1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

48302 Commits

Author SHA1 Message Date
Florian Westphal
347ea16797 sd-netlink: add nfnetlink helper routines
add nfnetlink_nftables helper functions to:
 * open a new nfnetlink socket to kernel
 * add tables, chains, rules, sets and maps
 * delete/flush table
 * add and delete elements from sets/maps
2020-12-16 00:35:56 +01:00
Florian Westphal
6f00fd9b7c sd-netlink: add nfnetlink/nftables type system
Will be used by upcoming nftables support -- it will use the netlink
interface directly rather than add another library dependency.
2020-12-16 00:35:56 +01:00
Florian Westphal
bcd1a2bb5c linux: import nf_tables and nfnetlink headers from Linux 5.8
Will be used/needed in the upcoming nfnetlink/nftables support.
This follows existing model where kernel uapi headers are cached
locally.
2020-12-16 00:35:56 +01:00
Florian Westphal
761cf19d7b firewall-util: introduce context structure
for planned nft backend we have three choices:

- open/close a new nfnetlink socket for every operation
- keep a nfnetlink socket open internally
- expose a opaque fw_ctx and stash all internal data here.

Originally I opted for the 2nd option, but during review it was
suggested to avoid static storage duration because of perceived
problems with threaded applications.

This adds fw_ctx and new/free functions, then converts the existing api
and nspawn and networkd to use it.
2020-12-16 00:35:56 +01:00
Florian Westphal
f51343d0af nspawn: pass userdata pointer, not inet_addr union
Next patch will need to pass two pointers to the callback instead
of just the addr mask.  Caller will pass a compound structure, so
make this 'void *userdata' to de-clutter the next patch.
2020-12-16 00:35:56 +01:00
Florian Westphal
3122097217 firewall-util: prepare for alternative to iptables backend
In a nutshell:
1. git mv firewall-util.c firewall-util-iptables.c
2. existing external functions gain _iptables_ in their names
3. firewall-util.c provides old function names
4. build system always compiles firewall-util.c,
   firewall-util-iptables.c is conditional instead (libiptc).
5. On first call to any of the 'old' API functions performs
   a probe that should return the preferred backend.

In a future step, can add firewall-util-FOOTYPE.c, add its
probe function to firewall-util.c and then have calls to
fw_add_masq/local_dnat handed to the detected backend.

For now, only iptables backend exists, and no special probing
takes place for it, i.e. when systemd was built with iptables,
that will be used.  If not, requets to add masquerade/dnat will
fail with same error (-EOPNOTSUPP) as before this change.

For reference, the rules added by the libiptc/iptables backend look like this:

for service export (via systemd-nspawn):
[0:0] -A PREROUTING -p tcp -m tcp --dport $exportedport -m addrtype --dst-type LOCAL -j DNAT --to-destination $containerip:$port
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport $exportedport -m addrtype --dst-type LOCAL -j DNAT --to-destination $containerip:$port

for ip masquerade:
[0:0] -A POSTROUTING -s network/prefix -j MASQUERADE
2020-12-16 00:35:56 +01:00
Florian Westphal
47ed20e1e0 firewall-util: reject NULL source or address with prefixlen 0
Make sure we don't add masquerading rules without a explicitly
specified network range we should be masquerading for.

The only caller aside from test case is
networkd-address.c which never passes a NULL source.

As it also passes the network prefix, that should always be > 0 as well.

This causes expected test failure:
Failed to modify firewall: Invalid argument
Failed to modify firewall: Invalid argument
Failed to modify firewall: Invalid argument
Failed to modify firewall: Protocol not available
Failed to modify firewall: Protocol not available
Failed to modify firewall: Protocol not available
Failed to modify firewall: Protocol not available

The failing test cases are amended to expect failure on
NULL source or prefix instead of success.
2020-12-16 00:35:56 +01:00
Susant Sahani
937e305e93 network: Allow to configure interface promiscuous mode 2020-12-15 20:25:08 +00:00
Christian Ehrhardt
43b49470d1 test: use modern qemu numa arguments
Upgrading to qemu 5.2 breaks TEST-36-NUMAPOLICY like:
  qemu-system-x86_64: total memory for NUMA nodes (0x0) should
  equal RAM size (0x20000000)

Use the new (as in >=2014) form of memdev in test 36:
 -object memory-backend-ram,id=mem0,size=512M -numa node,memdev=mem0,nodeid=0

Since some target systems are as old as qemu 1.5.3 (CentOS7) but the new
kind to specify was added in qemu 2.1 this needs to add version parsing and
add the argument only when qemu is >=5.2.

