ot use systemd tools to inspect or manage resources.
You can use "systemd-cgtop" to show current resource usage of any
cgroup (regardless if managed by systemd or not), but it doesn't show
limits being enforced, but that would probably make sense to add...
Lennart
--
Lennart Poettering, Berlin
and read what's set there, for now?
Lennart
--
Lennart Poettering, Berlin
allow exactly one operation to be
executed at once, and all other ones are queued. Thus, when we start
to execute one operation we check that there is none already being
executed, because if it was, then there's a bug somewhere.
Why do you ask? did you actually see the assertion being hit?
L
s to me you should ask the "bird" project for this
functionality instead?
Lennart
--
Lennart Poettering, Berlin
u have to fix the kernel to properly virtualize block devices for
kernels. Good luck!
Lennart
--
Lennart Poettering, Berlin
passed. It might be a slight compat breakage,
but I think it would be safer that way, as the service execution
environment becomes more uniform then.
Security credentials should be passed down to user services opt-in,
not opt-out after all.
Can you prep a patch for that and submit via github?
Lennart
--
Lennart Poettering, Berlin
ly.
Lennart
--
Lennart Poettering, Berlin
ould use tags instead.
Also, libudev is obsolete and does not receive new additions. Use the
sd-device API instead.
--
Lennart Poettering, Berlin
ally you probably have some ordering cycle between units,
which we'll try to fix for you, but which will of course mean the
ordering is not going to be executed in full.
See:
https://freedesktop.org/wiki/Software/systemd/Debugging/#diagnosingshutdownproblems
Lennart
--
Lennart Poettering, Berlin
s, --bind=/dev/null:/etc/fstab
>
> allows boot to complete. Of course next it refuses root login because
> pts/0 is not secure :)
pam_securetty is archaic cruft, and a broken idea. Please work with
your distribution to remove it. It might have made some vague sense on
1980s fixed-line terminal environments, but is security theatre and
nothing more than a nuisance in today's world.
Modern distributions do not enable it anymore.
Lennart
--
Lennart Poettering, Berlin
cessing!) and see if that helps?
No need. Should happen automatically.
That said: I strongly recommend that distros ship empty /etc/fstab by
default, and rely on GPT partition auto discovery
(i.e. systemd-gpt-auto-generator) to mount everything, and only depart
from that if there's a strong re
units
> inside of container (it stops in single user allowing me to use sysctl
> -t device).
>
> Is it supposed to work at all? Even if I bind mount /dev/disk it does
> not help as systemd does not care whether device is actually present or not.
Yes, this should just work. I
enabled?
enabled *in* *what*? in the kernel? /proc/cgroups. Mounted? "mount"
maybe? in your container mgr? depends on that.
> - What is it that determines which controllers are enabled? Is it kernel
> configuration applied at boot?
Enabled where?
> - Is it possible to h
; /etc/crypttab or I have tpm2-device=auto the service succeeds - but
> won't use the fido device.. And that's probably obvious for everyone
> here but I'm stumped.
hmm, fido? or tpm?
Lennart
--
Lennart Poettering, Berlin
set yet. This
means cloud providers can control the machine ID a system will use
ahead of time.
Lennart
--
Lennart Poettering, Berlin
so, afaik OSes that run in clouds all have some tool like cloud-init
or ignition or so, which generate .network files in /run with the right
configuration. Why not generate .link files in /run the same way with
a MAC policy appropriate for the cloud provider?
Lennart
--
Lennart Poettering, Berlin
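As an added illustration of the suggestion above (this is example configuration written for this page, not something the systemd project or a cloud agent ships), a .link file a cloud-init/ignition-style agent could drop into /run/systemd/network/ early in boot so that udev keeps the MAC address the hypervisor assigned instead of applying the default "persistent" policy. The match on the kernel name eth* and the file name 10-cloud.link are assumptions; what matters is that the name sorts before the stock 99-default.link, because for .link files the first matching file wins:

```ini
# /run/systemd/network/10-cloud.link  (written at boot by the cloud agent; assumed name)
[Match]
# Kernel name of the virtual NIC before any renaming (assumed to be eth*)
OriginalName=eth*

[Link]
# Keep the hardware (hypervisor-assigned) MAC instead of deriving a "persistent" one.
# Valid values: persistent, random, none.
MACAddressPolicy=none
```

Because .link files are applied by udev when the interface is added, the file has to exist before the NIC is processed; if it is generated later, re-run the add event with `udevadm trigger --action=add /sys/class/net/eth0` (or the matching device path) and confirm with `udevadm info /sys/class/net/eth0`, which lists the .link file that was applied.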
On Di, 10.05.22 18:29, Kamil Jońca (kjo...@op.pl) wrote:
> Lennart Poettering writes:
>
> > On Di, 10.05.22 17:59, Kamil Jońca (kjo...@op.pl) wrote:
> >
> >> Maybe I was not clear.
> >> I have ("internal") interfaces qemu1 and qemu2. and interface et
need to involve networkd. Just define the firewall outside of
> > networkd?
> Of course. Like most nontrivial things I want to do.
> That was my point.
But why involve a callout at all if it's not dynamic?
Lennart
--
Lennart Poettering, Berlin
On Di, 10.05.22 17:46, Kamil Jońca (kjo...@op.pl) wrote:
> Lennart Poettering writes:
>
> > On Di, 10.05.22 12:00, Kamil Jońca (kjo...@op.pl) wrote:
> >
> >> > The engine is decided at build time, i.e. can be either iptables or
> >> > nftables
ncient... i figure this then also means you are stuck with
cgroupv1. Which means cgroup empty notifications in containers
typically don't work.
Lennart
--
Lennart Poettering, Berlin
in cgroupsv1 mode. cgroup empty
notifications do not work reliably in containers on cgroupsv1.
Use cgroupsv2.
(but i think docker doesn't support that)
Lennart
--
Lennart Poettering, Berlin
1 (or did that change?) i
see no perspective there.
Lennart
--
Lennart Poettering, Berlin
gt; 2. nat based on destination network.
>
> I want to nat only traffic to say, 192.168.10.0/24, leaving rest
> untouched. (This is case when I have ipsec tunnel and I want to nat only
> traffic to other endpoint)
If this does not deal in interfaces, but in IP addresses instead, no
need to involve networkd. Just define the firewall outside of
networkd?
Lennart
--
Lennart Poettering, Berlin
before upping
the iface.
networkd always wants a complete, declarative idea of what it is
supposed to configure, so that it can adjust things to that. by doing
callouts that modify state you lose that ability, since networkd never
has a complete idea of what is supposed to be in effect, and once you
reload config things will be very confusing.
Lennart
--
Lennart Poettering, Berlin
On Do, 05.05.22 19:12, Yeongjin Kwon (yeongjink...@gmail.com) wrote:
> On Thu, May 5, 2022 at 11:17 AM Lennart Poettering
> wrote:
> >
> > On Do, 05.05.22 10:44, Yeongjin Kwon (yeongjink...@gmail.com) wrote:
> >
> > > On Wed, May 4, 2022 at 4:03 A
rety: if you muck with what it sets up it likely will override
> > your changes sooner or later, when some event happens... you have a
>
> I do not want interfere with interfaces "per se" I simply want to get
> some info from systemd and pass it to dnsmasq (for DNS) or nftables (for
> filtering) . That's it.
You started out asking about default routes?
Lennart
--
Lennart Poettering, Berlin
muck with what it sets up it likely will override
your changes sooner or later, when some event happens... you have a
choice: make networkd manage it, or manage it with your own scripts,
but interfering with routing via manual "ip" invocations on the
interface's routes will sooner or later break.
Lennart
--
Lennart Poettering, Berlin
o
interfaces shall always be the preferred one over the other.
or are you saying that you intend to change which one is preferred
dynamically? but the network callouts à la networkd-dispatcher run at
configuration time, not on request iiuc...
Lennart
--
Lennart Poettering, Berlin
become a templating language which I think is not precisely a wise
choice I'd rather not be associated with that work though...)
Lennart
--
Lennart Poettering, Berlin
//github.com/systemd/systemd/issues/3374#issuecomment-1031072530
or here:
https://github.com/systemd/systemd/issues/3374#issuecomment-601240730
I don't think that new issue was ever filed?
Lennart
--
Lennart Poettering, Berlin
igure the route metric via Metric= in the
[Route] section. If the routes are acquired through dhcp, you can set
the metric to use in the [DHCPv4] section in the RouteMetric= setting,
and so on.
Lennart
--
Lennart Poettering, Berlin
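The two replies above (the one about declaring which of two interfaces is preferred, and the one naming Metric= in [Route] and RouteMetric= in [DHCPv4]) are easier to see in a concrete pair of .network files. This is an added example for this page, not configuration from the original thread; the interface names, addresses and metric values are assumptions, and Destination=0.0.0.0/0 is spelled out explicitly so the static route is unambiguously a default route:

```ini
# /etc/systemd/network/10-wan-primary.network  (assumed name)
[Match]
Name=eth0

[Network]
DHCP=ipv4

[DHCPv4]
# Every route learned via DHCP on this link (including the default route)
# gets metric 100: this is the preferred uplink.
RouteMetric=100

# /etc/systemd/network/20-wan-backup.network  (assumed name)
[Match]
Name=wwan0

[Network]
Address=10.20.0.2/24

[Route]
Gateway=10.20.0.1
Destination=0.0.0.0/0
# Higher metric than eth0's DHCP routes: the kernel only uses this default route
# while the eth0 route is absent (link down, lease lost), and networkd restores
# the preference automatically when eth0 comes back, with no callout script.
Metric=2000
```

After `networkctl reload`, `ip route` should show both default routes with their metrics; the preference is declarative, so a later reload reproduces the same state instead of depending on what a script did at link-up time.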
On Mo, 09.05.22 15:32, Lennart Poettering (lenn...@poettering.net) wrote:
> On So, 08.05.22 15:00, Peter Mattern (pmatt...@arcor.de) wrote:
>
> > Hello.
> >
> > Apparently resolved is ignoring DNS servers which are listening on Linux
> > dummy interfaces.
>
>
n it would be a bug. But I have the suspicion the
interface might simply not be up or have no IP address correctly
configured or so?
Lennart
--
Lennart Poettering, Berlin
On Fr, 06.05.22 10:12, Wols Lists (antli...@youngman.org.uk) wrote:
> On 27/04/2022 14:53, Lennart Poettering wrote:
> > I think we systematically disagree on one point here: I am pretty sure
> > picking a boot loader is genuinely something a distro should be doing,
> > and no
On Do, 05.05.22 10:44, Yeongjin Kwon (yeongjink...@gmail.com) wrote:
> On Wed, May 4, 2022 at 4:03 AM Lennart Poettering
> wrote:
> >
> > The slice names match 1:1 to the position in the cgroup tree, that's
> > where they were designed.
> >
> > Basically o
ect unit types encapsulates
already have a file system path as name then we don't allow you to
make up a new name, but insist that the unit name is derived from that
pre-existing file system path.
Lennart
--
Lennart Poettering, Berlin
the SHIM upstream
maintainer.
Lennart
--
Lennart Poettering, Berlin
On Sa, 30.04.22 08:08, Andrei Borzenkov (arvidj...@gmail.com) wrote:
> On 28.04.2022 10:54, Lennart Poettering wrote:
> >
> >> * systemd-boot is an additional bootloader, rather than replacing
> >> an existing one, thus increasing the attack surface.
> >
>
here is no need to keep a
random seed in the file system if it would be flushed out on each
boot...
/var/lib/ otoh sounds much more appropriate as it means "please keep
this", and that's exactly the persistence requirement we want here.
Lennart
--
Lennart Poettering, Berlin
e: if your target unit has
Conflicts= on some service, then the target unit should not enter
active state until the service fully shutdown. Thus you can place
After= *or* Before= between the two (your choice) and get the desired
behaviour.
Lennart
--
Lennart Poettering, Berlin
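A minimal unit showing the pattern described above, added here as an example (not from the original thread; the unit and service names are assumptions). The relevant rule from systemd.unit(5) is that when two units with any ordering dependency are involved in a transaction where one stops and the other starts, the stop is ordered before the start, which is why After= and Before= are both acceptable here:

```ini
# /etc/systemd/system/maintenance.target  (assumed name)
[Unit]
Description=Maintenance mode (app must be fully stopped first)
# Starting this target queues a stop job for app.service.
Conflicts=app.service
# Any ordering dependency will do: with Conflicts= in place, the stop of
# app.service is ordered before this target becomes active. Before=app.service
# would give the same result.
After=app.service
```

Without the After=/Before= line the stop job and the target's start job are unordered and can run concurrently, so scripts pulled in by the target could observe app.service still running. `systemctl list-jobs` during `systemctl start maintenance.target` shows the stop job as "running" while the target's start job is "waiting", which is the behaviour you want.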
decision of your distro what to put in there and what
not.
So you are barking up the very very wrong tree here. Go, complain to
your distro instead, we have nothing to do with that.
Lennart
--
Lennart Poettering, Berlin
OSTNAME' field.
systemd is focussed on reality: we generate and process the same
format glibc generates.
Lennart
--
Lennart Poettering, Berlin
riving without a safety belt, BTW.
This comparison makes no sense. Please be civil.
Lennart
--
Lennart Poettering, Berlin
and fwupd. A
> signing of systemd-boot might be considered reasons for revoking
> the existing shim, and will certainly result in new shims not
> getting signed.
Christ! That's some gatekeeping.
Lennart
--
Lennart Poettering, Berlin
ood regarding
simplicity... I'd rather share more code with userspace, and thus have
less stuff to think about, get better testing and so on...
Lennart
--
Lennart Poettering, Berlin
in a shell prompt once all is
lost anyway is kinda a pointless discussion if you ask me.
For me recovery means something very different than graphical icons I
must say.
Lennart
--
Lennart Poettering, Berlin
multiboot cases
> more approachable, not to present it all the time by default.
"emergency cases more approachable"? what does that mean? what
specific emergency features does it have?
it shows graphical icons, OK, but how does that help you in case of
"emergency"?
puzzled...
Lennart
--
Lennart Poettering, Berlin
low
> since the Red Hat grub2 patch set is *huge* and there's not enough
> reviewers to go through and get patches into the tree.
are you saying grub installation on fedora is just dropping some files
and dirs into the ESP now? are you *sure* about that?
i am pretty sure that's not the case, i.e. the weird boot counting
stuff grub is doing actually works with an explicit file that needs to
be created with specific properties, no?
Lennart
--
Lennart Poettering, Berlin
s can be entirely
independent and decoupled. In fact it's even OK if systemd-boot for
example skips a few upstream releases. Our code is tightly coupled at
build time, but at runtime only very loosely coupled, and it is our
explicit goal to ensure that old userspace can work with new sd-boot
and vice versa. And in fact work with other boot loaders, if they'd
implement the specs...
Lennart
--
Lennart Poettering, Berlin
I think this is unrealistic to be frank. Ignoring this refind thing
(which I have not much clue about), for grub installation is a lot more
complex than just dropping a bunch of files+dirs into the ESP. They
have stages, partitions, boot scripts that need to be generated. I
think the complexities this involves is a major problem, and certainly
not something we should make *our* problem.
Lennart
--
Lennart Poettering, Berlin
more work from a maintenance perspective (especially around
> security stuff), and it doesn't really help with pushing the
> adoption of the Bootloader Spec as a whole.
I am not convinced. ;-)
Lennart
--
Lennart Poettering, Berlin
charsets and just passes data through.
So, yeah, we might be stretching standards and tradition a bit, but
it actually works out quite well so far.
Lennart
--
Lennart Poettering, Berlin
nts when we the devices runs out of space
> 3. Avoid on-device duplicates by deleting them during enrollment
That kinda suggests to me, homed should be client to fprintd then. But
I still want to be able to maintain a shadow copy of the
enrollments in the homed user db, so that we can make things
reasonably portable and recover from lost /var if you still have
$HOME.
Lennart
--
Lennart Poettering, Berlin
fer storing hashes of secrets rather than
secrets in the user record, if fprint's enrollment are true secrets
which we must supply back, maybe that's not ideal after all...
Lennart
--
Lennart Poettering, Berlin
eview/merge a patch for that ;-)
(But of course, I'd actually prefer native support for finger print
auth in homed, as mentioned above).
Lennart
--
Lennart Poettering, Berlin
On Mo, 25.04.22 16:29, Lennart Poettering (lenn...@poettering.net) wrote:
> On Mo, 25.04.22 15:39, Benjamin Berg (benja...@sipsolutions.net) wrote:
>
> > > Right now homed supports neither (I think it would make a ton of sense
> > > to add though.
> > >
>
, if you ask me)
Lennart
--
Lennart Poettering, Berlin
pam_systemd_home.so whether the home directory is available and the
> simpler fingerprint authentication method may be acceptable.
I think pam_systemd_home.so should simply sit in the PAM stack before
the fprint auth so that fprint is never asked?
Lennart
--
Lennart Poettering, Berlin
is already possible, or is there someone willing
> to add the required feature to implement it?
I don't understand the question, I have no idea how fingerprint and
PAM currently interact... In fact I don't even have any idea whether
fingerprint auth can communicate something we can use as un
cause they can be more flexible about it, e.g. use different
> UIDs for different purposes.
Well, things like postfix kinda replicate their own service manager. I
have the suspicion it would be better to just leave that to systemd...
Lennart
--
Lennart Poettering, Berlin
(or at worst, with some very
limited ambient caps, such as CAP_NET_BIND_SERVICE).
Lennart
--
Lennart Poettering, Berlin
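To make the two replies above concrete (letting systemd, rather than the daemon's own privilege-dropping logic, run the process unprivileged with at most a limited ambient capability), here is an added example unit for this page. It is not the project's code or a real postfix unit; the user, group, binary and listen address are assumptions:

```ini
# /etc/systemd/system/mydaemon.service  (assumed name)
[Unit]
Description=Example daemon started unprivileged by systemd

[Service]
# Start directly as the service user; no root phase, no setuid() inside the daemon.
User=mydaemon
Group=mydaemon
# Bounding set: the only capability the process (or anything it execs) can ever hold.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Ambient set: actually hand that one capability to the non-root process at exec,
# so it can bind port 25 without being root.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Prevent re-gaining privileges via setuid/fscaps binaries.
NoNewPrivileges=yes
ExecStart=/usr/bin/mydaemon --listen 0.0.0.0:25

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security mydaemon.service` reports the resulting exposure score and lists which sandboxing directives are still missing; `grep Cap /proc/$MAINPID/status` on the running process should show only the CAP_NET_BIND_SERVICE bit (0x400) in CapEff and CapBnd. If the daemon does not need a privileged port at all, drop both capability lines and the unit runs as a plain unprivileged user.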
ld be the point where DHCP
> > is acquired and thus also the hostname in effect.
>
> I use systemd-networkd and systemd-networkd-wait-online is enabled but
> unfortunately it doesn't work anyway.
What doesn't work precisely?
Lennart
--
Lennart Poettering, Berlin
's quite some surprise: I thought they are evaluated when they are
> executed (as in shell scripts).
> Is there a way to "reload" a specific unit file?
No. You can only reload them all at once, via "systemctl daemon-reload".
Lennart
--
Lennart Poettering, Berlin
ow that's done, depends on the networking solution you
use. If you use systemd-networkd, then the
systemd-networkd-wait-online.service is what you want to use. If you
enable that then network-online.target should be the point where DHCP
is acquired and thus also the hostname in effect.
Lennart
--
Lennart Poettering, Berlin
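An added example of wiring a unit to that point, written for this page rather than taken from the thread (the unit name and binary are assumptions). Enabling systemd-networkd-wait-online.service once makes network-online.target mean "networkd has finished configuring at least the required links", and a service that needs the DHCP-acquired address or hostname then orders itself after that target:

```ini
# Enable the wait service once:
#   systemctl enable systemd-networkd-wait-online.service
#
# /etc/systemd/system/myapp.service  (assumed name)
[Unit]
Description=Service that needs the DHCP lease (address, hostname) to be in effect
# Wants= pulls the target in; After= is what actually delays the start until
# networkd's wait-online service has completed.
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/myapp

[Install]
WantedBy=multi-user.target
```

Note that After= alone is not enough: without Wants= the target may never be queued and the ordering is vacuous. If only some interfaces matter, the wait service accepts `--interface=` (and, on recent versions, `--any`) via a drop-in on its ExecStart=, so a permanently unplugged NIC does not hold the whole boot for the default timeout.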
before udev started) or hotplug (in case the device was found
later).
Lennart
--
Lennart Poettering, Berlin
On Do, 14.04.22 08:00, Ulrich Windl (ulrich.wi...@rz.uni-regensburg.de) wrote:
> >>> Lennart Poettering wrote on 13.04.2022 at 17:38
> in
> message :
> > On Di, 12.04.22 14:38, Elbek Mamajonov (emm.boxin...@gmail.com) wrote:
> >
> >> On graph I
sed on rules, and the default rules
will run blkid on the device, to see what's on it (i.e. to extract fs
label/uuid, …). maybe that's just terribly slow on your device?
Lennart
--
Lennart Poettering, Berlin
iad).
You must issue "systemctl enable" to actually make the stuff from
[Install] apply.
Lennart
--
Lennart Poettering, Berlin
line to your unit
clearshare-scheduler.service towards siad.service.
if you want to "loosely couple" this, i.e. don't want to modify
"siad.service" to point to "clearshare-scheduler.service", then use
"WantedBy=siad.service" in "clearshare-scheduler.service"'s [Install] section.
Lennart
--
Lennart Poettering, Berlin
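The two replies above (the [Install] section only takes effect after `systemctl enable`, and WantedBy= lets the dependent unit attach itself without editing siad.service) in one unit file, added here as an example and not taken from the original poster's units; the ExecStart= path is an assumption:

```ini
# /etc/systemd/system/clearshare-scheduler.service  (unit name from the thread)
[Unit]
Description=Clearshare scheduler
# Ordering only: start after siad.service has started. This does not pull
# siad.service in, nor does it make siad.service pull this unit in.
After=siad.service

[Service]
ExecStart=/usr/bin/clearshare-scheduler   # assumed path

[Install]
# Pull this unit in whenever siad.service is started, leaving siad.service
# untouched. Inert until:
#   systemctl enable clearshare-scheduler.service
# which creates the symlink
#   /etc/systemd/system/siad.service.wants/clearshare-scheduler.service
WantedBy=siad.service
```

`systemctl is-enabled clearshare-scheduler.service` reports "enabled" once the symlink exists, and `systemctl list-dependencies siad.service` then shows the scheduler under it. Editing the file later still needs `systemctl daemon-reload`, but not a re-enable, unless the [Install] section itself changed.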
re. It's less than ideal.
There are simple services where the synchronous vs. asynchronous
reload thing doesn't matter, because there are no services the daemon
offers to local clients that might rely on the synchronous
execution. But most daemons are probably not like that.
Lennart
--
Lennart Poettering, Berlin
On Sa, 09.04.22 08:00, Yolo von BNANA (y...@bnana.de) wrote:
> --- Original Message ---
> On Friday, April 8th, 2022 at 13:49, Lennart Poettering
> wrote:
>
> > This could be done better. Plugging in just a "kill" here, means the
> > reloa
On Mo, 11.04.22 07:56, Ulrich Windl (ulrich.wi...@rz.uni-regensburg.de) wrote:
> >>> Lennart Poettering wrote on 08.04.2022 at
> >>> 15:14 in
> message :
>
> ...
> > This reminds of an RFE we have had for a while, and which I think
> >
ning that? Or just something pinephone specific thing? Ideally
we had some generic infra for that in the kernel.
(On PCs there's a field for that in DMI called "Wake-up Type". I
wonder how well that works these days.)
Lennart
--
Lennart Poettering, Berlin
On Do, 07.04.22 15:38, Kenneth Porter (sh...@sewingwitch.com) wrote:
> --On Thursday, April 07, 2022 12:30 PM +0200 Lennart Poettering
> wrote:
>
> > The other two options are likely similar, i.e. synchronous and talk to
> > smbd directly. But I don't know samba th
art
--
Lennart Poettering, Berlin
-egg race with temporary directories that
> systemd added.
Hm?
> Maybe just add a manual page systemd-filesystem-concepts ;-)
https://www.freedesktop.org/software/systemd/man/file-hierarchy.html
Lennart
--
Lennart Poettering, Berlin
not to upgrade" for someone interested in preserving their all numeric
> usernames?
No. Sorry.
Migrate away from such usernames. It cannot work.
Lennart
--
Lennart Poettering, Berlin
logs.
So yes, the order is correct, i'd say.
Lennart
--
Lennart Poettering, Berlin
ell, because you are afraid of making
it difficult...
Lennart
--
Lennart Poettering, Berlin
main/NEWS
2. Check git logs
Lennart
--
Lennart Poettering, Berlin
it's not even trying to read in the directories |etc/userdb/|,
> |/run/userdb/|, |/run/host/userdb/| and |/usr/lib/userdb/|
>
> ||
>
> Any suggestion?
Maybe your systemd version is simply too old? You need v249 at the
least for the above.
Lennart
--
Lennart Poettering, Berlin
dev.)
I know the kernel people like to carry that mantra of not breaking
userspace quite like a monstrance, but IRL it's broken all the
time. Often for good reasons, quite often also for no reason but lack
of testing. Things like that will happen. But I also think that
Windows for example is p
f you don't have that it just
doesn't make any sense...
Lennart
--
Lennart Poettering, Berlin
e syscall that reads directory contents. Smells
like a kernel problem. If EIO is thrown when reading a directory, then
that's almost certainly a fuckup in the kernel, given that this
probably refers to sysfs or so.
Would be good to know which fd 4 refers to. Consider rerunning the
strace with "-y". With that it will show you which fd this is
triggered from.
Lennart
--
Lennart Poettering, Berlin
people think it does, and clean-written software really doesn't
need that in the boot path. It just slows down boot.
Lennart
--
Lennart Poettering, Berlin
trace, do you
see where the EIO comes from?
Lennart
--
Lennart Poettering, Berlin
On Do, 24.03.22 10:28, Luca Boccassi (bl...@debian.org) wrote:
> > What I am trying to say is that it would actually help us a lot if
> > we'd not just be able to take cgroupv2 for granted but to take a
> > reasonably complete cgroupv2 for granted.
> >
> > Lennart
>
se registering the match rule
> (using the job's object path) will race with systemd signalling that
> the job has completed.
Correct.
Lennart
--
Lennart Poettering, Berlin
e correct order of doing a StartTransientUnit and wait for the
> job to be finished (done, failed, whatever) ?
first subscribe to JobRemoved, then issue StartTransientUnit, and then
wait until you see JobRemoved for the unit you just started.
Lennart
--
Lennart Poettering, Berlin
han 4.4 or 4.9 ;)
Well, the list is not complete. i.e. the "io" controller came late
iirc. And killing and stuff too. would take some work to figure out
which features of cgroupv2 we actually make use of, and then when they
were added.
Lennart
--
Lennart Poettering, Berlin
D is globally unique also in
> scenarios where users try to delete and recreate version tags without
> incrementing the version number (or other messy scenarios).
Shouldn't you use the fs header uuid? or the GPT partition or overall
uuids?
Lennart
--
Lennart Poettering, Berlin
ould actually help us a lot if
we'd not just be able to take cgroupv2 for granted but to take a
reasonably complete cgroupv2 for granted.
Lennart
--
Lennart Poettering, Berlin
not increase
it. Another is to communicate clearly what we support and what we
don't. Any such test suite collides with both these goals.
Lennart
--
Lennart Poettering, Berlin
ble and easy to
> handle and generate.
UUIDs are effectively randomly generated. That sucks for build
processes I am sure, simply because they hence aren't reproducible.
BTW, there's now also this:
https://systemd.io/BUILDING_IMAGES/#image-metadata
Lennart
--
Lennart Poettering, Berlin
not for that. You are looking for IMAGE_VERSION.
> Last but not least, I was looking for a machine parsable unique id, so I
> plan to use BUILD_UUID if it is not kept reserved for other usages, that
> will be an UUID that is freshly generated every time I cook a new image.
What's this for?
Lennart
--
Lennart Poettering, Berlin
and thus without cgroup
migratory effect.
Lennart
--
Lennart Poettering, Berlin
b/os-release and adds in IMAGE_ID=/IMAGE_VERSION=.
Each time you rebuild the image your image building tool would repeat
that step. i.e. it would be the image builder tool's job to extend the
generic OS data from /usr/lib/ with info about the image and place the
result in /etc/.
Lennart
--
Lennar
ator.c on "systemd-249". Only code
> modifications, on my end, are within fstab-generator.c
The mempool stuff is not really "leaked": it's an allocation cache,
i.e. subsequent calls will reuse the already allocated objects. The
stuff is hence reachable via the allocation cache.
Lennart
--
Lennart Poettering, Berlin
f the cgroup. And conversely, a process can be associated
to multiple units this way. It can be main pid of one service and be
in a cgroup of a scope.
Lennart
--
Lennart Poettering, Berlin
tely the latter cannot work with glibc right now :-(.
i.e. keeping processes that already "have history" around for a long
time after migration kinda sucks.
Lennart
--
Lennart Poettering, Berlin