Re: [systemd-devel] Dynamic locale changes with localed

2013-07-02 Thread Zbigniew Jędrzejewski-Szmek 
On Tue, Jul 02, 2013 at 09:42:46PM +0900, Tristan Van Berkom wrote:
 Hello Mailing List.
 
 I have a quick question about the org.freedesktop.locale1 interface.
I'm not aware of anyone working on something like that. I think you'd
be best off simply reading the sources, esp. locale_message_handler
[1], they're short enough even if you're not familiar with the
codebase.

Zbyszek

[1] 
http://cgit.freedesktop.org/systemd/systemd/tree/src/locale/localed.c?id=HEAD#n981
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH 1/3] cryptsetup: Move password query out of main

2013-07-02 Thread Jan Janssen 
Also use _cleanup_free_ where possible.
---
 src/cryptsetup/cryptsetup.c | 153 +---
 1 file changed, 72 insertions(+), 81 deletions(-)

diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 347394d..994a0e0 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -215,7 +215,8 @@ finish:
 }
 
 static char *disk_mount_point(const char *label) {
-char *mp = NULL, *device = NULL;
+char *mp = NULL;
+_cleanup_free_ char *device = NULL;
 FILE *f = NULL;
 struct mntent *m;
 
@@ -238,11 +239,68 @@ finish:
 if (f)
 endmntent(f);
 
-free(device);
-
 return mp;
 }
 
+static int get_password(const char *name, usec_t until, bool accept_cached, 
char ***passwords) {
+int r;
+char **p;
+_cleanup_free_ char *text = NULL;
+
+assert(name);
+assert(passwords);
+
+if (asprintf(text, Please enter passphrase for disk %s!, name)  0)
+return log_oom();
+
+r = ask_password_auto(text, drive-harddisk, until, accept_cached, 
passwords);
+if (r  0) {
+log_error(Failed to query password: %s, strerror(-r));
+return r;
+}
+
+if (opt_verify) {
+_cleanup_strv_free_ char **passwords2 = NULL;
+
+assert(strv_length(*passwords) == 1);
+
+if (asprintf(text, Please enter passphrase for disk %s! 
(verification), name)  0)
+return log_oom();
+
+r = ask_password_auto(text, drive-harddisk, until, false, 
passwords2);
+if (r  0) {
+log_error(Failed to query verification password: %s, 
strerror(-r));
+return r;
+}
+
+assert(strv_length(passwords2) == 1);
+
+if (!streq(*passwords[0], passwords2[0])) {
+log_warning(Passwords did not match, retrying.);
+return -EAGAIN;
+}
+}
+
+strv_uniq(*passwords);
+
+STRV_FOREACH(p, *passwords) {
+char *c;
+
+if (strlen(*p)+1 = opt_key_size)
+continue;
+
+/* Pad password if necessary */
+if (!(c = new(char, opt_key_size)))
+return log_oom();
+
+strncpy(c, *p, opt_key_size);
+free(*p);
+*p = c;
+}
+
+return 0;
+}
+
 static int help(void) {
 
 printf(%s attach VOLUME SOURCEDEVICE [PASSWORD] [OPTIONS]\n
@@ -257,9 +315,6 @@ static int help(void) {
 int main(int argc, char *argv[]) {
 int r = EXIT_FAILURE;
 struct crypt_device *cd = NULL;
-char **passwords = NULL, *truncated_cipher = NULL;
-const char *cipher = NULL, *cipher_mode = NULL, *hash = NULL, *name = 
NULL;
-char *description = NULL, *name_buffer = NULL, *mount_point = NULL;
 
 if (argc = 1) {
 help();
@@ -281,9 +336,12 @@ int main(int argc, char *argv[]) {
 uint32_t flags = 0;
 int k;
 unsigned try;
-const char *key_file = NULL;
 usec_t until;
 crypt_status_info status;
+const char *key_file = NULL, *cipher = NULL, *cipher_mode = 
NULL,
+   *hash = NULL, *name = NULL;
+_cleanup_free_ char *description = NULL, *name_buffer = NULL,
+*mount_point = NULL, *truncated_cipher = 
NULL;
 
 /* Arguments: systemd-cryptsetup attach VOLUME SOURCE-DEVICE 
[PASSWORD] [OPTIONS] */
 
