Merge pull request #2623 from poettering/networkd-fixes

Networkd, resolved, build-sys fixes
Zbigniew Jędrzejewski-Szmek 2016-02-16 18:36:42 -05:00
commit 2c45295e47
13 changed files with 122 additions and 28 deletions


@ -5759,6 +5759,7 @@ substitutions = \
'|PYTHON=$(PYTHON)|' \
'|NTP_SERVERS=$(NTP_SERVERS)|' \
'|DNS_SERVERS=$(DNS_SERVERS)|' \
'|DEFAULT_DNSSEC_MODE=$(DEFAULT_DNSSEC_MODE)|' \
'|systemuidmax=$(SYSTEM_UID_MAX)|' \
'|systemgidmax=$(SYSTEM_GID_MAX)|' \
'|TTY_GID=$(TTY_GID)|' \

NEWS

@ -2,6 +2,23 @@ systemd System and Service Manager
CHANGES WITH 230 in spe:
* DNSSEC is now turned on by default in systemd-resolved (in
"allow-downgrade" mode), but may be turned off during compile time by
passing "--with-default-dnssec=no" to "configure" (and of course,
during runtime with DNSSEC= in resolved.conf). We recommend
downstreams to leave this on at least during development cycles and
report any issues with the DNSSEC logic upstream. We are very
interested in collecting feedback about the DNSSEC validator and its
limitations in the wild. Note however, that DNSSEC support is
probably nothing downstreams should turn on in stable distros just
yet, as it might create incompabilities with a few DNS servers and
networks. We tried hard to make sure we downgrade to non-DNSSEC mode
automatically whenever we detect such incompatible setups, but there
might be systems we do not cover yet. Hence: please help us testing
the DNSSEC code, leave this on where you can, report back, but then
again don't consider turning this on in your stable, LTS or
production release just yet.
* Testing tool /usr/lib/systemd/systemd-activate is renamed to
systemd-socket-activate and installed into /usr/bin. It is now fully
supported.


@ -295,10 +295,8 @@ CAP_LIBS="$LIBS"
LIBS="$save_LIBS"
AC_SUBST(CAP_LIBS)
AC_CHECK_FUNCS([memfd_create])
AC_CHECK_FUNCS([__secure_getenv secure_getenv])
AC_CHECK_DECLS([gettid, pivot_root, name_to_handle_at, setns, getrandom, renameat2,
kcmp, keyctl, key_serial_t, char16_t, char32_t, LO_FLAGS_PARTSCAN],
AC_CHECK_DECLS([memfd_create, gettid, pivot_root, name_to_handle_at, setns, getrandom, renameat2, kcmp, keyctl, LO_FLAGS_PARTSCAN],
[], [], [[
#include <sys/types.h>
#include <unistd.h>
@ -309,6 +307,11 @@ AC_CHECK_DECLS([gettid, pivot_root, name_to_handle_at, setns, getrandom, renamea
#include <linux/random.h>
]])
AC_CHECK_TYPES([char16_t, char32_t, key_serial_t],
[], [], [[
#include <uchar.h>
]])
AC_CHECK_DECLS([IFLA_INET6_ADDR_GEN_MODE,
IFLA_MACVLAN_FLAGS,
IFLA_IPVLAN_MODE,
@ -1128,6 +1131,20 @@ AC_ARG_WITH(dns-servers,
AC_DEFINE_UNQUOTED(DNS_SERVERS, ["$DNS_SERVERS"], [Default DNS Servers])
AC_SUBST(DNS_SERVERS)
AC_ARG_WITH(default-dnssec,
AS_HELP_STRING([--with-default-dnssec=MODE],
[Default DNSSEC mode, defaults to "allow-downgrade"]),
[DEFAULT_DNSSEC_MODE="$withval"],
[DEFAULT_DNSSEC_MODE="allow-downgrade"])
AS_CASE("x${DEFAULT_DNSSEC_MODE}",
[xno], [mode=DNSSEC_NO],
[xyes], [mode=DNSSEC_YES],
[xallow-downgrade], [mode=DNSSEC_ALLOW_DOWNGRADE],
AC_MSG_ERROR(Bad DNSSEC mode ${DEFAULT_DNSSEC_MODE}))
AC_DEFINE_UNQUOTED(DEFAULT_DNSSEC_MODE, [$mode], [Default DNSSEC mode])
AC_SUBST(DEFAULT_DNSSEC_MODE)
# ------------------------------------------------------------------------------
have_networkd=no
AC_ARG_ENABLE(networkd, AS_HELP_STRING([--disable-networkd], [disable networkd]))
@ -1559,12 +1576,13 @@ AC_MSG_RESULT([
hostnamed: ${have_hostnamed}
timedated: ${have_timedated}
timesyncd: ${have_timesyncd}
default NTP servers: ${NTP_SERVERS}
Default NTP servers: ${NTP_SERVERS}
time epoch: ${TIME_EPOCH}
localed: ${have_localed}
networkd: ${have_networkd}
resolved: ${have_resolved}
default DNS servers: ${DNS_SERVERS}
Default DNS servers: ${DNS_SERVERS}
Default DNSSEC mode: ${DEFAULT_DNSSEC_MODE}
coredump: ${have_coredump}
polkit: ${have_polkit}
efi: ${have_efi}


@ -167,7 +167,7 @@ static inline int pivot_root(const char *new_root, const char *put_old) {
# endif
#endif
#ifndef HAVE_MEMFD_CREATE
#if !HAVE_DECL_MEMFD_CREATE
static inline int memfd_create(const char *name, unsigned int flags) {
return syscall(__NR_memfd_create, name, flags);
}
@ -1089,7 +1089,7 @@ static inline int kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, uns
#define INPUT_PROP_ACCELEROMETER 0x06
#endif
#if !HAVE_DECL_KEY_SERIAL_T
#ifndef HAVE_KEY_SERIAL_T
typedef int32_t key_serial_t;
#endif
@ -1160,11 +1160,11 @@ static inline key_serial_t request_key(const char *type, const char *description
#ifndef IF_OPER_UP
#define IF_OPER_UP 6
#ifndef HAVE_DECL_CHAR32_T
#ifndef HAVE_CHAR32_T
#define char32_t uint32_t
#endif
#ifndef HAVE_DECL_CHAR16_T
#ifndef HAVE_CHAR16_T
#define char16_t uint16_t
#endif


@ -334,7 +334,7 @@ static void add_random(Timer *t, usec_t *v) {
usec_t add;
assert(t);
assert(*v);
assert(v);
if (t->random_usec == 0)
return;


@ -1091,22 +1091,19 @@ static bool manager_check_idle(void *userdata) {
assert(m);
/* Check whether we are idle now. The only case when we decide to be idle is when there's only a loopback
* device around, for which we have no configuration, and which already left the PENDING state. In all other
* cases we are not idle. */
HASHMAP_FOREACH(link, m->links, i) {
/* we are not woken on udev activity, so let's just wait for the
* pending udev event */
/* We are not woken on udev activity, so let's just wait for the pending udev event */
if (link->state == LINK_STATE_PENDING)
return false;
if (!link->network)
continue;
if ((link->flags & IFF_LOOPBACK) == 0)
return false;
/* we are not woken on netork activity, so let's stay around */
if (link_lldp_enabled(link) ||
link_ipv4ll_enabled(link) ||
link_dhcp4_server_enabled(link) ||
link_dhcp4_enabled(link) ||
link_dhcp6_enabled(link) ||
link_ipv6_accept_ra_enabled(link))
if (link->network)
return false;
}


@ -193,6 +193,23 @@ bool dns_type_is_obsolete(uint16_t type) {
DNS_TYPE_NULL);
}
bool dns_type_needs_authentication(uint16_t type) {
/* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
* authenticated. I.e. everything that contains crypto keys. */
return IN_SET(type,
DNS_TYPE_CERT,
DNS_TYPE_SSHFP,
DNS_TYPE_IPSECKEY,
DNS_TYPE_DS,
DNS_TYPE_DNSKEY,
DNS_TYPE_TLSA,
DNS_TYPE_CDNSKEY,
DNS_TYPE_OPENPGPKEY,
DNS_TYPE_CAA);
}
int dns_type_to_af(uint16_t t) {
switch (t) {
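Review bot: The comment on dns_type_needs_authentication says the set is "everything that contains crypto keys", but several of the listed types carry digests or policy rather than keys (SSHFP, DS and TLSA hold fingerprints, CAA holds issuance policy), so the stated criterion under-describes what the set actually guards; I would reword it to `/* RR types whose payload is key material, fingerprints or security policy: an unauthenticated copy must not be relied on, since a forged record defeats the protection it is meant to provide. */`. If the project also defines a CDS type constant (RFC 7344 specifies CDS alongside CDNSKEY, and CDNSKEY is already in the list), it belongs in the same set; whether such a constant exists cannot be confirmed from this hunk.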


@ -132,6 +132,7 @@ bool dns_type_is_dnssec(uint16_t type);
bool dns_type_is_obsolete(uint16_t type);
bool dns_type_may_wildcard(uint16_t type);
bool dns_type_apex_only(uint16_t type);
bool dns_type_needs_authentication(uint16_t type);
int dns_type_to_af(uint16_t t);
bool dns_class_is_pseudo(uint16_t class);


@ -339,6 +339,7 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
uint64_t flags;
int r;
usec_t ts;
bool needs_authentication = false;
assert(name);
@ -421,6 +422,10 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);
printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
if (dns_type_needs_authentication(t))
needs_authentication = true;
n++;
}
if (r < 0)
@ -441,6 +446,18 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
print_source(flags, ts);
if ((flags & SD_RESOLVED_AUTHENTICATED) == 0 && needs_authentication) {
fflush(stdout);
fprintf(stderr, "\n%s"
"WARNING: The resources shown contain cryptographic key data which could not be\n"
" authenticated. It is not suitable to authenticate any communication.\n"
" This is usually indication that DNSSEC authentication was not enabled\n"
" or is not available for the selected protocol or DNS servers.%s\n",
ansi_highlight_red(),
ansi_normal());
}
return 0;
}
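Review bot: `dns_type_needs_authentication(t)` on the line after the printf tests the query type `t`, not the type of the record that was just printed, so the flag reflects what was asked for rather than what came back; for a query type that can return records of several types (an ANY-style lookup, if the tool accepts one) key material could be shown with no warning. If the loop already reads each record's own type from the reply, test that value instead; otherwise the call is loop-invariant and the flag can go away in favour of `if ((flags & SD_RESOLVED_AUTHENTICATED) == 0 && n > 0 && dns_type_needs_authentication(t))` at the warning site, with `n` keeping the "something was shown" guard. The body of resolve_record between the hunks is not visible here, so the name of any per-record type variable is something to confirm.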


@ -140,6 +140,7 @@ static int append_address(sd_bus_message *reply, DnsResourceRecord *rr, int ifin
static void bus_method_resolve_hostname_complete(DnsQuery *q) {
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
_cleanup_free_ char *normalized = NULL;
DnsResourceRecord *rr;
unsigned added = 0;
int ifindex, r;
@ -199,11 +200,17 @@ static void bus_method_resolve_hostname_complete(DnsQuery *q) {
if (r < 0)
goto finish;
/* The key names are not necessarily normalized, make sure that they are when we return them to our bus
* clients. */
r = dns_name_normalize(DNS_RESOURCE_KEY_NAME(canonical->key), &normalized);
if (r < 0)
goto finish;
/* Return the precise spelling and uppercasing and CNAME target reported by the server */
assert(canonical);
r = sd_bus_message_append(
reply, "st",
DNS_RESOURCE_KEY_NAME(canonical->key),
normalized,
SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
if (r < 0)
goto finish;
@ -395,13 +402,19 @@ static void bus_method_resolve_address_complete(DnsQuery *q) {
question = dns_query_question_for_protocol(q, q->answer_protocol);
DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, q->answer) {
_cleanup_free_ char *normalized = NULL;
r = dns_question_matches_rr(question, rr, NULL);
if (r < 0)
goto finish;
if (r == 0)
continue;
r = sd_bus_message_append(reply, "(is)", ifindex, rr->ptr.name);
r = dns_name_normalize(rr->ptr.name, &normalized);
if (r < 0)
goto finish;
r = sd_bus_message_append(reply, "(is)", ifindex, normalized);
if (r < 0)
goto finish;
@ -671,6 +684,7 @@ fail:
static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr) {
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL;
_cleanup_free_ char *normalized = NULL;
DnsQuery *aux;
int r;
@ -727,10 +741,14 @@ static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr)
if (r < 0)
return r;
r = dns_name_normalize(rr->srv.name, &normalized);
if (r < 0)
return r;
r = sd_bus_message_append(
reply,
"qqqs",
rr->srv.priority, rr->srv.weight, rr->srv.port, rr->srv.name);
rr->srv.priority, rr->srv.weight, rr->srv.port, normalized);
if (r < 0)
return r;
@ -776,9 +794,17 @@ static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr)
if (r < 0)
return r;
if (canonical) {
normalized = mfree(normalized);
r = dns_name_normalize(DNS_RESOURCE_KEY_NAME(canonical->key), &normalized);
if (r < 0)
return r;
}
/* Note that above we appended the hostname as encoded in the
* SRV, and here the canonical hostname this maps to. */
r = sd_bus_message_append(reply, "s", canonical ? DNS_RESOURCE_KEY_NAME(canonical->key) : rr->srv.name);
r = sd_bus_message_append(reply, "s", normalized);
if (r < 0)
return r;
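Review bot: In bus_method_resolve_hostname_complete the new `dns_name_normalize(DNS_RESOURCE_KEY_NAME(canonical->key), &normalized)` dereferences `canonical` before the existing `assert(canonical)`, so the assertion no longer guards anything; `assert(canonical);` should move above the normalize call. In append_srv the comment `/* Note that above we appended the hostname as encoded in the SRV, ... */` is now inaccurate, since what is appended is the normalized form, and the `canonical == NULL` path silently relies on `normalized` still holding the normalized `rr->srv.name` from earlier in the function, which deserves a line such as `/* No canonical name: 'normalized' still holds the normalized SRV target appended above */` before the final append. All three functions begin outside their hunks.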


@ -485,7 +485,7 @@ int manager_new(Manager **ret) {
m->llmnr_support = RESOLVE_SUPPORT_YES;
m->mdns_support = RESOLVE_SUPPORT_NO;
m->dnssec_mode = DNSSEC_NO;
m->dnssec_mode = DEFAULT_DNSSEC_MODE;
m->read_resolv_conf = true;
m->need_builtin_fallbacks = true;
m->etc_hosts_last = m->etc_hosts_mtime = USEC_INFINITY;


@ -16,4 +16,4 @@
#FallbackDNS=@DNS_SERVERS@
#Domains=
#LLMNR=yes
#DNSSEC=no
#DNSSEC=@DEFAULT_DNSSEC_MODE@


@ -1715,7 +1715,7 @@ int main(int argc, char *argv[]) {
by PID1. otherwise we are not guaranteed to have a dedicated cgroup */
r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup);
if (r < 0) {
if (r == -ENOENT || r == -ENOEXEC)
if (r == -ENOENT || r == -ENOMEDIUM)
log_debug_errno(r, "did not find dedicated cgroup: %m");
else
log_warning_errno(r, "failed to get cgroup: %m");