|
systemd System and Service Manager |
|
|
|
CHANGES WITH 254 in spe: |
|
|
|
Announcements of Future Feature Removals and Incompatible Changes: |
|
|
|
* We intend to remove cgroup v1 support from systemd release after the |
|
end of 2023. If you run services that make explicit use of cgroup v1 |
|
features (i.e. the “legacy hierarchy” with separate hierarchies for |
|
each controller), please implement compatibility with cgroup v2 (i.e. |
|
the “unified hierarchy”) sooner rather than later. Most of Linux |
|
userspace has been ported over already. |
|
|
|
* The next release (v255) will remove support for split-usr (/usr/ |
|
mounted separately during late boot, instead of being mounted by the |
|
initrd before switching to the rootfs) and unmerged-usr (parallel |
|
directories /bin/ and /usr/bin/, /lib/ and /usr/lib/, …). For more |
|
details, see: |
|
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html |
|
|
|
* EnvironmentFile= now treats the line following a comment line |
|
trailing with escape as a non comment line. For details, see: |
|
https://github.com/systemd/systemd/issues/27975 |
|
|
|
* Support for System V service scripts is now deprecated and will be |
|
removed in a future release. Please make sure to update your software |
|
*now* to include a native systemd unit file instead of a legacy |
|
System V script to retain compatibility with future systemd releases. |
|
|
|
* Behaviour of the per-user service manager units have changed w.r.t. |
|
sandboxing options, so that they work without having to manually |
|
enable PrivateUsers= as well, which is not required for system units. |
|
To make this work, we will implicitly enable user namespaces |
|
(PrivateUsers=yes) when a sandboxing option is enabled in a user unit. |
|
The drawback is that system users will no longer be visible (and |
|
appear as ‘nobody’) to the user unit when a sandboxing option is |
|
enabled. By definition a sandboxed user unit should run with reduced |
|
privileges, so impact should be small. This will remove a great source |
|
of confusion that has been reported by users over the years, due to |
|
how these options require an extra setting to be manually enabled when |
|
used in the per-user service manager, as opposed as to the system |
|
service manager. For more details, see: |
|
https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html |
|
|
|
Security Relevant Changes: |
|
|
|
* pam_systemd will now by default pass the CAP_WAKE_ALARM ambient |
|
process capability to invoked session processes of regular users on |
|
local seats (as well as to systemd –user), unless configured |
|
otherwise via data from JSON user records, or via the PAM module’s |
|
parameter list. This is useful in order allow desktop tools such as |
|
GNOME’s Alarm Clock application to set a timer for |
|
CLOCK_REALTIME_ALARM that wakes up the system when it elapses. A |
|
per-user service unit file may thus use AmbientCapability= to pass |
|
the capability to invoked processes. Note that this capability is |
|
relatively narrow in focus (in particular compared to other process |
|
capabilities such as CAP_SYS_ADMIN) and we already — by default — |
|
permit more impactful operations such as system suspend to local |
|
users. |
|
|
|
Service Manager: |
|
|
|
* “Startup” memory settings are now supported. Previously IO and CPU |
|
settings were already supported via StartupCPUWeight= and similar, |
|
this adds the same logic for the various per-unit memory settings |
|
StartupMemoryMax= and related. |
|
|
|
* The service manager gained support for enqueuing POSIX signals to |
|
services that carry an additional integer value, exposing the |
|
sigqueue() systemd call. This is accessible via new D-Bus calls |
|
QueueSignalUnit() (and related), as well as in systemctl via the new |
|
–kill-value= parameter. |
|
|
|
* systemctl gained a new “list-paths” verb, which shows all currently |
|
active .path units, similar to how “systemctl list-timers” shows |
|
active timers, and “systemctl list-sockets” shows active sockets. |
|
|
|
* If MemoryDenyWriteExecute= is enabled for a service and the kernel |
|
supports the new PR_SET_MDWE prctl() call it is used in preference |
|
over seccomp() based system call filtering to achieve the same effect. |
|
|
|
* systemctl gained a new –when= switch which is honoured by the various |
|
forms of shutdown (i.e. reboot, kexec, poweroff, halt) and allows |
|
scheduling these operations by time, similar in fashion to how this |
|
has been supported by SysV shutdown. |
|
|
|
* A new set of kernel command line options is now understood: |
|
systemd.tty.term.=, systemd.tty.rows.=, |
|
systemd.tty.columns.= allow configuring the TTY type and |
|
dimensions for the tty specified via . When systemd invokes a |
|
service on a tty (via TTYName=) it will look for these and configure |
|
the TTY accordingly. This is particularly useful in VM environments, |
|
to propagate host terminal settings into the appropriate TTYs of the |
|
guest. |
|
|
|
* A new RootEphemeral= setting is now understood in service units. It |
|
takes a boolean argument. If enabled for services that use RootImage= |
|
or RootDirectory= an ephemeral copy of the disk image or directory |
|
tree is made when the service is started. It is removed automatically |
|
when the service is stopped. That ephemeral copy is made using |
|
btrfs/xfs reflinks or btrfs snaphots, if available. |
|
|
|
* The service activation logic gained new settings RestartSteps= and |
|
RestartMaxDelaySec= which allow exponentially growing restart |
|
intervals for Restart=. |
|
|
|
* PID 1 will now automatically load the virtio_console kernel module |
|
during early initialization if running in a suitable VM. This is done |
|
so that early-boot logging can be written to the console if available. |
|
|
|
* Similar, virtio-vsock supported is loaded early too in suitable VM |
|
environments. Since PID 1 sends sd_notify() notifications via |
|
AF_VSOCK to the VMM these days (if requested), loading this early is |
|
beneficial. |
|
|
|
* A new verb “fdstore” has been added to systemd-analyze to show the |
|
current contents of the file descriptor store of a unit. This is |
|
backed by a new D-Bus call DumpUnitFileDescriptorStore() provided by |
|
the service manager. |
|
|
|
* The service manager will now set a new $FDSTORE environment variable |
|
when invoking processes for services that have the file descriptor |
|
store enabled. |
|
|
|
* A new service option FileDescriptorStorePreserve= has been added that |
|
allows tuning the life-cycle of the per-service file descriptor |
|
store. If set to “yes” the entries in the fd store are retained even |
|
after the service is fully stopped. |
|
|
|
* The “systemctl clean” command may now be used to clear the fdstore of |
|
a service. |
|
|
|
* Unit *.preset files gained a new directive “ignore”, in addition to |
|
the existing “enable” and “disable”. As the name suggests it leaves |
|
units defined like this in its status quo, i.e. neither enables nor |
|
disables them. |
|
|
|
* Service units gained a new setting DelegateSubgroup=. It takes the |
|
name of a sub-cgroup to place any processes the service manager forks |
|
off in. Previously, the service manager would place all service |
|
processes directly in the top-level cgroup it creates for them, no |
|
matter what. This usually meant that services with delegation enabled |
|
would first have to move themselves down some level in order to not |
|
conflict with the “no processes in inner cgroups” rule of |
|
cgroupv2. With this option it is now possible to configure the name |
|
of a subgroup to place all processes forked off by PID 1 in directly. |
|
|
|
* The service manager will now look for .upholds/ directories, similar |
|
to the existing support for .wants/ and .requires/ directories, and |
|
uses contained symlinked units for creating Upholds= |
|
dependencies. The [Install] section of unit files gained support for |
|
a new UpheldBy= directive to generate symlinks of this automatically |
|
when a unit is enabled. |
|
|
|
* The service manager now supports a new kernel command line option |
|
systemd.default_device_timeout_sec=, which may be used to override |
|
the default timeout for .device units. |
|
|
|
* A new “soft-reboot” mechanism has been added to the service |
|
manager. A “soft reboot” is similar to a regular reboot, except that |
|
it affects userspace only: the service manager shuts down the running |
|
services and other units, then optionally switches into a new root |
|
file system (mounted to /run/nextroot/), and then passes control to a |
|
systemd instace in the new file system which then starts the system |
|
up again. The kernel is not rebooted and neither is hardware, |
|
firmware or boot loader. It is a fast, lightweight mechanism to |
|
quickly reset or update userspace, without the latency that a full |
|
system reset involves. Moreover, open file descriptors may be passed |
|
across the soft reboot into the new system where they will be passed |
|
back to the originating services. This allows pinning resources |
|
across the reboot, thus minimizing grey-out time further. Moreover, |
|
it is possible to allow specific crucial services to survive the |
|
reboot process, if they run off a separate root file system (i.e. use |
|
RootDirectory= or RootImage=, or are portable services). This new |
|
reboot mechanism is accessible via the new “systemctl soft-reboot” |
|
command. |
|
|
|
* A new service setting MemoryKSM= has been added, which may be used to |
|
enable kernel same-page merging individually for services. |
|
|
|
* A new service setting ImportCredentials= has been added that augments |
|
LoadCredential= and LoadCredentialEncrypted= and searches for |
|
credentials to import from the system, and supports globbing. |
|
|
|
Journal: |
|
|
|
* The sd-journal API learnt a new call sd_journal_get_seqnum() for |
|
retrieving the current log record’s sequence number and sequence |
|
number ID, which allows applications to order records the same way as |
|
journal does internally already. The sequence number is now also |
|
exported in the JSON and “export” output of the journal. |
|
|
|
* journalctl gained a new switch –truncate-newline. If specified |
|
multi-line log records will be truncated at the first newline, |
|
i.e. only the first line of each log message is shown. |
|
|
|
systemd-repart: |
|
|
|
* systemd-repart’s drop-in files gained a new ExcludeFiles= option which |
|
may be used to exclude certain files from the effect of CopyFiles=, |
|
which allows populating newly created partitions automatically. |
|
|
|
* systemd-repart’s Verity support now implements the Minimize= setting |
|
to minimize the size of the resulting partition. |
|
|
|
* systemd-repart gained a new –offline= switch, which may be used to |
|
control whether images shall be built “online” or “offline”, |
|
i.e. whether to make use of kernel facilities such as loopback block |
|
devices and DM or not. |
|
|
|
* If systemd-repart is told to populate a newly created ESP or XBOOTLDR |
|
partition with some files it will now default to VFAT rather than |
|
ext4, unless specified otherwise. |
|
|
|
* systemd-repart gained a new –architecture= switch. If specified, the |
|
per-architecture GPT partition types (i.e. the root and /usr/ |
|
partitions) configured in the partition drop-in files are |
|
automatically adjusted to match the specified CPU architecture, in |
|
order to simplify cross-architecture DDI building. |
|
|
|
systemd-boot, systemd-stub, ukify, bootctl, kernel-install: |
|
|
|
* bootctl gained a new switch –print-root-device (or short: -R) that |
|
prints the main block device the root file system is backed by. It’s |
|
useful for invocations such as “cfdisk $(bootctl -R)” to quickly have |
|
a look at the partition table of the running OS. |
|
|
|
* systemd-stub will now look for the SMBIOS Type 1 field |
|
“io.systemd.stub.kernel-cmdline-extra” and append its value to the |
|
kernel command line it invokes. This is useful for VMMs such as qemu |
|
to pass additional kernel command lines into the system even when |
|
booting via full UEFI. It’s measured into TPM PCR 12. |
|
|
|
* The KERNEL_INSTALL_LAYOUT= setting for kernel-install gained a new |
|
value “auto”. If used a kernel will be automatically analyzed, and if |
|
it qualifies as UKI it will be installed as if the setting was to set |
|
to “uki”, otherwise via “bls”. |
|
|
|
* systemd-stub can now optionally load UEFI PE “add-on” images that may |
|
contain additional kernel command line information. These “add-ons” |
|
superficially look like a regular UEFI executable, and are expected |
|
to be signed via SecureBoot/shim. However, they do not actually |