Fixes #17986.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-12-16 05:16:41 +09:00
Lennart Poettering
94b78105c6
Merge pull request #17967 from poettering/connect-user-bus
add support for "systemctl --user --machine=foobar@.host" for connecting to user bus of user "foobar"
2020-12-15 21:14:01 +01:00
d032747
6fe2a70b91 busctl: add a timestamp to the output of the busctl monitor command 2020-12-16 05:06:56 +09:00
Yu Watanabe
3a23834d6b
Merge pull request #17908 from ddstreet/dhcpv4_rfc2131_intervals
Fix dhcpv4 renew/rebind intervals to match rfc2131
2020-12-16 05:05:06 +09:00
shenyangyang4
b17f651a17 journalctl: don't skip the entries that have the same seqnum
These two judgement can't judge that two entries are repeating fully.
So i think seqnum is needed to make full judgement.
2020-12-15 18:07:11 +01:00
Lennart Poettering
1ecb46724c bus-util: improve logging when we can't connect to the bus
Previously, we'd already have explicit logging for the case where
$XDG_RUNTIME_DIR is not set. Let's also add some explicit logging for
the EPERM/ACCESS case. Let's also in both cases suggest the
--machine=<user>@.host syntax.

And while we are at it, let's remove side-effects from the macro.

By checking for both the EPERM/EACCES case and the $XDG_RUNTIME_DIR case
we will now catch both the cases where people use "su" to issue a
"systemctl --user" operation, and those where they (more correctly, but
still not good enough) call "su -".

Fixes: #17901
2020-12-15 18:01:23 +01:00
Lennart Poettering
cedfd142de stdio-bridge: add support for --system and --user
So far, the bridge always acted as if "--system" was used, i.e. would
unconditionally connect to the system bus. Let's add "--user" too, to
connect to the users session bus.

This is mostly for completeness' sake.

I wanted to use this when making sd-bus's ability to connect to other
user's D-Bus busses work, but it didn't exist so far. In the interest of
keeping things compatible the implementation in sd-bus will not use the
new "--user" switch, and instead manually construct the right bus path
via "--path=", but we still should add the proper switches, as
preparation for a brighter future, one day.
2020-12-15 18:01:20 +01:00
Lennart Poettering
ba4a31b7a6 man: document new ability to connect to user of container 2020-12-15 18:01:01 +01:00
Lennart Poettering
1b630835df sd-bus: add API for connecting to a specific user's user bus of a specific container
This is unfortunately harder to implement than it sounds. The user's bus
is bound a to the user's lifecycle after all (i.e. only exists as long
as the user has at least one PAM session), and the path dynamically (at
least theoretically, in practice it's going to be the same always)
generated via $XDG_RUNTIME_DIR in /run/.

To fix this properly, we'll thus go through PAM before connecting to a
user bus. Which is hard since we cannot just link against libpam in the
container, since the container might have been compiled entirely
differently. So our way out is to use systemd-run from outside, which
invokes a transient unit that does PAM from outside, doing so via D-Bus.
Inside the transient unit we then invoke systemd-stdio-bridge which
forwards D-Bus from the user bus to us. The systemd-stdio-bridge makes
up the PAM session and thus we can sure tht the bus exists at least as
long as the bus connection is kept.

