| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\
| |
| | |
resolved: more fixes, among them "systemctl-resolve --status" to see DNS configuration in effect, and a local DNS stub listener on 127.0.0.53
|
| | | |
|
| | |
| |
| |
| | |
variables
|
| | |
| |
| |
| | |
Let's explain the various APIs and various ways to handle /etc/resolv.conf.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
|
| | | |
|
| | |
| |
| |
| | |
We don't make use of this yet, but later work will.
|
| | |
| |
| |
| | |
And make use of it at a couple of places.
|
| | |
| |
| |
| | |
And make use of them at a few places.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When we return the full RR wire data, let's make sure the TTL included in it is
adjusted by the time the RR sat in the cache.
As an optimization we do this only for ResolveRecord() and not for
ResolveHostname() and friends, since adjusting the TTL means copying the RR
object, and we don#t want to do that if there's no reason to.
(ResolveHostname() and friends don't return the TTL hence there's no reason to
in that case)
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
sd-bus generally exposes bools as "int" instead of "bool" in the public API.
This is relevant when unmarshaling booleans, as the relevant functions expect
an int* pointer and no bool* pointer. Since sizeof(bool) is not necessarily the
same as sizeof(int) this is problematic and might result in memory corruption.
Let's fix this, and make sure bus_map_all_properties() handles booleans as
ints, as the rest of sd-bus, and make all users of it expect the right thing.
|
| | |
| |
| |
| |
| |
| |
| | |
restarts
Let's make sure that all settings pushed in stay around when systemd-resolved
is restarted.
|
| | |
| |
| |
| |
| | |
It's like set_put_strdup(), but splits up a string via an extract_first_word()
loop.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
It's weird having a "negative" function link_is_unmanaged(), let's invert it
and get rid of the negation this way, by renaming it to link_is_managed().
Internally we stored this as a positive boolean already, hence let's do this
for the function too.
|
| | |
| |
| |
| |
| |
| |
| | |
Let's split the code from the inner loop out, into its own function
link_update_dns_server_one(). This matches how things are already handled for
the search domain logic. Also, this is preparation for a later commit that
persists DNS server data pushed in via the bus.
|
| | | |
|
| | |
| |
| |
| |
| | |
After all, /etc/resolv.conf doesn't know the concept of "route-only domains",
hence the domains should really not appear there.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
NULL strings nicely
xyz_from_string() functions defined with DEFINE_STRING_TABLE_LOOKUP() properly
handle NULL strings already. make sure the equivalent functions defined with
DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN() do the same.
|
| | |
| |
| |
| |
| |
| | |
The new command shows the per-link and global DNS configuration currently in
effect. This is useful to quickly see the DNS settings resolved acquired from
networkd and that was pushed into it via the bus APIs.
|
| | |
| |
| |
| |
| |
| |
| | |
Internally, we store the per-link DNSSEC setting as -1 (invalid) if there's no
link-specific setting configured, and the global setting should be used. When
exporting this one the bus we really should export the effective DNSSEC
setting however, i.e. return the global one if there's non set per-link.
|
| | |
| |
| |
| | |
We export them per-link, hence let's export the global NTAs too.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
udevd already limits its number of workers/children: the max number is actually
twice the number of CPUs the system is using.
(The limit can also be raised with udev.children-max= kernel command line
option BTW).
On some servers, this limit can easily exceed the maximum number of tasks that
systemd put on all services, which is 512 by default.
Since udevd has already its limitation logic, simply disable the static
limitation done by TasksMax.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
root=/dev/nfs is a legacy option for the kernel to handle root on NFS.
Documentation for this kernel command line option
can be found in the kernel source tree:
Documentation/filesystems/nfs/nfsroot.txt
|
| |\ \
| | |
| | | |
add new RestrictRealtime= option to services (and other fixes)
|
| | | |
| | |
| | |
| | |
| | | |
It takes a boolean value. If true, access to SCHED_RR, SCHED_FIFO and
SCHED_DEADLINE is blocked, which my be used to lock up the system.
|
| | | |
| | |
| | |
| | | |
Let's politely refuse with EPERM rather than kill the whole thing right-away.
|
| | | |
| | |
| | |
| | |
| | | |
This was forgotten when MemoryDenyWriteExecute= was added: we should set NNP in
all cases when we set seccomp filters.
