date:20150422

On Thu, 05.03.15 11:13, Randy Witt (randy.e.w...@linux.intel.com) wrote:

Sorry for the late review!

 Previously, globs would always get processed first followed by any other
 items in arbitrary order. This is contrary to the documentation which
 states Otherwise, the files/directories are processed in the order they
 are listed.
 
 To fix this, remove the separate globs hashmap, and instead use only one
 marking each entry as a glob or not. There should be little overhead
 from doing this, considering the only time nested processing will occur
 is for processing of globs which are not of type X.

Hmm, I figure the patch makes sense. Can you rebase this on current
git, please?

Also, any chance you can split this up in two patces, one that moves
this to ordered hashmaps, and the other which then merges the two
hashmaps? Should be much easier to review, then.

 Signed-off-by: Randy Witt randy.e.w...@linux.intel.com

No S-o-b please, we do not use this in systemd.

  src/tmpfiles/tmpfiles.c | 53 
 ++---
  1 file changed, 24 insertions(+), 29 deletions(-)
 
 diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
 index 917bb3c..0b6d226 100644
 --- a/src/tmpfiles/tmpfiles.c
 +++ b/src/tmpfiles/tmpfiles.c
 @@ -116,6 +116,7 @@ typedef struct Item {
  bool force:1;
  
  bool done:1;
 +bool glob:1;

This is unnecessary, isn't it? I mean, this value is only dependent of
the line type, and we can always query that again with needs_glob(),
no need to store this away...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tmpfiles.c: Honor ordering within files as the docs say.

On Wed, 22.04.15 18:19, Lennart Poettering (lenn...@poettering.net) wrote:

 On Thu, 05.03.15 11:13, Randy Witt (randy.e.w...@linux.intel.com) wrote:
 
 Sorry for the late review!
 
  Previously, globs would always get processed first followed by any other
  items in arbitrary order. This is contrary to the documentation which
  states Otherwise, the files/directories are processed in the order they
  are listed.
  
  To fix this, remove the separate globs hashmap, and instead use only one
  marking each entry as a glob or not. There should be little overhead
  from doing this, considering the only time nested processing will occur
  is for processing of globs which are not of type X.
 
 Hmm, I figure the patch makes sense. Can you rebase this on current
 git, please?
 
 Also, any chance you can split this up in two patces, one that moves
 this to ordered hashmaps, and the other which then merges the two
 hashmaps? Should be much easier to review, then.

So I looked into this in more detail now, and made the change to
ordered hashmap now already. However, I don't think we should merge
the two hashmaps. The reasons for this is actually documented in the
code: lines that take globs *adjust* files or other fs objects, while
lines that do not take globs *create* files or other fs objects. I
think it is a good idea, to make sure that the lines that create files
should be processed before the ones that adjust them, so that the
adjustments are always applied to *all* files that exist in the fs
after tmpfiles finished.

I have updated the man page to explain this now.

I hope this makes sense!

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] vconsole: rerun setup on console takeovers as well

On Tue, 24.02.15 19:23, Jan Engelhardt (jeng...@inai.de) wrote:

Sorry for the late reply,

 When a system, which has an FB driver and fbcon loaded and active,
 then the font state gets lost on console takeovers, as for example
 issued by i915. Since fbcon remains loaded and active, the existing
 event handling (add/vtcon*) is not sufficient.

what's the precise effect of this? I mean, iirc we already might end
up calling s-v-s twice, since it is pulled in from a udev rule and
during normal boot. Does this mean it is regularly pulled in thrice
even?

Isn#t the right fix to make the kernel keep the font settings around
during the fb transition?

Can you elaborate a bit on this? Kinda missing the details before I
can merge this.

David, Kay, any idea about this?

 ---
 This goes on top of the other patchset I sent earlier.
  [PATCH 1/2] vconsole: match on vtcon events, not fbcon ones
 
  src/vconsole/90-vconsole.rules.in | 4 
  1 file changed, 4 insertions(+)
 
 diff --git a/src/vconsole/90-vconsole.rules.in 
 b/src/vconsole/90-vconsole.rules.in
 index 35b9ad5..e05ecbf 100644
 --- a/src/vconsole/90-vconsole.rules.in
 +++ b/src/vconsole/90-vconsole.rules.in
 @@ -8,3 +8,7 @@
  # Each vtcon keeps its own state of fonts.
  #
  ACTION==add, SUBSYSTEM==vtconsole, KERNEL==vtcon*, 
 RUN+=@rootlibexecdir@/systemd-vconsole-setup
 +
 +# Handle the case of console takeover where the fb device is replaced.
 +#
 +ACTION==add, SUBSYSTEM==graphics, KERNEL==fb[0-9]*, 
 RUN+=@rootlibexecdir@/systemd-vconsole-setup
 -- 
 2.1.4
 
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel


Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] About the exit of systemd-udevd

2015-04-22 Thread Kay Sievers

On Tue, Apr 14, 2015 at 4:47 PM, Tom Yan tom.t...@gmail.com wrote:
 Under certain conditions, I discovered that commands like `udevadm
 control --exit` or `systemctl stop systemd-udevd` (with the sockets
 stopped beforehand) will kill udevd before it finish its jobs which
 triggered by `udevadm trigger` (I presume applying a written udev rule
 is one of them).

 Is this acceptable/expected? If so, is there any way to guarantee the
 jobs is done before it gets killed?

It is expected, udevd will finish everything that is currently already
running and do a clean shutdown, but not process any new events which
might be triggered and pending.

Kay
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

Hi Lennart,

On Wed, Apr 22, 2015 at 1:46 PM, Lennart Poettering
lenn...@poettering.net wrote:
 I was trying to run systemd-nspawn --ephemeral, but that failed
 since I had a read-only image in /var/lib/machines. Why is that not
 allowed? systemd-nspawn does create its own snapshot of that one after
 all (which can be read-write). Why does the base image have to be
 read-write, too?

 Hmm? This shouldn't fail. What's the precise error message you get?

It complains about a read-only filesystem when trying to bind-mount
some directories into the machine.

 Then I have trouble with systemd-nspawn --network-veth: The host0
 interface won't come up and stays in degraded state. On the host i get
 the following line in the journal:

 systemd-networkd[509]: ve-XXX : Could not enable IP masquerading:
 Protocol not available

 I have an nftables based firewall up and running, so maybe networkd is
 expecting iptables to be in use?

 Most likely iptables is compiled as kernel module for you. The module
 cannot be auto-loaded currently, iptables manually loads it for you on
 first invocation, networkd doesn't. If you load it manually (by adding
 it to modules-load.d for example) things should work.

I loaded the ip-tables module manually now and that does indeed fix
the error message in my original mail. The machine still stays in
degraded (configuring) forever though.

As I said: I have a fully set up nftables-based firewall, so I expect
systemd will have trouble doing anything sensible with iptables. I
read iptables are a wrapper around nftables nowadays, but iptables -L
does not show any of my rules, so that might be the reason for the
trouble I am seeing.

Do I need to reinstall my machines using an iptables firewall for this to work?

Best Regards,
Tobias
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 15:19, Tobias Hunger (tobias.hun...@gmail.com) wrote:

 On Wed, Apr 22, 2015 at 3:12 PM, Tobias Hunger tobias.hun...@gmail.com 
 wrote:
  Hi Lennart,
 
  On Wed, Apr 22, 2015 at 1:46 PM, Lennart Poettering
  lenn...@poettering.net wrote:
  I was trying to run systemd-nspawn --ephemeral, but that failed
  since I had a read-only image in /var/lib/machines. Why is that not
  allowed? systemd-nspawn does create its own snapshot of that one after
  all (which can be read-write). Why does the base image have to be
  read-write, too?
 
  Hmm? This shouldn't fail. What's the precise error message you get?
 
  It complains about a read-only filesystem when trying to bind-mount
  some directories into the machine.
 
 Sorry, I forgot to attach the exact error message:
 
 Apr 22 15:13:18 server systemd-nspawn[1804]: Failed to create mount
 point /var/lib/machines/.#vmbdd461661453a1b8/mnt/ftp: Read-only file
 system
 
 Looking at the code I do not see why that subvolume should be
 read-only. Maybe it inherits the read-only from the one it is a
 snapshot off?

Oh, that could be. I figure we should unset the read-only flag unless
--ephemeral is combined with --read-only.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Journalctl Unit Completion Optmization

On Tue, 03.03.15 23:02, Justin Brown (justin.br...@fandingo.org) wrote:

 Hello,
 
 I've recently been using journalctl on one of my longer-lived systems, and
 I'm running into a slight annoyance. Most of the time I'm using `journalctl
 -u unit -e`. I use tab completion for the unit name, and the annoyance
 is the long pause journalctl takes to complete a unit. With cold cache
 (meaning writing 3 to /proc/sys/vm/drop_caches), this takes 23 seconds on a
 system using Btrfs on a SATA3 SSD. With warm cache, it still takes 3-4
 seconds. Both cases are quite a bit slower than normal tab completion
 behavior.

Is it really that bad if the files on btrfs are defragmented properly?
Note that btrfs is notoriously bad at handling journald's write
pattern currently, which results in heavily fragmented files. Use the
filefrag tool to check how fragmented they are, and use btrfs defrag
to the fix this.

Before we look into other options I'd really prefer if you could check
if this already fixes your issues.

(Note that very recent journald will set the btrfs NOCOW flag now on
the journal files, which should work around this issue.)

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] vconsole: rerun setup on console takeovers as well

2015-04-22 Thread David Herrmann

Hi

On Wed, Apr 22, 2015 at 6:14 PM, Lennart Poettering
lenn...@poettering.net wrote:
 On Tue, 24.02.15 19:23, Jan Engelhardt (jeng...@inai.de) wrote:

 Sorry for the late reply,

 When a system, which has an FB driver and fbcon loaded and active,
 then the font state gets lost on console takeovers, as for example
 issued by i915. Since fbcon remains loaded and active, the existing
 event handling (add/vtcon*) is not sufficient.

 what's the precise effect of this? I mean, iirc we already might end
 up calling s-v-s twice, since it is pulled in from a udev rule and
 during normal boot. Does this mean it is regularly pulled in thrice
 even?

 Isn#t the right fix to make the kernel keep the font settings around
 during the fb transition?

 Can you elaborate a bit on this? Kinda missing the details before I
 can merge this.

 David, Kay, any idea about this?

The kernel should really issue a change uevent on handover. We
should not guess this based on graphics device add/removal.

Thanks
David
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Zombie process still exists after stopping gdm.service

On Tue, 21.04.15 13:25, Daniel Drake (dr...@endlessm.com) wrote:

 There's a comment in unit_kill_context() which looks relevant here:
 
 /* FIXME: For now, we will not wait for the
  * cgroup members to die, simply because
  * cgroup notification is unreliable. It
  * doesn't work at all in containers, and
  * outside of containers it can be confused
  * easily by leaving directories in the
  * cgroup. */
 
 /* wait_for_exit = true; */

This is indeed the key of the issue.

As soon as we move to using the new sane behaviour kernel cgroup API
we can fix this properly, and wait for the children correctly. As soon
as that is not the case though we send SIGKILL immediately after the
SIGTERM...

I am a bit unwilling to document the precise behaviour, since the
current behaviour is really just a stop-gap until we ported things
over to the new kernel API and this will work as intended.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 14:36, Michael Biebl (mbi...@gmail.com) wrote:

   Not everyone is using networkd or nspawn though, so loading this
   module for everyone is a bit excessive.
  
   Well, then blacklist the module or don't build it at all.
 
  That's the wrong way around.
 
  Nah, I disagree. We do this for a number of modules now. I mean, we
 
 We currently do this static loading for unix, ipv6 and autofs4.
 
  load tons of modules automatically, even if you don't use them. For
  example, my laptop always loads the bluetooth modules, even though I
  never used bluetooth.
 
 Those are all loaded on demand, not statically. I.e. we don't load the
 bluetooth module for each and every user.

No, things like bluetooth are not loaded on demand, but already when
you just have the hw for it.  That's quite a difference.

Pure on-demand loading of all modules is something that was given up
on back in kernel 2.2 times already...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 15:42, Tobias Hunger (tobias.hun...@gmail.com) wrote:

 PS: Is there a way to stop the VMs to get a btrfs subvolume created in
 /var/lib/machines?

Not in nspawn, no.

This could be implemented via seccomp though.

 I have a couple of .#vm subvolumes in /var/lib/machines now and
 btrfs subvolume delete does not work on those since they have a
 subvolume in /var/lib/machine. Apparently systemd-nspawn also stumbled
 over this as the directories are still there but the machines are not
 running.

As mentioned in an earlier thread here, Chris intends to add recursive
subvolume deletion to btrfs-progs.

In systemd git machinectl remove recursively deletes subvolumes already.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

2015-04-22 Thread Dominick Grift

   2015-04-22 14:14 GMT+02:00 Lennart Poettering lennart at poettering.net:
  
   Well, I really don't want to give networkd the caps for that,
   sorry. It's a network facing daemon, it should not be able to load
   kernel modules.
 
  But it is okay for networkd to manipulate the firewall directly.

 Yes, networkd configures the network. That's its raison d'etre.

Thanks for clearing that up. I alway's thought firewalls were a security thing, 
and that netfilter is mandatory access control framewark that should be, 
mostly, transparent to applications and services.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindexsearch=0x314883A202DFF788
Dominick Grift


pgpbPvtZbgCoo.pgp
Description: PGP signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 14:28, Michael Biebl (mbi...@gmail.com) wrote:

 2015-04-22 14:22 GMT+02:00 Michael Biebl mbi...@gmail.com:
  2015-04-22 14:14 GMT+02:00 Lennart Poettering lenn...@poettering.net:
  On Wed, 22.04.15 14:09, Michael Biebl (mbi...@gmail.com) wrote:
 
  Not everyone is using networkd or nspawn though, so loading this
  module for everyone is a bit excessive.
 
  Well, then blacklist the module or don't build it at all.
 
 [..]
 
  For the same reason that iptables doesn't complain loudly but loads
  it. To be user-friendly and just make things work?
 
 And making everyone who doesn't want this feature jump through hoops
 and having them blacklist the module is not user-friendly at all.
 Least of it, it's not really intuitive and discoverable, how this
 module got loaded in the first place.

Well, it is not discoverable for *any* kmod really, not just this
one. 

Except, that this is actually *more* discoverable thant normal
udev-based or kernel-auto-loaded kmods, since we actually *do* log
about it, in contrast to those cases.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

2015-04-22 14:26 GMT+02:00 Lennart Poettering lenn...@poettering.net:
On Wed, 22.04.15 14:22, Michael Biebl (mbi...@gmail.com) wrote:

2015-04-22 14:14 GMT+02:00 Lennart Poettering lenn...@poettering.net:
On Wed, 22.04.15 14:09, Michael Biebl (mbi...@gmail.com) wrote:

2015-04-22 13:57 GMT+02:00 Lennart Poettering lenn...@poettering.net:
Maybe we should simply list the iptables kernel modules in
src/core/kmod-setup, and then tell people to blacklist them if they
really don't want them.

I have made such a change now:

http://cgit.freedesktop.org/systemd/systemd/commit/?id=1d3087978a8ee23107cb64aa55ca97aefe9531e2

Not everyone is using networkd or nspawn though, so loading this
module for everyone is a bit excessive.

Well, then blacklist the module or don't build it at all.

That's the wrong way around.

Nah, I disagree. We do this for a number of modules now. I mean, we

We currently do this static loading for unix, ipv6 and autofs4.

load tons of modules automatically, even if you don't use them. For
example, my laptop always loads the bluetooth modules, even though I
never used bluetooth.

Those are all loaded on demand, not statically. I.e. we don't load the
bluetooth module for each and every user.

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

2015-04-22 15:25 GMT+02:00 Lennart Poettering lenn...@poettering.net:
 On Wed, 22.04.15 14:36, Michael Biebl (mbi...@gmail.com) wrote:

   Not everyone is using networkd or nspawn though, so loading this
   module for everyone is a bit excessive.
  
   Well, then blacklist the module or don't build it at all.
 
  That's the wrong way around.
 
  Nah, I disagree. We do this for a number of modules now. I mean, we

 We currently do this static loading for unix, ipv6 and autofs4.

  load tons of modules automatically, even if you don't use them. For
  example, my laptop always loads the bluetooth modules, even though I
  never used bluetooth.

 Those are all loaded on demand, not statically. I.e. we don't load the
 bluetooth module for each and every user.

 No, things like bluetooth are not loaded on demand, but already when
 you just have the hw for it.  That's quite a difference.


Loading the bluetooth module when you have the hardware is something
different then loading it unconditionally for everyone.
You are doing the latter with iptables.
And why does this have to be hard-coded in the source instead of
shipping a /etc/modules-load.d snippet where it would be easily
discoverable?


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 15:43, Michael Biebl (mbi...@gmail.com) wrote:

 2015-04-22 15:25 GMT+02:00 Lennart Poettering lenn...@poettering.net:
  On Wed, 22.04.15 14:36, Michael Biebl (mbi...@gmail.com) wrote:
 
Not everyone is using networkd or nspawn though, so loading this
module for everyone is a bit excessive.
   
Well, then blacklist the module or don't build it at all.
  
   That's the wrong way around.
  
   Nah, I disagree. We do this for a number of modules now. I mean, we
 
  We currently do this static loading for unix, ipv6 and autofs4.
 
   load tons of modules automatically, even if you don't use them. For
   example, my laptop always loads the bluetooth modules, even though I
   never used bluetooth.
 
  Those are all loaded on demand, not statically. I.e. we don't load the
  bluetooth module for each and every user.
 
  No, things like bluetooth are not loaded on demand, but already when
  you just have the hw for it.  That's quite a difference.
 
 
 Loading the bluetooth module when you have the hardware is something
 different then loading it unconditionally for everyone.
 You are doing the latter with iptables.

I don#t see how this really was any different. I am sure a lot of
people never want to use bluetooth, and I am also sure that a lot of
people don#t want to use iptables (and of both of these, bluetooth is
certainly the more exotic one, even). In both cases we autoload them
now, with an easy way out, via blacklisting.

