date:20150127

On Thu, 22.01.15 13:54, Dimitri John Ledkov (dimitri.j.led...@intel.com) wrote:

 Is there a way to remove / override wants that are specified via
 .wants directory, .d snippet with Wants=, or wants specified in the
 unit itself?

Dependencies are always additive and coalescing currently. We don't
track which configuration file or automatic logic created which
dependency, and hence it is not really possible right now do reset the
list of dependencies: we wouldn't know what to reset and what
not. Note that in many cases dependencies can be created from both
sides, and if A wants some dependency on B, and B also wants it from
A, then we coalesce it one. If now some configuration in A wants to
reset its setting, what do we do with the request from B?

When we designed this initially this way I wasn't sure this would
suffice, but I kinda like the simplicity of this, and interestingly
you are the first one who wants to reset dependencies again. Which
makes me wonder if we canot find a better solution for this?

 I thought that creating a symlink to /dev/null from a higher up
 directory would disable wants dependency but it didn't:
 
 e.g.:
 I was expecting for
 /run/systemd/system/getty.target.wants/getty@tty1.service -
 /dev/null

Wat precisely is the reason for trying to do this? What are you trying
to do here, and why?

 So, is there a way to unwant something, as an override?

Nope, currently there isn't.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

On 27 January 2015 at 12:42, Lennart Poettering lenn...@poettering.net wrote:
 On Thu, 22.01.15 15:16, Dimitri John Ledkov (dimitri.j.led...@intel.com) 
 wrote:

 On 22 January 2015 at 14:46, Michael Biebl mbi...@gmail.com wrote:
  2015-01-22 15:08 GMT+01:00 Dimitri John Ledkov 
  dimitri.j.led...@intel.com:
  At the moment, I'm looking at packaging symlinks in .wants directories
  under /usr and then allow to uninstall such a package as a means to
  override the default config. Since I would like to update how the
  default config is setup, without doing in /etc where I'd have to
  answer is this my old config, or user modified it and I shouldn't
  touch it
 
  That's indeed a tough problem. The upstream recommendation is, to run
  systemctl preset during the initial installation.
  If there are changes to the default in the unit files, those changes
  are *not* applied on package upgrades.

 Presets are good, however they do not have a format to specify extra
 .wants and .requires. And in my case unwants and unrequires.

 Extra .wants and .requires? What would those entail? I mean, the unit
 files can store extra deps in their [Install] section...

 So at the moment I'm playing around with - unconditionally running
 preset on my preset file, and directing users to write (override) own
 preset file in /etc/systemd/system-preset if they want to modify the
 default proposed integration.

  I don't think that's a particularly compelling solution.
 
  In Debian, we introduced a helper called i-s-h [1], which keeps some
  additional state and tries to apply such changes on updates.
 

 Well, if systemctl enable/disable/add-requires/add-wants would write
 things into /etc/systemd/system-preset instead of modifying things in
 /etc, then it would be alright. As essentially the full set of presets
 would be the state of system-defaults + user overrides.

 Also it seems like preset is a bit of templating hack at the moment,
 as they are not loaded by systemd but rarther are simply used to
 generate files/symlinks on disk under /etc.

 I don't follow. Presets are the recommended vendor configuration, and
 as such static and immutable. It is supposed to be applied once,
 during first installation of a pacakge. From that point on things are
 user configuration and presets will not be applied.


The end result of preset commands is the same as running a series of
enable/disable commands interactively.

Which means it is never possible to tell apart differences between:
admin changes, current vendor configuration, original vendor
configuration at install-time. Nor upgrade to new vendor defaults.

Thus preset files simply scrip a list of enable/disable commands to run.

It is not supposed to be applied only once, but rather it has no way
to distinguish user modifications vs old vendor config and thus
cannot be re-run again without loosing admin changes/choices.

E.g.
for my use-case it would be awesome if preset commands would generate
symlinks in e.g. /var/lib/systemd/preset-system/
That way preset files is the current vendor configuration,
/var/lib/systemd/preset-system has symlinks as to how the system was
configured at install time.
Later when system is upgraded and e.g. vendor presets change, I would
like to enable user to upgrade the install time config to the current
one (by running preset command again, which would update symlinks in
/var/lib/systemd/preset-system based on the new preset configuration)
Or something like that.

I'm working on a system which has a policy of units enabled by
default, with packaging discouraged from shipping files in /etc.

/etc is end-user modifiable however and is supported to store
overrides over what is shipped in /usr.


 Patching preset files during runtime is really against what they were
 designed for.

 Quite frankly, I have trouble following at all what is being attempted
 here...


I think i'll need to start again, or show/expain what I mean on Friday.

-- 
Regards,

Dimitri.

Intel Corporation (UK) Ltd. - Co. Reg. #1134945 - Pipers Way, Swindon SN3 1RJ.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] persisting sriov_numvfs

2015-01-27 Thread Martin Polednik

- Original Message -
 From: Lennart Poettering lenn...@poettering.net
 To: Martin Polednik mpoled...@redhat.com
 Cc: Andrei Borzenkov arvidj...@gmail.com, 
 systemd-devel@lists.freedesktop.org, ibar...@redhat.com
 Sent: Tuesday, January 27, 2015 2:21:21 PM
 Subject: Re: [systemd-devel] persisting sriov_numvfs

 On Tue, 27.01.15 07:35, Martin Polednik (mpoled...@redhat.com) wrote:

 Hmm, I see. In many ways this feels like VLAN setup from a
 configuration PoV, right? i.e. you have one hw device the driver
 creates, and then you configure a couple of additional interfaces on
 top of it.

 This of course then raises the question: shouldn't this functionality
 be exposed by the kernel the same way as VLANs? i.e. with a
 rtnetlink-based API to create additional interfaces, instead of /sys?

 In systemd I figure the right way to expose this to the user would be
 via
 .netdev files, the same way as we expose VLAN devices. Not however
 that that would be networkd territory,

No, this is not limited to NICs. It is generic feature that can be in
principle used with any hardware and there are e.g. FC or FCoE HBAs
with SR-IOV support. It is true that today it is mostly comes with NICs
though.

Any general framework for setting it up should not be tied to specific
card type.

   Well, I doubt that there will be graphics cards that support this
   right? I mean, it's really only network connectivity that can support
   a concept like this easily, since you can easily merge packet streams
   from multiple VMs on one connection. However, I am not sure how you
   want to physically merge VGA streams onto a single VGA connector...

   If this is about ethernet, FC, FCOE, then I still think that the
   network management solution should consider this as something you can
   configure on physical links like VLANs. Hence networkd or
   NetworkManager and so on should cover it.

   Lennart

  Afaik some storage cards support this, for GPU's it's possibly for the
  GPUPU applications and such - where you don't care about the physical
  output, but the processing core of gpu itself (but I'm not aware of such
  implementation yet, nvidia seems to be doing something but the details
  are nowhere to be found).

 Hmm, so there are three options I think.

 a) Expose this in networkd .netdev files, as I suggested
originally. This would be appropriate if we can add and remove VFs
freely any time, without the other VFs being affected. Can you
clarify whether going from let's say 4 to 5 VFs requires removing
all VFs and recreating them? THis would be the nicest exposure I
think, but be specific to networkd.

Removing and recreating the VFs is unfortunately required when changing the
number of them (both ways - increasing and decreasing their count).

https://www.kernel.org/doc/Documentation/PCI/pci-iov-howto.txt

 b) Expose this via udev .link files. This would be appropriate if
adding/removing VFs is a one-time thing, when a device pops
up. This would be networking specific, not cover anything else like
GPU or storage or so. Would still be quite nice. Would probably the
best option, after a), if VFs cannot be added/removed dynamically
all the time without affecting the other VFs.

 c) Expose this via udev rules files. This would be generic, would work
for networking as well as GPUs or storage. This would entail
writing our rules files when you want to configure the number of
VFs. Care needs to be taken to use the right way to identify
devices as they come and go, so that you can apply configuration to
them in a stable way. This is somewhat uglier, as we don't really
think that udev rules should be used that much for configuration,
especially not for configuration written out by programs, rather
than manually. However, logind already does this, to assign seat
identifiers to udev devices to enable multi-seat support.

 A combination of b) for networking and c) for the rest might be an
 option too.

I myself would vote for b) + c) since we want to cover most of the
possible use cases for SR-IOV and MR-IOV, which hopefully shares
the interface; adding Dan back to CC as he is the one to speak for network. 

 Lennart

 --
 Lennart Poettering, Red Hat

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] logind vs CAP_SYS_ADMIN-lessness

On Tue, 27.01.15 10:53, Christian Seiler (christ...@iwakd.de) wrote:

 LXC predates systemd by about 2 years. (And at the very beginning,
 systemd didn't support containers out of the box, so it predates
 systemd's container support by even more.) And at that time, doing that
 was a way to sysvinit containers with no or minimal modification to
 /etc/inittab. So instead of saying that LXC breaks systemd's
 assumptions, you could also say systemd breaks LXC's assumptions. As I
 said: bubbles. ;-)

Well, LXC breaks everbody's assumptions, not just
systemd's. /dev/tty[1-6] refers to the VT, and TERM=linux is the right
$TERM for it. However, if you actually have a pty and an xterm behind
it then these settings will be incorrect for a ton of programs.

 Now I'm not going to argue with you that the method of doing
 $container_ttys= isn't vastly superior to what was there previously,
 because it is. So I don't disagree with the long-term solution at
 all.

Note that $container_ttys= is actually just a frontend for dynamically
instantiating console-getty@.service instances for the specified
ptys. You can just enable them statically too.

(And 'machinectl login' actually even instantiateds them during
runtime to allow dynamic logins to an local container that registers
with it...)

 But LXC 1.0 just doesn't support this yet, so the question is what to do
 in the mean time. If I do what I described:
 
  - logind can't open /dev/tty0, so all VT management in there is
disabled anyway
  - within systemd: vt_disallocate can't open /dev/tty0, so it just
returns an error, but that error code is never checked in
core/execute.c, so it just behaves as if the directive never had
been there
  - getty@.service statically enabled just runs agetty, so really only
$TERM is wrong

Well, it's also conditionalized to /dev/tty0. Instead of patching the
unit file you could as well just instantiate container-getty@.service
in /etc, get the right $TERM and be done with it.

 Speaking of, isn't there a bug in container-getty@.service?[*] It uses
 ConditionPathExists=/dev/pts/%I, starts agetty on pts/%I but sets
 TTYPath=/dev/%I instead of /dev/pts/%I... And having the utmp specifier
 be just a number (%I) instead of pts/%I is also probably weird.

True, and true!

Thanks for the pointer. Fixed in git!

 Fair enough[#], but did you receive my patches for the part about
 skipping on missing perms?

Yes, I have a huge backlog of unprocessed mail, and am currently
wading through it backwards in time. Sorry for the delay!

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

On 27 January 2015 at 12:38, Lennart Poettering lenn...@poettering.net wrote:
 On Thu, 22.01.15 14:08, Dimitri John Ledkov (dimitri.j.led...@intel.com) 
 wrote:

  In any case, /etc overrides /run, so your example can never work.
 

 Oh, ok. But any combination of the two. E.g. for /etc to unwant from
 /run then, or for /etc to unwant from /usr.

 At the moment, I'm looking at packaging symlinks in .wants directories
 under /usr and then allow to uninstall such a package as a means to
 override the default config. Since I would like to update how the
 default config is setup, without doing in /etc where I'd have to
 answer is this my old config, or user modified it and I shouldn't
 touch it

 I am not grokking this. If you remove the package with the symlinks in
 /usr, then den deps are gone, so why do you need something in /etc or
 /run still?

For the case when one cannot remove the package at runtime (i.e. /usr
is read only)
or there is no mechanism to remove packages at all (no package manager).

-- 
Regards,

Dimitri.

Intel Corporation (UK) Ltd. - Co. Reg. #1134945 - Pipers Way, Swindon SN3 1RJ.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] persisting sriov_numvfs

2015-01-27 Thread Jóhann B. Guðmundsson



On 01/27/2015 12:40 PM, Tom Gundersen wrote:

Hi Dan,

On Mon, Jan 19, 2015 at 3:18 PM, Dan Kenigsberg dan...@redhat.com wrote:

I'm an http://oVirt.org developer, and we plan to (finally) support
SR-IOV cards natively. Working on this feature, we've noticed that
something is missing in the platform OS.

If I maintain a host with sr-iov cards, I'd like to use the new kernel
method of defining how many virtual functions (VFs) are to be exposed by
each physical function:

 # echo 3  /sys/class/net/enp2s0f0/device/sriov_numvfs

This spawns 3 new devices, for which udev allocated (on my host) the names
enp2s16, enp2s16f2 and enp2s16f4.

I can attach these VFs to virtual machines, but I can also use them as
yet another host NIC. Let's assume that I did the latter, and persisted
its IP address using initscripts in
/etc/sysconfig/network-scripts/ifcfg-enp2s16f4.

However, on the next boot, sriov_numvfs is reset to 0, there's no
device named enp2s16f4, and certainly no IP address asigned to it.

The admin can solve his own private issue by writing a service to start
after udev allocats device names but before network services kick in,
and re-apply his echo there. But it feels like something that should
be solved in a more generic fashion. It is also not limitted to network
device. As similar issue would affect anything that attempts to refer to
a VF by its name, and survive reboot.

How should this be implemented in the realm of systemd?

Sorry for the delay in getting back to you.

My understanding is that the number of vfs must be basically set once
and not changed after that? It seems that it is possible to change it,
but only at the cost of removing all of them first, which I guess is
not really an option in case they are in use.


Enabling this stuff via module parameter manually or via .conf file has 
been deprecate and users are encourage to use the pci sysfs interface 
instead.




If that is the case, and what you essentially want is to just override
the kernel default (0 VFs), then I think we can add a feature to
udev's .link files to handle this.

This means the VFs will be allocated very early during boot, as soon
as the PF appears.

On the downside, there is no mechanism to nicely update this setting
during run-time (which may not be a problem if that is not really
supported anyway), you would have to reinsert the PF or reboot the
machine for the .link file to be applied.


You can create number of VF to the cards maximum per PF via|

|# echo number  /sys/bus/pci/devices/\:01\:00.0/sriov_numvfs
# echo number  /sys/bus/pci/devices/\:01\:00.1/sriov_numvfs
...
etc.

( these should be able to be matched in link files via Path as in 
Path=pci-:01:00.0-* for the above sample right ?  )


Then you can tweak the VF settings

To set the vNIC MAC address on the Virtual Function

# ip link set pf vf vf_index mac vnic_mac

# ip link set em1 vf 0 mac 00:52:44:11:22:33

It's common to set fixed mac address instead of randomly generated ones 
via bash script at startup


To turn HW packet source mac spoof check on or off for the specified VF

# ip link set pf vf vf_index spoofchk on|off

# ip link set em1 vf 0 spoofchk on

Change the link state as seen by the VF

# ip link set pf vf vf_index state auto|enable|disable

# ip link set em1 vf 0 state disabled

To set a VLAN and priority on Virtual Function

# ip link set dev down
# ip link set pf vf vf_index vlan vlan id qos priority
# ip link set dev up

Here for example is em1 is the PF (physical function) , em2 is the 
interface assigned to VF 0.


# ip link set em2 down
# ip link set em1 vf 0 vlan 2 qos 2
# ip link set em2 up

If someone ships you those cards you can verify configuration use ip 
link show command like so


# ip link show dev em1

And it's output be something like this

7: em1: BROADCAST,MULTICAST mtu 1500 qdisc noop state DOWN mode 
DEFAULT group default qlen 1000

link/ether 00:02:c9:e6:01:12 brd ff:ff:ff:ff:ff:ff
vf 0 MAC mac, vlan id, spoof checking off, link-state auto
vf 1 MAC mac, vlan id, spoof checking on, link-state enable
vf 2 MAC mac, vlan id, spoof checking off, link-state disable

etc...


  Moreover, .link files are
specific to network devices, so this will not help you with other
kinds of PFs. I think that may be ok, depending on how common it is to
use this for non-network hardware. If that is a niche usecase, it will
always be possible to write an udev rule to achieve the same result as
the .link file (for any kind of hardware), it is just a bit more
cumbersome.


If I'm not mistaken some of those cards can support for example 
infiniband,fc and etherenet at the same time ( which used to be 
configured when the module was loaded )


But what's missing from link files here?
set the number of VF ?
( Note the maximum number of VFs that you can create and the maximum 
number of VFs that you can use for passthrough can be different.)


That said it's probably best to get the Intel guys on board on this 
since a) Intel

Re: [systemd-devel] [PATCH v2 1/2] systemd.unit(5): add examples for common tasks

On Tue, 27.01.15 17:45, Christian Seiler (christ...@iwakd.de) wrote:

 Add examples for (a) making units enableable and (b) overriding vendor
 settings to the man page.

I am not a native english speaker, but I am not sure there's a word
like enableable in the english language. Maybe rephrase this as
allowing units to be enabled?

 +linking to the actual unit will be created. It
 +tells systemd to pull in the unit when starting
 +filenamemulti-user.target/filename. The
 +converse commandsystemctl disable/command
 +will remove that symlink again./para
 +/example

converse? shouldn't it be reverse or inverse?

 +programlisting[Unit]
 +Description=Some HTTP server
 +After=network.target remote-fs.target sqldb.service

Given the fact that network.target is so vaguely defined, and not
even necessary in most cases, I'd really suggest removing this bit
fromt the After= line.

 +[Service]
 +Type=notify
 +ExecStart=/usr/sbin/some-fancy-httpd-server
 +TimeoutStartSec=5

I think the default timeout should be fine. THere's usually no good
reason to change it.

 +paraThe first possibility is to copy the unit
 +file to
 +
 filename/etc/systemd/system/httpd.service/filename
 +and change the chosen settings:/para
 +
 +programlisting[Unit]
 +Description=Some HTTP server
 +After=network.target remote-fs.target sqldb.service 
 emphasismemcached.service/emphasis
 +Requires=sqldb.service emphasismemcached.service/emphasis
 +ConditionPathExists=emphasis/srv/www/emphasis

I wonder if the example should better use AssertionXYZ rather than
ConditionXYZ for this?

Looks great otherwise!

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] libudev-monitor: ensure proper string termination

On 01/27/15 00:19, Lennart Poettering wrote:
 On Sun, 25.01.15 07:10, Topi Miettinen (toiwo...@gmail.com) wrote:
 
 On 01/25/15 03:34, Zbigniew Jędrzejewski-Szmek wrote:
 On Sat, Jan 24, 2015 at 10:39:56AM +0200, Topi Miettinen wrote:
 Leave space for the terminating zero when reading and make sure
 that the last byte is zero. This also makes the check for long packets
 equivalent to code before 9c89c1ca: reject also packets with size 8192.
 ---
  src/libudev/libudev-monitor.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

 diff --git a/src/libudev/libudev-monitor.c b/src/libudev/libudev-monitor.c
 index 4cfb2f6..b7fc031 100644
 --- a/src/libudev/libudev-monitor.c
 +++ b/src/libudev/libudev-monitor.c
 @@ -590,7 +590,7 @@ retry:
  if (udev_monitor == NULL)
  return NULL;
  iov.iov_base = buf;
 -iov.iov_len = sizeof(buf);
 +iov.iov_len = sizeof(buf) - 1; /* Leave space for terminating 
 zero */
  memzero(smsg, sizeof(struct msghdr));
  smsg.msg_iov = iov;
  smsg.msg_iovlen = 1;
 @@ -642,6 +642,8 @@ retry:
  if (udev_device == NULL)
  return NULL;
  
 +buf.raw[sizeof(buf.raw) - 1] = '\0';
 +
  if (memcmp(buf.raw, libudev, 8) == 0) {
  /* udev message needs proper version magic */
  if (buf.nlh.magic != htonl(UDEV_MONITOR_MAGIC)) {
 A buffer only needs to be terminated by a zero in certain cases: usually if 
 it
 is passed to a function which expectes that. iovecs can contain binary data,
 and have an explicit size field, so they do not need to be zero-terminated.
 Is there a reason why the buffer has to be zero-terminated in this case?

 String functions strcmp, strlen and strstr, used a few lines later,
 expect null byte terminated strings. Alternatively they could be changed
 to strncmp and friends where the scope can be limited to only the buffer.
 
 But the data comes from the kernel (and that's verified, securely),
 hence I am wondering what kind of vulnerability you have precisely in
 mind. If we don't trust the kernel, then we'll have quite a problem...

