemd.netdev.xml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 454878d680..21c7ba8270 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -713,7 +713,7 @@ Id= - Specifies the Virtual Network Identifier (VNI) to use. Ranges [0-16777215]. + Specifies the Virtual Network Identifier (VNI) to use. Ranges [0-16777215]. This field is mandatory. @@ -731,7 +731,9 @@ TTL= - Specifies the TTL value to use in outgoing packets. Ranges [1-255]. + Specifies the TTL value to use in outgoing packets. Takes a number in the range 0-255. + When unset or set to 0, the kernel's default will be used meaning that packets TTL will be set from + /proc/sys/net/ipv4/ip_default_ttl. -- cgit v1.2.3 From afd15bbb4b6414b9356799c63029e36642dae8e4 Mon Sep 17 00:00:00 2001 
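Review bot: in the Geneve TTL= hunk, "packets TTL" should be "the packets' TTL", and the default is described only in IPv4 terms (/proc/sys/net/ipv4/ip_default_ttl); say what default applies when the tunnel endpoint is an IPv6 address, where that sysctl does not apply. The same hunk changes the accepted range from 1-255 to 0-255 and makes Id= mandatory; both are user-visible changes and deserve a mention in the changelog, not just the man page.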
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 8 May 2019 14:39:57 +0200 Subject: sd-event: add sd_event_source_disable_unref() helper --- man/rules/meson.build | 4 +++- man/sd_event_source_unref.xml | 30 +++++++++++++++++++----------- 2 files changed, 22 insertions(+), 12 deletions(-) (limited to 'man') diff --git a/man/rules/meson.build b/man/rules/meson.build index 6894158466..944d2bf286 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -445,7 +445,9 @@ manpages = [ ['sd_event_source_set_userdata', '3', ['sd_event_source_get_userdata'], ''], ['sd_event_source_unref', '3', - ['sd_event_source_ref', 'sd_event_source_unrefp'], + ['sd_event_source_disable_unref', + 'sd_event_source_ref', + 'sd_event_source_unrefp'], ''], ['sd_event_wait', '3', diff --git a/man/sd_event_source_unref.xml b/man/sd_event_source_unref.xml index 01e3008eed..4e2fb8cb39 100644 --- a/man/sd_event_source_unref.xml +++ b/man/sd_event_source_unref.xml @@ -19,6 +19,7 @@ sd_event_source_unref sd_event_source_unrefp sd_event_source_ref + sd_event_source_disable_unref Increase or decrease event source reference counters @@ -42,6 +43,10 @@ sd_event_source *source + + sd_event_source* sd_event_source_disable_unref + sd_event_source *source + 
@@ -77,23 +82,26 @@ the passed event source object is NULL. - Note that event source objects stay alive and may be - dispatched as long as they have a reference counter greater than - zero. In order to drop a reference of an event source and make - sure the associated event source handler function is not called - anymore it is recommended to combine a call of + Note that event source objects stay alive and may be dispatched as long as they have a reference + counter greater than zero. In order to drop a reference of an event source and make sure the associated + event source handler function is not called anymore it is recommended to combine a call of sd_event_source_unref() with a prior call to - sd_event_source_set_enabled() with - SD_EVENT_OFF. + sd_event_source_set_enabled() with SD_EVENT_OFF or call + sd_event_source_disable_unref(), see below. + + sd_event_source_disable_unref() combines a call to + sd_event_source_set_enabled() with SD_EVENT_OFF with + sd_event_source_unref(). This ensures that the source is disabled before the local + reference to it is lost. The source parameter is allowed to be + NULL. Return Value - sd_event_source_unref() always returns - NULL. - sd_event_source_ref() always returns the - event source object passed in. + sd_event_source_unref() and + sd_event_source_disable_unref() always return NULL. + sd_event_source_ref() always returns the event source object passed in. -- cgit v1.2.3 From aa7585fd8e4fac0c983208a388592ba37d3dff51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 10 May 2019 09:54:10 +0200 Subject: sd-event: add sd_event_source_disable_unrefp() too I do not have any immediate use for it, but let's add it for completeness. --- man/rules/meson.build | 1 + man/sd_event_source_unref.xml | 12 ++++++++++++ 2 files changed, 13 insertions(+) (limited to 'man') diff --git a/man/rules/meson.build b/man/rules/meson.build index 944d2bf286..bc71e0645b 100644 --- a/man/rules/meson.build 
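Review bot: the new sd_event_source_disable_unref() paragraph should spell out the idiom the return value is designed for: because it always returns NULL, the call is meant to be written as s = sd_event_source_disable_unref(s); so the local pointer cannot be used after the reference is dropped. It should also state that if other references to the source still exist, the object stays allocated but, being disabled, is no longer dispatched; as written, "ensures that the source is disabled before the local reference to it is lost" leaves both points implicit.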
+++ b/man/rules/meson.build @@ -446,6 +446,7 @@ manpages = [ ['sd_event_source_unref', '3', ['sd_event_source_disable_unref', + 'sd_event_source_disable_unrefp', 'sd_event_source_ref', 'sd_event_source_unrefp'], ''], diff --git a/man/sd_event_source_unref.xml b/man/sd_event_source_unref.xml index 4e2fb8cb39..81131fa737 100644 --- a/man/sd_event_source_unref.xml +++ b/man/sd_event_source_unref.xml @@ -20,6 +20,7 @@ sd_event_source_unrefp sd_event_source_ref sd_event_source_disable_unref + sd_event_source_disable_unrefp Increase or decrease event source reference counters @@ -47,6 +48,11 @@ sd_event_source* sd_event_source_disable_unref sd_event_source *source + + + void sd_event_source_disable_unrefp + sd_event_source **source + @@ -94,6 +100,12 @@ sd_event_source_unref(). This ensures that the source is disabled before the local reference to it is lost. The source parameter is allowed to be NULL. + + sd_event_source_disable_unrefp() is similar to + sd_event_source_unrefp(), but in addition disables the source first. This call is + useful in conjunction with GCC's and LLVM's + Clean-up Variable + Attribute. Note that this function is defined as inline function. -- cgit v1.2.3 From f4a8ca329a30896359226eaf7ba3f6812f4f0bff Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Fri, 10 May 2019 17:35:24 +0530 Subject: networkd: VXLAN support keyword 'inherit' for TTL --- man/systemd.netdev.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 21c7ba8270..0143bfb1c6 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml 
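Review bot: the sd_event_source_disable_unrefp() paragraph would be clearer with the declaration form it exists for, e.g. __attribute__((cleanup(sd_event_source_disable_unrefp))) sd_event_source *s = NULL;, together with a note that, since the function accepts a pointer to NULL, it is safe on every exit path including early returns taken before the source was created. "defined as inline function" should read "defined as an inline function".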
@@ -559,10 +559,10 @@ TTL= - A fixed Time To Live N on Virtual eXtensible Local - Area Network packets. N is a number in the range 1–255. 0 - is a special value meaning that packets inherit the TTL - value. + A fixed Time To Live N on Virtual eXtensible Local Area Network packets. + Takes inherit or a number in the range 0–255. 0 is a special + value meaning inherit the inner protocol's TTL value. inherit + means that it will inherit the outer protocol's TTL value. -- cgit v1.2.3 From d70c9bbd6ca598365b14c2004ea3ab6a5c3b3aad Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Sat, 11 May 2019 08:08:57 +0530 Subject: networkd: Geneve add support for inherit for TTL --- man/systemd.netdev.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 0143bfb1c6..42632a6540 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -731,8 +731,8 @@ TTL= - Specifies the TTL value to use in outgoing packets. Takes a number in the range 0-255. - When unset or set to 0, the kernel's default will be used meaning that packets TTL will be set from + Accepts the same key in [VXLAN] section except when unset or + set to 0, the kernel's default will be used meaning that packets TTL will be set from /proc/sys/net/ipv4/ip_default_ttl. -- cgit v1.2.3 From ccc162e03c9608b53577bc2155111891ed6fc012 Mon Sep 17 00:00:00 2001 From: Simon Schricker Date: Mon, 13 May 2019 10:47:43 +0200 Subject: man: mention garbage collection of failed conditions See discussion: https://github.com/systemd/systemd/issues/2234 --- man/systemd.unit.xml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 4b283880c3..84af5109b8 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml 
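Review bot: the rewritten VXLAN TTL= text is self-contradictory as it stands: it says 0 means "inherit the inner protocol's TTL value" and inherit means "inherit the outer protocol's TTL value", so both values "inherit" and the reader cannot tell which one copies the inner header. The Geneve TTL= entry earlier in this series says 0 selects the kernel's default (ip_default_ttl). Please reconcile the two and state plainly which keyword copies the TTL of the encapsulated packet and which uses the kernel default.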
@@ -1020,7 +1020,9 @@ or runtime environment doesn't require their functionality. Use the various AssertArchitecture=, AssertVirtualization=, … options for a similar mechanism that causes the job to fail (instead of being skipped) and results in logging about the failed check - (instead of being silently processed). For details about assertion conditions see below. + (instead of being silently processed). For details about assertion conditions see below. Units with failed + conditions are considered to be in a clean state and will be garbage collected if they are not referenced. + This means, that when queried, the condition failure may or may not show up in the state of the unit. ConditionArchitecture= may be used to check whether the system is running on a specific -- cgit v1.2.3 From bdb397ed10fb7c7d71fcf1bed2d919680f60889d Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Wed, 8 May 2019 19:43:21 +0530 Subject: networkd: bridge FDB support more NTF_* flags Add support to configure NTF_ROUTER and NTF_USE --- man/systemd.network.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 3ff1a036ff..ca82f33bb4 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1985,6 +1985,19 @@ Defaults to unset. + + AssociatedWith= + + Specifies where the address is associated with. Takes one of use, + self, master or router. + use means the address is in use. User space can use this option to + indicate to the kernel that the fdb entry is in use. self means + the address is associated with the port drivers fdb. Usually hardware. master + means the address is associated with master devices fdb. router means + the destination address is associated with a router. Note that it's valid if the referenced + device is a VXLAN type device and has route shortcircuit enabled. Defaults to self. + + -- cgit v1.2.3 From 633c7258655ba94b2b9c24689de150717839e78b Mon Sep 17 00:00:00 2001 
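Review bot: "This means, that when queried, ..." has a stray comma after "means". It would also help to say what "queried" refers to (for example systemctl status), since the practical consequence is that an administrator inspecting a unit after its condition failed may find no trace of the skipped start.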
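Review bot: several wording problems in the AssociatedWith= description: "Specifies where the address is associated with" should be "Specifies what the address is associated with"; "port drivers fdb" should be "the port driver's FDB"; "master devices fdb" should be "the master device's FDB"; "Usually hardware." is a sentence fragment; "route shortcircuit" should be "route short-circuit". In "Note that it's valid if the referenced device is a VXLAN type device", "it" is ambiguous; presumably "router is only valid when ...". Since the commit message names NTF_ROUTER and NTF_USE, say which value maps to which NTF_* flag so readers can cross-reference the kernel documentation.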
From: Susant Sahani Date: Mon, 13 May 2019 16:45:33 +0530 Subject: networkd: route add support to configure fastopen_no_cookie This patch adds fastopen_no_cookie option to enable/disable TCP fastopen without a cookie on a per-route basis. --- man/systemd.network.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 3ff1a036ff..0395f2c330 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1218,6 +1218,14 @@ + + FastOpenNoCookie= + + Takes a boolean. When true enables TCP fastopen without a cookie on a per-route basis. + When unset, the kernel's default will be used. + + + MTUBytes= -- cgit v1.2.3 From 1501b429a94176bed0753e724541d5b097a92863 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Mon, 13 May 2019 20:00:28 +0530 Subject: networkd: DHCP client add support to send RELEASE packet closes #10820 --- man/systemd.network.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index ca82f33bb4..2f94dc518d 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1470,6 +1470,14 @@ + + SendRelease= + + When true, the DHCPv4 client sends a DHCP release packet when it stops. + Defaults to false. + + + RapidCommit= -- cgit v1.2.3 From 5d5003ab355154fea5a332068e725fbbdf9385d3 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 14 May 2019 16:43:14 +0900 Subject: network: add DefaultRouteOnDevice= setting in [Network] section When enabled, then default route bound to the interface will be created. This is useful when adding routes on point-to-point interfaces. Closes #788. --- man/systemd.network.xml | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 2ce7c7096e..dd0535a06e 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml 
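Review bot: the FastOpenNoCookie= description says what the switch does but not what the cookie is for, so a reader cannot weigh the trade-off. The TFO cookie (RFC 7413) is the server's protection against amplification and resource exhaustion from spoofed source addresses, and this option asks the kernel to skip it for the route. One sentence to that effect would make clear that true is a deliberate decision to trust the peer (e.g. on a private point-to-point link), not a harmless performance tweak.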
@@ -347,6 +347,15 @@ + + DefaultRouteOnDevice= + + Takes a boolean. If set to true, sets up the default route bound to the interface. + Defaults to false. This is useful when creating routes on point-to-point interfaces. + This is equivalent to e.g. the following. + ip route add default dev veth99 + + IPv6Token= -- cgit v1.2.3 From 63ea8032f28052f7cda860e5324c0a83dee7ed23 Mon Sep 17 00:00:00 2001 From: Jan Synacek Date: Tue, 14 May 2019 10:45:08 +0200 Subject: man: note that journal does not validate syslog fields --- man/systemd.journal-fields.xml | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'man') diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml index 960b2ec633..fa374bf0f8 100644 --- a/man/systemd.journal-fields.xml +++ b/man/systemd.journal-fields.xml @@ -104,6 +104,11 @@ usually derived from glibc's program_invocation_short_name variable, see program_invocation_short_name3.) + Note that the journal service does not validate the values of any structured + journal fields whose name is not prefixed with an underscore, and this includes any + syslog related fields such as these. Hence, applications that supply a facility, PID, + or log level are expected to do so properly formatted, i.e. as numeric integers formatted + as decimal strings. -- cgit v1.2.3 From 69c317a07f86166a3b23a928dd4b042a43c18290 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Wed, 15 May 2019 15:42:30 +0530 Subject: networkd: introduce netdev ipvtap This patch adds netdev ipvtap that is based on the IP-VLAN network interface, called ipvtap. An ipvtap device can be created in the same way as an ipvlan device, using 'kind ipvtap', and then accessed using the tap user space interface. --- man/systemd.netdev.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 42632a6540..f11c3e142a 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml 
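Review bot: the new journal-fields note is important for consumers and should say so explicitly: because SYSLOG_FACILITY=, SYSLOG_PID= and the other non-underscore fields are neither validated nor generated by the journal, programs reading the journal must treat them as untrusted client-supplied data, in contrast to the underscore-prefixed trusted fields (such as _PID=) that the journal sets itself. Also "syslog related fields" should be "syslog-related fields".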
@@ -115,6 +115,9 @@ ipvlan An ipvlan device is a stacked device which receives packets from its underlying device based on IP address filtering. + ipvtap + An ipvtap device is a stacked device which receives packets from its underlying device based on IP address filtering and can be accessed using the tap user space interface. + macvlan A macvlan device is a stacked device which receives packets from its underlying device based on MAC address filtering. @@ -519,6 +522,15 @@ + + [IPVTAP] Section Options + + The [IPVTAP] section only applies for + netdevs of kind ipvtap and accepts the + same key as [IPVLAN]. + + + [VXLAN] Section Options The [VXLAN] section only applies for -- cgit v1.2.3 From 4502a61c8a8061025a30a501d4b6cd144bb142e2 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Wed, 15 May 2019 14:47:18 +0530 Subject: networkd: FOU tunnel support Local and Peer tunnel addresses --- man/systemd.netdev.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 42632a6540..baef86c8b7 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -1298,6 +1298,18 @@ Encapsulation=GenericUDPEncapsulation, this must not be specified. + + Peer= + + Configures peer IP address. + + + + Local= + + Configures local IP address. + + -- cgit v1.2.3 From 2cae4711f3141dd6447cae5ee706062f912490e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 17 May 2019 09:39:22 +0200 Subject: analyze: add 'timestamp' verb We had 'calendar' and 'timespan', but the third one was missing. Also consistently order the verbs as calendar/timestamp/timespan in help. The output from 'timespan' is highlighted more. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1711065. --- man/systemd-analyze.xml | 50 +++++++++++++++++++++++++++++++++++++++++++------ man/systemd.time.xml | 4 ++++ 2 files changed, 48 insertions(+), 6 deletions(-) (limited to 'man') 
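Review bot: in the [IPVTAP] section text, "accepts the same key as [IPVLAN]" should be "accepts the same keys as the [IPVLAN] section" (plural, and naming the section). The same construction recurs in the Geneve IPDoNotFragment= and TTL= entries of this series ("Accepts the same key in [VXLAN] section"); a consistent phrasing such as "Takes the same values as the setting of the same name in the [VXLAN] section" would read better everywhere.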
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index abc05e9303..cc29e26240 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -93,7 +93,13 @@ systemd-analyze OPTIONS calendar - SPECS + SPEC + + + systemd-analyze + OPTIONS + timestamp + TIMESTAMP systemd-analyze @@ -360,7 +366,8 @@ $ eog targets.svg systemd.time7. By default, only the next time the calendar expression will elapse is shown; use to show the specified number of next times the expression - elapses. + elapses. Each time the expression elapses forms a timestamp, see the timestamp + verb below. Show leap days in the near future 
@@ -382,13 +389,44 @@ Normalized form: *-02-29 00:00:00 + + <command>systemd-analyze timestamp <replaceable>TIMESTAMP</replaceable>...</command> + + This command parses a timestamp (i.e. a single point in time) and outputs the normalized form and + the difference between this timestamp and now. The timestamp should adhere to the syntax documented in + systemd.time7, + section "PARSING TIMESTAMPS". + + + Show parsing of timestamps + + $ systemd-analyze timestamp yesterday now tomorrow + Original form: yesterday +Normalized form: Thu 2019-05-16 00:00:00 CEST + (in UTC): Wed 2019-05-15 22:00:00 UTC + From now: 1 day 9h ago + + Original form: now +Normalized form: Fri 2019-05-17 09:34:14 CEST + (in UTC): Fri 2019-05-17 07:34:14 UTC + From now: 32us ago + + Original form: tomorrow +Normalized form: Sat 2019-05-18 00:00:00 CEST + (in UTC): Fri 2019-05-17 22:00:00 UTC + From now: 14h left + + + + <command>systemd-analyze timespan <replaceable>EXPRESSION</replaceable>...</command> - This command parses a time span and outputs the normalized form and the equivalent value in - microseconds. The time span should adhere to the same syntax documented in - systemd.time7. - Values without associated magnitudes are parsed as seconds. + This command parses a time span (i.e. a difference between two timestamps) and outputs the + normalized form and the equivalent value in microseconds. The time span should adhere to the syntax + documented in + systemd.time7, + section "PARSING TIME SPANS". Values without units are parsed as seconds. Show parsing of timespans diff --git a/man/systemd.time.xml b/man/systemd.time.xml index 4a6b808c02..c7d5f24b3c 100644 --- a/man/systemd.time.xml +++ b/man/systemd.time.xml 
@@ -173,6 +173,10 @@ tomorrow Pacific/Auckland → Thu 2012-11-23 19:00:00 2 months 5 days ago Note that a relative timestamp is also accepted where a timestamp is expected (see above). + + Use the timestamp command of + systemd-analyze1 to + validate and normalize timestamps for testing purposes. -- cgit v1.2.3 From a37ef4550eb132764ec08c517f800148cb785f57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 17 May 2019 15:14:49 +0200 Subject: man: add missing = Fixes #12598. --- man/systemd.mount.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml index 022e227e83..178dc188a5 100644 --- a/man/systemd.mount.xml +++ b/man/systemd.mount.xml @@ -182,7 +182,7 @@ mount options are understood by systemd which influence how dependencies are created for mount points. systemd will create a dependency of type Wants= or - (see option + (see option below), from either local-fs.target or remote-fs.target, depending whether the file system is local or remote. -- cgit v1.2.3 From 2eca7635f4c184e4efa8452f9790793a167af0c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 17 May 2019 15:40:44 +0200 Subject: man: rework forward/reverse table in systemd.unit(5) Fixes #12600. --- man/systemd.unit.xml | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) (limited to 'man') diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 84af5109b8..3079db1a6b 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -1365,22 +1365,23 @@ "Forward" and "reverse" unit properties - + - + + "Forward" property "Reverse" property - Where used + Where used Before= After= - Both are unit file options + [Unit] section After= 
@@ -1389,42 +1390,48 @@ Requires= RequiredBy= - A unit file option; an option in the [Install] section + [Unit] section + [Install] section Wants= WantedBy= - A unit file option; an option in the [Install] section + [Unit] section + [Install] section PartOf= ConsistsOf= - A unit file option; an automatic property + [Unit] section + an automatic property BindsTo= BoundBy= - A unit file option; an automatic property + [Unit] section + an automatic property Requisite= RequisiteOf= - A unit file option; an automatic property + [Unit] section + an automatic property Triggers= TriggeredBy= - Automatic properties, see notes below + Automatic properties, see notes below Conflicts= ConflictedBy= - A unit file option; an automatic property + [Unit] section + an automatic property PropagatesReloadTo= ReloadPropagatedFrom= - Both are unit file options + [Unit] section ReloadPropagatedFrom= -- cgit v1.2.3 From 8f02c9b0850152e2c0d09e53e9572a5c478f30c9 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Thu, 16 May 2019 12:16:19 +0530 Subject: networkd: FOU netdev add support to configure peer port --- man/systemd.netdev.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 0b0fff1f65..c746ed31f8 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -1300,6 +1300,12 @@ for delivery to the real destination. This option is mandatory. + + PeerPort= + + Specifies the peer port number. Defaults to unset. Note that when peer port is set Peer= address is mandotory. + + Protocol= @@ -1313,7 +1319,7 @@ Peer= - Configures peer IP address. + Configures peer IP address. Note that when peer address is set PeerPort= is mandotory. -- cgit v1.2.3 From 9b88f20aba6a78baf18d89e99ff31d5ee40856b8 Mon Sep 17 00:00:00 2001 
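Review bot: "mandotory" is misspelled twice in the FOU hunk (PeerPort= and Peer= entries); it should be "mandatory". The two entries also express one mutual requirement from both sides (PeerPort= requires Peer=, Peer= requires PeerPort=), which is clearer stated once, e.g. "Peer= and PeerPort= must be set together." Please also give the valid port range for PeerPort=.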
From: Susant Sahani Date: Thu, 16 May 2019 15:19:08 +0530 Subject: networkd: route add MPLS TTL propagate --- man/systemd.network.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index dd0535a06e..4279326bc2 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1235,6 +1235,14 @@ + + TTLPropagate= + + Takes a boolean. When true enables TTL propagation at Label Switched Path (LSP) egress. + When unset, the kernel's default will be used. + + + MTUBytes= -- cgit v1.2.3 From ad2997a7b0ad77810ff67e99abc5f8fc614365ba Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 18 May 2019 12:23:01 +0900 Subject: man: move Blacklist= in [DHCP] section --- man/systemd.network.xml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 4279326bc2..2191eeb797 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1532,6 +1532,13 @@ + + BlackList= + + A whitespace-separated list of IPv4 addresses. DHCP offers from servers in the list are rejected. + + + @@ -1599,13 +1606,6 @@ - - BlackList= - - A whitespace-separated list of IPv4 addresses. DHCP offers from servers in the list are rejected. - - - -- cgit v1.2.3 From fba4e9450602092c58f8676c454f8e534f4e50f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 19 May 2019 11:55:36 +0200 Subject: bootctl: add -x shortcut for --print-boot-path It's a quite useful option, let's match -p. --- man/bootctl.xml | 1 + 1 file changed, 1 insertion(+) (limited to 'man') diff --git a/man/bootctl.xml b/man/bootctl.xml index a80a37309c..3e1f9b588b 100644 --- a/man/bootctl.xml +++ b/man/bootctl.xml @@ -65,6 +65,7 @@ + This option modifies the behaviour of status. Prints only the path to the Extended Boot Loader partition if it exists, and the path to the ESP otherwise to -- cgit v1.2.3 
From aa467bcae16f7090813d6e549487e73a95157f69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 19 May 2019 12:01:32 +0200 Subject: bootctl: do not allow -x and -p to be used together -x already prints the path to ESP in some circumstances, and allowing both to be printed seems confusing. --- man/bootctl.xml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'man') diff --git a/man/bootctl.xml b/man/bootctl.xml index 3e1f9b588b..46b9738b14 100644 --- a/man/bootctl.xml +++ b/man/bootctl.xml @@ -60,18 +60,18 @@ - This option modifies the behaviour of status. Prints only the - path to the EFI System Partition (ESP) to standard output and exits. + This option modifies the behaviour of status. Only prints the path + to the EFI System Partition (ESP) to standard output and exits. - This option modifies the behaviour of status. Prints only the - path to the Extended Boot Loader partition if it exists, and the path to the ESP otherwise to - standard output and exit. This command is useful to determine where to place boot loader entries, as - they are preferably placed in the Extended Boot Loader partition if it exists and in the ESP - otherwise. + This option modifies the behaviour of status. Only prints the path + to the Extended Boot Loader partition if it exists, and the path to the ESP otherwise to standard + output and exit. This command is useful to determine where to place boot loader entries, as they are + preferably placed in the Extended Boot Loader partition if it exists and in the ESP otherwise. + -- cgit v1.2.3 From e520ce64405dedfc1bdd3888f926a69f7d812ab9 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Fri, 17 May 2019 21:51:20 +0530 Subject: networkd: Ability to selectively ignore IPv6 prefixes supplied via router advertisement Closes https://github.com/systemd/systemd/issues/10647 --- man/systemd.network.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'man') 
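Review bot: the rewritten -x paragraph still ends "to standard output and exit" while the -p paragraph above it says "and exits"; make it "exits". "This command is useful to determine ..." refers to an option, not a command, so "This option is useful ...".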
diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 2191eeb797..695bcaa0a4 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1606,6 +1606,13 @@ + + BlackList= + + A whitespace-separated list of IPv6 prefixes. IPv6 prefixes supplied via router advertisements in the list are ignored. + + + -- cgit v1.2.3 From 336351dc52dcbe93b54e121b5acc94d83c93cf61 Mon Sep 17 00:00:00 2001 From: Kashyap Chamarthy Date: Mon, 20 May 2019 17:08:04 +0200 Subject: man: systemd-nspawn: Update syntax to launch an image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To access a shell on a disk image, the man page on Fedora-29 says to run: `systemd-nspawn -M Fedora-Cloud-Base-28-1.1.x86_64.raw`. Let's try. List existing images: $> machinectl list-images | awk '{print $1,$2}'; NAME TYPE Fedora-Cloud-Base-30… raw 1 images Now invoke `systemd-nspawn` as noted in the man page: $> systemd-nspawn -M Fedora-Cloud-Base-30-1.2.x86_64.raw No image for machine 'Fedora-Cloud-Base-30-1.2.x86_64.raw'. Removing the ".raw" extension launches the image and gives a shell. Update the man page to reflect that. Frantisek Sumsal on #systemd (Freenode) noted the reason: "In older versions systemd -M accepted both image-name.raw and image-name as a valid image names, however, on Fedora 29 (systemd-239) with all the BTRFS stuff around it accepts only -M image-name (without the extension)" - - - While at it, update the fedora_{latest_version, cloud_release} variables. Signed-off-by: Kashyap Chamarthy --- man/systemd-nspawn.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'man') diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 5ba162b93c..f1d6f14812 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -1,8 +1,8 @@ - + + ]> 
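Review bot: this adds a second setting named BlackList= to the same man page with different semantics from the one moved into [DHCP] earlier in the series (IPv4 server addresses there, IPv6 prefixes here), and the hunk context shows no section name. The description should name the section it lives in, say whether entries are written as prefix/length, and say whether a received prefix must match an entry exactly or merely fall within it.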
@@ -1343,7 +1343,7 @@ # machinectl pull-raw --verify=no \ https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz -# systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw +# systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64 This downloads an image using machinectl1 -- cgit v1.2.3 From ea62aa24ae49091e88e18ab9a7e310eb5faf4520 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 21 May 2019 09:50:05 +0200 Subject: analyze: also print unix time in "timestamp" --- man/systemd-analyze.xml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'man') diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index cc29e26240..651a73848e 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -402,18 +402,21 @@ Normalized form: *-02-29 00:00:00 $ systemd-analyze timestamp yesterday now tomorrow Original form: yesterday -Normalized form: Thu 2019-05-16 00:00:00 CEST - (in UTC): Wed 2019-05-15 22:00:00 UTC +Normalized form: Mon 2019-05-20 00:00:00 CEST + (in UTC): Sun 2019-05-19 22:00:00 UTC + UNIX seconds: @15583032000 From now: 1 day 9h ago Original form: now -Normalized form: Fri 2019-05-17 09:34:14 CEST - (in UTC): Fri 2019-05-17 07:34:14 UTC - From now: 32us ago +Normalized form: Tue 2019-05-21 09:48:39 CEST + (in UTC): Tue 2019-05-21 07:48:39 UTC + UNIX seconds: @1558424919.659757 + From now: 43us ago Original form: tomorrow -Normalized form: Sat 2019-05-18 00:00:00 CEST - (in UTC): Fri 2019-05-17 22:00:00 UTC +Normalized form: Wed 2019-05-22 00:00:00 CEST + (in UTC): Tue 2019-05-21 22:00:00 UTC + UNIX seconds: @15584760000 From now: 14h left -- cgit v1.2.3 From 75eed300a9339c5150d1210679fa2c3579f5250a Mon Sep 17 00:00:00 2001 
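Review bot: the nspawn example still pulls the image with --verify=no on the context line. Since this is the canonical example users copy, add a sentence stating that this disables checksum and signature verification of the downloaded image and should be dropped, or --verify=signature used, whenever the download source is not fully trusted.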
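Review bot: the UNIX seconds values for "yesterday" and "tomorrow" (@15583032000 and @15584760000) have eleven digits, whereas 2019-05-19 22:00:00 UTC is 1558303200 and 2019-05-21 22:00:00 UTC is 1558476000 (ten digits); the "now" line correctly shows @1558424919.659757. Either the example was mistyped or the formatting code appends a stray 0 when the fractional part is zero. Please re-capture the example from real output and, if it reproduces, fix the formatter.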
From: Yu Watanabe Date: Mon, 20 May 2019 13:27:20 +0900 Subject: network: Allow IFF_VNET_HDR to also be set for tun devices f5f07dbf06f6df9d12e092c05ad8cfbe244d203f adds VnetHeader= for tap devices, but the flag is also used for tun devices. This adds VnetHeader= setting in [Tun] section. --- man/systemd.netdev.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index c746ed31f8..4b26d9670b 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -1408,7 +1408,7 @@ VNetHeader= Takes a boolean. Configures - IFF_VNET_HDR flag for a tap device. It allows sending + IFF_VNET_HDR flag for a tun or tap device. It allows sending and receiving larger Generic Segmentation Offload (GSO) packets. This may increase throughput significantly. Defaults to -- cgit v1.2.3 From 35433040575584c9ab39400774ae9c7cfb82678c Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Mon, 20 May 2019 14:13:11 +0900 Subject: network: deprecate OneQueue= for tun or tap devices IFF_ONE_QUEUE has no effect since kernel-3.8. See kernel's commit 5d097109257c03a71845729f8db6b5770c4bbedc. --- man/systemd.netdev.xml | 9 --------- 1 file changed, 9 deletions(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 4b26d9670b..26a5dbbd1e 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -1379,15 +1379,6 @@ keys: - - OneQueue= - Takes a boolean. Configures whether - all packets are queued at the device (enabled), or a fixed - number of packets are queued at the device and the rest at the - qdisc. Defaults to - no. - - MultiQueue= Takes a boolean. Configures whether -- cgit v1.2.3 From 727036325a000f2c62d90b86d659a64fb6affb5d Mon Sep 17 00:00:00 2001 
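Review bot: the commit title says "deprecate" but the hunk removes the OneQueue= documentation entirely, leaving existing .netdev files with a key that no longer appears in the manual. Keep a one-line entry stating that OneQueue= is accepted but has no effect since kernel 3.8 (when IFF_ONE_QUEUE was dropped, per the commit message), so that a warning on an existing configuration is explainable.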
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 21 May 2019 17:08:35 +0200 Subject: man: add note which tmpfiles services read which files Fixes #12596. --- man/systemd-tmpfiles.xml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml index f05e5ea2e5..7720ef53fa 100644 --- a/man/systemd-tmpfiles.xml +++ b/man/systemd-tmpfiles.xml @@ -65,6 +65,22 @@ tmpfiles.d5 are searched for a matching file and the file found that has the highest priority is executed. + + System services (systemd-tmpfiles-setup.service, + systemd-tmpfiles-setup-dev.service, + systemd-tmpfiles-clean.service) invoke systemd-tmpfiles to create + system files and to perform system wide cleanup. Those services read administrator-controlled + configuration files in tmpfiles.d/ directories. User services + (systemd-tmpfiles-setup.service, + systemd-tmpfiles-clean.service) also invoke systemd-tmpfiles, but + it reads a separate set of files, which includes user-controlled files under + ~/.config/user-tmpfiles.d/ and ~/.local/share/user-tmpfiles.d/, + and administrator-controller files under /usr/share/user-tmpfiles.d/. Users may use + this to create and clean up files under their control, but the system instance performs global cleanup + and is not influenced by user configuration. Note that this means a time-based cleanup configured in the + system instance, such as the one typically configured for /tmp, will thus also + affect files created by the user instance if they are placed in /tmp, even if the + user instance's time-based cleanup is turned off. 
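Review bot: Typo in the new paragraph: "administrator-controller files under /usr/share/user-tmpfiles.d/" should read "administrator-controlled files". The paragraph is otherwise a useful statement of the trust boundary; it may be worth making explicit that the user instance runs unprivileged and therefore cannot override the system instance's cleanup policy for shared locations such as /tmp, which is the point the last sentence is driving at.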
@@ -174,7 +190,7 @@ It is possible to combine , , and - in one invocation (in which case removal and clean-up are executed before creation of new files). For example, + in one invocation (in which case removal and cleanup are executed before creation of new files). For example, during boot the following command line is executed to ensure that all temporary and volatile directories are removed and created according to the configuration file: -- cgit v1.2.3 From b4e2407716731d1ce099bad1c2778f7a4424ed2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 21 May 2019 19:31:49 +0200 Subject: man: add note that %h/%u/%U are mostly useless Fixes #12389. --- man/systemd.unit.xml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'man') diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 3079db1a6b..d13212ebcc 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -1607,7 +1607,9 @@ %h User home directory - This is the home directory of the user running the service manager instance. In case of the system manager this resolves to /root. + This is the home directory of the user running the service manager instance. In case of the system manager this resolves to /root. + +Note that this setting is not influenced by the User= setting configurable in the [Service] section of the service unit. %H 
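Review bot: "this setting" in the added note is misleading: %h (and %u, %U in the following hunk) are specifiers, not settings, so write "this specifier is not affected by the User= setting". Since the identical sentence is added verbatim three times, consider also stating explicitly whether any specifier resolves to the account named by User=; as written, a reader who hits this note in a unit with User= set will go looking for a variant that does honour it.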
@@ -1697,12 +1699,16 @@ %u User name - This is the name of the user running the service manager instance. In case of the system manager this resolves to root. + This is the name of the user running the service manager instance. In case of the system manager this resolves to root. + +Note that this setting is not influenced by the User= setting configurable in the [Service] section of the service unit. %U User UID - This is the numeric UID of the user running the service manager instance. In case of the system manager this resolves to 0. + This is the numeric UID of the user running the service manager instance. In case of the system manager this resolves to 0. + +Note that this setting is not influenced by the User= setting configurable in the [Service] section of the service unit. %v -- cgit v1.2.3 From 35b966ca23da240d30ac18ab615e2d0ec081681a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 21 May 2019 19:38:19 +0200 Subject: man: tweak description of #12247 a bit It wasn't really wrong, but maybe we can make it a bit clearer. Fixes #12247. --- man/sd_bus_request_name.xml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/sd_bus_request_name.xml b/man/sd_bus_request_name.xml index 0f6a4ec313..7229ef517a 100644 --- a/man/sd_bus_request_name.xml +++ b/man/sd_bus_request_name.xml @@ -65,9 +65,9 @@ Description - sd_bus_request_name() requests a well-known service name on a bus. It takes a bus - connection, a valid bus name and a flags parameter. The flags parameter is a combination of the following - flags: + sd_bus_request_name() requests a well-known service name on a bus. It takes a + bus connection, a valid bus name, and a flags parameter. The flags parameter is a combination of zero or + more of the following flags: 
@@ -82,8 +82,9 @@ SD_BUS_NAME_REPLACE_EXISTING - Take over the name if it is already acquired by another peer, and that other peer has permitted - takeover by setting SD_BUS_NAME_ALLOW_REPLACEMENT while acquiring it. + Take over the name if it was already acquired by another peer, and that other peer + has permitted takeover by setting SD_BUS_NAME_ALLOW_REPLACEMENT while acquiring + it. -- cgit v1.2.3 From 847af199e5af43149eb07622e49952fd8dde4768 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 22 May 2019 11:09:36 +0200 Subject: man: reword systemd.socket(5) description to avoid "file" when talking about services This text was written a long time ago, when we mostly talked about "service files". Strictly speaking, we don't need a "file", because the service might be just an instance of a template, or an alias to another service. So let's use the more modern parlance of "service units". https://bugzilla.redhat.com/show_bug.cgi?id=1623781#c21 --- man/systemd.socket.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'man') diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index e29602b068..84faf89c2e 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -51,11 +51,11 @@ which configure resource control settings for the processes of the socket. - For each socket file, a matching service file must exist, + For each socket unit, a matching service unit must exist, describing the service to start on incoming traffic on the socket (see systemd.service5 - for more information about .service files). The name of the + for more information about .service units). The name of the .service unit is by default the same as the name of the .socket unit, but can be altered with the option described below. Depending on the setting of the 
@@ -66,7 +66,7 @@ socket file foo.socket needs a matching service foo.service if is set. If - is set, a service template file + is set, a service template foo@.service must exist from which services are instantiated for each incoming connection. -- cgit v1.2.3 From 44508946534eee032927c263b79464832656dd6e Mon Sep 17 00:00:00 2001 From: Michael Biebl Date: Tue, 14 May 2019 17:40:45 +0200 Subject: Drop support for /usr/sbin/halt.local /usr/sbin/halt.local is a Fedora/Red Hat anachronism from pre-systemd times. --- man/systemd-rc-local-generator.xml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'man') diff --git a/man/systemd-rc-local-generator.xml b/man/systemd-rc-local-generator.xml index 514d1021d6..81744c2025 100644 --- a/man/systemd-rc-local-generator.xml +++ b/man/systemd-rc-local-generator.xml @@ -17,7 +17,7 @@ systemd-rc-local-generator - Compatibility generator for starting /etc/rc.local and /usr/sbin/halt.local during boot and shutdown + Compatibility generator for starting /etc/rc.local during boot 
@@ -35,14 +35,10 @@ script is run after network.target, but in parallel with most other regular system services. - systemd-rc-local-generator also checks whether /usr/sbin/halt.local - exists and is executable, and if it is pulls the halt-local.service unit into the shutdown - process. This unit is responsible for running this script during later shutdown. - - Support for both /etc/rc.local and /usr/sbin/halt.local is provided + Support for /etc/rc.local is provided for compatibility with specific System V systems only. However, it is strongly recommended to avoid making use of - these scripts today, and instead provide proper unit files with appropriate dependencies for any scripts to run - during the boot or shutdown processes. + this script today, and instead provide proper unit files with appropriate dependencies for any scripts to run + during the boot process. systemd-rc-local-generator implements systemd.generator7. -- cgit v1.2.3 From 2fc1afca5917b9ef4fe293fe6fd75615ca364a5d Mon Sep 17 00:00:00 2001 From: Oliver Harley Date: Sun, 26 May 2019 07:31:29 +0200 Subject: --bind-device does not take a bool See https://github.com/systemd/systemd/blob/e95be7def26c6c5feaf08a4135aa4f50c53263a8/src/mount/mount-tool.c#L164 Also makes the man page consistent with the `--help` option --- man/systemd-mount.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'man') diff --git a/man/systemd-mount.xml b/man/systemd-mount.xml index e557ee80a1..4a7c33f558 100644 --- a/man/systemd-mount.xml +++ b/man/systemd-mount.xml 
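Review bot: With the halt.local paragraph deleted, the page no longer tells administrators that /usr/sbin/halt.local is ignored. The generator used to pull halt-local.service in silently whenever the script existed and was executable, so a script still present there will now simply stop running at shutdown with no hint in the documentation. Add a sentence noting that support for /usr/sbin/halt.local has been removed and that such scripts need a proper unit ordered against the shutdown process.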
@@ -211,11 +211,11 @@ - + - Takes a boolean argument, defaults to off. This option only has an effect in automount mode, - and controls whether the automount unit shall be bound to the backing device's lifetime. If enabled, the - automount point will be removed automatically when the backing device vanishes. If disabled the automount point + This option only has an effect in automount mode, + and controls whether the automount unit shall be bound to the backing device's lifetime. If set, the + automount point will be removed automatically when the backing device vanishes. By default the automount point stays around, and subsequent accesses will block until backing device is replugged. This option has no effect in case of non-device mounts, such as network or virtual file system mounts. -- cgit v1.2.3 From d61e4c5b6e312020b22aca5acd3765df1ce61f27 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Thu, 23 May 2019 11:36:25 +0900 Subject: network: add nlmon support nlmon is a Netlink monitor device. --- man/systemd.netdev.xml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 26a5dbbd1e..066793c6e6 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -171,7 +171,10 @@ WireGuard Secure Network Tunnel. netdevsim - A simulator. This simulated networking device is used for testing various networking APIs and at this time is particularly focused on testing hardware offloading related interfaces. + A simulator. This simulated networking device is used for testing various networking APIs and at this time is particularly focused on testing hardware offloading related interfaces. + + nlmon + A Netlink monitor device. Use an nlmon device when you want to monitor system Netlink messages. fou Foo-over-UDP tunneling. -- cgit v1.2.3 From 9cd8c76661b8ba17863de3c991fd5b0ecf15a421 Mon Sep 17 00:00:00 2001 
From: Susant Sahani Date: Wed, 22 May 2019 15:16:41 +0530 Subject: networkctl: add support to delete virtual netdevs We now don't have the support to delete netdevs and dependent upon iproute to delete. With this we can delete via networkctl and use in our test cases too. Note that it supports deleting multiple links at once. ``` sudo ./networkctl delete test1 test2 test3 test4 ``` --- man/networkctl.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'man') diff --git a/man/networkctl.xml b/man/networkctl.xml index 6c28c4bb2d..77f1e1fdfc 100644 --- a/man/networkctl.xml +++ b/man/networkctl.xml @@ -271,6 +271,13 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR) + + + delete + + Deletes virtual netdevs. Takes interface name or index number. + + -- cgit v1.2.3 From b8d88b26f3020c602a240b5b5003e19903490d70 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 23 May 2019 16:14:10 +0200 Subject: man: add vrf section --- man/systemd.netdev.xml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 066793c6e6..f1e47506fa 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -1834,7 +1834,22 @@ For more detail information see Linux Ethernet Bonding Driver HOWTO + + + [VRF] Section Options + The [VRF] section only applies for + netdevs of kind vrf and accepts the + following key: + + + + Table= + + The numeric routing table identifier. This option is compulsory. + + + -- cgit v1.2.3 From 488d0ba10a6ec7649d68f402d7c617bd311ccc85 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Wed, 29 May 2019 17:17:08 +0900 Subject: man: re-indent systemd.netdev.xml --- man/systemd.netdev.xml | 707 +++++++++++++++++++++++++------------------------ 1 file changed, 360 insertions(+), 347 deletions(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index f1e47506fa..d083fb9a6f 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml 
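Review bot: The new `delete` entry says it "Takes interface name or index number" (singular), but the commit message says several links can be deleted in one invocation (`networkctl delete test1 test2 test3 test4`). Document that one or more interface names or index numbers are accepted, and state what happens when a name that is not a virtual netdev is given, since the entry says the command applies to virtual netdevs only.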
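Review bot: Table= in the new [VRF] section documents only that it is numeric and compulsory. State the accepted range and that it is the routing table associated with the VRF, and cross-reference the Table= setting in systemd.network's [Route] section so that readers know the two values have to be kept consistent for routes to land in the VRF's table.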
@@ -250,219 +250,218 @@ - [NetDev] Section Options - The [NetDev] section accepts the - following keys: - - - - Description= - - A free-form description of the netdev. - - - - Name= - - The interface name used when creating the netdev. - This option is compulsory. - - - - Kind= - - The netdev kind. This option is compulsory. See the - Supported netdev kinds section for the - valid keys. - - - - MTUBytes= - - The maximum transmission unit in bytes to set for the device. The usual suffixes K, M, G, - are supported and are understood to the base of 1024. For tun or - tap devices, MTUBytes= setting is not currently supported in - [NetDev] section. Please specify it in [Link] section of - corresponding - systemd.network5 - files. - - - - MACAddress= - - The MAC address to use for the device. For tun or tap - devices, setting MACAddress= in the [NetDev] section is not - supported. Please specify it in [Link] section of the corresponding - systemd.network5 - file. If this option is not set, vlan devices inherit the MAC address of the - physical interface. For other kind of netdevs, if this option is not set, then MAC address is - generated based on the interface name and the - machine-id5. - - - - + The [NetDev] section accepts the + following keys: + + + + Description= + + A free-form description of the netdev. + + + + Name= + + The interface name used when creating the netdev. + This option is compulsory. + + + + Kind= + + The netdev kind. This option is compulsory. See the + Supported netdev kinds section for the + valid keys. + + + + MTUBytes= + + The maximum transmission unit in bytes to set for the device. The usual suffixes K, M, G, + are supported and are understood to the base of 1024. For tun or + tap devices, MTUBytes= setting is not currently supported in + [NetDev] section. Please specify it in [Link] section of + corresponding + systemd.network5 + files. + + + + MACAddress= + + The MAC address to use for the device. 
For tun or tap + devices, setting MACAddress= in the [NetDev] section is not + supported. Please specify it in [Link] section of the corresponding + systemd.network5 + file. If this option is not set, vlan devices inherit the MAC address of the + physical interface. For other kind of netdevs, if this option is not set, then MAC address is + generated based on the interface name and the + machine-id5. + + + + - + [Bridge] Section Options - The [Bridge] section only applies for - netdevs of kind bridge, and accepts the - following keys: - - - - HelloTimeSec= - - HelloTimeSec specifies the number of seconds between two hello packets - sent out by the root bridge and the designated bridges. Hello packets are - used to communicate information about the topology throughout the entire - bridged local area network. - - - - MaxAgeSec= - - MaxAgeSec specifies the number of seconds of maximum message age. - If the last seen (received) hello packet is more than this number of - seconds old, the bridge in question will start the takeover procedure - in attempt to become the Root Bridge itself. - - - - ForwardDelaySec= - - ForwardDelaySec specifies the number of seconds spent in each - of the Listening and Learning states before the Forwarding state is entered. - - - - AgeingTimeSec= - - This specifies the number of seconds a MAC Address will be kept in - the forwarding database after having a packet received from this MAC Address. - - - - Priority= - - The priority of the bridge. An integer between 0 and 65535. A lower value - means higher priority. The bridge having the lowest priority will be elected as root bridge. - - - - GroupForwardMask= - - A 16-bit bitmask represented as an integer which allows forwarding of link - local frames with 802.1D reserved addresses (01:80:C2:00:00:0X). A logical AND - is performed between the specified bitmask and the exponentiation of 2^X, the - lower nibble of the last octet of the MAC address. 
For example, a value of 8 - would allow forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE). - - - - DefaultPVID= - - This specifies the default port VLAN ID of a newly attached bridge port. - Set this to an integer in the range 1–4094 or none to disable the PVID. - - - - MulticastQuerier= - - Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER option in the kernel. - If enabled, the kernel will send general ICMP queries from a zero source address. - This feature should allow faster convergence on startup, but it causes some - multicast-aware switches to misbehave and disrupt forwarding of multicast packets. - When unset, the kernel's default will be used. - - - - - MulticastSnooping= - - Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option in the kernel. - If enabled, IGMP snooping monitors the Internet Group Management Protocol (IGMP) traffic - between hosts and multicast routers. When unset, the kernel's default will be used. - - - - - VLANFiltering= - - Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING option in the kernel. - If enabled, the bridge will be started in VLAN-filtering mode. When unset, the kernel's default will be used. - - - - - STP= - - Takes a boolean. This enables the bridge's Spanning Tree Protocol (STP). - When unset, the kernel's default will be used. - - - - + The [Bridge] section only applies for + netdevs of kind bridge, and accepts the + following keys: + + + + HelloTimeSec= + + HelloTimeSec specifies the number of seconds between two hello packets + sent out by the root bridge and the designated bridges. Hello packets are + used to communicate information about the topology throughout the entire + bridged local area network. + + + + MaxAgeSec= + + MaxAgeSec specifies the number of seconds of maximum message age. 
+ If the last seen (received) hello packet is more than this number of + seconds old, the bridge in question will start the takeover procedure + in attempt to become the Root Bridge itself. + + + + ForwardDelaySec= + + ForwardDelaySec specifies the number of seconds spent in each + of the Listening and Learning states before the Forwarding state is entered. + + + + AgeingTimeSec= + + This specifies the number of seconds a MAC Address will be kept in + the forwarding database after having a packet received from this MAC Address. + + + + Priority= + + The priority of the bridge. An integer between 0 and 65535. A lower value + means higher priority. The bridge having the lowest priority will be elected as root bridge. + + + + GroupForwardMask= + + A 16-bit bitmask represented as an integer which allows forwarding of link + local frames with 802.1D reserved addresses (01:80:C2:00:00:0X). A logical AND + is performed between the specified bitmask and the exponentiation of 2^X, the + lower nibble of the last octet of the MAC address. For example, a value of 8 + would allow forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE). + + + + DefaultPVID= + + This specifies the default port VLAN ID of a newly attached bridge port. + Set this to an integer in the range 1–4094 or none to disable the PVID. + + + + MulticastQuerier= + + Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER option in the kernel. + If enabled, the kernel will send general ICMP queries from a zero source address. + This feature should allow faster convergence on startup, but it causes some + multicast-aware switches to misbehave and disrupt forwarding of multicast packets. + When unset, the kernel's default will be used. + + + + + MulticastSnooping= + + Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option in the kernel. + If enabled, IGMP snooping monitors the Internet Group Management Protocol (IGMP) traffic + between hosts and multicast routers. 
When unset, the kernel's default will be used. + + + + + VLANFiltering= + + Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING option in the kernel. + If enabled, the bridge will be started in VLAN-filtering mode. When unset, the kernel's default will be used. + + + + + STP= + + Takes a boolean. This enables the bridge's Spanning Tree Protocol (STP). + When unset, the kernel's default will be used. + + + + [VLAN] Section Options - The [VLAN] section only applies for - netdevs of kind vlan, and accepts the - following key: - - - - Id= - - The VLAN ID to use. An integer in the range 0–4094. - This option is compulsory. - - - - GVRP= - - Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a protocol that - allows automatic learning of VLANs on a network. - When unset, the kernel's default will be used. - - - - - MVRP= - - Takes a boolean. Multiple VLAN Registration Protocol (MVRP) formerly known as GARP VLAN - Registration Protocol (GVRP) is a standards-based Layer 2 network protocol, - for automatic configuration of VLAN information on switches. It was defined - in the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's default will be used. - - - - - LooseBinding= - - Takes a boolean. The VLAN loose binding mode, in which only the operational state is passed - from the parent to the associated VLANs, but the VLAN device state is not changed. - When unset, the kernel's default will be used. - - - - ReorderHeader= - - Takes a boolean. The VLAN reorder header is set VLAN interfaces behave like physical interfaces. - When unset, the kernel's default will be used. - - - + The [VLAN] section only applies for + netdevs of kind vlan, and accepts the + following key: + + + + Id= + + The VLAN ID to use. An integer in the range 0–4094. + This option is compulsory. + + + + GVRP= + + Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a protocol that + allows automatic learning of VLANs on a network. 
+ When unset, the kernel's default will be used. + + + + + MVRP= + + Takes a boolean. Multiple VLAN Registration Protocol (MVRP) formerly known as GARP VLAN + Registration Protocol (GVRP) is a standards-based Layer 2 network protocol, + for automatic configuration of VLAN information on switches. It was defined + in the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's default will be used. + + + + + LooseBinding= + + Takes a boolean. The VLAN loose binding mode, in which only the operational state is passed + from the parent to the associated VLANs, but the VLAN device state is not changed. + When unset, the kernel's default will be used. + + + + ReorderHeader= + + Takes a boolean. The VLAN reorder header is set VLAN interfaces behave like physical interfaces. + When unset, the kernel's default will be used. + + + @@ -485,17 +484,15 @@ - - + [MACVTAP] Section Options The [MACVTAP] section applies for netdevs of kind macvtap and accepts the same key as [MACVLAN]. - - + [IPVLAN] Section Options @@ -507,22 +504,21 @@ Mode= - - The IPVLAN mode to use. The supported options are - L2,L3 and L3S. - - + + The IPVLAN mode to use. The supported options are + L2,L3 and L3S. + + - + Flags= - - The IPVLAN flags to use. The supported options are - bridge,private and vepa. - - + + The IPVLAN flags to use. The supported options are + bridge,private and vepa. + + - @@ -531,11 +527,11 @@ The [IPVTAP] section only applies for netdevs of kind ipvtap and accepts the same key as [IPVLAN]. - [VXLAN] Section Options + The [VXLAN] section only applies for netdevs of kind vxlan, and accepts the following keys: @@ -565,7 +561,7 @@ Configures VXLAN multicast group IP address. All members of a VXLAN must use the same multicast group address. - + TOS= The Type Of Service byte value for a vxlan interface. 
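Review bot: This hunk is whitespace-only, which is right for a re-indent, but it carries several pre-existing text defects that should go in a follow-up commit rather than be buried here: the [VLAN] section says it "accepts the following key" while listing Id=, GVRP=, MVRP=, LooseBinding= and ReorderHeader=; the ReorderHeader= description ("The VLAN reorder header is set VLAN interfaces behave like physical interfaces") is not a sentence; and the GVRP=/MVRP= entries explain the same protocol twice under two names.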
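Review bot: The re-indented IPVLAN Mode= and Flags= entries keep "L2,L3 and L3S" and "bridge,private and vepa" without spaces after the commas; since these lines are being touched anyway, fix the spacing in a follow-up so that the value lists read as lists.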
@@ -661,36 +657,36 @@ Takes a boolean. When true, remote receive checksum offload in VXLAN is turned on. - - GroupPolicyExtension= - - Takes a boolean. When true, it enables Group Policy VXLAN extension security label mechanism - across network peers based on VXLAN. For details about the Group Policy VXLAN, see the - - VXLAN Group Policy document. Defaults to false. - - - - GenericProtocolExtension= - - Takes a boolean. When true, Generic Protocol Extension extends the existing VXLAN protocol - to provide protocol typing, OAM, and versioning capabilities. For details about the VXLAN GPE - Header, see the - Generic Protocol Extension for VXLAN document. If destination port is not specified and - Generic Protocol Extension is set then default port of 4790 is used. Defaults to false. - - - - DestinationPort= - - Configures the default destination UDP port on a per-device basis. - If destination port is not specified then Linux kernel default will be used. - Set destination port 4789 to get the IANA assigned value. If not set or if the - destination port is assigned the empty string the default port of 4789 is used. - - - - PortRange= + + GroupPolicyExtension= + + Takes a boolean. When true, it enables Group Policy VXLAN extension security label mechanism + across network peers based on VXLAN. For details about the Group Policy VXLAN, see the + + VXLAN Group Policy document. Defaults to false. + + + + GenericProtocolExtension= + + Takes a boolean. When true, Generic Protocol Extension extends the existing VXLAN protocol + to provide protocol typing, OAM, and versioning capabilities. For details about the VXLAN GPE + Header, see the + Generic Protocol Extension for VXLAN document. If destination port is not specified and + Generic Protocol Extension is set then default port of 4790 is used. Defaults to false. + + + + DestinationPort= + + Configures the default destination UDP port on a per-device basis. 
+ If destination port is not specified then Linux kernel default will be used. + Set destination port 4789 to get the IANA assigned value. If not set or if the + destination port is assigned the empty string the default port of 4789 is used. + + + + PortRange= Configures VXLAN port range. VXLAN bases source UDP port based on flow to help the receiver to be able @@ -699,14 +695,14 @@ ports, and allows overriding via configuration. - - FlowLabel= + + FlowLabel= Specifies the flow label to use in outgoing packets. The valid range is 0-1048575. - + IPDoNotFragment= @@ -718,8 +714,10 @@ + [GENEVE] Section Options + The [GENEVE] section only applies for netdevs of kind geneve, and accepts the following keys: @@ -769,29 +767,31 @@ Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field. - - DestinationPort= - - Specifies destination port. Defaults to 6081. If not set or assigned the empty string, the default - port of 6081 is used. - - - - FlowLabel= + + DestinationPort= + + Specifies destination port. Defaults to 6081. If not set or assigned the empty string, the default + port of 6081 is used. + + + + FlowLabel= Specifies the flow label to use in outgoing packets. - - - IPDoNotFragment= + + + IPDoNotFragment= Accepts the same key in [VXLAN] section. - + + [L2TP] Section Options + The [L2TP] section only applies for netdevs of kind l2tp, and accepts the following keys: @@ -868,8 +868,10 @@ + [L2TPSession] Section Options + The [L2TPSession] section only applies for netdevs of kind l2tp, and accepts the following keys: @@ -902,8 +904,10 @@ + [MACsec] Section Options + The [MACsec] section only applies for network devices of kind macsec, and accepts the following keys: @@ -924,6 +928,7 @@ + [MACsecReceiveChannel] Section Options The [MACsecReceiveChannel] section only applies for network devices of 
@@ -948,8 +953,10 @@ + [MACsecTransmitAssociation] Section Options + The [MACsecTransmitAssociation] section only applies for network devices of kind macsec, and accepts the following keys: @@ -1006,8 +1013,10 @@ + [MACsecReceiveAssociation] Section Options + The [MACsecReceiveAssociation] section only applies for network devices of kind macsec, and accepts the following keys: @@ -1057,6 +1066,7 @@ + [Tunnel] Section Options @@ -1302,13 +1312,13 @@ will arrive with the encapsulation will be removed. Then they will be manually fed back into the network stack, and sent ahead for delivery to the real destination. This option is mandatory. - + PeerPort= Specifies the peer port number. Defaults to unset. Note that when peer port is set Peer= address is mandotory. - + Protocol= @@ -1333,47 +1343,51 @@ + [Peer] Section Options - The [Peer] section only applies for - netdevs of kind veth and accepts the - following keys: - - - - Name= - - The interface name used when creating the netdev. - This option is compulsory. - - - - MACAddress= - - The peer MACAddress, if not set, it is generated in - the same way as the MAC address of the main - interface. - - - + The [Peer] section only applies for + netdevs of kind veth and accepts the + following keys: + + + + Name= + + The interface name used when creating the netdev. + This option is compulsory. + + + + MACAddress= + + The peer MACAddress, if not set, it is generated in + the same way as the MAC address of the main + interface. + + + + - [VXCAN] Section Options - The [VXCAN] section only applies for - netdevs of kind vxcan and accepts the - following key: - - - - Peer= - - The peer interface name used when creating the netdev. - This option is compulsory. - - - + [VXCAN] Section Options + + The [VXCAN] section only applies for + netdevs of kind vxcan and accepts the + following key: + + + + Peer= + + The peer interface name used when creating the netdev. + This option is compulsory. + + + + [Tun] Section Options 
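Review bot: The context lines of the PeerPort= hunk carry the typo "mandotory" ("Note that when peer port is set Peer= address is mandotory"); the re-indent should not fix it, but it is worth a follow-up, ideally rewording to "When PeerPort= is set, Peer= must also be set."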
@@ -1421,9 +1435,7 @@ /dev/net/tun device. - - @@ -1445,12 +1457,12 @@ PrivateKey= The Base64 encoded private key for the interface. It can be - generated using the wg genkey command - (see wg8). - This option or PrivateKeyFile= is mandatory to use WireGuard. - Note that because this information is secret, you may want to set - the permissions of the .netdev file to be owned by root:systemd-network - with a 0640 file mode. + generated using the wg genkey command + (see wg8). + This option or PrivateKeyFile= is mandatory to use WireGuard. + Note that because this information is secret, you may want to set + the permissions of the .netdev file to be owned by root:systemd-network + with a 0640 file mode. @@ -1467,9 +1479,9 @@ ListenPort= Sets UDP port for listening. Takes either value between 1 and 65535 - or auto. If auto is specified, - the port is automatically generated based on interface name. - Defaults to auto. + or auto. If auto is specified, + the port is automatically generated based on interface name. + Defaults to auto. 
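Review bot: The PrivateKey= text tells readers to protect the .netdev file with root:systemd-network and mode 0640 if they inline the key, but the safer alternative is already named in the same sentence: PrivateKeyFile=. Reword so that PrivateKeyFile= pointing to a root-owned file is the recommended way and an inline PrivateKey= is the fallback; with the key inline, every copy of the .netdev file (backups, configuration management, pasted bug reports) carries the secret.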
@@ -1492,23 +1504,23 @@ PublicKey= Sets a Base64 encoded public key calculated by wg pubkey - (see wg8) - from a private key, and usually transmitted out of band to the - author of the configuration file. This option is mandatory for this - section. + (see wg8) + from a private key, and usually transmitted out of band to the + author of the configuration file. This option is mandatory for this + section. PresharedKey= Optional preshared key for the interface. It can be generated - by the wg genpsk command. This option adds an - additional layer of symmetric-key cryptography to be mixed into the - already existing public-key cryptography, for post-quantum - resistance. - Note that because this information is secret, you may want to set - the permissions of the .netdev file to be owned by root:systemd-networkd - with a 0640 file mode. + by the wg genpsk command. This option adds an + additional layer of symmetric-key cryptography to be mixed into the + already existing public-key cryptography, for post-quantum + resistance. + Note that because this information is secret, you may want to set + the permissions of the .netdev file to be owned by root:systemd-networkd + with a 0640 file mode. 
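Review bot: The PresharedKey= note says to make the .netdev file owned by "root:systemd-networkd", while the PrivateKey= note in the previous hunk says "root:systemd-network". Only one of these groups exists, and a reader following the PresharedKey= text literally will get a chown error or, worse, a file readable by the wrong group; correct it to the group name used for PrivateKey= in a follow-up.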
@@ -1525,33 +1537,33 @@ AllowedIPs= Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks - from which this peer is allowed to send incoming traffic and to - which outgoing traffic for this peer is directed. The catch-all - 0.0.0.0/0 may be specified for matching all IPv4 addresses, and - ::/0 may be specified for matching all IPv6 addresses. + from which this peer is allowed to send incoming traffic and to + which outgoing traffic for this peer is directed. The catch-all + 0.0.0.0/0 may be specified for matching all IPv4 addresses, and + ::/0 may be specified for matching all IPv6 addresses. Endpoint= Sets an endpoint IP address or hostname, followed by a colon, and then - a port number. This endpoint will be updated automatically once to - the most recent source IP address and port of correctly - authenticated packets from the peer at configuration time. + a port number. This endpoint will be updated automatically once to + the most recent source IP address and port of correctly + authenticated packets from the peer at configuration time. PersistentKeepalive= Sets a seconds interval, between 1 and 65535 inclusive, of how often - to send an authenticated empty packet to the peer for the purpose - of keeping a stateful firewall or NAT mapping valid persistently. - For example, if the interface very rarely sends traffic, but it - might at anytime receive traffic from a peer, and it is behind NAT, - the interface might benefit from having a persistent keepalive - interval of 25 seconds. If set to 0 or "off", this option is - disabled. By default or when unspecified, this option is off. - Most users will not need this. + to send an authenticated empty packet to the peer for the purpose + of keeping a stateful firewall or NAT mapping valid persistently. 
+ For example, if the interface very rarely sends traffic, but it + might at anytime receive traffic from a peer, and it is behind NAT, + the interface might benefit from having a persistent keepalive + interval of 25 seconds. If set to 0 or "off", this option is + disabled. By default or when unspecified, this option is off. + Most users will not need this. @@ -1777,9 +1789,9 @@ PacketsPerSlave= Specify the number of packets to transmit through a slave before - moving to the next one. When set to 0, then a slave is chosen at - random. The valid range is 0–65535. Defaults to 1. This option - only has effect when in balance-rr mode. + moving to the next one. When set to 0, then a slave is chosen at + random. The valid range is 0–65535. Defaults to 1. This option + only has effect when in balance-rr mode. @@ -1788,13 +1800,13 @@ GratuitousARP= Specify the number of peer notifications (gratuitous ARPs and - unsolicited IPv6 Neighbor Advertisements) to be issued after a - failover event. As soon as the link is up on the new slave, - a peer notification is sent on the bonding device and each - VLAN sub-device. This is repeated at each link monitor interval - (ARPIntervalSec or MIIMonitorSec, whichever is active) if the number is - greater than 1. The valid range is 0–255. The default value is 1. - These options affect only the active-backup mode. + unsolicited IPv6 Neighbor Advertisements) to be issued after a + failover event. As soon as the link is up on the new slave, + a peer notification is sent on the bonding device and each + VLAN sub-device. This is repeated at each link monitor interval + (ARPIntervalSec or MIIMonitorSec, whichever is active) if the number is + greater than 1. The valid range is 0–255. The default value is 1. + These options affect only the active-backup mode. @@ -2037,6 +2049,7 @@ AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24 Endpoint=wireguard.example.com:51820 + See Also -- cgit v1.2.3 
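Review bot: the reflowed PresharedKey= paragraph still advises owning the .netdev file as root:systemd-networkd, while the PrivateKey= paragraph in the same patch says root:systemd-network; the group that should be able to read networkd's configuration is systemd-network, so the PresharedKey= text should be corrected to match (the 0640 mode advice is right in both). Since both secrecy notes are being reindented anyway, this is the moment to make them identical word for word so the next grep for the wrong group name finds nothing.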
From 61fbbac1d517a0b3498a689c736c6ca918497904 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 24 May 2019 08:35:51 +0200 Subject: pid1: parse CPUAffinity= in incremental fashion This makes the handling of this option match what we do in unit files. I think consistency is important here. (As it happens, it is the only option in system.conf that is "non-atomic", i.e. where there's a list of things which can be split over multiple assignments. All other options are single-valued, so there's no issue of how to handle multiple assignments.) --- man/systemd-system.conf.xml | 11 +++++++---- man/systemd.exec.xml | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 41baff8bfe..f5d419c519 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -96,10 +96,13 @@ CPUAffinity= - Configures the CPU affinity for the service manager as well as the default CPU affinity for all - forked off processes. Takes a list of CPU indices or ranges separated by either whitespace or commas. CPU - ranges are specified by the lower and upper CPU indices separated by a dash. Individual services may override - the CPU affinity for their processes with the CPUAffinity= setting in unit files, see + Configures the CPU affinity for the service manager as well as the default CPU + affinity for all forked off processes. Takes a list of CPU indices or ranges separated by either + whitespace or commas. CPU ranges are specified by the lower and upper CPU indices separated by a + dash. This option may be specified more than once, in which case the specified CPU affinity masks are + merged. If the empty string is assigned, the mask is reset, all assignments prior to this will have + no effect. Individual services may override the CPU affinity for their processes with the + CPUAffinity= setting in unit files, see systemd.exec5. 
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 719c2c5ff3..d65b842f44 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -754,7 +754,7 @@ CapabilityBoundingSet=~CAP_B CAP_C Controls the CPU affinity of the executed processes. Takes a list of CPU indices or ranges separated by either whitespace or commas. CPU ranges are specified by the lower and upper CPU indices separated - by a dash. This option may be specified more than once, in which case the specified CPU affinity masks are + by a dash. This option may be specified more than once, in which case the specified CPU affinity masks are merged. If the empty string is assigned, the mask is reset, all assignments prior to this will have no effect. See sched_setaffinity2 for -- cgit v1.2.3 From a459b24f7e4d9030135e4ea40575d42f4a8fffdf Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 25 May 2019 00:37:48 +0900 Subject: networkctl: optionally show link statistics --- man/networkctl.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'man') diff --git a/man/networkctl.xml b/man/networkctl.xml index 77f1e1fdfc..7f68f249e4 100644 --- a/man/networkctl.xml +++ b/man/networkctl.xml @@ -58,6 +58,17 @@ + + + + + + + + Show link statistics with status. + + + -- cgit v1.2.3 From ae760f4b165353ef4f0e84179131791c7a619550 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sun, 2 Jun 2019 01:02:09 +0900 Subject: udevadm: add --wait-for-initialization option to "udevadm info" --- man/udevadm.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'man') diff --git a/man/udevadm.xml b/man/udevadm.xml index a591ab8c34..396d418f83 100644 --- a/man/udevadm.xml +++ b/man/udevadm.xml @@ -175,6 +175,14 @@ Cleanup the udev database. + + + + + Wait for device to be initialized. If argument SECONDS + is not specified, the default is to wait forever. + + -- cgit v1.2.3 From 90f003a39f2082eb4b5f87812a43436792fb11b9 Mon Sep 17 00:00:00 2001 
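Review bot: in the systemd.exec.xml hunk of the CPUAffinity= change, the removed and added "by a dash. This option may be specified more than once" lines are textually identical, so this is a whitespace-only change; either drop it from the commit or say so in the commit message, so reviewers do not look for a wording difference. In the systemd-system.conf.xml hunk, "If the empty string is assigned, the mask is reset, all assignments prior to this will have no effect" is a comma splice copied from systemd.exec.xml; "the mask is reset and all assignments prior to this will have no effect" reads better in both files.

Review bot: the networkctl.xml hunk adds an option whose entire description is "Show link statistics with status."; it should spell out the verb it applies to as a literal (status), say which statistics are shown, and state whether it is ignored by the other verbs. The option's long and short names do not survive in this view of the hunk, so double-check that the term element actually carries them.

Review bot: the udevadm.xml hunk for the new wait-for-initialization option says the default without SECONDS is to wait forever, but not what happens when a timeout is given and expires; document the failure mode (whether udevadm info exits non-zero and what it prints), because a script using this option needs to distinguish "device not initialized in time" from "device not found". An unbounded default wait also deserves a caveat, since a script that passes no timeout will hang indefinitely if the device never appears.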
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 4 Jun 2019 12:56:14 +0200 Subject: meson: escape dots in man/man helper It was impossible to view systemd.nspawn(5), because systemd-nspawn(1) was matched also, and happened to be earlier in the list. The solution in this patch is pretty crude, but it should be enough for our purposes, since we don't have any regexp special characters in man page names except for the dot. --- man/man.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/man.in b/man/man.in index 5700a642bd..ab1c1fdc73 100755 --- a/man/man.in +++ b/man/man.in @@ -6,7 +6,8 @@ if [ -z "$1" ]; then exit 1 fi -target=$(ninja -C "@BUILD_ROOT@" -t query man/man | grep -E -m1 "man/$1\.[0-9]$" | awk '{print $2}') +page="$(echo "$1" | sed 's/\./\\./')" +target=$(ninja -C "@BUILD_ROOT@" -t query man/man | grep -E -m1 "man/$page\.[0-9]$" | awk '{print $2}') if [ -z "$target" ]; then echo "Cannot find page $1" exit 1 -- cgit v1.2.3 From 4fb334113bc2a71d75eaabeb3f81c98e5aaddc75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 4 Jun 2019 17:33:59 +0200 Subject: man/man: refer to the right build directory in the helpers I have no idea how this one slipped through. --- man/html.in | 2 +- man/man.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/html.in b/man/html.in index d4debcc340..bc9a668c23 100755 --- a/man/html.in +++ b/man/html.in @@ -9,4 +9,4 @@ fi target="man/$1.html" ninja -C "@BUILD_ROOT@" "$target" set -x -exec xdg-open build/"$target" +exec xdg-open "@BUILD_ROOT@/$target" diff --git a/man/man.in b/man/man.in index ab1c1fdc73..75680b860c 100755 --- a/man/man.in +++ b/man/man.in @@ -13,4 +13,4 @@ if [ -z "$target" ]; then exit 1 fi ninja -C "@BUILD_ROOT@" "$target" -exec man build/"$target" +exec man "@BUILD_ROOT@/$target" -- cgit v1.2.3 From 7e95efb50819a9c1eb85291041ef65fd89f4afb7 Mon Sep 17 00:00:00 2001 
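Review bot: in the man/man.in hunk, sed 's/\./\\./' escapes only the first dot in $1 because the s command has no g flag, so a page name containing two dots would still have its second dot treated as a regexp wildcard; use sed 's/\./\\./g'. The commit message is right that the dot is the only regexp metacharacter in current page names, but the helper is used interactively with whatever the developer types, so escaping every dot costs nothing and removes the surprise.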
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 4 Jun 2019 13:44:46 +0200 Subject: man: mention quoting in description of Parameters= Also add a short example how to translate nspawn command line to .nspawn settings. Fixes #12703. --- man/systemd.nspawn.xml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'man') diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml index 70c6ff33a6..787d5fd699 100644 --- a/man/systemd.nspawn.xml +++ b/man/systemd.nspawn.xml @@ -119,8 +119,8 @@ specified parameters using Parameters= are passed as additional arguments to the init process. This setting corresponds to the switch on the systemd-nspawn command line. This option may not be combined with - ProcessTwo=yes. This option is the default if the - systemd-nspawn@.service template unit file is used. + ProcessTwo=yes. This option is specified by default in the + systemd-nspawn@.service template unit. @@ -145,13 +145,15 @@ Parameters= - Takes a space-separated list of - arguments. This is either a command line, beginning with the - binary name to execute, or – if Boot= is - enabled – the list of arguments to pass to the init - process. This setting corresponds to the command line - parameters passed on the systemd-nspawn - command line. + Takes a whitespace-separated list of arguments. Single (') and + double (") quotes may be used around arguments with whitespace. This is either a + command line, beginning with the binary name to execute, or – if Boot= is enabled + – the list of arguments to pass to the init process. This setting corresponds to the command line + parameters passed on the systemd-nspawn command line. + + Note: , is the same as + systemd-nspawn a b "c c", and , + is the same as systemd-nspawn --boot b 'c c'. -- cgit v1.2.3 From b0458daf947aa4cd3965dc2eeda95cd745fdd0b4 Mon Sep 17 00:00:00 2001 
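Review bot: the Parameters= hunk says single and double quotes "may be used around arguments with whitespace" but not which quoting rules apply, in particular whether backslash escapes are honoured inside quotes and whether the rules are the same ones unit files use for ExecStart=; point at the quoting description systemd already maintains for unit files rather than leaving readers to guess, so the two do not drift apart. Also, the left-hand side of each "is the same as" comparison in the new Note is empty in this view of the hunk; verify that the literal Parameters= assignments (and the Boot= setting for the second one) render in the built page, otherwise the example shows only the command lines and not the settings they correspond to.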
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 5 Jun 2019 14:57:06 +0200 Subject: man: add "quick reference" to tmpfiles.d(5) The synopsis section would describe config file paths, but not their syntax. Let's add a short table so that it's possible to quickly remind oneself what the different letters mean. --- man/tmpfiles.d.xml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'man') diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index 67bd1dc724..26afc116b7 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml 
@@ -36,6 +36,37 @@ /usr/share/user-tmpfiles.d/*.conf + + #Type Path Mode User Group Age Argument +f /file/to/create mode user group - content +F /file/to/create-or-truncate mode user group - content +w /file/to/write-to - - - - content +d /directory/to/create-and-cleanup mode user group cleanup-age - +D /directory/to/create-and-remove mode user group cleanup-age - +e /directory/to/cleanup mode user group cleanup-age - +v /subvolume/to/create mode user group - - +v /subvolume-or-directory/to/create mode user group - - +Q /subvolume/to/create mode user group - - +p /fifo/to/create mode user group - - +L /symlink/to/create - - - - symlink/target/path +c /dev/char-device-to-create mode user group - - +b /dev/block-device-to-create mode user group - - +# p+, L+, c+, b+ create target unconditionally +C /target/to/create - - - - /source/to/copy +x /path-or-glob/to/ignore - - - - - +X /path-or-glob/to/ignore/recursively - - - - - +r /empty/dir/to/remove - - - - - +R /dir/to/remove/recursively - - - - - +z /path-or-glob/to/adjust/mode mode user group - MAC context +Z /path-or-glob/to/adjust/mode/recursively mode user group - MAC context +t /path-or-glob/to/set/xattrs - - - - xattrs +T /path-or-glob/to/set/xattrs/recursively - - - - xattrs +h /path-or-glob/to/set/attrs - - - - file attrs +H /path-or-glob/to/set/attrs/recursively - - - - file attrs +a /path-or-glob/to/set/acls - - - - POSIX ACLs +A /path-or-glob/to/set/acls/recursively - - - - POSIX ACLs +# a+, A+ append ACLs + -- cgit v1.2.3 From 8b6805a25bd6e2434bc402bff52656ae13216d21 Mon Sep 17 00:00:00 2001 
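Review bot: the quick-reference table lists the v type twice ("v /subvolume/to/create" and "v /subvolume-or-directory/to/create") and has no q row even though Q is present; the second v row is almost certainly meant to be q, the existing tmpfiles type that creates a subvolume or directory, so the sequence reads v, q, Q like the rest of the page. The two comment lines embedded in the table ("# p+, L+, c+, b+ create target unconditionally" and "# a+, A+ append ACLs") are also easy to mistake for rows at a glance; moving them below the table keeps the first column to exactly one type letter per line, which is what a quick reference is for.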
From: Jonathan Rouleau Date: Wed, 5 Jun 2019 18:59:05 -0600 Subject: hibernate-resume: add resumeflags= kernel option Adds the resumeflags= kernel command line option to allow setting a custom device timeout for the resume device (defaults to the same as the root device). --- man/kernel-command-line.xml | 3 ++- man/systemd-hibernate-resume-generator.xml | 7 +++++++ 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml index 40b7766214..903ff924f5 100644 --- a/man/kernel-command-line.xml +++ b/man/kernel-command-line.xml @@ -402,10 +402,11 @@ resume= + resumeflags= Enables resume from hibernation using the specified - device. All + device and mount options. All fstab5-like paths are supported. For details, see systemd-hibernate-resume-generator8. diff --git a/man/systemd-hibernate-resume-generator.xml b/man/systemd-hibernate-resume-generator.xml index ff105d435c..f532a19a48 100644 --- a/man/systemd-hibernate-resume-generator.xml +++ b/man/systemd-hibernate-resume-generator.xml @@ -55,6 +55,13 @@ supported. + + resumeflags= + + Takes the resume device mount options to + use. Defaults rootflags= if not specified. + + noresume -- cgit v1.2.3 From c98d78d32abba6aadbe89eece7acf0742f59047c Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Mon, 3 Jun 2019 15:37:25 +0900 Subject: man: add documentation about KeepConfiguration --- man/systemd.network.xml | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 695bcaa0a4..d832e68d71 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml 
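Review bot: in the systemd-hibernate-resume-generator.xml hunk, "Defaults rootflags= if not specified" is missing "to" ("Defaults to rootflags="). The commit message says the purpose of resumeflags= is to set a custom device timeout for the resume device, but neither hunk says how that is done: name x-systemd.device-timeout= as the option this exists for, and state whether the whole set of fstab-style mount options is honoured or only the x-systemd.* ones the generator understands, because "using the specified device and mount options" in kernel-command-line.xml reads as if the resume device were being mounted.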
@@ -838,6 +838,22 @@ + + KeepConfiguration= + + Takes a boolean or one of static, dhcp-on-stop, + dhcp. When static, systemd-networkd + will not drop static addresses and routes on starting up process. When set to + dhcp-on-stop, systemd-networkd will not drop addresses + and routes on stopping the daemon. When dhcp, + the addresses and routes provided by a DHCP server will never be dropped even if the DHCP + lease expires. This is contrary to the DHCP specification, but may be the best choice if, + e.g., the root filesystem relies on this connection. The setting dhcp + implies dhcp-on-stop, and yes implies + dhcp and static. Defaults to + dhcp-on-stop. + + @@ -1381,17 +1397,6 @@ system. Defaults to no. - - CriticalConnection= - - When true, the connection will never be torn down - even if the DHCP lease expires. This is contrary to the - DHCP specification, but may be the best choice if, say, - the root filesystem relies on this connection. Defaults to - false. - - - ClientIdentifier= -- cgit v1.2.3 From 9a311429977daab43aa97b702e8f59337ff29f9b Mon Sep 17 00:00:00 2001 From: Theo Ouzhinski Date: Sat, 8 Jun 2019 17:43:59 -0400 Subject: man/systemd-veritysetup-generator: Fix grammar --- man/systemd-veritysetup-generator.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemd-veritysetup-generator.xml b/man/systemd-veritysetup-generator.xml index 305dda4b8e..bcacd59cf9 100644 --- a/man/systemd-veritysetup-generator.xml +++ b/man/systemd-veritysetup-generator.xml 
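Review bot: this hunk deletes the CriticalConnection= entry from systemd.network.xml outright; if the old setting is still parsed for compatibility, keep a one-line deprecated entry that points at KeepConfiguration=dhcp, otherwise people with the old setting in their files have no documented explanation of why it now does nothing. In the new paragraph, "will not drop static addresses and routes on starting up process" should read "when starting up", and the default of dhcp-on-stop deserves the same kind of caveat the dhcp value gets: the addresses stay configured after the daemon is stopped even though nothing is left to renew the lease, which is worth a sentence for readers who stop networkd expecting the interface to be cleaned up.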
@@ -28,12 +28,12 @@ Description systemd-veritysetup-generator is a generator that translates kernel command line options - configuring integrity protected block devices (verity) into native systemd units early at boot and when + configuring integrity-protected block devices (verity) into native systemd units early at boot and when configuration of the system manager is reloaded. This will create systemd-veritysetup@.service8 units as necessary. - Currently, only a single verity device may be se up with this generator, backing the root file system of the + Currently, only a single verity device may be set up with this generator, backing the root file system of the OS. systemd-veritysetup-generator implements @@ -61,7 +61,7 @@ roothash= Takes a root hash value for the root file system. Expects a hash value formatted in hexadecimal - characters, of the appropriate length (i.e. most likely 256 bit/64 characters, or longer). If not specified via + characters of the appropriate length (i.e. most likely 256 bit/64 characters, or longer). If not specified via systemd.verity_root_data= and systemd.verity_root_hash=, the hash and data devices to use are automatically derived from the specified hash value. Specifically, the data partition device is looked for under a GPT partition UUID derived from the first 128bit of the root hash, the hash @@ -75,8 +75,8 @@ systemd.verity_root_data= systemd.verity_root_hash= - These two settings take block device paths as arguments, and may be use to explicitly configure - the data partition and hash partition to use for setting up the integrity protection for the root file + These two settings take block device paths as arguments and may be used to explicitly + configure the data partition and hash partition to use for setting up the integrity protection for the root file system. If not specified, these paths are automatically derived from the roothash= argument (see above). -- cgit v1.2.3 
From 12880d14adbc93f17bff6ac8229a37e7b2928a58 Mon Sep 17 00:00:00 2001 From: "Peter A. Bigot" Date: Sun, 9 Jun 2019 12:15:09 -0500 Subject: man: fix reference to sd_bus_add_fallback_vtable --- man/sd_bus_add_object_vtable.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/sd_bus_add_object_vtable.xml b/man/sd_bus_add_object_vtable.xml index 6cbb84e7ff..1c222bc5f4 100644 --- a/man/sd_bus_add_object_vtable.xml +++ b/man/sd_bus_add_object_vtable.xml @@ -200,7 +200,7 @@ userdata parameter contains a pointer that will be passed to various callback functions. It may be specified as NULL if no value is necessary. - sd_bus_add_object_vtable() is similar to + sd_bus_add_fallback_vtable() is similar to sd_bus_add_object_vtable(), but is used to register "fallback" attributes. When looking for an attribute declaration, bus object paths registered with sd_bus_add_object_vtable() are checked first. If no match is found, the fallback -- cgit v1.2.3 From e69cacd2afa19ad4e739e358fe5a3fafe251bff4 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Wed, 12 Jun 2019 08:03:35 +0100 Subject: man: Fix typo in sd_notify man page Signed-off-by: Philip Withnall --- man/sd_notify.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/sd_notify.xml b/man/sd_notify.xml index 00640cb290..3046ca88ee 100644 --- a/man/sd_notify.xml +++ b/man/sd_notify.xml 
@@ -200,7 +200,7 @@ Tells the service manager to extend the startup, runtime or shutdown service timeout corresponding the current state. The value specified is a time in microseconds during which the service must send a new message. A service timeout will occur if the message isn't received, but only if the runtime of the - current state is beyond the original maximium times of TimeoutStartSec=, RuntimeMaxSec=, + current state is beyond the original maximum times of TimeoutStartSec=, RuntimeMaxSec=, and TimeoutStopSec=. See systemd.service5 for effects on the service timeouts. -- cgit v1.2.3 From f627573031fe4e7d13fab402b7e27e84a00acef8 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Wed, 12 Jun 2019 09:08:53 +0100 Subject: man: Add missing tags in various man pages A minor formatting improvement brought to you by the wonders of `git grep`. Signed-off-by: Philip Withnall --- man/systemctl.xml | 2 +- man/systemd.automount.xml | 6 +++--- man/systemd.mount.xml | 6 +++--- man/systemd.path.xml | 6 +++--- man/systemd.slice.xml | 4 ++-- man/systemd.socket.xml | 6 +++--- man/systemd.swap.xml | 6 +++--- man/systemd.target.xml | 4 ++-- man/systemd.timer.xml | 6 +++--- 9 files changed, 23 insertions(+), 23 deletions(-) (limited to 'man') diff --git a/man/systemctl.xml b/man/systemctl.xml index d991e979f1..5ebe1832bc 100644 --- a/man/systemctl.xml +++ b/man/systemctl.xml 
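Review bot: while fixing "maximium" in this paragraph, the first sentence's "service timeout corresponding the current state" is also missing "to" ("corresponding to the current state"); it is in the unchanged context two lines above the fix, so it costs nothing to include.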
@@ -1341,7 +1341,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err indirect - The unit file itself is not enabled, but it has a non-empty Also= setting in the [Install] unit file section, listing other unit files that might be enabled, or it has an alias under a different name through a symlink that is not specified in Also=. For template unit file, an instance different than the one specified in DefaultInstance= is enabled. + The unit file itself is not enabled, but it has a non-empty Also= setting in the [Install] unit file section, listing other unit files that might be enabled, or it has an alias under a different name through a symlink that is not specified in Also=. For template unit file, an instance different than the one specified in DefaultInstance= is enabled. 0 diff --git a/man/systemd.automount.xml b/man/systemd.automount.xml index 48deb0220e..75302e07e9 100644 --- a/man/systemd.automount.xml +++ b/man/systemd.automount.xml @@ -35,9 +35,9 @@ this unit type. See systemd.unit5 for the common options of all unit configuration files. The common - configuration items are configured in the generic [Unit] and - [Install] sections. The automount specific configuration options - are configured in the [Automount] section. + configuration items are configured in the generic [Unit] and + [Install] sections. The automount specific configuration options + are configured in the [Automount] section. Automount units must be named after the automount directories they control. Example: the automount point /home/lennart must be configured in a unit file diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml index 178dc188a5..a72a33240d 100644 --- a/man/systemd.mount.xml +++ b/man/systemd.mount.xml 
@@ -34,9 +34,9 @@ this unit type. See systemd.unit5 for the common options of all unit configuration files. The common - configuration items are configured in the generic [Unit] and - [Install] sections. The mount specific configuration options are - configured in the [Mount] section. + configuration items are configured in the generic [Unit] and + [Install] sections. The mount specific configuration options are + configured in the [Mount] section. Additional options are listed in systemd.exec5, diff --git a/man/systemd.path.xml b/man/systemd.path.xml index de284d877e..39cca8cf51 100644 --- a/man/systemd.path.xml +++ b/man/systemd.path.xml @@ -34,9 +34,9 @@ this unit type. See systemd.unit5 for the common options of all unit configuration files. The common - configuration items are configured in the generic [Unit] and - [Install] sections. The path specific configuration options are - configured in the [Path] section. + configuration items are configured in the generic [Unit] and + [Install] sections. The path specific configuration options are + configured in the [Path] section. For each path file, a matching unit file must exist, describing the unit to activate when the path changes. By default, diff --git a/man/systemd.slice.xml b/man/systemd.slice.xml index 5019bf9976..7157dfa32d 100644 --- a/man/systemd.slice.xml +++ b/man/systemd.slice.xml @@ -55,9 +55,9 @@ systemd.unit5 for the common options of all unit configuration files. The common configuration items are configured - in the generic [Unit] and [Install] sections. The + in the generic [Unit] and [Install] sections. The slice specific configuration options are configured in - the [Slice] section. Currently, only generic resource control settings + the [Slice] section. Currently, only generic resource control settings as described in systemd.resource-control5 are allowed. diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 84faf89c2e..60ea63f742 100644 --- a/man/systemd.socket.xml 
+++ b/man/systemd.socket.xml @@ -35,9 +35,9 @@ this unit type. See systemd.unit5 for the common options of all unit configuration files. The common - configuration items are configured in the generic [Unit] and - [Install] sections. The socket specific configuration options are - configured in the [Socket] section. + configuration items are configured in the generic [Unit] and + [Install] sections. The socket specific configuration options are + configured in the [Socket] section. Additional options are listed in systemd.exec5, diff --git a/man/systemd.swap.xml b/man/systemd.swap.xml index d2a9123b0b..23547bb273 100644 --- a/man/systemd.swap.xml +++ b/man/systemd.swap.xml @@ -37,9 +37,9 @@ this unit type. See systemd.unit5 for the common options of all unit configuration files. The common - configuration items are configured in the generic [Unit] and - [Install] sections. The swap specific configuration options are - configured in the [Swap] section. + configuration items are configured in the generic [Unit] and + [Install] sections. The swap specific configuration options are + configured in the [Swap] section. Additional options are listed in systemd.exec5, diff --git a/man/systemd.target.xml b/man/systemd.target.xml index a706a4588a..3052b17786 100644 --- a/man/systemd.target.xml +++ b/man/systemd.target.xml @@ -34,8 +34,8 @@ This unit type has no specific options. See systemd.unit5 for the common options of all unit configuration files. The common - configuration items are configured in the generic [Unit] and - [Install] sections. A separate [Target] section does not exist, + configuration items are configured in the generic [Unit] and + [Install] sections. A separate [Target] section does not exist, since no target-specific options may be configured. Target units do not offer any additional functionality on diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml index 13b9ed35d2..340286d912 100644 --- a/man/systemd.timer.xml +++ b/man/systemd.timer.xml 
@@ -35,9 +35,9 @@ this unit type. See systemd.unit5 for the common options of all unit configuration files. The common - configuration items are configured in the generic [Unit] and - [Install] sections. The timer specific configuration options are - configured in the [Timer] section. + configuration items are configured in the generic [Unit] and + [Install] sections. The timer specific configuration options are + configured in the [Timer] section. For each timer file, a matching unit file must exist, describing the unit to activate when the timer elapses. By -- cgit v1.2.3 From 5337cccf9773306ec9aa4b73b331b34ad86a1dd8 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Wed, 12 Jun 2019 19:18:04 +0200 Subject: Document that gpt-auto-generator supports decrypting rootfs When systemd is running in initrd, we actually support decrypting a LUKS rootfs. Fixes #12786 --- man/systemd-gpt-auto-generator.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'man') diff --git a/man/systemd-gpt-auto-generator.xml b/man/systemd-gpt-auto-generator.xml index d94d6ac715..22cd638f1f 100644 --- a/man/systemd-gpt-auto-generator.xml +++ b/man/systemd-gpt-auto-generator.xml @@ -187,6 +187,12 @@ /dev/mapper/home and /dev/mapper/srv. Note that this might create conflicts if the same partition is listed in /etc/crypttab with a different device mapper device name. + + When systemd is running in the initrd the / partition may be encrypted in LUKS + format as well. In this case, a device mapper device is set up under the name /dev/mapper/root, + and a sysroot.mount is set up that mounts the device under /sysroot. + For more information, see bootup7. + Mount and automount units for the EFI System Partition (ESP) are generated on EFI systems. The ESP is mounted to /boot/ (except if an Extended Boot Loader partition exists, see -- cgit v1.2.3 From 2ebe027b448ce729f696e0715456a054ec4a824f Mon Sep 17 00:00:00 2001 
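Review bot: in the systemctl.xml hunk of the missing-tags patch, the whole "indirect" description stays on a single very long line, which makes this formatting-only change, and every future diff to that row, unreadable; wrap it like the neighbouring rows. While touching that line, "For template unit file, an instance different than the one specified in DefaultInstance= is enabled" should read "For template unit files, an instance different from the one specified".

Review bot: the new initrd paragraph in systemd-gpt-auto-generator.xml needs a comma after "initrd", and the caveat in the paragraph directly above it (that the generated device mapper name can conflict with an /etc/crypttab entry naming the same partition differently) applies just as much to /dev/mapper/root; say so explicitly, since an initrd that also carries a crypttab entry for the root device is a common configuration. It would also help to state how the passphrase or key is obtained in the initrd, because that is the first question a reader of this paragraph will have and the text only says the device is set up.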
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 17 Jun 2019 09:21:57 +0200 Subject: man: clean up naming scheme description a bit This is in preparation for later changes. Let's change the documentation of net.naming-scheme= to also say that it applies to MAC addresses. This commit doesn't actually implement that though. --- man/systemd.net-naming-scheme.xml | 45 ++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 22 deletions(-) (limited to 'man') diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml index eb8faad254..69d8ee9b28 100644 --- a/man/systemd.net-naming-scheme.xml +++ b/man/systemd.net-naming-scheme.xml 
@@ -22,29 +22,30 @@ Description - Network interfaces may be renamed to give them predictable names when there's enough information to - generate appropriate names and the use of certain types of names is configured. This page describes the - first part, i.e. what possible names may be generated. Those names are generated by the + Network interfaces names and MAC addresses may be generated based on certain stable interface + attributes. This is possible when there is enough information about the device to generate those + attributes and the use of this information is configured. This page describes interface naming, i.e. what + possible names may be generated. Those names are generated by the systemd-udevd.service8 builtin net_id and exported as udev properties (ID_NET_NAME_ONBOARD=, ID_NET_LABEL_ONBOARD=, ID_NET_NAME_PATH=, ID_NET_NAME_SLOT=). - Names are derived from various device metadata attributes. Newer versions of udev take more of - these attributes into account, improving (and thus possibly changing) the names used for the same - devices. Differents version of the naming rules are called "naming schemes". The default naming scheme is - chosen at compilation time. Usually this will be the latest implemented version, but it is also possible - to set one of the older versions to preserve compatibility. This may be useful for example for - distributions, which may introduce new versions of systemd in stable releases without changing the naming - scheme. The naming scheme may also be overriden using the net.naming-scheme= kernel - command line switch, see + Names and MAC addresses are derived from various stable device metadata attributes. Newer versions + of udev take more of these attributes into account, improving (and thus possibly changing) the names and + addresses used for the same devices. Different versions of those generation rules are called "naming + schemes". The default naming scheme is chosen at compilation time. 
Usually this will be the latest + implemented version, but it is also possible to set one of the older versions to preserve + compatibility. This may be useful for example for distributions, which may introduce new versions of + systemd in stable releases without changing the naming scheme. The naming scheme may also be overriden + using the net.naming-scheme= kernel command line switch, see systemd-udevd.service8. Available naming schemes are described below. After the udev proprties have been generated, appropriate udev rules may be used to actually rename - devices based on those properties. See the description of NamePolicy= in - systemd.link5. - + devices based on those properties. See the description of NamePolicy= and + MACAddressPolicy= in + systemd.link5. @@ -288,7 +289,7 @@ v240 - The ib prefix and stable names for infiniband devices are + The ib prefix and stable names for infiniband devices are introduced. Previously those devices were not renamed. The ACPI index field (used in ID_NET_NAME_ONBOARD=) is now also used when @@ -301,22 +302,22 @@ configuration, even if they have been renamed already, if keep is not specified as the naming policy in the .link file. See systemd.link5 - for a description of NamePolicy=. + for a description of NamePolicy=. v243 - Support for netdevsim (simulated networking devices) was added. Previously those devices were - not renamed. + Support for renaming netdevsim (simulated networking) devices was added. Previously + those devices were not renamed. Previously two-letter interface type prefix was prepended to - ID_NET_LABEL_ONBOARD=. This is not done anymore. + ID_NET_LABEL_ONBOARD=. This is not done anymore. - - Note that latest may be used to denote the latest scheme known (to this - particular version of systemd. + + Note that latest may be used to denote the latest scheme known (to this + particular version of systemd. -- cgit v1.2.3 From 96848152fa5e502673f31361ba998701aaa9bda3 Mon Sep 17 00:00:00 2001 
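Review bot: the first added paragraph has a grammatical slip, "Network interfaces names and MAC addresses may be generated" should read "Network interface names and MAC addresses may be generated", and the rewritten second paragraph keeps "overriden" (should be "overridden") while leaving "udev proprties" (should be "udev properties") untouched in the adjacent context even though the sentence around it is being reflowed. The last hunk also carries over an unclosed parenthesis: "the latest scheme known (to this particular version of systemd." needs a closing ")" after "systemd". On substance, the commit message says MAC address generation is not implemented yet, but the new wording "Names and MAC addresses are derived from various stable device metadata attributes" documents behaviour the tree does not have; if the follow-up does not land in the same release this page will be wrong, so either hold this wording until the implementation is in or tie it to the scheme version that introduces it.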
From: Zbigniew Jędrzejewski-Szmek Date: Mon, 17 Jun 2019 09:42:46 +0200 Subject: udev: introduce NAMING_STABLE_VIRTUAL_MACS (retroactively) This is for 6d3646406560. It turns out that this is causing more problems than expected. Let's retroactively introduce naming scheme v241 to conditionalize this change. Follow-up for #12792 and 6d36464065601f7. See also https://bugzilla.suse.com/show_bug.cgi?id=1136600. $ SYSTEMD_LOG_LEVEL=debug NET_NAMING_SCHEME=v240 build/udevadm test-builtin net_setup_link /sys/class/net/br11 $ SYSTEMD_LOG_LEVEL=debug NET_NAMING_SCHEME=v241 build/udevadm test-builtin net_setup_link /sys/class/net/br11 ... @@ -20,11 +20,13 @@ link_config: could not set ethtool features for br11 Could not set offload features of br11: Operation not permitted br11: Device has name_assign_type=3 -Using interface naming scheme 'v240'. +Using interface naming scheme 'v241'. br11: Policy *keep*: keeping existing userspace name br11: Device has addr_assign_type=1 -br11: No stable identifying information found -br11: Could not generate persistent MAC: No data available +br11: Using "br11" as stable identifying information +br11: Using generated persistent MAC address +Could not set Alias=, MACAddress= or MTU= on br11: Operation not permitted +br11: Could not apply link config, ignoring: Operation not permitted Unload module index Unloaded link configuration context. ID_NET_DRIVER=bridge --- man/systemd.net-naming-scheme.xml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'man') diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml index 69d8ee9b28..4caac11156 100644 --- a/man/systemd.net-naming-scheme.xml +++ b/man/systemd.net-naming-scheme.xml 
@@ -305,6 +305,21 @@ for a description of NamePolicy=. + + v241 + + was extended to set MAC addresses + based on the device name. Previously addresses were only based on the + ID_NET_NAME_* attributes, which meant that interface names would + never be generated for virtual devices. Now a persistent address will be generated for most + devices, including in particular bridges. + + Note: when userspace does not set a MAC address for a bridge device, the kernel will + initially assign a random address, and then change it when the first device is enslaved to the + bridge. With this naming policy change, bridges get a persistent MAC address based on the bridge + name instead of the first enslaved device. + + v243 -- cgit v1.2.3 From 4310bfc20b84127e19bed68701caa3820c844682 Mon Sep 17 00:00:00 2001 From: Iwan Timmer Date: Mon, 18 Feb 2019 20:41:46 +0100 Subject: resolved: add strict mode for DNS-over-TLS Add strict mode for DNS-over-TLS, which will require TLS support from the server. Closes #10755 --- man/resolved.conf.xml | 7 +++++-- man/systemd.network.xml | 11 +++++++---- 2 files changed, 12 insertions(+), 6 deletions(-) (limited to 'man') diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index c8ab6942c1..a647a4ace7 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -193,8 +193,11 @@ DNSOverTLS= - Takes false or - opportunistic. When set to opportunistic + Takes a boolean argument or opportunistic. + If true all connections to the server will be encrypted. Note that + this mode requires a DNS server that supports DNS-over-TLS and has + a valid certificate for it's IP. If the DNS server does not support + DNS-over-TLS all DNS requests will fail. When set to opportunistic DNS request are attempted to send encrypted with DNS-over-TLS. If the DNS server does not support TLS, DNS-over-TLS is disabled. Note that this mode makes DNS-over-TLS vulnerable to "downgrade" 
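Review bot: in the new v241 entry, "which meant that interface names would never be generated for virtual devices" should say "MAC addresses would never be generated for virtual devices"; the paragraph is about address generation, and naming of virtual devices is a different matter. The first sentence also begins " was extended to set MAC addresses based on the device name" with no subject in the rendered text; make sure the setting being extended (MACAddressPolicy=, per the cross-reference added in the previous commit) is actually named so the entry is self-contained. Since the commit message says this scheme is introduced retroactively, the entry should say so too, otherwise a reader comparing this page with an older v241 release will not understand why that release did not behave this way. Finally, the bridge note would be more useful if it stated the operational consequence: with this change a bridge's address no longer changes when its first port is enslaved, so anything that recorded the old, port-derived bridge address will see a different one after upgrading.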
diff --git a/man/systemd.network.xml b/man/systemd.network.xml index d832e68d71..bad673b44e 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -395,12 +395,15 @@ DNSOverTLS= - Takes false or - opportunistic. When set to opportunistic, enables + Takes a boolean or opportunistic. + When true, enables DNS-over-TLS - support on the link. This option defines a - per-interface setting for + support on the link. + When set to opportunistic, compatibility with + non-DNS-over-TLS servers is increased, by automatically + turning off DNS-over-TLS servers in this case. + This option defines a per-interface setting for resolved.conf5's global DNSOverTLS= option. Defaults to false. This setting is read by -- cgit v1.2.3 From 6e9713f6753424417aa3cd21a012bfc0d49d31ab Mon Sep 17 00:00:00 2001 From: Jan Synacek Date: Fri, 21 Jun 2019 07:53:15 +0200 Subject: man: drop my copyright --- man/sd_journal_has_runtime_files.xml | 2 -- 1 file changed, 2 deletions(-) (limited to 'man') diff --git a/man/sd_journal_has_runtime_files.xml b/man/sd_journal_has_runtime_files.xml index 4b0075cbe0..7e6e7d4b9d 100644 --- a/man/sd_journal_has_runtime_files.xml +++ b/man/sd_journal_has_runtime_files.xml @@ -4,8 +4,6 @@ -- cgit v1.2.3 From 94c4bbe50677af776de408058475a7cbce8e013b Mon Sep 17 00:00:00 2001 From: "Peter A. Bigot" Date: Sat, 22 Jun 2019 12:43:49 -0500 Subject: man: fix references to VTABLE property flags --- man/sd_bus_add_object_vtable.xml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'man') diff --git a/man/sd_bus_add_object_vtable.xml b/man/sd_bus_add_object_vtable.xml index 1c222bc5f4..9d7e30a504 100644 --- a/man/sd_bus_add_object_vtable.xml +++ b/man/sd_bus_add_object_vtable.xml 
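Review bot: in the resolved.conf.xml hunk, "has a valid certificate for it's IP" should be "for its IP", and "If true all connections" needs a comma after "true". More importantly, the strict-mode sentence says the server must have "a valid certificate" but not what that certificate is validated against; since this is the entire security difference between strict and opportunistic mode, state which checks are performed (chain validation, and whether the server's IP address or a name is matched), otherwise readers cannot judge what a failing "valid certificate" means or what an attacker on the path would need to present. The systemd.network.xml hunk has a wording error: "by automatically turning off DNS-over-TLS servers in this case" should be "by automatically turning off DNS-over-TLS for servers that do not support it". That hunk also omits the downgrade warning that the resolved.conf.xml text keeps for opportunistic mode; repeat it or cross-reference it so a per-link configuration does not read as if opportunistic mode were equivalent to strict. While both hunks are being rewritten, the pre-existing "DNS request are attempted to send encrypted" sentence should become "DNS requests are sent encrypted with DNS-over-TLS where possible".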
@@ -356,19 +356,19 @@ - SD_BUS_VTABLE_CONST - SD_BUS_VTABLE_EMITS_CHANGE - SD_BUS_VTABLE_EMITS_INVALIDATION + SD_BUS_VTABLE_PROPERTY_CONST + SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE + SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION Those three flags correspond to different values of the org.freedesktop.DBus.Property.EmitsChangedSignal annotation, which specifies whether the org.freedesktop.DBus.Properties.PropertiesChanged signal is - emitted whenever the property changes. SD_BUS_VTABLE_CONST corresponds to + emitted whenever the property changes. SD_BUS_VTABLE_PROPERTY_CONST corresponds to const and means that the property never changes during the lifetime of the object it belongs to, so no signal needs to be emitted. - SD_BUS_VTABLE_EMITS_CHANGE corresponds to true and means - that the signal is emitted. SD_BUS_VTABLE_EMITS_INVALIDATION corresponds to - invalides and means that the signal is emitted, but the value is not included + SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE corresponds to true and means + that the signal is emitted. SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION corresponds to + invalidates and means that the signal is emitted, but the value is not included in the signal. @@ -378,7 +378,7 @@ Mark this vtable property entry as requiring explicit request to for the value to be shown (generally because the value is large or slow to calculate). This entry cannot be combined - with SD_BUS_VTABLE_EMITS_CHANGE, and will not be shown in property listings by + with SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE, and will not be shown in property listings by default (e.g. busctl introspect). This corresponds to the org.freedesktop.systemd1.Explicit annotation in introspection data. -- cgit v1.2.3 From e0e65f7d097841630faac1f6813ec9bcf2083faa Mon Sep 17 00:00:00 2001 
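Review bot: the corrected SD_BUS_VTABLE_PROPERTY_* names look right, but the second hunk leaves a typo in the context line directly above the changed line: "requiring explicit request to for the value to be shown" should be "requiring an explicit request for the value to be shown"; since this patch is already correcting this paragraph, fix it in the same change. Also check that the synopsis and any other list of property flags on this page (the commit touches only these eight lines) use the SD_BUS_VTABLE_PROPERTY_* spelling, so the page does not refer to the same flag under two names.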
From: Lennart Poettering Date: Mon, 24 Jun 2019 14:20:36 +0200 Subject: man: document that DynamicUser=1 implied sandboxing cannot be turned off Fixes: #12476 --- man/systemd.exec.xml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index d65b842f44..f333c2c812 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -254,14 +254,15 @@ part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to these files or directories. If DynamicUser= is enabled, - RemoveIPC=, PrivateTmp= are implied. This ensures that the - lifetime of IPC objects and temporary files created by the executed processes is bound to the runtime - of the service, and hence the lifetime of the dynamic user/group. Since /tmp and - /var/tmp are usually the only world-writable directories on a system this - ensures that a unit making use of dynamic user/group allocation cannot leave files around after unit - termination. Furthermore NoNewPrivileges= and RestrictSUIDSGID= - are implicitly enabled to ensure that processes invoked cannot take benefit or create SUID/SGID files - or directories. Moreover ProtectSystem=strict and + RemoveIPC= and PrivateTmp= are implied (and cannot be turned + off). This ensures that the lifetime of IPC objects and temporary files created by the executed + processes is bound to the runtime of the service, and hence the lifetime of the dynamic + user/group. Since /tmp/ and /var/tmp/ are usually the only + world-writable directories on a system this ensures that a unit making use of dynamic user/group + allocation cannot leave files around after unit termination. Furthermore + NoNewPrivileges= and RestrictSUIDSGID= are implicitly enabled + (and cannot be disabled), to ensure that processes invoked cannot take benefit or create SUID/SGID + files or directories. Moreover ProtectSystem=strict and ProtectHome=read-only are implied, thus prohibiting the service to write to arbitrary file system locations. In order to allow the service to write to certain directories, they have to be whitelisted using ReadWritePaths=, but care must be taken so that -- cgit v1.2.3 From b30772a403399e7b36ff30a4f8ebbd4eb7cb190d Mon Sep 17 00:00:00 2001 
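Review bot: the paragraph now says RemoveIPC=, PrivateTmp=, NoNewPrivileges= and RestrictSUIDSGID= "cannot be turned off", but the very next sentence still says ProtectSystem=strict and ProtectHome=read-only "are implied" without saying whether those two can be relaxed; placed right after "cannot be disabled", "implied" now reads as deliberately ambiguous. State explicitly for each of the two whether a unit may override it, since that is exactly the question #12476 raises. Minor wording: "cannot take benefit or create SUID/SGID files or directories" should be "cannot benefit from or create SUID/SGID files or directories".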
From: Lennart Poettering Date: Mon, 24 Jun 2019 14:22:43 +0200 Subject: man: correct that Sockets= may not be undone Fixes: #12415 --- man/systemd.service.xml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemd.service.xml b/man/systemd.service.xml index c2b3e21076..22329f6c2f 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -945,11 +945,9 @@ inverse of the Sockets= setting of the .service it refers to. - This option may appear more than once, in which case the - list of socket units is merged. If the empty string is - assigned to this option, the list of sockets is reset, and all - prior uses of this setting will have no - effect. + This option may appear more than once, in which case the list of socket units is merged. Note + that once set, clearing the list of sockets again (for example, by assigning the empty string to this + option) is not supported. -- cgit v1.2.3 From cd69e88ba3a692618048117b26fc9ea339aa1845 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 24 Jun 2019 14:51:52 +0200 Subject: doc: make clear that --system and --user only make sense with --test Fixes: #12843 --- man/systemd.xml | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) (limited to 'man') diff --git a/man/systemd.xml b/man/systemd.xml index c51f0bf4d1..7ede4e3f40 100644 --- a/man/systemd.xml +++ b/man/systemd.xml 
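Review bot: "clearing the list of sockets again ... is not supported" does not tell the reader what actually happens when the empty string is assigned: is it rejected with a parse error, logged and ignored, or accepted silently with no effect? State the observable behaviour, otherwise a unit author who writes "Sockets=" in a drop-in to reset the list has no way to tell from the documentation that the earlier sockets are still in effect.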
@@ -70,8 +70,13 @@ - Determine startup sequence, dump it and exit. - This is an option useful for debugging only. + Determine the initial start-up transaction (i.e. the list of jobs enqueued at + start-up), dump it and exit. This option is useful for debugging only. Note that during regular + service manager start-up further units might be started than this operation shows, because hardware, + socket, bus or other kinds of activation might add additional jobs. Use to + request the initial transaction of the system service manager (this is also the implied default), + combine with to request the initial transaction of the per-user service + manager instead. @@ -94,23 +99,20 @@ not specified, defaults to default.target. + - For , tell systemd to - run a system instance, even if the process ID is not 1, i.e. - systemd is not run as init process. - does the opposite, running a user instance even if the process - ID is 1. Normally, it should not be necessary to pass these - options, as systemd automatically detects the mode it is - started in. These options are hence of little use except for - debugging. Note that it is not supported booting and - maintaining a full system with systemd running in - mode, but PID not 1. In practice, - passing explicitly is only useful in - conjunction with . + When used in conjunction with , selects whether to calculate + the initial transaction for the system instance or for a per-user instance. These options have no + effect when invoked without , as during regular + (i.e. non-) invocations the service manager will automatically detect whether + it shall operate in system or per-user mode, by checking whether the PID it is run as is 1 or + not. Note that it is not supported booting and maintaining a system with the service manager running + in mode but with a PID other than 1. + -- cgit v1.2.3 From eedaf7f322a850c5d9f49346d43420423fc6f593 Mon Sep 17 00:00:00 2001 
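Review bot: in the first hunk, "further units might be started than this operation shows" is awkward; "additional units may be started beyond those this operation shows" is clearer. The sentence "Use to request the initial transaction of the system service manager" reads as if the option name were missing; make sure --system and --user are actually spelled out there, since the rewritten second hunk relies on that sentence. In the second hunk, "Note that it is not supported booting and maintaining a system with the service manager running in mode but with a PID other than 1" should be "Note that booting and maintaining a system with the service manager running in system mode but with a PID other than 1 is not supported", and the mode name should be present in the rendered text.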
From: Lennart Poettering Date: Mon, 24 Jun 2019 15:21:22 +0200 Subject: man: drop references to "syslog" and "syslog+console" from man page These options are pretty much equivalent to "journal" and "journal+console" anyway, let's simplify things, and drop them from the documentation hence. For compat reasons let's keep them in the code. (Note that they are not 100% identical to 'journal', but I doubt the distinction in behaviour is really relevant to keep this in the docs. And we should probably should drop 'syslog' entirely from our codebase eventually, but it's problematic as long as we semi-support udev on non-systemd systems still.) --- man/systemd.exec.xml | 86 ++++++++++++++++++++++++++-------------------------- man/systemd.xml | 2 -- 2 files changed, 43 insertions(+), 45 deletions(-) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f333c2c812..8f7d64d017 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1936,12 +1936,12 @@ SystemCallErrorNumber=EPERM StandardOutput= - Controls where file descriptor 1 (STDOUT) of the executed processes is connected to. Takes one - of , , , , - , , , - , , - , , - or . + Controls where file descriptor 1 (STDOUT) of the executed processes is connected + to. Takes one of , , , + , , , + , , + , or + . duplicates the file descriptor of standard input for standard output. 
@@ -1952,23 +1952,20 @@ SystemCallErrorNumber=EPERM see below). If the TTY is used for output only, the executed process will not become the controlling process of the terminal, and will not fail or wait for other processes to release the terminal. - connects standard output with the journal which is accessible via - journalctl1. Note that - everything that is written to syslog or kmsg (see below) is implicitly stored in the journal as well, the - specific two options listed below are hence supersets of this one. - - connects standard output to the syslog3 system syslog - service, in addition to the journal. Note that the journal daemon is usually configured to forward everything - it receives to syslog anyway, in which case this option is no different from . + connects standard output with the journal, which is accessible via + journalctl1. Note + that everything that is written to kmsg (see below) is implicitly stored in the journal as well, the + specific option listed below is hence a superset of this one. (Also note that any external, + additional syslog daemons receive their log data from the journal, too, hence this is the option to + use when logging shall be processed with such a daemon.) connects standard output with the kernel log buffer which is accessible via dmesg1, in addition to the journal. The journal daemon might be configured to send all logs to kmsg anyway, in which case this option is no different from . - , and work - in a similar way as the three options above but copy the output to the system console as well. + and work in a similar way as the + two options above but copy the output to the system console as well. The option may be used to connect a specific file system object to standard output. The semantics are similar to the same option of 
@@ -1997,13 +1994,14 @@ SystemCallErrorNumber=EPERM systemd.socket5 for more details about named descriptors and their ordering. - If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the - kernel log buffer, the unit will implicitly gain a dependency of type After= on - systemd-journald.socket (also see the "Implicit Dependencies" section above). Also note - that in this case stdout (or stderr, see below) will be an AF_UNIX stream socket, and not - a pipe or FIFO that can be re-opened. This means when executing shell scripts the construct echo - "hello" > /dev/stderr for writing text to stderr will not work. To mitigate this use the construct - echo "hello" >&2 instead, which is mostly equivalent and avoids this pitfall. + If the standard output (or error output, see below) of a unit is connected to the journal or + the kernel log buffer, the unit will implicitly gain a dependency of type After= + on systemd-journald.socket (also see the "Implicit Dependencies" section + above). Also note that in this case stdout (or stderr, see below) will be an + AF_UNIX stream socket, and not a pipe or FIFO that can be re-opened. This means + when executing shell scripts the construct echo "hello" > /dev/stderr for + writing text to stderr will not work. To mitigate this use the construct echo "hello" + >&2 instead, which is mostly equivalent and avoids this pitfall. This setting defaults to the value set with DefaultStandardOutput= in systemd-system.conf5, which 
@@ -2121,12 +2119,12 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy SyslogIdentifier= - Sets the process name ("syslog tag") to prefix log lines sent to the logging - system or the kernel log buffer with. If not set, defaults to the process name of the executed process. This - option is only useful when StandardOutput= or StandardError= are set to - , or (or to the same settings in - combination with ) and only applies to log messages written to stdout or - stderr. + Sets the process name ("syslog tag") to prefix log lines sent to + the logging system or the kernel log buffer with. If not set, defaults to the process name of the + executed process. This option is only useful when StandardOutput= or + StandardError= are set to or (or to + the same settings in combination with ) and only applies to log messages + written to stdout or stderr. @@ -2137,12 +2135,13 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy , , , , , , , , , , , , - , , or . See - syslog3 - for details. This option is only useful when StandardOutput= or - StandardError= are set to , or - (or to the same settings in combination with ), and only applies - to log messages written to stdout or stderr. Defaults to . + , , or + . See syslog3 for + details. This option is only useful when StandardOutput= or + StandardError= are set to or (or to + the same settings in combination with ), and only applies to log messages + written to stdout or stderr. Defaults to . 
@@ -2154,7 +2153,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy . See syslog3 for details. This option is only useful when StandardOutput= or - StandardError= are set to , or + StandardError= are set to or (or to the same settings in combination with ), and only applies to log messages written to stdout or stderr. Note that individual lines output by executed processes may be prefixed with a different log level which can be used to override the default log level specified here. The @@ -2167,12 +2166,13 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy SyslogLevelPrefix= Takes a boolean argument. If true and StandardOutput= or - StandardError= are set to , or - (or to the same settings in combination with ), log lines - written by the executed process that are prefixed with a log level will be processed with this log level set - but the prefix removed. If set to false, the interpretation of these prefixes is disabled and the logged lines - are passed on as-is. This only applies to log messages written to stdout or stderr. For details about this - prefixing see sd-daemon3. + StandardError= are set to or (or to + the same settings in combination with ), log lines written by the executed + process that are prefixed with a log level will be processed with this log level set but the prefix + removed. If set to false, the interpretation of these prefixes is disabled and the logged lines are + passed on as-is. This only applies to log messages written to stdout or stderr. For details about + this prefixing see + sd-daemon3. Defaults to true. diff --git a/man/systemd.xml b/man/systemd.xml index 7ede4e3f40..dfd77a474d 100644 --- a/man/systemd.xml +++ b/man/systemd.xml @@ -234,8 +234,6 @@ , , , - , - , , . If the argument is omitted -- cgit v1.2.3 From e5134f00f8c7f5b278a46e4ed0a19fbd220601b2 Mon Sep 17 00:00:00 2001 
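Review bot: the commit message says syslog and syslog+console remain accepted for compatibility, but the hunks remove them from the StandardOutput= list and from the systemd --log-target list without a word; a reader with existing units that use StandardOutput=syslog will find no explanation of why the value still works or what it now maps to. Add a one-line note that these values are deprecated aliases for journal and journal+console rather than dropping them silently. In the first StandardOutput= hunk, "the specific option listed below is hence a superset of this one" now refers to a single option, so name it (kmsg) instead of "the specific option listed below". In the SyslogIdentifier= hunk the sentence "Sets the process name ("syslog tag") to prefix log lines sent to the logging system or the kernel log buffer with" ends in a dangling "with"; "Sets the process name ("syslog tag") that log lines sent to the logging system or the kernel log buffer are prefixed with" reads better.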
From: Lennart Poettering Date: Mon, 24 Jun 2019 15:30:10 +0200 Subject: man: document that sd_bus_creds_get_exec() is not suitable for security decisions Fixes: #12704 --- man/sd_bus_creds_get_pid.xml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'man') diff --git a/man/sd_bus_creds_get_pid.xml b/man/sd_bus_creds_get_pid.xml index 9e79d13cdd..a7690d5817 100644 --- a/man/sd_bus_creds_get_pid.xml +++ b/man/sd_bus_creds_get_pid.xml @@ -325,12 +325,14 @@ /proc/pid/task/tid/comm). - sd_bus_creds_get_exe() will retrieve - the path to the program executable (as stored in the - /proc/pid/exe - link, but with the (deleted) suffix removed). Note - that kernel threads do not have an executable path, in which case - -ENXIO is returned. + sd_bus_creds_get_exe() will retrieve the path to the program executable (as + stored in the /proc/pid/exe link, but with the + (deleted) suffix removed). Note that kernel threads do not have an executable path, in which + case -ENXIO is returned. Note that this property should not be used for more than explanatory + information, in particular it should not be used for security-relevant decisions. That's because the + executable might have been replaced or removed by the time the value can be processed. Moreover, the + kernel exports this information in an ambiguous way (i.e. a deleted executable cannot be safely + distinguished from one whose name suffix is (deleted). sd_bus_creds_get_cmdline() will retrieve an array of command line arguments (as stored in -- cgit v1.2.3 From b070c7c0e133362ab5e20875e7294908004266af Mon Sep 17 00:00:00 2001 
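Review bot: the added parenthetical is unbalanced: "(i.e. a deleted executable cannot be safely distinguished from one whose name suffix is (deleted)." opens an outer paren and closes only the inner one, so a ")" is missing after "(deleted)". On substance, warning that this value must not be used for security decisions is right, but the paragraph should also say which credential fields on this page are suitable for authorization instead, otherwise callers that currently key policy on the executable path get no guidance on what to switch to. The commit subject also refers to sd_bus_creds_get_exec() while the function documented is sd_bus_creds_get_exe().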
From: Michal Sekletar Date: Tue, 12 Mar 2019 18:58:26 +0100 Subject: core: introduce NUMAPolicy and NUMAMask options Make possible to set NUMA allocation policy for manager. Manager's policy is by default inherited to all forked off processes. However, it is possible to override the policy on per-service basis. Currently we support, these policies: default, prefer, bind, interleave, local. See man 2 set_mempolicy for details on each policy. Overall NUMA policy actually consists of two parts. Policy itself and bitmask representing NUMA nodes where is policy effective. Node mask can be specified using related option, NUMAMask. Default mask can be overwritten on per-service level. --- man/systemd-system.conf.xml | 19 +++++++++++++++++++ man/systemd.exec.xml | 28 ++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) (limited to 'man') diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index f5d419c519..9de04a7879 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -106,6 +106,25 @@ systemd.exec5. + + NUMAPolicy= + + Configures the NUMA memory policy for the service manager and the default NUMA memory policy + for all forked off processes. Individual services may override the default policy with the + NUMAPolicy= setting in unit files, see + systemd.exec5. + + + + NUMAMask= + + Configures the NUMA node mask that will be associated with the selected NUMA policy. Note that + and NUMA policies don't require explicit NUMA node mask and + value of the option can be empty. Similarly to NUMAPolicy=, value can be overriden + by individual services in unit files, see + systemd.exec5. + + RuntimeWatchdogSec= ShutdownWatchdogSec= diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 8f7d64d017..8963764bf6 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
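Review bot: in the NUMAMask= entry, "Note that and NUMA policies don't require explicit NUMA node mask" names no policies in the rendered text; make sure the two policy names (presumably default and local, going by set_mempolicy(2), which is my assumption since the commit message only lists all five) are actually present. Also "value of the option can be empty" should be "the value of the option may be empty", and "overriden" should be "overridden". The NUMAPolicy= entry says the manager's policy is "the default NUMA memory policy for all forked off processes" but does not list the accepted policy names; either list them here or say explicitly that they are the same as for the unit setting in systemd.exec(5).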
@@ -762,6 +762,28 @@ CapabilityBoundingSet=~CAP_B CAP_C details. + + NUMAPolicy= + + Controls the NUMA memory policy of the executed processes. Takes a policy type, one of: + , , , and + . A list of NUMA nodes that should be associated with the policy must be specified + in NUMAMask=. For more details on each policy please see, + set_mempolicy2. For overall + overview of NUMA support in Linux see, + numa7 + + + + + NUMAMask= + + Controls the NUMA node list which will be applied alongside with selected NUMA policy. + Takes a list of NUMA nodes and has the same syntax as a list of CPUs for CPUAffinity= + option. Note that the list of NUMA nodes is not required for and + policies and for policy we expect a single NUMA node. + + IOSchedulingClass= @@ -2918,6 +2940,12 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy EXIT_CONFIGURATION_DIRECTORY Failed to set up unit's configuration directory. See ConfigurationDirectory= above. + + 242 + EXIT_NUMA_POLICY + Failed to set up unit's NUMA memory policy. See NUMAPolicy= and NUMAMask=above. + + -- cgit v1.2.3 From 330703fb22630ed3d1da983fe86337ff898b122a Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 28 May 2019 16:50:10 +0200 Subject: man: beef up systemd.exec(5) Prompted by: https://lists.freedesktop.org/archives/systemd-devel/2019-May/042773.html --- man/systemd.exec.xml | 69 ++++++++++++++++++++++++++++++++++------------------ 1 file changed, 46 insertions(+), 23 deletions(-) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 8963764bf6..bacd539b15 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
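Review bot: the NUMAPolicy= sentence "Takes a policy type, one of: , , , and ." has four slots but the commit message names five policies (default, prefer, bind, interleave, local); check that all five appear in the rendered list. Wording: "please see, set_mempolicy(2)" and "see, numa(7)" have stray commas, "For overall overview" should be "For an overall overview", the sentence ending in numa(7) lacks a full stop, and "applied alongside with selected NUMA policy" should be "applied alongside the selected NUMA policy". The NUMAMask= text says "for policy we expect a single NUMA node" but not what happens when more than one node is given or when a required mask is omitted; say whether the unit then fails to start (presumably with the EXIT_NUMA_POLICY status 242 added in the last hunk) so the two hunks tie together. In that last hunk, "NUMAMask=above" is missing a space before "above".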
@@ -1540,24 +1540,29 @@ RestrictNamespaces=~cgroup net SystemCallFilter= - Takes a space-separated list of system call names. If this setting is used, all system calls - executed by the unit processes except for the listed ones will result in immediate process termination with the - SIGSYS signal (whitelisting). If the first character of the list is ~, - the effect is inverted: only the listed system calls will result in immediate process termination - (blacklisting). Blacklisted system calls and system call groups may optionally be suffixed with a colon - (:) and errno error number (between 0 and 4095) or errno name such as - EPERM, EACCES or EUCLEAN. This value will be - returned when a blacklisted system call is triggered, instead of terminating the processes immediately. This - value takes precedence over the one given in SystemCallErrorNumber=. If running in user - mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting - User=nobody), NoNewPrivileges=yes is implied. This feature makes use of - the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering') and is useful for enforcing a - minimal sandboxing environment. Note that the execve, exit, - exit_group, getrlimit, rt_sigreturn, - sigreturn system calls and the system calls for querying time and sleeping are implicitly - whitelisted and do not need to be listed explicitly. This option may be specified more than once, in which case - the filter masks are merged. If the empty string is assigned, the filter is reset, all prior assignments will - have no effect. This does not affect commands prefixed with +. + Takes a space-separated list of system call names. If this setting is used, all + system calls executed by the unit processes except for the listed ones will result in immediate + process termination with the SIGSYS signal (whitelisting). (See + SystemCallErrorNumber= below for changing the default action). 
If the first + character of the list is ~, the effect is inverted: only the listed system calls + will result in immediate process termination (blacklisting). Blacklisted system calls and system call + groups may optionally be suffixed with a colon (:) and errno + error number (between 0 and 4095) or errno name such as EPERM, + EACCES or EUCLEAN (see errno3 for a + full list). This value will be returned when a blacklisted system call is triggered, instead of + terminating the processes immediately. This value takes precedence over the one given in + SystemCallErrorNumber=, see below. If running in user mode, or in system mode, + but without the CAP_SYS_ADMIN capability (e.g. setting + User=nobody), NoNewPrivileges=yes is implied. This feature + makes use of the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering') and is useful + for enforcing a minimal sandboxing environment. Note that the execve, + exit, exit_group, getrlimit, + rt_sigreturn, sigreturn system calls and the system calls + for querying time and sleeping are implicitly whitelisted and do not need to be listed + explicitly. This option may be specified more than once, in which case the filter masks are + merged. If the empty string is assigned, the filter is reset, all prior assignments will have no + effect. This does not affect commands prefixed with +. Note that on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this 
@@ -1717,6 +1722,22 @@ RestrictNamespaces=~cgroup net SystemCallFilter=@system-service SystemCallErrorNumber=EPERM + Note that various kernel system calls are defined redundantly: there are multiple system calls + for executing the same operation. For example, the pidfd_send_signal() system + call may be used to execute operations similar to what can be done with the older + kill() system call, hence blocking the latter without the former only provides + weak protection. Since new system calls are added regularly to the kernel as development progresses, + keeping system call blacklists comprehensive requires constant work. It is thus recommended to use + whitelisting instead, which offers the benefit that new system calls are by default implicitly + blocked until the whitelist is updated. + + Also note that a number of system calls are required to be accessible for the dynamic linker to + work. The dynamic linker is required for running most regular programs (specifically: all dynamic ELF + binaries, which is how most distributions build packaged programs). This means that blocking these + system calls (which include open(), openat() or + mmap()) will make most programs typically shipped with generic distributions + unusable. + It is recommended to combine the file system namespacing related options with SystemCallFilter=~@mount, in order to prohibit the unit's processes to undo the mappings. Specifically these are the options PrivateTmp=, 
@@ -1729,11 +1750,13 @@ SystemCallErrorNumber=EPERM SystemCallErrorNumber= - Takes an errno error number (between 1 and 4095) or errno name such as - EPERM, EACCES or EUCLEAN, to return when the - system call filter configured with SystemCallFilter= is triggered, instead of terminating - the process immediately. When this setting is not used, or when the empty string is assigned, the process will - be terminated immediately when the filter is triggered. + Takes an errno error number (between 1 and 4095) or errno name + such as EPERM, EACCES or EUCLEAN, to + return when the system call filter configured with SystemCallFilter= is triggered, + instead of terminating the process immediately. See errno3 for a + full list of error codes. When this setting is not used, or when the empty string is assigned, the + process will be terminated immediately when the filter is triggered. -- cgit v1.2.3 From fab347489fcfafbc8367c86afc637ce1b81ae59e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kai=20L=C3=BCke?= Date: Tue, 23 Apr 2019 12:14:20 +0200 Subject: bpf-firewall: custom BPF programs through IP(Ingress|Egress)FilterPath= Takes a single /sys/fs/bpf/pinned_prog string as argument, but may be specified multiple times. An empty assignment resets all previous filters. Closes https://github.com/systemd/systemd/issues/10227 --- man/systemd.resource-control.xml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'man') diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index 95209a8a6a..e7b5dfbce6 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
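Review bot: the errno range in this hunk, "between 1 and 4095", disagrees with the SystemCallFilter= text in the same file (the hunk above), which says the per-syscall ":errno" suffix takes a number "between 0 and 4095". Returning errno 0 would make a filtered call look successful to the caller, so 1..4095 is the sensible range and the SystemCallFilter= sentence should be changed to match in this patch. Since the suffix value "takes precedence over the one given in SystemCallErrorNumber=", it would also help to repeat that precedence rule here, in the SystemCallErrorNumber= entry, so a reader who lands on this option first is not surprised.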
@@ -618,6 +618,39 @@ + + IPIngressFilterPath=BPF_FS_PROGRAMM_PATH + IPEgressFilterPath=BPF_FS_PROGRAMM_PATH + + + Add custom network traffic filters implemented as BPF programs, applying to all IP packets + sent and received over AF_INET and AF_INET6 sockets. + Takes an absolute path to a pinned BPF program in the BPF virtual filesystem (/sys/fs/bpf/). + + + The filters configured with this option are applied to all sockets created by processes + of this unit (or in the case of socket units, associated with it). The filters are loaded in addition + to filters any of the parent slice units this unit might be a member of as well as any + IPAddressAllow= and IPAddressDeny= filters in any of these units. + By default there are no filters specified. + + If these settings are used multiple times in the same unit all the specified programs are attached. If an + empty string is assigned to these settings the program list is reset and all previous specified programs ignored. + + Note that for socket-activated services, the IP filter programs configured on the socket unit apply to + all sockets associated with it directly, but not to any sockets created by the ultimately activated services + for it. Conversely, the IP filter programs configured for the service are not applied to any sockets passed into + the service via socket activation. Thus, it is usually a good idea, to replicate the IP filter programs on both + the socket and the service unit, however it often makes sense to maintain one configuration more open and the other + one more restricted, depending on the usecase. + + Note that these settings might not be supported on some systems (for example if eBPF control group + support is not enabled in the underlying kernel or container manager). These settings will fail the service in + that case. If compatibility with such systems is desired it is hence recommended to attach your filter manually + (requires Delegate=yes) instead of using this setting. 
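Review bot: the placeholder in both term lines, BPF_FS_PROGRAMM_PATH, misspells PROGRAM; suggest BPF_FS_PROGRAM_PATH for IPIngressFilterPath= and IPEgressFilterPath=. Wording nits in the same hunk: "in addition to filters any of the parent slice units" is missing "of", "all previous specified programs ignored" should read "all previously specified programs are ignored", the comma in "a good idea, to replicate" should go, and "usecase" is two words. Since this documents a security control that attaches an arbitrary pinned program to the unit's sockets, the text should also say who is expected to load and pin the program under /sys/fs/bpf/ and what happens at service start if the path does not exist; the hunk only covers the case where eBPF cgroup support is missing.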
+ + + DeviceAllow= -- cgit v1.2.3 From 9a02707561105573efc8778cfab957895af6c3ba Mon Sep 17 00:00:00 2001 From: camoz Date: Tue, 25 Jun 2019 10:28:19 +0200 Subject: systemd-nspawn(1): update example section Remove the retired flag -d from Example 4. "Boot a minimal Arch Linux distribution in a container". It has been retired here: https://git.archlinux.org/arch-install-scripts.git/commit/pacstrap.in?id=0af6884aca68dcb7eed0b85fbc2960903df3d968 --- man/systemd-nspawn.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index f1d6f14812..8c1a1e6871 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -1390,7 +1390,7 @@ Boot a minimal <ulink url="https://www.archlinux.org">Arch Linux</ulink> distribution in a container - # pacstrap -c -d ~/arch-tree/ base + # pacstrap -c ~/arch-tree/ base # systemd-nspawn -bD ~/arch-tree/ This installs a minimal Arch Linux distribution into the -- cgit v1.2.3 From cc9ba15efe9ba647ec11fbb069508d2f73832f64 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 25 Jun 2019 10:44:59 +0200 Subject: man: improve --test documentation Incorporates some suggestions from: https://github.com/systemd/systemd/pull/12868#discussion_r296738370 https://github.com/systemd/systemd/commit/cd69e88ba3a692618048117b26fc9ea339aa1845#commitcomment-34060775 --- man/systemd.xml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'man') diff --git a/man/systemd.xml b/man/systemd.xml index dfd77a474d..77c6cc3dd7 100644 --- a/man/systemd.xml +++ b/man/systemd.xml 
@@ -71,12 +71,13 @@ Determine the initial start-up transaction (i.e. the list of jobs enqueued at - start-up), dump it and exit. This option is useful for debugging only. Note that during regular - service manager start-up further units might be started than this operation shows, because hardware, - socket, bus or other kinds of activation might add additional jobs. Use to - request the initial transaction of the system service manager (this is also the implied default), - combine with to request the initial transaction of the per-user service - manager instead. + start-up), dump it and exit — without actually executing any of the determined jobs. This option is + useful for debugging only. Note that during regular service manager start-up additional units not + shown by this operation may be started, because hardware, socket, bus or other kinds of activation + might add additional jobs as the transaction is executed. Use to request + the initial transaction of the system service manager (this is also the implied default), combine + with to request the initial transaction of the per-user service manager + instead. -- cgit v1.2.3 From 33a5137cf0f24f5d0e0a34056e8699473d55b497 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 25 Jun 2019 10:47:13 +0200 Subject: man: say D-Bus, not dbus --- man/systemd.xml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'man') diff --git a/man/systemd.xml b/man/systemd.xml index 77c6cc3dd7..deba17dc42 100644 --- a/man/systemd.xml +++ b/man/systemd.xml @@ -89,9 +89,8 @@ - Dump exposed bus properties. This outputs - a terse but complete list of properties exposed to dbus. - + Dump exposed bus properties. This outputs a terse but complete list of properties + exposed on D-Bus. -- cgit v1.2.3 From c13fb257343aaeaa5508152257b5c43cdf25cb49 Mon Sep 17 00:00:00 2001 
From: INSUN PYO Date: Tue, 25 Jun 2019 20:38:02 +0900 Subject: man: change true/false to yes/no for DefaultDependencies. --- man/systemd.unit.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'man') diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index d13212ebcc..38a239a0e8 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -832,7 +832,7 @@ DefaultDependencies= Takes a boolean argument. If - , (the default), a few default + , (the default), a few default dependencies will implicitly be created for the unit. The actual dependencies created depend on the unit type. For example, for service units, these dependencies ensure that the @@ -840,9 +840,9 @@ completed and is properly terminated on system shutdown. See the respective man pages for details. Generally, only services involved with early boot or late shutdown should set this - option to . It is highly recommended to + option to . It is highly recommended to leave this option enabled for the majority of common units. If - set to , this option does not disable + set to , this option does not disable all implicit dependencies, just non-essential ones. -- cgit v1.2.3 From bbd199c438b172034e40ecdfa47ecad5b3f94c1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 26 Jun 2019 14:56:04 +0200 Subject: man: move description of how conditions are combined to the beginning Originally the description of conditions was brief, so it was acceptable to put this part at the end. But now we have a myriad conditions, and this crucial bit of information is easy to miss. --- man/systemd.unit.xml | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) (limited to 'man') diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 38a239a0e8..81bce696bd 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml 
@@ -1007,9 +1007,7 @@ ConditionMemory= ConditionCPUs= - Before starting a unit, verify that the specified condition is true. If it is not true, the @@ -1024,6 +1022,16 @@ conditions are considered to be in a clean state and will be garbage collected if they are not referenced. This means, that when queried, the condition failure may or may not show up in the state of the unit. + If multiple conditions are specified, the unit will be executed if all of them apply (i.e. a + logical AND is applied). Condition checks can be prefixed with a pipe symbol (|) + in which case a condition becomes a triggering condition. If at least one triggering condition is + defined for a unit, then the unit will be executed if at least one of the triggering conditions apply + and all of the non-triggering conditions. If you prefix an argument with the pipe symbol and an + exclamation mark, the pipe symbol must be passed first, the exclamation second. Except for + ConditionPathIsSymbolicLink=, all path checks follow symlinks. If any of these + options is assigned the empty string, the list of conditions is reset completely, all previous + condition settings (of any kind) will have no effect. + ConditionArchitecture= may be used to check whether the system is running on a specific architecture. Takes one of 
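Review bot: in the moved paragraph, "the unit will be executed if at least one of the triggering conditions apply and all of the non-triggering conditions" leaves the second clause without a verb; suggest "... and all of the non-triggering conditions apply". Given that the purpose of the patch is to make this rule easy to find, consider also ordering the paragraph as AND rule, "|" trigger rule, "|!" ordering rule, empty-string reset, with the symlink remark last, so the combination rules read as one block.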
@@ -1279,23 +1287,7 @@ comparison operator. On physical systems the number of CPUs in the affinity mask of the service manager usually matches the number of physical CPUs, but in special and virtual environments might differ. In particular, in containers the affinity mask usually matches the number of CPUs assigned to - the container and not the physically available ones. - - If multiple conditions are specified, the unit will be - executed if all of them apply (i.e. a logical AND is applied). - Condition checks can be prefixed with a pipe symbol (|) in - which case a condition becomes a triggering condition. If at - least one triggering condition is defined for a unit, then the - unit will be executed if at least one of the triggering - conditions apply and all of the non-triggering conditions. If - you prefix an argument with the pipe symbol and an exclamation - mark, the pipe symbol must be passed first, the exclamation - second. Except for - ConditionPathIsSymbolicLink=, all path - checks follow symlinks. If any of these options is assigned - the empty string, the list of conditions is reset completely, - all previous condition settings (of any kind) will have no - effect. + the container and not the physically available ones. -- cgit v1.2.3 From d238709c14c89884b2fdfc72c8228a4f30874df1 Mon Sep 17 00:00:00 2001 From: Michael Prokop Date: Thu, 27 Jun 2019 09:54:20 +0200 Subject: docs: fix typos and duplicate words s/and and/and/ s/explicity/explicitly/ s/that that/that/ s/the the/the/ s/is is/it is/ s/overriden/overridden/ --- man/systemd-system.conf.xml | 2 +- man/systemd.net-naming-scheme.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 9de04a7879..10eeb7e690 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml 
@@ -120,7 +120,7 @@ Configures the NUMA node mask that will be associated with the selected NUMA policy. Note that and NUMA policies don't require explicit NUMA node mask and - value of the option can be empty. Similarly to NUMAPolicy=, value can be overriden + value of the option can be empty. Similarly to NUMAPolicy=, value can be overridden by individual services in unit files, see systemd.exec5. diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml index 4caac11156..91ad57df03 100644 --- a/man/systemd.net-naming-scheme.xml +++ b/man/systemd.net-naming-scheme.xml @@ -37,7 +37,7 @@ schemes". The default naming scheme is chosen at compilation time. Usually this will be the latest implemented version, but it is also possible to set one of the older versions to preserve compatibility. This may be useful for example for distributions, which may introduce new versions of - systemd in stable releases without changing the naming scheme. The naming scheme may also be overriden + systemd in stable releases without changing the naming scheme. The naming scheme may also be overridden using the net.naming-scheme= kernel command line switch, see systemd-udevd.service8. Available naming schemes are described below. -- cgit v1.2.3 From edfea9fe0db025d8b90f07d969b48a1017399265 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 26 Jun 2019 14:58:45 +0200 Subject: analyze: add 'condition' verb We didn't have a straightforward way to parse and evaluate those strings. Prompted by #12881. --- man/systemd-analyze.xml | 33 +++++++++++++++++++++++++++++++++ man/systemd.unit.xml | 10 ++++++++-- 2 files changed, 41 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 651a73848e..5dce2ae8fb 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml 
@@ -83,6 +83,12 @@ OPTIONS unit-paths + + systemd-analyze + OPTIONS + condition + CONDITION + systemd-analyze OPTIONS @@ -348,6 +354,33 @@ $ eog targets.svg to retrieve the actual list that the manager uses, with any empty directories omitted. + + <command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command> + + This command will evaluate Condition*=... and + Assert*=... assignments, and print their values, and + the resulting value of the combined condition set. See + systemd.unit5 + for a list of available conditions and asserts. + + + Evaluate conditions that check kernel versions + + $ systemd-analyze condition 'ConditionKernelVersion = ! <4.0' \ + 'ConditionKernelVersion = >=5.1' \ + 'ConditionACPower=|false' \ + 'ConditionArchitecture=|!arm' \ + 'AssertPathExists=/etc/os-release' +test.service: AssertPathExists=/etc/os-release succeeded. +Asserts succeeded. +test.service: ConditionArchitecture=|!arm succeeded. +test.service: ConditionACPower=|false failed. +test.service: ConditionKernelVersion=>=5.1 succeeded. +test.service: ConditionKernelVersion=!<4.0 succeeded. +Conditions succeeded. + + + <command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command> diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 81bce696bd..045931038b 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -1030,7 +1030,9 @@ exclamation mark, the pipe symbol must be passed first, the exclamation second. Except for ConditionPathIsSymbolicLink=, all path checks follow symlinks. If any of these options is assigned the empty string, the list of conditions is reset completely, all previous - condition settings (of any kind) will have no effect. + condition settings (of any kind) will have no effect. The condition verb of + systemd-analyze1 + can be used to test condition and assert expressions. ConditionArchitecture= may be used to check whether the system is running on a specific 
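Review bot: in the systemd-analyze.xml hunk, the example title "Evaluate conditions that check kernel versions" undersells the example, which also exercises ConditionACPower=, ConditionArchitecture= and AssertPathExists=; suggest "Evaluate a set of conditions and asserts". The sample output is prefixed with "test.service:" although the command never names a unit, so the description should say that the verb evaluates the expressions in the context of a synthetic unit and that this is where the prefix comes from. The same hunk shows that whitespace around "=" and "!" in the input ("ConditionKernelVersion = ! <4.0") is normalised in the output ("ConditionKernelVersion=!<4.0"); a sentence noting that the input is parsed like a unit-file assignment would save readers a question.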
@@ -1326,7 +1328,11 @@ Note that neither assertion nor condition expressions result in unit state changes. Also note that both are checked at the time the job is to be executed, i.e. long after depending jobs and it itself were queued. Thus, neither condition nor assertion expressions are suitable for conditionalizing unit - dependencies. + dependencies. + + The condition verb of + systemd-analyze1 + can be used to test condition and assert expressions. -- cgit v1.2.3 From 6d22bd87f0d9505721dfa0ec5ae94f39a1691526 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 29 Jun 2019 04:03:06 +0900 Subject: udevadm: support special value 'help' for --action option --- man/udevadm.xml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'man') diff --git a/man/udevadm.xml b/man/udevadm.xml index 396d418f83..d12c39b765 100644 --- a/man/udevadm.xml +++ b/man/udevadm.xml @@ -228,7 +228,9 @@ Type of event to be triggered. Possible actions are add, remove, change, move, online, offline, bind, - and unbind. The default value is change. + and unbind. Also, the special value help can be used + to list the possible actions. The default value is change. + @@ -524,9 +526,10 @@ - + - The action string. + The action string. The special value help may be used to list + known values. -- cgit v1.2.3 From 910c6d09311ff41ee6f913ff4881f4d8059c2a33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 28 Jun 2019 10:58:06 +0200 Subject: Treat kernel version condition as a list of quoted checks Before only one comparison was allowed. Let's make this more flexible: ConditionKernelVersion = ">=4.0" "<=4.5" Fixes #12881. This also fixes expressions like "ConditionKernelVersion=>" which would evaluate as true. --- man/systemd.unit.xml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'man') diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 045931038b..0ac9ff4882 100644 --- a/man/systemd.unit.xml 
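Review bot: this hunk adds the sentence "The condition verb of systemd-analyze(1) can be used to test condition and assert expressions" to systemd.unit.xml a second time; the previous hunk in the same file already appends the identical sentence to the condition-reset paragraph. Suggest keeping only one copy, preferably this one at the end of the assertion discussion where both conditions and asserts have been introduced.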
+++ b/man/systemd.unit.xml @@ -1136,10 +1136,11 @@ ConditionKernelVersion= may be used to check whether the kernel version (as reported by uname -r) matches a certain expression (or if prefixed with the - exclamation mark does not match it). The argument must be a single string. If the string starts with - one of <, <=, =, - !=, >=, > a relative version - comparison is done, otherwise the specified string is matched with shell-style globs. + exclamation mark does not match it). The argument must be a list of (potentially quoted) expressions. + For each of the expressions, if it starts with one of <, + <=, =, !=, >=, + > a relative version comparison is done, otherwise the specified string is + matched with shell-style globs. Note that using the kernel version string is an unreliable way to determine which features are supported by a kernel, because of the widespread practice of backporting drivers, features, and fixes from newer upstream -- cgit v1.2.3 From 44005bfb4eaae840e481e7a0d0b74ac9ee418302 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sun, 23 Jun 2019 01:44:13 +0900 Subject: network,udev: add Property= setting in [Match] section Closes #5665. --- man/systemd.link.xml | 15 +++++++++++++++ man/systemd.network.xml | 15 +++++++++++++++ 2 files changed, 30 insertions(+) (limited to 'man') diff --git a/man/systemd.link.xml b/man/systemd.link.xml index b1be32955e..8539422efc 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml 
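Review bot: the hunk changes the argument from "a single string" to "a list of (potentially quoted) expressions" but does not say how the expressions combine; the commit message's example, ConditionKernelVersion = ">=4.0" "<=4.5", only makes sense if all of them must match, so add a sentence such as "The condition is true only if every listed expression matches." The commit message also says a bare operator like ">" previously evaluated as true; the documentation should state that an expression consisting of an operator without a version is rejected, so readers know the behaviour changed.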
@@ -115,6 +115,21 @@ property DEVTYPE. + + Property= + + A whitespace-separated list of udev property name with its value after a equal + (=). If multiple properties are specified, the test results are ANDed. + If the list is prefixed with a "!", the test is inverted. If a value contains white + spaces, then please quote whole key and value pair. If a value contains quotation, then + please escape the quotation with \. + + Example: if a .link file has the following: + Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\"" + then, the .link file matches only when an interface has all the above three properties. + + + Host= diff --git a/man/systemd.network.xml b/man/systemd.network.xml index bad673b44e..1509a07ac1 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -138,6 +138,21 @@ with a "!", the test is inverted. + + Property= + + A whitespace-separated list of udev property name with its value after a equal + (=). If multiple properties are specified, the test results are ANDed. + If the list is prefixed with a "!", the test is inverted. If a value contains white + spaces, then please quote whole key and value pair. If a value contains quotation, then + please escape the quotation with \. + + Example: if a .network file has the following: + Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\"" + then, the .network file matches only when an interface has all the above three properties. + + + Host= -- cgit v1.2.3 From c382025adf1e5ee15455f1b2b2f0b961c48f13d7 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sun, 23 Jun 2019 04:05:51 +0900 Subject: man: fix wrong udev property name --- man/systemd.link.xml | 2 +- man/systemd.network.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.link.xml b/man/systemd.link.xml index 8539422efc..7ea9a71107 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml 
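Review bot: in both the systemd.link.xml and systemd.network.xml hunks, "udev property name with its value after a equal (=)" should read "an equal sign (=)", and "please quote whole key and value pair" should read "quote the whole key=value pair". Two questions the text leaves open and should answer: whether the "!" prefix inverts each entry or the ANDed result of the whole list, and whether values are compared literally or with shell-style globs as the neighbouring Driver= match does. The escaping example (KEY=with \"quotation\") is good; one more line showing the inverted form would complete it.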
@@ -103,7 +103,7 @@ Driver= A whitespace-separated list of shell-style globs matching the driver currently bound to the - device, as exposed by the udev property DRIVER of its parent device, or if that + device, as exposed by the udev property ID_NET_DRIVER of its parent device, or if that is not set, the driver as exposed by ethtool -i of the device itself. diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 1509a07ac1..d32b60a2c9 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -113,7 +113,7 @@ A whitespace-separated list of shell-style globs matching the driver currently bound to the device, as - exposed by the udev property DRIVER + exposed by the udev property ID_NET_DRIVER of its parent device, or if that is not set the driver as exposed by ethtool -i of the device itself. If the list is prefixed with a "!", the -- cgit v1.2.3 From 93912e872fb14e9c372e090409e429084a6450f5 Mon Sep 17 00:00:00 2001 From: Jan Synacek Date: Thu, 25 Apr 2019 12:19:16 +0200 Subject: debug-generator: enable custom systemd.debug_shell tty --- man/custom-entities.ent.in | 1 + man/systemd-debug-generator.xml | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) (limited to 'man') diff --git a/man/custom-entities.ent.in b/man/custom-entities.ent.in index e2bd44e5e7..85805777a0 100644 --- a/man/custom-entities.ent.in +++ b/man/custom-entities.ent.in @@ -8,3 +8,4 @@ + diff --git a/man/systemd-debug-generator.xml b/man/systemd-debug-generator.xml index 1f9a79db82..305dc2ff37 100644 --- a/man/systemd-debug-generator.xml +++ b/man/systemd-debug-generator.xml @@ -1,7 +1,10 @@ + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ + +%entities; +]> 
@@ -56,9 +59,10 @@ option is specified, the debug shell service debug-shell.service is pulled into the boot - transaction. It will spawn a debug shell on tty9 during early - system startup. Note that the shell may also be turned on - persistently by enabling it with + transaction and a debug shell will be spawned during early boot. + By default, &DEBUGTTY; is used, but a specific tty can also be set, + either with or without the /dev/ prefix. + Note that the shell may also be turned on persistently by enabling it with systemctl1's enable command. is honored only by initial -- cgit v1.2.3 From 007b77ac6c01cb306ff890fbf655e10949118f83 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 3 Jul 2019 13:04:11 +0200 Subject: man: document tmpfiles.d/ user/group resolvability needs --- man/tmpfiles.d.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'man') diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index 67bd1dc724..ac6565ec93 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml @@ -495,6 +495,14 @@ w- /proc/sys/vm/swappiness - - - - 10 lines, when omitted or when set to -, the file ownership will not be modified. These parameters are ignored for x, r, R, L, t, and a lines. + + This field should generally only reference system users/groups, i.e. users/groups that are + guaranteed to be resolvable during early boot. If this field references users/groups that only become + resolveable during later boot (i.e. after NIS, LDAP or a similar networked directory service become + available), execution of the operations declared by the line will likely fail. Also see Notes on + Resolvability of User and Group Names for more information on requirements on system user/group + definitions. -- cgit v1.2.3 From a9a50bd68089cda36dadf8695565b135c9e21143 Mon Sep 17 00:00:00 2001 
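Review bot: in the tmpfiles.d.xml hunk, "resolveable" should be "resolvable". In the systemd-debug-generator.xml hunk, the replacement text says "a specific tty can also be set, either with or without the /dev/ prefix" but, unlike the removed sentence (which named tty9), gives no example of the accepted form and does not say what happens when the value does not name a tty; suggest one example value in each form and a sentence on how an invalid value is handled, since this controls where an early-boot debug shell appears.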
From: Philip Withnall Date: Wed, 3 Jul 2019 14:00:48 +0100 Subject: man: Add some notes about variable $prefix for StateDirectory= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit tl;dr: It isn’t supported. Wording by Zbigniew Jędrzejewski-Szmek. See https://twitter.com/pid_eins/status/1102639279614906369 and https://gitlab.freedesktop.org/libfprint/fprintd/merge_requests/5#note_125536 onwards. Signed-off-by: Philip Withnall --- man/systemd.exec.xml | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index bacd539b15..56a029a82e 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -972,6 +972,15 @@ CapabilityBoundingSet=~CAP_B CAP_C configuration or lifetime guarantees, please consider using tmpfiles.d5. + The directories defined by these options are always created under the standard paths used by systemd + (/var, /run, /etc, …). If the service needs + directories in a different location, a different mechanism has to be used to create them. + + tmpfiles.d5 provides + functionality that overlaps with these options. Using these options is recommended, because the lifetime of + the directories is tied directly to the lifetime of the unit, and it is not necessary to ensure that the + tmpfiles.d configuration is executed before the unit is started. + Example: if a system service unit has the following, RuntimeDirectory=foo/bar baz the service manager creates /run/foo (if it does not exist), -- cgit v1.2.3 From caa8ca4286a44d2de178088ef4c5186ae3026a13 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Tue, 9 Jul 2019 19:53:28 +0530 Subject: networkd: DHCPv6 - separate DHCPv6 options from DHCPv4 options Closes https://github.com/systemd/systemd/issues/12917 --- man/systemd.network.xml | 35 ++++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 9 deletions(-) (limited to 'man') 
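Review bot: the new paragraph "Using these options is recommended, because the lifetime of the directories is tied directly to the lifetime of the unit" sits immediately after the unchanged context line "configuration or lifetime guarantees, please consider using tmpfiles.d", so the two pieces of advice read as contradictory. Suggest qualifying the new sentence, e.g. "When the directories are only needed while the unit runs, these options are preferable to tmpfiles.d, because ...", so the reader can tell which mechanism fits which case. The first added paragraph (standard paths only, no custom prefix) is clear and answers the question the commit message raises.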
diff --git a/man/systemd.network.xml b/man/systemd.network.xml index d32b60a2c9..a57c60080c 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1293,7 +1293,7 @@ [DHCP] Section Options The [DHCP] section configures the - DHCPv4 and DHCP6 client, if it is enabled with the + DHCPv4 client, if it is enabled with the DHCP= setting described above: @@ -1526,6 +1526,30 @@ + + BlackList= + + A whitespace-separated list of IPv4 addresses. DHCP offers from servers in the list are rejected. + + + + + + + + [DHCPv6] Section Options + The [DHCPv6] section configures the DHCPv6 client, if it is enabled with the + DHCPv6= setting described above: + + + + UseDNS= + UseNTP= + + As in the [DHCP] section. + + + RapidCommit= @@ -1555,15 +1579,8 @@ - - BlackList= - - A whitespace-separated list of IPv4 addresses. DHCP offers from servers in the list are rejected. - - - - + [IPv6AcceptRA] Section Options -- cgit v1.2.3 From 4f7331a85eee2134cc2383a9eeb0445593a6be15 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Wed, 10 Jul 2019 17:33:05 +0900 Subject: network: rename [DHCP] section to [DHCPv4] To keep the backward compatibility broken by the previous commit. --- man/systemd.network.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index a57c60080c..5841fbbbf7 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -324,8 +324,8 @@ specified through DHCP is not used for name resolution. See option below. - See the [DHCP] section below for further configuration options for the DHCP client - support. + See the [DHCPv4] or [DHCPv6] section below for + further configuration options for the DHCP client support. @@ -1291,8 +1291,8 @@ - [DHCP] Section Options - The [DHCP] section configures the + [DHCPv4] Section Options + The [DHCPv4] section configures the DHCPv4 client, if it is enabled with the DHCP= setting described above: 
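Review bot: the new [DHCPv6] introduction says the client "is enabled with the DHCPv6= setting described above", but no hunk in this patch adds a DHCPv6= setting, and the follow-up commit replaces the reference with DHCP=, so as merged this patch documents a setting that does not exist. In the same hunk, the UseDNS=/UseNTP= entry reads "As in the [DHCP] section", and the follow-up rename of [DHCP] to [DHCPv4] does not touch that line, leaving a stale section name; suggest fixing the reference to "[DHCPv4]" together with the rename.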
@@ -1539,7 +1539,7 @@ [DHCPv6] Section Options The [DHCPv6] section configures the DHCPv6 client, if it is enabled with the - DHCPv6= setting described above: + DHCP= setting described above, or invoked by the IPv6 Router Advertisement: -- cgit v1.2.3 From 36cf45078c0d411d72f70327d2ae1d29e8079a34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 6 Jun 2019 19:22:20 +0200 Subject: Add config and kernel commandline option to use short identifiers No functional change, just docs and configuration and parsing. v2: - change ShortIdentifiers=yes|no to StatusUnitFormat=name|description. --- man/kernel-command-line.xml | 1 + man/systemd-system.conf.xml | 10 ++++++++++ man/systemd.xml | 10 ++++++++++ 3 files changed, 21 insertions(+) (limited to 'man') diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml index 903ff924f5..f9408a028d 100644 --- a/man/kernel-command-line.xml +++ b/man/kernel-command-line.xml @@ -59,6 +59,7 @@ systemd.confirm_spawn systemd.service_watchdogs systemd.show_status + systemd.status_unit_format= systemd.log_target= systemd.log_level= systemd.log_location= diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 10eeb7e690..5b80479a0a 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -244,6 +244,16 @@ understood too. + + StatusUnitFormat= + + Takes either or as the value. If + , the system manager will use unit names in status messages, instead of the + longer and more informative descriptions set with Description=, see + systemd.unit5. + + + DefaultTimerAccuracySec= diff --git a/man/systemd.xml b/man/systemd.xml index deba17dc42..41c0f5f643 100644 --- a/man/systemd.xml +++ b/man/systemd.xml 
@@ -1027,6 +1027,16 @@ configuration file option. + + systemd.status_unit_format= + + Takes either or as the value. If + , the system manager will use unit names in status messages. If specified, + overrides the system manager configuration file option , see + systemd-system.conf5. + + + systemd.log_target= systemd.log_level= -- cgit v1.2.3 From 98d20a17a9f673ede7de6bfc72340b024af5071c Mon Sep 17 00:00:00 2001 From: 1848 Date: Mon, 8 Jul 2019 17:09:46 +0200 Subject: Added support for xfrm interfaces --- man/systemd.netdev.xml | 43 +++++++++++++++++++++++++++++++++++++++++++ man/systemd.network.xml | 31 +++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index d083fb9a6f..3cce776cc2 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -179,6 +179,9 @@ fou Foo-over-UDP tunneling. + xfrm + A virtual tunnel interface like vti/vti6 but with several advantages. + @@ -1848,6 +1851,36 @@ Linux Ethernet Bonding Driver HOWTO + + [Xfrm] Section Options + + The [Xfrm] section accepts the following + keys: + + + + InterfaceId= + + Sets the ID/key of the xfrm interface which needs to be associated with a SA/policy. + Can be decimal or hexadecimal, valid range is 0-0xffffffff, defaults to 0. + + + + Independent= + + Takes a boolean. If set to no, the xfrm interface should have an + underlying device which can be used for hardware offloading. Defaults to no. + See systemd.network5 + for how to configure the underlying device. + + + + + For more detail information see + + Virtual xfrm interfaces + + [VRF] Section Options The [VRF] section only applies for @@ -2048,6 +2081,16 @@ PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA= AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24 Endpoint=wireguard.example.com:51820 + + + /etc/systemd/network/27-xfrm.netdev + [Xfrm] +Name=xfrm0 +Kind=xfrm + +[Xfrm] +Independent=yes + 
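Review bot: the netdev example at the end of the systemd.netdev.xml hunk opens with "[Xfrm] Name=xfrm0 Kind=xfrm", but Name= and Kind= are [NetDev] keys, so the first section header should be [NetDev], as the companion example in systemd.network.xml ("[NetDev] Name=xfrm0") has it; as written the file would not define a netdev. In the kind table, "like vti/vti6 but with several advantages" should name at least one (the InterfaceId= association with an SA/policy that the section below describes), and "For more detail information" should read "For more detailed information".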
diff --git a/man/systemd.network.xml b/man/systemd.network.xml index d32b60a2c9..c48b294551 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -856,6 +856,14 @@ + + Xfrm= + + The name of the xfrm to create on the link. See + systemd.netdev5. + This option may be specified more than once. + + KeepConfiguration= @@ -2338,6 +2346,29 @@ Name=enp0s25 MACVTAP=macvtap-test + + + A Xfrm interface with physical underlying device. + + # /etc/systemd/network/27-xfrm.netdev +[NetDev] +Name=xfrm0 + +[Xfrm] +InterfaceId=7 + + # /etc/systemd/network/27-eth0.network +[Match] +Name=eth0 + +[Network] +Xfrm=xfrm0 + + This creates a xfrm0 interface and binds it to the eth0 device. + This allows hardware based ipsec offloading to the eth0 nic. + If offloading is not needed, xfrm interfaces can be assigned to the lo device. + + -- cgit v1.2.3 From 8c9c703c5532fa5353f8e8a95419885da7e03c19 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Wed, 10 Jul 2019 23:49:17 +0900 Subject: network: add AssignToLoopback= setting to [Tunnel] section networkd does not manage loopback interface lo. So, previously, we have no way to assign tunnel devices to lo. --- man/systemd.netdev.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 3cce776cc2..ff37f26990 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -1215,6 +1215,13 @@ + + AssignToLoopback= + + Takes a boolean. If set to yes, the loopback interface lo + is used as the underlying device of the tunnel interface. Defaults to no. + + AllowLocalRemote= -- cgit v1.2.3 From 8c8208cb80eedcaad285fbd80cc3d354f2c52ebe Mon Sep 17 00:00:00 2001 
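Review bot: the example file 27-xfrm.netdev added at the end of the systemd.netdev.xml hunk opens with a second [Xfrm] section where Name= and Kind= are placed, so as written the file has no [NetDev] section and will not be loaded as a netdev. It should begin with
[NetDev]
Name=xfrm0
Kind=xfrm
followed by the [Xfrm] section with Independent=yes. The example in the systemd.network.xml hunk of the same commit gets the [NetDev] header right but omits Kind=xfrm, which is equally required; the two examples should be consistent with each other.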
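Review bot: the [Xfrm] section text in the systemd.netdev.xml hunk leaves two things a user needs unstated. InterfaceId= "defaults to 0", but the page does not say whether 0 is a usable id or whether it must match a non-zero id on the SA/policy (the only example uses InterfaceId=7); say which. Independent= says the interface "should" have an underlying device when set to no; if the device is mandatory in that case, write "must" and say what happens when none is configured. Minor: "For more detail information see" should be "For more detailed information, see", and the kind table entry "like vti/vti6 but with several advantages" should either name one (the binding by interface id described in the [Xfrm] section is the obvious candidate) or drop the claim.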
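Review bot: the closing sentence of the xfrm example in the systemd.network.xml hunk, "If offloading is not needed, xfrm interfaces can be assigned to the lo device", is not backed by anything in this commit and is contradicted by the next commit in the series, whose message says networkd does not manage lo and that there was previously no way to assign tunnel devices to it. Either drop the sentence or tie it to a concrete setting. Minor wording in the same hunk: "A Xfrm interface" and "a xfrm0 interface" should be "An xfrm interface" and "an xfrm0 interface", "ipsec" should be "IPsec", "nic" should be "NIC", and "The name of the xfrm to create on the link" should be "The name of the xfrm interface to create on the link".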
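Review bot: the AssignToLoopback= hunk should state how the option interacts with assigning the same tunnel to a link through a .network file, i.e. whether the two conflict or which one takes precedence. Given the commit message's point that lo is otherwise unmanaged, it would also help to say explicitly that no .network file for lo is needed (or possible) and that AssignToLoopback=yes is the only way to obtain that binding.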
From: Lennart Poettering Date: Mon, 1 Apr 2019 17:28:29 +0200 Subject: =?UTF-8?q?man:=20document=20new=20"systemctl=20clean=E2=80=A6"=20?= =?UTF-8?q?operation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- man/systemctl.xml | 33 +++++++++++++++++++++++++++++++++ man/systemd.exec.xml | 5 +++++ man/systemd.service.xml | 10 ++++++++++ man/systemd.timer.xml | 22 ++++++++++++---------- 4 files changed, 60 insertions(+), 10 deletions(-) (limited to 'man') diff --git a/man/systemctl.xml b/man/systemctl.xml index 5ebe1832bc..b2e3cbcb21 100644 --- a/man/systemctl.xml +++ b/man/systemctl.xml @@ -506,6 +506,21 @@ + + + + + Select what type of per-unit resources to remove when the clean command is + invoked, see below. Takes one of configuration, state, + cache, logs, runtime to select the + type of resource. This option may be specified more than once, in which case all specified resource + types are removed. Also accepts the special value all as a shortcut for + specifiying all five resource types. If this option is not specified defaults to the combination of + cache and runtime, i.e. the two kinds of resources that + are generally considered to be redundant and can be reconstructed on next invocation. + + + 
@@ -904,6 +919,24 @@ Sun 2017-02-26 20:57:49 EST 2h 3min left Sun 2017-02-26 11:56:36 EST 6h ago the signal to send. + + clean PATTERN + + + Remove the configuration, state, cache, logs or runtime data of the specified units. Use + to select which kind of resource to remove. For service units this may + be used to remove the directories configured with ConfigurationDirectory=, + StateDirectory=, CacheDirectory=, + LogsDirectory= and RuntimeDirectory=, see + systemd.exec5 + for details. For timer units this may be used to clear out the persistent timestamp data if + Persistent= is used and is selected, see + systemd.timer5. This + command only applies to units that use either of these settings. If is + not specified, both the cache and runtime data are removed (as these two types of data are + generally redundant and reproducible on the next invocation of the unit). + + is-active PATTERN diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 56a029a82e..48dd42ca3c 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -981,6 +981,11 @@ CapabilityBoundingSet=~CAP_B CAP_C the directories is tied directly to the lifetime of the unit, and it is not necessary to ensure that the tmpfiles.d configuration is executed before the unit is started. + To remove any of the directories created by these settings, use the systemctl clean + … command on the relevant units, see + systemctl1 for + details. + Example: if a system service unit has the following, RuntimeDirectory=foo/bar baz the service manager creates /run/foo (if it does not exist), diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 22329f6c2f..145f97206c 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml 
@@ -610,6 +610,16 @@ + + TimeoutCleanSec= + Configures a timeout on the clean-up operation requested through systemctl + clean …, see + systemctl1 for + details. Takes the usual time values and defaults to infinity, i.e. by default + no time-out is applied. If a time-out is configured the clean operation will be aborted forcibly when + the time-out is reached, potentially leaving resources on disk. + + RuntimeMaxSec= diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml index 340286d912..0f6518dbc2 100644 --- a/man/systemd.timer.xml +++ b/man/systemd.timer.xml @@ -286,16 +286,18 @@ Persistent= - Takes a boolean argument. If true, the time - when the service unit was last triggered is stored on disk. - When the timer is activated, the service unit is triggered - immediately if it would have been triggered at least once - during the time when the timer was inactive. This is useful to - catch up on missed runs of the service when the machine was - off. Note that this setting only has an effect on timers - configured with OnCalendar=. Defaults - to false. - + Takes a boolean argument. If true, the time when the service unit was last triggered + is stored on disk. When the timer is activated, the service unit is triggered immediately if it + would have been triggered at least once during the time when the timer was inactive. This is useful + to catch up on missed runs of the service when the system was powered down. Note that this setting + only has an effect on timers configured with OnCalendar=. Defaults to + false. + + Use systemctl clean --what=state … on the timer unit to remove the timestamp + file maintained by this option from disk. In particular, use this command before uninstalling a timer + unit. See + systemctl1 for + details. -- cgit v1.2.3 From b956364db01264199ff910e994e651730341911e Mon Sep 17 00:00:00 2001 
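Review bot: in the resource-selector option hunk of systemctl.xml, "specifiying" should be "specifying". The same paragraph calls cache and runtime "redundant and can be reconstructed on next invocation"; it should say just as plainly that configuration, state and logs are not reconstructable, so that a user passing all understands the operation is destructive and irreversible.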
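Review bot: in the clean PATTERN hunk, "This command only applies to units that use either of these settings" refers to six settings, so "either" should be "any". The description should also say what happens when the unit is currently active: whether clean refuses (the safe behaviour, since it avoids removing directories out from under a running service) or proceeds. Either way it needs to be documented, because a cleaned ConfigurationDirectory= or StateDirectory= under a live service is a data-loss scenario.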
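Review bot: the reworked Persistent= paragraph in systemd.timer.xml says the last-trigger time "is stored on disk" but never says where, yet the new text tells users to run systemctl clean --what=state on the timer unit before uninstalling it. Name the location, so that packagers who cannot invoke systemctl at uninstall time (for example inside a chroot or image build) know which file to remove.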
From: Yu Watanabe Date: Thu, 11 Jul 2019 02:23:41 +0900 Subject: network: rename Neighbor.MACAddress= to Neighbor.LinkLayerAddress= And make it support IPv4 address. Closes #13015. --- man/systemd.network.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index c544315601..612450dbd8 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1016,9 +1016,9 @@ - MACAddress= + LinkLayerAddress= - The hardware address of the neighbor. + The link layer address (MAC address or IP address) of the neighbor. -- cgit v1.2.3 From 94d6e299637db582f156612af32f167643caf4c9 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sun, 7 Jul 2019 09:40:17 +0900 Subject: network: make Route.Type= support local, broadcast, anycast, multicast, nat, and xresolve Closes #12975. --- man/systemd.network.xml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 612450dbd8..70abb14c45 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1232,7 +1232,11 @@ Type= - Specifies the type for the route. If unicast, a regular route is defined, i.e. a + Specifies the type for the route. Takes one of unicast, + local, broadcast, anycast, + multicast, blackhole, unreachable, + prohibit, throw, nat, and + xresolve. If unicast, a regular route is defined, i.e. a route indicating the path to take to a destination network address. If blackhole, packets to the defined route are discarded silently. If unreachable, packets to the defined route are discarded and the ICMP message "Host Unreachable" is generated. If prohibit, packets -- cgit v1.2.3 From 41b90a1eb5cb87beab4603b52adbce36b723a6d6 Mon Sep 17 00:00:00 2001 
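Review bot: renaming Neighbor.MACAddress= to LinkLayerAddress= is a user-visible change to an existing setting; the hunk should say whether MACAddress= is still accepted as a deprecated alias or is now rejected, and if rejected this deserves a NEWS entry. The new description, "The link layer address (MAC address or IP address) of the neighbor", is also imprecise, since an IP address is not a link-layer address; say something like "The link-layer address of the neighbor. Takes a MAC address or, where the link carries IP directly (such as tunnels), an IP address."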
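Review bot: the Type= hunk enumerates twelve route types, but the text that follows only explains unicast, blackhole, unreachable and prohibit; throw, local, broadcast, anycast, multicast, nat and xresolve are listed and never defined. Add one clause per value or at least a pointer to the route types in ip-route(8), and if nat and xresolve are not actually honoured by current kernels, say so rather than presenting them as equal to the others.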
From: Yu Watanabe Date: Mon, 8 Jul 2019 20:19:28 +0900 Subject: network: use string table to parse route table or scope --- man/systemd.network.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 70abb14c45..c9d6fd4d72 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1086,8 +1086,9 @@ Table= - Specifies the routing table identifier to lookup if the rule - selector matches. The table identifier for a route (a number between 1 and 4294967295). + Specifies the routing table identifier to lookup if the rule selector matches. Takes + one of default, main, and local, + or a number between 1 and 4294967295. Defaults to main. -- cgit v1.2.3 From b042dd687c8dc50cef6d7355d9790a2a1791ec27 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 12 Jul 2019 09:18:59 +0200 Subject: man: document that the supplementary groups list is initialized from User='s database entry Fixes: #12936 --- man/systemd.exec.xml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 48dd42ca3c..f9c3f41890 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -226,7 +226,12 @@ specified user and group must have been created statically in the user database no later than the moment the service is started, for example using the sysusers.d5 facility, which - is applied at boot or package install time. + is applied at boot or package install time. + + If the User= setting is used the supplementary group list is initialized + from the specified user's default group list, as defined in the system's user and group + database. Additional groups may be configured through the SupplementaryGroups= + setting (see below). -- cgit v1.2.3 From bfcb9d3a7d162553d1261700b67c341aceaa9b70 Mon Sep 17 00:00:00 2001 
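Review bot: in the Table= hunk, "to lookup" should be "to look up", and the new sentence should say what the three names resolve to (local is 255, main is 254, default is 253), since a rule written with a name and one written with the number need to be understood as equivalent by anyone auditing the routing policy.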
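Review bot: the new paragraph in the User= hunk of systemd.exec.xml needs a comma after "If the User= setting is used", and it should spell out the consequence: every group the account belongs to in the user database becomes a supplementary group of the service, so running a service as an account that is also a member of unrelated groups widens what the service can read and write. Say whether SupplementaryGroups= can only add to that list (and whether assigning it the empty string drops the database-derived groups or only the configured ones), so administrators know that the way to shrink the set is to change the account's membership.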
From: Lennart Poettering Date: Fri, 12 Jul 2019 09:25:22 +0200 Subject: man: be more explicit that Type=oneshot services are not "active" after starting Fixes: #13000 --- man/systemd.service.xml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 145f97206c..4ff009e773 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -191,11 +191,17 @@ main process of the service. systemd will proceed with starting follow-up units as soon as the parent process exits. - Behavior of is similar to ; however, the - service manager will consider the unit started after the main process exits. It will then start follow-up - units. RemainAfterExit= is particularly useful for this type of - service. Type= is the implied default if neither - Type= nor ExecStart= are specified. + Behavior of is similar to ; + however, the service manager will consider the unit up after the main process exits. It will then + start follow-up units. RemainAfterExit= is particularly useful for this type + of service. Type= is the implied default if neither + Type= nor ExecStart= are specified. Note that if this + option is used without RemainAfterExit= the service will never enter + active unit state, but directly transition from activating + to deactivating or dead since no process is configured that + shall run continously. In particular this means that after a service of this type ran (and which + has RemainAfterExit= not set) it will not show up as started afterwards, but + as dead. Behavior of is similar to ; however, it is expected that the service acquires a name on the D-Bus bus, as configured by -- cgit v1.2.3 From 15b0fdd5a6908307b92b75652dd6269b76b1b017 Mon Sep 17 00:00:00 2001 
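Review bot: in the Type=oneshot hunk, "continously" should be "continuously", and the last sentence ("after a service of this type ran (and which has RemainAfterExit= not set) it will not show up as started afterwards") is hard to parse; suggest "once a service of this type has run and RemainAfterExit= is not set, it will not show up as started afterwards, but as dead". The state names are also mixed: active, activating and deactivating are unit states while dead is a substate, so write "inactive (dead)", and mention that a oneshot whose command fails ends in failed rather than dead.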
From: Lennart Poettering Date: Fri, 12 Jul 2019 09:36:17 +0200 Subject: man: document that "systemd-analyze blame/critical-chain" is not useful to track down job latency Fixes: #12272 --- man/systemd-analyze.xml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 5dce2ae8fb..7112362ac5 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -178,7 +178,13 @@ multi-user.target reached after 47.820s in userspace initialization of one service might be slow simply because it waits for the initialization of another service to complete. Also note: systemd-analyze blame doesn't display results for services with Type=simple, because systemd considers such services to be started - immediately, hence no measurement of the initialization delays can be done. + immediately, hence no measurement of the initialization delays can be done. Also note that this command + only shows the time units took for starting up, it does not show how long unit jobs spent in the + execution queue. In particular it shows the time units spent in activating state, + which is not defined for units such as device units that transition directly from + inactive to active. This command hence gives an impression of the + performance of program code, but cannot accurately reflect latency introduced by waiting for + hardware and similar events. <command>Show which units took the most time during boot</command> 
@@ -202,7 +208,12 @@ multi-user.target reached after 47.820s in userspace UNITs or for the default target otherwise). The time after the unit is active or started is printed after the "@" character. The time the unit takes to start is printed after the "+" character. Note that the output might be misleading as the initialization of services might - depend on socket activation and because of the parallel execution of units. + depend on socket activation and because of the parallel execution of units. Also, similar to the + blame command, this only takes into account the time units spent in + activating state, and hence does not cover units that never went through an + activating state (such as device units that transition directly from + inactive to active). Moreover it does not show information on + jobs (and in particular not jobs that timed out). <command>systemd-analyze time</command> -- cgit v1.2.3 From 114b90e10c87162ea5710c2c07f83707123676f7 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 12 Jul 2019 09:45:21 +0200 Subject: man: document that WakeSystem= requires privs Fixes: #11677 --- man/systemd.timer.xml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'man') diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml index 0f6518dbc2..ebf6de4eb2 100644 --- a/man/systemd.timer.xml +++ b/man/systemd.timer.xml 
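Review bot: the blame paragraph now opens three consecutive sentences with "Also note", and the Type=simple remark and the new activating-state remark make the same point twice (both describe units that never spend time in activating); fold the Type=simple example into the new sentence. In the critical-chain hunk, "Moreover it does not show information on jobs (and in particular not jobs that timed out)" is the limitation the commit message is about, so it should lead the added text rather than close it.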
@@ -303,13 +303,14 @@ WakeSystem= - Takes a boolean argument. If true, an elapsing - timer will cause the system to resume from suspend, should it - be suspended and if the system supports this. Note that this - option will only make sure the system resumes on the - appropriate times, it will not take care of suspending it - again after any work that is to be done is finished. Defaults - to false. + Takes a boolean argument. If true, an elapsing timer will cause the system to resume + from suspend, should it be suspended and if the system supports this. Note that this option will only + make sure the system resumes on the appropriate times, it will not take care of suspending it again + after any work that is to be done is finished. Defaults to + false. + + Note that this functionality requires privileges and is thus generally only available in the + system service manager. -- cgit v1.2.3 From 84f8e250ff999d91e2b44d41890ca840a383cb04 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 12 Jul 2019 09:54:40 +0200 Subject: man: CPUShares= is so 2015 Let's update our example to the brave new cgroupsv2 world, and use CPUWeight= in our example. --- man/systemctl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemctl.xml b/man/systemctl.xml index b2e3cbcb21..62a08981f0 100644 --- a/man/systemctl.xml +++ b/man/systemctl.xml @@ -1091,7 +1091,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err next reboot. The syntax of the property assignment follows closely the syntax of assignments in unit files. - Example: systemctl set-property foobar.service CPUShares=777 + Example: systemctl set-property foobar.service CPUWeight=200 If the specified unit appears to be inactive, the changes will be only stored on disk as described -- cgit v1.2.3 From 5b792edb6892aa57fd094195f3614eae6d97f05d Mon Sep 17 00:00:00 2001 
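Review bot: "this functionality requires privileges" in the WakeSystem= hunk should say which privileges and what happens without them. Name the capability involved (CAP_WAKE_ALARM, if the implementation relies on the kernel's alarm clocks for this) and state whether a timer with WakeSystem=yes in a user manager fails to load, logs a warning, or silently behaves as WakeSystem=no; users otherwise assume their per-user timers wake the machine.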
From: Lennart Poettering Date: Fri, 12 Jul 2019 09:55:05 +0200 Subject: man: add example for setting multiple properties at once Fixes: #4908 --- man/systemctl.xml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemctl.xml b/man/systemctl.xml index 62a08981f0..6f93e1cd2c 100644 --- a/man/systemctl.xml +++ b/man/systemctl.xml @@ -1098,11 +1098,15 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err previously hence they will be effective when the unit will be started. - Note that this command allows changing multiple - properties at the same time, which is preferable over - setting them individually. Like with unit file configuration - settings, assigning an empty list will reset the property. - + Note that this command allows changing multiple properties at the same time, which is + preferable over setting them individually. + + Example: systemctl set-property foobar.service CPUWeight=200 MemoryMax=2G IPAccounting=yes + + Like with unit file configuration settings, assigning an empty setting usually resets a + property to its defaults. + + Example: systemctl set-property avahi-daemon.service IPAddressDeny= -- cgit v1.2.3 From a18d83c26422cae1022c6adafd401fbab5066fd5 Mon Sep 17 00:00:00 2001 From: Michael Zhivich Date: Fri, 12 Jul 2019 12:22:30 -0400 Subject: man: offline-updates: make dependence on system-update.target explicit Current operation of system-update-cleanup.service (removing /system-update symlink and rebooting) implies that any update must complete *before* system-update.target is reached. Update recommendations to include explicitly setting Before=system-update.target in services that use offline-updates mode. Signed-off-by: Michael Zhivich --- man/systemd.offline-updates.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.offline-updates.xml b/man/systemd.offline-updates.xml index cd9c1b5865..06390669de 100644 
--- a/man/systemd.offline-updates.xml +++ b/man/systemd.offline-updates.xml @@ -133,7 +133,7 @@ The update service should declare DefaultDependencies=no, Requires=sysinit.target, After=sysinit.target, - After=system-update-pre.target + After=system-update-pre.target, Before=system-update.target and explicitly pull in any other services it requires. -- cgit v1.2.3 From ca420b62011ed46813eb5e98a5791f195ef6b326 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sun, 14 Jul 2019 09:51:54 +0900 Subject: network: show known route protocol name nicely in debugging logs --- man/systemd.network.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index c9d6fd4d72..712de7d718 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1225,8 +1225,8 @@ Protocol= The protocol identifier for the route. Takes a number between 0 and 255 or the special values - kernel, boot and static. Defaults to - static. + kernel, boot, static, + ra and dhcp. Defaults to static. -- cgit v1.2.3 From b3454e1ebcfd3f53d5ca99c0e00d9ba1f450a45b Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 16 Jul 2019 10:46:27 +0900 Subject: doc: update explanation of IPv6AcceptRA= --- man/systemd.network.xml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 712de7d718..e9c46187ad 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml 
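Review bot: the reset example in the set-property hunk, "systemctl set-property avahi-daemon.service IPAddressDeny=", clears a deny list and therefore relaxes the unit's network sandbox; a reader copying it as a template for "resetting a property" may not notice the effect. Use a neutral property for the reset example, or say explicitly that this removes the IP address filtering configured for the unit. Minor: "Like with unit file configuration settings" should be "As with unit file settings".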
@@ -654,11 +654,10 @@ IPv6AcceptRA= - Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support for the interface. - If true, RAs are accepted; if false, RAs are ignored, independently of the local forwarding state. - If unset, the kernel's default is used, and RAs are accepted only when local forwarding - is disabled for that interface. When RAs are accepted, they may trigger the start of the DHCPv6 client if - the relevant flags are set in the RA data, or if no routers are found on the link. + Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support + for the interface. If true, RAs are accepted; if false, RAs are ignored, independently of the + local forwarding state. When RAs are accepted, they may trigger the start of the DHCPv6 + client if the relevant flags are set in the RA data, or if no routers are found on the link. Further settings for the IPv6 RA support may be configured in the [IPv6AcceptRA] section, see below. @@ -668,10 +667,11 @@ documentation regarding accept_ra, but note that systemd's setting of 1 (i.e. true) corresponds to kernel's setting of 2. - Note that if this option is enabled a userspace implementation of the IPv6 RA protocol is - used, and the kernel's own implementation remains disabled, since `networkd` needs to know all - details supplied in the advertisements, and these are not available from the kernel if the kernel's - own implementation is used. + Note that kernel's implementation of the IPv6 RA protocol is always disabled, + regardless of this setting. If this option is enabled, a userspace implementation of the IPv6 + RA protocol is used, and the kernel's own implementation remains disabled, since + systemd-networkd needs to know all details supplied in the advertisements, + and these are not available from the kernel if the kernel's own implementation is used. -- cgit v1.2.3 From 65856bf2083e366ce4e4a2fd9e388bce3f8d3135 Mon Sep 17 00:00:00 2001 
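Review bot: the new statement in the IPv6AcceptRA= hunk that the "kernel's implementation of the IPv6 RA protocol is always disabled, regardless of this setting" sits next to retained text that still maps "systemd's setting of 1 (i.e. true)" to "kernel's setting of 2" for accept_ra; if networkd forces the sysctl off on managed links, that mapping sentence is now misleading and should be rewritten to say the comparison is about semantics only. The hunk also removes the sentence describing the default ("If unset, the kernel's default is used …") without replacing it; state what happens when IPv6AcceptRA= is unset.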
From: Yu Watanabe Date: Mon, 27 May 2019 10:50:52 +0900 Subject: resolvectl: support networkd managed interfaces Closes #9808. --- man/resolvectl.xml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/resolvectl.xml b/man/resolvectl.xml index d4c04a1e32..a59fa4c66d 100644 --- a/man/resolvectl.xml +++ b/man/resolvectl.xml @@ -247,11 +247,8 @@ Get/set per-interface DNS configuration. These commands may be used to configure various DNS settings - for network interfaces that aren't managed by - systemd-networkd.service8. (These - commands will fail when used on interfaces that are managed by systemd-networkd, please - configure their DNS settings directly inside the .network files instead.) These commands - may be used to inform systemd-resolved about per-interface DNS configuration determined + for network interfaces. These commands may be used to inform systemd-resolved or + systemd-networkd about per-interface DNS configuration determined through external means. The command expects IPv4 or IPv6 address specifications of DNS servers to use. The command expects valid DNS domains, possibly prefixed with ~, and configures a per-interface search or route-only domain. The -- cgit v1.2.3 From 159a855b34c35484c28cf4b0178f93bc16447fac Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 28 May 2019 12:07:47 +0900 Subject: timedatectl: add 'ntp-servers' and 'revert' commands to modify link NTP servers --- man/timedatectl.xml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'man') diff --git a/man/timedatectl.xml b/man/timedatectl.xml index b4b99103de..262b9126e7 100644 --- a/man/timedatectl.xml +++ b/man/timedatectl.xml 
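Review bot: the resolvectl hunk drops the warning that these commands fail on networkd-managed interfaces and that .network files should be edited instead, but the replacement text does not say that DNS settings pushed this way are runtime-only (lost on the next reconfiguration or reboot) nor how to undo them. Add both, otherwise an administrator may believe a resolvectl dns/domain change on a networkd link is persistent configuration.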
@@ -227,6 +227,20 @@ By default, empty properties are suppressed. Use to show those too. To select specific properties to show, use . + + + ntp-servers INTERFACE SERVER + + Set the interface specific NTP servers. This command can be used only when the + interface is managed by systemd-networkd. + + + + revert INTERFACE + + Revert the interface specific NTP servers. This command can be used only when + the interface is managed by systemd-networkd. + -- cgit v1.2.3 From 31cd5f63ce86a0784c4ef869c4d323a11ff14adc Mon Sep 17 00:00:00 2001 From: Anita Zhang Date: Fri, 28 Jun 2019 17:02:30 -0700 Subject: core: ExecCondition= for services Closes #10596 --- man/systemd.service.xml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'man') diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 4ff009e773..90c1257f37 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml 
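Review bot: in the timedatectl hunk the synopsis "ntp-servers INTERFACE SERVER" shows a single server while the description says "NTP servers"; write "SERVER…" if several may be given. The two entries should also state that the change is runtime-only and does not survive a reconfiguration or reboot, and that revert restores the servers configured in the interface's .network file, since the text "Revert the interface specific NTP servers" does not say what they are reverted to.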
@@ -427,6 +427,26 @@ + + ExecCondition= + Optional commands that are executed before the command(s) in ExecStartPre=. + Syntax is the same as for ExecStart=, except that multiple command lines are allowed and the + commands are executed one after the other, serially. + + The behavior is like an ExecStartPre= and condition check hybrid: when an + ExecCondition= command exits with exit code 1 through 254 (inclusive), the remaining + commands are skipped and the unit is not marked as failed. However, if an + ExecCondition= command exits with 255 or abnormally (e.g. timeout, killed by a + signal, etc.), the unit will be considered failed (and remaining commands will be skipped). Exit code of 0 or + those matching SuccessExitStatus= will continue execution to the next command(s). + + The same recommendations about not running long-running processes in ExecStartPre= + also applies to ExecCondition=. ExecCondition= will also run the commands + in ExecStopPost=, as part of stopping the service, in the case of any non-zero or abnormal + exits, like the ones described above. + + + ExecReload= Commands to execute to trigger a configuration -- cgit v1.2.3 From 4e1334512debb27f4a0c4a6da237a4b8d59fea08 Mon Sep 17 00:00:00 2001 From: shinygold <10763595+shinygold@users.noreply.github.com> Date: Tue, 16 Jul 2019 13:05:34 +0200 Subject: cryptsetup: add documentation for keyfile-timeout --- man/crypttab.xml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/crypttab.xml b/man/crypttab.xml index 5eb1c12232..76eef06bed 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml @@ -151,6 +151,17 @@ sequential order. + + + + Specifies the timeout for the device on + which the key file resides and falls back to a password if + it could not be mounted. See + systemd-cryptsetup-generator8 + for key files on external devices. + + + 
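Review bot: the sentence in the ExecCondition= hunk "ExecCondition= will also run the commands in ExecStopPost=, as part of stopping the service, in the case of any non-zero or abnormal exits" reads as though ExecCondition= itself executes ExecStopPost=. Suggest "If an ExecCondition= command exits non-zero or abnormally, the ExecStopPost= commands are still run as part of stopping the service." It is also worth stating plainly that an exit status of 1 through 254 leaves the unit inactive rather than failed, so alerting that keys on failed units will not notice a skipped start, and that the 255/abnormal case is the one that does produce failed.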
@@ -438,7 +449,8 @@ luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b swap /dev/sda7 /dev/urandom swap truecrypt /dev/sda2 /etc/container_password tcrypt -hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile +hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile +external /dev/sda3 keyfile:LABEL=keydev keyfile-timeout=10s -- cgit v1.2.3 From b5328434c91b10ad49647e2352e62b1fbdce329d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 24 Mar 2019 20:10:35 +0100 Subject: man: rework the description of Aliases and .wants/.requires directories The description of Alias= wasn't incorrect, but it sounded like Alias= creates a different type of dependency, while it's just a glorified way to create symlinks. Also recommend 'preset' in addition to 'enable'. Describe .wants/.requires dirs as equals, without implying that the [Install] section can only be used for .wants. The text was partially out of date (systemd-networkd.service now creates as alias in /etc, not /usr/lib, let's just not say anything about the full path). --- man/systemd.unit.xml | 58 +++++++++++++++++++++++++++++----------------------- 1 file changed, 32 insertions(+), 26 deletions(-) (limited to 'man') diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 0ac9ff4882..8307be1d33 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml 
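Review bot: the keyfile-timeout= text in the crypttab hunk says the setup "falls back to a password if it could not be mounted"; be explicit that this is an interactive passphrase prompt after the timeout expires, and that a volume with no passphrase keyslot will therefore simply fail to unlock. That matters for threat modelling: with this option, removing the key device degrades to a passphrase prompt instead of a locked-out boot. In the example "external /dev/sda3 keyfile:LABEL=keydev keyfile-timeout=10s", state that keyfile is a path interpreted relative to the root of the keydev filesystem (if that is what the referenced systemd-cryptsetup-generator(8) semantics are), since a bare relative path otherwise looks like a typo.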
@@ -123,34 +123,40 @@ do not need the prefix. Applications may use this to include additional information in the unit files. - Units can be aliased (have an alternative name), by creating a symlink from the new name - to the existing name in one of the unit search paths. For example, - systemd-networkd.service has the alias - dbus-org.freedesktop.network1.service, created during installation as the - symlink /usr/lib/systemd/system/dbus-org.freedesktop.network1.service. In - addition, unit files may specify aliases through the Alias= directive in the - [Install] section; those aliases are only effective when the unit is enabled. When the unit is - enabled, symlinks will be created for those names, and removed when the unit is disabled. For - example, reboot.target specifies - Alias=ctrl-alt-del.target, so when enabled it will be invoked whenever - CTRL+ALT+DEL is pressed. Alias names may be used in commands like enable, - disable, start, stop, - status, …, and in unit dependency directives Wants=, - Requires=, Before=, After=, …, with the - limitation that aliases specified through Alias= are only effective when the - unit is enabled. Aliases cannot be used with the preset command. + Units can be aliased (have an alternative name), by creating a symlink from the new name to the + existing name in one of the unit search paths. For example, systemd-networkd.service + has the alias dbus-org.freedesktop.network1.service, created during installation as + a symlink, so when systemd is asked through D-Bus to load + dbus-org.freedesktop.network1.service, it'll load + systemd-networkd.service. Alias names may be used in commands like + enable, disable, start, stop, + status, and similar, and in all unit dependency directives, including + Wants=, Requires=, Before=, + After=. Aliases cannot be used with the preset command. + + Unit files may specify aliases through the Alias= directive in the [Install] + section. 
When the unit is enabled, symlinks will be created for those names, and removed when the unit is + disabled. For example, reboot.target specifies + Alias=ctrl-alt-del.target, so when enabled, the symlink + /etc/systemd/systemd/ctrl-alt-del.service pointing to the + reboot.target file will be created, and when + CtrlAltDel is invoked, + systemd will look for the ctrl-alt-del.service and execute + reboot.service. systemd does not look at the [Install] section at + all during normal operation, so any directives in that section only have an effect through the symlinks + created during enablement. Along with a unit file foo.service, the directory - foo.service.wants/ may exist. All unit files symlinked from such a - directory are implicitly added as dependencies of type Wants= to the unit. - This is useful to hook units into the start-up of other units, without having to modify their - unit files. For details about the semantics of Wants=, see below. The - preferred way to create symlinks in the .wants/ directory of a unit file is - with the enable command of the - systemctl1 - tool which reads information from the [Install] section of unit files (see below). A similar - functionality exists for Requires= type dependencies as well, the directory - suffix is .requires/ in this case. + foo.service.wants/ may exist. All unit files symlinked from such a directory are + implicitly added as dependencies of type Wants= to the unit. Similar functionality + exists for Requires= type dependencies as well, the directory suffix is + .requires/ in this case. This functionality is useful to hook units into the + start-up of other units, without having to modify their unit files. For details about the semantics of + Wants=, see below. 
The preferred way to create symlinks in the + .wants/ or .requires/ directory of a unit file is by embedding + the dependency in [Install] section of the target unit, and creating the symlink in the file system with + the with the enable or preset commands of + systemctl1. Along with a unit file foo.service, a "drop-in" directory foo.service.d/ may exist. All files with the suffix .conf from this -- cgit v1.2.3 From 9fdae8d5b2a7e81ad6e9ad7e09aa80bfe7c290f0 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Wed, 17 Jul 2019 10:07:42 +0900 Subject: man: fix wrong section name --- man/systemd.network.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index e9c46187ad..cd1aa73f46 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1559,7 +1559,7 @@ UseDNS= UseNTP= - As in the [DHCP] section. + As in the [DHCPv4] section. -- cgit v1.2.3 From 37d7a7d984ec7679711c2d31789f033f3b6dc2c2 Mon Sep 17 00:00:00 2001 From: Jorge Niedbalski Date: Fri, 12 Jul 2019 15:34:24 -0400 Subject: resolved: switch cache option to a tri-state option (systemd#5552). Change the resolved.conf Cache option to a tri-state "no, no-negative, yes" values. If a lookup returns SERVFAIL systemd-resolved will cache the result for 30s (See 201d995), however, there are several use cases on which this condition is not acceptable (See systemd#5552 comments) and the only workaround would be to disable cache entirely or flush it , which isn't optimal. This change adds the 'no-negative' option when set it avoids putting in cache negative answers but still works the same heuristics for positive answers. Signed-off-by: Jorge Niedbalski --- man/resolved.conf.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index a647a4ace7..213be1d7b2 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml 
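Review bot: the ctrl-alt-del example in the reworked alias paragraph of systemd.unit.xml has three errors: the symlink path "/etc/systemd/systemd/ctrl-alt-del.service" should be "/etc/systemd/system/ctrl-alt-del.target" (the directory is system, and Alias=ctrl-alt-del.target names a target, not a service); systemd then looks for "ctrl-alt-del.target", not "ctrl-alt-del.service"; and what it starts is "reboot.target", not "reboot.service". In the .wants/.requires paragraph of the same hunk, "with the with the enable or preset commands" has a doubled "with the".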
@@ -227,10 +227,11 @@ Cache= - Takes a boolean argument. If yes (the default), resolving a domain name + Takes a boolean or no-negative as argument. If yes (the default), resolving a domain name which already got queried earlier will return the previous result as long as it is still valid, and thus does not result in a new network request. Be aware that turning off caching comes at a performance penalty, which is particularly high when DNSSEC is used. + If no-negative, only positive answers are cached. Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching. -- cgit v1.2.3 From 6db904625d413739c480ddbe7667d3f40acc4ae0 Mon Sep 17 00:00:00 2001 From: Michael Biebl Date: Thu, 18 Jul 2019 01:24:00 +0200 Subject: meson: make nologin path build time configurable Some distros install nologin as /usr/sbin/nologin, others as /sbin/nologin. Since we can't really rely on merged-usr everywhere (where the path wouldn't matter), make the path build time configurable via -Dnologin-path=. Closes #13028 --- man/nss-mymachines.xml | 4 ++-- man/sysusers.d.xml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'man') diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml index ed03035e57..40b0abee34 100644 --- a/man/nss-mymachines.xml +++ b/man/nss-mymachines.xml @@ -98,8 +98,8 @@ MACHINE CLASS SERVICE OS VERSION ADDRESSES rawhide container systemd-nspawn fedora 30 169.254.40.164 fe80::94aa:3aff:fe7b:d4b9 $ getent passwd vu-rawhide-0 vu-rawhide-81 -vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/sbin/nologin -vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/sbin/nologin +vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin +vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin $ getent group vg-rawhide-0 vg-rawhide-81 vg-rawhide-0:*:20119552: diff --git a/man/sysusers.d.xml b/man/sysusers.d.xml index 4314732c67..2e93715be6 100644 
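Review bot: the new sentence "If no-negative, only positive answers are cached." in the resolved.conf.xml hunk is appended after the performance-penalty remark, so it reads as an afterthought and never says what counts as a negative answer; the commit message motivates the option with SERVFAIL results being cached for 30s. Suggest placing it directly after the "If yes (the default) …" sentence and spelling out the scope, e.g. "If no-negative, positive answers are cached as above, but negative answers (such as the SERVFAIL case) are not." The opening "Takes a boolean or no-negative as argument" would also be clearer as "Takes a boolean argument, or the special value no-negative."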
--- a/man/sysusers.d.xml +++ b/man/sysusers.d.xml @@ -206,12 +206,12 @@ u root 0 "Superuser" /root /bin/zshShell The login shell of the user. If not specified, this will be set to - /sbin/nologin, except if the UID of the user is 0, in + /usr/sbin/nologin, except if the UID of the user is 0, in which case /bin/sh will be used. Only applies to lines of type u and should otherwise be left unset (or -). It is recommended to omit this, unless - a shell different /sbin/nologin must be used. + a shell different /usr/sbin/nologin must be used. -- cgit v1.2.3 From 4f0acdb36615d7e27bef9d951001daf3addc2f25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 18 Jul 2019 10:14:52 +0200 Subject: man: add note about systemctl stop return value Fixes #13104. (I know a lot more could be added to that man page. This patch only addresses that one specific complaint.) --- man/systemctl.xml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemctl.xml b/man/systemctl.xml index 6f93e1cd2c..0f06a88f42 100644 --- a/man/systemctl.xml +++ b/man/systemctl.xml @@ -816,8 +816,14 @@ Sun 2017-02-26 20:57:49 EST 2h 3min left Sun 2017-02-26 11:56:36 EST 6h ago stop PATTERN - Stop (deactivate) one or more units specified on the - command line. + Stop (deactivate) one or more units specified on the command line. + + This command will fail if the unit does exist or if stopping of the unit is prohibited (see + RefuseManualStop= in + systemd.unit5). + It will not fail if any of the commands configured to stop the unit + (ExecStop=, etc.) fail, because the manager will still forcibly terminate the + unit. -- cgit v1.2.3 From a24e12f0209b075e2db80cc3adac1c5afb17031e Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Wed, 17 Jul 2019 02:47:20 +0900 Subject: network: add DHCPv4.RoutesToDNS= setting --- man/systemd.network.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'man') 
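Review bot: the example output in the nss-mymachines.xml hunk now hardcodes /usr/sbin/nologin, but the point of this commit is that the path is chosen at build time via -Dnologin-path=, so on distributions that build with /sbin/nologin the example will not match what getent prints. Consider a sentence after the listing noting that the shell shown is the nologin path configured at build time.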
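Review bot: the sysusers.d.xml hunk documents /usr/sbin/nologin as the default, but with -Dnologin-path= the default is whatever the build was configured with; suggest "this will be set to the nologin path configured at build time (/usr/sbin/nologin by default)". The last changed line also carries a pre-existing grammar slip, "a shell different /usr/sbin/nologin", which should read "a shell different from /usr/sbin/nologin".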
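Review bot: "This command will fail if the unit does exist" in the systemctl.xml hunk inverts the meaning; it should read "if the unit does not exist". The rest of the paragraph is useful; consider also stating the corollary for scripts, namely that a zero exit status from systemctl stop means the unit was deactivated, not that its ExecStop= commands succeeded, since the text says the manager forcibly terminates the unit either way.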
diff --git a/man/systemd.network.xml b/man/systemd.network.xml index cd1aa73f46..041bafc773 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1322,6 +1322,14 @@ project='man-pages'>resolv.conf5. + + RoutesToDNS= + + When true, the routes to the DNS servers received from the DHCP server will be + configured. When UseDNS= is disabled, this setting is ignored. + Defaults to false + + UseNTP= -- cgit v1.2.3 From 34d2f9204cf80cc003ef16b619457e79d0ba1c01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 18 Jul 2019 22:27:45 +0200 Subject: meson: update hint in man/rules/ --- man/rules/meson.build | 2 ++ 1 file changed, 2 insertions(+) (limited to 'man') diff --git a/man/rules/meson.build b/man/rules/meson.build index 6d47f09f48..e459697221 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -1,4 +1,6 @@ # Do not edit. Generated by make-man-rules.py. +# Update with: +# ninja -C build man/update-man-rules manpages = [ ['binfmt.d', '5', [], 'ENABLE_BINFMT'], ['bootctl', '1', [], 'ENABLE_EFI'], -- cgit v1.2.3 From 27e64442f829c653ff7a057cd5d12e0f422d545b Mon Sep 17 00:00:00 2001 From: Anita Zhang Date: Thu, 18 Jul 2019 14:52:35 -0700 Subject: docs: typo in arg name replace-irreversible -> replace-irreversibly --- man/systemd.xml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'man') diff --git a/man/systemd.xml b/man/systemd.xml index 41c0f5f643..c01cf46e81 100644 --- a/man/systemd.xml +++ b/man/systemd.xml @@ -582,7 +582,7 @@ exit.target unit when this signal is received. This is mostly equivalent to systemctl --user start exit.target - --job-mode=replace-irreversible. + --job-mode=replace-irreversibly. 
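Review bot: "Defaults to false" in the RoutesToDNS= entry of the systemd.network.xml hunk lacks a terminating period. The description is also thin: "the routes to the DNS servers received from the DHCP server will be configured" does not say what kind of routes are added or on which link, so a reader cannot tell how this interacts with the default route; one more sentence describing the routes that get installed would help, and the "When UseDNS= is disabled, this setting is ignored" remark reads better as the second sentence rather than the last.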
@@ -590,7 +590,7 @@ Upon receiving this signal the systemd system manager will start the ctrl-alt-del.target unit. This is mostly equivalent to - systemctl start ctrl-alt-del.target --job-mode=replace-irreversible. If + systemctl start ctrl-alt-del.target --job-mode=replace-irreversibly. If this signal is received more than 7 times per 2s, an immediate reboot is triggered. Note that pressing CtrlAltDel on the @@ -682,7 +682,7 @@ Halts the machine, starts the halt.target unit. This is mostly equivalent to systemctl start halt.target - --job-mode=replace-irreversible. + --job-mode=replace-irreversibly. @@ -692,7 +692,7 @@ Powers off the machine, starts the poweroff.target unit. This is mostly equivalent to systemctl start poweroff.target - --job-mode=replace-irreversible. + --job-mode=replace-irreversibly. @@ -702,7 +702,7 @@ Reboots the machine, starts the reboot.target unit. This is mostly equivalent to systemctl start reboot.target - --job-mode=replace-irreversible. + --job-mode=replace-irreversibly. @@ -712,7 +712,7 @@ Reboots the machine via kexec, starts the kexec.target unit. This is mostly equivalent to systemctl start kexec.target - --job-mode=replace-irreversible. + --job-mode=replace-irreversibly. -- cgit v1.2.3 From 9b4abc69b201e5d7295e1b0762883659f053e747 Mon Sep 17 00:00:00 2001 
From: Eric DeVolder Date: Thu, 16 May 2019 08:59:01 -0500 Subject: pstore: Tool to archive contents of pstore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch introduces the systemd pstore service which will archive the contents of the Linux persistent storage filesystem, pstore, to other storage, thus preserving the existing information contained in the pstore, and clearing pstore storage for future error events. Linux provides a persistent storage file system, pstore[1], that can store error records when the kernel dies (or reboots or powers-off). These records in turn can be referenced to debug kernel problems (currently the kernel stuffs the tail of the dmesg, which also contains a stack backtrace, into pstore). The pstore file system supports a variety of backends that map onto persistent storage, such as the ACPI ERST[2, Section 18.5 Error Serialization] and UEFI variables[3 Appendix N Common Platform Error Record]. The pstore backends typically offer a relatively small amount of persistent storage, e.g. 64KiB, which can quickly fill up and thus prevent subsequent kernel crashes from recording errors. Thus there is a need to monitor and extract the pstore contents so that future kernel problems can also record information in the pstore. The pstore service is independent of the kdump service. In cloud environments specifically, host and guest filesystems are on remote filesystems (eg. iSCSI or NFS), thus kdump relies [implicitly and/or explicitly] upon proper operation of networking software *and* hardware *and* infrastructure. Thus it may not be possible to capture a kernel coredump to a file since writes over the network may not be possible. The pstore backend, on the other hand, is completely local and provides a path to store error records which will survive a reboot and aid in post-mortem debugging. Usage Notes: This tool moves files from /sys/fs/pstore into /var/lib/systemd/pstore. 
To enable kernel recording of error records into pstore, one must either pass crash_kexec_post_notifiers[4] to the kernel command line or enable via 'echo Y > /sys/module/kernel/parameters/crash_kexec_post_notifiers'. This option invokes the recording of errors into pstore *before* an attempt to kexec/kdump on a kernel crash. Optionally, to record reboots and shutdowns in the pstore, one can either pass the printk.always_kmsg_dump[4] to the kernel command line or enable via 'echo Y > /sys/module/printk/parameters/always_kmsg_dump'. This option enables code on the shutdown path to record information via pstore. This pstore service is a oneshot service. When run, the service invokes systemd-pstore which is a tool that performs the following: - reads the pstore.conf configuration file - collects the lists of files in the pstore (eg. /sys/fs/pstore) - for certain file types (eg. dmesg) a handler is invoked - for all other files, the file is moved from pstore - In the case of dmesg handler, final processing occurs as such: - files processed in reverse lexicographical order to facilitate reconstruction of original dmesg - the filename is examined to determine which dmesg it is a part of - the file is appended to the reconstructed dmesg For example, the following pstore contents: root@vm356:~# ls -al /sys/fs/pstore total 0 drwxr-x--- 2 root root 0 May 9 09:50 . drwxr-xr-x 7 root root 0 May 9 09:50 .. 
-r--r--r-- 1 root root 1610 May 9 09:49 dmesg-efi-155741337601001 -r--r--r-- 1 root root 1778 May 9 09:49 dmesg-efi-155741337602001 -r--r--r-- 1 root root 1726 May 9 09:49 dmesg-efi-155741337603001 -r--r--r-- 1 root root 1746 May 9 09:49 dmesg-efi-155741337604001 -r--r--r-- 1 root root 1686 May 9 09:49 dmesg-efi-155741337605001 -r--r--r-- 1 root root 1690 May 9 09:49 dmesg-efi-155741337606001 -r--r--r-- 1 root root 1775 May 9 09:49 dmesg-efi-155741337607001 -r--r--r-- 1 root root 1811 May 9 09:49 dmesg-efi-155741337608001 -r--r--r-- 1 root root 1817 May 9 09:49 dmesg-efi-155741337609001 -r--r--r-- 1 root root 1795 May 9 09:49 dmesg-efi-155741337710001 -r--r--r-- 1 root root 1770 May 9 09:49 dmesg-efi-155741337711001 -r--r--r-- 1 root root 1796 May 9 09:49 dmesg-efi-155741337712001 -r--r--r-- 1 root root 1787 May 9 09:49 dmesg-efi-155741337713001 -r--r--r-- 1 root root 1808 May 9 09:49 dmesg-efi-155741337714001 -r--r--r-- 1 root root 1754 May 9 09:49 dmesg-efi-155741337715001 results in the following: root@vm356:~# ls -al /var/lib/systemd/pstore/155741337/ total 92 drwxr-xr-x 2 root root 4096 May 9 09:50 . drwxr-xr-x 4 root root 40 May 9 09:50 .. 
-rw-r--r-- 1 root root 1610 May 9 09:50 dmesg-efi-155741337601001 -rw-r--r-- 1 root root 1778 May 9 09:50 dmesg-efi-155741337602001 -rw-r--r-- 1 root root 1726 May 9 09:50 dmesg-efi-155741337603001 -rw-r--r-- 1 root root 1746 May 9 09:50 dmesg-efi-155741337604001 -rw-r--r-- 1 root root 1686 May 9 09:50 dmesg-efi-155741337605001 -rw-r--r-- 1 root root 1690 May 9 09:50 dmesg-efi-155741337606001 -rw-r--r-- 1 root root 1775 May 9 09:50 dmesg-efi-155741337607001 -rw-r--r-- 1 root root 1811 May 9 09:50 dmesg-efi-155741337608001 -rw-r--r-- 1 root root 1817 May 9 09:50 dmesg-efi-155741337609001 -rw-r--r-- 1 root root 1795 May 9 09:50 dmesg-efi-155741337710001 -rw-r--r-- 1 root root 1770 May 9 09:50 dmesg-efi-155741337711001 -rw-r--r-- 1 root root 1796 May 9 09:50 dmesg-efi-155741337712001 -rw-r--r-- 1 root root 1787 May 9 09:50 dmesg-efi-155741337713001 -rw-r--r-- 1 root root 1808 May 9 09:50 dmesg-efi-155741337714001 -rw-r--r-- 1 root root 1754 May 9 09:50 dmesg-efi-155741337715001 -rw-r--r-- 1 root root 26754 May 9 09:50 dmesg.txt where dmesg.txt is reconstructed from the group of related dmesg-efi-155741337* files. Configuration file: The pstore.conf configuration file has four settings, described below. - Storage : one of "none", "external", or "journal". With "none", this tool leaves the contents of pstore untouched. With "external", the contents of the pstore are moved into the /var/lib/systemd/pstore, as well as logged into the journal. With "journal", the contents of the pstore are recorded only in the systemd journal. The default is "external". - Unlink : is a boolean. When "true", the default, then files in the pstore are removed once processed. When "false", processing of the pstore occurs normally, but the pstore files remain. References: [1] "Persistent storage for a kernel's dying breath", March 23, 2011. https://lwn.net/Articles/434821/ [2] "Advanced Configuration and Power Interface Specification", version 6.2, May 2017. 
https://www.uefi.org/sites/default/files/resources/ACPI_6_2.pdf [3] "Unified Extensible Firmware Interface Specification", version 2.8, March 2019. https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf [4] "The kernel’s command-line parameters", https://static.lwn.net/kerneldoc/admin-guide/kernel-parameters.html --- man/pstore.conf.xml | 89 +++++++++++++++++++++++++++++++++++++++++++++ man/rules/meson.build | 2 + man/systemd-pstore.xml | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 190 insertions(+) create mode 100644 man/pstore.conf.xml create mode 100644 man/systemd-pstore.xml (limited to 'man') diff --git a/man/pstore.conf.xml b/man/pstore.conf.xml new file mode 100644 index 0000000000..2b9c8b1a71 --- /dev/null +++ b/man/pstore.conf.xml 
@@ -0,0 +1,89 @@ + + + + + + + pstore.conf + systemd + + + + pstore.conf + 5 + + + + pstore.conf + pstore.conf.d + PStore configuration file + + + + + /etc/systemd/pstore.conf + /etc/systemd/pstore.conf.d/* + + + + + Description + + This file configures the behavior of + systemd-pstore8, + a tool for archiving the contents of the persistent storage filesystem, + pstore. + + + + + + + Options + + All options are configured in the + [PStore] section: + + + + + Storage= + + Controls where to archive (i.e. copy) files from the pstore filesystem. One of none, + external, and journal. When + none, the tool exits without processing files in the pstore filesystem. + When external (the default), files are archived into /var/lib/systemd/pstore/, + and logged into the journal. + When journal, pstore file contents are logged only in the journal. + + + + + + Unlink= + + Controls whether or not files are removed from pstore after processing. + Takes a boolean value. When true, a pstore file is removed from the pstore once it has been + archived (either to disk or into the journal). When false, processing of pstore files occurs + normally, but the files remain in the pstore. + The default is true in order to maintain the pstore in a nearly empty state, so that the pstore + has storage available for the next kernel error event. + + + + + The defaults for all values are listed as comments in the + template /etc/systemd/pstore.conf file that + is installed by default. + + + + See Also + + systemd-journald.service8, + + + + diff --git a/man/rules/meson.build b/man/rules/meson.build index e459697221..7e32e732c1 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build 
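Review bot: in the pstore.conf.xml hunk, Storage= says "archive (i.e. copy) files", but the default Unlink=true removes each source file once processed, so the default behaviour is a move, as the commit message itself states ("moves files from /sys/fs/pstore into /var/lib/systemd/pstore"); drop "(i.e. copy)" and cross-reference Unlink= from the Storage= entry. Also, the commit message promises four settings while the page documents only Storage= and Unlink=, and the See Also section lists only systemd-journald.service(8) where a reference to systemd-pstore(8) belongs.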
@@ -46,6 +46,7 @@ manpages = [ ['os-release', '5', [], ''], ['pam_systemd', '8', [], 'HAVE_PAM'], ['portablectl', '1', [], 'ENABLE_PORTABLED'], + ['pstore.conf', '5', ['pstore.conf.d'], 'ENABLE_PSTORE'], ['resolvectl', '1', ['resolvconf'], 'ENABLE_RESOLVE'], ['resolved.conf', '5', ['resolved.conf.d'], 'ENABLE_RESOLVE'], ['runlevel', '8', [], 'ENABLE_UTMP'], @@ -746,6 +747,7 @@ manpages = [ ['systemd-nspawn', '1', [], ''], ['systemd-path', '1', [], ''], ['systemd-portabled.service', '8', ['systemd-portabled'], 'ENABLE_PORTABLED'], + ['systemd-pstore', '8', ['systemd-pstore.service'], 'ENABLE_PSTORE'], ['systemd-quotacheck.service', '8', ['systemd-quotacheck'], diff --git a/man/systemd-pstore.xml b/man/systemd-pstore.xml new file mode 100644 index 0000000000..dd1aa5e83b --- /dev/null +++ b/man/systemd-pstore.xml 
@@ -0,0 +1,99 @@ + + + + + + + + systemd-pstore + systemd + + + + systemd-pstore + 8 + + + + systemd-pstore + systemd-pstore.service + Tool to archive contents of the persistent storage filesytem + + + + /usr/lib/systemd/systemd-pstore + systemd-pstore.service + + + + Description + systemd-pstore.service is a system service that archives the + contents of the Linux persistent storage filesystem, pstore, to other storage, + thus preserving the existing information contained in the pstore, and clearing + pstore storage for future error events. + + Linux provides a persistent storage file system, pstore, that can store + error records when the kernel dies (or reboots or powers-off). These records in + turn can be referenced to debug kernel problems (currently the kernel stuffs + the tail of the dmesg, which also contains a stack backtrace, into pstore). + + The pstore file system supports a variety of backends that map onto persistent + storage, such as the ACPI ERST and UEFI variables. The pstore backends + typically offer a relatively small amount of persistent storage, e.g. 64KiB, + which can quickly fill up and thus prevent subsequent kernel crashes from + recording errors. Thus there is a need to monitor and extract the pstore + contents so that future kernel problems can also record information in the + pstore. + + The pstore service is independent of the kdump service. In cloud environments + specifically, host and guest filesystems are on remote filesystems (eg. iSCSI + or NFS), thus kdump relies [implicitly and/or explicitly] upon proper operation + of networking software *and* hardware *and* infrastructure. Thus it may not be + possible to capture a kernel coredump to a file since writes over the network + may not be possible. + + The pstore backend, on the other hand, is completely local and provides a path + to store error records which will survive a reboot and aid in post-mortem + debugging. + + The systemd-pstore executable does the actual work. 
Upon starting, + the pstore.conf is read to obtain options, then the /sys/fs/pstore + directory contents are processed according to the options. Pstore files are written to the + journal, and optionally saved into /var/lib/systemd/pstore. + + + + Configuration + + The behavior of systemd-pstore is configured through the configuration file + /etc/systemd/pstore.conf and corresponding snippets + /etc/systemd/pstore.conf.d/*.conf, see + pstore.conf5. + + + + Disabling pstore processing + + To disable pstore processing by systemd-pstore, + set Storage=none in + pstore.conf5. + + + + + + Usage + Data stored in the journal can be viewed with + journalctl1 + as usual. + + + + See Also + + pstore.conf5 + + + -- cgit v1.2.3 From 03909b1e23833a4c08818a16f26e60e19517f06c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 21 Jul 2019 12:32:17 +0200 Subject: man: describe $LESS options more fully https://bugzilla.redhat.com/show_bug.cgi?id=1655316 --- man/less-variables.xml | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/less-variables.xml b/man/less-variables.xml index c80534b960..38cb18be2e 100644 --- a/man/less-variables.xml +++ b/man/less-variables.xml 
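Review bot: "filesytem" in the refpurpose of the systemd-pstore.xml hunk ("Tool to archive contents of the persistent storage filesytem") should be "filesystem". The Description also carries the commit message's plain-text emphasis into DocBook ("*and* hardware *and* infrastructure", "[implicitly and/or explicitly]"), which will render literally; rewrite as plain prose. Finally, "clearing pstore storage for future error events" only holds with Unlink=true, and "Pstore files are written to the journal, and optionally saved into /var/lib/systemd/pstore" makes the save sound optional when pstore.conf.xml in the same patch says external (save to /var/lib/systemd/pstore/ and log to the journal) is the default; align the two descriptions.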
@@ -25,11 +25,36 @@ Override the options passed to less (by default FRSXMK). - If the value of $SYSTEMD_LESS does not include K, - and the pager that is invoked is less, - CtrlC will be ignored by the - executable. This allows less to handle - CtrlC itself. + Users might want to change two options in particular: + + + + + + This option instructs the pager to exit immediately when + CtrlC is pressed. To allow + less to handle CtrlC + itself to switch back to the pager command prompt, unset this option. + + If the value of $SYSTEMD_LESS does not include K, + and the pager that is invoked is less, + CtrlC will be ignored by the + executable, and needs to be handled by the pager. + + + + + + This option instructs the pager to not send termcap initialization and deinitialization + strings to the terminal. It is set by default to allow command output to remain visible in the + terminal even after the pager exits. Nevertheless, this prevents some pager functionality from + working, in particular paged output cannot be scrolled with the mouse. + + + + See + less1 + for more discussion. -- cgit v1.2.3 From afaae43bb191dc187a366fc3595b6b4e34039acf Mon Sep 17 00:00:00 2001 
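Review bot: the K entry in the less-variables.xml hunk tells the reader to "unset this option", but $SYSTEMD_LESS is a single string of option letters (FRSXMK by default), so the precise instruction is to set $SYSTEMD_LESS to a value without K; say so. The retained paragraph "If the value of $SYSTEMD_LESS does not include K …" now repeats what the sentence before it already explains and could be folded into it.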
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 21 Jul 2019 15:06:35 +0200 Subject: timedated: add back support for ntp-units.d/ We removed support for foreign services (and ntp-units.d/) in b72ddf0f4. Support for foreign services was added back in 5d280742, but through an environment variable. The problem with the env var approach is that it only works as a mechanism to select one item, and doesn't work nicely as a mechanism to create a list of items through drop-ins (because the env var can be easily overridden, but not extended). Having a list of "ntp providers" is important to be able to reliably disable all of them when that is requested. Another problem is that nobody ever bothered to care about our new "standard". ntp-units.d/ is a nice simple format that works and is already supported by chrony and ntpd and timedatex. If we were to introduce and ask people to follow a new standard, there should be some good reason for this. The idea with env vars has lower functionality, requires systemd-specific syntax. We should just re-adopt the format that we originally introduced and that seems to work for everyone, and move on to more interesting problems. --- man/systemd-timedated.service.xml | 49 ++++++++++++++++++++++++--------------- man/timedatectl.xml | 31 ++++++++++++------------- 2 files changed, 45 insertions(+), 35 deletions(-) (limited to 'man') diff --git a/man/systemd-timedated.service.xml b/man/systemd-timedated.service.xml index 3626e8bc51..f981848cb2 100644 --- a/man/systemd-timedated.service.xml +++ b/man/systemd-timedated.service.xml @@ -31,7 +31,7 @@ systemd-timedated is a system service that may be used as a mechanism to change the system clock and - timezone, as well as to enable/disable NTP time synchronization. + timezone, as well as to enable/disable network time synchronization. systemd-timedated is automatically activated on request and terminates itself when it is unused. 
@@ -46,25 +46,36 @@ - Environment - - - - $SYSTEMD_TIMEDATED_NTP_SERVICES - - Colon-separated list of unit names of NTP client services. - If not set, then - systemd-timesyncd.service8 - is used. See the entries of NTP related commands of - timedatectl1 - for details about this. - - Example: - SYSTEMD_TIMEDATED_NTP_SERVICES=ntpd.service:chronyd.service:systemd-timesyncd.service - - - + List of network time synchronization services + + systemd-timesyncd will look for files with a .list extension + in ntp-units.d/ directories. Each file is parsed as a list of unit names, one per + line. Empty lines and lines with comments (#) are ignored. Files are read from + /usr/lib/systemd/ntp-units.d/ and the corresponding directories under + /etc/, /run/, /usr/local/lib/. Files in + /etc/ override files with the same name in /run/, + /usr/local/lib/, and /usr/lib/. Files in + /run/ override files with the same name under /usr/. Packages + should install their configuration files in /usr/lib/ (distribution packages) or + /usr/local/lib/ (local installs). + + + <filename>ntp-units.d/</filename> entry for <command>systemd-timesyncd</command> + # /usr/lib/systemd/ntp-units.d/80-systemd-timesync.list +systemd-timesyncd.service + + + + If the environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is set, + systemd-timesyncd will parse the contents of that variable as a colon-separated list + of unit names. When set, this variable overrides the file-based list described above. + + + An override that specifies that <command>chronyd</command> should be used if available + SYSTEMD_TIMEDATED_NTP_SERVICES=chronyd.service:systemd-timesyncd.service + + See Also diff --git a/man/timedatectl.xml b/man/timedatectl.xml index 262b9126e7..f797e0cd67 100644 --- a/man/timedatectl.xml +++ b/man/timedatectl.xml 
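Review bot: the new "List of network time synchronization services" section in the systemd-timedated.service.xml hunk names the wrong daemon: it says "systemd-timesyncd will look for files with a .list extension in ntp-units.d/" and later "systemd-timesyncd will parse the contents of that variable", but this is the systemd-timedated page and, per the commit message, it is timedated that consumes ntp-units.d/; systemd-timesyncd is just one of the listed providers, as the 80-systemd-timesync.list example shows. Replace both occurrences with systemd-timedated. Since $SYSTEMD_TIMEDATED_NTP_SERVICES was the only mechanism before this change and now overrides the file list entirely, also say whether it is kept only for compatibility, so packagers know which of the two to target.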
@@ -23,22 +23,25 @@ - timedatectl OPTIONS COMMAND + timedatectl + OPTIONS + COMMAND Description - timedatectl may be used to query and - change the system clock and its settings. + timedatectl may be used to query and change the system clock and its settings, + and enable or disable time synchronization services. Use systemd-firstboot1 to initialize the system time zone for mounted (but not booted) system images. - timedatectl may be used to show the current status of + timedatectl may be used to show the current status of time synchronization + services, for example systemd-timesyncd.service8. @@ -123,11 +126,8 @@ status - Show current settings of the system clock and RTC, - including whether network time synchronization through - systemd-timesyncd.service is active. Even if it is - inactive, a different service might still synchronize the clock. - If no command is specified, this is the implied default. + Show current settings of the system clock and RTC, including whether network time + synchronization is active. If no command is specified, this is the implied default. @@ -193,11 +193,11 @@ set-ntp [BOOL] - Takes a boolean argument. Controls whether network time synchronization is active - and enabled (if available). If the argument is true, this enables and starts the first existed - service listed in the environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES - of systemd-timedated.service. If the argument is false, then this disables and - stops the all services listed in $SYSTEMD_TIMEDATED_NTP_SERVICES. + Takes a boolean argument. Controls whether network time synchronization is active and + enabled (if available). If the argument is true, this enables and starts the first existing network + synchronization service. If the argument is false, then this disables and stops the known network + synchronization services. The way that the list of services is built is described below. + 
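Review bot: "The way that the list of services is built is described below." in the set-ntp entry of the timedatectl.xml hunk points nowhere in timedatectl.xml; the list comes from ntp-units.d/ as documented in the systemd-timedated.service.xml hunk of this same patch, so reference systemd-timedated.service(8) instead. "The first existing network synchronization service" is also vague about which one wins; state that the order of the list decides.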
@@ -250,8 +250,7 @@ Exit status - On success, 0 is returned, a non-zero failure - code otherwise. + On success, 0 is returned, a non-zero failure code otherwise. -- cgit v1.2.3 From 00d85bbb608a0a9b098b606dddb499e868c2dc1e Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 23 Jul 2019 13:28:44 +0200 Subject: man: document the modprobe hack for DeviceAllow= --- man/systemd.resource-control.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'man') diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index e7b5dfbce6..1b5ac3e8e4 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -686,6 +686,18 @@ TTYs and all ALSA sound devices, respectively. char-cpu/* is a specifier matching all CPU related device groups. + + Note that whitelists defined this way should only reference device groups which are + resolvable at the time the unit is started. Any device groups not resolvable then are not added to + the device whitelist. In order to work around this limitation, consider extending service units + with an ExecStartPre=/sbin/modprobe… line that loads the necessary + kernel module implementing the device group if missing. Example: … +[Service] +ExecStartPre=-/sbin/modprobe -abq loop +DeviceAllow=block-loop +DeviceAllow=/dev/loop-control +… + -- cgit v1.2.3 From acafd7d8a6297fe40960d12dd86a974a53072cfb Mon Sep 17 00:00:00 2001 
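Review bot: in the systemd.resource-control.xml hunk the prose says "an ExecStartPre=/sbin/modprobe… line" while the example uses "ExecStartPre=-/sbin/modprobe -abq loop"; the leading "-" (ignore the command's exit status) is doing real work here, since without it a missing module would fail the unit start, so explain it in the sentence rather than leaving readers to spot it. It is also worth stating that this workaround only helps while the unit is still privileged enough to load kernel modules when ExecStartPre= runs, i.e. not for units that drop root via User= or restrict the capability bounding set; for those, the module has to be loaded some other way (e.g. modules-load.d(5)) so the device group is resolvable at start time.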
From: Luca Boccassi Date: Fri, 19 Jul 2019 11:54:15 +0100 Subject: core: add KExecWatchdogSec option Rather than always enabling the shutdown WD on kexec, which might be dangerous in case the kernel driver and/or the hardware implementation does not reset the wd on kexec, add a new timer, disabled by default, to let users optionally enable the shutdown WD on kexec separately from the runtime and reboot ones. Advise in the documentation to also use the runtime WD in conjunction with it. Fixes: a637d0f9ecbe ("core: set shutdown watchdog on kexec too") --- man/systemd-system.conf.xml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 5b80479a0a..4dd4bf0ca8 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -128,6 +128,7 @@ RuntimeWatchdogSec= ShutdownWatchdogSec= + KExecWatchdogSec= Configure the hardware watchdog at runtime and at reboot. Takes a timeout value in seconds (or in other time units if suffixed with ms, min, h, @@ -149,7 +150,13 @@ phase of system shutdown, configure JobTimeoutSec= and JobTimeoutAction= in the [Unit] section of the shutdown.target unit. By default RuntimeWatchdogSec= defaults to 0 (off), and ShutdownWatchdogSec= to - 10min. These settings have no effect if a hardware watchdog is not available. + 10min. KExecWatchdogSec= may be used to additionally enable the watchdog when kexec + is being executed rather than when rebooting. Note that if the kernel does not reset the watchdog on kexec (depending + on the specific hardware and/or driver), in this case the watchdog might not get disabled after kexec succeeds + and thus the system might get rebooted, unless RuntimeWatchdogSec= is also enabled at the same time. + For this reason it is recommended to enable KExecWatchdogSec= only if + RuntimeWatchdogSec= is also enabled. + These settings have no effect if a hardware watchdog is not available. -- cgit v1.2.3 
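Review bot: the KExecWatchdogSec= entry in the systemd-system.conf.xml hunk never states its default; the commit message says the timer is disabled by default, so add "KExecWatchdogSec= defaults to 0 (off)" next to the RuntimeWatchdogSec= and ShutdownWatchdogSec= defaults. The warning sentence also stacks two conditionals ("Note that if the kernel does not reset the watchdog on kexec (…), in this case the watchdog might not get disabled"); suggest "If the kernel does not reset the watchdog on kexec (which depends on the hardware and driver), the watchdog might stay armed after kexec succeeds and reboot the new kernel, unless RuntimeWatchdogSec= is also enabled so that the new system manager keeps contacting it."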
From 65224c1d0e50667a87c2c4f840c49d4918718f80 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Mon, 22 Jul 2019 11:39:25 +0100 Subject: core: rename ShutdownWatchdogSec to RebootWatchdogSec This option is only used on reboot, not on other types of shutdown modes, so it is misleading. Keep the old name working for backward compatibility, but remove it from the documentation. --- man/systemd-system.conf.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'man') diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 4dd4bf0ca8..e403fa5308 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -127,7 +127,7 @@ RuntimeWatchdogSec= - ShutdownWatchdogSec= + RebootWatchdogSec= KExecWatchdogSec= Configure the hardware watchdog at runtime and at reboot. Takes a timeout value in seconds (or @@ -139,9 +139,9 @@ system manager will ensure to contact it at least once in half the specified timeout interval. This feature requires a hardware watchdog device to be present, as it is commonly the case in embedded and server systems. Not all hardware watchdogs allow configuration of all possible reboot timeout values, in which case - the closest available timeout is picked. ShutdownWatchdogSec= may be used to configure the + the closest available timeout is picked. RebootWatchdogSec= may be used to configure the hardware watchdog when the system is asked to reboot. It works as a safety net to ensure that the reboot takes - place even if a clean reboot attempt times out. Note that the ShutdownWatchdogSec= timeout + place even if a clean reboot attempt times out. Note that the RebootWatchdogSec= timeout applies only to the second phase of the reboot, i.e. after all regular services are already terminated, and after the system and service manager process (PID 1) got replaced by the systemd-shutdown binary, see system bootup7 
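Review bot: this hunk renames the term to RebootWatchdogSec= while the commit message says ShutdownWatchdogSec= keeps working for backward compatibility; documentation that silently drops the old name leaves administrators searching the man page for a setting that still lives in their system.conf, so list the old name as a deprecated alias in one line of this entry. Also, "Configure the hardware watchdog at runtime and at reboot" should now mention kexec, since KExecWatchdogSec= shares the entry.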
@@ -149,7 +149,7 @@ and hence RuntimeWatchdogSec= is still honoured. In order to define a timeout on this first phase of system shutdown, configure JobTimeoutSec= and JobTimeoutAction= in the [Unit] section of the shutdown.target unit. By default - RuntimeWatchdogSec= defaults to 0 (off), and ShutdownWatchdogSec= to + RuntimeWatchdogSec= defaults to 0 (off), and RebootWatchdogSec= to 10min. KExecWatchdogSec= may be used to additionally enable the watchdog when kexec is being executed rather than when rebooting. Note that if the kernel does not reset the watchdog on kexec (depending on the specific hardware and/or driver), in this case the watchdog might not get disabled after kexec succeeds -- cgit v1.2.3 From f3d3a9ca0734c298cc3bf08f8c4907dd19ee9939 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 24 Jul 2019 09:59:38 +0200 Subject: man: highlight the different concepts behind h/H and t/T Fixes: #13151 --- man/tmpfiles.d.xml | 67 +++++++++++++++++++++++++++--------------------------- 1 file changed, 34 insertions(+), 33 deletions(-) (limited to 'man') diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index f097045b7b..dce05c364f 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml 
@@ -380,63 +380,64 @@ L /tmp/foobar - - - - /dev/null t - Set extended attributes. Lines of this type - accept shell-style globs in place of normal path names. - This can be useful for setting SMACK labels. Does not follow - symlinks. + Set extended attributes, see attr + 5 for details. The argument field should take one or more + assignment expressions in the form + namespace.attribute=value, + for examples see below. Lines of this type accept shell-style globs in place of normal path + names. This can be useful for setting SMACK labels. Does not follow symlinks. + + Please note that extended attributes settable with this line type are a different concept + from the Linux file attributes settable with h/H, see + below. T - Recursively set extended attributes. Lines - of this type accept shell-style globs in place of normal - path names. This can be useful for setting SMACK - labels. Does not follow symlinks. + Same as t, but operates recursively. h - Set file/directory attributes. Lines of this type - accept shell-style globs in place of normal path names. + Set Linux file/directory attributes. Lines of this type accept shell-style globs in + place of normal path names. - The format of the argument field is [+-=][aAcCdDeijPsStTu] . The prefix + The format of the argument field is [+-=][aAcCdDeijPsStTu]. The prefix + (the default one) causes the attribute(s) to be added; - causes the attribute(s) to be removed; = causes the attributes to be set exactly as the following letters. The letters aAcCdDeijPsStTu select the new attributes for the files, see chattr 1 for further information. - Passing only = as argument resets - all the file attributes listed above. It has to be pointed - out that the = prefix limits itself to - the attributes corresponding to the letters listed here. All - other attributes will be left untouched. Does not follow - symlinks. - + + Passing only = as argument resets all the file attributes listed above. 
It + has to be pointed out that the = prefix limits itself to the attributes + corresponding to the letters listed here. All other attributes will be left untouched. Does not + follow symlinks. + + Please note that the Linux file attributes settable with this line type are a different + concept from the extended attributes settable with t/T, + see above. H - Recursively set file/directory attributes. Lines - of this type accept shell-style globs in place of normal - path names. Does not follow symlinks. - + Sames as h, but operates recursively. a a+ - Set POSIX ACLs (access control lists). If - suffixed with +, the specified entries will - be added to the existing set. - systemd-tmpfiles will automatically add - the required base entries for user and group based on the - access mode of the file, unless base entries already exist - or are explicitly specified. The mask will be added if not - specified explicitly or already present. Lines of this type - accept shell-style globs in place of normal path names. This - can be useful for allowing additional access to certain - files. Does not follow symlinks. + Set POSIX ACLs (access control lists), see acl + 5. If suffixed with +, the specified + entries will be added to the existing set. systemd-tmpfiles will automatically + add the required base entries for user and group based on the access mode of the file, unless base + entries already exist or are explicitly specified. The mask will be added if not specified + explicitly or already present. Lines of this type accept shell-style globs in place of normal path + names. This can be useful for allowing additional access to certain files. Does not follow + symlinks. -- cgit v1.2.3 From afa51e2dfb1a0171d3a9341e5a5fc5c4088624bc Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Wed, 24 Jul 2019 18:28:57 +0530 Subject: networkd: bridge add support to set IGMP version --- man/systemd.netdev.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'man') 
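Review bot: in the H entry of the hunk at @@ -380,63 +380,64 @@, "Sames as h, but operates recursively." has a typo; it should read "Same as h, but operates recursively." to match the T entry. In the t entry, "for examples see below" points outside this hunk; either name the section that holds the examples or give one namespace.attribute=value assignment in place (the SMACK label case the same sentence mentions would do).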
diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index ff37f26990..515560f14e 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -412,6 +412,14 @@ + + IGMPVersion= + + Allows to change bridge's multicast Internet Group Management Protocol (IGMP) version. + Takes an interger 2 or 3. When unset, the kernel's default will be used. + + + -- cgit v1.2.3 From 39867bb9fbeb3c1a421404caa2aa2438bbfdd81b Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 22 Jul 2019 14:19:33 +0200 Subject: man: document the systemd-random-seed rework --- man/bootctl.xml | 22 +++++-- man/loader.conf.xml | 16 +++++ man/rules/meson.build | 1 + man/systemd-boot-system-token.service.xml | 76 ++++++++++++++++++++++ man/systemd-boot.xml | 102 ++++++++++++++++++++++++------ man/systemd-random-seed.service.xml | 57 ++++++++++++++--- 6 files changed, 243 insertions(+), 31 deletions(-) create mode 100644 man/systemd-boot-system-token.service.xml (limited to 'man') diff --git a/man/bootctl.xml b/man/bootctl.xml index 46b9738b14..28826d621c 100644 --- a/man/bootctl.xml +++ b/man/bootctl.xml @@ -45,15 +45,15 @@ Path to the EFI System Partition (ESP). If not specified, /efi/, - /boot/, and /boot/efi are checked in turn. It is recommended to mount - the ESP to /efi/, if possible. + /boot/, and /boot/efi/ are checked in turn. It is + recommended to mount the ESP to /efi/, if possible. Path to the Extended Boot Loader partition, as defined in the Boot Loader Specification. If not - specified, /boot/ are checked. It is recommended to mount the Extended Boot + specified, /boot/ is checked. It is recommended to mount the Extended Boot Loader partition to /boot/, if possible. 
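Review bot: in the IGMPVersion= hunk at @@ -412,6 +412,14 @@, "Takes an interger 2 or 3." misspells "integer", and "Allows to change bridge's multicast ... version." is ungrammatical; suggest "Configures the bridge's multicast Internet Group Management Protocol (IGMP) version. Takes an integer, either 2 or 3. When unset, the kernel's default is used."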
@@ -124,6 +124,19 @@ and the firmware's boot loader list. + + + + Generates a random seed and stores it in the EFI System Partition, for use by the + systemd-boot boot loader. Also, generates a random 'system token' and stores it + persistently as an EFI variable, if one has not been set before. If the boot loader finds the random + seed in the ESP and the system token in the EFI variable it will derive a random seed to pass to the + OS and a new seed to store in the ESP from the combination of both. The random seed passed to the OS + is credited to the kernel's entropy pool by the system manager during early boot, and permits + userspace to boot up with an entropy pool fully initialized very early on. Also see + systemd-boot-system-token.service8. + + @@ -165,7 +178,8 @@ systemd-boot7, Boot Loader Specification, - Boot Loader Interface + Boot Loader Interface, + systemd-boot-system-token.service8 diff --git a/man/loader.conf.xml b/man/loader.conf.xml index 38a80861b8..cef20b59d8 100644 --- a/man/loader.conf.xml +++ b/man/loader.conf.xml @@ -153,6 +153,22 @@ Takes a boolean argument. Enable (the default) or disable the "Reboot into firmware" entry. + + + random-seed-mode + + Takes one of off, with-system-token and + always. If off no random seed data is read off the ESP, nor + passed to the OS. If with-system-token (the default) + systemd-boot will read a random seed from the ESP (from the file + /loader/random-seed) only if the LoaderSystemToken EFI + variable is set, and then derive the random seed to pass to the OS from the combination. If + always the boot loader will do so even if LoaderSystemToken is + not set. This mode is useful in environments where protection against OS image reuse is not a + concern, and the random seed shall be used even with no further setup in place. User bootctl + random-seed to initialize both the random seed file in the ESP and the system token EFI + variable. + 
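Review bot: in the loader.conf hunk at @@ -153,6 +153,22 @@, "User bootctl random-seed to initialize both the random seed file ..." should read "Use bootctl random-seed ...". The same paragraph says always is "useful in environments where protection against OS image reuse is not a concern" without saying what that protection is; a short clause such as "(i.e. where several machines booting the same image would otherwise receive the same seed)" would let the reader judge the trade-off without following the cross-references.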
diff --git a/man/rules/meson.build b/man/rules/meson.build index 7e32e732c1..3b63311d7b 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -655,6 +655,7 @@ manpages = [ ['systemd-bless-boot-generator', '8', [], 'ENABLE_EFI'], ['systemd-bless-boot.service', '8', [], 'ENABLE_EFI'], ['systemd-boot-check-no-failures.service', '8', [], ''], + ['systemd-boot-system-token.service', '8', [], 'ENABLE_EFI'], ['systemd-boot', '7', ['sd-boot'], 'ENABLE_EFI'], ['systemd-cat', '1', [], ''], ['systemd-cgls', '1', [], ''], diff --git a/man/systemd-boot-system-token.service.xml b/man/systemd-boot-system-token.service.xml new file mode 100644 index 0000000000..b2948a5c4b --- /dev/null +++ b/man/systemd-boot-system-token.service.xml 
@@ -0,0 +1,76 @@ + + + + + + + + systemd-boot-system-token.service + systemd + + + + systemd-boot-system-token.service + 8 + + + + systemd-boot-system-token.service + Generate an initial boot loader system token and random seed + + + + systemd-boot-system-token.service + + + + Description + + systemd-boot-system-token.service is a system service that automatically + generates a 'system token' to store in an EFI variable in the system's NVRAM and a random seed to store + on the EFI System Partition ESP on disk. The boot loader may then combine these two randomized data + fields by cryptographic hashing, and pass it to the OS it boots as initialization seed for its entropy + pool. The random seed stored in the ESP is refreshed on each reboot ensuring that multiple subsequent + boots will boot with different seeds. The 'system token' is generated randomly once, and then + persistently stored in the system's EFI variable storage. + + The systemd-boot-system-token.service unit invokes the bootctl + random-seed command, which updates the random seed in the ESP, and initializes the 'system + token' if it's not initialized yet. The service is conditionalized so that it is run only when all of the + below apply: + + + A boot loader is used that implements the Boot Loader Interface (which defines the 'system + token' concept). + + Either a 'system token' was not set yet, or the boot loader has not passed the OS a + random seed yet (and thus most likely has been missing the random seed file in the + ESP). + + The system is not running in a VM environment. This case is explicitly excluded since + on VM environments the ESP backing storage and EFI variable storage is typically not physically + separated and hence booting the same OS image in multiple instances would replicate both, thus reusing + the same random seed and 'system token' among all instances, which defeats its purpose. 
Note that it's + still possible to use boot loader random seed provisioning in this mode, but the automatic logic + implemented by this service has no effect then, and the user instead has to manually invoke the + bootctl random-seed acknowledging these restrictions. + + + For further details see + bootctl1, regarding + the command this service invokes. + + + + See Also + + systemd1, + bootctl1, + systemd-boot7 + + + + diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml index 2575ab3fe5..3142b56d66 100644 --- a/man/systemd-boot.xml +++ b/man/systemd-boot.xml 
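Review bot: in the Description of the new systemd-boot-system-token.service page (hunk @@ -0,0 +1,76 @@), "a random seed to store on the EFI System Partition ESP on disk" needs the abbreviation in parentheses, "(ESP)", since ESP is used on its own afterwards; "the ESP backing storage and EFI variable storage is typically not physically separated" should be "are"; and "manually invoke the bootctl random-seed acknowledging these restrictions" reads better as "manually invoke bootctl random-seed, accepting these restrictions".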
@@ -28,13 +28,14 @@ manager. It provides a graphical menu to select the entry to boot and an editor for the kernel command line. systemd-boot supports systems with UEFI firmware only. - systemd-boot loads boot entry information from the EFI system partition (ESP), usually mounted at - /efi/, /boot/, or /boot/efi/ during OS - runtime, as well as from the Extended Boot Loader partition if it exists (usually mounted to - /boot/). Configuration file fragments, kernels, initrds and other EFI images to boot - generally need to reside on the ESP or the Extended Boot Loader partition. Linux kernels must be built - with to be able to be directly executed as an EFI image. During boot - systemd-boot automatically assembles a list of boot entries from the following sources: + systemd-boot loads boot entry information from the EFI system partition (ESP), + usually mounted at /efi/, /boot/, or + /boot/efi/ during OS runtime, as well as from the Extended Boot Loader partition if + it exists (usually mounted to /boot/). Configuration file fragments, kernels, + initrds and other EFI images to boot generally need to reside on the ESP or the Extended Boot Loader + partition. Linux kernels must be built with to be able to be directly + executed as an EFI image. During boot systemd-boot automatically assembles a list of + boot entries from the following sources: Boot entries defined with A reboot into the UEFI firmware setup option, if supported by the firmware - kernel-install8 - may be used to copy kernel images onto the ESP or the Extended Boot Loader Partition and to generate - description files compliant with the Boot Loader - Specification. bootctl1 + systemd-boot supports the following features: + + + Basic boot manager configuration changes (such as timeout + configuration, default boot entry selection, …) may be made directly from the boot loader UI at + boot-time, as well as during system runtime with EFI variables. 
+ + The boot manager integrates with the systemctl command to implement + features such as systemctl reboot --boot-loader-entry=… (for rebooting into a + specific boot menu entry, i.e. "reboot into Windows") and systemctl reboot + --boot-loader-menu=… (for rebooting into the boot loader menu), by implementing the Boot Loader Interface. See + systemctl1 for + details. + + An EFI variable set by the boot loader informs the OS about the ESP partition used + during boot. This is then used to automatically mount the correct ESP partition to + /efi/ or /boot/ during OS runtime. See + systemd-gpt-auto-generator8 + for details. + + The boot manager provides information about the boot time spent in UEFI firmware using + the Boot Loader Interface. This + information can be displayed using + systemd-analyze1. + + + The boot manager implements boot counting and automatic fallback to older, working boot + entries on failure. See Automatic Boot + Assessment. + + The boot manager optionally reads a random seed from the ESP partition, combines it + with a 'system token' stored in a persistant EFI variable and derives a random seed to use by the OS as + entropy pool initializaton, providing a full entropy pool during early boot. + + + bootctl1 may be used from a running system to locate the ESP and the Extended Boot Loader Partition, list available entries, and install systemd-boot itself. - systemd-boot will provide information about the time spent in UEFI firmware using the Boot Loader Interface. This information can be displayed - using systemd-analyze1. - + kernel-install8 + may be used to copy kernel images onto the ESP or the Extended Boot Loader Partition and to generate + description files compliant with the Boot Loader + Specification. 
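Review bot: in the hunk at @@ -28,13 +28,14 @@ the last feature bullet has two typos, "persistant" (persistent) and "initializaton" (initialization). The same bullet says the boot manager "optionally reads a random seed" and then promises "a full entropy pool during early boot"; since the loader.conf entry in this series makes the seed conditional on the system token being set (or random-seed-mode=always), phrase the promise conditionally, e.g. "providing a fully initialized entropy pool during early boot when a seed and system token are present".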
@@ -238,7 +272,9 @@ Loader Specification are read from /loader/entries/ on the ESP and the Extended Boot Loader partition. Unified kernel boot entries following the Boot Loader Specification are read from - /EFI/Linux/ on the ESP and the Extended Boot Loader partition. + /EFI/Linux/ on the ESP and the Extended Boot Loader partition. Optionally, a random + seed for early boot entropy pool provisioning is stored in /loader/random-seed in + the ESP. 
@@ -346,10 +382,39 @@ Information about the time spent in various parts of the boot loader. Set by the boot loader. Use systemd-analyze1 - to view this data. These variables are defined by the Boot Loader Interface. + to view this data. + + + + LoaderRandomSeed + + A binary random seed systemd-boot may optionally pass to the + OS. This is a volatile EFI variable that is hashed at boot from the combination of a random seed + stored in the ESP (in /loader/random-seed) and a "system token" persistently + stored in the EFI variable LoaderSystemToken (see below). During early OS boot the + system manager reads this variable and passes it to the OS kernel's random pool, crediting the full + entropy it contains. This is an efficient way to ensure the system starts up with a fully initialized + kernel random pool — as early as the initial RAM disk phase. systemd-boot reads + the random seed from the ESP, combines it with the "system token", and both derives a new random seed + to update in-place the seed stored in the ESP, and the random seed to pass to the OS from it via + SHA256 hashing in counter mode. This ensures that different physical systems that boot the same + "golden" OS image — i.e. containing the same random seed file in the ESP — will still pass a + different random seed to the OS. It is made sure the random seed stored in the ESP is fully + overwritten before the OS is booted, to ensure different random seed data is used between subsequent + boots. + + + + LoaderSystemToken + + A binary random data field, that is used for generating the random see to pass to the + OS (see above). Note that this random data is generally only generated once, during OS installation, + and is then never updated again. + + Many of these variables are defined by the Boot Loader Interface. @@ -413,6 +478,7 @@ bootctl1, loader.conf5, systemd-bless-boot.service8, + systemd-boot-system-token.service8, kernel-install8, Boot Loader Specification, Boot Loader Interface 
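Review bot: in the hunk at @@ -346,10 +382,39 @@, the LoaderSystemToken entry says "used for generating the random see to pass to the OS", missing a letter ("seed"), and "A binary random data field, that is used" needs no comma. In the LoaderRandomSeed entry, "It is made sure the random seed stored in the ESP is fully overwritten before the OS is booted" hides the actor; suggest "systemd-boot overwrites the random seed in the ESP before the OS is booted, so that different random seed data is used between subsequent boots."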
diff --git a/man/systemd-random-seed.service.xml b/man/systemd-random-seed.service.xml index 35c6e2fd0b..8714c4280d 100644 --- a/man/systemd-random-seed.service.xml +++ b/man/systemd-random-seed.service.xml 
@@ -29,21 +29,60 @@ Description - systemd-random-seed.service is a - service that restores the random seed of the system at early boot - and saves it at shutdown. See - random4 - for details. Saving/restoring the random seed across boots - increases the amount of available entropy early at boot. On disk - the random seed is stored in - /var/lib/systemd/random-seed. + systemd-random-seed.service is a service that loads an on-disk random seed + into the kernel entropy pool during boot and saves it at shutdown. See + random4 for + details. By default, no entropy is credited when the random seed is written into the kernel entropy pool, + but this may be changed with $SYSTEMD_RANDOM_SEED_CREDIT, see below. On disk the random + seed is stored in /var/lib/systemd/random-seed. + + Note that this service runs relatively late during the early boot phase, i.e. generally after the + initial RAM disk (initrd) completed its work, and the /var/ file system has been + mounted writable. Many system services require entropy much earlier than this — this service is hence of + limited use for complex system. It is recommended to use a boot loader that can pass an initial random + seed to the kernel to ensure that entropy is available from earliest boot on, for example + systemd-boot7, with + its bootctl random-seed functionality. + + When loading the random seed from disk its file is immediately updated with a new seed retrieved + from the kernel, in order to ensure no two boots operate with the same random seed. This new seed is + retrieved synchronously from the kernel, which means the service will not complete start-up until the + random pool is fully initialized. On entropy-starved systems this may take a while. This functionality is + intended to be used as synchronization point for ordering services that require an initialized entropy + pool to function securely (i.e. services that access /dev/urandom without any + further precautions). 
+ + Care should be taken when creating OS images that are replicated to multiple systems: if the random + seed file is included unmodified each system will initialize its entropy pool with the same data, and + thus — if otherwise entropy-starved — generate the same or at least guessable random seed streams. As a + safety precaution crediting entropy is thus disabled by default. It is recommended to remove the random + seed from OS images intended for replication on multiple systems, in which case it is safe to enable + entropy crediting, see below. + + + + Environment + + + + $SYSTEMD_RANDOM_SEED_CREDIT + By default, systemd-random-seed.service does not credit any + entropy when loading the random seed. With this option this behaviour may be changed: it either takes + a boolean parameter or the special string force. Defaults to false, in which case + no entropy is credited. If true, entropy is credited if the random seed file and system state pass + various superficial concisistency checks. If set to force entropy is credited, + regardless of these checks, as long as the random seed file exists. + + See Also systemd1, - random4 + random4, + systemd-boot7, + bootctl4 -- cgit v1.2.3 From a2aa605d220b2b12eabd2974a947af603171b90c Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 22 Jul 2019 15:05:29 +0200 Subject: bootctl: add is-installed verb Fixes: #9428 --- man/bootctl.xml | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'man') diff --git a/man/bootctl.xml b/man/bootctl.xml index 28826d621c..0c9fa80d09 100644 --- a/man/bootctl.xml +++ b/man/bootctl.xml @@ -137,6 +137,15 @@ systemd-boot-system-token.service8. + + + + Checks whether systemd-boot is installed in the ESP. Note that a + single ESP might host multiple boot loaders; this hence checks whether + systemd-boot is one (of possibly many) installed boot loaders — and neither + whether it is the default nor whether it is registered in any EFI variables. + + -- cgit v1.2.3 
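Review bot: in the systemd-random-seed.service hunk at @@ -29,21 +29,60 @@, the See Also entry bootctl4 gives bootctl the wrong manual section; everywhere else in this series (including the new systemd-boot-system-token.service page) it is cited as bootctl1. Also "limited use for complex system" should be "complex systems", and "superficial concisistency checks" should read "consistency checks". The $SYSTEMD_RANDOM_SEED_CREDIT entry says force credits entropy "regardless of these checks" but never says what the checks look at; naming them (in a parenthetical) would let an administrator decide whether true is sufficient for their images.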
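Review bot: in the bootctl is-installed hunk at @@ -137,6 +137,15 @@, the description says what is checked but not how the answer is reported; a verb named is-installed is presumably meant for use from scripts, so state the exit status convention (zero when systemd-boot is found in the ESP, non-zero otherwise, if that is the behaviour) and whether anything is printed to standard output.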
From 7fb0c615807cdcc2d509e4d719763f2b196c6e72 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 22 Jul 2019 15:24:49 +0200 Subject: man: extend on the --print-boot-path description a bit --- man/bootctl.xml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/bootctl.xml b/man/bootctl.xml index 0c9fa80d09..070a31d09c 100644 --- a/man/bootctl.xml +++ b/man/bootctl.xml @@ -70,8 +70,17 @@ This option modifies the behaviour of status. Only prints the path to the Extended Boot Loader partition if it exists, and the path to the ESP otherwise to standard output and exit. This command is useful to determine where to place boot loader entries, as they are - preferably placed in the Extended Boot Loader partition if it exists and in the ESP otherwise. - + preferably placed in the Extended Boot Loader partition if it exists and in the ESP otherwise. + + Boot Loader Specification Type #1 entries should generally be placed in the directory + $(bootctl -x)/loader/entries/. Existence of that directory may also be used as + indication that boot loader entry support is available on the system. Similarly, Boot Loader + Specification Type #2 entries should be placed in the directory $(bootctl + -x)/EFI/Linux/. + + Note that this option (similar to the option mentioned + above), is available independently from the boot loader used, i.e. also without + systemd-boot being installed. -- cgit v1.2.3 From 93f5910078f9f6d34183ea4df8a842ad7b8a83e6 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 22 Jul 2019 18:13:26 +0200 Subject: docs: add longer document about systemd and random number seeds --- man/bootctl.xml | 5 ++++- man/loader.conf.xml | 5 ++++- man/systemd-boot.xml | 5 ++++- man/systemd-random-seed.service.xml | 3 +++ 4 files changed, 15 insertions(+), 3 deletions(-) (limited to 'man') diff --git a/man/bootctl.xml b/man/bootctl.xml index 070a31d09c..822d07a606 100644 --- a/man/bootctl.xml +++ b/man/bootctl.xml 
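Review bot: in the hunk at @@ -70,8 +70,17 @@, the new paragraph uses $(bootctl -x) twice without introducing -x, while the surrounding text refers to the option by its long name only; either list the short form in the option's term or write $(bootctl --print-boot-path) in the examples. In the unchanged context, "to standard output and exit" should read "and exits", and in "Note that this option (similar to the option mentioned above), is available" the comma after the closing parenthesis should go.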
@@ -143,7 +143,10 @@ OS and a new seed to store in the ESP from the combination of both. The random seed passed to the OS is credited to the kernel's entropy pool by the system manager during early boot, and permits userspace to boot up with an entropy pool fully initialized very early on. Also see - systemd-boot-system-token.service8. + systemd-boot-system-token.service8. + + See Random Seeds for further + information. diff --git a/man/loader.conf.xml b/man/loader.conf.xml index cef20b59d8..14f84c13ee 100644 --- a/man/loader.conf.xml +++ b/man/loader.conf.xml @@ -167,7 +167,10 @@ not set. This mode is useful in environments where protection against OS image reuse is not a concern, and the random seed shall be used even with no further setup in place. User bootctl random-seed to initialize both the random seed file in the ESP and the system token EFI - variable. + variable. + + See Random Seeds for further + information. diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml index 3142b56d66..da8ddb5f84 100644 --- a/man/systemd-boot.xml +++ b/man/systemd-boot.xml @@ -401,7 +401,10 @@ "golden" OS image — i.e. containing the same random seed file in the ESP — will still pass a different random seed to the OS. It is made sure the random seed stored in the ESP is fully overwritten before the OS is booted, to ensure different random seed data is used between subsequent - boots. + boots. + + See Random Seeds for + further information. diff --git a/man/systemd-random-seed.service.xml b/man/systemd-random-seed.service.xml index 8714c4280d..28783a15e9 100644 --- a/man/systemd-random-seed.service.xml +++ b/man/systemd-random-seed.service.xml @@ -58,6 +58,9 @@ safety precaution crediting entropy is thus disabled by default. It is recommended to remove the random seed from OS images intended for replication on multiple systems, in which case it is safe to enable entropy crediting, see below. + + See Random Seeds for further + information. -- cgit v1.2.3 
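Review bot: in the loader.conf hunk at @@ -167,7 +167,10 @@, the context line "User bootctl random-seed to initialize both the random seed file in the ESP ..." still carries the User/Use typo; since this hunk already rewrites the end of that paragraph, fix it here rather than leaving it for a separate commit.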
From e8489008cb9f0ada20c99633dfca4c66ccfadc6c Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 26 Jul 2019 10:58:34 +0900 Subject: network: rename IGMPVersion= -> MulticastIGMPVersion= --- man/systemd.netdev.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 515560f14e..0775e00bd2 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -413,7 +413,7 @@ - IGMPVersion= + MulticastIGMPVersion= Allows to change bridge's multicast Internet Group Management Protocol (IGMP) version. Takes an interger 2 or 3. When unset, the kernel's default will be used. -- cgit v1.2.3 From e08be64937293e3aa8adb08048497520d58445c6 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 26 Jul 2019 09:24:11 +0200 Subject: man: document the new sysctl.d/ - prefix --- man/sysctl.d.xml | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'man') diff --git a/man/sysctl.d.xml b/man/sysctl.d.xml index 0a8eeb62a4..21ef6de97c 100644 --- a/man/sysctl.d.xml +++ b/man/sysctl.d.xml @@ -59,6 +59,10 @@ /proc/sys/net/ipv4/conf/enp3s0.200/forwarding. + If a variable assignment is prefixed with a single - character, any attempts to + set it that fail will be ignored (though are logged). Moreover, any access permission errors, and + attempts to write variables not defined on the local system are ignored (and logged) too. + The settings configured with sysctl.d files will be applied early on boot. The network interface-specific options will also be applied individually for -- cgit v1.2.3 From 1774d03fb2bf7734b4c56c1a53b536b623804082 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 26 Jul 2019 15:01:36 +0200 Subject: man: reword description of "-" for sysctl.d Follow-up for e08be64937. --- man/sysctl.d.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'man') 
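Review bot: in the MulticastIGMPVersion= rename hunk at @@ -413,7 +413,7 @@, the context lines keep "Allows to change bridge's multicast ..." and "Takes an interger 2 or 3."; since the entry is being edited anyway, fix both here ("Configures the bridge's ..." and "Takes an integer, either 2 or 3.").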
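Review bot: in the sysctl.d hunk at @@ -59,6 +59,10 @@, "any attempts to set it that fail will be ignored (though are logged)" is hard to parse and leaves open the contrast that gives the - prefix its meaning, namely what happens to a failed assignment without the prefix; state both cases side by side, e.g. "Without the prefix, a failed assignment is reported as an error; with it, the failure is only logged."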
diff --git a/man/sysctl.d.xml b/man/sysctl.d.xml index 21ef6de97c..4932948178 100644 --- a/man/sysctl.d.xml +++ b/man/sysctl.d.xml @@ -59,9 +59,11 @@ /proc/sys/net/ipv4/conf/enp3s0.200/forwarding. - If a variable assignment is prefixed with a single - character, any attempts to - set it that fail will be ignored (though are logged). Moreover, any access permission errors, and - attempts to write variables not defined on the local system are ignored (and logged) too. + Any access permission errors and attempts to write variables not defined on the local system are + logged, but do not cause the the service to fail. Moreover, if a variable assignment is prefixed with a + single - character, failure to set the variable will be logged, but will not cause the + service to fail. All other errors when setting variables cause the service to return failure at the end + (other variables are still processed). The settings configured with sysctl.d files will be applied early on boot. The network -- cgit v1.2.3 From 77ce88c1286311e6f190f76c9d5cd6beff223989 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 29 Jul 2019 09:24:09 +0200 Subject: man: document the kernel command line options to use when logging to kmsg Prompted by: https://lists.freedesktop.org/archives/systemd-devel/2019-July/043149.html --- man/journald.conf.xml | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) (limited to 'man') diff --git a/man/journald.conf.xml b/man/journald.conf.xml index 57c2256567..44fd0d2f3d 100644 --- a/man/journald.conf.xml +++ b/man/journald.conf.xml 
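Review bot: in the reworded sysctl.d hunk at @@ -59,9 +59,11 @@, "do not cause the the service to fail" has a doubled "the". The restructured paragraph otherwise reads well; consider attaching "(other variables are still processed)" to the first sentence as well, since it applies to the logged-but-ignored cases too.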
@@ -288,21 +288,25 @@ ForwardToConsole= ForwardToWall= - Control whether log messages received by the journal daemon shall - be forwarded to a traditional syslog daemon, to the kernel log buffer (kmsg), to - the system console, or sent as wall messages to all logged-in users. These - options take boolean arguments. If forwarding to syslog is enabled but nothing - reads messages from the socket, forwarding to syslog has no effect. By default, - only forwarding to wall is enabled. These settings may be overridden at boot time - with the kernel command line options - systemd.journald.forward_to_syslog, + Control whether log messages received by the journal daemon shall be forwarded to a + traditional syslog daemon, to the kernel log buffer (kmsg), to the system console, or sent as wall + messages to all logged-in users. These options take boolean arguments. If forwarding to syslog is + enabled but nothing reads messages from the socket, forwarding to syslog has no effect. By default, + only forwarding to wall is enabled. These settings may be overridden at boot time with the kernel + command line options systemd.journald.forward_to_syslog, systemd.journald.forward_to_kmsg, systemd.journald.forward_to_console, and - systemd.journald.forward_to_wall. If the option name is - specified without = and the following argument, true is - assumed. Otherwise, the argument is parsed as a boolean. When forwarding to the - console, the TTY to log to can be changed with TTYPath=, - described below. + systemd.journald.forward_to_wall. If the option name is specified without + = and the following argument, true is assumed. Otherwise, the argument is parsed + as a boolean. + + When forwarding to the console, the TTY to log to can be changed with + TTYPath=, described below. + + When forwarding to the kernel log buffer (kmsg), make sure to select a suitably large size for + the log buffer, and ensure the kernel's rate-limiting applied to userspace processes is turned + off. 
Specifically, add log_buf_len=8M and printk.devkmsg=on (or + similar) to the kernel command line. -- cgit v1.2.3 From 2e542f4e62f770865bac6d6b2ad32d802a1523a7 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 29 Jul 2019 09:45:11 +0200 Subject: man: document that --volatile=yes is not supported for split /usr systems --- man/systemd-nspawn.xml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'man') diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 8c1a1e6871..9f0be96b26 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -368,12 +368,16 @@ kernel-command-line7 for details. - Note that setting this option to or will only work correctly - with operating systems in the container that can boot up with only /usr mounted, and are - able to automatically populate /var, and also /etc in case of - --volatile=yes. The option does not require any particular - preparations in the OS, but do note that overlayfs behaviour differs from regular file - systems in a number of ways, and hence compatibility is limited. + Note that setting this option to or will only work + correctly with operating systems in the container that can boot up with only + /usr/ mounted, and are able to automatically populate /var/ + (and /etc/ in case of --volatile=yes). Specifically, this + means that operating systems that follow the historic split of /bin/ and + /lib/ (and related directories) from /usr/ (i.e. where the + former are not symlinks into the latter) are not supported by --volatile=yes as + container payload. The option does not require any particular preparations + in the OS, but do note that overlayfs behaviour differs from regular file systems + in a number of ways, and hence compatibility is limited. -- cgit v1.2.3 From a077755abf6ecca7f801d306e363d7581150e23f Mon Sep 17 00:00:00 2001 
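Review bot: in the journald.conf hunk at @@ -288,21 +288,25 @@, the new kmsg paragraph recommends turning off "the kernel's rate-limiting applied to userspace processes" via printk.devkmsg=on but does not say that this is a system-wide knob: it lifts the limit for every process able to write to /dev/kmsg, not only for journald, so any misbehaving local writer can then fill the kernel log buffer unchecked. State that trade-off beside the recommendation, and present log_buf_len=8M as a starting point to be sized for the expected message volume rather than as a fixed value.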
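Review bot: in the systemd-nspawn hunk at @@ -368,12 +368,16 @@, the first sentence applies the "can boot up with only /usr/ mounted" requirement to both option values, but the added sentence scopes the split-/usr exclusion to --volatile=yes only; if the other mode still gets /bin/ and /lib/ from the image and is therefore unaffected, say so explicitly, otherwise extend the exclusion to both modes. As written a reader cannot tell which of the two is meant.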
From: Lennart Poettering Date: Mon, 29 Jul 2019 12:49:38 +0200 Subject: man: document default HibernateDelaySec= setting --- man/systemd-sleep.conf.xml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemd-sleep.conf.xml b/man/systemd-sleep.conf.xml index 3311a046ca..a6949b0c3b 100644 --- a/man/systemd-sleep.conf.xml +++ b/man/systemd-sleep.conf.xml @@ -168,11 +168,10 @@ HibernateDelaySec= - The amount of time in seconds - that will pass before the system is automatically - put into hibernate when using - systemd-suspend-then-hibernate.service8. - + The amount of time the system spends in suspend mode before the system is + automatically put into hibernate mode, when using + systemd-suspend-then-hibernate.service8. Defaults + to 2h. -- cgit v1.2.3 From 2e2ed88062fcd4fbe138a5198a979ccdea4fb11c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 28 Jul 2019 12:37:31 +0200 Subject: pid1,systemctl: allow symbolic exit code names --- man/systemd.service.xml | 37 +++++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 16 deletions(-) (limited to 'man') diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 90c1257f37..06116df1b0 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml 
@@ -852,27 +852,32 @@ SuccessExitStatus= - Takes a list of exit status definitions that, - when returned by the main service process, will be considered - successful termination, in addition to the normal successful - exit code 0 and the signals SIGHUP, - SIGINT, SIGTERM, and - SIGPIPE. Exit status definitions can - either be numeric exit codes or termination signal names, - separated by spaces. For example: - - SuccessExitStatus=1 2 8 SIGKILL - - ensures that exit codes 1, 2, 8 and - the termination signal SIGKILL are - considered clean service terminations. - + Takes a list of exit status definitions that, when returned by the main service + process, will be considered successful termination, in addition to the normal successful exit code 0 + and the signals SIGHUP, SIGINT, + SIGTERM, and SIGPIPE. Exit status definitions can be + numeric exit codes, termination code names, or termination signal names, separated by spaces. See the + Process Exit Codes section in + systemd.exec5 for + a list of termination codes names (for this setting only the part without the + EXIT_ or EX_ prefix should be used). See + signal7 for + a list of signal names. This option may appear more than once, in which case the list of successful exit statuses is merged. If the empty string is assigned to this option, the list is reset, all prior assignments of this option will have no - effect. + effect. + + + A service with with the the <varname>SuccessExitStatus=</varname> setting + + SuccessExitStatus=TEMPFAIL 250 SIGUSR1 + + Exit codes 75 (TEMPFAIL), 250, and the termination signal + SIGKILL are considered clean service terminations. + -- cgit v1.2.3 From 76ed04d936f757763c32db5dbaaebd8b13785d7b Mon Sep 17 00:00:00 2001 
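Review bot: the new example and its explanation disagree: the unit line is "SuccessExitStatus=TEMPFAIL 250 SIGUSR1" but the sentence below says "the termination signal SIGKILL" is considered clean; one of the two must change. The example title also has doubled words ("A service with with the the"), and "a list of termination codes names" in the description should be "termination code names".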
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 29 Jul 2019 15:44:39 +0200 Subject: analyze: add exit-codes verb --- man/systemd-analyze.xml | 30 ++++++++++++++++++++++++++++++ man/systemd.service.xml | 5 ++++- 2 files changed, 34 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 7112362ac5..8e9f24caac 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -83,6 +83,12 @@ OPTIONS unit-paths + + systemd-analyze + OPTIONS + exit-codes + CODE + systemd-analyze OPTIONS @@ -365,6 +371,30 @@ $ eog targets.svg to retrieve the actual list that the manager uses, with any empty directories omitted. + + <command>systemd-analyze exit-codes <optional><replaceable>CODE</replaceable>...</optional></command> + + This command prints a list of exit codes along with their "class", i.e. the source of the + definition (one of glibc, systemd, LSB, or + BSD), see the Process Exit Codes section in + systemd.exec5. + If no additional arguments are specified, all known codes are are shown. Otherwise, only the + definitions for the specified codes are shown. + + + <command>Show some example exit code names</command> + + $ systemd-analyze exit-codes 0 1 {63..65} +NAME CODE CLASS +SUCCESS 0 glibc +FAILURE 1 glibc +- 63 - +USAGE 64 BSD +DATAERR 65 BSD + + + + <command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command> diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 06116df1b0..40ac052ba5 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -877,7 +877,10 @@ Exit codes 75 (TEMPFAIL), 250, and the termination signal SIGKILL are considered clean service terminations. - + + + Note: systemd-analyze exit-codes may be used to list exit + codes and translate between numerical code values and names. -- cgit v1.2.3 From 5238d9a83a52c64e24856b0d3b2ca0b0ee52479a Mon Sep 17 00:00:00 2001 
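Review bot: "all known codes are are shown" in the new exit-codes description has a doubled "are". Also, the synopsis and the example present the argument only as a numeric CODE, while the note added to systemd.service.xml says the verb translates "between numerical code values and names"; if names are accepted as arguments, the synopsis and the description should say so.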
From: Lennart Poettering Date: Mon, 29 Jul 2019 19:18:56 +0200 Subject: analyze: rename "exit-codes" to "exit-status" waitid(2) and the libc function signature calls this "exit status", and uses "exit code" for something different. Let's stick to the same nomenclature hence. --- man/systemd-analyze.xml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'man') diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 8e9f24caac..7e842ac201 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -86,8 +86,8 @@ systemd-analyze OPTIONS - exit-codes - CODE + exit-status + STATUS systemd-analyze @@ -372,25 +372,25 @@ $ eog targets.svg - <command>systemd-analyze exit-codes <optional><replaceable>CODE</replaceable>...</optional></command> + <command>systemd-analyze exit-status <optional><replaceable>STATUS</replaceable>...</optional></command> - This command prints a list of exit codes along with their "class", i.e. the source of the + This command prints a list of exit statuses along with their "class", i.e. the source of the definition (one of glibc, systemd, LSB, or BSD), see the Process Exit Codes section in systemd.exec5. - If no additional arguments are specified, all known codes are are shown. Otherwise, only the + If no additional arguments are specified, all known statuses are are shown. Otherwise, only the definitions for the specified codes are shown. - <command>Show some example exit code names</command> - - $ systemd-analyze exit-codes 0 1 {63..65} -NAME CODE CLASS -SUCCESS 0 glibc -FAILURE 1 glibc -- 63 - -USAGE 64 BSD -DATAERR 65 BSD + <command>Show some example exit status names</command> + + $ systemd-analyze exit-status 0 1 {63..65} +NAME STATUS CLASS +SUCCESS 0 glibc +FAILURE 1 glibc +- 63 - +USAGE 64 BSD +DATAERR 65 BSD -- cgit v1.2.3 From 29a3d5caea40821079a73628d6dbe275f7ff475a Mon Sep 17 00:00:00 2001 
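Review bot: the rename is incomplete: the cross-reference added to systemd.service.xml by the previous commit ("systemd-analyze exit-codes may be used to list exit codes ...") is not touched here (the diffstat lists only man/systemd-analyze.xml), so it now names a verb that no longer exists. Within this hunk, "the definitions for the specified codes are shown" still says "codes" while the neighbouring sentences were changed to "statuses", and the doubled "are are" is carried over from the previous commit.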
From: Lennart Poettering Date: Mon, 29 Jul 2019 19:25:49 +0200 Subject: man: remove trailing space in link in HTML output --- man/systemd.exec.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f9c3f41890..fbbfd4f514 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -2718,8 +2718,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy The following service exit codes are defined by the LSB specification - . + url="https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html">LSB specification. -- cgit v1.2.3 From 3ff668cb9a04dde09c34e7934f19790be0393147 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 31 Jul 2019 10:20:16 +0200 Subject: man: reword DeviceAllow= documentation Don't claim we'd use cgroup.deny much. It's just a way to remove stuff from device lists, which is nothing we allow users to explicitly configure. Also, extend documentation when wildcards may be used, and when not. --- man/systemd.resource-control.xml | 57 ++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 31 deletions(-) (limited to 'man') diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index 1b5ac3e8e4..d8fa24727a 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
@@ -655,37 +655,32 @@ DeviceAllow= - Control access to specific device nodes by the - executed processes. Takes two space-separated strings: a - device node specifier followed by a combination of - r, w, - m to control - reading, writing, - or creation of the specific device node(s) by the unit - (mknod), respectively. This controls - the devices.allow and - devices.deny control group - attributes. For details about these control group - attributes, see devices.txt. - - The device node specifier is either a path to a device - node in the file system, starting with - /dev/, or a string starting with either - char- or block- - followed by a device group name, as listed in - /proc/devices. The latter is useful to - whitelist all current and future devices belonging to a - specific device group at once. The device group is matched - according to filename globbing rules, you may hence use the - * and ? - wildcards. Examples: /dev/sda5 is a - path to a device node, referring to an ATA or SCSI block - device. char-pts and - char-alsa are specifiers for all pseudo - TTYs and all ALSA sound devices, - respectively. char-cpu/* is a specifier - matching all CPU related device groups. + Control access to specific device nodes by the executed processes. Takes two space-separated + strings: a device node specifier followed by a combination of r, + w, m to control reading, + writing, or creation of the specific device node(s) by the unit + (mknod), respectively. On cgroup-v1 this controls the + devices.allow control group attribute. For details about this control group + attribute, see devices.txt. On + cgroup-v2 this functionality is implemented using eBPF filtering. + + The device node specifier is either a path to a device node in the file system, starting with + /dev/, or a string starting with either char- or + block- followed by a device group name, as listed in + /proc/devices. 
The latter is useful to whitelist all current and future + devices belonging to a specific device group at once. The device group is matched according to + filename globbing rules, you may hence use the * and ? + wildcards. (Note that such globbing wildcards are not available for device node path + specifications!) In order to match device nodes by numeric major/minor, use device node paths in + the /dev/char/ and /dev/block/ directories. However, + matching devices by major/minor is generally not recommended as assignments are neither stable nor + portable between systems or different kernel versions. + + Examples: /dev/sda5 is a path to a device node, referring to an ATA or + SCSI block device. char-pts and char-alsa are specifiers for + all pseudo TTYs and all ALSA sound devices, respectively. char-cpu/* is a + specifier matching all CPU related device groups. Note that whitelists defined this way should only reference device groups which are resolvable at the time the unit is started. Any device groups not resolvable then are not added to -- cgit v1.2.3 From 2c520df429b766e27dec8a8383ce4a10622a33d9 Mon Sep 17 00:00:00 2001 From: Ronan Pigott Date: Mon, 5 Aug 2019 15:41:16 -0700 Subject: man: fix typo in resolvectl(1) man page --- man/resolvectl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/resolvectl.xml b/man/resolvectl.xml index a59fa4c66d..ccc1b378f8 100644 --- a/man/resolvectl.xml +++ b/man/resolvectl.xml @@ -200,7 +200,7 @@ - Shows the global and per-link DNS settings in currently in effect. If no command is specified, + Shows the global and per-link DNS settings currently in effect. If no command is specified, this is the implied default. -- cgit v1.2.3 From 916f595c7cbe5dd5028a23a17a245ef19e8f6a29 Mon Sep 17 00:00:00 2001 
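Review bot: dropping the devices.deny reference leaves the DeviceAllow= description without any statement of what happens to device nodes that are not listed once the setting is used; one sentence making the deny-by-default behaviour explicit would close that gap. In the new paragraph on major/minor matching it would also help to say that entries under /dev/char/ and /dev/block/ are still device node paths, so the "no globbing wildcards for path specifications" note applies to them as well.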
From: Matthew Leeds Date: Wed, 7 Aug 2019 13:10:50 -0700 Subject: man: Fix grammar in systemd.kill.xml --- man/systemd.kill.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd.kill.xml b/man/systemd.kill.xml index 1f9d622ce9..2c6fea7493 100644 --- a/man/systemd.kill.xml +++ b/man/systemd.kill.xml @@ -79,7 +79,7 @@ signal (see below) is sent to all remaining processes of the unit's control group. If set to , no process is killed. In this case, only the stop command will be - executed on unit stop, but no process be killed otherwise. + executed on unit stop, but no process will be killed otherwise. Processes remaining alive after stop are left in their control group and the control group continues to exist after stop unless it is empty. -- cgit v1.2.3 From 4c94a4c2d65b4951834595c409a72b089bfd349d Mon Sep 17 00:00:00 2001 From: frederik Date: Fri, 9 Aug 2019 12:09:26 +0200 Subject: man: add example for IPv6 Prefix Delegation --- man/systemd.network.xml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index cdcca4aca8..accc824e4d 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -2206,6 +2206,27 @@ DHCP=yes en (i.e. ethernet interfaces). + + IPv6 Prefix Delegation + + # /etc/systemd/network/55-ipv6-pd-upstream.network +[Match] +Name=enp1s0 + +[Network] +DHCP=ipv6 + + # /etc/systemd/network/56-ipv6-pd-downstream.network +[Match] +Name=enp2s0 + +[Network] +IPv6PrefixDelegation=dhcpv6 + + This will enable IPv6 PD on the interface enp1s0 as an upstream interface where the + DHCPv6 client is running and enp2s0 as a downstream interface where the prefix is delegated to. + + A bridge with two enslaved links -- cgit v1.2.3 From f6c6ff97f5c0f31d38fcf373f3b25033cb23e1af Mon Sep 17 00:00:00 2001 
From: Yu Watanabe Date: Thu, 1 Aug 2019 07:41:36 +0900 Subject: network: add RoutingPolicyRule.Family= setting Closes #13233. --- man/systemd.network.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index accc824e4d..95c56b0ae3 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -1139,6 +1139,16 @@ A boolean. Specifies whether the rule to be inverted. Defaults to false. + + Family= + + Takes a special value ipv4, ipv6, or + both. By default, the address family is determined by the address + specified in To= or From=. If neither + To= nor From= are specified, then defaults to + ipv4. + + -- cgit v1.2.3 From b1e91af8d97c3b8ce30aecab5df1f4e09cb9d601 Mon Sep 17 00:00:00 2001 From: Mr-Foo Date: Sat, 17 Aug 2019 16:30:57 +0000 Subject: trivial spelling fixes (#13339) --- man/systemd.network.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/systemd.network.xml b/man/systemd.network.xml index accc824e4d..32589d34b1 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -57,7 +57,7 @@ /run/systemd/network directories. Drop-in files in /etc take precedence over those in /run which in turn take precedence over those in /usr/lib. Drop-in files under any of these - directories take precedence over the main netdev file wherever located. + directories take precedence over the main network file wherever located. Note that an interface without any static IPv6 addresses configured, and neither DHCPv6 nor IPv6LL enabled, shall be considered to have no IPv6 support. IPv6 will be automatically 
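Review bot: the new Family= description does not say what happens when the value conflicts with the family of the address given in To= or From= (whether the rule is rejected, the explicit setting wins, or the address wins); the default-derivation sentence only covers the case where they agree or are absent. Also, "Takes a special value ipv4, ipv6, or both" would read better as "Takes one of ipv4, ipv6, or both".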
@@ -90,7 +90,7 @@ MACAddress= A whitespace-separated list of hardware addresses. Use full colon-, hyphen- or dot-delimited hexadecimal. See the example below. - This option may appear more than one, in which case the lists are merged. If the empty string is assigned to this option, the list + This option may appear more than once, in which case the lists are merged. If the empty string is assigned to this option, the list of hardware addresses defined prior to this is reset. Example: -- cgit v1.2.3 From 651dcdd6691a3559ef69d2c41c164a1b692cc58d Mon Sep 17 00:00:00 2001 From: Theo Ouzhinski Date: Sat, 17 Aug 2019 13:21:50 -0400 Subject: man: add missing comma --- man/systemd-vconsole-setup.service.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd-vconsole-setup.service.xml b/man/systemd-vconsole-setup.service.xml index 268e69c0e7..7e76383720 100644 --- a/man/systemd-vconsole-setup.service.xml +++ b/man/systemd-vconsole-setup.service.xml @@ -33,7 +33,7 @@ Description systemd-vconsole-setup sets up and configures either all virtual consoles, or — if the - optional TTY parameter is provided — a specific one. When the system is booting up it's + optional TTY parameter is provided — a specific one. When the system is booting up, it's called by systemd-udevd8 during VT console subsystem initialization. Also, systemd-localed.service8 invokes -- cgit v1.2.3 From bcf09321c95c7d49b0f36def26d73dd0c3696f88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 6 Aug 2019 09:05:12 +0200 Subject: =?UTF-8?q?man:=20owned=20to=20=E2=86=92=20owned=20by?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- man/systemd-nspawn.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'man') diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 9f0be96b26..db3f10c3a2 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml 
@@ -713,10 +713,10 @@ - If specified, all files and directories in the container's directory tree will adjusted so that - they are owned to the appropriate UIDs/GIDs selected for the container (see above). This operation is - potentially expensive, as it involves descending and iterating through the full directory tree of the - container. Besides actual file ownership, file ACLs are adjusted as well. + If specified, all files and directories in the container's directory tree will be + adjusted so that they are owned by the appropriate UIDs/GIDs selected for the container (see above). + This operation is potentially expensive, as it involves iterating through the full directory tree of + the container. Besides actual file ownership, file ACLs are adjusted as well. This option is implied if is used. This option has no effect if user namespacing is not used. -- cgit v1.2.3 From 0e4a4f56bebc94a99134d79c5e1148aa787fc4dc Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Mon, 12 Aug 2019 19:36:56 +0200 Subject: journalctl: Make journalctl --user-unit= match on _SYSTEMD_USER_SLICE journalctl --unit= already did this, and allows you to tail all the logs for a certain slice easily. It seemed only natural to make --user-unit behave in a similar way. The _SYSTEMD_USER_SLICE field was not documented as being added by journald, so I have added that to the documentation too. Furthermore, I have documented the existing behaviour of --unit= and the new behaviour of --user-unit= The behaviour was actually not documented before, so I am also OK with removing the match for the --unit= command instead. The user would then have to manually provide _SYSTEMD_SLICE= filter to journalctl in both cases. Both options work for me. --- man/journalctl.xml | 13 +++++++++++-- man/systemd.journal-fields.xml | 1 + 2 files changed, 12 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/journalctl.xml b/man/journalctl.xml index 0ecab521fa..f6703b06d6 100644 --- a/man/journalctl.xml 
+++ b/man/journalctl.xml @@ -544,7 +544,12 @@ the unit (_SYSTEMD_UNIT=UNIT), along with additional matches for messages from systemd and - messages about coredumps for the specified unit. + messages about coredumps for the specified unit. A match + is also added for _SYSTEMD_SLICE=UNIT, + such that if the provided UNIT is a + systemd.slice5 + unit, all logs of the children of the slice will be logged. + This parameter can be specified multiple times. @@ -558,7 +563,11 @@ (_SYSTEMD_USER_UNIT= and _UID=) and additional matches for messages from session systemd and messages about coredumps for the - specified unit. + specified unit. A match + is also added for _SYSTEMD_USER_SLICE=UNIT, + such that if the provided UNIT is a + systemd.slice5 + unit, all logs of the children of the unit will be logged. This parameter can be specified multiple times. diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml index fa374bf0f8..c11ec050e5 100644 --- a/man/systemd.journal-fields.xml +++ b/man/systemd.journal-fields.xml @@ -188,6 +188,7 @@ _SYSTEMD_SLICE= _SYSTEMD_UNIT= _SYSTEMD_USER_UNIT= + _SYSTEMD_USER_SLICE= _SYSTEMD_SESSION= _SYSTEMD_OWNER_UID= -- cgit v1.2.3 From d527ebef882137f22ec6d82c28adb9fc52bdf875 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 24 Aug 2019 08:16:44 +0200 Subject: Fix typo in sd_event_set_watchdog manpage (#13393) --- man/sd_event_set_watchdog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/sd_event_set_watchdog.xml b/man/sd_event_set_watchdog.xml index faaaad39d9..cacc683b57 100644 --- a/man/sd_event_set_watchdog.xml +++ b/man/sd_event_set_watchdog.xml @@ -69,7 +69,7 @@ this feature disabled. The first watchdog notification message is sent immediately - when set_event_set_watchdog() is invoked with + when sd_event_set_watchdog() is invoked with a true b parameter. The watchdog logic is designed to allow the service manager -- cgit v1.2.3 
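Review bot: the two added sentences describe the same behaviour with different wording: the --unit= hunk says "all logs of the children of the slice will be logged" and the --user-unit= hunk says "children of the unit"; they should match, and since journalctl displays entries rather than writing them, "will be shown" is the accurate verb in both. For the systemd.journal-fields.xml hunk, _SYSTEMD_USER_SLICE= is only inserted into the field list; if the other fields in that list have individual descriptions, the new one needs one too.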
From db11487d1062655f17db54c4d710653f16c87313 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 6 Aug 2015 21:34:15 -0400 Subject: manager: put bin before sbin for user instances Traditionally, user logins had a $PATH in which /bin was before /sbin, while root logins had a $PATH with /sbin first. This allows the tricks that consolehelper is doing to work. But even if we ignore consolehelper, having the path in this order might have been used by admins for other purposes, and keeping the order in user sessions will make it easier the adoption of systemd user sessions a bit easier. Fixes #733. https://bugzilla.redhat.com/show_bug.cgi?id=1744059 OOM handling in manager_default_environment wasn't really correct. Now the (theorertical) malloc failure in strv_new() is handled. Please note that this has no effect on: - systems with merged /bin-/sbin (e.g. arch) - when there are no binaries that differ between the two locations. E.g. on my F30 laptop there is exactly one program that is affected: /usr/bin/setup -> consolehelper. There is less and less stuff that relies on consolehelper, but there's still some. So for "clean" systems this makes no difference, but helps with legacy setups. $ dnf repoquery --releasever=31 --qf %{name} --whatrequires usermode anaconda-live audit-viewer beesu chkrootkit driftnet drobo-utils-gui hddtemp mate-system-log mock pure-ftpd setuptool subscription-manager system-config-httpd system-config-rootpassword system-switch-java system-switch-mail usermode-gtk vpnc-consoleuser wifi-radar xawtv --- man/systemd.exec.xml | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index fbbfd4f514..5cb83afa57 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -2152,16 +2152,17 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy LogExtraFields= - Configures additional log metadata fields to include in all log records generated by processes - associated with this unit. This setting takes one or more journal field assignments in the format - FIELD=VALUE separated by whitespace. See - systemd.journal-fields7 for - details on the journal field concept. Even though the underlying journal implementation permits binary field - values, this setting accepts only valid UTF-8 values. To include space characters in a journal field value, - enclose the assignment in double quotes ("). The usual specifiers are expanded in all assignments (see - below). Note that this setting is not only useful for attaching additional metadata to log records of a unit, - but given that all fields and values are indexed may also be used to implement cross-unit log record - matching. Assign an empty string to reset the list. + Configures additional log metadata fields to include in all log records generated by + processes associated with this unit. This setting takes one or more journal field assignments in the + format FIELD=VALUE separated by whitespace. See + systemd.journal-fields7 + for details on the journal field concept. Even though the underlying journal implementation permits + binary field values, this setting accepts only valid UTF-8 values. To include space characters in a + journal field value, enclose the assignment in double quotes ("). + The usual specifiers are expanded in all assignments (see below). Note that this setting is not only + useful for attaching additional metadata to log records of a unit, but given that all fields and + values are indexed may also be used to implement cross-unit log record matching. Assign an empty + string to reset the list. 
@@ -2355,10 +2356,16 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy $PATH - Colon-separated list of directories to use - when launching executables. systemd uses a fixed value of - /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin. - + Colon-separated list of directories to use when launching + executables. systemd uses a fixed value of + /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin + in the system manager. When compiled for systems with "unmerged /usr" (/bin is + not a symlink to /usr/bin), + :/sbin:/bin is appended. In case of the + the user manager, each bin/ and sbin/ pair is switched, so + that programs from /usr/bin have higher priority than programs from + /usr/sbin, etc. It is recommended to not rely on this in any way, and have only + one program with a given name in $PATH. -- cgit v1.2.3 From 013a87517d0a6682d7140321ce80d18c54fd1f57 Mon Sep 17 00:00:00 2001 From: Jan Chren Date: Wed, 28 Aug 2019 23:30:58 +0000 Subject: man: install runlevel.8 unconditionally systemctl supports runlevel invocation name without utmp. The runlevel symlink is installed unconditionally. So it's reasonable to install runlevel manpage with it as well. Signed-off-by: Jan Chren (rindeal) --- man/runlevel.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'man') diff --git a/man/runlevel.xml b/man/runlevel.xml index d8bfcd73fc..87e2ed234a 100644 --- a/man/runlevel.xml +++ b/man/runlevel.xml @@ -4,8 +4,7 @@ + xmlns:xi="http://www.w3.org/2001/XInclude"> runlevel -- cgit v1.2.3 From 13dcc96ffb02041018f15e6fff3979ff933ca624 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 30 Aug 2019 13:52:33 +0200 Subject: docs: describe valid unit names in systemd.unit(5) --- man/systemd.unit.xml | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) (limited to 'man') diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 8307be1d33..acb09d005d 100644 
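Review bot: "In case of the the user manager" in the new $PATH text has a doubled "the". The unmerged-/usr sentence also leaves the reader to work out the final user-manager value for that layout (whether the appended ":/sbin:/bin" pair is swapped as well); spelling out the resulting value for both layouts would remove the ambiguity, and the closing advice to keep only one program with a given name in $PATH is worth keeping as the primary recommendation.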
--- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -104,16 +104,24 @@ systemd.scope5. - Unit files are loaded from a set of paths determined during - compilation, described in the next section. - - Unit files can be parameterized by a single argument called the "instance name". The unit - is then constructed based on a "template file" which serves as the definition of multiple - services or other units. A template unit must have a single @ at the end of - the name (right before the type suffix). The name of the full unit is formed by inserting the - instance name between @ and the unit type suffix. In the unit file itself, - the instance parameter may be referred to using %i and other specifiers, see - below. + Unit files are loaded from a set of paths determined during compilation, described in the next + section. + + Valid unit names consist of a "name prefix" and a dot and a suffix specifying the unit type. The + "unit prefix" must consist of one or more valid characters (ASCII letters, digits, :, + -, _, ., and \). The total + length of the unit name including the suffix must not exceed 256 characters. The type suffix must be one + of .service, .socket, .device, + .mount, .automount, .swap, + .target, .path, .timer, + .slice, or .scope. + + Units names can be parameterized by a single argument called the "instance name". The unit is then + constructed based on a "template file" which serves as the definition of multiple services or other + units. A template unit must have a single @ at the end of the name (right before the + type suffix). The name of the full unit is formed by inserting the instance name between + @ and the unit type suffix. In the unit file itself, the instance parameter may be + referred to using %i and other specifiers, see below. Unit files may contain additional options on top of those listed here. If systemd encounters an unknown option, it will -- cgit v1.2.3 From e148cbc5ef8b5c306f0059a32048dcdce232d9ed Mon Sep 17 00:00:00 2001 
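Review bot: the new paragraph on valid unit names introduces the term "name prefix" in its first sentence and then calls the same thing "unit prefix" in the second; pick one term. "Units names can be parameterized" in the following paragraph should be "Unit names can be parameterized".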
From: Yu Watanabe Date: Sat, 31 Aug 2019 13:57:34 +0900 Subject: man: list possible action string and default value Closes #13442. --- man/udevadm.xml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/udevadm.xml b/man/udevadm.xml index d12c39b765..c2f2bc95d2 100644 --- a/man/udevadm.xml +++ b/man/udevadm.xml @@ -528,8 +528,11 @@ - The action string. The special value help may be used to list - known values. + Type of event to be simulated. Possible actions are add, + remove, change, move, + online, offline, bind, + and unbind. Also, the special value help can be used + to list the possible actions. The default value is add. -- cgit v1.2.3 From 8fa0de653b634f1b7377857c2dd99cfc84a77527 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Mon, 15 Apr 2019 15:07:52 +0100 Subject: Generate stable machine-id and DHCP client ID on POWER KVM. --- man/machine-id.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/machine-id.xml b/man/machine-id.xml index f4d94e8800..ebee065a61 100644 --- a/man/machine-id.xml +++ b/man/machine-id.xml @@ -99,8 +99,8 @@ be used. If this file is empty or missing, systemd will attempt to use the D-Bus machine ID from /var/lib/dbus/machine-id, the value of the kernel command line option container_uuid, the KVM DMI - product_uuid (on KVM systems), and finally a randomly generated - UUID. + product_uuid or the devicetree vm,uuid + (on KVM systems), and finally a randomly generated UUID. After the machine ID is established, systemd1 -- cgit v1.2.3