|
contain code, but instead a subset of the PE sections that UKIs |
|
support. They are supposed to provide a way to extend UKIs with |
|
additional resources in a secure and authenticated way. Currently, |
|
only the .cmdline PE section may be used in add-ons, in which case |
|
any specified string is appended to the command line embedded into |
|
the UKI itself. A new ‘addon.efi.stub’ is now provided that |
|
can be used to trivially create addons, via ‘ukify’ or ‘objcopy’. In |
|
the future we expect other sections to be made extensible like this as |
|
well. |
|
|
|
* ukify has been updated to allow building these UEFI PE “add-on” |
|
images, using the new ‘addon.efi.stub’. |
|
|
|
* ukify gained a new “genkey” verb for generating a set of of key pairs |
|
to sign UKIs and their PCR data with. |
|
|
|
* The kernel-install script has been rewritten in C, and reuses much of |
|
the infrastructure of existing tools such as bootctl. Moreover it |
|
gained support for –root= and –image= switches, to operate relative |
|
to some root file system or DDI. It also gained –esp-path= and |
|
–boot-path= options to override the path to the ESP, and the $BOOT |
|
partition. Options –make-entry-directory= and –entry-token= have |
|
been added as well, similar to bootctl’s options of the same name. |
|
|
|
* A new kernel-install plugin 60-ukify has been added which will |
|
combine kernel/initrd locally into an UKI and sign them with a local |
|
key. This may be used to switch to UKI mode even on systems where a |
|
local kernel or initrd shall be supported. (Typically UKIs are built |
|
and signed on OS vendor systems.) |
|
|
|
* The ukify tool now supports “petool” in addition to the pre-existing |
|
“sbsign” for signing UKIs. |
|
|
|
* systemd-measure and systemd-stub now look for a new .uname PE section |
|
that should encode the kernel’s “uname -r” string. |
|
|
|
* systemd-measure may now calculate expected PCR hashes for a UKI |
|
“offline”, i.e. requires no access to a TPM (neither physical nor |
|
software emulated). |
|
|
|
Memory Pressure & Control: |
|
|
|
* The sd-event API gained new calls sd_event_add_memory_pressure(), |
|
sd_event_source_set_memory_pressure_type(), |
|
sd_event_source_set_memory_pressure_period() for creating and |
|
configuring an event source that is called whenever the OS signals |
|
memory pressure. Another call sd_event_trim_memory() is provided that |
|
compacts the process’ memory use by releasing allocated but unused |
|
malloc() memory back to the kernel. Services can also provide their |
|
own custom callback to do memory trimming. This should improve system |
|
behaviour under memory pressure, as on Linux traditionally provided no |
|
mechanism to return process memory back to the kernel if the kernel |
|
was under pressure to acquire some. This makes use of the kernel’s PSI |
|
interface. Most long-running services that systemd contains have been |
|
hooked up with this, and in particular systems with low memory should |
|
benefit from this. |
|
|
|
* Service units learnt the new MemoryPressureWatch=, |
|
MemoryPressureThresholdSec= for configuring the PSI memory pressure |
|
logic individually. If these options are used the |
|
$MEMORY_PRESSURE_WATCH and $MEMORY_PRESSURE_WRITE environment |
|
variables will be set for the invoked services processes to inform |
|
them about the requested memory pressure behaviour. (This is used by |
|
the aforementioned sd-events API additions, if set.) |
|
|
|
* systemd-analyze gained a new “malloc” verb that shows the output |
|
generated by glibc’s malloc_info() on services that support it. Right |
|
now, only the service manager has been updated accordingly. |
|
|
|
User & Session Management: |
|
|
|
* The sd-login API gained a new call sd_session_get_username() for |
|
returning the user name who owns a specific login session. It also |
|
gained a new call sd_session_get_start_time() for retrieving the time |
|
the login session started. A new call sd_session_get_leader() has |
|
been added to return the PID of the “leader” process of a session. A |
|
new call sd_uid_get_login_time() returns the time the specified user |
|
the time since when they most recently were logged in continously |
|
with at least one session. |
|
|
|
* JSON user records gained a new set of fields capabilityAmbientSet and |
|
capabilityBoundingSet which contain a list of POSIX capabilities to |
|
set for the logged in users in the ambient and bounding sets, |
|
respectively. homectl gained the ability to configure these two sets |
|
for users via –capability-bounding-set=/–capability-ambient-set=. |
|
|
|
* pam_systemd learnt two new module options |
|
default-capability-bounding-set= + default-capability-ambient-set= to |
|
configure the default bounding sets for users as they are logging in, |
|
if the JSON user record doesn’t specify this explicitly (see |
|
above). The built-in default for the ambient set now contains the |
|
CAP_WAKE_ALARM, thus allowing regular users who may log in locally to |
|
resume from a system suspend via a timer. (see above) |
|
|
|
* The Session D-Bus objects systemd-logind provides gained a new |
|
SetTTY() method call for updating the TTY of a session after it has |
|
been allocated already. This is useful for SSH sessions which are |
|
typically allocated first, and for which a TTY is added in later. |
|
|
|
* The sd-login API gained a new call sd_pid_notifyf_with_fds() which |
|
combines the various other sd_pid_notify() flavours into one: takes a |
|
format string, an overriding PID, and a set of file descriptors to |
|
send along. It also gained a new call sd_pid_notify_barrier() which |
|
is equivalent to sd_notify_barrier() but allows specification of the |
|
originating PID. |
|
|
|
* “loginctl list-users” and “loginctl list-sessions” will now show the |
|
state of each logged in user/session in their tabular output. It will |
|
also show the current idle state of sessions. |
|
|
|
DDIs: |
|
|
|
* systemd-dissect will now show the intended CPU architecture of an |
|
inspected DDI. |
|
|
|
* systemd-dissect will now install itself as mount helper for the “ddi” |
|
pseudo-file system type. This means you may now mount DDIs directly |
|
via /bin/mount or /etc/fstab, making full use of embedded Verity |
|
information and all other DDI features. Example: mount -t ddi |
|
myimage.raw /some/where |
|
|
|
* The systemd-dissect tool gained the new switches –attach/–detach for |
|
attaching a DDI to a loopback block device without mounting it. It |
|
will automatically derive the right sector size from the image and set |
|
up Verity and similar, but not mount the file systems in it. |
|
|
|
* When systemd-gpt-auto-generator or the DDI mounting logic mount an ESP |
|
or XBOOTLDR partition the MS_NOSYMFOLLOW mount option is now |
|
implied. Given that these file systems are typically untrusted |
|
territory this should make mounting them automatically have less of a |
|
security impact. |
|
|
|
* All tools that parse DDIs (such as systemd-nspawn, systemd-dissect, |
|
systemd-tmpfiles, …) now understand a new switch –image-policy= which |
|
takes a string encoding image dissection policy. With this mechanism |
|
automatic discovery and use of specific partition types and the |
|
cryptographic requirements on the partitions (Verity, LUKS, …) can be |
|
restricted, permitting better control of the exposed attack surfaces |
|
when mounting disk images. systemd-gpt-auto-generator will honour such |
|
an image policy too, configurable via the systemd.image_policy= kernel |
|
command line option. Unit files gained the RootImagePolicy=, |
|
MountImagePolicy= and ExtensionImagePolicy= to configure the same for |
|
disk images a service runs off. |
|
|
|
* systemd-analyze gained a new verb “image-policy” for validating and |
|
parsing image policy strings. |
|
|
|
* systemd-dissect gained support for a new –validate switch for |
|
superficially validating DDI structure, and checking whether a |
|
specific image policy allows the DDI. |
|
|
|
Network Management: |
|
|
|
* networkd’s GENEVE support as gained a new .network option |
|
InheritInnerProtocol=. |
|
|
|
Device Management: |
|
|
|
* udevadm gained the new “verify” verb for validating udev rules files |
|
offline. |
|
|
|
* udev will now create symlinks to loopback block devices in the |
|
/dev/loop/by-ref/ directory that are based on the .lo_file_name string |
|
field selected during allocation. The systemd-dissect tool and the |
|
util-linux losetup command now supports a complementing new switch |
|
–loop-ref= for selecting the string. This means a loopback block |
|
device may now be allocated under a caller chosen reference and can |
|
subsequently be referenced by that without first having to look up the |
|
block device name the caller ended up with. |
|
|
|
* udev also creates symlinks to loopback block devices in the |
|
/dev/loop/by-ref/ directory based on the .st_dev/st_ino fields of the |
|
inode attached to the loopback block device. This means that attaching |
|
a file to a loopback device will implicitly make a handle available to |
|
be found via that file’s inode information. |
|
|
|
* udev gained a new tool “iocost” that can be used to configure QoS IO |
|
cost data based on hwdb information onto suitable block devices. Also |
|
see https://github.com/iocost-benchmark/iocost-benchmarks. |
|
|
|
TPM2 Support + Disk Encryption & Authentication: |
|
|
|
* systemd-cryptenroll/systemd-cryptsetup will now install a TPM2 SRK |
|
(“Storage Root Key”) as first step in the TPM2, and then use that |
|
for binding FDE to, if TPM2 support is used. This matches |
|
recommendations of TCG (see |
|
https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf) |
|
|
|
* systemd-cryptenroll and other tools that take TPM2 PCR parameters now |
|
understand textual identifiers for these PCRs. |
|
|
|
* systemd-veritysetup + /etc/veritytab gained support for a series of |
|
new options: hash-offset=, superblock=, format=, data-block-size=, |
|
hash-block-size=, data-blocks=, salt=, uuid=, hash=, fec-device=, |
|
fec-offset=, fec-roots= to configure various aspects of a Verity |
|
volume. |
|
|
|
* systemd-cryptsetup + /etc/crypttab gained support for a new |
|
veracrypt-pim= option for setting the Personal Iteration Multiplier |
|
of veracrypt volumes. |
|
|
|
* systemd-integritysetup + /etc/integritytab gained support for a new |
|
mode= setting for controlling the dm-integrity mode (journal, bitmap, |
|
direct) for the volume. |
|
|
|
* systemd-analyze gained a new verb “pcrs” that shows the known TPM PCR |
|
registers, their symbolic names and current values. |
|
|
|
systemd-tmpfiles: |
|
|
|
* The ACL support in tmpfiles.d/ has been updated: if an uppercase “X” |
|
access right is specified this is equivalent to “x” but only if the |
|
inode in question already has the executable bit set for at least |
|
some user/group. Otherwise the “x” bit will be turned off. |
|
|
|
* tmpfiles.d/’s C line type now understands a new modifier “+”: a line |
|
with C+ will result in a “merge” copy, i.e. all files of the source |
|
tree are copied into the target tree, even if that tree already |
|
exists, resulting in a combined tree of files already present in the |
|
target tree and those copied in. |
|
|
|
* systemd-tmpfiles gained a new –graceful switch. If specified lines |
|
with unknown users/groups will silently be skipped. |
|
|
|
systemd-notify: |
|
|
|
* systemd-notify gained two new options –fd= and –fdname= for sending |
|
arbitrary file descriptors to the service manager (while specifying an |
|
explicit name for it). |
|
|
|
* systemd-notify gained a new –exec switch, which makes it execute the |
|
specified command line after sending the requested messages. This is |
|
useful for sending out READY=1 first, and then continuing invocation |
|
without changing process ID, so that the tool can be nicely used |
|
within an ExecStart= line of a unit file that uses Type=ready. |
|
|
|
sd-event + sd-bus APIs: |
|
|
|
* The sd-event API gained a new call sd_event_source_leave_ratelimit() |
|
which may be used to explicitly end a rate-limit state an event |
|
source might be in, resetting all rate limiting counters. |
|
|
|
* When the sd-bus library is used to make connections to AF_UNIX D-Bus |
|
sockets, it will now encode the “description” one can set via |
|
sd_bus_set_description into the source socket address. It will also |
|
look for this information when accepting a connection. This is useful |
|
to track individual D-Bus connections on a D-Bus broker for debug |
|
purposes. |
|
|
|
systemd-resolved: |
|
|
|
* systemd-resolved gained a new resolved.conf setting |
|
StateRetentionSec= which may be used to retain cached DNS records |
|
even after their nominal TTL, and use them in case upstream DNS |
|
servers cannot be reached. This should make name resolution more |
|
resilient in case of network problems. |
|
|
|
* resolvectl gained a new verb “show-cache” for showing current cache |
|
contents of systemd-resolved. |
|
|
|
Other: |
|
|
|
* The default keymap to apply may now be chosen at build-time via the |
|
new default-keymap meson option. |
|
|
|
* Most of systemd’s long-running services now have a generic handler of |
|
the SIGRTMIN+18 signal handler which executes various operations |
|
depending on the sigqueue() parameter sent along. For example, values |
|
0x100…0x107 allow changing the maximum log level of such |
|
services. 0x200…0x203 allow changing the log target of such |
|
services. 0x300 make the services trim their memory similar to the |
|
automatic PSI triggered action, see above. 0x301 make the services |
|
output their malloc_info() data to the logs. |
|
|
|
* machinectl gained new “edit” and “cat” verbs for editing .nspawn |
|
files, inspired by systemctl’s verbs of the same which edit unit |
|
files. Similar, networkctl gained the same verbs for editing |
|
.network, .netdev, .link files. |
|
|
|
* A new syscall filter group “@sandbox” has been added that contains |
|
syscalls for sandboxing system calls such as those for seccomp and |
|
Landlock. |
|
|
|
* New documentation has been added: |
|
|
|
https://systemd.io/COREDUMP |
|
https://systemd.io/MEMORY_PRESSURE |
|
|
|
* systemd-firstboot gained a new –reset option. If specified the |
|
settings in /etc/ it normally initializes are reset instead. |
|
|
|
* systemd-sysext is now a multi-call binary and also installed under the |
|
systemd-confext alias name (via a symlink). When invoked that way it |
|
will operate on /etc/ instead of /usr/ + /opt/. It thus becomes a |
|
powerful, atomic, secure configuration management of sorts, that |
|
locally can merge configuration from multiple confext configuration |
|
images into a single immutable tree. |
|
|
|
* The –network-macvlan=, –network-ipvlan=, –network-interface= |
|
switches of systemd-nspawn may now optionally take the intended |
|
network interface inside the container. |
|
|
|
* All our programs will now send an sd_notify() message with their exit |
|
status in the EXIT_STATUS= field when exiting, using the usual |
|
protocol, including PID 1. This is useful for VMMs and container |
|
managers to collect an exit status from a system as it shuts down, as |
|
set via “systemctl exit …”. This is particularly useful in test cases |
|
and similar, as invocations via a VM can now nicely propagate an exit |
|
status to the host, similar to local processes. |
|
|
|
* systemd-run gained a new switch –expand-environment=no to disable |
|
server-side enviornment variable expansion in specified command |
|
lines. |
|
|
|
* The systemd-system-update-generator has been update to also look for |
|
the special flag file /etc/system-update in addition to the existing |
|
support for /system-update to decide whether to enter system update |
|
mode. |
|
|
|
* The /dev/hugepages/ file system is now mounted with nosuid + nodev |
|
mount options by default. |
|
|
|
* systemd-fstab-generator now understands two new kernel command line |
|
options systemd.mount-extra= and systemd.swap-extra= which may be |
|
used to configure additional mounts or swaps via the kernel command |
|
line, in a format similar to /etc/fstab lines. |
|
|
|
* systemd-sysupdate’ sysupdate.d/ drop-ins gained a new setting |
|
PathRelativeTo=, which can be set to “esp”, “xbootldr”, “boot”, in |
|
which case the Path= setting is taken relative to the ESP or XBOOTLDR |
|
partitions, rather than the system’s root directory /. The relevant |
|
directories are automatically discovered. |
|
|
|
* The systemd-ac-power tool gained a new switch –low, which reports |
|
whether the battery charge is considered “low”, similar to how the |
|
s2h suspend logic checks this state to decide whether to enter system |
|
suspend or hibernation. |
|
|
|
* The /etc/os-release file now has two new optional fields VENDOR_NAME= |
|
and VENDOR_URL= carrying information about the vendor of the OS. |
|
|
|
* When the system hibernates information about the used device and |
|
offset is now written to a non-volatile EFI variable. On next boot |
|
the system will attempt to resume from the location indicated in this |
|
EFI variable. This should make hibernation a lot more robust, and |
|
requiring no manual configuration of the resume location. |
|
|
|
* The $XDG_STATE_HOME environment variable (added in more recent |
|
versions of the XDG basedir specification) is now honoured to |
|
implement the StateDirectory= setting in user services. |
|
|
|
* A new component “systemd-battery-check” has been added. It may run |
|
during early boot (usually in the initrd), and checks the battery |
|
charge level of the system. In case the charge level is very low the |
|
user is notified (graphically via Plymouth – if available – as well |
|
as in text form on the console), and the system is turned off after a |
|
10s delay. |
|
|
|
CHANGES WITH 253: |
|
|
|
Announcements of Future Feature Removals and Incompatible Changes: |
|
|
|
* We intend to remove cgroup v1 support from systemd release after the |
|
end of 2023. If you run services that make explicit use of cgroup v1 |
|
features (i.e. the “legacy hierarchy” with separate hierarchies for |
|
each controller), please implement compatibility with cgroup v2 (i.e. |
|
the “unified hierarchy”) sooner rather than later. Most of Linux |
|
userspace has been ported over already. |
|
|
|
* We intend to remove support for split-usr (/usr mounted separately |
|
during boot) and unmerged-usr (parallel directories /bin and |
|
/usr/bin, /lib and /usr/lib, etc). This will happen in the second |
|
half of 2023, in the first release that falls into that time window. |
|
For more details, see: |
|
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html |
|
|
|
* We intend to change behaviour w.r.t. units of the per-user service |
|
manager and sandboxing options, so that they work without having to |
|
manually enable PrivateUsers= as well, which is not required for |
|
system units. To make this work, we will implicitly enable user |
|
namespaces (PrivateUsers=yes) when a sandboxing option is enabled in a |
|
user unit. The drawback is that system users will no longer be visible |
|
(and appear as ‘nobody’) to the user unit when a sandboxing option is |
|
enabled. By definition a sandboxed user unit should run with reduced |
|
privileges, so impact should be small. This will remove a great source |
|
of confusion that has been reported by users over the years, due to |
|
how these options require an extra setting to be manually enabled when |
|
used in the per-user service manager, as opposed as to the system |
|
service manager. We plan to enable this change in the next release |
|
later this year. For more details, see: |
|
https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html |
|
|
|
Deprecations and incompatible changes: |
|
|
|
* systemctl will now warn when invoked without /proc/ mounted |
|
(e.g. when invoked after chroot() into an directory tree without the |
|
API mount points like /proc/ being set up.) Operation in such an |
|
environment is not fully supported. |
|
|
|
* The return value of ‘systemctl is-active|is-enabled|is-failed’ for |
|
unknown units is changed: previously 1 or 3 were returned, but now 4 |
|
(EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented. |
|
|
|
* ‘udevadm hwdb’ subcommand is deprecated and will emit a warning. |
|
systemd-hwdb (added in 2014) should be used instead. |
|
|
|
* ‘bootctl –json’ now outputs a single JSON array, instead of a stream |
|
of newline-separated JSON objects. |
|
|
|
* Udev rules in 60-evdev.rules have been changed to load hwdb |
|
properties for all modalias patterns. Previously only the first |
|
matching pattern was used. This could change what properties are |
|
assigned if the user has more and less specific patterns that could |
|
match the same device, but it is expected that the change will have |
|
no effect for most users. |
|
|
|
* systemd-networkd-wait-online exits successfully when all interfaces |
|
are ready or unmanaged. Previously, if neither ‘–any’ nor |
|
‘–interface=’ options were used, at least one interface had to be in |
|
configured state. This change allows the case where systemd-networkd |
|
is enabled, but no interfaces are configured, to be handled |
|
gracefully. It may occur in particular when a different network |
|
manager is also enabled and used. |
|
|
|
* Some compatibility helpers were dropped: EmergencyAction= in the user |
|
manager, as well as measuring kernel command line into PCR 8 in |
|
systemd-stub, along with the -Defi-tpm-pcr-compat compile-time |
|
option. |
|
|
|
* The ‘-Dupdate-helper-user-timeout=’ build-time option has been |
|
renamed to ‘-Dupdate-helper-user-timeout-sec=’, and now takes an |
|
integer as parameter instead of a string. |
|
|
|
* The DDI image dissection logic (which backs RootImage= in service |
|
unit files, the –image= switch in various tools such as |
|
systemd-nspawn, as well as systemd-dissect) will now only mount file |
|
systems of types btrfs, ext4, xfs, erofs, squashfs, vfat. This list |
|
can be overridden via the $SYSTEMD_DISSECT_FILE_SYSTEMS environment |
|
variable. These file systems are fairly well supported and maintained |
|
in current kernels, while others are usually more niche, exotic or |
|
legacy and thus typically do not receive the same level of security |
|
support and fixes. |
|
|
|
* The default per-link multicast DNS mode is changed to “yes” |
|
(that was previously “no”). As the default global multicast DNS mode |
|
has been “yes” (but can be changed by the build option), now the |
|
multicast DNS is enabled on all links by default. You can disable the |
|
multicast DNS on all links by setting MulticastDNS= in resolved.conf, |
|
or on an interface by calling “resolvectl mdns INTERFACE no”. |
|
|
|
New components: |
|
|
|
* A tool ‘ukify’ tool to build, measure, and sign Unified Kernel Images |
|
(UKIs) has been added. This replaces functionality provided by |
|
‘dracut –uefi’ and extends it with automatic calculation of PE file |
|
offsets, insertion of signed PCR policies generated by |
|
systemd-measure, support for initrd concatenation, signing of the |
|
embedded Linux image and the combined image with sbsign, and |
|
heuristics to autodetect the kernel uname and verify the splash |
|
image. |
|
|
|
Changes in systemd and units: |
|
|
|
* A new service type Type=notify-reload is defined. When such a unit is |
|
reloaded a UNIX process signal (typically SIGHUP) is sent to the main |
|
service process. The manager will then wait until it receives a |
|
“RELOADING=1” followed by a “READY=1” notification from the unit as |
|
response (via sd_notify()). Otherwise, this type is the same as |
|
Type=notify. A new setting ReloadSignal= may be used to change the |
|
signal to send from the default of SIGHUP. |
|
|
|
user@.service, systemd-networkd.service, systemd-udevd.service, and |
|
systemd-logind have been updated to this type. |
|
|
|
* Initrd environments which are not on a pure memory file system (e.g. |
|
overlayfs combination as opposed to tmpfs) are now supported. With |
|
this change, during the initrd → host transition (“switch root”) |
|
systemd will erase all files of the initrd only when the initrd is |
|
backed by a memory file system such as tmpfs. |
|
|
|
* New per-unit MemoryZSwapMax= option has been added to configure |
|
memory.zswap.max cgroup properties (the maximum amount of zswap |
|
used). |
|
|
|
* A new LogFilterPatterns= option has been added for units. It may be |
|
used to specify accept/deny regular expressions for log messages |
|
generated by the unit, that shall be enforced by systemd-journald. |
|
Rejected messages are neither stored in the journal nor forwarded. |
|
This option may be used to suppress noisy or uninteresting messages |
|
from units. |
|
|
|
* The manager has a new |
|
org.freedesktop.systemd1.Manager.GetUnitByPIDFD() D-Bus method to |
|
query process ownership via a PIDFD, which is more resilient against |
|
PID recycling issues. |
|
|
|
* Scope units now support OOMPolicy=. Login session scopes default to |
|
OOMPolicy=continue, allowing login scopes to survive the OOM killer |
|
terminating some processes in the scope. |
|
|
|
* systemd-fstab-generator now supports x-systemd.makefs option for |
|
/sysroot/ (in the initrd). |
|
|
|
* The maximum rate at which daemon reloads are executed can now be |
|
limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst= |
|
options. (Or the equivalent on the kernel command line: |
