resolved: tone down comment in /run/systemd/{stub-,}resolve.conf

There are legitimate reasons to access the file directly, as currently
discussed on fedora-devel. Hence tone things down from "must" to "should
typically not".

Also, let's use fputs() instead of fputs_unlocked() here,
fopen_temporary_label() turns off stdio locking anyway for the whole
FILE*, hence no need to do this manually each time.

man/nss-myhostname.xml

@@ -67,9 +67,13 @@
     <para>To activate the NSS modules, add <literal>myhostname</literal> to the line starting with
     <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
 
-    <para>It is recommended to place <literal>myhostname</literal> last in the <filename>nsswitch.conf</filename>'
+    <para>It is recommended to place <literal>myhostname</literal> either between <literal>resolve</literal>
-    <literal>hosts:</literal> line to make sure that this mapping is only used as fallback, and that any DNS or
+    and "traditional" modules like <literal>files</literal> and <literal>dns</literal>, or after them. In the
-    <filename>/etc/hosts</filename> based mapping takes precedence.</para>
+    first version, well-known names like <literal>localhost</literal> and the machine hostname are given
+    higher priority than the external configuration. This is recommended when the external DNS servers and
+    network are not absolutely trusted. In the second version, external configuration is given higher
+    priority and <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable
+    in closely controlled networks, for example on a company LAN.</para>
   </refsect1>
 
   <refsect1>
@@ -83,7 +87,10 @@
 group:          compat mymachines systemd
 shadow:         compat
 
-hosts:          files mymachines resolve [!UNAVAIL=return] dns <command>myhostname</command>
+# Either (untrusted network):
+hosts:          mymachines resolve [!UNAVAIL=return] <command>myhostname</command> files dns
+# Or (only trusted networks):
+hosts:          mymachines resolve [!UNAVAIL=return] files dns <command>myhostname</command>
 networks:       files
 
 protocols:      db files

man/nss-mymachines.xml

@@ -69,7 +69,7 @@
 group:          compat <command>mymachines</command> systemd
 shadow:         compat
 
-hosts:          files <command>mymachines</command> resolve [!UNAVAIL=return] dns myhostname
+hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] myhostname files dns
 networks:       files
 
 protocols:      db files

man/nss-resolve.xml

@@ -34,14 +34,15 @@
     name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
     hostnames via DNS.</para>
 
-    <para>To activate the NSS module, add <literal>resolve</literal> to the line starting with
+    <para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
-    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is recommended to place
+    with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
-    <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s <literal>hosts:</literal> line (but
+    recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
-    after the <literal>files</literal> or <literal>mymachines</literal> entries), right before the
+    <literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
-    <literal>dns</literal> entry if it exists, followed by <literal>[!UNAVAIL=return]</literal>, to ensure DNS queries
+    <filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
-    are always routed via
+    caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
-    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> if it is
+    local VMs and containers precedence over names received over DNS. Finally, we recommend placing
-    running, but are routed to <command>nss-dns</command> if this service is not available.</para>
+    <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
+    <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>
 
     <para>Note that <command>systemd-resolved</command> will synthesize DNS resource
     records in a few cases, for example for <literal>localhost</literal> and the
@@ -66,7 +67,7 @@
 group:          compat mymachines systemd
 shadow:         compat
 
-hosts:          files mymachines <command>resolve [!UNAVAIL=return]</command> dns myhostname
+hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> myhostname files dns
 networks:       files
 
 protocols:      db files

man/nss-systemd.xml

@@ -65,7 +65,7 @@
 group:          compat [SUCCESS=merge] mymachines [SUCCESS=merge] <command>systemd</command>
 shadow:         compat
 
-hosts:          files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts:          mymachines resolve [!UNAVAIL=return] myhostname files dns
 networks:       files
 
 protocols:      db files

meson.build

@@ -1714,7 +1714,7 @@ exe = executable('systemd-analyze',
                                  libmount,
                                  libblkid],
                  install_rpath : rootlibexecdir,
-                 install : true)
+                 install : get_option('analyze'))
 public_programs += exe
 
 executable('systemd-journald',
@@ -3500,6 +3500,8 @@ foreach tuple : [
         ['link-systemctl-shared', get_option('link-systemctl-shared')],
         ['link-networkd-shared',  get_option('link-networkd-shared')],
         ['link-timesyncd-shared', get_option('link-timesyncd-shared')],
+        ['kernel-install',        get_option('kernel-install')],
+        ['systemd-analyze',       get_option('analyze')],
 ]
 
         if tuple.length() >= 2

meson_options.txt

@@ -363,4 +363,6 @@ option('oss-fuzz', type : 'boolean', value : 'false',
 option('llvm-fuzz', type : 'boolean', value : 'false',
        description : 'build against LLVM libFuzzer')
 option('kernel-install', type: 'boolean', value: 'true',
-       description : 'include kernel-install feature')
+       description : 'install kernel-install and associated files')
+option('analyze', type: 'boolean', value: 'true',
+       description : 'install systemd-analyze')

src/core/manager.c

@@ -2931,12 +2931,10 @@ int manager_loop(Manager *m) {
                 if (manager_dispatch_dbus_queue(m) > 0)
                         continue;
 