 And why does this have to be hard-coded in the source instead of
 shipping a /etc/modules-load.d snippet where it would be easily
 discoverable?

Because we generally try to make the system just work, without
configuration. 

There's also another backstory: hopefully we can merge Daniel's
patches soon that add minimal per-service Firewalling to PID 1. In
that case it's not only networkd+nspawn that needs this, but PID 1
too, which makes the modules-load.d path unworkable.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 15:55, Dominick Grift (dac.overr...@gmail.com) wrote:

  2015-04-22 14:14 GMT+02:00 Lennart Poettering lennart at poettering.net:
 
  Well, I really don't want to give networkd the caps for that,
  sorry. It's a network facing daemon, it should not be able to load
  kernel modules.
 
 But it is okay for networkd to manipulate the firewall directly.

Yes, networkd configures the network. That's its raison d'etre.

 The nft manual page states that the iptable_nat module conflicts
 with the module that deals with nftables nat. Does that mean that
 the networkd IPMasquerade= functionality will not work if one
 blacklists iptables_nat?

Well, if that's what it says, then yes. We can certainly add support
for manipulating nft too, but so far the APIs fo that appeared much
less convincing to me, and quite a bit more exotic.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 15:12, Tobias Hunger (tobias.hun...@gmail.com) wrote:

  Then I have trouble with systemd-nspawn --network-veth: The host0
  interface won't come up and stays in degraded state. On the host i get
  the following line in the journal:
 
  systemd-networkd[509]: ve-XXX : Could not enable IP masquerading:
  Protocol not available
 
  I have an nftables based firewall up and running, so maybe networkd is
  expecting iptables to be in use?
 
  Most likely iptables is compiled as kernel module for you. The module
  cannot be auto-loaded currently, iptables manually loads it for you on
  first invocation, networkd doesn't. If you load it manually (by adding
  it to modules-load.d for example) things should work.
 
 I loaded the ip-tables module manually now and that does indeed fix
 the error message in my original mail. The machine still stays in
 degraded (configuring) forever though.
 
 As I said: I have a fully set up nftables-based firewall, so I expect
 systemd will have trouble doing anything sensible with iptables. I
 read iptables are a wrapper around nftables nowadays, but iptables -L
 does not show any of my rules, so that might be the reason for the
 trouble I am seeing.

Well, to my knowledge the kernel actually supports both in
parallel. networkd + nspawn only do iptables.

 Do I need to reinstall my machines using an iptables firewall for this to 
 work?

No need.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

PS: Is there a way to stop the VMs to get a btrfs subvolume created in
/var/lib/machines?

I have a couple of .#vm subvolumes in /var/lib/machines now and
btrfs subvolume delete does not work on those since they have a
subvolume in /var/lib/machine. Apparently systemd-nspawn also stumbled
over this as the directories are still there but the machines are not
running.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, Apr 22, 2015 at 4:04 PM, Lennart Poettering
lenn...@poettering.net wrote:
 Well, if that's what it says, then yes. We can certainly add support
 for manipulating nft too, but so far the APIs fo that appeared much
 less convincing to me, and quite a bit more exotic.

The user space tools for nft are much nicer than iptables, so I think
they do provide a significant benefit. I would appreciate not having
to go back to iptables:-)

The exact command line I am running is this (straight out of systemctl
cat systemd-nspawn@vm.service, *THANKS* to whoever implemented that!):

ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --ephemeral \
--machine=vm \
--network-veth \
--bind=/mnt/raid0/data/ftp:/mnt/ftp

/var/lib/machines is a normal read-write btrfs snapshot. vm is a
read-only snapshot.

It starts fine when vm is read-write.

Best Regards,
Tobias
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, Apr 22, 2015 at 3:12 PM, Tobias Hunger tobias.hun...@gmail.com wrote:
 Hi Lennart,

 On Wed, Apr 22, 2015 at 1:46 PM, Lennart Poettering
 lenn...@poettering.net wrote:
 I was trying to run systemd-nspawn --ephemeral, but that failed
 since I had a read-only image in /var/lib/machines. Why is that not
 allowed? systemd-nspawn does create its own snapshot of that one after
 all (which can be read-write). Why does the base image have to be
 read-write, too?

 Hmm? This shouldn't fail. What's the precise error message you get?

 It complains about a read-only filesystem when trying to bind-mount
 some directories into the machine.

Sorry, I forgot to attach the exact error message:

Apr 22 15:13:18 server systemd-nspawn[1804]: Failed to create mount
point /var/lib/machines/.#vmbdd461661453a1b8/mnt/ftp: Read-only file
system

Looking at the code I do not see why that subvolume should be
read-only. Maybe it inherits the read-only from the one it is a
snapshot off?

Best Regards,
Tobias
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 15:19, Tobias Hunger (tobias.hun...@gmail.com) wrote:

 On Wed, Apr 22, 2015 at 3:12 PM, Tobias Hunger tobias.hun...@gmail.com 
 wrote:
  Hi Lennart,
 
  On Wed, Apr 22, 2015 at 1:46 PM, Lennart Poettering
  lenn...@poettering.net wrote:
  I was trying to run systemd-nspawn --ephemeral, but that failed
  since I had a read-only image in /var/lib/machines. Why is that not
  allowed? systemd-nspawn does create its own snapshot of that one after
  all (which can be read-write). Why does the base image have to be
  read-write, too?
 
  Hmm? This shouldn't fail. What's the precise error message you get?
 
  It complains about a read-only filesystem when trying to bind-mount
  some directories into the machine.
 
 Sorry, I forgot to attach the exact error message:
 
 Apr 22 15:13:18 server systemd-nspawn[1804]: Failed to create mount
 point /var/lib/machines/.#vmbdd461661453a1b8/mnt/ftp: Read-only file
 system
 
 Looking at the code I do not see why that subvolume should be
 read-only. Maybe it inherits the read-only from the one it is a
 snapshot off?

So, this is not inherited. 

THere are some trouble with setting the read only flag correctly when
we do recursive snapshots, I am working on fixing that now. That only
is triggered when --read-only and --ephemeral are combined though.

The error you run into confuses me a bit I must say. What's the
precise command line you trigger this with?

Does /mnt/tmp exist? Is /mnt a mount or so, and /mnt/tmp another?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v2 1/2] Don't use ALSA card id in ID_ID

On Tue, 21.04.15 17:45, Adam Goode (ago...@google.com) wrote:

 The ALSA id sysattr is generated by the sound subsystem and is not
 a stable identifier. It is generated though some string manipulation
 then made unique if there is a conflict. This means that it is
 enumeration-dependent and shouldn't be used for ID_ID.
 
 If ID_ID is supposed to be system-unique, it is not already since
 for firewire it is generated from the guid and there are broken
 firewire devices that have duplicate guids across devices.
 
 This is tracked for PulseAudio at
 https://bugs.freedesktop.org/show_bug.cgi?id=90129.

Please also mention that commit that this effectvily reverts, see
earlier discussion.

 ---
  rules/78-sound-card.rules | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/rules/78-sound-card.rules b/rules/78-sound-card.rules
 index 295f490..bd7a994 100644
 --- a/rules/78-sound-card.rules
 +++ b/rules/78-sound-card.rules
 @@ -49,8 +49,8 @@ SUBSYSTEMS==firewire, GOTO=skip_pci
  SUBSYSTEMS==pci, ENV{ID_BUS}=pci, ENV{ID_VENDOR_ID}=$attr{vendor}, 
 ENV{ID_MODEL_ID}=$attr{device}
  LABEL=skip_pci
  
 -ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==?*, 
 ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}-$env{ID_USB_INTERFACE_NUM}-$attr{id}
 -ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==, 
 ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}-$attr{id}
 +ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==?*, 
 ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}-$env{ID_USB_INTERFACE_NUM}
 +ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==, 
 ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}
  
  IMPORT{builtin}=path_id
  
 -- 
 2.2.0.rc0.207.ga3a616c
 
 


Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v2 2/2] Add more firewire properties for sound, to be closer to USB and PCI

On Tue, 21.04.15 17:45, Adam Goode (ago...@google.com) wrote:

 USB and PCI soundcards have a nice set of ID_* properties. It would
 be handy for firewire soundcards to have the same.

As requested earlier, please document in the commit messsage that this
does not eat up ID_ID.

 ---
  rules/78-sound-card.rules | 9 ++---
  1 file changed, 6 insertions(+), 3 deletions(-)
 
 diff --git a/rules/78-sound-card.rules b/rules/78-sound-card.rules
 index bd7a994..04740e8 100644
 --- a/rules/78-sound-card.rules
 +++ b/rules/78-sound-card.rules
 @@ -41,14 +41,17 @@ IMPORT{builtin}=hwdb
  SUBSYSTEMS==usb, IMPORT{builtin}=usb_id
  SUBSYSTEMS==usb, GOTO=skip_pci
  
 -SUBSYSTEMS==firewire, ATTRS{vendor_name}==?*, ATTRS{model_name}==?*, \
 -  ENV{ID_BUS}=firewire, ENV{ID_VENDOR}=$attr{vendor_name}, 
 ENV{ID_MODEL}=$attr{model_name}
 -SUBSYSTEMS==firewire, ATTRS{guid}==?*, ENV{ID_ID}=firewire-$attr{guid}
 +SUBSYSTEMS==firewire, ATTRS{guid}==?*, \
 +  ENV{ID_BUS}=firewire, ENV{ID_SERIAL}=$attr{guid}, 
 ENV{ID_SERIAL_SHORT}=$attr{guid}, \
 +  ENV{ID_VENDOR_ID}=$attr{vendor}, ENV{ID_MODEL_ID}=$attr{model}, \
 +  ENV{ID_VENDOR}=$attr{vendor_name}, ENV{ID_MODEL}=$attr{model_name}
  SUBSYSTEMS==firewire, GOTO=skip_pci
  
  SUBSYSTEMS==pci, ENV{ID_BUS}=pci, ENV{ID_VENDOR_ID}=$attr{vendor}, 
 ENV{ID_MODEL_ID}=$attr{device}
  LABEL=skip_pci
  
 +# Define ID_ID if ID_BUS and ID_SERIAL are set. This will work for both
 +# USB and firewire.
  ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==?*, 
 ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}-$env{ID_USB_INTERFACE_NUM}
  ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==, 
 ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}
  
 -- 
 2.2.0.rc0.207.ga3a616c
 
 


Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] How to factory reset?

On Mon, 16.03.15 11:31, Tobias Hunger (tobias.hun...@gmail.com) wrote:

 Just a short update:
 
 I managed to get my machine image to (kind of) boot in systemd-nspawn
 this weekend. Kind-of as it tries to mount some drives that are
 obviously not there in the container. But apart from that it seems to
 boot fine:-)
 
 On real hardware I am not so lucky: Once I get to
 system-switch-root.service I get lots of output about missing nodes in
 dev (/dev/ttyX mostly).

Note that systemd only supports /dev mounted from devtmpfs, where the
nodes are created by the kernel (and not userspace), and hence cannot
really be missing. If the nodes are missing this is an indication that
/dev is configured in some other way...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] How to factory reset?

On Wed, 11.03.15 20:56, Kay Sievers (k...@vrfy.org) wrote:

 On Wed, Mar 11, 2015 at 7:45 PM, Chris Murphy li...@colorremedies.com wrote:
  On Wed, Mar 11, 2015 at 11:50 AM, Kay Sievers k...@vrfy.org wrote:
 
  The all included kernels are found at /boot/EFI/Linux/*.efi
 
  Yeah until the distros stop persistently mounting the ESP, I'm not a
  fan at all of anything but the most minimalist approach to the ESP.
 
 Systemd by default mounts it with autofs, it will not be mounted until
 it is accessed, which does not happen during normal operation. We
 currently miss autofs timeout handling, which would umount /boot again
 when it is no longer used. That would make stuff pretty robust, I
 expect.

Quick update on this: autofs expiry is now implemented and enabled for
the ESP mount systemd does by default.

This should shorten the time-frame of corruptions of the ESP quite a
bit.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Service watchdog feature in state ACTIVATING ?

On Mon, 02.03.15 20:32, Hoyer, Marko (ADITG/SW2) (mho...@de.adit-jv.com) wrote:

  Why would you need this? Watchdog is to prevent system being stuck
  somewhere. If activation fails within TimeoutStartSec=, systemd will
  put the service in failed to activate state anyways.
  
  Is waiting 20 seconds to detect the freeze is too much for your case?
  Is it not possible to lower the activation time?
 
 Yes it is too long. The process is a kind of application starter and observer 
 processing a startup phase. It is responsible for:
 - observing the application internal states of upcoming applications
 - it kicks off the startup of applications depending on the internal state of 
 other once
 - it delays the startup of late services started the normal way by systemd 
 once the startup phase is done
 
 And yes, one could say that we are implementing a kind of second
 systemd started by systemd. The difference is that our starter knows
 about some more states than just ACTIVATING and RUNING which is not
 really realizable with systemd especially when more than one
 application is contained in one process.
 
 So the idea was to bring up a set of applications with our starter
 application and stay with our starter in state ACTIVATING until it
 is done with bringing up the set of applications.
 
 Depending on the product, bringing up our set of applications can
 take 10-20secs. Since the starter is a kind of sensible application,
 it needs to be supervised by a watchdog with a timeout far less than
 20secs.
 
 Hope this gives a rough picture of our use case.

So, I can see that having watchdog support during the activating phase
might make sense in this case, but I am not sure this case is strong
enough to add it to systemd proper, since it would complicate things
for most: it's not a behaviour we can just enable for everybody, it
would have to be something we'd have to add an explicit opt-in option
for, since most daemons don't work like this.

I mean, in most cases the start-up phase of a daemon is relatively
quick, and the daemon will not enter its event loop before the
start-up is complete. But it is the event loop that normally needs to
process watchdog events.

Anyway, I'd prefer not adding support for this now. We can revisit
this if more folks are asking for this, and this turns out to be a
more common setup.

I hope that makes sense,

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] unit: When stopping due to BindsTo=, log which unit caused it

2015-04-22 Thread Alban Crequy

On Tue, Apr 21, 2015 at 10:35 PM, Zbigniew Jędrzejewski-Szmek
zbys...@in.waw.pl wrote:
 On Tue, Apr 21, 2015 at 03:54:35PM +0200, Alban Crequy wrote:
 On Sat, Feb 28, 2015 at 5:40 PM, Lennart Poettering
 lenn...@poettering.net wrote:
  On Fri, 27.02.15 17:13, Lennart Poettering (lenn...@poettering.net) wrote:
 
  On Thu, 26.02.15 16:50, Martin Pitt (martin.p...@ubuntu.com) wrote:
 
   IMHO it would be prudent to skip adding the BindsTo= if at the time of
   creating the .mount unit the backing .device unit doesn't actually
   exist. In that case it's a mount which isn't managed by systemd, and
   we shouldn't touch it. We mostly want this BindsTo= for mounts where
   the .device units *do* exist, so that when they go away we can clean
   up the mount (mostly for hotpluggable devices and removable media).
   I'll have a deeper look ASAP.
 
  I ran into this myself the other day, and Kay, Daniel and I spent a
  lot of time to come up with a scheme how to deal with the race... And
  I think we have a nice scheme now and I started implementing it.
 
  The idea is that .device units will gain a third state: currently they
  are either dead or plugged, and the new state will be
  tentative. It is entered when a device is referenced in
  /proc/self/mountinfo or /proc/swap, even though it has not yet shown
  up via udev.
 
  This new state has will not result in BindsTo= getting active.
 
  This is implemented now. Please check if this fixes this issue for
  you.

 Which commit implements this?

 I have an issue on nspawn container shutdown with v219 that I didn't
 have with v215. Systemd is trying to unmount the volumes bind mounted
 by nspawn and it fails because /bin/umount does not exist in my
 container. Systemd keeps trying to umount it in a busy loop. Reverting
 06e9783e2cc12eb6514e80c7f0014295f59b (core/mount: add
 dependencies to dynamically mounted mounts too) fixes my issue.
 There was a bunch of fixes on top. See 5bd4b173605142, 628c89cc68ab96fce2d,
 496068a8288084ab3.

Thanks for the commits. They don't seem related to containers.

I can reproduce my issue on git-master:

sudo ~/git/systemd/systemd-nspawn --register=false --bind
$HOME/tmp/vol -D debian-tree -b

Then, in the container, make sure /bin/umount does NOT exist.
Then halt the container with kill -37 1 (SIGRTMIN+3)

It will loop forever on:

[  OK  ] Failed unmounting /home/alban/tmp/vol.
 Unmounting /home/alban/tmp/vol...
[  OK  ] Failed unmounting /home/alban/tmp/vol.
 Unmounting /home/alban/tmp/vol...

I am not sure why it worked fine for me with the older version v215.

Cheers,
Alban
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 16:31, Tobias Hunger (tobias.hun...@gmail.com) wrote:

 On Wed, Apr 22, 2015 at 4:04 PM, Lennart Poettering
 lenn...@poettering.net wrote:
  Well, if that's what it says, then yes. We can certainly add support
  for manipulating nft too, but so far the APIs fo that appeared much
  less convincing to me, and quite a bit more exotic.
 
 The user space tools for nft are much nicer than iptables, so I think
 they do provide a significant benefit. I would appreciate not having
 to go back to iptables:-)
 
 The exact command line I am running is this (straight out of systemctl
 cat systemd-nspawn@vm.service, *THANKS* to whoever implemented that!):
 
 ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --ephemeral \
 --machine=vm \
 --network-veth \
 --bind=/mnt/raid0/data/ftp:/mnt/ftp
 
 /var/lib/machines is a normal read-write btrfs snapshot. vm is a
 read-only snapshot.
 
 It starts fine when vm is read-write.

OK, I think I fixed this now, please check:

http://cgit.freedesktop.org/systemd/systemd/commit/?id=aee327b8169670986f6a48acbd5ffe1355bfcf27

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] How to factory reset?

