platform/upstream/systemd.git
Lennart Poettering [Tue, 26 Jan 2016 20:52:30 +0000 (21:52 +0100)]
Merge pull request #2306 from walyong/exec_v01

[v1] core: resolve specifier in config_parse_exec()

Lennart Poettering [Tue, 26 Jan 2016 19:39:33 +0000 (20:39 +0100)]
Merge pull request #2444 from phomes/resolve-compare-function

resolve: fix compare function for EtcHostItem

Thomas Hindoe Paaboel Andersen [Tue, 26 Jan 2016 19:13:34 +0000 (20:13 +0100)]
resolve: fix compare function for EtcHostItem

From dd0bc0f1

Lennart Poettering [Tue, 26 Jan 2016 19:27:25 +0000 (20:27 +0100)]
Merge pull request #2442 from samukallio/nss-resolve-fix-aliases

nss-resolve: fix gethostbyaddr h_aliases

Samu Kallio [Tue, 26 Jan 2016 17:26:48 +0000 (19:26 +0200)]
nss-resolve: fix gethostbyaddr h_aliases

Fix the comparison to include the first alias, which will
otherwise be left as a bogus pointer.

Tom Gundersen [Tue, 26 Jan 2016 17:16:48 +0000 (18:16 +0100)]
Merge pull request #2440 from poettering/journal-fix

journald: minor fixes

Tom Gundersen [Tue, 26 Jan 2016 17:07:19 +0000 (18:07 +0100)]
Merge pull request #2437 from poettering/dnssec19

nineteenth dnssec patch

Lennart Poettering [Tue, 26 Jan 2016 15:14:11 +0000 (16:14 +0100)]
Merge pull request #2433 from dobyrch/master

zsh-completion: Escape results for `journalctl --unit`

Lennart Poettering [Tue, 26 Jan 2016 13:50:43 +0000 (14:50 +0100)]
Merge pull request #2441 from msekletar/killing-spree-excluded-log-v3

shutdown: complain if process excluded from killing spree runs of the same rootfs as PID1 (v3)

Lennart Poettering [Tue, 26 Jan 2016 12:48:57 +0000 (13:48 +0100)]
journald: add a couple of static asserts checking logging constants

Whenever we include a log level or facility in a journal string field, make sure the compiler checks for us that that's
actually the right thing to do.

Lennart Poettering [Tue, 26 Jan 2016 12:48:32 +0000 (13:48 +0100)]
journald: fix LOG_AUTH facility in audit code

Fixes: #2304

Lennart Poettering [Tue, 26 Jan 2016 12:42:04 +0000 (13:42 +0100)]
man: document that logind's RemoveIPC= option excepts all system users

Fixes #2324.

Lennart Poettering [Tue, 26 Jan 2016 12:37:42 +0000 (13:37 +0100)]
update TODO

This gets rid of the private DNSSEC TODO and moves it in the main TODO dump site, as the DNSSEC implementation is
pretty complete now, and the remaining bits are low-priority.

Lennart Poettering [Tue, 26 Jan 2016 12:36:33 +0000 (13:36 +0100)]
resolved: prioritize rtnl and sd-network event sources

Let's make sure we always take notice of network changes before answering client requests.

This way, calls like SetLinkDNS() become race-free as the specified interface index is guaranteed to have been processed
if it exists before we make changes to it.

Lennart Poettering [Tue, 26 Jan 2016 12:22:12 +0000 (13:22 +0100)]
resolved: fix the rcode to SUCCESS if we find at least one matching RR in a DNS response

If we encounter NXDOMAIN, but find at least one matching RR in a response, then patch it to become SUCCESS. This should
clean up handling of CNAME/DNAMEs, and makes sure broken servers and those conforming to RFC 6604 are treated the same
way. The new behaviour opposes the logic suggested in RFC 6604, but given that some servers don't implement it
correctly, and given that in some ways the CNAME/DNAME chains will be incomplete anyway, and given that DNSSEC
generally only allows us to prove the first element of a CNAME/DNAME chain, this should simplify things for us.

Lennart Poettering [Mon, 25 Jan 2016 22:48:32 +0000 (23:48 +0100)]
CONTRIBUTING: fix markdown layout

Lennart Poettering [Mon, 25 Jan 2016 22:40:02 +0000 (23:40 +0100)]
resolved: allow configuration of routing domains in Domains=

Lennart Poettering [Mon, 25 Jan 2016 22:19:49 +0000 (23:19 +0100)]
resolved: teach resolved the difference between "routing" and "search" domains

Following the changes to expose the "routing" and "search" domain concepts in networkd, actually make resolved use
them. It will now use routing domains exclusively for making DNS routing decisions, and use search domains additionally
for extending single-label names.

