summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2016-06-24machined: make sure CleanPool() method is opened up in the dbus policyLennart Poettering
The method is already hooked up to PolicyKit, hence let's open this up via the bus policy language too. Fixes: #3585
2016-06-24machined: "machinectl clean" can take a while, do it asynchronously from a ↵Lennart Poettering
background process This is a follow-up to 5d2036b5f3506bd0ff07042aee8d69c26db32298, and also makes the "machinectl clean" verb asynchronous, after all it's little more than a series of image removals. The changes required to make this happen are a bit more comprehensive as we need to pass information about deleted images back to the client, as well as information about the image we failed on if we failed on one. Hence, create a temporary file in /tmp, serialize that data into, and read it from the parent after the operation is complete.
2016-06-24machined: don't bother explicitly closing the errno pipeLennart Poettering
There's no point in explicitly closing the errno pipe, if we exit right after anyway. It doesn't hurt doing this either, but let's do this the same way for all cases where we use the "Operation" object right now, and in all other cases we do not close the pipe explicitly, hence don't do so here either.
2016-06-24cgroup: minor coding style fixLennart Poettering
2016-06-24Merge pull request #3594 from poettering/resolved-servfailMartin Pitt
resolved fixes for handling SERVFAIL errors from servers
2016-06-24systemctl: Create new unit files with "edit --force" (#3584)Doug Christman
2016-06-24resolved: add option to disable caching (#3592)Martin Pitt
In some cases, caching DNS results locally is not desirable, a it makes DNS cache poisoning attacks a tad easier and also allows users on the system to determine whether or not a particular domain got visited by another user. Thus provide a new "Cache" resolved.conf option to disable it.
2016-06-24Merge pull request #3549 from poettering/resolved-moreTom Gundersen
resolved: more fixes, among them "systemctl-resolve --status" to see DNS configuration in effect, and a local DNS stub listener on 127.0.0.53
2016-06-23resolved: when processing auxiliary DNSSEC transactions, accept those with ↵Lennart Poettering
SERVFAIL Some upstream DNS servers return SERVFAIL if we ask them for DNSSEC RRs, which some forwarding DNS servers pass on to us as SERVFAIL (other though as NOERROR...). This is should not be considered a problem, as long as the domain in question didn't have DNSSEC enabled. Hence: when making use of auxiliary transactions accept those that return SERVFAIL.
2016-06-23resolved: when caching replies, check rcode earlierLennart Poettering
This way we don't log complaints about packets without SOA in case we are not caching it anyway because the rcode is not SUCCESS or NXDOMAIN...
2016-06-23resolved: rework SERVFAIL handlingLennart Poettering
There might be two reasons why we get a SERVFAIL response from our selected DNS server: because this DNS server itself is bad, or because the DNS server actually serving the zone upstream is bad. So far we immediately downgraded our server feature level when getting SERVFAIL, under the assumption that the first case is the only possible case. However, this meant we'd downgrade immediately even if we encountered the second case described above. With this commit handling of SERVFAIL is reworked. As soon as we get a SERVFAIL on a transaction we retry the transaction with a lower feature level, without changing the feature level tracked for the DNS server itself. If that fails too, we downgrade further, and so on. If during this downgrading the SERVFAIL goes away we assume that the DNS server we are talking to is bad, but the zone is fine and propagate the detected feature level to the information we track about the DNS server. Should the SERVFAIL not go away this way we let the transaction fail and accept the SERVFAIL.
2016-06-23fstab-generator: ignore root=/dev/nfs (#3591)Harald Hoyer
root=/dev/nfs is a legacy option for the kernel to handle root on NFS. Documentation for this kernel command line option can be found in the kernel source tree: Documentation/filesystems/nfs/nfsroot.txt
2016-06-23Merge pull request #3583 from poettering/restrict-realtimeRonny Chevalier
add new RestrictRealtime= option to services (and other fixes)
2016-06-23Merge pull request #3581 from dobyrch/masterRonny Chevalier
systemctl: Add missing "/" to files created by 'edit --runtime'
2016-06-23build-sys: move fdset.[ch] src/basic → src/shared (#3580)Lennart Poettering
It makes use of the sd_listen_fds() call, and as such should live in src/shared, as the distinction between src/basic and src/shared is that the latter may use libsystemd APIs, the former does not. Note that btrfs-util.[ch] and log.[ch] also include header files from libsystemd, but they only need definitions, they do not invoke any function from it. Hence they may stay in src/basic.
