mirror of
https://github.com/morgan9e/systemd
synced 2026-04-15 00:47:10 +09:00
0fa188307b
Add two new socket units, one for each of systemd-resolved's varlink servers: systemd-resolved-varlink.socket systemd-resolved-monitor.socket Add logic to grab socket fds via sd_varlink_server_listen_name(), but fallback to the existing sd_varlink_server_listen_address() calls if no fds were given. This will be used to make systemd-networkd-wait-online --dns more robust against systemd-resolved restarts etc.
61 lines
2.0 KiB
SYSTEMD
61 lines
2.0 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Network Name Resolution
|
|
Documentation=man:systemd-resolved.service(8)
|
|
Documentation=man:org.freedesktop.resolve1(5)
|
|
Documentation=https://systemd.io/WRITING_NETWORK_CONFIGURATION_MANAGERS
|
|
Documentation=https://systemd.io/WRITING_RESOLVER_CLIENTS
|
|
|
|
DefaultDependencies=no
|
|
After=systemd-sysctl.service systemd-sysusers.service systemd-resolved-varlink.socket systemd-resolved-monitor.socket
|
|
Before=sysinit.target network.target nss-lookup.target shutdown.target initrd-switch-root.target
|
|
Conflicts=shutdown.target initrd-switch-root.target
|
|
Wants=nss-lookup.target systemd-resolved-varlink.socket systemd-resolved-monitor.socket
|
|
|
|
[Service]
|
|
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
|
BusName=org.freedesktop.resolve1
|
|
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
|
ExecStart={{LIBEXECDIR}}/systemd-resolved
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
PrivateDevices=yes
|
|
PrivateTmp=disconnected
|
|
ProtectClock=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectSystem=strict
|
|
Restart=always
|
|
RestartSec=0
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RuntimeDirectory=systemd/resolve
|
|
RuntimeDirectoryPreserve=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service
|
|
Type=notify-reload
|
|
User=systemd-resolve
|
|
ImportCredential=network.dns
|
|
ImportCredential=network.search_domains
|
|
{{SERVICE_WATCHDOG}}
|
|
|
|
[Install]
|
|
WantedBy=sysinit.target
|
|
Alias=dbus-org.freedesktop.resolve1.service
|
|
Also=systemd-resolved-varlink.socket systemd-resolved-monitor.socket
|