|
systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=). In |
|
addition, systemd now logs the originating unit and PID when a reload |
|
request is received over D-Bus. |
|
|
|
* When enabling a swap device systemd will now reinitialize the device |
|
when the page size of the swap space does not match the page size of |
|
the running kernel. Note that this requires the ‘swapon’ utility to |
|
provide the ‘–fixpgsz’ option, as implemented by util-linux, and it |
|
is not supported by busybox at the time of writing. |
|
|
|
* systemd now executes generator programs in a mount namespace |
|
“sandbox” with most of the file system read-only and write access |
|
restricted to the output directories, and with a temporary /tmp/ |
|
mount provided. This provides a safeguard against programming errors |
|
in the generators, but also fixes here-docs in shells, which |
|
previously didn’t work in early boot when /tmp/ wasn’t available |
|
yet. (This feature has no security implications, because the code is |
|
still privileged and can trivially exit the sandbox.) |
|
|
|
* The system manager will now parse a new “vmm.notify_socket” |
|
system credential, which may be supplied to a VM via SMBIOS. If |
|
found, the manager will send a “READY=1” notification on the |
|
specified socket after boot is complete. This allows readiness |
|
notification to be sent from a VM guest to the VM host over a VSOCK |
|
socket. |
|
|
|
* The sample PAM configuration file for systemd-user@.service now |
|
includes a call to pam_namespace. This puts children of user@.service |
|
in the expected namespace. (Many distributions replace their file |
|
with something custom, so this change has limited effect.) |
|
|
|
* A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST |
|
can be used to override the mount units burst late limit for |
|
parsing ‘/proc/self/mountinfo’, which was introduced in v249. |
|
Defaults to 5. |
|
|
|
* Drop-ins for init.scope changing control group resource limits are |
|
now applied, while they were previously ignored. |
|
|
|
* New build-time configuration options ‘-Ddefault-timeout-sec=’ and |
|
‘-Ddefault-user-timeout-sec=’ have been added, to let distributions |
|
choose the default timeout for starting/stopping/aborting system and |
|
user units respectively. |
|
|
|
* Service units gained a new setting OpenFile= which may be used to |
|
open arbitrary files in the file system (or connect to arbitrary |
|
AF_UNIX sockets in the file system), and pass the open file |
|
descriptor to the invoked process via the usual file descriptor |
|
passing protocol. This is useful to give unprivileged services access |
|
to select files which have restrictive access modes that would |
|
normally not allow this. It’s also useful in case RootDirectory= or |
|
RootImage= is used to allow access to files from the host environment |
|
(which is after all not visible from the service if these two options |
|
are used.) |
|
|
|
Changes in udev: |
|
|
|
* The new net naming scheme “v253” has been introduced. In the new |
|
scheme, ID_NET_NAME_PATH is also set for USB devices not connected via |
|
a PCI bus. This extends the coverage of predictable interface names |
|
in some embedded systems. |
|
|
|
The “amba” bus path is now included in ID_NET_NAME_PATH, resulting in |
|
a more informative path on some embedded systems. |
|
|
|
* Partition block devices will now also get symlinks in |
|
/dev/disk/by-diskseq/-part, which may be used to reference |
|
block device nodes via the kernel’s “diskseq” value. Previously those |
|
symlinks were only created for the main block device. |
|
|
|
* A new operator ‘-=’ is supported for SYMLINK variables. This allows |
|
symlinks to be unconfigured even if an earlier rule added them. |
|
|
|
* ‘udevadm –trigger –settle’ now also works for network devices |
|
that are being renamed. |
|
|
|
Changes in sd-boot, bootctl, and the Boot Loader Specification: |
|
|
|
* systemd-boot now passes its random seed directly to the kernel’s RNG |
|
via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which |
|
means the RNG gets seeded very early in boot before userspace has |
|
started. |
|
|
|
* systemd-boot will pass a disk-backed random seed – even when secure |
|
boot is enabled – if it can additionally get a random seed from EFI |
|
itself (via EFI’s RNG protocol), or a prior seed in |
|
LINUX_EFI_RANDOM_SEED_TABLE_GUID from a preceding bootloader. |
|
|
|
* systemd-boot-system-token.service was renamed to |
|
systemd-boot-random-seed.service and extended to always save a random |
|
seed to ESP on every boot when a compatible boot loader is used. This |
|
allows a refreshed random seed to be used in the boot loader. |
|
|
|
* systemd-boot handles various seed inputs using a domain- and |
|
field-separated hashing scheme. |
|
|
|
* systemd-boot’s ‘random-seed-mode’ option has been removed. A system |
|
token is now always required to be present for random seeds to be |
|
used. |
|
|
|
* systemd-boot now supports being loaded from other locations than the |
|
ESP, for example for direct kernel boot under QEMU or when embedded |
|
into the firmware. |
|
|
|
* systemd-boot now parses SMBIOS information to detect |
|
virtualization. This information is used to skip some warnings which |
|
are not useful in a VM and to conditionalize other aspects of |
|
behaviour. |
|
|
|
* systemd-boot now supports a new ‘if-safe’ mode that will perform UEFI |
|
Secure Boot automated certificate enrollment from the ESP only if it |
|
is considered ‘safe’ to do so. At the moment ‘safe’ means running in |
|
a virtual machine. |
|
|
|
* systemd-stub now processes random seeds in the same way as |
|
systemd-boot already does, in case a unified kernel image is being |
|
used from a different bootloader than systemd-boot, or without any |
|
boot load at all. |
|
|
|
* bootctl will now generate a system token on all EFI systems, even |
|
virtualized ones, and is activated in the case that the system token |
|
is missing from either sd-boot and sd-stub booted systems. |
|
|
|
* bootctl now implements two new verbs: ‘kernel-identify’ prints the |
|
type of a kernel image file, and ‘kernel-inspect’ provides |
|
information about the embedded command line and kernel version of |
|
UKIs. |
|
|
|
* bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning |
|
as for kernel-install. |
|
|
|
* The JSON output of “bootctl list” will now contain two more fields: |
|
isDefault and isSelected are boolean fields set to true on the |
|
default and currently booted boot menu entries. |
|
|
|
* bootctl gained a new verb “unlink” for removing a boot loader entry |
|
type #1 file from disk in a safe and robust way. |
|
|
|
* bootctl also gained a new verb “cleanup” that automatically removes |
|
all files from the ESP’s and XBOOTLDR’s “entry-token” directory, that |
|
is not referenced anymore by any installed Type #1 boot loader |
|
specification entry. This is particularly useful in environments where |
|
a large number of entries reference the same or partly the same |
|
resources (for example, for snapshot-based setups). |
|
|
|
Changes in kernel-install: |
|
|
|
* A new “installation layout” can be configured as layout=uki. With |
|
this setting, a Boot Loader Specification Type#1 entry will not be |
|
created. Instead, a new kernel-install plugin 90-uki-copy.install |
|
will copy any .efi files from the staging area into the boot |
|
partition. A plugin to generate the UKI .efi file must be provided |
|
separately. |
|
|
|
Changes in systemctl: |
|
|
|
* ‘systemctl reboot’ has dropped support for accepting a positional |
|
argument as the argument to the reboot(2) syscall. Please use the |
|
–reboot-argument= option instead. |
|
|
|
* ‘systemctl disable’ will now warn when called on units without |
|
install information. A new –no-warn option has been added that |
|
silences this warning. |
|
|
|
* New option ‘–drop-in=’ can be used to tell ‘systemctl edit’ the name |
|
of the drop-in to edit. (Previously, ‘override.conf’ was always |
|
used.) |
|
|
|
* ‘systemctl list-dependencies’ now respects –type= and –state=. |
|
|
|
* ‘systemctl kexec’ now supports XEN VMM environments. |
|
|
|
* ‘systemctl edit’ will now tell the invoked editor to jump into the |
|
first line with actual unit file data, skipping over synthesized |
|
comments. |
|
|
|
Changes in systemd-networkd and related tools: |
|
|
|
* The [DHCPv4] section in .network file gained new SocketPriority= |
|
setting that assigns the Linux socket priority used by the DHCPv4 raw |
|
socket. This may be used in conjunction with the |
|
EgressQOSMaps=setting in [VLAN] section of .netdev file to send the |
|
desired ethernet 802.1Q frame priority for DHCPv4 initial |
|
packets. This cannot be achieved with netfilter mangle tables because |
|
of the raw socket bypass. |
|
|
|
* The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained a |
|
new QuickAck= boolean setting that enables the TCP quick ACK mode for |
|
the routes configured by the acquired DHCPv4 lease or received router |
|
advertisements (RAs). |
|
|
|
* The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised |
|
routes) now accepts three values, for high, medium, and low preference |
|
of the router (which can be set with the RouterPreference=) setting. |
|
|
|
* systemd-networkd-wait-online now supports matching via alternative |
|
interface names. |
|
|
|
* The [DHCPv6] section in .network file gained new SendRelease= |
|
setting which enables the DHCPv6 client to send release when |
|
it stops. This is the analog of the [DHCPv4] SendRelease= setting. |
|
It is enabled by default. |
|
|
|
* If the Address= setting in [Network] or [Address] sections in .network |
|
specified without its prefix length, then now systemd-networkd assumes |
|
/32 for IPv4 or /128 for IPv6 addresses. |
|
|
|
* networkctl shows network and link file dropins in status output. |
|
|
|
Changes in systemd-dissect: |
|
|
|
* systemd-dissect gained a new option –list, to print the paths of |
|
all files and directories in a DDI. |
|
|
|
* systemd-dissect gained a new option –mtree, to generate a file |
|
manifest compatible with BSD mtree(5) of a DDI |
|
|
|
* systemd-dissect gained a new option –with, to execute a command with |
|
the specified DDI temporarily mounted and used as working |
|
directory. This is for example useful to convert a DDI to “tar” |
|
simply by running it within a “systemd-dissect –with” invocation. |
|
|
|
* systemd-dissect gained a new option –discover, to search for |
|
Discoverable Disk Images (DDIs) in well-known directories of the |
|
system. This will list machine, portable service and system extension |
|
disk images. |
|
|
|
* systemd-dissect now understands 2nd stage initrd images stored as a |
|
Discoverable Disk Image (DDI). |
|
|
|
* systemd-dissect will now display the main UUID of GPT DDIs (i.e. the |
|
disk UUID stored in the GPT header) among the other data it can show. |
|
|
|
* systemd-dissect gained a new –in-memory switch to operate on an |
|
in-memory copy of the specified DDI file. This is useful to access a |
|
DDI with write access without persisting any changes. It’s also |
|
useful for accessing a DDI without keeping the originating file |
|
system busy. |
|
|
|
* The DDI dissection logic will now automatically detect the intended |
|
sector size of disk images stored in files, based on the GPT |
|
partition table arrangement. Loopback block devices for such DDIs |
|
will then be configured automatically for the right sector size. This |
|
is useful to make dealing with modern 4K sector size DDIs fully |
|
automatic. The systemd-dissect tool will now show the detected sector |
|
size among the other DDI information in its output. |
|
|
|
Changes in systemd-repart: |
|
|
|
* systemd-repart gained new options –include-partitions= and |
|
–exclude-partitions= to filter operation on partitions by type UUID. |
|
This allows systemd-repart to be used to build images in which the |
|
type of one partition is set based on the contents of another |
|
partition (for example when the boot partition shall include a verity |
|
hash of the root partition). |
|
|
|
* systemd-repart also gained a –defer-partitions= option that is |
|
similar to –exclude-partitions=, but the size of the partition is |
|
still taken into account when sizing partitions, but without |
|
populating it. |
|
|
|
* systemd-repart gained a new –sector-size= option to specify what |
|
sector size should be used when an image is created. |
|
|
|
* systemd-repart now supports generating erofs file systems via |
|
CopyFiles= (a read-only file system similar to squashfs). |
|
|
|
* The Minimize= option was extended to accept “best” (which means the |
|
most minimal image possible, but may require multiple attempts) and |
|
“guess” (which means a reasonably small image). |
|
|
|
* The systemd-growfs binary now comes with a regular unit file template |
|
systemd-growfs@.service which can be instantiated directly for any |
|
desired file system. (Previously, the unit was generated dynamically |
|
by various generators, but no regular unit file template was |
|
available.) |
|
|
|
Changes in journal tools: |
|
|
|
* Various systemd tools will append extra fields to log messages when |
|
in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently |
|
this includes information about D-Bus messages when sd-bus is used, |
|
e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information |
|
about devices when sd-device is used, e.g. DEVNAME= and DRIVER=. |
|
Details of what is logged and when are subject to change. |
|
|
|
* The systemd-journald-audit.socket can now be disabled via the usual |
|
“systemctl disable” mechanism to stop collection of audit |
|
messages. Please note that it is not enabled statically anymore and |
|
must be handled by the preset/enablement logic in package |
|
installation scripts. |
|
|
|
* New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can |
|
be used to curtail disk use by systemd-journal-remote. This is |
|
similar to the options supported by systemd-journald. |
|
|
|
Changes in systemd-cryptenroll, systemd-cryptsetup, and related |
|
components: |
|
|
|
* When enrolling new keys systemd-cryptenroll now supports unlocking |
|
via FIDO2 tokens (option –unlock-fido2-device=). Previously, a |
|
password was strictly required to be specified. |
|
|
|
* systemd-cryptsetup now supports pre-flight requests for FIDO2 tokens |
|
(except for tokens with user verification, UV) to identify tokens |
|
before authentication. Multiple FIDO2 tokens can now be enrolled at |
|
the same time, and systemd-cryptsetup will automatically select one |
|
that corresponds to one of the available LUKS key slots. |
|
|
|
* systemd-cryptsetup now supports new options tpm2-measure-bank= and |
|
tpm2-measure-pcr= in crypttab(5). These allow specifying the TPM2 PCR |
|
bank and number into which the volume key should be measured. This is |
|
automatically enabled for the encrypted root volume discovered and |
|
activated by systemd-gpt-auto-generator. |
|
|
|
* systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with |
|
“noexec,nosuid,nodev”. |
|
|
|
* systemd-gpt-auto-generator will now honour the rootfstype= and |
|
rootflags= kernel command line switches for root file systems it |
|
discovers, to match behaviour in case an explicit root fs is |
|
specified via root=. |
|
|
|
* systemd-pcrphase gained new options –machine-id and –file-system= |
|
to measure the machine-id and mount point information into PCR 15. New |
|
service unit files systemd-pcrmachine.service and |
|
systemd-pcrfs@.service have been added that invoke the tool with |
|
these switches during early boot. |
|
|
|
* systemd-pcrphase gained a –graceful switch will make it exit cleanly |
|
with a success exit code even if no TPM device is detected. |
|
|
|
* systemd-cryptenroll now stores the user-supplied PIN with a salt, |
|
making it harder to brute-force. |
|
|
|
Changes in other tools: |
|
|
|
* systemd-homed gained support for luksPbkdfForceIterations (the |
|
intended number of iterations for the PBKDF operation on LUKS). |
|
|
|
* Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS, |
|
$SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS |
|
may now be used to specify additional arguments for mkfs when |
|
systemd-homed formats a file system. |
|
|
|
* systemd-hostnamed now exports the contents of |
|
/sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two |
|
new D-Bus properties: FirmwareVendor and FirmwareDate. This allows |
|
unprivileged code to access those values. |
|
|
|
systemd-hostnamed also exports the SUPPORT_END= field from |
|
os-release(5) as OperatingSystemSupportEnd. hostnamectl make uses of |
|
this to show the status of the installed system. |
|
|
|
* systemd-measure gained an –append= option to sign multiple phase |
|
paths with different signing keys. This allows secrets to be |
|
accessible only in certain parts of the boot sequence. Note that |
|
‘ukify’ provides similar functionality in a more accessible form. |
|
|
|
* systemd-timesyncd will now write a structured log message with |
|
MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based |
|
on a on-disk timestamp, similarly to what it did when reaching |
|
synchronization via NTP. |
|
|
|
* systemd-timesyncd will now update the on-disk timestamp file on each |
|
boot at least once, making it more likely that the system time |
|
increases in subsequent boots. |
|
|
|
* systemd-vconsole-setup gained support for system/service credentials: |
|
vconsole.keymap/vconsole.keymap_toggle and |
|
vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous |
|
the similarly-named options in vconsole.conf. |
|
|
|
* systemd-localed will now save the XKB keyboard configuration to |
|
/etc/vconsole.conf, and also read it from there with a higher |
|
preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config |
|
file. Previously, this information was stored in the former file in |
|
converted form, and only in latter file in the original form. Tools |
|
which want to access keyboard configuration can now do so from a |
|
standard location. |
|
|
|
* systemd-resolved gained support for configuring the nameservers and |
|
search domains via kernel command line (nameserver=, domain=) and |
|
credentials (network.dns, network.search_domains). |
|
|
|
* systemd-resolved will now synthesize host names for the DNS stub |
|
addresses it supports. Specifically when “_localdnsstub” is resolved, |
|
127.0.0.53 is returned, and if “_localdnsproxy” is resolved |
|
127.0.0.54 is returned. |
|
|
|
* systemd-notify will now send a “RELOADING=1” notification when called |
|
with –reloading, and “STOPPING=1” when called with –stopping. This |
|
can be used to implement notifications from units where it’s easier |
|
to call a program than to use the sd-daemon library. |
|
|
|
* systemd-analyze’s ‘plot’ command can now output its information in |
|
JSON, controlled via the –json= switch. Also, new –table, and |
|
–no-legend options have been added. |
|
|
|
* ‘machinectl enable’ will now automatically enable machines.target |
|
unit in addition to adding the machine unit to the target. |
|
|
|
Similarly, ‘machinectl start|stop’ gained a –now option to enable or |
|
disable the machine unit when starting or stopping it. |
|
|
|
* systemd-sysusers will now create /etc/ if it is missing. |
|
|
|
* systemd-sleep ‘HibernateDelaySec=’ setting is changed back to |
|
pre-v252’s behaviour, and a new ‘SuspendEstimationSec=’ setting is |
|
added to provide the new initial value for the new automated battery |
|
estimation functionality. If ‘HibernateDelaySec=’ is set to any value, |
|
the automated estimate (and thus the automated hibernation on low |
|
battery to avoid data loss) functionality will be disabled. |
|
|
|
* Default tmpfiles.d/ configuration will now automatically create |
|
credentials storage directory ‘/etc/credstore/’ with the appropriate, |
|
secure permissions. If ‘/run/credstore/’ exists, its permissions will |
|
be fixed too in case they are not correct. |
|
|
|
Changes in libsystemd and shared code: |
|
|
|
* sd-bus gained new convenience functions sd_bus_emit_signal_to(), |
|
sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to(). |
|
|
|
* sd-id128 functions now return -EUCLEAN (instead of -EIO) when the |
|
128bit ID in files such as /etc/machine-id has an invalid |
|
format. They also accept NULL as output parameter in more places, |
|
which is useful when the caller only wants to validate the inputs and |
|
does not need the output value. |
|
|
|
* sd-login gained new functions sd_pidfd_get_session(), |
|
sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(), |
|
sd_pidfd_get_user_unit(), sd_pidfd_get_slice(), |
|
sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and |
|
sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(), |
|
but accept a PIDFD instead of a PID. |
|
|
|
* sd-path (and systemd-path) now export four new paths: |
|
SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR, |
|
SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR, |
|
SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and |
|
SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR, |
|
|
|
* sd_notify() now supports AF_VSOCK as transport for notification |
|
messages (in addition to the existing AF_UNIX support). This is |
|
enabled if $NOTIFY_SOCKET is set in a “vsock:CID:port” format. |
|
|
|
* Detection of chroot() environments now works if /proc/ is not |
|
mounted. This affects systemd-detect-virt –chroot, but also means |
|
that systemd tools will silently skip various operations in such an |
|
environment. |
|
|
|
* “Lockheed Martin Hardened Security for Intel Processors” (HS SRE) |
|
virtualization is now detected. |
|
|
|
Changes in the build system: |
|
|
|
* Standalone variants of systemd-repart and systemd-shutdown may now be |
|
built (if -Dstandalone=true). |
|
|
|
* systemd-ac-power has been moved from /usr/lib/ to /usr/bin/, to, for |
|
example, allow scripts to conditionalize execution on AC power |
|
supply. |
|
|
|
* The libp11kit library is now loaded through dlopen(3). |
|
|
|
Changes in the documentation: |
|
|
|
* Specifications that are not closely tied to systemd have moved to |
|
https://uapi-group.org/specifications/: the Boot Loader Specification |
|
and the Discoverable Partitions Specification. |
|
|
|
Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas, |
|
Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang, |
|
Antonio Alvarez Feijoo, Arsen Arsenović, asavah, Benjamin Fogle, |
|
Benjamin Tissoires, berenddeschouwer, BerndAdameit, |
|
Bernd Steinhauser, blutch112, cake03, Callum Farmer, Carlo Teubner, |
|
Charles Hardin, chris, Christian Brauner, Christian Göttsche, |
|
Cristian Rodríguez, Daan De Meyer, Dan Streetman, DaPigGuy, |
|
Darrell Kavanagh, David Tardon, dependabot[bot], Dirk Su, |
|
Dmitry V. Levin, drosdeck, Edson Juliano Drosdeck, edupont, |
|
Eric DeVolder, Erik Moqvist, Evgeny Vereshchagin, Fabian Gurtner, |
|
Felix Riemann, Franck Bui, Frantisek Sumsal, Geert Lorang, |
|
Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho, |
|
igo95862, Ilya Leoshkevich, Ivan Shapovalov, Jacek Migacz, |
|
Jade Lovelace, Jan Engelhardt, Jan Janssen, Jan Macku, January, |
|
Jason A. Donenfeld, jcg, Jean-Tiare Le Bigot, Jelle van der Waa, |
|
Jeremy Linton, Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann, |
|
Jörg Thalheim, Joshua Goins, joshuazivkovic, Joshua Zivkovic, |
|
Kai-Chuan Hsieh, Khem Raj, Koba Ko, Lennart Poettering, lichao, |
|
Li kunyu, Luca Boccassi, Luca BRUNO, Ludwig Nussel, |
|
Łukasz Stelmach, Lycowolf, marcel151, Marcus Schäfer, Marek Vasut, |
|
Mark Laws, Michael Biebl, Michał Kotyla, Michal Koutný, |
|
Michal Sekletár, Mike Gilbert, Mike Yuan, MkfsSion, ml, |
|
msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore, Nick Rosbrook, |
|
noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv, Phaedrus Leeds, |
|
Philipp Jungkamp, Quentin Deslandes, Raul Tambre, Ray Strode, |
|
reuben olinsky, Richard E. van der Luit, Richard Phibel, |
|
Ricky Tigg, Robin Humble, rogg, Rudi Heitbaum, Sam James, |
|
Samuel Cabrero, Samuel Thibault, Siddhesh Poyarekar, Simon Brand, |
|
Space Meyer, Spindle Security, Steve Ramage, Takashi Sakamoto, |
|
Thomas Haller, Tonći Galić, Topi Miettinen, Torsten Hilbrich, |
|
Tuetuopay, uerdogan, Ulrich Ölmann, Valentin David, |
|
Vitaly Kuznetsov, Vito Caputo, Waltibaba, Will Fancher, |
|
William Roberts, wouter bolsterlee, Youfu Zhang, Yu Watanabe, |
|
Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, |
|
наб |
|
|
|
— Warsaw, 2023-02-15 |
|
|
|
CHANGES WITH 252 🎃: |
|
|
|
Announcements of Future Feature Removals: |
|
|
|
* We intend to remove cgroup v1 support from systemd release after the |
|
end of 2023. If you run services that make explicit use of cgroup v1 |
|
features (i.e. the “legacy hierarchy” with separate hierarchies for |
|
each controller), please implement compatibility with cgroup v2 (i.e. |
|
the “unified hierarchy”) sooner rather than later. Most of Linux |
|
userspace has been ported over already. |
|
|
|
* We intend to remove support for split-usr (/usr mounted separately |
|
during boot) and unmerged-usr (parallel directories /bin and |
|
/usr/bin, /lib and /usr/lib, etc). This will happen in the second |
|
half of 2023, in the first release that falls into that time window. |
|
For more details, see: |
|
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html |
|
|
|
Compatibility Breaks: |
|
|
|
* ConditionKernelVersion= checks that use the ‘=’ or ‘!=’ operators |
|
will now do simple string comparisons (instead of version comparisons |
|
à la stverscmp()). Version comparisons are still done for the |
|
ordering operators ‘<', '>‘, ‘<=', '>=’. Moreover, if no operator is |
|
specified, a shell-style glob match is now done. This creates a minor |
|
incompatibility compared to older systemd versions when the ‘*’, ‘?’, |
|
‘[‘, ‘]’ characters are used, as these will now match as shell globs |
|
instead of literally. Given that kernel version strings typically do |
|
not include these characters we expect little breakage through this |
|
change. |
|
|
|
* The service manager will now read the SELinux label used for SELinux |
|
access checks from the unit file at the time it loads the file. |
|
Previously, the label would be read at the moment of the access |
|
check, which was problematic since at that time the unit file might |
|
already have been updated or removed. |
|
|
|
New Features: |
|
|
|
* systemd-measure is a new tool for calculating and signing expected |
|
TPM2 PCR values for a given unified kernel image (UKI) booted via |
|
sd-stub. The public key used for the signature and the signed |
|
expected PCR information can be embedded inside the UKI. This |
|
information can be extracted from the UKI by external tools and code |
|
in the image itself and is made available to userspace in the booted |
|
kernel. |
|
|
|
systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been |
|
updated to make use of this information if available in the booted |
|
kernel: when locking an encrypted volume/credential to the TPM |
|
systemd-cryptenroll/systemd-creds will use the public key to bind the |
|
volume/credential to any kernel that carries PCR information signed |
|
by the same key pair. When unlocking such volumes/credentials |
|
systemd-cryptsetup/systemd-creds will use the signature embedded in |
|
the booted UKI to gain access. |
|
|
|
Binding TPM-based disk encryption to public keys/signatures of PCR |
|
values — instead of literal PCR values — addresses the inherent |
|
“brittleness” of traditional PCR-bound TPM disk encryption schemes: |
|
disks remain accessible even if the UKI is updated, without any TPM |
|
specific preparation during the OS update — as long as each UKI |
|
carries the necessary PCR signature information. |
|
|
|
Net effect: if you boot a properly prepared kernel, TPM-bound disk |
|
encryption now defaults to be locked to kernels which carry PCR |
|
signatures from the same key pair. Example: if a hypothetical distro |
|
FooOS prepares its UKIs like this, TPM-based disk encryption is now – |
|
by default – bound to only FooOS kernels, and encrypted volumes bound |
|
to the TPM cannot be unlocked on kernels from other sources. (But do |
|
note this behaviour requires preparation/enabling in the UKI, and of |
|
course users can always enroll non-TPM ways to unlock the volume.) |
|
|
|
* systemd-pcrphase is a new tool that is invoked at six places during |
|
system runtime, and measures additional words into TPM2 PCR 11, to |
|
mark milestones of the boot process. This allows binding access to |
|
specific TPM2-encrypted secrets to specific phases of the boot |
|
process. (Example: LUKS2 disk encryption key only accessible in the |
|
initrd, but not later.) |
|
|
|
Changes in systemd itself, i.e. the manager and units |
|
|
|
* The cpu controller is delegated to user manager units by default, and |
|
CPUWeight= settings are applied to the top-level user slice units |
|
(app.slice, background.slice, session.slice). This provides a degree |
|
of resource isolation between different user services competing for |
|
the CPU. |
|
|
|
* Systemd can optionally do a full preset in the “first boot” condition |
|
(instead of just enable-only). This behaviour is controlled by the |
|
compile-time option -Dfirst-boot-full-preset. Right now it defaults |
|
to ‘false’, but the plan is to switch it to ‘true’ for the subsequent |
|
release. |
|
|
|
* Drop-ins are now allowed for transient units too. |
|
|
|
* Systemd will set the taint flag ‘support-ended’ if it detects that |
|
the OS image is past its end-of-support date. This date is declared |
|
in a new /etc/os-release field SUPPORT_END= described below. |
|
|
|
* Two new settings ConditionCredential= and AssertCredential= can be |
|
used to skip or fail units if a certain system credential is not |
|
provided. |
|
|
|
* ConditionMemory= accepts size suffixes (K, M, G, T, …). |
|
|
|
* DefaultSmackProcessLabel= can be used in system.conf and user.conf to |
|
specify the SMACK security label to use when not specified in a unit |
|
file. |
|
|
|
* DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to |
|
specify the default timeout when waiting for device units to |
|
activate. |
|
|
|
* C.UTF-8 is used as the default locale if nothing else has been |
|
configured. |
|
|
|
* [Condition|Assert]Firmware= have been extended to support certain |
|
SMBIOS fields. For example |
|
|
|
ConditionFirmware=smbios-field(board_name = “Custom Board”) |
|
|
|
conditionalizes the unit to run only when |
|
/sys/class/dmi/id/board_name contains “Custom Board” (without the |
|
quotes). |
|
|
|
* ConditionFirstBoot= now correctly evaluates as true only during the |
|
boot phase of the first boot. A unit executed later, after booting |
|
has completed, will no longer evaluate this condition as true. |
|
|
|
* Socket units will now create sockets in the SELinuxContext= of the |
|
associated service unit, if any. |
|
|
|
* Boot phase transitions (start initrd → exit initrd → boot complete → |
|
shutdown) will be measured into TPM2 PCR 11, so that secrets can be |
|
bound to a specific runtime phase. E.g.: a LUKS encryption key can be |
|
unsealed only in the initrd. |
|
|
|
* Service credentials (i.e. SetCredential=/LoadCredential=/…) will now |
|
also be provided to ExecStartPre= processes. |
|
|
|
* Various units are now correctly ordered against |
|
initrd-switch-root.target where previously a conflict without |
|
ordering was configured. A stop job for those units would be queued, |
|
but without the ordering it could be executed only after |
|
initrd-switch-root.service, leading to units not being restarted in |
|
the host system as expected. |
|
|
|
* In order to fully support the IPMI watchdog driver, which has not yet |
|
been ported to the new common watchdog device interface, |
|
/dev/watchdog0 will be tried first and systemd will silently fallback |
|
to /dev/watchdog if it is not found. |
|
|
|
* New watchdog-related D-Bus properties are now published by systemd: |
|
WatchdogDevice, WatchdogLastPingTimestamp, |
|
WatchdogLastPingTimestampMonotonic. |
|
|
|
* At shutdown, API virtual files systems (proc, sys, etc.) will be |
|
unmounted lazily. |
|
|
|
* At shutdown, systemd will now log about processes blocking unmounting |
|
of file systems. |
|
|
|
* A new meson build option ‘clock-valid-range-usec-max’ was added to |
|
allow disabling system time correction if RTC returns a timestamp far |
|
in the future. |
|
|
|
* Propagated restart jobs will no longer be discarded while a unit is |
|
activating. |
|
|
|
* PID 1 will now import system credentials from SMBIOS Type 11 fields |
|
(“OEM vendor strings”), in addition to qemu_fwcfg. This provides a |
|
simple, fast and generic path for supplying credentials to a VM, |
|
without involving external tools such as cloud-init/ignition. |
|
|
|
* The CPUWeight= setting of unit files now accepts a new special value |
|
“idle”, which configures “idle” level scheduling for the unit. |
|
|
|
* Service processes that are activated due to a .timer or .path unit |
|
triggering will now receive information about this via environment |
|
variables. Note that this is information is lossy, as activation |
|
might be coalesced and only one of the activating triggers will be |
|
reported. This is hence more suited for debugging or tracing rather |
|
than for behaviour decisions. |
|
|
|
* The riscv_flush_icache(2) system call has been added to the list of |
|
system calls allowed by default when SystemCallFilter= is used. |
|
|
|
* The selinux context derived from the target executable, instead of |
|
‘init_t’ used for the manager itself, is now used when creating |
|
listening sockets for units that specify SELinuxContextFromNet=yes. |
|
|
|
Changes in sd-boot, bootctl, and the Boot Loader Specification: |
|
|
|
* The Boot Loader Specification has been cleaned up and clarified. |
|
Various corner cases in version string comparisons have been fixed |
|
(e.g. comparisons for empty strings). Boot counting is now part of |
|
the main specification. |
|
|
|
* New PCRs measurements are performed during boot: PCR 11 for the |
|
kernel+initrd combo, PCR 13 for any sysext images. If a measurement |
|
took place this is now reported to userspace via the new |
|
StubPcrKernelImage and StubPcrInitRDSysExts EFI variables. |
|
|
|
* As before, systemd-stub will measure kernel parameters and system |
|
credentials into PCR 12. It will now report this fact via the |
|
StubPcrKernelParameters EFI variable to userspace. |
|
|
|
* The UEFI monotonic boot counter is now included in the updated random |
|
seed file maintained by sd-boot, providing some additional entropy. |
|
|
|
* sd-stub will use LoadImage/StartImage to execute the kernel, instead |
|
of arranging the image manually and jumping to the kernel entry |
|
point. sd-stub also installs a temporary UEFI SecurityOverride to |
|
allow the (unsigned) nested image to be booted. This is safe because |
|
the outer (signed) stub+kernel binary must have been verified before |
|
the stub was executed. |
|
|
|
* Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware) |
|
is now supported by sd-boot. |
|
|
|
* bootctl gained a bunch of new options: –all-architectures to install |
|
binaries for all supported EFI architectures, –root= and –image= |
|
options to operate on a directory or disk image, and |
|
–install-source= to specify the source for binaries to install, |
|
–efi-boot-option-description= to control the name of the boot entry. |
|
|
|
* The sd-boot stub exports a StubFeatures flag, which is used by |
|
bootctl to show features supported by the stub that was used to boot. |
|
|
|
* The PE section offsets that are used by tools that assemble unified |
|
kernel images have historically been hard-coded. This may lead to |
|
overlapping PE sections which may break on boot. The UKI will now try |
|
to detect and warn about this. |
|
|
|
Any tools that assemble UKIs must update to calculate these offsets |
|
dynamically. Future sd-stub versions may use offsets that will not |
|
work with the currently used set of hard-coded offsets! |
|
|
|
* sd-stub now accepts (and passes to the initrd and then to the full |
|
OS) new PE sections ‘.pcrsig’ and ‘.pcrkey’ that can be used to embed |
|
signatures of expected PCR values, to allow sealing secrets via the |
|
TPM2 against pre-calculated PCR measurements. |
|
|
|
Changes in the hardware database: |
|
|
|
* ‘systemd-hwdb query’ now supports the –root= option. |
|
|
|
Changes in systemctl: |
|
|
|
* systemctl now supports –state= and –type= options for the ‘show’ |
|
and ‘status’ verbs. |
|
|
|
* systemctl gained a new verb ‘list-automounts’ to list automount |
|
points. |
|
|
|
* systemctl gained support for a new –image= switch to be able to |
|
operate on the specified disk image (similar to the existing –root= |
|
which operates relative to some directory). |
|
|
|
Changes in systemd-networkd: |
|
|
|
* networkd can set Linux NetLabel labels for integration with the |
|
network control in security modules via a new NetLabel= option. |
|
|
|
* The RapidCommit= is (re-)introduced to enable faster configuration |
|
via DHCPv6 (RFC 3315). |
|
|
|
* networkd gained a new option TCPCongestionControlAlgorithm= that |
|
allows setting a per-route TCP algorithm. |
|
|
|
* networkd gained a new option KeepFileDescriptor= to allow keeping a |
|
reference (file descriptor) open on TUN/TAP interfaces, which is |
|
useful to avoid link flaps while the underlying service providing the |
|
interface is being serviced. |
|
|
|
* RouteTable= now also accepts route table names. |
|
|
|
Changes in systemd-nspawn: |
|
|
|
* The –bind= and –overlay= options now support relative paths. |
|
|
|
* The –bind= option now supports a ‘rootidmap’ value, which will |
|
use id-mapped mounts to map the root user inside the container to the |
|
owner of the mounted directory on the host. |
|
|
|
Changes in systemd-resolved: |
|
|
|
* systemd-resolved now persists DNSOverTLS in its state file too. This |
|
fixes a problem when used in combination with NetworkManager, which |
