This is useful when the previous invocation is unexpectedly killed.
Otherwise, if systemd-nspawn is killed forcibly, then unix-export
directory is not cleared and unmounted, and the subsequent invocation
will fail. E.g.
===
[ 18.895515] TEST-13-NSPAWN.sh[645]: + machinectl start long-running
[ 18.945703] systemd-nspawn[1387]: Mount point '/run/systemd/nspawn/unix-export/long-running' exists already, refusing.
[ 18.949236] systemd[1]: systemd-nspawn@long-running.service: Failed with result 'exit-code'.
[ 18.949743] systemd[1]: Failed to start systemd-nspawn@long-running.service.
===
So far, we supported two modes:
1. when running unpriv we'd get the mounts from mountfsd, and the userns
from nsresourced
2. when running priv we'd do the mounts/userns ourselves
This untangles this a bit, so that we can also use mountfsd/nsresourced
when running privilged.
I think this is generally a bit nicer, and probably something we should
switch to entirely one day, as it reduces the variety of codepaths.
With this patch the default behaviour remains unchanged, but by
selecting the new "managed" option for --private-users= the codepaths
via mountfsd/nsresourced can be explicitly requested even when running
with privs.
This is mostly just reworks that we check for arg_userns_mode !=
USER_NAMESPACE_MANAGED rather than arg_privileged for a number of
codepaths, but requires more fixes, too. The devil is in the details.
I don't actually need this anymore since we're going with a
unit based approach for the containers stuff internally so
let's just revert it.
Fixes#34085
This reverts commit ce2291730d.
This allows for example forcing to use /sbin/init instead of always
using /usr/lib/systemd/systemd if it exists. Or it allows using a
different path altogether.
This fixes a few unrelated issues:
- when ENABLE_MACHINED is false, machinectl is not installed, but _sd_machines
is still used in a few places that want to complete -M and such.
Also, bash completion calls machinectl in various places.
Make missing machinectl mean "no machines" in this case, so
that no error is generated in the callers.
- machinectl list --full would print multiple lines of output per machine,
breaking grep, issue introduced in e2268fa437.
Using --max-addresses=1 would fix the issue, but let's use
--max-addresses=0 because we now can.
- the lists used in various places were slightly different for no good reason.
- don't use a subshell if not necessary.
The code for bash still uses the same combined list of images and running
machines for various commands. The zsh code uses images for start/clone, and
running machines for the rest. Maybe something to fix in the future.
Replaces #25048.
This is supposed to be used by package/image builders such as mkosi to
speed up building, since it allows us to suppress sync() inside a
container.
This does what Debian's eatmydata tool does, but for a container, and
via seccomp (instead of LD_PRELOAD).
The words and cword variables are not localized in all Bash completion
scripts that call _init_completion.
cur, prev, words, and cword (and split if using the -s flag) are all
variables that should be localized in Bash completion scripts before
calling _init_completion (even if they don't otherwise appear in the
calling script). This is done for cur and prev, but not for words and
cword. Letting words and cword remain unlocalized may clobber variables
the user is using for other purposes, which is bad.
This issue can be resolved by declaring words and cword as local
variables.
Resolves#19188.
Since cryptsetup 2.3.0 a new API to verify dm-verity volumes by a
pkcs7 signature, with the public key in the kernel keyring,
is available. Use it if libcryptsetup supports it.
Hiding the first column, which may contain bullet circles, with --no-legend
is undocumented and potentially unexpected. On the other hand, not printing
bullet circles with --plain is documented so hiding the column with that
switch is sensible.
The combination "--full --no-legend --no-pager --plain" is appropriate for
automated processing of systemctl output.
*Autocompletion for dirs, doesn't leave until you press space.
*Added tmpfs, volatile and network-macvlan options.
I tried with the SELinux options with seinfo(setools-console), but too
messy to get it right. Even Daniel Walsh haven't done it yet. :)
