On Mi, 11.01.23 13:31, Lennart Poettering (lenn...@poettering.net) wrote:
> On Mi, 11.01.23 11:53, Joshua Zivkovic (joshua.zivko...@codethink.co.uk)
> wrote:
>
> > Hello,
> >
> > I've been working on adding JSON and table output to `systemd-analyze
> > plot
people
might expect (startup time of first invocation).
Also note that services that are not referenced by anything (and
didn't fail) might have been unloaded (i.e. "GC'ed"), which means
their startup timing info is released and won't show up in the
displayed data either.
Lennart
--
Lennart Poettering, Berlin
p trees?
anyway, i'd recommend asking the podman community for help about this.
Lennart
--
Lennart Poettering, Berlin
On Mo, 09.01.23 19:45, Lewis Gaul (lewis.g...@gmail.com) wrote:
> Hi all,
>
> I've come across an issue when restarting a systemd container, which I'm
> seeing on a CentOS 8.2 VM but not able to reproduce on an Ubuntu 20.04 VM
> (both cgroups v1).
selinux?
Lennart
--
Lennart Poettering, Berlin
o, you solve this locally for dev-ttyLXU0.device by adding a
JobTimeoutSec= drop-in file (for the [Unit]) section.
Or if you want to increase the time-out globally, consider setting
DefaultTimeoutStartSec= in /etc/systemd/system.conf to any value you
like.
Lennart
--
Lennart Poettering, Berlin
On Mo, 09.01.23 12:53, Lennart Poettering (lenn...@poettering.net) wrote:
> https://www.freedesktop.org/software/systemd/man/sd_bus_get_fd.html#Description
>
> Note that the returned time-value is absolute, based on
> CLOCK_MONOTONIC and specified in microseconds. Whe
meout, but we all read the
full documentation, no, before actually using this API, no? ;-))
Anyway, will prep a fix that rewords the first sentence to make this
clearer right away.
Lennart
--
Lennart Poettering, Berlin
his will create tons of cyclic deps.
This all sounds like a terrible idea, you are actively working on
making things hard for you.
Lennart
--
Lennart Poettering, Berlin
I wonder if we can just
override systemd-fsck@….service for that specific case?
How are those mounts established? i.e. by which unit is the
systemd-fsck@.service instance pulled in? and how was that configured?
fstab? ubuntu-own code?
Lennart
--
Lennart Poettering, Berlin
rder I expect?
This all smells like a mess of cyclic deps. See the system logs
(journalctl).
/etc/ must be available during early boot, before you run complex
services (such as glusterd) off it. Thus it cannot be backed by such
complex services.
If you want /etc/ to be backed by such complex servi
h make sense to me.
(I'd probably go for the more conservative 6month or so, and see what
kind of feedback we'll get)
Lennart
--
Lennart Poettering, Berlin
ndboxing settings, currently.
Lennart
--
Lennart Poettering, Berlin
drops all
> capabilities, and sending SO_PASSCRED requires CAP_SYS_ADMIN…
>
> What do we do about that?
Just add the capability to the service unit file.
Lennart
--
Lennart Poettering, Berlin
t an impersonator) should not bother with this at all,
since the kernel will attach this info anyway if needed. Only
impersonators need to attach SCM_CREDENTIALS explicitly, and userdb
should be one of these impersonators.
Lennart
--
Lennart Poettering, Berlin
to review a PR for that.
In the varlink API please report the SCM_CREDENTIALS ucred separately
from the SO_PEERCRED though (i.e. from the current ucreds we already
store). For various purposes it is interesting to know the identity of
the process initiating the connection, if it's different from the
process actually sending messages over it.
Lennart
--
Lennart Poettering, Berlin
proach would be: automatic translation of
UIDs by the kernel in regards to userns, and the kernel will
implicitly validate for us whether the on-behalf-of impersonation
shall be allowed or not.
Does that make sense?
Lennart
--
Lennart Poettering, Berlin
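The three identities the replies above keep apart, namely the ucred the kernel attaches on its own when the receiver sets SO_PASSCRED, the SCM_CREDENTIALS an impersonator attaches explicitly and the kernel validates, and the connection-level SO_PEERCRED, as an added example in C. This is not code from systemd, userdb or the varlink implementation: it builds an AF_UNIX socket pair in-process so no real service is contacted, and the function names are made up for the demonstration.

```c
/*
 * Added example, not systemd's, userdb's or varlink's code.  On an AF_UNIX
 * socket pair built in-process it shows:
 * (a) with SO_PASSCRED on the receiver, the kernel attaches the sender's own
 *     pid/uid/gid to every message although the sender adds nothing;
 * (b) an impersonator attaches SCM_CREDENTIALS itself, and the kernel accepts
 *     the values only if they are the caller's own or the caller holds
 *     CAP_SYS_ADMIN (pid) / CAP_SETUID (uid) / CAP_SETGID (gid);
 * (c) SO_PEERCRED reports who created the connection, a separate datum from
 *     the per-message ucred.  Function names are made up for the demo.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <unistd.h>

/* Send payload; when creds != NULL, attach an explicit SCM_CREDENTIALS record. */
static int send_with_creds(int fd, const char *payload, const struct ucred *creds) {
    struct iovec iov = { .iov_base = (void *)payload, .iov_len = strlen(payload) };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(struct ucred))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (creds) {
        memset(&u, 0, sizeof u);
        msg.msg_control = u.buf;
        msg.msg_controllen = sizeof u.buf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_CREDENTIALS;
        c->cmsg_len = CMSG_LEN(sizeof(struct ucred));
        memcpy(CMSG_DATA(c), creds, sizeof *creds);
    }
    return sendmsg(fd, &msg, 0) < 0 ? -1 : 0;
}

/* Receive one datagram; 1 if a ucred arrived (copied to *out), 0 if none, -1 on error. */
static int recv_creds(int fd, char *payload, size_t len, struct ucred *out) {
    struct iovec iov = { .iov_base = payload, .iov_len = len - 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(struct ucred))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    payload[n] = '\0';
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 1;
        }
    return 0;
}

/* (a)+(b)+(c) on one socket pair.  Returns 1 if all three behave as described. */
static int demo(void) {
    int sv[2], one = 1;
    if (socketpair(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0, sv) < 0) return 0;
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one) < 0) return 0;
    char buf[64];
    struct ucred got;

    /* (a) plain sender: identity filled in by the kernel, nothing attached by us */
    if (send_with_creds(sv[0], "hello", NULL) < 0 ||
        recv_creds(sv[1], buf, sizeof buf, &got) != 1) return 0;
    int implicit_ok = got.pid == getpid() && got.uid == getuid() && got.gid == getgid();

    /* (b) impersonator-style sender claiming its own identity: no capability needed */
    struct ucred mine = { .pid = getpid(), .uid = getuid(), .gid = getgid() };
    if (send_with_creds(sv[0], "on-behalf", &mine) < 0 ||
        recv_creds(sv[1], buf, sizeof buf, &got) != 1) return 0;
    int explicit_ok = got.pid == mine.pid && strcmp(buf, "on-behalf") == 0;

    /* (c) connection-level identity, independent of any message */
    struct ucred peer;
    socklen_t pl = sizeof peer;
    int peer_ok = getsockopt(sv[1], SOL_SOCKET, SO_PEERCRED, &peer, &pl) == 0 &&
                  peer.pid == getpid();

    close(sv[0]);
    close(sv[1]);
    return implicit_ok && explicit_ok && peer_ok;
}

/* Claim a foreign pid.  1 = kernel refused (EPERM, or ESRCH if that pid is absent
   in this pid namespace), 0 = accepted (caller is privileged), -1 = setup error. */
static int forged_rejected(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0, sv) < 0) return -1;
    struct ucred forged = { .pid = getpid() == 1 ? 2 : 1, .uid = getuid(), .gid = getgid() };
    int r = send_with_creds(sv[0], "forged", &forged);
    close(sv[0]);
    close(sv[1]);
    return r < 0 ? 1 : 0;
}

int main(void) {
    printf("kernel-attached and explicit creds consistent: %s\n", demo() ? "yes" : "no");
    printf("foreign pid rejected: %s\n", forged_rejected() == 1 ? "yes" : "no (privileged?)");
    return 0;
}
```

Run as an unprivileged user, forged_rejected() returns 1 because claiming pid 1 needs CAP_SYS_ADMIN; run with that capability the kernel accepts the forged record, which is exactly the permission check the last reply proposes to lean on instead of re-implementing it in userspace.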
end to make
> homed start managing the home directory for this user?
Nope, currently not. homed is a *provider* of user records, not a
consumer.
Lennart
--
Lennart Poettering, Berlin
. PAM has a lot of implicit and explicit state attached to
the PAM handle... And you can have PAM conversations and so on
(i.e. prompting arbitrary questions) which makes PAM compat really
really messy...
Lennart
--
Lennart Poettering, Berlin
passed on
> verbatim, or stripped, or cause an error preventing the User Record
> from being handled at all?
It's supposed to be extensible.
→ https://systemd.io/USER_RECORD/#extending-these-records
Lennart
--
Lennart Poettering, Berlin
the fields allowed in it seem to be
>static. Are there any ideas around here where such a token could be
>stored during the user session?
Kernel keyring for the user? It's where kerberos stuff is stored, and
is probably the best place. The API is a bit convoluted, but this has
been done before.
Lennart
--
Lennart Poettering, Berlin
On Mi, 23.11.22 17:56, Lennart Poettering (lenn...@poettering.net) wrote:
> > If this is a bug, I'd be willing to attempt a pull request submission
> > if a suggested fix is given. Overall we like the functionality
> > sd-boot provides and the integration with systemd, b
pull request submission
> if a suggested fix is given. Overall we like the functionality
> sd-boot provides and the integration with systemd, but this is likely
> a hard requirement for our use case.
Yes please file an issue on github first, and this does sound a lot
like something we should fix, hence a PR that addresses this would be
more than welcome, too.
Lennart
--
Lennart Poettering, Berlin
tirely sure this works
correctly though. There might be a bug lurking somewhere.
It's simply not a case we regularly test for. But it should be a case
that just works.
Lennart
--
Lennart Poettering, Berlin
ecs exit in the parent process when the main
service process finished startup.
Lennart
--
Lennart Poettering, Berlin
On Do, 17.11.22 21:41, Andrei Borzenkov (arvidj...@gmail.com) wrote:
> On 17.11.2022 20:48, Lennart Poettering wrote:
> > On Do, 17.11.22 18:17, Vadim Lebedev (vadiml1...@gmail.com) wrote:
> >
> > > Awesome, thanks, it is EXTREMELY useful
> > > | Find the rig
ation files, like
you already are using.
Lennart
--
Lennart Poettering, Berlin
such a modalias string.
You can denylist that string for your hw and thus disable the
autoloading.
Use "grep . /sys/bus/*/*/*/modalias" to get a list of the actual
modalias strings requested on your system. The one nouveau.ko matched
against will be among them. Find the right one and denylist it.
Lennart
--
Lennart Poettering, Berlin
spect that or even respond to you then.
Public mailing lists have public archives, they are not confidential,
hence do not send an email to it you expect to remain confidential.
Lennart
--
Lennart Poettering, Berlin
On Mo, 14.11.22 15:06, Michael Biebl (mbi...@gmail.com) wrote:
> Yeah, can we please block this Ulrich Windl guy.
> He's been more of a nuisance than a benefit to this community.
I have put him on moderation now.
Lennart
--
Lennart Poettering, Berlin
article helped me with was to overcome systemd's
> misconception that the root account was locked.
systemd doesn't manage your root user. That's between you and
"shadow-utils" really.
Lennart
--
Lennart Poettering, Berlin
t; logs, etc.
>
> When I try to start networking with 'systemctl', I see this error:
>
> systemd "failed to connect to bus; No such file or directory"
>
> What can I do to minimally bring up the networking service? I don't even
> have any network dev
On Mo, 31.10.22 11:40, Lennart Poettering (lenn...@poettering.net) wrote:
> This is almost certainly a bug in chrony. If you use Type=forking,
> then the process that systemd forks off (let's call it "P") should
> wait until all of the below holds:
>
> 1. The middl
orking,
then the process that systemd forks off (let's call it "P") should
wait until all of the below holds:
1. The middle child P' has exited
2. The grandchild (and main daemon process) P'' is running
3. The PID file has been successfully written to contain the PID of P''.
That all said, it's 2022, maybe chrony should just use Type=notify and
sd_notify() like any modern code?
Lennart
--
Lennart Poettering, Berlin
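The three conditions listed above, as an added C example that is not chrony's or systemd's code: the parent P returns (and in a real service would then exit(0)) only once P' has exited, P'' is up and the PID file re-read from disk names it. The pidfile path, the readiness pipe between P and P'' and the idle daemon body are assumptions made for the demonstration.

```c
/*
 * Added example, not chrony's or systemd's code: a Type=forking start-up that
 * honours the three conditions from the reply above.  The pidfile path, the
 * readiness pipe and the idle daemon body are assumptions for the demo.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse the PID stored in pidfile; -1 if missing or malformed. */
static pid_t read_pidfile(const char *pidfile) {
    FILE *f = fopen(pidfile, "r");
    if (!f) return -1;
    long v = -1;
    int n = fscanf(f, "%ld", &v);
    fclose(f);
    return (n == 1 && v > 0) ? (pid_t)v : -1;
}

/* Write the PID atomically (temp file, fsync, rename) so a reader never sees a partial file. */
static int write_pidfile(const char *pidfile, pid_t pid) {
    char tmp[4096], buf[32];
    snprintf(tmp, sizeof tmp, "%s.tmp", pidfile);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (write(fd, buf, len) != len || fsync(fd) < 0) { close(fd); unlink(tmp); return -1; }
    close(fd);
    return rename(tmp, pidfile);
}

/*
 * Double-fork `body` into the background.  Returns 0 with P'''s PID in
 * *daemon_pid only after (1) P' has exited, (2) P'' has reported over the
 * pipe that it is up and (3) the PID file re-read from disk names a live
 * process.  Returns -1 otherwise; a real P would turn that into exit(1) so
 * systemd marks the unit as failed rather than started.
 */
static int start_forking_daemon(const char *pidfile, void (*body)(void), pid_t *daemon_pid) {
    int ready[2];
    if (pipe2(ready, O_CLOEXEC) < 0) return -1;

    pid_t p1 = fork();
    if (p1 < 0) return -1;
    if (p1 == 0) {                          /* P': new session, then fork P'' */
        close(ready[0]);
        if (setsid() < 0) _exit(1);
        pid_t p2 = fork();
        if (p2 < 0) _exit(1);
        if (p2 > 0) _exit(0);               /* P' leaves as soon as P'' exists */

        /* P'': the long-running daemon */
        if (chdir("/") < 0) _exit(1);
        umask(022);
        if (write_pidfile(pidfile, getpid()) < 0) _exit(1);
        char ok = '1';                      /* PID file is in place: release P */
        if (write(ready[1], &ok, 1) != 1) _exit(1);
        close(ready[1]);
        body();
        _exit(0);
    }

    close(ready[1]);                        /* P: only P'' holds the write end now */
    int status;
    if (waitpid(p1, &status, 0) != p1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        close(ready[0]);
        return -1;                          /* condition 1 failed */
    }
    char c;
    ssize_t n = read(ready[0], &c, 1);      /* EOF means P'' died before writing the PID file */
    close(ready[0]);
    if (n != 1) return -1;                  /* condition 2 failed */

    pid_t pid = read_pidfile(pidfile);
    if (pid <= 0 || kill(pid, 0) < 0) return -1;   /* condition 3 failed */
    *daemon_pid = pid;
    return 0;
}

static void idle_body(void) { for (;;) pause(); }

/* Full cycle for the demonstration: start, verify, then stop P''.  Returns 1 on success. */
static int demo_run(const char *pidfile) {
    pid_t pid = -1;
    if (start_forking_daemon(pidfile, idle_body, &pid) < 0) return 0;
    int ok = read_pidfile(pidfile) == pid && kill(pid, 0) == 0;
    kill(pid, SIGTERM);
    unlink(pidfile);
    return ok;
}

int main(void) {
    int ok = demo_run("/tmp/forking-demo.pid");
    printf("forking protocol honoured: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The moment P exits is the moment systemd considers the unit started and reads the PID file, which is why all three checks have to finish before that. The Type=notify route mentioned above sidesteps the whole dance: the daemon itself sends READY=1 once it is actually serving, and no PID file is needed.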
ly tells
>
> starting multi-user.target via ExecStart=systemctl start starts all depending
> units, and probably one of those starts the multi-user.target again.
> That's what I call recursive.
If you enqueue a unit for starting while it is already enqueued for
starting this has no effect.
Lennart
--
Lennart Poettering, Berlin
nto cgroupsv1 mode as the host (by adding
systemd.unified_cgroup_hierarchy=no to the nspawn cmdline, does that
work?"
Also, please provide the relevant output from "strace -f -s 500 -y -o
/tmp/log.strace" (put on some pastebin)
Lennart
--
Lennart Poettering, Berlin
n error?
Add a .mount drop-in for your unit that sets AssertPathExists= to your
path in the [Unit] section.
i.e. create /etc/systemd/system/mnt-x.mount.d/50-myassert.conf, and
add:
[Unit]
AssertPathExists=/mnt/x
into it.
Lennart
--
Lennart Poettering, Berlin
and running Alma 8 it's eno1.
>
> Wasn't the idea of "BIOS device name" that the interface's name
> matches the label printed on the chassis?
Yes, but not all devices have the necessary firmware
metadata.
Lennart
--
Lennart Poettering, Berlin
osdevname package needs to
> be installed. This will yield the traditional ethX, wlanX, etc interface
> names that are ordered by default the way they used to be. Of course, this
> does not scale well when you have hotplug devices with many pci ports and
> ethernet cards if you e
_*
> sadly ID_NET_NAME is not always present, so I don't have a good
> solution for now.
> (I'm assuming policy kernel can be ignored on amd64 servers, maybe
> I'm wrong)
udev will rename interfaces it finds based on the data in
ID_NET_NAME. If the ID_NET_NAME prop is never set, then udev won't
rename the interface.
Lennart
--
Lennart Poettering, Berlin
bly not attributed back to a process
and hence a cgroup. You might want to ask the NFS community about
that.
Lennart
--
Lennart Poettering, Berlin
On So, 16.10.22 21:02, Michael Biebl (mbi...@gmail.com) wrote:
> Am So., 16. Okt. 2022 um 16:23 Uhr schrieb Lennart Poettering
> :
> >
> > On Fr, 14.10.22 22:57, Michael Biebl (mbi...@gmail.com) wrote:
> >
> > > Hi,
> > >
> > > since the iss
int where $HOME must be mounted at the latest, and then
systemd --user gets started off it and the user's login session is
allowed to begin.
Lennart
--
Lennart Poettering, Berlin
systemd should discover everything on its own and just work
when run in an older container manager/cgroup environment. But it's
not something we would regularly test.
Lennart
--
Lennart Poettering, Berlin
scheme level (see
systemd.net-naming-scheme man page)
Use "udevadm info /sys/class/net/" to query the udev db for
automatically generated names.
Relevant udev props to look out for are:
ID_NET_NAME_FROM_DATABASE
ID_NET_NAME_ONBOARD
ID_NET_NAME_SLOT
ID_NET_NAME_PATH
ID_NET_NAME_MAC
These use hwdb info, firmware info, slot info, device path info or the
MAC address for naming.
Lennart
--
Lennart Poettering, Berlin
listed dep
will be started if not running. It means "systemctl stop" of a
dependent service will be immediately undone though, i.e. it has quite
different semantics from the usual Wants=.
Lennart
--
Lennart Poettering, Berlin
in
> /dev/bus/usb/00x/00y gets created with MODE=0640 and root:usb
As mentioned elsewhere, that's a usbfs file, not a netif. Network
interfaces have no ownership concept.
> I'm at a loss here. How is one supposed to get more detailed info on
> what's and WHY is going on with systemd-udevd tree processing ?
If you boot up with "debug" you should get tons of debug output to
wade through.
Lennart
--
Lennart Poettering, Berlin
ion switchable, i.e. one in
the fg and all others in the bg, but any of them could be put in the
fg any time. but that simply makes no conceptual sense if an SSH
session is in the mix.
Sorry if that's disappointing.
Lennart
--
Lennart Poettering, Berlin
ready
> undertaken this exercise on their own, and wouldn't mind sharing.
Happy to help!
We should probably open a group chat somewhere for people who want to
build images like that. Since I am usually at home in Signal for
things like that, maybe we should open a chat room there for that?
(nah, not an IRC fan, not gonna return there, sorry)
Lennart
--
Lennart Poettering, Berlin
acd/system.journal:
> Journal header limits reached or header out-of-date, rotating.
No, we have no concept of turning off individual log messages.
Lennart
--
Lennart Poettering, Berlin
ce` + `After=foo-upgrade.service`. And then
add `ConditionFileExists=!/some/touch/file` to `foo-upgrade.service` to
make it a NOP if things have already been updated, using a touch
file. (some better, smarter condition check might work as well, see
man pages of things systemd can check for you).
Lennart
--
Lennart Poettering, Berlin
RFACE
Pretty much all container managers implement this more or less. Just
Docker does not...
You might be able to replace docker with podman, where supposedly all
this just works out of the box.
Lennart
--
Lennart Poettering, Berlin
you don't want to bother with rtnetlink for that you could even use
the old BSD ioctls, i.e. SIOCSIFFLAGS.
Lennart
--
Lennart Poettering, Berlin
ing,
then things should be implemented differently, i.e. you get called and
then scan yourself what is in the directory you watch. That makes
things robust towards lost events.
Lennart
--
Lennart Poettering, Berlin
rget to
your service means rule #2 won't take effect anymore.
With that in place things should just work (untested, but afaics), as
it means s-b-c-n-f.s can run after multi-user.target, and then
boot-complete.target after that, and then finally your service.
Does that make sense?
Lennart
--
Lennart Poettering, Berlin
rk. The threads are created and configured after the startup
> phase has finished.
Please consult README, look for comment on CONFIG_RT_GROUP_SCHED=n.
Lennart
--
Lennart Poettering, Berlin
gs considered, shouldn’t these directories be deleted after a service
> stops?
This is probably a bug. Can you please file an issue on systemd github
about this?
https://github.com/systemd/systemd/issues/new?assignees=&labels=bug+%F0%9F%90%9B&template=bug_report.yml
Lennart
--
Lennart Poettering, Berlin
rate. We are generally not.
Sorry, if that's disappointing.
Lennart
--
Lennart Poettering, Berlin
ffic so that it ends up on local sockets.
Lennart
--
Lennart Poettering, Berlin
o implement
that.
(consider filing an RFE issue on github, so that this is tracked)
Lennart
--
Lennart Poettering, Berlin
happen, do you?. I've also posted to the selinux list but
> haven't gotten any responses yet.
Uh, that's a question for the selinux people. I only have a limited
insight into selinux, and wouldn't know how to do such things.
Lennart
--
Lennart Poettering, Berlin
essed in libfido2 though, it will now
take a BSD lock on the device while talking to it, thus synchronizing
access properly.
See this bug:
https://github.com/systemd/systemd/issues/23889
Maybe it's sufficient to update libfido2 on your system?
Lennart
--
Lennart Poettering, Berlin
zas to the unit. I do have a /etc/crypttab file.
systemd-cryptsetup can wait on its own for a FIDO2 token, no need to
do that with unit deps?
Lennart
--
Lennart Poettering, Berlin
log (starting with boot).
>
> Is my guess correct? Logs at /run/log/journal are automerged, logs at
> /var/run/journal aren't.
As mentioned above, when the logs are flushed from /run/ to /var/ in
systemd-journal-flush.service they are merged into one new journal
file, which is loca
are assigned should
be encoded in the database and in the policy but not elsewhere,
i.e. in unit files. I think that philosophy does make sense.
Lennart
--
Lennart Poettering, Berlin
;
> I see every nfs related service dependent on nfs-convert.service
Did you issue "systemctl daemon-reload"?
Lennart
--
Lennart Poettering, Berlin
tioning back into an initrd env. Hence for them PID 1 during
shutdown first transitions from the service manager into
systemd-shutdown, and then from there into the initrd script, and
then back into systemd-shutdown. I like their approach.
Lennart
--
Lennart Poettering, Berlin
the in
> > initrd, right?
>
> Sorry: s/mist the in/must be in the"
systemd-shutdown actually pivots the rootdir into the /run/initramfs
subdir, when invoking the initrd shutdown script. Thus at that point
all fs paths refer to subdirs below /run/initramfs.
Lennart
--
Lennart Poettering, Berlin
lt/reboot/poweroff/kexec.
Nah, the killing of processes it already did between steps 2 and
3. Also, as mentioned systemd-shutdown doesn't run at this time anymore.
Lennart
--
Lennart Poettering, Berlin
rovide a more complete strace output, you should see the
copy_file_range() stuff there.
Lennart
--
Lennart Poettering, Berlin
fail on non-btrfs
with ENOTTY, and given you have xfs this is behaving as it should.
It then starts copying things manually, which is slow. i.e. it's then
basically doing what "cp -a" does.
Lennart
--
Lennart Poettering, Berlin
appreciate any help/references.
Try straceing nspawn, to see what it does.
strace -f -y -s 500 -o /tmp/nspawnstrace.log systemd-nspawn …
Then look at the generated log and see what it is busy doing... If
unsure, paste things somewhere.
Lennart
--
Lennart Poettering, Berlin
hat backing fs do you use?
If you use non-btrfs it might hence simply be that we are busy
individually copying all files...
Lennart
--
Lennart Poettering, Berlin
de=S_IFDIR|0755, st_size=0, ...}) = 0
> close(3)= 0
> openat(4, "0:0", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = -1 ENOENT (No
> such file or directory)
> close(4)
>
> So it's trying to open() /sys/dev/block/0:0, but my system does not
> hav
configurable. Kernel command line option
systemd.unified_cgroup_hierarchy=yes|no
Lennart
--
Lennart Poettering, Berlin
opagated back to
the caller. Only messages that no registered handler has indicated
"ownership" in will be returned to the caller.
I guess we should document that. Added to TODO list.
The idea is basically that you have two choices for processing
messages: install a filter/handler, or process them via
sd_bus_process() returns. Pick one.
Lennart
--
Lennart Poettering, Berlin
On Fr, 22.07.22 12:15, Lennart Poettering (mzerq...@0pointer.de) wrote:
> > I guess that would mean holding on to cgroup1 support until EOY 2023
> > or thereabout?
>
> That does sound OK to me. We can mark it deprecated before though,
> i.e. generate warnings, and remove it
On Fr, 22.07.22 12:37, Wols Lists (antli...@youngman.org.uk) wrote:
> On 22/07/2022 11:15, Lennart Poettering wrote:
> > > I guess that would mean holding on to cgroup1 support until EOY 2023
> > > or thereabout?
>
> > That does sound OK to me. We can mark it dep
y won't be able to have both CentOS7 and Fedora XYZ running in
> containers on the same system as one will only work on cgroup1 and the
> other only on cgroup2.
I am pretty sure this works fine with nspawn...
> I guess that would mean holding on to cgroup1 support until EOY 2023
>
have to support, once the age difference is beyond some
boundary. The question is at what that boundary is.
Much the same way as we have a baseline on kernel versions systemd
supports (currently 3.15, soon 4.5), we probably should start to
define a baseline of what to expect from a container manager.
Lennart
--
Lennart Poettering, Berlin
roupv1 support *will* come eventually
either way, but what's still up for discussion is to determine
precisely when. hence, please let us know!
Thanks,
Lennart
--
Lennart Poettering, Berlin
On Do, 14.07.22 12:40, Michael Cassaniti (mich...@cassaniti.id.au) wrote:
> Should I at least raise a feature request in GitHub?
Please do!
Lennart
--
Lennart Poettering, Berlin
ould love to review/merge a patch that fills in the gap.
(In my own usecase I always used usrhash= on the kernel cmdline, to
pin a specific /usr/ fs to a specific kernel, thus /usr/ auto
discovery was never needed, but we should definitely support that too)
Lennart
--
Lennart Poettering, Berlin
stuff, servers).
i.e. concept 1 should always be done. If you then also adopt concept 2
is up to you. You can, but you don't have to.
Lennart
--
Lennart Poettering, Berlin
On Mo, 04.07.22 23:15, Michael Biebl (mbi...@gmail.com) wrote:
> Am Mo., 4. Juli 2022 um 19:36 Uhr schrieb Lennart Poettering
> :
> >
> > On So, 03.07.22 19:29, Uwe Geuder (systemd-devel-ugeu...@snkmail.com)
> > wrote:
> >
> > > Hi!
> > >
>
>
> The problem was originally noted in a somewhat loaded system. However,
> above reproducer (including the 2 echo commands and a shorter sleep)
> shows the same problem even on an idling machine.
https://github.com/systemd/systemd/issues/2913
Lennart
--
Lennart Poettering, Berlin
r you cannot use systemd tools to inspect or manage resources.
You can use "systemd-cgtop" to show current resource usage of any
cgroup (regardless if managed by systemd or not), but it doesn't show
limits being enforced, but that would probably make sense to add...
Lennart
--
Lennart Poettering, Berlin
go to
cgroupfs and read what's set there, for now?
Lennart
--
Lennart Poettering, Berlin
allow exactly one operation to be
executed at once, and all other ones are queued. Thus, when we start
to execute one operation we check that there is none already being
executed, because if it was, then there's a bug somewhere.
Why do you ask? did you actually see the assertion being hi
her
software does, and then acts on it. That's racy and fragile.
It appears to me you should ask the "bird" project for this
functionality instead?
Lennart
--
Lennart Poettering, Berlin
nything similar.
You have to fix the kernel to properly virtualize block devices for
kernels. Good luck!
Lennart
--
Lennart Poettering, Berlin
t some ambient caps passed. It might be a slight compat breakage,
but I think it would be safer that way, as the service execution
environment becomes more uniform then.
Security credentials should be passed down to user services opt-in,
not opt-out after all.
Can you prep a patch for that and submit via github?
Lennart
--
Lennart Poettering, Berlin
ly.
Lennart
--
Lennart Poettering, Berlin
at, and should use tags instead.
Also, libudev is obsolete and does not receive new additions. Use the
sd-device API instead.
--
Lennart Poettering, Berlin
at
happens. Usually you probably have some ordering cycle between units,
which we'll try to fix for you, but which will of course mean the
ordering is not going to be executed in full.
See:
https://freedesktop.org/wiki/Software/systemd/Debugging/#diagnosingshutdownproblems
Lennart
--
Lennart Poettering, Berlin
t; Yes, --bind=/dev/null:/etc/fstab
>
> allows boot to complete. Of course next it refuses root login because
> pts/0 is not secure :)
pam_securetty is archaic cruft, and a broken idea. Please work with
your distribution to remove it. It might have made some vague sense on
1980's fixed line terminal environments, but is security theatre and
nothing more than a nuisance in today's world.
Modern distributions do not enable it anymore.
Lennart
--
Lennart Poettering, Berlin
b processing!) and see if that helps?
No need. Should happen automatically.
That said: I strongly recommend that distros ship empty /etc/fstab by
default, and rely on GPT partition auto discovery
(i.e. systemd-gpt-auto-generator) to mount everything, and only depart
from that if there's a
units
> inside of container (it stops in single user allowing me to use sysctl
> -t device).
>
> Is it supposed to work at all? Even if I bind mount /dev/disk it does
> not help as systemd does not care whether device is actually present or not.
Yes, this should just work. I
gt; - What’s the correct way to check which controllers are enabled?
enabled *in* *what*? in the kernel? /proc/cgroups. Mounted? "mount"
maybe? in your container mgr? depends on that.
> - What is it that determines which controllers are enabled? Is it kernel
> configuration ap
; kernel command-line, the boot process breaks. But if I don't use
> /etc/crypttab or I have tpm2-device=auto the service succeeds - but
> won't use the fido device.. And that's probably obvious for everyone
> here but I'm stumped.
hmm, fido? or tpm?
Lennart
--
Lennart Poettering, Berlin