On Fri, 13.03.15 01:16, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

 On Tue, Mar 10, 2015 at 10:23:23PM +0100, Tobias Hunger wrote:
  On Tue, Mar 10, 2015 at 9:33 PM, Tobias Hunger tobias.hun...@gmail.com 
  wrote:
   presets and machined ID are applied by PID 1, before it begins with
   starting any units, hence *really* early on. Note though that actually
   /etc/machine-id is used as flag for is /etc empty. If the file
   exists it is assumed that /etc is provisioned properly. If it is
   missing PID 1 will generate the machiend id and apply presets.
  
   An OS installer could put the machine-id into /usr just fine (and so
   can I) and systemd could just get it from there if available before
   generating a new one.
  
   It would be nice if the machine-id did not change during to a factory
   reset: It is used in the logs and changing it will basically make
   historical log data much harder to analyze. IIRC networkd also uses it
   to generate persistent MAC addresses for containers and such.
  
   So far this seems to be the only critical piece of information that
   can not get restored via tmpfiles.d.
  
  Thinking about this a bit longer: /usr does not seem like a good idea.
  The machine-id is supposed to be unique and usr-images are meant to be
  reused.
  
  Maybe provide a kernel command line option to force the machine-id if
  none is set yet?
 I think this could be an option.  We currently check
 /var/lib/dbus/machine-id, $container_uuid, and /sys/class/dmi/id/product_uuid.
 I think that the first should work for your use case, since you keep /var.
 But we also check some commandline option, this seems useful for some
 use cases.

I think /var/lib/dbus/machine-id is nothing to use here. It purely
exists for compat with upgrades from classic dbus1 systems, where we
should avoid inventing a new machine id, if the dbus one is fine.

I'd be fine with adding a kernel switch to make this configurable, as
Zbigniew suggested.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Needs help for on charging activation

On Mon, 09.03.15 23:21, WaLyong Cho (walyong@samsung.com) wrote:

 Hi,
 
 I want to find best solution on our case. Our product is mobile device.
 But I don't think that is only problem of mobile device. That also can
 be problem of laptop. So, please comment to me.
 
 We have some of services are always running after system is started up
 as default. They don't need to be running always. They are just needed
 only charger is plugged in.
 So I thought lets only active them when only charger is plugged in.
 

[...]

 Is there any more good way for this?
 I want to find best appropriate way.

We currently have no nice way to cover this I must say.

I figure the way how I would implement this is by having some power
daemon (upower?) activate a target or so when power comes or goes.

systemd alone does not cover this right now, and i doubt it
should. This should really be handled by an external daemon I think.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] How to factory reset?

On Fri, 13.03.15 14:20, Tobias Hunger (tobias.hun...@gmail.com) wrote:

 Hi Zbyszek,
 
 I would expect the machine-id to be written before mount units are
 processed, so for that to work I would need to mount /var in the
 initrd, wouldn't I?

Yeah, /var/lib/dbus/machine-id isn't a general purpose solution, since
/var ca nbe mounted very late. (Also, as mentioned in other mail, it's
compat only, please don't use it.)

 Currently I am trying to just write the machine-id to /etc in the
 initrd. This makes systemd loose the understanding that /etc is empty
 though, which might have some side-effects that I am not yet
 anticipating.
 
 Isn't systemd started from inside the initrd once the new root has
 been set up? Maybe I could set $container_uuid and feed the machine-id
 to systemd that way? I am afraid that this will lead to some other
 side-effects, because systemd might assume to be running inside a
 container. Looks like I will have to do some testing over the
 weekend:-)

$container_uuid is only used in containers. If you set it in other
conditions, we don't care.

 Maybe I am lucky and /sys/class/dmi/id/product_uuid is set.

That is only read on kvm, since on physical hardware it is more often
than not filled with rubbish, that is not useful as a real machine id.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v2] automount: add expire support

2015-04-22 Thread Michael Olbrich

On Tue, Apr 21, 2015 at 08:45:30PM +0200, Lennart Poettering wrote:
 On Tue, 14.04.15 22:01, Michael Olbrich (m.olbr...@pengutronix.de) wrote:
 
 I added some more logging (so that automount_dispatch_expire() can
 never fail without this being logged) and applied it!
 
 I only gave this superficial testing though, please check if this all
 still works fine for you now!

Looks good. My test-cases work just fine.

Michael

-- 
Pengutronix e.K.   | |
Industrial Linux Solutions | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] networkd: introduce vti6 tunnel




On 04/21/2015 09:54 PM, Lennart Poettering wrote:

On Tue, 21.04.15 15:16, Susant Sahani (sus...@redhat.com) wrote:



+static int netdev_vti6_fill_message_create(NetDev *netdev, Link *link, 
sd_rtnl_message *m) {
+Tunnel *t = VTI6(netdev);
+int r;
+
+assert(netdev);
+assert(link);
+assert(m);
+assert(t);
+assert(t-family == AF_INET6);
+
+r = sd_rtnl_message_append_u32(m, IFLA_VTI_LINK, link-ifindex);
+if (r  0) {
+log_netdev_error(netdev,
+ Could not append IFLA_IPTUN_LINK attribute: 
%s,
+ strerror(-r));
+return r;
+}


I have now added log_netdev_error_errno(), which takes the error
number as parameter, and opens it up for %m. Hence please rewrite the
7 lines above as these 2:


Sure I will make the changes.



 if (r  0)
 return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_LINK attribute: %m);


+r = sd_rtnl_message_append_in6_addr(m, IFLA_VTI_LOCAL, t-local.in6);
+if (r  0) {
+log_netdev_error(netdev,
+ Could not append IFLA_IPTUN_LOCAL attribute: 
%s,
+ strerror(-r));
+return r;
+}


Similar here.


+r = sd_rtnl_message_append_in6_addr(m, IFLA_VTI_REMOTE, 
t-remote.in6);
+if (r  0) {
+log_netdev_error(netdev,
+ Could not append IFLA_IPTUN_REMOTE attribute: 
%s,
+ strerror(-r));
+return r;
+}


Similar here.



  static void vti_init(NetDev *n) {
-Tunnel *t = VTI(n);
+Tunnel *t;

  assert(n);
+
+if (n-kind == NETDEV_KIND_VTI)
+t =  VTI(n);


Spurious space.

Lennart


Susant
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] udev: Fix ping timeout when settle timeout is 0

2015-04-22 Thread David Herrmann

Hi

On Mon, Apr 20, 2015 at 6:58 PM, David Herrmann dh.herrm...@gmail.com wrote:
 Hi

 On Sun, Apr 19, 2015 at 1:49 AM, Nir Soffer nir...@gmail.com wrote:
 When running udevadm settle --timeout=0, the ping always times out, and
 udevadm will return 0 without checking the queue state.

 Since zero timeout is considered as unlimited timeout, we use now
 unlimited ping timeout.
 ---
  src/udev/udevadm-settle.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

 diff --git a/src/udev/udevadm-settle.c b/src/udev/udevadm-settle.c
 index 2c84ada..424 100644
 --- a/src/udev/udevadm-settle.c
 +++ b/src/udev/udevadm-settle.c
 @@ -107,7 +107,9 @@ static int adm_settle(struct udev *udev, int argc, char 
 *argv[]) {

  uctrl = udev_ctrl_new(udev);
  if (uctrl != NULL) {
 -if (udev_ctrl_send_ping(uctrl, timeout)  0) {
 +int ping_timeout = timeout  0 ? (int)timeout : -1;
 +
 +if (udev_ctrl_send_ping(uctrl, ping_timeout)  0) {
  log_debug(no connection to daemon);
  udev_ctrl_unref(uctrl);
  return EXIT_SUCCESS;

 This looks much more reasonable to me. I'd prefer some sanity-timeout,
 though. 1s or 5s or something like this. Kay?

Applied.

Thanks
David
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] install a fedora container

2015-04-22 Thread arnaud gaboury

On Wed, Apr 22, 2015 at 7:39 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Wed, 22.04.15 19:26, arnaud gaboury (arnaud.gabo...@gmail.com) wrote:

I am little confused how to install Fedora on a container on my Archlinux
box.

Here is my setup : a whole ssd for Fedora server. Btrfs with 3
subvolumes for snapshots:
/etc, /var, and /rootvol. No nested subvolumes.

This ssd will then be mounted on /var/lib/container/MyContainer.

Shall i install first Fedora server on the SSD then mount it in
/var/lib/container and boot with systemd-nspawn ? Or is there another
solution?

The usualy way how I installed a Fedora container so far, was via yum
--installroot. But that of course only works if you have yum around,
which might be unavailable on ArchLinux.

Yes yum package is available in Arch.

Another option is to use the upstream cloud image. Recent
systemd-nspawn versions can boot that directly if you stick that in
/var/lib/machines and uncompress it. The image is here:

http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz

I wanted to install 22 server beta. Will see if I can find a link.

Thank you for tips.

In systemd git you can use machinectl pull-raw directly on this URL
which will do this all automatically for you.

Lennart

--
Lennart Poettering, Red Hat

google.com/+arnaudgabourygabx
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] install a fedora container

2015-04-22 Thread arnaud gaboury

I am little confused how to install Fedora on a container on my Archlinux box.

Here is my setup : a whole ssd for Fedora server. Btrfs with 3
subvolumes for snapshots:
/etc, /var, and /rootvol. No nested subvolumes.

This ssd will then be mounted on /var/lib/container/MyContainer.

Shall i install first Fedora server on the SSD then mount it in
/var/lib/container and boot with systemd-nspawn ? Or is there another
solution?

Thank you.

-- 

google.com/+arnaudgabourygabx
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] install a fedora container

2015-04-22 Thread arnaud gaboury

On Wed, Apr 22, 2015 at 7:26 PM, arnaud gaboury
arnaud.gabo...@gmail.com wrote:
 I am little confused how to install Fedora on a container on my Archlinux box.

 Here is my setup : a whole ssd for Fedora server. Btrfs with 3
 subvolumes for snapshots:
 /etc, /var, and /rootvol. No nested subvolumes.

 This ssd will then be mounted on /var/lib/container/MyContainer.

 Shall i install first Fedora server on the SSD then mount it in
 /var/lib/container and boot with systemd-nspawn ? Or is there another
 solution?

EDIT : I already downloaded the iso file.

 Thank you.

 --

 google.com/+arnaudgabourygabx
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] option to ignore ENOMEDIUM in blkid

On Wed, 18.02.15 23:51, Hans Scholze (hans.scho...@gmail.com) wrote:

  # probe filesystem metadata of disks
 -KERNEL!=sr*, IMPORT{builtin}=blkid
 +KERNEL!=sr*, IMPORT{builtin}=blkid --ignore-enomedium

Adding a new switch for this sounds overly complicated. We should
really ignore this error in any case, and just print a debug level
message about this case, which people can see if they turn debug
logging on.

Now, as it turns out I actually commited such a change a week back
with 8d8ce9e2cd066e90c17e2d1eb1882defabb1fa63 in order to fix fdobz
89885.

I figure this should resolve the issue,

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Improve log notice when unprivileged users run journalctl executable

On Tue, 24.02.15 23:42, Gautier Pelloux-Prayer (gaut...@damsy.net) wrote:

 Hi,
 
 Currently, when user runs journalctl without extra privileges, output
 will be:
 
 No journal files were found.

Hmm, this would be a bug. The whole logic of collecting error codes in
j-errors exists exclusively to show more useful error messages in
this case.

Are you saying this does not work correctly for you?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] install a fedora container

On Wed, 22.04.15 19:26, arnaud gaboury (arnaud.gabo...@gmail.com) wrote:

 I am little confused how to install Fedora on a container on my Archlinux box.
 
 Here is my setup : a whole ssd for Fedora server. Btrfs with 3
 subvolumes for snapshots:
 /etc, /var, and /rootvol. No nested subvolumes.
 
 This ssd will then be mounted on /var/lib/container/MyContainer.
 
 Shall i install first Fedora server on the SSD then mount it in
 /var/lib/container and boot with systemd-nspawn ? Or is there another
 solution?

The usualy way how I installed a Fedora container so far, was via yum
--installroot. But that of course only works if you have yum around,
which might be unavailable on ArchLinux.

Another option is to use the upstream cloud image. Recent
systemd-nspawn versions can boot that directly if you stick that in
/var/lib/machines and uncompress it. The image is here:

http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz

In systemd git you can use machinectl pull-raw directly on this URL
which will do this all automatically for you.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Setting up network interfaces for containers with --private-network

2015-04-22 Thread Spencer Baugh

Lennart Poettering lenn...@poettering.net writes:
 On Tue, 21.04.15 15:22, Spencer Baugh (sba...@catern.com) wrote:

  Also, trivial static IP configuration is seldom sufficient, you at
  least need to also provide DNS configuration, and if you don't use
  DHCP or something similar then you need to configure that inside the
  container anyway. But if you do that you might as well configure the
  static IP addresses in it too, so what is gained by doing this from a
  networkd outside of the cotnainer?
 
  Or am I misunderstanding the role of networkd? It seems like if I am
  writing a service that represents the network interface and namespace
  for this container, I am doing something that networkd should
  ultimately do.
 
  Sure, absolutely. But our idea so far was that networkd should run
  inside the container to configure the container's network, and on the
  host to configure the host's network, but not to cross this boundary
  and have the host networkd configure the container's network.
 
 Hmm, yes, but I think the problem is the configuration done at
 interface-creation-time. It seems to me that that configuration
 currently does not fit naturally in either the host networkd or the
 container networkd.

 Well, again, I doubt that configuration exclusivel at
 interface-creation-time will be useful for more than the most trivial
 cases, already because as mentioned it would not cover DNS server
 configuration and thelike.

Sure, I'm in agreement, but there are things that can only be
configured at interface-creation-time. As a trivial example, the type
of the interface. And it looks like for ipvlan you can only choose L2 or
L3 mode at creation-time.

Additionally, it seems to me that the MAC address, at least, is
something that you might want to configure only at creation-time and not
change later.

The earlier two examples are necessary, the third example, the MAC
address, is just nice-to-have. But since there are things that actually
really must be configured at creation-time, it seems that eventually it
will be necessary to figure out a best practice or mechanism for such
configuration. And that method might as well also allow the nice-to-have
of configuring the MAC address at creation time.

 If you really want fixed IP addresses, I think this could work:

 We add configurability for the DHCP server address range in networkd,
 including taking ranges that contain a single IP address. You could
 then assign fixed addresses to your containers simply by dropping a
 .network snippet for them, that only contains a single dhcp range IP
 address for it. THat should work, no?

This would be a nice feature and would work for many use cases.

My problem with this solution is that I'm using IPv6. With IPv6, I can
set up stateless autoconfiguration to assign IPs to interfaces.  In
that case the IP is directly determined by the MAC address, so it is not
possible (AFAIK?) to specify a range of IPs of length 1 to force that
single IP to be assigned to a specific interface.

I would somewhat prefer to be using this feature of IPv6, rather than
using DHCPv6; and anyway, networkd doesn't support DHCPv6 right now,
right? So this doesn't necessarily work for me.

The mapping from MAC address to IPv6 address is just a matter of
encoding the MAC address in the last 64 bits of the IPv6 address.  So if
I know the MAC address of the container, and maybe listen a little on
the network interface to see what routing prefix is being advertised, I
know the IPv6 address that the container will get. Maybe something
(networkd, networkctl, machined, machinectl?) could reveal this
information? Just an idea.

The stateless autoconfiguration of IPv6 seems pretty similar to
systemd's own aims, it would be nice if they worked well together.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Service watchdog feature in state ACTIVATING ?

2015-04-22 Thread Hoyer, Marko (ADITG/SW2)

 -Original Message-
 From: Lennart Poettering [mailto:lenn...@poettering.net]
 Sent: Wednesday, April 22, 2015 6:00 PM
 To: Hoyer, Marko (ADITG/SW2)
 Cc: Umut Tezduyar Lindskog; systemd-devel@lists.freedesktop.org
 Subject: Re: [systemd-devel] Service watchdog feature in state
 ACTIVATING ?

 On Mon, 02.03.15 20:32, Hoyer, Marko (ADITG/SW2) (mho...@de.adit-
 jv.com) wrote:

   Why would you need this? Watchdog is to prevent system being stuck
   somewhere. If activation fails within TimeoutStartSec=, systemd
 will
   put the service in failed to activate state anyways.

   Is waiting 20 seconds to detect the freeze is too much for your
 case?
   Is it not possible to lower the activation time?

  Yes it is too long. The process is a kind of application starter and
 observer processing a startup phase. It is responsible for:
  - observing the application internal states of upcoming applications
  - it kicks off the startup of applications depending on the internal
  state of other once
  - it delays the startup of late services started the normal way by
  systemd once the startup phase is done

  And yes, one could say that we are implementing a kind of second
  systemd started by systemd. The difference is that our starter knows
  about some more states than just ACTIVATING and RUNING which is not
  really realizable with systemd especially when more than one
  application is contained in one process.

  So the idea was to bring up a set of applications with our starter
  application and stay with our starter in state ACTIVATING until it is
  done with bringing up the set of applications.

  Depending on the product, bringing up our set of applications can
 take
  10-20secs. Since the starter is a kind of sensible application, it
  needs to be supervised by a watchdog with a timeout far less than
  20secs.

  Hope this gives a rough picture of our use case.

 So, I can see that having watchdog support during the activating phase
 might make sense in this case, but I am not sure this case is strong
 enough to add it to systemd proper, since it would complicate things
 for most: it's not a behaviour we can just enable for everybody, it
 would have to be something we'd have to add an explicit opt-in option
 for, since most daemons don't work like this.

Thx for getting back to this again.

An a bit more light weight variant could be adding a second watchdog timeout 
parameter meant for the activation phase only. This timeout value could be 0 
(infinite) by default. This way, the feature is probably invisible for all who 
are not explicitly setting it. 

 Anyway, I'd prefer not adding support for this now. We can revisit this
 if more folks are asking for this, and this turns out to be a more
 common setup.

Sounds good.

