1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-05 06:52:22 +03:00
Commit Graph

23916 Commits

Author SHA1 Message Date
Lennart Poettering
a8273d1253 Merge pull request #1989 from keszybz/filetriggers-v2
Return of the file triggers
2015-11-27 13:52:43 +01:00
Lennart Poettering
6182e51efa Merge pull request #2040 from keszybz/randomized-delay
core: rename Random* to RandomizedDelay*
2015-11-27 13:48:12 +01:00
Daniel Mack
ab57824597 Merge pull request #2046 from evverx/rlimit-parsing
Fix rlimit parsing
2015-11-27 12:45:04 +01:00
Evgeny Vereshchagin
fdbbadbd0d core: dump rlim_cur too 2015-11-27 11:26:55 +00:00
Evgeny Vereshchagin
0316f2aeeb core: fix rlimit parsing
* refuse limits if soft > hard
* print an actual value instead of (null)

see https://github.com/systemd/systemd/pull/1994#issuecomment-159999123
2015-11-27 11:26:37 +00:00
Daniel Mack
c9ff64f725 Merge pull request #2030 from evverx/dont-run-tests-on-incomplete-setup
tests: don't run tests on incomplete setup
2015-11-27 12:22:12 +01:00
Martin Pitt
4ddb85b18b tests: add networkd integration test
This uses temporary configuration in /run and temporary veth devices, and does
not write anything on disk or change any system configuration; but it assumes
(and checks at the beginning) that networkd is not currently running.

This can be run on a normal installation, in QEMU, nspawn, or LXC.

As this requires root privileges, this is not integrated into "make check".
2015-11-27 11:53:07 +01:00
David Herrmann
ff7d5a5c7c Merge pull request #2044 from grawity/patch-1
resolved: fix typo in in_addr_is_localhost()
2015-11-27 10:35:34 +01:00
Martin Pitt
827661914a Merge pull request #2029 from teg/network-fixes
Network fixes
2015-11-27 10:20:18 +01:00
Mantas Mikulėnas
db15affc05 resolved: fix typo in in_addr_is_localhost() 2015-11-27 08:36:37 +02:00
Zbigniew Jędrzejewski-Szmek
e0d8c8015a Merge commit 'pr/2036^^' 2015-11-26 21:24:08 -05:00
Tom Gundersen
d74fb368b1 resolved: announce support for large UDP packets
This is often needed for proper DNSSEC support, and even to handle AAAA records
without falling back to TCP.

If the path between the client and server is fully compliant, this should always
work, however, that is not the case, and overlarge packets will get mysteriously
lost in some cases.

For that reason, we use a similar fallback mechanism as we do for palin EDNS0,
EDNS0+DO, etc.:

The large UDP size feature is different from the other supported feature, as we
cannot simply verify that it works based on receiving a reply (as the server
will usually send us much smaller packets than what we claim to support, so
simply receiving a reply does not mean much).

For that reason, we keep track of the largest UDP packet we ever received, as this
is the smallest known good size (defaulting to the standard 512 bytes). If
announcing the default large size of 4096 fails (in the same way as the other
features), we fall back to the known good size. The same logic of retrying after a
grace-period applies.
2015-11-27 01:35:47 +01:00
Tom Gundersen
7586f4d172 resolved: set the DNSSEC OK (DO) flag
This indicates that we can handle DNSSEC records (per RFC3225), even if
all we do is silently drop them. This feature requires EDNS0 support.

As we do not yet support larger UDP packets, this feature increases the
risk of getting truncated packets.

Similarly to how we fall back to plain UDP if EDNS0 fails, we will fall
back to plain EDNS0 if EDNS0+DO fails (with the same logic of remembering
success and retrying after a grace period after failure).
2015-11-27 01:35:34 +01:00
Tom Gundersen
9c5e12a431 resolved: implement minimal EDNS0 support
This is a minimal implementation of RFC6891. Only default values
are used, so in reality this will be a noop.