Lennart Poettering [Mon, 25 Jan 2016 21:42:36 +0000 (22:42 +0100)]
util: introduce fputs_with_space() and make use of it at various places

The call combines outputting a string with prefixing it with a space, optionally. This is useful to shorten the logic
for outputting lists of strings, that are space separated.

Lennart Poettering [Mon, 25 Jan 2016 21:27:01 +0000 (22:27 +0100)]
networkd: optionally use DHCP lease domain info for routing only

This changes the UseDomains= setting of .network files to take an optional third value "route", in addition to the
boolean values. If set, the passed domain information is used for routing rules only, but not for the search path
logic.

Lennart Poettering [Mon, 25 Jan 2016 20:47:02 +0000 (21:47 +0100)]
networkd: rename a few Network object properties to be more like the configuration settings

All booleans called dhcp_xyz are now called ".dhcp_use_xyz", to match their respective configuration file settings. This
should clarify things a bit, in particular as there is a DHCP hostname that was previously called just ".hostname"
because ".dhcp_hostname" was already existing as a bool. Since this confusion is removed now because the bool is called
".dhcp_use_hostname", the string field is now renamed to ".dhcp_hostname".

Lennart Poettering [Mon, 25 Jan 2016 20:32:14 +0000 (21:32 +0100)]
shared: normalize the root domain to "." rather than ""

Let's make sure the root domain is normalized to ".", rather than the empty string, so that there's actually something
to see on screen. Normally, we don't append a trailing dot to normalized domain names, but do so in the one exception
of the root domain, taking inspiration from UNIX file system paths.

Lennart Poettering [Mon, 25 Jan 2016 19:48:07 +0000 (20:48 +0100)]
dhcp: make host/domain name validity checks stricter

Also don't permit host/domain names that reference the root domain, and unify the codepaths for this.

Lennart Poettering [Mon, 25 Jan 2016 19:33:47 +0000 (20:33 +0100)]
networkd: when filtering out duplicate domain names use DNS comparison

When we collect the domain names of the various links and other sources in one ordered set, make sure to use proper DNS
name comparison to filter out duplicates.

Lennart Poettering [Mon, 25 Jan 2016 19:31:11 +0000 (20:31 +0100)]
networkd: use an OrderedSet instead of Set to collect link domains

For the search domain logic the order is highly relevant, hence make sure when collecting the various search domains to
add them to an ordered set, so that the order between search domains of a specific link is retained.

Lennart Poettering [Mon, 25 Jan 2016 19:14:58 +0000 (20:14 +0100)]
networkctl: move strv_isempty() check into dump_list()

Previously, each invocation of dump_list() was prefixed with a call to strv_isempty() to suppress invocation of the
function when the list is empty anyway. Move the check into the function itself, so that we can reduce the code a bit
in size.

(Also, prefix a couple of invocations we knowingly ignore return errors with a (void) cast).

Lennart Poettering [Mon, 25 Jan 2016 18:46:00 +0000 (19:46 +0100)]
networkd: rework Domains= setting

Previously, .network files only knew a vaguely defined "Domains=" concept, for which the documentation declared it was
the "DNS domain" for the network connection, without specifying what that means.

With this the Domains setting is reworked, so that there are now "routing" domains and "search" domains. The former are
to be used by resolved to route DNS requests to specific network interfaces, the latter is to be used for searching
single-label hostnames with (in addition to being used for routing). Both settings are configured in the "Domains="
setting. Normal domain names listed in it are now considered search domains (for compatibility with existing setups),
while those prefixed with "~" are considered routing domains only. To route all lookups to a specific interface the
routing domain "." may be used, referring to the root domain. An alternative syntax for this is the "*", as was already
implemented before using the "wildcard" domain concept.

This commit adds proper parsers for this new logic, and exposes this via the sd-network API. This information is not
used by resolved yet, this will be added in a later commit.

