supdate files based on a
> template shipped in the sysext, or sysupdate itself can look for
> updatable sysexts, but that's a different discussion for a different
> place I think. As far as I can tell this issue of updating sysexts is
> already on your radar.
systemd-sysupdate already has an "--image=" switch which allows
updating arbitrary DDIs if they carry sysupdate info.
So my idea was to eventually have "systemd-sysupdate --all" which
would iterate through all places we might have DDIs:
* /usr/lib/extensions/
* /var/lib/machines/
* /usr/lib/syscfg/
* /usr/lib/portables/
* the root block device itself
And then one-by-one update them as if you'd call systemd-sysupdate
individually on each via "--image=".
Lennart
--
Lennart Poettering, Berlin
e for our own stuff, which we
inherently own, and is our kingdom. /usr/share/ is for stuff with
shared ownership (i.e other packages own as much as we do), that must
also be arch-independent.
This was always that way, and still is. It's also what we documented
in file-hierarchy(7).
And no we are not
/usr/lib//…
It's simply the most generic, and simplest way: have one libdir per
arch, and don't redefine what "lib64" or "lib" means on various archs.
systemd supports that perfectly, and will auto-symlink /lib and /lib64
automatically to the right subdir if ABI needs that.
Lennart
--
Lennart Poettering, Berlin
On Sa, 25.02.23 10:01, Neal Gompa (ngomp...@gmail.com) wrote:
> On Sat, Feb 25, 2023 at 9:45 AM Lennart Poettering
> wrote:
> >
> > On Di, 21.02.23 16:00, Adrian Vovk (adrianv...@gmail.com) wrote:
> >
> > > Hello all,
> > >
> > > Would you accep
ABI is. But regardless, a patch using
/lib/ as final fallback we search for ld.so in sounds acceptable.)
Submit via github.
Lennart
--
Lennart Poettering, Berlin
0014
>
> Which is 14(octal)*8 = 96bit. As a result, it could be the shifting from
> the quote above, 1 >> 0, 1 >> 1, and so on, are also wrong. And perhaps
> it worth adding to the documentation that
See the docs for efivarfs:
https://www.kernel.org/doc/html/next/filesystems/efivarfs.html
The pink box explains where the extra 4 bytes come from.
Lennart
--
Lennart Poettering, Berlin
g issue. What's the precise rule
you are using? It's generally a good idea to start with the line that
doesn't work, not the one that works.
Also, 244 is ancient 4y old stuff. Consider updating.
Lennart
--
Lennart Poettering, Berlin
oncept for authentication purposes it's a really good
idea to avoid such ambiguities that could potentially be used for
exploits.
Lennart
--
Lennart Poettering, Berlin
publicly
and indexed by google.
Please stop putting such threatening text in your mails if you post on
a public forum asking people for help. Thank you.
Lennart
--
Lennart Poettering, Berlin
ntu, so this might
be less tested)
Lennart
--
Lennart Poettering, Berlin
"Load Error" in qemu ovmf? that's weird. this should just work.
Is this the latest mkosi from git? It's a fairly quickly moving
project. Any chance you can test that?
Lennart
--
Lennart Poettering, Berlin
m? fedora builds it
in. And yeah, if this is a kmod then it might not be available that
early. But why would you do that as a kmod?
Is the thing included in your initrd?
Lennart
--
Lennart Poettering, Berlin
deas. Can mount it manually
> but am sure previously it worked, but unsure when.
if it's not mounted, then something really strange is going
on. selinux issue maybe? or something manually unmounting it later?
Lennart
--
Lennart Poettering, Berlin
arted during boot? This is what I noticed in the time data, some
> units are being stopped and started again during boot, not
> afterwards.
We only store the timestamps of one invocation in PID 1 of each
service. And that's the most recent one. If you start it 27 times in a
row, then the 26 fi
On Mi, 11.01.23 13:31, Lennart Poettering (lenn...@poettering.net) wrote:
> On Mi, 11.01.23 11:53, Joshua Zivkovic (joshua.zivko...@codethink.co.uk)
> wrote:
>
> > Hello,
> >
> > I've been working on adding JSON and table output to `systemd-analyze
> > pl
(startup time of first invocation).