EDNS0 support is dependent on the current server's feature level,
so appending the OPT pseudo RR is done when the packet is emitted,
rather than when it is assembled. To handle different feature
levels on retransmission, we strip off the OPT RR again after
sending the packet.

Similarly, to how we fall back to TCP if UDP fails, we fall back
to plain UDP if EDNS0 fails (but if EDNS0 ever succeeded we never
fall back again, and after a timeout we will retry EDNS0).
2015-11-27 01:35:34 +01:00
Tom Gundersen
dc913c9a1f resolved: rr - add OPT pseudo-rr support
Needed for EDNS0.
2015-11-27 01:35:34 +01:00
Tom Gundersen
4e0b8b17a7 resolved: degrade the feature level on explicit failure
Previously, we would only degrade on packet loss, but when adding EDNS0 support,
we also have to handle the case where the server replies with an explicit error.
2015-11-27 01:35:33 +01:00
Tom Gundersen
be808ea083 resolved: fallback to TCP if UDP fails
This is inspired by the logic in BIND [0], follow-up patches
will implement the reset of that scheme.

If we get a server error back, or if after several attempts we don't
get a reply at all, we switch from UDP to TCP for the given
server for the current and all subsequent requests. However, if
we ever successfully received a reply over UDP, we never fall
back to TCP, and once a grace-period has passed, we try to upgrade
again to using UDP. The grace-period starts off at five minutes
after the current feature level was verified and then grows
exponentially to six hours. This is to mitigate problems due
to temporary lack of network connectivity, but at the same time
avoid flooding the network with retries when the feature attempted
feature level genuinely does not work.

Note that UDP is likely much more commonly supported than TCP,
but depending on the path between the client and the server, we
may have more luck with TCP in case something is wrong. We really
do prefer UDP though, as that is much more lightweight, that is
why TCP is only the last resort.

[0]: <https://kb.isc.org/article/AA-01219/0/Refinements-to-EDNS-fallback-behavior-can-cause-different-outcomes-in-Recursive-Servers.html>
2015-11-27 01:35:33 +01:00
Tom Gundersen
90c739259f Merge pull request #2042 from poettering/resolved-various-3
resolved: Flush caches more agressively, fixes #2038
2015-11-27 01:18:38 +01:00
Lennart Poettering
daa27350c3 update TODO 2015-11-27 00:46:51 +01:00
Lennart Poettering
d830ebbdf6 resolved: never cache RRs originating from localhost
After all, this is likely a local DNS forwarder that caches anyway,
hence there's no point in caching twice.

Fixes #2038.
2015-11-27 00:46:51 +01:00
Lennart Poettering
452b4e327d resolved: flush the global DNS cache if /etc/resolv.conf is touched
After all /etc/resolv.conf is usually done when the network
configuration changes, which is a good reason to flush the global cache.

See: #2038
2015-11-27 00:46:51 +01:00
Lennart Poettering
bf7fabd600 resolved: don't clear the server list too eagerly
If /etc/resolv.conf is missing, this should not result in the server
list to be cleared, after all the native data from resolved.conf
shouldn't be flushed out then. Hence flush out the data only if
/etc/resolv.conf exists, but we cannot read it for some reason.
2015-11-27 00:46:51 +01:00
Tom Gundersen
8a7a7e971e Merge pull request #2041 from poettering/resolved-various-2
various smaller fixes, plus one that makes the build succeed again
2015-11-27 00:42:56 +01:00
Lennart Poettering
039a8725fd resolved: fix build 2015-11-27 00:10:29 +01:00
Lennart Poettering
6627b7e221 resolved: don't follow the global search list on local scopes
It probably doesn't make sense to mix local and global configuration.
Applying global search lists to local DNS servers appears unnecessary
and creates problems because we'll traverse the search domains
non-simultaneously on multiple scopes.