Lennart Poettering [Tue, 26 Jan 2016 13:20:45 +0000 (14:20 +0100)]
Merge pull request #2424 from keszybz/journald-disk-usage

Journald disk usage

Lennart Poettering [Tue, 26 Jan 2016 13:06:35 +0000 (14:06 +0100)]
journald: minor fixes

This primarily contains some minor coding style fixups for 7a24f3bf2fb181243a1957a0cdd54cd919396793 and earlier changes. Specifically:

* Don't log at log levels above LOG_DEBUG from "library" code like journal-file.c

* Don't negate errno values before passing them to log_debug_errno(), as the call can handle this fine anyway

* Cast some calls we knowingly ignore the return values of to (void)

* Don't clobber function call-by-ref return values on failure

* Don't mix function calls and variable declarations in one line

There's also one more relevant change: when failing to enqueue a journal change fs event, we'll run it immediately.

Michal Sekletar [Sun, 24 Jan 2016 15:08:36 +0000 (16:08 +0100)]
shutdown: complain if process excluded from killing spree runs of the same rootfs as PID1

Daniel Mack [Tue, 26 Jan 2016 12:36:30 +0000 (13:36 +0100)]
Merge pull request #2436 from grawity/fix/tasks-max

logind: update documentation for cf7d1a30e44

Mantas Mikulėnas [Tue, 26 Jan 2016 12:24:06 +0000 (14:24 +0200)]
logind: update documentation for cf7d1a30e44

Daniel Mack [Tue, 26 Jan 2016 08:39:56 +0000 (09:39 +0100)]
Merge pull request #2434 from keszybz/man-pages

Man pages

Daniel Mack [Tue, 26 Jan 2016 08:12:38 +0000 (09:12 +0100)]
Merge pull request #2435 from evverx/tests-setup-selinux

tests: add setup_selinux

Zbigniew Jędrzejewski-Szmek [Tue, 26 Jan 2016 01:20:58 +0000 (20:20 -0500)]
man: add stub sd-bus(3)

We have 126 broken links to sd-bus.html, it's nice to fix that.
Current version is mostly a stub, with a long list of links to other
pages. I think that's fine, especially that sd-bus might evolve
quite a bit before it is made public.

Not all of linked pages are written. Still missing:
sd_bus_can_send
sd_bus_get_name_creds
sd_bus_get_owner_creds
sd_bus_message_can_send
sd_bus_message_get_creds
sd_bus_message_set_allow_interactive_authorization
sd_bus_send
sd_bus_set_address
sd_bus_set_description
sd_bus_start
sd_event_set_prepare
sd-device
systemd.busname

Zbigniew Jędrzejewski-Szmek [Tue, 26 Jan 2016 00:05:47 +0000 (19:05 -0500)]
man: fix reference to sd_event_source_get_io_revents

Zbigniew Jędrzejewski-Szmek [Mon, 25 Jan 2016 22:56:42 +0000 (17:56 -0500)]
man: fix references to a few external man pages

Noticed in pull request #2067.

Zbigniew Jędrzejewski-Szmek [Mon, 25 Jan 2016 23:54:31 +0000 (18:54 -0500)]
build-sys: provide fallback value for xsltproc

Commit ab6f56debf made the change to allow building man pages even when disabled
with ./configure --disable-manpages. This works fine, as long as xsltproc is
present. If xsltproc is not present, the command to build a man page (obviously)
fails. Unfortunately it fails with a cryptic message '-o not found', because
$(XSLTPROC) is empty. Add a fallback, to use 'xsltproc' if $(XSLTPROC) is not
defined. This way we get a nice message:

make: xsltproc: Command not found

Douglas Christman [Mon, 25 Jan 2016 23:10:31 +0000 (18:10 -0500)]
zsh-completion: Escape results for `journalctl --unit`

Escape colons and backslashes in unit names.
This gives correct completions for units with names like
    systemd-backlight@backlight:acpi_video0.service
and
    systemd-fsck@dev-disk-by\x2duuid-...

Tom Gundersen [Mon, 25 Jan 2016 19:28:38 +0000 (20:28 +0100)]
Merge pull request #2392 from poettering/dnssec18

eighteenth dnssec patch

Lennart Poettering [Mon, 25 Jan 2016 18:34:52 +0000 (19:34 +0100)]
Merge pull request #2240 from hgwalles/coredump-delete-bug

coredump: fix bug that loses core dump files when core dumps are compressed and disk space is low.

Hayden Walles [Wed, 23 Dec 2015 18:59:31 +0000 (13:59 -0500)]
coredump: fix bug that loses core dump files when core dumps are compressed and disk space is low.

