[systemd-devel] [PATCH] resolved: Move symlink creation from tmpfiles to daemon runtime

Colin Walters walters at verbum.org
Mon Jul 7 10:59:29 PDT 2014


On Mon, Jul 7, 2014, at 10:35 AM, Lennart Poettering wrote:

> And of course, it's the most reasonable thing to do really, as in
> today's world it's populated dynamically from DHCP more often than not,
> and hence more runtime material than static configuration material.

I agree.  But...

> Humm, well, NM really shouldn't write around in /etc all the time.

This is Anaconda, not NM, though its goal is to propagate network
configuration from the runtime system to the target which is using
NetworkManager and most specifically redhat initscripts ifcfg files.

> For
> most cases it really should consider /etc read-only. In fact, I wished
> it would be written in a style that makes sure ProtectSystem=full can be
> used on it, i.e. with write access to /run, but certainly never to /etc.

Yes, NM is happy with it being a symbolic link for that reason, but:

> I really don't see anything to fix here in systemd. Anaconda should be
> fixed.

Two things:

First, there's the case where resolved is compiled out; right now
systemd is unconditionally creating the link.  This patch addresses that
as well.

Now for the Fedora case, we're really talking about quite a number of
system creation tools that are not ready for this.  This is also
reflected in the fact that the systemd unit file is disabled by default.

We could carry the patch downstream I guess.  Or maybe this gets more
into a case where we want parts of tmpfiles.d snippets tied to services
being enabled, not just installed.
