summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-01-26resolved: teach resolved the difference between "routing" and "search" domainsLennart Poettering
Following the changes to expose the "routing" and "search" domain concepts in networkd, actually make resolved use them. It will now use routing domains exclusively for making DNS routing decisions, and use search domains additionally for extending single-label names.
2016-01-26util: introduce fputs_with_space() and make use of it at various placesLennart Poettering
The call combines outputing a string with prefixing it with a space, optionally. This is useful to shorten the logic for outputing lists of strings, that are space separated.
2016-01-26networkd: optinally use DHCP lease domain info for routing onlyLennart Poettering
This changes the UseDomains= setting of .network files to take an optional third value "route", in addition to the boolean values. If set, the passed domain information is used for routing rules only, but not for the search path logic.
2016-01-26networkd: rename a few Network object properties to be more like the ↵Lennart Poettering
configuration settings All booleans called dhcp_xyz are now called ".dhcp_use_xyz", to match their respective configuration file settings. This should clarify things a bit, in particular as there is a DHCP hostname that was previously called just ".hostname" because ".dhcp_hostname" was already existing as a bool. Since this confusion is removed now because the bool is called ".dhcp_use_hostname", the string field is now renamed to ".dhcp_hostname".
2016-01-26shared: normalize the root domain to "." rather than ""Lennart Poettering
Let's make sure the root domain is normalized to ".", rather than then empty string, so that there's actually something to see on screen. Normally, we don't append a trailing dot to normalized domain names, but do so in the one exception of the root domain, taking inspiration from UNIX file system paths.
2016-01-26dhcp: make host/domain name validity checks stricterLennart Poettering
Also don't permit host/domain names that reference the root domain, and unify the codepaths for this.
2016-01-26networkd: when filtering out duplicate domain names use DNS comparisonLennart Poettering
When we collect the domain names of the various links and other sources in one ordered set, make sure to use proper DNS name comparison to filter out duplicates.
2016-01-26networkd: use an OrderedSet instead of Set to collect link domainsLennart Poettering
For the search domain logic the order is highly relevant, hence make sure when collecting the various search domains to add them to an ordered set, so that the order between search domains of a specific link is retained.
2016-01-26networkctl: move strv_isempty() check into dump_list()Lennart Poettering
Previously, each invocation of dump_list() was prefixed with a call to strv_isempty() to suppress invocation of the function when the list is empty anyway. Move the check into the function itself, so that we can reduce the code a bit in size. (Also, prefix a couple of invocations we knowingly ignore return errors with a (void) cast).
2016-01-26networkd: rework Domains= settingLennart Poettering
Previously, .network files only knew a vaguely defined "Domains=" concept, for which the documentation declared it was the "DNS domain" for the network connection, without specifying what that means. With this the Domains setting is reworked, so that there are now "routing" domains and "search" domains. The former are to be used by resolved to route DNS request to specific network interfaces, the latter is to be used for searching single-label hostnames with (in addition to being used for routing). Both settings are configured in the "Domains=" setting. Normal domain names listed in it are now considered search domains (for compatibility with existing setups), while those prefixed with "~" are considered routing domains only. To route all lookups to a specific interface the routing domain "." may be used, referring to the root domain. An alternative syntax for this is the "*", as was already implemented before using the "wildcard" domain concept. This commit adds proper parsers for this new logic, and exposes this via the sd-network API. This information is not used by resolved yet, this will be added in a later commit.
2016-01-26Merge pull request #2424 from keszybz/journald-disk-usageLennart Poettering
Journald disk usage
2016-01-26Merge pull request #2436 from grawity/fix/tasks-maxDaniel Mack
logind: update documentation for cf7d1a30e44
2016-01-26logind: update documentation for cf7d1a30e44Mantas Mikulėnas
2016-01-26Merge pull request #2434 from keszybz/man-pagesDaniel Mack
Man pages
2016-01-26Merge pull request #2435 from evverx/tests-setup-selinuxDaniel Mack
tests: add setup_selinux
2016-01-25man: add stub sd-bus(3)Zbigniew Jędrzejewski-Szmek
We have 126 broken links to sd-bus.html, it's nice to fix that. Current version is mostly a stub, with a long list of links to other pages. I think that's fine, especially that sd-bus might evolve quite a bit before it is made public. Not all of linked pages are written. Still missing: sd_bus_can_send sd_bus_get_name_creds sd_bus_get_owner_creds sd_bus_message_can_send sd_bus_message_get_creds sd_bus_message_set_allow_interactive_authorization sd_bus_send sd_bus_set_address sd_bus_set_description sd_bus_start sd_event_set_prepare sd-device systemd.busname
2016-01-25man: fix reference to sd_event_source_get_io_reventsZbigniew Jędrzejewski-Szmek
2016-01-25man: fix references to a few external man pagesZbigniew Jędrzejewski-Szmek
Noticed in pull request #2067.