Right, I didn't look at the context. In that case, this would be just
defensive programming.

-Topi

 
 Lennart
 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] timesyncd: tighten unit file

On 01/27/15 01:54, Lennart Poettering wrote:
 On Sun, 25.01.15 12:23, Topi Miettinen (toiwo...@gmail.com) wrote:
 
 There's no need for CAP_CHOWN, CAP_DAC_OVERRIDE or CAP_FOWNER.
 
 Hmm, that's not true, is it? load_clock_timestamp() is invoked before
 we drop privs in the daemon. And it certainly calls fchmod() and
 fchown(), so that it can later on still access the clock touch file.
 
 What am I missing?

It works for me because the file exists already with correct owner and
permissions. I'd put CAP_CHOWN and CAP_FOWNER back for now.

Maybe the clock file could reside in a separate subdirectory, then the
directory owner and permissions could be set up already at installation?

 
 No new privileges are needed, especially no setuid fixups are
 expected.
 
 Yeah, we should probably set this for most of our daemons, not just
 timesyncd. 
 
 I am not entirely sure how NoNewPrivileges= and no-setuid-fixup
 actually relate to each other. I.e. what does one do that the other
 doesn't? And if they do different things, isn't NoNewPrivileges= kinda
 a superset of no-setuid-fixup, and thus makes setting the latter
 redundant?

I think NoNewPrivileges (prctl(PR_SET_NO_NEW_PRIVS)) prevents any kind
of uid/gid changes, while no-setuid-fixup does not restrict uid change
but does not elevate the capability set.

 
 Reading through Documentation/prctl/no_new_privs.txt in the
 kernel sources I found this paragraph:
 
Be careful, though: LSMs might also not tighten constraints on
exec in no_new_privs mode.  (This means that setting up a
general-purpose service launcher to set no_new_privs before
execing daemons may interfere with LSM-based sandboxing.)
 
 This kinda suggests that SELinux and friends might not like
 NoNewPrivileges=, hence I am not entirely sure it is really the right
 option for us.
 
 Hence I am wondering if no-setuid-fixup (and -locked) might be the
 better option for us to enable everywhere?

I don't think timesyncd is executing any helper programs, especially
set-uid or with file system capabilities, so both should work fine.

 
 Device policy can be closed, timesyncd does not access any devices.
 
 Note that we set PrivateDevices=yes already, which implies
 DevicePolicy=closed.
 
 Timesyncd only needs write access to /var/lib/systemd/clock. There's no
 need to access /boot nor most API filesystems.
 
 Well, /boot is already covered by ProtectSystem=full actually (but
 this wasn't documented, admittedly. Updated the man page now in gate.)
 
 I am a bit concerned about listing by default all these directories in
 the unit file. I mean, the reason why ProtectSystem=, ProtectHome= and
 suchlike exists is precisely to break this down to a few booleans (or
 boolean-like enums), instead of listing all directories in all unit
 files all the time. I mean, it's great if people do this on their
 local systems, but to make this palatable generically upstream I
 created ProtectSystem= and ProtectHome= to hide the directory lists
 away.
 
 The problem with these lists is that we need to be really conservative
 with them, since many of the libs we use (including glibc) use
 different interface behind our back, and thus writing generally
 valid rules, that work on all archs, on all distros, on all
 glibc/libary versions is hard. This is what SELinux policy does, but I
 *really* didn't want to create another implementation of such a
 finegrained policy, if you follow what I mean.

I'm not sure. Shouldn't we then ship a SELinux policy file then? Would
you be interested in AppArmor profile for timesyncd, I have one? Also,
if a distro uses weird SELinux policies or setuid helpers at every
possible opportunity, shouldn't they have some responsibility of fixing
their setup?

 
 Install a system call filter, generated with 'strace -c'.
 
 Hmm, I am a bit concerned about this part, I am not sure we can really
 do this upstream. Different glibc and other library versions we use
 invoke different syscalls. Moreover, different archs use different
 syscalls, too. This makes it really difficult putting together syscall
 filters upsteram that work generically, on all downstream versions.
 
 I think SystemCallFilter= is something that end-users can use on their
 systems, but I am not sure we can use this upstream. :-(

Right, this was generated on x86_64.

 
 Only one additional process is needed.
 
 Hmm, LimitNPROC=2 unfortunately doesn't do what we want it to do:
 since the daemon drops the to the systemd-timesync user on its own,
 PID 1 invokes it as root, not as the the systemd-timesync user, which
 makes the excercise pointless... We should probably handle this better
 though, and warn, instead of silently accepting it. Added that to the
 TODO list now.

This probably applies to other limits too?

 
 I have now changed the timesyncd code to do the right thing on its own
 after dropping privs. During runtime RLIMIT_NPROC=2 should now be set.
 
 Mounts should not propagate back, so set the

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On 01/26/15 23:46, Lennart Poettering wrote:
 But independently of the PrivateDevices thing, would you think
 tmpfiles.d could be extended to be usable for unit specific cases
 instead of just one global setup? I think there could be more uses, for
 example, creating directories and links inside a unit's
 RuntimeDirectory.
 
 I am not sure how this could work and what kind of integration you
 precisely are looking for there?
 
 Note that tmpfiles exists mostly for two reasons: a) to deal with old
 software that wasn't capable of creating its own subdirs/stuff below
 its runtime directory; and b) to deal with software whose main program
 was running unpriviliged all the time (for example by using User=),
 and hence lacked the priviliges to set up its subdir in /run.

a) was exactly my case, auditd doesn't have a way to specify where to
put the pid file yet, so it ends up in /run/auditd.pid.

 
 Now, to deal with case b) we nowadays have RuntimeDirectory=. And for
 a) I think the long story must be to make it set up its own stuff in
 /run, and I don#t see how tmpfiles could break any benefit there...
 
 Lennart
 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [systemd-commits] 5 commits - TODO configure.ac man/systemd.link.xml units/container-ge...@.service.m4.in units/systemd-resolved.service.in

On Tue, Jan 27, 2015 at 09:30:16AM -0800, Lennart Poettering wrote:
  TODO |6 +-
  configure.ac |8 +---
  man/systemd.link.xml |   16 +++-
  units/container-ge...@.service.m4.in |4 ++--
  units/systemd-resolved.service.in|1 +
  5 files changed, 24 insertions(+), 11 deletions(-)
 
 New commits:
 commit e611755d98ac6b213f39426359c3a94defc6a029
 Author: Lennart Poettering lenn...@poettering.net
 Date:   Tue Jan 27 18:29:33 2015 +0100
 
 man: mention that 99-default.link is shipped by default, and users hence 
 need to install a lexically earlier .link file for it to be honoured

What's up with those commit subjects getting longer and longer?  It's
hard to read, especially when skimming a long list of commit subjects,
and our tools don't really support this: gitk, file names generated by
git format patch, cia, git log in a non-terribly-wide window...

Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v2 1/2] systemd.unit(5): add examples for common tasks

On Tue, 27.01.15 19:26, Christian Seiler (christ...@iwakd.de) wrote:

 I know, but I wanted to have something that was easily understandable at
 first glance that was already set in the original unit that would then
 be overridden. I'll use Nice= instead, that's more likely to be
 used.

Yeah, sounds like the better option.

  +paraThe first possibility is to copy the unit
  +file to
  +
  filename/etc/systemd/system/httpd.service/filename
  +and change the chosen settings:/para
  +
  +programlisting[Unit]
  +Description=Some HTTP server
  +After=network.target remote-fs.target sqldb.service 
  emphasismemcached.service/emphasis
  +Requires=sqldb.service emphasismemcached.service/emphasis
  +ConditionPathExists=emphasis/srv/www/emphasis
  
  I wonder if the example should better use AssertionXYZ rather than
  ConditionXYZ for this?
 
 A right, that's new, I'll use that instead.
 
 Will send second patch after your response to my question.

Uh, which question are you precisely referring to?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v2 1/2] systemd.unit(5): add examples for common tasks

Am 27.01.2015 um 19:12 schrieb Lennart Poettering:
 On Tue, 27.01.15 17:45, Christian Seiler (christ...@iwakd.de) wrote:
 
 Add examples for (a) making units enableable and (b) overriding vendor
 settings to the man page.
 
 I am not a native english speaker, but I am not sure there's a word
 like enableable in the english language. Maybe rephrase this as
 allowing units to be enabled?

Drat. I've read that in technical contexts often enough, and for safety
I typed it into google. There were enough results there to make me think
'oh, ok, it's a real word'. A quick look in a dictionary disagrees with
that assessment. Oh well. (Although the urban dictionary does have that
word, but my guess is you won't accept that as a canonical source for
the English language. ;-))

I'll change it.

 +linking to the actual unit will be created. It
 +tells systemd to pull in the unit when starting
 +filenamemulti-user.target/filename. The
 +converse commandsystemctl disable/command
 +will remove that symlink again./para
 +/example
 
 converse? shouldn't it be reverse or inverse?

Hmm, converse was the first word that popped into my head, but inverse
is probably better, yes.

 +programlisting[Unit]
 +Description=Some HTTP server
 +After=network.target remote-fs.target sqldb.service
 
 Given the fact that network.target is so vaguely defined, and not
 even necessary in most cases, I'd really suggest removing this bit
 fromt the After= line.

Ok.

 +[Service]
 +Type=notify
 +ExecStart=/usr/sbin/some-fancy-httpd-server
 +TimeoutStartSec=5
 
 I think the default timeout should be fine. THere's usually no good
 reason to change it.

I know, but I wanted to have something that was easily understandable at
first glance that was already set in the original unit that would then
be overridden. I'll use Nice= instead, that's more likely to be used.

 +paraThe first possibility is to copy the unit
 +file to
 +
 filename/etc/systemd/system/httpd.service/filename
 +and change the chosen settings:/para
 +
 +programlisting[Unit]
 +Description=Some HTTP server
 +After=network.target remote-fs.target sqldb.service 
 emphasismemcached.service/emphasis
 +Requires=sqldb.service emphasismemcached.service/emphasis
 +ConditionPathExists=emphasis/srv/www/emphasis
 
 I wonder if the example should better use AssertionXYZ rather than
 ConditionXYZ for this?

A right, that's new, I'll use that instead.

Will send second patch after your response to my question.

Christian

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 2/2] logind: chown+chmod /run/user/$UID if mount(tmpfs) fails with EPERM

Am 27.01.2015 um 19:02 schrieb Lennart Poettering:
 Merged this one too, made some changes first howver. I reworked this
 to use our chmod_and_chown() helper, and removed the bit that checks
 whether the mount point actually was a mount point after umount2(). I
 really prefer if we can just check the return value of the syscall and
 decide on that.

Looks much nicer, yes.

 Please check if this all works for you now!

Yes, works for me, directory gets created, chown/chmod is applied,
XDG_RUNTIME_DIR is set and loginctl shows the session.

Thanks!

Christian

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH v3] systemd.unit(5): add examples for common tasks

Am 27.01.2015 um 19:32 schrieb Lennart Poettering:
 On Tue, 27.01.15 19:26, Christian Seiler (christ...@iwakd.de) wrote:
 Will send second patch after your response to my question.
 
 Uh, which question are you precisely referring to?

Forget it, I answered that question myself and forgot to edit out the
last sentence of my mail. ;-)

I've attached git format-patch's output for the revised manpage.

Christian

From 4d251d71bfa5eb19a7d14392d34357e0e3e859cc Mon Sep 17 00:00:00 2001
From: Christian Seiler christ...@iwakd.de
Date: Sat, 24 Jan 2015 14:04:03 +0100
Subject: [PATCH] systemd.unit(5): add examples for common tasks

Add examples for (a) how to allow units to be enabled and (b)
overriding vendor settings to the man page.
---
 man/systemd.unit.xml | 165 +++
 1 file changed, 165 insertions(+)

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index e820b33..9704d6f 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1574,6 +1574,171 @@
 /refsect1
 
 refsect1
+titleExamples/title
+
+example
+titleAllowing units to be enabled/title
+
+paraThe following snippet (highlighted)
+allows a unit (e.g.
+filenamefoo.service/filename) to be
+enabled via
+commandsystemctl enable/command:/para
+
+programlisting[Unit]
+Description=Foo
+
+[Service]
+ExecStart=/usr/sbin/foo-daemon
+
+emphasis[Install]/emphasis
+emphasisWantedBy=multi-user.target/emphasis/programlisting
+
+paraAfter running
+commandsystemctl enable/command, a symlink
+filename/etc/systemd/system/multi-user.target.wants/foo.service/filename
+linking to the actual unit will be created. It
+tells systemd to pull in the unit when starting
+filenamemulti-user.target/filename. The
+inverse commandsystemctl disable/command
+will remove that symlink again./para
+/example
+
+example
+titleOverriding vendor settings/title
+
+paraThere are two methods of overriding
+vendor settings in unit files: copying the unit
+file from
+filename/usr/lib/systemd/system/filename
+to filename/etc/systemd/system/filename and
+modifying the chosen settings. Alternatively,
+one can create a directory named
+filenamereplaceableunit/replaceable.d//filename
+within
+filename/etc/systemd/system/filename and
+place a drop-in file
+filenamereplaceablename/replaceable.conf/filename
+there that only changes the specific settings
+one is interested in. Note that multiple such
+drop-in files are read if present./para
+
+paraThe advantage of the first method is
+that one easily overrides the complete unit,
+the vendor unit is not parsed at all anymore.
+It has the disadvantage that improvements to
+the unit file by the vendor are not
+automatically incorporated on updates./para
+
+paraThe advantage of the second method is
+that one only overrides the settings one
+specifically wants, where updates to the unit
+by the vendor automatically apply. This has the
+disadvantage that some future updates by the
+vendor might be incompatible with the local
+changes./para
+
+paraNote that for drop-in files, if one wants
+to remove entries from a setting that is parsed
+as a list (and is not a dependency), such as
+varnameConditionPathExists=/varname (or
+e.g. varnameExecStart=/varname in service
+units), one needs to first clear the list
+before re-adding all entries except the one
+that is to be removed. See below for an
+example./para
+
+paraThis also applies for user instances of
+systemd, but with different locations for the
+unit files. See the section on unit load paths
+for further details./para
+
+

Re: [systemd-devel] [PATCH] Added UFD (Uplink failure detection) support to networkd

2015-01-27 Thread Tom Gundersen

Hi Alin,

Thanks for working on this.

I think the main concepts here make sense, but I have some comments on
the implementation.

So the main ideas are:

1) a notion of groups of links
2) a notion of up- and downlinks
3) configuring downlinks if and only if at least one uplink in the
group has a carrier

Comments:

Maybe we should not restrict the naming to UFD, as the grouping may
be useful for other things in the future (would be great if you could
comment on Holger's email for instance). In fact Lennart suggested we
introduce the concept of 'tags' instead of groups, and these will be
similar to tags in udev rules.

I.e., introduce a new directive called Tag= in .network files, and
this could then be used for different things in the future.

I don't think we should introduce a netdev kind for groups, as this
really does not correspond to a netdev in the kernel. And I don't
think we should list the ifnames in the configuration of the groups,
but rather configure the group name in the .network file (see how
bonding and bridging currently works). It looks to me that we don't
even need (yet) configuration files for the groups, they can just be
made implicitly from their name as given in .network files. Using the
idea of Tags should give you this.

If possible we should not wait for all links to appear before handling
a group, but be tolerant to not knowing upfront precisely which links
will be on a system. It looks to me that this shouldn't be a problem,
but maybe I missed something? Also here see how bridging and bonding
currently works.

Could you comment a bit on how you decide when an uplink should be
considered failed? Is it jut when it does not have a carrier? Is this
the end of the story, or do you imagine extending this with other
notions in the future?

Lastly, Lennart also pointed out that there is not really a need for
grouping the downlinks, only the uplinks. We could then simply have a
new directive BindToCarrier= which is set in downlinks and which takes
a list of tags, meaning that this link will only be configured once at
least one tag has a link with a carrier.

What do you think?

Cheers,

Tom
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [systemd-commits] 5 commits - TODO configure.ac man/systemd.link.xml units/container-ge...@.service.m4.in units/systemd-resolved.service.in

On Tue, 27.01.15 19:14, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

 On Tue, Jan 27, 2015 at 09:30:16AM -0800, Lennart Poettering wrote:
   TODO |6 +-
   configure.ac |8 +---
   man/systemd.link.xml |   16 +++-
   units/container-ge...@.service.m4.in |4 ++--
   units/systemd-resolved.service.in|1 +
   5 files changed, 24 insertions(+), 11 deletions(-)
  
  New commits:
  commit e611755d98ac6b213f39426359c3a94defc6a029
  Author: Lennart Poettering lenn...@poettering.net
  Date:   Tue Jan 27 18:29:33 2015 +0100
  
  man: mention that 99-default.link is shipped by default, and users 
  hence need to install a lexically earlier .link file for it to be honoured
 
 What's up with those commit subjects getting longer and longer?  It's
 hard to read, especially when skimming a long list of commit subjects,
 and our tools don't really support this: gitk, file names generated by
 git format patch, cia, git log in a non-terribly-wide window...

Well, gitk reveals the full commit subject when i click on the item.

I mean, that's not worse then if I'd shorten the subject and put the
rest in the body, right? you'd have to click on the thing, to see it
in full..

In general I believe that we don't live in times of 80ch terminals
anymore. Our coding style doesn't suggest breaking lines that early,
and I don't think we should do that either for git commits.

That said, I'll try to keep it shorter,

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On 01/26/15 21:04, Lennart Poettering wrote:
 On Mon, 26.01.15 17:07, Topi Miettinen (toiwo...@gmail.com) wrote:
 
 On 01/26/15 12:41, Simon McVittie wrote:
 On 24/01/15 10:09, Topi Miettinen wrote:
 For example, smartd only needs access to /dev/sd*.

 Let me spell that differently: smartd only needs the ability to make
 arbitrary filesystem changes, defeating any possible configurable
 security mechanism.

 Not exactly: it only needs read access. Depending on the system, that
 could be very different from being able to make arbitrary filesystem
 changes.
 
 Sending SMART requests requires the same priviliges as issue direct
 low-level write requests to my knowledge, hence I'd say simon is right.

CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
DevicePolicy=closed
DeviceAllow=block-sd r
DeviceAllow=/dev/sda r
DeviceAllow=/dev/sdb r
works fine here.

Probably CAP_SYS_RAWIO can be used to circumvent the lack of write
access, though.

-Topi

 
 Lennart
 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] logind vs CAP_SYS_ADMIN-lessness

On a general note: the stuff I mentioned that I did to modify the
container was just taken from the lxc-debian template that comes with
LXC 1.0, and I didn't have time to look at it thoroughly to see what's
actually needed there. The stuff I mentioned was more along the lines of
'what I did to get where I was if somebody wanted to reproduce it'
instead of 'I recommend doing that'.

Am 27.01.2015 um 03:08 schrieb Lennart Poettering:
  - explicitly enable getty@tty{1,2,3,4}.service
 
 Why?

Ah, it's nice to see we all live in our own bubbles. :-)

LXC predates systemd by about 2 years. (And at the very beginning,
systemd didn't support containers out of the box, so it predates
systemd's container support by even more.) And at that time, doing that
was a way to sysvinit containers with no or minimal modification to
/etc/inittab. So instead of saying that LXC breaks systemd's
assumptions, you could also say systemd breaks LXC's assumptions. As I
said: bubbles. ;-)

Now I'm not going to argue with you that the method of doing
$container_ttys= isn't vastly superior to what was there previously,
because it is. So I don't disagree with the long-term solution at all.

But LXC 1.0 just doesn't support this yet, so the question is what to do
in the mean time. If I do what I described:

 - logind can't open /dev/tty0, so all VT management in there is
   disabled anyway
 - within systemd: vt_disallocate can't open /dev/tty0, so it just
   returns an error, but that error code is never checked in
   core/execute.c, so it just behaves as if the directive never had
   been there
 - getty@.service statically enabled just runs agetty, so really only
   $TERM is wrong
 - but that was wrong already with sysvinit containers, and I never had
   any major issues because of that

So yeah, it's not pretty, it shouldn't stay in the long run, I
completely agree with your reasoning why you don't like it, but
currently it does seem to 'work'.

That being the case, thinking about it, I actually don't use this
feature myself (with kernels = 3.12 or so, lxc-attach works quite well,
so I never actually had the need to use a console to log in to a
container, for normal purposes I use SSH anyway), so maybe I'm just
going to deactivate the whole thing in my local config anyway.