Previously the save_external_coredump function returned a file
descriptor corresponding to the dumped file.  This descriptor was used
for two different purposes by calling code: a) access to the raw core
dump data; b) testing candidate files (via inode comparisons) while
vacuuming to protect the current core dump from vacuuming.

The descriptor returned always corresponded to a file containing the raw
core dump data.  However if compression was used and the core dump was
compressed then the descriptor returned did not correspond to the file
that would eventually be left on disk (ie the compressed file).  Thus
the file was never protected by vacuuming.  When disk space was low all
core dumps including the current one would be vacuumed and the
corresponding log message referred to a file that no longer existed.

This resulted in the following error message from coredumpctl if the
missing core dump was requested:
   Cannot retrieve coredump from journal nor disk.
   Failed to retrieve core: No such file or directory

save_external_coredump now returns two descriptors, one to be used for
inode comparisons to prevent overzealous vacuuming and one to be used
for raw data access.  When compression is not used the returned inode
comparison descriptor will be invalid, indicating that the raw data
access descriptor should be used for inode comparisons as well.

Corresponding use of save_external_coredump and the returned
descriptors also updated.

Zbigniew Jędrzejewski-Szmek [Mon, 25 Jan 2016 16:52:22 +0000 (11:52 -0500)]
Merge pull request #2430 from lnykryn/is-active-failed

systemctl: is-active/failed should return 0 if at least one unit is in given state

Previously:
[lnykryn@notas lnykryn-systemd(is-active-failed)]$ systemctl is-failed fail cups; echo $?
failed
active
1

now:
[lnykryn@notas lnykryn-systemd(is-active-failed)]$ ./systemctl is-failed fail cups; echo $?
failed
active
0

Lennart Poettering [Mon, 25 Jan 2016 16:16:27 +0000 (17:16 +0100)]
udev: filter out non-sensically high onboard indexes reported by the kernel

Let's not accept onboard interface indexes, that are so high that they are obviously non-sensical.

Fixes: #2407

Lennart Poettering [Mon, 25 Jan 2016 14:48:36 +0000 (15:48 +0100)]
resolved: don't consider NSEC/NSEC3 RRs as "primary" for transactions

So far, arbitrary NSEC and NSEC3 RRs were implicitly considered "primary" for any transaction, meaning we'd abort the
transaction immediately if we couldn't validate it. With this patch this logic is removed, and the NSEC/NSEC3 RRs will
not be considered primary anymore. This has the effect that they will be dropped from the message if they don't
validate, but processing continues. This is safe to do, as they are required anyway to validate positive wildcard and
negative responses, and if they are missing then, the message will be considered unsigned, which hence means the
outcome is effectively the same.

This is beneficial in case the server sends us NSEC/NSEC3 RRs that are not directly related to the lookup we did, but
simply auxiliary information. Previously, if we couldn't authenticate those RRs we'd fail the entire lookup while with
this change we'll simply drop the auxiliary information and proceed without it.

Lennart Poettering [Fri, 22 Jan 2016 17:43:41 +0000 (18:43 +0100)]
resolved: don't insist on RRSIG metadata for NSEC3 RRs that have not been authenticated

In some cases we get NSEC3 RRs that have not been authenticated (because the chain of trust to the root is somewhere
broken). We can use these for checking negative replies, as long as we don't claim they were ultimately authenticated.
This means we need to be able to deal with NSEC3 RRs that lack RRSIG metadata.

Lennart Poettering [Fri, 22 Jan 2016 16:34:10 +0000 (17:34 +0100)]
resolved: use dns_query_reset_answer() where we can

Lennart Poettering [Fri, 22 Jan 2016 16:25:28 +0000 (17:25 +0100)]
update DNSSEC TODO

Lennart Poettering [Fri, 22 Jan 2016 16:24:05 +0000 (17:24 +0100)]
resolved: properly propagate query candidate error

We already properly propagate errors from transactions to queries. Make sure that errors that happened during handling
of query candidates are propagated to the query, too.

Lennart Poettering [Fri, 22 Jan 2016 16:22:23 +0000 (17:22 +0100)]
resolved: replace DNS_TRANSACTION_RESOURCES by DNS_TRANSACTION_ERRNO

Whenever we encounter an OS error we did not expect, we so far put the transaction into DNS_TRANSACTION_RESOURCES
state. Rename this state to DNS_TRANSACTION_ERRNO, and save + propagate the actual system error to the caller. This
should make error messages triggered by system errors much more readable by the user.

