Compare commits

..

30 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek 95b29f3267
Merge pull request #16396 from yuwata/network-configured-flag
network: about xxx_configured flags
2020-07-15 15:45:38 +02:00
Zbigniew Jędrzejewski-Szmek b8ff0663e8
Merge pull request #16468 from keszybz/two-unrelated-patches
Two unrelated patches
2020-07-15 13:40:22 +02:00
Yu Watanabe 43bf28741f network: drop doubled white space 2020-07-15 17:15:25 +09:00
Yu Watanabe 93b0b88c3a network: free address when it is removed 2020-07-15 17:15:25 +09:00
Yu Watanabe 6906794dd1 network: dhcp4: do not assign new address before old one is not removed
If DHCP4 client lost a lease, and then soon acquire new lease, then
the removal of the old address may not be completed. If that happens,
and the new and old addresses are the same, then the new address will be
considered as a foreign address. Such a situation can occur when the
DHCP4 server is restarted.

This makes networkd wait for the removal of the old address when a new
lease is acquired.

This also makes the link in configuring state when renewing address.
2020-07-15 17:15:25 +09:00
Yu Watanabe 5d976f5f64 network: do not call link_check_ready() in link_request_set_routing_policy_rule()
It will be called in link_request_set_nexthop() or serveral handlers().
2020-07-15 17:15:25 +09:00
Yu Watanabe 0c816fcc7b network: make link_request_set_nexthop() called from link_request_set_routes() or route_handler()
Then we can drop static_routes_ready() flag.
2020-07-15 17:15:25 +09:00
Yu Watanabe 659ad3a0af network: do not make link in configured state when no address is assigned
When DHCP6 and RA are enabled, and RA does not provide any addresses,
then link may become configured state even if no address is assigned,
due to the time-lag between RA completion and DHCP reply.
This makes if DHCP is explicitly enabled, then link must have at least
one valid address to be in the configured state.
2020-07-15 17:15:25 +09:00
Yu Watanabe d98c546dac network: ndisc: split ndisc_configured flag into for addresses and routes 2020-07-15 17:15:25 +09:00
Yu Watanabe 01c344bdd4 network: ndisc: do not ignore remaining addresses
Follow-up for c24c83dc67.
2020-07-15 17:15:25 +09:00
Yu Watanabe 571f953934 test-network: wait for addresses are not in tentative state 2020-07-15 17:15:25 +09:00
Yu Watanabe 39373cb984 network: add debugging log why link is not in configured state yet 2020-07-15 17:15:16 +09:00
Yu Watanabe c5fcd8a70a test-network: check assigned address is not tentative state 2020-07-15 17:14:30 +09:00
Yu Watanabe 491b79aeac test-network: set IPv6AcceptRA=no if no dynamic addresses are not required 2020-07-15 17:14:30 +09:00
Yu Watanabe eb01a2dfb1 network: make link_request_set_nexthop() static 2020-07-15 17:14:30 +09:00
Yu Watanabe a4623f84ed network: add a debugging log 2020-07-15 17:14:30 +09:00
Yu Watanabe feb596b5c3 network: include error code in the log message 2020-07-15 17:14:30 +09:00
Yu Watanabe 2a877f4560 network: set dhcp6_xxx_configured flag after routes/addresses are assigned 2020-07-15 17:14:30 +09:00
Lennart Poettering ee5c1311ee logs: when embedding catalog info in log output use a dash of color and unicode
let's separate things out a bit, to make it easier to discern log output
and catalog data.

catalog data is now colored green (which is a color we don't use for log
data currently), and prefixed with a block shade.
2020-07-15 09:32:03 +02:00
Zbigniew Jędrzejewski-Szmek a996ead6a2
Merge pull request #16398 from poettering/machined-varlink
machined: move UID/GID resolution logic to userdb, i.e. from nss-mymachines to nss-systemd
2020-07-15 09:24:49 +02:00
Filipe Brandenburger 26698337f3 timer: Adjust calendar timers based on monotonic timer instead of realtime
When the RTC time at boot is off in the future by a few days, OnCalendar=
timers will be scheduled based on the time at boot. But if the time has been
adjusted since boot, the timers will end up scheduled way in the future, which
may cause them not to fire as shortly or often as expected.

Update the logic so that the time will be adjusted based on monotonic time.
We do that by calculating the adjusted manager startup realtime from the
monotonic time stored at that time, by comparing that time with the realtime
and monotonic time of the current time.

Added a test case to validate this works as expected. The test case creates a
QEMU virtual machine with the clock 3 days in the future. Then we adjust the
clock back 3 days, and test creating a timer with an OnCalendar= for every 15
minutes. We also check the manager startup timestamp from both `systemd-analyze
dump` and from D-Bus.

Test output without the corresponding code changes that fix the issue:

  Timer elapse outside of the expected 20 minute window.
    next_elapsed=1594686119
    now=1594426921
    time_delta=259198

With the code changes in, the test passes as expected.
2020-07-15 09:23:09 +02:00
Zbigniew Jędrzejewski-Szmek b56a877ef8 test-fs-util: use log_info instead of printf
The test is failing in koji, and the line from printf() does not end up
in the logs for some reason. log_info() works fine, so let's just use
that here too.
2020-07-14 22:18:38 +02:00
Zbigniew Jędrzejewski-Szmek a318a5659a man: document F1 in sd-boot too
As suggested in https://github.com/systemd/systemd/issues/15125#issuecomment-658114524.
2020-07-14 19:31:21 +02:00
Lennart Poettering dad2062f40 update TODO 2020-07-14 17:08:12 +02:00
Lennart Poettering 38ccb55731 nss-mymachines: drop support for UID/GID resolving
Now that we make the user/group name resolving available via userdb and
thus nss-systemd, we do not need the UID/GID resolving support in
nss-mymachines anymore. Let's drop it hence.

We keep the module around, since besides UID/GID resolving it also does
hostname resolving, which we care about. (One of those days we should
replace that by some Varlink logic between
nss-resolve/systemd-resolved.service too)

The hooks are kept in the NSS module, but they do not resolve anything
anymore, in order to keep compat at a maximum.
2020-07-14 17:08:12 +02:00
Lennart Poettering 4c2cf15751 man: document new varlink service 2020-07-14 17:08:12 +02:00
Lennart Poettering 4751364e76 machined: implement user/group lookup varlink API in machined too
Let's natively support our own API in machined too.

This allows us to remove half of nss-mymachines in a later commit.
2020-07-14 17:06:23 +02:00
Lennart Poettering 74d1b7d2ad machined: refactor UID/GID machine translation
Let's move the heavy lifting out of the bus call implemntations, and
into generic code.

This allows us to expose them easily via Varlink too in a later commit.
2020-07-14 17:06:23 +02:00
Lennart Poettering a07f18cd30 process-util: make sure procfs_file_alloca() works for non-literal field names too 2020-07-14 17:06:23 +02:00
Lennart Poettering 56870d324b docs: permit user/group services that do not support enumeration
sssd people don't like enumeration and for some other cases it's not
nice to support either, in particular when synthesizing records for
container/userns UID/GID ranges.

Hence, let's make enumeration optional.
2020-07-14 16:44:52 +02:00
81 changed files with 1450 additions and 826 deletions

22
README
View File

@ -262,19 +262,19 @@ USERS AND GROUPS:
NSS:
systemd ships with four glibc NSS modules:
nss-myhostname resolves the local hostname to locally
configured IP addresses, as well as "localhost" to
127.0.0.1/::1.
nss-myhostname resolves the local hostname to locally configured IP
addresses, as well as "localhost" to 127.0.0.1/::1.
nss-resolve enables DNS resolution via the systemd-resolved
DNS/LLMNR caching stub resolver "systemd-resolved".
nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR
caching stub resolver "systemd-resolved".
nss-mymachines enables resolution of all local containers registered
with machined to their respective IP addresses. It also maps UID/GIDs
ranges used by containers to useful names.
with machined to their respective IP addresses.
nss-systemd enables resolution of all dynamically allocated service
users. (See the DynamicUser= setting in unit files.)
nss-systemd enables resolution of users/group registered via the
User/Group Record Lookup API (https://systemd.io/USER_GROUP_API/),
including all dynamically allocated service users. (See the
DynamicUser= setting in unit files.)
To make use of these NSS modules, please add them to the "hosts:",
"passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
@ -283,8 +283,8 @@ NSS:
The four modules should be used in the following order:
passwd: compat mymachines systemd
group: compat mymachines systemd
passwd: compat systemd
group: compat systemd
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
SYSV INIT.D SCRIPTS:

1
TODO
View File

@ -336,7 +336,6 @@ Features:
* homed:
- when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
- hook up machined/nspawn users with a varlink user query interface
- rollback when resize fails mid-operation
- GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
- resize on login?

View File

@ -132,7 +132,7 @@ but downstreams are strongly advised against doing that.)
range is above the 16bit boundary. Moreover it's below the 31bit boundary,
as some broken code (specifically: the kernel's `devpts` file system)
erroneously considers UIDs signed integers, and hence can't deal with values
above 2^31. The `nss-mymachines` glibc NSS module will synthesize user
above 2^31. The `systemd-machined.service` service will synthesize user
database records for all UIDs assigned to a running container from this
range.
@ -240,14 +240,14 @@ the artifacts the container manager persistently leaves in the system.
| 5 | `tty` group | `systemd` | `/etc/passwd` |
| 6…999 | System users | Distributions | `/etc/passwd` |
| 1000…60000 | Regular users | Distributions | `/etc/passwd` + LDAP/NIS/… |
| 60001…60513 | Human Users (homed) | `systemd` | `nss-systemd`
| 60001…60513 | Human Users (homed) | `systemd` | `nss-systemd` |
| 60514…61183 | Unused | | |
| 61184…65519 | Dynamic service users | `systemd` | `nss-systemd` |
| 65520…65533 | Unused | | |
| 65534 | `nobody` user | Linux | `/etc/passwd` + `nss-systemd` |
| 65535 | 16bit `(uid_t) -1` | Linux | |
| 65536…524287 | Unused | | |
| 524288…1879048191 | Container UID ranges | `systemd` | `nss-mymachines` |
| 524288…1879048191 | Container UID ranges | `systemd` | `nss-systemd` |
| 1879048192…2147483647 | Unused | | |
| 2147483648…4294967294 | HIC SVNT LEONES | | |
| 4294967295 | 32bit `(uid_t) -1` | Linux | |

