This allows for more liberal usage of logging functionality as messages
will no longer always show up on screen, regardless of urgency. The log
level to use can be configured through an SMBIOS type 11 string
(`io.systemd.boot.loglevel=`) or by using the `log-level` option in
loader.conf. Valid values are debug, info, notice, warning, err, crit,
alert, and emerg. By default, info will be used.
As explained in https://github.com/systemd/systemd/issues/37892, it
would be nice to define per-partition PCRs/key file to use.
The global default config will be still defined as cmdline options, and
`TPM2PCRs=` and `KeyFile=` will be overriden by them.
Implements the ability to add recovery keys to existing user accounts
via homectl update --recovery-key=yes. Previously, recovery keys could
only be configured during initial user creation, requiring users to
recreate their entire home directory to add recovery keys later.
Fixes: #23602
This PR implements what is proposed in
https://github.com/systemd/systemd/issues/37992.
Having a global config file that supports the same cmdline options for
sysext/confext allows the user to customize the behavior of
systemd-sysext.service unit too, without the need of hacking the service
manually.
The global config will live in
`CONF_PATHS_STRV()/systemd/{sysext/confext}.conf` and it will be
overridden by cmdline, so it is possible to customize a run if
`systemd-sysext` is executed manually.
For now support `--mutable=` (`Mutable`) and `--image-policy=`
(`ImagePolicy`).
--no-hostname is one of the switches I use very often. In particular,
when looking at CI logs, the hostname is almost never interesting.
-H is not yet used in journalctl, because journal operates locally, but
will want it if display of remote journals is implemented. Use -W.
Commit d7bea6b6 ("nspawn: introduce an option for specifying network
namespace path") already did most of the work here enabling a command
line option for specifying the namespace path for a given container.
Someone even took care of the merging code in merge_settings as though
this already worked. All that's then needed is to add a line to the
nspawn-gperf.gperf file to actually enable being able to specify
NamespacePath from nspawn files as well.
This greatly simplifies how we configure nspawn containers by being able
to give all the options we need in .nspawn files instead of needing to
also use command line parameters.
Closes: #27188
These options were added in v255 with commit
cb341090d0, but were not documented as
standalone options in loader.conf. See #29440 for more information.
Add repart.d KeyFile= option with the same syntax as --key-file.
This allows a per-partition key file encryption, and not rely on a global key
applicable to all partitions.
The global --key-file overrides KeyFile config. If none of them is
defined, rely on default.
Add repart.d TPM2PCRs= option with the same syntax as --tpm2-pcrs.
This allows a per-partition pcr binding, and not rely on a global config
applicable to all partitions.
The global --tpm2-pcrs overrides TPM2PCRs config. If none of them
is defined, rely on default.
Found using linkchecker.
For virtiofsd, the man page is maintained upstream, but doesn't seem to be
available in any of the usual places. So let's link to the Debian version.
systemd.filter I have no idea what it is.
It is extremely confusing to use different filenames for different
locations, so pick up the same images for both per-UKI and global
extensions
Follow-up for 9f7e3820e9
https://github.com/systemd/systemd/pull/15509/files#r2234113960 complains that the
advice is still not clear enough. systemd-boot itself says
"Menu hidden. Hold down key at bootup to show menu."
so let's do the same and tell users to hold down space as the first option.
This should work fine for 99% of people. Then invert the following advice to
try repeated pressing as the alternative option.
Also, fix the advice about --boot-loader-menu=. The whole para is about getting
the menu to show, so 0 is not a good value.
Follow-up for https://github.com/systemd/systemd/pull/15509.
Some keys have only a transient effect, e.g. 'e', but some have a persistent
effect, e.g. 'd'. This is important informations, but the reader might be
forgiven for not finding that at all obvious when reading the descriptions of
the keys.
Also, mention in loader.conf man page that the settings there might be overriden
by EFI variables. This is another thing that is important but not obvious.
For some reason, the man page for loader.conf also mentioned type#1 entries
in passing. Except for using the same file extension, those files are in a
completely different format and with a different purpose. This mixup was
first introduced in f37d383582, was then
reported in #10923, which was closed by cbae79b8d0,
but that didn't fix the actual issue.
Really fixes#10923.
While at it, simplify and improve the wording a bit.
Add sysext.conf, which similar to other configs like coredump, will be
searched in:
/{etc run usr/lib}/systemd/{sysext/confext}.conf
but also
/{etc run usr/lib}/systemd/{sysext/confext}.conf.d/*
This config is an alternative to command line options, especially useful
if we want to extend the service units without modifying them.
Installing stuff in a chroot should not fail because efivars are
not available. When running in a container touching efivars is
completely disabled, but there are some cases (recovery) where
it is needed to touch them in a chroot, so don't disable them but
avoid failing the run instead.
All those files are standalone programs that can be executed directly.
Some .py files were marked executable, others weren't, probably accidentally.
Mark them all as executable in preparation for subsequent changes.
Some files were using that, others weren't. Since those are user-facing
docs, we should use the nice clean form, not the workaround for strange
systems that we use in other places.
This makes the systemd.getty_auto= kernel command line option and the
$SYSTEMD_GETTY_AUTO environment variable takes the list of classes of
services: credential, container, console, builtin.
This also add getty.auto credential that can take the same value as the
kernel command line option.
Closes#37928.
Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>
