still
undocumented, and we keep the liberty to change it if we must).
Lennart
--
Lennart Poettering, Berlin
he bpf filtering, and in particular the bloom filter that
is used for that is mostly internal to udev, and not something that is
considered official API and should be reimplemented.
Use sd-device/libudev, it implements all of this, and is the only official API
to the bpf bloom filter stuff udev does
Heya!
Some of the systemd developers have been discussing switching
systemd's crypto libraries to be exclusively OpenSSL 3.0, and drop
support for older OpenSSL versions, as well as any GNUTLS/libgcrypt
support. As you might have noticed OpenSSL 3.0 has been released
recently, and for the first ti
es, as we reinvent initrds
in secure, trusted way: the basic initrd is now built into the kernel
(and thus validated along with it), and exotic storage is then added
in via trusted, verifiable system extensions.
Lennart
--
Lennart Poettering, Berlin
someone actually doing the work.
I'd love to do it yesterday. But knowing how things work, this will be
a couple of months I guess, maybe half a year. Or could even be longer.
Lennart
--
Lennart Poettering, Berlin
Patch looks OK, but instead of replacing the line unconditionally, it
should be one or the other depending on `#if HAVE_LIBCRYPTSETUP`, so
that it then works in both cases.
Would be delighted if you could submit such a patch via github PR.
Lennart
--
Lennart Poettering, Berlin
always iterating with
readdir() as needed.
(Probably best to keep these discussions on the PR though).
Lennart
--
Lennart Poettering, Berlin
ysql, and you can
use mysql without apache, but quite often they are used together, and
if so you likely want to start mysql first, and apache second, since
it likely consumes services of mysql, and not the other way
round. Hence in this example, you'd place an ordering dep, but not a
requirement dep.
Lennart
--
Lennart Poettering, Berlin
> rt systemd-boot?
Did you see this:
https://github.com/systemd/systemd/pull/19417
(and maybe this: https://github.com/systemd/systemd/pull/20601)
maybe that addresses your issues?
Lennart
--
Lennart Poettering, Berlin
On Fr, 17.09.21 19:04, Kenneth Porter (sh...@sewingwitch.com) wrote:
> --On Friday, September 17, 2021 12:49 PM +0200 Lennart Poettering
> wrote:
>
> > more specific example: you can use apache without mysql, and you can
> > use mysql without apache, but quit
files the call creates.
We could also add some special dirs that may contain images we'll
automatically attach + enable during boot as we discover them. That'd
be a new feature though.
Lennart
--
Lennart Poettering, Berlin
rarily switch to volatile logging via "journalctl
--relinquish-var", then do something with /var/log (like replace it,
backup it, overmount it, whatever), and then eventually want to switch
back to using it, which you then can do with "journalctl --flush".
Lennart
--
Lennart Poettering, Berlin
ce
node by the UUID of what's on it. (Presumably that's supposed to be
the UUID of the LUKS2 superblock?) And it doesn't appear to match what
is *actually* the UUID of your LUKS2 superblock?
Lennart
--
Lennart Poettering, Berlin
> see anything obvious fail during boot, moreover, manual
> 'clevis-luks-unlock' works no problems.
This is the systemd mailing list, not the clevis/tang mailing
list. Please contact the clevis/tang community instead.
Lennart
--
Lennart Poettering, Berlin
being the fifo and standard output being the log file to write to.
You then use it by using StandardOutput=… in your main unit, to connect
its stdout/stderr to that fifo. Also, you add deps so that each time a
service that needs this starts the log prefix service socket for it
starts too.
Lennart
--
Lennart Poettering, Berlin
teractivity. The ultimate goal is that servers and embedded devices
can boot up entirely unattended in a safe way, and that desktop machines
only query the user once, and that the authentication the user does
unlocks the user's actual data.
Lennart
--
Lennart Poettering, Berlin
re would then also validate this
basic initrd. My focus is that this kernel/initrd signing happens
during build time, not at install time, i.e. the secret signature keys
should be held by the building party only, not by the local
installations.
