diff --git a/man/journalctl.xml b/man/journalctl.xml index 8ac5400841..bdead3f8b5 100644 --- a/man/journalctl.xml +++ b/man/journalctl.xml @@ -865,7 +865,7 @@ removes archived journal files older than the specified timespan. Accepts the usual s (default), m, - h, days, months, weeks + h, days, weeks, months, and years suffixes, see systemd.time7 for details. diff --git a/man/machinectl.xml b/man/machinectl.xml index 3f4228ee14..6d391b76d9 100644 --- a/man/machinectl.xml +++ b/man/machinectl.xml @@ -413,10 +413,12 @@ edit NAME|FILE - Edit the settings file of the specified machines. For the format of the settings file, refer to systemd.nspawn5. - If an existing settings file of the given machine can't be found, edit automatically - create a new settings file from scratch under /etc/ + Edit the settings file of the specified machines. For the format of the settings + file, refer to + systemd.nspawn5. + If an existing settings file of the given machine can't be found, edit + automatically create a new settings file from scratch under /etc/. + diff --git a/man/networkctl.xml b/man/networkctl.xml index c83277a683..c5fb574990 100644 --- a/man/networkctl.xml +++ b/man/networkctl.xml @@ -436,7 +436,8 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR) the main configuration file. Unless is specified, systemd-networkd will be reloaded after the edit of the .network or .netdev files finishes. - The same applies for .link files and systemd-udevd. + The same applies for .link files and + systemd-udevd8. Note that the changed link settings are not automatically applied after reloading. To achieve that, trigger uevents for the corresponding interface. Refer to systemd.link5 @@ -514,8 +515,7 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR) - - NAME + NAME When used with edit, edit the drop-in file NAME @@ -529,8 +529,11 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR) - When used with edit, systemd-networkd - or systemd-udevd will not be reloaded after the editing finishes. + When used with edit, + systemd-networkd.service8 + or + systemd-udevd.service8 + will not be reloaded after the editing finishes. diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index b6178c1093..8edd6c94ef 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -363,17 +363,21 @@ DNSStubListenerExtra=udp:[2001:db8:0:f102::13]:9953 StaleRetentionSec=SECONDS - Takes a duration value, which determines the length of time DNS resource records can be retained - in the cache beyond their Time To Live (TTL). This allows these records to be returned as stale records. - By default, this value is set to zero, meaning that DNS resource records are not stored in the cache after their TTL expires. + Takes a duration value, which determines the length of time DNS resource records can + be retained in the cache beyond their Time To Live (TTL). This allows these records to be returned as + stale records. By default, this value is set to zero, meaning that DNS resource records are not + stored in the cache after their TTL expires. - This is useful when a DNS server failure occurs or becomes unreachable. - In such cases, systemd-resolved continues to use the stale records to answer DNS queries, particularly when no valid response - can be obtained from the upstream DNS servers. However, this doesn't apply to NXDOMAIN responses, as those are still perfectly valid responses. - This feature enhances resilience against DNS infrastructure failures and outages. + This is useful when a DNS server failure occurs or becomes unreachable. In such cases, + systemd-resolved8 + continues to use the stale records to answer DNS queries, particularly when no valid response can be + obtained from the upstream DNS servers. However, this doesn't apply to NXDOMAIN responses, as those + are still perfectly valid responses. This feature enhances resilience against DNS infrastructure + failures and outages. - systemd-resolved always attempts to reach the upstream DNS servers first, before providing the client application with any stale data. - If this feature is enabled, cache will not be flushed when changing servers. + systemd-resolved always attempts to reach the upstream DNS servers first, + before providing the client application with any stale data. If this feature is enabled, cache will + not be flushed when changing servers. diff --git a/man/systemctl.xml b/man/systemctl.xml index 3a5ea94aca..2204bee917 100644 --- a/man/systemctl.xml +++ b/man/systemctl.xml @@ -2740,11 +2740,11 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err - + NAME - When used with edit, use the given drop-in file name instead of - override.conf. + When used with edit, use NAME as the drop-in + file name instead of override.conf. diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 1ea16372fc..1aaf03ac52 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -863,7 +863,7 @@ stored sock 0:8 4213190 - socket:[4213190] ro systemd.image-policy7. The policy is normalized and simplified. For each currently defined partition identifier (as per the Discoverable - Partitions Specification the effect of the image policy string is shown in tabular form. + Partitions Specification) the effect of the image policy string is shown in tabular form. Example Output diff --git a/man/systemd-battery-check.service.xml b/man/systemd-battery-check.service.xml index 62d6bf5660..8be54848ce 100644 --- a/man/systemd-battery-check.service.xml +++ b/man/systemd-battery-check.service.xml @@ -18,7 +18,7 @@ systemd-battery-check.service systemd-battery-check - Check battery level whether there's enough charge, and power off if not. + Check battery level whether there's enough charge, and power off if not @@ -32,14 +32,11 @@ Description - - systemd-battery-check.service is used to check the battery level during the early - boot stage to determine whether there's sufficient battery power to carry on with the booting process. - - - systemd-battery-check returns success if the device is connected to an AC power - source or if the battery charge is greater than 5%. It returns failure otherwise. - + This service checks the presence of an external power supply and the battery level during the early + boot stage to determine whether there is sufficient power to carry on with the booting process. + + systemd-battery-check returns success if the device is connected to an AC power + source or if the battery charge is greater than 5%. It returns failure otherwise. diff --git a/man/systemd-firstboot.xml b/man/systemd-firstboot.xml index 5129d068f2..7145c768c2 100644 --- a/man/systemd-firstboot.xml +++ b/man/systemd-firstboot.xml @@ -293,8 +293,8 @@ Write configuration even if the relevant files already exist. Without this option, - systemd-firstboot doesn't modify or replace existing files. Note that when - configuring the root account, even with this option, systemd-firstboot only + systemd-firstboot doesn't modify or replace existing files. Note that when + configuring the root account, even with this option, systemd-firstboot only modifies the entry of the root user, leaving other entries in /etc/passwd and /etc/shadow intact. diff --git a/man/systemd-fsck@.service.xml b/man/systemd-fsck@.service.xml index 22aa876878..fc804374ee 100644 --- a/man/systemd-fsck@.service.xml +++ b/man/systemd-fsck@.service.xml @@ -55,12 +55,12 @@ last check, number of mounts, unclean unmount, etc. systemd-fsck-root.service and systemd-fsck-usr.service - will activate reboot.target if fsck returns the "System - should reboot" condition, or emergency.target if fsck + will activate reboot.target if fsck returns the "System + should reboot" condition, or emergency.target if fsck returns the "Filesystem errors left uncorrected" condition. systemd-fsck@.service will fail if - fsck returns with either "System should reboot" + fsck returns with either "System should reboot" or "Filesystem errors left uncorrected" conditions. For filesystems listed in /etc/fstab without nofail or noauto options, local-fs.target @@ -70,7 +70,7 @@ Kernel Command Line - systemd-fsck understands these kernel + systemd-fsck understands these kernel command line parameters: diff --git a/man/systemd-hibernate-resume.service.xml b/man/systemd-hibernate-resume.service.xml index 6f457f34ab..964c2bd62f 100644 --- a/man/systemd-hibernate-resume.service.xml +++ b/man/systemd-hibernate-resume.service.xml @@ -31,7 +31,7 @@ systemd-hibernate-resume.service initiates the resume from hibernation. - systemd-hibernate-resume only supports the in-kernel hibernation + systemd-hibernate-resume only supports the in-kernel hibernation implementation, see Swap suspend. Internally, it works by writing the major:minor of specified device node to /sys/power/resume, along with the offset in memory pages diff --git a/man/systemd-notify.xml b/man/systemd-notify.xml index 77ce2b5b6d..022297896f 100644 --- a/man/systemd-notify.xml +++ b/man/systemd-notify.xml @@ -211,7 +211,9 @@ invoked. This option may be used multiple times to pass multiple file descriptors in a single notification message. - To use this functionality from a bash shell, use an expression like the following: + To use this functionality from a + bash1 + shell, use an expression like the following: systemd-notify --fd=4 --fd=5 4</some/file 5</some/other/file diff --git a/man/systemd-run.xml b/man/systemd-run.xml index 8a509be2ae..d5a9ca61ba 100644 --- a/man/systemd-run.xml +++ b/man/systemd-run.xml @@ -560,7 +560,8 @@ Dec 08 20:44:48 container systemd[1]: Started /bin/touch /tmp/foo. Allowing access to the tty - The following command invokes bash1 + The following command invokes + bash1 as a service passing its standard input, output and error to the calling TTY. # systemd-run -t --send-sighup bash @@ -618,18 +619,22 @@ There is a screen on: The first argument is expanded by the shell (double quotes), but the second one is not expanded - by the shell (single quotes). echo is called with [/usr/bin/echo, + by the shell (single quotes). + echo1 + is called with [/usr/bin/echo, [], [${INVOCATION_ID}]] as the argument array, and then - systemd generates ${INVOCATION_ID} and substitutes it in the - command-line. This substitution could not be done on the client side, because the target ID that will - be set for the service isn't known before the call is made. + systemd1 + generates ${INVOCATION_ID} and substitutes it in the command-line. This substitution + could not be done on the client side, because the target ID that will be set for the service isn't + known before the call is made. Variable expansion and output redirection using a shell - Variable expansion by systemd can be disabled with - --expand-environment=no. + Variable expansion by + systemd1 + can be disabled with --expand-environment=no. Disabling variable expansion can be useful if the command to execute contains dollar characters and escaping them would be inconvenient. For example, when a shell is used: @@ -639,9 +644,10 @@ There is a screen on: /bin/bash 12345 - The last argument is passed verbatim to the bash shell which is started by the - service unit. The shell expands $SHELL to the path of the shell, and - $$ to its process number, and then those strings are passed to the + The last argument is passed verbatim to the + bash1 + shell which is started by the service unit. The shell expands $SHELL to the path of + the shell, and $$ to its process number, and then those strings are passed to the echo built-in and printed to standard output (which in this case is connected to the calling terminal). diff --git a/man/systemd-sysext.xml b/man/systemd-sysext.xml index 8227b972b9..fe980be5e7 100644 --- a/man/systemd-sysext.xml +++ b/man/systemd-sysext.xml @@ -129,7 +129,7 @@ an extension with the same name in a system folder with lower precedence. A simple mechanism for version compatibility is enforced: a system extension image must carry a - /usr/lib/extension-release.d/extension-release.$name + /usr/lib/extension-release.d/extension-release.NAME file, which must match its image name, that is compared with the host os-release file: the contained ID= fields have to match unless _any is set for the extension. If the extension ID= is not _any, the @@ -168,11 +168,13 @@ .raw suffix are considered disk image based confext images. Again, just like sysext images, the confext images will contain a - /etc/extension-release.d/extension-release.$name - file, which must match the image name (with the usual escape hatch of xattr), and again with content - being one or more of ID=, VERSION_ID=, and - CONFEXT_LEVEL. Confext images will then be checked and matched against the - base OS layer. + /etc/extension-release.d/extension-release.NAME + file, which must match the image name (with the usual escape hatch of + the user.extension-release.strict + xattr7), + and again with content being one or more of ID=, VERSION_ID=, and + CONFEXT_LEVEL. Confext images will then be checked and matched against the base OS + layer. diff --git a/man/systemd-sysusers.xml b/man/systemd-sysusers.xml index 3dfe8c006a..88645aaeb7 100644 --- a/man/systemd-sysusers.xml +++ b/man/systemd-sysusers.xml @@ -150,7 +150,7 @@ Credentials systemd-sysusers supports the service credentials logic as implemented by - ImportCredential=LoadCredential=/SetCredential= + ImportCredential=/LoadCredential=/SetCredential= (see systemd.exec1 for details). The following credentials are used when passed in: diff --git a/man/systemd-vconsole-setup.service.xml b/man/systemd-vconsole-setup.service.xml index 665f894363..614a4d48d2 100644 --- a/man/systemd-vconsole-setup.service.xml +++ b/man/systemd-vconsole-setup.service.xml @@ -57,7 +57,7 @@ Credentials systemd-vconsole-setup supports the service credentials logic as implemented by - ImportCredential=LoadCredential=/SetCredential= + ImportCredential=/LoadCredential=/SetCredential= (see systemd.exec1 for details). The following credentials are used when passed in: diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f5d68f6c47..8db8deb36d 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -232,10 +232,11 @@ To make sure making ephemeral copies can be made efficiently, the root directory or root image should be located on the same filesystem as /var/lib/systemd/ephemeral-trees/. - When using RootEphemeral= with root directories, btrfs should be used as the - filesystem and the root directory should ideally be a subvolume which systemd can - snapshot to make the ephemeral copy. For root images, a filesystem with support for reflinks should - be used to ensure an efficient ephemeral copy. + When using RootEphemeral= with root directories, + btrfs5 + should be used as the filesystem and the root directory should ideally be a subvolume which + systemd can snapshot to make the ephemeral copy. For root images, a filesystem + with support for reflinks should be used to ensure an efficient ephemeral copy. @@ -1917,7 +1918,7 @@ BindReadOnlyPaths=/var/lib/systemd Note that this functionality might not be available, for example if KSM is disabled in the kernel, or the kernel doesn't support controlling KSM at the process level through - prctl(). + prctl2. @@ -3180,7 +3181,7 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX RateLimitBurst= configured in journald.conf5. Note that this only applies to log messages that are processed by the logging subsystem, i.e. by - systemd-journald.service8 + systemd-journald.service8. This means that if you connect a service's stderr directly to a file via StandardOutput=file:… or a similar setting, the rate limiting will not be applied to messages written that way (but it will be enforced for messages generated via @@ -4147,9 +4148,9 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX FileDescriptorStoreMax= is set to a non-zero value (see systemd.service5 for details). Applications may check this environment variable before sending file descriptors to - the service manager via sd_pid_notify_with_fds() (see - sd_notify3 for - details). + the service manager via + sd_pid_notify_with_fds3. + diff --git a/man/systemd.image-policy.xml b/man/systemd.image-policy.xml index 5ea9e46ec2..7a4453d2e1 100644 --- a/man/systemd.image-policy.xml +++ b/man/systemd.image-policy.xml @@ -51,10 +51,10 @@ for partitions that shall exist and be used, with Verity authentication. (Note: if a DDI image carries a data partition, along with a Verity partition and a - signature partition for it, and only the flag is set – and - is not –, then the image will be set up with Verity, but the signature data will - not be used. Or in other words: any DDI with a set of partitions that qualify for - also implicitly qualifies for , and in fact + signature partition for it, and only the flag is set ( + is not), then the image will be set up with Verity, but the signature data will not be used. Or in + other words: any DDI with a set of partitions that qualify for also + implicitly qualifies for , and in fact also ). for partitions that shall exist and be used, with Verity @@ -130,9 +130,9 @@ Most systemd components that support operating with disk images support a command line option to specify the image policy to use, and default to - relatively open policies by default (typically the * policy, as described above), - under the assumption that trust in disk images is established before the images are passed to the program - in question. + relatively open policies (typically the * policy, as described above), under the + assumption that trust in disk images is established before the images are passed to the program in + question. For the host image itself systemd-gpt-auto-generator8 diff --git a/man/systemd.link.xml b/man/systemd.link.xml index b75dc7fcd4..04b424b910 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml @@ -1306,9 +1306,9 @@ $ sudo ip link set eth0 down $ sudo udevadm trigger --verbose --settle --action add /sys/class/net/eth0 You may also need to stop the service that manages the network interface, e.g. - systemd-networkd.service or NetworkManager.service before - the above operation, and then restart the service after that. For more details about - udevadm command, see + systemd-networkd.service8 + or NetworkManager.service before the above operation, and then restart the service + after that. For more details about udevadm command, see udevadm8. diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml index 2da83f8584..e9c00c935d 100644 --- a/man/systemd.net-naming-scheme.xml +++ b/man/systemd.net-naming-scheme.xml @@ -448,7 +448,7 @@ property or none at all. Some firmware and hypervisor implementations report unreasonably high numbers for the - on-board index. To prevent the generation of bogus onbard interface names, index numbers greater + on-board index. To prevent the generation of bogus on-board interface names, index numbers greater than 16381 (2¹⁴-1) were ignored. For s390 PCI devices index values up to 65535 (2¹⁶-1) are valid. To account for that, the limit was increased to 65535. diff --git a/man/systemd.network.xml b/man/systemd.network.xml index f065cfcafa..3e83caaf18 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -2430,7 +2430,9 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix UseCaptivePortal= When true (the default), the captive portal advertised by the DHCP server will be recorded - and made available to client programs and displayed in the networkctl status output per-link. + and made available to client programs and displayed in the + networkctl1 + status output per-link. @@ -2881,7 +2883,9 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix UseCaptivePortal= When true (the default), the captive portal advertised by the DHCPv6 server will be recorded - and made available to client programs and displayed in the networkctl status output per-link. + and made available to client programs and displayed in the + networkctl1 + status output per-link. @@ -3297,7 +3301,9 @@ Token=prefixstable:2002:da8:1:: UseCaptivePortal= When true (the default), the captive portal received in the Router Advertisement will be recorded - and made available to client programs and displayed in the networkctl status output per-link. + and made available to client programs and displayed in the + networkctl1 + status output per-link. @@ -3306,9 +3312,11 @@ Token=prefixstable:2002:da8:1:: UsePREF64= - When true, the IPv6 PREF64 (or NAT64) prefixes received in the Router Advertisement will be recorded - and made available to client programs and displayed in the networkctl status output per-link. - See RFC 8781. Defaults to false. + When true, the IPv6 PREF64 (or NAT64) prefixes received in the Router Advertisement will be + recorded and made available to client programs and displayed in the + networkctl1 + status output per-link. See RFC 8781. + Defaults to false. diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index c3581e78b3..42f265c950 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -1143,7 +1143,7 @@ NFTSet=cgroup:inet:filter:my_service user:inet:filter:serviceuser BPFProgram= allows attaching custom BPF programs to the cgroup of a unit. (This generalizes the functionality exposed via IPEgressFilterPath= and - and IPIngressFilterPath= for other hooks.) Cgroup-bpf hooks in the form of BPF + IPIngressFilterPath= for other hooks.) Cgroup-bpf hooks in the form of BPF programs loaded to the BPF filesystem are attached with cgroup-bpf attach flags determined by the unit. For details about attachment types and flags see bpf.h. Also @@ -1154,13 +1154,27 @@ NFTSet=cgroup:inet:filter:my_service user:inet:filter:serviceuser type:program-path. The BPF program type is equivalent to the BPF attach type used in - bpftool. It may be one of egress, - ingress, sock_create, sock_ops, - device, bind4, bind6, - connect4, connect6, post_bind4, - post_bind6, sendmsg4, sendmsg6, - sysctl, recvmsg4, recvmsg6, - getsockopt, setsockopt. + bpftool8 + It may be one of + egress, + ingress, + sock_create, + sock_ops, + device, + bind4, + bind6, + connect4, + connect6, + post_bind4, + post_bind6, + sendmsg4, + sendmsg6, + sysctl, + recvmsg4, + recvmsg6, + getsockopt, + or setsockopt. + The specified program path must be an absolute path referencing a BPF program inode in the bpffs file system (which generally means it must begin with /sys/fs/bpf/). If @@ -1545,7 +1559,7 @@ DeviceAllow=/dev/loop-control $MEMORY_PRESSURE_WATCH environment variable to the literal string /dev/null. If on tells the service to watch for memory pressure events. This enables memory accounting for the service, and ensures the - memory.pressure cgroup attribute files is accessible for read and write to the + memory.pressure cgroup attribute file is accessible for reading and writing by the service's user. It then sets the $MEMORY_PRESSURE_WATCH environment variable for processes invoked by the unit to the file system path to this file. The threshold information configured with MemoryPressureThresholdSec= is encoded in the diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 51b8404abd..735c98d1d6 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -167,7 +167,7 @@ been forked off (i.e. immediately after fork(), and before various process attributes have been configured and in particular before the new process has called execve() to invoke the actual service binary). Typically, - Type= (see below) is the better choice, see below. + Type= is the better choice, see below. It is expected that the process configured with ExecStart= is the main process of the service. In this mode, if the process offers functionality to other processes on @@ -239,7 +239,7 @@ socket provided by systemd. If NotifyAccess= is missing or set to , it will be forcibly set to . - If the service supports reloading, and uses the a signal to start the reload, using + If the service supports reloading, and uses a signal to start the reload, using instead is recommended. Behavior of is similar to , @@ -1239,8 +1239,9 @@ stop the event is logged but the unit is terminated cleanly by the service manager. If set to kill and one of the unit's processes is killed by the OOM killer the kernel is instructed to kill all remaining processes of the unit too, by setting the - memory.oom.group attribute to 1; also see kernel documentation. + memory.oom.group attribute to 1; also see kernel + page Control Group v2. + Defaults to the setting DefaultOOMPolicy= in systemd-system.conf5 diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 6137d94a0c..647b7dbb72 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -349,9 +349,9 @@ queue that have not been accepted yet. This setting matters only for stream and sequential packet sockets. See listen2 for - details. Note that this value is silently capped by the net.core.somaxconn sysctl, - which typically defaults to 4096. By default this is set to 4294967295, so that the sysctl takes full - effect. + details. Defaults to 4294967295. Note that this value is silently capped by the + net.core.somaxconn sysctl, which typically defaults to 4096, so typically + the sysctl is the setting that actually matters. diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 83ac72a5a3..2e9b87645f 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -884,12 +884,12 @@ JoinsNamespaceOf= For units that start processes (such as service units), lists one or more other units - whose network and/or temporary file namespace to join. If this is specified on a unit (say, a.service - has JoinsNamespaceOf=b.service), then this the inverse dependency - (JoinsNamespaceOf=a.service for b.service) is implied. This only applies to unit - types which support the PrivateNetwork=, NetworkNamespacePath=, - PrivateIPC=, IPCNamespacePath=, and - PrivateTmp= directives (see + whose network and/or temporary file namespace to join. If this is specified on a unit (say, + a.service has JoinsNamespaceOf=b.service), then the inverse + dependency (JoinsNamespaceOf=a.service for b.service) is implied. This only + applies to unit types which support the PrivateNetwork=, + NetworkNamespacePath=, PrivateIPC=, + IPCNamespacePath=, and PrivateTmp= directives (see systemd.exec5 for details). If a unit that has this setting set is started, its processes will see the same /tmp/, /var/tmp/, IPC namespace and network namespace as diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index 03faa66a54..e06da2b661 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml @@ -872,10 +872,10 @@ e! /var/cache/krb5rcache - - - 0 -smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=$(echo "f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)" | base64 -w 0) - By passing this line to QEMU, the public key of the current user will be encoded in - base64, added to a tmpfiles.d line that tells systemd-tmpfiles to decode it into - /root/.ssh/authorized_keys, encode that line itself in base64 and - pass it as a Credential that will be picked up by systemd from SMBIOS on boot. + By passing this line to QEMU, the public key of the current user will be encoded in base64, added + to a tmpfiles.d line that tells systemd-tmpfiles to decode it into + /root/.ssh/authorized_keys, encode that line itself in base64 and pass it as a + Credential that will be picked up by systemd from SMBIOS on boot. diff --git a/man/ukify.xml b/man/ukify.xml index f6cd6804bb..9b7e20997a 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -111,7 +111,7 @@ If the stub and/or the kernel contain .sbat sections they will be merged in the UKI so that revocation updates affecting either are considered when the UKI is loaded by Shim. For more information on SBAT see - Shim's documentation. + Shim documentation. @@ -243,7 +243,7 @@ Print a summary of loaded config and exit. This is useful to check how the options - form the configuration file and the command line are combined. + from the configuration file and the command line are combined. @@ -478,7 +478,7 @@ DBX/MOKX. If not specified manually, a default metadata entry consisting of uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html will be used, to ensure it is always possible to revoke UKIs and addons. For more information on - SBAT see Shim's documentation. + SBAT see Shim documentation. @@ -512,8 +512,8 @@ On the command line, this option may be specified more than once, similarly to the option. If not present, the public keys will be extracted from - the private keys. On the command line, if present, the this option must be specified the same number - of times as the option. + the private keys. On the command line, if present, this option must be specified the same number of + times as the option. @@ -662,13 +662,13 @@ Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem (Both operations need to be done as root to allow write access to /etc/kernel/.) - Subsequent invocations of using the config file + Subsequent invocations using the config file (ukify build --config=/etc/kernel/uki.conf) will use this certificate and key files. Note that the kernel-install8 plugin 60-ukify.install uses /etc/kernel/uki.conf by default, so after this file has been created, installations of kernels that create a UKI on the - local machine using kernel-install would perform signing using this config. + local machine using kernel-install will perform signing using this config.