Or so say this differently: if you use "systemctl -M lennart@foobar"
now, the bus connection works like this:

        1. sd-bus on the host forks off:

                systemd-run -M foobar -PGq --wait -pUser=lennart -pPAMName=login systemd-stdio-bridge

        2. systemd-run gets a connection to the "foobar" container's
           system bus, and invokes the "systemd-stdio-bridge" binary as
           transient service inside a PAM session for the user "lennart"

        3. The systemd-stdio-bridge then proxies our D-Bus traffic to
           the user bus.

sd-bus (on host) → systemd-run (on host) → systemd-stdio-bridge (in container)

Complicated? Well, to some point yes, but otoh it's actually nice in
various other ways, primarily as it makes the -H and -M codepaths more
alike. In the -H case (i.e. connect to remote host via SSH) a very
similar three steps are used. The only difference is that instead of
"systemd-run" the "ssh" binary is used to invoke the stdio bridge in a
PAM session of some other system. Thus we get similar implementation and
isolation for similar operations.

Fixes: #14580
2020-12-15 18:00:15 +01:00
Lennart Poettering
1ca37419b1 sd-bus: 'ret' parameter to sd_bus_query_sender_creds() is not optional, check for it 2020-12-15 18:00:11 +01:00
Lennart Poettering
f8ecc2c00d sd-bus: make credential acquisition more graceful
So far when asked for augmented bus credentials and the process was
already gone we'd fail fatally. Let's make this graceful instead, and
never allow augmenting fail due to PID having vanished — unless the
augmenting is the explicit and only purpose of the requested operation.

This should be safe as clients have to explicitly query the acquired
creds anyway and handle if they couldn't be acquired. Moreover we
already handle permission problems gracefully, thus clients must be
ready to deal with missing creds.

This is useful to make selinux authorization work for short-lived client
proceses. PReviously we'd augment creds to have more info to log about
(the selinux decision would not be based on augmented data however,
because that'd be unsafe), and would fail if we couldn't get it. Now,
we'll try to acquire the data, but if we cannot acquire it, we'll still
do the selinux check, except that logging will be more limited.
2020-12-15 18:00:06 +01:00
Lennart Poettering
79485fc27a firstboot: clean-up the copied hostname, not argv[] directly, as that's ugly 2020-12-15 18:00:02 +01:00
Lennart Poettering
d4e9809465 hostname-setup: clarify that failures reading /etc/hostname are ignored 2020-12-15 17:59:58 +01:00
Lennart Poettering
52ef5dd798 hostname-util: flagsify hostname_is_valid(), drop machine_name_is_valid()
Let's clean up hostname_is_valid() a bit: let's turn the second boolean
argument into a more explanatory flags field, and add a flag that
accepts the special name ".host" as valid. This is useful for the
container logic, where the special hostname ".host" refers to the "root
container", i.e. the host system itself, and can be specified at various
places.

let's also get rid of machine_name_is_valid(). It was just an alias,
which is confusing and even more so now that we have the flags param.
2020-12-15 17:59:48 +01:00
Lennart Poettering
9e815cf2c2 hostname-util: explain what 'LDH' is 2020-12-15 17:59:44 +01:00
Lennart Poettering
1feb8eee2d logs-show: drop redundant validation of machine name
The immediately following container_get_leader() call validate the name
anyway, no need to twice exactly the same way twice immediately after
each other.
2020-12-15 17:59:41 +01:00
Lennart Poettering
c4dd2d7575 machine: drop really old kdbus left-over
The "x-machine-kernel" dbus address has been removed a long time ago,
hence don't generate it either.
2020-12-15 17:59:37 +01:00
Lennart Poettering
68a3d91538 sd-bus: use SOCK_CLOEXEC on one more socket 2020-12-15 17:58:40 +01:00
Gaurav
fa8342228b Fix review comments in added debug log. 2020-12-15 17:47:03 +01:00
Gaurav
d66b0ed4cc Fix build warning. 2020-12-15 17:47:03 +01:00
Gaurav
6ef03f7a0d Handle escape characters in interface name
Updated the patch as per review comments.
2020-12-15 17:47:03 +01:00
Gaurav
17f8a21fd0 Detect special character in dbus interface name
Added debug log to detect special character in dbus interface names.
Helps to detect a case mentioned in https://github.com/systemd/systemd/issues/14636
2020-12-15 17:47:03 +01:00
Fabian Affolter
04b2224957 Translated using Weblate (German)
Currently translated at 61.4% (115 of 187 strings)

