diff options
Diffstat (limited to 'man')
-rw-r--r-- | man/common-variables.xml | 8 | ||||
-rw-r--r-- | man/custom-html.xsl | 6 | ||||
-rw-r--r-- | man/daemon.xml | 2 | ||||
-rw-r--r-- | man/event-quick-child.c | 2 | ||||
-rw-r--r-- | man/hwdb-usb-device.c | 6 | ||||
-rw-r--r-- | man/org.freedesktop.resolve1.xml | 39 | ||||
-rw-r--r-- | man/path-documents.c | 2 | ||||
-rw-r--r-- | man/portablectl.xml | 4 | ||||
-rw-r--r-- | man/sd_bus_error-example.c | 2 | ||||
-rw-r--r-- | man/sd_event_add_io.xml | 24 | ||||
-rw-r--r-- | man/sd_journal_get_cursor.xml | 15 | ||||
-rw-r--r-- | man/sd_journal_seek_head.xml | 10 | ||||
-rw-r--r-- | man/systemctl.xml | 68 | ||||
-rw-r--r-- | man/systemd-bless-boot.service.xml | 2 | ||||
-rw-r--r-- | man/systemd-journald.service.xml | 16 | ||||
-rw-r--r-- | man/systemd-socket-proxyd.xml | 5 | ||||
-rw-r--r-- | man/systemd-timedated.service.xml | 4 | ||||
-rw-r--r-- | man/systemd.exec.xml | 23 | ||||
-rw-r--r-- | man/systemd.journal-fields.xml | 17 | ||||
-rw-r--r-- | man/systemd.network.xml | 13 | ||||
-rw-r--r-- | man/systemd.resource-control.xml | 16 | ||||
-rw-r--r-- | man/systemd.socket.xml | 2 |
22 files changed, 190 insertions, 96 deletions
diff --git a/man/common-variables.xml b/man/common-variables.xml index 0e220b3..4d2092f 100644 --- a/man/common-variables.xml +++ b/man/common-variables.xml @@ -129,6 +129,9 @@ </varlistentry> </variablelist> + <para>Note that setting the regular <varname>$LESS</varname> environment variable has no effect + for <command>less</command> invocations by systemd tools.</para> + <para>See <citerefentry project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> for more discussion.</para></listitem> @@ -138,7 +141,10 @@ <term><varname>$SYSTEMD_LESSCHARSET</varname></term> <listitem><para>Override the charset passed to <command>less</command> (by default <literal>utf-8</literal>, if - the invoking terminal is determined to be UTF-8 compatible).</para></listitem> + the invoking terminal is determined to be UTF-8 compatible).</para> + + <para>Note that setting the regular <varname>$LESSCHARSET</varname> environment variable has no effect + for <command>less</command> invocations by systemd tools.</para></listitem> </varlistentry> <varlistentry id='lesssecure'> diff --git a/man/custom-html.xsl b/man/custom-html.xsl index 8b21e15..2373bc3 100644 --- a/man/custom-html.xsl +++ b/man/custom-html.xsl @@ -81,13 +81,11 @@ <xsl:template match="citerefentry[@project='archlinux']"> <a> <xsl:attribute name="href"> - <xsl:text>https://www.archlinux.org/</xsl:text> - <xsl:value-of select="refentrytitle"/> - <xsl:text>/</xsl:text> + <xsl:text>https://man.archlinux.org/man/</xsl:text> <xsl:value-of select="refentrytitle"/> <xsl:text>.</xsl:text> <xsl:value-of select="manvolnum"/> - <xsl:text>.html</xsl:text> + <xsl:text>.en.html</xsl:text> </xsl:attribute> <xsl:call-template name="inline.charseq"/> </a> diff --git a/man/daemon.xml b/man/daemon.xml index f2b3f6f..c93a7ce 100644 --- a/man/daemon.xml +++ b/man/daemon.xml @@ -75,7 +75,7 @@ create an independent session.</para></listitem> <listitem><para>In the child, call <function>fork()</function> again, to ensure that the daemon can - never re-acquire a terminal again. (This relevant if the program — and all its dependencies — does + never re-acquire a terminal again. (This is relevant if the program — and all its dependencies — does not carefully specify `O_NOCTTY` on each and every single `open()` call that might potentially open a TTY device node.)</para></listitem> diff --git a/man/event-quick-child.c b/man/event-quick-child.c index 8195efb..b95ee1b 100644 --- a/man/event-quick-child.c +++ b/man/event-quick-child.c @@ -3,7 +3,7 @@ #include <assert.h> #include <stdio.h> #include <unistd.h> -#include <sd-event.h> +#include <systemd/sd-event.h> int main(int argc, char **argv) { pid_t pid = fork(); diff --git a/man/hwdb-usb-device.c b/man/hwdb-usb-device.c index 19a5db8..facd8c4 100644 --- a/man/hwdb-usb-device.c +++ b/man/hwdb-usb-device.c @@ -2,16 +2,16 @@ #include <stdio.h> #include <stdint.h> -#include <sd-hwdb.h> +#include <systemd/sd-hwdb.h> int print_usb_properties(uint16_t vid, uint16_t pid) { - char match[STRLEN("usb:vp") + DECIMAL_STR_MAX(uint16_t) * 2]; + char match[128]; sd_hwdb *hwdb; const char *key, *value; int r; /* Match this USB vendor and product ID combination */ - xsprintf(match, "usb:v%04Xp%04X", vid, pid); + snprintf(match, sizeof match, "usb:v%04Xp%04X", vid, pid); r = sd_hwdb_new(&hwdb); if (r < 0) diff --git a/man/org.freedesktop.resolve1.xml b/man/org.freedesktop.resolve1.xml index 54f0a18..e6bc573 100644 --- a/man/org.freedesktop.resolve1.xml +++ b/man/org.freedesktop.resolve1.xml @@ -156,16 +156,6 @@ node /org/freedesktop/resolve1 { }; </programlisting> - <!--method RegisterService is not documented!--> - - <!--method UnregisterService is not documented!--> - - <!--method FlushCaches is not documented!--> - - <!--method ResetServerFeatures is not documented!--> - - <!--property DNSSECNegativeTrustAnchors is not documented!--> - <!--Autogenerated cross-references for systemd.directives, do not edit--> <variablelist class="dbus-interface" generated="True" extra-ref="org.freedesktop.resolve1.Manager"/> @@ -433,6 +423,30 @@ node /org/freedesktop/resolve1 { <para>The <function>RevertLink()</function> method may be used to revert all per-link settings described above to the defaults.</para> + <para>The <function>FlushCaches()</function> flushes all resource record caches maintained by the + resolver, and ensures that any subsequent lookups re-request their responses from their sources.</para> + + <para>The <function>ResetServerFeatures()</function> flushes any feature information learned about + remote DNS servers. This ensures that subsequent lookups will be initially attempted at the highest DNS + protocol feature level again, possibly requiring a (potentially slow) downgrade cycle to recognize the + supported feature level again.</para> + + <para>The <function>RegisterService()</function> method may be used to register a DNS-SD service on the + host. This functionality is closely related to the functionality provided by + <citerefentry><refentrytitle>systemd.dnssd</refentrytitle><manvolnum>5</manvolnum></citerefentry> + files. It takes a server identifier string as first parameter (this is jus a local identifier, and + should be chosen so that it neither collides with the basename of <filename>*.dnssd</filename> files + nor with names chosen by other IPC clients). It also takes a name template string for the DNS-SD + service name visible on the network. This string is subject to specifier expansation, as documented for + the <varname>Name=</varname> setting in <filename>*.dnssd</filename> files. It also takes a service + type string containing the DNS-SD service type, as well as an IP port, a priority/weight pair for the + DNS-SD SRV record. Finally, it takes an array of TXT record data. It returns an object path which may be + used as handle to the registered service.</para> + + <para>The <function>UnregisterService()</function> method undoes the effect of + <function>RegisterService()</function> and deletes a DNS-SD service previously created via IPC + again.</para> + <refsect3> <title>The Flags Parameter</title> @@ -634,6 +648,9 @@ node /org/freedesktop/resolve1 { enabled. Possible values are <literal>yes</literal> (enabled), <literal>no</literal> (disabled), <literal>udp</literal> (only the UDP listener is enabled), and <literal>tcp</literal> (only the TCP listener is enabled).</para> + + <para>The <varname>DNSSECNegativeTrustAnchors</varname> property contains a list of recognized DNSSEC + negative trust anchors and contains a list of domains.</para> </refsect2> </refsect1> @@ -688,8 +705,6 @@ node /org/freedesktop/resolve1/link/_1 { }; </programlisting> - <!--property DNSSECNegativeTrustAnchors is not documented!--> - <!--Autogenerated cross-references for systemd.directives, do not edit--> <variablelist class="dbus-interface" generated="True" extra-ref="org.freedesktop.resolve1.Link"/> diff --git a/man/path-documents.c b/man/path-documents.c index a357dd6..994f20b 100644 --- a/man/path-documents.c +++ b/man/path-documents.c @@ -2,7 +2,7 @@ #include <stdio.h> #include <stdlib.h> -#include <sd-path.h> +#include <systemd/sd-path.h> int main(void) { int r; diff --git a/man/portablectl.xml b/man/portablectl.xml index 963361e..267ea09 100644 --- a/man/portablectl.xml +++ b/man/portablectl.xml @@ -45,12 +45,12 @@ within the file system context of the image.</para> <para>Portable service images are an efficient way to bundle multiple related services and other units together, - and transfer them as a whole between systems. When these images are attached the local system the contained units + and transfer them as a whole between systems. When these images are attached to the local system, the contained units may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing, depending on the selected configuration. For more details, see <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.</para> - <para>Specifically portable service images may be of the following kind:</para> + <para>Portable service images may be of the following kinds:</para> <itemizedlist> <listitem><para>Directory trees containing an OS, including the top-level directories <filename>/usr/</filename>, diff --git a/man/sd_bus_error-example.c b/man/sd_bus_error-example.c index 9b162eb..4b5217c 100644 --- a/man/sd_bus_error-example.c +++ b/man/sd_bus_error-example.c @@ -3,7 +3,7 @@ #include <errno.h> #include <string.h> #include <unistd.h> -#include <sd-bus.h> +#include <systemd/sd-bus.h> int writer_with_negative_errno_return(int fd, sd_bus_error *error) { const char *message = "Hello, World!