@@ -386,73 +444,14 @@ int main(int argc, char *argv[]) {
 
 for (try = 0; try  opt_tries; try++) {
 bool pass_volume_key = false;
-
-strv_free(passwords);
-passwords = NULL;
+_cleanup_strv_free_ char **passwords = NULL;
 
 if (!key_file) {
-char *text, **p;
-
-if (asprintf(text, Please enter passphrase 
for disk %s!, name)  0) {
-log_oom();
-goto finish;
-}
-
-k = ask_password_auto(text, drive-harddisk, 
until, try == 0  !opt_verify, passwords);
-free(text);
-
-if (k  0) {
-log_error(Failed to query password: 
%s, strerror(-k));
+k = get_password(name, until, try == 0  
!opt_verify, passwords);
+if (k == -EAGAIN)
+continue;
+

[systemd-devel] [PATCH 2/3] cryptsetup: Move attaching of the device out of main

2013-07-02 Thread Jan Janssen 
---
 src/cryptsetup/cryptsetup.c | 229 +++-
 1 file changed, 121 insertions(+), 108 deletions(-)

diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 994a0e0..cb48009 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -301,6 +301,108 @@ static int get_password(const char *name, usec_t until, 
bool accept_cached, char
 return 0;
 }
 
+static int attach_luks_or_plain(struct crypt_device *cd,
+const char *name,
+const char **key_file,
+char **passwords,
+uint32_t flags) {
+int r = 0;
+bool pass_volume_key = false;
+
+assert(cd);
+assert(name);
+assert(key_file);
+
+if (!opt_type || streq(opt_type, CRYPT_LUKS1))
+r = crypt_load(cd, CRYPT_LUKS1, NULL);
+
+if ((!opt_type  r  0) || streq_ptr(opt_type, CRYPT_PLAIN)) {
+struct crypt_params_plain params = {};
+const char *cipher, *cipher_mode;
+_cleanup_free_ char *truncated_cipher = NULL;
+
+if (opt_hash) {
+/* plain isn't a real hash type. it just means use no 
hash */
+if (!streq(opt_hash, plain))
+params.hash = opt_hash;
+} else
+params.hash = ripemd160;
+
+if (opt_cipher) {
+size_t l;
+
+l = strcspn(opt_cipher, -);
+truncated_cipher = strndup(opt_cipher, l);
+if (!truncated_cipher)
+return log_oom();
+
+cipher = truncated_cipher;
+cipher_mode = opt_cipher[l] ? opt_cipher+l+1 : plain;
+} else {
+cipher = aes;
+cipher_mode = cbc-essiv:sha256;
+}
+
+/* for CRYPT_PLAIN limit reads
+ * from keyfile to key length, and
+ * ignore keyfile-size */
+opt_keyfile_size = opt_key_size / 8;
+
+/* In contrast to what the name
+ * crypt_setup() might suggest this
+ * doesn't actually format anything,
+ * it just configures encryption
+ * parameters when used for plain
+ * mode. */
+r = crypt_format(cd, CRYPT_PLAIN,
+ cipher,
+ cipher_mode,
+ NULL,
+ NULL,
+ opt_keyfile_size,
+ params);
+
+/* hash == NULL implies the user passed plain */
+pass_volume_key = (params.hash == NULL);
+}
+
+if (r  0) {
+log_error(Loading of cryptographic parameters failed: %s, 
strerror(-r));
+return r;
+}
+
+log_info(Set cipher %s, mode %s, key size %i bits for device %s.,
+ crypt_get_cipher(cd),
+ crypt_get_cipher_mode(cd),
+ crypt_get_volume_key_size(cd)*8,
+ crypt_get_device_name(cd));
+
+if (*key_file) {
+r = crypt_activate_by_keyfile_offset(cd, name, CRYPT_ANY_SLOT,
+ *key_file, 
opt_keyfile_size,
+ opt_keyfile_offset, 
flags);
+if (r  0) {
+log_error(Failed to activate with key file '%s': %s, 
*key_file, strerror(-r));
+*key_file = NULL;
+return -EAGAIN;
+}
+} else {
+char **p;
+
+STRV_FOREACH(p, passwords) {
+if (pass_volume_key)
+r = crypt_activate_by_volume_key(cd, name, *p, 
opt_key_size, flags);
+else
+r = crypt_activate_by_passphrase(cd, name, 
CRYPT_ANY_SLOT, *p, strlen(*p), flags);
+
+if (r = 0)
+break;
+}
+}
+
+return r;
+}
+
 static int help(void) {
 
 printf(%s attach VOLUME SOURCEDEVICE [PASSWORD] [OPTIONS]\n
@@ -335,13 +437,11 @@ int main(int argc, char *argv[]) {
 if (streq(argv[1], attach)) {
 uint32_t flags = 0;
 int k;
-unsigned try;
+unsigned tries;
 usec_t until;
 crypt_status_info status;
-const char *key_file = NULL, *cipher = NULL, *cipher_mode = 
NULL,
-   *hash = NULL, *name

