l ro/rw state of the disks, expecting that
/etc/fstab later changes things to the final setting. And if neither
are specified we imply "ro".
Hence, you have two choices: define an /etc/fstab (which of course is
not what you want with gpt-auto) or just add "rw" to the kernel cmdline.
Lennart
--
Lennart Poettering, Berlin
rams, then you can script around this,
with a script like this:
```bash
#!/bin/bash
# systemd sets $CREDENTIALS_DIRECTORY only when the unit passes credentials
# (LoadCredential=/SetCredential=); each credential is one file in that directory.
read -r MYCRED < "$CREDENTIALS_DIRECTORY"/mycred
export MYCRED
exec mybinary
```
you get the idea.
Lennart
--
Lennart Poettering, Berlin
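The same idea in Python, as an added example (not from the post above and not systemd's own code): read one credential from the directory systemd announces in $CREDENTIALS_DIRECTORY, refusing names that could escape that directory and refusing to follow a symlink, and keep the value in the process instead of exporting it to the environment (which would make it readable through /proc/<pid>/environ of the whole process tree). The credential name `mycred` comes from the post; the temporary directory in `demo()` is a constructed stand-in for the one systemd creates, and `load_credential`/`demo` are names chosen here.

```python
import os
import tempfile


def load_credential(name: str, env=os.environ) -> bytes:
    """Return the bytes of credential `name` that systemd passed to this service.

    systemd exposes credentials (LoadCredential=/SetCredential=) as one file
    per credential inside the directory named by $CREDENTIALS_DIRECTORY and
    sets that variable only when the unit actually passes credentials.
    """
    cred_dir = env.get("CREDENTIALS_DIRECTORY")
    if not cred_dir:
        raise RuntimeError("CREDENTIALS_DIRECTORY is unset: the unit passed no credentials")
    # Credential names are plain file names; anything containing a path
    # separator (or "." / "..") could escape the directory, so refuse it.
    if not name or "/" in name or name in (".", ".."):
        raise ValueError(f"invalid credential name {name!r}")
    path = os.path.join(cred_dir, name)
    # O_NOFOLLOW: do not follow a symlink that somehow ended up in the directory.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        chunks = []
        while True:
            block = os.read(fd, 65536)
            if not block:
                break
            chunks.append(block)
    finally:
        os.close(fd)
    return b"".join(chunks)


def demo() -> dict:
    """Exercise the loader against a constructed stand-in for systemd's directory."""
    with tempfile.TemporaryDirectory() as cred_dir:
        with open(os.path.join(cred_dir, "mycred"), "wb") as f:
            f.write(b"s3cr3t\n")            # constructed sample credential
        env = {"CREDENTIALS_DIRECTORY": cred_dir}
        value = load_credential("mycred", env).rstrip(b"\n")
        try:
            load_credential("../etc/shadow", env)
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        try:
            load_credential("mycred", {})   # service started with no credentials at all
            unset_rejected = False
        except RuntimeError:
            unset_rejected = True
    return {"value": value,
            "traversal_rejected": traversal_rejected,
            "unset_rejected": unset_rejected}


if __name__ == "__main__":
    print(demo())
```

If the binary you wrap really needs the secret in its environment, the shell script above is the way to do it; if it can read a file or inherit a descriptor, prefer that, since exported variables are inherited by every child process and stay readable in /proc for the lifetime of those processes.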
"ro" or "rw" on the kernel cmdline?
Lennart
--
Lennart Poettering, Berlin
UKI image in system-boot?
> Or is there any UEFI interface hook to implement such a change in UEFI to
> make a selection of DTB, just like DT_FIXUP ?
There's a PR for this:
https://github.com/systemd/systemd/pull/28959
But it hasn't seen progress in the past 3 weeks.
Lennart
--
Lennart Poettering, Berlin
n
during the initial transaction if avoidable. Better approaches are to
put together generators or so, which can augment the set of units and
their dependencies already when the first transaction is put together.
https://www.freedesktop.org/software/systemd/man/systemd.generator.html
Lennart
--
Lennart Poettering, Berlin
. One possible solution/workaround in systemd would be to
> retry under this condition. Or perhaps this should be considered a bug in
> the container runtimes?
Yes, that's what I think. They should fix that.
Lennart
--
Lennart Poettering, Berlin
Why was the decision taken to put these into /usr/lib/systemd instead of
> /usr/libexec/systemd/?
That's a Fedoraism. Why would one put something there?
/usr/lib/ is where private arch-dependent package stuff goes. What's
the rationale for /usr/libexec/ though?
Lennart
--
Lennart Poettering, Berlin
anks in advance for indicating, if systemd-cryptsetup (the binary) is a
> tool users may rely on.
Yes, absolutely.
The only reason when we might break things for you is when we one day
move it from /usr/lib to /usr/bin, ;-)
Hence: the call interface is certainly stable, the location in that
sense m
Hence, TLDR: don't make the lock file a symlink. (Also, why would you even?)
Lennart
--
Lennart Poettering, Berlin
o rhgb'
>
> Then added a boot entry:
> > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora
> > UKI"
>
> Unfortunately when trying to boot this I get:
> > Bad kernel image: Load Error
That suggests the kernel you picked does not ca
On Mo, 11.09.23 11:39, Nils Kattenbeck (nilskem...@gmail.com) wrote:
> On Mon, Sep 11, 2023, 10:54 Lennart Poettering
> wrote:
>
> > On So, 10.09.23 00:33, Nils Kattenbeck (nilskem...@gmail.com) wrote:
> >
> > > Hello, I am currently trying to build a
> to specify it as the root partition and exclude /usr and /var in it?
> Any help would be appreciated.
If you want /etc/ split off, then the discoverable partition spec
won't help you: you have to mount it explicitly from your initrd.
Lennart
--
Lennart Poettering, Berlin
tirely complete yet. Sorry!
It's such a thankless job! But it's definitely on our TODO list.
If you can't guess how things work from the header, let us know, we
can provide you here with the necessary info to get things off the
ground.
Lennart
--
Lennart Poettering, Berlin
ify" that does all of this for you in one
relatively easy step, it's our recommended approach to building UKIs
these days.
Lennart
--
Lennart Poettering, Berlin
tional kernels, instead of sd-boot/sd-stub and UKIs. PCR
measurements are messy there, and the pcr signature stuff as
implemented in systemd-measure doesn't work there.
Lennart
--
Lennart Poettering, Berlin
nization guarantees since journalctl started
that way will just read the data from the journal files unsynchronized
as everyone else too.
Lennart
--
Lennart Poettering, Berlin
property via some udev rule to
something reasonable, for the devices you add... I have no idea how
that looks like for your specific type of devices.
Lennart
--
Lennart Poettering, Berlin
. Restricting the shared resources available to a
> given seat, allocating them fairly, etc., is a different problem (and
> arguably one that I'd tackle per user and not per seat).
CPU/RAM are by default resource managed, i.e. each user logged in gets
a similar amount under pressure, as controlled via th
here's also a "render"
group set up to which users can be added which should always get
access.
Lennart
--
Lennart Poettering, Berlin
hidden backend or so, but a primary interface to this
setting.
Lennart
--
Lennart Poettering, Berlin
t
maybe someone at the Linux Foundation can connect you.
Lennart
--
Lennart Poettering, Berlin
we
should invalidate whatever information we collected so far about the
network.
Given this is redundant info we can reacquire this should not be an issue.
Lennart
--
Lennart Poettering, Berlin
ur OS vendor,
asking them to maybe backport the fix in question.
Lennart
--
Lennart Poettering, Berlin
ams for slices.
Lennart
--
Lennart Poettering, Berlin
y broken. Even if they are opt-in.
Lennart
--
Lennart Poettering, Berlin
ite()'s size is larger than datagram
max size you get EMSGSIZE). Programs trying to write too much usually
expect blocking behaviour... Thus this approach is not really an
option.
Lennart
--
Lennart Poettering, Berlin
> To get what is sent to stderr I had to do:
> journalctl -p 6 -u aptCacheUsage.service
>
> which gave beside a lot of other things the things sent to stdout.
>
> Now I have two different statements I can do:
> journalctl -p 3 -u aptCacheUsage.service
>
> But it would be nice if I did not need two different statements (and the
> logic around that) for that.
Still not getting what you are trying to say here.
Lennart
--
Lennart Poettering, Berlin
t
rotate files like that, because we cannot externally close the current
stdout of a process and replace it with a new file.
Hence, what you are trying to do is not supported, and is unlikely to
ever be supported for multiple reasons.
sorry!
Lennart
--
Lennart Poettering, Berlin
hings sent to
> stdout.
I can't parse that.
Lennart
--
Lennart Poettering, Berlin
# journalctl -xeu scc_daemon.service
> Aug 24 13:41:35 scc_daemon[5574]: scc_Daemon start failed, see
> logfile: /opt/sap/scc/scc_daemon.log
systemd is just the messenger here. Please contact SAP for help on
this SAP product, not the systemd project.
Lennart
--
Lennart Poettering, Berlin
On Di, 22.08.23 22:35, Aleksandar Kostadinov (akost...@redhat.com) wrote:
> On Tue, Aug 22, 2023 at 8:10 PM Lennart Poettering
> wrote:
> > On Di, 22.08.23 19:16, Aleksandar Kostadinov (akost...@redhat.com) wrote:
> <...>
> > > If attacker replaces volume with
s
> >0-7, 9, 11-13, 15, i.e. everything that is reasonably stable
> >locally.
> >
> > Alas, as mentioned this is WIP, still.
>
> I didn't expect the unattended server TPM2 encryption to be such a
> muddy ground. Probably because serious use cases also involve more
> infrastructure and dedicated admins, etc.
It is certainly my intention to make this all "just work" and "default
on", even on consumer hw. Windows does it, so we should be able to do
that as well.
Lennart
--
Lennart Poettering, Berlin
mistakes
> that original scripts already avoid.
Neither for the literal PCR policies nor for the signed PCR policies do
the PCRs actually need to be in the states we expected when
enrolling. Support for the former was recently added upstream.
Lennart
--
Lennart Poettering, Berlin
thing inherently local that is hard to
predict from the outside (and for good measure also covers the
vendor supplied stuff, because why not). This would then cover PCRs
0-7, 9, 11-13, 15, i.e. everything that is reasonably stable
locally.
Alas, as mentioned this is WIP, still.
Lennart
--
Lennart Poettering, Berlin
e ask about AA compat with that.
Lennart
--
Lennart Poettering, Berlin
ebug info available in current fedora distros built-in.
Lennart
--
Lennart Poettering, Berlin
ng anything on its
own, such as a cgroupv2 tree.
that should be enough to make old systemd happy.
Lennart
--
Lennart Poettering, Berlin
for longer.
Lennart
--
Lennart Poettering, Berlin
time. Which doesn't
make much sense to me.
Consider this NEWS file entry your "stimulation" to transition the
holdouts.
Lennart
--
Lennart Poettering, Berlin
ey parse messages.
Yeah, this is not fun, but hey, this is C, so nothing is "fun".
Lennart
--
Lennart Poettering, Berlin
already doing that, I've not seen it).
That has been in place for a while:
https://github.com/systemd/systemd/blob/main/src/sysv-generator/sysv-generator.c#L767
Lennart
--
Lennart Poettering, Berlin
mework like systemd-initctl was? Perhaps it could even be a
> pattern for others to implement translation for their own things to
> systemd (e.g. runit, et al).
Once the hooks from systemctl's client side are gone, they are
gone. You can't really work around that.
I am sorry, you want to convert runit service definitions to systemd? huh?
Lennart
--
Lennart Poettering, Berlin
ent_source *source,
> sd_event_io_handler_t handler);
>
> and similar for the other event types?
No one needed this so far. Usually people track states in enums, not by
replacing function pointers...
I see no reason to not add support for this. If this is important to
you, please submit a PR adding
o. Until then, the way
to go is shelling out to the tool.
Lennart
--
Lennart Poettering, Berlin
> ask me the rescue password.
please provide boot logs, otherwise this is not actionable.
A black screen usually indicates some graphics problem. What makes you
think cryptsetup has anything to do with that?
Lennart
--
Lennart Poettering, Berlin
On Mo, 10.07.23 11:37, Marc Haber (mh+systemd-de...@zugschlus.de) wrote:
> Hi Lennart,
>
> On Mon, Jul 10, 2023 at 10:28:52AM +0200, Lennart Poettering wrote:
> > On So, 09.07.23 20:14, Marc Haber (mh+systemd-de...@zugschlus.de) wrote:
> >
> > > > It should suff
ways be a tmpfs, hence unless you mount a
tmpfs to /var/local/chroot/bind/run/ first, the above is a bit ugly.
Instead of this .mount unit, consider using in the .service file:
TemporaryFileSystem=/var/local/chroot/bind/run
BindPaths=/run/systemd/notify:/var/local/chroot/bind/run/systemd/notify
(Under the assumption bind chroots itself into /var/local/chroot/bind)
Lennart
--
Lennart Poettering, Berlin
o re-sign the PCR measurements
> in /boot without needing to re-do cryptenroll.)
Actually, my recommendation is to embed the signature file in the UKI
itself, after all the signatures are specific to specific UKIs, and
hence it makes sense to glue them into the UKIs.
Lennart
--
Lennart Poettering, Berlin
that match
signatures of those PCR values.
Lennart
--
Lennart Poettering, Berlin
stemd/Debugging/#diagnosingbootproblems
Lennart
--
Lennart Poettering, Berlin
am enrolling the wrong PCR value?
> Otherwise... what am I doing wrong?
We measure the "boot phase" into PCR 11 too. See
systemd-pcrphase.service(8) for details.
Generally the assumption is that PCR 11 is used for signed PCR
policies, i.e. under vendor control.
Lennart
--
Lennart Poettering, Berlin
On Mo, 03.07.23 15:21, Andrei Borzenkov (arvidj...@gmail.com) wrote:
> On 03.07.2023 14:17, Lennart Poettering wrote:
> > On Mo, 03.07.23 10:58, Valentijn Sessink (valent...@sessink.nl) wrote:
> >
> > > Now my remaining question is probably so very basic, that y
aemon
in question then does further lockdown, that's great (as sometimes a
daemon might need privs during startup but not later), but generally
systemd should be better at locking things down, given the seccomp
stuff and all that other stuff it nowadays does.
Lennart
--
Lennart Poettering, Berlin
can use this to kill your own session:
loginctl kill-session $XDG_SESSION_ID
if you want to know which systemd unit your process belongs to use:
ps --pid $$ -o unit=
Lennart
--
Lennart Poettering, Berlin
On Fr, 30.06.23 15:11, Valentijn Sessink (valent...@sessink.nl) wrote:
> Hi,
>
> On 28-06-2023 18:04, Lennart Poettering wrote:
> > > "PAMName=login", then starts a script and a few (old X11 related)
> > > programs.
> [...]>> Is there a way to
, from systemd's PoV they are part of the login session, not
the original service anymore.
You can't have it both ways: be a session and a service. In system
it's either/or.
Lennart
--
Lennart Poettering, Berlin
bstract namespace sockets are nice for things like this, but they are
inherently vulnerable to DoS attacks if you use a fixed name since the
namespace knows not access controls: everyone can grab any socket they
like.
Make sure to look at the source PID (i.e. SCM_CREDENTIALS) before
using incoming data.
Lennart
--
Lennart Poettering, Berlin
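The two points above in working code, as an added example (not from the post and not systemd's code): a datagram server on an abstract-namespace AF_UNIX socket that turns on SO_PASSCRED, reads the kernel-attached SCM_CREDENTIALS of every datagram and only hands the payload on when the sender's uid is on an allow-list, plus a second bind of the same name to show the squatting problem (whoever binds first owns the name, and nothing in the abstract namespace stops anyone from doing so). It assumes Linux; the socket name and the `handle`/`try_squat`/`demo` helpers are chosen here. One caveat in my own voice: the pid in the ucred is informational (pids get recycled), so the authorization decision should rest on uid/gid.

```python
import errno
import os
import socket
import struct

# Linux struct ucred { pid_t pid; uid_t uid; gid_t gid; }: three native 32-bit ints.
UCRED = struct.Struct("iII")


def abstract_addr(name: str) -> bytes:
    # A leading NUL byte selects the abstract namespace: there is no filesystem
    # node, so no file permissions apply and any process in the same network
    # namespace can bind (or squat) the name.
    return b"\0" + name.encode()


def make_server(name: str, timeout: float = 2.0) -> socket.socket:
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    # Ask the kernel to attach the sender's credentials to every datagram.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    srv.settimeout(timeout)
    srv.bind(abstract_addr(name))
    return srv


def recv_with_creds(sock: socket.socket, bufsize: int = 4096):
    """Return (payload, pid, uid, gid) for one datagram; raise if no creds came with it."""
    data, ancdata, _flags, _addr = sock.recvmsg(bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = UCRED.unpack(cdata[:UCRED.size])
            return data, pid, uid, gid
    raise PermissionError("datagram carried no SCM_CREDENTIALS; dropping it")


def handle(sock: socket.socket, allowed_uids):
    """Hand the payload on only if the kernel says an allowed uid sent it, else None."""
    data, _pid, uid, _gid = recv_with_creds(sock)
    # The pid can be recycled; authorize on the uid (and gid if you need it).
    return data if uid in allowed_uids else None


def try_squat(name: str) -> int:
    """Bind the same abstract name from a second socket; return errno (0 on success)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.bind(abstract_addr(name))
        return 0
    except OSError as e:
        return e.errno
    finally:
        s.close()


def demo() -> dict:
    name = f"example-creds-demo-{os.getpid()}"     # made-up name for the demo
    srv = make_server(name)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        squat_errno = try_squat(name)              # the name is already taken
        for payload in (b"hello", b"second", b"third"):
            cli.sendto(payload, abstract_addr(name))
        data, pid, uid, gid = recv_with_creds(srv)
        rejected = handle(srv, allowed_uids=set())          # policy allows nobody
        accepted = handle(srv, allowed_uids={os.getuid()})  # policy allows our uid
        return {
            "payload": data,
            "sender_is_us": (pid, uid, gid) == (os.getpid(), os.getuid(), os.getgid()),
            "squatter_got_eaddrinuse": squat_errno == errno.EADDRINUSE,
            "rejected_by_policy": rejected is None,
            "accepted_by_policy": accepted,
        }
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    print(demo())
```

For SOCK_STREAM connections the equivalent check is SO_PEERCRED on the accepted socket; the squatting problem is the same, so if the name must be fixed and shared, a filesystem socket in a directory with restrictive permissions is the safer choice.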
system. If you are not the intended recipient, you may not use,
> disclose, distribute, copy, print, or rely on this email.
You are posting this to a public mailing list, you know this? I
presume you don't actually mean this confidentiality notice, do you?
Lennart
--
Lennart Poettering, Berlin
e that gets loaded. Do you guys think this would be
> needed, or is overkill?
If you use UKIs, bind to the signature for PCR 11.
Lennart
--
Lennart Poettering, Berlin
github.com/systemd/systemd/pull/28037
Lennart
--
Lennart Poettering, Berlin
at some points trying to be nice has ends: if yocto can't find
the maintenance resources for updating CI, for running good reporting
infra, or for maintaining systemd there's not that much stuff we can
do, but it still doesn't become our upstream problem then. We
refuse to be held back by that indefinitely.
Lennart
--
Lennart Poettering, Berlin
e6633430e8b240b87f
should address your issue, no? Because then we'll not mount by uuid
anymore, but purely by diskseq, ensuring that the stuff
gpt-auto-generator finds is also the stuff we'll end up mounting
eventually.
Lennart
--
Lennart Poettering, Berlin
On Mo, 05.06.23 11:09, Lennart Poettering (lenn...@poettering.net) wrote:
> On Mo, 05.06.23 10:41, Valentin David (valentin.da...@canonical.com) wrote:
>
> > On Mon, Jun 5, 2023 at 9:56 AM Lennart Poettering
> > wrote:
> >
> > > On So, 04.06.23 14:25, Valentin Da
On Mo, 05.06.23 10:41, Valentin David (valentin.da...@canonical.com) wrote:
> On Mon, Jun 5, 2023 at 9:56 AM Lennart Poettering
> wrote:
>
> > On So, 04.06.23 14:25, Valentin David (valentin.da...@canonical.com)
> > wrote:
> >
> > > I have been trying to
for UKIs btw,
precisely to deal with the problems around sizing ESP.
Lennart
--
Lennart Poettering, Berlin
gn PCR values and
then bind disk encryption to the public key used for that signing, and
include the signature matching a kernel in the UKI. That means
updating becomes trivial, as every UKI comes with all data needed to
unlock the disk safely.
Lennart
--
Lennart Poettering, Berlin
-QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMM
> ON +UTMP +SYSVINIT default-hierarchy=unified)
>
> Cryptsetup: v2.6.1
I am a bit puzzled by this. Would be good to figure out what actually
is so slow here? Formatting luks? Formatting ext4? Discarding?
Lennart
--
Lennart Poettering, Berlin
On Mo, 05.06.23 07:46, daggs (da...@gmx.com) wrote:
> Greetings,
>
> given a rule file which has a add and remove handlers, is there a
> way to manually trigger the remove handler of that file?
I cannot parse this, sorry.
Lennart
--
Lennart Poettering, Berlin
On Do, 25.05.23 14:32, Phillip Susi (ph...@thesusis.net) wrote:
>
> Lennart Poettering writes:
>
> > We want that within each file all records are strictly ordered by all
> > clocks, so that we can find specific entries via bisection.
>
> Why *all* clocks?
s part of rule processing, but it can
only be used for very quickly
running programs, and you have to communicate results of your script
via properties you write to stdout rather than exit status.
Lennart
--
Lennart Poettering, Berlin
On Do, 25.05.23 10:08, Andrea Pappacoda (and...@pappacoda.it) wrote:
> Il giorno mer 24 mag 2023 alle 14:35:05 +02:00:00, Lennart Poettering
> ha scritto:
> > Note that in systemd git main there's already support for generating
> > UKIs dynamically when a kernel RPM/DEB is
f both the
UKI and the add-ons are done via regular UEFI SecureBoot or via
shim. Both UKIs and add-ons are just PE files after all that thus can
be verified that way. Because the files can be authenticated via shim
you get MOK and so on.
Lennart
--
Lennart Poettering, Berlin
ept we call "add-on", which we could extend
to initrds too I guess, see
https://github.com/systemd/systemd/pull/27358
Lennart
--
Lennart Poettering, Berlin
ed" stream, so that you
can't see that they are stored in separate journal files.
> If it is intentional that journals be rotated after a reboot, could it
> at least be done without complaining about it?
The message is debug level, no?
Lennart
--
Lennart Poettering, Berlin
led (as long as the
"kernel-install" infra is in use). It can be signed with a local key,
that can be enrolled with MOK.
With that we make it reasonably easy to run a setup with a locally
signed initrd – but it means that you'll get a MOK prompt during at
least one boot.
Lennart
--
Lennart Poettering, Berlin
? Where is that stored? In the ESP? That would be
pointless, as you could swap it out. You could use a MOK key, but that
means interaction at at least one boot, which generic distros don't like.
Lennart
--
Lennart Poettering, Berlin
ur /boot/ partition as XBOOTLDR and
format it is vfat it should just work.
Lennart
--
Lennart Poettering, Berlin
a large log message
> looks like.
Well, I think rsyslog has no idea about the journal's structured
logging, because it lives in its own world. It won't see the
_LINE_BREAK= structured logging. Hence you cannot reasonably
reassemble I guess, the info is simply lost once rsyslog takes over.
Lennart
--
Lennart Poettering, Berlin
ing possible?
As mentioned you can use the _LINE_BREAK= field to reassemble the
lines. But seriously, if you are logging megabytes of data in single
log messages you are doing things wrong. Revisit what you are doing
there, you are trying to hammer a square log message into a round log
transport. Bad idea.
Lennart
--
Lennart Poettering, Berlin
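What "use the _LINE_BREAK= field to reassemble the lines" looks like in practice, as an added example (not from the posts above and not systemd's code): a consumer of journal export output that joins the records journald produced when it cut one over-long stdout line at LineMax= back into a single message. It relies on two documented properties of stream records: every piece except the last carries _LINE_BREAK=line-max (the last piece ended with a regular newline, so it has no _LINE_BREAK=), and pieces of one line come from the same stream, identified by _STREAM_ID=. The sample entries are constructed, the fallback from _STREAM_ID= to _PID= is an assumption made here, and the _CHUNKS/_INCOMPLETE fields are bookkeeping invented for this example, not journal fields.

```python
from collections import defaultdict

# Constructed sample in journal export format (KEY=value lines, blank line
# between entries; binary fields are not used). Stream s1 wrote one long JSON
# line that journald cut into three records at LineMax=; only the non-final
# pieces carry _LINE_BREAK=line-max, the last piece ended with a newline.
# Stream s2 is an unrelated record interleaved in between, and the final s1
# record is a partial line left when the process exited (_LINE_BREAK=eof).
SAMPLE_EXPORT = """\
__CURSOR=c1
_STREAM_ID=s1
_PID=4242
_LINE_BREAK=line-max
MESSAGE=BEGIN{"trace":"aaaaaaaaaaaa

__CURSOR=c2
_STREAM_ID=s2
_PID=4243
MESSAGE=unrelated short line

__CURSOR=c3
_STREAM_ID=s1
_PID=4242
_LINE_BREAK=line-max
MESSAGE=bbbbbbbbbbbb","span":"cccc

__CURSOR=c4
_STREAM_ID=s1
_PID=4242
MESSAGE=cccccccc"}END

__CURSOR=c5
_STREAM_ID=s1
_PID=4242
_LINE_BREAK=eof
MESSAGE=partial line left at process exit
"""


def parse_export(text: str) -> list:
    """Split journal export text into a list of {field: value} dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line:                     # a blank line terminates an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, value = line.partition("=")
        cur[key] = value
    if cur:
        entries.append(cur)
    return entries


def reassemble(entries: list) -> list:
    """Join records split at LineMax= back into one message per written line.

    Pieces belong together when they come from the same stream (_STREAM_ID,
    falling back to _PID if absent: an assumption made here) and every piece
    but the last is marked _LINE_BREAK=line-max. Other _LINE_BREAK values
    (nul, eof, pid-change) terminate a message and are kept on the result.
    """
    pending = defaultdict(list)          # stream -> message pieces collected so far
    first_meta = {}                      # stream -> fields of the first piece
    out = []
    for e in entries:
        sid = e.get("_STREAM_ID") or e.get("_PID")
        msg = e.get("MESSAGE", "")
        brk = e.get("_LINE_BREAK")
        if brk == "line-max":
            first_meta.setdefault(sid, e)
            pending[sid].append(msg)
            continue
        rec = dict(first_meta.pop(sid, e))   # keep the first piece's metadata
        pieces = pending.pop(sid, []) + [msg]
        rec["MESSAGE"] = "".join(pieces)
        rec["_CHUNKS"] = len(pieces)         # bookkeeping field added here
        if brk:
            rec["_LINE_BREAK"] = brk
        else:
            rec.pop("_LINE_BREAK", None)     # the first piece's line-max no longer applies
        out.append(rec)
    for sid, pieces in pending.items():      # final piece missing (truncated export)
        rec = dict(first_meta[sid])
        rec["MESSAGE"] = "".join(pieces)
        rec["_CHUNKS"] = len(pieces)
        rec["_INCOMPLETE"] = "1"             # bookkeeping field added here
        out.append(rec)
    return out


def reassembled_messages(text: str = SAMPLE_EXPORT) -> list:
    return [r["MESSAGE"] for r in reassemble(parse_export(text))]


if __name__ == "__main__":
    for rec in reassemble(parse_export(SAMPLE_EXPORT)):
        print(rec.get("__CURSOR"), rec.get("_CHUNKS"), rec.get("_LINE_BREAK"), rec["MESSAGE"])
```

Feed it `journalctl -o export -u <unit>`; anything that parses the MESSAGE= as JSON (the usual reason for megabyte-sized lines) has to run after this step, not before, and it only works on what journald stored. Once the records have gone through rsyslog the _LINE_BREAK= field is gone, as the reply above says.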
I saw was the 1.5MB long message
> that was truncating earlier went through this time without truncation and a
> split happened the way I wanted it to be.
So apparently you are logging via stdout/stderr. In that case
LineMax= as mentioned above will help you. Still though: bad idea to
send a 1.5
obably should change systemd-logind to
implicitly and unconditionally keep an open fd to the home dir of a
user around as long as there's at least one session of them around,
simply to make clear that sessions keep home dirs busy. This, as side
effect would then also mean that autofs wouldn't be tempted to
consider the home dir idle as long as there's a session.
Lennart
--
Lennart Poettering, Berlin
ogs excerpt one cannot figure anything out.
This looks a lot like an integration issue, i.e. something you should
first ask your distro about.
Other than that, there's this:
https://freedesktop.org/wiki/Software/systemd/Debugging/#diagnosingbootproblems
Lennart
--
Lennart Poettering, Berlin
ot support booting in a classic chroot(). Use a
container manager for that, for example "systemd-nspawn -D
/some/directory -b"
Lennart
--
Lennart Poettering, Berlin
gain it freezes. The shells do start, however, when the hook is not
> activated.
Anyway, without debug logs as suggested in my earlier mail this is
really hard to debug. Enable debug logging.
Lennart
--
Lennart Poettering, Berlin
am pretty sure the above message has little to do with
amount of memory required. Enable debug output if output is too terse.
https://freedesktop.org/wiki/Software/systemd/Debugging/#diagnosingbootproblems
Lennart
--
Lennart Poettering, Berlin
titute a sysv runlevel-lookalike have started. If
you order rc-local.service after that then you create a cyclic
dependency, because it would mean s-u-u-r.s is both before *and* after
rc-local.service and that cannot be.
Lennart
--
Lennart Poettering, Berlin
On Mo, 24.04.23 11:57, Aki Ketolainen (a...@mykolab.com) wrote:
> Would it be possible to change the rc-local.service configuration as
> follows, so that it could be used similarly as before
> i.e. running close to the end of the "runlevel" or systemd target:
>
> [Unit]
> After=crond.service
Why
On Mo, 17.04.23 06:48, Chuck Tuffli (ctuf...@gmail.com) wrote:
> On Mon, Apr 17, 2023 at 4:48 AM Lennart Poettering
> wrote:
> >
> > On Fr, 14.04.23 09:14, Chuck Tuffli (ctuf...@gmail.com) wrote:
> >
> > > On Thu, Apr 13, 2023 at 4:14 PM Luca Boccassi
>
mount it via "mkdir t && mount /dev/loopXp1 t" or something
like that.
Lennart
--
Lennart Poettering, Berlin
example.
We usually recommend starting out with the docs first. Yes, they are
incomplete, in which case the mailing list can fill in the gaps, but
please, consult the docs, it saves us all time, and we wrote them for
that.
https://www.freedesktop.org/software/systemd/man/sd_bus_add_object.html
Lennart
--
Lennart Poettering, Berlin
for you then! Since it doesn't look likely that
anyone can convince you otherwise, let's end this discussion here.
Lennart
--
Lennart Poettering, Berlin
misbehaving application, the system may still go into thrashing.
> Or is the kernel smart enough to prevent this?
Things like systemd-oomd are supposed to detect misbehaving services
and apps and shut them down cleanly before they can misbehave too
much.
Lennart
--
Lennart Poettering, Berlin
g like this, if you use it properly. Swap is part of
using it "properly".
Oversized hw is typically a bad investment. In particular in today's
cloud world where costs multiply with every node you have.
Lennart
--
Lennart Poettering, Berlin
On Do, 30.03.23 13:16, Phillip Susi (ph...@thesusis.net) wrote:
>
> Lennart Poettering writes:
>
> > oomd/PSI looks at memory allocation latencies to determine memory
> > pressure. Since you disallow anonymous memory to be paged out and thus
> > increase IO on file
f, at the price of degrading performance of the
apparently never used stuff. Overall win!
Lennart
--
Lennart Poettering, Berlin
ut that's kinda
wasteful. Resource-management through oversized hw is certainly a way to
solve problems, no doubt.
Lennart
--
Lennart Poettering, Berlin
On Do, 30.03.23 18:56, Michael Chapman (m...@very.puzzling.org) wrote:
> On Thu, 30 Mar 2023, Lennart Poettering wrote:
> > On Mi, 29.03.23 13:53, Christoph Anton Mitterer (cales...@scientia.org)
> > wrote:
> >
> > > > > That's a bad idea btw. I'd
Might make it easier for people to use it properly :-)
It's a bad idea to do what you are doing. I don't think we need to
make
Lennart
--
Lennart Poettering, Berlin
uld like to allow this by satisfying the condition c->vtable->flags &
> SD_BUS_VTABLE_UNPRIVILEGED
There are roughly a bazillion examples in the systemd source tree for
that. For example here:
https://github.com/systemd/systemd/blob/main/src/login/logind-session-dbus.c#L857
Lennart
--
Lennart Poettering, Berlin
hibernation
>
> Does that mean it's the same problem as with the desktop environment?
> I.e. systemctl first asking logind whether hibernate was available,
> before even starting hibernate.target?
Yeah, all requests that go through logind check that.
You can override the check via an env