\n"; diff --git a/man/sd_event_add_io.xml b/man/sd_event_add_io.xml index 383a58a..238ca08 100644 --- a/man/sd_event_add_io.xml +++ b/man/sd_event_add_io.xml @@ -217,16 +217,20 @@ source object and returns the non-negative file descriptor or a negative error number on error (see below).</para> - <para><function>sd_event_source_set_io_fd()</function> - changes the UNIX file descriptor of an I/O event source created - previously with <function>sd_event_add_io()</function>. It takes - the event source object and the new file descriptor.</para> - - <para><function>sd_event_source_set_io_fd_own()</function> controls whether the file descriptor of the event source - shall be closed automatically when the event source is freed, i.e. whether it shall be considered 'owned' by the - event source object. By default it is not closed automatically, and the application has to do this on its own. The - <parameter>b</parameter> parameter is a boolean parameter: if zero, the file descriptor is not closed automatically - when the event source is freed, otherwise it is closed.</para> + <para><function>sd_event_source_set_io_fd()</function> changes the UNIX file descriptor of an I/O event + source created previously with <function>sd_event_add_io()</function>. It takes the event source object + and the new file descriptor. If the event source takes the ownership of the previous file descriptor, + that is, <function>sd_event_source_set_io_fd_own()</function> was called for the event source with a + non-zero value, then the previous file descriptor will be closed and the event source will also take the + ownership of the new file descriptor on success.</para> + + <para><function>sd_event_source_set_io_fd_own()</function> controls whether the file descriptor of the + event source shall be closed automatically when the event source is freed (or when the file descriptor + assigned to the event source is replaced by <function>sd_event_source_set_io_fd()</function>), i.e. + whether it shall be considered 'owned' by the event source object. By default it is not closed + automatically, and the application has to do this on its own. The <parameter>b</parameter> parameter is a + boolean parameter: if zero, the file descriptor is not closed automatically when the event source is + freed, otherwise it is closed.</para> <para><function>sd_event_source_get_io_fd_own()</function> may be used to query the current setting of the file descriptor ownership boolean flag as set with <function>sd_event_source_set_io_fd_own()</function>. It returns diff --git a/man/sd_journal_get_cursor.xml b/man/sd_journal_get_cursor.xml index acaba06..5620d18 100644 --- a/man/sd_journal_get_cursor.xml +++ b/man/sd_journal_get_cursor.xml @@ -61,12 +61,6 @@ and should be freed after use with <citerefentry project='man-pages'><refentrytitle>free</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para> - <para>Note that <function>sd_journal_get_cursor()</function> will - not work before - <citerefentry><refentrytitle>sd_journal_next</refentrytitle><manvolnum>3</manvolnum></citerefentry> - (or related call) has been called at least once, in order to - position the read pointer at a valid entry.</para> - <para><function>sd_journal_test_cursor()</function> may be used to check whether the current position in the journal matches the specified cursor. This is @@ -75,10 +69,17 @@ multiple different cursor strings, and hence string comparing cursors is not possible. Use this call to verify after an invocation of - <citerefentry><refentrytitle>sd_journal_seek_cursor</refentrytitle><manvolnum>3</manvolnum></citerefentry> + <citerefentry><refentrytitle>sd_journal_seek_cursor</refentrytitle><manvolnum>3</manvolnum></citerefentry>, whether the entry being sought to was actually found in the journal or the next closest entry was used instead.</para> + + <para>Note that <function>sd_journal_get_cursor()</function> + and <function>sd_journal_test_cursor()</function> + will not work before + <citerefentry><refentrytitle>sd_journal_next</refentrytitle><manvolnum>3</manvolnum></citerefentry> + (or one of the other functions which move to an entry) + has been called at least once to position the read pointer at a valid entry.