Also note that services that are not referenced by anything (and
didn't fail) might have been unloaded (i.e. "GC'ed"), which means
their startup timing info is released and won't show up in the
displayed data either.
Lennart
--
Lennart Poettering, Berlin
ing the podman community for help about this.
Lennart
--
Lennart Poettering, Berlin
On Mo, 09.01.23 19:45, Lewis Gaul (lewis.g...@gmail.com) wrote:
> Hi all,
>
> I've come across an issue when restarting a systemd container, which I'm
> seeing on a CentOS 8.2 VM but not able to reproduce on an Ubuntu 20.04 VM
> (both cgroups v1).
selinux?
Lennart
--
Lennart Poettering, Berlin
, you solve this locally for dev-ttyLXU0.device by adding a
JobTimeoutSec= drop-in file (for the [Unit] section).
Or if you want to increase the time-out globally, consider setting
DefaultTimeoutStartSec= in /etc/systemd/system.conf to any value you
like.
Lennart
--
Lennart Poettering, Berlin
On Mo, 09.01.23 12:53, Lennart Poettering (lenn...@poettering.net) wrote:
> https://www.freedesktop.org/software/systemd/man/sd_bus_get_fd.html#Description
>
> Note that the returned time-value is absolute, based on
> CLOCK_MONOTONIC and specified in microseconds. Whe
we all read the
full documentation, no, before actually using this API, no? ;-))
Anyway, will prep a fix that rewords the first sentence to make this
clearer right away.
Lennart
--
Lennart Poettering, Berlin
ill create tons of cyclic deps.
This all sounds like a terrible idea, you are actively working on
making things hard for you.
Lennart
--
Lennart Poettering, Berlin
der if we can just
override systemd-fsck@….service for that specific case?
How are those mounts established? i.e. by which unit is the
systemd-fsck@.service instance pulled in? and how was that configured?
fstab? ubuntu-own code?
Lennart
--
Lennart Poettering, Berlin
smells like a mess of cyclic deps. See the system logs
(journalctl).
/etc/ must be available during early boot, before you run complex
services (such as glusterd) off it. Thus it cannot be backed by such
complex services.
If you want /etc/ to be backed by such complex services, these
services must
both make sense to me.
(I'd probably go for the more conservative 6month or so, and see what
kind of feedback we'll get)
Lennart
--
Lennart Poettering, Berlin
ing settings, currently.
Lennart
--
Lennart Poettering, Berlin
erdbd drops all
> capabilities, and sending SO_PASSCRED requires CAP_SYS_ADMIN…
>
> What do we do about that?
Just add the capability to the service unit file.
Lennart
--
Lennart Poettering, Berlin
not bother with this at all,
since the kernel will attach this info anyway if needed. Only
impersonators need to attach SCM_CREDENTIALS explicitly, and userdb
should be one of these impersonators.
Lennart
--
Lennart Poettering, Berlin
the varlink API please report the SCM_CREDENTIALS ucred separately
from the SO_PEERCRED though (i.e. from the current ucreds we already
store). For various purposes it is interesting to know the identity of
the process initiating the connection, if it's different from the
process actually sending messages over it.
Lennart
--
Lennart Poettering, Berlin
: automatic translation of
UIDs by the kernel in regards to userns, and the kernel will
implicitly validate for us whether the on-behalf-of impersonation
shall be allowed or not.
Does that make sense?
Lennart
--
Lennart Poettering, Berlin
end to make
> homed start managing the home directory for this user?
Nope, currently not. homed is a *provider* of user records, not a
consumer.
Lennart
--
Lennart Poettering, Berlin
as a lot on implicit and explicit state attached to
the PAM handle... And you can have PAM conversations and so on
(i.e. prompting arbitrary questions) which makes PAM compat really
really messy...
Lennart
--
Lennart Poettering, Berlin
ed on
> verbatim, or stripped, or cause an error preventing the User Record
> from being handled at all?