Speaking of, isn't there a bug in container-getty@.service?[*] It uses
ConditionPathExists=/dev/pts/%I, starts agetty on pts/%I but sets
TTYPath=/dev/%I instead of /dev/pts/%I... And having the utmp specifier
be just a number (%I) instead of pts/%I is also probably weird.

[*]
http://cgit.freedesktop.org/systemd/systemd/tree/units/container-ge...@.service.m4.in

  - mask systemd-udevd.service (haven't tested if that's actually needed,
the lxc-debian template also does this however)
 
 There's no point in doing that. udev uses
 ConditionPathIsReadWrite=/sys anyway, and is automatically skipped
 hence when /sys is read-only.

Ah, good point, so it is in fact not needed. No idea why that's in there
then. Perhaps from a historic attempt when systemd didn't have that
Condition in there?

  - touch /etc/fstab if you debootstrap it directly
 
 You can just remove it. You don't need it in containers (and not even
 on most hosts, unless you actually need to refer to external
 partitions that cannot be auto-configured.

Ah, indeed, just tried it. Interesting, why did I write that? No idea...

 I am tempted to just
 change nspawn to mount a private tmpfs into /run/user, too, as it
 already mounts /run anyway.

 That would solve /run-quota issues for CAP_SYS_ADMIN-less containers,
 but is unnecessary (although harmless) for those that do have it.

 I decided against doing this after all. [...] Hence, we either do
 something (possibly skipping it it on missing perms) or, we don't do
 it at all, [...]

Fair enough[#], but did you receive my patches for the part about
skipping on missing perms?

http://lists.freedesktop.org/archives/systemd-devel/2015-January/027343.html
http://lists.freedesktop.org/archives/systemd-devel/2015-January/027344.html

[#] One could probably always do --tmpfs=/run/lock:options with nspawn
anyway, if one wants to explicitly do this.

Christian

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] systemd-udevd.service: restore mount propagation

Hey Lennart,

Lennart Poettering [2015-01-27  0:55 +0100]:
 Hmm? I don't see how mount propagation would break 60-cdrom_id... The
 eject ioctl operates on the device node, and does not care for
 mounts. This problem sounds made-up to me.

Right now cdrom_id indeed wouldn't be affected as it doesn't unmount a
CD which is about to ejected. That's the very problem that was
recently discussed here:

  http://lists.freedesktop.org/archives/systemd-devel/2015-January/026948.html

The two proposed solutions were to either teach cdrom_id --eject to
umount the device or just call the actual eject program which gets
this pretty much right. But neither would work because of the unshared
mount ns in udev.

 Moreover, if you want to do mounts or umounts on plug or play, then
 use a proper daemon, like udisks.

udisks actually used to have both the CD-ROM polling (which since then
moved into the kernel) and the post-eject cleanup. If we want to keep
the udev mount unsharing, we could put it back into udisks; but that
wouldn't be that robust as udisks isn't guaranteed to actually run,
both because it's a D-BUS activated service and a lot of server-ish
machines or lightweight desktops don't even have it.

Martin

-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v3] systemd.unit(5): add examples for common tasks

On Tue, 27.01.15 19:44, Christian Seiler (christ...@iwakd.de) wrote:

 Am 27.01.2015 um 19:32 schrieb Lennart Poettering:
  On Tue, 27.01.15 19:26, Christian Seiler (christ...@iwakd.de) wrote:
  Will send second patch after your response to my question.
  
  Uh, which question are you precisely referring to?
 
 Forget it, I answered that question myself and forgot to edit out the
 last sentence of my mail. ;-)
 
 I've attached git format-patch's output for the revised manpage.

Thanks! Applied!

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] Added UFD (Uplink failure detection) support to networkd

On Tue, 27.01.15 19:54, Tom Gundersen (t...@jklm.no) wrote:

 Hi Alin,
 
 Thanks for working on this.
 
 I think the main concepts here make sense, but I have some comments on
 the implementation.
 
 So the main ideas are:
 
 1) a notion of groups of links
 2) a notion of up- and downlinks
 3) configuring downlinks if and only if at least one uplink in the
 group has a carrier
 
 Comments:
 
 Maybe we should not restrict the naming to UFD, as the grouping may
 be useful for other things in the future (would be great if you could
 comment on Holger's email for instance). In fact Lennart suggested we
 introduce the concept of 'tags' instead of groups, and these will be
 similar to tags in udev rules.

Taking this one step further we could even simplify further: maybe the
entire concept of tags our groups is unnecessary. Instead, let's just
introduce a single new setting:

BindCarrier=

Which takes a list of interface names, and supports globbing. Now,
with this functionality in place, and a good naming regime we could
implement such uplink/download behaviour too, right? I mean, let's say
you name all your uplink interfaces uplink0, uplink1, uplink2, and
your downlink interfaces downlink0, downlink1, and so on. Now, in the
.network file for the downlink, we'd simply say BindCarrier=uplink*,
which would then mean that the port is only configured if at least one
interface matching that name, with a carrier is found.

Alin, wouldn't this be sufficient for you? I kinda prefer this
solution due to its simplicity, and as it does not introduce any new
concepts, and only a single new setting...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On 01/27/15 20:52, Lennart Poettering wrote:
 On Tue, 27.01.15 18:51, Topi Miettinen (toiwo...@gmail.com) wrote:
 
 On 01/26/15 21:04, Lennart Poettering wrote:
 On Mon, 26.01.15 17:07, Topi Miettinen (toiwo...@gmail.com) wrote:

 On 01/26/15 12:41, Simon McVittie wrote:
 On 24/01/15 10:09, Topi Miettinen wrote:
 For example, smartd only needs access to /dev/sd*.

 Let me spell that differently: smartd only needs the ability to make
 arbitrary filesystem changes, defeating any possible configurable
 security mechanism.

 Not exactly: it only needs read access. Depending on the system, that
 could be very different from being able to make arbitrary filesystem
 changes.

 Sending SMART requests requires the same priviliges as issue direct
 low-level write requests to my knowledge, hence I'd say simon is right.

 CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
 DevicePolicy=closed
 DeviceAllow=block-sd r
 DeviceAllow=/dev/sda r
 DeviceAllow=/dev/sdb r
 works fine here.
 
 You should be able to reduce this to simply:
 
 DeviceAllow=block-sd r
 
 This should suffic since DevicePolicy=closed is implied if there's at
 least one DeviceAllow= specified. And DeviceAllow=block-sd r enables
 access to all /dev/sd* access, which includes /dev/sda and /dev/sdb,
 of course.

In general yes, but I didn't want to allow SMART requests to /dev/sdc,
it's a DVD-ROM drive and there are useless errors if accessed with SMART.

 
 Probably CAP_SYS_RAWIO can be used to circumvent the lack of write
 access, though.
 
 Yes, it can.
 
 I think in general though that sandboxing should be done even if there
 are ways to circumvent it. It might still protects from accidental
 mishaps even if it doesn't prevent attackers to exploit things.
 
 That said, as mentioned in my earlier mail smartd will probably not be
 happy with accessing only /dev/sd*, it wants access to all kinds of
 other devices. For example it has special support for certain SCSI
 RAID drivers and such, which are not accessed via /dev/sd*...
 
 Lennart
 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On 01/27/15 21:40, Lennart Poettering wrote:
 On Tue, 27.01.15 21:38, Topi Miettinen (toiwo...@gmail.com) wrote:
 
 CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
 DevicePolicy=closed
 DeviceAllow=block-sd r
 DeviceAllow=/dev/sda r
 DeviceAllow=/dev/sdb r
 works fine here.

 You should be able to reduce this to simply:

 DeviceAllow=block-sd r

 This should suffic since DevicePolicy=closed is implied if there's at
 least one DeviceAllow= specified. And DeviceAllow=block-sd r enables
 access to all /dev/sd* access, which includes /dev/sda and /dev/sdb,
 of course.

 In general yes, but I didn't want to allow SMART requests to /dev/sdc,
 it's a DVD-ROM drive and there are useless errors if accessed with
 SMART.
 
 Well, don't you just get a different error then?

Embarrassingly it looks like I actually fixed the error by editing
smartd.conf and not with the unit file...

-Topi

 
 That said, if this is really what you want, then you should really
 remove the DeviceAllow=block-sd r line, since that opens up access
 to /dev/sdc, too...
 
 Lennart
 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On Tue, 27.01.15 19:04, Topi Miettinen (toiwo...@gmail.com) wrote:

 On 01/26/15 23:46, Lennart Poettering wrote:
  But independently of the PrivateDevices thing, would you think
  tmpfiles.d could be extended to be usable for unit specific cases
  instead of just one global setup? I think there could be more uses, for
  example, creating directories and links inside a unit's
  RuntimeDirectory.
  
  I am not sure how this could work and what kind of integration you
  precisely are looking for there?
  
  Note that tmpfiles exists mostly for two reasons: a) to deal with old
  software that wasn't capable of creating its own subdirs/stuff below
  its runtime directory; and b) to deal with software whose main program
  was running unpriviliged all the time (for example by using User=),
  and hence lacked the priviliges to set up its subdir in /run.
 
 a) was exactly my case, auditd doesn't have a way to specify where to
 put the pid file yet, so it ends up in /run/auditd.pid.

Hmm, but that's fine, no? What would you put in tmpfiles for auditd?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On 01/27/15 20:48, Lennart Poettering wrote:
 On Tue, 27.01.15 19:04, Topi Miettinen (toiwo...@gmail.com) wrote:
 
 On 01/26/15 23:46, Lennart Poettering wrote:
 But independently of the PrivateDevices thing, would you think
 tmpfiles.d could be extended to be usable for unit specific cases
 instead of just one global setup? I think there could be more uses, for
 example, creating directories and links inside a unit's
 RuntimeDirectory.

 I am not sure how this could work and what kind of integration you
 precisely are looking for there?

 Note that tmpfiles exists mostly for two reasons: a) to deal with old
 software that wasn't capable of creating its own subdirs/stuff below
 its runtime directory; and b) to deal with software whose main program
 was running unpriviliged all the time (for example by using User=),
 and hence lacked the priviliges to set up its subdir in /run.

 a) was exactly my case, auditd doesn't have a way to specify where to
 put the pid file yet, so it ends up in /run/auditd.pid.
 
 Hmm, but that's fine, no? What would you put in tmpfiles for auditd?

I'd want it to put the pid file somewhere else, like RuntimeDirectory.

L/run/auditd.pid ----   /run/auditd/auditd.pid

This is probably a bad example as pid files could be deleted by the
daemon at exit.

 
 Lennart
 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

On Tue, 27.01.15 15:45, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

 Yes, I think attempting any kind of dependency removal *from loaded
 units* would be very complicated, and would require major surgery to
 current unit engine. And things would become conceptually more complicated,
 which we certainly don't need.
 
 But masking of .wants/ links is something different I think. It is a
 *localized* modification to a single configuration file. We currently
 allow overridding of almost all configuration (units files, files in
 .d directories, recently even generators), but .wants and .requires
 are an exception. I think we should allow this. Apart from current
 use case, it would things more consistent for the user.

Hmm, I am open to allowing to override the symlinks with symlinks, if
you follow what I mean. But i'd be careful with allowing to override
stuff listed in Wants= in a unit file in /usr, with a symlink in a
.wants/ dir in /etc, if you follow what I mean.

But yeah, allowing symlinks to override symlinks makes sense, a patch
for that would be good.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On Tue, 27.01.15 21:38, Topi Miettinen (toiwo...@gmail.com) wrote:

  CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
  DevicePolicy=closed
  DeviceAllow=block-sd r
  DeviceAllow=/dev/sda r
  DeviceAllow=/dev/sdb r
  works fine here.
  
  You should be able to reduce this to simply:
  
  DeviceAllow=block-sd r
  
  This should suffic since DevicePolicy=closed is implied if there's at
  least one DeviceAllow= specified. And DeviceAllow=block-sd r enables
  access to all /dev/sd* access, which includes /dev/sda and /dev/sdb,
  of course.
 
 In general yes, but I didn't want to allow SMART requests to /dev/sdc,
 it's a DVD-ROM drive and there are useless errors if accessed with
 SMART.

Well, don't you just get a different error then?

That said, if this is really what you want, then you should really
remove the DeviceAllow=block-sd r line, since that opens up access
to /dev/sdc, too...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On Tue, 27.01.15 18:51, Topi Miettinen (toiwo...@gmail.com) wrote:

 On 01/26/15 21:04, Lennart Poettering wrote:
  On Mon, 26.01.15 17:07, Topi Miettinen (toiwo...@gmail.com) wrote:
  
  On 01/26/15 12:41, Simon McVittie wrote:
  On 24/01/15 10:09, Topi Miettinen wrote:
  For example, smartd only needs access to /dev/sd*.
 
  Let me spell that differently: smartd only needs the ability to make
  arbitrary filesystem changes, defeating any possible configurable
  security mechanism.
 
  Not exactly: it only needs read access. Depending on the system, that
  could be very different from being able to make arbitrary filesystem
  changes.
  
  Sending SMART requests requires the same priviliges as issue direct
  low-level write requests to my knowledge, hence I'd say simon is right.
 
 CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
 DevicePolicy=closed
 DeviceAllow=block-sd r
 DeviceAllow=/dev/sda r
 DeviceAllow=/dev/sdb r
 works fine here.

You should be able to reduce this to simply:

DeviceAllow=block-sd r

This should suffic since DevicePolicy=closed is implied if there's at
least one DeviceAllow= specified. And DeviceAllow=block-sd r enables
access to all /dev/sd* access, which includes /dev/sda and /dev/sdb,
of course.

 Probably CAP_SYS_RAWIO can be used to circumvent the lack of write
 access, though.

Yes, it can.

I think in general though that sandboxing should be done even if there
are ways to circumvent it. It might still protects from accidental
mishaps even if it doesn't prevent attackers to exploit things.

That said, as mentioned in my earlier mail smartd will probably not be
happy with accessing only /dev/sd*, it wants access to all kinds of
other devices. For example it has special support for certain SCSI
RAID drivers and such, which are not accessed via /dev/sd*...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH v3] systemd.service(5): add some simple examples

Am 27.01.2015 um 21:45 schrieb Lennart Poettering:
 On Tue, 27.01.15 17:45, Christian Seiler (christ...@iwakd.de) wrote:
 +paraNote that systemd assumes here that the
 +program will continue running in the foreground
 +as long as it's active. If the program
 
 I think foreground vs. background here is probably something to
 avoid. These are services after all, and hence kinda background in
 all cases. I am not sure how to explain this better though... Maybe
 clarify that the program does not fork on its own, and that the
 process systemd starts stays running until the very end of the
 daemon, or so.

Yes, you are completely right. I've kept the use of 'background' at some
places, but specifically avoided foreground, since that is really,
really misleading. I've also rephrased the paragraph in question. I hope
that's better.

 +paraNote that systemd will consider the unit
 +to be in the state 'starting' until the program
 +has terminated, so ordered dependencies will
 +wait for the program to finish before starting
 +themselves. The unit will revert to the
 +'inactive' state after the execution is
 +done. That means another request to start the
 +unit will perform the action again./para
 
 It might be worth also mentioning here that the the unit this way will
 never actually be active. It will go directly from activating to
 inactive, which might be surprising!

Thanks for the pointer, done!

Now I also mentioned something about multiple ExecStart= for oneshot
units, which might be useful there.

 +paraSimilarly to the oneshot services, there
 +are sometimes units that need to execute a
 +program to set up something and then execute
 +another to shut it down, but no process remains
 +active while they are considered
 +'started'. Network configuration can sometimes
 +fall into this category./para
 
 Another reason to use RemainAfterExit= are services that shall not
 execute again and again when they are pulled in, but only the first
 time...

Mentioned that, thanks!

 varnameRemainAfterExit=/varnameoptiondbus/option
 
 Typo. Should be Type=, not RemainAfterExit=

*hehe* fixed.

 +example
 +titleDeferred (idle) services/title
 
 Hmm, I wonder if we maybe should remove this part. Idle services are
 kinda exotic, and I figure people might be tempted to misuse them. I
 think this might be something to document at the description of Type=,
 but not push people towards using this beyond that.

When I started writing this, I didn't just want to copy the getty
service (people can look that up anyway), so I decided to come up with
something else. However, once I wrote that unit, I realized that this
could have easily just been a Type=oneshot, RemainAfterExit=yes,
After=multi-user.target unit and have the same effect, and be a lot more
consistent with the rest of the way of doing things...

Type=idle is basically really just for gettys or something extremely
similar (like other interactive apps on VTs) that also get automatically
restarted.

Since these examples are supposed to provide a starting point for people
on how to write services, I've removed the section completely, and I
think this kind of special internal thing should remain in the reference
documentation.

v3 attached, I also fixed one or two other minor typos I noticed.

Christian

From ff44c16a173b36695e4844b36fbd10ac977bf4a3 Mon Sep 17 00:00:00 2001
From: Christian Seiler christ...@iwakd.de
Date: Tue, 27 Jan 2015 17:38:02 +0100
Subject: [PATCH] systemd.service(5): add some simple examples

Add a couple of exampels, at least one for each service type that
include some explanations and pointers to various relevant options.
---
 man/systemd.service.xml | 296 
 1 file changed, 296 insertions(+)

diff --git a/man/systemd.service.xml b/man/systemd.service.xml
index 4c890df..f33e8df 100644
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@@ -1358,6 +1358,302 @@ ExecStart=/bin/echo $ONE $TWO $THREE/programlisting
 /refsect1
 
 refsect1
+titleExamples/title
+
+example
+titleSimple service/title
+
+paraThe following unit file creates a service
+that will execute
+filename/usr/sbin/foo-daemon/filename.
+Since no varnameType=/varname is specified,
+the default
+varnameType=/varnameoptionsimple/option
+will

Re: [systemd-devel] [PATCH v3] systemd.service(5): add some simple examples

On Tue, 27.01.15 22:10, Christian Seiler (christ...@iwakd.de) wrote:

Thanks a ton! Applied!

 Am 27.01.2015 um 21:45 schrieb Lennart Poettering:
  On Tue, 27.01.15 17:45, Christian Seiler (christ...@iwakd.de) wrote:
  +paraNote that systemd assumes here that the
  +program will continue running in the foreground
  +as long as it's active. If the program
  
  I think foreground vs. background here is probably something to
  avoid. These are services after all, and hence kinda background in
  all cases. I am not sure how to explain this better though... Maybe
  clarify that the program does not fork on its own, and that the
  process systemd starts stays running until the very end of the
  daemon, or so.
 
 Yes, you are completely right. I've kept the use of 'background' at some
 places, but specifically avoided foreground, since that is really,
 really misleading. I've also rephrased the paragraph in question. I hope
 that's better.
 
  +paraNote that systemd will consider the unit
  +to be in the state 'starting' until the program
  +has terminated, so ordered dependencies will
  +wait for the program to finish before starting
  +themselves. The unit will revert to the
  +'inactive' state after the execution is
  +done. That means another request to start the
  +unit will perform the action again./para
  
  It might be worth also mentioning here that the the unit this way will
  never actually be active. It will go directly from activating to
  inactive, which might be surprising!
 
 Thanks for the pointer, done!
 
 Now I also mentioned something about multiple ExecStart= for oneshot
 units, which might be useful there.
 
  +paraSimilarly to the oneshot services, there
  +are sometimes units that need to execute a
  +program to set up something and then execute
  +another to shut it down, but no process remains
  +active while they are considered
  +'started'. Network configuration can sometimes
  +fall into this category./para
  
  Another reason to use RemainAfterExit= are services that shall not
  execute again and again when they are pulled in, but only the first
  time...
 
 Mentioned that, thanks!
 
  varnameRemainAfterExit=/varnameoptiondbus/option
  
  Typo. Should be Type=, not RemainAfterExit=
 
 *hehe* fixed.
 
  +example
  +titleDeferred (idle) services/title
  
  Hmm, I wonder if we maybe should remove this part. Idle services are
  kinda exotic, and I figure people might be tempted to misuse them. I
  think this might be something to document at the description of Type=,
  but not push people towards using this beyond that.
 
 When I started writing this, I didn't just want to copy the getty
 service (people can look that up anyway), so I decided to come up with
 something else. However, once I wrote that unit, I realized that this
 could have easily just been a Type=oneshot, RemainAfterExit=yes,
 After=multi-user.target unit and have the same effect, and be a lot more
 consistent with the rest of the way of doing things...
 
