[systemd-devel] Question about WATCHDOG
Hi, I am writing a daemon script which uses sd_notify watchdog. This works fine, system will kill the if the process doesn't notify. However, I have seen in 1 occasion where, due to a programming error, the script got stuck in a read and was not killed where it should have been. So my question is, what does systemd actually do when the watchdog expires, which signal does it send? -Sietse ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Question about WATCHDOG
On Fri, Jan 11, 2019 at 08:03:45AM +, Sietse van Zanen wrote: > Hi, > > > > I am writing a daemon script which uses sd_notify watchdog. This works fine, > system will kill the if the process doesn’t notify. > > > > However, I have seen in 1 occasion where, due to a programming error, the > script got stuck in a read and was not killed where it should have been. > > So my question is, what does systemd actually do when the watchdog expires, > which signal does it send? > It's well documented in the manpages. From systemd.service(5) under the description of WatchdogSec=: If the time between two such calls is larger than the configured time, then the service is placed in a failed state and it will be terminated with SIGABRT (or the signal specified by WatchdogSignal=) ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] systemd-journald.service not using ProtectSystem=strict?
Hello, I have no problems using this with Debian testing: # /etc/systemd/system/systemd-journald.service.d/override.conf [Service] CapabilityBoundingSet=~CAP_MAC_OVERRIDE CAP_SYS_PTRACE InaccessiblePaths=-/dev/pts -/dev/shm -/dev/mqueue -/dev/hugepages -/setuid -/boot -/tmp -/var/tmp -/bin -/sbin -/usr/bin -/run/lock -/lost+found -/media -/mnt -/opt -/srv -/proc/bus Personality=x86-64 PrivateNetwork=yes ProtectControlGroups=yes ProtectHome=yes ProtectKernelModules=yes ProtectKernelTunables=yes ProtectSystem=strict ReadOnlyPaths=-/ ReadWritePaths=-/var -/run SystemCallFilter=~@resources UMask=0077 It could be obvious, but when testing journald configuration, if journald is started from initramfs, the config file should be also present there. -Topi On 10.1.2019 20.06, Reindl Harald wrote: looking at the current security issues and how it triggers the troll-army i wonder why systemd-journald.service is not restricted from at least write to /usr and /root at least on Fedora 28 (that it's not vulernable because of compiler hardening is just luck) [root@testserver:~]$ cat /etc/systemd/system/systemd-journald.service.d/security.conf [Service] ProtectSystem=strict ProtectHome=yes ReadWritePaths=/run ReadWritePaths=/var [root@testserver:~]$ systemctl status systemd-journald.service ● systemd-journald.service - Journal Service Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled) Drop-In: /etc/systemd/system/systemd-journald.service.d └─security.conf Active: active (running) since Thu 2019-01-10 19:00:30 CET; 42s ago Docs: man:systemd-journald.service(8) man:journald.conf(5) Main PID: 398 (systemd-journal) Status: "Processing requests..." Tasks: 1 (limit: 512) Memory: 4.7M CGroup: /system.slice/systemd-journald.service └─398 /usr/lib/systemd/systemd-journald Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Journal started Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Runtime journal (/run/log/journal/b3591cfc6c4e65ea231a7d08489dc40f) is 2.5M, max 10.0M, 7.5M free. Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Runtime journal (/run/log/journal/b3591cfc6c4e65ea231a7d08489dc40f) is 2.5M, max 10.0M, 7.5M free. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] GithHub / private repos
Team plan with unlimited private repos and unlimited collaborators is free for open source teams. On Wed, Jan 9, 2019 at 11:41 PM Michael Biebl wrote: > > Am Mi., 9. Jan. 2019 um 21:24 Uhr schrieb Michael Biebl : > > > > https://blog.github.com/2019-01-07-new-year-new-github/ > > > > might be of interest given the recent discussions how to handle security issues. > > Answering to myself: With the restriction of 3 developers per private > repository, it's probably not particularly useful for this case. > > Too bad :-/ > -- > Why is it that all of the instruments seeking intelligent life in the > universe are pointed away from Earth? > ___ > systemd-devel mailing list > systemd-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/systemd-devel ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] sd-bus parameter names
Hi Lennart, all, On Sun, Jan 6, 2019 at 6:40 PM Lennart Poettering wrote: > > On Fr, 04.01.19 09:39, Giacinto Cifelli (gciof...@gmail.com) wrote: > > > Hi, > > > > I would like to give my DBus parameters names other than the default > > arg_X for the introspection. > > > > Is it ok if I post some commits to do that, or is the feature excluded > > by choice? > > It was excluded because the data is kinda redundant and I couldn't > come up with a sexy, convincing way how to denote this in the sources. > I have submitted my change, it has been reviewed (for the form), but not taken for merge. I don't want to be pushy, just I don't know if I need to do something more. And I was expecting some comments about the sexy part. None came, so I will give myself one. DBus uses for in/out parameters a single string each, but splits them for the introspectable interface (where the names are used). sd-bus takes the first path, more functional, and then splits the parameters internally for the XML declaration. Given that, a matching way to declare parameter names is using a 'concatenated' string and splitting it at the same time as the parameters themselves. I have taken this path. > > Adding this certainly makes, if you can come up with macro syntax that > makes this nice to read. I don't know if the macro names are appealing: I just added '_WITH_NAMES' ones, following the '_WITH_OFFSET' already in place. I would like a comment also on this. > > (I'd prefer if this would use \0 or so as separator though maybe, > given it sounds weird compiling in strings that the code first has to > parse, and if \0 is used as separator then things feel more > "pre-parsed" to me) submitted so, with \0 separators. > > Anyway, by all means, please prep a patch set and submit as PR, and we > can continue discussions there!y > > Lennart > Regards, Giacinto ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel