let's skip over credentials we cannot decode when they are found with
ImportCredential=. When installing an OS on some disk and using that
disk on a different machine than assumed we'll otherwise end up with a
broken boot, because the credentials cannot be decoded when starting
systemd-firstboot. Let's handle this somewhat gracefully.
This leaves handling for LoadCredential=/SetCredential= as it is (i.e.
failure to decrypt results in service failure), because it is a lot more
explicit and focussed as opposed to ImportCredentials= which looks
everywhere, uses globs and so on and is hence very vague and unfocussed.
Fixes: #34740
This changes the instances of lexical to lexicographic, thus making it easier
to grep for instances of lexicographic order, since there's only one variant of
the word to consider.
Lexicographic is chosen since there are slightly fewer instances of lexical and
lexicographic seems a better fit than lexical after checking a few
dictionaries.
The words lexical, lexicographic, and lexicographical are synonyms in
computing, meaning an alphabetical order. Both the Oxford dictionary and
Merriam-Webster make no distinction between lexicographic and lexicographical,
with only Wiktionary adding a more precise meaning of
Meeting lexicographical standards or requirements; worthy of being included
in a dictionary. [1]
Since, outside of computing, lexicographic(al) has the more specific meaning
pertaining to lexicography, i.e. the editing or making of dictionaries [2], and
lexical only has this as a secondary meaning after its linguistic meaning [3],
lexicographic fits the meaning of including and ordering entries better.
[1] https://en.wiktionary.org/wiki/lexicographical#English
[2] https://www.merriam-webster.com/dictionary/lexicographic
[3] https://www.oed.com/dictionary/lexical_adj
This allows for more liberal usage of logging functionality as messages
will no longer always show up on screen, regardless of urgency. The log
level to use can be configured through an SMBIOS type 11 string
(`io.systemd.boot.loglevel=`) or by using the `log-level` option in
loader.conf. Valid values are debug, info, notice, warning, err, crit,
alert, and emerg. By default, info will be used.
As explained in https://github.com/systemd/systemd/issues/37892, it
would be nice to define per-partition PCRs/key file to use.
The global default config will be still defined as cmdline options, and
`TPM2PCRs=` and `KeyFile=` will be overriden by them.
Implements the ability to add recovery keys to existing user accounts
via homectl update --recovery-key=yes. Previously, recovery keys could
only be configured during initial user creation, requiring users to
recreate their entire home directory to add recovery keys later.
Fixes: #23602
This PR implements what is proposed in
https://github.com/systemd/systemd/issues/37992.
Having a global config file that supports the same cmdline options for
sysext/confext allows the user to customize the behavior of
systemd-sysext.service unit too, without the need of hacking the service
manually.
The global config will live in
`CONF_PATHS_STRV()/systemd/{sysext/confext}.conf` and it will be
overridden by cmdline, so it is possible to customize a run if
`systemd-sysext` is executed manually.
For now support `--mutable=` (`Mutable`) and `--image-policy=`
(`ImagePolicy`).
--no-hostname is one of the switches I use very often. In particular,
when looking at CI logs, the hostname is almost never interesting.
-H is not yet used in journalctl, because journal operates locally, but
will want it if display of remote journals is implemented. Use -W.
Commit d7bea6b6 ("nspawn: introduce an option for specifying network
namespace path") already did most of the work here enabling a command
line option for specifying the namespace path for a given container.
Someone even took care of the merging code in merge_settings as though
this already worked. All that's then needed is to add a line to the
nspawn-gperf.gperf file to actually enable being able to specify
NamespacePath from nspawn files as well.
This greatly simplifies how we configure nspawn containers by being able
to give all the options we need in .nspawn files instead of needing to
also use command line parameters.
Closes: #27188
These options were added in v255 with commit
cb341090d0, but were not documented as
standalone options in loader.conf. See #29440 for more information.
Add repart.d KeyFile= option with the same syntax as --key-file.
This allows a per-partition key file encryption, and not rely on a global key
applicable to all partitions.
The global --key-file overrides KeyFile config. If none of them is
defined, rely on default.
Add repart.d TPM2PCRs= option with the same syntax as --tpm2-pcrs.
This allows a per-partition pcr binding, and not rely on a global config
applicable to all partitions.
The global --tpm2-pcrs overrides TPM2PCRs config. If none of them
is defined, rely on default.
Found using linkchecker.
For virtiofsd, the man page is maintained upstream, but doesn't seem to be
available in any of the usual places. So let's link to the Debian version.
systemd.filter I have no idea what it is.
It is extremely confusing to use different filenames for different
locations, so pick up the same images for both per-UKI and global
extensions
Follow-up for 9f7e3820e9
https://github.com/systemd/systemd/pull/15509/files#r2234113960 complains that the
advice is still not clear enough. systemd-boot itself says
"Menu hidden. Hold down key at bootup to show menu."
so let's do the same and tell users to hold down space as the first option.
This should work fine for 99% of people. Then invert the following advice to
try repeated pressing as the alternative option.
Also, fix the advice about --boot-loader-menu=. The whole para is about getting
the menu to show, so 0 is not a good value.
Follow-up for https://github.com/systemd/systemd/pull/15509.
Some keys have only a transient effect, e.g. 'e', but some have a persistent
effect, e.g. 'd'. This is important informations, but the reader might be
forgiven for not finding that at all obvious when reading the descriptions of
the keys.
Also, mention in loader.conf man page that the settings there might be overriden
by EFI variables. This is another thing that is important but not obvious.
For some reason, the man page for loader.conf also mentioned type#1 entries
in passing. Except for using the same file extension, those files are in a
completely different format and with a different purpose. This mixup was
first introduced in f37d383582, was then
reported in #10923, which was closed by cbae79b8d0,
but that didn't fix the actual issue.
Really fixes#10923.
While at it, simplify and improve the wording a bit.
Add sysext.conf, which similar to other configs like coredump, will be
searched in:
/{etc run usr/lib}/systemd/{sysext/confext}.conf
but also
/{etc run usr/lib}/systemd/{sysext/confext}.conf.d/*
This config is an alternative to command line options, especially useful
if we want to extend the service units without modifying them.