 Type=idle is basically really just for gettys or something extremely
 similar (like other interactive apps on VTs) that also get automatically
 restarted.
 
 Since these examples are supposed to provide a starting point for people
 on how to write services, I've removed the section completely, and I
 think this kind of special internal thing should remain in the reference
 documentation.
 
 v3 attached, I also fixed one or two other minor typos I noticed.
 
 Christian
 

 From ff44c16a173b36695e4844b36fbd10ac977bf4a3 Mon Sep 17 00:00:00 2001
 From: Christian Seiler christ...@iwakd.de
 Date: Tue, 27 Jan 2015 17:38:02 +0100
 Subject: [PATCH] systemd.service(5): add some simple examples
 
 Add a couple of exampels, at least one for each service type that
 include some explanations and pointers to various relevant options.
 ---
  man/systemd.service.xml | 296 
 
  1 file changed, 296 insertions(+)
 
 diff --git a/man/systemd.service.xml b/man/systemd.service.xml
 index 4c890df..f33e8df 100644
 --- a/man/systemd.service.xml
 +++ b/man/systemd.service.xml
 @@ -1358,6 +1358,302 @@ ExecStart=/bin/echo $ONE $TWO $THREE/programlisting
  /refsect1
  
  refsect1
 +titleExamples/title
 +
 +example
 +titleSimple service/title
 +
 +paraThe following unit file creates a service
 +that will execute
 +

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On Tue, 27.01.15 21:32, Topi Miettinen (toiwo...@gmail.com) wrote:

 On 01/27/15 20:48, Lennart Poettering wrote:
  On Tue, 27.01.15 19:04, Topi Miettinen (toiwo...@gmail.com) wrote:
  
  On 01/26/15 23:46, Lennart Poettering wrote:
  But independently of the PrivateDevices thing, would you think
  tmpfiles.d could be extended to be usable for unit specific cases
  instead of just one global setup? I think there could be more uses, for
  example, creating directories and links inside a unit's
  RuntimeDirectory.
 
  I am not sure how this could work and what kind of integration you
  precisely are looking for there?
 
  Note that tmpfiles exists mostly for two reasons: a) to deal with old
  software that wasn't capable of creating its own subdirs/stuff below
  its runtime directory; and b) to deal with software whose main program
  was running unpriviliged all the time (for example by using User=),
  and hence lacked the priviliges to set up its subdir in /run.
 
  a) was exactly my case, auditd doesn't have a way to specify where to
  put the pid file yet, so it ends up in /run/auditd.pid.
  
  Hmm, but that's fine, no? What would you put in tmpfiles for auditd?
 
 I'd want it to put the pid file somewhere else, like RuntimeDirectory.
 
 L/run/auditd.pid ----   /run/auditd/auditd.pid
 
 This is probably a bad example as pid files could be deleted by the
 daemon at exit.

I think it would be better to fix this in auditd itself and make it
use a proper dir below /run, rather than store its stuff in /run
itself...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

On Tue, Jan 27, 2015 at 10:30:48PM +0100, Lennart Poettering wrote:
 On Tue, 27.01.15 15:45, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
 
  Yes, I think attempting any kind of dependency removal *from loaded
  units* would be very complicated, and would require major surgery to
  current unit engine. And things would become conceptually more complicated,
  which we certainly don't need.
  
  But masking of .wants/ links is something different I think. It is a
  *localized* modification to a single configuration file. We currently
  allow overridding of almost all configuration (units files, files in
  .d directories, recently even generators), but .wants and .requires
  are an exception. I think we should allow this. Apart from current
  use case, it would things more consistent for the user.
 
 Hmm, I am open to allowing to override the symlinks with symlinks, if
 you follow what I mean. But i'd be careful with allowing to override
 stuff listed in Wants= in a unit file in /usr, with a symlink in a
 .wants/ dir in /etc, if you follow what I mean.
Yes, exactly.
 
 But yeah, allowing symlinks to override symlinks makes sense, a patch
 for that would be good.
 
 Lennart

Zbyszek

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] systemd-udevd.service: restore mount propagation

On Tue, 27.01.15 17:22, Lennart Poettering (lenn...@poettering.net) wrote:

 On Tue, 27.01.15 16:24, Martin Pitt (martin.p...@ubuntu.com) wrote:
 
   Well, again, the right answer then is to handle it with .mount units,
  
  How would that look like, on a very high level? Create .mount units on
  the fly with udev rules when devices appear, and asking systemd to
  unmount them via a remove uevent, instead of having cdrom_id do the
  umount directly?
 
 The .mount units of device nodes already have a BindsTo= dependency on
 their respective backing .device units. This should have the effect
 that systemd will take the .mount units down if the .device units are
 removed. Are you saying that doesn't work?

So I figure the bit that is missing here is the fact that the .device
units for CD drives and USB card readers don't care for media sense right
now. The .device units for CD drives and USB card readers are
available as long as the CD drive or USB card reader is plugged in, it
doesn't care for any media being in it. That means that automatic
unmounting by systemd due to the device going away will only happen if
you actually unplug the CD driver or the USB card, but not already
when the media is ejected.

However, I think it would make a ton of sense to change that, and set
SYSTEMD_READY=0 on all block devices where the media sensing suggests
that no medium is in it. This would mean that these devices don't show
up as systemd units until you actually put a medium in it. That would
be a change of semantics, but I think a useful one. 

What do you think?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v3] sysv-generator: Handle .sh suffixes when translating Provides:

On Wed, 21.01.15 14:55, Martin Pitt (martin.p...@ubuntu.com) wrote:

 Martin Pitt [2015-01-21  9:49 +0100]:
  One more adjustment to master, considering a recent change in the
  sysv-generator tests.
 
 Thomas and Michael both reviewed this patch, it's quite
 straightforward, and it fixes quite a severe regression, so I pushed
 it now.
 
 I don't want to push the other one without some review, though, as
 it's much less clear what the right solution is.

Which one is the other one you refer to?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

On Tue, 27.01.15 16:18, Christian Seiler (christ...@iwakd.de) wrote:

 Or to put it this way: if you take the following things:
  - the unit file itself
  - all drop-ins
  - all .requires.d/
  - all .wants.d/
 you could combine them (according to precedence rules) to a single large
 unit file and only then process that. This is at least what I think is
 a good way to model this, and that's how I modeled it in my head as a
 user before I looked at the code, when I realized that that's not the
 case. If you make the code work in a way that respects that model, I
 think that a lot of things about overrides become much more consistent.

it's more complex than that, since dependencies can come from both
sides, and are generated automatically even. If we really wanted this
to work, we'd have store precisely if a dep belongs to the soource or
the destaination of the dep, if a dep comes from configuration, or is
automatically created, and that we never coalesce deps. But I am not I
like the complexity of that, and in particular the fact that we
couldn't coalesce anymore...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] sysv-generator: Handle .sh suffixes when translating Provides:

On Tue, 20.01.15 17:44, Martin Pitt (martin.p...@ubuntu.com) wrote:

 Hey all,
 
 the recent fix for sysv-generator's Provides: handling [1] caused, or
 rather uncovered, another bug which now creates symlinks to itself
 foo.service - foo.service for any /etc/init.d/foo.sh.
 
 The generator would output an error message like
 
   Failed to create unit file path.../foo.service: File exists
 
 instead of creating the actual foo.service file. I. e. this completely
 breaks translating init scripts with .sh.

Hmm, we already had code that checks this in place, didn#t we?

I mean sysv_translate_facility() already filters out the case where
the service name is identical to the provided name. Hence, why do you
need a second check for this?

I think your patch tapes over a bug somewhere else.

I wonder if the simple fix could just be to change this:

} else if (filename  streq(name, filename))

to this

} else if (filename  streq(n, filename))

Or so, in that function?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] timesyncd: tighten unit file

On Tue, 27.01.15 19:47, Topi Miettinen (toiwo...@gmail.com) wrote:

 On 01/27/15 01:54, Lennart Poettering wrote:
  On Sun, 25.01.15 12:23, Topi Miettinen (toiwo...@gmail.com) wrote:
  
  There's no need for CAP_CHOWN, CAP_DAC_OVERRIDE or CAP_FOWNER.
  
  Hmm, that's not true, is it? load_clock_timestamp() is invoked before
  we drop privs in the daemon. And it certainly calls fchmod() and
  fchown(), so that it can later on still access the clock touch file.
  
  What am I missing?
 
 It works for me because the file exists already with correct owner and
 permissions. I'd put CAP_CHOWN and CAP_FOWNER back for now. 

Well, but this also means CAP_DAC_OVERRIDE is required, as otherwise
we won't be able to access the file while we are still root, and have
not dropped privileges anymore.

Note that timesyncd actually drops all remaining caps when changng
to the systemd-timesync user, with the exception of
CAP_SYS_TIME. This means that the caps configured in the unit file
don't matter too much as they only are in effect for the short time
when timesyncd is initializing and hasn't dropped all the remaining
caps except for CAP_SYS_TIME yet.

 Maybe the clock file could reside in a separate subdirectory, then the
 directory owner and permissions could be set up already at
 installation?

Well, to enable stateless systems I think it is a good idea to write
services in a way that they can rebuild what they need in /var on
their own, should it be missing, so that /var can be flushed out and
things will just work when the machine is then booted again.

All our daemons are written in a style where /var is reconstructed
implicitly if it is missing, and timesyncd really should work the same
way.

  I am not entirely sure how NoNewPrivileges= and no-setuid-fixup
  actually relate to each other. I.e. what does one do that the other
  doesn't? And if they do different things, isn't NoNewPrivileges= kinda
  a superset of no-setuid-fixup, and thus makes setting the latter
  redundant?
 
 I think NoNewPrivileges (prctl(PR_SET_NO_NEW_PRIVS)) prevents any kind
 of uid/gid changes, while no-setuid-fixup does not restrict uid change
 but does not elevate the capability set.

The PR_SET_NO_NEW_PRIVS docs say explicitly it only applies to
execve(). 

To be honest, I am still very puzzled about this. The docs are awful
about this...

  Reading through Documentation/prctl/no_new_privs.txt in the
  kernel sources I found this paragraph:
  
 Be careful, though: LSMs might also not tighten constraints on
 exec in no_new_privs mode.  (This means that setting up a
 general-purpose service launcher to set no_new_privs before
 execing daemons may interfere with LSM-based sandboxing.)
  
  This kinda suggests that SELinux and friends might not like
  NoNewPrivileges=, hence I am not entirely sure it is really the right
  option for us.
  
  Hence I am wondering if no-setuid-fixup (and -locked) might be the
  better option for us to enable everywhere?
 
 I don't think timesyncd is executing any helper programs, especially
 set-uid or with file system capabilities, so both should work fine.

Well, the way I read the paragraph above if we set PR_SET_NO_NEW_PRIVS
after forking, but before execing systemd-timesyncd, and that binary
has an selinux label on it, that the selinux label would be ignore,
and things would continue to run with the same label as we forked
off. This pretty much renders SELinux usesless, since all services
where we set the bit for would then run as init_t... and that's
something we really shouldn't do.

  The problem with these lists is that we need to be really conservative
  with them, since many of the libs we use (including glibc) use
  different interface behind our back, and thus writing generally
  valid rules, that work on all archs, on all distros, on all
  glibc/libary versions is hard. This is what SELinux policy does, but I
  *really* didn't want to create another implementation of such a
  finegrained policy, if you follow what I mean.
 
 I'm not sure. Shouldn't we then ship a SELinux policy file then? Would
 you be interested in AppArmor profile for timesyncd, I have one? Also,
 if a distro uses weird SELinux policies or setuid helpers at every
 possible opportunity, shouldn't they have some responsibility of fixing
 their setup?

Well, SELinux policy is managed in a central selinux policy database
that is shipped in one big RPM. My selinux-fu is not good enough to
maintain the policy file in systemd, and i am not sure this even is
generic enough to be able to ship the same selinux policy that works
across all distros that do selinux.

If Apparmor policies are standardized and stand-alone enough, and
there's a clear way to install them, and you are willing to look after
it, then yes, I'd merge a patch that adds apparmor profiles to systemd
upstream.

  Hmm, LimitNPROC=2 unfortunately doesn't do what we want it to do:
  since the daemon drops the to the systemd-timesync user on

Re: [systemd-devel] [PATCH] timesyncd: tighten unit file

On 01/27/15 21:16, Lennart Poettering wrote:
 On Tue, 27.01.15 19:47, Topi Miettinen (toiwo...@gmail.com) wrote:
 
 On 01/27/15 01:54, Lennart Poettering wrote:
 On Sun, 25.01.15 12:23, Topi Miettinen (toiwo...@gmail.com) wrote:

 There's no need for CAP_CHOWN, CAP_DAC_OVERRIDE or CAP_FOWNER.

 Hmm, that's not true, is it? load_clock_timestamp() is invoked before
 we drop privs in the daemon. And it certainly calls fchmod() and
 fchown(), so that it can later on still access the clock touch file.

 What am I missing?

 It works for me because the file exists already with correct owner and
 permissions. I'd put CAP_CHOWN and CAP_FOWNER back for now. 
 
 Well, but this also means CAP_DAC_OVERRIDE is required, as otherwise
 we won't be able to access the file while we are still root, and have
 not dropped privileges anymore.
 
 Note that timesyncd actually drops all remaining caps when changng
 to the systemd-timesync user, with the exception of
 CAP_SYS_TIME. This means that the caps configured in the unit file
 don't matter too much as they only are in effect for the short time
 when timesyncd is initializing and hasn't dropped all the remaining
 caps except for CAP_SYS_TIME yet.
 
 Maybe the clock file could reside in a separate subdirectory, then the
 directory owner and permissions could be set up already at
 installation?
 
 Well, to enable stateless systems I think it is a good idea to write
 services in a way that they can rebuild what they need in /var on
 their own, should it be missing, so that /var can be flushed out and
 things will just work when the machine is then booted again.
 
 All our daemons are written in a style where /var is reconstructed
 implicitly if it is missing, and timesyncd really should work the same
 way.

Nice, but the directories could be created with tmpfiles.d then?

 
 I am not entirely sure how NoNewPrivileges= and no-setuid-fixup
 actually relate to each other. I.e. what does one do that the other
 doesn't? And if they do different things, isn't NoNewPrivileges= kinda
 a superset of no-setuid-fixup, and thus makes setting the latter
 redundant?

 I think NoNewPrivileges (prctl(PR_SET_NO_NEW_PRIVS)) prevents any kind
 of uid/gid changes, while no-setuid-fixup does not restrict uid change
 but does not elevate the capability set.
 
 The PR_SET_NO_NEW_PRIVS docs say explicitly it only applies to
 execve(). 
 
 To be honest, I am still very puzzled about this. The docs are awful
 about this...
 
 Reading through Documentation/prctl/no_new_privs.txt in the
 kernel sources I found this paragraph:

Be careful, though: LSMs might also not tighten constraints on
exec in no_new_privs mode.  (This means that setting up a
general-purpose service launcher to set no_new_privs before
execing daemons may interfere with LSM-based sandboxing.)

 This kinda suggests that SELinux and friends might not like
 NoNewPrivileges=, hence I am not entirely sure it is really the right
 option for us.

 Hence I am wondering if no-setuid-fixup (and -locked) might be the
 better option for us to enable everywhere?

 I don't think timesyncd is executing any helper programs, especially
 set-uid or with file system capabilities, so both should work fine.
 
 Well, the way I read the paragraph above if we set PR_SET_NO_NEW_PRIVS
 after forking, but before execing systemd-timesyncd, and that binary
 has an selinux label on it, that the selinux label would be ignore,
 and things would continue to run with the same label as we forked
 off. This pretty much renders SELinux usesless, since all services
 where we set the bit for would then run as init_t... and that's
 something we really shouldn't do.

seccomp_filter.txt on the other hand says that
Prior to use, the task must call prctl(PR_SET_NO_NEW_PRIVS, 1) or
run with CAP_SYS_ADMIN privileges in its namespace.  If these are not
true, -EACCES will be returned.  This requirement ensures that filter
programs cannot be applied to child processes with greater privileges
than the task that installed them.

Does this mean that SELinux and seccomp are mutually exclusive? Awful
design if so.

 
 The problem with these lists is that we need to be really conservative
 with them, since many of the libs we use (including glibc) use
 different interface behind our back, and thus writing generally
 valid rules, that work on all archs, on all distros, on all
 glibc/libary versions is hard. This is what SELinux policy does, but I
 *really* didn't want to create another implementation of such a
 finegrained policy, if you follow what I mean.

 I'm not sure. Shouldn't we then ship a SELinux policy file then? Would
 you be interested in AppArmor profile for timesyncd, I have one? Also,
 if a distro uses weird SELinux policies or setuid helpers at every
 possible opportunity, shouldn't they have some responsibility of fixing
 their setup?
 
 Well, SELinux policy is managed in a central selinux policy database
 that is shipped in one big RPM. My

Re: [systemd-devel] PrivateDevices with more than basic set of devices?

On 01/27/15 21:35, Lennart Poettering wrote:
 On Tue, 27.01.15 21:32, Topi Miettinen (toiwo...@gmail.com) wrote:
 
 On 01/27/15 20:48, Lennart Poettering wrote:
 On Tue, 27.01.15 19:04, Topi Miettinen (toiwo...@gmail.com) wrote:

 On 01/26/15 23:46, Lennart Poettering wrote:
 But independently of the PrivateDevices thing, would you think
 tmpfiles.d could be extended to be usable for unit specific cases
 instead of just one global setup? I think there could be more uses, for
 example, creating directories and links inside a unit's
 RuntimeDirectory.

 I am not sure how this could work and what kind of integration you
 precisely are looking for there?

 Note that tmpfiles exists mostly for two reasons: a) to deal with old
 software that wasn't capable of creating its own subdirs/stuff below
 its runtime directory; and b) to deal with software whose main program
 was running unpriviliged all the time (for example by using User=),
 and hence lacked the priviliges to set up its subdir in /run.

 a) was exactly my case, auditd doesn't have a way to specify where to
 put the pid file yet, so it ends up in /run/auditd.pid.

 Hmm, but that's fine, no? What would you put in tmpfiles for auditd?

 I'd want it to put the pid file somewhere else, like RuntimeDirectory.

 L/run/auditd.pid ----   /run/auditd/auditd.pid

 This is probably a bad example as pid files could be deleted by the
 daemon at exit.
 
 I think it would be better to fix this in auditd itself and make it
 use a proper dir below /run, rather than store its stuff in /run
 itself...

Fully agree.

-Topi

 
 Lennart
 

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v2 2/2] systemd.service(5): add some simple examples

On Tue, 27.01.15 17:45, Christian Seiler (christ...@iwakd.de) wrote:

 +titleExamples/title
 +
 +example
 +titleSimple service/title
 +
 +paraThe following unit file creates a service
 +that will execute
 +filename/usr/sbin/foo-daemon/filename.
 +Since no varnameType=/varname is specified,
 +the default
 +varnameType=/varnameoptionsimple/option
 +will be assumed. systemd will assume the unit
 +to be started immediately after the program has
 +begun executing./para
 +
 +programlisting[Unit]
 +Description=Foo
 +
 +[Service]
 +ExecStart=/usr/sbin/foo-daemon
 +
 +[Install]
 +WantedBy=multi-user.target/programlisting
 +
 +paraNote that systemd assumes here that the
 +program will continue running in the foreground
 +as long as it's active. If the program

I think foreground vs. background here is probably something to
avoid. These are services after all, and hence kinda background in
all cases. I am not sure how to explain this better though... Maybe
clarify that the program does not fork on its own, and that the
process systemd starts stays running until the very end of the
daemon, or so.

 +paraNote that systemd will consider the unit
 +to be in the state 'starting' until the program
 +has terminated, so ordered dependencies will
 +wait for the program to finish before starting
 +themselves. The unit will revert to the
 +'inactive' state after the execution is
 +done. That means another request to start the
 +unit will perform the action again./para

It might be worth also mentioning here that the the unit this way will
never actually be active. It will go directly from activating to
inactive, which might be surprising!

 +/example
 +
 +example
 +titleStoppable oneshot service/title
 +
 +paraSimilarly to the oneshot services, there
 +are sometimes units that need to execute a
 +program to set up something and then execute
 +another to shut it down, but no process remains
 +active while they are considered
 +'started'. Network configuration can sometimes
 +fall into this category./para

Another reason to use RemainAfterExit= are services that shall not
execute again and again when they are pulled in, but only the first
time...

