| Age | Commit message (Collapse) | Author |
|---|
|
Better support for DANE, shell completion
|
|
v2:
- use /sys/class/net to list interfaces,
also copy the same code to systemd-nspawn
v3:
- do not propose "any" twice for --type
|
|
test-dns-domain should be built and run even without ENABLE_RESOLVED.
|
|
If ./configure --disable-resolved has been used, do not try to build
test-dns-packet and test-resolve-tables which depend on it.
Previously, the SOURCES, LIBS and LDADDs for these tests were made conditional
while the main rules for them weren't, causing build failures trying to build a
binary with no sources.
This was uncovered when trying to build udeb for systemd in CI, which uses
--disable-resolved for a minimal build, which uncovered the issue.
Fixes #2651.
|
|
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to
"allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled
by default add a configure switch to disable this again.
DNSSEC in "allow-downgrade" mode should mostly work without affecting user
experience. There's one exception: some captive portal systems rewrite DNS in
order to redirect HTTP traffic to the captive portal. If these systems
implement DNS servers that are otherwise DNSSEC-capable (which in fact is
pretty unlikely, but still...), then this will result in the captive portal
being inaccessible. To fix this support in NetworkManager (or any other network
management solution that does captive portal detection) is required, which
simply turns off DNSSEC during the captive portal detection, and resets it back
to the default (i.e. on) after captive portal authentication is complete.
|
|
remove bus-proxyd
|
|
It has fairly wide functionality now and the interface has been
stable for a while. It it a useful testing tool.
The name is changed to better indicate what it does.
|
|
Some spring cleaning
|
|
Left over cruft from the dkr excercise.
|
|
This was used by the dkr logic, which is gone now, hence remove this too.
Should we need it one day again the git history never forgets...
Note that this only covers the JSON parser. The JSON generator used by
"journalctl -o json" remains, as its much much simpler and requires no
infrastructure except printf() and the most basic escaping.
|
|
They have long been obsolete, and upstream distros and packages have mostly
switched over, let's get rid of it for good.
|
|
Better support of OPENPGPKEY, CAA, TLSA packets and tests
|
|
Left-over unknown flags are printed numerically. Otherwise,
it wouldn't be known what bits are remaining without knowning
what the known bits are.
A test case is added to verify the flag printing code:
============== src/resolve/test-data/fake-caa.pkts ==============
google.com. IN CAA 0 issue "symantec.com"
google.com. IN CAA 128 issue "symantec.com"
-- Flags: critical
google.com. IN CAA 129 issue "symantec.com"
-- Flags: critical 1
google.com. IN CAA 22 issue "symantec.com"
-- Flags: 22
|
|
Also add example files with TLSA and SSHFP records.
|
|
|
|
Packets are stored in a simple format:
<size> <packet-wire-format> <size> <packet-wire-format> ...
Packets for some example domains are dumped, to test rr code for various
record types. Currently:
A
AAAA
CAA
DNSKEY
LOC
MX
NS
NSEC
OPENPGPKEY
SOA
SPF
TXT
The hashing code is executed, but results are not checked.
Also build other tests in src/resolve only with --enable-resolve.
|
|
As kdbus won't land in the anticipated way, the bus-proxy is not needed in
its current form. It can be resurrected at any time thanks to the history,
but for now, let's remove it from the sources. If we'll have a similar tool
in the future, it will look quite differently anyway.
Note that stdio-bridge is still available. It was restored from a version
prior to f252ff17, and refactored to make use of the current APIs.
|
|
This feature will not be used anytime soon, so remove a bit of cruft.
The BusPolicy= config directive will stay around as compat noop.
|
|
sd-boot: put hashed kernel command line in a PCR of the TPM
|
|
$ systemd-resolve --openpgp zbyszek@fedoraproject.org
d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproject.org. IN OPENPGPKEY
mQINBFBHPMsBEACeInGYJCb+7TurKfb6wGyTottCDtiSJB310i37/6ZYoeIay/5soJjlM
yfMFQ9T2XNT/0LM6gTa0MpC1st9LnzYTMsT6tzRly1D1UbVI6xw0g0vE5y2Cjk3xUwAyn
...
|
|
It's annoying to have the exact same function in three places.
It's stored in src/shared, but it's not added to the library to
avoid the dependency on libgcrypt.
|
|
The UEFI BIOS already hashes the contents of the loaded image, so the
initrd and the command line of the binary are recorded.
Because manually added LoadOptions are not taken into account, these
should be recorded also.
This patch logs and extends a TPM PCR register with the LoadOptions.
This feature can be enabled with configure --enable-tpm
The PCR register index can be specified with
configure --with-tpm-pcrindex=<NUM>
|
|
|
|
This is a follow-up to https://github.com/systemd/systemd/pull/2493
|
|
|
|
Let's add an extra-safety net and change UID/GID to the "systemd-coredump" user when processing coredumps from system
user. For coredumps of normal users we keep the current logic of processing the coredumps from the user id the coredump
was created under.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=87354
|
|
This reworks the coredumping logic so that the coredump handler invoked from the kernel only collects runtime data
about the crashed process, and then submits it for processing to a socket-activate coredump service, which extracts a
stacktrace and writes the coredump to disk.
This has a number of benefits: the disk IO and stack trace generation may take a substantial amount of resources, and
hence should better be managed by PID 1, so that resource management applies. This patch uses RuntimeMaxSec=, Nice=, OOMScoreAdjust=
and various sandboxing settings to ensure that the coredump handler doesn't take away unbounded resources from normally
priorized processes.
This logic is also nice since this makes sure the coredump processing and storage is delayed correctly until
/var/systemd/coredump is mounted and writable.
Fixes: #2286
|
|
|
|
|
|
Build sys and man fixes
|
|
Repeating those conditionals for every program is
annoying. Use a helper variable to avoid conditionals.
Also always add generated completion files to CLEANFILES.
|
|
It's better to always include them in 'make clean'.
It is also easier to read Makefile.am when less stuff is conditional.
|
|
This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1.
This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other
processes regarding reaping of unknown children or signal handling.
|
|
journalctl: make "journalctl /dev/sda" work
|
|
Currently when journalctl is called with path to block device node we
add following match _KERNEL_DEVICE=b$MAJOR:$MINOR.
That is not sufficient to actually obtain logs about the disk because
dev_printk() kernel helper puts to /dev/kmsg information about the
device in following format, +$SUBSYSTEM:$ADDRESS,
e.g. "+pci:pci:0000:00:14.0".
Now we will walk upward the syspath and add match for every device in
format produced by dev_printk() as well as match for its device node if
it exists.
|
|
|
|
Resolved 2
|
|
|
|
|
|
The command has a man page now and is public, hence add it to /usr/bin.
|
|
Let's make sure our poll() calls don't get interrupted where they shouldn't (SIGALRM, ...), but allow them to be
interrupted where they should (SIGINT, ...).
Fixes #1965
|
|
Ask password unicode fix
|
|
|
|
For the search domain logic the order is highly relevant, hence make sure when collecting the various search domains to
add them to an ordered set, so that the order between search domains of a specific link is retained.
|
|
Commit ab6f56debf made the change to allow building man pages even when disabled
with ./configure --disable-manpages. This works fine, as long as xsltproc is
present. If xsltproc is not present, the command to build a man page (obviously)
fails. Unfortnately it fails with a cryptic message '-o not found', because
$(XSLTPROC) is empty. Add a fallback, to use 'xsltproc' is $(XSLTPROC) is not
defined. This way we get a nice message:
make: xsltproc: Command not found
|
|
This way the difference between lookups via NSS and our native bus API should become minimal.
|
|
The tool resolves way more than just hosts, hence give it a more generic name. This should be safe, as the tool is
currently undocumented. Before we add documentation for it, let's get the name right.
This also moves the C source into src/resolve/ (from src/resolve-host/), since the old name is a misnomer now. Also,
since it links directly to many of the C files of resolved it really belongs into resolved's directory anyway.
|
|
Also, while we are at it, set the "authenticated" bit for everything we synthesize
|
|
Nss link less 2
|
|
resolved bus API improvements
|