Lennart Poettering [Fri, 22 Jan 2016 15:20:25 +0000 (16:20 +0100)]
catalog: add DNSSEC log messages to message catalog

Lennart Poettering [Fri, 22 Jan 2016 15:16:33 +0000 (16:16 +0100)]
catalog: fix line width to 79 chars

Line breaks default to 119 characters for systemd sources now, configured through the .vimrc and .dir-local.el files.
However, for the catalog files we really should stick to 79 chars, as they are regularly shown on terminal screens.

Lennart Poettering [Fri, 22 Jan 2016 12:39:31 +0000 (13:39 +0100)]
resolved: log recognizably about DNSSEC downgrades

If we downgrade from DNSSEC to non-DNSSEC mode, let's log about this in a recognizable way (i.e. with a message ID),
after all, this is of major importance.

Lennart Poettering [Fri, 22 Jan 2016 11:24:20 +0000 (12:24 +0100)]
resolved: synthesize RRs for data from /etc/hosts

This way the difference between lookups via NSS and our native bus API should become minimal.

Lennart Poettering [Fri, 22 Jan 2016 11:22:05 +0000 (12:22 +0100)]
resolved: when synthesizing RR responses, own the name fully

When we synthesize A/AAAA for domains like "localhost", then make sure we generate ENODATA if the user asks for RR
types such as RP to be solved on the name. Previously, we'd pass the error back in that case that was generated from the
usual lookup procedure.

Lennart Poettering [Fri, 22 Jan 2016 11:09:38 +0000 (12:09 +0100)]
resolved: properly handle LLMNR/TCP connection errors

The LLMNR spec suggests to do reverse address lookups by doing direct LLMNR/TCP connections to the indicated
address, instead of doing any LLMNR multicast queries. When we do this and the peer doesn't actually implement LLMNR
this will result in a TCP connection error, which we need to handle. In contrast to most LLMNR lookups this will give
us a quick response on whether we can find a suitable name. Report this as new transaction state, since this should
mostly be treated like an NXDOMAIN rcode, except that it's not one.

Lennart Poettering [Fri, 22 Jan 2016 11:06:39 +0000 (12:06 +0100)]
core: normalize error handling a bit, in setup_pam()

Assign errno-style errors to a variable called "r" when they happen, the same way we do this in most other calls. It's
bad enough that the error handling part of the function deals with two different error variables (pam_code and r) now,
but before this fix it was even three!

Lennart Poettering [Fri, 22 Jan 2016 11:04:36 +0000 (12:04 +0100)]
resolved: fix rcode formatting string length

Since we honour the edns rcode extension we need more than 4 bits to format it. To avoid further confusion, derive the
right length from the type.

Lennart Poettering [Fri, 22 Jan 2016 11:03:35 +0000 (12:03 +0100)]
github: extend README.md a bit

Link up more stuff on the GitHub landing page.

Lennart Poettering [Fri, 22 Jan 2016 11:02:03 +0000 (12:02 +0100)]
github: add a CONTRIBUTING.md file that github shows when a PR or issue is filed

github links up CONTRIBUTING.md if it exists from the issue/PR filing form. Let's add one, in the hope that people have
a look before filing a PR.

Lennart Poettering [Fri, 22 Jan 2016 11:01:04 +0000 (12:01 +0100)]
README: drop link to systemd-commits ML

Since we moved to github the commits ML is basically dead, hence don't advertise it anymore.

Lennart Poettering [Fri, 22 Jan 2016 10:57:59 +0000 (11:57 +0100)]
CODING_STYLE: make sure line break recommendation matches edit configuration

In the .vimrc and .dir-locals.el we suggest a line width of 119. We should recommend the same in CODING_STYLE.

Lennart Poettering [Thu, 21 Jan 2016 01:27:44 +0000 (02:27 +0100)]
resolve: fix wording in resolver statistics output

Now that we count both negative and positive validation results, we shouldn't claim we just counted RRsets.

Lennart Poettering [Thu, 21 Jan 2016 01:21:58 +0000 (02:21 +0100)]
resolved: log each time we increase the DNSSEC verdict counters

Also, don't consider RRs that aren't primary to the lookups we do as relevant to the lookups.

Lennart Poettering [Thu, 21 Jan 2016 00:24:30 +0000 (01:24 +0100)]
resolved: never store NSEC/NSEC3 RRs from the upper zone of a zone cut in cache

When using NSEC/NSEC3 RRs from the cache to derive existence of arbitrary RRs, we should not get confused by the fact
that NSEC/NSEC3 RRs exist twice at zone cuts: once in the parent zone, and once in the child zone. For most RR types we
should only consult the latter since that's where the beef is. However, for DS lookups we have to check the former.