View File

@ -108,7 +108,7 @@ example, introspection is not available, and the resolver logic is not used.
## Other Services
The `systemd` project provides two other services implementing this
The `systemd` project provides three other services implementing this
interface. Specifically:
1. `io.systemd.DynamicUser` → This service is implemented by the service
@ -119,6 +119,10 @@ interface. Specifically:
and provides records for the users and groups defined by the home
directories it manages.
3. `io.systemd.Machine` → This service is implemented by
`systemd-machined.service` and provides records for the users and groups used
by local containers that use user namespacing.
Other projects are invited to implement these services too. For example it
would make sense for LDAP/ActiveDirectory projects to implement these
interfaces, which would provide them a way to do per-user resource management
@ -185,6 +189,7 @@ error NoRecordFound()
error BadService()
error ServiceNotAvailable()
error ConflictingRecordFound()
error EnumerationNotSupported()
```
The `GetUserRecord` method looks up or enumerates a user record. If the `uid`
@ -264,4 +269,11 @@ services. Result of this is that it can be one service that defines a user A,
and another service that defines a group B, and a third service that declares
that A is a member of B.
Looking up explicit users/groups by their name or UID/GID, or querying
user/group memberships must be supported by all services implementing these
interfaces. However, supporting enumeration (i.e. user/group lookups that may
result in more than one reply, because neither UID/GID nor name is specified)
is optional. Services which are asked for enumeration may return the
`EnumerationNotSupported` error in this case.
And that's really all there is to it.

View File

@ -1,7 +1,7 @@
# This file is part of systemd.
passwd: compat mymachines systemd
group: compat [SUCCESS=merge] mymachines [SUCCESS=merge] systemd
passwd: compat systemd
group: compat [SUCCESS=merge] systemd
shadow: compat
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname

View File

@ -82,8 +82,8 @@
<command>nss-myhostname</command> correctly:</para>
<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
<programlisting>passwd: compat mymachines systemd
group: compat mymachines systemd
<programlisting>passwd: compat systemd
group: compat systemd
shadow: compat
# Either (untrusted network):

View File

@ -39,22 +39,13 @@
Note that the name that is resolved is the one registered with <command>systemd-machined</command>, which
may be different than the hostname configured inside of the container.</para>
<para>The module also provides name resolution for user and group identifiers mapped to containers. All names from
the range allocated to a given container <replaceable>container</replaceable> are exposed on the host as
<literal>vu-<replaceable>container</replaceable>-<replaceable>uid</replaceable></literal> and
<literal>vg-<replaceable>container</replaceable>-<replaceable>gid</replaceable></literal> (see example below). This
functionality only applies to containers using user namespacing (see the description of
<option>--private-users</option> in
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
<para>To activate the NSS module, add <literal>mymachines</literal> to the lines starting with
<literal>hosts:</literal>, <literal>passwd:</literal> and <literal>group:</literal> in
<filename>/etc/nsswitch.conf</filename>.</para>
<para>To activate the NSS module, add <literal>mymachines</literal> to the line starting with
<literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
<para>It is recommended to place <literal>mymachines</literal> after the <literal>files</literal> or
<literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> lines to make sure that its mappings
are preferred over other resolvers such as DNS, but so that <filename>/etc/hosts</filename>,
<filename>/etc/passwd</filename> and <filename>/etc/group</filename> based mappings take precedence.</para>
<literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> line to make sure that its
mappings are preferred over other resolvers such as DNS, but so that <filename>/etc/hosts</filename>
based mappings take precedence.</para>
</refsect1>
<refsect1>
@ -64,8 +55,8 @@
<command>nss-mymachines</command> correctly:</para>
<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
<programlisting>passwd: compat <command>mymachines</command> systemd
group: compat <command>mymachines</command> systemd
<programlisting>passwd: compat systemd
group: compat systemd
shadow: compat
hosts: <command>mymachines</command> resolve [!UNAVAIL=return] myhostname files dns
@ -81,7 +72,7 @@ netgroup: nis</programlisting>
</refsect1>
<refsect1>
<title>Mappings provided by <filename>nss-mymachines</filename></title>
<title>Example: Mappings provided by <filename>nss-mymachines</filename></title>
<para>The container <literal>rawhide</literal> is spawned using
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
@ -96,29 +87,6 @@ $ machinectl --max-addresses=3
MACHINE CLASS SERVICE OS VERSION ADDRESSES
rawhide container systemd-nspawn fedora 30 169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
$ getent passwd vu-rawhide-0 vu-rawhide-81
vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin
$ getent group vg-rawhide-0 vg-rawhide-81
vg-rawhide-0:*:20119552:
vg-rawhide-81:*:20119633:
$ ps -o user:15,pid,tty,command -e|grep '^vu-rawhide'
vu-rawhide-0 692 ? /usr/lib/systemd/systemd
vu-rawhide-0 731 ? /usr/lib/systemd/systemd-journald
vu-rawhide-192 734 ? /usr/lib/systemd/systemd-networkd
vu-rawhide-193 738 ? /usr/lib/systemd/systemd-resolved
vu-rawhide-0 742 ? /usr/lib/systemd/systemd-logind
vu-rawhide-81 744 ? /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
vu-rawhide-0 746 ? /usr/sbin/sshd -D ...
vu-rawhide-0 752 ? /usr/lib/systemd/systemd --user
vu-rawhide-0 753 ? (sd-pam)
vu-rawhide-0 1628 ? login -- zbyszek
vu-rawhide-1000 1630 ? /usr/lib/systemd/systemd --user
vu-rawhide-1000 1631 ? (sd-pam)
vu-rawhide-1000 1637 pts/8 -zsh
$ ping -c1 rawhide
PING rawhide(fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide)) 56 data bytes
64 bytes from fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide): icmp_seq=1 ttl=64 time=0.045 ms

View File

@ -63,8 +63,8 @@
correctly:</para>
<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
<programlisting>passwd: compat mymachines systemd
group: compat mymachines systemd
<programlisting>passwd: compat systemd
group: compat systemd
shadow: compat
hosts: mymachines <command>resolve [!UNAVAIL=return]</command> myhostname files dns

View File

@ -35,8 +35,8 @@
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> (for its
<varname>DynamicUser=</varname> feature, see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details) or
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
details),
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para>This module also ensures that the root and nobody users and groups (i.e. the users/groups with the UIDs/GIDs
0 and 65534) remain resolvable at all times, even if they aren't listed in <filename>/etc/passwd</filename> or
@ -55,14 +55,14 @@
</refsect1>
<refsect1>
<title>Example</title>
<title>Configuration in <filename>/etc/nsswitch.conf</filename></title>
<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
<command>nss-systemd</command> correctly:</para>
<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
<programlisting>passwd: compat mymachines <command>systemd</command>
group: compat [SUCCESS=merge] mymachines [SUCCESS=merge] <command>systemd</command>
<programlisting>passwd: compat <command>systemd</command>
group: compat [SUCCESS=merge] <command>systemd</command>
shadow: compat
hosts: mymachines resolve [!UNAVAIL=return] myhostname files dns
@ -77,6 +77,47 @@ netgroup: nis</programlisting>
</refsect1>
<refsect1>
<title>Example: Mappings provided by <filename>systemd-machined.service</filename></title>
<para>The container <literal>rawhide</literal> is spawned using
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
</para>
<programlisting># systemd-nspawn -M rawhide --boot --network-veth --private-users=pick
Spawning container rawhide on /var/lib/machines/rawhide.
Selected user namespace base 20119552 and range 65536.
...
$ machinectl --max-addresses=3
MACHINE CLASS SERVICE OS VERSION ADDRESSES
rawhide container systemd-nspawn fedora 30 169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
$ getent passwd vu-rawhide-0 vu-rawhide-81
vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin
$ getent group vg-rawhide-0 vg-rawhide-81
vg-rawhide-0:*:20119552:
vg-rawhide-81:*:20119633:
$ ps -o user:15,pid,tty,command -e|grep '^vu-rawhide'
vu-rawhide-0 692 ? /usr/lib/systemd/systemd
vu-rawhide-0 731 ? /usr/lib/systemd/systemd-journald
vu-rawhide-192 734 ? /usr/lib/systemd/systemd-networkd
vu-rawhide-193 738 ? /usr/lib/systemd/systemd-resolved
vu-rawhide-0 742 ? /usr/lib/systemd/systemd-logind
vu-rawhide-81 744 ? /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
vu-rawhide-0 746 ? /usr/sbin/sshd -D ...
vu-rawhide-0 752 ? /usr/lib/systemd/systemd --user
vu-rawhide-0 753 ? (sd-pam)
vu-rawhide-0 1628 ? login -- zbyszek
vu-rawhide-1000 1630 ? /usr/lib/systemd/systemd --user
vu-rawhide-1000 1631 ? (sd-pam)
vu-rawhide-1000 1637 pts/8 -zsh
</programlisting>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
@ -85,6 +126,9 @@ netgroup: nis</programlisting>
<citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>

View File

@ -167,6 +167,7 @@
<varlistentry>
<term><keycap>h</keycap></term>
<term><keycap>?</keycap></term>
<term><keycap>F1</keycap></term>
<listitem><para>Show a help screen</para></listitem>
</varlistentry>

View File

@ -116,6 +116,13 @@
<citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
is also available, which implements importing, exporting, and downloading of container and VM images.
</para>
<para>For each container registered with <filename>systemd-machined.service</filename> that employs user
namespacing, users/groups are synthesized for the used UIDs/GIDs. These are made available to the system
using the <ulink url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via
Varlink</ulink>, and thus may be resolved with
<citerefentry><refentrytitle>userdbctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> or the
usual glibc NSS calls.</para>
</refsect1>
<refsect1>

View File

@ -186,6 +186,15 @@
available to the system.</para></listitem>
</varlistentry>
<varlistentry>
<term><constant>io.systemd.Machine</constant></term>
<listitem><para>This service is provided by
<citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
and synthesizes records for all users/groups used by a container that employs user
namespacing.</para></listitem>
</varlistentry>
<varlistentry>
<term><constant>io.systemd.Multiplexer</constant></term>

View File

@ -20,14 +20,16 @@
#define procfs_file_alloca(pid, field) \
({ \
pid_t _pid_ = (pid); \
const char *_r_; \
const char *_field_ = (field); \
char *_r_; \
if (_pid_ == 0) { \
_r_ = ("/proc/self/" field); \
_r_ = newa(char, STRLEN("/proc/self/") + strlen(_field_) + 1); \
strcpy(stpcpy(_r_, "/proc/self/"), _field_); \
} else { \
_r_ = newa(char, STRLEN("/proc/") + DECIMAL_STR_MAX(pid_t) + 1 + sizeof(field)); \
sprintf((char*) _r_, "/proc/"PID_FMT"/" field, _pid_); \
_r_ = newa(char, STRLEN("/proc/") + DECIMAL_STR_MAX(pid_t) + 1 + strlen(_field_) + 1); \
sprintf(_r_, "/proc/" PID_FMT "/%s", _pid_, _field_); \
} \
_r_; \
(const char*) _r_; \
})
typedef enum ProcessCmdlineFlags {

View File

@ -346,6 +346,7 @@ static void timer_enter_waiting(Timer *t, bool time_change) {
bool found_monotonic = false, found_realtime = false;
bool leave_around = false;
triple_timestamp ts;
dual_timestamp dts;
TimerValue *v;
Unit *trigger;
int r;
@ -389,10 +390,10 @@ static void timer_enter_waiting(Timer *t, bool time_change) {
/* To make the delay due to RandomizedDelaySec= work even at boot,
* if the scheduled time has already passed, set the time when systemd
* first started as the scheduled time.
* Also, we don't have to check t->persistent since the logic implicitly express true. */
if (v->next_elapse < UNIT(t)->manager->timestamps[MANAGER_TIMESTAMP_USERSPACE].realtime)
v->next_elapse = UNIT(t)->manager->timestamps[MANAGER_TIMESTAMP_USERSPACE].realtime;
* first started as the scheduled time. */
dual_timestamp_from_monotonic(&dts, UNIT(t)->manager->timestamps[MANAGER_TIMESTAMP_USERSPACE].monotonic);
if (v->next_elapse < dts.realtime)
v->next_elapse = dts.realtime;
if (!found_realtime)
t->next_elapse_realtime = v->next_elapse;

View File

@ -746,6 +746,143 @@ int machine_get_uid_shift(Machine *m, uid_t *ret) {
return 0;
}
static int machine_owns_uid_internal(
Machine *machine,
const char *map_file, /* "uid_map" or "gid_map" */
uid_t uid,
uid_t *ret_internal_uid) {
_cleanup_fclose_ FILE *f = NULL;
const char *p;
/* This is a generic implementation for both uids and gids, under the assumptions they have the same types and semantics. */
assert_cc(sizeof(uid_t) == sizeof(gid_t));
assert(machine);
/* Checks if the specified host UID is owned by the machine, and returns the UID it maps to
* internally in the machine */
if (machine->class != MACHINE_CONTAINER)
goto negative;
p = procfs_file_alloca(machine->leader, map_file);
f = fopen(p, "re");
if (!f) {
log_debug_errno(errno, "Failed to open %s, ignoring.", p);
goto negative;
}
for (;;) {
uid_t uid_base, uid_shift, uid_range, converted;
int k;
errno = 0;
k = fscanf(f, UID_FMT " " UID_FMT " " UID_FMT, &uid_base, &uid_shift, &uid_range);
if (k < 0 && feof(f))
break;
if (k != 3) {
if (ferror(f))
return errno_or_else(EIO);
return -EIO;
}
/* The private user namespace is disabled, ignoring. */
if (uid_shift == 0)
continue;
if (uid < uid_shift || uid >= uid_shift + uid_range)
continue;
converted = (uid - uid_shift + uid_base);
if (!uid_is_valid(converted))
return -EINVAL;
if (ret_internal_uid)
*ret_internal_uid = converted;
return true;
}
negative:
if (ret_internal_uid)
*ret_internal_uid = UID_INVALID;
return false;
}
int machine_owns_uid(Machine *machine, uid_t uid, uid_t *ret_internal_uid) {
return machine_owns_uid_internal(machine, "uid_map", uid, ret_internal_uid);
}
int machine_owns_gid(Machine *machine, gid_t gid, gid_t *ret_internal_gid) {
return machine_owns_uid_internal(machine, "gid_map", (uid_t) gid, (uid_t*) ret_internal_gid);
