This PR provides a new option for systemd-boot
`secure-boot-enroll-action` which allows configuring the behavior after
SecureBoot keys are enrolled.
Provides the option to either reboot or power off.
The current behavior is not changed, it will by default reboot as it did
before.
It also provides a small message about the action it's going to take with
a small delay so the user can read it.

The existing text grew organically as features were added and was
not very organized. Reorder it and break into paragraphs grouped
by topic. The description of the :errno syntax is replaced by a short
reference to the SystemCallErrorNumber= setting. This makes the
text shorter and makes it easier to explain how the two settings combine.

Document .link, .network and .netdev file type distinctions in early
introductory text, and document distro-specific need to sync link files
with early-boot copies, see Debian bug 1005282:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005282 for an
example.

This is analogous to #36123, but for Tun/Tap interfaces created by
systemd-networkd.
If a regular user account wants to control a Tun/Tap interface, then
assign the interface to a system group, e.g., vpn, and add the user
to the group.
Closes #37279.

The original timeout of 7 seconds is very long for today's networks. Reduce it
to 200ms. Note that this change also affects IPv4 link-local addressing.

RFC 5227 specifies randomized intervals to avoid that a large number of hosts
powered up at the same time send their message simultaneously. Performing the
conflict detection takes a variable time between 4 and 7 seconds from the
beginning to the first announcement, as shown by the following diagram where P
indicates a probe and A an announcement:

    time(s)  0   1   2   3   4   5   6   7   8   9
             +---+---+---+---+---+---+---+---+---+
    SHORTEST P   P   P       A       A
    LONGEST      P       P       P       A       A

The host can't use the address until the first announcement is sent. 7 seconds
is a very long time on modern computers especially considering the fact that
the round-trip time on current LAN technologies is at most a few milliseconds.
Section 2.2 of the RFC addresses this matter and hints that a future standard
will adjust those timeouts; however that standard doesn't exist yet.
Make the timeout configurable via a new IPv4DuplicateAddressDetectionTimeoutSec=
option. The intervals defined in the RFC are then scaled proportionally so that
the duration of the conflict detection takes at most the given value. Intervals
happening after the first announcement are not scaled, as recommended by the
RFC.
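
The proportional scaling described in the commit message above, worked through in C as an added example (not systemd's code; the function names and the integer rounding are assumptions). It computes the shortest and longest time from the start of conflict detection to the first announcement, for the RFC 5227 defaults and for a 200ms timeout:

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t usec_t;
#define USEC_PER_SEC 1000000ULL

/* RFC 5227 section 1.1 timing constants */
#define PROBE_WAIT        (1 * USEC_PER_SEC) /* upper bound of the initial random delay */
#define PROBE_NUM         3                  /* number of probes */
#define PROBE_MIN         (1 * USEC_PER_SEC) /* minimum gap between probes */
#define PROBE_MAX         (2 * USEC_PER_SEC) /* maximum gap between probes */
#define ANNOUNCE_WAIT     (2 * USEC_PER_SEC) /* last probe to first announcement */
#define ANNOUNCE_INTERVAL (2 * USEC_PER_SEC) /* between announcements, never scaled */

/* Longest path to the first announcement with unscaled values: 1 + 2*2 + 2 = 7 s */
#define RFC_WORST_CASE (PROBE_WAIT + (PROBE_NUM - 1) * PROBE_MAX + ANNOUNCE_WAIT)

/* Scale one interval by timeout/7s (assumed rounding: truncate to whole usec). */
static usec_t scale(usec_t interval, usec_t timeout) {
        return interval * timeout / RFC_WORST_CASE;
}

/* No initial delay, every probe gap at its minimum. */
usec_t first_announce_shortest(usec_t timeout) {
        return (PROBE_NUM - 1) * scale(PROBE_MIN, timeout) + scale(ANNOUNCE_WAIT, timeout);
}

/* Full initial delay, every probe gap at its maximum. */
usec_t first_announce_longest(usec_t timeout) {
        return scale(PROBE_WAIT, timeout) + (PROBE_NUM - 1) * scale(PROBE_MAX, timeout)
                + scale(ANNOUNCE_WAIT, timeout);
}

/* The second announcement follows after the unscaled ANNOUNCE_INTERVAL. */
usec_t second_announce_longest(usec_t timeout) {
        return first_announce_longest(timeout) + ANNOUNCE_INTERVAL;
}

int main(void) {
        usec_t t[] = { 7 * USEC_PER_SEC, 200000 }; /* RFC default, then 200ms */
        for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
                printf("timeout=%lluus first announcement: %llu..%lluus, second by %lluus\n",
                       (unsigned long long) t[i],
                       (unsigned long long) first_announce_shortest(t[i]),
                       (unsigned long long) first_announce_longest(t[i]),
                       (unsigned long long) second_announce_longest(t[i]));
        return 0;
}
```
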
This is needed for dnf5. But dnf-4 doesn't know about it. So also add a hint to
skip the option with dnf-4. We can drop this later when dnf5 is the default
everywhere.
Also, s/vim-minimal/nano/. Nano is the default editor in Fedora since
https://fedoraproject.org/wiki/Changes/UseNanoByDefault.

Currently LogLevelMax= can only be used to decrease the maximum log level
for a unit but not to increase it. Let's make sure the latter works as
well, so LogLevelMax=debug can be used to enable debug logging for specific
units without enabling debug logging globally.

The method is deprecated since 64f173324e
(v257) and announced that it will be removed in v258.
Let's remove it now.
This effectively reverts 84c01612de.

Some sd-bus man pages did not have any references on the main
sd-bus man page. Unless you accidentally stumbled on them from
other pages it was difficult to discover them.

The functions `sd_bus_emit_interfaces_added_strv`, `sd_bus_emit_interfaces_removed_strv`
and `sd_bus_emit_properties_changed_strv` take a `char **` not
`const char **` as last argument.
See `src/systemd/sd-bus.h` for the function definition.

We can run sd-ipv4ll/sd-ipv4acd also on an interface with IFF_NOARP
flag, but that may cause address conflict with other hosts.
Let's enable ARPing when sd-ipv4ll/sd-ipv4acd are enabled unless ARP= is
explicitly disabled.

ssh-generator and ssh-proxy are great features, it is very handy to be
able to do:

    ssh vsock/1

But, because of the '/' used as a separator, scp and rsync don't
interpret 'vsock/<CID>' as a hostname, e.g.

    $ scp /etc/machine-id vsock/2222:.
    cp: cannot create regular file 'vsock/2222:.': No such file or directory
    $ rsync /etc/machine-id vsock/2222:.
    rsync: [Receiver] change_dir#3 "(...)/vsock" failed: No such file or directory (2)
    rsync error: errors selecting input/output files, dirs (code 3) at main.c(829) [Receiver=3.4.1]

An alternative is to use ',' as separator, e.g.

    $ scp /etc/machine-id vsock,2222:.

This is what is being suggested here. The names with '/' are kept not to
break anything here.
Others are possible: '%', '=', '#', '@', ':', etc. As mentioned in
commit 0abd510f7f ("ssh-proxy: add ssh ProxyCommand tool that can
connect to AF_UNIX + AF_VSOCK sockets"), it is better to avoid ':' as it
is already taken by SSH itself when doing sftp, and "@" is already taken
for separating the user name. '#' will cause some issues with some
shells like ZSH when quotes are not used.

I think the current behaviour of not doing EFI variables when we are run
in a container makes a ton of sense, but in some cases it's useful to
do EFI var setup even when a set of namespaces is set up for us, for
example to recover a hosed installation from a rescue disk.
While we are at it, let's remove some duplicate checks, and
systematically output information why we skip various operations.
Fixes: #36174 #35005

We had a downstream discussion on what `systemctl reload-or-restart
--marked` does, until upstream chimed in and pointed out very special
behavior for that combination. 😜

The second references the first, but not vice versa. Let's fix this.