|
sends the setting only once, causing it to be lost if resolved was |
|
restarted at any point. |
|
|
|
* systemd-resolved now exposes a varlink socket at |
|
/run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for |
|
root. Processed DNS requests in a JSON format will be published to |
|
any clients connected to this socket. |
|
|
|
resolvectl gained a ‘monitor’ verb to make use of this. |
|
|
|
* systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE |
|
instead of returning SERVFAIL, as per RFC: |
|
https://datatracker.ietf.org/doc/html/rfc6840#section-5.2 |
|
|
|
* OpenSSL is the default crypto backend for systemd-resolved. (gnutls |
|
is still supported.) |
|
|
|
Changes in libsystemd and other libraries: |
|
|
|
* libsystemd now exports sd_bus_error_setfv() (a convenience function |
|
for setting bus errors), sd_id128_string_equal (a convenience |
|
function for 128bit ID string comparisons), and |
|
sd_bus_message_read_strv_extend() (a function to incrementally read |
|
string arrays). |
|
|
|
* libsystemd now exports sd_device_get_child_first()/_next() as a |
|
high-level interface for enumerating child devices. It also supports |
|
sd_device_new_child() for opening a child device given a device |
|
object. |
|
|
|
* libsystemd now exports sd_device_monitor_set()/get_description() |
|
which allow setting a custom description that will be used in log |
|
messages by sd_device_monitor*. |
|
|
|
* Private shared libraries (libsystemd-shared-nnn.so, |
|
libsystemd-core-nnn.so) are now installed into arch-specific |
|
directories to allow multi-arch installs. |
|
|
|
* A new sd-gpt.h header is now published, listing GUIDs from the |
|
Discoverable Partitions specification. For more details see: |
|
https://systemd.io/DISCOVERABLE_PARTITIONS/ |
|
|
|
* A new function sd_hwdb_new_from_path() has been added to open a hwdb |
|
database given an explicit path to the file. |
|
|
|
* The signal number argument to sd_event_add_signal() now can now be |
|
ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to |
|
be automatically invoked to block the specified signal. This is |
|
useful to simplify invocations as the caller doesn’t have to do this |
|
manually. |
|
|
|
* A new convenience call sd_event_set_signal_exit() has been added to |
|
sd-event to set up signal handling so that the event loop |
|
automatically terminates cleanly on SIGTERM/SIGINT. |
|
|
|
Changes in other components: |
|
|
|
* systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration |
|
can now be provided via the credential mechanism. |
|
|
|
* systemd-analyze gained a new verb ‘compare-versions’ that implements |
|
comparisons for versions strings (similarly to ‘rpmdev-vercmp’ and |
|
‘dpkg –compare-versions’). |
|
|
|
* ‘systemd-analyze dump’ is extended to accept glob patterns for unit |
|
names to limit the output to matching units. |
|
|
|
* tmpfiles.d/ lines can read file contents to write from a credential. |
|
The new modifier char ‘^’ is used to specify that the argument is a |
|
credential name. This mechanism is used to automatically populate |
|
/etc/motd, /etc/issue, and /etc/hosts from credentials. |
|
|
|
* tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of |
|
an inode if the specification is prefixed with ‘:’ and the inode |
|
already exists. |
|
|
|
* Default tmpfiles.d/ configuration now carries a line to automatically |
|
use an ‘ssh.authorized_keys.root’ credential if provided to set up |
|
the SSH authorized_keys file for the root user. |
|
|
|
* systemd-tmpfiles will now gracefully handle absent source of “C” copy |
|
lines. |
|
|
|
* tmpfiles.d/ F/w lines now optionally permit encoding of the payload |
|
in base64. This is useful to write arbitrary binary data into files. |
|
|
|
* The pkgconfig and rpm macros files now export the directory for user |
|
units as ‘user_tmpfiles_dir’ and ‘%_user_tmpfilesdir’. |
|
|
|
* Detection of Apple Virtualization and detection of Parallels and |
|
KubeVirt virtualization on non-x86 archs have been added. |
|
|
|
* os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the |
|
user when their system will become unsupported. |
|
|
|
* When performing suspend-then-hibernate, the system will estimate the |
|
discharge rate and use that to set the delay until hibernation and |
|
hibernate immediately instead of suspending when running from a |
|
battery and the capacity is below 5%. |
|
|
|
* systemd-sysctl gained a –strict option to fail when a sysctl |
|
setting is unknown to the kernel. |
|
|
|
* machinectl supports –force for the ‘copy-to’ and ‘copy-from’ |
|
verbs. |
|
|
|
* coredumpctl gained the –root and –image options to look for journal |
|
files under the specified root directory, image, or block device. |
|
|
|
* ‘journalctl -o’ and similar commands now implement a new output mode |
|
“short-delta”. It is similar to “short-monotonic”, but also shows the |
|
time delta between subsequent messages. |
|
|
|
* journalctl now respects the –quiet flag when verifying consistency |
|
of journal files. |
|
|
|
* Journal log messages gained a new implicit field _RUNTIME_SCOPE= that |
|
will indicate whether a message was logged in the ‘initrd’ phase or |
|
in the ‘system’ phase of the boot process. |
|
|
|
* Journal files gained a new compatibility flag |
|
‘HEADER_INCOMPATIBLE_COMPACT’. Files with this flag implement changes |
|
to the storage format that allow reducing size on disk. As with other |
|
compatibility flags, older journalctl versions will not be able to |
|
read journal files using this new format. The environment variable |
|
‘SYSTEMD_JOURNAL_COMPACT=0’ can be passed to systemd-journald to |
|
disable this functionality. It is enabled by default. |
|
|
|
* systemd-run’s –working-directory= switch now works when used in |
|
combination with –scope. |
|
|
|
* portablectl gained a –force flag to skip certain sanity checks. This |
|
is implemented using new flags accepted by systemd-portabled for the |
|
*WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH |
|
flag now means that the attach/detach checks whether the units are |
|
already present and running will be skipped. Similarly, |
|
SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether |
|
image name matches the name declared inside of the image will be |
|
skipped. Callers must be sure to do those checks themselves if |
|
appropriate. |
|
|
|
* systemd-portabled will now use the original filename to check |
|
extension-release.NAME for correctness, in case it is passed a |
|
symlink. |
|
|
|
* systemd-portabled now uses PrivateTmp=yes in the ‘trusted’ profile |
|
too. |
|
|
|
* sysext’s extension-release files now support ‘_any’ as a special |
|
value for the ID= field, to allow distribution-independent extensions |
|
(e.g.: fully statically compiled binaries, scripts). It also gained |
|
support for a new ARCHITECTURE= field that may be used to explicitly |
|
restrict an image to hosts of a specific architecture. |
|
|
|
* systemd-repart now supports creating squashfs partitions. This |
|
requires mksquashfs from squashfs-tools. |
|
|
|
* systemd-repart gained a –split flag to also generate split |
|
artifacts, i.e. a separate file for each partition. This is useful in |
|
conjunction with systemd-sysupdate or other tools, or to generate |
|
split dm-verity artifacts. |
|
|
|
* systemd-repart is now able to generate dm-verity partitions, including |
|
signatures. |
|
|
|
* systemd-repart can now set a partition UUID to zero, allowing it to |
|
be filled in later, such as when using verity partitions. |
|
|
|
* systemd-repart now supports drop-ins for its configuration files. |
|
|
|
* Package metadata logged by systemd-coredump in the system journal is |
|
now more compact. |
|
|
|
* xdg-autostart-service now expands ’tilde’ characters in Exec lines. |
|
|
|
* systemd-oomd now automatically links against libatomic, if available. |
|
|
|
* systemd-oomd now sends out a ‘Killed’ D-Bus signal when a cgroup is |
|
killed. |
|
|
|
* scope units now also provide oom-kill status. |
|
|
|
* systemd-pstore will now try to load only the efi_pstore kernel module |
|
before running, ensuring that pstore can be used. |
|
|
|
* systemd-logind gained a new StopIdleSessionSec= option to stop an idle |
|
session after a preconfigure timeout. |
|
|
|
* systemd-homed will now wait up to 30 seconds for workers to terminate, |
|
rather than indefinitely. |
|
|
|
* homectl gained a new ‘–luks-sector-size=’ flag that allows users to |
|
select the preferred LUKS sector size. Must be a power of 2 between 512 |
|
and 4096. systemd-userdbd records gained a corresponding field. |
|
|
|
* systemd-sysusers will now respect the ‘SOURCE_DATE_EPOCH’ environment |
|
variable when generating the ‘sp_lstchg’ field, to ensure an image |
|
build can be reproducible. |
|
|
|
* ‘udevadm wait’ will now listen to kernel uevents too when called with |
|
–initialized=no. |
|
|
|
* When naming network devices udev will now consult the Devicetree |
|
“alias” fields for the device. |
|
|
|
* systemd-udev will now create infiniband/by-path and |
|
infiniband/by-ibdev links for Infiniband verbs devices. |
|
|
|
* systemd-udev-trigger.service will now also prioritize input devices. |
|
|
|
* ConditionACPower= and systemd-ac-power will now assume the system is |
|
running on AC power if no battery can be found. |
|
|
|
* All features and tools using the TPM2 will now communicate with it |
|
using a bind key. Beforehand, the tpm2 support used encrypted sessions |
|
by creating a primary key that was used to encrypt traffic. This |
|
creates a problem as the key created for encrypting the traffic could |
|
be faked by an active interposer on the bus. In cases when a pin is |
|
used, a bind key will be used. The pin is used as the auth value for |
|
the seal key, aka the disk encryption key, and that auth value will be |
|
used in the session establishment. An attacker would need the pin |
|
value to create the secure session and thus an active interposer |
|
without the pin cannot interpose on TPM2 traffic. |
|
|
|
* systemd-growfs no longer requires udev to run. |
|
|
|
* systemd-backlight now will better support systems with multiple |
|
graphic cards. |
|
|
|
* systemd-cryptsetup’s keyfile-timeout= option now also works when a |
|
device is used as a keyfile. |
|
|
|
* systemd-cryptenroll gained a new –unlock-key-file= option to get the |
|
unlocking key from a key file (instead of prompting the user). Note |
|
that this is the key for unlocking the volume in order to be able to |
|
enroll a new key, but it is not the key that is enrolled. |
|
|
|
* systemd-dissect gained a new –umount switch that will safely and |
|
synchronously unmount all partitions of an image previously mounted |
|
with ‘systemd-dissect –mount’. |
|
|
|
* When using gcrypt, all systemd tools and services will now configure |
|
it to prefer the OS random number generator if present. |
|
|
|
* All example code shipped with documentation has been relicensed from CC0 |
|
to MIT-0. |
|
|
|
* Unit tests will no longer fail when running on a system without |
|
/etc/machine-id. |
|
|
|
Experimental features: |
|
|
|
* BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0 |
|
and bpftool >= 7.0). |
|
|
|
* sd-boot can automatically enroll SecureBoot keys from files found on |
|
the ESP. This enrollment can be either automatic (‘force’ mode) or |
|
controlled by the user (‘manual’ mode). It is sufficient to place the |
|
SecureBoot keys in the right place in the ESP and they will be picked |
|
up by sd-boot and shown in the boot menu. |
|
|
|
* The mkosi config in systemd gained support for automatically |
|
compiling a kernel with the configuration appropriate for testing |
|
systemd. This may be useful when developing or testing systemd in |
|
tandem with the kernel. |
|
|
|
Contributions from: 김인수, Adam Williamson, adrian5, Aidan Dang, |
|
Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev, |
|
Alexander Graf, Alexander Shopov, Alexander Wilson, |
|
Alper Nebi Yasak, anarcat, Anders Jonsson, Andre Kalb, |
|
Andrew Stone, Andrey Albershteyn, Anita Zhang, Ansgar Burchardt, |
|
Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh, asavah, |
|
Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera, |
|
Benjamin Franzke, BerndAdameit, bin456789, Celeste Liu, |
|
Chih-Hsuan Yen, Christian Brauner, Christian Göttsche, |
|
Christian Hesse, Clyde Byrd III, codefiles, Colin Walters, |
|
Cristian Rodríguez, Daan De Meyer, Daniel Braunwarth, |
|
Daniel Rusek, Dan Streetman, Darsey Litzenberger, David Edmundson, |
|
David Jaša, David Rheinsberg, David Seifert, David Tardon, |
|
dependabot[bot], Devendra Tewari, Dominique Martinet, drosdeck, |
|
Edson Juliano Drosdeck, Eduard Tolosa, eggfly, Einsler Lee, |
|