It's supposed to be extensible.
→ https://systemd.io/USER_RECORD/#extending-these-records
Lennart
--
Lennart Poettering, Berlin
to be
> static. Are there any ideas around here where such a token could be
> stored during the user session?
Kernel keyring for the user? It's where kerberos stuff is stored, and
is probably the best place. The API is a bit convoluted, but this has
been done before.
Lennart
--
Lennart Poettering, Berlin
On Mi, 23.11.22 17:56, Lennart Poettering (lenn...@poettering.net) wrote:
> > If this is a bug, I'd be willing to attempt a pull request submission
> > if a suggested fix is given. Overall we like the functionality
> > sd-boot provides and the integration with systemd,
; if a suggested fix is given. Overall we like the functionality
> sd-boot provides and the integration with systemd, but this is likely
> a hard requirement for our use case.
Yes please file an issue on github first, and this does sound a lot
like something we should fix, hence a PR that addresses this would be
more than welcome, too.
Lennart
--
Lennart Poettering, Berlin
tirely sure this works
correctly though. There might be a bug lurking somewhere.
It's simply not a case we regularly test for. But it should be a case
that just works.
Lennart
--
Lennart Poettering, Berlin
parent process when the main
service process finished startup.
Lennart
--
Lennart Poettering, Berlin
On Do, 17.11.22 21:41, Andrei Borzenkov (arvidj...@gmail.com) wrote:
> On 17.11.2022 20:48, Lennart Poettering wrote:
> > On Do, 17.11.22 18:17, Vadim Lebedev (vadiml1...@gmail.com) wrote:
> >
> > > Awesome, thanks, it is EXTREMELY useful
> > > | Find the rig
s, like
you already are using.
Lennart
--
Lennart Poettering, Berlin
dalias string.
You can denylist that string for your hw and thus disable the
autoloading.
Use "grep . /sys/bus/*/*/*/modalias" to get a list of the actual
modalias strings requested on your system. The one nuveau.ko matched
against will be among them. Find the right one and denylist it.
Lennart
--
Lennart Poettering, Berlin
spect that or even respond to you then.
Public mailing lists have public archives, they are not confidential,
hence do not send an email to it you expect to remain confidential.
Lennart
--
Lennart Poettering, Berlin
On Mo, 14.11.22 15:06, Michael Biebl (mbi...@gmail.com) wrote:
> Yeah, can we please block this Ulrich Windl guy.
> He's been more of a nuisance than a benefit to this community.
I have put him on moderation now.
Lennart
--
Lennart Poettering, Berlin
as to overcome systemd's
> misconception that the root account was locked.
systemd doesn't manage your root user. That's between you and
"shadow-utils" really.
Lennart
--
Lennart Poettering, Berlin
tc.
>
> When I try to start networking with 'systemctl', I see this error:
>
> systemd "failed to connect to bus; No such file or directory"
>
> What can I do to minimally bring up the networking service? I don't even
> have any network devices at this point...
You can
On Mo, 31.10.22 11:40, Lennart Poettering (lenn...@poettering.net) wrote:
> This is almost certainly a bug in chrony. If you use Type=forking,
> then the process that systemd forks off (let's call it "P") should
> wait until all of the below holds:
>
> 1. The middl
orking,
then the process that systemd forks off (let's call it "P") should
wait until all of the below holds:
1. The middle child P' has exited
2. The grandchild (and main daemon process) P'' is running
3. The PID file has been successfully written to contain the PID of P''.
That all said, it's 2022, maybe chrony should just use Type=notify and
sd_notify() like any modern code?
Lennart
--
Lennart Poettering, Berlin
ly tells
>
> starting multi-user.target via ExecStart=systemctl start starts all depending
> units, and probably one of those starts the multi-user.target again.
> That's what I call recursive.
If you enqueue a unit for starting while it is already enqueued for
starting this has no effect.
Lennart
--
Lennart Poettering, Berlin
nto cgroupsv1 mode as the host (by adding
systemd.unified_cgroup_hierarchy=no to the nspawn cmdline, does that
work?"