 +example
 +titleDBus services/title
 +
 +paraFor services that acquire name on the
 +DBus system bus, use
 +
 varnameRemainAfterExit=/varnameoptiondbus/option

Typo. Should be Type=, not RemainAfterExit=

 +example
 +titleDeferred (idle) services/title

Hmm, I wonder if we maybe should remove this part. Idle services are
kinda exotic, and I figure people might be tempted to misuse them. I
think this might be something to document at the description of Type=,
but not push people towards using this beyond that.

Looks great otherwise! Thanks a ton for putting this together, much appreciated!

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] systemd-udevd.service: restore mount propagation

On Tue, 27.01.15 23:20, Martin Pitt (martin.p...@ubuntu.com) wrote:

 Hey Lennart,
 
 Lennart Poettering [2015-01-27 22:46 +0100]:
  So I figure the bit that is missing here is the fact that the .device
  units for CD drives and USB card readers don't care for media sense right
  now.
 
 Indeed, I had a similar thought on my evening walk: This works well
 for USB sticks and the like, but the /dev/sr0 node for CDs always
 stays around after eject. IOW, you get a change event, not a remove
 one. This is also why the cleanup in udisks 1.x (probably) didn't
 actually work.
 
  However, I think it would make a ton of sense to change that, and set
  SYSTEMD_READY=0 on all block devices where the media sensing suggests
  that no medium is in it. This would mean that these devices don't show
  up as systemd units until you actually put a medium in it. That would
  be a change of semantics, but I think a useful one. 
 
 That sounds good indeed! I can sit down at qemu tomorrow and simulate
 some CD insertions/removals, and come up with an udev rule for this.

That would be great. It would really just be a matter of setting
SYSTEMD_READY=0 for block devices where media sense suggests that no
media is in the drive. Probably a one line fix...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Tue, 27.01.15 23:31, Lennart Poettering (lenn...@poettering.net) wrote:

 On Fri, 23.01.15 10:18, Martin Pitt (martin.p...@ubuntu.com) wrote:
 
  So perhaps the more robust fix would be to make the gpt generator not
  generate swap units if fstab already configures any swap device? I. e.
  auto-discovery and swaps in fstab are mutually exclusive then.
 
 Hmm, so there's something fishy here. systemd should already handle
 this nicely, and I thought I tested this successfully.
 
 The logic here is that when we enumerate through /proc/swaps we
 already check udev to not only then set the device listed in there to
 active, but also all .swap units that are defined by any of its
 symlink names. This means, activating a swap partition should result
 in a number of .swap devices to go active, not just one. THis is
 visible if you type systemctl -a -t swap, which should show a number
 of .device units for the same actual swap device...
 
 Now, if two jobs are queued to up a swap device, using different names
 for it, like an entry in fstab, and a GPT auto-discovered partition
 might do it, then this should mean that one of the jobs should be
 removed by the effect of the other, i.e. the later job should be
 immediately succeed, since the other job already caused the swap
 device to go active.
 
 There must be a bug somewhere with this... Any chance you can boot in
 debug mode and check how the .swap units change states during the
 boot, and when the jobs for it are enqueued?

Hmm, thinking a bit more about this. The problem is probably this one:
when the jobs are queued we cannot know that the devices they are
queued by are actually the same, hence both are queued. Now, if the
.device unit backing the two .swap units, both .swap units are
suddenly runnable, and hence systemd forks off swapon for both of them
immediately. it will then eventually see that both .swap devices are
now active from /proc/swaps, but at that time it already had forked
off both mkswap's, and one of them will then fail...

I wonder what we can do about this.

One approach could be to say that automatically discovered mounts and
swaps are always dispatched before the ones from /etc/fstab. By
serializing things it would be guaranteed that one of the mkswaps runs
first, thus brining up both .swap units, so that the second mkswap
would not be done, since the .swap would already be up...

That said, it would of course be nicer if we wouldn't have to
serialize here...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] timesyncd: tighten unit file

2015-01-27 Thread Cameron Norman

On Tue, Jan 27, 2015 at 1:16 PM, Lennart Poettering
lenn...@poettering.net wrote:
 On Tue, 27.01.15 19:47, Topi Miettinen (toiwo...@gmail.com) wrote:

 I'm not sure. Shouldn't we then ship a SELinux policy file then? Would
 you be interested in AppArmor profile for timesyncd, I have one? Also,
 if a distro uses weird SELinux policies or setuid helpers at every
 possible opportunity, shouldn't they have some responsibility of fixing
 their setup?

 Well, SELinux policy is managed in a central selinux policy database
 that is shipped in one big RPM. My selinux-fu is not good enough to
 maintain the policy file in systemd, and i am not sure this even is
 generic enough to be able to ship the same selinux policy that works
 across all distros that do selinux.

 If Apparmor policies are standardized and stand-alone enough, and
 there's a clear way to install them, and you are willing to look after
 it, then yes, I'd merge a patch that adds apparmor profiles to systemd
 upstream.

A good idea would be to set the apparmor profile(s) to warn-only mode
for some period of time, and then let distros patch (this would be a
one liner) that to be in enforce mode if they want to test it out.

One possible issue is that AppArmor profiles are installed in /etc.
Will that be a problem WRT the whole stateless system initiative, or
is it an acceptable exception to the only comments in /etc rule?

Cheers,
--
Cameron
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

2015-01-27 Thread Jóhann B. Guðmundsson



On 01/28/2015 12:24 AM, Lennart Poettering wrote:

On Tue, 27.01.15 17:17, Chris Murphy (li...@colorremedies.com) wrote:


 The problem is simply that we cannot know in advance that /dev/sda7
 and /dev/disk/by-uuid/c0e7978b-f82b-4b7f-b72b-6717f6909abc will
 eventually refer to the same device.


Are these just scary looking warnings?

It should be unproblematic, but it looks scary right now. The swapon
will only succeed once, and fail the second time, and that doesn't
look pretty, but the kernel should do the right thing and not get
confused by this.


I can confirm it does and I simply remove the swap entry in fstab to 
make it go away when I encountered it.


That said are there any real practical benefits of using swap et al in 
today's age or are people just still creating it out of habit?


JBG
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] sysv-generator: Replace Provides: symlinks with real units

On Wed, 21.01.15 19:56, Jóhann B. Guðmundsson (johan...@gmail.com) wrote:

 
 On 01/21/2015 03:43 PM, Zbigniew Jędrzejewski-Szmek wrote:
 On Wed, Jan 21, 2015 at 11:08:44AM +0100, Martin Pitt wrote:
 So I expect if it gets dropped upstream, a lot of distros (and all the
 major ones) will have to bring that back; it's IMHO better to just
 maintain it upstream by the distro maintainers.
 Exactly. Dropping it would be just busy work for everyone. General
 purpose distributions need to carry it for the forseeable future.
 
 That argument does not hold water since there are systemd and core/baseOS
 consumers that want the other side of that coin and have to patch out all
 the legacy stuff.
 
 Arguably upstream should be leading everybody into the future not dwelling
 on the past and having to maintain it in the process.

If you compile systemd and pass empty strings for the sysv rc and
scripts paths, then this turns off all sysv support in systemd, and
all that old cruft goes away. Today.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] failing boot start jobs delay reboot

On Mon, 19.01.15 17:59, Felix Miata (mrma...@earthlink.net) wrote:

 Has anything been done in more recent releases about this? I do a lot of
 cloning, and sometimes produce typos on grub cmdlines and fstab lines. This
 produces long delays in init followed by emergency mode when the
 non-essential mount fails and fstab for that device does not include the
 nofail option. When I recognize early in init that I have made a fstab typo,
 I try to CAD to choose another boot choice that isn't broken and fix the
 typo, but that produces yet another start job wait for the same broken job,
 often followed by a gazillion failed to save sound card state messages from
 holding down CAD.
 
 openSUSEes, Mageias  Fedoras (including Factories, Cauldrons  Rawhides)
 comprise most of my installations subject to these self-inflicted delays that
 I can't recall being a problem with sysvinit.

Hmm, so there has been a long-standing TODO list item to show some job
data when C-a-d is pressed 3 times within 1s, and reboot the machine
immediately on 3 times within 10s or so.  I figure that would already
make you happy?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] failing boot start jobs delay reboot

On Mon, 19.01.15 23:03, Felix Miata (mrma...@earthlink.net) wrote:

 Andrei Borzenkov composed on 2015-01-20 06:35 (UTC+0300):
 
  Mon, 19 Jan 2015 17:59:41 -0500 Felix Miata composed:
 
  Has anything been done in more recent releases about this? I do a lot of
  cloning, and sometimes produce typos on grub cmdlines and fstab lines. This
  produces long delays in init followed by emergency mode when the
  non-essential mount fails and fstab for that device does not include the
  nofail option. When I recognize early in init that I have made a fstab 
  typo,
  I try to CAD to choose another boot choice that isn't broken and fix the
  typo, but that produces yet another start job wait for the same broken job,
  often followed by a gazillion failed to save sound card state messages from
  holding down CAD.
 
  openSUSEes, Mageias  Fedoras (including Factories, Cauldrons  Rawhides)
  comprise most of my installations subject to these self-inflicted delays 
  that
  I can't recall being a problem with sysvinit.
 
  Self inflicted delays during boot or during Ctrl-Alt-Del? 
 
 Both. When they occur during init they repeat during shutdown. Even when I
 let init complete and succeed to fix the typo or oversight, the init failure
 gets remembered and repeated at shutdown. Often the start job is on account
 of a volume label that has been replaced, usually along with a UUID, because
 the clone is a partition on the same HD. Fedora is particularly frustrating
 by embedding dependent root volume label and not obeying root= on cmdline
 (openSUSE obeys root=). Those typos usually have to be fixed by chroot to run
 dracut.

Hmm, Fedora doesn't obey root=? That sounds like a bug. 

Harald?

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] failing boot start jobs delay reboot

On Wed, 28.01.15 02:02, Lennart Poettering (lenn...@poettering.net) wrote:

On Mon, 19.01.15 17:59, Felix Miata (mrma...@earthlink.net) wrote:

Has anything been done in more recent releases about this? I do a lot of
cloning, and sometimes produce typos on grub cmdlines and fstab lines. This
produces long delays in init followed by emergency mode when the
non-essential mount fails and fstab for that device does not include the
nofail option. When I recognize early in init that I have made a fstab typo,
I try to CAD to choose another boot choice that isn't broken and fix the
typo, but that produces yet another start job wait for the same broken job,
often followed by a gazillion failed to save sound card state messages from
holding down CAD.

openSUSEes, Mageias Fedoras (including Factories, Cauldrons Rawhides)
comprise most of my installations subject to these self-inflicted delays
that
I can't recall being a problem with sysvinit.

Hmm, so there has been a long-standing TODO list item to show some job
data when C-a-d is pressed 3 times within 1s, and reboot the machine
immediately on 3 times within 10s or so. I figure that would already
make you happy?

So, I actually implemented this now. Or actually, I only implemented
the part about C-A-D triggering a reboot. I picked 7x per 2s as limit
though, seemed easier to me.

It should be easy to extend this to show information about running
jobs after 3x too.

http://cgit.freedesktop.org/systemd/systemd/commit/?id=2e5c94b9aaefce46835b623e800cfc168995ea3f

Hope this is useful,

Lennart

--
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Making udev emit a signal when it is done loading modules

On Sat, 17.01.15 17:03, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

 On Sat, Jan 17, 2015 at 09:44:00AM +0100, Hans de Goede wrote:
  We would like
  udev to emit a signal (ABI to be discussed) when it is done
  trying to load modules for everything which was already enumerated
  when it starts, iow when there are no new device events pending
  anymore when udev does its initial hotplug replay.
 I think you can just create a unit like:
 
 # disable-new-hardware.service
 [Unit]
 After=systemd-udev-settle.service systemd-modules-load.service
 Wants=systemd-udev-settle.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/local/bin/ping-the-kernel
 
  So the question to you is would you be willing to include such
  functionality in udev?
 I don't think udevd has enough knowledge. But a systemd unit like
 the one above should work.

To clarify this: if people do this, then this pulls in
systemd-udev-settle.service, which slows down boot. Every service that
does that is hence a majour source of slowness. 

It's a hack to use this, not a solution. 

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [systemd-commits] 5 commits - man/journalctl.xml man/tmpfiles.d.xml src/console src/import src/journal src/libudev src/shared src/tmpfiles

On Sun, 18.01.15 16:13, Zbigniew Jędrzejewski-Szmek 
(zbys...@kemper.freedesktop.org) wrote:

 commit 302fbdf29eb0ad4ca1fe8ee18755edad7db11b37
 Author: Zbigniew J??drzejewski-Szmek zbys...@in.waw.pl
 Date:   Tue Jan 6 01:58:31 2015 -0500
 
 man: reindent tmpfiles.d(5)
 
 Reindent to 2 spaces, use more markup.

So, hmm, maybe we should make up our minds on this. Currently half ot
he man pages is 2ch indented, the other half 8ch indented. I would
prefer if all files would either be one or the other...

I can see why 8ch indenting is not as nice and useful for XML as it is
for C. So I'd be open to changing everything to 2ch. 

Maybe it's time to run some sed script over the man pages to fix
everything to 2ch?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Tue, Jan 27, 2015 at 5:28 PM, Jóhann B. Guðmundsson
johan...@gmail.com wrote:

 On 01/28/2015 12:24 AM, Lennart Poettering wrote:

 On Tue, 27.01.15 17:17, Chris Murphy (li...@colorremedies.com) wrote:

  The problem is simply that we cannot know in advance that /dev/sda7
  and /dev/disk/by-uuid/c0e7978b-f82b-4b7f-b72b-6717f6909abc will
  eventually refer to the same device.

 
 Are these just scary looking warnings?

 It should be unproblematic, but it looks scary right now. The swapon
 will only succeed once, and fail the second time, and that doesn't
 look pretty, but the kernel should do the right thing and not get
 confused by this.


 I can confirm it does and I simply remove the swap entry in fstab to make it
 go away when I encountered it.

 That said are there any real practical benefits of using swap et al in
 today's age or are people just still creating it out of habit?

For those who have hibernation working, it's needed. And there's a
case for it on baremetal servers, it's sometimes better that they slow
down instead of totally face planting. And it can be useful if you
don't have enough memory to do a full fsck on a large file system,
especially if swap is on an SSD it's not as slow as on a HDD. But
otherwise, maybe not.

Over on that other OS that begins with W, it looks like they aren't
using swap directly. Instead there's a separate Intel Rapid Start
specific partition (it has it's own GPT partition type GUID) that puts
some kind of hibernation like file there on normal shutdown. Cold boot
times are insanely fast, like 3-4 seconds from pushing the button.

-- 
Chris Murphy
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [systemd-commits] src/journal

On Mon, 19.01.15 10:43, Zbigniew Jędrzejewski-Szmek 
(zbys...@kemper.freedesktop.org) wrote:

  src/journal/journalctl.c |   28 ++--
  1 file changed, 14 insertions(+), 14 deletions(-)
 
 New commits:
 commit 40f0b71b063da6a36b8d7ec75ef20103abd18243
 Author: Zbigniew J??drzejewski-Szmek zbys...@in.waw.pl
 Date:   Mon Jan 19 13:42:34 2015 -0500
 
 journalctl: trim --help to fit in 80 columns
 
 Terminals tend to be 80 columns wide by default, and the help
 text is only supposed to be a terse reminder anyway.
 

Hmm, maybe we should add a test target to the makefile that runs all
our tools with --help and checks that the output it generates is
identical to the output pssed through fold -w 79 or so?

(I added this to the TODO list for now)

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 04/11] tmpfiles: attach an array of items to each path

On Mon, 19.01.15 01:20, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

 The data structure used by tmpfiles is changed: instead of hashmaps
 mapping {path → Item*} we now have hashmaps containing
 {path - ItemArray}, where ItemArray contains a pointer
 to an array of Items.

I figure one of those days we really should add a proper MultiHashmap
type or so, that can map one key to multiple values. There are quite a
few cases we could have used this so far, and this is the next one.

So far we usually resorted to using a hashmap that points to a linked
list of items, using the LIST_FIELDS macros for the list. That has the
nice effect that ignoring the list makes the this multi-map behave
exactly like a normal map, i.e. it points to one valid object...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] sysv-generator: Replace Provides: symlinks with real units

On Wed, 21.01.15 11:08, Martin Pitt (martin.p...@ubuntu.com) wrote:

 Hey Jóhann,
 
 Jóhann B. Guðmundsson [2015-01-21  9:59 +]:
  Seems like a corner case as administrator should fix himself by not backing
  up files in the /etc/init.d directory so arguably this broken behaviour is
  expect.
 
 With SysV init this isn't broken at all. As long as you don't
 actually enable the backup files in rcN.d/, this is perfectly valid.
 The effect is that systems with such backup files work fine under SysV
 init and even under systemd up to 218, but will fail to boot under
 systemd 219 onwards (i. e. with current master). I call this a
 regression.
 
  That said at one point or another we need to drop legacy sysv
  initscript support and have downstream the generator themselves if
  they intend on supporting legacy sysv initscripts.
 
 If upstream wants to drop it at some point that's their prerogative of
 course. I'd advise against it though, as LSB compliant systems need to
 support SysV init scripts, it's still the lowest common denoniator,
 and tons of third-party software still ship with init.d scripts. I. e.
 it's not enough to port the distro packages.

Just to clarify: I have zero intention to drop LSB script support
any time soon.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] sysv-generator: Replace Provides: symlinks with real units

On Wed, 21.01.15 10:46, Martin Pitt (martin.p...@ubuntu.com) wrote:

 A similar case can also happen if
 one init.d script Provides: the name of another init.d script
 (arguably this is at least questionable, but it might happen in
 practice -- e. g. /etc/init.d/mariad might very well Provides: mysql
 as it's kind of a drop-in replacement).
 
 I wrote some more tests which reproduce these failures, and a proposed
 patch. It's not exactly nice due to the TOCTOU (which shouldn't cause
 any practical problem though, it's just a bit unclean), but I can't
 think of a better solution which covers all corner cases.

I am not a fan of this stuff either. I really don't like the TOCTOU
behaviour I must say...

If this is really just about .bak, then we can add it to the list of
suffixes in hidden_files()...

I think a much better fix for all of this would be to first read in
all sysv scripts, and only then start creating aliases. So far we read
everything in, and while doing so already create symlinks, while
defering creation of the unit files to the end. If we moevd the
symlink creation part to the end too we could easily check in the sysv
script hashtable if we have a real script for a name before writing
out an alias symlink for this.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] failing boot start jobs delay reboot

On Tue, 20.01.15 11:24, Andrei Borzenkov (arvidj...@gmail.com) wrote:

   When they occur during init they repeat during shutdown. Even when 
  I
  let init complete and succeed to fix the typo or oversight, the init failure
  gets remembered and repeated at shutdown.
 
 Yes, that's the problem. For once, traditional workflow of
 
 - stop in emergency shell when mount fails
 - fix /etc/fstab
 - ^D to continue boot
 
 no more works, because /etc/fstab is not reevaluated so systemd will
 still try the same broken mount again. 

Yeah, systemd will require a systemctl daemon-reload first. It might
be a good idea if distros would mention that in a comment in the
default fstab file they install.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] timedated: support split usr v3

On Sun, 18.01.15 10:53, Shawn Landden (sh...@churchofgit.com) wrote:

 From: Shawn Paul Landden sh...@churchofgit.com
 
 The current Debian solution to this is really ugly, and I would rather
 have them use the correct patch even if split usr is dumb.

Again, I really don't grok what the point of this is. The right fix is
to mount /usr from the initrd. It's certainly not to add hacks to
systemd.

Sorry, but there's no way this will get in.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd-216 breaks combined ReadOnlyDirectories / ReadWriteDirectories

On Tue, 20.01.15 13:48, Reindl Harald (h.rei...@thelounge.net) wrote:

 after upgrade to Fedora 21 with new systemd namespaces like below no longer
 works which breaks *all my systemd-units*
 
 why?
 
 ReadOnlyDirectories=/var/lib
 ReadWriteDirectories=/var/lib/mysql

I cannot reproduce this issue with systemd upstream. This appears to
work fine. Any chance you can try to reproduce this with current
upstream?

Do you have any other namespace-related settings in the unit file that
triggers this? Like ProtectSystem= or so? Can you paste the entire
unit file?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] logind vs CAP_SYS_ADMIN-lessness

Am 27.01.2015 um 14:46 schrieb Lennart Poettering:
 Note that $container_ttys= is actually just a frontend for dynamically
 instantiating console-getty@.service instances for the specified
 ptys. You can just enable them statically too.