Best regards

Marko Hoyer
Software Group II (ADITG/SW2)

Tel. +49 5121 49 6948
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Setting up network interfaces for containers with --private-network

On Wed, 22.04.15 13:41, Spencer Baugh (sba...@catern.com) wrote:

 Lennart Poettering lenn...@poettering.net writes:
  On Tue, 21.04.15 15:22, Spencer Baugh (sba...@catern.com) wrote:
 
   Also, trivial static IP configuration is seldom sufficient, you at
   least need to also provide DNS configuration, and if you don't use
   DHCP or something similar then you need to configure that inside the
   container anyway. But if you do that you might as well configure the
   static IP addresses in it too, so what is gained by doing this from a
   networkd outside of the cotnainer?
  
   Or am I misunderstanding the role of networkd? It seems like if I am
   writing a service that represents the network interface and namespace
   for this container, I am doing something that networkd should
   ultimately do.
  
   Sure, absolutely. But our idea so far was that networkd should run
   inside the container to configure the container's network, and on the
   host to configure the host's network, but not to cross this boundary
   and have the host networkd configure the container's network.
  
  Hmm, yes, but I think the problem is the configuration done at
  interface-creation-time. It seems to me that that configuration
  currently does not fit naturally in either the host networkd or the
  container networkd.
 
  Well, again, I doubt that configuration exclusivel at
  interface-creation-time will be useful for more than the most trivial
  cases, already because as mentioned it would not cover DNS server
  configuration and thelike.
 
 Sure, I'm in agreement, but there are things that can only be
 configured at interface-creation-time. As a trivial example, the type
 of the interface. And it looks like for ipvlan you can only choose L2 or
 L3 mode at creation-time.
 
 Additionally, it seems to me that the MAC address, at least, is
 something that you might want to configure only at creation-time and not
 change later.

networkd considers the MAC address that can be changed for the network
you connect to, and can hence change dynamically depending on the
network you pick.

Hmm, there's indeed a gap here though: as .link files are applied by
udev, not by networkd, and udev is not available in containers, .link
files are currently not applied at all in containers. It might be an
option to do this within networkd instead of udev when it is run in a
container.

Of course, this will then only cover the props that can be changed
with .link files, not the ones that have to be specified at link
creation time.

For those, things are nasty. I mean, for things like ipvlan which
relate to an interface outside of the container, this means we need to
create them outside of the container, and thus they need to be
configured initially outside of the container.

So far we handled all this inside .netdev files, that are processed by
networkd. We have limited support for creating these devices also with
nspawn (i.e. the --network-veth, --network-macvlan and
--network-ipvlan switches), but I'd be really careful with turning
them into more than just basic switches, I'd really leave more complex
cases with networkd.

Now, I am not really sure how would could hook this up... After all
as you say it will not be sufficient to create the netdevs once before
nspawn uses them, they need to be created before each time before
nspawn uses them.

As soon as networkd gains a bus interface maybe an option could be to
hook up nspawn's --network-interface= with it: if the specified
interface doesn't exist, nspawn could synchronously ask networkd to
create it. With that in place you could then configure .netdev files
outside of the container, and neatly pass them on into the container,
without races. Would that fix your issue?

  If you really want fixed IP addresses, I think this could work:
 
  We add configurability for the DHCP server address range in networkd,
  including taking ranges that contain a single IP address. You could
  then assign fixed addresses to your containers simply by dropping a
  .network snippet for them, that only contains a single dhcp range IP
  address for it. THat should work, no?
 
 This would be a nice feature and would work for many use cases.
 
 My problem with this solution is that I'm using IPv6. With IPv6, I can
 set up stateless autoconfiguration to assign IPs to interfaces.  In
 that case the IP is directly determined by the MAC address, so it is not
 possible (AFAIK?) to specify a range of IPs of length 1 to force that
 single IP to be assigned to a specific interface.
 
 I would somewhat prefer to be using this feature of IPv6, rather than
 using DHCPv6; and anyway, networkd doesn't support DHCPv6 right now,
 right? So this doesn't necessarily work for me.

True. It's certainly our plan to support it eventually.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org

Re: [systemd-devel] Improve log notice when unprivileged users run journalctl executable

On Wed, 22.04.15 20:07, Gautier Pelloux-Prayer (gaut...@damsy.net) wrote:

 Actually I posted twich my email (my bad), the real discussion is here:
 http://lists.freedesktop.org/archives/systemd-devel/2015-March/029119.html
 
 Zbigniew Jędrzejewski-Szmek patched it and it should be OK now.

Oh indeed, and I even replied to that other thread already,

Thanks,

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 3/3] zsh-completion: add missing completions for systemd-nspawn

Patchset imported to github.
Pull request:
https://github.com/systemd-devs/systemd/compare/master...systemd-mailing-devs:1429726059-5463-4-git-send-email-lorusak%40gmail.com

--
Generated by https://github.com/haraldh/mail2git
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH 1/3] zsh-completion: add missing completions for machinectl

---
 shell-completion/zsh/_machinectl | 84 +---
 1 file changed, 70 insertions(+), 14 deletions(-)

diff --git a/shell-completion/zsh/_machinectl b/shell-completion/zsh/_machinectl
index c666b7e..2b1b7ed 100644
--- a/shell-completion/zsh/_machinectl
+++ b/shell-completion/zsh/_machinectl
@@ -1,5 +1,20 @@
 #compdef machinectl
 
+__get_available_machines () {
+ls -1 /var/lib/container |  {while read -r a b; do echo $a; done;}
+}
+
+_available_machines() {
+local -a _machines
+_machines=(${(fo)$(__get_available_machines)})
+typeset -U _machines
+if [[ -n $_machines ]]; then
+_describe 'machines' _machines
+else
+   _message 'no machines'
+fi
+}
+
 (( $+functions[_machinectl_command] )) || _machinectl_command()
 {
   local -a _machinectl_cmds
@@ -7,23 +22,55 @@
 list:List currently running VMs/containers
 status:Show VM/container status
 show:Show properties of one or more VMs/containers
+start:Start container as a service
 login:Get a login prompt on a VM/container
+enable:Enable automatic container start at boot
+disable:Disable automatic container start at boot
 poweroff:Power off one or more VMs/containers
 reboot:Reboot one or more VMs/containers
 terminate:Terminate one or more VMs/containers
 kill:Send signal to process or a VM/container
+copy-to:Copy files from the host to a container
+copy-from:Copy files from a container to the host
+bind:Bind mount a path from the host into a container
+
+list-images:Show available container and VM images
+image-status:Show image details
+show-image:Show properties of image
+clone:Clone an image
+rename:Rename an image
+read-only:Mark or unmark image read-only
+remove:Remove an image
+
+pull-tar:Download a TAR container image
+pull-raw:Download a RAW container or VM image
+pull-dkr:Download a DKR container image
+list-transfers:Show list of downloads in progress
+cancel-transfer:Cancel a download
   )
+
   if (( CURRENT == 1 )); then
 _describe -t commands 'machinectl command' _machinectl_cmds || compadd $@
   else
 local curcontext=$curcontext
 cmd=${${_machinectl_cmds[(r)$words[1]:*]%%:*}}
 if (( $#cmd )); then
-  case $cmd in
-list) msg=no options ;;
-*)
-  _sd_machines
-  esac
+  if (( CURRENT == 2 )); then
+case $cmd in
+  list*|cancel-transfer|pull-tar|pull-raw|pull-dkr)
+msg=no options ;;
+  start)
+_available_machines ;;
+  *)
+_sd_machines
+esac
+  else
+case $cmd in
+  copy-to|copy-from|bind)
+_files ;;
+  *) msg=no options
+esac
+  fi
 else
   _message no more options
 fi
@@ -33,13 +80,22 @@
 _arguments \
   {-h,--help}'[Prints a short help text and exits.]' \
   '--version[Prints a short version string and exits.]' \
-  \*{-p+,--property=}'[Limit output to specified property.]:property:(Name Id 
Timestamp TimestampMonotonic Service Scope Leader Class State RootDirectory)' \
-  {-a,--all}'[Show all proerties]' \
-  (-l,--full)'[Do not ellipsize cgroup members]' \
-  '--no-pager[Do not pipe output into a pager]' \
-  '--no-ask-password[Do not ask for system passwords]' \
-  '--kill-who=[Who to send signal to]:killwho:(leader all)' \
-  {-s+,--signal=}'[Which signal to send]:signal:_signals' \
-  {-H+,--host=}'[Operate on remote host]:userathost:_sd_hosts_or_user_at_host' 
\
-  {-P,--privileged}'[Acquire privileges before execution]' \
+  '--no-pager[Do not pipe output into a pager.]' \
+  '--no-legend[Do not show the headers and footers.]' \
+  '--no-ask-password[Do not ask for system passwords.]' \
+  {-H+,--host=}'[Operate on remote 
host.]:userathost:_sd_hosts_or_user_at_host' \
+  {-M+,--machine=}'[Operate on local container.]:machine:_sd_machines' \
+  {-p+,--property=}'[Limit output to specified property.]:property:(Name Id 
Timestamp TimestampMonotonic Service Scope Leader Class State RootDirectory)' \
+  {-a,--all}'[Show all proerties.]' \
+  {-q,--quiet}'[Suppress output.]' \
+  {-l,--full}'[Do not ellipsize cgroup members.]' \
+  '--kill-who=[Who to send signal to.]:killwho:(leader all)' \
+  {-s+,--signal=}'[Which signal to send.]:signal:_signals' \
+  '--read-only[Create read-only bind mount.]' \
+  '--mkdir[Create directory before bind mounting, if missing.]' \
+  {-n+,--lines=}'[Number of journal entries to show.]:integer' \
+  {-o+,--output=}'[Change journal output mode.]:output modes:_sd_outputmodes' \
+  '--verify=[Verification mode for downloaded images.]:verify:(no checksum 
signature)' \
+  '--force[Download image even if already exists.]' \
+  '--dkr-index-url=[Specify the index URL to use for DKR image downloads.]' \
   '*::machinectl command:_machinectl_command'
-- 
2.3.5

___
systemd-devel mailing list

[systemd-devel] [PATCH 3/3] zsh-completion: add missing completions for systemd-nspawn

---
 shell-completion/zsh/_systemd-nspawn | 23 +--
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/shell-completion/zsh/_systemd-nspawn 
b/shell-completion/zsh/_systemd-nspawn
index ceedb2c..42cdbcd 100644
--- a/shell-completion/zsh/_systemd-nspawn
+++ b/shell-completion/zsh/_systemd-nspawn
@@ -11,34 +11,37 @@ _nspawn-caps(){
 }
 
 _arguments \
-{-h,--help}'[Show this help]' \
+{-h,--help}'[Show this help.]' \
+'--version[Print a short version string and exit.]' \
+{--quiet,-q}'[Turns off any status output by the tool itself.]' \
 {--directory=,-D+}'[Directory to use as file system root for the namespace 
container. If omitted the current directory will be 
used.]:directories:_directories' \
+'--template=[Initialize root directory from template directory, if 
missing.]:template:_directories' \
+{--ephemeral,-x}'[Run container with snapshot of root directory, and 
remove it after exit.]' \
 {--image=,-i+}'[Disk image to mount the root directory for the container 
from.]' \
 {--boot=,-b+}'[Automatically search for an init binary and invoke it 
instead of a shell or a user supplied program.]' \
 {--user=,-u+}'[Run the command under specified user, create home directory 
and cd into it.]' \
 {--machine=,-M+}'[Sets the machine name for this container.]' \
 '--uuid=[Set the specified uuid for the container.]' \
-'--slice=[Make the container part of the specified slice, instead of the 
default machine.slice.]' \
-'--private-network[Turn off networking in the container. This makes all 
network interfaces unavailable in the container, with the exception of the 
loopback device.]' \
+{--slice=,-S+}'[Make the container part of the specified slice, instead of 
the default machine.slice.]' \
 '--private-network[Disconnect networking of the container from the host.]' 
\
 '--network-interface=[Assign the specified network interface to the 
container.]' \
 '--network-macvlan=[Create a macvlan interface of the specified Ethernet 
network interface and add it to the container.]' \
-'--network-veth[Create a virtual Ethernet link (veth) between host and 
container.]' \
+'--network-ipvlan=[Create a ipvlan network interface based on an existing 
network interface to the container.]' \
+{--network-veth,-n}'[Create a virtual Ethernet link (veth) between host 
and container.]' \
 '--network-bridge=[Adds the host side of the Ethernet link created with 
--network-veth to the specified bridge.]' \
+{--port=,-p+}'[Expose a container IP port on the host.]' \
 {--selinux-context=,-Z+}'[Sets the SELinux security context to be used to 
label processes in the container.]' \
 {--selinux-apifs-context=,-L+}'[Sets the SELinux security context to be 
used to label files in the virtual API file systems in the container.]' \
 '--capability=[List one or more additional capabilities to grant the 
container.]:capabilities:_nspawn-caps' \
-'--drop-capability=[Specify one or more additional capabilities to drop 
for the container]' \
---link-journal=[Control whether the container's journal shall be made 
visible to the host system.]:options:(no, host, guest, auto) \
+'--drop-capability=[Specify one or more additional capabilities to drop 
for the containerm]:capabilities:_nspawn-caps' \
+--link-journal=[Control whether the container's journal shall be made 
visible to the host system.]:options:(no host guest auto) \
 '-j[Equivalent to --link-journal=guest.]' \
 '--read-only[Mount the root file system read only for the container.]' \
 '--bind=[Bind mount a file or directory from the host into the 
container.]' \
 '--bind-ro=[Bind mount a file or directory from the host into the 
container (read-only).]' \
+'--tmpfs=[Mount an empty tmpfs to the specified directory.]' \
 '--setenv=[Specifies an environment variable assignment to pass to the 
init process in the container, in the format NAME=VALUE.]' \
 '--share-system[Allows the container to share certain system facilities 
with the host.]' \
 '--register=[Controls whether the container is registered with 
systemd-machined(8).]' \
 '--keep-unit[Instead of creating a transient scope unit to run the 
container in, simply register the service or scope unit systemd-nspawn has been 
invoked in with systemd-machined(8).]' \
-'--personality=[Control the architecture (personality) reported by 
uname(2) in the container.]' \
-{--quiet,-q}'[Turns off any status output by the tool itself.]' \
-{--help,-h}'[Print a short help text and exit.]' \
-'--version[Print a short version string and exit.]'
+'--volatile=[Run the system in volatile mode.]:volatile:(no yes state)'
-- 
2.3.5

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH 2/3] zsh-completion: update -M completion for systemd-analyze

---
 shell-completion/zsh/_systemd-analyze | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shell-completion/zsh/_systemd-analyze 
b/shell-completion/zsh/_systemd-analyze
index 2c0e543..efafddc 100644
--- a/shell-completion/zsh/_systemd-analyze
+++ b/shell-completion/zsh/_systemd-analyze
@@ -54,5 +54,5 @@ _arguments \
 '--from-pattern=[When generating a dependency graph, filter only 
origins]:GLOB' \
 '--to-pattern=[When generating a dependency graph, filter only 
destinations]:GLOB' \
 {-H+,--host=}'[Operate on remote 
host]:userathost:_sd_hosts_or_user_at_host' \
-{-M+,--machine=}'[Operate on local container]:machine' \
+{-M+,--machine=}'[Operate on local container]:machine:_sd_machines' \
 '*::systemd-analyze commands:_systemd_analyze_command'
-- 
2.3.5

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH 0/3] update zsh completions for systemd-analyze, systemd-nspawn, and machinectl

This is my first time submitting on a mailing list, so go easy on me.

Lukas Rusak (3):
  zsh-completion: add missing completions for machinectl
  zsh-completion: update -M completion for systemd-analyze
  zsh-completion: add missing completions for systemd-nspawn

 shell-completion/zsh/_machinectl  | 84 +--
 shell-completion/zsh/_systemd-analyze |  2 +-
 shell-completion/zsh/_systemd-nspawn  | 23 +-
 3 files changed, 84 insertions(+), 25 deletions(-)

-- 
2.3.5

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Service watchdog feature in state ACTIVATING ?

On Wed, 22.04.15 17:59, Hoyer, Marko (ADITG/SW2) (mho...@de.adit-jv.com) wrote:

  So, I can see that having watchdog support during the activating phase
  might make sense in this case, but I am not sure this case is strong
  enough to add it to systemd proper, since it would complicate things
  for most: it's not a behaviour we can just enable for everybody, it
  would have to be something we'd have to add an explicit opt-in option
  for, since most daemons don't work like this.
 
 Thx for getting back to this again.
 
 An a bit more light weight variant could be adding a second watchdog
 timeout parameter meant for the activation phase only. This timeout
 value could be 0 (infinite) by default. This way, the feature is
 probably invisible for all who are not explicitly setting it.

Well, if it's a boolean or a timeout that is configured, I'd prefer
not to add either option unless this turns out to be a frequently
requested feature...

I am just careful with adding even more settings so easily...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/3] zsh-completion: add missing completions for machinectl

On Wed, 22.04.15 11:07, Lukas Rusak (loru...@gmail.com) wrote:

 ---
  shell-completion/zsh/_machinectl | 84 
 +---
  1 file changed, 70 insertions(+), 14 deletions(-)
 
 diff --git a/shell-completion/zsh/_machinectl 
 b/shell-completion/zsh/_machinectl
 index c666b7e..2b1b7ed 100644
 --- a/shell-completion/zsh/_machinectl
 +++ b/shell-completion/zsh/_machinectl
 @@ -1,5 +1,20 @@
  #compdef machinectl
  
 +__get_available_machines () {
 +ls -1 /var/lib/container |  {while read -r a b; do echo $a; done;}
 +}

Hmm, the right way to list running containers is with machinectl
list. The right way to list container images is with machinectl
list-images.

Just listing /var/lib/container is not right, because the we tent to
prefer /var/lib/machines now, and because we support raw images in
those dirs, which carry the .raw suffix which should be removed when
used as machine name.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v2] Add support for transient presets, applied on every boot.

On Sat, 21.02.15 02:38, Dimitri John Ledkov (dimitri.j.led...@intel.com) wrote:

Sorry for the late review!

Can you please add a commit description to this, explaining the
precise rationale for this?