This change makes sure we never cache NSEC/NSEC3 RRs from any parent zone of a zone-cut. It also makes sure that when
we look for a DS RR in the cache we never consider any cached NSEC RR, as those are now always from the child zone.

Lennart Poettering [Thu, 21 Jan 2016 00:07:56 +0000 (01:07 +0100)]
resolved: if we detect a message with incomplete DNSSEC data, consider this an invalid packet event

Lennart Poettering [Thu, 21 Jan 2016 00:06:28 +0000 (01:06 +0100)]
resolved: also collect statistics about negative DNSSEC proofs

We already maintain statistics about positive DNSSEC proofs, and count them up by 1 for each validated RRset. Now,
update the same counters each time we validated a negative query, so that the statistics are the combined result of all
validation checks, both positive and negative.

Lennart Poettering [Wed, 20 Jan 2016 23:58:49 +0000 (00:58 +0100)]
resolve: use different bitmap checking rules when we find an exact NSEC3 match, or just a covering enclosure

If we are looking for a DS RR we need to check the NSEC3 bitmap of the parent zone's NSEC3 RR, not the one from the
child. For any other RR we need to look at the child's however, hence enforce this with the bitmaps.

Note that not covering checks only the lower zone's NSEC3 bitmaps matter, hence the existing check is fine.

Lennart Poettering [Wed, 20 Jan 2016 23:05:37 +0000 (00:05 +0100)]
resolve: minor strings improvements

Lennart Poettering [Wed, 20 Jan 2016 23:04:19 +0000 (00:04 +0100)]
man: document systemd-resolve(8)

This also links up the new manpage from systemd-resolved.service(8), and makes a couple of unrelated additions.

Zbigniew Jędrzejewski-Szmek [Wed, 11 Nov 2015 12:54:50 +0000 (07:54 -0500)]
journald: restore oom safety

v2:
- use xsprintf

Lennart Poettering [Wed, 20 Jan 2016 23:03:08 +0000 (00:03 +0100)]
emacs: also configure nxml parameters in .dir-locals.el

We configure the parameters we use for the docbook XML.

Lennart Poettering [Wed, 20 Jan 2016 21:10:00 +0000 (22:10 +0100)]
resolve: rename "systemd-resolve-host" tool to simply "systemd-resolve"

The tool resolves way more than just hosts, hence give it a more generic name. This should be safe, as the tool is
currently undocumented. Before we add documentation for it, let's get the name right.

This also moves the C source into src/resolve/ (from src/resolve-host/), since the old name is a misnomer now. Also,
since it links directly to many of the C files of resolved it really belongs into resolved's directory anyway.

Lennart Poettering [Wed, 20 Jan 2016 21:07:48 +0000 (22:07 +0100)]
resolved: get rid of unnecessary if check

DNS_ANSWER_FOREACH() can deal with NULL answers anyway, let's simplify our code here.

Lennart Poettering [Wed, 20 Jan 2016 21:06:26 +0000 (22:06 +0100)]
resolved: split out RR synthesis logic into its own C file

Also, while we are at it, set the "authenticated" bit for everything we synthesize

Lennart Poettering [Wed, 20 Jan 2016 20:30:59 +0000 (21:30 +0100)]
resolved: move dns_type_to_af() to dns-type.c

Lennart Poettering [Wed, 20 Jan 2016 20:28:22 +0000 (21:28 +0100)]
resolve: generate a nice clean error when clients try to resolve a name when the network is down

Lennart Poettering [Wed, 20 Jan 2016 20:22:26 +0000 (21:22 +0100)]
resolved: when checking whether a link is relevant, check kernel operstate

This mimics what networkd is doing to detect a carrier.

Lennart Poettering [Wed, 20 Jan 2016 19:30:50 +0000 (20:30 +0100)]
resolved: fix typo

Noticed by @vcaputo

Lennart Poettering [Wed, 20 Jan 2016 19:30:03 +0000 (20:30 +0100)]
resolved: fix RR key reduction logic

Fixes #2380.

Lennart Poettering [Wed, 20 Jan 2016 19:27:21 +0000 (20:27 +0100)]
logind,machined: bump TasksMax=

Issue #2388 suggests the current TasksMax= setting for user processes is too low. Bump it to 12K. Also, bump the
container TasksMax= from 8K to 16K, so that it remains higher than the one for user processes.

