2 years ago final v236 update (#7649) v236
Lennart Poettering [Thu, 14 Dec 2017 22:09:57 +0000 (23:09 +0100)] 
final v236 update (#7649)

2 years ago Merge pull request #7608 from poettering/more-news-v236
Lennart Poettering [Thu, 14 Dec 2017 21:58:22 +0000 (22:58 +0100)] 
Merge pull request #7608 from poettering/more-news-v236

more v236 news improvements

2 years ago Merge pull request #6598 from kyle-walker/shutdown-limit
Lennart Poettering [Thu, 14 Dec 2017 21:57:57 +0000 (22:57 +0100)] 
Merge pull request #6598 from kyle-walker/shutdown-limit

core: Limit the time and attempts in shutdown remount/umount efforts

2 years ago Merge pull request #7640 from keszybz/tainting-updates
Lennart Poettering [Thu, 14 Dec 2017 21:57:17 +0000 (22:57 +0100)] 
Merge pull request #7640 from keszybz/tainting-updates

Tainting updates

2 years ago Merge pull request #7469 from kinvolk/dongsu/nspawn-netns
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 21:47:57 +0000 (22:47 +0100)] 
Merge pull request #7469 from kinvolk/dongsu/nspawn-netns

nspawn: introduce an option for specifying network namespace path

2 years ago Update TODO 7640/head
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 13:12:39 +0000 (14:12 +0100)] 
Update TODO

2 years ago meson: restore --update-catalog call after install
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 13:12:31 +0000 (14:12 +0100)] 
meson: restore --update-catalog call after install

This got dropped by mistake in 72cdb3e783174dcf9223a49f03e3b0e2ca95ddb8.

2 years ago Make taint message structured and add catalog entry
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 09:15:41 +0000 (10:15 +0100)] 
Make taint message structured and add catalog entry

Dec 14 14:10:54 krowka systemd[1]: System is tainted: overflowgid-not-65534
-- Subject: The system is configured in a way that might cause problems
-- Defined-By: systemd
-- Support:
-- The following "tags" are possible:
-- - "split-usr" — /usr is a separate file system and was not mounted when systemd
--   was booted
-- - "cgroups-missing" — the kernel was compiled without cgroup support or access
--   to expected interface files is resticted
-- - "var-run-bad" — /var/run is not a symlink to /run
-- - "overflowuid-not-65534" — the kernel user ID used for "unknown" users (with
--   NFS or user namespaces) is not 65534
-- - "overflowgid-not-65534" — the kernel group ID used for "unknown" users (with
--   NFS or user namespaces) is not 65534
-- Current system is tagged as overflowgid-not-65534.

2 years ago core: drop taints for nobody user/group names
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 11:44:21 +0000 (12:44 +0100)] 
core: drop taints for nobody user/group names

We have a check and warning at compile time. The user cannot do anything about
this at runtime, and all other taints are about checks that happen at runtime
and are specific to that system (and at least potentially correctable).

(The logic in the compilation-time check was updated to treat "nogroup" as OK,
but not the runtime check. But I think it's better to remove the runtime check
for this altogether, so this becomes moot.)

2 years ago Merge pull request #7643 from keszybz/hwdb-update-again
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 20:13:20 +0000 (21:13 +0100)] 
Merge pull request #7643 from keszybz/hwdb-update-again

Hwdb update again

2 years ago resolve: extend systemd-resolve so that it can push per-interface DNS configuration...
Lennart Poettering [Thu, 14 Dec 2017 19:13:14 +0000 (20:13 +0100)] 
resolve: extend systemd-resolve so that it can push per-interface DNS configuration into systemd-resolved (#7576)

This is useful to debug things, but also to hook up external post-up
scripts with resolved.

Eventually this code might be useful to implement a
resolvconf(8)-compatible interface for compatibility purposes. Since the
semantics don't map entirely cleanly as first step we add a native
interface for pushing DNS configuration into resolved, that exposes the
correct semantics, before adding any compatibility interface.

See: #7202

2 years ago tree-wide: make use of new STRLEN() macro everywhere (#7639)
Lennart Poettering [Thu, 14 Dec 2017 18:02:29 +0000 (19:02 +0100)] 
tree-wide: make use of new STRLEN() macro everywhere (#7639)

Let's employ coccinelle to do this for us.

Follow-up for #7625.

2 years ago core: Implement sync_with_progress() 6598/head
Kyle Walker [Thu, 14 Dec 2017 16:46:03 +0000 (11:46 -0500)] 
core: Implement sync_with_progress()

In similar fashion to the previous change, sync() operations can stall
endlessly if cache is unable to be written out. In order to avoid an
unbounded hang, the sync takes place within a child process. Every 10
seconds (SYNC_TIMEOUT_USEC), the value of /proc/meminfo "Dirty" is checked
to verify it is smaller than the last iteration. If the sync is not making
progress for 3 successive iterations (SYNC_PROGRESS_ATTEMPTS), a SIGKILL is
sent to the sync process and the shutdown continues.
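
Added example, not part of the systemd commit: a minimal C sketch of the bounded sync described above, built only from the commit message. The helper names (`sync_state`, `parse_dirty_kb`, `sync_stalled`, `read_dirty_kb`, `wait_for_exit`) and the polling-based wait are assumptions made for this illustration; only `sync_with_progress()`, the 10 second interval and the 3-attempt limit come from the message.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define SYNC_TIMEOUT_SEC 10        /* SYNC_TIMEOUT_USEC from the commit, in seconds */
#define SYNC_PROGRESS_ATTEMPTS 3   /* value given in the commit message */

/* Hypothetical state holder: last "Dirty" reading and number of stalled checks. */
struct sync_state { long last_dirty_kb; unsigned stalled; };
#define SYNC_STATE_INIT { LONG_MAX, 0 }

/* Return the "Dirty:" value in kB from /proc/meminfo-style text, or -1 if absent. */
long parse_dirty_kb(const char *meminfo) {
    for (const char *p = meminfo; p && *p; ) {
        long v;
        if (sscanf(p, "Dirty: %ld", &v) == 1)
            return v;
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Record one reading. Returns true once SYNC_PROGRESS_ATTEMPTS successive
 * checks saw no decrease; an unreadable value (-1) counts as no progress. */
bool sync_stalled(struct sync_state *s, long dirty_kb) {
    if (dirty_kb >= 0 && dirty_kb < s->last_dirty_kb)
        s->stalled = 0;
    else
        s->stalled++;
    if (dirty_kb >= 0)
        s->last_dirty_kb = dirty_kb;
    return s->stalled >= SYNC_PROGRESS_ATTEMPTS;
}

static long read_dirty_kb(void) {
    char buf[8192];
    FILE *f = fopen("/proc/meminfo", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_dirty_kb(buf);
}

/* Poll for child exit: 1 = exited, 0 = still running after timeout_sec, -1 = error. */
static int wait_for_exit(pid_t pid, unsigned timeout_sec) {
    const struct timespec step = { 0, 100 * 1000 * 1000 };   /* 100 ms */
    for (unsigned i = 0; i < timeout_sec * 10; i++) {
        pid_t r = waitpid(pid, NULL, WNOHANG);
        if (r == pid)
            return 1;
        if (r < 0)
            return -1;
        nanosleep(&step, NULL);
    }
    return 0;
}

/* Run sync() in a child so that stuck writeback cannot block the caller forever.
 * Returns 0 when the sync finished, -ETIMEDOUT when it was abandoned. */
int sync_with_progress(void) {
    struct sync_state st = SYNC_STATE_INIT;
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        sync();
        _exit(0);
    }
    for (;;) {
        int r = wait_for_exit(pid, SYNC_TIMEOUT_SEC);
        if (r != 0)
            return r < 0 ? -errno : 0;
        if (sync_stalled(&st, read_dirty_kb()))
            break;
    }
    /* No blocking waitpid() here: a child stuck in uninterruptible sleep may
     * not die promptly, and waiting for it would reintroduce the hang. */
    kill(pid, SIGKILL);
    return -ETIMEDOUT;
}

int main(void) {
    int r = sync_with_progress();
    printf("sync_with_progress() = %d\n", r);
    return r == 0 ? 0 : 1;
}
```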

2 years ago test: add smoke tests for `--network-namespace-path` 7469/head
Iago López Galeiras [Tue, 12 Dec 2017 16:47:41 +0000 (16:47 +0000)] 
test: add smoke tests for `--network-namespace-path`

We create net ns with `ip netns`, pass the created ns to nspawn and
check the loopback interface is DOWN.

2 years ago NEWS: update NEWS again, and prepare for a release tomorrow 7608/head
Lennart Poettering [Wed, 13 Dec 2017 17:27:59 +0000 (18:27 +0100)] 
NEWS: update NEWS again, and prepare for a release tomorrow

2 years ago meson: increase version numbers
Lennart Poettering [Mon, 11 Dec 2017 15:10:25 +0000 (16:10 +0100)] 
meson: increase version numbers

2 years ago Merge pull request #7610 from poettering/stdio-nolocking
Lennart Poettering [Thu, 14 Dec 2017 15:56:36 +0000 (16:56 +0100)] 
Merge pull request #7610 from poettering/stdio-nolocking

use __fsetlocking() to turn off thread locking in STDIO where applicable

2 years ago hwdb: update 7643/head
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 14:47:43 +0000 (15:47 +0100)] 
hwdb: update

The changes in pci.ids, usb.ids, and the .hwdb files are almost always
additions. 20-OUI.hwdb drops a few names and replaces them by
"IEEE Registration Authority". I'm not sure what to do about this.
Many other removals do not seem to be removals of real entries, but
rather placeholder or generic names.

2 years ago hwdb/ids_parser: use replacement chars for invalid characters
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 14:42:25 +0000 (15:42 +0100)] 
hwdb/ids_parser: use replacement chars for invalid characters

We have some more non-utf8 characters. Let's just replace them, this doesn't
matter much.

2 years ago meson-hwdb-update: fix undefined variable access
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 13:36:03 +0000 (14:36 +0100)] 
meson-hwdb-update: fix undefined variable access

I added the test if an optional parameter is not empty, but that doesn't work
with -u. Provide an empty "fallback" value to fix the issue.

Also group the update steps so that it's easier to see what is going on.

2 years ago core: Implement timeout based umount/remount limit
Kyle Walker [Wed, 13 Dec 2017 17:49:26 +0000 (12:49 -0500)] 
core: Implement timeout based umount/remount limit

Remount, and subsequent umount, attempts can hang for inaccessible network
based mount points. This can leave a system in a hard hang state that
requires a hard reset in order to recover. This change moves the remount,
and umount attempts into separate child processes. The remount and umount
operations will block for up to 90 seconds (DEFAULT_TIMEOUT_USEC). Should
those waits fail, the parent will issue a SIGKILL to the child and continue
with the shutdown efforts.

In addition, instead of only reporting some additional errors on the final
attempt, failures are reported as they occur.

2 years ago sd-bus: fix a memory leak in message_new_reply() (#7636)
Cong Wang [Thu, 14 Dec 2017 12:07:04 +0000 (04:07 -0800)] 
sd-bus: fix a memory leak in message_new_reply() (#7636)

Signed-off-by: Cong Wang <>

2 years ago Merge pull request #7606 from yuwata/run-timer
Lennart Poettering [Thu, 14 Dec 2017 12:04:30 +0000 (13:04 +0100)] 
Merge pull request #7606 from yuwata/run-timer

run: allow to specify multiple timer options

2 years ago core: add EXTEND_TIMEOUT_USEC={usec} - prevent timeouts in startup/runtime/shutdown...
Daniel Black [Thu, 14 Dec 2017 11:17:43 +0000 (22:17 +1100)] 
core: add EXTEND_TIMEOUT_USEC={usec} - prevent timeouts in startup/runtime/shutdown (#7214)

With Type=notify services, EXTEND_TIMEOUT_USEC= messages will delay any startup/
runtime/shutdown timeouts.

A service that hasn't timed out, i.e, start time < TimeStartSec,
runtime < RuntimeMaxSec and stop time < TimeoutStopSec, may by sending
EXTEND_TIMEOUT_USEC=, allow the service to continue beyond the limit for
the execution phase (i.e TimeStartSec, RunTimeMaxSec and TimeoutStopSec).

EXTEND_TIMEOUT_USEC= must continue to be sent (in the same way as
WATCHDOG=1) within the time interval specified to continue to reprevent
the timeout from occurring.

Watchdog timeouts are also extended if an EXTEND_TIMEOUT_USEC is greater
than the remaining time on the watchdog counter.

Fixes #5868.

2 years ago busctl: let's make use of the log_error_errno() calls 7610/head
Lennart Poettering [Mon, 11 Dec 2017 19:31:36 +0000 (20:31 +0100)] 
busctl: let's make use of the log_error_errno() calls

2 years ago busctl: modernize code a bit
Lennart Poettering [Mon, 11 Dec 2017 19:30:07 +0000 (20:30 +0100)] 
busctl: modernize code a bit

I am puzzled why coccinelle is unwilling to detect these cases...

2 years ago basic: turn off stdio locking for a couple of helper calls
Lennart Poettering [Mon, 11 Dec 2017 19:01:55 +0000 (20:01 +0100)] 
basic: turn off stdio locking for a couple of helper calls

These helper calls are potentially called often, and allocate FILE*
objects internally for a very short period of time, let's turn off
locking for them too.

2 years ago tree-wide: use __fsetlocking() instead of fxyz_unlocked()
Lennart Poettering [Mon, 11 Dec 2017 18:50:30 +0000 (19:50 +0100)] 
tree-wide: use __fsetlocking() instead of fxyz_unlocked()

Let's replace usage of fputc_unlocked() and friends by __fsetlocking(f,
FSETLOCKING_BYCALLER). This turns off locking for the entire FILE*,
instead of doing individual per-call decision whether to use normal
calls or _unlocked() calls.

This has various benefits:

1. It's easier to read and easier not to forget

2. It's more comprehensive, as fprintf() and friends are covered too
   (as these functions have no _unlocked() counterpart)

3. Philosophically, it's a bit more correct, because it's more a
   property of the file handle really whether we ever pass it on to another
   thread, not of the operations we then apply to it.

This patch reworks all pieces of code that so far used fxyz_unlocked()
calls to use __fsetlocking() instead. It also reworks all places that
use open_memstream(), i.e. use stdio FILE* for string manipulations.

Note that this is in some way a revert of 4b61c8751135c58be043d86b9fef4c8ec7aadf18.

2 years ago Merge pull request #7625 from thom311/th/const-strlen
Zbigniew Jędrzejewski-Szmek [Thu, 14 Dec 2017 08:41:09 +0000 (09:41 +0100)] 
Merge pull request #7625 from thom311/th/const-strlen

Don't use strlen() to declare variable-length arrays

2 years ago networkd: RouteTable option in [IPv6AcceptRA] is now properly processed (#7633)
Saran Tunyasuvunakool [Thu, 14 Dec 2017 05:11:03 +0000 (05:11 +0000)] 
networkd: RouteTable option in [IPv6AcceptRA] is now properly processed (#7633)

Fixes: #7632

2 years ago resolved: fix "in-between" logic when boundaries are equal (#7590)
Lennart Poettering [Thu, 14 Dec 2017 05:08:21 +0000 (06:08 +0100)] 
resolved: fix "in-between" logic when boundaries are equal (#7590)

This changes dns_name_between() to deal properly with checking whether B
is between A and C if A and C are equal. Previously we simply returned
-EINVAL in this case, refusing checking. With this change we correct
behaviour: if A and C are equal, then B is "between" both if it is
different from them. That's logical, since we do < and > comparisons, not
<= and >=, and that means that anything "right of A" and "left of C"
lies in between with wrap-around at the ends. And if A and C are equal
that means everything lies between, except for A itself.

This fixes handling of domains using NSEC3 "white lies", for example the
.it TLD.

Fixes: #7421

2 years ago Merge pull request #7618 from tiagosh/sysctl_use_read_line
Yu Watanabe [Thu, 14 Dec 2017 04:58:53 +0000 (13:58 +0900)] 
Merge pull request #7618 from tiagosh/sysctl_use_read_line

Make systemd-sysctl use read_line() and LONG_LINE_MAX

2 years ago man: systemd.unit: move note about clearing lists (#7621)
Daniel Black [Thu, 14 Dec 2017 04:51:23 +0000 (15:51 +1100)] 
man: systemd.unit: move note about clearing lists (#7621)

This is mainly for drop-in files.

2 years ago Merge pull request #7627 from poettering/lowercase-systemd
Yu Watanabe [Thu, 14 Dec 2017 04:44:35 +0000 (13:44 +0900)] 
Merge pull request #7627 from poettering/lowercase-systemd

always spell out "systemd" in lowercase letters

2 years ago sysctl: disable buffer while writing to /proc 7618/head
Tiago Salem Herrmann [Tue, 12 Dec 2017 15:52:45 +0000 (13:52 -0200)] 
sysctl: disable buffer while writing to /proc

fputs() writes only first 2048 bytes and fails
to write to /proc when values are larger than that.
This patch adds a new flag to WriteStringFileFlags
that makes it possible to disable the buffer under
specific cases.

2 years ago Use read_line() and LONG_LINE_MAX to read values configuration files.
Tiago Salem Herrmann [Tue, 12 Dec 2017 15:43:17 +0000 (13:43 -0200)] 
Use read_line() and LONG_LINE_MAX to read values configuration files.

2 years ago networkd/dhcp: shorten overlong hostname (#7616)
Luca Bruno [Wed, 13 Dec 2017 17:00:46 +0000 (17:00 +0000)] 
networkd/dhcp: shorten overlong hostname (#7616)

This commit updates networkd behavior to check if the hostname option
received via DHCP is too long for Linux limit, and in case shorten it.
An overlong hostname will be truncated to the first dot or to
`HOST_MAX_LEN`, whatever comes earlier.

2 years ago catalog: don't say "systemd" when we mean "system" 7627/head
Lennart Poettering [Wed, 13 Dec 2017 16:43:03 +0000 (17:43 +0100)] 
catalog: don't say "systemd" when we mean "system"

Yeah, it's hard to type "system", if all you ever type is "systemd", but
it's still a typo in this case.

2 years ago man: "systemd" is to be written in all lower-case, even at beginnings of sentences
Lennart Poettering [Wed, 13 Dec 2017 16:42:04 +0000 (17:42 +0100)] 
man: "systemd" is to be written in all lower-case, even at beginnings of sentences

This very important commit is very important.

2 years ago Merge pull request #7619 from msekletar/cryptsetup-image-name
Lennart Poettering [Wed, 13 Dec 2017 15:46:57 +0000 (16:46 +0100)] 
Merge pull request #7619 from msekletar/cryptsetup-image-name

cryptsetup: when unlocking always put path to the object into Id

2 years ago test: add CLI smoke tests for `--network-namespace-path` of nspawn
Dongsu Park [Sat, 25 Nov 2017 18:39:37 +0000 (19:39 +0100)] 
test: add CLI smoke tests for `--network-namespace-path` of nspawn

Since the new option `--network-namespace-path=` of systemd-nspawn
cannot be used together with other network-related options, we need
to add more smoke tests for checking these conditions of options.

2 years ago nspawn: introduce an option for specifying network namespace path
Dongsu Park [Fri, 24 Nov 2017 17:22:17 +0000 (18:22 +0100)] 
nspawn: introduce an option for specifying network namespace path

Add a new option `--network-namespace-path` to systemd-nspawn to allow
users to specify an arbitrary network namespace, e.g. `/run/netns/foo`.
Then systemd-nspawn will open the netns file, pass the fd to
outer_child, and enter the namespace represented by the fd before
running inner_child.

$ sudo ip netns add foo
$ mount | grep /run/netns/foo
nsfs on /run/netns/foo type nsfs (rw)
$ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \
  /bin/readlink -f /proc/self/ns/net

Note that the option `--network-namespace-path=` cannot be used together
with other network-related options such as `--private-network` so that
the options do not conflict with each other.


2 years ago tree-wide: use STRLEN() to allocate buffer of constant size 7625/head
Thomas Haller [Wed, 13 Dec 2017 07:41:11 +0000 (08:41 +0100)] 
tree-wide: use STRLEN() to allocate buffer of constant size

Using strlen() to declare a buffer results in a variable-length array,
even if the compiler likely optimizes it to be a compile time constant.

When building with -Wvla, certain versions of gcc complain about such
buffers. Compiling with -Wvla has the advantage of preventing variable-length
arrays, which defeat static asserts that are implemented by
declaring an array of negative length.

2 years ago basic/macros: add STRLEN() to get length of string literal as constant expression
Thomas Haller [Wed, 13 Dec 2017 07:17:07 +0000 (08:17 +0100)] 
basic/macros: add STRLEN() to get length of string literal as constant expression

While the compiler likely optimizes strlen(x) for string literals,
it is not a constant expression.


  char buffer[strlen("OPTION_000") + 1];

declares a variable-length array. STRLEN() can be used instead
when a constant expression is needed.

It's not entirely identical to strlen(), as STRLEN("a\0") counts 2.
Also, it only works with string literals and the macro enforces
that the argument is a literal.
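
Added example, not part of the systemd commits: a C sketch tying together the two STRLEN() commits above (the macro itself and its use for constant-size buffers under -Wvla). The macro body shown is an assumed definition chosen to match the properties the message states (constant expression, literal-only, `STRLEN("a\0")` is 2); `ASSERT_CONSTANT` and `format_option()` are hypothetical names for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed definition: adjacent string literals are concatenated by the
 * compiler, so passing anything but a literal fails to compile, and sizeof
 * makes the result an integer constant expression. */
#define STRLEN(x) (sizeof("" x "") - 1)

/* Static assert of the kind the -Wvla commit mentions: an array of negative
 * length. It only fails the build if the size is a constant expression; with
 * a non-constant size the declaration silently becomes a variable-length
 * array and the check is lost. */
#define ASSERT_CONSTANT(cond) typedef char assert_constant_failed[(cond) ? 1 : -1]

/* Format "OPTION_NNN" through a fixed-size stack buffer.
 * Returns the string length, or -1 if n is out of range or out is too small. */
int format_option(unsigned n, char *out, size_t out_size) {
    /* With strlen("OPTION_000") + 1 this would be a VLA and trip -Wvla. */
    char buffer[STRLEN("OPTION_000") + 1];

    /* sizeof(buffer) is a constant here, so this check is enforced at
     * compile time; for a VLA it would not be. */
    ASSERT_CONSTANT(sizeof(buffer) == 11);

    if (n > 999 || out_size < sizeof(buffer))
        return -1;

    int len = snprintf(buffer, sizeof(buffer), "OPTION_%03u", n);
    memcpy(out, buffer, (size_t) len + 1);
    return len;
}

int main(void) {
    char out[16];
    int len = format_option(7, out, sizeof(out));

    printf("%s (%d bytes)\n", out, len);
    /* The difference from strlen() noted in the commit message: an embedded
     * NUL is counted by STRLEN() but ends the string for strlen(). */
    printf("STRLEN=%zu strlen=%zu\n", STRLEN("a\0"), strlen("a\0"));
    return 0;
}
```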

2 years ago networkd: don't try to configure IPv6 proxy NDP if IPv6 is not available (#7613)
Lennart Poettering [Wed, 13 Dec 2017 04:47:10 +0000 (05:47 +0100)] 
networkd: don't try to configure IPv6 proxy NDP if IPv6 is not available (#7613)

Fixes: #7612

2 years ago Merge pull request #7588 from poettering/resolve-route-tweak
Yu Watanabe [Wed, 13 Dec 2017 04:43:55 +0000 (13:43 +0900)] 
Merge pull request #7588 from poettering/resolve-route-tweak

resolved domain routing tweaks and /etc/resolv.conf handling improvements

2 years ago Merge pull request #7569 from keszybz/doc-reverse-settings
Yu Watanabe [Wed, 13 Dec 2017 04:42:19 +0000 (13:42 +0900)] 
Merge pull request #7569 from keszybz/doc-reverse-settings

Document reverse settings

2 years ago Merge pull request #7591 from poettering/retry-on-servfail
Zbigniew Jędrzejewski-Szmek [Tue, 12 Dec 2017 21:22:06 +0000 (22:22 +0100)] 
Merge pull request #7591 from poettering/retry-on-servfail

resolved: retry with a different server on SERVFAIL

2 years ago Merge pull request #7611 from poettering/bootspec-fixes
Zbigniew Jędrzejewski-Szmek [Tue, 12 Dec 2017 21:16:34 +0000 (22:16 +0100)] 
Merge pull request #7611 from poettering/bootspec-fixes

minor fixes to bootctl.c/bootspec.c to make sure the tool works cleanly on my system

2 years ago Merge pull request #7608 from poettering/more-news-v236
Zbigniew Jędrzejewski-Szmek [Tue, 12 Dec 2017 20:11:31 +0000 (21:11 +0100)] 
Merge pull request #7608 from poettering/more-news-v236

2 years ago cryptsetup: use more descriptive name for the variable and drop redundant function 7619/head
Michal Sekletar [Tue, 12 Dec 2017 19:00:31 +0000 (20:00 +0100)] 
cryptsetup: use more descriptive name for the variable and drop redundant function

Let's rename escaped_name to disk_path since this is an actual content
that pointer refers to. It is either path to encrypted block device
or path to encrypted image file.

Also drop redundant function disk_major_minor(). src is always set, and
it always points to either encrypted block device path (or symlink to
such device) or to encrypted image. In case it is set to device path
there is no need to reset it to /dev/block/major:minor symlink since
those paths are equivalent.

2 years ago meson: link NSS modules with -z nodelete (#7607)
Lennart Poettering [Tue, 12 Dec 2017 19:13:16 +0000 (20:13 +0100)] 
meson: link NSS modules with -z nodelete (#7607)

We might end up allocating mempools, and when we are unloaded we might
orphan them, thus leaking them. Hence, let's just stick around for good,
so the mempools remain referenced continuously and for good, and thus no
memory is leaked (though the memory isn't cleaned up either).

Fixes: #7596

2 years ago cryptsetup: when unlocking always put path to the object into Id
Michal Sekletar [Tue, 12 Dec 2017 16:49:14 +0000 (17:49 +0100)] 
cryptsetup: when unlocking always put path to the object into Id

Some ask-password agents (e.g. clevis-luks-askpass) use Id option from
/run/systemd/ask-password/ask* file in order to obtain the password for
the device.

Id option should be in the following format,
e.g. Id=subsystem:data. Where data part is supposed to identify object
that ask-password query is done for. Since
e51b9486d1b59e72c293028fed1384f4e4ef09aa this field has format
Id=cryptsetup:/dev/block/major:minor when systemd-cryptsetup is
unlocking encrypted block device. However, crypttab also supports
encrypted image files in which case we usually set data part of Id to
"vol on mountpoint". This is unexpected and actually breaks network
based device encryption as implemented by clevis.

$ cat /etc/crypttab
clevis-unlocked /clevis-test-disk-image none luks,_netdev
$ systemctl start 'systemd-cryptsetup@clevis\x2dunlocked.service'
$ grep Id /run/systemd/ask-password/ask*

$ Id=cryptsetup:clevis-unlocked on /clevis-test-disk-image-mnt

$ Id=cryptsetup:/clevis-test-disk-image

2 years ago resolve: add support for RFC 8080 (#7600)
ott [Tue, 12 Dec 2017 15:30:12 +0000 (16:30 +0100)] 
resolve: add support for RFC 8080 (#7600)

RFC 8080 describes how to use EdDSA keys and signatures in DNSSEC. It
uses the curves Ed25519 and Ed448. Libgcrypt 1.8.1 does not support
Ed448, so only the Ed25519 is supported at the moment. Once Libgcrypt
supports Ed448, support for it can be trivially added to resolve.

2 years ago networkd: Fix race condition in [RoutingPolicyRule] handling (#7615)
Saran Tunyasuvunakool [Tue, 12 Dec 2017 15:25:36 +0000 (15:25 +0000)] 
networkd: Fix race condition in [RoutingPolicyRule] handling (#7615)

The routing policy rule setup logic is moved to the routes setup phase (rather than the addresses setup phase as it is now). Additionally, a call to `link_check_ready` is added to the routing policy rules setup handler. This prevents a race condition with the routes setup handler.

Also give each async handler its own message counter to prevent race conditions when logging successes.

Fixes: #7614

2 years ago resolved: try a different server if server is too dumb to do DNSSEC 7591/head
Lennart Poettering [Fri, 8 Dec 2017 19:11:36 +0000 (20:11 +0100)] 
resolved: try a different server if server is too dumb to do DNSSEC

If we are in strict DNSSEC mode it's worthy to try a different DNS
server before accepting that DNSSEC is not actually supported.

Fixes: #7040

2 years ago resolved: cast dns_scope_get_dns_server() to NULL when we ignore it
Lennart Poettering [Fri, 8 Dec 2017 18:50:51 +0000 (19:50 +0100)] 
resolved: cast dns_scope_get_dns_server() to NULL when we ignore it

2 years ago resolved: when a server consistently returns SERVFAIL, try another one
Lennart Poettering [Fri, 8 Dec 2017 18:48:15 +0000 (19:48 +0100)] 
resolved: when a server consistently returns SERVFAIL, try another one

Currently, we accept SERVFAIL after downgrading fully, cache it and move
on. Let's extend this a bit: after downgrading fully, if the SERVFAIL
logic continues to be an issue, then use a different DNS server if there
are any.

Fixes: #7147

2 years ago verbs: add a new VERB_MUSTBEROOT flag 7611/head
Lennart Poettering [Mon, 11 Dec 2017 22:10:11 +0000 (23:10 +0100)] 
verbs: add a new VERB_MUSTBEROOT flag

Given that we regularly have verbs that require privileges, let's just
make this a flag of the verb.

2 years ago tree-wide: unify logging of "Must be root" message
Lennart Poettering [Mon, 11 Dec 2017 22:00:57 +0000 (23:00 +0100)] 
tree-wide: unify logging of "Must be root" message

Let's unify this in one call, generalizing must_be_root() from

2 years ago bootspec: sprinkle some argument assert()s all over the place
Lennart Poettering [Mon, 11 Dec 2017 21:22:04 +0000 (22:22 +0100)] 
bootspec: sprinkle some argument assert()s all over the place

The previous commit fixed a NULL parameter issue, let's check for such,
to make it easier to find issues like this.

2 years ago bootctl: don't trip up in "bootctl status" when we can't find the ESP because of...
Lennart Poettering [Mon, 11 Dec 2017 21:15:03 +0000 (22:15 +0100)] 
bootctl: don't trip up in "bootctl status" when we can't find the ESP because of lack of privileges

On my system the boot and EFI partitions are protected, hence "bootctl
status" can't find the ESP, and then the tool continues with arg_path ==
NULL, which it really should not. Handle these cases, and simply
suppress all output that needs arg_path.

2 years ago efi: rework find_esp() error propagation/logging a bit
Lennart Poettering [Mon, 11 Dec 2017 21:04:46 +0000 (22:04 +0100)] 
efi: rework find_esp() error propagation/logging a bit

This renames find_esp() to find_esp_and_warn() and tries to normalize its

1. Change the error that is returned when we can't find the ESP to
   ENOKEY (from ENOENT). This way the error code can only mean one
   thing: that our search loop didn't find a good candidate.
2. Really log about all errors, except for ENOKEY and EACCES, and
   document the latter cases.
3. Normalize parameters to the call: separate out the path parameter in
   two: an input path and an output path. That way the memory management
   is clear: we will access the input parameter only for reading, and
   only write out the output parameter, using malloc() memory.
   Before the calling convention were quite surprising for internal API
   code, as the path parameter had to be malloc() memory and might and
   might not have changed.
4. Rename bootctl's find_esp_warn() to acquire_esp(), and make it a
   simple wrapper around find_esp_warn(), that basically just adds the
   friendly logging for the ENOKEY case. This rework removes double
   logging in a number of error cases, as we no longer log here in
   anything but ENOKEY, and leave that entirely to find_esp_warn().
5. find_esp_and_warn() now takes a bool flag parameter
   "unprivileged_mode", which disables logging in the EACCES case, and
   skips privileged validation of the path. This makes the function less
   magic, and doesn't hide this internal silencing automatism from the
   caller anymore.

With all that in place "bootctl list" and "bootctl status" work properly
(or as good as they can) when I invoke the tools without privileges on
my system where /boot is not world-readable

2 years ago NEWS: more updates for v236
Lennart Poettering [Fri, 8 Dec 2017 21:25:49 +0000 (22:25 +0100)] 
NEWS: more updates for v236

2 years ago mailmap: add more names from the v236 cycle
Lennart Poettering [Mon, 11 Dec 2017 12:30:19 +0000 (13:30 +0100)] 
mailmap: add more names from the v236 cycle

Let's clean up after github's "squash" feature…

2 years ago tree-wide: drop a few == NULL and != NULL comparison
Lennart Poettering [Fri, 8 Dec 2017 19:52:38 +0000 (20:52 +0100)] 
tree-wide: drop a few == NULL and != NULL comparison

Our CODING_STYLE suggests not comparing with NULL, but relying on C's
downgrade-to-bool feature for that. Fix up some code to match these
guidelines. (This is not comprehensive, the coccinelle output for this
is unfortunately kinda borked)

2 years ago run: allow to specify multiple timer options 7606/head
Yu Watanabe [Mon, 11 Dec 2017 12:21:10 +0000 (21:21 +0900)] 
run: allow to specify multiple timer options

2 years ago core,run: add timer related options to Bus-API
Yu Watanabe [Mon, 11 Dec 2017 12:19:19 +0000 (21:19 +0900)] 
core,run: add timer related options to Bus-API

2 years ago bus-unit-util: check returned value
Yu Watanabe [Mon, 11 Dec 2017 12:04:06 +0000 (21:04 +0900)] 
bus-unit-util: check returned value

Follow-up for 784b9a1a327c23652c945785dab6f2979c0af06c.

2 years ago resolved: fix wrong error code (#7601)
Yu Watanabe [Sun, 10 Dec 2017 15:27:19 +0000 (00:27 +0900)] 
resolved: fix wrong error code (#7601)

2 years ago core: fix undefined behaviour due to uninitialized string buffer (#7597)
Alan Jenkins [Sun, 10 Dec 2017 10:58:01 +0000 (10:58 +0000)] 
core: fix undefined behaviour due to uninitialized string buffer (#7597)

Failure of systemd to respond on the bus interface was bisected to af6b0ecc
"core: make "taint" string logic a bit more generic and output it at boot".

Failure was presumably caused by trying to append strings to an
uninitialized buffer, leading to writing outside the unterminated buffer
and hence undefined behaviour.

2 years ago Merge pull request #7352 from eddiejames/master
Lennart Poettering [Fri, 8 Dec 2017 21:22:02 +0000 (22:22 +0100)] 
Merge pull request #7352 from eddiejames/master

Add path configuration for hardware watchdog device

2 years ago virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581)
Olaf Hering [Fri, 8 Dec 2017 21:21:42 +0000 (22:21 +0100)] 
virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581)

The detection of ConditionVirtualisation= relies on the presence of
/proc/xen/capabilities. If the file exists and contains the string
"control_d", the running system is a dom0 and VIRTUALIZATION_NONE should
be set. In case /proc/xen exists, or some sysfs files indicate "xen",
VIRTUALIZATION_XEN should be set to indicate the system is a domU.

With an (old) xenlinux based kernel, /proc/xen/capabilities is always
available and the detection described above works always. But with a
pvops based kernel, xenfs must be mounted on /proc/xen to get
"capabilities". This is done by a proc-xen.mount unit, which is part of
xen.git. Since the mounting happens "late", other units may be scheduled
before "proc-xen.mount". If these other units make use of
"ConditionVirtualisation=", the virtualization detection returns
incorrect results. detect_vm() will set VIRTUALIZATION_XEN because "xen"
is found in sysfs. This value will be cached. Once xenfs is mounted, the
next process that runs detect_vm() will get VIRTUALIZATION_NONE.

This misdetection can be fixed by using
/sys/hypervisor/properties/features, which exports the value returned by
the "XENVER_get_features" hypercall. If the bit XENFEAT_dom0 is set, the
domain is the "hardware domain". It is supposed to have permissions to
access all hardware. The used sysfs file is available since v2.6.31.

The commonly used term "dom0" refers to the control domain which runs
the toolstack and has access to all hardware. But the virtualization
host may be configured such that one dedicated domain becomes the
"hardware domain", and another one the "toolstack domain".

2 years ago Merge pull request #6993 from rojkov/dnssd
Lennart Poettering [Fri, 8 Dec 2017 21:21:01 +0000 (22:21 +0100)] 
Merge pull request #6993 from rojkov/dnssd

Add support for server-side DNS-SD in mDNS zones.

2 years ago documentation: add description for watchdog device path 7352/head
Edward A. James [Fri, 8 Dec 2017 17:27:01 +0000 (11:27 -0600)] 
documentation: add description for watchdog device path

Document the command line parameter and the system configuration file

2 years ago core: Add WatchdogDevice config option and implement it
Edward A. James [Fri, 8 Dec 2017 17:26:44 +0000 (11:26 -0600)] 
core: Add WatchdogDevice config option and implement it

This option allows a device path to be specified for the systemd
watchdog (both runtime and shutdown).

If a system requires a watchdog other than /dev/watchdog (pointing to
/dev/watchdog0) to be used to reboot the system, this setting should be
changed to the relevant watchdog device path (e.g. /dev/watchdog1).

2 years ago watchdog: allow a device path to be specified
Edward A. James [Fri, 8 Dec 2017 17:26:30 +0000 (11:26 -0600)] 
watchdog: allow a device path to be specified

Currently systemd hardcodes the use of /dev/watchdog. This is a legacy
chardev that points to watchdog0 in the system.

Modify the watchdog API to allow a different device path to be passed
and stored. Opening the watchdog defaults to /dev/watchdog, maintaining
existing behavior.

2 years agoshared: use _cleanup_ in specifier_printf (#7586)
Zbigniew Jędrzejewski-Szmek [Fri, 8 Dec 2017 16:28:02 +0000 (17:28 +0100)] 
shared: use _cleanup_ in specifier_printf (#7586)

Follow-up for e62d316561.

2 years agoresolved: tweak domain routing logic a bit 7588/head
Lennart Poettering [Fri, 8 Dec 2017 16:21:42 +0000 (17:21 +0100)] 
resolved: tweak domain routing logic a bit

This makes sure that a classic DNS scope that has no DNS servers
assigned is never considered for routing requests to even if it has
matching search/routing domains associated.

This is inspired by #7544, where lookup requests are refused since a
scope with no DNS server is configured. This change does not deliver
what the reporter intended, but is generally useful in general, as it
makes us more robust to misconfiguration.

2 years agoresolved: synchronize introduction blurbs in all three resolv.conf files we provide
Lennart Poettering [Fri, 8 Dec 2017 16:19:27 +0000 (17:19 +0100)] 
resolved: synchronize introduction blurbs in all three resolv.conf files we provide

Let's use the same wording and same contents in all three versions.

2 years agoresolved: beef up logic to detect our own configuration files
Lennart Poettering [Fri, 8 Dec 2017 16:01:47 +0000 (17:01 +0100)] 
resolved: beef up logic to detect our own configuration files

Let's also check for the static resolv.conf, so that we filter all three
of our own files out.

2 years agoresolved: don't make defines needlessly public
Lennart Poettering [Fri, 8 Dec 2017 15:55:00 +0000 (16:55 +0100)] 
resolved: don't make defines needlessly public

2 years agoresolved: store the mtime of the file we read
Lennart Poettering [Fri, 8 Dec 2017 15:53:36 +0000 (16:53 +0100)] 
resolved: store the mtime of the file we read

Let's make sure we use the mtime of the current fstat() data, rather
than the mtime of the old stat(), fixing a theoretical race.

2 years agoresolved: fix a minimal race, when reading /etc/resolv.conf
Lennart Poettering [Fri, 8 Dec 2017 15:51:46 +0000 (16:51 +0100)] 
resolved: fix a minimal race, when reading /etc/resolv.conf

The user might replace a foreign /etc/resolv.conf with a symlink to one
of ours between the time we did stat() and open the file. Hence, let's
check the fstat() data right after opening the file, a second time.
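
The check-after-open pattern from this commit, together with the fstat()-based mtime from the commit listed above it, as an added example that is not systemd's own code. The names open_foreign_conf(), is_own_file() and demo_race(), the EPERM marker and the temporary file names are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Nonzero if st is the same file (device + inode) as own_path. */
static int is_own_file(const struct stat *st, const char *own_path) {
        struct stat own;
        return stat(own_path, &own) == 0 && st->st_dev == own.st_dev && st->st_ino == own.st_ino;
}

/* Hypothetical helper: open path, then check the descriptor itself, so the check
 * covers the file actually read. Returns fd, or -1 (errno EPERM if rejected). */
int open_foreign_conf(const char *path, const char *own_path, time_t *ret_mtime) {
        struct stat st;
        int fd = open(path, O_RDONLY | O_CLOEXEC);
        if (fd < 0)
                return -1;
        if (fstat(fd, &st) == 0 && !is_own_file(&st, own_path)) {
                *ret_mtime = st.st_mtime; /* mtime of the file actually opened */
                return fd;
        }
        close(fd);
        errno = EPERM; /* arbitrary marker chosen for this example */
        return -1;
}

/* Constructed scenario; returns 1 if the post-open check catches the swap. */
int demo_race(void) {
        char dir[] = "/tmp/fstat-demo-XXXXXX", path[64], own[64];
        struct stat early;
        time_t mtime;
        if (!mkdtemp(dir))
                return -1;
        snprintf(path, sizeof path, "%s/resolv.conf", dir);
        snprintf(own, sizeof own, "%s/stub-resolv.conf", dir);
        close(open(path, O_CREAT | O_WRONLY, 0644));
        close(open(own, O_CREAT | O_WRONLY, 0644));
        if (stat(path, &early) < 0 || is_own_file(&early, own) || /* early: foreign */
            unlink(path) < 0 || symlink(own, path) < 0)           /* the swap */
                return -1;
        int fd = open_foreign_conf(path, own, &mtime);
        int rejected = fd < 0 && errno == EPERM;
        if (fd >= 0) close(fd);
        unlink(path); unlink(own); rmdir(dir);
        return rejected;
}
```

A check based only on the early stat() result would have classified the path as foreign and read the file behind the symlink.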

2 years agoman: normalize indentation in systemd.unit.xml 7569/head
Zbigniew Jędrzejewski-Szmek [Thu, 7 Dec 2017 08:48:59 +0000 (09:48 +0100)] 
man: normalize indentation in systemd.unit.xml

2 years agoman: add a table of setting inverses
Zbigniew Jędrzejewski-Szmek [Thu, 7 Dec 2017 08:47:34 +0000 (09:47 +0100)] 
man: add a table of setting inverses

It would be nicer to use <footnote> to place the notes directly in the table,
but docbook renders this improperly.

- also add "RequiredBy=" to the notes section
- remove duplicated paragraph
- clarify the description
- drop References/ReferenceBy which are only shown in systemd-analyze dump

2 years agoacl: fix typo in comment (#7580)
Yu Watanabe [Fri, 8 Dec 2017 12:34:25 +0000 (21:34 +0900)] 
acl: fix typo in comment (#7580)

2 years agonetworkd: Ignore DNS information when uplink is not managed (#7571)
Patrik Flykt [Fri, 8 Dec 2017 12:33:40 +0000 (14:33 +0200)] 
networkd: Ignore DNS information when uplink is not managed (#7571)

When another networking daemon or configuration is handling the
uplink connection, systemd-networkd won't have a network configuration
associated with the link, and therefore link->network will be NULL.
An assert will be triggered later on in the code when link->network is

2 years agoresolved: support multiple TXT RRs per DNS-SD service 6993/head
Dmitry Rozhkov [Wed, 29 Nov 2017 09:03:44 +0000 (11:03 +0200)] 
resolved: support multiple TXT RRs per DNS-SD service

Section 6.8 of RFC 6763 allows having service instances with
multiple TXT resource records.

2 years agoresolved: consult Polkit for privileges when manipulating DNS-SD
Dmitry Rozhkov [Wed, 22 Nov 2017 14:49:23 +0000 (16:49 +0200)] 
resolved: consult Polkit for privileges when manipulating DNS-SD

2 years agoresolved: resolve possible conflicts for DNS-SD RRs
Dmitry Rozhkov [Tue, 31 Oct 2017 07:47:37 +0000 (09:47 +0200)] 
resolved: resolve possible conflicts for DNS-SD RRs

It might happen that a DNS-SD service doesn't include local host's
name in its RR keys and still conflicts with a remote service.

In this case try to resolve the conflict by changing name for
this particular service.

2 years agoresolved: don't check conflicts for DNS-SD enumeration RRs
Dmitry Rozhkov [Fri, 27 Oct 2017 09:16:54 +0000 (12:16 +0300)] 
resolved: don't check conflicts for DNS-SD enumeration RRs

2 years agoresolved: add man page for systemd.dnssd
Dmitry Rozhkov [Wed, 4 Oct 2017 12:56:19 +0000 (15:56 +0300)] 
resolved: add man page for systemd.dnssd

2 years agoresolved: implement D-Bus API for DNS-SD
Dmitry Rozhkov [Mon, 23 Oct 2017 11:46:13 +0000 (14:46 +0300)] 
resolved: implement D-Bus API for DNS-SD

2 years agoresolved: detect and handle mDNS race condition upon probing
Dmitry Rozhkov [Tue, 17 Oct 2017 08:35:06 +0000 (11:35 +0300)] 
resolved: detect and handle mDNS race condition upon probing

As discussed in RFC 6762, Section 8.2 a race condition may
happen when two hosts are probing for the same name simultaneously.

Detect and handle such race conditions.

2 years agoresolved: add authority section to mDNS probing queries
Dmitry Rozhkov [Mon, 16 Oct 2017 14:25:17 +0000 (17:25 +0300)] 
resolved: add authority section to mDNS probing queries

According to RFC 6762 Section 8.2 "Simultaneous Probe Tiebreaking"
probing queries' Authority Section is populated with proposed
resource records in order to resolve possible race conditions.

2 years agoresolved: set cache-flush bit on mDNS responses
Dmitry Rozhkov [Tue, 31 Oct 2017 08:34:58 +0000 (10:34 +0200)] 
resolved: set cache-flush bit on mDNS responses

From RFC 6762, Section 10.2
"They (the rules about when to set the cache-flush bit) apply to
startup announcements as described in Section 8.3, "Announcing",
and to responses generated as a result of receiving query messages."

So, set the cache-flush bit for mDNS answers except for DNS-SD
service enumeration PTRs described in RFC 6763, Section 4.1.

2 years agoresolved: make rfc4795-specific code run for LLMNR only
Dmitry Rozhkov [Fri, 13 Oct 2017 09:19:21 +0000 (12:19 +0300)] 
resolved: make rfc4795-specific code run for LLMNR only

RFC6762 specifies a different procedure for conflict resolution and
the code is not applicable for the mDNS case.

2 years agoresolved: announce DNS-SD records in mDNS scopes
Dmitry Rozhkov [Wed, 4 Oct 2017 07:07:44 +0000 (10:07 +0300)] 
resolved: announce DNS-SD records in mDNS scopes

2 years agoresolved: put DNS-SD records to mDNS-enabled zones.
Dmitry Rozhkov [Wed, 4 Oct 2017 08:34:39 +0000 (11:34 +0300)] 
resolved: put DNS-SD records to mDNS-enabled zones.