}
static int machine_translate_uid_internal(
Machine *machine,
const char *map_file, /* "uid_map" or "gid_map" */
uid_t uid,
uid_t *ret_host_uid) {
_cleanup_fclose_ FILE *f = NULL;
const char *p;
/* This is a generic implementation for both uids and gids, under the assumptions they have the same types and semantics. */
assert_cc(sizeof(uid_t) == sizeof(gid_t));
assert(machine);
assert(uid_is_valid(uid));
if (machine->class != MACHINE_CONTAINER)
return -ESRCH;
/* Translates a machine UID into a host UID */
p = procfs_file_alloca(machine->leader, map_file);
f = fopen(p, "re");
if (!f)
return -errno;
for (;;) {
uid_t uid_base, uid_shift, uid_range, converted;
int k;
errno = 0;
k = fscanf(f, UID_FMT " " UID_FMT " " UID_FMT, &uid_base, &uid_shift, &uid_range);
if (k < 0 && feof(f))
break;
if (k != 3) {
if (ferror(f))
return errno_or_else(EIO);
return -EIO;
}
if (uid < uid_base || uid >= uid_base + uid_range)
continue;
converted = uid - uid_base + uid_shift;
if (!uid_is_valid(converted))
return -EINVAL;
if (ret_host_uid)
*ret_host_uid = converted;
return 0;
}
return -ESRCH;
}
int machine_translate_uid(Machine *machine, gid_t uid, gid_t *ret_host_uid) {
return machine_translate_uid_internal(machine, "uid_map", uid, ret_host_uid);
}
int machine_translate_gid(Machine *machine, gid_t gid, gid_t *ret_host_gid) {
return machine_translate_uid_internal(machine, "gid_map", (uid_t) gid, (uid_t*) ret_host_gid);
}
static const char* const machine_class_table[_MACHINE_CLASS_MAX] = {
[MACHINE_CONTAINER] = "container",
[MACHINE_VM] = "vm",

View File

@ -94,3 +94,9 @@ int machine_openpt(Machine *m, int flags, char **ret_slave);
int machine_open_terminal(Machine *m, const char *path, int mode);
int machine_get_uid_shift(Machine *m, uid_t *ret);
int machine_owns_uid(Machine *m, uid_t host_uid, uid_t *ret_internal_uid);
int machine_owns_gid(Machine *m, gid_t host_gid, gid_t *ret_internal_gid);
int machine_translate_uid(Machine *m, uid_t internal_uid, uid_t *ret_host_uid);
int machine_translate_gid(Machine *m, gid_t internal_gid, gid_t *ret_host_gid);

View File

@ -3,6 +3,7 @@
#include "machined.h"
#include "nscd-flush.h"
#include "strv.h"
#include "user-util.h"
static int on_nscd_cache_flush_event(sd_event_source *s, void *userdata) {
/* Let's ask glibc's nscd daemon to flush its caches. We request this for the three database machines may show
@ -34,3 +35,72 @@ int manager_enqueue_nscd_cache_flush(Manager *m) {
return 0;
}
int manager_find_machine_for_uid(Manager *m, uid_t uid, Machine **ret_machine, uid_t *ret_internal_uid) {
Machine *machine;
Iterator i;
int r;
assert(m);
assert(uid_is_valid(uid));
/* Finds the machine for the specified host UID and returns it along with the UID translated into the
* internal UID inside the machine */
HASHMAP_FOREACH(machine, m->machines, i) {
uid_t converted;
r = machine_owns_uid(machine, uid, &converted);
if (r < 0)
return r;
if (r) {
if (ret_machine)
*ret_machine = machine;
if (ret_internal_uid)
*ret_internal_uid = converted;
return true;
}
}
if (ret_machine)
*ret_machine = NULL;
if (ret_internal_uid)
*ret_internal_uid = UID_INVALID;
return false;
}
int manager_find_machine_for_gid(Manager *m, gid_t gid, Machine **ret_machine, gid_t *ret_internal_gid) {
Machine *machine;
Iterator i;
int r;
assert(m);
assert(gid_is_valid(gid));
HASHMAP_FOREACH(machine, m->machines, i) {
gid_t converted;
r = machine_owns_gid(machine, gid, &converted);
if (r < 0)
return r;
if (r) {
if (ret_machine)
*ret_machine = machine;
if (ret_internal_gid)
*ret_internal_gid = converted;
return true;
}
}
if (ret_machine)
*ret_machine = NULL;
if (ret_internal_gid)
*ret_internal_gid = GID_INVALID;
return false;
}

View File

@ -883,11 +883,11 @@ static int method_set_image_limit(sd_bus_message *message, void *userdata, sd_bu
}
static int method_map_from_machine_user(sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_fclose_ FILE *f = NULL;
Manager *m = userdata;
const char *name, *p;
const char *name;
Machine *machine;
uint32_t uid;
uid_t converted;
int r;
r = sd_bus_message_read(message, "su", &name, &uid);
@ -904,44 +904,20 @@ static int method_map_from_machine_user(sd_bus_message *message, void *userdata,
if (machine->class != MACHINE_CONTAINER)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Not supported for non-container machines.");
p = procfs_file_alloca(machine->leader, "uid_map");
f = fopen(p, "re");
if (!f)
return -errno;
r = machine_translate_uid(machine, uid, &converted);
if (r == -ESRCH)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_USER_MAPPING, "Machine '%s' has no matching user mappings.", name);
if (r < 0)
return r;
for (;;) {
uid_t uid_base, uid_shift, uid_range, converted;
int k;
errno = 0;
k = fscanf(f, UID_FMT " " UID_FMT " " UID_FMT, &uid_base, &uid_shift, &uid_range);
if (k < 0 && feof(f))
break;
if (k != 3) {
if (ferror(f))
return errno_or_else(EIO);
return -EIO;
}
if (uid < uid_base || uid >= uid_base + uid_range)
continue;
converted = uid - uid_base + uid_shift;
if (!uid_is_valid(converted))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid user ID " UID_FMT, uid);
return sd_bus_reply_method_return(message, "u", (uint32_t) converted);
}
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_USER_MAPPING, "Machine '%s' has no matching user mappings.", name);
return sd_bus_reply_method_return(message, "u", (uint32_t) converted);
}
static int method_map_to_machine_user(sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_free_ char *o = NULL;
Manager *m = userdata;
Machine *machine;
uid_t uid;
Iterator i;
uid_t uid, converted;
int r;
r = sd_bus_message_read(message, "u", &uid);
@ -952,63 +928,24 @@ static int method_map_to_machine_user(sd_bus_message *message, void *userdata, s
if (uid < 0x10000)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_USER_MAPPING, "User " UID_FMT " belongs to host UID range", uid);
HASHMAP_FOREACH(machine, m->machines, i) {
_cleanup_fclose_ FILE *f = NULL;
char p[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(pid_t) + 1];
r = manager_find_machine_for_uid(m, uid, &machine, &converted);
if (r < 0)
return r;
if (!r)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_USER_MAPPING, "No matching user mapping for " UID_FMT ".", uid);
if (machine->class != MACHINE_CONTAINER)
continue;
o = machine_bus_path(machine);
if (!o)
return -ENOMEM;
xsprintf(p, "/proc/" UID_FMT "/uid_map", machine->leader);
f = fopen(p, "re");
if (!f) {
log_warning_errno(errno, "Failed to open %s, ignoring,", p);
continue;
}
for (;;) {
_cleanup_free_ char *o = NULL;
uid_t uid_base, uid_shift, uid_range, converted;
int k;
errno = 0;
k = fscanf(f, UID_FMT " " UID_FMT " " UID_FMT, &uid_base, &uid_shift, &uid_range);
if (k < 0 && feof(f))
break;
if (k != 3) {
if (ferror(f))
return errno_or_else(EIO);
return -EIO;
}
/* The private user namespace is disabled, ignoring. */
if (uid_shift == 0)
continue;
if (uid < uid_shift || uid >= uid_shift + uid_range)
continue;
converted = (uid - uid_shift + uid_base);
if (!uid_is_valid(converted))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid user ID " UID_FMT, uid);
o = machine_bus_path(machine);
if (!o)
return -ENOMEM;
return sd_bus_reply_method_return(message, "sou", machine->name, o, (uint32_t) converted);
}
}
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_USER_MAPPING, "No matching user mapping for " UID_FMT ".", uid);
return sd_bus_reply_method_return(message, "sou", machine->name, o, (uint32_t) converted);
}
static int method_map_from_machine_group(sd_bus_message *message, void *groupdata, sd_bus_error *error) {
_cleanup_fclose_ FILE *f = NULL;
Manager *m = groupdata;
const char *name, *p;
static int method_map_from_machine_group(sd_bus_message *message, void *userdata, sd_bus_error *error) {
Manager *m = userdata;
const char *name;
Machine *machine;
gid_t converted;
uint32_t gid;
int r;
@ -1026,44 +963,20 @@ static int method_map_from_machine_group(sd_bus_message *message, void *groupdat
if (machine->class != MACHINE_CONTAINER)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Not supported for non-container machines.");
p = procfs_file_alloca(machine->leader, "gid_map");
f = fopen(p, "re");
if (!f)
return -errno;
r = machine_translate_gid(machine, gid, &converted);
if (r == -ESRCH)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_USER_MAPPING, "Machine '%s' has no matching group mappings.", name);
if (r < 0)
return r;
for (;;) {
gid_t gid_base, gid_shift, gid_range, converted;
int k;
errno = 0;
k = fscanf(f, GID_FMT " " GID_FMT " " GID_FMT, &gid_base, &gid_shift, &gid_range);
if (k < 0 && feof(f))
break;
if (k != 3) {
if (ferror(f))
return errno_or_else(EIO);
return -EIO;
}
if (gid < gid_base || gid >= gid_base + gid_range)
continue;
converted = gid - gid_base + gid_shift;
if (!gid_is_valid(converted))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid group ID " GID_FMT, gid);
return sd_bus_reply_method_return(message, "u", (uint32_t) converted);
}
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_GROUP_MAPPING, "Machine '%s' has no matching group mappings.", name);
return sd_bus_reply_method_return(message, "u", (uint32_t) converted);
}
static int method_map_to_machine_group(sd_bus_message *message, void *groupdata, sd_bus_error *error) {
Manager *m = groupdata;
static int method_map_to_machine_group(sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_free_ char *o = NULL;
Manager *m = userdata;
Machine *machine;
gid_t gid;
Iterator i;
gid_t gid, converted;
int r;
r = sd_bus_message_read(message, "u", &gid);
@ -1074,56 +987,17 @@ static int method_map_to_machine_group(sd_bus_message *message, void *groupdata,
if (gid < 0x10000)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_GROUP_MAPPING, "Group " GID_FMT " belongs to host GID range", gid);
HASHMAP_FOREACH(machine, m->machines, i) {
_cleanup_fclose_ FILE *f = NULL;
char p[STRLEN("/proc//gid_map") + DECIMAL_STR_MAX(pid_t) + 1];
r = manager_find_machine_for_gid(m, gid, &machine, &converted);
if (r < 0)
return r;
if (!r)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_GROUP_MAPPING, "No matching group mapping for " GID_FMT ".", gid);
if (machine->class != MACHINE_CONTAINER)
continue;
o = machine_bus_path(machine);
if (!o)
return -ENOMEM;
xsprintf(p, "/proc/" GID_FMT "/gid_map", machine->leader);
f = fopen(p, "re");
if (!f) {
log_warning_errno(errno, "Failed to open %s, ignoring,", p);
continue;
}
for (;;) {
_cleanup_free_ char *o = NULL;
gid_t gid_base, gid_shift, gid_range, converted;
int k;
errno = 0;
k = fscanf(f, GID_FMT " " GID_FMT " " GID_FMT, &gid_base, &gid_shift, &gid_range);
if (k < 0 && feof(f))
break;
if (k != 3) {
if (ferror(f))
return errno_or_else(EIO);
return -EIO;
}
/* The private user namespace is disabled, ignoring. */
if (gid_shift == 0)
continue;
if (gid < gid_shift || gid >= gid_shift + gid_range)
continue;
converted = (gid - gid_shift + gid_base);
if (!gid_is_valid(converted))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid group ID " GID_FMT, gid);
o = machine_bus_path(machine);
if (!o)
return -ENOMEM;
return sd_bus_reply_method_return(message, "sou", machine->name, o, (uint32_t) converted);
}
}
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_GROUP_MAPPING, "No matching group mapping for " GID_FMT ".", gid);
return sd_bus_reply_method_return(message, "sou", machine->name, o, (uint32_t) converted);
}
const sd_bus_vtable manager_vtable[] = {

View File

@ -0,0 +1,404 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#include "format-util.h"
#include "machined-varlink.h"
#include "mkdir.h"
#include "user-util.h"
#include "varlink.h"
typedef struct LookupParameters {
const char *user_name;
const char *group_name;
union {
uid_t uid;
gid_t gid;
};
const char *service;
} LookupParameters;
static int build_user_json(const char *user_name, uid_t uid, const char *real_name, JsonVariant **ret) {
assert(user_name);
assert(uid_is_valid(uid));
assert(ret);
return json_build(ret, JSON_BUILD_OBJECT(
JSON_BUILD_PAIR("record", JSON_BUILD_OBJECT(
JSON_BUILD_PAIR("userName", JSON_BUILD_STRING(user_name)),
JSON_BUILD_PAIR("uid", JSON_BUILD_UNSIGNED(uid)),
JSON_BUILD_PAIR("gid", JSON_BUILD_UNSIGNED(GID_NOBODY)),
JSON_BUILD_PAIR_CONDITION(!isempty(real_name), "realName", JSON_BUILD_STRING(real_name)),
JSON_BUILD_PAIR("homeDirectory", JSON_BUILD_STRING("/")),
JSON_BUILD_PAIR("shell", JSON_BUILD_STRING(NOLOGIN)),
JSON_BUILD_PAIR("locked", JSON_BUILD_BOOLEAN(true)),
JSON_BUILD_PAIR("service", JSON_BUILD_STRING("io.systemd.Machine")),
JSON_BUILD_PAIR("disposition", JSON_BUILD_STRING("container"))))));
}
static bool user_match_lookup_parameters(LookupParameters *p, const char *name, uid_t uid) {
assert(p);
if (p->user_name && !streq(name, p->user_name))
return false;
if (uid_is_valid(p->uid) && uid != p->uid)
return false;
return true;
}
static int user_lookup_uid(Manager *m, uid_t uid, char **ret_name, char **ret_real_name) {
_cleanup_free_ char *n = NULL, *rn = NULL;
uid_t converted_uid;
Machine *machine;
int r;
assert(m);
assert(uid_is_valid(uid));
assert(ret_name);
assert(ret_real_name);
if (uid < 0x10000) /* Host UID range */
return -ESRCH;
r = manager_find_machine_for_uid(m, uid, &machine, &converted_uid);
if (r < 0)
return r;
if (!r)
return -ESRCH;
if (asprintf(&n, "vu-%s-" UID_FMT, machine->name, converted_uid) < 0)
return -ENOMEM;
/* Don't synthesize invalid user/group names (too long...) */
if (!valid_user_group_name(n, 0))
return -ESRCH;
if (asprintf(&rn, "UID " UID_FMT " of Container %s", converted_uid, machine->name) < 0)
return -ENOMEM;
/* Don't synthesize invalid real names either, but since this field doesn't matter much, simply invalidate things */
if (!valid_gecos(rn))
rn = mfree(rn);
*ret_name = TAKE_PTR(n);
*ret_real_name = TAKE_PTR(rn);
return 0;
}
static int user_lookup_name(Manager *m, const char *name, uid_t *ret_uid, char **ret_real_name) {
_cleanup_free_ char *mn = NULL, *rn = NULL;
uid_t uid, converted_uid;
Machine *machine;
const char *e, *d;
int r;
assert(m);
if (!valid_user_group_name(name, 0))
return -ESRCH;
e = startswith(name, "vu-");
if (!e)
return -ESRCH;
d = strrchr(e, '-');
if (!d)
return -ESRCH;
if (parse_uid(d + 1, &uid) < 0)
return -ESRCH;
mn = strndup(e, d - e);
if (!mn)
return -ENOMEM;
machine = hashmap_get(m->machines, mn);
if (!machine)
return -ESRCH;
if (machine->class != MACHINE_CONTAINER)
return -ESRCH;
r = machine_translate_uid(machine, uid, &converted_uid);