 ---
  src/core/main.c  | 27 +++
  src/core/unit.c  |  2 +-
  src/shared/install.c | 25 -
  src/shared/install.h |  2 +-
  4 files changed, 49 insertions(+), 7 deletions(-)
 
 diff --git a/src/core/main.c b/src/core/main.c
 index 08f46f5..2656779 100644
 --- a/src/core/main.c
 +++ b/src/core/main.c
 @@ -1207,6 +1207,23 @@ static int write_container_id(void) {
  return write_string_file(/run/systemd/container, c);
  }
  
 +static int transient_presets(void) {
 +struct stat st;
 +
 +if (lstat(/usr/lib/systemd/system-preset-transient, st) == 0)
 +return !!S_ISDIR(st.st_mode);

Please use is_dir() for this, it's slightly nicer to read.

 +#ifdef HAVE_SPLIT_USR
 +if (lstat(/lib/systemd/system-preset-transient, st) == 0)
 +return !!S_ISDIR(st.st_mode);
 +#endif
 +
 +if (lstat(/etc/systemd/system-preset-transient, st) == 0)
 +return !!S_ISDIR(st.st_mode);
 +
 +return 0;
 +}

Also, the function should probably return a proper bool instead of
an int. We use C99 bool heavily.

That said, maybe we shouldn't have this function at all, see below.

 +
  int main(int argc, char *argv[]) {
  Manager *m = NULL;
  int r, retval = EXIT_FAILURE;
 @@ -1619,6 +1636,16 @@ int main(int argc, char *argv[]) {
  if (arg_running_as == SYSTEMD_SYSTEM) {
  bump_rlimit_nofile(saved_rlimit_nofile);
  
 +// NB! transient presets must be applied before
 normal

We try to stick to /* comments */ instead of // comments

 +if (transient_presets()) {
 +r = unit_file_preset_all(UNIT_FILE_SYSTEM, true, 
 NULL, UNIT_FILE_PRESET_ENABLE_ONLY, false, NULL, 0);
 +if (r  0)
 +log_warning_errno(r, Failed to populate 
 transient preset unit settings, ignoring: %m);
 +else
 +log_info(Populated transient preset unit 
 settings.);
 +}

Hmm, do we actually need the explicit check with transient_presets()
at all? I mean, it replicates the search path logic, and
unit_file_preset_all() should notice on its own that there are no
preset files in those dirs...

 diff --git a/src/shared/install.c b/src/shared/install.c
 index 65f1c24..7372e56 100644
 --- a/src/shared/install.c
 +++ b/src/shared/install.c
 @@ -1873,7 +1873,7 @@ UnitFileState unit_file_get_state(
  return r  0 ? r : state;
  }
  
 -int unit_file_query_preset(UnitFileScope scope, const char
 -*root_dir, const char *name) {
 +int unit_file_query_preset(UnitFileScope scope, bool runtime, const
 -char *root_dir, const char *name) {

Hmm, runtime, or transient? Pick one!

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH] tree-wide: Introduce a dup_cloexec inline helper

2015-04-22 Thread Cristian Rodríguez

- Nicer  easier to remember than fcntl(fd, F_DUPFD_CLOEXEC, 3)
- Update CODING_STYLE
- Use it tree-wide
---
 CODING_STYLE | 6 +++---
 src/import/curl-util.c   | 2 +-
 src/import/importd.c | 4 ++--
 src/journal/cat.c| 2 +-
 src/libsystemd-terminal/grdev-drm.c  | 4 ++--
 src/libsystemd-terminal/idev-evdev.c | 4 ++--
 src/libsystemd/sd-bus/bus-message.c  | 6 +++---
 src/login/inhibit.c  | 2 +-
 src/login/pam_systemd.c  | 2 +-
 src/run/run.c| 2 +-
 src/shared/copy.c| 2 +-
 src/shared/fdset.c   | 2 +-
 src/shared/install.c | 2 +-
 src/shared/util.h| 5 +
 14 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/CODING_STYLE b/CODING_STYLE
index a295ca7..19891ce 100644
--- a/CODING_STYLE
+++ b/CODING_STYLE
@@ -233,12 +233,12 @@
   fork()ed off a child process, please use _exit() instead of exit(),
   so that the exit handlers are not run.
 
-- Please never use dup(). Use fcntl(fd, F_DUPFD_CLOEXEC, 3)
-  instead. For two reason: first, you want O_CLOEXEC set on the new fd
+- Please never use dup(). Use the dup_cloexec() helper instead.
+  For two reasons: first, you want O_CLOEXEC set on the new fd
   (see above). Second, dup() will happily duplicate your fd as 0, 1,
   2, i.e. stdin, stdout, stderr, should those fds be closed. Given the
   special semantics of those fds, it's probably a good idea to avoid
-  them. F_DUPFD_CLOEXEC with 3 as parameter avoids them.
+  them.
 
 - When you define a destructor or unref() call for an object, please
   accept a NULL object and simply treat this as NOP. This is similar
diff --git a/src/import/curl-util.c b/src/import/curl-util.c
index d390cfb..dfa5acc 100644
--- a/src/import/curl-util.c
+++ b/src/import/curl-util.c
@@ -131,7 +131,7 @@ static int curl_glue_socket_callback(CURLM *curl, 
curl_socket_t s, int action, v
  * anymore. Hence, duplicate the fds here, and keep a
  * copy for epoll which we control after use. */
 
-fd = fcntl(s, F_DUPFD_CLOEXEC, 3);
+fd = dup_cloexec(s);
 if (fd  0)
 return -1;
 
diff --git a/src/import/importd.c b/src/import/importd.c
index d4da4b2..416a43c 100644
--- a/src/import/importd.c
+++ b/src/import/importd.c
@@ -765,7 +765,7 @@ static int method_import_tar_or_raw(sd_bus *bus, 
sd_bus_message *msg, void *user
 if (!t-local)
 return -ENOMEM;
 
-t-stdin_fd = fcntl(fd, F_DUPFD_CLOEXEC, 3);
+t-stdin_fd = dup_cloexec(fd);
 if (t-stdin_fd  0)
 return -errno;
 
@@ -826,7 +826,7 @@ static int method_export_tar_or_raw(sd_bus *bus, 
sd_bus_message *msg, void *user
 if (!t-local)
 return -ENOMEM;
 
-t-stdout_fd = fcntl(fd, F_DUPFD_CLOEXEC, 3);
+t-stdout_fd = dup_cloexec(fd);
 if (t-stdout_fd  0)
 return -errno;
 
diff --git a/src/journal/cat.c b/src/journal/cat.c
index 2e236f0..9e26e7c 100644
--- a/src/journal/cat.c
+++ b/src/journal/cat.c
@@ -138,7 +138,7 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
 
-saved_stderr = fcntl(STDERR_FILENO, F_DUPFD_CLOEXEC, 3);
+saved_stderr = dup_cloexec(STDERR_FILENO);
 
 if (dup3(fd, STDOUT_FILENO, 0)  0 ||
 dup3(fd, STDERR_FILENO, 0)  0) {
diff --git a/src/libsystemd-terminal/grdev-drm.c 
b/src/libsystemd-terminal/grdev-drm.c
index 066a4d8..deb7e94 100644
--- a/src/libsystemd-terminal/grdev-drm.c
+++ b/src/libsystemd-terminal/grdev-drm.c
@@ -2782,7 +2782,7 @@ static int managed_card_resume_device_fn(sd_bus *bus,
  * TakeDevice(). However, lets be safe and use this FD in case
  * we really don't have one. There is no harm in doing this
  * and our code works fine this way. */
-fd = fcntl(fd, F_DUPFD_CLOEXEC, 3);
+fd = dup_cloexec(fd);
 if (fd  0) {
 log_debug_errno(errno, grdrm: %s/%s: cannot duplicate 
fd: %m,
 session-name, cm-card.base.name);
@@ -2874,7 +2874,7 @@ static int managed_card_take_device_fn(sd_bus *bus,
 return 0;
 }
 
-fd = fcntl(fd, F_DUPFD_CLOEXEC, 3);
+fd = dup_cloexec(fd);
 if (fd  0) {
 log_debug_errno(errno, grdrm: %s/%s: cannot duplicate fd: %m,
 session-name, cm-card.base.name);
diff --git a/src/libsystemd-terminal/idev-evdev.c 
b/src/libsystemd-terminal/idev-evdev.c
index 91ae507..c49ba90 100644
--- a/src/libsystemd-terminal/idev-evdev.c
+++ b/src/libsystemd-terminal/idev-evdev.c
@@ -559,7 +559,7 @@ static int managed_evdev_take_device_fn(sd_bus *bus,
 if (paused)
 return 0;
 
-fd = fcntl(fd,

Re: [systemd-devel] Setting up network interfaces for containers with --private-network

2015-04-22 Thread Spencer Baugh

Lennart Poettering lenn...@poettering.net writes:
 On Wed, 22.04.15 13:41, Spencer Baugh (sba...@catern.com) wrote:
  Lennart Poettering lenn...@poettering.net writes:
   Well, again, I doubt that configuration exclusivel at
   interface-creation-time will be useful for more than the most trivial
   cases, already because as mentioned it would not cover DNS server
   configuration and thelike.
  
  Sure, I'm in agreement, but there are things that can only be
  configured at interface-creation-time. As a trivial example, the type
  of the interface. And it looks like for ipvlan you can only choose L2 or
  L3 mode at creation-time.
  
  Additionally, it seems to me that the MAC address, at least, is
  something that you might want to configure only at creation-time and not
  change later.

 networkd considers the MAC address that can be changed for the network
 you connect to, and can hence change dynamically depending on the
 network you pick.

 Hmm, there's indeed a gap here though: as .link files are applied by
 udev, not by networkd, and udev is not available in containers, .link
 files are currently not applied at all in containers. It might be an
 option to do this within networkd instead of udev when it is run in a
 container.

 Of course, this will then only cover the props that can be changed
 with .link files, not the ones that have to be specified at link
 creation time.

 For those, things are nasty. I mean, for things like ipvlan which
 relate to an interface outside of the container, this means we need to
 create them outside of the container, and thus they need to be
 configured initially outside of the container.

 So far we handled all this inside .netdev files, that are processed by
 networkd. We have limited support for creating these devices also with
 nspawn (i.e. the --network-veth, --network-macvlan and
 --network-ipvlan switches), but I'd be really careful with turning
 them into more than just basic switches, I'd really leave more complex
 cases with networkd.

 Now, I am not really sure how would could hook this up... After all
 as you say it will not be sufficient to create the netdevs once before
 nspawn uses them, they need to be created before each time before
 nspawn uses them.

 As soon as networkd gains a bus interface maybe an option could be to
 hook up nspawn's --network-interface= with it: if the specified
 interface doesn't exist, nspawn could synchronously ask networkd to
 create it. With that in place you could then configure .netdev files
 outside of the container, and neatly pass them on into the container,
 without races. Would that fix your issue?

Yes, that sounds like it would work. This would destroy and recreate the
interface on reboot, which is fine for my use case.

There might at some point be a desire by someone else to have the
interface not be destroyed on reboot. At that point it would just
require teaching networkd something about network namespaces, which
shouldn't be hard. I don't want that myself, of course.

As a stopgap measure until the feature you described is ready, I'll use
the .service with PrivateNetwork= and JoinsNamespaceOf= suggestion you
made earlier.

  If you really want fixed IP addresses, I think this could work:
 
  We add configurability for the DHCP server address range in networkd,
  including taking ranges that contain a single IP address. You could
  then assign fixed addresses to your containers simply by dropping a
  .network snippet for them, that only contains a single dhcp range IP
  address for it. THat should work, no?
 
 This would be a nice feature and would work for many use cases.
 
 My problem with this solution is that I'm using IPv6. With IPv6, I can
 set up stateless autoconfiguration to assign IPs to interfaces.  In
 that case the IP is directly determined by the MAC address, so it is not
 possible (AFAIK?) to specify a range of IPs of length 1 to force that
 single IP to be assigned to a specific interface.
 
 I would somewhat prefer to be using this feature of IPv6, rather than
 using DHCPv6; and anyway, networkd doesn't support DHCPv6 right now,
 right? So this doesn't necessarily work for me.

 True. It's certainly our plan to support it eventually.

That's in reference to just DHCPv6, right? What about stateless
autoconfiguration, out of curiosity?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/3] zsh-completion: add missing completions for machinectl

Ah, completely missed images. So perhaps something like this would be
better?

machinectl --full --no-legend --no-pager list-images | awk '{print $1}'

as this lists

fedora
fedora-rawhide

instead of

fedora.raw
fedora-rawhide

However this will break if one has spaces in the container name. I would
delimit awk by a tab, but it seems list-images doesn't delimit by tabs. So
I'm not sure what the best solution would be as something like this, ls -1
/var/lib/container | sed 's|\.raw||g' seems kind of silly.

(Apologies for sending twice. I missed the CC)

On Wed, Apr 22, 2015 at 11:20 AM, Lennart Poettering lenn...@poettering.net
 wrote:

 On Wed, 22.04.15 11:07, Lukas Rusak (loru...@gmail.com) wrote:

  ---
   shell-completion/zsh/_machinectl | 84
 +---
   1 file changed, 70 insertions(+), 14 deletions(-)
 
  diff --git a/shell-completion/zsh/_machinectl
 b/shell-completion/zsh/_machinectl
  index c666b7e..2b1b7ed 100644
  --- a/shell-completion/zsh/_machinectl
  +++ b/shell-completion/zsh/_machinectl
  @@ -1,5 +1,20 @@
   #compdef machinectl
 
  +__get_available_machines () {
  +ls -1 /var/lib/container |  {while read -r a b; do echo $a; done;}
  +}

 Hmm, the right way to list running containers is with machinectl
 list. The right way to list container images is with machinectl
 list-images.

 Just listing /var/lib/container is not right, because the we tent to
 prefer /var/lib/machines now, and because we support raw images in
 those dirs, which carry the .raw suffix which should be removed when
 used as machine name.

 Lennart

 --
 Lennart Poettering, Red Hat

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tree-wide: Introduce a dup_cloexec inline helper

Patchset imported to github.
Pull request:
https://github.com/systemd-devs/systemd/compare/master...systemd-mailing-devs:1429730951-13156-1-git-send-email-crrodriguez%40opensuse.org

--
Generated by https://github.com/haraldh/mail2git
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] machinectl login machine fails systemd 219

2015-04-22 Thread Keller, Jacob E

On Wed, 2015-04-22 at 22:25 +0200, Lennart Poettering wrote:
 On Fri, 17.04.15 18:40, Keller, Jacob E (jacob.e.kel...@intel.com) wrote:
 
  On Wed, 2015-04-15 at 00:07 +0200, Stefan Tatschner wrote:
   On Di, 2015-04-14 at 21:56 +, Keller, Jacob E wrote:
Failed to get machine PTY: Message did not receive a reply (timeout 
by message bus)

I get a notification on the machine itself that it started container
getty and then stopped it.

It worked earlier so I am not sure what changed. No one on google 
seems
to have this specific error.
   
   There is a patch which fixes this problem:
   http://lists.freedesktop.org/archives/systemd-devel/2015
   -February/028603.html
   
   git log --grep tells me that is has been already commited as
   f2273101c21bc59a390379e182e53cd4f07a7e71:
   
   http://cgit.freedesktop.org/systemd/systemd/commit/?id=f2273101c21bc59a
   390379e182e53cd4f07a7e71
   
   
   Stay tuned,
   Stefan
  
  I still seem to have this issue with this. I am currently working on
  compiling upstream git of systemd so I can try running machined from
  there. Will let you know results.
 
 Are you sure you updated both the client machinectl and the machined
 daemon and restarted it?
 
 This works fine here with current git...
 
 Lennart
 

I probably didn't update both client and daemon. I'll double check
that :)

Regards,
Jake
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] cryptsetup-generator: support rd.luks.key=keyfile:keyfile_device

On Fri, 20.02.15 10:56, Jan Synacek (jsyna...@redhat.com) wrote:

Sorry for the late review.

What's the precise background of this? Can you elaborate? Is there
some feature request for this?

What does this actually do? Is the specified key file read from the
specified device? The order of keyfile:device sounds weird, no?
Shouldn't it be the other way round?

Is this specific to Dracut so far? Is this widely used, and something
that we really want.

 First version of the patch that allows rd.luks.key to be specified
 almost the same way as dracut can read it.
 
 The solution creates a temporary mount unit mnt.mount that the
 generated cryptsetup service wants.  The partition where the keyfile
 is then mounted to /mnt and the absolute path to the keyfile is
 changed so it points to this temporary mount instead.

Well, I'd place this in /run somewhere. Maybe
/run/systemd/cryptsetup/mount or so...

 I'm not sure if temporarily mounting something to /mnt in initrd is
 safe. If not, what would be a preffered way to do this?

What does temporarily mean? When is this unmounted?

 Also, there's a problem that I'm not sure how to solve. If the
 keyfile_device is somehow misspecified (for example, the uuid simply
 isn't valid), the boot stalls. I believe that this was one of the
 problems in https://bugzilla.redhat.com/show_bug.cgi?id=905683. I
 was thinking about using udev to verify the uuid and its device, but
 I'm not sure if this makes sense to do in initrd. Any pointers would
 be appreciated.

Things like this are necessarily racy: at boot time devices are not
probed yet, and just start to appear. That means if you enumerate them
it is highly likely your block device has not shown up yet, but will
so shortly. Hence you need to wait for them. But that means you cannot
really distuingish the case not shown up yet, but will from will
never show up...

 Once the above problems are sorted out, an extension of this patch
 (perhaps another patch?) would be to also support the third argument
 that rd.luks.key can take in dracut.

Which is?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/3] zsh-completion: add missing completions for machinectl

On Wed, 22.04.15 15:44, Lukas Rusak (loru...@gmail.com) wrote:

 Here is a rebase of the original patch to include the discussed changes

Where?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] cryptsetup-generator: support rd.luks.key=keyfile:keyfile_device

2015-04-22 Thread Andrei Borzenkov

В Thu, 23 Apr 2015 00:48:38 +0200
Lennart Poettering lenn...@poettering.net пишет:

 On Fri, 20.02.15 10:56, Jan Synacek (jsyna...@redhat.com) wrote:
 
 Sorry for the late review.
 
 What's the precise background of this? Can you elaborate? Is there
 some feature request for this?
 