Lennart
--
Lennart Poettering, Berlin
d
/etc/ or /var/. i.e. define a key file /etc/integrity.key (with a
fallback to /var/lib/integrity.key) or similar, that is used as
implicit HMAC key for all dm-integrity needs. Then, because (at least
in my idealized view) /etc or /var are authenticated territory (bound
to TPM) we get the property we want, indirectly.
Lennart
--
Lennart Poettering, Berlin
I intend to also add logic to shrink to minimal size
then (and conversely grow on login again).
This will only really work in case btrfs is used inside the homedir
images, as only then we can both shrink and grow the fs whenever we
want to.
Lennart
--
Lennart Poettering, Berlin
On Mi, 29.09.21 20:21, Arjun D R (drarju...@gmail.com) wrote:
> Hi Lennart,
>
> Please help me understand how the journald is figuring out the PID of the
> log line.
Google SCM_CREDENTIALS.
Lennart
--
Lennart Poettering, Berlin
makes sense for the
cases where your OS payload comes in flatpaks, containers, sysexts,
portable services, …, i.e. is not written to /usr.
Lennart
--
Lennart Poettering, Berlin
ryptsetup a scheme where we search
for the encryption key for volume xyz in
/etc/cryptsetup-keys.d/xyz.key, and we should probably do it similar
for verity keys, too.
> 5. use homed for LUKS-encrypted home areas on /home?
>
> Does this sound reasonable?
Yes!
Lennart
--
Lennart Poettering, Berlin
il eventually journald starts up again, and resumes processing
log messages. It will then process the messages already queued in the
sockets from when it was hanging, and thus the order might be
surprising.
--
Lennart Poettering, Berlin
"Journal started" message is inserted into the log stream by
journald itself before processing the already queued messages.
Lennart
--
Lennart Poettering, Berlin
obably mounted
by something you are using.
Lennart
--
Lennart Poettering, Berlin
On Fr, 08.10.21 21:15, Sebastian Wiesner (sebast...@swsnr.de) wrote:
> On Monday, 04.10.2021 at 14:49 +0200, Lennart Poettering wrote:
> > On Do, 30.09.21 21:20, Sebastian Wiesner (sebast...@swsnr.de) wrote:
> >
> > > Hello,
> > >
> > > thanks for q
ew (this fact is after all the whole point of the
exercise).
For cases like this it might make sense to ensure that flushing of the
journal to disk (i.e. systemd-journald-flush.service) is scheduled
after correct time has been acquired (i.e. time-sync.target).
Lennart
--
Lennart Poettering, Berlin
> ion to remove the bold face only, but not the colors?
> systemd.log_color=0 removes all formatting, but I'd like to keep the
> colors...
No, this is not configurable. We are not a themeable desktop, sorry.
Lennart
--
Lennart Poettering, Berlin
side of data
centers I am not sure tang/clevis really has much use, and that's
quite a limited userbase, so I'd say: no this should be done outside
of systemd. Maybe a plugin for libcryptsetup's "token" feature.
Lennart
--
Lennart Poettering, Berlin
ORS=0 → no ANSI color sequences (alternatively: "NO_COLOR=1" as
per https://no-color.org/)
SYSTEMD_EMOJI=0 → no unicode emojis
LC_CTYPE=ANSI_X3.4-1968 → no non-ASCII chars (which also means no emojis)
SYSTEMD_URLIFY=0 → no clickable links
Lennart
--
Lennart Poettering, Berlin
> dit if we had a way to compare a service file’s sandboxing
> directives against a profile and find the delta. Then score the
> service file against delta.
Interesting idea.
Current git has all kinds of JSON hookup for systemd-analyze security
btw, so tools could do that externally too. But you
> w will
> fork many tasks to process different kernel modules parallelly.
It doesn't do that actually. But udev when it loads kernel modules
does things from a bunch of worker processes all in parallel.
Lennart
--
Lennart Poettering, Berlin
> ting other profiles. If we get to it
> before other people, we would really like to contribute and send a patch on
> this.
A patch adding .d/ style drop-ins for profiles would make a ton of
sense. Happy to take that.
Lennart
--
Lennart Poettering, Berlin
> sks in systemd-udev
> service?
udev.children_max=1 on the kernel command line.