Also see:

https://github.com/systemd/systemd/pull/2031
2015-11-27 00:06:19 +01:00
Lennart Poettering
f9ebb22ab4 resolved: handle properly if there are multiple transactions for the same key per scope
When the zone probing code looks for a transaction to reuse it will
refuse to look at transactions that have been answered from cache or the
zone itself, but insist on the network. This has the effect that there
might be multiple transactions around for the same key on the same
scope. Previously we'd track all transactions in a hashmap, indexed by
the key, which implied that there would be only one transaction per key,
per scope. With this change the hashmap will only store the most recent
transaction per key, and a linked list will be used to track all
transactions per scope, allowing multiple per-key per-scope.

Note that the linked list fields for this actually already existed in
the DnsTransaction structure, but were previously unused.
2015-11-27 00:03:39 +01:00
Lennart Poettering
c3bc53e624 resolved: for a transaction, keep track where the answer data came from
Let's track where the data came from: from the network, the cache or the
local zone. This is not only useful for debugging purposes, but is also
useful when the zone probing wants to ensure it's not reusing
transactions that were answered from the cache or the zone itself.
2015-11-27 00:03:39 +01:00
Lennart Poettering
ae6a4bbf31 resolved: store just the DnsAnswer instead of a DnsPacket as answer in DnsTransaction objects
Previously we'd only store the DnsPacket in the DnsTransaction, and the
DnsQuery would then take the DnsPacket's DnsAnswer and return it. With
this change we already pull the DnsAnswer out inside the transaction.

We still store the DnsPacket in the transaction, if we have it, since we
still need to determine from which peer a response originates, to
implement caching properly. However, the DnsQuery logic doesn't care
anymore for the packet, it now only looks at answers and rcodes from the
successfuly candidate.

This also has the benefit of unifying how we propagate incoming packets,
data from the local zone or the local cache.
2015-11-27 00:03:39 +01:00
Lennart Poettering
b05f5ae7c5 resolved: change query flag definitions
Let's use a more useful way to write the flags. Also, leave some space
in the middle for the mDNS flags. After all, these flags are exposed on
the bus, and we should really make sure to expose flags that are going
to be stable, hence allow some room here...

(Not that the room really mattered, except to be nice to one's OCD)
2015-11-27 00:03:39 +01:00
Tom Gundersen
c283267467 Merge pull request #2031 from poettering/resolved-search-domains
resolved. Fully implement search domains for single-label names
2015-11-26 23:58:45 +01:00
Zbigniew Jędrzejewski-Szmek
20cc0ac7a0 man: remove repeated words in description of RandomizedDelay 2015-11-26 16:45:27 -05:00
Zbigniew Jędrzejewski-Szmek
6f5d79986a core: rename Random* to RandomizedDelay*
The name RandomSec is too generic: "Sec" just specifies the default
unit type, and "Random" by itself is not enough. Rename to something
that should give the user general idea what the setting does without
looking at documentation.
2015-11-26 16:32:41 -05:00
Lennart Poettering
f7b5b034e8 Merge pull request #1994 from karelzak/rlimits
core: support <soft:hard> ranges for RLIMIT options
2015-11-26 13:17:25 +01:00
Lennart Poettering
fedb9a51e6 Merge pull request #2022 from alkino/master
man: Add a not that mount unit cannot be templated
2015-11-26 13:09:56 +01:00
Daniel Mack
845f09c86e Merge pull request #2034 from teg/resolved-fix
minor resolved fixes
2015-11-26 10:56:42 +01:00
Daniel Mack
30e07c7dbc Merge pull request #2035 from evverx/man-fix-io-revents
man: fix function name
2015-11-26 10:55:29 +01:00
Evgeny Vereshchagin
13b6b49fa2 man: fix function name 2015-11-26 07:54:08 +00:00
Tom Gundersen
95d46fcaa4 resolved: bus - follow CNAME chains when resolving addresses
It may be unexpected to find a CNAME record when doing a reverse lookup, as we
expect to find a PTR record directly. However, it is explicitly supported
according to <https://tools.ietf.org/html/rfc2181#section-10.2>, and there
seems to be no benefit to not supporting it.
2015-11-26 04:03:08 +01:00
Tom Gundersen
09eaf68ce4 resolved: do not reject NSEC records with empty bitmaps
The assumption that no NSEC bitmap could be empty due to the presence of the bit representing
the record itself turns out to be flawed. See (the admittedly experimental) RFC4956 for a
counter example.
2015-11-26 04:03:08 +01:00
Lennart Poettering
422baca0f2 dns-domain: rework dns_label_escape() to not imply memory allocation
The new dns_label_escape() call now operates on a buffer passed in,
similar to dns_label_unescape(). This should make decoding a bit faster,
and nicer.
2015-11-25 22:00:07 +01:00
Lennart Poettering
7e8131e9c6 dns-domain: change dns_srv_type_is_valid() return value to bool
For similar reasons as dns_name_is_root() got changed in the previous
commit.
2015-11-25 22:00:07 +01:00
Lennart Poettering
dc477e7385 dns-domain: simplify dns_name_is_root() and dns_name_is_single_label()
Let's change the return value to bool. If we encounter an error while
parsing, return "false" instead of the actual parsing error, after all
the specified hostname does not qualify for what the function is
supposed to test.