</para> </refsect1> <refsect1> diff --git a/man/sd_journal_seek_head.xml b/man/sd_journal_seek_head.xml index 869889a..e95b697 100644 --- a/man/sd_journal_seek_head.xml +++ b/man/sd_journal_seek_head.xml @@ -82,8 +82,7 @@ string. For details on cursors, see <citerefentry><refentrytitle>sd_journal_get_cursor</refentrytitle><manvolnum>3</manvolnum></citerefentry>. If no entry matching the specified cursor is found the call will seek to the next closest entry (in terms - of time) instead. To verify whether the newly selected entry actually matches the cursor, use - <citerefentry><refentrytitle>sd_journal_test_cursor</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para> + of time) instead.</para> <para>Note that these calls do not actually make any entry the new current entry, this needs to be done in a separate step with a subsequent @@ -97,6 +96,13 @@ used, the closest following entry will be sought to, if <citerefentry><refentrytitle>sd_journal_previous</refentrytitle><manvolnum>3</manvolnum></citerefentry> is used the closest preceding entry is sought to.</para> + + <para>After the seek is done, and + <citerefentry><refentrytitle>sd_journal_next</refentrytitle><manvolnum>3</manvolnum></citerefentry> + or a similar call has been made, + <citerefentry><refentrytitle>sd_journal_test_cursor</refentrytitle><manvolnum>3</manvolnum></citerefentry> + may be used to verify whether the newly selected entry actually matches the cursor. + </para> </refsect1> <refsect1> diff --git a/man/systemctl.xml b/man/systemctl.xml index 00ae580..862609f 100644 --- a/man/systemctl.xml +++ b/man/systemctl.xml @@ -1176,46 +1176,64 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err <term><command>show-environment</command></term> <listitem> - <para>Dump the systemd manager environment block. This is the environment - block that is passed to all processes the manager spawns. The environment - block will be dumped in straightforward form suitable for sourcing into - most shells. If no special characters or whitespace is present in the variable - values, no escaping is performed, and the assignments have the form - <literal>VARIABLE=value</literal>. If whitespace or characters which have - special meaning to the shell are present, dollar-single-quote escaping is - used, and assignments have the form <literal>VARIABLE=$'value'</literal>. - This syntax is known to be supported by - <citerefentry project='die-net'><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry project='die-net'><refentrytitle>zsh</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry project='die-net'><refentrytitle>ksh</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - and - <citerefentry project='die-net'><refentrytitle>busybox</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s - <citerefentry project='die-net'><refentrytitle>ash</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - but not - <citerefentry project='die-net'><refentrytitle>dash</refentrytitle><manvolnum>1</manvolnum></citerefentry> - or - <citerefentry project='die-net'><refentrytitle>fish</refentrytitle><manvolnum>1</manvolnum></citerefentry>. + <para>Dump the systemd manager environment block. This is the environment block that is passed to + all processes the manager spawns. The environment block will be dumped in straightforward form + suitable for sourcing into most shells. If no special characters or whitespace is present in the + variable values, no escaping is performed, and the assignments have the form + <literal>VARIABLE=value</literal>. If whitespace or characters which have special meaning to the + shell are present, dollar-single-quote escaping is used, and assignments have the form + <literal>VARIABLE=$'value'</literal>. This syntax is known to be supported by <citerefentry + project='die-net'><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry + project='die-net'><refentrytitle>zsh</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry + project='die-net'><refentrytitle>ksh</refentrytitle><manvolnum>1</manvolnum></citerefentry>, and + <citerefentry + project='die-net'><refentrytitle>busybox</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s + <citerefentry + project='die-net'><refentrytitle>ash</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but + not <citerefentry + project='die-net'><refentrytitle>dash</refentrytitle><manvolnum>1</manvolnum></citerefentry> or + <citerefentry + project='die-net'><refentrytitle>fish</refentrytitle><manvolnum>1</manvolnum></citerefentry>. </para> + + <para>Note that this shows the <emphasis>effective</emphasis> block, i.e. the combination of + environment variables configured via configuration files, environment generators and via IPC + (i.e. via the <command>set-environment</command> described below). At the moment a unit process + is forked off this combined environment block will be further combined with per-unit environment + variables, which are not visible in this command.