Also, please provide the relevant output from "strace -f -s 500 -y -o
/tmp/log.strace" (put on some pastebin)
Lennart
--
Lennart Poettering, Berlin
an error?
Add a .mount drop-in for your unit that sets AssertPathExists= to your
path in the [Unit] section.
i.e. create /etc/systemd/system/mnt-x.mount.d/50-myassert.conf, and
add:
[Unit]
AssertPathExists=/mnt/x
into it.
Lennart
--
Lennart Poettering, Berlin
running Alma 8 it's eno1.
>
> Wasn't the idea of "BIOS device name" that the interface's name
> matches the label printed on the chassis?
Yes, but not all devices have the necessary firmware
metadata.
Lennart
--
Lennart Poettering, Berlin
eeds to
> be installed. This will yield the traditional ethX, wlanX, etc interface
> names that are ordered by default the way they used to be. Of course, this
> does not scale well when you have hotplug devices with many pci ports and
> ethernet cards if you ever need to replace one c
_NAME is not always present, so I don't have a good
> solution for now.
> (I'm assuming policy kernel can be ignored on amd64 servers, maybe
> I'm wrong)
udev will rename interfaces it finds based on the data in
ID_NET_NAME. If the ID_NET_NAME prop is never set, then udev won't
rename the interface.
Lennart
--
Lennart Poettering, Berlin
bly not attributed back to a process
and hence a cgroup. You might want to ask the NFS community about
that.
Lennart
--
Lennart Poettering, Berlin
On So, 16.10.22 21:02, Michael Biebl (mbi...@gmail.com) wrote:
> Am So., 16. Okt. 2022 um 16:23 Uhr schrieb Lennart Poettering
> :
> >
> > On Fr, 14.10.22 22:57, Michael Biebl (mbi...@gmail.com) wrote:
> >
> > > Hi,
> > >
> > > since the iss
where $HOME must be mounted at the latest, and then
systemd --user gets started off it and the user's login session is
allowed to begin.
Lennart
--
Lennart Poettering, Berlin
systemd should discover everything on its own and just work
when run in an older container manager/cgroup environment. But it's
not something we would regularly test.
Lennart
--
Lennart Poettering, Berlin
-naming-scheme man page)
Use "udevadm info /sys/class/net/" to query the udev db for
automatically generated names.
Relevant udev props to look out for are:
ID_NET_NAME_FROM_DATABASE
ID_NET_NAME_ONBOARD
ID_NET_NAME_SLOT
ID_NET_NAME_PATH
ID_NET_NAME_MAC
These use hwdb info, firmware info, slot info, device path info or
MAC address for naming.
Lennart
--
Lennart Poettering, Berlin
ed dep
will be started if not running. It means "systemctl stop" of a
dependent service will be immediately undone though, i.e. it has quite
different semantics from the usual Wants=.
Lennart
--
Lennart Poettering, Berlin
n
> /dev/bus/usb/00x/00y gets created with MODE=0640 and root:usb
As mentioned elsewhere, that's a usbfs file, not a netif. Network
interfaces have no ownership concept.
> I'm at a loss here. How is one supposed to get more detailed info on
> what's and WHY is going on with systemd-udevd tree processing ?
If you boot up with "debug" you should get tons of debug output to
wade through.
Lennart
--
Lennart Poettering, Berlin
one in
the fg and all others in the bg, but any of them could be put in the
fg any time. But that simply makes no conceptual sense if an SSH
session is in the mix.
Sorry if that's disappointing.
Lennart
--
Lennart Poettering, Berlin
heir own, and wouldn't mind sharing.
Happy to help!
We should probably open a group chat somewhere for people who want to
build images like that. Since I am usually at home in Signal for
things like that, maybe we should open a chat room there for that?
(nah, not an IRC fan, not gonna return there, sorry)
Lennart
--
Lennart Poettering, Berlin
acd/system.journal:
> Journal header limits reached or header out-of-date, rotating.
No, we have no concept of turning off individual log messages.
