mirror of
https://github.com/systemd/systemd
synced 2024-07-22 10:44:58 +00:00
79a67f3ca4
In the olden days systemd-resolved used dbus and it didn't make sense to start it before dbus which is started fairly late. But we have mostly ported resolved over to varlink. The queries from nss-resolve are done using varlink, so name resolution can work without dbus. resolvectl still uses dbus, so e.g. 'resolvectl query' will not work, but by starting systemd-resolved earlier we're not making this any worse. If systemd-resolved is started after dbus, it registers the name and everything is fine. If it is started before dbus, it'll watch for the dbus socket and connect later. So it should be fine to start systemd-resolved earlier. (If dbus is stopped and restarted, unfortunately systemd-resolved does not reconnect. This seems to be a small bug: since our daemons know how to watch for dbus.socket, they could restart the watch if they ever lose the connection. But this scenario shouldn't happen in normal boot, and restarting dbus is not supported anyway.) Moving the start earlier the following advantages: - name resolution becomes availabe earlier, in particular for synthesized hostnames even before the network is up. - basic.target is part of initrd.target, so systemd-resolved will get started in the initrd if installed. This is required for nfs-root when the server is specified using a name (https://bugzilla.redhat.com/show_bug.cgi?id=2037311).
59 lines
1.7 KiB
SYSTEMD
59 lines
1.7 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Network Name Resolution
|
|
Documentation=man:systemd-resolved.service(8)
|
|
Documentation=man:org.freedesktop.resolve1(5)
|
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
|
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
|
|
|
|
DefaultDependencies=no
|
|
After=systemd-sysusers.service systemd-networkd.service
|
|
Before=network.target nss-lookup.target shutdown.target
|
|
Conflicts=shutdown.target
|
|
Wants=nss-lookup.target
|
|
|
|
[Service]
|
|
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
|
BusName=org.freedesktop.resolve1
|
|
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
|
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-resolved
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
PrivateDevices=yes
|
|
PrivateTmp=yes
|
|
ProtectProc=invisible
|
|
ProtectClock=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectSystem=strict
|
|
Restart=always
|
|
RestartSec=0
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RuntimeDirectory=systemd/resolve
|
|
RuntimeDirectoryPreserve=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service
|
|
Type=notify
|
|
User=systemd-resolve
|
|
{{SERVICE_WATCHDOG}}
|
|
|
|
[Install]
|
|
WantedBy=basic.target
|
|
Alias=dbus-org.freedesktop.resolve1.service
|