<para>To activate the NSS modules, add <literal>myhostname</literal> to the line starting with
<literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
- <para>It is recommended to place <literal>myhostname</literal> last in the <filename>nsswitch.conf</filename>'
- <literal>hosts:</literal> line to make sure that this mapping is only used as fallback, and that any DNS or
- <filename>/etc/hosts</filename> based mapping takes precedence.</para>
+ <para>It is recommended to place <literal>myhostname</literal> either between <literal>resolve</literal>
+ and "traditional" modules like <literal>files</literal> and <literal>dns</literal>, or after them. In the
+ first version, well-known names like <literal>localhost</literal> and the machine hostname are given
+ higher priority than the external configuration. This is recommended when the external DNS servers and
+ network are not absolutely trusted. In the second version, external configuration is given higher
+ priority and <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable
+ in closely controlled networks, for example on a company LAN.</para>
</refsect1>
<refsect1>
group: compat mymachines systemd
shadow: compat
-hosts: files mymachines resolve [!UNAVAIL=return] dns <command>myhostname</command>
+# Either (untrusted network):
+hosts: mymachines resolve [!UNAVAIL=return] <command>myhostname</command> files dns
+# Or (only trusted networks):
+hosts: mymachines resolve [!UNAVAIL=return] files dns <command>myhostname</command>
networks: files
protocols: db files
group: compat <command>mymachines</command> systemd
shadow: compat
-hosts: files <command>mymachines</command> resolve [!UNAVAIL=return] dns myhostname
+hosts: <command>mymachines</command> resolve [!UNAVAIL=return] myhostname files dns
networks: files
protocols: db files
name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
hostnames via DNS.</para>
- <para>To activate the NSS module, add <literal>resolve</literal> to the line starting with
- <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is recommended to place
- <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s <literal>hosts:</literal> line (but
- after the <literal>files</literal> or <literal>mymachines</literal> entries), right before the
- <literal>dns</literal> entry if it exists, followed by <literal>[!UNAVAIL=return]</literal>, to ensure DNS queries
- are always routed via
- <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> if it is
- running, but are routed to <command>nss-dns</command> if this service is not available.</para>
+ <para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
+ with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
+ recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
+ <literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
+ <filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
+ caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
+ local VMs and containers precedence over names received over DNS. Finally, we recommend placing
+ <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
+ <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>
<para>Note that <command>systemd-resolved</command> will synthesize DNS resource
records in a few cases, for example for <literal>localhost</literal> and the
group: compat mymachines systemd
shadow: compat
-hosts: files mymachines <command>resolve [!UNAVAIL=return]</command> dns myhostname
+hosts: mymachines <command>resolve [!UNAVAIL=return]</command> myhostname files dns
networks: files
protocols: db files
group: compat [SUCCESS=merge] mymachines [SUCCESS=merge] <command>systemd</command>
shadow: compat
-hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts: mymachines resolve [!UNAVAIL=return] myhostname files dns
networks: files
protocols: db files
libmount,
libblkid],
install_rpath : rootlibexecdir,
- install : true)
+ install : get_option('analyze'))
public_programs += exe
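Review bot: `public_programs += exe` on the line after the change still registers systemd-analyze unconditionally, while its installation is now tied to get_option('analyze'). If public_programs feeds anything that assumes the binary ends up installed (completions, man-page checks), that is now inconsistent when the option is off; if it only drives build-tree `--help` checks it is harmless, but the hunk does not show which. Either mirror the option, `if get_option('analyze')` / `public_programs += exe` / `endif`, or add a one-line comment stating that unconditional registration is intended. The enclosing executable() call starts outside the hunk.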
executable('systemd-journald',
['link-systemctl-shared', get_option('link-systemctl-shared')],
['link-networkd-shared', get_option('link-networkd-shared')],
['link-timesyncd-shared', get_option('link-timesyncd-shared')],
+ ['kernel-install', get_option('kernel-install')],
+ ['systemd-analyze', get_option('analyze')],
]
if tuple.length() >= 2
option('llvm-fuzz', type : 'boolean', value : 'false',
description : 'build against LLVM libFuzzer')
option('kernel-install', type: 'boolean', value: 'true',
- description : 'include kernel-install feature')
+ description : 'install kernel-install and associated files')
+option('analyze', type: 'boolean', value: 'true',
+ description : 'install systemd-analyze')
if (manager_dispatch_dbus_queue(m) > 0)
continue;
- /* Sleep for half the watchdog time */
- if (timestamp_is_set(m->runtime_watchdog) && MANAGER_IS_SYSTEM(m)) {
- wait_usec = m->runtime_watchdog / 2;
- if (wait_usec <= 0)
- wait_usec = 1;
- } else
+ /* Sleep for watchdog runtime wait time */
+ if (MANAGER_IS_SYSTEM(m))
+ wait_usec = watchdog_runtime_wait();
+ else
wait_usec = USEC_INFINITY;
r = sd_event_run(m->event, wait_usec);
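Review bot: The clamp that kept wait_usec at least 1 is gone, and watchdog_runtime_wait() (added in the watchdog.c hunk ending at L283) returns 0 as soon as now() passes watchdog_last_ping + watchdog_timeout/2, because usec_sub_unsigned saturates at zero. watchdog_last_ping is only refreshed by a successful ping (L245, L286), so if the device cannot be opened or WDIOC_KEEPALIVE keeps failing, every iteration calls `sd_event_run(m->event, 0)` and the manager spins at full CPU until the device recovers — an availability regression on hosts with a broken watchdog, assuming the loop still calls watchdog_ping() each iteration as before (not visible here). Either record the attempt time in watchdog_ping() regardless of outcome so the wait is rate-limited, or have watchdog_runtime_wait() return a small minimum rather than 0 once the deadline is already past. The enclosing manager_loop() starts and ends outside the hunk.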
*new_line = true;
- r = bus_print_all_properties(bus, "org.freedesktop.login1", path, print_property, arg_property, arg_value, arg_all, NULL);
+ r = bus_print_all_properties(
+ bus,
+ "org.freedesktop.login1",
+ path,
+ print_property,
+ arg_property,
+ arg_value,
+ arg_all,
+ NULL);
if (r < 0)
return bus_log_parse_error(r);
}
static int parse_argv(int argc, char *argv[]) {
-
enum {
ARG_VERSION = 0x100,
ARG_VALUE,
}
static int loginctl_main(int argc, char *argv[], sd_bus *bus) {
-
static const Verb verbs[] = {
{ "help", VERB_ANY, VERB_ANY, 0, help },
{ "list-sessions", VERB_ANY, 1, VERB_DEFAULT, list_sessions },
if (r < 0)
return r;
+ /* Short-circuit the operation if the desired state is already in place, to
+ * avoid an unnecessary polkit permission check. */
+ if (streq_ptr(m->wall_message, empty_to_null(wall_message)) &&
+ m->enable_wall_messages == enable_wall_messages)
+ goto done;
+
r = bus_verify_polkit_async(message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-wall-message",
m->enable_wall_messages = enable_wall_messages;
+ done:
return sd_bus_reply_method_return(message, NULL);
}
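Review bot: The new early exit replies success before bus_verify_polkit_async() runs, so an unauthorized caller now gets a successful return exactly when the submitted wall_message and enable flag equal the current state, and an authorization error otherwise. That is only harmless because, as far as I know, both values are already readable as properties on the Manager object (worth confirming), so nothing new is disclosed; the comment should record that reasoning so a later change that makes the wall message privileged does not silently reopen it, e.g. `/* Skipping the polkit check here is fine only because WallMessage and EnableWallMessages are readable properties anyway. */`. The comparison also normalizes with `empty_to_null(wall_message)`; make sure the store further down applies the same normalization so equality and assignment agree. The enclosing method handler starts outside the hunk.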
void *data,
void *userdata) {
- uint8_t *protocol = data;
+ uint8_t *ret = data;
+ unsigned protocol;
+ /* linux/fou.h defines the netlink field as one byte, so we need to reject protocols numbers that
+ * don't fit in one byte. */
int r;
assert(filename);
assert(rvalue);
assert(data);
- assert_cc(IPPROTO_MAX-1 <= UINT8_MAX);
-
r = parse_ip_protocol(rvalue);
- if (r < 0) {
- r = safe_atou8(rvalue, protocol);
+ if (r >= 0)
+ protocol = r;
+ else {
+ r = safe_atou(rvalue, &protocol);
if (r < 0)
log_syntax(unit, LOG_ERR, filename, line, r,
- "Failed to parse IP protocol '%s' for Foo over UDP tunnel, "
+ "Failed to parse IP protocol '%s' for FooOverUDP tunnel, "
"ignoring assignment: %m", rvalue);
return 0;
}
- *protocol = r;
+ if (protocol > UINT8_MAX) {
+ log_syntax(unit, LOG_ERR, filename, line, 0,
+ "IP protocol '%s' for FooOverUDP tunnel out of range, "
+ "ignoring assignment: %m", rvalue);
+ return 0;
+ }
+
+ *ret = protocol;
return 0;
}
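Review bot: The out-of-range message on the three lines before the final `return 0;` passes error 0 to log_syntax() but still ends with `%m`, so the text is completed with whatever errno happens to hold ("Success" or a stale value) rather than anything about the failure. Drop the specifier: `"IP protocol '%s' for FooOverUDP tunnel out of range, ignoring assignment.", rvalue);`. The parse-failure branch above is right to keep `%m` since it passes r. The enclosing config parser function starts outside the hunk.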
r = in_addr_from_string_auto(rvalue, f, addr);
if (r < 0)
log_syntax(unit, LOG_ERR, filename, line, r,
- "Foo over UDP tunnel '%s' address is invalid, ignoring assignment: %s",
+ "FooOverUDP tunnel '%s' address is invalid, ignoring assignment: %s",
lvalue, rvalue);
return 0;
"# This is a dynamic resolv.conf file for connecting local clients directly to\n"
"# all known uplink DNS servers. This file lists all configured search domains.\n"
"#\n"
- "# Third party programs must not access this file directly, but only through the\n"
- "# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,\n"
- "# replace this symlink by a static file or a different symlink.\n"
+ "# Third party programs should typically not access this file directly, but only\n"
+ "# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
+ "# different way, replace this symlink by a static file or a different symlink.\n"
"#\n"
"# See man:systemd-resolved.service(8) for details about the supported modes of\n"
"# operation for /etc/resolv.conf.\n"
}
static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *domains) {
- fputs_unlocked("# This file is managed by man:systemd-resolved(8). Do not edit.\n"
- "#\n"
- "# This is a dynamic resolv.conf file for connecting local clients to the\n"
- "# internal DNS stub resolver of systemd-resolved. This file lists all\n"
- "# configured search domains.\n"
- "#\n"
- "# Run \"resolvectl status\" to see details about the uplink DNS servers\n"
- "# currently in use.\n"
- "#\n"
- "# Third party programs must not access this file directly, but only through the\n"
- "# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,\n"
- "# replace this symlink by a static file or a different symlink.\n"
- "#\n"
- "# See man:systemd-resolved.service(8) for details about the supported modes of\n"
- "# operation for /etc/resolv.conf.\n"
- "\n"
- "nameserver 127.0.0.53\n"
- "options edns0\n", f);
+ fputs("# This file is managed by man:systemd-resolved(8). Do not edit.\n"
+ "#\n"
+ "# This is a dynamic resolv.conf file for connecting local clients to the\n"
+ "# internal DNS stub resolver of systemd-resolved. This file lists all\n"
+ "# configured search domains.\n"
+ "#\n"
+ "# Run \"resolvectl status\" to see details about the uplink DNS servers\n"
+ "# currently in use.\n"
+ "#\n"
+ "# Third party programs should typically not access this file directly, but only\n"
+ "# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
+ "# different way, replace this symlink by a static file or a different symlink.\n"
+ "#\n"
+ "# See man:systemd-resolved.service(8) for details about the supported modes of\n"
+ "# operation for /etc/resolv.conf.\n"
+ "\n"
+ "nameserver 127.0.0.53\n"
+ "options edns0\n", f);
if (!ordered_set_isempty(domains))
write_resolv_conf_search(domains, f);
static int watchdog_fd = -1;
static char *watchdog_device = NULL;
static usec_t watchdog_timeout = USEC_INFINITY;
+static usec_t watchdog_last_ping = USEC_INFINITY;
static int update_timeout(void) {
int r;
r = ioctl(watchdog_fd, WDIOC_KEEPALIVE, 0);
if (r < 0)
return log_warning_errno(errno, "Failed to ping hardware watchdog: %m");
+
+ watchdog_last_ping = now(clock_boottime_or_monotonic());
}
return 0;
return r;
}
+usec_t watchdog_runtime_wait(void) {
+ usec_t rtwait;
+ usec_t ntime;
+
+ if (!timestamp_is_set(watchdog_timeout))
+ return USEC_INFINITY;
+
+ /* Sleep half the watchdog timeout since the last succesful ping at most */
+ if (timestamp_is_set(watchdog_last_ping)) {
+ ntime = now(clock_boottime_or_monotonic());
+ assert(ntime >= watchdog_last_ping);
+ rtwait = usec_sub_unsigned(watchdog_last_ping + (watchdog_timeout / 2), ntime);
+ } else
+ rtwait = watchdog_timeout / 2;
+
+ return rtwait;
+}
+
int watchdog_ping(void) {
+ usec_t ntime;
int r;
+ ntime = now(clock_boottime_or_monotonic());
+
+ /* Never ping earlier than watchdog_timeout/4 and try to ping
+ * by watchdog_timeout/2 plus scheduling latencies the latest */
+ if (timestamp_is_set(watchdog_last_ping)) {
+ assert(ntime >= watchdog_last_ping);
+ if ((ntime - watchdog_last_ping) < (watchdog_timeout / 4))
+ return 0;
+ }
+
if (watchdog_fd < 0) {
r = open_watchdog();
if (r < 0)
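Review bot: watchdog_runtime_wait() is a new public function (declared in the header hunk at L293) but carries no contract comment; add one above it, such as `/* Returns how long the caller may sleep before it must call watchdog_ping() again: half the timeout measured from the last successful ping (0 if that point has passed), or USEC_INFINITY when no timeout is configured. */`. The inline comment also misspells "succesful". The rest of watchdog_ping() continues past the hunk.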
if (r < 0)
return log_warning_errno(errno, "Failed to ping hardware watchdog: %m");
+ watchdog_last_ping = ntime;
+
return 0;
}
int watchdog_set_timeout(usec_t *usec);
int watchdog_ping(void);
void watchdog_close(bool disarm);
+usec_t watchdog_runtime_wait(void);
static inline void watchdog_free_device(void) {
(void) watchdog_set_device(NULL);
# also, plymouth is pulled in by rescue.service, but even there the exit code
# is ignored; as it's not present on some distros, don't fail if it doesn't exist
dinfo "Attempting to install $i"
- inst $i || [ "${i%.local}" != "$i" ] || [ "${i%systemd-update-done}" != "$i" ] || [ "/bin/plymouth" == "$i" ]
+ inst $i || [ "${i%.local}" != "$i" ] || [ "${i%systemd-update-done}" != "$i" ] || [ "${i##*/}" == "plymouth" ]
done
)
}
[Service]
Environment=HOME=/root
WorkingDirectory=-/root
-ExecStartPre=-/bin/plymouth --wait quit
+ExecStartPre=-@rootbindir@/plymouth --wait quit
ExecStart=-@rootlibexecdir@/systemd-sulogin-shell emergency
Type=idle
StandardInput=tty-force
[Service]
Environment=HOME=/root
WorkingDirectory=-/root
-ExecStartPre=-/bin/plymouth --wait quit
+ExecStartPre=-@rootbindir@/plymouth --wait quit
ExecStart=-@rootlibexecdir@/systemd-sulogin-shell rescue
Type=idle
StandardInput=tty-force