From 2dc6b11d29ae09f59de314bad24ad196b0d14277 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 26 Aug 2015 10:30:06 +0200
Subject: man: document resolved's RR synthesizing and query routing
---
 man/systemd-resolved.service.xml | 57 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 56 insertions(+), 1 deletion(-)
(limited to 'man')
diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml
index 89ec5f8b19..27662456ea 100644
--- a/man/systemd-resolved.service.xml
+++ b/man/systemd-resolved.service.xml
@@ -1,4 +1,4 @@
-
+
@@ -71,6 +71,61 @@ systemd.network5 for more details.
+ systemd-resolved synthesizes DNS RRs for the following cases:
+
+
+ The local, configured hostname is resolved to
+ all locally configured IP addresses ordered by their scope, or
+ — if none are configured — the IPv4 address 127.0.0.2 (which
+ is on the local loopback) and the IPv6 address ::1 (which is the
+ local host).
+
+ The hostname localhost is
+ resolved to the IP addresses 127.0.0.1 and
+ ::1.
+
+ The hostname gateway is
+ resolved to all current default routing gateway addresses,
+ ordered by their metric. This assigns a stable hostname to the
+ current gateway, useful for referencing it independently of the
+ current network configuration state.
+
+
+ Lookup requests are routed to the available DNS servers
+ and LLMNR interfaces according to the following rules:
+
+
+ Lookups for the special hostname
+ localhost are never routed to the
+ network.
+
+ Single-label names are routed to all local
+ interfaces capable of IP multicasting, using the LLMNR
+ protocol. Lookups for IPv4 addresses are only sent via LLMNR on
+ IPv4, and lookups for IPv6 addresses are only sent via LLMNR on
+ IPv6. Lookups for the locally configured host name and the
+ gateway host name are never routed to
+ LLMNR.
+
+ Multi-label names are routed to all local
+ interfaces that have a DNS sever configured, plus the globally
+ configured DNS server if there is one. Address lookups from the
+ link-local addres range are never routed to
+ DNS.
+
+
+ If lookups are routed to multiple interfaces, the first
+ successful response is returned (thus effectively merging the
+ lookup zones on all matching interfaces). If the lookup failed on
+ all interfaces the last failing response is returned.
+
+ Routing of lookups may be influenced by configuring
+ per-interface domain names, see
+ systemd.network5
+ for details. Lookups for a hostname ending in one of the
+ per-interface domains are exclusively routed to the matching
+ interfaces.
+
 Note that /run/systemd/resolve/resolv.conf should not be used directly, but only through a symlink from
-- cgit v1.2.3-54-g00ecf
From 0d6868f9ae83c06b23676eec0726e1f37adce30e Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 26 Aug 2015 11:00:09 +0200
Subject: man: document nss-resolve
---
 Makefile-man.am | 7 +++
 man/nss-myhostname.xml | 13 +++---
 man/nss-mymachines.xml | 3 +-
 man/nss-resolve.xml | 118 +++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 134 insertions(+), 7 deletions(-)
 create mode 100644 man/nss-resolve.xml
(limited to 'man')
diff --git a/Makefile-man.am b/Makefile-man.am
index c0cebaab63..65287371b9 100644
--- a/Makefile-man.am
+++ b/Makefile-man.am
@@ -1774,13 +1774,19 @@ endif
 if ENABLE_RESOLVED
 MANPAGES += \
+ man/nss-resolve.8 \
 man/resolved.conf.5 \
 man/systemd-resolved.service.8
 MANPAGES_ALIAS += \
+ man/libnss_resolve.so.2.8 \
 man/resolved.conf.d.5 \
 man/systemd-resolved.8
+man/libnss_resolve.so.2.8: man/nss-resolve.8
 man/resolved.conf.d.5: man/resolved.conf.5
 man/systemd-resolved.8: man/systemd-resolved.service.8
+man/libnss_resolve.so.2.html: man/nss-resolve.html
+ $(html-alias)
+
 man/resolved.conf.d.html: man/resolved.conf.html
 $(html-alias)
@@ -2217,6 +2223,7 @@ EXTRA_DIST += \
 man/networkctl.xml \
 man/nss-myhostname.xml \
 man/nss-mymachines.xml \