Lennart
--
Lennart Poettering, Berlin
thout loss of
accuracy (i.e. INT64_MIN … UINT64_MAX). Please read, write and
process user records following this specification only with JSON
implementations that guarantee this range."
Lennart
--
Lennart Poettering, Berlin
> tations are allowed to set any limits on the
> range and precision of numbers accepted.
>
> So yeah Lennart seems to be technically correct. Even when reading the RFC
> by the letter.
BTW:
https://github.com/systemd/systemd/pull/21168
Lennart
--
Lennart Poettering, Berlin
could put their ostree
checkouts wherever they want and then create a symlink
/@auto/root-x86-64:myostreeos pointing to it, and their image would be
spec conformant: we'd boot into that automatically, and so would
nspawn and similar things. Thus they could switch their default OS to
boot into without patching kernel cmdlines or such, simply by updating
that symlink, and vanilla systemd would know how to rearrange things.
Lennart
--
Lennart Poettering, Berlin
On Mo, 08.11.21 14:24, Ludwig Nussel (ludwig.nus...@suse.de) wrote:
> Lennart Poettering wrote:
> > [...]
> > 3. Inside the "@auto" dir of the "super-root" fs, have dirs named
> >[:]. The type should have a similar vocabulary
> >as th
sonably independent of btrfs where it's
easy, plain dirs otherwise are fine too after all. Which reminds me,
recent util-linux implements the X-mount.subdir= mount option, which
means one could also use 'rootflags=X-mount.subdir=@auto/fedora_36.2'
as non-btrfs-specific way to express the btrfs-specific
'rootflags=subvol=@auto/fedora_36.2')
Lennart
--
Lennart Poettering, Berlin
a new option RootDirectoryVersioned= or so that takes a boolean.
Lennart
--
Lennart Poettering, Berlin
one happened to have named their dirs like that already
we'd suddenly do weird stuff with it the user might not expect. But I
think I could live with that.
A patch for that should be pretty easy to do, and be very generically
useful. I kinda like it. What do you think?
Lennart
--
Lennart Poettering, Berlin
On Do, 11.11.21 18:27, Lennart Poettering (mzerq...@0pointer.de) wrote:
> A patch for that should be pretty easy to do, and be very generically
> useful. I kinda like it. What do you think?
For now I added TODO list items for these ideas:
https://github.com/systemd/systemd/
> copy [0].
>
> How do systemd developers build the unified kernel on aarch64? Is there
> an alternative toolchain used?
>
> [0]: https://sourceware.org/bugzilla/show_bug.cgi?id=26206
I personally never played around with this for anything
non-x86-64. But I wonder, maybe llvm-o
> a from the first dictionary, can anyone
> help me to solve this issue? what am I missing?
You always need to leave each container again once you read its
contents. I.e. each sd_bus_message_enter_container(…) must be paired
with sd_bus_message_leave_container(…).
Lennart
--
Lennart Poettering, Berlin
> ople here are experts of same caliber, I
> decided to ask.
You can certainly hack something up like this, but to my knowledge
none of the boot loaders currently implement something like this.
Lennart
--
Lennart Poettering, Berlin
way we
tricked even Devuan to adopt /etc/os-release and the /run/ hierarchy,
since they probably aren't even aware that these are systemd things.
Other chars could be used too: /+auto/ sounds OK to me too. or
/_auto/, or /=auto/ or so.
Lennart
--
Lennart Poettering, Berlin
> s more like:
>
> /x-systemd.auto/swap -> /run/systemd/swap
I'd be conservative with mounting disk stuff to /run/. We do this for
removable disks because the mount points are kinda dynamic, hence it
makes sense, but for this case it sounds unnecessary, /var/swap sounds
fine to me, in p
nd the right thing would happen.
(i figure wifi tethering applications could make use of this too?)
Lennart
--
Lennart Poettering, Berlin
e them appear
under their original ownership.
We might want to extend this later on: when bind mounting
non-directory inodes (such as sockets) we could even allow fixing
ownership to any uid of your choice, to give you full freedom there.