Lennart
--
Lennart Poettering, Berlin
service`. And then
add `ConditionFileExists=!/some/touch/file` to `foo-upgrade.service` to
make it a NOP if things have already been updated, using a touch
file. (some better, smarter condition check might work as well, see
man pages of things systemd can check for you).
Lennart
--
Lennart Poettering, Berlin
ll container managers implement this more or less. Just
Docker does not...
You might be able to replace docker with podman, where supposedly all
this just works out of the box.
Lennart
--
Lennart Poettering, Berlin
you don't want to bother with rtnetlink for that you could even use
the old BSD ioctls, i.e. SIOCSIFFLAGS.
Lennart
--
Lennart Poettering, Berlin
debugging,
then things should be implemented differently, i.e. you get called and
then scan yourself what is in the directory you watch. That makes
things robust towards lost events.
Lennart
--
Lennart Poettering, Berlin
means rule #2 won't take effect anymore.
With that in place things should just work (untested, but afaics), as
it means s-b-c-n-f.s can run after multi-user.target, and then
boot-complete.target after that, and then finally your service.
Does that make sense?
Lennart
--
Lennart Poettering, Berlin
he threads are created and configured after the startup
> phase has finished.
Please consult README, look for comment on CONFIG_RT_GROUP_SCHED=n.
Lennart
--
Lennart Poettering, Berlin
gs considered, shouldn’t these directories be deleted after a service
> stops?
This is probably a bug. Can you please file an issue on systemd github
about this?
https://github.com/systemd/systemd/issues/new?assignees==bug+%F0%9F%90%9B=bug_report.yml
Lennart
--
Lennart Poettering, Berlin
nerally not.
Sorry, if that's disappointing.
Lennart
--
Lennart Poettering, Berlin
so that it ends up on local sockets.
Lennart
--
Lennart Poettering, Berlin
t
that.
(consider filing an RFE issue on github, so that this is tracked)
Lennart
--
Lennart Poettering, Berlin
o you?. I've also posted to the selinux list but
> haven't gotten any responses yet.
Uh, that's a question for the selinux people. I only have a limited
insight into selinux, and wouldn't know how to do such things.
Lennart
--
Lennart Poettering, Berlin
ed in libfido2 though, it will now
take a BSD lock on the device while talking to it, thus synchronizing
access properly.
See this bug:
https://github.com/systemd/systemd/issues/23889
Maybe it's sufficient to update libfido2 on your system?
Lennart
--
Lennart Poettering, Berlin
. I do have a /etc/crypttab file.
systemd-cryptsetup can wait on its own for a FIDO2 token, no need to
do that with unit deps?
Lennart
--
Lennart Poettering, Berlin
ith boot).
>
> Is my guess correct? Logs at /run/log/journal are automerged, logs at
> /var/run/journal aren't.
As mentioned above, when the logs are flushed from /run/ to /var/ in
systemd-journal-flush.service they are merged into one new journal
file, which is located in the machine I
assigned should
be encoded in the database and in the policy but not elsewhere,
i.e. in unit files. I think that philosophy does make sense.
Lennart
--
Lennart Poettering, Berlin
ee every nfs related service dependent on nfs-convert.service
Did you issue "systemctl daemon-reload"?
Lennart
--
Lennart Poettering, Berlin
ck into an initrd env. Hence for them PID 1 during
shutdown first transitions from the service manager into
systemd-shutdown, and then from there into the initrd script, and
then back into systemd-shutdown. I like their approach.
Lennart
--
Lennart Poettering, Berlin
the in
> > initrd, right?
>
> Sorry: s/mist the in/must be in the"
systemd-shutdown actually pivots the rootdir into the /run/initramfs
subdir, when invoking the initrd shutdown script. Thus at that point
all fs paths refer to subdirs below /run/initramfs.
Lennart
--
Lennart Poettering, Berlin
boot/poweroff/kexec.
Nah, the killing of processes it already did between steps 2 and
3. Also, as mentioned systemd-shutdown doesn't run at this time anymore.
Lennart
--
Lennart Poettering, Berlin
t, you should see the
copy_file_range() stuff there.