No, I can't, because you only support PTY numbers in that interface and
I can't predict which ones will get assigned. Oh, I see now, I can use
../ in the statically enabled, and that actually works. If I now combine
that with LXC's feature to add a subdir to the ttys, I can do the following:

 - tell LXC to create /dev/lxc/ttyN instead
 - statically enable container-getty@..-lxc-ttyN.service
 - just tried it: works

Thanks!

Christian

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Examples in man pages

Just a heads-up: while reading the Unwants thread I noticed that
dependencies are the only types of lists in unit files that can't be
reset, so my example in there actually doesn't work, so please don't
commit my patch just now. I'm writing more examples and will resubmit
anyway.

Christian

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

On Tue, Jan 27, 2015 at 01:36:41PM +0100, Lennart Poettering wrote:
 On Thu, 22.01.15 13:54, Dimitri John Ledkov (dimitri.j.led...@intel.com) 
 wrote:
 
  Is there a way to remove / override wants that are specified via
  .wants directory, .d snippet with Wants=, or wants specified in the
  unit itself?
 
 Dependencies are always additive and coalescing currently. We don't
 track which configuration file or automatic logic created which
 dependency, and hence it is not really possible right now do reset the
 list of dependencies: we wouldn't know what to reset and what
 not. Note that in many cases dependencies can be created from both
 sides, and if A wants some dependency on B, and B also wants it from
 A, then we coalesce it one. If now some configuration in A wants to
 reset its setting, what do we do with the request from B?
Yes, I think attempting any kind of dependency removal *from loaded
units* would be very complicated, and would require major surgery to
current unit engine. And things would become conceptually more complicated,
which we certainly don't need.

But masking of .wants/ links is something different I think. It is a
*localized* modification to a single configuration file. We currently
allow overridding of almost all configuration (units files, files in
.d directories, recently even generators), but .wants and .requires
are an exception. I think we should allow this. Apart from current
use case, it would things more consistent for the user.

For --user mode this is actually the only unprivileged way to achieve
complete overriding of system supplied units, so I'm convinced we
should allow this.

Zbyszek




 When we designed this initially this way I wasn't sure this would
 suffice, but I kinda like the simplicity of this, and interestingly
 you are the first one who wants to reset dependencies again. Which
 makes me wonder if we canot find a better solution for this?
 
  I thought that creating a symlink to /dev/null from a higher up
  directory would disable wants dependency but it didn't:
  
  e.g.:
  I was expecting for
  /run/systemd/system/getty.target.wants/getty@tty1.service -
  /dev/null
 
 Wat precisely is the reason for trying to do this? What are you trying
 to do here, and why?


 
  So, is there a way to unwant something, as an override?
 
 Nope, currently there isn't.
 
 Lennart
 
 -- 
 Lennart Poettering, Red Hat
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

Am 27.01.2015 um 15:45 schrieb Zbigniew Jędrzejewski-Szmek:
 On Tue, Jan 27, 2015 at 01:36:41PM +0100, Lennart Poettering wrote:
 Dependencies are always additive and coalescing currently. We don't
 track which configuration file or automatic logic created which
 dependency, and hence it is not really possible right now do reset the
 list of dependencies: we wouldn't know what to reset and what
 not. Note that in many cases dependencies can be created from both
 sides, and if A wants some dependency on B, and B also wants it from
 A, then we coalesce it one. If now some configuration in A wants to
 reset its setting, what do we do with the request from B?
 Yes, I think attempting any kind of dependency removal *from loaded
 units* would be very complicated, and would require major surgery to
 current unit engine. And things would become conceptually more complicated,
 which we certainly don't need.
 
 But masking of .wants/ links is something different I think. It is a
 *localized* modification to a single configuration file. We currently
 allow overridding of almost all configuration (units files, files in
 .d directories, recently even generators), but .wants and .requires
 are an exception. I think we should allow this. Apart from current
 use case, it would things more consistent for the user.

Additionally, not considering .wants/ but drop-ins: currently, all[*]
lists except dependencies can be overridden in drop-ins by resetting
them first. So if I write
ConditionPathExists=/foo
in the unit file, and then
ConditionPathExists=
ConditionPathExists=/bar
in a snippet, that will work as expected. Not so for dependencies.

The problem here is I think a bit in the parsing logic: when parsing a
unit file, dependencies are immediately added to the unit in question.

If you were to first collect them as a set and then only after all
drop-ins / etc. of a unit file are parsed you would add them to the
unit's dependencies, this would immediately solve the problem.

Also note that if b.service as Before=a.service, I would NOT expect and
empty After= in a.service to override that, it would be weird. This is
another good reason to first collect stuff locally (and only do
overrides on that level) before adding the global state at the end of
parsing.

Or to put it this way: if you take the following things:
 - the unit file itself
 - all drop-ins
 - all .requires.d/
 - all .wants.d/
you could combine them (according to precedence rules) to a single large
unit file and only then process that. This is at least what I think is
a good way to model this, and that's how I modeled it in my head as a
user before I looked at the code, when I realized that that's not the
case. If you make the code work in a way that respects that model, I
think that a lot of things about overrides become much more consistent.

Just my 2 cents.

Christian

[*] Probably, I haven't checked. ;-)

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] timesyncd: tighten unit file

On Tue, 27.01.15 21:58, Topi Miettinen (toiwo...@gmail.com) wrote:

  Well, to enable stateless systems I think it is a good idea to write
  services in a way that they can rebuild what they need in /var on
  their own, should it be missing, so that /var can be flushed out and
  things will just work when the machine is then booted again.
  
  All our daemons are written in a style where /var is reconstructed
  implicitly if it is missing, and timesyncd really should work the same
  way.
 
 Nice, but the directories could be created with tmpfiles.d then?

Well, we could. But I really like robust deamons that just work on
their own, I must say...

  Well, the way I read the paragraph above if we set PR_SET_NO_NEW_PRIVS
  after forking, but before execing systemd-timesyncd, and that binary
  has an selinux label on it, that the selinux label would be ignore,
  and things would continue to run with the same label as we forked
  off. This pretty much renders SELinux usesless, since all services
  where we set the bit for would then run as init_t... and that's
  something we really shouldn't do.
 
 seccomp_filter.txt on the other hand says that
 Prior to use, the task must call prctl(PR_SET_NO_NEW_PRIVS, 1) or
 run with CAP_SYS_ADMIN privileges in its namespace.  If these are not
 true, -EACCES will be returned.  This requirement ensures that filter
 programs cannot be applied to child processes with greater privileges
 than the task that installed them.
 
 Does this mean that SELinux and seccomp are mutually exclusive? Awful
 design if so.

Well, no it doesn't mean that. If systemd sets up a seccomp filter it
has CAP_SYS_ADMIN, hence all is good. And it can leave
PR_SET_NO_NEW_PRIVS off, and thus not break selinux.

  If Apparmor policies are standardized and stand-alone enough, and
  there's a clear way to install them, and you are willing to look after
  it, then yes, I'd merge a patch that adds apparmor profiles to systemd
  upstream.
 
 Well, I'm no expert on AppArmor policies. This is what I have:
 
 #include tunables/global
 
 /lib/systemd/systemd-timesyncd {
   #include abstractions/nameservice
 
   capability setgid,
   capability setuid,
   capability sys_time,
   capability setpcap,

this is missing the three fs related caps at least...

   /etc/ld.so.cache r,
   /etc/systemd/timesyncd.conf r,
   /lib/systemd/systemd-timesyncd mr,
   /lib/x86_64-linux-gnu/libattr.so.* mr,
   /lib/x86_64-linux-gnu/libc-*.so mr,
   /lib/x86_64-linux-gnu/libcap.so.* mr,
   /lib/x86_64-linux-gnu/libm-*.so mr,
   /lib/x86_64-linux-gnu/libnsl-*.so mr,
   /lib/x86_64-linux-gnu/libpthread-*.so mr,
   /lib/x86_64-linux-gnu/libresolv-*.so mr,
   /proc/cmdline r,
   /proc/sys/kernel/random/boot_id r,
   /run/systemd/netif/state r,

This is not sufficient, as it also wants to read the networkd
confguration, to get NTP servers from it, if networkd is running.

Anyway, if this is cleaned up, and overlooked by somebody who knows
apparmor, and is properly installed by automake, i'd take a patch for
this. However, as i have no clue of Apparmor and can't test this I'd
fully rely on contributions for this one.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] systemd-udevd.service: restore mount propagation

On Tue, 27.01.15 23:33, Martin Pitt (martin.p...@ubuntu.com) wrote:

 Lennart Poettering [2015-01-27 22:46 +0100]:
  However, I think it would make a ton of sense to change that, and set
  SYSTEMD_READY=0 on all block devices where the media sensing suggests
  that no medium is in it.
 
 Thinking about it again, we already know that this rule in
 60-cdrom_id.rules still works:
 
 ENV{DISK_EJECT_REQUEST}==?*, RUN+=cdrom_id --eject-media $devnode, 
 GOTO=cdrom_end
 
 Could we not simply add the ENV{SYSTEMD_READY}=0 there, and then
 reset it (to 1) in the following rule?

Well, in that case it would only be set when somebody actually
presses the eject button. I am pretty sure though we should also set
the flag when a cdrom drive appears first and has no medium in it...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

2015-01-27 Thread Jóhann B. Guðmundsson



On 01/27/2015 10:48 PM, Lennart Poettering wrote:

Another idea might be to simply accept that activating the swap by two
names at the same time can happen concurrently, and teach mkswap in
some way to handle this gracefully.

For example, mkswap could learn a new switch --idempotent or so, which
we could always pass from systemd. If set and if activating the swap
fails with EBUSY because the swap is already activated it would eat
that up and return success.


Is not the problem here that we are using two generators to parse this?


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Tue, 27.01.15 23:48, Lennart Poettering (lenn...@poettering.net) wrote:

  That said, it would of course be nicer if we wouldn't have to
  serialize here...
 
 Another idea might be to simply accept that activating the swap by two
 names at the same time can happen concurrently, and teach mkswap in
 some way to handle this gracefully.
 
 For example, mkswap could learn a new switch --idempotent or so, which
 we could always pass from systemd. If set and if activating the swap
 fails with EBUSY because the swap is already activated it would eat
 that up and return success. 

I implemented a different logic now:

http://cgit.freedesktop.org/systemd/systemd/commit/?id=37cf8fee46025d704660a9fc1d1349fe7d0b139d

With this change we'll now dispatch only one mkswap per device node,
regardless which symlinked alias is used to refer to it. I have only
given this very light testing, and I am not sure this solves the
original problem you reported, hence I'd be thankful if you could
check if this makes the problem go away.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH v3] sysv-generator: Handle .sh suffixes when translating Provides:

Lennart Poettering [2015-01-27 23:11 +0100]:
 Which one is the other one you refer to?

That was

  http://lists.freedesktop.org/archives/systemd-devel/2015-January/027249.html

Martin
-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Tue, 27.01.15 23:40, Lennart Poettering (lenn...@poettering.net) wrote:

 On Tue, 27.01.15 23:31, Lennart Poettering (lenn...@poettering.net) wrote:
 
  On Fri, 23.01.15 10:18, Martin Pitt (martin.p...@ubuntu.com) wrote:
  
   So perhaps the more robust fix would be to make the gpt generator not
   generate swap units if fstab already configures any swap device? I. e.
   auto-discovery and swaps in fstab are mutually exclusive then.
  
  Hmm, so there's something fishy here. systemd should already handle
  this nicely, and I thought I tested this successfully.
  
  The logic here is that when we enumerate through /proc/swaps we
  already check udev to not only then set the device listed in there to
  active, but also all .swap units that are defined by any of its
  symlink names. This means, activating a swap partition should result
  in a number of .swap devices to go active, not just one. THis is
  visible if you type systemctl -a -t swap, which should show a number
  of .device units for the same actual swap device...
  
  Now, if two jobs are queued to up a swap device, using different names
  for it, like an entry in fstab, and a GPT auto-discovered partition
  might do it, then this should mean that one of the jobs should be
  removed by the effect of the other, i.e. the later job should be
  immediately succeed, since the other job already caused the swap
  device to go active.
  
  There must be a bug somewhere with this... Any chance you can boot in
  debug mode and check how the .swap units change states during the
  boot, and when the jobs for it are enqueued?
 
 Hmm, thinking a bit more about this. The problem is probably this one:
 when the jobs are queued we cannot know that the devices they are
 queued by are actually the same, hence both are queued. Now, if the
 .device unit backing the two .swap units, both .swap units are
 suddenly runnable, and hence systemd forks off swapon for both of them
 immediately. it will then eventually see that both .swap devices are
 now active from /proc/swaps, but at that time it already had forked
 off both mkswap's, and one of them will then fail...
 
 I wonder what we can do about this.
 
 One approach could be to say that automatically discovered mounts and
 swaps are always dispatched before the ones from /etc/fstab. By
 serializing things it would be guaranteed that one of the mkswaps runs
 first, thus brining up both .swap units, so that the second mkswap
 would not be done, since the .swap would already be up...
 
 That said, it would of course be nicer if we wouldn't have to
 serialize here...

Another idea might be to simply accept that activating the swap by two
names at the same time can happen concurrently, and teach mkswap in
some way to handle this gracefully.

For example, mkswap could learn a new switch --idempotent or so, which
we could always pass from systemd. If set and if activating the swap
fails with EBUSY because the swap is already activated it would eat
that up and return success. 

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Tue, 27.01.15 23:29, Jóhann B. Guðmundsson (johan...@gmail.com) wrote:

 
 On 01/27/2015 10:48 PM, Lennart Poettering wrote:
 Another idea might be to simply accept that activating the swap by two
 names at the same time can happen concurrently, and teach mkswap in
 some way to handle this gracefully.
 
 For example, mkswap could learn a new switch --idempotent or so, which
 we could always pass from systemd. If set and if activating the swap
 fails with EBUSY because the swap is already activated it would eat
 that up and return success.
 
 Is not the problem here that we are using two generators to parse this?

No, not at all.

The problem is simply that we cannot know in advance that /dev/sda7
and /dev/disk/by-uuid/c0e7978b-f82b-4b7f-b72b-6717f6909abc will
eventually refer to the same device. We hence have to enqueue jobs to
activate both, but finally, when the device actually appears and we
realize both names actually refer to the same device, we need to
handle this gracefully, instead of actually invoking mkswap on both of
them.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] timesyncd: tighten unit file

On Tue, 27.01.15 15:12, Cameron Norman (camerontnor...@gmail.com) wrote:

 Lennart: if you really want to test the profile, you just need to spin
 up an OpenSuSE, Ubuntu, or Debian VM (on debian you need to install
 and enable apparmor, which takes a short while).

Well, I have no personal interest in AppArmor, and I really have
enough stuff to do. If AA shall be supported in systemd, then I am
happy to merge stuff for it, if it is reviewed properly, but I am not
the one to test it. Sorry...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] systemd-udevd.service: restore mount propagation

Lennart Poettering [2015-01-27 22:46 +0100]:
 However, I think it would make a ton of sense to change that, and set
 SYSTEMD_READY=0 on all block devices where the media sensing suggests
 that no medium is in it.

Thinking about it again, we already know that this rule in
60-cdrom_id.rules still works:

ENV{DISK_EJECT_REQUEST}==?*, RUN+=cdrom_id --eject-media $devnode, 
GOTO=cdrom_end

Could we not simply add the ENV{SYSTEMD_READY}=0 there, and then
reset it (to 1) in the following rule?

Martin

-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Tue, Jan 27, 2015 at 5:05 PM, Lennart Poettering
lenn...@poettering.net wrote:
 On Tue, 27.01.15 23:29, Jóhann B. Guðmundsson (johan...@gmail.com) wrote:


 On 01/27/2015 10:48 PM, Lennart Poettering wrote:
 Another idea might be to simply accept that activating the swap by two
 names at the same time can happen concurrently, and teach mkswap in
 some way to handle this gracefully.
 
 For example, mkswap could learn a new switch --idempotent or so, which
 we could always pass from systemd. If set and if activating the swap
 fails with EBUSY because the swap is already activated it would eat
 that up and return success.

 Is not the problem here that we are using two generators to parse this?

 No, not at all.

 The problem is simply that we cannot know in advance that /dev/sda7
 and /dev/disk/by-uuid/c0e7978b-f82b-4b7f-b72b-6717f6909abc will
 eventually refer to the same device.

Are these just scary looking warnings? Or is swapon actually listing
the same device twice, as if it's activated twice? That'd seem to be a
bug. What if the fstab listed the same swap twice, either duplicate
lines or one line with /dev/sdXY and one line with UUID for the same
device?

I thought /dev/sdXY is considered sufficiently unreliable that it
shouldn't be used for static configuration files anymore.?

Patient: Doctor, when I bend my arm like this it hurts!
Doctor: I suggest not bending your arm that way.

It's probably not what people want to hear because it doesn't really
solve the problem, but the problem is created by an unreliable
practice in the first place.

-- 
Chris Murphy
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] systemd-udevd.service: restore mount propagation

Hey Lennart,

Lennart Poettering [2015-01-27 22:46 +0100]:
 So I figure the bit that is missing here is the fact that the .device
 units for CD drives and USB card readers don't care for media sense right
 now.

Indeed, I had a similar thought on my evening walk: This works well
for USB sticks and the like, but the /dev/sr0 node for CDs always
stays around after eject. IOW, you get a change event, not a remove
one. This is also why the cleanup in udisks 1.x (probably) didn't
actually work.

 However, I think it would make a ton of sense to change that, and set
 SYSTEMD_READY=0 on all block devices where the media sensing suggests
 that no medium is in it. This would mean that these devices don't show
 up as systemd units until you actually put a medium in it. That would
 be a change of semantics, but I think a useful one. 

That sounds good indeed! I can sit down at qemu tomorrow and simulate
some CD insertions/removals, and come up with an udev rule for this.

Martin
-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Fri, 23.01.15 10:18, Martin Pitt (martin.p...@ubuntu.com) wrote:

 So perhaps the more robust fix would be to make the gpt generator not
 generate swap units if fstab already configures any swap device? I. e.
 auto-discovery and swaps in fstab are mutually exclusive then.

Hmm, so there's something fishy here. systemd should already handle
this nicely, and I thought I tested this successfully.

The logic here is that when we enumerate through /proc/swaps we
already check udev to not only then set the device listed in there to
active, but also all .swap units that are defined by any of its
symlink names. This means, activating a swap partition should result
in a number of .swap devices to go active, not just one. THis is
visible if you type systemctl -a -t swap, which should show a number
of .device units for the same actual swap device...

Now, if two jobs are queued to up a swap device, using different names
for it, like an entry in fstab, and a GPT auto-discovered partition
might do it, then this should mean that one of the jobs should be
removed by the effect of the other, i.e. the later job should be
immediately succeed, since the other job already caused the swap
device to go active.

There must be a bug somewhere with this... Any chance you can boot in
debug mode and check how the .swap units change states during the
boot, and when the jobs for it are enqueued?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] timesyncd: tighten unit file

2015-01-27 Thread Cameron Norman

On Tue, Jan 27, 2015 at 1:58 PM, Topi Miettinen toiwo...@gmail.com wrote:

 Well, I'm no expert on AppArmor policies. This is what I have:

 #include tunables/global

 /lib/systemd/systemd-timesyncd {

I am not sure how that would be done, but this needs to handle
timesyncd being in /usr/lib/systemd as well as /lib.

Also, adding `flags=(complain)` just before the curly brace puts the
profile into complain mode by default.

   #include abstractions/nameservice

   capability setgid,
   capability setuid,
   capability sys_time,
   capability setpcap,

   /etc/ld.so.cache r,
   /etc/systemd/timesyncd.conf r,
   /lib/systemd/systemd-timesyncd mr,
   /lib/x86_64-linux-gnu/libattr.so.* mr,
   /lib/x86_64-linux-gnu/libc-*.so mr,
   /lib/x86_64-linux-gnu/libcap.so.* mr,
   /lib/x86_64-linux-gnu/libm-*.so mr,
   /lib/x86_64-linux-gnu/libnsl-*.so mr,
   /lib/x86_64-linux-gnu/libpthread-*.so mr,
   /lib/x86_64-linux-gnu/libresolv-*.so mr,

Use the variable `@{multiarch}` in place of `x86...`. Also, it is
probably desirable to add `{,usr/}` between the / and lib in these
lines for distros like Arch that have made the /usr merge.