(Compare: the kernel default limit for processes system-wide is 32K).

Fixes #2388

Lukas Nykryn [Mon, 25 Jan 2016 14:21:28 +0000 (15:21 +0100)]
systemctl: is-active/failed should return 0 if at least one unit is in given state

Previously we have returned the not-found code, in the case that we found a
unit which does not belong to set active (resp. failed), which is the
opposite than what is written in man page.

Lennart Poettering [Mon, 25 Jan 2016 12:46:23 +0000 (13:46 +0100)]
Merge pull request #2428 from msekletar/nspawn-alloca-fix

nspawn: fix memory leak

Michal Sekletar [Mon, 25 Jan 2016 11:06:38 +0000 (12:06 +0100)]
nspawn: fix memory leak

Evgeny Vereshchagin [Mon, 25 Jan 2016 05:00:34 +0000 (05:00 +0000)]
tests: fix install_pam

* pam_unix depends on unix_chkpwd
* selinux=1 -> pam_unix runs unix_chkpwd for root too

https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/passverify.c?id=e89d4c97385ff8180e6e81e84c5aa745daf28a79#n202

8 years ago tests: add setup_selinux
Evgeny Vereshchagin [Mon, 25 Jan 2016 02:45:43 +0000 (02:45 +0000)]
tests: add setup_selinux

8 years ago Merge pull request #2425 from yuwata/journal-remote-v4
Zbigniew Jędrzejewski-Szmek [Sun, 24 Jan 2016 16:47:19 +0000 (11:47 -0500)]
Merge pull request #2425 from yuwata/journal-remote-v4

ZJS: remove unnecessary oom check after strdupa().

8 years ago Merge pull request #2423 from keszybz/udevd-crash-in-cleanup
Daniel Mack [Sun, 24 Jan 2016 14:09:33 +0000 (15:09 +0100)]
Merge pull request #2423 from keszybz/udevd-crash-in-cleanup

udevd: do not clean up fds in main

8 years ago journal-remote: fix broken --getter option
Yu Watanabe [Sun, 24 Jan 2016 06:55:07 +0000 (15:55 +0900)]
journal-remote: fix broken --getter option

This commit fixes the following broken --getter option:
when systemd-journal-remote is called with the --getter option,
it causes the error message "Zero sources specified" and
the getter command will not be called.

8 years ago journal-remote: add an example to man
Yu Watanabe [Sun, 24 Jan 2016 06:54:05 +0000 (15:54 +0900)]
journal-remote: add an example to man

8 years ago journal-remote: output file name is determined by the remote hostname
Yu Watanabe [Sun, 24 Jan 2016 06:49:04 +0000 (15:49 +0900)]
journal-remote: output file name is determined by the remote hostname

When --url option is specified, e.g. --url='http://some.host:19531/entries'
retrieved remote journal entries will be stored to
/var/log/journal/remote/remote-some.host.journal

8 years ago journal-remote: make --url option support arbitrary url
Yu Watanabe [Sun, 24 Jan 2016 06:45:47 +0000 (15:45 +0900)]
journal-remote: make --url option support arbitrary url

Currently, the --url option supports only the form http(s)://some.host:19531.
This commit adds support for calling systemd-journal-remote as follows:
systemd-journal-remote --url='http://some.host:19531'
systemd-journal-remote --url='http://some.host:19531/'
systemd-journal-remote --url='http://some.host:19531/entries'
systemd-journal-remote --url='http://some.host:19531/entries?boot&follow'
The first three examples give the same result and retrieve all entries.
The last example retrieves only current boot entries and waits for new events.

8 years ago Merge pull request #2318 from vcaputo/coalesce-ftruncates-redux
Zbigniew Jędrzejewski-Szmek [Sun, 24 Jan 2016 03:09:51 +0000 (22:09 -0500)]
Merge pull request #2318 from vcaputo/coalesce-ftruncates-redux

journal: coalesce ftruncate()s in 250ms windows

8 years ago journald: use structured message + catalog entry for disk usage
Zbigniew Jędrzejewski-Szmek [Tue, 10 Nov 2015 12:44:19 +0000 (07:44 -0500)]
journald: use structured message + catalog entry for disk usage

The format of the journald disk usage log entry was changed back and
forth a few times. It is annoying to have a very verbose message, but
if it is short it is hard to understand. But we have a tool for this,
the catalogue.