if (r < 0)
return r;
if (asprintf(&rn, "UID " UID_FMT " of Container %s", uid, machine->name) < 0)
return -ENOMEM;
if (!valid_gecos(rn))
rn = mfree(rn);
*ret_uid = converted_uid;
*ret_real_name = TAKE_PTR(rn);
return 0;
}
static int vl_method_get_user_record(Varlink *link, JsonVariant *parameters, VarlinkMethodFlags flags, void *userdata) {
static const JsonDispatch dispatch_table[] = {
{ "uid", JSON_VARIANT_UNSIGNED, json_dispatch_uid_gid, offsetof(LookupParameters, uid), 0 },
{ "userName", JSON_VARIANT_STRING, json_dispatch_const_string, offsetof(LookupParameters, user_name), JSON_SAFE },
{ "service", JSON_VARIANT_STRING, json_dispatch_const_string, offsetof(LookupParameters, service), 0 },
{}
};
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
LookupParameters p = {
.uid = UID_INVALID,
};
_cleanup_free_ char *found_name = NULL, *found_real_name = NULL;
uid_t found_uid = UID_INVALID, uid;
Manager *m = userdata;
const char *un;
int r;
assert(parameters);
assert(m);
r = json_dispatch(parameters, dispatch_table, NULL, 0, &p);
if (r < 0)
return r;
if (!streq_ptr(p.service, "io.systemd.Machine"))
return varlink_error(link, "io.systemd.UserDatabase.BadService", NULL);
if (uid_is_valid(p.uid))
r = user_lookup_uid(m, p.uid, &found_name, &found_real_name);
else if (p.user_name)
r = user_lookup_name(m, p.user_name, &found_uid, &found_real_name);
else
return varlink_error(link, "io.systemd.UserDatabase.EnumerationNotSupported", NULL);
if (r == -ESRCH)
return varlink_error(link, "io.systemd.UserDatabase.NoRecordFound", NULL);
if (r < 0)
return r;
uid = uid_is_valid(found_uid) ? found_uid : p.uid;
un = found_name ?: p.user_name;
if (!user_match_lookup_parameters(&p, un, uid))
return varlink_error(link, "io.systemd.UserDatabase.ConflictingRecordFound", NULL);
r = build_user_json(un, uid, found_real_name, &v);
if (r < 0)
return r;
return varlink_reply(link, v);
}
static int build_group_json(const char *group_name, gid_t gid, JsonVariant **ret) {
assert(group_name);
assert(gid_is_valid(gid));
assert(ret);
return json_build(ret, JSON_BUILD_OBJECT(
JSON_BUILD_PAIR("record", JSON_BUILD_OBJECT(
JSON_BUILD_PAIR("groupName", JSON_BUILD_STRING(group_name)),
JSON_BUILD_PAIR("gid", JSON_BUILD_UNSIGNED(gid)),
JSON_BUILD_PAIR("service", JSON_BUILD_STRING("io.systemd.Machine")),
JSON_BUILD_PAIR("disposition", JSON_BUILD_STRING("container"))))));
}
static bool group_match_lookup_parameters(LookupParameters *p, const char *name, gid_t gid) {
assert(p);
if (p->group_name && !streq(name, p->group_name))
return false;
if (gid_is_valid(p->gid) && gid != p->gid)
return false;
return true;
}
static int group_lookup_gid(Manager *m, gid_t gid, char **ret_name) {
_cleanup_free_ char *n = NULL;
gid_t converted_gid;
Machine *machine;
int r;
assert(m);
assert(gid_is_valid(gid));
assert(ret_name);
if (gid < 0x10000) /* Host GID range */
return -ESRCH;
r = manager_find_machine_for_gid(m, gid, &machine, &converted_gid);
if (r < 0)
return r;
if (!r)
return -ESRCH;
if (asprintf(&n, "vg-%s-" GID_FMT, machine->name, converted_gid) < 0)
return -ENOMEM;
if (!valid_user_group_name(n, 0))
return -ESRCH;
*ret_name = TAKE_PTR(n);
return 0;
}
static int group_lookup_name(Manager *m, const char *name, gid_t *ret_gid) {
_cleanup_free_ char *mn = NULL;
gid_t gid, converted_gid;
Machine *machine;
const char *e, *d;
int r;
assert(m);
if (!valid_user_group_name(name, 0))
return -ESRCH;
e = startswith(name, "vg-");
if (!e)
return -ESRCH;
d = strrchr(e, '-');
if (!d)
return -ESRCH;
if (parse_gid(d + 1, &gid) < 0)
return -ESRCH;
mn = strndup(e, d - e);
if (!mn)
return -ENOMEM;
machine = hashmap_get(m->machines, mn);
if (!mn)
return -ESRCH;
if (machine->class != MACHINE_CONTAINER)
return -ESRCH;
r = machine_translate_gid(machine, gid, &converted_gid);
if (r < 0)
return r;
*ret_gid = converted_gid;
return 0;
}
static int vl_method_get_group_record(Varlink *link, JsonVariant *parameters, VarlinkMethodFlags flags, void *userdata) {
static const JsonDispatch dispatch_table[] = {
{ "gid", JSON_VARIANT_UNSIGNED, json_dispatch_uid_gid, offsetof(LookupParameters, gid), 0 },
{ "groupName", JSON_VARIANT_STRING, json_dispatch_const_string, offsetof(LookupParameters, group_name), JSON_SAFE },
{ "service", JSON_VARIANT_STRING, json_dispatch_const_string, offsetof(LookupParameters, service), 0 },
{}
};
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
LookupParameters p = {
.gid = GID_INVALID,
};
_cleanup_free_ char *found_name = NULL;
uid_t found_gid = GID_INVALID, gid;
Manager *m = userdata;
const char *gn;
int r;
assert(parameters);
assert(m);
r = json_dispatch(parameters, dispatch_table, NULL, 0, &p);
if (r < 0)
return r;
if (!streq_ptr(p.service, "io.systemd.Machine"))
return varlink_error(link, "io.systemd.UserDatabase.BadService", NULL);
if (gid_is_valid(p.gid))
r = group_lookup_gid(m, p.gid, &found_name);
else if (p.group_name)
r = group_lookup_name(m, p.group_name, (uid_t*) &found_gid);
else
return varlink_error(link, "io.systemd.UserDatabase.EnumerationNotSupported", NULL);
if (r == -ESRCH)
return varlink_error(link, "io.systemd.UserDatabase.NoRecordFound", NULL);
if (r < 0)
return r;
gid = gid_is_valid(found_gid) ? found_gid : p.gid;
gn = found_name ?: p.group_name;
if (!group_match_lookup_parameters(&p, gn, gid))
return varlink_error(link, "io.systemd.UserDatabase.ConflictingRecordFound", NULL);
r = build_group_json(gn, gid, &v);
if (r < 0)
return r;
return varlink_reply(link, v);
}
static int vl_method_get_memberships(Varlink *link, JsonVariant *parameters, VarlinkMethodFlags flags, void *userdata) {
static const JsonDispatch dispatch_table[] = {
{ "userName", JSON_VARIANT_STRING, json_dispatch_const_string, offsetof(LookupParameters, user_name), JSON_SAFE },
{ "groupName", JSON_VARIANT_STRING, json_dispatch_const_string, offsetof(LookupParameters, group_name), JSON_SAFE },
{ "service", JSON_VARIANT_STRING, json_dispatch_const_string, offsetof(LookupParameters, service), 0 },
{}
};
LookupParameters p = {};
int r;
assert(parameters);
r = json_dispatch(parameters, dispatch_table, NULL, 0, &p);
if (r < 0)
return r;
if (!streq_ptr(p.service, "io.systemd.Machine"))
return varlink_error(link, "io.systemd.UserDatabase.BadService", NULL);
/* We don't support auxiliary groups for machines. */
return varlink_error(link, "io.systemd.UserDatabase.NoRecordFound", NULL);
}
int manager_varlink_init(Manager *m) {
_cleanup_(varlink_server_unrefp) VarlinkServer *s = NULL;
int r;
assert(m);
if (m->varlink_server)
return 0;
r = varlink_server_new(&s, VARLINK_SERVER_ACCOUNT_UID);
if (r < 0)
return log_error_errno(r, "Failed to allocate varlink server object: %m");
varlink_server_set_userdata(s, m);
r = varlink_server_bind_method_many(
s,
"io.systemd.UserDatabase.GetUserRecord", vl_method_get_user_record,
"io.systemd.UserDatabase.GetGroupRecord", vl_method_get_group_record,
"io.systemd.UserDatabase.GetMemberships", vl_method_get_memberships);
if (r < 0)
return log_error_errno(r, "Failed to register varlink methods: %m");
(void) mkdir_p("/run/systemd/userdb", 0755);
r = varlink_server_listen_address(s, "/run/systemd/userdb/io.systemd.Machine", 0666);
if (r < 0)
return log_error_errno(r, "Failed to bind to varlink socket: %m");
r = varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
if (r < 0)
return log_error_errno(r, "Failed to attach varlink connection to event loop: %m");
m->varlink_server = TAKE_PTR(s);
return 0;
}
void manager_varlink_done(Manager *m) {
assert(m);
m->varlink_server = varlink_server_unref(m->varlink_server);
}

View File

@ -0,0 +1,7 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once
#include "machined.h"
int manager_varlink_init(Manager *m);
void manager_varlink_done(Manager *m);

View File

@ -20,6 +20,7 @@
#include "hostname-util.h"
#include "label.h"
#include "machine-image.h"
#include "machined-varlink.h"
#include "machined.h"
#include "main-func.h"
#include "process-util.h"
@ -86,6 +87,8 @@ static Manager* manager_unref(Manager *m) {
bus_verify_polkit_async_registry_free(m->polkit_registry);
manager_varlink_done(m);
sd_bus_flush_close_unref(m->bus);
sd_event_unref(m->event);
@ -272,6 +275,11 @@ static int manager_startup(Manager *m) {
if (r < 0)
return r;
/* Set up Varlink service */
r = manager_varlink_init(m);
if (r < 0)
return r;
/* Deserialize state */
manager_enumerate_machines(m);
@ -291,6 +299,9 @@ static bool check_idle(void *userdata) {
if (m->operations)
return false;
if (varlink_server_current_connections(m->varlink_server) > 0)
return false;
manager_gc(m, true);
return hashmap_isempty(m->machines);

View File

@ -6,15 +6,15 @@
#include "sd-bus.h"
#include "sd-event.h"
#include "hashmap.h"
#include "list.h"
typedef struct Manager Manager;
#include "hashmap.h"
#include "image-dbus.h"
#include "list.h"
#include "machine-dbus.h"
#include "machine.h"
#include "operation.h"
#include "varlink.h"
struct Manager {
sd_event *event;
@ -37,6 +37,8 @@ struct Manager {
unsigned n_operations;
sd_event_source *nscd_cache_flush_event;
VarlinkServer *varlink_server;
};
int manager_add_machine(Manager *m, const char *name, Machine **_machine);
@ -56,3 +58,6 @@ int manager_unit_is_active(Manager *manager, const char *unit);
int manager_job_is_active(Manager *manager, const char *path);
int manager_enqueue_nscd_cache_flush(Manager *m);
int manager_find_machine_for_uid(Manager *m, uid_t host_uid, Machine **ret_machine, uid_t *ret_internal_uid);
int manager_find_machine_for_gid(Manager *m, gid_t host_gid, Machine **ret_machine, gid_t *ret_internal_gid);

View File

@ -6,14 +6,16 @@ systemd_machined_sources = files('''
'''.split())
libmachine_core_sources = files('''
machine.c
machine.h
machined-dbus.c
machined-core.c
machine-dbus.c
machine-dbus.h
image-dbus.c
image-dbus.h
machine-dbus.c
machine-dbus.h
machine.c
machine.h
machined-core.c
machined-dbus.c
machined-varlink.c
machined-varlink.h
operation.c
operation.h
'''.split())

View File

@ -288,7 +288,7 @@ int link_set_bond(Link *link) {
r = netlink_call_async(link->manager->rtnl, NULL, req, link_set_bond_handler,
link_netlink_destroy_callback, link);
if (r < 0)
return log_link_error_errno(link, r, "Could not send rtnetlink message: %m");
return log_link_error_errno(link, r, "Could not send rtnetlink message: %m");
link_ref(link);

View File

@ -218,7 +218,7 @@ int link_set_bridge(Link *link) {
return log_link_error_errno(link, r, "Could not append IFLA_BRPORT_FAST_LEAVE attribute: %m");
}
if (link->network->allow_port_to_be_root >= 0) {
if (link->network->allow_port_to_be_root >= 0) {
r = sd_netlink_message_append_u8(req, IFLA_BRPORT_PROTECT, link->network->allow_port_to_be_root);
if (r < 0)
return log_link_error_errno(link, r, "Could not append IFLA_BRPORT_PROTECT attribute: %m");

View File

@ -1662,7 +1662,7 @@ static int link_status_one(
r = table_add_many(table,
TABLE_EMPTY,
TABLE_STRING, "Mode:",
TABLE_STRING, bond_mode_to_string(info->mode),
TABLE_STRING, bond_mode_to_string(info->mode),
TABLE_EMPTY,
TABLE_STRING, "Miimon:",
TABLE_TIMESPAN_MSEC, jiffies_to_usec(info->miimon),

View File

@ -444,6 +444,8 @@ static int address_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, Link
r = sd_netlink_message_get_errno(m);
if (r < 0 && r != -EADDRNOTAVAIL)
log_link_message_warning_errno(link, m, r, "Could not drop address");
else
(void) manager_rtnl_process_address(rtnl, m, link->manager);
return 1;
}

View File

@ -20,12 +20,12 @@
#include "sysctl-util.h"
#include "web-util.h"
static int dhcp_remove_routes(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, bool remove_all);
static int dhcp_remove_router(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, bool remove_all);
static int dhcp_remove_dns_routes(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, bool remove_all);
static int dhcp_remove_routes(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, bool remove_all, link_netlink_message_handler_t callback);
static int dhcp_remove_router(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, bool remove_all, link_netlink_message_handler_t callback);
static int dhcp_remove_dns_routes(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, bool remove_all, link_netlink_message_handler_t callback);
static int dhcp_remove_address(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, link_netlink_message_handler_t callback);
static int dhcp_remove_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link);
static int dhcp_lease_renew(sd_dhcp_client *client, Link *link);
static int dhcp4_update_address(Link *link, bool announce);
static int dhcp4_remove_all(Link *link);
void dhcp4_release_old_lease(Link *link) {
struct in_addr address = {}, address_old = {};
@ -40,9 +40,9 @@ void dhcp4_release_old_lease(Link *link) {
(void) sd_dhcp_lease_get_address(link->dhcp_lease_old, &address_old);
(void) sd_dhcp_lease_get_address(link->dhcp_lease, &address);
(void) dhcp_remove_routes(link, link->dhcp_lease_old, &address_old, false);
(void) dhcp_remove_router(link, link->dhcp_lease_old, &address_old, false);
(void) dhcp_remove_dns_routes(link, link->dhcp_lease_old, &address_old, false);
(void) dhcp_remove_routes(link, link->dhcp_lease_old, &address_old, false, NULL);
(void) dhcp_remove_router(link, link->dhcp_lease_old, &address_old, false, NULL);
(void) dhcp_remove_dns_routes(link, link->dhcp_lease_old, &address_old, false, NULL);
if (!in4_addr_equal(&address_old, &address))
(void) dhcp_remove_address(link, link->dhcp_lease_old, &address_old, NULL);
@ -88,17 +88,12 @@ static int dhcp4_route_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *li
if (link->dhcp4_messages == 0) {
if (link->dhcp4_route_failed) {
struct in_addr address = {};
link->dhcp4_route_failed = false;
link->dhcp4_route_retrying = true;
(void) sd_dhcp_lease_get_address(link->dhcp_lease, &address);
(void) dhcp_remove_routes(link, link->dhcp_lease, &address, true);
(void) dhcp_remove_router(link, link->dhcp_lease, &address, true);
(void) dhcp_remove_dns_routes(link, link->dhcp_lease, &address, true);
(void) dhcp_remove_address(link, link->dhcp_lease, &address, dhcp_remove_address_handler);
r = dhcp4_remove_all(link);
if (r < 0)
link_enter_failed(link);
return 1;
}
if (!link->network->dhcp_send_decline)
@ -177,7 +172,7 @@ static int link_set_dns_routes(Link *link, const struct in_addr *address) {
r = route_new(&route);
if (r < 0)
return log_link_error_errno(link, r, "Could not allocate route: %m");