2016-06-23execute: add a new easy-to-use RestrictRealtime= option to unitsLennart Poettering
It takes a boolean value. If true, access to SCHED_RR, SCHED_FIFO and SCHED_DEADLINE is blocked, which my be used to lock up the system.
2016-06-23execute: be a little less drastic when MemoryDenyWriteExecute= hitsLennart Poettering
Let's politely refuse with EPERM rather than kill the whole thing right-away.
2016-06-23execute: set PR_SET_NO_NEW_PRIVS also in case the exec memory protection is usedLennart Poettering
This was forgotten when MemoryDenyWriteExecute= was added: we should set NNP in all cases when we set seccomp filters.
2016-06-23execute: use the return value of setrlimit_closest() properlyLennart Poettering
It's a function defined by us, hence we should look for the error in its return value, not in "errno".
2016-06-23core: when writing transient unit files, make sure all lines end with a newlineLennart Poettering
This is a fix-up for 2a9a6f8ac04a69ca36d645f9305a33645f22a22b which covered non-transient units, but missed the case for transient units.
2016-06-22systemctl: Add missing "/" to files created by 'edit --runtime'Douglas Christman
2016-06-22machinectl: do not escape the unit name (#3554)Elias Probst
Otherwise starting a machine named `foo-bar-baz` will end up in machinectl attempting to start the service unit `systemd-nspawn@foo\x2dbar\x2dbaz` instead of `systemd-nspawn@foo-bar-baz`.
2016-06-22watchdog: Support changing watchdog_usec during runtime (#3492)Minkyung
Add sd_notify() parameter to change watchdog_usec during runtime. Application can change watchdog_usec value by sd_notify like this. Example. sd_notify(0, "WATCHDOG_USEC=20000000"). To reset watchdog_usec as configured value in service file, restart service. Notice. sd_event is not currently supported. If application uses sd_event_set_watchdog, or sd_watchdog_enabled, do not use "WATCHDOG_USEC" option through sd_notify.
2016-06-22Merge pull request #3526 from fbuihuu/fix-console-log-colorLennart Poettering
Fix console log color
2016-06-22pid1: initialize status color mode after setting up TERMFranck Bui
Also we had to connect PID's stdio to null later since colors_enabled() assume that stdout is connected to the console.
2016-06-22pid1: initialize TERM environment variable correctlyFranck Bui
When systemd is started by the kernel, the kernel set the TERM environment variable unconditionnally to "linux" no matter the console device used. This might be an issue for dumb devices with no colors support. This patch uses default_term_for_tty() for getting a more accurate value. But it makes sure to keep the user preferences (if any) which might be passed via the kernel command line. For that purpose /proc should be mounted.
2016-06-21machinectl: interpret options placed between "shell" verb and machine nameLennart Poettering
Previously, we'd stop processing of the argument list immediately when hitting the "shell" verb. However, we really should continue processing options then, until we hit the machine name. Fixes: #3472
2016-06-21Do not ellipsize cgroups when showing slices in --full mode (#3560)Ian Lee
Do not ellipsize cgroups when showing slices in --full mode
2016-06-21tmpfiles: make sure to always initialize "r" correctly.Lennart Poettering
2016-06-21tree-wide: some work-arounds for gcc false positives regarding uninitialized ↵Lennart Poettering
variables
2016-06-21resolved: respond to local resolver requests on 127.0.0.53:53Lennart Poettering
In order to improve compatibility with local clients that speak DNS directly (and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process any queries made that way. Note that resolved does not implement a full DNS server on this port, but simply enough to allow normal, local clients to resolve RRs through resolved. Specifically it does not implement queries without the RD bit set (these are requests where recursive lookups are explicitly disabled), and neither queries with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with validation turned off). It also refuses zone transfers and obsolete RR types. All lookups done this way will be rejected with a clean error code, so that the client side can repeat the query with a reduced feature set. The code will set the DNSSEC AD flag however, depending on whether the data resolved has been validated (or comes from a local, trusted source). Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary, but this is only partially useful as DNS packets cannot carry IP scope data (i.e. the ifindex), and hence link-local addresses returned cannot be used properly (and given that LLMNR/mDNS are mostly about link-local communication this is quite a limitation). Also, given that DNS tends to use IDNA for non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1. In general this should improve compatibility with clients bypassing NSS but it is highly recommended for clients to instead use NSS or our native bus API. This patch also beefs up the DnsStream logic, as it reuses the code for local TCP listening. DnsStream now provides proper reference counting for its objects. In order to avoid feedback loops resolved will no silently ignore 127.0.0.53 specified as DNS server when reading configuration. resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave the latter free for local, external DNS servers or forwarders. This also changes the "etc.conf" tmpfiles snippet to create a symlink from /etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this stub the default mode of operation if /etc is not populated.