Lennart
--
Lennart Poettering, Berlin
ntu adopt Debian's stance of accepting OpenSSL as system
component? i.e. is OpenSSL 3 compatible with both (L)GPL 2.x code
*and* GPL3 code in Ubuntu's eyes? Or only the latter?
Lennart
--
Lennart Poettering, Berlin
of tweaks since 245, and it's
pretty likely this has since been fixed. Specifically, the
NAMING_SLOT_FUNCTION_ID feature flag introduced with v249 will likely
fix your case.
Lennart
--
Lennart Poettering, Berlin
"checked"?
Lennart
--
Lennart Poettering, Berlin
On Fr, 10.12.21 12:25, Chris Murphy (li...@colorremedies.com) wrote:
> On Thu, Nov 11, 2021 at 12:28 PM Lennart Poettering
> wrote:
>
> > That said: naked squashfs sucks. Always wrap your squashfs in a GPT
> > wrapper to make things self-descriptive.
>
> Do you mean th
lly the build time of the package, or
the time the release of systemd was done.
Lennart
--
Lennart Poettering, Berlin
> t);
> sd_bus_unref(bus);
> }
Maybe the callback handlers you added in the vtable keep some objects
pinned?
Also note that unreffing the bus in the end is typically not enough,
if it still has messages queued. Use sd_bus_flush() + sd_bus_close()
first (or combine them in one sd_bus_flu
use "udevadm trigger" to fire uevents for existing devices.
Or create new, synthetic virtual devices during runtime, for example
via "losetup".
Lennart
--
Lennart Poettering, Berlin
> I can specify "User=" in the service file but I could not figure out
> to translate the --machine=drew@.host parameter to it.
This is not supported. Containers run in their own little world, and
generally get their own devices (i.e. just virtual devices such as
/dev/null and similar), hence we do not have infra to propagate events
to containers.
Lennart
--
Lennart Poettering, Berlin
Usually that's what you do, yes: you take an inhibitor lock while you
are running, and wait until you are informed about system suspend,
then you do your thing, and release the lock once you are done at
which point the suspend continues.
Lennart
--
Lennart Poettering, Berlin
> its about 50% of the time, and IDEA exits
> pretty consistently. Most other apps remain running. Not sure why that
> would be -- if systemd is cleaning up, shouldn't all apps exit?
"systemd-cgls" should give you a hint which cgroups exist and which
processes remain children of plasma inside its cgroup, and which ones
got their own cgroup.
Lennart
--
Lennart Poettering, Berlin
udev is about more than just plug + unplug.
If you stop udev apps waiting for their devices to show up won't be
able to ever get the ready notifications for that and thus will stop
working.
Lennart
--
Lennart Poettering, Berlin
accepted for
compat, but not documented.
Lennart
--
Lennart Poettering, Berlin
ated instances of mariadb, and if you
don't things break. Please work with the mariadb people at Debian to
figure this out, there's nothing much we can do from systemd upstream
about that.
Lennart
--
Lennart Poettering, Berlin
those things? I guess there are. But I am also sure that they are
either obsolete if you look at the bigger picture or there are better ways to do
them, which we do support.
Or to say this differently: it has been years since anyone filed an RFE
bug on systemd github asking for a feature from xinetd that we lack.
Lennart
--
Lennart Poettering, Berlin
means if your command turns off the power source you should stick it
in the initrd's shutdown logic, and not into
/usr/lib/systemd/system-shutdown/. If you are using RHEL this means
into dracut. But adding it there is something to better discuss with
the dracut community than here.
Lennart
--
Lennart Poettering, Berlin
program that explicitly tells
systemd to shut this stuff down, i.e. some script or so. Turn on debug
logging (systemd-analyze log-level debug) before shutting down, the
logs should tell you a thing or two about why the service is stopped.
Lennart
--
Lennart Poettering, Berlin
re they come from.
Lennart
--
Lennart Poettering, Berlin
dependency of your backup service, implicitly, as
LogNamespace= side effect. There should be no need to run it all the
time.
The socket units come with StopWhenUnneeded=yes set, so they
automatically go away if no service needs them.
Why would you want to run those services continuously?