Dealing with the additional error codes was always cumbersome, and
easily misused, like for example in the DHCP code.

Let's also rename the functions from dns_name_root() to
dns_name_is_root(), to indicate that this function checks something and
returns a bool. Similar for dns_name_is_signal_label().
2015-11-25 22:00:07 +01:00
Lennart Poettering
801ad6a6a9 resolved: fully support DNS search domains
This adds support for searching single-label hostnames in a set of
configured search domains.

A new object DnsQueryCandidate is added that links queries to scopes.
It keeps track of the search domain last used for a query on a specific
link. Whenever a host name was unsuccessfuly resolved on a scope all its
transactions are flushed out and replaced by a new set, with the next
search domain appended.

This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain
behaviour. The "systemd-resolve-host" tool is updated to make this
configurable via --search=.

Fixes #1697
2015-11-25 21:59:16 +01:00
Lennart Poettering
7f220d94a9 resolved: expose some properties on the bus
For now, let's just expose the LLMNR hostname currently in use;  a
combined list of all dns servers with their interface indexes; a
combined list of all search domains with their interface indexes.
2015-11-25 21:58:38 +01:00
Lennart Poettering
9176a57c10 resolved: split out calls to compile full list of dns servers and search domains
Let's split this out from the resolv.conf parser, so that this becomes
generically useful.
2015-11-25 21:58:38 +01:00
Lennart Poettering
0264d0726f util-lib: add ordered_set_ensure_allocated()
ordered_set_ensure_allocated() does for an OrderedSet, what
set_ensure_allicated() does for a Set.
2015-11-25 21:58:38 +01:00
Lennart Poettering
eed857b717 resolved: enforce a maximum limit on both dns servers and search domains 2015-11-25 21:58:38 +01:00
Lennart Poettering
4b95f1798f resolved: unify DnsServer handling code between Link and Manager
This copies concepts we introduced for the DnsSearchDomain stuff, and
reworks the operations on lists of dns servers to be reusable and
generic for use both with the Link and the Manager object.
2015-11-25 21:58:38 +01:00
Lennart Poettering
a51c10485a resolved: add a generic DnsSearchDomain concept
With this change, we add a new object to resolved, "DnsSearchDomain="
which wraps a search domain. This is then used to introduce a global
search domain list, in addition to the existing per-link search domain
list which is reword to make use of this new object too.

This is preparation for implement proper unicast DNS search domain
support.
2015-11-25 21:58:38 +01:00
Lennart Poettering
0b58db658b resolved: make sure order of dns servers is stable
Previously, we'd keep adding new dns servers we discover to the end of
our linked list of servers. When we encountered a pre-existing server,
we'd just leave it where it was. In essence that meant that old servers
ended up at the front, and new servers at the end, but not in an order
that would reflect the configuration.

With this change we ensure that every pre-existing server we want to add
again we move to the back of the linked list, so that the order is
stable and in sync with the requested configuration.
2015-11-25 21:58:38 +01:00