Lennart
--
Lennart Poettering, Berlin
btrfs
with ENOTTY, and given you have xfs this is behaving as it should.
It then starts copying things manually, which is slow. i.e. it's then
basically doing what "cp -a" does.
Lennart
--
Lennart Poettering, Berlin
appreciate any help/references.
Try stracing nspawn, to see what it does.
strace -f -y -s 500 -o /tmp/nspawnstrace.log systemd-nspawn …
Then look at the generated log and see what it is busy doing... If unsure
paste things somewhere.
Lennart
--
Lennart Poettering, Berlin
t might hence simply be that we are busy
individually copying all files...
Lennart
--
Lennart Poettering, Berlin
IFDIR|0755, st_size=0, ...}) = 0
> close(3)= 0
> openat(4, "0:0", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = -1 ENOENT (No
> such file or directory)
> close(4)
>
> So it's trying to open() /sys/dev/block/0:0, but my system does not
> have that dev
gurable. Kernel command line option
systemd.unified_cgroup_hierarchy=yes|no
Lennart
--
Lennart Poettering, Berlin
caller. Only messages that no registered handler has indicated
"ownership" in will be returned to the caller.
I guess we should document that. Added to TODO list.
The idea is basically that you have two choices for processing
messages: install a filter/handler, or process them via
sd_bus_process() returns. Pick one.
Lennart
--
Lennart Poettering, Berlin
On Fr, 22.07.22 12:15, Lennart Poettering (mzerq...@0pointer.de) wrote:
> > I guess that would mean holding on to cgroup1 support until EOY 2023
> > or thereabout?
>
> That does sound OK to me. We can mark it deprecated before though,
> i.e. generate warnings, and remove
On Fr, 22.07.22 12:37, Wols Lists (antli...@youngman.org.uk) wrote:
> On 22/07/2022 11:15, Lennart Poettering wrote:
> > > I guess that would mean holding on to cgroup1 support until EOY 2023
> > > or thereabout?
>
> > That does sound OK to me. We can mark it dep
same system as one will only work on cgroup1 and the
> other only on cgroup2.
I am pretty sure this works fine with nspawn...
> I guess that would mean holding on to cgroup1 support until EOY 2023
> or thereabout?
That does sound OK to me. We can mark it deprecated before though,
i.e. generat
support, once the age difference is beyond some
boundary. The question is at what that boundary is.
Much the same way as we have a baseline on kernel versions systemd
supports (currently 3.15, soon 4.5), we probably should start to
define a baseline of what to expect from a container manager.
Lennart
--
Lennart Poettering, Berlin
*will* come eventually
either way, but what's still up for discussion is to determine
precisely when. Hence, please let us know!
Thanks,
Lennart
--
Lennart Poettering, Berlin
On Do, 14.07.22 12:40, Michael Cassaniti (mich...@cassaniti.id.au) wrote:
> Should I at least raise a feature request in GitHub?
Please do!
Lennart
--
Lennart Poettering, Berlin
lls in the gap.
(In my own usecase I always used usrhash= on the kernel cmdline, to
pin a specific /usr/ fs to a specific kernel, thus /usr/ auto
discovery was never needed, but we should definitely support that too)
Lennart
--
Lennart Poettering, Berlin
e. concept 1 should always be done. If you then also adopt concept 2
is up to you. You can, but you don't have to.
Lennart
--
Lennart Poettering, Berlin
On Mo, 04.07.22 23:15, Michael Biebl (mbi...@gmail.com) wrote:
> Am Mo., 4. Juli 2022 um 19:36 Uhr schrieb Lennart Poettering
> :
> >
> > eOn So, 03.07.22 19:29, Uwe Geuder (systemd-devel-ugeu...@snkmail.com)
> > wrote:
> >
> > > Hi!
> > >
>
The problem was originally noted in a somewhat loaded system. However,
> above reproducer (including the 2 echo commands and a shorter sleep)
> shows the same problem even on an idling machine.
https://github.com/systemd/systemd/issues/2913
Lennart
--
Lennart Poettering, Berlin