   /proc/cmdline r,
   /proc/sys/kernel/random/boot_id r,

@{PROC} rather than /proc, so `@{PROC/cmdline r,`.

   /run/systemd/netif/state r,

I have seen compatibility for pre-/run distros (i.e. adding `{,var/}`
before the run but after the slash), but probably not relevant for a
systemd daemon.

   /var/lib/systemd/clock w,
 }

Then post to appar...@lists.ubuntu.com asking for a review.

Lennart: if you really want to test the profile, you just need to spin
up an OpenSuSE, Ubuntu, or Debian VM (on debian you need to install
and enable apparmor, which takes a short while).

Cheers,
--
Cameron Norman
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] timesyncd: tighten unit file

On Tue, 27.01.15 14:58, Cameron Norman (camerontnor...@gmail.com) wrote:

 On Tue, Jan 27, 2015 at 1:16 PM, Lennart Poettering
 lenn...@poettering.net wrote:
  On Tue, 27.01.15 19:47, Topi Miettinen (toiwo...@gmail.com) wrote:
 
  I'm not sure. Shouldn't we then ship a SELinux policy file then? Would
  you be interested in AppArmor profile for timesyncd, I have one? Also,
  if a distro uses weird SELinux policies or setuid helpers at every
  possible opportunity, shouldn't they have some responsibility of fixing
  their setup?
 
  Well, SELinux policy is managed in a central selinux policy database
  that is shipped in one big RPM. My selinux-fu is not good enough to
  maintain the policy file in systemd, and i am not sure this even is
  generic enough to be able to ship the same selinux policy that works
  across all distros that do selinux.
 
  If Apparmor policies are standardized and stand-alone enough, and
  there's a clear way to install them, and you are willing to look after
  it, then yes, I'd merge a patch that adds apparmor profiles to systemd
  upstream.
 
 A good idea would be to set the apparmor profile(s) to warn-only mode
 for some period of time, and then let distros patch (this would be a
 one liner) that to be in enforce mode if they want to test it out.
 
 One possible issue is that AppArmor profiles are installed in /etc.
 Will that be a problem WRT the whole stateless system initiative, or
 is it an acceptable exception to the only comments in /etc rule?

Well, there's support for copying data from /usr to /etc on first boot
using tmpfile's C lines. However, that's supposed to be used only
as temporarily glue. Ideally all softare would work fine without /etc
around and do the right thing on its own. Also, apparmor probably
should operate before tmpfiles has run.

So yeah, apparmor working like that is not compatible withe stateless
systems that shall be able to boot up without /etc around.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] ConditionNeedsUpdate date comparison

2015-01-27 Thread Umut Tezduyar Lindskog

Hi,

On Tue, Jan 27, 2015 at 1:35 AM, Lennart Poettering
lenn...@poettering.net wrote:
 On Mon, 26.01.15 14:00, Umut Tezduyar Lindskog (u...@tezduyar.com) wrote:

 Hi,

 condition_test_needs_update() wants the timestamp of /usr to be newer
 than what is being checked.

 Is there a reason why we don't check for /usr !=
 Condition.parameter?

 Well, when I hacked that up, I didn't think of this case.

 What are you saying ConditionNeedsUpdate=/usr is supposed to even
 mean?

We are not on the same page. I never meant ConditionNeedsUpdate=/usr.


 Not that we explicitly document that /etc and /var are the only valid
 parameters currently (because we only manage those stamp
 files with systemd-update-done.service). Hence,
 ConditionNeedsUpdate=/usr is undefined currently, and it's not clear
 to me what is should mean?

 It makes sense to check for /usr  Condition.parameter in a package
 managed linux but our embedded system is upgrading the entire /usr
 partition.

 ConditionNeedsUpdate=/etc is working fine when we upgrade our image
 but it fails when we downgrade it since the timestamp of /usr is older
 than /etc/.updated.

 Well, this stuf is not intended to support downgrades. I don't think
 that can ever work...

 But anyway, I don't really understand what you are trying to say I
 must admit. Could you please elaborate?

Sure.

Pretty much what I am saying is we wan't to use
ConditionNeedsUpdate=/etc for downgrade case. Why do you think it
won't work?

Instead of IF time(/usr)  time(/etc/.updated), we can check IF
time(/usr) != time(/etc/.updated).

Umut



 Lennart

 --
 Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [systemd-commits] src/journal

On Wed, 28.01.15 03:47, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

 On Wed, Jan 28, 2015 at 01:53:17AM +0100, Lennart Poettering wrote:
  On Mon, 19.01.15 10:43, Zbigniew Jędrzejewski-Szmek 
  (zbys...@kemper.freedesktop.org) wrote:
  
src/journal/journalctl.c |   28 ++--
1 file changed, 14 insertions(+), 14 deletions(-)
   
   New commits:
   commit 40f0b71b063da6a36b8d7ec75ef20103abd18243
   Author: Zbigniew J??drzejewski-Szmek zbys...@in.waw.pl
   Date:   Mon Jan 19 13:42:34 2015 -0500
   
   journalctl: trim --help to fit in 80 columns
   
   Terminals tend to be 80 columns wide by default, and the help
   text is only supposed to be a terse reminder anyway.
   
  
  Hmm, maybe we should add a test target to the makefile that runs all
  our tools with --help and checks that the output it generates is
  identical to the output pssed through fold -w 79 or so?
  
  (I added this to the TODO list for now)
 
 Done.

Hmm, your commit checks for 80 chars, right? Shouldn't we rather check
for 79? Many terminals that are 80 chars wide will leave one line free
if you output 80 consecutive chars plus one newline...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [systemd-commits] src/journal

On Wed, Jan 28, 2015 at 03:50:42AM +0100, Lennart Poettering wrote:
 On Wed, 28.01.15 03:47, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
 
  On Wed, Jan 28, 2015 at 01:53:17AM +0100, Lennart Poettering wrote:
   On Mon, 19.01.15 10:43, Zbigniew Jędrzejewski-Szmek 
   (zbys...@kemper.freedesktop.org) wrote:
   
 src/journal/journalctl.c |   28 ++--
 1 file changed, 14 insertions(+), 14 deletions(-)

New commits:
commit 40f0b71b063da6a36b8d7ec75ef20103abd18243
Author: Zbigniew J??drzejewski-Szmek zbys...@in.waw.pl
Date:   Mon Jan 19 13:42:34 2015 -0500

journalctl: trim --help to fit in 80 columns

Terminals tend to be 80 columns wide by default, and the help
text is only supposed to be a terse reminder anyway.

   
   Hmm, maybe we should add a test target to the makefile that runs all
   our tools with --help and checks that the output it generates is
   identical to the output pssed through fold -w 79 or so?
   
   (I added this to the TODO list for now)
  
  Done.
 
 Hmm, your commit checks for 80 chars, right? Shouldn't we rather check
 for 79? Many terminals that are 80 chars wide will leave one line free
 if you output 80 consecutive chars plus one newline...
Are you sure? I though this was fixed already.
A quick test with the linux console, urxvt, konsole, systemd-subterm,
and xterm all DTRT.

Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Mon, Jan 26, 2015 at 10:08:02AM +0100, Martin Pitt wrote:
 Peter Mattern [2015-01-23 14:03 +0100]:
  According to man 
  (http://www.freedesktop.org/software/systemd/man/systemd-gpt-auto-generator.html,
  see section Description) systemd-gpt-auto-generator is supposed to behave
  like this by now already.
 
 Supposed yes, but I don't see anything in gpt-auto-generator.c which
 would actually check fstab. The only check I see is
 path_is_mount_point() in probe_and_add_mount(), but as the generators
 all run during very early boot where most of the mounts did not happen
 yet, this doesn't help.
What the man page really means is that if you have a units with the same
name, the one from the generator will have lower priority. Unfortunately
does not help at all for the case at hand.

Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] root= ignored (was: failing boot start jobs delay reboot)

On Tue, Jan 27, 2015 at 10:58 PM, Felix Miata mrma...@earthlink.net wrote:
 Lennart Poettering composed on 2015-01-28 02:03 (UTC+0100):

 Felix Miata wrote:

 Both. When they occur during init they repeat during shutdown. Even when I
 let init complete and succeed to fix the typo or oversight, the init failure
 gets remembered and repeated at shutdown. Often the start job is on account
 of a volume label that has been replaced, usually along with a UUID, because
 the clone is a partition on the same HD. Fedora is particularly frustrating
 by embedding dependent root volume label and not obeying root= on cmdline
 (openSUSE obeys root=). Those typos usually have to be fixed by chroot to 
 run
 dracut.

 Hmm, Fedora doesn't obey root=? That sounds like a bug.

I'm not sure what it means, Fedora doesn't obey root=. Since a long
time it uses root=UUID= and this has worked for me.


 I think it's only a problem due to Fedora's configuration of its Dracut
 hostonly option used by default. AFAICR, its rescue initrds have always
 worked.

The problem(s) with Fedora rescue initramfs:

1. It behaves differently depending on whether its /lib/modules have
been deleted because the originally installed kernel has been removed
due to yum.conf  installonly_limit=3 being reached. If deleted, user
gets dropped to a dracut prompt. And if not they get a complete boot
to a login prompt. It's better than a kernel panic, but the
inconsistency is not a good UX.

2. rescue is a generic term, but this nohostonly initramfs is really
meant to get a close to full boot when changing hardware such that the
hostonly initramfs does't work. So the use case is not really rescue.

3. A user might think rescue is for fsck or something basic. But
that can be done with rd.break=cmdline it doesn't require the rescue
initramfs.

4. Confusion with rescue.target and emergency.target. Both of which
require a root password, and Fedora now doesn't require a root
password at install or setup time, so the user can actually get stuck
being unable to access rdsosreport.txt because they can't login.

So... it's slightly ickey right now for these edge cases. Anyway, room
for improvement.

-- 
Chris Murphy
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Tue, Jan 27, 2015 at 8:19 PM, Zbigniew Jędrzejewski-Szmek
zbys...@in.waw.pl wrote:
 You also need swap if you want to use all of your memory. If you have
 no swap, allocating close to 100% RAM becomes very dangerous, because
 any overflow will result in oom.

Yes that makes sense too. Maybe zram will work out such that it
effectively slows things to a craw until pressure instead of
implosion, and swap on disk can mostly be obviated for the ordinary
cases.

-- 
Chris Murphy
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Swap gets activated twice (through fstab and gpt generators)

On Tue, Jan 27, 2015 at 10:25:32PM -0700, Chris Murphy wrote:
 On Tue, Jan 27, 2015 at 8:19 PM, Zbigniew Jędrzejewski-Szmek
 zbys...@in.waw.pl wrote:
  You also need swap if you want to use all of your memory. If you have
  no swap, allocating close to 100% RAM becomes very dangerous, because
  any overflow will result in oom.
 
 Yes that makes sense too. Maybe zram will work out such that it
 effectively slows things to a craw until pressure instead of
 implosion, and swap on disk can mostly be obviated for the ordinary
 cases.
Certainly not for all cases. zram can give compression on the order of 50%
max, so it allows you to trade some CPU for RAM, but does not help at all
for the case I described, since my data is noncompressible and cpus are
maxed out anyway.

Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] root= ignored (was: failing boot start jobs delay reboot)

2015-01-27 Thread Felix Miata

Lennart Poettering composed on 2015-01-28 02:03 (UTC+0100):

 Felix Miata wrote:

 Both. When they occur during init they repeat during shutdown. Even when I
 let init complete and succeed to fix the typo or oversight, the init failure
 gets remembered and repeated at shutdown. Often the start job is on account
 of a volume label that has been replaced, usually along with a UUID, because
 the clone is a partition on the same HD. Fedora is particularly frustrating
 by embedding dependent root volume label and not obeying root= on cmdline
 (openSUSE obeys root=). Those typos usually have to be fixed by chroot to run
 dracut.

 Hmm, Fedora doesn't obey root=? That sounds like a bug. 

I think it's only a problem due to Fedora's configuration of its Dracut
hostonly option used by default. AFAICR, its rescue initrds have always
worked. I can't remember now, but it may possibly be Mageia with hostonly
enabled disobeys root= too, locking onto root's UUID when the initrd was
built. It's never been a problem I've observed in openSUSE, which let dracut
evolve a lot longer before switching to it from mkinitrd.

 Harald?
-- 
The wise are known for their understanding, and pleasant
words are persuasive. Proverbs 16:21 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH v2 2/2] systemd.service(5): add some simple examples

Add a couple of exampels, at least one for each service type that
include some explanations and pointers to various relevant options.
---
 man/systemd.service.xml | 332 
 1 file changed, 332 insertions(+)

diff --git a/man/systemd.service.xml b/man/systemd.service.xml
index 4c890df..5ccbba0 100644
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@@ -1358,6 +1358,338 @@ ExecStart=/bin/echo $ONE $TWO $THREE/programlisting
 /refsect1
 
 refsect1
+titleExamples/title
+
+example
+titleSimple service/title
+
+paraThe following unit file creates a service
+that will execute
+filename/usr/sbin/foo-daemon/filename.
+Since no varnameType=/varname is specified,
+the default
+varnameType=/varnameoptionsimple/option
+will be assumed. systemd will assume the unit
+to be started immediately after the program has
+begun executing./para
+
+programlisting[Unit]
+Description=Foo
+
+[Service]
+ExecStart=/usr/sbin/foo-daemon
+
+[Install]
+WantedBy=multi-user.target/programlisting
+
+paraNote that systemd assumes here that the
+program will continue running in the foreground
+as long as it's active. If the program
+backgrounds/daemonizes/forks itself, please use
+varnameType=/varnameoptionforking/option
+instead./para
+
+paraSince no varnameExecStop=/varname was
+specified, systemd will send SIGTERM to all
+processes started from this service, and after
+a timeout also SIGKILL. This behavior can be
+modified, see
+
citerefentryrefentrytitlesystemd.kill/refentrytitlemanvolnum5/manvolnum/citerefentry
+for details./para
+
+paraNote that this unit type does not include
+any type of notification when a service has
+completed initialization. For this, you should
+use other unit types, such as
+varnameType=/varnameoptionnotify/option
+if the service understands systemd's
+notification protocol,
+varnameType=/varnameoptionforking/option
+if the service can background itself or
+varnameType=/varnameoptiondbus/option
+if the unit acquires a DBus name once
+initialization is complete. See below./para
+/example
+
+example
+titleOneshot service/title
+
+paraSometimes units should just execute an
+action without keeping active processes, such
+as a filesystem check or a cleanup action on
+boot. For this,
+varnameType=/varnameoptiononeshot/option
+exists. Units of this type will wait until the
+process specified terminates and then fall back
+to being inactive. The following unit will
+perform a clenaup action:/para
+
+programlisting[Unit]
+Description=Cleanup old Foo data
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/foo-cleanup
+
+[Install]
+WantedBy=multi-user.target/programlisting
+
+paraNote that systemd will consider the unit
+to be in the state 'starting' until the program
+has terminated, so ordered dependencies will
+wait for the program to finish before starting
+themselves. The unit will revert to the
+'inactive' state after the execution is
+done. That means another request to start the
+unit will perform the action again./para
+/example
+
+example
+titleStoppable oneshot service/title
+
+paraSimilarly to the oneshot services, there
+are sometimes units that need to execute a
+program to set up something and then execute
+another to shut it down, but no process remains
+active while they are considered
+'started'. Network configuration can sometimes
+fall into this

[systemd-devel] [PATCH v2 1/2] systemd.unit(5): add examples for common tasks

Add examples for (a) making units enableable and (b) overriding vendor
settings to the man page.
---
 man/systemd.unit.xml | 164 +++
 1 file changed, 164 insertions(+)

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index e820b33..8714f70 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1574,6 +1574,170 @@
 /refsect1
 
 refsect1
+titleExamples/title
+
+example
+titleMaking a unit enableable/title
+
+paraThe following snippet (highlighted) makes
+a unit (e.g. filenamefoo.service/filename)
+enableable via
+commandsystemctl enable/command:/para
+
+programlisting[Unit]
+Description=Foo
+
+[Service]
+ExecStart=/usr/sbin/foo-daemon
+
+emphasis[Install]/emphasis
+emphasisWantedBy=multi-user.target/emphasis/programlisting
+
+paraAfter running
+commandsystemctl enable/command, a symlink
+
filename/etc/systemd/system/multi-user.target.wants/foo.service/filename
+linking to the actual unit will be created. It
+tells systemd to pull in the unit when starting
+filenamemulti-user.target/filename. The
+converse commandsystemctl disable/command
+will remove that symlink again./para
+/example
+
+example
+titleOverriding vendor settings/title
+
+paraThere are two methods of overriding
+vendor settings in unit files: copying the unit
+file from
+filename/usr/lib/systemd/system/filename
+to filename/etc/systemd/system/filename and
+modifying the chosen settings. Alternatively,
+one can create a directory named
+filenamereplaceableunit/replaceable.d//filename
+within
+filename/etc/systemd/system/filename and
+place a drop-in file
+
filenamereplaceablename/replaceable.conf/filename
+there that only changes the specific settings
+one is interested in. Note that multiple such
+drop-in files are read if present./para
+
+paraThe advantage of the first method is
+that one easily overrides the complete unit,
+the vendor unit is not parsed at all anymore.
+It has the disadvantage that improvements to
+the unit file by the vendor are not
+automatically incorporated on updates./para
+
+paraThe advantage of the second method is
+that one only overrides the settings one
+specifically wants, where updates to the unit
+by the vendor automatically apply. This has the
+disadvantage that some future updates by the
+vendor might be incompatible with the local
+changes./para
+
+paraNote that for drop-in files, if one wants
+to remove entries from a setting that is parsed
+as a list (and is not a dependency), such as
+varnameConditionPathExists=/varname (or
+e.g. varnameExecStart=/varname in service
+units), one needs to first clear the list
+before re-adding all entries except the one
+that is to be removed. See below for an
+example./para
+
+paraThis also applies for user instances of
+systemd, but with different locations for the
+unit files. See the section on unit load paths
+for further details./para
+
+paraSuppose there is a vendor-supplied unit
+
filename/usr/lib/systemd/system/httpd.service/filename
+with the following contents:/para
+
+programlisting[Unit]
+Description=Some HTTP server
+After=network.target remote-fs.target sqldb.service
+Requires=sqldb.service
+ConditionPathExists=/srv/webserver
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/some-fancy-httpd-server
+TimeoutStartSec=5
+
+[Install]
+WantedBy=multi-user.target/programlisting
+
+paraNow one wants to change some settings as
+an administrator: firstly, in the

Re: [systemd-devel] Unwants

On Tue, Jan 27, 2015 at 03:50:49PM +, Dimitri John Ledkov wrote:
 On 27 January 2015 at 15:18, Christian Seiler christ...@iwakd.de wrote:
  Am 27.01.2015 um 15:45 schrieb Zbigniew Jędrzejewski-Szmek:
  On Tue, Jan 27, 2015 at 01:36:41PM +0100, Lennart Poettering wrote:
  Dependencies are always additive and coalescing currently. We don't
  track which configuration file or automatic logic created which
  dependency, and hence it is not really possible right now do reset the
  list of dependencies: we wouldn't know what to reset and what
  not. Note that in many cases dependencies can be created from both
  sides, and if A wants some dependency on B, and B also wants it from
  A, then we coalesce it one. If now some configuration in A wants to
  reset its setting, what do we do with the request from B?
  Yes, I think attempting any kind of dependency removal *from loaded
  units* would be very complicated, and would require major surgery to
  current unit engine. And things would become conceptually more complicated,
  which we certainly don't need.
 
  But masking of .wants/ links is something different I think. It is a
  *localized* modification to a single configuration file. We currently
  allow overridding of almost all configuration (units files, files in
  .d directories, recently even generators), but .wants and .requires
  are an exception. I think we should allow this. Apart from current
  use case, it would things more consistent for the user.
 
  Additionally, not considering .wants/ but drop-ins: currently, all[*]
  lists except dependencies can be overridden in drop-ins by resetting
  them first. So if I write
  ConditionPathExists=/foo
  in the unit file, and then
  ConditionPathExists=
  ConditionPathExists=/bar
  in a snippet, that will work as expected. Not so for dependencies.
 
  The problem here is I think a bit in the parsing logic: when parsing a
  unit file, dependencies are immediately added to the unit in question.
 
  If you were to first collect them as a set and then only after all
  drop-ins / etc. of a unit file are parsed you would add them to the
  unit's dependencies, this would immediately solve the problem.
 