Lenn
> o so inside a systemd UNIT. Will someone please provide an
> example how to do so?
At least Fedora puts a comment about this in /etc/fstab, explaining
the situation. That sounds a lot more appropriate to me rather than
making this appear in the logs...
You can use a PathModified= .path unit for this if you like.
Lennart
--
Lennart Poettering, Berlin
e a bug upstream and we can look into fixing this. But fixing would
mostly entail to just downgrade logging in this case, i.e. just
cosmetically suppressing the noisy logging about this case.
Lennart
--
Lennart Poettering, Berlin
relevant processes long enough so that others can
catch up that previously couldn't.
Lennart
--
Lennart Poettering, Berlin
by whoever wants to run
*before* any remote mounts (i.e. do Wants= + Before= on it). The remote mounts
should only order
themselves *after* it, but not pull it in.
> So my question would revolve around the above points
>
> Can you help me figuring out the correct way to see those concepts ?
I think you mostly got things right but the services you listed are
simply buggy.
Lennart
--
Lennart Poettering, Berlin
On Di, 15.02.22 08:46, Kenneth Porter (sh...@sewingwitch.com) wrote:
> --On Tuesday, February 15, 2022 11:52 AM +0100 Lennart Poettering
> wrote:
>
> > Yes, rsyslog.service should definitely not pull in network.target. (I
> > am not sure why a syslog implementat
> nnot take for granted
> that some passive target will be pulled in, correct ? So before ordering
> around it one can make sure some unit pulls the checkpoint ?
Yeah, that's the idea: passive units are mostly synchronization
points, that allow loose coupling for ordering things: for generically
ordering stuff before and after it without actually listing the
services explicitly on either side.
Lennart
--
Lennart Poettering, Berlin
must be filled with meaning by the admin.
Lennart
--
Lennart Poettering, Berlin
ake it something that can be
enabled by default. And if that's not possible then it apparently
comes at some price, but a simple config boolean somewhere can't
decide whether that price is worth it...
So, quite frankly, I am not convinced this is desirable.
That said, you can extend machine-info with anything you like, it's
supposed to be extensible. But please make sure you prefix the
variables with some prefix that makes collisions unlikely.
Lennart
--
Lennart Poettering, Berlin
this does not exist yet, but parts of it sound like
worthwhile feature additions to systemd.
Lennart
--
Lennart Poettering, Berlin
is via "resolvectl monitor" or so.
Lennart
--
Lennart Poettering, Berlin
> I kill
> the Main PID of the service (causing non-clean exit for testing).
Can you provide a minimal .service file that shows the issue? Smells
like a bug. SuccessAction= should not be triggered if a service process
exits with SIGKILL...
Lennart
--
Lennart Poettering, Berlin
> how a DNS
> resolution would usefully cause a state change in the firewall without
> some further external guidance?
Yeah, I am not sure I grok the relationship to firewalls here,
either. Updating firewalls asynchronously based on DNS lookups sounds
wrong to me...
Lennart
--
Lennart Poettering, Berlin
> t /sys/fs/cgroup/user_stuff/, will
> systemd touch my directories?
That's not supported. You may only create your own cgroups where you
turned on delegation, otherwise all bets are off. If you put stuff in
/sys/fs/cgroup/user-stuff it's as if you placed stuff in systemd's
"-.slice" without telling it so, and things will break sooner or
later, and often in non-obvious ways.
Lennart
--
Lennart Poettering, Berlin
e to fix their stuff themselves, we cannot work around
it.
Lennart
--
Lennart Poettering, Berlin
t in Docker. Or in other words: talk to the
docker people about all this.
That said, we could certainly show both the comm field and the PID of
the offending processes. I am prepping a patch for that.
Lennart
--
Lennart Poettering, Berlin
> give me
> some light on why/when/where things will break in practice, or just an
> example?
This depends highly on what precisely you do. At best systemd will
complain or just override the changes you did outside of the tree you
got delegated. You might break systemd as a whole though (for example,
add a process directly to a slice's cgroup and systemd will be very
sad).
Lennart
--
Lennart Poettering, Berlin
> roupLeaf=. If set to yes an extra directory will be
> created into the unit cgroup to place the newly spawned service process.