Co-authored-by: Fabian Affolter <mail@fabian-affolter.ch>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/de/
Translation: systemd/master
2020-12-15 17:40:56 +01:00
Ondrej Mosnacek
7b87bece5d resolved: create stub-resolv.conf symlink with correct security label
Use symlink_atomic_label() instead of symlink_atomic() as the symlink
may need a different label than the parent directory.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 14:12:08 +01:00
Yu Watanabe
fc874bf3bf
Merge pull request #17977 from yuwata/namespace-mount-procfs-follow-up
core/namespace: do not ignore non-EPERM mount error
2020-12-15 12:07:30 +09:00
Andrew Balmos
361f41645c efi: Only use arm flags if supported
Support gcc 8 on arm
2020-12-15 12:06:52 +09:00
Yu Watanabe
7843706caf
Merge pull request #17936 from keszybz/more-nss-logging
Add debug logging for varlink
2020-12-15 12:05:45 +09:00
Susant Sahani
e81a44bf5f timesync: Make delaying attempts to contact servers configurable
```
❯ ssh sus@xx.xx.xx.xx
Last login: Sat Nov 14 17:32:08 2020 from 10.104.45.138
 17:36:19 up 0 min,  0 users,  load average: 0.00, 0.00, 0.00
> systemd-analyze blame
Bootup is not yet finished (org.freedesktop.systemd1.Manager.FinishTimestampMonotonic=0).
Please try again later.
Hint: Use 'systemctl list-jobs' to see active jobs
> systemd-analyze blame
43.954s systemd-time-wait-sync.service
 1.969s systemd-networkd-wait-online.service
 1.559s cloud-init-local.service
 1.039s cloud-init.service
  414ms cloud-final.service
  387ms dracut-initqueue.service
  382ms initrd-switch-root.service
  380ms cloud-config.service
  198ms systemd-journal-flush.service
  136ms systemd-udev-trigger.service
  115ms initrd-parse-etc.service
   97ms systemd-timesyncd.service
   84ms systemd-journald.service

```

After made it configurable and set to 5s

```
❯ ssh sus@xx.xx.xx.xx
Last login: Sat Nov 14 18:41:42 2020 from 10.104.45.138
 18:42:36 up 0 min,  0 users,  load average: 0.16, 0.03, 0.01
> systemd-analyze blame
10.450s systemd-time-wait-sync.service
 8.303s systemd-networkd-wait-online.service
 1.621s cloud-init-local.service
 1.068s cloud-init.service
```
2020-12-15 08:52:51 +09:00
Dan Streetman
b226c15cfb test-network: increase wait_online timeout to handle longer dhcpv4 transient timeout
Previous commits changed the dhcpv4 retransmission algorithm to be
slightly slower, changing the amount of time it takes to notify
systemd-networkd that the dhcpv4 configuration has (transiently)
failed from around 14 second up to 28 seconds.

Since the test_dhcp_client_with_ipv4ll_without_dhcp_server test
configures an interface to use dhcpv4 without any operating dhcpv4
server running, it must increase the amount of time it waits for
the test interface to reach degraded state.
2020-12-14 18:19:32 -05:00
Dan Streetman
f3808b872f sd-dhcp-client: correct retransmission timeout to match RFC
This changes the retransmission timeout algorithm for requests
other than RENEW and REBIND. Previously, the retransmission timeout
started at 2 seconds, then doubling each retransmission up to a max
of 64 seconds. This is changed to match what RFC2131 section 4.1 describes,
which skips the initial 2 second timeout and starts with a 4 second timeout
instead. Note that -1 to +1 seconds of random 'fuzz' is added to each
timeout, in previous and current behavior.

This change is therefore slightly slower than the previous behavior in
attempting retransmissions when no server response is received, since the
first transmission times out in 4 seconds instead of 2.

Since TRANSIENT_FAILURE_ATTEMPTS is set to 3, the previous length of time
before a transient failure was reported back to systemd-networkd was
2 + 4 + 8 = 14 seconds, plus, on average, 3 seconds of random 'fuzz' for
a transient failure timeout between 11 and 17 seconds. Now, since the
first timeout starts at 4, the transient failure will be reported at
4 + 8 + 16 = 28 seconds, again plus 3 random seconds for a transient
failure timeout between 25 and 31 seconds.

