resolved: tone down comment in /run/systemd/{stub-,}resolve.conf

There are legitimate reasons to access the file directly, as currently discussed on fedora-devel. Hence tone things down from "must" to "should typically not". Also, let's use fputs() instead of fputs_unlocked() here, fopen_temporary_label() turns off stdio locking anyway for the whole FILE*, hence no need to do this manually each time.
Merge pull request #15448 from keszybz/logind-avoid-polkit-query
2020-04-16 19:43:00 +02:00 · 2020-04-16 19:42:42 +02:00 · 2020-04-16 16:33:01 +02:00 · 2020-04-16 16:32:05 +02:00 · 2020-04-16 16:11:24 +02:00 · 2020-04-16 14:11:44 +02:00
15 changed files with 108 additions and 50 deletions
--- a/man/nss-myhostname.xml
+++ b/man/nss-myhostname.xml
@ -67,9 +67,13 @@
    <para>To activate the NSS modules, add <literal>myhostname</literal> to the line starting with
    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>

-    <para>It is recommended to place <literal>myhostname</literal> last in the <filename>nsswitch.conf</filename>'
-    <literal>hosts:</literal> line to make sure that this mapping is only used as fallback, and that any DNS or
-    <filename>/etc/hosts</filename> based mapping takes precedence.</para>
+    <para>It is recommended to place <literal>myhostname</literal> either between <literal>resolve</literal>
+    and "traditional" modules like <literal>files</literal> and <literal>dns</literal>, or after them. In the
+    first version, well-known names like <literal>localhost</literal> and the machine hostname are given
+    higher priority than the external configuration. This is recommended when the external DNS servers and
+    network are not absolutely trusted. In the second version, external configuration is given higher
+    priority and <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable
+    in closely controlled networks, for example on a company LAN.</para>
  </refsect1>

  <refsect1>
@ -83,7 +87,10 @@
 group:          compat mymachines systemd
 shadow:         compat

-hosts:          files mymachines resolve [!UNAVAIL=return] dns <command>myhostname</command>
+# Either (untrusted network):
+hosts:          mymachines resolve [!UNAVAIL=return] <command>myhostname</command> files dns
+# Or (only trusted networks):
+hosts:          mymachines resolve [!UNAVAIL=return] files dns <command>myhostname</command>
 networks:       files

 protocols:      db files
--- a/man/nss-mymachines.xml
+++ b/man/nss-mymachines.xml
@ -69,7 +69,7 @@
 group:          compat <command>mymachines</command> systemd
 shadow:         compat

-hosts:          files <command>mymachines</command> resolve [!UNAVAIL=return] dns myhostname
+hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] myhostname files dns
 networks:       files

 protocols:      db files
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@ -34,14 +34,15 @@
    name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
    hostnames via DNS.</para>

-    <para>To activate the NSS module, add <literal>resolve</literal> to the line starting with
-    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is recommended to place
-    <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s <literal>hosts:</literal> line (but
-    after the <literal>files</literal> or <literal>mymachines</literal> entries), right before the
-    <literal>dns</literal> entry if it exists, followed by <literal>[!UNAVAIL=return]</literal>, to ensure DNS queries
-    are always routed via
-    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> if it is
-    running, but are routed to <command>nss-dns</command> if this service is not available.</para>
+    <para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
+    with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
+    recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
+    <literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
+    <filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
+    caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
+    local VMs and containers precedence over names received over DNS. Finally, we recommend placing
+    <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
+    <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>

    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource
    records in a few cases, for example for <literal>localhost</literal> and the
@ -66,7 +67,7 @@
 group:          compat mymachines systemd
 shadow:         compat

-hosts:          files mymachines <command>resolve [!UNAVAIL=return]</command> dns myhostname
+hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> myhostname files dns
 networks:       files

 protocols:      db files
--- a/man/nss-systemd.xml
+++ b/man/nss-systemd.xml
@ -65,7 +65,7 @@
 group:          compat [SUCCESS=merge] mymachines [SUCCESS=merge] <command>systemd</command>
 shadow:         compat