-                /* Sleep for half the watchdog time */
+                /* Sleep for watchdog runtime wait time */
-                if (timestamp_is_set(m->runtime_watchdog) && MANAGER_IS_SYSTEM(m)) {
+                if (MANAGER_IS_SYSTEM(m))
-                        wait_usec = m->runtime_watchdog / 2;
+                        wait_usec = watchdog_runtime_wait();
-                        if (wait_usec <= 0)
+                else
-                                wait_usec = 1;
-                } else
                         wait_usec = USEC_INFINITY;
 
                 r = sd_event_run(m->event, wait_usec);

src/login/loginctl.c

@@ -825,7 +825,15 @@ static int show_properties(sd_bus *bus, const char *path, bool *new_line) {
 
         *new_line = true;
 
-        r = bus_print_all_properties(bus, "org.freedesktop.login1", path, print_property, arg_property, arg_value, arg_all, NULL);
+        r = bus_print_all_properties(
+                        bus,
+                        "org.freedesktop.login1",
+                        path,
+                        print_property,
+                        arg_property,
+                        arg_value,
+                        arg_all,
+                        NULL);
         if (r < 0)
                 return bus_log_parse_error(r);
 
@@ -1347,7 +1355,6 @@ static int help(int argc, char *argv[], void *userdata) {
 }
 
 static int parse_argv(int argc, char *argv[]) {
-
         enum {
                 ARG_VERSION = 0x100,
                 ARG_VALUE,
@@ -1486,7 +1493,6 @@ static int parse_argv(int argc, char *argv[]) {
 }
 
 static int loginctl_main(int argc, char *argv[], sd_bus *bus) {
-
         static const Verb verbs[] = {
                 { "help",              VERB_ANY, VERB_ANY, 0,            help              },
                 { "list-sessions",     VERB_ANY, 1,        VERB_DEFAULT, list_sessions     },

src/login/logind-dbus.c

@@ -3170,6 +3170,12 @@ static int method_set_wall_message(
         if (r < 0)
                 return r;
 
+        /* Short-circuit the operation if the desired state is already in place, to
+         * avoid an unnecessary polkit permission check. */
+        if (streq_ptr(m->wall_message, empty_to_null(wall_message)) &&
+            m->enable_wall_messages == enable_wall_messages)
+                goto done;
+
         r = bus_verify_polkit_async(message,
                                     CAP_SYS_ADMIN,
                                     "org.freedesktop.login1.set-wall-message",
@@ -3189,6 +3195,7 @@ static int method_set_wall_message(
 
         m->enable_wall_messages = enable_wall_messages;
 
+ done:
         return sd_bus_reply_method_return(message, NULL);
 }
 

src/resolve/resolved-resolv-conf.c

@@ -283,9 +283,9 @@ static int write_uplink_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSe
               "# This is a dynamic resolv.conf file for connecting local clients directly to\n"
               "# all known uplink DNS servers. This file lists all configured search domains.\n"
               "#\n"
-              "# Third party programs must not access this file directly, but only through the\n"
+              "# Third party programs should typically not access this file directly, but only\n"
-              "# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,\n"
+              "# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
-              "# replace this symlink by a static file or a different symlink.\n"
+              "# different way, replace this symlink by a static file or a different symlink.\n"
               "#\n"
               "# See man:systemd-resolved.service(8) for details about the supported modes of\n"
               "# operation for /etc/resolv.conf.\n"
@@ -308,7 +308,7 @@ static int write_uplink_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSe
 }
 
 static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *domains) {
-        fputs_unlocked("# This file is managed by man:systemd-resolved(8). Do not edit.\n"
+        fputs("# This file is managed by man:systemd-resolved(8). Do not edit.\n"
               "#\n"
               "# This is a dynamic resolv.conf file for connecting local clients to the\n"
               "# internal DNS stub resolver of systemd-resolved. This file lists all\n"
@@ -317,9 +317,9 @@ static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet
               "# Run \"resolvectl status\" to see details about the uplink DNS servers\n"
               "# currently in use.\n"
               "#\n"
-                       "# Third party programs must not access this file directly, but only through the\n"
+              "# Third party programs should typically not access this file directly, but only\n"
-                       "# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,\n"
+              "# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
-                       "# replace this symlink by a static file or a different symlink.\n"
+              "# different way, replace this symlink by a static file or a different symlink.\n"
               "#\n"
               "# See man:systemd-resolved.service(8) for details about the supported modes of\n"
               "# operation for /etc/resolv.conf.\n"