return log_link_error_errno(link, r, "Could not allocate route: %m");
/* Set routes to DNS servers. */
@ -266,7 +261,7 @@ static int link_set_dhcp_routes(Link *link) {
r = dhcp_prefix_route_from_lease(link->dhcp_lease, table, &address, &prefix_route);
if (r < 0)
return log_link_error_errno(link, r, "Could not create prefix route: %m");
return log_link_error_errno(link, r, "Could not create prefix route: %m");
r = dhcp_route_configure(&prefix_route, link);
if (r < 0)
@ -344,7 +339,7 @@ static int link_set_dhcp_routes(Link *link) {
r = route_new(&route_gw);
if (r < 0)
return log_link_error_errno(link, r, "Could not allocate route: %m");
return log_link_error_errno(link, r, "Could not allocate route: %m");
/* The dhcp netmask may mask out the gateway. Add an explicit
* route for the gw host so that we can route no matter the
@ -401,7 +396,26 @@ static int link_set_dhcp_routes(Link *link) {
return link_set_dns_routes(link, &address);
}
static int dhcp_remove_routes(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, bool remove_all) {
static int dhcp_route_remove(Route *route, Link *link, link_netlink_message_handler_t callback) {
int r;
r = route_remove(route, link, callback);
if (r < 0)
return r;
if (callback)
link->dhcp4_remove_messages++;
return 0;
}
static int dhcp_remove_routes(
Link *link,
sd_dhcp_lease *lease,
const struct in_addr *address,
bool remove_all,
link_netlink_message_handler_t callback) {
_cleanup_free_ sd_dhcp_route **routes = NULL;
uint32_t table;
int n, i, r;
@ -440,13 +454,21 @@ static int dhcp_remove_routes(Link *link, sd_dhcp_lease *lease, const struct in_
if (!remove_all && set_contains(link->dhcp_routes, route))
continue;
(void) route_remove(route, link, NULL);
r = dhcp_route_remove(route, link, callback);
if (r < 0)
return r;
}
return n;
}
static int dhcp_remove_router(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, bool remove_all) {
static int dhcp_remove_router(
Link *link,
sd_dhcp_lease *lease,
const struct in_addr *address,
bool remove_all,
link_netlink_message_handler_t callback) {
_cleanup_(route_freep) Route *route_gw = NULL, *route = NULL;
const struct in_addr *router;
uint32_t table;
@ -484,8 +506,11 @@ static int dhcp_remove_router(Link *link, sd_dhcp_lease *lease, const struct in_
route_gw->priority = link->network->dhcp_route_metric;
route_gw->table = table;
if (remove_all || !set_contains(link->dhcp_routes, route_gw))
(void) route_remove(route_gw, link, NULL);
if (remove_all || !set_contains(link->dhcp_routes, route_gw)) {
r = dhcp_route_remove(route_gw, link, callback);
if (r < 0)
return r;
}
r = route_new(&route);
if (r < 0)
@ -498,8 +523,11 @@ static int dhcp_remove_router(Link *link, sd_dhcp_lease *lease, const struct in_
route->priority = link->network->dhcp_route_metric;
route->table = table;
if (remove_all || !set_contains(link->dhcp_routes, route))
(void) route_remove(route, link, NULL);
if (remove_all || !set_contains(link->dhcp_routes, route)) {
r = dhcp_route_remove(route, link, callback);
if (r < 0)
return r;
}
Route *rt;
LIST_FOREACH(routes, rt, link->network->static_routes) {
@ -512,13 +540,21 @@ static int dhcp_remove_router(Link *link, sd_dhcp_lease *lease, const struct in_
if (!remove_all && in4_addr_equal(router, &rt->gw.in))
continue;
(void) route_remove(rt, link, NULL);
r = dhcp_route_remove(rt, link, callback);
if (r < 0)
return r;
}
return 0;
}
static int dhcp_remove_dns_routes(Link *link, sd_dhcp_lease *lease, const struct in_addr *address, bool remove_all) {
static int dhcp_remove_dns_routes(
Link *link,
sd_dhcp_lease *lease,
const struct in_addr *address,
bool remove_all,
link_netlink_message_handler_t callback) {
const struct in_addr *dns;
uint32_t table;
int i, n, r;
@ -544,7 +580,7 @@ static int dhcp_remove_dns_routes(Link *link, sd_dhcp_lease *lease, const struct
r = route_new(&route);
if (r < 0)
return log_link_error_errno(link, r, "Could not allocate route: %m");
return log_link_error_errno(link, r, "Could not allocate route: %m");
route->family = AF_INET;
route->dst.in = dns[i];
@ -558,7 +594,9 @@ static int dhcp_remove_dns_routes(Link *link, sd_dhcp_lease *lease, const struct
if (!remove_all && set_contains(link->dhcp_routes, route))
continue;
(void) route_remove(route, link, NULL);
r = dhcp_route_remove(route, link, callback);
if (r < 0)
return r;
}
if (!link_prefixroute(link)) {
@ -566,36 +604,18 @@ static int dhcp_remove_dns_routes(Link *link, sd_dhcp_lease *lease, const struct
r = dhcp_prefix_route_from_lease(lease, table, address, &prefix_route);
if (r < 0)
return log_link_warning_errno(link, r, "Could not delete prefix route: %m");
return log_link_warning_errno(link, r, "Could not create prefix route: %m");
if (remove_all || !set_contains(link->dhcp_routes, prefix_route))
(void) route_remove(prefix_route, link, NULL);
if (remove_all || !set_contains(link->dhcp_routes, prefix_route)) {
r = dhcp_route_remove(prefix_route, link, callback);
if (r < 0)
return r;
}
}
return 0;
}
static int dhcp_remove_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
int r;
assert(link);
/* This is only used when retrying to assign the address received from DHCPv4 server.
* See dhcp4_route_handler(). */
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
return 1;
r = sd_netlink_message_get_errno(m);
if (r < 0)
log_link_message_warning_errno(link, m, r, "Failed to remove DHCPv4 address, ignoring");
else
(void) manager_rtnl_process_address(rtnl, m, link->manager);
(void) dhcp_lease_renew(link->dhcp_client, link);
return 1;
}
static int dhcp_remove_address(
Link *link, sd_dhcp_lease *lease,
const struct in_addr *address,
@ -621,7 +641,12 @@ static int dhcp_remove_address(
if (sd_dhcp_lease_get_netmask(lease, &netmask) >= 0)
a->prefixlen = in4_addr_netmask_to_prefixlen(&netmask);
(void) address_remove(a, link, callback);
r = address_remove(a, link, callback);
if (r < 0)
return r;
if (callback)
link->dhcp4_remove_messages++;
return 0;
}
@ -676,8 +701,90 @@ static int dhcp_reset_hostname(Link *link) {
return 0;
}
static int dhcp4_remove_route_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
int r;
assert(m);
assert(link);
assert(link->dhcp4_remove_messages > 0);
link->dhcp4_remove_messages--;
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
return 1;
r = sd_netlink_message_get_errno(m);
if (r < 0 && r != -ESRCH)
log_link_message_warning_errno(link, m, r, "Failed to remove DHCPv4 route, ignoring");
if (link->dhcp4_remove_messages == 0) {
r = dhcp4_update_address(link, false);
if (r < 0)
link_enter_failed(link);
}
return 1;
}
static int dhcp4_remove_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
int r;
assert(m);
assert(link);
assert(link->dhcp4_remove_messages > 0);
link->dhcp4_remove_messages--;
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
return 1;
r = sd_netlink_message_get_errno(m);
if (r < 0 && r != -EADDRNOTAVAIL)
log_link_message_warning_errno(link, m, r, "Failed to remove DHCPv4 address, ignoring");
else
(void) manager_rtnl_process_address(rtnl, m, link->manager);
if (link->dhcp4_remove_messages == 0) {
r = dhcp4_update_address(link, false);
if (r < 0)
link_enter_failed(link);
}
return 1;
}
static int dhcp4_remove_all(Link *link) {
struct in_addr address;
int r;
assert(link);
assert(link->dhcp_lease);
r = sd_dhcp_lease_get_address(link->dhcp_lease, &address);
if (r < 0)
return log_link_error_errno(link, r, "Failed to get DHCPv4 address: %m");
r = dhcp_remove_routes(link, link->dhcp_lease, &address, true, dhcp4_remove_route_handler);
if (r < 0)
return r;
r = dhcp_remove_router(link, link->dhcp_lease, &address, true, dhcp4_remove_route_handler);
if (r < 0)
return r;
r = dhcp_remove_dns_routes(link, link->dhcp_lease, &address, true, dhcp4_remove_route_handler);
if (r < 0)
return r;
r = dhcp_remove_address(link, link->dhcp_lease, &address, dhcp4_remove_address_handler);
if (r < 0)
return r;
return 0;
}
static int dhcp_lease_lost(Link *link) {
struct in_addr address = {};
int r;
assert(link);
assert(link->dhcp_lease);
@ -686,13 +793,17 @@ static int dhcp_lease_lost(Link *link) {
link->dhcp4_configured = false;
(void) sd_dhcp_lease_get_address(link->dhcp_lease, &address);
(void) dhcp_remove_routes(link, link->dhcp_lease, &address, true);
(void) dhcp_remove_router(link, link->dhcp_lease, &address, true);
(void) dhcp_remove_dns_routes(link, link->dhcp_lease, &address, true);
(void) dhcp_remove_address(link, link->dhcp_lease, &address, NULL);
(void) dhcp_reset_mtu(link);
(void) dhcp_reset_hostname(link);
r = dhcp4_remove_all(link);
if (r < 0)
return r;
r = dhcp_reset_mtu(link);
if (r < 0)
return r;
r = dhcp_reset_hostname(link);
if (r < 0)
return r;
link->dhcp_lease = sd_dhcp_lease_unref(link->dhcp_lease);
link_dirty(link);
@ -830,30 +941,81 @@ static int dhcp4_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *
return 1;
}
static int dhcp4_update_address(Link *link,
struct in_addr *address,
struct in_addr *netmask,
uint32_t lifetime) {
static int dhcp4_update_address(Link *link, bool announce) {
_cleanup_(address_freep) Address *addr = NULL;
uint32_t lifetime = CACHE_INFO_INFINITY_LIFE_TIME;
struct in_addr address, netmask;
unsigned prefixlen;
int r;
assert(address);
assert(netmask);
assert(lifetime);
assert(link);
assert(link->network);
prefixlen = in4_addr_netmask_to_prefixlen(netmask);
if (!link->dhcp_lease)
return 0;
link_set_state(link, LINK_STATE_CONFIGURING);
link->dhcp4_configured = false;
/* address_handler calls link_request_set_routes() and link_request_set_nexthop(). Before they
* are called, the related flags must be cleared. Otherwise, the link becomes configured state
* before routes are configured. */
link->static_routes_configured = false;
link->static_nexthops_configured = false;
r = sd_dhcp_lease_get_address(link->dhcp_lease, &address);
if (r < 0)
return log_link_warning_errno(link, r, "DHCP error: no address: %m");
r = sd_dhcp_lease_get_netmask(link->dhcp_lease, &netmask);
if (r < 0)
return log_link_warning_errno(link, r, "DHCP error: no netmask: %m");
if (!FLAGS_SET(link->network->keep_configuration, KEEP_CONFIGURATION_DHCP)) {
r = sd_dhcp_lease_get_lifetime(link->dhcp_lease, &lifetime);
if (r < 0)
return log_link_warning_errno(link, r, "DHCP error: no lifetime: %m");
}
prefixlen = in4_addr_netmask_to_prefixlen(&netmask);
if (announce) {
const struct in_addr *router;
r = sd_dhcp_lease_get_router(link->dhcp_lease, &router);
if (r < 0 && r != -ENODATA)
return log_link_error_errno(link, r, "DHCP error: Could not get gateway: %m");
if (r > 0 && !in4_addr_is_null(&router[0]))
log_struct(LOG_INFO,
LOG_LINK_INTERFACE(link),
LOG_LINK_MESSAGE(link, "DHCPv4 address %u.%u.%u.%u/%u via %u.%u.%u.%u",
ADDRESS_FMT_VAL(address),
prefixlen,
ADDRESS_FMT_VAL(router[0])),
"ADDRESS=%u.%u.%u.%u", ADDRESS_FMT_VAL(address),
"PREFIXLEN=%u", prefixlen,
"GATEWAY=%u.%u.%u.%u", ADDRESS_FMT_VAL(router[0]));
else
log_struct(LOG_INFO,
LOG_LINK_INTERFACE(link),
LOG_LINK_MESSAGE(link, "DHCPv4 address %u.%u.%u.%u/%u",
ADDRESS_FMT_VAL(address),
prefixlen),
"ADDRESS=%u.%u.%u.%u", ADDRESS_FMT_VAL(address),
"PREFIXLEN=%u", prefixlen);
}
r = address_new(&addr);
if (r < 0)
return r;
return log_oom();
addr->family = AF_INET;
addr->in_addr.in.s_addr = address->s_addr;
addr->in_addr.in.s_addr = address.s_addr;
addr->cinfo.ifa_prefered = lifetime;
addr->cinfo.ifa_valid = lifetime;
addr->prefixlen = prefixlen;
addr->broadcast.s_addr = address->s_addr | ~netmask->s_addr;
addr->broadcast.s_addr = address.s_addr | ~netmask.s_addr;
addr->prefix_route = link_prefixroute(link);
/* allow reusing an existing address and simply update its lifetime
@ -867,102 +1029,34 @@ static int dhcp4_update_address(Link *link,
static int dhcp_lease_renew(sd_dhcp_client *client, Link *link) {
sd_dhcp_lease *lease;
struct in_addr address;
struct in_addr netmask;
uint32_t lifetime = CACHE_INFO_INFINITY_LIFE_TIME;
int r;
assert(link);
assert(client);
assert(link->network);
r = sd_dhcp_client_get_lease(client, &lease);
if (r < 0)
return log_link_warning_errno(link, r, "DHCP error: no lease: %m");
sd_dhcp_lease_unref(link->dhcp_lease);
link->dhcp4_configured = false;
link->dhcp_lease = sd_dhcp_lease_ref(lease);
link_dirty(link);
r = sd_dhcp_lease_get_address(lease, &address);
if (r < 0)
return log_link_warning_errno(link, r, "DHCP error: no address: %m");
r = sd_dhcp_lease_get_netmask(lease, &netmask);
if (r < 0)
return log_link_warning_errno(link, r, "DHCP error: no netmask: %m");
if (!FLAGS_SET(link->network->keep_configuration, KEEP_CONFIGURATION_DHCP)) {
r = sd_dhcp_lease_get_lifetime(link->dhcp_lease, &lifetime);
if (r < 0)
return log_link_warning_errno(link, r, "DHCP error: no lifetime: %m");
}
r = dhcp4_update_address(link, &address, &netmask, lifetime);
if (r < 0)
return log_link_warning_errno(link, r, "Could not update IP address: %m");
return 0;
return dhcp4_update_address(link, false);
}
static int dhcp_lease_acquired(sd_dhcp_client *client, Link *link) {
const struct in_addr *router;
sd_dhcp_lease *lease;
struct in_addr address;
struct in_addr netmask;
unsigned prefixlen;
uint32_t lifetime = CACHE_INFO_INFINITY_LIFE_TIME;
int r;
assert(client);
assert(link);
link->dhcp4_configured = false;
r = sd_dhcp_client_get_lease(client, &lease);
if (r < 0)
return log_link_error_errno(link, r, "DHCP error: No lease: %m");
r = sd_dhcp_lease_get_address(lease, &address);
if (r < 0)
return log_link_error_errno(link, r, "DHCP error: No address: %m");
r = sd_dhcp_lease_get_netmask(lease, &netmask);
if (r < 0)
return log_link_error_errno(link, r, "DHCP error: No netmask: %m");
prefixlen = in4_addr_netmask_to_prefixlen(&netmask);
if (!FLAGS_SET(link->network->keep_configuration, KEEP_CONFIGURATION_DHCP)) {
r = sd_dhcp_lease_get_lifetime(lease, &lifetime);
if (r < 0)
return log_link_warning_errno(link, r, "DHCP error: no lifetime: %m");
}
r = sd_dhcp_lease_get_router(lease, &router);
if (r < 0 && r != -ENODATA)
return log_link_error_errno(link, r, "DHCP error: Could not get gateway: %m");
if (r > 0 && !in4_addr_is_null(&router[0]))
log_struct(LOG_INFO,
LOG_LINK_INTERFACE(link),
LOG_LINK_MESSAGE(link, "DHCPv4 address %u.%u.%u.%u/%u via %u.%u.%u.%u",
ADDRESS_FMT_VAL(address),
prefixlen,
ADDRESS_FMT_VAL(router[0])),
"ADDRESS=%u.%u.%u.%u", ADDRESS_FMT_VAL(address),
"PREFIXLEN=%u", prefixlen,
"GATEWAY=%u.%u.%u.%u", ADDRESS_FMT_VAL(router[0]));
else
log_struct(LOG_INFO,
LOG_LINK_INTERFACE(link),
LOG_LINK_MESSAGE(link, "DHCPv4 address %u.%u.%u.%u/%u",
ADDRESS_FMT_VAL(address),
prefixlen),
