1
0
mirror of https://github.com/systemd/systemd synced 2025-10-05 16:03:15 +02:00
Files
systemd/units/systemd-resolved.service.in
Mike Yuan e803ec1e25 units: unify deps between service and socket units
The current arrangement of service and socket units is
sort of all over the place. Let's clean it up a little,
roughly following the principles below:

- socket units have implicit ordering deps (not to be confused
  with default ones which are subject to DefaultDependencies=)
  before associated service, so drop any explicit After=

- If socket can be enabled, remember to link to it in service
  via Also= and Sockets= (the latter replaces Wants=).
  If the service Requires= socket however, Sockets= is omitted.

- If socket is statically enabled, no need for service
  to pull it in - machined
2025-04-30 21:27:37 +02:00

62 lines
1.9 KiB
SYSTEMD

# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Network Name Resolution
Documentation=man:systemd-resolved.service(8)
Documentation=man:org.freedesktop.resolve1(5)
Documentation=https://systemd.io/WRITING_NETWORK_CONFIGURATION_MANAGERS
Documentation=https://systemd.io/WRITING_RESOLVER_CLIENTS
DefaultDependencies=no
After=systemd-sysctl.service systemd-sysusers.service
Before=sysinit.target network.target nss-lookup.target shutdown.target initrd-switch-root.target
Conflicts=shutdown.target initrd-switch-root.target
Wants=nss-lookup.target
[Service]
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
BusName=org.freedesktop.resolve1
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart={{LIBEXECDIR}}/systemd-resolved
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=disconnected
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/resolve
RuntimeDirectoryPreserve=yes
Sockets=systemd-resolved-varlink.socket systemd-resolved-monitor.socket
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify-reload
User=systemd-resolve
ImportCredential=network.dns
ImportCredential=network.search_domains
{{SERVICE_WATCHDOG}}
[Install]
WantedBy=sysinit.target
Alias=dbus-org.freedesktop.resolve1.service
Also=systemd-resolved-varlink.socket systemd-resolved-monitor.socket