-hosts:          files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts:          mymachines resolve [!UNAVAIL=return] myhostname files dns
 networks:       files

 protocols:      db files
--- a/meson.build
+++ b/meson.build
@ -1714,7 +1714,7 @@ exe = executable('systemd-analyze',
                                 libmount,
                                 libblkid],
                 install_rpath : rootlibexecdir,
-                 install : true)
+                 install : get_option('analyze'))
 public_programs += exe

 executable('systemd-journald',
@ -3500,6 +3500,8 @@ foreach tuple : [
        ['link-systemctl-shared', get_option('link-systemctl-shared')],
        ['link-networkd-shared',  get_option('link-networkd-shared')],
        ['link-timesyncd-shared', get_option('link-timesyncd-shared')],
+        ['kernel-install',        get_option('kernel-install')],
+        ['systemd-analyze',       get_option('analyze')],
 ]

        if tuple.length() >= 2
--- a/meson_options.txt
+++ b/meson_options.txt
@ -363,4 +363,6 @@ option('oss-fuzz', type : 'boolean', value : 'false',
 option('llvm-fuzz', type : 'boolean', value : 'false',
       description : 'build against LLVM libFuzzer')
 option('kernel-install', type: 'boolean', value: 'true',
-       description : 'include kernel-install feature')
+       description : 'install kernel-install and associated files')
+option('analyze', type: 'boolean', value: 'true',
+       description : 'install systemd-analyze')
--- a/src/core/manager.c
+++ b/src/core/manager.c
@ -2931,12 +2931,10 @@ int manager_loop(Manager *m) {
                if (manager_dispatch_dbus_queue(m) > 0)
                        continue;

-                /* Sleep for half the watchdog time */
-                if (timestamp_is_set(m->runtime_watchdog) && MANAGER_IS_SYSTEM(m)) {
-                        wait_usec = m->runtime_watchdog / 2;
-                        if (wait_usec <= 0)
-                                wait_usec = 1;
-                } else
+                /* Sleep for watchdog runtime wait time */
+                if (MANAGER_IS_SYSTEM(m))
+                        wait_usec = watchdog_runtime_wait();
+                else
                        wait_usec = USEC_INFINITY;

                r = sd_event_run(m->event, wait_usec);
--- a/src/login/loginctl.c
+++ b/src/login/loginctl.c
@ -825,7 +825,15 @@ static int show_properties(sd_bus *bus, const char *path, bool *new_line) {

        *new_line = true;

-        r = bus_print_all_properties(bus, "org.freedesktop.login1", path, print_property, arg_property, arg_value, arg_all, NULL);
+        r = bus_print_all_properties(
+                        bus,
+                        "org.freedesktop.login1",
+                        path,
+                        print_property,
+                        arg_property,
+                        arg_value,
+                        arg_all,
+                        NULL);
        if (r < 0)
                return bus_log_parse_error(r);

@ -1347,7 +1355,6 @@ static int help(int argc, char *argv[], void *userdata) {
 }

 static int parse_argv(int argc, char *argv[]) {
-
        enum {
                ARG_VERSION = 0x100,
                ARG_VALUE,
@ -1486,7 +1493,6 @@ static int parse_argv(int argc, char *argv[]) {
 }

 static int loginctl_main(int argc, char *argv[], sd_bus *bus) {
-
        static const Verb verbs[] = {
                { "help",              VERB_ANY, VERB_ANY, 0,            help              },
                { "list-sessions",     VERB_ANY, 1,        VERB_DEFAULT, list_sessions     },
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@ -3170,6 +3170,12 @@ static int method_set_wall_message(
        if (r < 0)
                return r;

+        /* Short-circuit the operation if the desired state is already in place, to
+         * avoid an unnecessary polkit permission check. */
+        if (streq_ptr(m->wall_message, empty_to_null(wall_message)) &&
+            m->enable_wall_messages == enable_wall_messages)
+                goto done;
+
        r = bus_verify_polkit_async(message,
                                    CAP_SYS_ADMIN,
                                    "org.freedesktop.login1.set-wall-message",
@ -3189,6 +3195,7 @@ static int method_set_wall_message(

        m->enable_wall_messages = enable_wall_messages;

+ done:
        return sd_bus_reply_method_return(message, NULL);
 }

--- a/src/resolve/resolved-resolv-conf.c
+++ b/src/resolve/resolved-resolv-conf.c
@ -283,9 +283,9 @@ static int write_uplink_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSe
              "# This is a dynamic resolv.conf file for connecting local clients directly to\n"
              "# all known uplink DNS servers. This file lists all configured search domains.\n"
              "#\n"
-              "# Third party programs must not access this file directly, but only through the\n"
-              "# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,\n"
-              "# replace this symlink by a static file or a different symlink.\n"
+              "# Third party programs should typically not access this file directly, but only\n"
+              "# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
+              "# different way, replace this symlink by a static file or a different symlink.\n"
              "#\n"
              "# See man:systemd-resolved.service(8) for details about the supported modes of\n"
              "# operation for /etc/resolv.conf.\n"
@ -308,7 +308,7 @@ static int write_uplink_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSe
 }