"ADDRESS=%u.%u.%u.%u", ADDRESS_FMT_VAL(address),
"PREFIXLEN=%u", prefixlen);
sd_dhcp_lease_unref(link->dhcp_lease);
link->dhcp_lease = sd_dhcp_lease_ref(lease);
link_dirty(link);
@ -1013,9 +1107,14 @@ static int dhcp_lease_acquired(sd_dhcp_client *client, Link *link) {
}
}
r = dhcp4_update_address(link, &address, &netmask, lifetime);
if (r < 0)
return log_link_warning_errno(link, r, "Could not update IP address: %m");
if (link->dhcp4_remove_messages == 0) {
r = dhcp4_update_address(link, true);
if (r < 0)
return r;
} else
log_link_debug(link,
"The link has previously assigned DHCPv4 address or routes. "
"The newly assigned address and routes will set up after old ones are removed.");
return 0;
}

View File

@ -24,7 +24,6 @@
#include "radv-internal.h"
#include "web-util.h"
static int dhcp6_lease_address_acquired(sd_dhcp6_client *client, Link *link);
static Link *dhcp6_prefix_get(Manager *m, struct in6_addr *addr);
static int dhcp6_prefix_add(Manager *m, struct in6_addr *addr, Link *link);
static int dhcp6_prefix_remove_all(Manager *m, Link *link);
@ -33,7 +32,7 @@ static int dhcp6_assign_delegated_prefix(Link *link, const struct in6_addr *pref
uint32_t lifetime_preferred,
uint32_t lifetime_valid);
static bool dhcp6_get_prefix_delegation(Link *link) {
bool dhcp6_get_prefix_delegation(Link *link) {
if (!link->network)
return false;
@ -125,7 +124,7 @@ static int dhcp6_get_preferred_delegated_prefix(
r = in_addr_prefix_next(AF_INET6, &prefix, 64);
if (r < 0)
return log_link_error_errno(link, r, "Can't allocate another prefix. Out of address space?");
return log_link_error_errno(link, r, "Can't allocate another prefix. Out of address space?: %m");
}
return log_link_warning_errno(link, SYNTHETIC_ERRNO(ERANGE), "Couldn't find a suitable prefix. Ran out of address space.");
@ -172,11 +171,9 @@ static int dhcp6_pd_prefix_assign(Link *link, struct in6_addr *prefix,
if (r < 0)
return r;
if (link->network->dhcp6_pd_assign_prefix) {
r = dhcp6_assign_delegated_prefix(link, prefix, prefix_len, lifetime_preferred, lifetime_valid);
if (r < 0)
return r;
}
r = dhcp6_assign_delegated_prefix(link, prefix, prefix_len, lifetime_preferred, lifetime_valid);
if (r < 0)
return r;
return 0;
}
@ -324,13 +321,25 @@ static int dhcp6_route_handler(sd_netlink *nl, sd_netlink_message *m, Link *link
int r;
assert(link);
assert(link->dhcp6_route_messages > 0);
link->dhcp6_route_messages--;
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
return 1;
r = sd_netlink_message_get_errno(m);
if (r < 0 && r != -EEXIST)
log_link_message_warning_errno(link, m, r, "Received error when adding unreachable route for DHCPv6 delegated subnet");
if (r < 0 && r != -EEXIST) {
log_link_message_warning_errno(link, m, r, "Failed to add unreachable route for DHCPv6 delegated subnet");
link_enter_failed(link);
return 1;
}
if (link->dhcp6_route_messages == 0) {
log_link_debug(link, "Unreachable routes for DHCPv6 delegated subnets set");
link->dhcp6_route_configured = true;
link_check_ready(link);
}
return 1;
}
@ -342,6 +351,8 @@ static int dhcp6_lease_pd_prefix_acquired(sd_dhcp6_client *client, Link *link) {
uint8_t pd_prefix_len;
int r;
link->dhcp6_route_configured = false;
r = sd_dhcp6_client_get_lease(client, &lease);
if (r < 0)
return r;
@ -386,6 +397,8 @@ static int dhcp6_lease_pd_prefix_acquired(sd_dhcp6_client *client, Link *link) {
pd_prefix_len);
continue;
}
if (r > 0)
link->dhcp6_route_messages++;
log_link_debug(link, "Configuring unreachable route for %s/%u",
strnull(buf), pd_prefix_len);
@ -435,6 +448,14 @@ static int dhcp6_lease_pd_prefix_acquired(sd_dhcp6_client *client, Link *link) {
* fulfill those with the next available pd delegated prefix. */
}
if (link->dhcp6_route_messages == 0) {
link->dhcp6_route_configured = true;
link_check_ready(link);
} else {
log_link_debug(link, "Setting unreachable routes for DHCPv6 delegated subnets");
link_set_state(link, LINK_STATE_CONFIGURING);
}
return 0;
}
@ -461,14 +482,14 @@ int dhcp6_request_prefix_delegation(Link *link) {
r = sd_dhcp6_client_get_prefix_delegation(l->dhcp6_client, &enabled);
if (r < 0) {
log_link_warning_errno(l, r, "Cannot get prefix delegation when adding new link");
log_link_warning_errno(l, r, "Cannot get prefix delegation when adding new link: %m");
continue;
}
if (enabled == 0) {
r = sd_dhcp6_client_set_prefix_delegation(l->dhcp6_client, 1);
if (r < 0) {
log_link_warning_errno(l, r, "Cannot enable prefix delegation when adding new link");
log_link_warning_errno(l, r, "Cannot enable prefix delegation when adding new link: 5m");
continue;
}
}
@ -486,13 +507,13 @@ int dhcp6_request_prefix_delegation(Link *link) {
r = sd_dhcp6_client_stop(l->dhcp6_client);
if (r < 0) {
log_link_warning_errno(l, r, "Cannot stop DHCPv6 prefix delegation client after adding new link");
log_link_warning_errno(l, r, "Cannot stop DHCPv6 prefix delegation client after adding new link: %m");
continue;
}
r = sd_dhcp6_client_start(l->dhcp6_client);
if (r < 0) {
log_link_warning_errno(l, r, "Cannot restart DHCPv6 prefix delegation client after adding new link");
log_link_warning_errno(l, r, "Cannot restart DHCPv6 prefix delegation client after adding new link: %m");
continue;
}
@ -506,6 +527,9 @@ static int dhcp6_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *
int r;
assert(link);
assert(link->dhcp6_address_messages > 0);
link->dhcp6_address_messages--;
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
return 1;
@ -518,10 +542,14 @@ static int dhcp6_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *
} else if (r >= 0)
(void) manager_rtnl_process_address(rtnl, m, link->manager);
r = link_request_set_routes(link);
if (r < 0) {
link_enter_failed(link);
return 1;
if (link->dhcp6_address_messages == 0) {
log_link_debug(link, "DHCPv6 addresses set");
link->dhcp6_address_configured = true;
r = link_request_set_routes(link);
if (r < 0) {
link_enter_failed(link);
return 1;
}
}
return 1;
@ -556,6 +584,8 @@ static int dhcp6_address_change(
r = address_configure(addr, link, dhcp6_address_handler, true);
if (r < 0)
return log_link_warning_errno(link, r, "Could not assign DHCPv6 address: %m");
if (r > 0)
link->dhcp6_address_messages++;
return 0;
}
@ -566,12 +596,13 @@ static int dhcp6_lease_address_acquired(sd_dhcp6_client *client, Link *link) {
struct in6_addr ip6_addr;
uint32_t lifetime_preferred, lifetime_valid;
link->dhcp6_address_configured = false;
r = sd_dhcp6_client_get_lease(client, &lease);
if (r < 0)
return r;
sd_dhcp6_lease_reset_address_iter(lease);
while (sd_dhcp6_lease_get_address(lease, &ip6_addr,
&lifetime_preferred,
&lifetime_valid) >= 0) {
@ -581,6 +612,19 @@ static int dhcp6_lease_address_acquired(sd_dhcp6_client *client, Link *link) {
return r;
}
if (link->dhcp6_address_messages == 0) {
link->dhcp6_address_configured = true;
return link_request_set_routes(link);
} else {
log_link_debug(link, "Setting DHCPv6 addresses");
/* address_handler calls link_request_set_routes() and link_request_set_nexthop().
* Before they are called, the related flags must be cleared. Otherwise, the link
* becomes configured state before routes are configured. */
link->static_routes_configured = false;
link->static_nexthops_configured = false;
link_set_state(link, LINK_STATE_CONFIGURING);
}
return 0;
}
@ -605,7 +649,6 @@ static void dhcp6_handler(sd_dhcp6_client *client, int event, void *userdata) {
(void) dhcp6_prefix_remove_all(link->manager, link);
link_dirty(link);
link->dhcp6_configured = false;
break;
case SD_DHCP6_CLIENT_EVENT_IP_ACQUIRE:
@ -617,7 +660,7 @@ static void dhcp6_handler(sd_dhcp6_client *client, int event, void *userdata) {
r = dhcp6_lease_pd_prefix_acquired(client, link);
if (r < 0)
log_link_debug(link, "DHCPv6 did not receive prefixes to delegate");
log_link_debug_errno(link, r, "DHCPv6 did not receive prefixes to delegate: %m");
_fallthrough_;
case SD_DHCP6_CLIENT_EVENT_INFORMATION_REQUEST:
@ -628,7 +671,6 @@ static void dhcp6_handler(sd_dhcp6_client *client, int event, void *userdata) {
}
link_dirty(link);
link->dhcp6_configured = true;
break;
default:
@ -665,7 +707,7 @@ int dhcp6_request_address(Link *link, int ir) {
r = sd_dhcp6_client_set_address_request(link->dhcp6_client,
false);
if (r < 0 )
if (r < 0)
return r;
ir = false;
@ -812,7 +854,6 @@ int dhcp6_configure(Link *link) {
log_link_debug(link, "DHCP6 CLIENT: Failed to set request flag for '%u' already exists, ignoring.", option);
continue;
}
if (r < 0)
return log_link_error_errno(link, r, "DHCP6 CLIENT: Failed to set request flag for '%u': %m", option);
}
@ -865,21 +906,30 @@ static Link *dhcp6_prefix_get(Manager *m, struct in6_addr *addr) {
return hashmap_get(m->dhcp6_prefixes, addr);
}
static int dhcp6_route_add_handler(sd_netlink *nl, sd_netlink_message *m, Link *link) {
static int dhcp6_pd_route_handler(sd_netlink *nl, sd_netlink_message *m, Link *link) {
int r;
assert(link);
assert(link->dhcp6_pd_route_messages > 0);
link->dhcp6_pd_route_messages--;
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
return 1;
r = sd_netlink_message_get_errno(m);
if (r < 0 && r != -EEXIST) {
log_link_message_warning_errno(link, m, r, "Received error adding DHCPv6 Prefix Delegation route");
log_link_message_warning_errno(link, m, r, "Failed to add DHCPv6 Prefix Delegation route");
link_enter_failed(link);
return 1;
}
if (link->dhcp6_pd_route_messages == 0) {
log_link_debug(link, "DHCPv6 prefix delegation routes set");
link->dhcp6_pd_route_configured = true;
link_check_ready(link);
}
return 1;
}
@ -901,9 +951,14 @@ static int dhcp6_prefix_add(Manager *m, struct in6_addr *addr, Link *link) {
route->dst.in6 = *addr;
route->dst_prefixlen = 64;
r = route_configure(route, link, dhcp6_route_add_handler);
link->dhcp6_pd_route_configured = false;
link_set_state(link, LINK_STATE_CONFIGURING);
r = route_configure(route, link, dhcp6_pd_route_handler);
if (r < 0)
return r;
if (r > 0)
link->dhcp6_pd_route_messages++;
(void) in_addr_to_string(AF_INET6, (union in_addr_union *) addr, &buf);
log_link_debug(link, "Adding prefix route %s/64", strnull(buf));
@ -998,26 +1053,33 @@ static int dhcp6_prefix_remove_all(Manager *m, Link *link) {
return 0;
}
static int dhcp6_assign_delegeted_prefix_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
static int dhcp6_pd_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
int r;
assert(link);
assert(link->dhcp6_pd_address_messages > 0);
link->dhcp6_pd_address_messages--;
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
return 1;
r = sd_netlink_message_get_errno(m);
if (r < 0 && r != -EEXIST) {
log_link_message_warning_errno(link, m, r, "Could not set DHCPv6 delegated prefix address ");
log_link_message_warning_errno(link, m, r, "Could not set DHCPv6 delegated prefix address");
link_enter_failed(link);
return 1;
} else if (r >= 0)
(void) manager_rtnl_process_address(rtnl, m, link->manager);
r = link_request_set_routes(link);
if (r < 0) {
link_enter_failed(link);
return 1;
if (link->dhcp6_pd_address_messages == 0) {
log_link_debug(link, "DHCPv6 delegated prefix addresses set");
link->dhcp6_pd_address_configured = true;
r = link_request_set_routes(link);
if (r < 0) {
link_enter_failed(link);
return 1;
}
}
return 1;
@ -1036,8 +1098,10 @@ static int dhcp6_assign_delegated_prefix(Link *link,
assert(link->network);
assert(prefix);
if (!link->network->dhcp6_pd_assign_prefix)
if (!link->network->dhcp6_pd_assign_prefix) {
link->dhcp6_pd_address_configured = true;
return 0;
}
r = address_new(&address);
if (r < 0)
@ -1058,11 +1122,19 @@ static int dhcp6_assign_delegated_prefix(Link *link,
address->cinfo.ifa_prefered = lifetime_preferred;
address->cinfo.ifa_valid = lifetime_valid;
/* address_handler calls link_request_set_routes() and link_request_set_nexthop(). Before they
* are called, the related flags must be cleared. Otherwise, the link becomes configured state
* before routes are configured. */
link->static_routes_configured = false;
link->static_nexthops_configured = false;
link->dhcp6_pd_address_configured = false;
link_set_state(link, LINK_STATE_CONFIGURING);
r = address_configure(address, link, dhcp6_assign_delegeted_prefix_address_handler, true);
r = address_configure(address, link, dhcp6_pd_address_handler, true);
if (r < 0)
return log_link_warning_errno(link, r, "Failed to set acquired DHCPv6 delegated prefix address: %m");
if (r > 0)
link->dhcp6_pd_address_messages++;
return 0;
}

View File

@ -17,6 +17,7 @@ typedef enum DHCP6ClientStartMode {
typedef struct Link Link;
typedef struct Manager Manager;
bool dhcp6_get_prefix_delegation(Link *link);
int dhcp6_request_prefix_delegation(Link *link);
int dhcp6_configure(Link *link);
int dhcp6_request_address(Link *link, int ir);

View File

@ -932,10 +932,9 @@ static int link_request_set_routing_policy_rule(Link *link) {
}
routing_policy_rule_purge(link->manager, link);
if (link->routing_policy_rule_messages == 0) {
if (link->routing_policy_rule_messages == 0)
link->routing_policy_rules_configured = true;
link_check_ready(link);
} else {
else {
log_link_debug(link, "Setting routing policy rules");
link_set_state(link, LINK_STATE_CONFIGURING);
}
@ -972,10 +971,12 @@ static int nexthop_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link)
return 1;
}
int link_request_set_nexthop(Link *link) {
static int link_request_set_nexthop(Link *link) {
NextHop *nh;
int r;
link->static_nexthops_configured = false;
LIST_FOREACH(nexthops, nh, link->network->static_nexthops) {
r = nexthop_configure(nh, link, nexthop_handler);
if (r < 0)
@ -1018,7 +1019,7 @@ static int route_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
if (link->route_messages == 0) {
log_link_debug(link, "Routes set");
link->static_routes_configured = true;
link_check_ready(link);
link_request_set_nexthop(link);
}
return 1;
@ -1040,7 +1041,6 @@ int link_request_set_routes(Link *link) {
assert(link->state != _LINK_STATE_INVALID);
link->static_routes_configured = false;
link->static_routes_ready = false;
if (!link_has_carrier(link) && !link->network->configure_without_carrier)
/* During configuring addresses, the link lost its carrier. As networkd is dropping
@ -1069,7 +1069,7 @@ int link_request_set_routes(Link *link) {
if (link->route_messages == 0) {
link->static_routes_configured = true;
link_check_ready(link);
link_request_set_nexthop(link);
} else {
log_link_debug(link, "Setting routes");
link_set_state(link, LINK_STATE_CONFIGURING);
@ -1085,70 +1085,107 @@ void link_check_ready(Link *link) {
assert(link);