Additionally, if MaxAttempts= is set, it will take slightly longer to
reach than with previous behavior.
2020-12-14 18:19:29 -05:00
Dan Streetman
c24288d21e sd-dhcp-client: correct dhcpv4 renew/rebind retransmit timeouts
Use the request timeout algorithm specified in RFC2131 section 4.4.5 for
handling timed out RENEW and REBIND requests.

This changes behavior, as previously only 2 RENEW and 2 REBIND requests
were sent, no matter how long the lease lifetime. Now, requests are
send according to the RFC, which results in starting with a timeout
of 1/2 the t1 or t2 period, and halving the timeout for each retry
down to a minimum of 60 seconds.

Fixes: #17909
2020-12-14 18:19:22 -05:00
Dan Streetman
b0d7d8063c sd-dhcp-client: simplify dhcp4 t1/t2 parsing
The parsing of the dhcpv4 lease lifetime, as well as the t1/t2
times, is simplified by this commit.

This differs from previous behavior; previously, the lease lifetime and
t1/t2 values were modified by random 'fuzz' by subtracting 3, then adding
a random number between 0 and (slightly over) 2 seconds. The resulting
values were therefore always between 1-3 seconds shorter than the value
provided by the server (or the default, in case of t1/t2). Now, as
described in RFC2131, the random 'fuzz' is between -1 and +1 seconds,
meaning the actual t1 and t2 value will be up to 1 second earlier or
later than the server-provided (or default) t1/t2 value.

This also differs in handling the lease lifetime, as described above it
previously was adjusted by the random 'fuzz', but the RFC does not state
that the lease expiration time should be adjusted, so now the code uses
exactly the lease lifetime as provided by the server with no adjustment.
2020-12-14 18:19:07 -05:00
Dan Streetman
3d75a443ee sd-dhcp-client: add RFC2131 retransmission details
RFC2131, providing the details for dhcpv4, has specific retransmission
intervals that it outlines. This adds functions to compute the timeouts
as the RFC describes.
2020-12-14 18:19:01 -05:00
Dan Streetman
0c3c59783b sd-dhcp-client: track dhcp4 t1, t2, expire times
Add fields to dhcp4 client to track t1, t2, and lease expiry times
2020-12-14 17:39:26 -05:00
Dan Streetman
f3bd46c657 sd-dhcp-client: don't log timeouts if already expired 2020-12-14 17:39:26 -05:00
Luca Boccassi
e3284031ae
Merge pull request #17960 from yuwata/network-log-routing-policy-rule
network: introduce log_routing_policy_rule()
2020-12-14 22:22:51 +00:00
Luca Boccassi
e1f3685750
Merge pull request #17959 from yuwata/network-log-address
network: introduce log_address_debug()
2020-12-14 22:21:50 +00:00
Luca Boccassi
e82b77e984
Merge pull request #17958 from yuwata/network-route-log
network: introduce log_route_debug()
2020-12-14 22:17:33 +00:00
Yu Watanabe
bcdb3b7d50 core: detect_container() may return negative errno 2020-12-14 19:35:11 +01:00
Zbigniew Jędrzejewski-Szmek
db3d4222e9 varlink: add debug logging
When something fails, we need some logs to figure out what happened.
This is primarily relevant for connection errors, but in general we
want to log about all errors, even if they are relatively unlikely.

We want one log on failure, and generally no logs on success.
The general idea is to not log in static functions, and to log in the
non-static functions. Non-static functions which call other functions
may thus log or not log as appropriate to have just one log entry in the
end.
2020-12-14 19:21:55 +01:00
Yu Watanabe
c4837f4567 Revert "core/namespace: ignore ENOENT for /proc/sys/kernel/domainname and hostname"
This reverts commit 0ebc9f23fa.

With the previous commit, these files should always exist.

Closes #17979.
2020-12-15 02:38:35 +09:00
Yu Watanabe
ad74f28a13 core/namespace: do not ignore non-EPERM mount error
Follow-up for 61f8a7bd3e.
2020-12-15 02:37:03 +09:00