[systemd-devel] [PATCH 3/3] cryptsetup: Add tcrypt support

2013-07-02 Thread Jan Janssen 
Tcrypt uses a different approach to passphrases/key files. The
passphrase and all key files are incorpaorated into the password
to open the volume. So, the idea of slots that provide a way to
open the volume with different passphrases/key files that are
independent from each other like with LUKS does not apply.

Therefore, we use the key file from /etc/crypttab as the source
for the passphrase. If the passphrase of a volume is empty, using
/dev/null as key file is enough.

The actual key files that are combined with the passphrase into
a password are provided as a new option in /etc/crypttab and can
be given multiple times if more than one key file was used for a
volume.
---
 man/crypttab.xml| 300 +++-
 src/cryptsetup/cryptsetup.c |  81 +++-
 2 files changed, 259 insertions(+), 122 deletions(-)

diff --git a/man/crypttab.xml b/man/crypttab.xml
index 1063b46..386fa0d 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -75,23 +75,29 @@
 fields are mandatory, the remaining two are
 optional./para
 
+paraSetting up encrypted block devices using this file
+supports three encryption modes: LUKS, TrueCrypt and plain.
+See 
citerefentryrefentrytitlecryptsetup/refentrytitlemanvolnum8/manvolnum/citerefentry
+for more information about each mode. When no mode is specified
+in the options field and the block device contains a LUKS
+signature, it is opened as a LUKS device; otherwise it is
+assumed to be in raw dm-crypt (plain mode) format./para
+
 paraThe first field contains the name of the
 resulting encrypted block device; the device is set up
 within filename/dev/mapper//filename./para
 
 paraThe second field contains a path to the
-underlying block device, or a specification of a block
+underlying block device or file, or a specification of a block
 device via literalUUID=/literal followed by the
-UUID.  If the block device contains a LUKS signature,
-it is opened as a LUKS encrypted partition; otherwise
-it is assumed to be a raw dm-crypt partition./para
+UUID./para
 
 paraThe third field specifies the encryption
 password.  If the field is not present or the password
-is set to none, the password has to be manually
-entered during system boot.  Otherwise the field is
-interpreted as a path to a file containing the
-encryption password.  For swap encryption
+is set to none or literal-/literal, the password has
+to be manually entered during system boot.  Otherwise the
+field is interpreted as a absolute path to a file containing 
the
+encryption password. For swap encryption
 filename/dev/urandom/filename or the hardware
 device filename/dev/hw_random/filename can be used
 as the password file; using
@@ -104,181 +110,237 @@
 options are recognized:/para
 
 variablelist class='crypttab-options'
+
+varlistentry
+termvarnameallow-discards/varname/term
+
+listitemparaAllow discard requests to be
+passed through the encrypted block device. This
+improves performance on SSD storage but has
+security implications./para/listitem
+/varlistentry
+
 varlistentry
 termvarnamecipher=/varname/term
 
-listitemparaSpecifies the cipher
-to use; see
+listitemparaSpecifies the cipher to use. 
See
 
citerefentryrefentrytitlecryptsetup/refentrytitlemanvolnum8/manvolnum/citerefentry
-for possible values and the default
-value of this option.  A cipher with
-unpredictable IV values, such as
-literalaes-cbc-essiv:sha256/literal,
-is recommended. /para/listitem
+for possible values and the default value of
+this option. A cipher with unpredictable IV
+values, such as 
literalaes-cbc-essiv:sha256/literal,
+is recommended./para/listitem
 /varlistentry
 