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER)) {
log_link_debug(link, "%s(): link is in failed or linger state.", __func__);
return;
}
if (!link->network)
return;
if (!link->addresses_configured)
if (!link->addresses_configured) {
log_link_debug(link, "%s(): static addresses are not configured.", __func__);
return;
}
if (!link->neighbors_configured)
if (!link->neighbors_configured) {
log_link_debug(link, "%s(): static neighbors are not configured.", __func__);
return;
}
SET_FOREACH(a, link->addresses, i)
if (!address_is_ready(a))
if (!address_is_ready(a)) {
_cleanup_free_ char *str = NULL;
(void) in_addr_to_string(a->family, &a->in_addr, &str);
log_link_debug(link, "%s(): an address %s/%d is not ready.", __func__, strnull(str), a->prefixlen);
return;
}
if (!link->addresses_ready) {
link->addresses_ready = true;
r = link_request_set_routes(link);
if (r < 0)
link_enter_failed(link);
log_link_debug(link, "%s(): static addresses are configured. Configuring static routes.", __func__);
return;
}
if (!link->static_routes_configured)
return;
if (!link->static_routes_ready) {
link->static_routes_ready = true;
r = link_request_set_nexthop(link);
if (r < 0)
link_enter_failed(link);
if (!link->static_routes_configured) {
log_link_debug(link, "%s(): static routes are not configured.", __func__);
return;
}
if (!link->static_nexthops_configured)
if (!link->static_nexthops_configured) {
log_link_debug(link, "%s(): static nexthops are not configured.", __func__);
return;
}
if (!link->routing_policy_rules_configured)
if (!link->routing_policy_rules_configured) {
log_link_debug(link, "%s(): static routing policy rules are not configured.", __func__);
return;
}
if (!link->tc_configured)
if (!link->tc_configured) {
log_link_debug(link, "%s(): traffic controls are not configured.", __func__);
return;
}
if (!link->sr_iov_configured)
if (!link->sr_iov_configured) {
log_link_debug(link, "%s(): SR-IOV is not configured.", __func__);
return;
}
if (link_has_carrier(link) || !link->network->configure_without_carrier) {
if (link_ipv4ll_enabled(link, ADDRESS_FAMILY_IPV4) && !link->ipv4ll_address)
if (link_ipv4ll_enabled(link, ADDRESS_FAMILY_IPV4) && !link->ipv4ll_address) {
log_link_debug(link, "%s(): IPv4LL is not configured.", __func__);
return;
}
if (link_ipv6ll_enabled(link) &&
in_addr_is_null(AF_INET6, (const union in_addr_union*) &link->ipv6ll_address))
in_addr_is_null(AF_INET6, (const union in_addr_union*) &link->ipv6ll_address)) {
log_link_debug(link, "%s(): IPv6LL is not configured.", __func__);
return;
}
if ((link_dhcp4_enabled(link) || link_dhcp6_enabled(link) || link_ipv6_accept_ra_enabled(link)) &&
!link->dhcp4_configured &&
!link->dhcp6_configured &&
!link->ndisc_configured &&
!(link_ipv4ll_enabled(link, ADDRESS_FAMILY_FALLBACK_IPV4) && link->ipv4ll_address))
/* When DHCP or RA is enabled, at least one protocol must provide an address, or
* an IPv4ll fallback address must be configured. */
if ((link_dhcp4_enabled(link) || link_dhcp6_enabled(link)) && set_isempty(link->addresses)) {
log_link_debug(link, "%s(): DHCP4 or DHCP6 is enabled but no address is assigned yet.", __func__);
return;
}
if (link_dhcp4_enabled(link) || link_dhcp6_enabled(link) || dhcp6_get_prefix_delegation(link) || link_ipv6_accept_ra_enabled(link)) {
if (!link->dhcp4_configured &&
!(link->dhcp6_address_configured && link->dhcp6_route_configured) &&
!(link->dhcp6_pd_address_configured && link->dhcp6_pd_route_configured) &&
!(link->ndisc_addresses_configured && link->ndisc_routes_configured) &&
!(link_ipv4ll_enabled(link, ADDRESS_FAMILY_FALLBACK_IPV4) && link->ipv4ll_address)) {
/* When DHCP or RA is enabled, at least one protocol must provide an address, or
* an IPv4ll fallback address must be configured. */
log_link_debug(link, "%s(): dynamic addresses or routes are not configured.", __func__);
return;
}
log_link_debug(link, "%s(): dhcp4:%s dhcp6_addresses:%s dhcp_routes:%s dhcp_pd_addresses:%s dhcp_pd_routes:%s ndisc_addresses:%s ndisc_routes:%s",
__func__,
yes_no(link->dhcp4_configured),
yes_no(link->dhcp6_address_configured),
yes_no(link->dhcp6_route_configured),
yes_no(link->dhcp6_pd_address_configured),
yes_no(link->dhcp6_pd_route_configured),
yes_no(link->ndisc_addresses_configured),
yes_no(link->ndisc_routes_configured));
}
}
if (link->state != LINK_STATE_CONFIGURED)
@ -1245,7 +1282,6 @@ static int link_request_set_addresses(Link *link) {
link->addresses_ready = false;
link->neighbors_configured = false;
link->static_routes_configured = false;
link->static_routes_ready = false;
link->static_nexthops_configured = false;
link->routing_policy_rules_configured = false;

View File

@ -100,13 +100,23 @@ typedef struct Link {
char *lease_file;
uint32_t original_mtu;
unsigned dhcp4_messages;
unsigned dhcp4_remove_messages;
unsigned dhcp6_address_messages;
unsigned dhcp6_route_messages;
unsigned dhcp6_pd_address_messages;
unsigned dhcp6_pd_route_messages;
bool dhcp4_route_failed:1;
bool dhcp4_route_retrying:1;
bool dhcp4_configured:1;
bool dhcp6_configured:1;
bool dhcp6_address_configured:1;
bool dhcp6_route_configured:1;
bool dhcp6_pd_address_configured:1;
bool dhcp6_pd_route_configured:1;
unsigned ndisc_messages;
bool ndisc_configured;
unsigned ndisc_addresses_messages;
unsigned ndisc_routes_messages;
bool ndisc_addresses_configured:1;
bool ndisc_routes_configured:1;
sd_ipv4ll *ipv4ll;
bool ipv4ll_address:1;
@ -115,7 +125,6 @@ typedef struct Link {
bool addresses_ready:1;
bool neighbors_configured:1;
bool static_routes_configured:1;
bool static_routes_ready:1;
bool static_nexthops_configured:1;
bool routing_policy_rules_configured:1;
bool tc_configured:1;
@ -217,7 +226,6 @@ uint32_t link_get_vrf_table(Link *link);
uint32_t link_get_dhcp_route_table(Link *link);
uint32_t link_get_ipv6_accept_ra_route_table(Link *link);
int link_request_set_routes(Link *link);
int link_request_set_nexthop(Link *link);
int link_reconfigure(Link *link, bool force);

View File

@ -82,64 +82,60 @@ static int make_stableprivate_address(Link *link, const struct in6_addr *prefix,
return 0;
}
static int ndisc_netlink_route_message_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
static int ndisc_route_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
int r;
assert(link);
assert(link->ndisc_messages > 0);
assert(link->ndisc_routes_messages > 0);
link->ndisc_messages--;
link->ndisc_routes_messages--;
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
return 1;
r = sd_netlink_message_get_errno(m);
if (r < 0 && r != -EEXIST) {
log_link_message_error_errno(link, m, r, "Could not set NDisc route or address");
log_link_message_error_errno(link, m, r, "Could not set NDisc route");
link_enter_failed(link);
return 1;
}
if (link->ndisc_messages == 0) {
link->ndisc_configured = true;
r = link_request_set_routes(link);
if (r < 0) {
link_enter_failed(link);
return 1;
}
if (link->ndisc_routes_messages == 0) {
log_link_debug(link, "NDisc routes set.");
link->ndisc_routes_configured = true;
link_check_ready(link);
}
return 1;
}
static int ndisc_netlink_address_message_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
static int ndisc_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
int r;
assert(link);
assert(link->ndisc_messages > 0);
assert(link->ndisc_addresses_messages > 0);
link->ndisc_messages--;
link->ndisc_addresses_messages--;
if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
return 1;
r = sd_netlink_message_get_errno(m);
if (r < 0 && r != -EEXIST) {
log_link_message_error_errno(link, m, r, "Could not set NDisc route or address");
log_link_message_error_errno(link, m, r, "Could not set NDisc address");
link_enter_failed(link);
return 1;
} else if (r >= 0)
(void) manager_rtnl_process_address(rtnl, m, link->manager);
if (link->ndisc_messages == 0) {
link->ndisc_configured = true;
if (link->ndisc_addresses_messages == 0) {
log_link_debug(link, "NDisc SLAAC addresses set.");
link->ndisc_addresses_configured = true;
r = link_request_set_routes(link);
if (r < 0) {
link_enter_failed(link);
return 1;
}
link_check_ready(link);
}
return 1;
@ -223,14 +219,14 @@ static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) {
route->lifetime = time_now + lifetime * USEC_PER_SEC;
route->mtu = mtu;
r = route_configure(route, link, ndisc_netlink_route_message_handler);
r = route_configure(route, link, ndisc_route_handler);
if (r < 0) {
log_link_warning_errno(link, r, "Could not set default route: %m");
link_enter_failed(link);
return r;
}
if (r > 0)
link->ndisc_messages++;
link->ndisc_routes_messages++;
Route *route_gw;
LIST_FOREACH(routes, route_gw, link->network->static_routes) {
@ -242,14 +238,14 @@ static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) {
route_gw->gw = gateway;
r = route_configure(route_gw, link, ndisc_netlink_route_message_handler);
r = route_configure(route_gw, link, ndisc_route_handler);
if (r < 0) {
log_link_error_errno(link, r, "Could not set gateway: %m");
link_enter_failed(link);
return r;
}
if (r > 0)
link->ndisc_messages++;
link->ndisc_routes_messages++;
}
return 0;
@ -404,20 +400,19 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r
} else if (lifetime_valid > 0)
a->cinfo.ifa_valid = lifetime_valid;
else
return 0; /* see RFC4862 section 5.5.3.d */
continue; /* see RFC4862 section 5.5.3.d */
if (a->cinfo.ifa_valid == 0)
continue;
r = address_configure(a, link, ndisc_netlink_address_message_handler, true);
r = address_configure(a, link, ndisc_address_handler, true);
if (r < 0) {
log_link_warning_errno(link, r, "Could not set SLAAC address: %m");
link_enter_failed(link);
return r;
}
if (r > 0)
link->ndisc_messages++;
link->ndisc_addresses_messages++;
}
return 0;
@ -461,14 +456,14 @@ static int ndisc_router_process_onlink_prefix(Link *link, sd_ndisc_router *rt) {
if (r < 0)
return log_link_error_errno(link, r, "Failed to get prefix address: %m");
r = route_configure(route, link, ndisc_netlink_route_message_handler);
r = route_configure(route, link, ndisc_route_handler);
if (r < 0) {
log_link_warning_errno(link, r, "Could not set prefix route: %m");
link_enter_failed(link);
return r;
}
if (r > 0)
link->ndisc_messages++;
link->ndisc_routes_messages++;
return 0;
}
@ -523,14 +518,14 @@ static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
if (r < 0)
return log_link_error_errno(link, r, "Failed to get route address: %m");
r = route_configure(route, link, ndisc_netlink_route_message_handler);
r = route_configure(route, link, ndisc_route_handler);
if (r < 0) {
log_link_warning_errno(link, r, "Could not set additional route: %m");
link_enter_failed(link);
return r;
}
if (r > 0)
link->ndisc_messages++;
link->ndisc_routes_messages++;
return 0;
}
@ -816,11 +811,38 @@ static void ndisc_handler(sd_ndisc *nd, sd_ndisc_event event, sd_ndisc_router *r
switch (event) {
case SD_NDISC_EVENT_ROUTER:
link->ndisc_addresses_configured = false;
link->ndisc_routes_configured = false;
(void) ndisc_router_handler(link, rt);
if (link->ndisc_addresses_messages == 0)
link->ndisc_addresses_configured = true;
else {
log_link_debug(link, "Setting SLAAC addresses.");
/* address_handler calls link_request_set_routes() and link_request_set_nexthop().
* Before they are called, the related flags must be cleared. Otherwise, the link
* becomes configured state before routes are configured. */
link->static_routes_configured = false;
link->static_nexthops_configured = false;
}
if (link->ndisc_routes_messages == 0)
link->ndisc_routes_configured = true;
else
log_link_debug(link, "Setting NDisc routes.");
if (link->ndisc_addresses_configured && link->ndisc_routes_configured)
link_check_ready(link);
else
link_set_state(link, LINK_STATE_CONFIGURING);
break;
case SD_NDISC_EVENT_TIMEOUT:
link->ndisc_configured = true;
log_link_debug(link, "NDISC handler get timeout event");
link->ndisc_addresses_configured = true;
link->ndisc_routes_configured = true;
link_check_ready(link);
break;

View File

@ -52,7 +52,7 @@ void network_apply_anonymize_if_set(Network *network) {
/* RFC7844 section 3.6.:
The client intending to protect its privacy SHOULD only request a
minimal number of options in the PRL and SHOULD also randomly shuffle
the ordering of option codes in the PRL. If this random ordering
the ordering of option codes in the PRL. If this random ordering
cannot be implemented, the client MAY order the option codes in the
PRL by option code number (lowest to highest).
*/

View File

@ -26,7 +26,7 @@ int tc_init(double *ret_ticks_in_usec, uint32_t *ret_hz) {
if (r < 4)
return -EIO;
clock_factor = (double) clock_resolution / USEC_PER_SEC;
clock_factor = (double) clock_resolution / USEC_PER_SEC;
ticks_in_usec = (double) ticks_to_usec / usec_to_ticks * clock_factor;
}
@ -57,7 +57,7 @@ int tc_time_to_tick(usec_t t, uint32_t *ret) {
return 0;
}
int parse_tc_percent(const char *s, uint32_t *percent) {
int parse_tc_percent(const char *s, uint32_t *percent) {
int r;
assert(s);

View File

@ -323,7 +323,7 @@ int manager_new(Manager **ret, Hashmap *interfaces, char **ignore,
if (r < 0)
return r;
(void) sd_event_add_signal(m->event, NULL, SIGTERM, NULL, NULL);
(void) sd_event_add_signal(m->event, NULL, SIGTERM, NULL, NULL);
(void) sd_event_add_signal(m->event, NULL, SIGINT, NULL, NULL);
if (timeout > 0) {

View File

@ -4636,7 +4636,7 @@ static int run_container(
if (!barrier_place_and_sync(&barrier)) /* #5 */
return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Child died too early.");
/* At this point we have made use of the UID we picked, and thus nss-mymachines
/* At this point we have made use of the UID we picked, and thus nss-systemd/systemd-machined.service
* will make them appear in getpwuid(), thus we can release the /etc/passwd lock. */
etc_passwd_lock = safe_close(etc_passwd_lock);

View File

@ -19,15 +19,11 @@
#include "nss-util.h"
#include "signal-util.h"
#include "string-util.h"
#include "user-util.h"
NSS_GETHOSTBYNAME_PROTOTYPES(mymachines);
NSS_GETPW_PROTOTYPES(mymachines);
NSS_GETGR_PROTOTYPES(mymachines);
#define HOST_UID_LIMIT ((uid_t) UINT32_C(0x10000))
#define HOST_GID_LIMIT ((gid_t) UINT32_C(0x10000))
static int count_addresses(sd_bus_message *m, int af, unsigned *ret) {
unsigned c = 0;
int r;
@ -402,94 +398,7 @@ enum nss_status _nss_mymachines_getpwnam_r(
char *buffer, size_t buflen,
int *errnop) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
const char *p, *e, *machine;
uint32_t mapped;
uid_t uid;
size_t l;
int r;
PROTECT_ERRNO;
BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
assert(name);
assert(pwd);
p = startswith(name, "vu-");
if (!p)
return NSS_STATUS_NOTFOUND;
e = strrchr(p, '-');
if (!e || e == p)
return NSS_STATUS_NOTFOUND;
if (e - p > HOST_NAME_MAX - 1) /* -1 for the last dash */
return NSS_STATUS_NOTFOUND;
r = parse_uid(e + 1, &uid);
if (r < 0)
return NSS_STATUS_NOTFOUND;
machine = strndupa(p, e - p);
if (!machine_name_is_valid(machine))
return NSS_STATUS_NOTFOUND;
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
/* Make sure we can't deadlock if we are invoked by dbus-daemon. This way, it won't be able to resolve
* these UIDs, but that should be unproblematic as containers should never be able to connect to a bus
* running on the host. */
return NSS_STATUS_NOTFOUND;
if (avoid_deadlock()) {
r = -EDEADLK;
goto fail;
}
r = sd_bus_open_system(&bus);
if (r < 0)
goto fail;
r = bus_call_method(bus, bus_machine_mgr, "MapFromMachineUser", &error, &reply, "su", machine, (uint32_t) uid);
if (r < 0) {
if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
return NSS_STATUS_NOTFOUND;
goto fail;
}
r = sd_bus_message_read(reply, "u", &mapped);
if (r < 0)
goto fail;
/* Refuse to work if the mapped address is in the host UID range, or if there was no mapping at all. */
if (mapped < HOST_UID_LIMIT || mapped == uid)
return NSS_STATUS_NOTFOUND;
l = strlen(name);
if (buflen < l+1) {
UNPROTECT_ERRNO;
*errnop = ERANGE;
return NSS_STATUS_TRYAGAIN;
}
memcpy(buffer, name, l+1);
pwd->pw_name = buffer;
pwd->pw_uid = mapped;
pwd->pw_gid = GID_NOBODY;
pwd->pw_gecos = buffer;
pwd->pw_passwd = (char*) "*"; /* locked */
pwd->pw_dir = (char*) "/";
pwd->pw_shell = (char*) NOLOGIN;
return NSS_STATUS_SUCCESS;
fail:
UNPROTECT_ERRNO;
*errnop = -r;
return NSS_STATUS_UNAVAIL;
return NSS_STATUS_NOTFOUND;
}
enum nss_status _nss_mymachines_getpwuid_r(
@ -498,162 +407,16 @@ enum nss_status _nss_mymachines_getpwuid_r(
char *buffer, size_t buflen,
int *errnop) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
const char *machine;
uint32_t mapped;
int r;
PROTECT_ERRNO;
BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
if (!uid_is_valid(uid))
return NSS_STATUS_NOTFOUND;
/* We consider all uids < 65536 host uids */
if (uid < HOST_UID_LIMIT)
return NSS_STATUS_NOTFOUND;
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
return NSS_STATUS_NOTFOUND;
if (avoid_deadlock()) {
r = -EDEADLK;
goto fail;
}
r = sd_bus_open_system(&bus);
if (r < 0)
goto fail;
r = bus_call_method(bus, bus_machine_mgr, "MapToMachineUser", &error, &reply, "u", (uint32_t) uid);
if (r < 0) {
if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
return NSS_STATUS_NOTFOUND;
goto fail;
}
r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
if (r < 0)
goto fail;
if (mapped == uid)
return NSS_STATUS_NOTFOUND;
if (snprintf(buffer, buflen, "vu-%s-" UID_FMT, machine, (uid_t) mapped) >= (int) buflen) {
UNPROTECT_ERRNO;
*errnop = ERANGE;
return NSS_STATUS_TRYAGAIN;
}
pwd->pw_name = buffer;
pwd->pw_uid = uid;
pwd->pw_gid = GID_NOBODY;
pwd->pw_gecos = buffer;
pwd->pw_passwd = (char*) "*"; /* locked */
pwd->pw_dir = (char*) "/";
pwd->pw_shell = (char*) NOLOGIN;
return NSS_STATUS_SUCCESS;
fail:
UNPROTECT_ERRNO;
*errnop = -r;
return NSS_STATUS_UNAVAIL;
return NSS_STATUS_NOTFOUND;
}
#pragma GCC diagnostic ignored "-Wsizeof-pointer-memaccess"
enum nss_status _nss_mymachines_getgrnam_r(
const char *name,
struct group *gr,
char *buffer, size_t buflen,
int *errnop) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
const char *p, *e, *machine;
uint32_t mapped;
uid_t gid;
size_t l;
int r;
PROTECT_ERRNO;
BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
assert(name);
assert(gr);
p = startswith(name, "vg-");
if (!p)
return NSS_STATUS_NOTFOUND;
e = strrchr(p, '-');
if (!e || e == p)
return NSS_STATUS_NOTFOUND;
if (e - p > HOST_NAME_MAX - 1) /* -1 for the last dash */
return NSS_STATUS_NOTFOUND;
r = parse_gid(e + 1, &gid);
if (r < 0)
return NSS_STATUS_NOTFOUND;
machine = strndupa(p, e - p);
if (!machine_name_is_valid(machine))
return NSS_STATUS_NOTFOUND;
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
return NSS_STATUS_NOTFOUND;
if (avoid_deadlock()) {
r = -EDEADLK;
goto fail;
}
r = sd_bus_open_system(&bus);
if (r < 0)
goto fail;
r = bus_call_method(bus, bus_machine_mgr, "MapFromMachineGroup", &error, &reply, "su", machine, (uint32_t) gid);
if (r < 0) {
if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
return NSS_STATUS_NOTFOUND;
goto fail;
}
r = sd_bus_message_read(reply, "u", &mapped);
if (r < 0)
goto fail;
if (mapped < HOST_GID_LIMIT || mapped == gid)
return NSS_STATUS_NOTFOUND;
l = sizeof(char*) + strlen(name) + 1;
if (buflen < l) {
UNPROTECT_ERRNO;
*errnop = ERANGE;
return NSS_STATUS_TRYAGAIN;
}
memzero(buffer, sizeof(char*));
strcpy(buffer + sizeof(char*), name);
gr->gr_name = buffer + sizeof(char*);
gr->gr_gid = mapped;
gr->gr_passwd = (char*) "*"; /* locked */
gr->gr_mem = (char**) buffer;
return NSS_STATUS_SUCCESS;
fail:
UNPROTECT_ERRNO;
*errnop = -r;
return NSS_STATUS_UNAVAIL;
return NSS_STATUS_NOTFOUND;
}
enum nss_status _nss_mymachines_getgrgid_r(
@ -662,72 +425,5 @@ enum nss_status _nss_mymachines_getgrgid_r(
char *buffer, size_t buflen,
int *errnop) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
const char *machine;
uint32_t mapped;
int r;
PROTECT_ERRNO;
BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
if (!gid_is_valid(gid))
return NSS_STATUS_NOTFOUND;
/* We consider all gids < 65536 host gids */
if (gid < HOST_GID_LIMIT)
return NSS_STATUS_NOTFOUND;
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
return NSS_STATUS_NOTFOUND;
if (avoid_deadlock()) {
r = -EDEADLK;
goto fail;
}
r = sd_bus_open_system(&bus);
if (r < 0)
goto fail;
r = bus_call_method(bus, bus_machine_mgr, "MapToMachineGroup", &error, &reply, "u", (uint32_t) gid);
if (r < 0) {
if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
return NSS_STATUS_NOTFOUND;
goto fail;
}
r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
if (r < 0)
goto fail;
if (mapped == gid)
return NSS_STATUS_NOTFOUND;
if (buflen < sizeof(char*) + 1) {
UNPROTECT_ERRNO;
*errnop = ERANGE;
return NSS_STATUS_TRYAGAIN;
}
memzero(buffer, sizeof(char*));
if (snprintf(buffer + sizeof(char*), buflen - sizeof(char*), "vg-%s-" GID_FMT, machine, (gid_t) mapped) >= (int) buflen) {
UNPROTECT_ERRNO;
*errnop = ERANGE;
return NSS_STATUS_TRYAGAIN;
}
gr->gr_name = buffer + sizeof(char*);
gr->gr_gid = gid;
gr->gr_passwd = (char*) "*"; /* locked */
gr->gr_mem = (char**) buffer;
return NSS_STATUS_SUCCESS;
fail:
UNPROTECT_ERRNO;
*errnop = -r;
return NSS_STATUS_UNAVAIL;
return NSS_STATUS_NOTFOUND;
}

View File

@ -50,6 +50,7 @@
static int print_catalog(FILE *f, sd_journal *j) {
_cleanup_free_ char *t = NULL, *z = NULL;
const char *newline, *prefix;
int r;
assert(j);
@ -60,13 +61,31 @@ static int print_catalog(FILE *f, sd_journal *j) {
if (r < 0)
return log_error_errno(r, "Failed to find catalog entry: %m");
z = strreplace(strstrip(t), "\n", "\n-- ");
if (is_locale_utf8())
prefix = strjoina(special_glyph(SPECIAL_GLYPH_LIGHT_SHADE), special_glyph(SPECIAL_GLYPH_LIGHT_SHADE));
else
prefix = "--";
if (colors_enabled())
newline = strjoina(ANSI_NORMAL "\n" ANSI_GREY, prefix, ANSI_NORMAL " " ANSI_GREEN);
else
newline = strjoina("\n", prefix, " ");
z = strreplace(strstrip(t), "\n", newline);
if (!z)
return log_oom();
fputs("-- ", f);
if (colors_enabled())
fprintf(f, ANSI_GREY "%s" ANSI_NORMAL " " ANSI_GREEN, prefix);
else
fprintf(f, "%s ", prefix);
fputs(z, f);
fputc('\n', f);
if (colors_enabled())
fputs(ANSI_NORMAL "\n", f);
else
fputc('\n', f);
return 1;
}

View File

@ -156,6 +156,8 @@ static int userdb_on_query_reply(
r = -ESRCH;
else if (streq(error_id, "io.systemd.UserDatabase.ServiceNotAvailable"))
r = -EHOSTDOWN;
else if (streq(error_id, "io.systemd.UserDatabase.EnumerationNotSupported"))
r = -EOPNOTSUPP;
else if (streq(error_id, VARLINK_ERROR_TIMEOUT))
r = -ETIMEDOUT;
else

View File

@ -858,7 +858,7 @@ static void test_path_is_encrypted_one(const char *p, int expect) {
return;
assert_se(r >= 0);
printf("%s encrypted: %s\n", p, yes_no(r));
log_info("%s encrypted: %s", p, yes_no(r));
assert_se(expect < 0 || ((r > 0) == (expect > 0)));
}

View File

@ -0,0 +1 @@
../TEST-01-BASIC/Makefile

View File

@ -0,0 +1,11 @@
#!/usr/bin/env bash
set -e
TEST_DESCRIPTION="test timer units when initial clock is ahead"
TEST_NO_NSPAWN=1
future_date=$(date -u +%Y-%m-%dT%H:%M:%S -d '+3 days')
QEMU_OPTIONS="-rtc base=${future_date}"
. $TEST_BASE_DIR/test-functions
do_test "$@" 53

View File

@ -376,7 +376,7 @@ DHCP={}
# IPv6, but we want to wait for both
for _ in range(10):
out = subprocess.check_output(['ip', 'a', 'show', 'dev', self.iface])
if b'state UP' in out and b'inet6 2600' in out and b'inet 192.168' in out:
if b'state UP' in out and b'inet6 2600' in out and b'inet 192.168' in out and b'tentative' not in out:
break
time.sleep(1)
else:

View File

@ -1,2 +1,5 @@
[Match]
Name=bond199
[Network]
IPv6AcceptRA=no

View File

@ -2,4 +2,5 @@
Name=veth-peer
[Network]
IPv6AcceptRA=no
EmitLLDP=yes

View File

@ -2,4 +2,5 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
KeepConfiguration=static

View File

@ -2,4 +2,5 @@
Name=veth99
[Network]
IPv6AcceptRA=no
LLDP=yes

View File

@ -2,6 +2,7 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Address=192.168.42.100/24
DNS=192.168.42.1
Domains= one two three four five six seven eight nine ten

View File

@ -3,3 +3,6 @@ Name=dummy98
[Link]
MACAddress=00:01:02:aa:bb:cc
[Network]
IPv6AcceptRA=no

View File

@ -2,6 +2,8 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
# these lines are ignored
Address=hogehoge
Address=foofoo

View File

@ -1,6 +1,9 @@
[Match]
Name=test1
[Network]
IPv6AcceptRA=no
[RoutingPolicyRule]
TypeOfService=0x08
Table=7

View File

@ -1,6 +1,9 @@
[Match]
Name=test1
[Network]
IPv6AcceptRA=no
[RoutingPolicyRule]
TypeOfService=0x08
Table=7

View File

@ -1,6 +1,9 @@
[Match]
Name=test1
[Network]
IPv6AcceptRA=no
[RoutingPolicyRule]
TypeOfService=0x08
Table=7

View File

@ -2,5 +2,6 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Address=149.10.124.58/28
Gateway=149.10.124.60

View File

@ -2,5 +2,6 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Address=149.10.124.58/28
Gateway=149.10.124.59

View File

@ -1,6 +1,9 @@
[Match]
Name=dummy98
[Network]
IPv6AcceptRA=no
[IPv6AddressLabel]
Label=4444
Prefix=2004:da8:1:0::/64

View File

@ -2,6 +2,7 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
VRF=vrf99
Address=192.168.100.2/24
Gateway=192.168.100.1

View File

@ -1,2 +1,5 @@
[Match]
Name=vrf99
[Network]
IPv6AcceptRA=no

View File

@ -2,4 +2,5 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=sittun99

View File

@ -2,5 +2,6 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=erspan99
Tunnel=erspan98

View File

@ -2,5 +2,6 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=gretap99
Tunnel=gretap98

View File

@ -2,6 +2,7 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=gretun99
Tunnel=gretun98
Tunnel=gretun97

View File

@ -2,5 +2,6 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=ip6gretap99
Tunnel=ip6gretap98

View File

@ -2,6 +2,7 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=ip6gretun99
Tunnel=ip6gretun98
Tunnel=ip6gretun97

View File

@ -2,6 +2,7 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=ip6tnl99
Tunnel=ip6tnl98
Tunnel=ip6tnl97

View File

@ -2,6 +2,7 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=ipiptun99
Tunnel=ipiptun98
Tunnel=ipiptun97

View File

@ -2,4 +2,5 @@
Name=test1
[Network]
IPv6AcceptRA=no
IPVLAN=ipvlan99

View File

@ -2,4 +2,5 @@
Name=test1
[Network]
IPv6AcceptRA=no
IPVTAP=ipvtap99

View File

@ -2,4 +2,5 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=isataptun99

View File

@ -2,4 +2,5 @@
Name=test1
[Network]
IPv6AcceptRA=no
MACVLAN=macvlan99

View File

@ -2,4 +2,5 @@
Name=test1
[Network]
IPv6AcceptRA=no
MACVTAP=macvtap99

View File

@ -1,6 +1,9 @@
[Match]
Name=dummy98
[Network]
IPv6AcceptRA=no
[RoutingPolicyRule]
TypeOfService=0x08
Table=8

View File

@ -1,6 +1,9 @@
[Match]
Name=test1
[Network]
IPv6AcceptRA=no
[RoutingPolicyRule]
TypeOfService=0x08
Table=7

View File

@ -2,6 +2,7 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=sittun99
Tunnel=sittun98
Tunnel=sittun97

View File

@ -5,6 +5,7 @@ Name=dummy98
RequiredForOnline=routable
[Network]
IPv6AcceptRA=no
DNS=10.10.10.10 10.10.10.11
NTP=0.fedora.pool.ntp.org 1.fedora.pool.ntp.org
Domains=hogehoge ~foofoo

View File

@ -2,6 +2,7 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=vtitun99
Tunnel=vtitun98
Tunnel=vtitun97

View File

@ -2,6 +2,7 @@
Name=dummy98
[Network]
IPv6AcceptRA=no
Tunnel=vti6tun99
Tunnel=vti6tun98
Tunnel=vti6tun97

View File

@ -557,7 +557,7 @@ class Utilities():
if i > 0:
time.sleep(1)
output = check_output(f'ip {ipv} address show dev {link} scope {scope}')
if re.search(address_regex, output):
if re.search(address_regex, output) and 'tentative' not in output:
break
else:
self.assertRegex(output, address_regex)
@ -3168,6 +3168,12 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities):
self.assertRegex(output, '2600::')
self.assertNotRegex(output, '192.168.5')
output = check_output('ip addr show dev veth99')
print(output)
self.assertRegex(output, '2600::')
self.assertNotRegex(output, '192.168.5')
self.assertNotRegex(output, 'tentative')
# Confirm that ipv6 token is not set in the kernel
output = check_output('ip token show dev veth99')
print(output)

View File

@ -0,0 +1,7 @@
[Unit]
Description=TEST-53-ISSUE-16347
[Service]
ExecStartPre=rm -f /failed /testok
ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
Type=oneshot

30
test/units/testsuite-53.sh Executable file
View File

@ -0,0 +1,30 @@
#!/usr/bin/env bash
set -ex
set -o pipefail
>/failed
# Reset host date to current time, 3 days in the past.
date -s "-3 days"
# Run a timer for every 15 minutes.
systemd-run --unit test-timer --on-calendar "*:0/15:0" true
next_elapsed=$(systemctl show test-timer.timer -p NextElapseUSecRealtime --value)
next_elapsed=$(date -d "${next_elapsed}" +%s)
now=$(date +%s)
time_delta=$((next_elapsed - now))
# Check that the timer will elapse in less than 20 minutes.
((0 < time_delta && time_delta < 1200)) || {
echo 'Timer elapse outside of the expected 20 minute window.'
echo " next_elapsed=${next_elapsed}"
echo " now=${now}"
echo " time_delta=${time_delta}"
echo ''
} >>/failed
if test ! -s /failed ; then
rm -f /failed
touch /testok
fi