diff --git a/NEWS b/NEWS index 3497d02f0c..e793498cc7 100644 --- a/NEWS +++ b/NEWS @@ -718,9 +718,9 @@ CHANGES WITH 254: store enabled. * A new service option FileDescriptorStorePreserve= has been added that - allows tuning the life-cycle of the per-service file descriptor - store. If set to "yes", the entries in the fd store are retained even - after the service has been fully stopped. + allows tuning the lifecycle of the per-service file descriptor store. + If set to "yes", the entries in the fd store are retained even after + the service has been fully stopped. * The "systemctl clean" command may now be used to clear the fdstore of a service. diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in index 37b59adbdd..8591a654aa 100644 --- a/catalog/systemd.catalog.in +++ b/catalog/systemd.catalog.in @@ -741,7 +741,7 @@ compatibility. Note that these automatically generated compatibility unit files cannot replace native unit files as they generally slow down the system (by creating unnecessary, additional synchronization points), are less robust (as SysV services -cannot properly be life-cycle tracked or automatically restarted) and less +cannot properly be lifecycle tracked or automatically restarted) and less secure (as no sandboxing restrictions can be enforced). Compatibility support for System V services in systemd is deprecated. Please diff --git a/docs/BUILDING_IMAGES.md b/docs/BUILDING_IMAGES.md index 15ca27845e..b11afa3a36 100644 --- a/docs/BUILDING_IMAGES.md +++ b/docs/BUILDING_IMAGES.md @@ -5,7 +5,7 @@ layout: default SPDX-License-Identifier: LGPL-2.1-or-later --- -# Safely Building Images +# Building Images Safely In many scenarios OS installations are shipped as pre-built images, that require no further installation process beyond simple `dd`-ing the image to diff --git a/docs/FILE_DESCRIPTOR_STORE.md b/docs/FILE_DESCRIPTOR_STORE.md index 15973cd20b..206dda7038 100644 --- a/docs/FILE_DESCRIPTOR_STORE.md +++ b/docs/FILE_DESCRIPTOR_STORE.md 
@@ -47,7 +47,7 @@ conveniently be used to serialize service state into and then place in the fdstore, in order to implement service restarts with full service state being passed over. -# Basic Mechanism +## Basic Mechanism The fdstore is enabled per-service via the [`FileDescriptorStoreMax=`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#FileDescriptorStoreMax=) @@ -76,7 +76,7 @@ both operates on IPv4 and IPv6 and treats both more or less the same.). And that's already the gist of it. -# Seamless Service Restarts +## Seamless Service Restarts A system service that provides a client-facing interface that shall be able to seamlessly restart can make use of this in a scheme like the following: @@ -100,14 +100,14 @@ general principle of guaranteeing a pristine execution environment, a pristine security context, and a pristine resource management context for freshly started services, without uncontrolled "leftovers" from previous runs. For example: leaving processes from previous runs generally negatively affects -life-cycle management (i.e. `KillMode=none` must be set), which disables large +lifecycle management (i.e. `KillMode=none` must be set), which disables large parts of the service managers state tracking, resource management (as resource counters cannot start at zero during service activation anymore, since the old processes remaining skew them), security policies (as processes with possibly out-of-date security policies – SElinux, AppArmor, any LSM, seccomp, BPF — in effect remain), and similar. -# File Descriptor Store Life-cycle +## File Descriptor Store Lifecycle By default any file descriptor stored in the fdstore for which a `POLLHUP` or `POLLERR` is seen is automatically closed and removed from the fdstore. This 
@@ -148,7 +148,7 @@ way will not receive an automatic `POLLHUP` event anymore if the service code issues `close()` on the socket. It must accompany it with an `FDSTOREREMOVE=1` notification to the service manager, so that the fd is comprehensively closed. -# Access Control +## Access Control Access to the fds in the file descriptor store is generally restricted to the service code itself. Pushing fds into or removing fds from the fdstore is @@ -160,7 +160,7 @@ By default only the main service process hence can push/remove fds, but by setting `NotifyAccess=all` this may be relaxed to allow arbitrary service child processes to do the same. -# Soft Reboot +## Soft Reboot The fdstore is particularly interesting in [soft reboot](https://www.freedesktop.org/software/systemd/man/systemd-soft-reboot.service.html) @@ -181,7 +181,7 @@ continuously). For further details see [Resource Pass-Through](https://www.freedesktop.org/software/systemd/man/systemd-soft-reboot.service.html#Resource%20Pass-Through). -# initrd Transitions +## Initrd Transitions The fdstore may also be used to pass file descriptors for resources from the initrd context to the main system. Restarting all processes after the @@ -198,7 +198,7 @@ The soft reboot cycle transition and the initrd→host transition are semantically very similar, hence similar rules apply, and in both cases it is recommended to use the fdstore if pinned resources shall be passed over. -# Debugging +## Debugging The [`systemd-analyze`](https://www.freedesktop.org/software/systemd/man/systemd-analyze.html#systemd-analyze%20fdstore%20%5BUNIT...%5D) diff --git a/docs/PORTABLE_SERVICES.md b/docs/PORTABLE_SERVICES.md index 7f07f231da..6f5ff112d2 100644 --- a/docs/PORTABLE_SERVICES.md +++ b/docs/PORTABLE_SERVICES.md 
@@ -5,7 +5,7 @@ layout: default SPDX-License-Identifier: LGPL-2.1-or-later --- -# Portable Services Introduction +# Portable Services systemd (since version 239) supports a concept of "Portable Services". "Portable Services" are a delivery method for system services that uses diff --git a/man/crypttab.xml b/man/crypttab.xml index fa60599301..e94bf1ca17 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml @@ -556,8 +556,9 @@ Note that VeraCrypt enforces a minimal allowed PIM value depending on the password strength and the hash algorithm used for key derivation, however is not checked against these bounds. - See - documentation for more information. + See + Veracrypt Personal Iterations Multiplier + documentation for more information. @@ -980,8 +981,9 @@ external /dev/sda3 keyfile:LABEL=keydev keyfile-timeout=10s,cipher=xchac We use RSA2048, which is the longest key size current Yubikeys support We use Yubikey key slot 9d, since that's apparently the keyslot to use for decryption purposes, - see - documentation. + see + Yubico PIV certificate slots. + diff --git a/man/journalctl.xml b/man/journalctl.xml index 8ac5400841..bdead3f8b5 100644 --- a/man/journalctl.xml +++ b/man/journalctl.xml @@ -865,7 +865,7 @@ removes archived journal files older than the specified timespan. Accepts the usual s (default), m, - h, days, months, weeks + h, days, weeks, months, and years suffixes, see systemd.time7 for details. diff --git a/man/machinectl.xml b/man/machinectl.xml index 3f4228ee14..6d391b76d9 100644 --- a/man/machinectl.xml +++ b/man/machinectl.xml 
@@ -413,10 +413,12 @@ edit NAME|FILE - Edit the settings file of the specified machines. For the format of the settings file, refer to systemd.nspawn5. - If an existing settings file of the given machine can't be found, edit automatically - create a new settings file from scratch under /etc/ + Edit the settings file of the specified machines. For the format of the settings + file, refer to + systemd.nspawn5. + If an existing settings file of the given machine can't be found, edit + automatically create a new settings file from scratch under /etc/. + diff --git a/man/networkctl.xml b/man/networkctl.xml index c83277a683..68b1d97f09 100644 --- a/man/networkctl.xml +++ b/man/networkctl.xml @@ -72,7 +72,7 @@ missing - the device is missing + The device is missing. @@ -80,7 +80,7 @@ off - the device is powered down + The device is powered down. @@ -88,7 +88,7 @@ no-carrier - the device is powered up, but it does not yet have a carrier + The device is powered up, but does not yet have a carrier. @@ -96,7 +96,7 @@ dormant - the device has a carrier, but is not yet ready for normal traffic + The device has a carrier, but is not yet ready for normal traffic. @@ -104,7 +104,8 @@ degraded-carrier - one of the bonding or bridge slave network interfaces is in off, no-carrier, or dormant state, and the master interface has no address. + One of the bonding or bridge slave network interfaces is in off, no-carrier, or + dormant state, and the master interface has no address. @@ -112,8 +113,8 @@ carrier - the link has a carrier, or for bond or bridge master, all bonding or bridge slave - network interfaces are enslaved to the master + The link has carrier, or for bond or bridge master, all bonding or bridge slave + network interfaces are enslaved to the master. 
@@ -121,7 +122,7 @@ degraded - the link has carrier and addresses valid on the local link configured. For bond or + The link has carrier and addresses valid on the local link configured. For bond or bridge master this means that not all slave network interfaces have carrier but at least one does. @@ -131,7 +132,8 @@ enslaved - the link has carrier and is enslaved to bond or bridge master network interface + The link has carrier and is enslaved to bond or bridge master network interface. + @@ -139,7 +141,7 @@ routable - the link has carrier and routable address configured. For bond or bridge master it is + The link has carrier and routable address configured. For bond or bridge master it is not necessary for all slave network interfaces to have carrier, but at least one must. @@ -153,7 +155,8 @@ pending - udev is still processing the link, we don't yet know if we will manage it + systemd-udevd8 + is still processing the link, we don't yet know if we will manage it. @@ -161,7 +164,8 @@ initialized - udev has processed the link, but we don't yet know if we will manage it + systemd-udevd8 + has processed the link, but we don't yet know if we will manage it. @@ -169,7 +173,7 @@ configuring - in the process of retrieving configuration or configuring the link + Configuration for the link is being retrieved or the link is being configured. @@ -177,7 +181,7 @@ configured - link configured successfully + Link has been configured successfully. @@ -185,7 +189,7 @@ unmanaged - networkd is not handling the link + systemd-networkd is not handling the link. @@ -193,7 +197,7 @@ failed - networkd failed to manage the link + systemd-networkd failed to configure the link. @@ -201,7 +205,7 @@ linger - the link is gone, but has not yet been dropped by networkd + The link is gone, but has not yet been dropped by systemd-networkd. 
@@ -246,7 +250,7 @@ unknown - all links have unknown online status (i.e. there are no required links) + All links have unknown online status (i.e. there are no required links). @@ -254,7 +258,7 @@ offline - all required links are offline + All required links are offline. @@ -262,7 +266,7 @@ partial - some, but not all, required links are online + Some, but not all, required links are online. @@ -270,7 +274,7 @@ online - all required links are online + All required links are online. @@ -436,7 +440,8 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR) the main configuration file. Unless is specified, systemd-networkd will be reloaded after the edit of the .network or .netdev files finishes. - The same applies for .link files and systemd-udevd. + The same applies for .link files and + systemd-udevd8. Note that the changed link settings are not automatically applied after reloading. To achieve that, trigger uevents for the corresponding interface. Refer to systemd.link5 @@ -514,8 +519,7 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR) - - NAME + NAME When used with edit, edit the drop-in file NAME @@ -529,8 +533,11 @@ s - Service VLAN, m - Two-port MAC Relay (TPMR) - When used with edit, systemd-networkd - or systemd-udevd will not be reloaded after the editing finishes. + When used with edit, + systemd-networkd.service8 + or + systemd-udevd.service8 + will not be reloaded after the editing finishes. diff --git a/man/os-release.xml b/man/os-release.xml index fbcce9bd5a..f2e0f3ecb7 100644 --- a/man/os-release.xml +++ b/man/os-release.xml 
@@ -104,7 +104,7 @@ /usr/lib/extension-release.d/extension-release.IMAGE plays the same role for extension images as os-release for the main system, and follows the syntax and rules as described in the Portable Services Documentation. The purpose of this + url="https://systemd.io/PORTABLE_SERVICES">Portable Services page. The purpose of this file is to identify the extension and to allow the operating system to verify that the extension image matches the base OS. This is typically implemented by checking that the ID= options match, and either SYSEXT_LEVEL= exists and matches too, or if it is not present, @@ -534,7 +534,7 @@ PORTABLE_PREFIXES= Takes a space-separated list of one or more valid prefix match strings for the - Portable Services Documentation logic. + Portable Services logic. This field serves two purposes: it is informational, identifying portable service images as such (and thus allowing them to be distinguished from other OS images, such as bootable system images). It is also used when a portable service image is attached: the specified or implied portable diff --git a/man/resolvectl.xml b/man/resolvectl.xml index 549dbbd2b7..4498732656 100644 --- a/man/resolvectl.xml +++ b/man/resolvectl.xml 
@@ -77,17 +77,17 @@ [[NAME] TYPE] DOMAIN - Resolve DNS-SD and SRV services, depending on the specified list of - parameters. If three parameters are passed the first is assumed to be the DNS-SD service name, the - second the SRV service type, and the third the domain to search in. - In this case a full DNS-SD style SRV and TXT lookup is executed. If only two parameters are specified, the first is - assumed to be the SRV service type, and the second the domain to look - in. In this case no TXT resource record is requested. Finally, if - only one parameter is specified, it is assumed to be a domain name, that is already prefixed with an - SRV type, and an SRV lookup is done - (no TXT). + Resolve RFC 6763 DNS-SD and + RFC 2782 SRV services, depending on the + specified list of parameters. If three parameters are passed the first is assumed to be the DNS-SD + service name, the second the SRV service type, and the third the + domain to search in. In this case a full DNS-SD style SRV and + TXT lookup is executed. If only two parameters are specified, the + first is assumed to be the SRV service type, and the second the + domain to look in. In this case no TXT resource record is requested. + Finally, if only one parameter is specified, it is assumed to be a domain name, that is already + prefixed with an SRV type, and an SRV lookup is done (no TXT). diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index b6178c1093..8edd6c94ef 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml 
@@ -363,17 +363,21 @@ DNSStubListenerExtra=udp:[2001:db8:0:f102::13]:9953 StaleRetentionSec=SECONDS - Takes a duration value, which determines the length of time DNS resource records can be retained - in the cache beyond their Time To Live (TTL). This allows these records to be returned as stale records. - By default, this value is set to zero, meaning that DNS resource records are not stored in the cache after their TTL expires. + Takes a duration value, which determines the length of time DNS resource records can + be retained in the cache beyond their Time To Live (TTL). This allows these records to be returned as + stale records. By default, this value is set to zero, meaning that DNS resource records are not + stored in the cache after their TTL expires. - This is useful when a DNS server failure occurs or becomes unreachable. - In such cases, systemd-resolved continues to use the stale records to answer DNS queries, particularly when no valid response - can be obtained from the upstream DNS servers. However, this doesn't apply to NXDOMAIN responses, as those are still perfectly valid responses. - This feature enhances resilience against DNS infrastructure failures and outages. + This is useful when a DNS server failure occurs or becomes unreachable. In such cases, + systemd-resolved8 + continues to use the stale records to answer DNS queries, particularly when no valid response can be + obtained from the upstream DNS servers. However, this doesn't apply to NXDOMAIN responses, as those + are still perfectly valid responses. This feature enhances resilience against DNS infrastructure + failures and outages. - systemd-resolved always attempts to reach the upstream DNS servers first, before providing the client application with any stale data. - If this feature is enabled, cache will not be flushed when changing servers. + systemd-resolved always attempts to reach the upstream DNS servers first, + before providing the client application with any stale data. 
If this feature is enabled, cache will + not be flushed when changing servers. diff --git a/man/sd-id128.xml b/man/sd-id128.xml index 4021b8844b..d264220b0b 100644 --- a/man/sd-id128.xml +++ b/man/sd-id128.xml @@ -190,7 +190,7 @@ int main(int argc, char **argv) { are similar to SD_ID128_FORMAT_STR and SD_ID128_MAKE_STR(), but include separating hyphens to conform to the - "canonical representation". + "UUID canonical representation". They format the string based on RFC4122 Variant 1 rules, i.e. converting from Big Endian byte order. This matches behaviour of most other Linux userspace infrastructure. It's probably diff --git a/man/sd_bus_error.xml b/man/sd_bus_error.xml index 847051a6a2..3f7a28ccaf 100644 --- a/man/sd_bus_error.xml +++ b/man/sd_bus_error.xml @@ -163,7 +163,7 @@ The name field contains a short identifier of an error. It should follow the rules for error names described in the D-Bus specification, subsection Valid - Names. A number of common, standardized error names are described in + D-Bus Names. A number of common, standardized error names are described in sd-bus-errors3, but additional domain-specific errors may be defined by applications. diff --git a/man/sd_bus_message_append_array.xml b/man/sd_bus_message_append_array.xml index da72b78cb0..ea8f532ab6 100644 --- a/man/sd_bus_message_append_array.xml +++ b/man/sd_bus_message_append_array.xml @@ -80,7 +80,7 @@ t, d (but not b), as defined by the Basic - Types section of the D-Bus specification, and listed in + D-Bus Types section of the D-Bus specification, and listed in sd_bus_message_append_basic3. Pointer p must point to an array of size size bytes containing items of the diff --git a/man/sd_bus_set_description.xml b/man/sd_bus_set_description.xml index 0cc0ee77e9..0b49ba3a3b 100644 --- a/man/sd_bus_set_description.xml +++ b/man/sd_bus_set_description.xml 
@@ -121,7 +121,7 @@ i.e. lack of authentication, of the bus peer. This function must be called before the bus is started. See the - Authentication Mechanisms section of the D-Bus specification for details. + D-Bus Authentication Mechanisms section of the D-Bus specification for details. sd_bus_is_anonymous() returns true if the bus connection allows anonymous authentication (in the sense described in previous paragraph). diff --git a/man/systemctl.xml b/man/systemctl.xml index 3a5ea94aca..2204bee917 100644 --- a/man/systemctl.xml +++ b/man/systemctl.xml @@ -2740,11 +2740,11 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err - + NAME - When used with edit, use the given drop-in file name instead of - override.conf. + When used with edit, use NAME as the drop-in + file name instead of override.conf. diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 1ea16372fc..1aaf03ac52 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -863,7 +863,7 @@ stored sock 0:8 4213190 - socket:[4213190] ro systemd.image-policy7. The policy is normalized and simplified. For each currently defined partition identifier (as per the Discoverable - Partitions Specification the effect of the image policy string is shown in tabular form. + Partitions Specification) the effect of the image policy string is shown in tabular form. Example Output diff --git a/man/systemd-battery-check.service.xml b/man/systemd-battery-check.service.xml index 62d6bf5660..8be54848ce 100644 --- a/man/systemd-battery-check.service.xml +++ b/man/systemd-battery-check.service.xml @@ -18,7 +18,7 @@ systemd-battery-check.service systemd-battery-check - Check battery level whether there's enough charge, and power off if not. + Check battery level whether there's enough charge, and power off if not 
@@ -32,14 +32,11 @@ Description - - systemd-battery-check.service is used to check the battery level during the early - boot stage to determine whether there's sufficient battery power to carry on with the booting process. - - - systemd-battery-check returns success if the device is connected to an AC power - source or if the battery charge is greater than 5%. It returns failure otherwise. - + This service checks the presence of an external power supply and the battery level during the early + boot stage to determine whether there is sufficient power to carry on with the booting process. + + systemd-battery-check returns success if the device is connected to an AC power + source or if the battery charge is greater than 5%. It returns failure otherwise. diff --git a/man/systemd-firstboot.xml b/man/systemd-firstboot.xml index 5129d068f2..7145c768c2 100644 --- a/man/systemd-firstboot.xml +++ b/man/systemd-firstboot.xml @@ -293,8 +293,8 @@ Write configuration even if the relevant files already exist. Without this option, - systemd-firstboot doesn't modify or replace existing files. Note that when - configuring the root account, even with this option, systemd-firstboot only + systemd-firstboot doesn't modify or replace existing files. Note that when + configuring the root account, even with this option, systemd-firstboot only modifies the entry of the root user, leaving other entries in /etc/passwd and /etc/shadow intact. diff --git a/man/systemd-fsck@.service.xml b/man/systemd-fsck@.service.xml index 22aa876878..fc804374ee 100644 --- a/man/systemd-fsck@.service.xml +++ b/man/systemd-fsck@.service.xml 
@@ -55,12 +55,12 @@ last check, number of mounts, unclean unmount, etc. systemd-fsck-root.service and systemd-fsck-usr.service - will activate reboot.target if fsck returns the "System - should reboot" condition, or emergency.target if fsck + will activate reboot.target if fsck returns the "System + should reboot" condition, or emergency.target if fsck returns the "Filesystem errors left uncorrected" condition. systemd-fsck@.service will fail if - fsck returns with either "System should reboot" + fsck returns with either "System should reboot" or "Filesystem errors left uncorrected" conditions. For filesystems listed in /etc/fstab without nofail or noauto options, local-fs.target @@ -70,7 +70,7 @@ Kernel Command Line - systemd-fsck understands these kernel + systemd-fsck understands these kernel command line parameters: diff --git a/man/systemd-hibernate-resume.service.xml b/man/systemd-hibernate-resume.service.xml index 6f457f34ab..964c2bd62f 100644 --- a/man/systemd-hibernate-resume.service.xml +++ b/man/systemd-hibernate-resume.service.xml @@ -31,7 +31,7 @@ systemd-hibernate-resume.service initiates the resume from hibernation. - systemd-hibernate-resume only supports the in-kernel hibernation + systemd-hibernate-resume only supports the in-kernel hibernation implementation, see Swap suspend. Internally, it works by writing the major:minor of specified device node to /sys/power/resume, along with the offset in memory pages diff --git a/man/systemd-id128.xml b/man/systemd-id128.xml index 32c5af9671..d9378b69df 100644 --- a/man/systemd-id128.xml +++ b/man/systemd-id128.xml @@ -137,8 +137,8 @@ Generate output as a UUID formatted in the "canonical representation", with five - groups of digits separated by hyphens. See the - wikipedia + groups of digits separated by hyphens. See the Wikipedia entry for + Universally Unique Identifiers for more discussion. diff --git a/man/systemd-notify.xml b/man/systemd-notify.xml index 77ce2b5b6d..022297896f 100644 
--- a/man/systemd-notify.xml +++ b/man/systemd-notify.xml @@ -211,7 +211,9 @@ invoked. This option may be used multiple times to pass multiple file descriptors in a single notification message. - To use this functionality from a bash shell, use an expression like the following: + To use this functionality from a + bash1 + shell, use an expression like the following: systemd-notify --fd=4 --fd=5 4</some/file 5</some/other/file diff --git a/man/systemd-portabled.service.xml b/man/systemd-portabled.service.xml index 6dacea5e9b..cb8cea6f6e 100644 --- a/man/systemd-portabled.service.xml +++ b/man/systemd-portabled.service.xml @@ -35,7 +35,7 @@ Most of systemd-portabled's functionality is accessible through the portablectl1 command. - See the Portable Services Documentation + See the Portable Services page for details about the concepts this service implements. diff --git a/man/systemd-run.xml b/man/systemd-run.xml index 8a509be2ae..d5a9ca61ba 100644 --- a/man/systemd-run.xml +++ b/man/systemd-run.xml @@ -560,7 +560,8 @@ Dec 08 20:44:48 container systemd[1]: Started /bin/touch /tmp/foo. Allowing access to the tty - The following command invokes bash1 + The following command invokes + bash1 as a service passing its standard input, output and error to the calling TTY. # systemd-run -t --send-sighup bash 
@@ -618,18 +619,22 @@ There is a screen on: The first argument is expanded by the shell (double quotes), but the second one is not expanded - by the shell (single quotes). echo is called with [/usr/bin/echo, + by the shell (single quotes). + echo1 + is called with [/usr/bin/echo, [], [${INVOCATION_ID}]] as the argument array, and then - systemd generates ${INVOCATION_ID} and substitutes it in the - command-line. This substitution could not be done on the client side, because the target ID that will - be set for the service isn't known before the call is made. + systemd1 + generates ${INVOCATION_ID} and substitutes it in the command-line. This substitution + could not be done on the client side, because the target ID that will be set for the service isn't + known before the call is made. Variable expansion and output redirection using a shell - Variable expansion by systemd can be disabled with - --expand-environment=no. + Variable expansion by + systemd1 + can be disabled with --expand-environment=no. Disabling variable expansion can be useful if the command to execute contains dollar characters and escaping them would be inconvenient. For example, when a shell is used: @@ -639,9 +644,10 @@ There is a screen on: /bin/bash 12345 - The last argument is passed verbatim to the bash shell which is started by the - service unit. The shell expands $SHELL to the path of the shell, and - $$ to its process number, and then those strings are passed to the + The last argument is passed verbatim to the + bash1 + shell which is started by the service unit. The shell expands $SHELL to the path of + the shell, and $$ to its process number, and then those strings are passed to the echo built-in and printed to standard output (which in this case is connected to the calling terminal). diff --git a/man/systemd-sleep.conf.xml b/man/systemd-sleep.conf.xml index 4a04263c1a..ee13ce8703 100644 --- a/man/systemd-sleep.conf.xml +++ b/man/systemd-sleep.conf.xml 
@@ -153,9 +153,9 @@ be aborted. The allowed set of values is determined by the kernel and is shown in the file itself (use - cat /sys/power/disk to display). See the - kernel documentation for more details. + cat /sys/power/disk to display). See the kernel documentation page + + Basic sysfs Interfaces for System Suspend and Hibernation for more details. systemd-suspend-then-hibernate.service8 @@ -175,8 +175,8 @@ The allowed set of values is determined by the kernel and is shown in the file itself (use cat /sys/power/state to display). See the - kernel documentation for more details. + url="https://www.kernel.org/doc/html/latest/admin-guide/pm/sleep-states.html#basic-sysfs-interfaces-for-system-suspend-and-hibernation"> + Basic sysfs Interfaces for System Suspend and Hibernation for more details. systemd-suspend-then-hibernate.service8 diff --git a/man/systemd-soft-reboot.service.xml b/man/systemd-soft-reboot.service.xml index c232df41a1..8884c24774 100644 --- a/man/systemd-soft-reboot.service.xml +++ b/man/systemd-soft-reboot.service.xml @@ -43,18 +43,18 @@ The second phase of regular shutdown, as implemented by systemd-shutdown8. - The third phase of regular shutdown, i.e. the return to the initrd - context + The third phase of regular shutdown, i.e. the return to the initrd context. + - The hardware reboot operation + The hardware reboot operation. - The firmware initialization + The firmware initialization. - The boot loader initialization + The boot loader initialization. - The kernel initialization + The kernel initialization. - The initrd initialization + The initrd initialization. However this form of reboot comes with drawbacks as well: diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml index 337759a0c3..184b10bc88 100644 --- a/man/systemd-stub.xml +++ b/man/systemd-stub.xml 
@@ -162,30 +162,32 @@ system extension images is measured into TPM PCR 13 (if a TPM is present). Similarly, files - foo.efi.extra.d/*.addon.efi - are loaded and verified as PE binaries, and a .cmdline section is parsed from them. - In case Secure Boot is enabled, these files will be validated using keys in UEFI DB, Shim's DB or - Shim's MOK, and will be rejected otherwise. Additionally, if the both the addon and the UKI contain a - a .uname section, the addon will be rejected if they do not exactly match. It is + foo.efi.extra.d/*.addon.efi are loaded and verified as + PE binaries, and a .cmdline section is parsed from them. Addons are supposed to be + used to pass additional kernel command line parameters or Devicetree blobs, regardless of the kernel + image being booted, for example to allow platform vendors to ship platform-specific + configuration. + + In case Secure Boot is enabled, these files will be validated using keys in UEFI DB, Shim's DB or + Shim's MOK, and will be rejected otherwise. Additionally, if the both the addon and the UKI contain a a + .uname section, the addon will be rejected if they do not match exactly. It is recommended to always add a .sbat section to all signed addons, so that they may be revoked with a SBAT policy update, without requiring blocklisting via DBX/MOKX. The - ukify1 tool will - add a SBAT policy by default if none is passed when building addons. For more information on SBAT see - Shim's documentation. - Addons are supposed to be used to pass additional kernel command line parameters or Devicetree blobs, - regardless of the kernel image being booted, for example to allow platform vendors to ship - platform-specific configuration. The loaded command line addon files are sorted, loaded, and measured - into TPM PCR 12 (if a TPM is present) and appended to the kernel command line. UKI command line options - are listed first, then options from addons in /loader/addons/*.addon.efi, and - finally UKI-specific addons. 
Device tree blobs are loaded and measured following the same algorithm. - Addons are always loaded in the same order based on the filename, so that, given the same set of - addons, the same set of measurements can be expected in PCR12. However, note that the filename is not - protected by the PE signature, and as such an attacker with write access to the ESP could potentially - rename these files to change the order in which they are loaded, in a way that could alter the - functionality of the kernel, as some options might be order dependent. If you sign such addons, you - should pay attention to the PCR12 values and make use of an attestation service so that improper use - of your signed addons can be detected and dealt with using one of the aforementioned revocation - mechanisms. + ukify1 tool will add + a SBAT policy by default if none is passed when building addons. For more information on SBAT see + Shim documentation. + + Addon files are sorted, loaded, and measured into TPM PCR 12 (if a TPM is present) and appended + to the kernel command line. UKI command line options are listed first, then options from addons in + /loader/addons/*.addon.efi, and finally UKI-specific addons. Device tree blobs are + loaded and measured following the same algorithm. Addons are always loaded in the same order based on + the filename, so that, given the same set of addons, the same set of measurements can be expected in + PCR12. However, note that the filename is not protected by the PE signature, and as such an attacker + with write access to the ESP could potentially rename these files to change the order in which they are + loaded, in a way that could alter the functionality of the kernel, as some options might be + order-dependent. If you sign such addons, you should pay attention to the PCR12 values and make use of + an attestation service so that improper use of your signed addons can be detected and dealt with using + one of the aforementioned revocation mechanisms. 
Files /loader/credentials/*.cred are packed up in a cpio archive and placed in the /.extra/global_credentials/ diff --git a/man/systemd-sysext.xml b/man/systemd-sysext.xml index 8227b972b9..76076931d5 100644 --- a/man/systemd-sysext.xml +++ b/man/systemd-sysext.xml @@ -112,7 +112,7 @@ suitable for shipping resources that are processed by subsystems running in earliest boot. Specifically, OS extension images are not suitable for shipping system services or systemd-sysusers8 - definitions. See the Portable Services Documentation + definitions. See the Portable Services page for a simple mechanism for shipping system services in disk images, in a similar fashion to OS extensions. Note the different isolation on these two mechanisms: while system extension directly extend the underlying OS image with additional files that appear in a way very similar to as if they were @@ -129,7 +129,7 @@ an extension with the same name in a system folder with lower precedence. A simple mechanism for version compatibility is enforced: a system extension image must carry a - /usr/lib/extension-release.d/extension-release.$name + /usr/lib/extension-release.d/extension-release.NAME file, which must match its image name, that is compared with the host os-release file: the contained ID= fields have to match unless _any is set for the extension. If the extension ID= is not _any, the 
@@ -168,11 +168,13 @@ .raw suffix are considered disk image based confext images. Again, just like sysext images, the confext images will contain a - /etc/extension-release.d/extension-release.$name - file, which must match the image name (with the usual escape hatch of xattr), and again with content - being one or more of ID=, VERSION_ID=, and - CONFEXT_LEVEL. Confext images will then be checked and matched against the - base OS layer. + /etc/extension-release.d/extension-release.NAME + file, which must match the image name (with the usual escape hatch of + the user.extension-release.strict + xattr7), + and again with content being one or more of ID=, VERSION_ID=, and + CONFEXT_LEVEL. Confext images will then be checked and matched against the base OS + layer. diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index ac2be5a5c2..3c06b65f93 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -461,8 +461,8 @@ case of the system manager, this includes variables set by the kernel based on the kernel command line. Setting environment variables for the manager process may be useful to modify its behaviour. - See ENVIRONMENT for a descriptions of some - variables understood by systemd. + See Known Environment Variables for a + descriptions of some variables understood by systemd. Simple %-specifier expansion is supported, see below for a list of supported specifiers. diff --git a/man/systemd-sysusers.xml b/man/systemd-sysusers.xml index 3dfe8c006a..88645aaeb7 100644 --- a/man/systemd-sysusers.xml +++ b/man/systemd-sysusers.xml @@ -150,7 +150,7 @@ Credentials systemd-sysusers supports the service credentials logic as implemented by - ImportCredential=LoadCredential=/SetCredential= + ImportCredential=/LoadCredential=/SetCredential= (see systemd.exec1 for details). The following credentials are used when passed in: 
diff --git a/man/systemd-vconsole-setup.service.xml b/man/systemd-vconsole-setup.service.xml index 665f894363..614a4d48d2 100644 --- a/man/systemd-vconsole-setup.service.xml +++ b/man/systemd-vconsole-setup.service.xml @@ -57,7 +57,7 @@ Credentials systemd-vconsole-setup supports the service credentials logic as implemented by - ImportCredential=LoadCredential=/SetCredential= + ImportCredential=/LoadCredential=/SetCredential= (see systemd.exec1 for details). The following credentials are used when passed in: diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index e9cef24d18..8db8deb36d 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -166,8 +166,9 @@ or loopback file instead of a directory. The device node or file system image file needs to contain a file system without a partition table, or a file system within an MBR/MS-DOS or GPT partition table with only a single Linux-compatible partition, or a set of file systems within a GPT partition table - that follows the Discoverable Partitions - Specification. + that follows the + + Discoverable Partitions Specification. When DevicePolicy= is set to closed or strict, or set to auto and DeviceAllow= is @@ -207,8 +208,9 @@ mount8. - Valid partition names follow the Discoverable Partitions Specification: + Valid partition names follow the + + Discoverable Partitions Specification: root, usr, home, srv, esp, xbootldr, tmp, var. 
@@ -230,10 +232,11 @@ To make sure making ephemeral copies can be made efficiently, the root directory or root image should be located on the same filesystem as /var/lib/systemd/ephemeral-trees/. - When using RootEphemeral= with root directories, btrfs should be used as the - filesystem and the root directory should ideally be a subvolume which systemd can - snapshot to make the ephemeral copy. For root images, a filesystem with support for reflinks should - be used to ensure an efficient ephemeral copy. + When using RootEphemeral= with root directories, + btrfs5 + should be used as the filesystem and the root directory should ideally be a subvolume which + systemd can snapshot to make the ephemeral copy. For root images, a filesystem + with support for reflinks should be used to ensure an efficient ephemeral copy. @@ -302,8 +305,9 @@ This option is supported only for disk images that contain a single file system, without an enveloping partition table. Images that contain a GPT partition table should instead include both - root file system and matching Verity data in the same image, implementing the Discoverable Partitions Specification. + root file system and matching Verity data in the same image, implementing the + + Discoverable Partitions Specification. @@ -831,9 +835,10 @@ CapabilityBoundingSet=~CAP_B CAP_C SystemCallFilter=, or SystemCallLog= are specified. Note that even if this setting is overridden by them, systemctl show shows the original value of this setting. In case the service will be run in a new mount namespace anyway and SELinux is - disabled, all file systems are mounted with MS_NOSUID flag. Also see No New Privileges - Flag. + disabled, all file systems are mounted with MS_NOSUID flag. Also see + the kernel document + No New Privileges Flag. + Note that this setting only has an effect on the unit's processes themselves (or any processes directly or indirectly forked off them). It has no effect on processes potentially invoked on request 
@@ -1913,7 +1918,7 @@ BindReadOnlyPaths=/var/lib/systemd Note that this functionality might not be available, for example if KSM is disabled in the kernel, or the kernel doesn't support controlling KSM at the process level through - prctl(). + prctl2. 
@@ -2787,37 +2792,39 @@ SystemCallErrorNumber=EPERM Similar to Environment=, but reads the environment variables from a text file. The text file should contain newline-separated variable assignments. Empty lines, lines without an = separator, or lines starting with ; or - # will be ignored, which may be used for commenting. The file must be UTF-8 - encoded. Valid characters are unicode scalar values other than - noncharacters, U+0000 NUL, and - U+FEFF byte order mark. - Control codes other than NUL are allowed. + # will be ignored, which may be used for commenting. The file must be encoded with + UTF-8. Valid characters are + unicode scalar values + other than + unicode noncharacters, + U+0000 NUL, and U+FEFF + unicode byte order mark. + Control codes other than NUL are allowed. In the file, an unquoted value after the = is parsed with the same backslash-escape rules as unquoted - text in a POSIX shell, but unlike in a shell, interior whitespace is preserved and quotes after the + url="https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_01">POSIX shell unquoted + text, but unlike in a shell, interior whitespace is preserved and quotes after the first non-whitespace character are preserved. Leading and trailing whitespace (space, tab, carriage return) is discarded, but interior whitespace within the line is preserved verbatim. A line ending with a backslash will be continued to the following one, with the newline itself discarded. A backslash \ followed by any character other than newline will preserve the following character, so that \\ will become the value \. - In the file, a '-quoted value after the = can span multiple lines - and contain any character verbatim other than single quote, like single-quoted - text in a POSIX shell. No backslash-escape sequences are recognized. Leading and trailing whitespace - outside of the single quotes is discarded. 
+ In the file, a '-quoted value after the = can span + multiple lines and contain any character verbatim other than single quote, like POSIX + shell single-quoted text. No backslash-escape sequences are recognized. Leading and trailing + whitespace outside of the single quotes is discarded. - In the file, a "-quoted value after the = can span multiple lines, - and the same escape sequences are recognized as in double-quoted - text of a POSIX shell. Backslash (\) followed by any of "\`$ will - preserve that character. A backslash followed by newline is a line continuation, and the newline itself is - discarded. A backslash followed by any other character is ignored; both the backslash and the following - character are preserved verbatim. Leading and trailing whitespace outside of the double quotes is - discarded. + In the file, a "-quoted value after the = can span + multiple lines, and the same escape sequences are recognized as in POSIX + shell double-quoted text. Backslash (\) followed by any of + "\`$ will preserve that character. A backslash followed by newline is a line + continuation, and the newline itself is discarded. A backslash followed by any other character is + ignored; both the backslash and the following character are preserved verbatim. Leading and trailing + whitespace outside of the double quotes is discarded. The argument passed should be an absolute filename or wildcard expression, optionally prefixed with -, which indicates that if the file does not exist, it will not be read and no error or 
@@ -3174,7 +3181,7 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX RateLimitBurst= configured in journald.conf5. Note that this only applies to log messages that are processed by the logging subsystem, i.e. by - systemd-journald.service8 + systemd-journald.service8. This means that if you connect a service's stderr directly to a file via StandardOutput=file:… or a similar setting, the rate limiting will not be applied to messages written that way (but it will be enforced for messages generated via @@ -4141,9 +4148,9 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX FileDescriptorStoreMax= is set to a non-zero value (see systemd.service5 for details). Applications may check this environment variable before sending file descriptors to - the service manager via sd_pid_notify_with_fds() (see - sd_notify3 for - details). + the service manager via + sd_pid_notify_with_fds3. + diff --git a/man/systemd.image-policy.xml b/man/systemd.image-policy.xml index 5ea9e46ec2..7a4453d2e1 100644 --- a/man/systemd.image-policy.xml +++ b/man/systemd.image-policy.xml @@ -51,10 +51,10 @@ for partitions that shall exist and be used, with Verity authentication. (Note: if a DDI image carries a data partition, along with a Verity partition and a - signature partition for it, and only the flag is set – and - is not –, then the image will be set up with Verity, but the signature data will - not be used. Or in other words: any DDI with a set of partitions that qualify for - also implicitly qualifies for , and in fact + signature partition for it, and only the flag is set ( + is not), then the image will be set up with Verity, but the signature data will not be used. Or in + other words: any DDI with a set of partitions that qualify for also + implicitly qualifies for , and in fact also ). for partitions that shall exist and be used, with Verity 
@@ -130,9 +130,9 @@ Most systemd components that support operating with disk images support a command line option to specify the image policy to use, and default to - relatively open policies by default (typically the * policy, as described above), - under the assumption that trust in disk images is established before the images are passed to the program - in question. + relatively open policies (typically the * policy, as described above), under the + assumption that trust in disk images is established before the images are passed to the program in + question. For the host image itself systemd-gpt-auto-generator8 diff --git a/man/systemd.link.xml b/man/systemd.link.xml index b75dc7fcd4..04b424b910 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml @@ -1306,9 +1306,9 @@ $ sudo ip link set eth0 down $ sudo udevadm trigger --verbose --settle --action add /sys/class/net/eth0 You may also need to stop the service that manages the network interface, e.g. - systemd-networkd.service or NetworkManager.service before - the above operation, and then restart the service after that. For more details about - udevadm command, see + systemd-networkd.service8 + or NetworkManager.service before the above operation, and then restart the service + after that. For more details about udevadm command, see udevadm8. diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml index 2da83f8584..e9c00c935d 100644 --- a/man/systemd.net-naming-scheme.xml +++ b/man/systemd.net-naming-scheme.xml 
@@ -448,7 +448,7 @@ property or none at all. Some firmware and hypervisor implementations report unreasonably high numbers for the - on-board index. To prevent the generation of bogus onbard interface names, index numbers greater + on-board index. To prevent the generation of bogus on-board interface names, index numbers greater than 16381 (2¹⁴-1) were ignored. For s390 PCI devices index values up to 65535 (2¹⁶-1) are valid. To account for that, the limit was increased to 65535. diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 2d3e575a8b..9cad358f1e 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -712,11 +712,11 @@ ReduceARPProxy= - Takes a boolean. When true, bridge-connected VXLAN tunnel - endpoint answers ARP requests from the local bridge on behalf - of remote Distributed Overlay Virtual Ethernet + Takes a boolean. When true, bridge-connected VXLAN tunnel endpoint answers ARP requests from + the local bridge on behalf of remote - (DOVE) clients. Defaults to false. + Distributed Overlay Virtual Ethernet (DOVE) + clients. Defaults to false. diff --git a/man/systemd.network.xml b/man/systemd.network.xml index f065cfcafa..3e83caaf18 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -2430,7 +2430,9 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix UseCaptivePortal= When true (the default), the captive portal advertised by the DHCP server will be recorded - and made available to client programs and displayed in the networkctl status output per-link. + and made available to client programs and displayed in the + networkctl1 + status output per-link. 
@@ -2881,7 +2883,9 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix UseCaptivePortal= When true (the default), the captive portal advertised by the DHCPv6 server will be recorded - and made available to client programs and displayed in the networkctl status output per-link. + and made available to client programs and displayed in the + networkctl1 + status output per-link. @@ -3297,7 +3301,9 @@ Token=prefixstable:2002:da8:1:: UseCaptivePortal= When true (the default), the captive portal received in the Router Advertisement will be recorded - and made available to client programs and displayed in the networkctl status output per-link. + and made available to client programs and displayed in the + networkctl1 + status output per-link. @@ -3306,9 +3312,11 @@ Token=prefixstable:2002:da8:1:: UsePREF64= - When true, the IPv6 PREF64 (or NAT64) prefixes received in the Router Advertisement will be recorded - and made available to client programs and displayed in the networkctl status output per-link. - See RFC 8781. Defaults to false. + When true, the IPv6 PREF64 (or NAT64) prefixes received in the Router Advertisement will be + recorded and made available to client programs and displayed in the + networkctl1 + status output per-link. See RFC 8781. + Defaults to false. diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index c3581e78b3..42f265c950 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
@@ -1143,7 +1143,7 @@ NFTSet=cgroup:inet:filter:my_service user:inet:filter:serviceuser BPFProgram= allows attaching custom BPF programs to the cgroup of a unit. (This generalizes the functionality exposed via IPEgressFilterPath= and - and IPIngressFilterPath= for other hooks.) Cgroup-bpf hooks in the form of BPF + IPIngressFilterPath= for other hooks.) Cgroup-bpf hooks in the form of BPF programs loaded to the BPF filesystem are attached with cgroup-bpf attach flags determined by the unit. For details about attachment types and flags see bpf.h. Also @@ -1154,13 +1154,27 @@ NFTSet=cgroup:inet:filter:my_service user:inet:filter:serviceuser type:program-path. The BPF program type is equivalent to the BPF attach type used in - bpftool. It may be one of egress, - ingress, sock_create, sock_ops, - device, bind4, bind6, - connect4, connect6, post_bind4, - post_bind6, sendmsg4, sendmsg6, - sysctl, recvmsg4, recvmsg6, - getsockopt, setsockopt. + bpftool8 + It may be one of + egress, + ingress, + sock_create, + sock_ops, + device, + bind4, + bind6, + connect4, + connect6, + post_bind4, + post_bind6, + sendmsg4, + sendmsg6, + sysctl, + recvmsg4, + recvmsg6, + getsockopt, + or setsockopt. + The specified program path must be an absolute path referencing a BPF program inode in the bpffs file system (which generally means it must begin with /sys/fs/bpf/). If 
@@ -1545,7 +1559,7 @@ DeviceAllow=/dev/loop-control $MEMORY_PRESSURE_WATCH environment variable to the literal string /dev/null. If on tells the service to watch for memory pressure events. This enables memory accounting for the service, and ensures the - memory.pressure cgroup attribute files is accessible for read and write to the + memory.pressure cgroup attribute file is accessible for reading and writing by the service's user. It then sets the $MEMORY_PRESSURE_WATCH environment variable for processes invoked by the unit to the file system path to this file. The threshold information configured with MemoryPressureThresholdSec= is encoded in the diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 51b8404abd..735c98d1d6 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -167,7 +167,7 @@ been forked off (i.e. immediately after fork(), and before various process attributes have been configured and in particular before the new process has called execve() to invoke the actual service binary). Typically, - Type= (see below) is the better choice, see below. + Type= is the better choice, see below. It is expected that the process configured with ExecStart= is the main process of the service. In this mode, if the process offers functionality to other processes on @@ -239,7 +239,7 @@ socket provided by systemd. If NotifyAccess= is missing or set to , it will be forcibly set to . - If the service supports reloading, and uses the a signal to start the reload, using + If the service supports reloading, and uses a signal to start the reload, using instead is recommended. Behavior of is similar to , 
@@ -1239,8 +1239,9 @@ stop the event is logged but the unit is terminated cleanly by the service manager. If set to kill and one of the unit's processes is killed by the OOM killer the kernel is instructed to kill all remaining processes of the unit too, by setting the - memory.oom.group attribute to 1; also see kernel documentation. + memory.oom.group attribute to 1; also see kernel + page Control Group v2. + Defaults to the setting DefaultOOMPolicy= in systemd-system.conf5 diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 6137d94a0c..647b7dbb72 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -349,9 +349,9 @@ queue that have not been accepted yet. This setting matters only for stream and sequential packet sockets. See listen2 for - details. Note that this value is silently capped by the net.core.somaxconn sysctl, - which typically defaults to 4096. By default this is set to 4294967295, so that the sysctl takes full - effect. + details. Defaults to 4294967295. Note that this value is silently capped by the + net.core.somaxconn sysctl, which typically defaults to 4096, so typically + the sysctl is the setting that actually matters. diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 83ac72a5a3..2e9b87645f 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml 
@@ -884,12 +884,12 @@ JoinsNamespaceOf= For units that start processes (such as service units), lists one or more other units - whose network and/or temporary file namespace to join. If this is specified on a unit (say, a.service - has JoinsNamespaceOf=b.service), then this the inverse dependency - (JoinsNamespaceOf=a.service for b.service) is implied. This only applies to unit - types which support the PrivateNetwork=, NetworkNamespacePath=, - PrivateIPC=, IPCNamespacePath=, and - PrivateTmp= directives (see + whose network and/or temporary file namespace to join. If this is specified on a unit (say, + a.service has JoinsNamespaceOf=b.service), then the inverse + dependency (JoinsNamespaceOf=a.service for b.service) is implied. This only + applies to unit types which support the PrivateNetwork=, + NetworkNamespacePath=, PrivateIPC=, + IPCNamespacePath=, and PrivateTmp= directives (see systemd.exec5 for details). If a unit that has this setting set is started, its processes will see the same /tmp/, /var/tmp/, IPC namespace and network namespace as diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index 03faa66a54..e06da2b661 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml 
@@ -872,10 +872,10 @@ e! /var/cache/krb5rcache - - - 0 -smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=$(echo "f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)" | base64 -w 0) - By passing this line to QEMU, the public key of the current user will be encoded in - base64, added to a tmpfiles.d line that tells systemd-tmpfiles to decode it into - /root/.ssh/authorized_keys, encode that line itself in base64 and - pass it as a Credential that will be picked up by systemd from SMBIOS on boot. + By passing this line to QEMU, the public key of the current user will be encoded in base64, added + to a tmpfiles.d line that tells systemd-tmpfiles to decode it into + /root/.ssh/authorized_keys, encode that line itself in base64 and pass it as a + Credential that will be picked up by systemd from SMBIOS on boot. diff --git a/man/udev.xml b/man/udev.xml index 0f524697c0..709cecfd6a 100644 --- a/man/udev.xml +++ b/man/udev.xml @@ -136,7 +136,8 @@ backslash, lowercase t, backslash, lowercase n. The string can be prefixed with a lowercase e (e"string\n") to mark the string as - C-style escaped. + C-style escaped, see + Escape sequences in C. For example, e"string\n" is parsed as 7 characters: 6 lowercase letters and a newline. This can be useful for writing special characters when a kernel driver requires them. diff --git a/man/ukify.xml b/man/ukify.xml index f6cd6804bb..9b7e20997a 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -111,7 +111,7 @@ If the stub and/or the kernel contain .sbat sections they will be merged in the UKI so that revocation updates affecting either are considered when the UKI is loaded by Shim. For more information on SBAT see - Shim's documentation. + Shim documentation. @@ -243,7 +243,7 @@ Print a summary of loaded config and exit. This is useful to check how the options - form the configuration file and the command line are combined. + from the configuration file and the command line are combined. 
@@ -478,7 +478,7 @@ DBX/MOKX. If not specified manually, a default metadata entry consisting of uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html will be used, to ensure it is always possible to revoke UKIs and addons. For more information on - SBAT see Shim's documentation. + SBAT see Shim documentation. @@ -512,8 +512,8 @@ On the command line, this option may be specified more than once, similarly to the option. If not present, the public keys will be extracted from - the private keys. On the command line, if present, the this option must be specified the same number - of times as the option. + the private keys. On the command line, if present, this option must be specified the same number of + times as the option. @@ -662,13 +662,13 @@ Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem (Both operations need to be done as root to allow write access to /etc/kernel/.) - Subsequent invocations of using the config file + Subsequent invocations using the config file (ukify build --config=/etc/kernel/uki.conf) will use this certificate and key files. Note that the kernel-install8 plugin 60-ukify.install uses /etc/kernel/uki.conf by default, so after this file has been created, installations of kernels that create a UKI on the - local machine using kernel-install would perform signing using this config. + local machine using kernel-install will perform signing using this config. diff --git a/src/shared/varlink-idl.c b/src/shared/varlink-idl.c index f871c8e632..655324c6c3 100644 --- a/src/shared/varlink-idl.c +++ b/src/shared/varlink-idl.c 
@@ -379,7 +379,7 @@ VarlinkInterface* varlink_interface_free(VarlinkInterface *interface) { return NULL; /* So here's the thing: in most cases we want that users of this define their interface descriptions - * in C code, and hence the definitions are constant and immutable during the life-cycle of the + * in C code, and hence the definitions are constant and immutable during the lifecycle of the * system. Because of that we define all structs with const* pointers. It makes it very nice and * straight-forward to populate these structs with literal C strings. However, in some not so common * cases we also want to allocate these structures dynamically on the heap, when parsing interface
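Review bot: the reflowed Secure Boot paragraph in the systemd-stub.xml hunk (@@ -162,30) still carries two slips that this cleanup should have caught: "if the both the addon and the UKI contain a a .uname section" has a stray "the" and a doubled article (the old text split "a" / "a" across a line break; the new text joins them on one line). Suggest "if both the addon and the UKI contain a .uname section, the addon will be rejected if they do not match exactly." Moving the "Addons are supposed to be used to pass additional kernel command line parameters ..." sentence up next to where addons are introduced is a good change.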
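Review bot: the systemd-system.conf.xml hunk (@@ -461,8) keeps the grammatical slip of the old text in its replacement lines: "See Known Environment Variables for a descriptions of some variables understood by systemd." Since the line is rewritten anyway, fix the number agreement: "for a description of some variables" (or "for descriptions of some variables").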
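Review bot: in the EnvironmentFile= hunk of systemd.exec.xml (@@ -2787,37), the new link texts spell the proper noun in lowercase: "unicode scalar values", "unicode noncharacters", "unicode byte order mark". Use "Unicode" in all three, matching "UTF-8" and "U+FEFF" in the same sentence. The rest of the hunk (the POSIX shell quoting links and the reflow of the single- and double-quoted paragraphs) reads correctly and preserves the documented escaping rules.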
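Review bot: in the NoNewPrivileges= hunk of systemd.exec.xml (@@ -831,9), the rewritten line "disabled, all file systems are mounted with MS_NOSUID flag. Also see the kernel document No New Privileges Flag." is missing an article; since the line is touched anyway, make it "mounted with the MS_NOSUID flag". Linking the kernel document by name is an improvement over the bare "No New Privileges Flag" reference.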
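Review bot: in the BPFProgram= hunk of systemd.resource-control.xml (@@ -1154,13), the sentence ends abruptly after the new bpftool(8) reference: "... equivalent to the BPF attach type used in bpftool8 It may be one of ..." has no terminating period, so the rendered page will read "bpftool(8) It may be one of". Add a "." directly after the reference. Listing the attach types one per line and closing with "or setsockopt" is fine and easier to diff later.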
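Review bot: in the Backlog= hunk of systemd.socket.xml (@@ -349,9), the new last clause uses "typically" twice in one sentence: "which typically defaults to 4096, so typically the sysctl is the setting that actually matters." Suggest "which typically defaults to 4096, so in practice the sysctl is the setting that actually matters." Stating the 4294967295 default before explaining the somaxconn cap, as the hunk now does, is clearer than the old order.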