systemd work for the session
Goals:
- Simplify our stack by removing CK
- Automatic multi-seat support
- Make systemd available in the session
- Removal of XDG_SESSION_COOKIE and its security problems, emphasis on audit loginuid and cgroup names instead
- On-Demand starting of VT gettys
- Fix the 63 threads issue
- Covering all of getty, SSH and X11 sessions
- Make session exit of pam_systemd more robust
- Introduce D-Bus user bus
- allow systemd user services to be run outside of a session, for selected users, a la cron with cron.allow
Current ConsoleKit features:
- Registration of user sessions and seats storing of meta data
- fast user switching
- shutdown/reboot handling
- Logging of user logins/logouts
- udev integration to do device node ACLs
- PK integration to verify console access to certain functionality
Logging currently is done 6 times (none of these are indexed, except for utmp and lastlog, which are indexed by uid):
- utmp
- wtmp
- syslog
- audit
- ConsoleKit logs
- lastlog
Plans:
- Introduce “seat” tags on video, input, audio, other devices in udev
- Make X11 check those tags. This requires a simple patch: call udev_monitor_filter_add_match_tag() with the seat name passed on the X command line; if no seat name is given on the command line, pick up all devices without a seat tag, to mimic current behaviour
- gdm will spawn one X server for each video card found as they pop up, X itself should discover matching input devices
- plymouth should also make use of all video cards and input devices found, as they pop up, and terminate as soon as gdm takes over. plymouth should ignore seat assignments however, and act on all display and input devices
- A tiny udev rule will try to automatically assign seat tags for devices manufactured by Plugable. Other hardware in the beginning will require writing udev rules manually. Eventually a UI for this should be written which spits out and installs udev rules.
- Most of the logic in pam_systemd will move into a tiny bus service, which will hand out “leaking” pipe fds to detect when the session ends, the same way pam_consolekit_connector works right now, but built around D-Bus fd passing
- This bus service will have an interface similar to CK's, but do a few key things differently: no cookie management (rely on the audit login uid instead); listen on /sys/class/tty/tty0/active and trigger gettys (or any other service) on demand when an allocated VC with no process on it is activated. VCs will be handed out strictly first-come, first-served, with no fixed mapping anymore -- except for tty1. We will pre-allocate 12 ttys by default, but not start anything on them. If X needs another tty it just takes the next free one. If a tty is activated (by keypress) which currently has no client we will start a getty on it. That means by default we run zero gettys on a graphical boot, but they become instantly available as soon as the user switches ttys.
- There will be no public CK database. However we will provide a tiny library (drop-in or .so) which allows NM, PK and D-Bus to query whether a PID or user is currently in an active session without involving D-Bus, as a fast path for auth checks
- udev-acl will move into this dbus service
- Separate bus service for shutting down/rebooting/suspending the system, with integration into PK and which checks whether sessions are left open
- We’ll introduce the D-Bus user bus, as discussed with various folks at the GNOME Summit last year, and redirect the session bus to it
- We will implicitly spawn a systemd instance for each user on first login, and remove it at last logout. Lifetime of XDG_RUNTIME_DIR, the user cgroup, the user bus and the systemd instance are bound together
- Ideally, X would start to listen on $XDG_RUNTIME_DIR/display or a similar socket. Could be default for clients if no $DISPLAY is set. Alternatively symlink hackery
- We will focus on Linux and Linux only
- Introduction of PR_SET_ANCHOR and usage in g-s/systemd, to ensure that all user processes are children of systemd/g-s and not detached
- gnome-session will mostly stay as it is for now, however will use the user bus if it exists
- Most likely drop support for CK history log files. The only users appear to be gdm and accountsservice. Option 1) move this into gdm itself, so that gdm shows its own most frequent users only; option 2) use wtmp for this, which, while ugly to use, offers mostly the same functionality. If we need more metadata than wtmp can provide, hijack the 20 unused bytes at the end of each utmp record. If eventually we reintroduce log files for this, then we should do it in a really convincing fashion, i.e. indexed, with live querying support and suchlike
- Optionally start user session (without display) already on system bootup, to permit timer-based cron-like user-code to run, or to run network services independent of an actual login. This will be strictly optional and only permitted for users with a flag file in /var/lib/systemd/user/xxx. Flag files controllable via PK, yadda yadda
- Note that there is no static configuration of seats. The tiny dbus service will provide a list of current seats only based on the udev database: if there’s a display device with a seat tag, then this seat exists, otherwise it doesn’t
- Seats and seat names will automatically be generated for Plugable devices based on their udev path id, i.e. by plugging in a Plugable device a dynamic seat “seat-pci-0000-00-1f-2-usb-4711-0815” (or something like that) is generated and exists exactly as long as it is plugged in.
- No stored CK database as public API, instead store everything we need in memory, and export only very few things in the fs, for example to allow fast perm checks for dbus/NM/PK
- Embedded folks can work without the bus service, to get old-style behaviour
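To illustrate the “leaking” pipe fd scheme described in the pam_systemd bullet above, here is an added example in C; it is not code from systemd, ConsoleKit or pam_consolekit_connector. The service keeps the read end of a pipe and treats POLLHUP as the end of the session; D-Bus fd passing is stood in for by plain fork inheritance, and the ctl pipe exists only to make the demo deterministic (both are assumptions of this example).

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <sys/wait.h>
#include <unistd.h>

/* Service side. The service keeps the read end of a pipe; the write end is what
 * would be handed to the session's PAM process over D-Bus fd passing and gets
 * inherited by everything that session spawns. Once the last holder of the
 * write end exits, the kernel reports POLLHUP on the read end: session over.
 * Returns 1 when the session has ended, 0 if still alive after timeout_ms,
 * -1 on error. No cookie and no PID list are involved. */
static int session_ended(int read_end, int timeout_ms) {
    struct pollfd p = { .fd = read_end, .events = 0, .revents = 0 };
    int r = poll(&p, 1, timeout_ms);
    if (r < 0) return -1;
    return (r > 0 && (p.revents & POLLHUP)) ? 1 : 0;
}

/* Simulated session (constructed for this example): the login process holds
 * the write end and forks a "detached" helper (think of a daemonized user
 * program) that inherits it. The session must count as alive until that
 * helper is gone too. Returns 1 if the detection behaves that way. */
static int demo_session_lifecycle(void) {
    int sess[2], ctl[2];               /* sess: leaking pipe, ctl: demo control */
    if (pipe(sess) < 0 || pipe(ctl) < 0) return -1;
    pid_t login = fork();
    if (login < 0) return -1;
    if (login == 0) {                  /* the session's login process */
        close(sess[0]);
        if (fork() == 0) {             /* detached helper, still holds sess[1] */
            char c;
            close(ctl[1]);
            (void)!read(ctl[0], &c, 1);/* block until the demo releases it */
            _exit(0);
        }
        _exit(0);                      /* login process leaves right away */
    }
    close(sess[1]);                    /* service must not keep a writer itself */
    close(ctl[0]);
    waitpid(login, NULL, 0);
    int alive = session_ended(sess[0], 0);     /* helper still holds it -> 0 */
    close(ctl[1]);                             /* let the helper exit */
    int ended = session_ended(sess[0], 5000);  /* writer count hits zero -> 1 */
    close(sess[0]);
    return alive == 0 && ended == 1;
}
```

The same property is what makes this more robust than tracking PIDs or cookies: a double-forked or otherwise detached process that inherited the fd keeps the session alive, and nothing has to be trusted from the client side.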
Perspective for F17:
- In F17, we might want to move user service/process handling from g-s to systemd, and get a definition of a running application based on its cgroup, which transcends all layers of our stack, from kernel to the UI: an application that isn’t running is simply a .desktop file, and when it runs it is the cgroup by the same name
- keep in focus for later: support multi-session and session switching on secondary VGA cards, in userspace
Transition:
- We will ensure CK and the new scheme can run side-by-side. Only the ACL management of CK will be disabled when the new scheme is enabled
- Phase-out similar to HAL’s, leave things running side-by-side but port important things over quickly. Should be much easier than HAL, since less code uses it
External patches:
- udev: disable udev-acl
- X11: add seat support (check for tags)
- X11: make x11 XDG_RUNTIME_DIR-aware
- gdm: for libudev support and new seat registration
- plymouth: for libudev support
- dbus: for new active session detection
- PK: for new active session detection
- NM: for new active session detection
- accountsservice: for new login history logs
- kernel: PR_SET_ANCHOR
- kernel: xattr on cgroup
- kdm, other dms: drop CK support. Quite possibly the PAM session hooks are sufficient for our needs, no need for patching in new support into dms
Questions left unanswered:
- What about idle hint stuff?
Where is what?
- CK’s seat management and session switching is pushed into new tiny bus service systemd-logind (or similarly named)
- CK’s logging is removed, and utmp/wtmp used instead
- CK’s shutdown/reboot handling moves into new tiny bus service systemd-rebootd (or similarly named)
- udev-acl will move into systemd-logind
- most of pam_systemd will move into systemd-logind
Effective new features by doing this:
- Automatic Multi-Seat
- Running user services outside of session
- gettys only spawned on demand
- synchronization on VGA discovery can be dropped → faster bootup
- Cleaner PS tree
- D-Bus/systemd available for user logins