> This is useful for services which need to be restarted while its forked
> pids remain in the cgroup and the service cgroup is not a leaf
> anymore.
No. Let's not add that.
Lennart
--
Lennart Poettering, Berlin
sad).".
If you add a process to a cgroup systemd manages that is supposed to
be an inner one in the tree, you will make creation of children fail
that way, and thus starting services and other operations will likely
start failing all over the place.
Lennart
--
Lennart Poettering, Berlin
On Mi, 02.03.22 17:50, Lennart Poettering (lenn...@poettering.net) wrote:
> That said, we could certainly show both the comm field and the PID of
> the offending processes. I am prepping a patch for that.
See: https://github.com/systemd/systemd/pull/22655
Lennart
--
Lennart Poettering, Berlin
r layers, not the other way around. Yes, systemd
has bugs, but here we are not at fault, we document our interfaces,
but Docker knowingly goes its own way, and there's little I can do
about it.
Lennart
--
Lennart Poettering, Berlin
EINVAL.
In this case I am not very sympathetic to your case: squatting syscall
numbers is just a terrible idea...
Lennart
--
Lennart Poettering, Berlin
ou want that mysql runs before apache, so that the web apps you run
on apache can access mysql. Still it should be totally OK to install
one without the other, and it's not a bug thus if one refers to the
other in its unit files, even if the other thing is not installed.
Lennart
--
Lennart Poettering, Berlin
ervice really, if you intend to be compatible with early boot
networking. That said, I think NetworkManager is not early-boot either
right now, is it? So you have to move that too. But in that case too,
not sure if it can deal with D-Bus not being around.
Lennart
--
Lennart Poettering, Berlin
> > ia DefaultDependencies=yes gets an
> > After=sysinit.target ordering.
> >
> > So we have conflicting requirements and a dependency loop that needs
> > to be broken by systemd.
> >
>
> Firewalld is red herring here. cloud-init.service has
>
> After=networking.service
What is this unit? Is this a Debian thing?
Lennart
--
Lennart Poettering, Berlin
just exit at
shutdown and don't need to do D-Bus anymore just to exit. But of
course reality isn't always ideal.
Lennart
--
Lennart Poettering, Berlin
> sage?
Besides turning it off? Nothing I was aware of.
Lennart
--
Lennart Poettering, Berlin
> we are applying it globally for all services.
>
> Now due to this huge memory consumption we are trying to put
> everything into the same namespace using
> JoinsNamespaceOf=. It seems to consume less memory.
This means they will still be isolated from the network, but no longer
from ea
> hing would be solved.
I don't follow. You can enable delegation on the scope. I mean, that's
the reason I suggested to use a scope.
> Do you have any other suggestions?
Not really, except maybe: please read up on the documentation, it
explains a lot of the concepts.
Lennart
--
Lennart Poettering, Berlin
shown as active, so where is the problem?
Lennart
--
Lennart Poettering, Berlin
ovide at least one PID
to add to the scope when it is created.
For services we have a RemainAfterExit= property btw. There were
requests for adding the same for scopes. I'd be fine with adding that,
happy to take a patch.
Lennart
--
Lennart Poettering, Berlin
> adding RemainAfterExit= to scope units
> Such a recycled scope would only be useful via
> org.freedesktop.systemd1.Manager.AttachProcessesToUnit().
Well, if delegation is on, then people don't really have to use our
API, they can just do that themselves.
Lennart
--
Lennart Poettering, Berlin
cesses
on the system are placed in a unit of some form so that we can apply
useful resource mgmt to it.
So yes you can have a delegated subtree, if you like and we'll not
interfere with what you do there mostly, but it must be a leaf of our
tree, and we'll "macro manage" it for you, i.e. define a lifetime for
it, and track processes back to it.
Lennart
--
Lennart Poettering, Berlin
a clone(CLONE_INTO_CGROUP) –
though unfortunately the latter cannot work with glibc right now :-(.
i.e. keeping processes that already "have history" around for a long
time after migration kinda sucks.
Lennart
--
Lennart Poettering, Berlin