</para> </listitem> </varlistentry> <varlistentry> <term><command>set-environment <replaceable>VARIABLE=VALUE</replaceable>…</command></term> <listitem> - <para>Set one or more systemd manager environment variables, as specified on the command + <para>Set one or more service manager environment variables, as specified on the command line. This command will fail if variable names and values do not conform to the rules listed above.</para> + + <para>Note that this operates on an environment block separate from the environment block + configured from service manager configuration and environment generators. Whenever a process is + invoked the two blocks are combined (also incorporating any per-service environment variables), + and passed to it. The <command>show-environment</command> verb will show the combination of the + blocks, see above.</para> </listitem> </varlistentry> <varlistentry> <term><command>unset-environment <replaceable>VARIABLE</replaceable>…</command></term> <listitem> - <para>Unset one or more systemd manager environment - variables. If only a variable name is specified, it will be - removed regardless of its value. If a variable and a value - are specified, the variable is only removed if it has the - specified value.</para> + <para>Unset one or more systemd manager environment variables. If only a variable name is + specified, it will be removed regardless of its value. If a variable and a value are specified, + the variable is only removed if it has the specified value.</para> + + <para>Note that this operates on an environment block separate from the environment block + configured from service manager configuration and environment generators. Whenever a process is + invoked the two blocks are combined (also incorporating any per-service environment variables), + and passed to it. The <command>show-environment</command> verb will show the combination of the + blocks, see above. Note that this means this command cannot be used to unset environment + variables defined in the service manager configuration files or via generators.</para> </listitem> </varlistentry> <varlistentry> diff --git a/man/systemd-bless-boot.service.xml b/man/systemd-bless-boot.service.xml index bccf22c..f9720c8 100644 --- a/man/systemd-bless-boot.service.xml +++ b/man/systemd-bless-boot.service.xml @@ -37,7 +37,7 @@ boot counting is used.</para> <para>Internally, the service operates based on the <varname>LoaderBootCountPath</varname> EFI variable (of the - vendor UUID <constant>4a67b082-0a4c-41cf-b6c7-440b29bb8c4</constant>), which is passed from the boot loader to the + vendor UUID <constant>4a67b082-0a4c-41cf-b6c7-440b29bb8c4f</constant>), which is passed from the boot loader to the OS. It contains a file system path (relative to the EFI system partition) of the <ulink url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader Specification</ulink> compliant boot loader entry file or unified kernel image file that was used to boot up the diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml index 8fa8644..b81dca9 100644 --- a/man/systemd-journald.service.xml +++ b/man/systemd-journald.service.xml @@ -236,6 +236,22 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting> </listitem> </varlistentry> + + <varlistentry> + <term><varname>systemd.journald.max_level_store=</varname></term> + <term><varname>systemd.journald.max_level_syslog=</varname></term> + <term><varname>systemd.journald.max_level_kmsg=</varname></term> + <term><varname>systemd.journald.max_level_console=</varname></term> + <term><varname>systemd.journald.max_level_wall=</varname></term> + <term><varname>systemd.journald.max_level_socket=</varname></term> + + <listitem><para>Controls the maximum log level of messages that are stored in the journal, forwarded + to syslog, kmsg, the console, the wall, or a socket. This kernel command line options override the + settings of the same names in the + <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> + file.</para> + </listitem> + </varlistentry> </variablelist> <para>Note that these kernel command line options are only honoured by the default namespace, see diff --git a/man/systemd-socket-proxyd.xml b/man/systemd-socket-proxyd.xml index e512a43..e6ef7b0 100644 --- a/man/systemd-socket-proxyd.xml +++ b/man/systemd-socket-proxyd.xml @@ -53,6 +53,11 @@ <literal>Accept=no</literal> and an event-driven design that scales better with the number of connections.</para> + + <para>Note that <command>systemd-socket-proxyd</command> will not forward socket side channel + information, i.e. will not forward <constant>SCM_RIGHTS</constant>, <constant>SCM_CREDENTIALS</constant>, + <constant>SCM_SECURITY</constant>, <constant>SO_PEERCRED</constant>, <constant>SO_PEERPIDFD</constant>, + <constant>SO_PEERSEC</constant>, <constant>SO_PEERGROUPS</constant> and similar.