$ journalctl -x -u systemd-journald
Jan 23 18:48:50 rawhide systemd-journald[891]: Runtime journal (/run/log/journal/) is 8.0M, max 196.2M, 188.2M free.
-- Subject: Disk space used by the journal
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Runtime journal (/run/log/journal/) is currently using 8.0M.
-- Maximum allowed usage is set to 196.2M.
-- Leaving at least 294.3M free (of currently available 1.9G of disk space).
-- Enforced usage limit is thus 196.2M, of which 188.2M are still available.
--
-- The limits controlling how much disk space is used by the journal may
-- be configured with SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=,
-- RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize= settings in
-- /etc/systemd/journald.conf. See journald.conf(5) for details.
Jan 23 18:48:50 rawhide systemd-journald[891]: System journal (/var/log/journal/) is 480.1M, max 1.6G, 1.2G free.
-- Subject: Disk space used by the journal
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- System journal (/var/log/journal/) is currently using 480.1M.
-- Maximum allowed usage is set to 1.6G.
-- Leaving at least 2.5G free (of currently available 5.8G of disk space).
-- Enforced usage limit is thus 1.6G, of which 1.2G are still available.
--
-- The limits controlling how much disk space is used by the journal may
-- be configured with SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=,
-- RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize= settings in
-- /etc/systemd/journald.conf. See journald.conf(5) for details.

8 years ago journald: allow additional payload in server_driver_message
Zbigniew Jędrzejewski-Szmek [Sun, 8 Nov 2015 19:05:55 +0000 (14:05 -0500)]
journald: allow additional payload in server_driver_message

The code to format the iovec is shared with log.c. All call sites to
server_driver_message are changed to include the additional "MESSAGE="
part, but the new functionality is not used and change in functionality
is not expected.

iovec is preallocated, so the maximum number of messages is limited.
In server_driver_message N_IOVEC_PAYLOAD_FIELDS is currently set to 1.

New code is not oom safe, it will fail if memory cannot be allocated.
This will be fixed in a subsequent commit.

8 years ago TODO: remove syslog broadcasting
Zbigniew Jędrzejewski-Szmek [Sun, 24 Jan 2016 00:41:45 +0000 (19:41 -0500)]
TODO: remove syslog broadcasting

This should most likely be implemented as part of journal-netlogd
(https://github.com/systemd/systemd/pull/1890), which it seems
is not going to be merged.

systemctl edit was mentioned twice.

8 years ago udevd: do not clean up fds in main
Zbigniew Jędrzejewski-Szmek [Sat, 23 Jan 2016 16:45:22 +0000 (11:45 -0500)]
udevd: do not clean up fds in main

fds will also be closed during manager cleanup in run, leading
to an error when we try to close them again. It is now possible
to "leak" the fds on error, but it's an unlikely event and we
will exit immediately anyway.

Fixes #2418.

8 years ago Merge pull request #2410 from dobyrch/master
Lennart Poettering [Fri, 22 Jan 2016 16:28:59 +0000 (17:28 +0100)]
Merge pull request #2410 from dobyrch/master

systemctl: Allow 'edit' and 'cat' on unloaded units

8 years ago Merge pull request #2412 from fbuihuu/device-fixes
Lennart Poettering [Fri, 22 Jan 2016 16:28:05 +0000 (17:28 +0100)]
Merge pull request #2412 from fbuihuu/device-fixes

Device fixes

8 years ago device: make sure to not ignore re-plugged device
Franck Bui [Fri, 22 Jan 2016 06:18:19 +0000 (07:18 +0100)]
device: make sure to not ignore re-plugged device

systemd automatically mounts a device unless 'noauto' is part of the
mount options. This can happen during boot if the device is plugged at
that time or later when the system is already running (the latter case
is not documented AFAICS).

After systemd booted, I plugged in my USB device which had an entry
in /etc/fstab with the default options and systemd automatically
mounted it.

However I noticed that if I unplugged and re-plugged the device the
automatic mounting of the device didn't work anymore: systemd didn't
notice that the device was re-plugged.

This was due to the device unit which was not recycled by the GC
during the unplug event because in the case of automounting, the mount
unit still referenced it. When the device was re-plugged, the old
device unit was reused but it still had the old sysfs path (amongst
other useful information).

Systemd was confused by the stalled sysfs path and decided to ignore
the plug event.

This patch fixes this issue by simply not doing the sanity checking on
the sysfs path if the device is in unplugged state.