There are multiple bug reports that switching to dracut with integrated
systemd breaks ability to auto-setup encrypted devices using keyfile
on external USB stick.

 What does this actually do? Is the specified key file read from the
 specified device?

It reads keyfile from filesystem on device identifed by keyfile_device.

  The order of keyfile:device sounds weird, no?
 Shouldn't it be the other way round?
 

keyfile is mandatory, keyfile_device is optional and can be omitted. I
believe dracut looked at all existing devices then. This order makes
it easier to omit optional parameter(s).

In any case it became dracut API which is too late to change.

 Is this specific to Dracut so far? Is this widely used, and something
 that we really want.
 

I can say about dracut only but yes, it is used and it is serious
regression when it is used comparing with pre-systemd version.

  First version of the patch that allows rd.luks.key to be specified
  almost the same way as dracut can read it.
  
  The solution creates a temporary mount unit mnt.mount that the
  generated cryptsetup service wants.  The partition where the keyfile
  is then mounted to /mnt and the absolute path to the keyfile is
  changed so it points to this temporary mount instead.
 
 Well, I'd place this in /run somewhere. Maybe
 /run/systemd/cryptsetup/mount or so...
 
  I'm not sure if temporarily mounting something to /mnt in initrd is
  safe. If not, what would be a preffered way to do this?
 
 What does temporarily mean? When is this unmounted?
 

To fetch keyfile dracut needs to mount USB stick. This mount is not
normally needed after cryptomount setup is completed.

  Also, there's a problem that I'm not sure how to solve. If the
  keyfile_device is somehow misspecified (for example, the uuid simply
  isn't valid), the boot stalls. I believe that this was one of the
  problems in https://bugzilla.redhat.com/show_bug.cgi?id=905683. I
  was thinking about using udev to verify the uuid and its device, but
  I'm not sure if this makes sense to do in initrd. Any pointers would
  be appreciated.
 
 Things like this are necessarily racy: at boot time devices are not
 probed yet, and just start to appear. That means if you enumerate them
 it is highly likely your block device has not shown up yet, but will
 so shortly. Hence you need to wait for them. But that means you cannot
 really distuingish the case not shown up yet, but will from will
 never show up...
 
  Once the above problems are sorted out, an extension of this patch
  (perhaps another patch?) would be to also support the third argument
  that rd.luks.key can take in dracut.
 
 Which is?
 

LUKS device to which key applies. Can be wildcarded.

 Lennart
 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v3 2/2] Add more firewire properties for sound, to be closer to USB and PCI

Patchset imported to github.
Pull request:
https://github.com/systemd-devs/systemd/compare/master...systemd-mailing-devs:1429751139-7651-2-git-send-email-agoode%40google.com

--
Generated by https://github.com/haraldh/mail2git
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH v3 2/2] Add more firewire properties for sound, to be closer to USB and PCI

2015-04-22 Thread Adam Goode

USB and PCI soundcards have a nice set of ID_* properties. It would
be handy for firewire soundcards to have the same.

Note that this removes the explicit setting of ID_ID in the firewire
conditional. Because we are now setting ID_SERIAL, ID_ID will come
from later in the file.
---
 rules/78-sound-card.rules | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/78-sound-card.rules b/rules/78-sound-card.rules
index bd7a994..04740e8 100644
--- a/rules/78-sound-card.rules
+++ b/rules/78-sound-card.rules
@@ -41,14 +41,17 @@ IMPORT{builtin}=hwdb
 SUBSYSTEMS==usb, IMPORT{builtin}=usb_id
 SUBSYSTEMS==usb, GOTO=skip_pci
 
-SUBSYSTEMS==firewire, ATTRS{vendor_name}==?*, ATTRS{model_name}==?*, \
-  ENV{ID_BUS}=firewire, ENV{ID_VENDOR}=$attr{vendor_name}, 
ENV{ID_MODEL}=$attr{model_name}
-SUBSYSTEMS==firewire, ATTRS{guid}==?*, ENV{ID_ID}=firewire-$attr{guid}
+SUBSYSTEMS==firewire, ATTRS{guid}==?*, \
+  ENV{ID_BUS}=firewire, ENV{ID_SERIAL}=$attr{guid}, 
ENV{ID_SERIAL_SHORT}=$attr{guid}, \
+  ENV{ID_VENDOR_ID}=$attr{vendor}, ENV{ID_MODEL_ID}=$attr{model}, \
+  ENV{ID_VENDOR}=$attr{vendor_name}, ENV{ID_MODEL}=$attr{model_name}
 SUBSYSTEMS==firewire, GOTO=skip_pci
 
 SUBSYSTEMS==pci, ENV{ID_BUS}=pci, ENV{ID_VENDOR_ID}=$attr{vendor}, 
ENV{ID_MODEL_ID}=$attr{device}
 LABEL=skip_pci
 
+# Define ID_ID if ID_BUS and ID_SERIAL are set. This will work for both
+# USB and firewire.
 ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==?*, 
ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}-$env{ID_USB_INTERFACE_NUM}
 ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==, 
ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}
 
-- 
2.2.0.rc0.207.ga3a616c

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH v3 1/2] Don't use ALSA card id in ID_ID

2015-04-22 Thread Adam Goode

The ALSA id sysattr is generated by the sound subsystem and is not
a stable identifier. It is generated though some string manipulation
then made unique if there is a conflict. This means that it is
enumeration-dependent and shouldn't be used for ID_ID.

If ID_ID is supposed to be system-unique, it is not already since
for firewire it is generated from the guid and there are broken
firewire devices that have duplicate guids across devices.

This is tracked for PulseAudio at
https://bugs.freedesktop.org/show_bug.cgi?id=90129.

This is essentially a revert of systemd
ed1b2d9fc7d5c5bfe2a67b0b8ff9e5ea8694268e.
---
 rules/78-sound-card.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/78-sound-card.rules b/rules/78-sound-card.rules
index 295f490..bd7a994 100644
--- a/rules/78-sound-card.rules
+++ b/rules/78-sound-card.rules
@@ -49,8 +49,8 @@ SUBSYSTEMS==firewire, GOTO=skip_pci
 SUBSYSTEMS==pci, ENV{ID_BUS}=pci, ENV{ID_VENDOR_ID}=$attr{vendor}, 
ENV{ID_MODEL_ID}=$attr{device}
 LABEL=skip_pci
 
-ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==?*, 
ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}-$env{ID_USB_INTERFACE_NUM}-$attr{id}
-ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==, 
ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}-$attr{id}
+ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==?*, 
ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}-$env{ID_USB_INTERFACE_NUM}
+ENV{ID_SERIAL}==?*, ENV{ID_USB_INTERFACE_NUM}==, 
ENV{ID_ID}=$env{ID_BUS}-$env{ID_SERIAL}
 
 IMPORT{builtin}=path_id
 
-- 
2.2.0.rc0.207.ga3a616c

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v2 2/2] Add more firewire properties for sound, to be closer to USB and PCI

2015-04-22 Thread Adam Goode

On Wed, Apr 22, 2015 at 11:17 AM, Lennart Poettering lenn...@poettering.net
 wrote:

 On Tue, 21.04.15 17:45, Adam Goode (ago...@google.com) wrote:

  USB and PCI soundcards have a nice set of ID_* properties. It would
  be handy for firewire soundcards to have the same.

 As requested earlier, please document in the commit messsage that this
 does not eat up ID_ID.



In v3, this is now mentioned in the commit message as well as being a
comment in the rules file directly.


Thanks,

Adam
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] util: Fix assertion in split() on missing '

On Wed, 22.04.15 23:20, Martin Pitt (martin.p...@ubuntu.com) wrote:

 Hello all,
 
 today I got a report about crashing systemd (pid 1) by installing a
 package with a broken unit file. Rebooting also doesn't work as
 systemd immediately crashes again. It turns out the unit file used a
 multi-line ExecStart= with ' quoting where the author (accidentally)
 added a trailing slash after the usual \ escaping of the newline:
 
 -- snip -
 [Unit]
 Description=test
 
 [Service]
 ExecStart=/bin/echo 'foo \ 
 bar'
 -- snip -
 
 Instead of actually breaking your machine, you can just copy that unit
 to e. g. /tmp and then run systemd-analyze verify test.service to
 get the same assertion.
 
 Of course this syntax is invalid, but systemd certainly shouldn't
 spill its guts that hard, but just reject the broken .service file.
 
 Simple fix with test case attached.

Thanks! Applied!

We really should get rid of split() entirely. The code is ugly, and it
pretends to do quoting, but actually doesn't do it properly. An
unquote_first_word() loop is really the much better option.

Would love if somebody would sit down and port this all over...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Failure(s) Building Systemd with --enable-resolved

On Tue, 21.04.15 08:39, aaron_wri...@selinc.com (aaron_wri...@selinc.com) wrote:

 I've been getting a few problems building systemd with --enable-resolved
 . Any help would be very welcomed. I don't have any problems when 
 compiling with --disable-resolved.
 
 The first problem I got was this:
 
   CCLD   libnss_resolve.la
 libsystemd_internal_la-bus-message.o (symbol from plugin): warning: memset 
 used with constant zero length parameter; this could be due to transposed 
 parameters
 /tmp/cc03x1nN.ltrans6.ltrans.o: In function `bus_error_name_to_errno.4725
 ':
 cc03x1nN.ltrans6.o:(.text+0x12bb): undefined reference to 
 `__stop_BUS_ERROR_MAP'
 cc03x1nN.ltrans6.o:(.text+0x12c2): undefined reference to 
 `__start_BUS_ERROR_MAP'
 collect2: ld returned 1 exit status

Kay made some changes to the build system for this. Can you check if
this part works now for you?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] util: Fix assertion in split() on missing '

Patchset imported to github.
Pull request:
https://github.com/systemd-devs/systemd/compare/master...systemd-mailing-devs:2015042023.GD3982%40piware.de

--
Generated by https://github.com/haraldh/mail2git
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/3] zsh-completion: add missing completions for machinectl

Appologies, I'm still getting used to this mailing list thing and using git 
send-email

---
 shell-completion/zsh/_machinectl | 84 +---
 1 file changed, 70 insertions(+), 14 deletions(-)

diff --git a/shell-completion/zsh/_machinectl b/shell-completion/zsh/_machinectl
index c666b7e..a81c5c7 100644
--- a/shell-completion/zsh/_machinectl
+++ b/shell-completion/zsh/_machinectl
@@ -1,5 +1,20 @@
 #compdef machinectl
 
+__get_available_machines () {
+machinectl --no-legend list-images | awk '{print $1}' |  {while read -r a 
b; do echo $a; done;}
+}
+
+_available_machines() {
+local -a _machines
+_machines=(${(fo)$(__get_available_machines)})
+typeset -U _machines
+if [[ -n $_machines ]]; then
+_describe 'machines' _machines
+else
+   _message 'no machines'
+fi
+}
+
 (( $+functions[_machinectl_command] )) || _machinectl_command()
 {
   local -a _machinectl_cmds
@@ -7,23 +22,55 @@
 list:List currently running VMs/containers
 status:Show VM/container status
 show:Show properties of one or more VMs/containers
+start:Start container as a service
 login:Get a login prompt on a VM/container
+enable:Enable automatic container start at boot
+disable:Disable automatic container start at boot
 poweroff:Power off one or more VMs/containers
 reboot:Reboot one or more VMs/containers
 terminate:Terminate one or more VMs/containers
 kill:Send signal to process or a VM/container
+copy-to:Copy files from the host to a container
+copy-from:Copy files from a container to the host
+bind:Bind mount a path from the host into a container
+
+list-images:Show available container and VM images
+image-status:Show image details
+show-image:Show properties of image
+clone:Clone an image
+rename:Rename an image
+read-only:Mark or unmark image read-only
+remove:Remove an image
+
+pull-tar:Download a TAR container image
+pull-raw:Download a RAW container or VM image
+pull-dkr:Download a DKR container image
+list-transfers:Show list of downloads in progress
+cancel-transfer:Cancel a download
   )
+
   if (( CURRENT == 1 )); then
 _describe -t commands 'machinectl command' _machinectl_cmds || compadd $@
   else
 local curcontext=$curcontext
 cmd=${${_machinectl_cmds[(r)$words[1]:*]%%:*}}
 if (( $#cmd )); then
-  case $cmd in
-list) msg=no options ;;
-*)
-  _sd_machines
-  esac
+  if (( CURRENT == 2 )); then
+case $cmd in
+  list*|cancel-transfer|pull-tar|pull-raw|pull-dkr)
+msg=no options ;;
+  start)
+_available_machines ;;
+  *)
+_sd_machines
+esac
+  else
+case $cmd in
+  copy-to|copy-from|bind)
+_files ;;
+  *) msg=no options
+esac
+  fi
 else
   _message no more options
 fi
@@ -33,13 +80,22 @@
 _arguments \
   {-h,--help}'[Prints a short help text and exits.]' \
   '--version[Prints a short version string and exits.]' \
-  \*{-p+,--property=}'[Limit output to specified property.]:property:(Name Id 
Timestamp TimestampMonotonic Service Scope Leader Class State RootDirectory)' \
-  {-a,--all}'[Show all proerties]' \
-  (-l,--full)'[Do not ellipsize cgroup members]' \
-  '--no-pager[Do not pipe output into a pager]' \
-  '--no-ask-password[Do not ask for system passwords]' \
-  '--kill-who=[Who to send signal to]:killwho:(leader all)' \
-  {-s+,--signal=}'[Which signal to send]:signal:_signals' \
-  {-H+,--host=}'[Operate on remote host]:userathost:_sd_hosts_or_user_at_host' 
\
-  {-P,--privileged}'[Acquire privileges before execution]' \
+  '--no-pager[Do not pipe output into a pager.]' \
+  '--no-legend[Do not show the headers and footers.]' \
+  '--no-ask-password[Do not ask for system passwords.]' \
+  {-H+,--host=}'[Operate on remote 
host.]:userathost:_sd_hosts_or_user_at_host' \
+  {-M+,--machine=}'[Operate on local container.]:machine:_sd_machines' \
+  {-p+,--property=}'[Limit output to specified property.]:property:(Name Id 
Timestamp TimestampMonotonic Service Scope Leader Class State RootDirectory)' \
+  {-a,--all}'[Show all proerties.]' \
+  {-q,--quiet}'[Suppress output.]' \
+  {-l,--full}'[Do not ellipsize cgroup members.]' \
+  '--kill-who=[Who to send signal to.]:killwho:(leader all)' \
+  {-s+,--signal=}'[Which signal to send.]:signal:_signals' \
+  '--read-only[Create read-only bind mount.]' \
+  '--mkdir[Create directory before bind mounting, if missing.]' \
+  {-n+,--lines=}'[Number of journal entries to show.]:integer' \
+  {-o+,--output=}'[Change journal output mode.]:output modes:_sd_outputmodes' \
+  '--verify=[Verification mode for downloaded images.]:verify:(no checksum 
signature)' \
+  '--force[Download image even if already exists.]' \
+  '--dkr-index-url=[Specify the index URL to use for DKR image downloads.]' \
   '*::machinectl

[systemd-devel] [PATCH] util: Fix assertion in split() on missing '

2015-04-22 Thread Martin Pitt

Hello all,

today I got a report about crashing systemd (pid 1) by installing a
package with a broken unit file. Rebooting also doesn't work as
systemd immediately crashes again. It turns out the unit file used a
multi-line ExecStart= with ' quoting where the author (accidentally)
added a trailing slash after the usual \ escaping of the newline:

-- snip -
[Unit]
Description=test

[Service]
ExecStart=/bin/echo 'foo \ 
bar'
-- snip -

Instead of actually breaking your machine, you can just copy that unit
to e. g. /tmp and then run systemd-analyze verify test.service to
get the same assertion.

Of course this syntax is invalid, but systemd certainly shouldn't
spill its guts that hard, but just reject the broken .service file.

Simple fix with test case attached.

Thanks,

Martin
-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
From ef581ce6e258ffc0c90f268b6054b83e15374ba6 Mon Sep 17 00:00:00 2001
From: Martin Pitt martin.p...@ubuntu.com
Date: Wed, 22 Apr 2015 23:09:43 +0100
Subject: [PATCH] util: Fix assertion in split() on missing '

When parsing a unit with a trailing slash after an escaped line break, like

  ExecStart=/bin/echo 'foo \
bar'

the split() function (through config_parse()) asserted and crashed pid 1:

  Assertion 'current[*l + 1] == quotechars[0]' failed at ../src/shared/util.c:583, function split(). Aborting.

Fix this by returning an error in this case (trailing garbage).

Add corresponding test case. Also fix the missing unit argument of
config_parse_exec() in the comment.

https://launchpad.net/bugs/1447243
---
 src/shared/util.c |  3 +--
 src/test/test-unit-file.c | 15 +++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/shared/util.c b/src/shared/util.c
index 4a04484..6a883d7 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -570,13 +570,12 @@ const char* split(const char **state, size_t *l, const char *separator, bool quo
 char quotechars[2] = {*current, '\0'};
 
 *l = strcspn_escaped(current + 1, quotechars);
-if (current[*l + 1] == '\0' ||
+if (current[*l + 1] == '\0' || current[*l + 1] != quotechars[0] ||
 (current[*l + 2]  !strchr(separator, current[*l + 2]))) {
 /* right quote missing or garbage at the end */
 *state = current;
 return NULL;
 }
-assert(current[*l + 1] == quotechars[0]);
 *state = current++ + *l + 2;
 } else if (quoted) {
 *l = strcspn_escaped(current, separator);
diff --git a/src/test/test-unit-file.c b/src/test/test-unit-file.c
index 22ac76d..5a9796d 100644
--- a/src/test/test-unit-file.c
+++ b/src/test/test-unit-file.c
@@ -91,6 +91,7 @@ static void check_execcommand(ExecCommand *c,
 
 static void test_config_parse_exec(void) {
 /* int config_parse_exec(
+ const char *unit,
  const char *filename,
  unsigned line,
  const char *section,
@@ -302,6 +303,20 @@ static void test_config_parse_exec(void) {
 assert_se(r == 0);
 assert_se(c1-command_next == NULL);
 
+log_info(/* missing ending ' */);
+r = config_parse_exec(NULL, fake, 4, section, 1,
+  LValue, 0, /path 'foo,
+  c, NULL);
+assert_se(r == 0);
+assert_se(c1-command_next == NULL);
+
+log_info(/* missing ending ' with trailing backslash */);
+r = config_parse_exec(NULL, fake, 4, section, 1,
+  LValue, 0, /path 'foo\\,
+  c, NULL);
+assert_se(r == 0);
+assert_se(c1-command_next == NULL);
+
 exec_command_free_list(c);
 }
 
-- 
2.1.4



signature.asc
Description: Digital signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

2015-04-22 Thread Dominick Grift

 2015-04-22 14:14 GMT+02:00 Lennart Poettering lennart at poettering.net:

 Well, I really don't want to give networkd the caps for that,
 sorry. It's a network facing daemon, it should not be able to load
 kernel modules.

