Age | Commit message (Collapse) | Author |
|
nineteenth dnssec patch
|
|
zsh-completion: Escape results for `journalctl --unit`
|
|
shutdown: complain if process excluded from killing spree runs of the same rootfs as PID1 (v3)
|
|
Whenever we include a log level or facility in a journal string field, make sure the compiler checks for us that that's
actually the right thing to do.
|
|
Fixes: #2304
|
|
Fixes #2324.
|
|
This gets rid of the private DNSSEC TODO and moves it in the main TODO dump site, as the DNSSEC implementation is
pretty complete now, and the remaining bits are low-priority.
|
|
Lets make sure we always take notice of network changes before answering client requests.
This way, calls like SetLinkDNS() become race-free as the specified interface index is guarantee to have been processed
if it exists before we make changes to it.
|
|
DNS response
If we encounter NXDOMAIN, but find at least one matching RR in a response, then patch it to become SUCCESS. This should
clean up handling of CNAME/DNAMEs, and makes sure broken servers and those conforming to RFC 6604 are treated the same
way. The new behaviour opposes the logic suggested in RFC 6604, but given that some servers don't implement it
correctly, and given that in some ways the CNAME/DNAME chains will be incomplete anyway, and given that DNSSEC
generally only allows us to prove the first element of a CNAME/DNAME chain, this should simplify things for us.
|
|
|
|
|
|
Following the changes to expose the "routing" and "search" domain concepts in networkd, actually make resolved use
them. It will now use routing domains exclusively for making DNS routing decisions, and use search domains additionally
for extending single-label names.
|
|
The call combines outputing a string with prefixing it with a space, optionally. This is useful to shorten the logic
for outputing lists of strings, that are space separated.
|
|
This changes the UseDomains= setting of .network files to take an optional third value "route", in addition to the
boolean values. If set, the passed domain information is used for routing rules only, but not for the search path
logic.
|
|
configuration settings
All booleans called dhcp_xyz are now called ".dhcp_use_xyz", to match their respective configuration file settings. This
should clarify things a bit, in particular as there is a DHCP hostname that was previously called just ".hostname"
because ".dhcp_hostname" was already existing as a bool. Since this confusion is removed now because the bool is called
".dhcp_use_hostname", the string field is now renamed to ".dhcp_hostname".
|
|
Let's make sure the root domain is normalized to ".", rather than then empty string, so that there's actually something
to see on screen. Normally, we don't append a trailing dot to normalized domain names, but do so in the one exception
of the root domain, taking inspiration from UNIX file system paths.
|
|
Also don't permit host/domain names that reference the root domain, and unify the codepaths for this.
|
|
When we collect the domain names of the various links and other sources in one ordered set, make sure to use proper DNS
name comparison to filter out duplicates.
|
|
For the search domain logic the order is highly relevant, hence make sure when collecting the various search domains to
add them to an ordered set, so that the order between search domains of a specific link is retained.
|
|
Previously, each invocation of dump_list() was prefixed with a call to strv_isempty() to suppress invocation of the
function when the list is empty anyway. Move the check into the function itself, so that we can reduce the code a bit
in size.
(Also, prefix a couple of invocations we knowingly ignore return errors with a (void) cast).
|
|
Previously, .network files only knew a vaguely defined "Domains=" concept, for which the documentation declared it was
the "DNS domain" for the network connection, without specifying what that means.
With this the Domains setting is reworked, so that there are now "routing" domains and "search" domains. The former are
to be used by resolved to route DNS request to specific network interfaces, the latter is to be used for searching
single-label hostnames with (in addition to being used for routing). Both settings are configured in the "Domains="
setting. Normal domain names listed in it are now considered search domains (for compatibility with existing setups),
while those prefixed with "~" are considered routing domains only. To route all lookups to a specific interface the
routing domain "." may be used, referring to the root domain. An alternative syntax for this is the "*", as was already
implemented before using the "wildcard" domain concept.
This commit adds proper parsers for this new logic, and exposes this via the sd-network API. This information is not
used by resolved yet, this will be added in a later commit.
|
|
Journald disk usage
|
|
rootfs as PID1
|
|
logind: update documentation for cf7d1a30e44
|
|
|
|
Man pages
|
|
tests: add setup_selinux
|
|
We have 126 broken links to sd-bus.html, it's nice to fix that.
Current version is mostly a stub, with a long list of links to other
pages. I think that's fine, especially that sd-bus might evolve
quite a bit before it is made public.
Not all of linked pages are written. Still missing:
sd_bus_can_send
sd_bus_get_name_creds
sd_bus_get_owner_creds
sd_bus_message_can_send
sd_bus_message_get_creds
sd_bus_message_set_allow_interactive_authorization
sd_bus_send
sd_bus_set_address
sd_bus_set_description
sd_bus_start
sd_event_set_prepare
sd-device
systemd.busname
|
|
|
|
Noticed in pull request #2067.
|
|
Commit ab6f56debf made the change to allow building man pages even when disabled
with ./configure --disable-manpages. This works fine, as long as xsltproc is
present. If xsltproc is not present, the command to build a man page (obviously)
fails. Unfortnately it fails with a cryptic message '-o not found', because
$(XSLTPROC) is empty. Add a fallback, to use 'xsltproc' is $(XSLTPROC) is not
defined. This way we get a nice message:
make: xsltproc: Command not found
|
|
Escape colons and backslashes in unit names.