 static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *domains) {
-        fputs_unlocked("# This file is managed by man:systemd-resolved(8). Do not edit.\n"
+        fputs("# This file is managed by man:systemd-resolved(8). Do not edit.\n"
              "#\n"
              "# This is a dynamic resolv.conf file for connecting local clients to the\n"
              "# internal DNS stub resolver of systemd-resolved. This file lists all\n"
@ -317,9 +317,9 @@ static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet
              "# Run \"resolvectl status\" to see details about the uplink DNS servers\n"
              "# currently in use.\n"
              "#\n"
-                       "# Third party programs must not access this file directly, but only through the\n"
-                       "# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,\n"
-                       "# replace this symlink by a static file or a different symlink.\n"
+              "# Third party programs should typically not access this file directly, but only\n"
+              "# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
+              "# different way, replace this symlink by a static file or a different symlink.\n"
              "#\n"
              "# See man:systemd-resolved.service(8) for details about the supported modes of\n"
              "# operation for /etc/resolv.conf.\n"
--- a/src/shared/watchdog.c
+++ b/src/shared/watchdog.c
@ -16,6 +16,7 @@
 static int watchdog_fd = -1;
 static char *watchdog_device = NULL;
 static usec_t watchdog_timeout = USEC_INFINITY;
+static usec_t watchdog_last_ping = USEC_INFINITY;

 static int update_timeout(void) {
        int r;
@ -57,6 +58,8 @@ static int update_timeout(void) {
                r = ioctl(watchdog_fd, WDIOC_KEEPALIVE, 0);
                if (r < 0)
                        return log_warning_errno(errno, "Failed to ping hardware watchdog: %m");
+
+                watchdog_last_ping = now(clock_boottime_or_monotonic());
        }

        return 0;
@ -114,9 +117,38 @@ int watchdog_set_timeout(usec_t *usec) {
        return r;
 }

+usec_t watchdog_runtime_wait(void) {
+        usec_t rtwait;
+        usec_t ntime;
+
+        if (!timestamp_is_set(watchdog_timeout))
+                return USEC_INFINITY;
+
+        /* Sleep half the watchdog timeout since the last succesful ping at most */
+        if (timestamp_is_set(watchdog_last_ping)) {
+                ntime = now(clock_boottime_or_monotonic());
+                assert(ntime >= watchdog_last_ping);
+                rtwait = usec_sub_unsigned(watchdog_last_ping + (watchdog_timeout / 2), ntime);
+        } else
+                rtwait = watchdog_timeout / 2;
+
+        return rtwait;
+}
+
 int watchdog_ping(void) {
+        usec_t ntime;
        int r;

+        ntime = now(clock_boottime_or_monotonic());
+
+        /* Never ping earlier than watchdog_timeout/4 and try to ping
+         * by watchdog_timeout/2 plus scheduling latencies the latest */
+        if (timestamp_is_set(watchdog_last_ping)) {
+                assert(ntime >= watchdog_last_ping);
+                if ((ntime - watchdog_last_ping) < (watchdog_timeout / 4))
+                        return 0;
+        }
+
        if (watchdog_fd < 0) {
                r = open_watchdog();
                if (r < 0)
@ -127,6 +159,8 @@ int watchdog_ping(void) {
        if (r < 0)
                return log_warning_errno(errno, "Failed to ping hardware watchdog: %m");

+        watchdog_last_ping = ntime;
+
        return 0;
 }

--- a/src/shared/watchdog.h
+++ b/src/shared/watchdog.h
@ -10,6 +10,7 @@ int watchdog_set_device(char *path);
 int watchdog_set_timeout(usec_t *usec);
 int watchdog_ping(void);
 void watchdog_close(bool disarm);
+usec_t watchdog_runtime_wait(void);

