mirror of
https://github.com/systemd/systemd
synced 2024-07-22 10:44:58 +00:00
29a8fbf49a
79a67f3ca4pulled systemd-resolved.service in from basic.target instead of multi-user.target, i.e. the idea is to make it an early boot service, instead of a regular service. However, early boot services are supposed to be in sysinit.target, not basic.target (the latter is just one that combines the early boot services in sysinit.target, the sockets in sockets.targt, the mounts in local-fs.target and so on into one big target). Also, the comit actually didn't add a synchronization point, i.e. not Before=, so that the whole thing was racy. Let's fix all that. Follow-up for79a67f3ca4
59 lines
1.7 KiB
SYSTEMD
59 lines
1.7 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Network Name Resolution
|
|
Documentation=man:systemd-resolved.service(8)
|
|
Documentation=man:org.freedesktop.resolve1(5)
|
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
|
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
|
|
|
|
DefaultDependencies=no
|
|
After=systemd-sysusers.service
|
|
Before=sysinit.target network.target nss-lookup.target shutdown.target
|
|
Conflicts=shutdown.target
|
|
Wants=nss-lookup.target
|
|
|
|
[Service]
|
|
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
|
BusName=org.freedesktop.resolve1
|
|
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
|
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-resolved
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
PrivateDevices=yes
|
|
PrivateTmp=yes
|
|
ProtectProc=invisible
|
|
ProtectClock=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectSystem=strict
|
|
Restart=always
|
|
RestartSec=0
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RuntimeDirectory=systemd/resolve
|
|
RuntimeDirectoryPreserve=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service
|
|
Type=notify
|
|
User=systemd-resolve
|
|
{{SERVICE_WATCHDOG}}
|
|
|
|
[Install]
|
|
WantedBy=sysinit.target
|
|
Alias=dbus-org.freedesktop.resolve1.service
|