-
 varlistentry
-

Re: [systemd-devel] [PATCH] scope: Silence compiler warning

2013-07-02 Thread Dave Reisner 
On Mon, Jul 01, 2013 at 05:16:02PM +0200, Jan Janssen wrote:
 ---
  src/core/dbus-scope.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/core/dbus-scope.c b/src/core/dbus-scope.c
 index bddf8f4..f6cfe38 100644
 --- a/src/core/dbus-scope.c
 +++ b/src/core/dbus-scope.c
 @@ -93,7 +93,7 @@ static int bus_scope_set_transient_property(
  
  if (streq(name, PIDs)) {
  DBusMessageIter sub;
 -unsigned n;
 +unsigned n = 0;

Apologies, I just fixed this myself in git without having seen this patch.

  
  if (dbus_message_iter_get_arg_type(i) != DBUS_TYPE_ARRAY ||
  dbus_message_iter_get_element_type(i) != 
 DBUS_TYPE_UINT32)
 -- 
 1.8.3.2
 
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] No such file or directory when enabling a service

2013-07-02 Thread Dave Reisner 
On Thu, Jun 27, 2013 at 08:14:03PM +, Lars Kellogg-Stedman wrote:
 I'm running systemd 204 under Fedora 19 (beta).  I have
 /etc/systemd/system/postfix-update-hook.service installed as a symlink
 to /etc/postfix/support/postfix-update-hook.service.
 
 I can start it:
 
 # systemctl start postfix-update-hook
 
 And check the status:
 
 # systemctl status postfix-update-hook
 postfix-update-hook.service
Loaded: loaded (/etc/postfix/support/postfix-update-hook.service; 
 linked)
Active: active (running) since Thu 2013-06-27 19:59:28 UTC; 25s ago
  Main PID: 19276 (postfix-update-)
CGroup: name=systemd:/system/postfix-update-hook.service
└─19276 /bin/sh /etc/postfix/support/postfix-update-hook
 
 But I can't enable it:
 
 # systemctl enable postfix-update-hook
 Failed to issue method call: No such file or directory
 
 If I replace the symlink in /etc/systemd/system with an actual file,
 then it works just fine:
 
 # cd /etc/systemd/system
 # mv postfix-update-hook.service postfix-update-hook.service.symlink
 # cp postfix-update-hook.service.symlink postfix-update-hook.service
 # systemctl enable postfix-update-hook
 ln -s '/etc/systemd/system/postfix-update-hook.service' 
 '/etc/systemd/system/multi-user.target.wants/postfix-update-hook.service'
 
 Is this expected behavior?

I suspect it is. 'systemctl link' does what you want if you're
interested in including unit files from outside the default unit search
path.

 Thanks,
 
 -- 
 Lars Kellogg-Stedman l...@oddbit.com
 
 
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] systemd config recipes for namespace-isolated webapps

2013-07-02 Thread Martin Langhoff 
Hi folks!

At OLPC, I got an early chance to use and abuse systemd, and I like it
quite a bit.

We currently have ~500 identical VMs (created from kickstarts, kept
almost in sync via satellite), each hosts apache/mysql daemons, and 2
installs of the same PHP webapp (production, test).

Goal is to reduce the number of VMs radically, as memory and storage
overheads are killing us.

I am now looking at systemd (under F-19, RHEL7 later) and wondering
whether there are any recipes that can guide me a bit through setting
up webapps in CGs with suitable namespaces.

What I _think_ I need is

0 - one target per customer, which in turn pulls in
1 - apache
2 - mysql
3 - cronjobs
4 - apache/tomcat/java setup {for some customers}
5 - sftp -- namespace-aware?

with 1,2 and 3 set to use the same CG. And stopping the target should
ensure all the CG is down/dead.

If possible, I prefer to avoid containers (and the associated chroot
maintenance).

High on the list of goals is to protect customers from data leakage,
so guidelines towards effective use of namespaces are sought here.

Pointers, hints, anyone else working in a similar direction?

cheers,



martin
ps: I have read all/most of LWN and Lennart's articles, but welcome a
gentle pointer if relevant...
--
 martin.langh...@gmail.com
 -  ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 ~ http://docs.moodle.org/en/User:Martin_Langhoff
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] systemd and criu (checkpoint / restart)

2013-07-02 Thread Alex Polvi 
Hello,

TL;DR criu works if you disable the journal and stop the .socket
before restore, criu appears to be incompatible with systemd-nspawn.

I've been having fun with systemd, -nspawn, and the latest criu
tools. These are just my research notes. I wanted to share progress,
would love any feedback or pointers on places this does not work.