But it is okay for networkd to manipulate the firewall directly.

The nft manual page states that the iptable_nat module conflicts with the 
module that deals with nftables nat. Does that mean that
the networkd IPMasquerade=  functionality will not work if one blacklists 
iptables_nat?

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindexsearch=0x314883A202DFF788
Dominick Grift


pgpNEepiniQub.pgp
Description: PGP signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Setting up network interfaces for containers with --private-network

On Wed, 22.04.15 15:52, Spencer Baugh (sba...@catern.com) wrote:

  As soon as networkd gains a bus interface maybe an option could be to
  hook up nspawn's --network-interface= with it: if the specified
  interface doesn't exist, nspawn could synchronously ask networkd to
  create it. With that in place you could then configure .netdev files
  outside of the container, and neatly pass them on into the container,
  without races. Would that fix your issue?
 
 Yes, that sounds like it would work. This would destroy and recreate the
 interface on reboot, which is fine for my use case.

I'll add it to the TODO list.

It's not actually nspawn that destroys these interfaces, it's the
kernel. 

 There might at some point be a desire by someone else to have the
 interface not be destroyed on reboot. At that point it would just
 require teaching networkd something about network namespaces, which
 shouldn't be hard. I don't want that myself, of course.

Hmm, I am not sure that that teaching networkd namespacing is that
easy or desirable. 

But anyway, we can discuss this when this comes up.

  I would somewhat prefer to be using this feature of IPv6, rather than
  using DHCPv6; and anyway, networkd doesn't support DHCPv6 right now,
  right? So this doesn't necessarily work for me.
 
  True. It's certainly our plan to support it eventually.
 
 That's in reference to just DHCPv6, right? What about stateless
 autoconfiguration, out of curiosity?

THe code for that is already in place.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tree-wide: Introduce a dup_cloexec inline helper

On Wed, 22.04.15 16:29, Cristian Rodríguez (crrodrig...@opensuse.org) wrote:

 - Nicer  easier to remember than fcntl(fd, F_DUPFD_CLOEXEC, 3)
 - Update CODING_STYLE
 - Use it tree-wide

I am not convinced this is a good idea like this.

Our own functions tend to return proper negative error codes. This
function should hence do the same, at least.

Also, It shouldn't be called dup_cloexec() I think, since that
misleads people to think it is just a cloexec version of dup(), which
it isn't. Maybe a name like dupfd_cloexec() would be better, since it
doesn't try to be similar named to dup(), and in fact is closer to
F_DUPFD_CLOEXEC that it internall wraps.

 +static inline int dup_cloexec(int oldfd)
 +{
 +return fcntl(oldfd, F_DUPFD_CLOEXEC, STDERR_FILENO + 1);
 +}

We place the opening { on the same line as the function name, see
CODING_STYLE.

Also, a comment next to that declaration is probably a good idea, to
explain why this function exists at all, and is better than dup().

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] machinectl login machine fails systemd 219

On Fri, 17.04.15 18:40, Keller, Jacob E (jacob.e.kel...@intel.com) wrote:

 On Wed, 2015-04-15 at 00:07 +0200, Stefan Tatschner wrote:
  On Di, 2015-04-14 at 21:56 +, Keller, Jacob E wrote:
   Failed to get machine PTY: Message did not receive a reply (timeout 
   by message bus)
   
   I get a notification on the machine itself that it started container
   getty and then stopped it.
   
   It worked earlier so I am not sure what changed. No one on google 
   seems
   to have this specific error.
  
  There is a patch which fixes this problem:
  http://lists.freedesktop.org/archives/systemd-devel/2015
  -February/028603.html
  
  git log --grep tells me that is has been already commited as
  f2273101c21bc59a390379e182e53cd4f07a7e71:
  
  http://cgit.freedesktop.org/systemd/systemd/commit/?id=f2273101c21bc59a
  390379e182e53cd4f07a7e71
  
  
  Stay tuned,
  Stefan
 
 I still seem to have this issue with this. I am currently working on
 compiling upstream git of systemd so I can try running machined from
 there. Will let you know results.

Are you sure you updated both the client machinectl and the machined
daemon and restarted it?

This works fine here with current git...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd startup failed...

On Fri, 20.02.15 19:39, aotto (aotto1...@t-online.de) wrote:

 Hi,
 
 Using fresh installation with suse 13.2 my startup with systemd is
 failing...

THis appears to be the same issue as this one:

https://bugs.freedesktop.org/show_bug.cgi?id=89817

Which appears to be a kernel issue, see last comment.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] journald problems

2015-04-22 Thread Michał Zegan

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Any chance it may be related to copy on write or whatever?

W dniu 2015-04-22 o 00:28, Michał Zegan pisze:
 Hello.
 
 I have just removed my journal files and restarted journald. I
 then generated sealing keys, saved the verification key. The system
 worked for maybe an hour or less, I had to power it off, then it
 was restarted. I tried to verify the journal. This is what
 happened:
 
 PASS:
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/system.journal
 
 
 390398: tag failed verification
 
 
 File corruption detected at 
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1000.journal:39
03

 
98
 (of 8388608 bytes, 44%). FAIL: 
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1000.journal

 
(Bad message)
 
 3987a0: tag failed verification
 
 
 File corruption detected at 
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1002.journal:39
87

 
a0
 (of 8388608 bytes, 44%). FAIL: 
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1002.journal

 
(Bad message)
 
 3903a0: tag failed verification
 
 
 File corruption detected at 
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1001.journal:39
03

 
a0
 (of 8388608 bytes, 44%). FAIL: 
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1001.journal

 
(Bad message)
 
 What is happening here? It always happens after sealing, no matter 
 what I am doing, all new journal files are corrupted and show this 
 message.
 
 Systemd version 219, system is archlinux, kernel 3.19.3-3-ARCH,
 and filesystem is btrfs if at all important.
 
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBAgAGBQJVOBDDAAoJEHb1CzgxXKwYwmoP/3pKX6QBcUDxoNRhXzGmGCtG
I4ojFgtZ1f6Q3r+RHtne7ph95r8vaHfNyB51qCvK6pWeZRUnpWf/RlB9Ha3UgMXp
Hi2OKuWU8lw7jxFszh+LYcI6F0Kp95HQjKKGd0YShCkW2k+Bll6t1hmTSKq73IAF
BGBSuddq3J1nkM2cq9lABsYBMviOZZ7XKo3C1uL5eXZRoEw3lCOmyB01dzqa1LYy
KeJ0foiHWwERcoMz1Mu0CWqLrbfGq9BS3TdhIyoGRPYDTjBx570XYmNNWJIvuLJr
E33JezQn7TTSIElo96bm4sKz+uPvny7prEwxzKy+glchmcM3aLEHIKXT51n1u/wM
VwLhhvdzSely5ZQ2SdX7rByFGDgNsW1aIcOGAAVBGawkdVoWlANWlDwVaS4VBEKL
8STz/lN6rkcPRYzncVbHqldZ0Y3jYwHbr5u63jtbQTD0zBbfg7QZmcgSCYjMzHNG
+0+DcOvmYIad2dzIjTIPUUPzwBVlNKHMdaxdvBQlAexxU/THH+NN/7kaQh6QntOb
4cdOZBKda0JYPyAKVytvaWabD+r0thDuiJJdQFl2rEV70t/RdVt0ivkRKrN2WokB
TXKANrdLhH5hqcddEzWMjUoXZJJPjEfv7cRrszzeIqYJHvaCz7XIAP9+8Un/eIZ6
RfeGOiIZajOIlK1FiZc1
=pb+S
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/3] zsh-completion: add missing completions for machinectl

Here is a rebase of the original patch to include the discussed changes

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] journald problems

2015-04-22 Thread Mikhail Morfikov

On Wed, 22 Apr 2015 00:28:12 +0200
Michał Zegan webczat_...@poczta.onet.pl wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hello.
 
 I have just removed my journal files and restarted journald. I then
 generated sealing keys, saved the verification key. The system worked
 for maybe an hour or less, I had to power it off, then it was
 restarted. I tried to verify the journal.
 This is what happened:
 
 PASS: /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/system.journal
 
 
  390398: tag failed verification
 
 
  File corruption detected at
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1000.journal:3903
 98
 (of 8388608 bytes, 44%).
  FAIL:
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1000.journal
 (Bad message)
 
  3987a0: tag failed verification
 
 
  File corruption detected at
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1002.journal:3987
 a0
 (of 8388608 bytes, 44%).
  FAIL:
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1002.journal
 (Bad message)
 
  3903a0: tag failed verification
 
 
  File corruption detected at
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1001.journal:3903
 a0
 (of 8388608 bytes, 44%).
  FAIL:
 /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1001.journal
 (Bad message)
 
 What is happening here? It always happens after sealing, no matter
 what I am doing, all new journal files are corrupted and show this
 message.
 
 Systemd version 219, system is archlinux, kernel 3.19.3-3-ARCH, and
 filesystem is btrfs if at all important.
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2
 
 iQIcBAEBAgAGBQJVNs77AAoJEHb1CzgxXKwYldcP/jGnuCyN1hcQvUHgc4ZS+CkW
 gCEf59TteLYO/7yVQnrAs4gHFJ6WJlFw8+2L1Lt9gpts2h41oQxyPjhfa6578kSB
 2ZC+9McpjLqMctn+hBt3GcPyi/vpr7QAm29sBoPpbCl8hCQQeRbGg5dfUnV0q7ot
 ueXiO2VMW2wYDz3/0gmqCf7Fh+ChWdBTNAZFrTMqP1hLw0xTukazpNFGm8sStgcp
 TC2p3JlLmmdCXHxPTGnxFj4jVWuYIOzDajh5GZUPlhmlBy48TKSzF+T3ri6zkOr5
 +lyDC1fho5P7shdSN07OlGLSeg6JXC193gBB8WEhUwTs29fZzjyChke0dHVq/WSj
 2pYpSr5cncxiUnwR5HTAhBRKHctKP8/5Rqmgu9GCEpy52mtuDsHUQQVbckjMaOYj
 9Bz1y+pLNVi5v9AeD3wv/TnxEKeIYd4lwfs9pSutrF/KDo3XxPzys+jgbQvDrxVn
 zbiKW9X8gc0r6P9qQ5p1jcBndW3dstQExNqGSZCgrCckymDxiSzfhjKQe8G/rD/O
 29By4j9vbhHRq/gVpo0MWdnn8I1PCAxpqrftxCLmkEUNCgNAn+xIzwe+G6ppmAv7
 4ZnbYfvLAz4Fj0g4QmswCXZB+DEqowrHK5N89BWxRSiY19A87l7BeFDzIFytOfkC
 LHhedmjVTZXNvgTZXyeE
 =VsvH
 -END PGP SIGNATURE-
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel

It seems you have exactly the same issue that I had. I described the
problem here: 
http://lists.freedesktop.org/archives/systemd-devel/2015-February/028119.html ,
but no one answered it. I was just testing this sealing feature and
forgot about it because I couldn't make it work, and there was no info
what to do with the problem.

It seems I'm not the only one who has the issue, you have it on
archlinux, and I had it on debian, different kernels, and different
filesystem types.


pgp4xXrSZvggC.pgp
Description: OpenPGP digital signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/2] Partially revert patch 11689d2a which force the NOCOW attribute.

On Sun, 12.04.15 20:30, Goffredo Baroncelli (kreij...@libero.it) wrote:

 From: Goffredo Baroncelli kreij...@inwind.it
 
 Partially revert patch 11689d2a, which force the NOCOW attribute for the
 journal files. This patch was introduced to allievate the perfomances
 problem that journald shows on the BTRFS filesystem.
 
 Because the NOCOW attribute is forced the user can't revert to
 the old behavior. However NOCOW attribute disables the btrfs checksums,
 which prevent BTRFS to rebuild a currupted file in an RAIDx filesystem.
 
 To continue to set the NOCOW attribute, use the h|H command of
 systemd-tmpfile.

I have now commited a similar patch that replaces the patching of the
attribute for new journal files with a warning if we notice the
journal file is on btrfs and the flag is not set.

I hope this settles the issue!

Thanks!

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Setting up network interfaces for containers with --private-network

On Tue, 21.04.15 15:22, Spencer Baugh (sba...@catern.com) wrote:

  Also, trivial static IP configuration is seldom sufficient, you at
  least need to also provide DNS configuration, and if you don't use
  DHCP or something similar then you need to configure that inside the
  container anyway. But if you do that you might as well configure the
  static IP addresses in it too, so what is gained by doing this from a
  networkd outside of the cotnainer?
 
  Or am I misunderstanding the role of networkd? It seems like if I am
  writing a service that represents the network interface and namespace
  for this container, I am doing something that networkd should
  ultimately do.
 
  Sure, absolutely. But our idea so far was that networkd should run
  inside the container to configure the container's network, and on the
  host to configure the host's network, but not to cross this boundary
  and have the host networkd configure the container's network.
 
 Hmm, yes, but I think the problem is the configuration done at
 interface-creation-time. It seems to me that that configuration
 currently does not fit naturally in either the host networkd or the
 container networkd.

Well, again, I doubt that configuration exclusivel at
interface-creation-time will be useful for more than the most trivial
cases, already because as mentioned it would not cover DNS server
configuration and thelike.

I am a bit careful with supporting something like this directly in
nspawn if it cannot even cover the most basic cases...

If you really want fixed IP addresses, I think this could work:

We add configurability for the DHCP server address range in networkd,
including taking ranges that contain a single IP address. You could
then assign fixed addresses to your containers simply by dropping a
.network snippet for them, that only contains a single dhcp range IP
address for it. THat should work, no?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Tue, 21.04.15 22:43, Tobias Hunger (tobias.hun...@gmail.com) wrote:

 Hi!
 
 Now that systemd 219 is finally available in arch I am playing with
 systemd-nspawn again.
 
 I was trying to run systemd-nspawn --ephemeral, but that failed
 since I had a read-only image in /var/lib/machines. Why is that not
 allowed? systemd-nspawn does create its own snapshot of that one after
 all (which can be read-write). Why does the base image have to be
 read-write, too?

Hmm? This shouldn't fail. What's the precise error message you get?

 Then I have trouble with systemd-nspawn --network-veth: The host0
 interface won't come up and stays in degraded state. On the host i get
 the following line in the journal:
 
 systemd-networkd[509]: ve-XXX : Could not enable IP masquerading:
 Protocol not available
 
 I have an nftables based firewall up and running, so maybe networkd is
 expecting iptables to be in use?

Most likely iptables is compiled as kernel module for you. The module
cannot be auto-loaded currently, iptables manually loads it for you on
first invocation, networkd doesn't. If you load it manually (by adding
it to modules-load.d for example) things should work.

I am not sure how to fix this best. I#d rather not have networkd gain
support for autoloading kernel modules. Also, it's unlikely to be
sufficient, given that nspawn can make use of the iptables bits as
well...

Maybe we should simply list the iptables kernel modules in
src/core/kmod-setup, and then tell people to blacklist them if they
really don't want them.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 13:46, Lennart Poettering (lenn...@poettering.net) wrote:

  I have an nftables based firewall up and running, so maybe networkd is
  expecting iptables to be in use?
 
 Most likely iptables is compiled as kernel module for you. The module
 cannot be auto-loaded currently, iptables manually loads it for you on
 first invocation, networkd doesn't. If you load it manually (by adding
 it to modules-load.d for example) things should work.
 
 I am not sure how to fix this best. I#d rather not have networkd gain
 support for autoloading kernel modules. Also, it's unlikely to be
 sufficient, given that nspawn can make use of the iptables bits as
 well...
 
 Maybe we should simply list the iptables kernel modules in
 src/core/kmod-setup, and then tell people to blacklist them if they
 really don't want them.