+ man/nss-resolve.xml \
 man/os-release.xml \
 man/pam_systemd.xml \
 man/resolved.conf.xml \
diff --git a/man/nss-myhostname.xml b/man/nss-myhostname.xml
index 2d36df6f6f..b7b7e1b555 100644
--- a/man/nss-myhostname.xml
+++ b/man/nss-myhostname.xml
@@ -111,17 +111,17 @@ Here's an example /etc/nsswitch.conf file, that enables myhostname correctly:
-passwd: compat
-group: compat
-shadow: compat
+passwd: compat
+group: compat
+shadow: compat
-hosts: files dns mymachines myhostname
+hosts: files resolve mymachines myhostname
 networks: files
 protocols: db files
 services: db files
-ethers: db files
-rpc: db files
+ethers: db files
+rpc: db files
 netgroup: nis
@@ -143,6 +143,7 @@ netgroup: nis See Also systemd1,
+ nss-resolve8,
 nss-mymachines8, nsswitch.conf5, getent1
diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml
index 41ec458e4b..92c72846c1 100644
--- a/man/nss-mymachines.xml
+++ b/man/nss-mymachines.xml
@@ -91,7 +91,7 @@ group: compat mymachines shadow: compat
-hosts: files dns mymachines myhostname
+hosts: files resolve mymachines myhostname
 networks: files
 protocols: db files
@@ -108,6 +108,7 @@ netgroup: nis systemd1, systemd-machined.service8,
+ nss-resolve8,
 nss-myhostname8, nsswitch.conf5, getent1
diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
new file mode 100644
index 0000000000..dd402b359c
--- /dev/null
+++ b/man/nss-resolve.xml
@@ -0,0 +1,118 @@
+
+
+
+
+
+
+
+
+ nss-resolve
+ systemd
+
+
+
+ Developer
+ Lennart
+ Poettering
+ lennart@poettering.net
+
+
+
+
+
+ nss-resolve
+ 8
+
+
+
+ nss-resolve
+ libnss_resolve.so.2
+ Provide hostname resolution via systemd-resolved.service
+
+
+
+ libnss_resolve.so.2
+
+
+
+ Description
+
+ nss-resolve is a plugin module for the
+ GNU Name Service Switch (NSS) functionality of the GNU C Library
+ (glibc) enabling it to resolve host names via
+ the
+ systemd-resolved8
+ local network name resolution service.
+
+ To activate the NSS module, resolve
+ has to be added to the line starting with
+ hosts: in
+ /etc/nsswitch.conf.
+
+ It is recommended to place resolve early
+ in the nsswitch.conf line (but after the
+ files entry), replacing the
+ dns entry if it exists, to ensure DNS queries
+ are always routed via
+ systemd-resolved8.
+
+
+
+ Example
+
+ Here's an example /etc/nsswitch.conf
+ file, that enables resolve correctly:
+
+passwd: compat
+group: compat
+shadow: compat
+
+hosts: files resolve mymachines myhostname
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
+ Note that nss-resolve will chain-load
+ nss-dns if
+ systemd-resolved.service is not running,
+ ensuring that basic DNS resolution continues to work if the
+ service is down.
+
+
+
+
+ See Also
+
+ systemd1,
+ systemd-resolved8,
+ nss-mymachines8,
+ nss-myhostname8,
+ nsswitch.conf5
+
+
+
+
-- cgit v1.2.3-54-g00ecf
From 762a5766dc65058c245c87d326ae3d403d85ea06 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 26 Aug 2015 11:02:28 +0200
Subject: man: minor extension to the machinectl man page
s/an/any/, as reported by Vito Caputo. Also mention explicitly that the security properties (i.e. SELinux) are also isolated when "machinectl shell" is used.
---
 man/machinectl.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'man')
diff --git a/man/machinectl.xml b/man/machinectl.xml
index 6cf405ed29..e2be017427 100644
--- a/man/machinectl.xml
+++ b/man/machinectl.xml
@@ -429,8 +429,9 @@ the new session from the originating session, so that it shares no process or session properties, and is in a clean and well-defined state. It will be tracked in a new utmp, login,
- audit and keyring session, and will not inherit an environment
- variables or resource limits, among other properties.
+ audit, security and keyring session, and will not inherit any
+ environment variables or resource limits, among other
+ properties.
 Note that the systemd-run1
-- cgit v1.2.3-54-g00ecf