Before we begin:

localhost criu2 # systemd --version
systemd 204
+PAM -LIBWRAP -AUDIT -SELINUX +IMA -SYSVINIT -LIBCRYPTSETUP -GCRYPT -ACL -XZ
localhost criu2 # criu -V
Version: 0.6
localhost criu2 # uname -a
Linux localhost 3.10.0+ #4 SMP Mon Jul 1 13:36:25 PDT 2013 x86_64
Intel(R) Core(TM) i7-2677M CPU @ 1.80GHz GenuineIntel GNU/Linux

In the following gist:
1) I setup a socket activated go http server (just plain, no nspawn)
2) start the process via socket activation
3) criu dump it
4) shut down the .socket
5) criu restore, works, yay

  https://gist.github.com/polvi/310fad0a2a3b0859cfb1

What works:
-  Application state is dumped and restored successfully.

What doesn't work:
- The system .socket has to be disabled to because the restore will
open the socket. Not sure if there is a work around for this, with the
exception of not using socket activation.
- The status of the .service is now in a killed state. This is because
the dump kills the process when it is done.
- Once the process is restored (with the same pid) systemd is confused
and is no longer monitoring it. Maybe there is a way to get systemd to
realize that the process is running again?
- I had to set StandardError=null and StanardOut=null to keep the
journal from opening a socket to the service. With-out this the
container will not checkpoint, because the criu tools do not allow one
end of a socket to be checkpointed.

For -nspawn, I'm pretty sure it is incompatible with criu. This took a
bunch of fighting, and in the end, triggered a bug in criu. I was able
to dump, but not restore the container.

In the following gist you'll see where I hit bugs and the fix...

1) I start a busybox while loop in a container using systemd-nspawn
2) nsenter the container and umount /proc/sys/kernel/random/boot_id
and /proc/kmsg because they are in a (deleted) state, and criu does
not really care for that. I guess -nspawn is setting these up.
3) Updated my copy of iproute2, because criu requires the ip addr
save functionality
4) Now it gets really bad... criu restores mount namespaces using
pivot_root. systemd uses MS_ENTER.  Initially I was hitting a bug
where pivot_root was not working because my container was on a
different filesystem. After bind mounting the container filesystem to
my running root, the restore triggers a bug.
5) I give up.

  https://gist.github.com/polvi/d883043343e4db8e16cb

What works:
- It dumped the state of something!

What does not work:
- Restoring
- Using the containers mount namespace (because of criu and pivot_root)

In summary, to make this actually work, I think we'd need to implement
checkpoint/restart into systemd itself. With this, we could get around
all the journal issue, and maybe even make socket activation work.
Containers seem to be their own beast.

-Alex
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] man: improve grammar and word formatting in numerous man pages

2013-07-02 Thread Zbigniew Jędrzejewski-Szmek 
On Tue, Jul 02, 2013 at 12:16:09PM +0200, Jason St. John wrote:
 On Sat, Jun 29, 2013 at 5:38 PM, Zbigniew Jędrzejewski-Szmek
 zbys...@in.waw.pl wrote:
  On Thu, Jun 27, 2013 at 09:51:44PM +0200, Jason St. John wrote:
  Hi David,
  you changed the spellings of 'file system' and 'namespace'.
  Here is a proposal to use 'hostname' and 'file name' (instead
  of 'host name' and 'filename'). Consistency might be more
  important than pure grammatical considerations, so ... what
  do you think?
 
  Zbyszek
 
 
 I agree that consistency is more important than being grammatically
 pure; however, Red Hat seems to use file system in all of their
 documentation. I don't see an obvious pattern for hostname vs. host
 name though, but it's difficult to get good numbers on that.
 
 My patch makes host name and file name a consistent standard for
 systemd man pages. I can't find anything missed in the man pages when
 I grep for their variations except for 3 examples in systemctl(1) and
 udev(7).
OK,
so I have 0 'file names?' in man-pages, and lots of 'filenames?'.
'hostnames?' is almost much more popular than 'host names?'.
Michael Kerrisk shall be our guide here, thus 'filename' and 
'hostname' win. The same is true for 'timezone' vs. 'time zone',
even though 'timezone' is not even a real word.

 Do you want me to resubmit the patch to fix those? Or should I
 resubmit this patch in two parts, one for the host name, file
 name, etc. changes and a second patch for the non-contentious
 changes?
It's fine, applied with the modifications described above.