</para> </refsect1> <refsect1> <title>Options</title> diff --git a/man/systemd-timedated.service.xml b/man/systemd-timedated.service.xml index 112bdf3..c0314d5 100644 --- a/man/systemd-timedated.service.xml +++ b/man/systemd-timedated.service.xml @@ -63,7 +63,7 @@ <refsect1> <title>List of network time synchronization services</title> - <para><command>systemd-timesyncd</command> will look for files with a <literal>.list</literal> extension + <para><command>systemd-timedated</command> will look for files with a <literal>.list</literal> extension in <filename>ntp-units.d/</filename> directories. Each file is parsed as a list of unit names, one per line. Empty lines and lines with comments (<literal>#</literal>) are ignored. Files are read from <filename>/usr/lib/systemd/ntp-units.d/</filename> and the corresponding directories under @@ -82,7 +82,7 @@ systemd-timesyncd.service </example> <para>If the environment variable <varname>$SYSTEMD_TIMEDATED_NTP_SERVICES</varname> is set, - <command>systemd-timesyncd</command> will parse the contents of that variable as a colon-separated list + <command>systemd-timedated</command> will parse the contents of that variable as a colon-separated list of unit names. When set, this variable overrides the file-based list described above.</para> <example> diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index d3b64e9..0aad217 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1240,6 +1240,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> accessible to privileged processes. However, most namespacing settings, that will not work on their own in user services, will work when used in conjunction with <varname>PrivateUsers=</varname><option>true</option>.</para> + <para>Note that the various options that turn directories read-only (such as + <varname>ProtectSystem=</varname>, <varname>ReadOnlyPaths=</varname>, …) do not affect the ability for + programs to connect to and communicate with <constant>AF_UNIX</constant> sockets in these + directores. These options cannot be used to lock down access to IPC services hence.</para> + <variablelist class='unit-directives'> <varlistentry> @@ -1253,14 +1258,16 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> mounted read-only, except for the API file system subtrees <filename>/dev/</filename>, <filename>/proc/</filename> and <filename>/sys/</filename> (protect these directories using <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, - <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied - operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is - recommended to enable this setting for all long-running services, unless they are involved with system updates - or need to modify the operating system in other ways. If this option is used, - <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This - setting is implied if <varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all - cases. In general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below. Defaults to - off.</para></listitem> + <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the + vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited + for the service. It is recommended to enable this setting for all long-running services, unless they + are involved with system updates or need to modify the operating system in other ways. If this option + is used, <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being + made read-only. Similar, <varname>StateDirectory=</varname>, <varname>LogsDirectory=</varname>, … and + related directory settings (see below) also exclude the specific directories from the effect of + <varname>ProtectSystem=</varname>. This setting is implied if <varname>DynamicUser=</varname> is + set. This setting cannot ensure protection in all cases. In general it has the same limitations as + <varname>ReadOnlyPaths=</varname>, see below. Defaults to off.</para></listitem> </varlistentry> <varlistentry> diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml index caedb6e..7e72701 100644 --- a/man/systemd.journal-fields.xml +++ b/man/systemd.journal-fields.xml @@ -491,8 +491,7 @@ <varlistentry> <term><varname>OBJECT_PID=<replaceable>PID</replaceable></varname></term> <listitem> - <para>PID of the program that this message pertains to. - </para> + <para>PID of the program that this message pertains to.</para> </listitem> </varlistentry> @@ -510,9 +509,8 @@ <term><varname>OBJECT_SYSTEMD_UNIT=</varname></term> <term><varname>OBJECT_SYSTEMD_USER_UNIT=</varname></term> <listitem> - <para>These are additional fields added automatically by - <command>systemd-journald</command>. Their meaning is the - same as + <para>These are additional fields added automatically by <command>systemd-journald</command>. + Their meaning is the same as <varname>_UID=</varname>, <varname>_GID=</varname>, <varname>_COMM=</varname>, @@ -530,6 +528,15 @@ process which logged the message.