2016-01-25build-sys: provide fallback value for xsltprocZbigniew Jędrzejewski-Szmek
Commit ab6f56debf made the change to allow building man pages even when disabled with ./configure --disable-manpages. This works fine, as long as xsltproc is present. If xsltproc is not present, the command to build a man page (obviously) fails. Unfortnately it fails with a cryptic message '-o not found', because $(XSLTPROC) is empty. Add a fallback, to use 'xsltproc' is $(XSLTPROC) is not defined. This way we get a nice message: make: xsltproc: Command not found
2016-01-25Merge pull request #2392 from poettering/dnssec18Tom Gundersen
eightteenth dnssec patch
2016-01-25Merge pull request #2240 from hgwalles/coredump-delete-bugLennart Poettering
coredump: fix bug that loses core dump files when core dumps are compressed and disk space is low.
2016-01-25coredump: fix bug that loses core dump files when core dumps are compressed ↵Hayden Walles
and disk space is low. Previously the save_external_coredump function returned a file descriptor corresponding to the dumped file. This descriptor was used for two different purposes by calling code: a) access to the raw core dump data; b) testing candidate files (via inode comparisons) while vacuuming to protect the current core dump from vacuuming. The descriptor returned always corresponded to a file containing the raw core dump data. However if compresson was used and the core dump was compressed then the descriptor returned did not correspond to the file that would eventually be left on disk (ie the compressed file). Thus the file was never protected by vacuuming. When disk space was low all core dumps including the current one would be vacuumed and the corresponding log message referred to a file that no longer existed. This resulted in the following error message from coredumpctl if the missing core dump was requested: Cannot retrieve coredump from journal nor disk. Failed to retrieve core: No such file or directory save_external_coredump now returns two descriptors, one to be used for inode comparisons to prevent overzealous vacuuming and one to be used for raw data access. When compression is not used the returned inode comparison descriptor will be invalid, indicating that the raw data access descriptor should be used for inode comparisons as well. Corresponding use of save_external_coredump and the returned descriptors also updated.
2016-01-25Merge pull request #2430 from lnykryn/is-active-failedZbigniew Jędrzejewski-Szmek
systemctl: is-active/failed should return 0 if at least one unit is in given state Previously: [lnykryn@notas lnykryn-systemd(is-active-failed)]$ systemctl is-failed fail cups; echo $? failed active 1 now: [lnykryn@notas lnykryn-systemd(is-active-failed)]$ ./systemctl is-failed fail cups; echo $? failed active 0
2016-01-25udev: filter out non-sensically high onboard indexes reported by the kernelLennart Poettering
Let's not accept onboard interface indexes, that are so high that they are obviously non-sensical. Fixes: #2407
2016-01-25resolved: don't consider NSEC/NSEC3 RRs as "pimary" for transactionsLennart Poettering
So far, abritrary NSEC and NSEC3 RRs were implicitly consider "primary" for any transaction, meaning we'd abort the transaction immediately if we couldn't validate it. With this patch this logic is removed, and the NSEC/NSEC3 RRs will not be considered primary anymore. This has the effect that they will be dropped from the message if they don't validate, but processing continues. This is safe to do, as they are required anyway to validate positive wildcard and negative responses, and if they are missing then, then message will be considered unsigned, which hence means the outcome is effectively the same. This is benefical in case the server sends us NSEC/NSEC3 RRs that are not directly related to the lookup we did, but simply auxiliary information. Previously, if we couldn't authenticate those RRs we'd fail the entire lookup while with this change we'll simply drop the auxiliary information and proceed without it.
2016-01-25resolved: don't insist in RRSIG metadata for NSEC3 RRs that have not been ↵Lennart Poettering
authenticated In some cases we get NSEC3 RRs that have not been authenticated (because the chain of trust to the root is somewhere broken). We can use these for checking negative replies, as long as we don't claim they were ultimately authenticated. This means we need to be able to deal with NSEC3 RRs that lack RRSIG metadata.
2016-01-25resolved: use dns_query_reset_answer() where we canLennart Poettering
2016-01-25update DNSSEC TODOLennart Poettering
2016-01-25resolved: properly propagate query candidate errorLennart Poettering
We already properly propagate errors from transactions to queries. Make sure that errors that happened during handling of query candidates are propagated to the query, too.
2016-01-25resolved: replace DNS_TRANSACTION_RESOURCES by DNS_TRANSACTION_ERRNOLennart Poettering
Whenever we encounter an OS error we did not expect, we so far put the transaction into DNS_TRANSACTION_RESOURCES state. Rename this state to DNS_TRANSACTION_ERRNO, and save + propagate the actual system error to the caller. This should make error messages triggered by system errors much more readable by the user.
2016-01-25catalog: add DNSSEC log messages to message catalogLennart Poettering
2016-01-25catalog: fix line width to 79 charsLennart Poettering
Line breaks default to 119 characters for systemd sources now, configured through the .vimrc and .dir-local.el files. However, for the catalog files we really should stick to 79 chars, as they are regularly shown on terminal screens.
2016-01-25resolved: log recognizably about DNSSEC downgradesLennart Poettering
If we downgrade from DNSSEC to non-DNSSEC mode, let's log about this in a recognizable way (i.e. with a message ID), after all, this is of major importance.
2016-01-25resolved: synthesize RRs for data from /etc/hostsLennart Poettering
This way the difference between lookups via NSS and our native bus API should become minimal.
2016-01-25resolved: when synthesizing RR responses, own the name fullyLennart Poettering
When we synthesize A/AAAA for domains like "localhost", then make sure we generate ENODATA if the user asks for RR types such a RP to be solved on the name. Previously, we'd pass the error back in that case that was generated from the usual lookup procedure.
2016-01-25resolved: properly handle LLMNR/TCP connection errorsLennart Poettering
The LLMNR spec suggests to do do reverse address lookups by doing direct LLMNR/TCP connections to the indicated address, instead of doing any LLMNR multicast queries. When we do this and the peer doesn't actually implement LLMNR this will result in a TCP connection error, which we need to handle. In contrast to most LLMNR lookups this will give us a quick response on whether we can find a suitable name. Report this as new transaction state, since this should mostly be treated like an NXDOMAIN rcode, except that it's not one.
2016-01-25core: normalize error handling a bit, in setup_pam()Lennart Poettering
Assign errno-style errors to a variable called "r" when they happen, the same way we do this in most other calls. It's bad enough that the error handling part of the function deals with two different error variables (pam_code and r) now, but before this fix it was even three!
2016-01-25resolved: fix rcode formatting string lengthLennart Poettering
Since we honour the edns rcode extension we need more than 4 bits to format it. To avoid further confusion, derive the right length from the type.
2016-01-25github: extend README.md a bitLennart Poettering
Link up more stuff on the GitHub landing page.
2016-01-25github: add a CONTRIBUTING.md file that github shows when a PR or issue is filedLennart Poettering
github links up CONTRIBUTING.md if it exists from the issue/PR filing form. Let's add one, in the hope that people have a look before filing a PR.
2016-01-25README: drop link to systemd-commits MLLennart Poettering
Since we moved to github the commits ML is basically dead, hence don't advertise it anymore.
2016-01-25CODING_STYLE: make sure line break recommendation matches edit configurationLennart Poettering
In the .vimrc and .dir-locals.el we suggest a line width of 119. We should recommend the same in CODING_STYLE.
2016-01-25resolve: fix wording in resolver statistics outputLennart Poettering
Now that we count both negative and positive validation results, we shouldn't claim we just counted RRsets.
2016-01-25resolved: log each time we increase the DNSSEC verdict countersLennart Poettering
Also, don't consider RRs that aren't primary to the lookups we do as relevant to the lookups.
2016-01-25resolved: never store NSEC/NSEC3 RRs from the upper zone of a zone cut in cacheLennart Poettering
When using NSEC/NSEC3 RRs from the cache to derive existance of arbitrary RRs, we should not get confused by the fact that NSEC/NSEC3 RRs exist twice at zone cuts: once in the parent zone, and once in the child zone. For most RR types we should only consult the latter since that's where the beef is. However, for DS lookups we have to check the former. This change makes sure we never cache NSEC/NSEC3 RRs from any parent zone of a zone-cut. It also makes sure that when we look for a DS RR in the cache we never consider any cached NSEC RR, as those are now always from the child zone.
2016-01-25resolved: if we detect a message with incomplete DNSSEC data, consider this ↵Lennart Poettering
an invalid packet event
2016-01-25resolved: also collect statistics about negative DNSSEC proofsLennart Poettering
We already maintain statistics about positive DNSSEC proofs, and count them up by 1 for each validated RRset. Now, update the same counters each time we validated a negative query, so that the statistics are the combined result of all validation checks, both positive and negative.
2016-01-25resolve: use different bitmap checking rules when we find an exact NSEC3 ↵Lennart Poettering
match, or just a covering enclosure If we are looking for a DS RR we need to check the NSEC3 bitmap of the parent zone's NSEC3 RR, not the one from the child. For any other RR we need to look at the child's however, hence enforce this with the bitmaps. Note that not coverign checks only the lower zone's NSEC3 bitmaps matter, hence the existing check is fine.
2016-01-25resolve: minor strings improvementsLennart Poettering
2016-01-25man: document systemd-resolve(8)Lennart Poettering
This also links up the new manpage from systemd-resolved.service(8), and makes a couple of unrelated additions.