src/shared/watchdog.c

@@ -16,6 +16,7 @@
 static int watchdog_fd = -1;
 static char *watchdog_device = NULL;
 static usec_t watchdog_timeout = USEC_INFINITY;
+static usec_t watchdog_last_ping = USEC_INFINITY;
 
 static int update_timeout(void) {
         int r;
@@ -57,6 +58,8 @@ static int update_timeout(void) {
                 r = ioctl(watchdog_fd, WDIOC_KEEPALIVE, 0);
                 if (r < 0)
                         return log_warning_errno(errno, "Failed to ping hardware watchdog: %m");
+
+                watchdog_last_ping = now(clock_boottime_or_monotonic());
         }
 
         return 0;
@@ -114,9 +117,38 @@ int watchdog_set_timeout(usec_t *usec) {
         return r;
 }
 
+usec_t watchdog_runtime_wait(void) {
+        usec_t rtwait;
+        usec_t ntime;
+
+        if (!timestamp_is_set(watchdog_timeout))
+                return USEC_INFINITY;
+
+        /* Sleep half the watchdog timeout since the last succesful ping at most */
+        if (timestamp_is_set(watchdog_last_ping)) {
+                ntime = now(clock_boottime_or_monotonic());
+                assert(ntime >= watchdog_last_ping);
+                rtwait = usec_sub_unsigned(watchdog_last_ping + (watchdog_timeout / 2), ntime);
+        } else
+                rtwait = watchdog_timeout / 2;
+
+        return rtwait;
+}
+
 int watchdog_ping(void) {
+        usec_t ntime;
         int r;
 
+        ntime = now(clock_boottime_or_monotonic());
+
+        /* Never ping earlier than watchdog_timeout/4 and try to ping
+         * by watchdog_timeout/2 plus scheduling latencies the latest */
+        if (timestamp_is_set(watchdog_last_ping)) {
+                assert(ntime >= watchdog_last_ping);
+                if ((ntime - watchdog_last_ping) < (watchdog_timeout / 4))
+                        return 0;
+        }
+
         if (watchdog_fd < 0) {
                 r = open_watchdog();
                 if (r < 0)
@@ -127,6 +159,8 @@ int watchdog_ping(void) {
         if (r < 0)
                 return log_warning_errno(errno, "Failed to ping hardware watchdog: %m");
 
+        watchdog_last_ping = ntime;
+
         return 0;
 }
 

src/shared/watchdog.h

@@ -10,6 +10,7 @@ int watchdog_set_device(char *path);
 int watchdog_set_timeout(usec_t *usec);
 int watchdog_ping(void);
 void watchdog_close(bool disarm);
+usec_t watchdog_runtime_wait(void);
 
 static inline void watchdog_free_device(void) {
         (void) watchdog_set_device(NULL);

test/test-functions

@@ -879,7 +879,7 @@ install_execs() {
          # also, plymouth is pulled in by rescue.service, but even there the exit code
          # is ignored; as it's not present on some distros, don't fail if it doesn't exist
          dinfo "Attempting to install $i"
-         inst $i || [ "${i%.local}" != "$i" ] || [ "${i%systemd-update-done}" != "$i" ] || [ "/bin/plymouth" == "$i" ]
+         inst $i || [ "${i%.local}" != "$i" ] || [ "${i%systemd-update-done}" != "$i" ] || [ "${i##*/}" == "plymouth" ]
      done
     )
 }

units/emergency.service.in

@@ -19,7 +19,7 @@ Before=rescue.service
 [Service]
 Environment=HOME=/root
 WorkingDirectory=-/root
-ExecStartPre=-/bin/plymouth --wait quit
+ExecStartPre=-@rootbindir@/plymouth --wait quit
 ExecStart=-@rootlibexecdir@/systemd-sulogin-shell emergency
 Type=idle
 StandardInput=tty-force

units/rescue.service.in

@@ -18,7 +18,7 @@ Before=shutdown.target
 [Service]
 Environment=HOME=/root
 WorkingDirectory=-/root
-ExecStartPre=-/bin/plymouth --wait quit
+ExecStartPre=-@rootbindir@/plymouth --wait quit
 ExecStart=-@rootlibexecdir@/systemd-sulogin-shell rescue
 Type=idle
 StandardInput=tty-force