</para> </listitem> </varlistentry> + + <varlistentry> + <term><varname>OBJECT_SYSTEMD_INVOCATION_ID=</varname></term> + <listitem> + <para>An additional field added automatically by <command>systemd-journald</command>. The meaning + is mostly the same as <varname>_SYSTEMD_INVOCATION_ID=</varname>, with the difference described + above.</para> + </listitem> + </varlistentry> </variablelist> </refsect1> diff --git a/man/systemd.network.xml b/man/systemd.network.xml index e1c050f..8434247 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -354,13 +354,12 @@ <varlistentry> <term><varname>LinkLocalAddressing=</varname></term> <listitem> - <para>Enables link-local address autoconfiguration. Accepts <option>yes</option>, - <option>no</option>, <option>ipv4</option>, and <option>ipv6</option>. An IPv6 link-local - address is configured when <option>yes</option> or <option>ipv6</option>. An IPv4 link-local - address is configured when <option>yes</option> or <option>ipv4</option> and when DHCPv4 - autoconfiguration has been unsuccessful for some time. (IPv4 link-local address - autoconfiguration will usually happen in parallel with repeated attempts to acquire a DHCPv4 - lease).</para> + <para>Enables link-local address autoconfiguration. Accepts a boolean, <option>ipv4</option>, + and <option>ipv6</option>. An IPv6 link-local address is configured when <option>yes</option> + or <option>ipv6</option>. An IPv4 link-local address is configured when <option>yes</option> + or <option>ipv4</option> and when DHCPv4 autoconfiguration has been unsuccessful for some time. + (IPv4 link-local address autoconfiguration will usually happen in parallel with repeated attempts + to acquire a DHCPv4 lease).</para> <para>Defaults to <option>no</option> when <varname>KeepMaster=</varname> or <varname>Bridge=</varname> is set or when the specified diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index 48e7c52..f5b6b82 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -632,6 +632,9 @@ CPUWeight=20 DisableControllers=cpu / \ <para>The system default for this setting may be controlled with <varname>DefaultIPAccounting=</varname> in <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> + + <para>Note that this functionality is currently only available for system services, not for + per-user services.</para> </listitem> </varlistentry> @@ -828,8 +831,10 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook <term><varname>SocketBindDeny=<replaceable>bind-rule</replaceable></varname></term> <listitem> - <para>Allow or deny binding a socket address to a socket by matching it with the <replaceable>bind-rule</replaceable> and - applying a corresponding action if there is a match.</para> + <para>Configures restrictions on the ability of unit processes to invoke <citerefentry + project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry> on a + socket. Both allow and deny rules may defined that restrict which addresses a socket may be bound + to.</para> <para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>, <replaceable>transport-protocol</replaceable> and <replaceable>ip-ports</replaceable>.</para> @@ -876,6 +881,13 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook </itemizedlist> <para>The feature is implemented with <constant>cgroup/bind4</constant> and <constant>cgroup/bind6</constant> cgroup-bpf hooks.</para> + + <para>Note that these settings apply to any <citerefentry + project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry> + system call invocation by the unit processes, regardless in which network namespace they are + placed. Or in other words: changing the network namespace is not a suitable mechanism for escaping + these restrictions on <function>bind()</function>.</para> + <para>Examples:<programlisting>… # Allow binding IPv6 socket addresses with a port greater than or equal to 10000. [Service] diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 69aa9f3..e506fee 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -724,7 +724,7 @@ <varlistentry> <term><varname>TCPCongestion=</varname></term> <listitem><para>Takes a string value. Controls the TCP congestion algorithm used by this - socket. Should be one of <literal>westwood</literal>, <literal>veno</literal>, + socket. Should be one of <literal>westwood</literal>, <literal>reno</literal>, <literal>cubic</literal>, <literal>lp</literal> or any other available algorithm supported by the IP stack. This setting applies only to stream sockets.</para></listitem> </varlistentry> |