 P.S. I changed your reply to a bottom post. Hopefully that isn't a problem.

Thanks,
Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Broken build and CI strategy

2013-07-02 Thread William Giokas 
On Fri, Jun 28, 2013 at 09:18:24AM +0200, Holger Hans Peter Freyther wrote:
 On Fri, Jun 28, 2013 at 09:05:40AM +0200, Peter Sztanojev wrote:
  there already is a jenkins ci for systemd kindly provided by Pantheon:
  http://systemd.getpantheon.com:8080/jenkins/
 
 The jenkins script is still using make test (which is like calling
 make /tmp), to execute the tests one would need to call make check
 but we already had this and it wasn't changed...

Okay, there needs to be something done about this ASAP. I have now twice
gone to build a package, then run 'make check', and it has failed for
simple reasons like translations missing or not being in the right
places. These should be caught by jenkins and reported to the IRC
channel. I realize that some files have been added recently, but they
need to be fully added, not just thrown into the pot (pun not intended).

Thanks,

-- 
William Giokas | KaiSforza | http://kaictl.net/
GnuPG Key: 0x73CD09CF
Fingerprint: F73F 50EF BBE2 9846 8306  E6B8 6902 06D8 73CD 09CF


pgpP6CNqB8Xht.pgp
Description: PGP signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [systemd-commits] 2 commits - Makefile.am TODO src/core src/login src/shared src/systemctl src/test units/-.slice units/slices.target units/system.slice

2013-07-02 Thread Zbigniew Jędrzejewski-Szmek 
On Thu, Jun 27, 2013 at 09:34:24PM +0200, Kay Sievers wrote:
 On Thu, Jun 27, 2013 at 7:12 AM, Zbigniew Jędrzejewski-Szmek
 zbys...@in.waw.pl wrote:
  On Thu, Jun 27, 2013 at 06:40:37AM +0200, Zbigniew Jędrzejewski-Szmek wrote:
  make distcheck fails for me, because make uninstall chokes on -.slice.
  automake-1.12.2-5.fc18.noarch and automake-1.13.4-1.fc19.noarch both.
  Sent a bug report to bug-autom...@gnu.org just now, should show
  up in their db soon.
 
  http://debbugs.gnu.org/cgi/bugreport.cgi?bug=14728
 
 Awesome response in that bug. :) It's great when completely generic
 tools get to decide what file names projects can use. :)
 
 We should probably work around it, until it is sorted out. Any better
 idea than the attached?
Hi Kay,
I went ahead and applied your patch. It's not pretty, but I think
that having a working distcheck has priority.

Zbyszek

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] replace tabs with spaces in various files

2013-07-02 Thread Zbigniew Jędrzejewski-Szmek 
Applied.

Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] Log failing start conditions

2013-07-02 Thread Zbigniew Jędrzejewski-Szmek 
On Wed, Jun 26, 2013 at 03:06:38PM +0200, har...@redhat.com wrote:
 From: Harald Hoyer har...@redhat.com
 
 $ systemctl status dracut-initqueue.service
 dracut-initqueue.service - dracut initqueue hook
Loaded: loaded (/usr/lib/systemd/system/dracut-initqueue.service;
 static)
Active: inactive (dead)
   start condition failed at Wed 2013-06-26 13:01:05 UTC; 22s ago
  Docs: man:dracut-initqueue.service(8)
 
 Jun 26 13:01:05 lenovo systemd[1]: Starting of dracut-initqueue.service
 skipped because the following start conditions were not met:
ConditionKernelCommandLine:|rd.break=initqueue
ConditionPathExistsGlob: |/lib/dracut/hooks/initqueue/timeout/*.sh
ConditionPathExistsGlob: |/lib/dracut/hooks/initqueue/online/*.sh
ConditionPathExistsGlob: |/lib/dracut/hooks/initqueue/finished/*.sh
ConditionPathExistsGlob: |/lib/dracut/hooks/initqueue/settled/*.sh
ConditionPathExistsGlob: |/lib/dracut/hooks/initqueue/*.sh
ConditionPathExists: |/lib/dracut/need-initqueue
Hi Harald,

your patch seems to is better than mine, I somehow missed
the question of muliple conditions. I think you should go ahead
and appy this.

My patch also exported the failing condition over dbus. I guess
we might still want to do this, but let's get this basic functionality
in first.

