Add a new option PrivateBPF= to mount a new instance of bpffs within a
namespace.
PrivateBPF= can be set to "no" to use the host bpffs in readonly mode
and "yes" to do a new mount.
The mount is done with the new fsopen()/fsmount() API because in future
we'll hook some commands between the two calls.
This changes little in behaviour, the conceptual part is more important. The
non-Ex variant is the actual name on the command line, and we should use the
non-Ex D-Bus property too, if it works. This increases compatibility with old
versions. But the code was mostly doing the right thing. Even the tests tested
the right thing.
Follow-up for b3d593673c and
898fc00e79.
The test is simplified by taking advantage of the fact that both names
on the commandline are supposed to behave identically.
Partially resolves https://github.com/systemd/systemd/issues/37174.
Enable nspawn job, as there's no nested kvm so VMs are too slow. Fix
some tests that fail in a VM anyway, might add a nightly job later that
runs them.
Related to https://github.com/systemd/systemd/pull/37641.
The name "transient settings" was used in docs/TRANSIENT-SETTINGS.md.
Using "setting" helps distinguish this from D-Bus "properties", which are
a much larger set, partially overlapping.
This is a separate commit because the parent commit is supposed to be
backward compatible, i.e. the tests must pass with both the bogus ProtectHostnameEx
name and ProtectHostname.
A test is added for ProtectHostnameEx to verify that it is still accepted
for backward compat.
Let's make sure these socket units work as expected by stopping the
related services and making sure the services are started as expected
when a client connects to the corresponding socket.
Prior to this change, no user shell can be specified in the user
records passed into a container via --bind-user=. This new option
allows users to:
1. When false (the default), continue to specify no user shell for
each bound user record, resulting in the use of the container's
default shell for bound users.
2. When true, include each host user's shell in the corresponding
user record passed into a container (via --bind-user=).
3. When an absolute path, set that path as the user shell for each
user record passed into a container (via --bind-user=).
This does not change the existing behavior, but allows users to
opt-in to either copy the shells specified by the host user records
or override the shell explicitly by path.
[1] says:
> Since 0.60.0 the name argument is optional and defaults to the basename of
> the first output
We specify >= 0.62 as the supported version, so drop the duplicate name in all cases
where it is the same as outputs[0], i.e. almost all cases.
[1] https://mesonbuild.com/Reference-manual_functions.html#custom_target
Otherwise, the result may point to outside of the root directory.
This also sets CONF_FILES_REGULAR and CONF_FILES_FILTER_MASKED, as the
callers will call fopen() or friends for the result, thus the enumerated
results must be non-empty regular files.
Otherwise, kernel may announce configuration of an address or route
after 'ip monitor' is started.
This also makes the test check if the whole output of 'ip monitor' is
empty. Otherwise, if the test fails, it is hard to find what is wrong.
Follow-ups for 912a48572d and
bcb9e72b6b.
Fixes#37982.
When `num_skip` is supplied to the `Range` header, journal-gatewayd
always returns the very last record even though it should have been
skipped. This is because the `sd_journal_next_skip` always returns
non-zero value on the first call, leading to one iteration of the
`request_reader_entries` returning the last record.
To avoid this unexpected behavior, check that the number of lines we
have skipped by is not lower than the requested skip value. If it is,
then it means there are lines which should not be returned now -
decrement the n_skip counter then and return from the function, closing
the stream if follow flag is not set.
Fixes#37954
It will otherwise interpret characters such as '+' as if they
were regex, and break matching.
For example TEST-71-HOSTNAME started failing when
uname -r started including a '+':
FAIL: 'Kernel: Linux 6.12.33+deb13-amd64' not found in:
Static hostname: host
Icon name: computer-vm
Chassis: vm 🖴
Machine ID: e6471c1f95ab49098827498ed816cdf7
Boot ID: 231da987f64d4af59f2076fbb638c611
Virtualization: kvm
Operating System: Debian GNU/Linux 13 (trixie)
Kernel: Linux 6.12.33+deb13-amd64
Architecture: x86-64
Loopback block devices are agressively reused, without being removed in
between. This means various inode attributes on their device nodes will
– so far – remain in effect between uses of the devices. Since there are
applications which change access mode/ownership of such devices after
attaching files to them, let's undo this again when we detect them to be
unused again.
Fixes: #37745
Some configuration files that need updates are directly under in /etc. To
update them atomically, we need write access to /etc. For Ubuntu Core this is
an issue as /etc is not writable. Only a selection of subdirectories can be
writable. The general solution is symlinks or bind mounts to writable places.
But for atomic writes in /etc, that does not work. So Ubuntu has had a patch
for that that did not age well.
Instead we would like to introduce some environment variables for alternate
paths.
* SYSTEMD_ETC_HOSTNAME: /etc/hostname
* SYSTEMD_ETC_MACHINE_INFO: /etc/machine-info
* SYSTEMD_ETC_LOCALTIME: /etc/localtime
* SYSTEMD_ETC_LOCALE_CONF: /etc/locale.conf
* SYSTEMD_ETC_VCONSOLE_CONF: /etc/vconsole.conf
* SYSTEMD_ETC_ADJTIME: /etc/adjtime
While it is for now expected that there is a symlink from the standard, we
still try to read them from that alternate path. This is important for
`/etc/localtime`, which is a symlink, so we cannot have an indirect symlink or
bind mount for it.
Since machine-id is typically written only once and not updated. This commit
does not cover it. An initrd can properly create it and bind mount it.
Since 435c372ce5 added in v256,
num_entries part of the Range header is mandatory and error is returned
when it's not filled in. This makes using the "follow" argument clumsy,
because for an indefinite following of the logs, arbitrary high number
must be specified. This change makes it possible to omit it again and
documents this behavior in the man page.
Moreover, as the cursor part of the header was never mandatory, enclose
it in square brackets in the documentation as well and elaborate how
indexing works.
Following are some concrete examples of the Range header which are now
accepted:
entries= (or entries=:)
- everything starting from the first event
entries=cursor
- everything starting from `cursor`
entries=:-9:10
- last 10 events and close the connection
If the follow flag is set:
entries=:-4:10
- last 5 events, wait for 5 new and close connection
entries=:-9:
- last 10 events and keep streaming
Note that only the very last one is changing current behavior, but
reintroduces pre-v256 compatibility.
Fixes#37172
When adding a new interface to the object add it at the end of the list.
This way, when iterating over the list, e.g., during handling introspect
call, the order of returned interfaces will mach the order in which they
were added.
If mode= is not set in rootflags= add mode=0755 when a tmpfs
is used on the rootfs, otherwise it will be group/world writable
as that's the default mode for tmpfs filesystems.
Follow-up for 725ad3b062