2016-06-21resolved: use DNS_{QUESTION|ANSWER}_FOREACH macros at two more placesLennart Poettering
2016-06-21resolved: extend dns_packet_append_opt() so that it can set the extended rcodeLennart Poettering
We don't make use of this yet, but later work will.
2016-06-21resolved: add dns_packet_add_{question,answer}() helperLennart Poettering
And make use of it at a couple of places.
2016-06-21resolved: add dns_answer_is_empty() and dns_question_is_empty() helpersLennart Poettering
And make use of them at a few places.
2016-06-21resolved: when using the ResolveRecord() bus call, adjust TTL for caching timeLennart Poettering
When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-21resolved: explicitly refuse zone transfers using the bus APILennart Poettering
2016-06-21resolved: drop unused permit_domain_search variable from Manager objectLennart Poettering
2016-06-21sd-bus: make sure bus_map_all_properties() handle booleans rightLennart Poettering
sd-bus generally exposes bools as "int" instead of "bool" in the public API. This is relevant when unmarshaling booleans, as the relevant functions expect an int* pointer and no bool* pointer. Since sizeof(bool) is not necessarily the same as sizeof(int) this is problematic and might result in memory corruption. Let's fix this, and make sure bus_map_all_properties() handles booleans as ints, as the rest of sd-bus, and make all users of it expect the right thing.
2016-06-21resolved: make sure DNS configuration pushed in by the user stays around on ↵Lennart Poettering
restarts Let's make sure that all settings pushed in stay around when systemd-resolved is restarted.
2016-06-21set: add new set_put_strsplit() callLennart Poettering
It's like set_put_strdup(), but splits up a string via an extract_first_word() loop.
2016-06-21resolved: fix negated boolean functionLennart Poettering
It's weird having a "negative" function link_is_unmanaged(), let's invert it and get rid of the negation this way, by renaming it to link_is_managed(). Internally we stored this as a positive boolean already, hence let's do this for the function too.
2016-06-21resolved: rework link_update_dns_servers() a bitLennart Poettering
Let's split the code from the inner loop out, into its own function link_update_dns_server_one(). This matches how things are already handled for the search domain logic. Also, this is preparation for a later commit that persists DNS server data pushed in via the bus.
2016-06-21resolved: make use of set_put_strdupv() where appropriateLennart Poettering
2016-06-21resolved: make sure that route-only domains are never added to /etc/resolv.confLennart Poettering
After all, /etc/resolv.conf doesn't know the concept of "route-only domains", hence the domains should really not appear there.
2016-06-21string-table: make sure DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN() handles ↵Lennart Poettering
NULL strings nicely xyz_from_string() functions defined with DEFINE_STRING_TABLE_LOOKUP() properly handle NULL strings already. make sure the equivalent functions defined with DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN() do the same.
2016-06-21resolve: add "systemd-resolve --status" commandLennart Poettering
The new command shows the per-link and global DNS configuration currently in effect. This is useful to quickly see the DNS settings resolved acquired from networkd and that was pushed into it via the bus APIs.
2016-06-21resolved: export the effective per-link DNSSEC setting, not the internal oneLennart Poettering
Internally, we store the per-link DNSSEC setting as -1 (invalid) if there's no link-specific setting configured, and the global setting should be used. When exporting this one the bus we really should export the effective DNSSEC setting however, i.e. return the global one if there's non set per-link.
2016-06-21resolved: export global NTAs on the busLennart Poettering
We export them per-link, hence let's export the global NTAs too.
2016-06-21networkd: fix bad memory access when parsing DNSSECNegativeTrustAnchors=Lennart Poettering