 static inline void watchdog_free_device(void) {
        (void) watchdog_set_device(NULL);
--- a/test/test-functions
+++ b/test/test-functions
@ -879,7 +879,7 @@ install_execs() {
         # also, plymouth is pulled in by rescue.service, but even there the exit code
         # is ignored; as it's not present on some distros, don't fail if it doesn't exist
         dinfo "Attempting to install $i"
-         inst $i || [ "${i%.local}" != "$i" ] || [ "${i%systemd-update-done}" != "$i" ] || [ "/bin/plymouth" == "$i" ]
+         inst $i || [ "${i%.local}" != "$i" ] || [ "${i%systemd-update-done}" != "$i" ] || [ "${i##*/}" == "plymouth" ]
     done
    )
 }
--- a/units/emergency.service.in
+++ b/units/emergency.service.in
@ -19,7 +19,7 @@ Before=rescue.service
 [Service]
 Environment=HOME=/root
 WorkingDirectory=-/root
-ExecStartPre=-/bin/plymouth --wait quit
+ExecStartPre=-@rootbindir@/plymouth --wait quit
 ExecStart=-@rootlibexecdir@/systemd-sulogin-shell emergency
 Type=idle
 StandardInput=tty-force
--- a/units/rescue.service.in
+++ b/units/rescue.service.in
@ -18,7 +18,7 @@ Before=shutdown.target
 [Service]
 Environment=HOME=/root
 WorkingDirectory=-/root
-ExecStartPre=-/bin/plymouth --wait quit
+ExecStartPre=-@rootbindir@/plymouth --wait quit
 ExecStart=-@rootlibexecdir@/systemd-sulogin-shell rescue
 Type=idle
 StandardInput=tty-force
Author	SHA1	Message	Date
Lennart Poettering	ce416f425c	resolved: tone down comment in /run/systemd/{stub-,}resolve.conf There are legitimate reasons to access the file directly, as currently discussed on fedora-devel. Hence tone things down from "must" to "should typically not". Also, let's use fputs() instead of fputs_unlocked() here, fopen_temporary_label() turns off stdio locking anyway for the whole FILE*, hence no need to do this manually each time.	2020-04-16 19:43:00 +02:00
Lennart Poettering	b11b278097	Merge pull request #15448 from keszybz/logind-avoid-polkit-query logind: avoid polkit query for SetWallMessage()	2020-04-16 19:42:42 +02:00
Lennart Poettering	e46736fbb6	units: use correct path to refer to plymouth This doesn't really matter, since in non-/usr-merged systems plymouth needs to be in /bin and on merged ones it doesn't matter, but it is still prettier to insert the right path, and avoid /bin on merged systems, since it's just a compat symlink. Replaces: #15351	2020-04-16 16:33:01 +02:00
Alin Popa	c5f8a179a2	watchdog: reduce watchdog pings in timeout interval The watchdog ping is performed for every iteration of manager event loop. This results in a lot of ioctls on watchdog device driver especially during boot or if services are aggressively using sd_notify. Depending on the watchdog device driver this may have performance impact on embedded systems. The patch skips sending the watchdog to device driver if the ping is requested before half of the watchdog timeout.	2020-04-16 16:32:05 +02:00
Lennart Poettering	0f6d7be844	Merge pull request #15437 from keszybz/man-nss-resolve Move "files" and "dns" later in the recommended hosts: lines	2020-04-16 16:11:24 +02:00
Lennart Poettering	9ba4029f8f	Merge pull request #15441 from sartura/src/analyze systemd-analyze: Add new meson configure option for controlling systemd-analyze support	2020-04-16 14:11:44 +02:00
Zbigniew Jędrzejewski-Szmek	5644d47b7c	logind: skip polkit query with --no-wall Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1800875.	2020-04-16 14:07:39 +02:00
Zbigniew Jędrzejewski-Szmek	8183ebcd45	loginctl: adjust indentation	2020-04-16 13:18:03 +02:00
Zbigniew Jędrzejewski-Szmek	f2a20e9966	man: move "myhostname" right after "resolve" The text in the man page provides the justification why I think this is generally the right thing. An additional reason is that with the previous commit (to move resolved earlier), since resolved internally implements the same rules that nss-myhostname does, we'd have this strange inversion where the priority of external configuration would be different in the "resolve" path and in the fallback path.	2020-04-16 12:13:42 +02:00
Zbigniew Jędrzejewski-Szmek	44b7aedbde	man: move "files" after "resolve" in the suggested configuration resolved caches files, so we should move nss-files after nss-resolve to speed up local access (and yes, people like to have thousands of lines in /etc/hosts). See https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/LCX6YXLM62QEYJSOLJBWXXVXTZVL73GI/ for the background.	2020-04-16 12:13:39 +02:00
Jakov Smolic	f30bf4d937	Include new configure options in features list Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr> Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>	2020-04-16 10:40:31 +02:00
Jakov Smolic	dd0f79523f	Add new meson configure option for controlling systemd-analyze support Enables building systemd without systemd-analyze, which in return saves approx. 4 MB of space upon installing systemd. Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr> Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>	2020-04-15 17:53:43 +02:00