[systemd-devel] systemd-nspawn: State Directories with -U?

2018-07-23 Thread Christian Rebischke
Hello,
I want to harden my systemd-nspawn container. Let's say we have a
service like this:

# cat /etc/systemd/system/test.service
[Unit]
Description=Test DynamicUser= with StateDirectory=
[Service]
ExecStart=id
ExecStart=echo 1
ExecStart=test -w /var/lib/foobar
ExecStart=echo 2
ExecStart=test -w /var/lib/private/foobar
ExecStart=echo 3
ExecStart=touch /var/lib/foobar/yay
ExecStart=echo 4
ExecStart=test -f /var/lib/foobar/yay
ExecStart=echo 5
ExecStart=test -f /var/lib/private/foobar/yay
Type=oneshot
DynamicUser=yes
StateDirectory=foobar


When I start a systemd-nspawn container without the "-U" parameter, put
this service file inside of it and start it, everything works fine.
But with the "-U" parameter it fails.

My Question: How can I use the "-U" parameter for my systemd-nspawn
container _and_ the above hardening features like "DynamicUser" and
"StateDirectory"?

If this is not possible. What would be the least intrusive way to get
this service working with maximum security features enabled?

Best regards

Chris


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


[systemd-devel] Setting MTU of interface without reboot

2018-06-10 Thread Christian Rebischke
Hello,
I am unsure if this is a bug or intended behaviour. I have a network
file like this one:

/etc/systemd/network/en0s25.network

```
[Match]
Name=enp0s25

[Link]
MTUBytes=9000

[Network]
Address=192.168.1.101/24
# Gateway= takes a plain address; a /24 prefix here is rejected by networkd
Gateway=192.168.1.1
DNS=192.168.1.1
```

When I reboot the computer the MTU will get set, but when I
restart systemd-networkd the MTU will not get set. Is this intended
behaviour or a bug? (Setting the MTU via `ip link set enp0s25 MTU 9000`
works fine)


best regards

chris


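The two posts above both hinge on how systemd reads its INI-like unit and .network files. The following is an added example, not code from either post or from the systemd project: it parses that format (keeping repeated keys such as the many ExecStart= lines), resolves where StateDirectory= is created under DynamicUser=yes according to systemd.exec(5) (/var/lib/private/<name>, with /var/lib/<name> as a symlink to it), and compares a configured MTUBytes= against interface data in the shape of `ip -j link show` output. The unit text, the .network text and the JSON are constructed inline; the function and variable names are my own.

```python
"""Added example (not from the mailing-list posts): parse systemd's INI-like
unit/.network format and check two things the posts above ask about:
where StateDirectory= lands under DynamicUser=yes, and whether the MTU
configured in a .network file matches what the kernel reports."""
import json
from collections import defaultdict

# Constructed samples (the first two mirror the files quoted in the posts;
# the JSON stands in for `ip -j link show` output and is made up here).
TEST_SERVICE = """\
[Unit]
Description=Test DynamicUser= with StateDirectory=
[Service]
ExecStart=id
ExecStart=test -w /var/lib/foobar
ExecStart=test -w /var/lib/private/foobar
Type=oneshot
DynamicUser=yes
StateDirectory=foobar
"""

NETWORK_FILE = """\
[Match]
Name=enp0s25

[Link]
MTUBytes=9000

[Network]
Address=192.168.1.101/24
Gateway=192.168.1.1
DNS=192.168.1.1
"""

IP_LINK_JSON = '[{"ifname": "lo", "mtu": 65536}, {"ifname": "enp0s25", "mtu": 1500}]'


def parse_unit(text):
    """Return {section: {key: [values]}}; keys may repeat (several ExecStart=
    lines are legal in a oneshot service), so every value is a list."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return {name: dict(kv) for name, kv in sections.items()}


def state_directory_paths(unit):
    """Where systemd creates each StateDirectory= (per systemd.exec(5)):
    with DynamicUser=yes the real directory is /var/lib/private/<name> and
    /var/lib/<name> is a symlink to it, so both `test -w` lines in the posted
    unit are expected to pass; without DynamicUser= it is /var/lib/<name>."""
    service = unit.get("Service", {})
    dynamic = service.get("DynamicUser", ["no"])[-1].lower() in ("yes", "true", "on", "1")
    paths = {}
    for entry in service.get("StateDirectory", []):
        for name in entry.split():
            if dynamic:
                paths[name] = {"real": f"/var/lib/private/{name}", "symlink": f"/var/lib/{name}"}
            else:
                paths[name] = {"real": f"/var/lib/{name}", "symlink": None}
    return paths


def mtu_mismatches(network_text, ip_link_json):
    """Compare [Link] MTUBytes= with the live MTU of every interface named in
    [Match] Name= (plain names only, no globs). Returns {ifname: (wanted,
    actual)} for interfaces whose kernel MTU differs from the configured one."""
    cfg = parse_unit(network_text)
    wanted = int(cfg.get("Link", {}).get("MTUBytes", ["0"])[-1])  # plain byte count assumed
    names = {n for entry in cfg.get("Match", {}).get("Name", []) for n in entry.split()}
    live = {link["ifname"]: link["mtu"] for link in json.loads(ip_link_json)}
    return {n: (wanted, live[n]) for n in sorted(names) if n in live and live[n] != wanted}


if __name__ == "__main__":
    print(state_directory_paths(parse_unit(TEST_SERVICE)))
    print(mtu_mismatches(NETWORK_FILE, IP_LINK_JSON) or "MTU matches configuration")
```

On a real host, feed `mtu_mismatches` the output of `ip -j link show` after a networkd restart to see whether the configured MTU was applied; the state-directory resolver only describes the layout systemd documents, it does not inspect the filesystem.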


[systemd-devel] systemd-run -M and machinectl shell

2017-10-09 Thread Christian Rebischke
Hello everybody,
I wanted to make sure that this is a bug before I open a ticket for
it. I have the following issue. I am currently writing a shell
script that debootstraps a container and changes different
configurations on that container (a little bit like mkosi).

One line of my script is the following:

machinectl shell "$CONTAINER_NAME" /bin/passwd -d root

I also tried:

systemd-run -M "$CONTAINER_NAME" /bin/passwd -d root


With both variations I have the same result:

systemd-run says the command was executed but it wasn't. The root
password on the container is still set. When I login into the container
via:

machinectl shell "$CONTAINER_NAME"

and run the line `passwd -d root` manually, it works.

Is this a bug or normal behaviour? In the latter case: what am I doing wrong?

Best regards,

Chris




[systemd-devel] iwd and systemd-networkd

2017-04-29 Thread Christian Rebischke
Hello everybody,
I have read in a phoronix article that iwd will be integrated into
systemd-networkd.[1] Is this already the case with the newest systemd
version? If not, are there any plans to integrate it into
systemd-networkd? I am really interested in this topic, because
currently I use systemd-networkd with wpa_supplicant@.service.
Do you already have any ideas or plans in this direction?

Best regards,

Chris


[1] https://www.phoronix.com/scan.php?page=news_item=New-Linux-Wireless-Daemon




[systemd-devel] General question about dbus-activatable services

2017-02-15 Thread Christian Rebischke
Hello,
I have the following problem. I use X with only a tiling manager (DWM)
on Arch Linux. Therefore I don't have imsettings nor im-chooser. (And I
really don't want to install im-chooser). I would like to start
ibus-daemon automatically on login in my user session.

I wrote a systemd service file for it:

# /etc/systemd/user/ibus.service
[Unit]
Description=ibus daemon
Documentation=man:ibus-daemon(1)

[Service]
Type=forking
ExecStart=/usr/bin/ibus-daemon --xim -d

[Install]
WantedBy=default.target


And made a PR for it here:
https://github.com/ibus/ibus/pull/1896

But it was rejected, due to the fact that a dbus-activatable service for
ibus exists.

Now my question is: how can I trigger this service? I expected that I need
to send a call command via busctl directly to org.freedesktop.IBus, but
according to my `busctl list` output this dbus service doesn't exist
(although it's there under
/usr/share/dbus-1/services/org.freedesktop.IBus.service).

How can I register this service to dbus? And how would I start this
dbus-activatable service on login? Would I use a systemd.service for it?
What would it look like? Would I simply swap the ExecStart line against a
line with busctl that calls the dbus-activatable ibus service?

Best regards,

Chris


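The post above asks how to trigger a D-Bus activatable service with busctl. The following is an added example, not code from the post or from the ibus or systemd projects: it reads a D-Bus activation file, works out from its location which bus it belongs to (files under dbus-1/services/ are session-bus services, files under dbus-1/system-services/ are system-bus services), and builds the busctl invocation of the bus daemon's own `org.freedesktop.DBus.StartServiceByName(s name, u flags)` method, whose busctl type signature is therefore `su`. The activation file text is constructed and only modelled on what such a file contains; the function names are my own.

```python
"""Added example (not from the mailing-list post): read a D-Bus service
activation file and build the busctl call that asks the bus to start it."""
import shlex

# Constructed sample modelled on an activation file; the real
# /usr/share/dbus-1/services/org.freedesktop.IBus.service may differ.
IBUS_ACTIVATION_FILE = """\
[D-BUS Service]
Name=org.freedesktop.IBus
Exec=/usr/bin/ibus-daemon --xim
"""


def parse_activation_file(text):
    """Return the keys of the [D-BUS Service] section (Name=, Exec=, and
    SystemdService= when present). Name= and Exec= are mandatory."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[D-BUS Service]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    missing = {"Name", "Exec"} - fields.keys()
    if missing:
        raise ValueError(f"activation file lacks {sorted(missing)}")
    return fields


def bus_for_activation_dir(path):
    """Files under .../dbus-1/services/ are session-bus (per-user) services;
    files under .../dbus-1/system-services/ are system-bus services. That is
    the bus busctl must be pointed at to see the name as activatable."""
    if "/dbus-1/system-services/" in path:
        return "system"
    if "/dbus-1/services/" in path:
        return "user"
    raise ValueError(f"not a D-Bus activation directory: {path}")


def activation_command(name, bus="user"):
    """argv for the D-Bus daemon's own activation method,
    org.freedesktop.DBus.StartServiceByName(s name, u flags) -> u; the
    busctl type signature is therefore 'su' and flags is reserved as 0."""
    return ["busctl", f"--{bus}", "call",
            "org.freedesktop.DBus", "/org/freedesktop/DBus", "org.freedesktop.DBus",
            "StartServiceByName", "su", name, "0"]


def activation_command_line(path, text):
    """Combine the two: pick the bus from the file's location, the name from its
    contents, and render a shell-safe command line."""
    fields = parse_activation_file(text)
    return shlex.join(activation_command(fields["Name"], bus_for_activation_dir(path)))


if __name__ == "__main__":
    print(activation_command_line("/usr/share/dbus-1/services/org.freedesktop.IBus.service",
                                  IBUS_ACTIVATION_FILE))
```

Note that `busctl` without `--user` talks to the system bus, so a name installed under /usr/share/dbus-1/services/ only appears in `busctl --user list`, where busctl marks it as activatable even before the daemon is running.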


Re: [systemd-devel] IPv6 forwarding inside systemd-nspawn containers

2016-06-13 Thread Christian Rebischke
On Mon, Jun 13, 2016 at 02:33:32PM -0400, Egor M. wrote:
> Hello Lennart.
> 
> I made more tests, it looks like networking controls are indeed properly
> namespaced.
> 
> I don't know what's PR means in this context, so can't make it.

Hello Egor,
I guess PR means Pull-Request.

best regards

Chris




[systemd-devel] machine: which is the right way to unregister a machine?

2016-06-11 Thread Christian Rebischke
Hello,
I am currently working on a fix for:
https://github.com/systemd/systemd/issues/2809

How does a machine get deregistered?
I am looking for a proper way to remove the machine from the hashmap
(see below). Does systemd have a function that provides deregistering a
machine?

> if (hashmap_get(manager->machines, name))
> return sd_bus_error_setf(error, BUS_ERROR_MACHINE_EXISTS,
>  "Machine '%s' already exists", name);


I was thinking about deregistering the machine right after the kill via
SIGINT to the systemd PID1 in the machine.
What would be the best way to do this?

best regards

Chris