I have made such a change now:

http://cgit.freedesktop.org/systemd/systemd/commit/?id=1d3087978a8ee23107cb64aa55ca97aefe9531e2

Any chance you can check if this makes things work for you?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH 2/3] networkd: introduce vti6 tunnel

This patch add support to create vti6 tunnel

test:

vt6.network
[Match]
Name=wlan0

[Network]
Tunnel=ip6vti

vti6.netdev
[NetDev]
Name=ip6vti
Kind=vti6

[Tunnel]
Local=2a00:ffde:4567:edde::4987
Remote=2001:473:fece:cafe::5179

ip link

11: ip6_vti0@NONE: NOARP mtu 1500 qdisc noop state DOWN mode DEFAULT
group default
link/tunnel6 :: brd ::
12: ip6vti@wlan0: POINTOPOINT,NOARP mtu 1500 qdisc noop state DOWN
mode DEFAULT group default
link/tunnel6 2a00:ffde:4567:edde::4987 peer 2001:473:fece:cafe::5179
---
 src/libsystemd/sd-rtnl/rtnl-types.c  |  3 +++
 src/libsystemd/sd-rtnl/rtnl-types.h  |  1 +
 src/network/networkd-netdev-tunnel.c | 43 
 src/network/networkd-netdev-tunnel.h |  1 +
 src/network/networkd-netdev.c|  2 ++
 src/network/networkd-netdev.h|  2 ++
 src/network/networkd-network.c   |  1 +
 7 files changed, 53 insertions(+)

diff --git a/src/libsystemd/sd-rtnl/rtnl-types.c 
b/src/libsystemd/sd-rtnl/rtnl-types.c
index a5c9fdf..d211684 100644
--- a/src/libsystemd/sd-rtnl/rtnl-types.c
+++ b/src/libsystemd/sd-rtnl/rtnl-types.c
@@ -204,6 +204,7 @@ static const char* const 
nl_union_link_info_data_table[_NL_UNION_LINK_INFO_DATA_
 [NL_UNION_LINK_INFO_DATA_IP6GRETAP_TUNNEL] = ip6gretap,
 [NL_UNION_LINK_INFO_DATA_SIT_TUNNEL] = sit,
 [NL_UNION_LINK_INFO_DATA_VTI_TUNNEL] = vti,
+[NL_UNION_LINK_INFO_DATA_VTI6_TUNNEL] = vti6,
 [NL_UNION_LINK_INFO_DATA_IP6TNL_TUNNEL] = ip6tnl,
 };
 
@@ -238,6 +239,8 @@ static const NLTypeSystem 
rtnl_link_info_data_type_systems[_NL_UNION_LINK_INFO_D
   .types = 
rtnl_link_info_data_iptun_types },
 [NL_UNION_LINK_INFO_DATA_VTI_TUNNEL] =  { .max = 
ELEMENTSOF(rtnl_link_info_data_ipvti_types) - 1,
   .types = 
rtnl_link_info_data_ipvti_types },
+[NL_UNION_LINK_INFO_DATA_VTI6_TUNNEL] =  { .max = 
ELEMENTSOF(rtnl_link_info_data_ipvti_types) - 1,
+  .types = 
rtnl_link_info_data_ipvti_types },
 [NL_UNION_LINK_INFO_DATA_IP6TNL_TUNNEL] =  { .max = 
ELEMENTSOF(rtnl_link_info_data_ip6tnl_types) - 1,
  .types = 
rtnl_link_info_data_ip6tnl_types },
 
diff --git a/src/libsystemd/sd-rtnl/rtnl-types.h 
b/src/libsystemd/sd-rtnl/rtnl-types.h
index 72773ea..de1544b 100644
--- a/src/libsystemd/sd-rtnl/rtnl-types.h
+++ b/src/libsystemd/sd-rtnl/rtnl-types.h
@@ -87,6 +87,7 @@ typedef enum NLUnionLinkInfoData {
 NL_UNION_LINK_INFO_DATA_IP6GRETAP_TUNNEL,
 NL_UNION_LINK_INFO_DATA_SIT_TUNNEL,
 NL_UNION_LINK_INFO_DATA_VTI_TUNNEL,
+NL_UNION_LINK_INFO_DATA_VTI6_TUNNEL,
 NL_UNION_LINK_INFO_DATA_IP6TNL_TUNNEL,
 _NL_UNION_LINK_INFO_DATA_MAX,
 _NL_UNION_LINK_INFO_DATA_INVALID = -1
diff --git a/src/network/networkd-netdev-tunnel.c 
b/src/network/networkd-netdev-tunnel.c
index 7aa9317..aef2ef4 100644
--- a/src/network/networkd-netdev-tunnel.c
+++ b/src/network/networkd-netdev-tunnel.c
@@ -212,6 +212,31 @@ static int netdev_vti_fill_message_create(NetDev *netdev, 
Link *link, sd_rtnl_me
 return r;
 }
 
+static int netdev_vti6_fill_message_create(NetDev *netdev, Link *link, 
sd_rtnl_message *m) {
+Tunnel *t = VTI6(netdev);
+int r;
+
+assert(netdev);
+assert(link);
+assert(m);
+assert(t);
+assert(t-family == AF_INET6);
+
+r = sd_rtnl_message_append_u32(m, IFLA_VTI_LINK, link-ifindex);
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_LINK attribute: %m);
+
+r = sd_rtnl_message_append_in6_addr(m, IFLA_VTI_LOCAL, t-local.in6);
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_LOCAL attribute: %m);
+
+r = sd_rtnl_message_append_in6_addr(m, IFLA_VTI_REMOTE, 
t-remote.in6);
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_REMOTE attribute: %m);
+
+return r;
+}
+
 static int netdev_ip6tnl_fill_message_create(NetDev *netdev, Link *link, 
sd_rtnl_message *m) {
 Tunnel *t = IP6TNL(netdev);
 uint8_t proto;
@@ -287,6 +312,9 @@ static int netdev_tunnel_verify(NetDev *netdev, const char 
*filename) {
 case NETDEV_KIND_VTI:
 t = VTI(netdev);
 break;
+case NETDEV_KIND_VTI6:
+t = VTI6(netdev);
+break;
 case NETDEV_KIND_IP6TNL:
 t = IP6TNL(netdev);
 break;
@@ -374,6 +402,12 @@ static void vti_init(NetDev *n) {
 Tunnel *t = VTI(n);
 
 assert(n);
+
+if (n-kind == NETDEV_KIND_VTI)
+t =  VTI(n);
+else
+t = VTI6(n);
+
 assert(t);
 
 t-pmtudisc = true;
@@ -447,6 +481,15 @@ const NetDevVTable

[systemd-devel] [PATCH 1/3] networkd: tunnel improve logging

Replaces a lof ot strerror() usage with log_netdev_error_errno()
---
 src/network/networkd-netdev-tunnel.c | 240 ++-
 1 file changed, 64 insertions(+), 176 deletions(-)

diff --git a/src/network/networkd-netdev-tunnel.c 
b/src/network/networkd-netdev-tunnel.c
index 89ad3ee..7aa9317 100644
--- a/src/network/networkd-netdev-tunnel.c
+++ b/src/network/networkd-netdev-tunnel.c
@@ -54,44 +54,24 @@ static int netdev_ipip_fill_message_create(NetDev *netdev, 
Link *link, sd_rtnl_m
 assert(t-family == AF_INET);
 
 r = sd_rtnl_message_append_u32(m, IFLA_IPTUN_LINK, link-ifindex);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_LINK attribute: 
%s,
- strerror(-r));
-return r;
-}
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_LINK attribute: %m);
 
 r = sd_rtnl_message_append_in_addr(m, IFLA_IPTUN_LOCAL, t-local.in);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_LOCAL attribute: 
%s,
- strerror(-r));
-return r;
-}
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_LOCAL attribute: %m);
 
 r = sd_rtnl_message_append_in_addr(m, IFLA_IPTUN_REMOTE, 
t-remote.in);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_REMOTE 
attribute: %s,
- strerror(-r));
-return r;
-}
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_REMOTE attribute: %m);
 
 r = sd_rtnl_message_append_u8(m, IFLA_IPTUN_TTL, t-ttl);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_TTL  attribute: 
%s,
- strerror(-r));
-return r;
-}
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_TTL  attribute: %m);
 
 r = sd_rtnl_message_append_u8(m, IFLA_IPTUN_PMTUDISC, t-pmtudisc);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_PMTUDISC 
attribute: %s,
- strerror(-r));
-return r;
-}
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_PMTUDISC attribute: %m);
 
 return r;
 }
@@ -107,44 +87,24 @@ static int netdev_sit_fill_message_create(NetDev *netdev, 
Link *link, sd_rtnl_me
 assert(t-family == AF_INET);
 
 r = sd_rtnl_message_append_u32(m, IFLA_IPTUN_LINK, link-ifindex);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_LINK attribute: 
%s,
- strerror(-r));
-return r;
-}
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_LINK attribute: %m);
 
 r = sd_rtnl_message_append_in_addr(m, IFLA_IPTUN_LOCAL, t-local.in);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_LOCAL attribute: 
%s,
- strerror(-r));
-return r;
-}
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_LOCAL attribute: %m);
 
 r = sd_rtnl_message_append_in_addr(m, IFLA_IPTUN_REMOTE, 
t-remote.in);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_REMOTE 
attribute: %s,
- strerror(-r));
-return r;
-}
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_REMOTE attribute: %m);
 
 r = sd_rtnl_message_append_u8(m, IFLA_IPTUN_TTL, t-ttl);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_TTL attribute: 
%s,
- strerror(-r));
-return r;
-}
+if (r  0)
+return log_netdev_error_errno(netdev, r, Could not append 
IFLA_IPTUN_TTL attribute: %m);
 
 r = sd_rtnl_message_append_u8(m, IFLA_IPTUN_PMTUDISC, t-pmtudisc);
-if (r  0) {
-log_netdev_error(netdev,
- Could not append IFLA_IPTUN_PMTUDISC 
attribute: %s,
- strerror(-r));
-return r;
-}
+if (r  0)

[systemd-devel] [PATCH 3/3] networkd: add man for vti6 tunnel

---
 man/systemd.netdev.xml | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index f413739..3bfd01b 100644
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -155,6 +155,9 @@
   rowentryvarnamevti/varname/entry
   entryAn IPv4 over IPSec tunnel./entry/row
 
+  rowentryvarnamevti6/varname/entry
+  entryAn IPv6 over IPSec tunnel./entry/row
+
   rowentryvarnamevxlan/varname/entry
   entryA virtual extensible LAN (vxlan), for connecting Cloud 
computing deployments./entry/row
 /tbody
@@ -441,7 +444,8 @@
 literalgretap/literal,
 literalip6gre/literal,
 literalip6gretap/literal,
-literalvti/literal, and
+literalvti/literal,
+literalvti6/literal, and
 literalip6tnl/literal and accepts
 the following keys:/para
 
-- 
2.3.5

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 3/3] networkd: add man for vti6 tunnel

Patchset imported to github.
Pull request:
https://github.com/systemd-devs/systemd/compare/master...systemd-mailing-devs:1429692296-5793-3-git-send-email-susant%40redhat.com

--
Generated by https://github.com/haraldh/mail2git
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

2015-04-22 13:57 GMT+02:00 Lennart Poettering lenn...@poettering.net:
 Maybe we should simply list the iptables kernel modules in
 src/core/kmod-setup, and then tell people to blacklist them if they
 really don't want them.

 I have made such a change now:

 http://cgit.freedesktop.org/systemd/systemd/commit/?id=1d3087978a8ee23107cb64aa55ca97aefe9531e2

Not everyone is using networkd or nspawn though, so loading this
module for everyone is a bit excessive.

Why non let nspawn and networkd complain loudly if iptables support is missing?
This would also be better in case you have a kernel compiled withouth
iptables support.

Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 14:09, Michael Biebl (mbi...@gmail.com) wrote:

 2015-04-22 13:57 GMT+02:00 Lennart Poettering lenn...@poettering.net:
  Maybe we should simply list the iptables kernel modules in
  src/core/kmod-setup, and then tell people to blacklist them if they
  really don't want them.
 
  I have made such a change now:
 
  http://cgit.freedesktop.org/systemd/systemd/commit/?id=1d3087978a8ee23107cb64aa55ca97aefe9531e2
 
 Not everyone is using networkd or nspawn though, so loading this
 module for everyone is a bit excessive.

Well, then blacklist the module or don't build it at all.

 Why non let nspawn and networkd complain loudly if iptables support is 
 missing?
 This would also be better in case you have a kernel compiled withouth
 iptables support.

For the same reason that iptables doesn't complain loudly but loads
it. To be user-friendly and just make things work?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Possible systemd segfault switching from 216 to 219 in fedora upgrade

On Fri, 13.03.15 17:59, Will Woods (wwo...@redhat.com) wrote:

(Warming up this rally old thread again, sorry for not responding more timely)

  http://www.freedesktop.org/wiki/Software/systemd/SystemUpdates/
  
  systemd has been implementing this for quite a while, at least for all
  systems fedup should care for. In this scheme you mark the system for
  upgrades, you reboot using the old kernel/initrd. This will now enter
  the special upgrade mode, where you make your changes, and then you
  reboot again with the new kernel.
 
 Yeah, I really wanted that to work, but... when you're replacing
 literally the entire system *while* part of it is running, stuff gets a
 little weird.

Well, i doubt there's a way around it if you want this to work at all.

I mean, the point of the system updates stuff was to only run
early-boot services, i.e. udev, journald and systemd itself, whatever
storage needs, nothing else. Are these really that problematic?

 All my efforts to make major-version upgrades work from the
 system-updates hook ended in weird crashes due to libraries being
 replaced out from under running binaries, etc.
 
 At this point people usually say: Hmm, maybe you need a minimal system
 you can chroot into and run the upgrade from?
 
 ..and that's exactly what the upgrade.img initramfs is! We just need to
 be able to switch-root from your running system into an upgrade image..
 *WITH* your disks mounted in it.

But we will not support something like this sorry. Not with full
serialization/deserialization. This cannot work. We will not support
two-way version transitions like this. Sorry.

I also have doubts this will really work. Much of the storage stuff
cannot just be left around without its backing daemon. Hence you need
to leave those daemons around, and there you go: you will still have
old stuff in memory then.

 I don't really like the new-old-new switchroot stuff, but I haven't
 got a better solution at the moment.
 
 But: if we could use something like systemd-nspawn to:
 
 1) start your old system in a container,
 2) let it mount its disks,
 3) copy/bind/move those mounts back out to the host somehow

Well, we don't allow access to devices from containers. The kernel
does not virtualize access to it, and we will not pretend it
does. Sorry, this cannot work either. 

There can raelly only be one udev daemon that manages devices, not two...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] journald-remote problem

2015-04-22 Thread Eric

Hi, I'm trying to sync my vps log to laptop. They are connected with
openvpn.

Both laptop and vps are,

- Arch Linux
- systemd 219-5

- vps: 10.8.0.1
- laptop: 10.8.0.6

It is already secured by openvpn tunnel. So I tried with normal http
settings. Services are launched successfully. There is nothing happening
in journal. Also there is nothing in /var/log/journal/remote/ .

Also I tried example from man page.

~~~
$ ll /tmp/jjj
-rw-r--r-- 1 a a 0 Apr 22 15:54 /tmp/jjj
$ journalctl -o export | /usr/lib/systemd/systemd-journal-remote -o
/tmp/jjj -
Received 0 descriptors
Using standard input as source.
Failed to open output journal /tmp/jjj: Invalid argument
Failed to get writer for source stdin: Invalid argument
Failed to create source for fd:0 (stdin): Invalid argument
~~~

Am I doing right? I attach config and service file.

Thanks.

# laptop ; 10.8.0.6
# /etc/systemd/system/systemd-journal-remote.socket

[Unit]
Description=Journal Remote Sink Socket

[Socket]
ListenStream=10.8.0.6:19532

[Install]
WantedBy=sockets.target

# laptop ; 10.8.0.6
# /etc/systemd/system/systemd-journal-remote.service

[Unit]
Description=Journal Remote Sink Service
Requires=systemd-journal-remote.socket

[Service]
ExecStart=/usr/lib/systemd/systemd-journal-remote \
  --listen-http=-3 \
  --output=/var/log/journal/remote/
User=systemd-journal-remote
Group=systemd-journal-remote
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
WatchdogSec=10min

[Install]
Also=systemd-journal-remote.socket

# vps ; 10.8.0.1
# /usr/lib/systemd/system/systemd-journal-upload.service

[Unit]
Description=Journal Remote Upload Service
After=network.target

[Service]
ExecStart=/usr/lib/systemd/systemd-journal-upload \
  --save-state
User=systemd-journal-upload
PrivateTmp=yes
PrivateDevices=yes
WatchdogSec=20min

[Install]
WantedBy=multi-user.target

# vps ; 10.8.0.1
# /etc/systemd/journal-remote.conf

[Upload]
URL=http://10.8.0.6
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

2015-04-22 14:14 GMT+02:00 Lennart Poettering lenn...@poettering.net:
 On Wed, 22.04.15 14:09, Michael Biebl (mbi...@gmail.com) wrote:

 2015-04-22 13:57 GMT+02:00 Lennart Poettering lenn...@poettering.net:
  Maybe we should simply list the iptables kernel modules in
  src/core/kmod-setup, and then tell people to blacklist them if they
  really don't want them.
 
  I have made such a change now:
 
  http://cgit.freedesktop.org/systemd/systemd/commit/?id=1d3087978a8ee23107cb64aa55ca97aefe9531e2

 Not everyone is using networkd or nspawn though, so loading this
 module for everyone is a bit excessive.

 Well, then blacklist the module or don't build it at all.

That's the wrong way around.

 Why non let nspawn and networkd complain loudly if iptables support is 
 missing?
 This would also be better in case you have a kernel compiled withouth
 iptables support.

 For the same reason that iptables doesn't complain loudly but loads
 it. To be user-friendly and just make things work?

iptables loads it on-demand, If nspawn or networkd would load it
on-demand, I would have no problem with it.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble

On Wed, 22.04.15 14:22, Michael Biebl (mbi...@gmail.com) wrote:

2015-04-22 14:14 GMT+02:00 Lennart Poettering lenn...@poettering.net:
On Wed, 22.04.15 14:09, Michael Biebl (mbi...@gmail.com) wrote:

I have made such a change now:

http://cgit.freedesktop.org/systemd/systemd/commit/?id=1d3087978a8ee23107cb64aa55ca97aefe9531e2

Not everyone is using networkd or nspawn though, so loading this
module for everyone is a bit excessive.

Well, then blacklist the module or don't build it at all.

That's the wrong way around.

Nah, I disagree. We do this for a number of modules now. I mean, we
load tons of modules automatically, even if you don't use them. For
example, my laptop always loads the bluetooth modules, even though I
never used bluetooth.

We always load more kmods than strictly necessary, simply to ensure a
good user experience, and so we should do this in this case too. And
the blacklist is a good answer to give the user control, if he wants
to opt out of some modules.

(Also note that this is a non-issue on distros like Fedora, where the
kmod is built-in anyway.)

Why non let nspawn and networkd complain loudly if iptables support is
missing?
This would also be better in case you have a kernel compiled withouth
iptables support.

For the same reason that iptables doesn't complain loudly but loads
it. To be user-friendly and just make things work?

iptables loads it on-demand, If nspawn or networkd would load it
on-demand, I would have no problem with it.

Well, I really don't want to give networkd the caps for that,
sorry. It's a network facing daemon, it should not be able to load
kernel modules.

Lennart

--
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-nspawn trouble