  Also note that if b.service as Before=a.service, I would NOT expect and
  empty After= in a.service to override that, it would be weird. This is
  another good reason to first collect stuff locally (and only do
  overrides on that level) before adding the global state at the end of
  parsing.
 
  Or to put it this way: if you take the following things:
   - the unit file itself
   - all drop-ins
   - all .requires.d/
   - all .wants.d/
  you could combine them (according to precedence rules) to a single large
  unit file and only then process that. This is at least what I think is
  a good way to model this, and that's how I modeled it in my head as a
  user before I looked at the code, when I realized that that's not the
  case. If you make the code work in a way that respects that model, I
  think that a lot of things about overrides become much more consistent.
 
  Just my 2 cents.
 
 
 Well i thought that if below are implemented:
 http://lists.freedesktop.org/archives/systemd-devel/2014-December/026026.html
 http://lists.freedesktop.org/archives/systemd-devel/2014-December/026042.html
 http://lists.freedesktop.org/archives/systemd-devel/2014-December/026076.html
Yeah, I think I dozed off at the of that discussion there, thank you for digging
up the links. It seems everybody is in agreement about overriding 
.wants/.requires
symlinks with /dev/null.

...
 Whilst:
 bar.service: [Unit] Wants=!foo.service
 foo.service: [Install]WantedBy=!bar
But this isn't in the mails you linked. Let's get the link-overriding part
done first.

Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] systemd-udevd.service: restore mount propagation

2015-01-27 Thread Dave Reisner

On Tue, Jan 27, 2015 at 05:33:06PM +0100, Martin Pitt wrote:
 Lennart Poettering [2015-01-27 17:22 +0100]:
  The .mount units of device nodes already have a BindsTo= dependency on
  their respective backing .device units. This should have the effect
  that systemd will take the .mount units down if the .device units are
  removed. Are you saying that doesn't work?
 
 It's been ages since I've had a CD drive with an eject button, so I
 can't say myself. But given the recent reports on the list from Robert
 Milasan and Dave Reiser it seems that *something* here is still
 broken?

Well, my test case was flawed and the mount namespacing in udevd isn't
actually relevant to the problem. I've since found myself uninterested
in solving this particular problem.

dR
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] systemd-udevd.service: restore mount propagation

On Tue, 27.01.15 09:40, Martin Pitt (martin.p...@ubuntu.com) wrote:

 Hey Lennart,
 
 Lennart Poettering [2015-01-27  0:55 +0100]:
  Hmm? I don't see how mount propagation would break 60-cdrom_id... The
  eject ioctl operates on the device node, and does not care for
  mounts. This problem sounds made-up to me.
 
 Right now cdrom_id indeed wouldn't be affected as it doesn't unmount a
 CD which is about to ejected. That's the very problem that was
 recently discussed here:
 
   http://lists.freedesktop.org/archives/systemd-devel/2015-January/026948.html
 
 The two proposed solutions were to either teach cdrom_id --eject to
 umount the device or just call the actual eject program which gets
 this pretty much right. But neither would work because of the unshared
 mount ns in udev.

So, why is this a new problem, and why do you say that
MountFlags=slave broke anything? I mean, cdrom_id cannot do unmounts
(and it really shouldn't), And an eject invocation was never part of
the udev rules, so there was really nothing that broke. So, these
things never worked, and MountFlags=slave didn't change anything about
it.

There's some part of the story that I am missing, or something makes
no sense at all...

  Moreover, if you want to do mounts or umounts on plug or play, then
  use a proper daemon, like udisks.
 
 udisks actually used to have both the CD-ROM polling (which since then
 moved into the kernel) and the post-eject cleanup.

Why was the removed, and with what was it replaced when it was?

 If we want to keep the udev mount unsharing, we could put it back
 into udisks; but that wouldn't be that robust as udisks isn't
 guaranteed to actually run, both because it's a D-BUS activated
 service and a lot of server-ish machines or lightweight desktops
 don't even have it.

Well, again, the right answer then is to handle it with .mount units,
which can correctly deal with partitioned block devices and other file
systems mounted on top of these pluggable block devices.

In general though I don't think people should expect that pluggable
devices are handled nicely if you uninstall the daemon that deals with
pluggable devices...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] persisting sriov_numvfs

On Tue, 27.01.15 07:35, Martin Polednik (mpoled...@redhat.com) wrote:

Hmm, I see. In many ways this feels like VLAN setup from a
configuration PoV, right? i.e. you have one hw device the driver
creates, and then you configure a couple of additional interfaces on
top of it.

This of course then raises the question: shouldn't this functionality
be exposed by the kernel the same way as VLANs? i.e. with a
rtnetlink-based API to create additional interfaces, instead of /sys?

In systemd I figure the right way to expose this to the user would be 
via
.netdev files, the same way as we expose VLAN devices. Not however
that that would be networkd territory,
   
   No, this is not limited to NICs. It is generic feature that can be in
   principle used with any hardware and there are e.g. FC or FCoE HBAs
   with SR-IOV support. It is true that today it is mostly comes with NICs
   though.
   
   Any general framework for setting it up should not be tied to specific
   card type.
  
  Well, I doubt that there will be graphics cards that support this
  right? I mean, it's really only network connectivity that can support
  a concept like this easily, since you can easily merge packet streams
  from multiple VMs on one connection. However, I am not sure how you
  want to physically merge VGA streams onto a single VGA connector...
  
  If this is about ethernet, FC, FCOE, then I still think that the
  network management solution should consider this as something you can
  configure on physical links like VLANs. Hence networkd or
  NetworkManager and so on should cover it.
  
  Lennart
 
 Afaik some storage cards support this, for GPU's it's possibly for the
 GPUPU applications and such - where you don't care about the physical
 output, but the processing core of gpu itself (but I'm not aware of such
 implementation yet, nvidia seems to be doing something but the details
 are nowhere to be found).

Hmm, so there are three options I think.

a) Expose this in networkd .netdev files, as I suggested
   originally. This would be appropriate if we can add and remove VFs
   freely any time, without the other VFs being affected. Can you
   clarify whether going from let's say 4 to 5 VFs requires removing
   all VFs and recreating them? THis would be the nicest exposure I
   think, but be specific to networkd.

b) Expose this via udev .link files. This would be appropriate if
   adding/removing VFs is a one-time thing, when a device pops
   up. This would be networking specific, not cover anything else like
   GPU or storage or so. Would still be quite nice. Would probably the
   best option, after a), if VFs cannot be added/removed dynamically
   all the time without affecting the other VFs.

c) Expose this via udev rules files. This would be generic, would work
   for networking as well as GPUs or storage. This would entail
   writing our rules files when you want to configure the number of
   VFs. Care needs to be taken to use the right way to identify
   devices as they come and go, so that you can apply configuration to
   them in a stable way. This is somewhat uglier, as we don't really
   think that udev rules should be used that much for configuration,
   especially not for configuration written out by programs, rather
   than manually. However, logind already does this, to assign seat
   identifiers to udev devices to enable multi-seat support. 

A combination of b) for networking and c) for the rest might be an
option too.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] persisting sriov_numvfs

2015-01-27 Thread Martin Polednik

- Original Message -
 From: Lennart Poettering lenn...@poettering.net
 To: Andrei Borzenkov arvidj...@gmail.com
 Cc: Martin Polednik mpoled...@redhat.com, 
 systemd-devel@lists.freedesktop.org, ibar...@redhat.com
 Sent: Tuesday, January 27, 2015 1:21:32 PM
 Subject: Re: [systemd-devel] persisting sriov_numvfs

 On Tue, 27.01.15 06:47, Andrei Borzenkov (arvidj...@gmail.com) wrote:

   Hmm, I see. In many ways this feels like VLAN setup from a
   configuration PoV, right? i.e. you have one hw device the driver
   creates, and then you configure a couple of additional interfaces on
   top of it.

   This of course then raises the question: shouldn't this functionality
   be exposed by the kernel the same way as VLANs? i.e. with a
   rtnetlink-based API to create additional interfaces, instead of /sys?

   In systemd I figure the right way to expose this to the user would be via
   .netdev files, the same way as we expose VLAN devices. Not however
   that that would be networkd territory,

  No, this is not limited to NICs. It is generic feature that can be in
  principle used with any hardware and there are e.g. FC or FCoE HBAs
  with SR-IOV support. It is true that today it is mostly comes with NICs
  though.

  Any general framework for setting it up should not be tied to specific
  card type.

 Well, I doubt that there will be graphics cards that support this
 right? I mean, it's really only network connectivity that can support
 a concept like this easily, since you can easily merge packet streams
 from multiple VMs on one connection. However, I am not sure how you
 want to physically merge VGA streams onto a single VGA connector...

 If this is about ethernet, FC, FCOE, then I still think that the
 network management solution should consider this as something you can
 configure on physical links like VLANs. Hence networkd or
 NetworkManager and so on should cover it.

 Lennart

Afaik some storage cards support this, for GPU's it's possibly for the
GPUPU applications and such - where you don't care about the physical
output, but the processing core of gpu itself (but I'm not aware of such
implementation yet, nvidia seems to be doing something but the details
are nowhere to be found).

 --
 Lennart Poettering, Red Hat

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] persisting sriov_numvfs

On Tue, 27.01.15 06:47, Andrei Borzenkov (arvidj...@gmail.com) wrote:

  Hmm, I see. In many ways this feels like VLAN setup from a
  configuration PoV, right? i.e. you have one hw device the driver
  creates, and then you configure a couple of additional interfaces on
  top of it.
  
  This of course then raises the question: shouldn't this functionality
  be exposed by the kernel the same way as VLANs? i.e. with a
  rtnetlink-based API to create additional interfaces, instead of /sys?
  
  In systemd I figure the right way to expose this to the user would be via
  .netdev files, the same way as we expose VLAN devices. Not however
  that that would be networkd territory,
 
 No, this is not limited to NICs. It is generic feature that can be in
 principle used with any hardware and there are e.g. FC or FCoE HBAs
 with SR-IOV support. It is true that today it is mostly comes with NICs
 though.
 
 Any general framework for setting it up should not be tied to specific
 card type.

Well, I doubt that there will be graphics cards that support this
right? I mean, it's really only network connectivity that can support
a concept like this easily, since you can easily merge packet streams
from multiple VMs on one connection. However, I am not sure how you
want to physically merge VGA streams onto a single VGA connector...

If this is about ethernet, FC, FCOE, then I still think that the
network management solution should consider this as something you can
configure on physical links like VLANs. Hence networkd or
NetworkManager and so on should cover it.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

On Thu, 22.01.15 14:08, Dimitri John Ledkov (dimitri.j.led...@intel.com) wrote:

  In any case, /etc overrides /run, so your example can never work.
 
 
 Oh, ok. But any combination of the two. E.g. for /etc to unwant from
 /run then, or for /etc to unwant from /usr.
 
 At the moment, I'm looking at packaging symlinks in .wants directories
 under /usr and then allow to uninstall such a package as a means to
 override the default config. Since I would like to update how the
 default config is setup, without doing in /etc where I'd have to
 answer is this my old config, or user modified it and I shouldn't
 touch it

I am not grokking this. If you remove the package with the symlinks in
/usr, then den deps are gone, so why do you need something in /etc or
/run still?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

On Thu, 22.01.15 15:16, Dimitri John Ledkov (dimitri.j.led...@intel.com) wrote:

 On 22 January 2015 at 14:46, Michael Biebl mbi...@gmail.com wrote:
  2015-01-22 15:08 GMT+01:00 Dimitri John Ledkov dimitri.j.led...@intel.com:
  At the moment, I'm looking at packaging symlinks in .wants directories
  under /usr and then allow to uninstall such a package as a means to
  override the default config. Since I would like to update how the
  default config is setup, without doing in /etc where I'd have to
  answer is this my old config, or user modified it and I shouldn't
  touch it
 
  That's indeed a tough problem. The upstream recommendation is, to run
  systemctl preset during the initial installation.
  If there are changes to the default in the unit files, those changes
  are *not* applied on package upgrades.
 
 Presets are good, however they do not have a format to specify extra
 .wants and .requires. And in my case unwants and unrequires.

Extra .wants and .requires? What would those entail? I mean, the unit
files can store extra deps in their [Install] section...

 So at the moment I'm playing around with - unconditionally running
 preset on my preset file, and directing users to write (override) own
 preset file in /etc/systemd/system-preset if they want to modify the
 default proposed integration.
 
  I don't think that's a particularly compelling solution.
 
  In Debian, we introduced a helper called i-s-h [1], which keeps some
  additional state and tries to apply such changes on updates.
 
 
 Well, if systemctl enable/disable/add-requires/add-wants would write
 things into /etc/systemd/system-preset instead of modifying things in
 /etc, then it would be alright. As essentially the full set of presets
 would be the state of system-defaults + user overrides.
 
 Also it seems like preset is a bit of templating hack at the moment,
 as they are not loaded by systemd but rarther are simply used to
 generate files/symlinks on disk under /etc.

I don't follow. Presets are the recommended vendor configuration, and
as such static and immutable. It is supposed to be applied once,
during first installation of a pacakge. From that point on things are
user configuration and presets will not be applied.

Patching preset files during runtime is really against what they were
designed for.

Quite frankly, I have trouble following at all what is being attempted
here...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants

On 27 January 2015 at 15:18, Christian Seiler christ...@iwakd.de wrote:
 Am 27.01.2015 um 15:45 schrieb Zbigniew Jędrzejewski-Szmek:
 On Tue, Jan 27, 2015 at 01:36:41PM +0100, Lennart Poettering wrote:
 Dependencies are always additive and coalescing currently. We don't
 track which configuration file or automatic logic created which
 dependency, and hence it is not really possible right now do reset the
 list of dependencies: we wouldn't know what to reset and what
 not. Note that in many cases dependencies can be created from both
 sides, and if A wants some dependency on B, and B also wants it from
 A, then we coalesce it one. If now some configuration in A wants to
 reset its setting, what do we do with the request from B?
 Yes, I think attempting any kind of dependency removal *from loaded
 units* would be very complicated, and would require major surgery to
 current unit engine. And things would become conceptually more complicated,
 which we certainly don't need.

 But masking of .wants/ links is something different I think. It is a
 *localized* modification to a single configuration file. We currently
 allow overridding of almost all configuration (units files, files in
 .d directories, recently even generators), but .wants and .requires
 are an exception. I think we should allow this. Apart from current
 use case, it would things more consistent for the user.

 Additionally, not considering .wants/ but drop-ins: currently, all[*]
 lists except dependencies can be overridden in drop-ins by resetting
 them first. So if I write
 ConditionPathExists=/foo
 in the unit file, and then
 ConditionPathExists=
 ConditionPathExists=/bar
 in a snippet, that will work as expected. Not so for dependencies.

 The problem here is I think a bit in the parsing logic: when parsing a
 unit file, dependencies are immediately added to the unit in question.

 If you were to first collect them as a set and then only after all
 drop-ins / etc. of a unit file are parsed you would add them to the
 unit's dependencies, this would immediately solve the problem.

 Also note that if b.service as Before=a.service, I would NOT expect and
 empty After= in a.service to override that, it would be weird. This is
 another good reason to first collect stuff locally (and only do
 overrides on that level) before adding the global state at the end of
 parsing.

 Or to put it this way: if you take the following things:
  - the unit file itself
  - all drop-ins
  - all .requires.d/
  - all .wants.d/
 you could combine them (according to precedence rules) to a single large
 unit file and only then process that. This is at least what I think is
 a good way to model this, and that's how I modeled it in my head as a
 user before I looked at the code, when I realized that that's not the
 case. If you make the code work in a way that respects that model, I
 think that a lot of things about overrides become much more consistent.

 Just my 2 cents.


Well i thought that if below are implemented:
http://lists.freedesktop.org/archives/systemd-devel/2014-December/026026.html
http://lists.freedesktop.org/archives/systemd-devel/2014-December/026042.html
http://lists.freedesktop.org/archives/systemd-devel/2014-December/026076.html

the logic would be:
bar.service: [Unit] Wants=foo.service
foo.service: [Install]WantedBy=bar
bar.service.wants/foo.service - ***/foo.service

Add a dependency type want from bar - to foo.

Whilst:
bar.service: [Unit] Wants=!foo.service
foo.service: [Install]WantedBy=!bar
bar.service.wants/foo.service - /dev/null

Would remove a dependency link from bar - to foo, if and only if it
already exists.

The ! syntax is for e.g. overriding symlinks via .d/*.conf files or
when unit is copied into a higher level configuration path and edited.

Thus everything is still coalescing, in the order that configuration
directories are transversed, but proposed to be additive and
subtractive in nature.
(and will thus allow adding/removing dependencies at each configuration level)

e.g.
distro ships user level unit that gpg-agent is enabled by default in
the user sessions
global user override by admin sets gnome-keyring to be the default
agent for user sessions (Wants=gnome-keyring-gpg !gpg-agent)
user overrides the admin to make gpg-agent enabled by default back
(Wants=!gnome-keyring-gpg gpg-agent)

where wants are either .d snippets with lines as in brackets or (valid
| dev-null) symlinks in appropriate .wants directories at respective
configuration levels.

-- 
Regards,

Dimitri.

Intel Corporation (UK) Ltd. - Co. Reg. #1134945 - Pipers Way, Swindon SN3 1RJ.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] systemd-udevd.service: restore mount propagation

Lennart Poettering [2015-01-27 13:52 +0100]:
 So, why is this a new problem, and why do you say that
 MountFlags=slave broke anything?

I didn't say that. :-) I just said that due to this the two proposed
solutions of cleaning up the mounts after CD ejection won't work.

 I mean, cdrom_id cannot do unmounts (and it really shouldn't), And
 an eject invocation was never part of the udev rules, so there was
 really nothing that broke. So, these things never worked, and
 MountFlags=slave didn't change anything about it.

Correct.

  udisks actually used to have both the CD-ROM polling (which since then
  moved into the kernel) and the post-eject cleanup.
 
 Why was the removed, and with what was it replaced when it was?

So udisks 1.x had a force_removal() function which was called on a
remove uevent and cleaned up stale mounts. Apparenlty that never made
it into the udisks 2.x rewrite unless I'm missing something. But as it
obviously doesn't seem to work right now (i. e. CD mounts are kept
stale), I guess it's due to that.

 Well, again, the right answer then is to handle it with .mount units,

How would that look like, on a very high level? Create .mount units on
the fly with udev rules when devices appear, and asking systemd to
unmount them via a remove uevent, instead of having cdrom_id do the
umount directly?

Thanks,

Martin
-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Examples in man pages

On Tue, Jan 27, 2015 at 03:19:51PM +0100, Christian Seiler wrote:
 Just a heads-up: while reading the Unwants thread I noticed that
 dependencies are the only types of lists in unit files that can't be
 reset, so my example in there actually doesn't work, so please don't
 commit my patch just now. I'm writing more examples and will resubmit
 anyway.
So the thread is still on... Things are likely to change again.

Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] persisting sriov_numvfs

On Tue, 27.01.15 08:41, Martin Polednik (mpoled...@redhat.com) wrote:

  b) Expose this via udev .link files. This would be appropriate if
 adding/removing VFs is a one-time thing, when a device pops
 up. This would be networking specific, not cover anything else like
 GPU or storage or so. Would still be quite nice. Would probably the
 best option, after a), if VFs cannot be added/removed dynamically
 all the time without affecting the other VFs.
  
  c) Expose this via udev rules files. This would be generic, would work
 for networking as well as GPUs or storage. This would entail
 writing our rules files when you want to configure the number of
 VFs. Care needs to be taken to use the right way to identify
 devices as they come and go, so that you can apply configuration to
 them in a stable way. This is somewhat uglier, as we don't really
 think that udev rules should be used that much for configuration,
 especially not for configuration written out by programs, rather
 than manually. However, logind already does this, to assign seat
 identifiers to udev devices to enable multi-seat support.
  
  A combination of b) for networking and c) for the rest might be an
  option too.
 
 I myself would vote for b) + c) since we want to cover most of the
 possible use cases for SR-IOV and MR-IOV, which hopefully shares
 the interface; adding Dan back to CC as he is the one to speak for network. 

I have added b) to our TODO list for networkd/udev .link files.

c) should probably be done outside of systemd/udev. Just write a tool
(or even documenting this might suffice), that creates udev rules in
/etc/udev/rules.d, matches against ID_PATH and then sets the right
attribute.  

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Unwants