|
| | | |
| | |
| | |
| | |
| | | |
It's a function defined by us, hence we should look for the error in its return
value, not in "errno".
|
| | | |
| | |
| | |
| | |
| | | |
This is a fix-up for 2a9a6f8ac04a69ca36d645f9305a33645f22a22b which covered
non-transient units, but missed the case for transient units.
|
| |\ \ \
| | | |
| | | | |
systemctl: Add missing "/" to files created by 'edit --runtime'
|
| | | | | |
|
| | |/ /
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It makes use of the sd_listen_fds() call, and as such should live in
src/shared, as the distinction between src/basic and src/shared is that the
latter may use libsystemd APIs, the former does not.
Note that btrfs-util.[ch] and log.[ch] also include header files from
libsystemd, but they only need definitions, they do not invoke any function
from it. Hence they may stay in src/basic.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This change documents the existance of the systemd-nspawn@.service template
unit file, which was previously not mentioned at all. Since the unit file uses
slightly different default than nspawn invoked from the command line, these
defaults are now explicitly documented too.
A couple of further additions and changes are made, too.
Replaces: #3497
|
| |/ / |
|
| | |
| |
| |
| |
| |
| | |
Otherwise starting a machine named `foo-bar-baz` will end up in
machinectl attempting to start the service unit
`systemd-nspawn@foo\x2dbar\x2dbaz` instead of
`systemd-nspawn@foo-bar-baz`.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add sd_notify() parameter to change watchdog_usec during runtime.
Application can change watchdog_usec value by
sd_notify like this. Example. sd_notify(0, "WATCHDOG_USEC=20000000").
To reset watchdog_usec as configured value in service file,
restart service.
Notice.
sd_event is not currently supported. If application uses
sd_event_set_watchdog, or sd_watchdog_enabled, do not use
"WATCHDOG_USEC" option through sd_notify.
|
| | |
| |
| |
| | |
This documents the "add nosuid and nodev options to tmp.mount" change from
commit 2f9df7c96a2.
|
| |\ \
| | |
| | | |
Fix console log color
|
| | | |
| | |
| | |
| | |
| | | |
Also we had to connect PID's stdio to null later since colors_enabled()
assume that stdout is connected to the console.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When systemd is started by the kernel, the kernel set the TERM
environment variable unconditionnally to "linux" no matter the console
device used. This might be an issue for dumb devices with no colors
support.
This patch uses default_term_for_tty() for getting a more accurate
value. But it makes sure to keep the user preferences (if any) which
might be passed via the kernel command line. For that purpose /proc
should be mounted.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This reverts commit ce8aba568156f2b9d0d3b023e960cda3d9d7db81.
We should pass an environment as close as possible to what we originally
got.
|
| | | |
| | |
| | |
| | |
| | | |
When re-executed, reconnect the console to PID1's stdios as it was the case
when PID1 was initially started by the kernel.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
This makes privilege escalation attacks harder by putting traps and exploits
into /tmp.
https://bugs.debian.org/826377
|
| | | |
| | |
| | |
| | |
| | |
| | | |
* sd_bus_add_match
* sd_bus_get_fd
* sd_bus_message_read_basic
* sd_bus_process
|
| | | |
| | |
| | | |
Do not ellipsize cgroups when showing slices in --full mode
|
| | |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Quoting @cgwalters:
Just uploading this as an RFC. Now I know reading the code that systemd says
`Welcome to $OS` as a generic thing, but my initial impression on seeing this
was that it was almost sarcastic =)
Let's say "You are in emergency mode" as a more neutral/less excited phrase.
This patch is based on #3556, but makes the same change for rescue mode.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Jun 16 05:12:08 systemd[1]: Controller 'io' supported: yes
Jun 16 05:12:08 systemd[1]: Controller 'memory' supported: yes
Jun 16 05:12:08 systemd[1]: Controller 'pids' supported: yes
instead of
Jun 16 04:06:50 systemd[1]: Controller 'memory' supported: yes
Jun 16 04:06:50 systemd[1]: Controller 'devices' supported: yes
Jun 16 04:06:50 systemd[1]: Controller 'pids' supported: yes
|
