[systemd-devel] Doc updates for July 12
The following changes since commit 3d56f7df4411684404470d36ddec0d90649a13a3:

  static-nodes: don't hardcode path to mkdir (2013-07-12 20:08:31 +0200)

are available in the git repository at:

  git://git.inai.de/systemd master

for you to fetch changes up to 21b984e144a1477e00fa01c370a52c2c641b6b9a:

  man: wording and grammar update (2013-07-12 22:41:57 +0200)

Jan Engelhardt (1):
      man: wording and grammar update

 man/systemd.cgroup.xml | 30 +++---
 man/systemd.exec.xml   |  2 +-
 man/systemd.scope.xml  |  2 +-
 man/systemd.socket.xml |  2 +-
 4 files changed, 18 insertions(+), 18 deletions(-)

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] man: wording and grammar update
--- man/systemd.cgroup.xml | 30 +++--- man/systemd.exec.xml | 2 +- man/systemd.scope.xml | 2 +- man/systemd.socket.xml | 2 +- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/man/systemd.cgroup.xml b/man/systemd.cgroup.xml index 504c968..e31faf5 100644 --- a/man/systemd.cgroup.xml +++ b/man/systemd.cgroup.xml @@ -78,7 +78,7 @@ along with systemd; If not, see http://www.gnu.org/licenses/. and citerefentryrefentrytitlesystemd.swap/refentrytitlemanvolnum5/manvolnum/citerefentry for more information on the specific unit configuration files. The -execution specific configuration options are configured in the +execution-specific configuration options are configured in the [Slice], [Scope], [Service], [Socket], [Mount], or [Swap] sections, depending on the unit type./para /refsect1 @@ -94,7 +94,7 @@ along with systemd; If not, see http://www.gnu.org/licenses/. termvarnameCPUAccounting=/varname/term listitem - paraTurn on the CPU usage accounting for this + paraTurn on CPU usage accounting for this unit./para /listitem /varlistentry @@ -103,7 +103,7 @@ along with systemd; If not, see http://www.gnu.org/licenses/. termvarnameBlockIOAccounting=/varname/term listitem - paraTurn on the Block IO bandwidth accounting + paraTurn on Block IO bandwidth accounting for this unit./para /listitem /varlistentry @@ -112,7 +112,7 @@ along with systemd; If not, see http://www.gnu.org/licenses/. termvarnameMemoryAccounting=/varname/term listitem - paraTurn on the process and kernel memory + paraTurn on process and kernel memory accounting for this unit./para /listitem /varlistentry 
@@ -126,7 +126,7 @@ along with systemd; If not, see http://www.gnu.org/licenses/. the processes executed. Takes an integer value. This controls the literalcpu.shares/literal control group attribute, which defaults to 1024. For details about this - control group attribute see ulink + control group attribute, see ulink url=http://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt;sched-design-CFS.txt/ulink./para paraImplies literalCPUAccounting=true/literal./para @@ -145,12 +145,12 @@ along with systemd; If not, see http://www.gnu.org/licenses/. detects memory contention, memory reclaim will be performed until the memory usage is within the soft limit. Takes a memory size in bytes. If the value is suffixed with K, M, G - or T the specified memory size is parsed as Kilobytes, + or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. This controls the literalmemory.limit_in_bytes/literal and literalmemory.soft_limit_in_bytes/literal control group - attributes. For details about these control group attributes + attributes. For details about these control group attributes, see ulink url=http://www.kernel.org/doc/Documentation/cgroups/memory.txt;memory.txt/ulink./para @@ -170,7 +170,7 @@ along with systemd; If not, see http://www.gnu.org/licenses/. literalblkio.weight/literal control group attribute, which defaults to 1000. For details about -this control group attribute see +this control group attribute, see ulink url=http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt;blkio-controller.txt/ulink./para/listitem /varlistentry 
@@ -190,7 +190,7 @@ along with systemd; If not, see http://www.gnu.org/licenses/. literalblkio.weight_device/literal control group attribute, which defaults to 1000. Use this option multiple times to set weights for multiple devices. For details about - this control group attribute see ulink + this control group attribute, see ulink url=http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt;blkio-controller.txt/ulink./para /listitem /varlistentry @@ -206,7 +206,7 @@ along with systemd; If not, see http://www.gnu.org/licenses/. specify the device specific bandwidth. The file path may be a path to a block device node, or as any other file in which case the backing block device of the file system of the file - is used. If the bandwidth is suffixed with K, M, G, or T + is used. If the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively (Example: /dev/disk/by-path/pci-:00:1f.2-scsi-0:0:0:0 5M). This @@ -214,7
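Review bot: the MemoryLimit= hunk (@@ -145) now states that the K/M/G/T suffixes are parsed "with the base 1024", but the BlockIOReadBandwidth= hunk (@@ -206) describes the same suffixes ("Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively") without saying which base applies; since this is a wording pass over both entries, align them so a reader does not have to guess whether 5M means 5*1024*1024 bytes for bandwidth as it does for memory. The remaining hunks (dropping the stray "the" before the accounting options, the comma before "see", and hyphenating "execution-specific") read well.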
[systemd-devel] [PATCH 1/3 v2] cryptsetup: Move password query out of main
Also use _cleanup_free_ where possible. --- src/cryptsetup/cryptsetup.c | 153 +--- 1 file changed, 72 insertions(+), 81 deletions(-) diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index 347394d..994a0e0 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -215,7 +215,8 @@ finish: } static char *disk_mount_point(const char *label) { -char *mp = NULL, *device = NULL; +char *mp = NULL; +_cleanup_free_ char *device = NULL; FILE *f = NULL; struct mntent *m; @@ -238,11 +239,68 @@ finish: if (f) endmntent(f); -free(device); - return mp; } +static int get_password(const char *name, usec_t until, bool accept_cached, char ***passwords) { +int r; +char **p; +_cleanup_free_ char *text = NULL; + +assert(name); +assert(passwords); + +if (asprintf(text, Please enter passphrase for disk %s!, name) 0) +return log_oom(); + +r = ask_password_auto(text, drive-harddisk, until, accept_cached, passwords); +if (r 0) { +log_error(Failed to query password: %s, strerror(-r)); +return r; +} + +if (opt_verify) { +_cleanup_strv_free_ char **passwords2 = NULL; + +assert(strv_length(*passwords) == 1); + +if (asprintf(text, Please enter passphrase for disk %s! (verification), name) 0) +return log_oom(); + +r = ask_password_auto(text, drive-harddisk, until, false, passwords2); +if (r 0) { +log_error(Failed to query verification password: %s, strerror(-r)); +return r; +} + +assert(strv_length(passwords2) == 1); + +if (!streq(*passwords[0], passwords2[0])) { +log_warning(Passwords did not match, retrying.); +return -EAGAIN; +} +} + +strv_uniq(*passwords); + +STRV_FOREACH(p, *passwords) { +char *c; + +if (strlen(*p)+1 = opt_key_size) +continue; + +/* Pad password if necessary */ +if (!(c = new(char, opt_key_size))) +return log_oom(); + +strncpy(c, *p, opt_key_size); +free(*p); +*p = c; +} + +return 0; +} + static int help(void) { printf(%s attach VOLUME SOURCEDEVICE [PASSWORD] [OPTIONS]\n 
@@ -257,9 +315,6 @@ static int help(void) { int main(int argc, char *argv[]) { int r = EXIT_FAILURE; struct crypt_device *cd = NULL; -char **passwords = NULL, *truncated_cipher = NULL; -const char *cipher = NULL, *cipher_mode = NULL, *hash = NULL, *name = NULL; -char *description = NULL, *name_buffer = NULL, *mount_point = NULL; if (argc = 1) { help(); @@ -281,9 +336,12 @@ int main(int argc, char *argv[]) { uint32_t flags = 0; int k; unsigned try; -const char *key_file = NULL; usec_t until; crypt_status_info status; +const char *key_file = NULL, *cipher = NULL, *cipher_mode = NULL, + *hash = NULL, *name = NULL; +_cleanup_free_ char *description = NULL, *name_buffer = NULL, +*mount_point = NULL, *truncated_cipher = NULL; /* Arguments: systemd-cryptsetup attach VOLUME SOURCE-DEVICE [PASSWORD] [OPTIONS] */ @@ -386,73 +444,14 @@ int main(int argc, char *argv[]) { for (try = 0; try opt_tries; try++) { bool pass_volume_key = false; - -strv_free(passwords); -passwords = NULL; +_cleanup_strv_free_ char **passwords = NULL; if (!key_file) { -char *text, **p; - -if (asprintf(text, Please enter passphrase for disk %s!, name) 0) { -log_oom(); -goto finish; -} - -k = ask_password_auto(text, drive-harddisk, until, try == 0 !opt_verify, passwords); -free(text); - -if (k 0) { -log_error(Failed to query password: %s, strerror(-k)); +k = get_password(name, until, try == 0 !opt_verify, passwords); +if (k == -EAGAIN) +continue; +
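Review bot: in get_password(), the padding loop releases the original passphrase buffer with a plain `free(*p)` after copying it into the padded buffer, and the verification copy `passwords2` is released by `_cleanup_strv_free_`, so in both cases the plaintext passphrase stays in freed heap memory until something overwrites it; consider clearing those buffers before freeing, in the same `_cleanup_` style the patch already introduces for `device` and `text`. Also, a verification mismatch returns -EAGAIN, which main() maps to `continue`, so every mismatch silently consumes one of opt_tries; if that is intended, a one-line comment at the `if (k == -EAGAIN)` site would save the next reader the trip through get_password().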
[systemd-devel] [PATCH 3/3 v2] cryptsetup: Add tcrypt support
Tcrypt uses a different approach to passphrases/key files. The passphrase and all key files are incorporated into the password to open the volume. So, the idea of slots that provide a way to open the volume with different passphrases/key files that are independent from each other like with LUKS does not apply. Therefore, we use the key file from /etc/crypttab as the source for the passphrase. The actual key files that are combined with the passphrase into a password are provided as a new option in /etc/crypttab and can be given multiple times if more than one key file is used by a volume. --- configure.ac| 2 +- man/crypttab.xml| 300 +++- src/cryptsetup/cryptsetup.c | 79 +++- 3 files changed, 258 insertions(+), 123 deletions(-) diff --git a/configure.ac b/configure.ac index 1e196f7..115208a 100644 --- a/configure.ac +++ b/configure.ac @@ -553,7 +553,7 @@ AC_SUBST(AUDIT_LIBS) have_libcryptsetup=no AC_ARG_ENABLE(libcryptsetup, AS_HELP_STRING([--disable-libcryptsetup], [disable libcryptsetup tools])) if test x$enable_libcryptsetup != xno; then -PKG_CHECK_MODULES(LIBCRYPTSETUP, [ libcryptsetup = 1.4.2 ], +PKG_CHECK_MODULES(LIBCRYPTSETUP, [ libcryptsetup = 1.6.0 ], [AC_DEFINE(HAVE_LIBCRYPTSETUP, 1, [Define if libcryptsetup is available]) have_libcryptsetup=yes], have_libcryptsetup=no) if test x$have_libcryptsetup = xno -a x$enable_libcryptsetup = xyes; then AC_MSG_ERROR([*** libcryptsetup support requested but libraries not found]) diff --git a/man/crypttab.xml b/man/crypttab.xml index e52b7e6..298f39e 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml 
@@ -75,23 +75,29 @@ fields are mandatory, the remaining two are optional./para +paraSetting up encrypted block devices using this file +supports three encryption modes: LUKS, TrueCrypt and plain. +See citerefentryrefentrytitlecryptsetup/refentrytitlemanvolnum8/manvolnum/citerefentry +for more information about each mode. When no mode is specified +in the options field and the block device contains a LUKS +signature, it is opened as a LUKS device; otherwise, it is +assumed to be in raw dm-crypt (plain mode) format./para + paraThe first field contains the name of the resulting encrypted block device; the device is set up within filename/dev/mapper//filename./para paraThe second field contains a path to the -underlying block device, or a specification of a block +underlying block device or file, or a specification of a block device via literalUUID=/literal followed by the -UUID. If the block device contains a LUKS signature, -it is opened as a LUKS encrypted partition; otherwise, -it is assumed to be a raw dm-crypt partition./para +UUID./para paraThe third field specifies the encryption password. If the field is not present or the password -is set to none, the password has to be manually -entered during system boot. Otherwise, the field is -interpreted as a path to a file containing the -encryption password. For swap encryption, +is set to literalnone/literal or literal-/literal, +the password has to be manually entered during system boot. +Otherwise, the field is interpreted as a absolute path to +a file containing the encryption password. For swap encryption, filename/dev/urandom/filename or the hardware device filename/dev/hw_random/filename can be used as the password file; using 
@@ -104,181 +110,237 @@ options are recognized:/para variablelist class='crypttab-options' + +varlistentry +termvarnameallow-discards/varname/term + +listitemparaAllow discard requests to be +passed through the encrypted block device. This +improves performance on SSD storage but has +security implications./para/listitem +/varlistentry + varlistentry termvarnamecipher=/varname/term -listitemparaSpecifies the cipher -to use; see +listitemparaSpecifies the cipher to use. See citerefentryrefentrytitlecryptsetup/refentrytitlemanvolnum8/manvolnum/citerefentry -
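Review bot: the configure.ac hunk raises the libcryptsetup requirement from 1.4.2 to 1.6.0, but the commit message does not mention the bump; state why it is needed (presumably the TrueCrypt support relies on the newer API) so packagers know it is deliberate and not incidental. In the crypttab.xml hunk, "interpreted as a absolute path" should read "an absolute path", and the new allow-discards entry says the option "has security implications" without naming them; either say briefly what is exposed or point to cryptsetup(8), which the same hunk already references for the encryption modes, so an administrator can make an informed choice.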
[systemd-devel] [PATCH 2/3 v2] cryptsetup: Move attaching of the device out of main
--- src/cryptsetup/cryptsetup.c | 222 +++- 1 file changed, 114 insertions(+), 108 deletions(-) diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index 994a0e0..e84ebba 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c 
@@ -301,6 +301,102 @@ static int get_password(const char *name, usec_t until, bool accept_cached, char return 0; } +static int attach_luks_or_plain(struct crypt_device *cd, +const char *name, +const char *key_file, +char **passwords, +uint32_t flags) { +int r = 0; +bool pass_volume_key = false; + +assert(cd); +assert(name); +assert(key_file || passwords); + +if (!opt_type || streq(opt_type, CRYPT_LUKS1)) +r = crypt_load(cd, CRYPT_LUKS1, NULL); + +if ((!opt_type r 0) || streq_ptr(opt_type, CRYPT_PLAIN)) { +struct crypt_params_plain params = {}; +const char *cipher, *cipher_mode; +_cleanup_free_ char *truncated_cipher = NULL; + +if (opt_hash) { +/* plain isn't a real hash type. it just means use no hash */ +if (!streq(opt_hash, plain)) +params.hash = opt_hash; +} else +params.hash = ripemd160; + +if (opt_cipher) { +size_t l; + +l = strcspn(opt_cipher, -); +truncated_cipher = strndup(opt_cipher, l); +if (!truncated_cipher) +return log_oom(); + +cipher = truncated_cipher; +cipher_mode = opt_cipher[l] ? opt_cipher+l+1 : plain; +} else { +cipher = aes; +cipher_mode = cbc-essiv:sha256; +} + +/* for CRYPT_PLAIN limit reads + * from keyfile to key length, and + * ignore keyfile-size */ +opt_keyfile_size = opt_key_size / 8; + +/* In contrast to what the name + * crypt_setup() might suggest this + * doesn't actually format anything, + * it just configures encryption + * parameters when used for plain + * mode. 
*/ +r = crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, + NULL, NULL, opt_keyfile_size, params); + +/* hash == NULL implies the user passed plain */ +pass_volume_key = (params.hash == NULL); +} + +if (r 0) { +log_error(Loading of cryptographic parameters failed: %s, strerror(-r)); +return r; +} + +log_info(Set cipher %s, mode %s, key size %i bits for device %s., + crypt_get_cipher(cd), + crypt_get_cipher_mode(cd), + crypt_get_volume_key_size(cd)*8, + crypt_get_device_name(cd)); + +if (key_file) { +r = crypt_activate_by_keyfile_offset(cd, name, CRYPT_ANY_SLOT, + key_file, opt_keyfile_size, + opt_keyfile_offset, flags); +if (r 0) { +log_error(Failed to activate with key file '%s': %s, key_file, strerror(-r)); +return -EAGAIN; +} +} else { +char **p; + +STRV_FOREACH(p, passwords) { +if (pass_volume_key) +r = crypt_activate_by_volume_key(cd, name, *p, opt_key_size, flags); +else +r = crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, *p, strlen(*p), flags); + +if (r = 0) +break; +} +} + +return r; +} + static int help(void) { printf(%s attach VOLUME SOURCEDEVICE [PASSWORD] [OPTIONS]\n @@ -335,13 +431,11 @@ int main(int argc, char *argv[]) { if (streq(argv[1], attach)) { uint32_t flags = 0; int k; -unsigned try; +unsigned tries; usec_t until; crypt_status_info status; -const char *key_file = NULL, *cipher = NULL, *cipher_mode = NULL, - *hash = NULL, *name = NULL; -_cleanup_free_ char *description = NULL, *name_buffer = NULL, -*mount_point = NULL, *truncated_cipher = NULL; +const char *key_file = NULL, *name =
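Review bot: attach_luks_or_plain() assigns `opt_keyfile_size = opt_key_size / 8` inside the plain-mode branch, mutating a global option from a helper; since the value is only consumed by the crypt_format() and crypt_activate_by_keyfile_offset() calls in this function, a local initialised from opt_keyfile_size and overridden in the plain branch would avoid silently overwriting what the user configured. Also, when no type is given and crypt_load(cd, CRYPT_LUKS1, NULL) fails, the code falls through to CRYPT_PLAIN without logging that the LUKS header could not be read, so a corrupted LUKS header becomes indistinguishable from an intentionally plain device; a log line at that fallback would make the situation visible. Finally, the key-file path returns -EAGAIN after logging the real error, which drops the original code for the caller; fine if the retry loop depends on it, but worth a comment.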
Re: [systemd-devel] [PATCH] man: wording and grammar update
On Sat, Jul 13, 2013 at 10:51:35AM +0200, Jan Engelhardt wrote:
> ---
>  man/systemd.cgroup.xml | 30 +++---
>  man/systemd.exec.xml   |  2 +-
>  man/systemd.scope.xml  |  2 +-
>  man/systemd.socket.xml |  2 +-
>  4 files changed, 18 insertions(+), 18 deletions(-)
Applied.

Zbyszek
Re: [systemd-devel] [PATCH] journalctl: have a useful --setup-keys error message when using non-persistant logging
On Fri, Jul 12, 2013 at 08:57:15PM -0700, Shawn Landden wrote:
> Generating seed...
> Generating key pair...
> Generating sealing key...
> Failed to open /var/log/journal/33f46101703a10c5fc6fa4f451840101/fss.tmp.k2wDDU: No such file or directory
> ---
>  src/journal/journalctl.c | 17 +
>  1 file changed, 17 insertions(+)
Applied, with some simplifications (and s/persistant/persistent/!).

Zbyszek
Re: [systemd-devel] [PATCH] install: make reenable work with templated units
On Mon, Jun 17, 2013 at 07:11:50PM +0100, Ross Lagerwall wrote:
> Before, systemctl reenable getty@tty1.service would fail with:
> Failed to issue method call: File exists
>
> To fix this, reimplement reenable explicitly as a disable followed by
> an enable. This is shorter and is how the man page documents its
> behavior.
> ---
>  src/shared/install.c | 38 +-
>  1 file changed, 5 insertions(+), 33 deletions(-)
Hm, I don't get this error with reenable, but your patch indeed simplifies
things, so I don't see a reason not to apply it: applied now.

Zbyszek
Re: [systemd-devel] [PATCH] install: make reenable work with templated units
On Sat, Jul 13, 2013 at 04:12:33PM +0200, Zbigniew Jędrzejewski-Szmek wrote:
> On Mon, Jun 17, 2013 at 07:11:50PM +0100, Ross Lagerwall wrote:
> > Before, systemctl reenable getty@tty1.service would fail with:
> > Failed to issue method call: File exists
> >
> > To fix this, reimplement reenable explicitly as a disable followed by
> > an enable. This is shorter and is how the man page documents its
> > behavior.
> > ---
> >  src/shared/install.c | 38 +-
> >  1 file changed, 5 insertions(+), 33 deletions(-)
> Hm, I don't get this error with reenable, but your patch indeed simplifies
> things, so I don't see a reason not to apply it: applied now.
As far as I can recall, it would fail if
/etc/systemd/system/getty.target.wants/getty@tty1.service is set up as a
symlink to /usr/lib/systemd/system/getty@.service and then
systemctl reenable getty@tty1.service is run.

I can't exactly remember, but I think it would fail because reenable would
try to delete the untemplated unit getty@.service (which would not exist)
but then try to create the templated unit getty@tty1.service, which would
still exist, hence the "File exists" error.

Thanks for applying the patch anyway.
--
Ross Lagerwall
Re: [systemd-devel] [RFC PATCH] condition: add ConditionFileContains=
On Fri, Jul 12, 2013 at 09:19:58PM +0200, Lennart Poettering wrote:
> On Fri, 12.07.13 20:42, Karol Lewandowski (k.lewando...@samsung.com) wrote:
> > ...
> > - software raid (md) status - /proc/mdstat
> Not sure what this is really doing...
/etc/init.d/hdparm seems to be bailing out if md-raid is not fully
operational, and /etc/init.d/halt doesn't pass -h to the final halt(8)
if md is in active state.
> > Every such case could be handled by a generic built-in grep instead of
> > a dozen flags like ConditionCPUFeature=, ConditionMDStatus=, ...
> I am pretty sure we cover most of these cases with some other way too.
> I mean, I am generally willing to add this, but if there's no strict
> need for it, I'd avoid it.
Let's avoid it for now, as our use case can be solved by a udev rule (as
Kay suggested). I'll take a closer look into the Tizen boot sequence next
Monday to see if there are other cases where a feature like this might
come in useful (hopefully I won't find any).

Thanks