Sib kontenut simili

和 systemd-resolved 和 NetworkManager 鬥智鬥勇（順便仔細看看這二貨）。今天發現我的一個 #Ubuntu VM 的系統 DNS 127.0.0.53 基本無法解析域名。 > resolvectl query example.com example.com: resolve call failed: Lookup failed due to system error: Connection timed out 由於我的 ens160 LAN 端 IPv6 網路配置有點問題（爛 IT），在 auto 模式下我會獲得一個無法正常使用的 IPv6 DNS server，用 resolvectl status 可以查到： Global LLMNR setting: no MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: no Current DNS Server: <good-ipv4-dns> DNS Servers: <good-ipv4-dns> ... Link 2 (ens160) Current Scopes: DNS DefaultRoute setting: yes LLMNR setting: yes MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: no Current DNS Server: <bad-ipv6-dns> DNS Servers: <bad-ipv6-dns> DNS Domain: ~. 抓包可以看到 DNS 請求都是傳遞給 <bad-ipv6-dns> 而不是我在 resolved.conf 中指定的 Global DNS <good-ipv4-dns>，可能是因爲有最後那條 routing-only 配置 "~."。相比別的鏈路 Current Scopes 都是 none，因此我嘗試用 resolvectl revert ens160 清除掉這個配置，就好了。 這組 IPv6 DNS 配置是 NetworkManager 寫入的，因爲我一執行 systemctl restart NetworkManager.service 就又恢復了。問題是 NetworkManager 的 "ipv6.dns" 配置行爲是： If the IPv6 configuration method is 'auto' these DNS servers are appended to those (if any) returned by automatic configuration. 我又調整了 "ipv6.dns-priority"，沒有效果。此時我認爲只能從 systemd-networkd 和 systemd-resolved 入手，然後試遍了下面這些配置： [Match] Name=ens160 [Network] DNS=<good-ipv4-dns> [DHCPv6] UseDNS=false [IPv6AcceptRA] UseDomains=false 感覺 /etc/systemd/network/01-ens160.network 根本就被完全無視了。最後繞回去發現 NetworkManager 原來有一項 "ipv6.ignore-auto-dns" 配置，改成 yes 就好了。另外手動指定 "ipv4.dns" 也是可以的，因爲其實原來那個有問題的 IPv6 DNS 對 resolved 來說就是 link 上的唯一 DNS，我也不知道爲什麼我沒有改過這項，因爲這個接口 IPv4 都是手動配置的，可能以爲在 resolved.conf 寫了就行吧。 教訓是，我看 resolv.conf 被 systemd-resolved 接管，而我又不瞭解 systemd-resolved，並且 resolvectl 可以緩解問題，於是研究的重心就都在這邊了。🤣 其實早一點我在重啓 NetworkManager 復現問題的時候直接看看 nmcli connection show 'Wired connection 1' | rg dns 就好了。配個網而已。 #systemd

📰Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level.Tracked as CVE-2026-3888 (CVSS score: 7.8), the issue could allow an attacker to seize control of a susceptible system."This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access. 🔗 Source: https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html #systemd#ubuntu

📰 KaOS 2026.03 Released With Major Move Away From systemd Components KaOS 2026.03 removes systemd-boot and mkinitcpio, adopts Limine and Dracut, and introduces a new Niri-based desktop environment. 🔗 Source: https://linuxiac.com/kaos-2026-03-released-with-major-move-away-from-systemd-components/ #systemd

📰Someone Forked Systemd to Strip Out Its Age Verification Support The project removes the birthDate field systemd added last week in response to age verification laws. 🔗 Source: https://feed.itsfoss.com/link/24361/17304579/systemd-fork-strips-out-age-verification #systemd

📰 SysV Init 3.16 Released With Cleanups, Improved systemd Unit To SysV Script Conversion For any holdouts still running SysV Init instead of systemd or other alternatives like OpenRC, SysV Init 3.16 is out as the first release in a half-year and bringing a few refinements... 🔗 Source: https://www.phoronix.com/news/SysV-Init-3.16 #systemd

📰 systemd 260-rc1 Released: New "mstack" Feature, System V Service Scripts No Longer Supported The first release candidate of systemd 260 is now available for testing. Systemd 260 finally does away with System V service scripts support. Also notable to systemd 260 is the work around the new "mstack" feature... 🔗 Source: https://www.phoronix.com/news/systemd-260-rc1 #systemd

systemd birthDate Merge: Corporate Filings & Governance Failure Investigation pulled Amutable's founding documents from the German Handelsregister The corporate filings show three equal shareholders, no outside investors, and self-dealing exemptions that let any founder sign contracts between the company and their own personal entities All three founders were employed at Microsoft when they signed the founding deed. A hidden shareholders' agreement referenced three times in the Articles of Association but never filed publicly governs economic rights, IP assignment, and vesting terms the public cannot see. Three decisions put the birthDate field into #systemd. Each was made by someone with a direct financial interest in the outcome No one disclosed those interests. systemd has no conflict-of-interest policy, no steering committee, no community veto, and no disclosure requirements. The project that boots every major Linux distribution has less formal governance than a typical mid-size open source project.

Lennart Poettering intends to replace "sudo" with #systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact "systemd-run" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new "root" process. This isn't the only bug of course, it's not possible on Linux to read the environment of a root owned process but as systemd creates a service in the system slice, you can query D-BUS and learn sensitive information passed to the process env, such as API keys or other secrets. https://fixupx.com/hackerfantastic/status/1785495587514638559 Nitter mirror: https://xcancel.com/hackerfantastic/status/1785495587514638559

📰 The One Trick That Made Immutable Linux Easier For Me There's a systemd utility that lets you "inject" tools into a read-only OS at runtime, without rebooting the system. Here's my exploration. 🔗 Source: https://feed.itsfoss.com/link/24361/17309280/systemd-sysext #linux#systemd

📰 Fish 4.6 Shell Brings Support For Recent systemd Environment Variables Fish 4.6 released today as the newest version of this Rust-based interactive shell for Linux and other platforms... 🔗 Source: https://www.phoronix.com/news/Fish-4.6-Released #systemd#linux

📰Systemd Introduces Birth Date Support for Upcoming Linux Desktop Age Controls A recent systemd update introduces birth date storage, supporting ongoing efforts to implement age-based access controls in the Linux desktop stack. 🔗 Source: https://linuxiac.com/systemd-introduces-birth-date-support-for-upcoming-linux-desktop-age-controls/ #linux#systemd

📰 systemd 260-rc2 Released With More Changes Last week marked the release of systemd 260-rc1 with a new "mstack" feature, a new "FANCY_NAME" field for os-release, dropping System V service script support, and other changes. Out today is systemd 260-rc2 release with more changes in further working its way toward a stable release for empowering 2026 Linux distributions... 🔗 Source: https://www.phoronix.com/news/systemd-260-rc2 #systemd#linux