This gives correct completions for units with names like
systemd-backlight@backlight:acpi_video0.service
and
systemd-fsck@dev-disk-by\x2duuid-...
|
|
eightteenth dnssec patch
|
|
coredump: fix bug that loses core dump files when core dumps are compressed and disk space is low.
|
|
and disk space is low.
Previously the save_external_coredump function returned a file
descriptor corresponding to the dumped file. This descriptor was used
for two different purposes by calling code: a) access to the raw core
dump data; b) testing candidate files (via inode comparisons) while
vacuuming to protect the current core dump from vacuuming.
The descriptor returned always corresponded to a file containing the raw
core dump data. However if compresson was used and the core dump was
compressed then the descriptor returned did not correspond to the file
that would eventually be left on disk (ie the compressed file). Thus
the file was never protected by vacuuming. When disk space was low all
core dumps including the current one would be vacuumed and the
corresponding log message referred to a file that no longer existed.
This resulted in the following error message from coredumpctl if the
missing core dump was requested:
Cannot retrieve coredump from journal nor disk.
Failed to retrieve core: No such file or directory
save_external_coredump now returns two descriptors, one to be used for
inode comparisons to prevent overzealous vacuuming and one to be used
for raw data access. When compression is not used the returned inode
comparison descriptor will be invalid, indicating that the raw data
access descriptor should be used for inode comparisons as well.
Corresponding use of save_external_coredump and the returned
descriptors also updated.
|
|
systemctl: is-active/failed should return 0 if at least one unit is in given state
Previously:
[lnykryn@notas lnykryn-systemd(is-active-failed)]$ systemctl is-failed fail cups; echo $?
failed
active
1
now:
[lnykryn@notas lnykryn-systemd(is-active-failed)]$ ./systemctl is-failed fail cups; echo $?
failed
active
0
|
|
Let's not accept onboard interface indexes, that are so high that they are obviously non-sensical.
Fixes: #2407
|
|
So far, abritrary NSEC and NSEC3 RRs were implicitly consider "primary" for any transaction, meaning we'd abort the
transaction immediately if we couldn't validate it. With this patch this logic is removed, and the NSEC/NSEC3 RRs will
not be considered primary anymore. This has the effect that they will be dropped from the message if they don't
validate, but processing continues. This is safe to do, as they are required anyway to validate positive wildcard and
negative responses, and if they are missing then, then message will be considered unsigned, which hence means the
outcome is effectively the same.
This is benefical in case the server sends us NSEC/NSEC3 RRs that are not directly related to the lookup we did, but
simply auxiliary information. Previously, if we couldn't authenticate those RRs we'd fail the entire lookup while with
this change we'll simply drop the auxiliary information and proceed without it.
|
|
authenticated
In some cases we get NSEC3 RRs that have not been authenticated (because the chain of trust to the root is somewhere
broken). We can use these for checking negative replies, as long as we don't claim they were ultimately authenticated.
This means we need to be able to deal with NSEC3 RRs that lack RRSIG metadata.
|
|
|
|
|
|
We already properly propagate errors from transactions to queries. Make sure that errors that happened during handling
of query candidates are propagated to the query, too.
|
|
Whenever we encounter an OS error we did not expect, we so far put the transaction into DNS_TRANSACTION_RESOURCES
state. Rename this state to DNS_TRANSACTION_ERRNO, and save + propagate the actual system error to the caller. This
should make error messages triggered by system errors much more readable by the user.
|
|
|
|
Line breaks default to 119 characters for systemd sources now, configured through the .vimrc and .dir-local.el files.
However, for the catalog files we really should stick to 79 chars, as they are regularly shown on terminal screens.
|
|
If we downgrade from DNSSEC to non-DNSSEC mode, let's log about this in a recognizable way (i.e. with a message ID),
after all, this is of major importance.
|
|
This way the difference between lookups via NSS and our native bus API should become minimal.
|
|
When we synthesize A/AAAA for domains like "localhost", then make sure we generate ENODATA if the user asks for RR
types such a RP to be solved on the name. Previously, we'd pass the error back in that case that was generated from the
usual lookup procedure.
|
|
The LLMNR spec suggests to do do reverse address lookups by doing direct LLMNR/TCP connections to the indicated
address, instead of doing any LLMNR multicast queries. When we do this and the peer doesn't actually implement LLMNR
this will result in a TCP connection error, which we need to handle. In contrast to most LLMNR lookups this will give
us a quick response on whether we can find a suitable name. Report this as new transaction state, since this should
mostly be treated like an NXDOMAIN rcode, except that it's not one.
|
|
Assign errno-style errors to a variable called "r" when they happen, the same way we do this in most other calls. It's
bad enough that the error handling part of the function deals with two different error variables (pam_code and r) now,
but before this fix it was even three!
|