# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=Network Name Resolution
Documentation=man:systemd-resolved.service(8)
Documentation=man:org.freedesktop.resolve1(5)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
DefaultDependencies=no
After=systemd-sysusers.service
Before=network.target nss-lookup.target shutdown.target
Conflicts=shutdown.target
Wants=nss-lookup.target

[Service]
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
BusName=org.freedesktop.resolve1
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-resolved
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/resolve
RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify
User=systemd-resolve
{{SERVICE_WATCHDOG}}

[Install]
WantedBy=basic.target
Alias=dbus-org.freedesktop.resolve1.service

units: start systemd-resolved in basic.target
In the olden days systemd-resolved used dbus and it didn't make sense to start
it before dbus which is started fairly late. But we have mostly ported resolved
over to varlink. The queries from nss-resolve are done using varlink, so name
resolution can work without dbus. resolvectl still uses dbus, so e.g. 'resolvectl
query' will not work, but by starting systemd-resolved earlier we're not making this
any worse.
If systemd-resolved is started after dbus, it registers the name and everything
is fine. If it is started before dbus, it'll watch for the dbus socket and
connect later. So it should be fine to start systemd-resolved earlier. (If dbus
is stopped and restarted, unfortunately systemd-resolved does not reconnect.
This seems to be a small bug: since our daemons know how to watch for
dbus.socket, they could restart the watch if they ever lose the connection. But
this scenario shouldn't happen in normal boot, and restarting dbus is not
supported anyway.)
Moving the start earlier has the following advantages:
- name resolution becomes available earlier, in particular for synthesized
hostnames even before the network is up.
- basic.target is part of initrd.target, so systemd-resolved will get started
in the initrd if installed. This is required for nfs-root when the server is
specified using a name (https://bugzilla.redhat.com/show_bug.cgi?id=2037311).
2022-01-07 16:23:37 +00:00
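As an added example (not code from systemd), a small Python audit that parses a unit file like the one above and checks the [Service] sandboxing directives: the expected-value checklist, the excerpt of the unit and the requirement that AmbientCapabilities stay within CapabilityBoundingSet are assumptions made here, not systemd rules.

```python
# Constructed excerpt of the unit on this page (template placeholders kept as-is).
SAMPLE_UNIT = """\
[Service]
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-resolved
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
ProtectSystem=strict
RestrictSUIDSGID=yes
SystemCallArchitectures=native
User=systemd-resolve
{{SERVICE_WATCHDOG}}
"""

# Checklist of sandboxing directives and the values we expect (our own choice).
EXPECTED = {"NoNewPrivileges": "yes", "ProtectSystem": "strict", "PrivateDevices": "yes",
            "MemoryDenyWriteExecute": "yes", "SystemCallArchitectures": "native",
            "RestrictSUIDSGID": "yes"}

def parse_unit(text):
    """Return {section: {key: [values]}}; repeated keys accumulate in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:    # skips {{SERVICE_WATCHDOG}}
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def audit(text):
    """Return findings for the [Service] section; an empty list means it passes."""
    svc = parse_unit(text).get("Service", {})
    # systemd honours the last assignment of a scalar directive, so compare the final value.
    findings = [f"{k} should be {v}" for k, v in EXPECTED.items()
                if svc.get(k, [None])[-1] != v]
    if "User" not in svc:
        findings.append("User not set: service would run as root")
    # "!!" ExecStart prefix: with kernel ambient-capability support the daemon starts as
    # User holding AmbientCapabilities; otherwise it starts privileged and drops them itself.
    ambient = set(" ".join(svc.get("AmbientCapabilities", [])).split())
    bounding = set(" ".join(svc.get("CapabilityBoundingSet", [])).split())
    if not ambient <= bounding:
        findings.append(f"ambient caps outside bounding set: {sorted(ambient - bounding)}")
    return findings
```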