 +if (!(f = open_memstream(buf, size))) {
Style:
f = open_memstream(buf, size);
if (!f) {

 +log_warning(Failed to allocate memory stream.);
 +return -EALREADY;
 +}
 +
 +condition_dump_list_result(u-conditions, f);
 +
 +if (ferror(f)) {
 +fclose(f);
 +log_warning(Failed to write status stream);
 +return -EALREADY;
 +}
 +
 +fclose(f);
 +
 +log_struct_unit(LOG_NOTICE,
 +   u-id,
 +   MESSAGE_ID(SD_MESSAGE_UNIT_CONDITIONS),
 +   MESSAGE=Starting of %s skipped because the 
 following start conditions were not met:\n%s, u-id, buf,
 +   CONDITION_RESULTS=%s, buf,
 +   NULL);
 +
  return -EALREADY;
  }
  
 diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
 index c811a06..c85dda1 100644
 --- a/src/systemd/sd-messages.h
 +++ b/src/systemd/sd-messages.h
 @@ -62,6 +62,7 @@ extern C {
  
  #define SD_MESSAGE_UNIT_STARTING
 SD_ID128_MAKE(7d,49,58,e8,42,da,4a,75,8f,6c,1c,dc,7b,36,dc,c5)
  #define SD_MESSAGE_UNIT_STARTED 
 SD_ID128_MAKE(39,f5,34,79,d3,a0,45,ac,8e,11,78,62,48,23,1f,bf)
 +#define SD_MESSAGE_UNIT_CONDITIONS 
 SD_ID128_MAKE(b1,44,ed,c7,3c,f3,49,3b,b4,44,2c,67,03,61,ea,e8)
Strange indentation...

  #define SD_MESSAGE_UNIT_STOPPING
 SD_ID128_MAKE(de,5b,42,6a,63,be,47,a7,b6,ac,3e,aa,c8,2e,2f,6f)
  #define SD_MESSAGE_UNIT_STOPPED 
 SD_ID128_MAKE(9d,1a,aa,27,d6,01,40,bd,96,36,54,38,aa,d2,02,86)
  #define SD_MESSAGE_UNIT_FAILED  
 SD_ID128_MAKE(be,02,cf,68,55,d2,42,8b,a4,0d,f7,e9,d0,22,f0,3d)

Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd config recipes for namespace-isolated webapps

2013-07-02 Thread Zbigniew Jędrzejewski-Szmek 
On Tue, Jul 02, 2013 at 05:18:57PM -0400, Martin Langhoff wrote:
 Hi folks!
 
 At OLPC, I got an early chance to use and abuse systemd, and I like it
 quite a bit.
 
 We currently have ~500 identical VMs (created from kickstarts, kept
 almost in sync via satellite), each hosts apache/mysql daemons, and 2
 installs of the same PHP webapp (production, test).
 
 Goal is to reduce the number of VMs radically, as memory and storage
 overheads are killing us.
 
 I am now looking at systemd (under F-19, RHEL7 later) and wondering
 whether there are any recipes that can guide me a bit through setting
 up webapps in CGs with suitable namespaces.
 
 What I _think_ I need is
 
 0 - one target per customer, which in turn pulls in
 1 - apache
 2 - mysql
 3 - cronjobs
 4 - apache/tomcat/java setup {for some customers}
 5 - sftp -- namespace-aware?
 
 with 1,2 and 3 set to use the same CG. And stopping the target should
 ensure all the CG is down/dead.
 
 If possible, I prefer to avoid containers (and the associated chroot
 maintenance).
Hi,
I haven't really tried anythng like what you describe, but in general
both container and container-less approaches should work.

with a container: you can have socket activated systemd-nspawn
instance, which boots to a default target containing your services
1-5 + whatever special you want for that customer. It is currently
not possible to launch a systemd-nspawn container directly from /,
but you can do a bind mount to somewhere else. If by chroot
maintanance you mean the need to copy stuff between / and the
container, then it can be avoided this way. Launching systemd-nspawn
containers directly from / is on the list of planned things.
systemd-nspawn@.service already provides part of the installation.

container-less: a bunch of template units with dependencies on one
another should do what you need (instance units can refer to each
other). You can use InaccessibleDirectories= and other settings to
limit what those units can see.

The version with containers is probably slightly more flexible
and will allow more customizations for each customer. The other
one has probably lower overhead. But both should work.

HTH,
Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel