Age | Commit message (Collapse) | Author |
|
authenticated
Doing DNS retrieval on non-authenticated crypt keys is useless, hence warn
loudly about it.
|
|
This patch makes networkd stay around as long as there is more than just a
loopback interface around, or the loopback device isn't fully probed yet, or
the loopback device has a .network file attached.
In essence, this means networkd stays around now continously as it should,
unless it is running in some (container?) environment that really has no
interface except a loopback device.
Fixes #2577.
|
|
Before this patch existence of char16_t, char32_t, key_serial_t was checked
with AC_CHECK_DECLS() which doesn't actually work for types. Correct this to
use AC_CHECK_TYPES() instead.
Also, while we are at it, change the check for memfd_create() to use
AC_CHECK_DECLS() instead of AC_CHECK_FUNCS(). This is a better choice, since a
couple of syscalls are defined by glibc but not exported in the header files
(pivot_root() for example), and we hence should probably be more picky with
memfd_create() too, which glibc might decide to expose one day, but not
necessarily in the headers too.
|
|
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to
"allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled
by default add a configure switch to disable this again.
DNSSEC in "allow-downgrade" mode should mostly work without affecting user
experience. There's one exception: some captive portal systems rewrite DNS in
order to redirect HTTP traffic to the captive portal. If these systems
implement DNS servers that are otherwise DNSSEC-capable (which in fact is
pretty unlikely, but still...), then this will result in the captive portal
being inaccessible. To fix this support in NetworkManager (or any other network
management solution that does captive portal detection) is required, which
simply turns off DNSSEC during the captive portal detection, and resets it back
to the default (i.e. on) after captive portal authentication is complete.
|
|
time-util: Rename and fix call of deserialize_timestamp_value()
|
|
The deserialize_timestamp_value() is renamed timestamp_deserialize() to be more
consistent with dual_timestamp_deserialize()
And add the NULL check back on realtime and monotonic
|
|
systemctl: include -M or -H arguments in the hint
|
|
https://github.com/systemd/systemd/issues/2431
Some newlines are added, but the output will still exceed 80 columns in many
cases. The fallback for oom conditions is changed from "n/a" to something
"<service>", and a similar pattern is used for the new code. This way we
have a realistic fallback for oom, which seems nicer than making the whole
function return an error code which would then have to be propagated.
$ systemctl -M fedora-rawhide restart systemd-networkd.service
Job for systemd-networkd.service failed because start of the service was attempted too often.
See "systemctl -M fedora-rawhide status systemd-networkd.service" and "journalctl -M fedora-rawhide -xe" for details.
To force a start use "systemctl -M fedora-rawhide reset-failed systemd-networkd.service"
followed by "systemctl -M fedora-rawhide start systemd-networkd.service" again.
|
|
time-util: introduce deserialize_timestamp_value()
|
|
which is introduced in the ebf30a086d commit.
|
|
which is introduced in the ebf30a086dfa commit.
|
|
The time-util.c provides dual_timestamp_deserialize() function to
convert value to usec_t and set it as value of ts->monotonic and
ts->realtime.
There are some places in code which do the same but only for one
clockid_t (realtime or monotonic), when dual_timestamp_deserialize()
sets value of both.
This patch introduces the deserialize_timestamp_value() which converts
a given value to usec_t and write it to a given timestamp.
|
|
The function must never fail.
|
|
remove bus-proxyd
|
|
Move activate to bin, extend --fdnames functionality
|
|
We already define IFLA_PROMISCUITY and some other of these masks in
order to allow building with older headers. Define IFLA_EXT_MASK too,
which was added in the same kernel version as IFLA_PROMISCUITY (v3.10).
|
|
bus property name fix in resolved
|
|
Previously we'd miss a necessary whitespace at the end of arrays, if more data
was following.
|
|
If the hostname passed to ResolveHostname() is actually an IP address that is
correctly formatted as string parse it as such, avoid any DNS traffic and
return the data in parsed form.
This is useful for clients which can simply call the bus function now without
caring about the precise formatting of specified hostnames. This mimics
getaddrinfo()'s behaviour with the AI_NUMERICHOST flag set.
Note that this logic is only implemented for ResolveHostname(), but not for
calls such as ResolveRecord(), for which only DNS domain names may be used as
input.
The "authenticated" flag is set for look-ups of this type, after all no
untrusted network traffic is involved.
|
|
Another property name fuck-up. The property contains both search and routing
domains and hence should be exposed as "Domains" rather than "SearchDomains".
The counterpart in the Link object was correctly named, and the
SetLinkDomains() and SetDomains() setter calls too, hence let's get this right,
too.
(Yepp, a minor API break actually, but given that this was so far not
documented, and only 3 days public let's fix this now)
|
|
|
|
|
|
We call dual_timestamp_serialize() only if the s->watchdog_timestamp is
set. But the dual_timestamp_serialize() already checks a given dual
timestamp by the call of the dual_timestamp_is_set(). So we can remove
this check safely.
|
|
By mistake the "DNSSECSupported" bus property of the Link object got named
"DNSSECSupport". Internally, it's named correctly, and the counterpart on the
"Manager" object got named correctly too.
Technically this rename is an API break, but given that the interface is not
documented or widely announced yet, and just 3 days in a published release,
let's just fix this, and hope nobody notices.
|
|
Previous code only allowed a single name to be passed, and duplicated
it over all descriptors. For the sake of testing, allow different
names and in arbitrary number. If just one is given, duplicate it
to match the number of sockets. This matches previuos behaviour.
Since this is a testing tool, it seems useful to allow passing invalid
names to test application behaviour with invalid names. Hence, only
warn. When warning, escape the name.
|
|
Empty strings were ignored in strv_join, but only if they were at the beginning
of the string. Empty strings after at least one non-empty item were treated
normally.
Previously:
{"x"} → "x"
{"x", ""} → "x"
{"x", "", ""} → "x::"
{""} → ""
{"", ""} → ""
{"", "", ""} → ""
{"", "x"} → "x"
{"", "x", ""} → "x:"
Now:
{"x"} → "x"
{"x", ""} → "x"
{"x", "", ""} → "x::"
{""} → ""
{"", ""} → ":"
{"", "", ""} → "::"
{"", "x"} → ":x"
{"", "x", ""} → ":x:"
|
|
Some spring cleaning
|
|
let's export as little as we can
|
|
|
|
Left over cruft from the dkr excercise.
|
|
The dir is not used otherwise, hence let's drop the Makefile, so that the dir
stops to exist, too.
|
|
The setting is hardly useful (since its effect is generally reduced to zero due
to file system caps), and with the advent of ambient caps an actually useful
replacement exists, hence let's get rid of this.
I am pretty sure this was unused and our man page already recommended against
its use, hence this should be a safe thing to remove.
|
|
This was used by the dkr logic, which is gone now, hence remove this too.
Should we need it one day again the git history never forgets...
Note that this only covers the JSON parser. The JSON generator used by
"journalctl -o json" remains, as its much much simpler and requires no
infrastructure except printf() and the most basic escaping.
|
|
They have long been obsolete, and upstream distros and packages have mostly
switched over, let's get rid of it for good.
|
|
Better support of OPENPGPKEY, CAA, TLSA packets and tests
|
|
core: fix indenting in dump output
|
|
Left-over unknown flags are printed numerically. Otherwise,
it wouldn't be known what bits are remaining without knowning
what the known bits are.
A test case is added to verify the flag printing code:
============== src/resolve/test-data/fake-caa.pkts ==============
google.com. IN CAA 0 issue "symantec.com"
google.com. IN CAA 128 issue "symantec.com"
-- Flags: critical
google.com. IN CAA 129 issue "symantec.com"
-- Flags: critical 1
google.com. IN CAA 22 issue "symantec.com"
-- Flags: 22
|
|
|
|
Also add example files with TLSA and SSHFP records.
|
|
|
|
Packets are stored in a simple format:
<size> <packet-wire-format> <size> <packet-wire-format> ...
Packets for some example domains are dumped, to test rr code for various
record types. Currently:
A
AAAA
CAA
DNSKEY
LOC
MX
NS
NSEC
OPENPGPKEY
SOA
SPF
TXT
The hashing code is executed, but results are not checked.
Also build other tests in src/resolve only with --enable-resolve.
|
|
Fixes: #2593
|
|
Fixes: #2597
|
|
As kdbus won't land in the anticipated way, the bus-proxy is not needed in
its current form. It can be resurrected at any time thanks to the history,
but for now, let's remove it from the sources. If we'll have a similar tool
in the future, it will look quite differently anyway.
Note that stdio-bridge is still available. It was restored from a version
prior to f252ff17, and refactored to make use of the current APIs.
|
|
Spelling
|
|
Remove kdbus custom endpoint support
|
|
|
|
|
|
This feature will not be used anytime soon, so remove a bit of cruft.
The BusPolicy= config directive will stay around as compat noop.
|
|
sd-boot: put hashed kernel command line in a PCR of the TPM
|