Elias Probst, Eli Schwartz, Evgeny Vereshchagin, exploide, Fei Li, |
|
Foster Snowhill, Franck Bui, Frank Dana, Frantisek Sumsal, |
|
Gerd Hoffmann, Gio, Goffredo Baroncelli, gtwang01, |
|
Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt, |
|
Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz, |
|
Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt, |
|
Jan Janssen, Jan Kuparinen, Jan Luebbe, Jan Macku, |
|
Jason A. Donenfeld, Javkhlanbayar Khongorzul, Jeremy Soller, |
|
JeroenHD, jiangchuangang, João Loureiro, |
|
Joaquín Ignacio Aramendía, Jochen Sprickerhof, |
|
Johannes Schauer Marin Rodrigues, Jonas Kümmerlin, |
|
Jonas Witschel, Jonathan Kang, Jonathan Lebon, Joost Heitbrink, |
|
Jörg Thalheim, josh-gordon-fb, Joyce, Kai Lueke, lastkrick, |
|
Lennart Poettering, Leon M. George, licunlong, Li kunyu, |
|
LockBlock-dev, Loïc Collignon, Lubomir Rintel, Luca Boccassi, |
|
Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123, |
|
Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro, |
|
Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl, |
|
Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert, |
|
Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oğuz Ersen, |
|
Oleg Solovyov, Olga Smirnova, Pablo Ceballos, Pavel Zhukov, |
|
Phaedrus Leeds, Philipp Gortan, Piotr Drąg, Pyfisch, |
|
Quentin Deslandes, Rahil Bhimjiani, Rene Hollander, Richard Huang, |
|
Richard Phibel, Rudi Heitbaum, Sam James, Sarah Brofeldt, |
|
Sean Anderson, Sebastian Scheibner, Shreenidhi Shedi, |
|
Sonali Srivastava, Steve Ramage, Suraj Krishnan, Swapnil Devesh, |
|
Takashi Sakamoto, Ted X. Toth, Temuri Doghonadze, Thomas Blume, |
|
Thomas Haller, Thomas Hebb, Tomáš Hnyk, Tomasz Paweł Gajc, |
|
Topi Miettinen, Ulrich Ölmann, undef, Uriel Corfa, |
|
Victor Westerhuis, Vincent Dagonneau, Vishal Chillara Srinivas, |
|
Vito Caputo, Weblate, Wenchao Hao, William Roberts, williamsumendap, |
|
wineway, xiaoyang, Yuri Chornoivan, Yu Watanabe, |
|
Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб |
|
|
|
– The Great Beyond, 2022-10-31 👻 |
|
|
|
CHANGES WITH 251: |
|
|
|
Backwards-incompatible changes: |
|
|
|
* The minimum kernel version required has been bumped from 3.13 to 4.15, |
|
and CLOCK_BOOTTIME is now assumed to always exist. |
|
|
|
* C11 with GNU extensions (aka “gnu11”) is now used to build our |
|
components. Public API headers are still restricted to ISO C89. |
|
|
|
* In v250, a systemd-networkd feature that automatically configures |
|
routes to addresses specified in AllowedIPs= was added and enabled by |
|
default. However, this causes network connectivity issues in many |
|
existing setups. Hence, it has been disabled by default since |
|
systemd-stable 250.3. The feature can still be used by explicitly |
|
configuring RouteTable= setting in .netdev files. |
|
|
|
* Jobs started via StartUnitWithFlags() will no longer return ‘skipped’ |
|
when a Condition*= check does not succeed, restoring the JobRemoved |
|
signal to the behaviour it had before v250. |
|
|
|
* The org.freedesktop.portable1 methods GetMetadataWithExtensions() and |
|
GetImageMetadataWithExtensions() have been fixed to provide an extra |
|
return parameter, containing the actual extension release metadata. |
|
The current implementation was judged to be broken and unusable, and |
|
thus the usual procedure of adding a new set of methods was skipped, |
|
and backward compatibility broken instead on the assumption that |
|
nobody can be affected given the current state of this interface. |
|
|
|
* All kernels supported by systemd mix bytes returned by RDRAND (or |
|
similar) into the entropy pool at early boot. This means that on |
|
those systems, even if /dev/urandom is not yet initialized, it still |
|
returns bytes that are of at least RDRAND quality. For that reason, |
|
we no longer have reason to invoke RDRAND from systemd itself, which |
|
has historically been a source of bugs. Furthermore, kernels ≥5.6 |
|
provide the getrandom(GRND_INSECURE) interface for returning random |
|
bytes before the entropy pool is initialized without warning into |
|
kmsg, which is what we attempt to use if available. systemd’s direct |
|
usage of RDRAND has been removed. x86 systems ≥Broadwell that are |
|
running an older kernel may experience kmsg warnings that were not |
|
seen with 250. For newer kernels, non-x86 systems, or older x86 |
|
systems, there should be no visible changes. |
|
|
|
* sd-boot will now measure the kernel command line into TPM PCR 12 |
|
rather than PCR 8. This improves usefulness of the measurements on |
|
systems where sd-boot is chainloaded from Grub. Grub measures all |
|
commands its executes into PCR 8, which makes it very hard to use |
|
reasonably, hence separate ourselves from that and use PCR 12 |
|
instead, which is what certain Ubuntu editions already do. To retain |
|
compatibility with systems running older systemd systems a new meson |
|
option ‘efi-tpm-pcr-compat’ has been added (which defaults to false). |
|
If enabled, the measurement is done twice: into the new-style PCR 12 |
|
*and* the old-style PCR 8. It’s strongly advised to migrate all users |
|
to PCR 12 for this purpose in the long run, as we intend to remove |
|
this compatibility feature in two years’ time. |
|
|
|
* busctl capture now writes output in the newer pcapng format instead |
|
of pcap. |
|
|
|
* A udev rule that imported hwdb matches for USB devices with lowercase |
|
hexadecimal vendor/product ID digits was added in systemd 250. This |
|
has been reverted, since uppercase hexadecimal digits are supposed to |
|
be used, and we already had a rule with the appropriate match. |
|
|
|
Users might need to adjust their local hwdb entries. |
|
|
|
* arch_prctl(2) has been moved to the @default set in the syscall filters |
|
(as exposed via the SystemCallFilter= setting in service unit files). |
|
It is apparently used by the linker now. |
|
|
|
* The tmpfiles entries that create the /run/systemd/netif directory and |
|
its subdirectories were moved from tmpfiles.d/systemd.conf to |
|
tmpfiles.d/systemd-network.conf. |
|
|
|
Users might need to adjust their files that override tmpfiles.d/systemd.conf |
|
to account for this change. |
|
|
|
* The requirement for Portable Services images to contain a well-formed |
|
os-release file (i.e.: contain at least an ID field) is now enforced. |
|
This applies to base images and extensions, and also to systemd-sysext. |
|
|
|
Changes in the Boot Loader Specification, kernel-install and sd-boot: |
|
|
|
* kernel-install’s and bootctl’s Boot Loader Specification Type #1 |
|
entry generation logic has been reworked. The user may now pick |
|
explicitly by which “token” string to name the installation’s boot |
|
entries, via the new /etc/kernel/entry-token file or the new |
|
–entry-token= switch to bootctl. By default — as before — the |
|
entries are named after the local machine ID. However, in “golden |
|
image” environments, where the machine ID shall be initialized on |
|
first boot (as opposed to at installation time before first boot) the |
|
machine ID will not be available at build time. In this case the |
|
–entry-token= switch to bootctl (or the /etc/kernel/entry-token |
|
file) may be used to override the “token” for the entries, for |
|
example the IMAGE_ID= or ID= fields from /etc/os-release. This will |
|
make the OS images independent of any machine ID, and ensure that the |
|
images will not carry any identifiable information before first boot, |
|
but on the other hand means that multiple parallel installations of |
|
the very same image on the same disk cannot be supported. |
|
|
|
Summary: if you are building golden images that shall acquire |
|
identity information exclusively on first boot, make sure to both |
|
remove /etc/machine-id *and* to write /etc/kernel/entry-token to the |
|
value of the IMAGE_ID= or ID= field of /etc/os-release or another |
|
suitable identifier before deploying the image. |
|
|
|
* The Boot Loader Specification has been extended with |
|
/loader/entries.srel file located in the EFI System Partition (ESP) |
|
that disambiguates the format of the entries in the /loader/entries/ |
|
directory (in order to discern them from incompatible uses of this |
|
directory by other projects). For entries that follow the |
|
Specification, the string “type1” is stored in this file. |
|
|
|
bootctl will now write this file automatically when installing the |
|
systemd-boot boot loader. |
|
|
|
* kernel-install supports a new initrd_generator= setting in |
|
/etc/kernel/install.conf, that is exported as |
|
$KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This |
|
allows choosing different initrd generators. |
|
|
|
* kernel-install will now create a “staging area” (an initially-empty |
|
directory to gather files for a Boot Loader Specification Type #1 |
|
entry). The path to this directory is exported as |
|
$KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should |
|
drop files there instead of writing them directly to the final |
|
location. kernel-install will move them when all files have been |
|
prepared successfully. |
|
|
|
* New option sort-key= has been added to the Boot Loader Specification |
|
to override the sorting order of the entries in the boot menu. It is |
|
read by sd-boot and bootctl, and will be written by kernel-install, |
|
with the default value of IMAGE_ID= or ID= fields from |
|
os-release. Together, this means that on multiboot installations, |
|
entries should be grouped and sorted in a predictable way. |
|
|
|
* The sort order of boot entries has been updated: entries which have |
|
the new field sort-key= are sorted by it first, and all entries |
|
without it are ordered later. After that, entries are sorted by |
|
version so that newest entries are towards the beginning of the list. |
|
|
|
* The kernel-install tool gained a new ‘inspect’ verb which shows the |
|
paths and other settings used. |
|
|
|
* sd-boot can now optionally beep when the menu is shown and menu |
|
entries are selected, which can be useful on machines without a |
|
working display. (Controllable via a loader.conf setting.) |
|
|
|
* The –make-machine-id-directory= switch to bootctl has been replaced |
|
by –make-entry-directory=, given that the entry directory is not |
|
necessarily named after the machine ID, but after some other suitable |
|
ID as selected via –entry-token= described above. The old name of |
|
the option is still understood to maximize compatibility. |
|
|
|
* ‘bootctl list’ gained support for a new –json= switch to output boot |
|
menu entries in JSON format. |
|
|
|
* ‘bootctl is-installed’ now supports the –graceful, and various verbs |
|
omit output with the new option –quiet. |
|
|
|
Changes in systemd-homed: |
|
|
|
* Starting with v250 systemd-homed uses UID/GID mapping on the mounts |
|
of activated home directories it manages (if the kernel and selected |
|
file systems support it). So far it mapped three UID ranges: the |
|
range from 0…60000, the user’s own UID, and the range 60514…65534, |
|
leaving everything else unmapped (in other words, the 16bit UID range |
|
is mapped almost fully, with the exception of the UID subrange used |
|
for systemd-homed users, with one exception: the user’s own UID). |
|
Unmapped UIDs may not be used for file ownership in the home |
|
directory — any chown() attempts with them will fail. With this |
|
release a fourth range is added to these mappings: |
|
524288…1879048191. This range is the UID range intended for container |
|
uses, see: |
|
|
|
https://systemd.io/UIDS-GIDS |
|
|
|
This range may be used for container managers that place container OS |
|
trees in the home directory (which is a questionable approach, for |
|
quota, permission, SUID handling and network file system |
|
compatibility reasons, but nonetheless apparently commonplace). Note |
|
that this mapping is mapped 1:1 in a pass-through fashion, i.e. the |
|
UID assignments from the range are not managed or mapped by |
|
`systemd-homed`, and must be managed with other mechanisms, in the |
|
context of the local system. |
|
|
|
Typically, a better approach to user namespacing in relevant |
|
container managers would be to leave container OS trees on disk at |
|
UID offset 0, but then map them to a dynamically allocated runtime |
|
UID range via another UID mount map at container invocation |
|
time. That way user namespace UID ranges become strictly a runtime |
|
concept, and do not leak into persistent file systems, persistent |
|
user databases or persistent configuration, thus greatly simplifying |
|
handling, and improving compatibility with home directories intended |
|
to be portable like the ones managed by systemd-homed. |
|
|
|
Changes in shared libraries: |
|
|
|
* A new libsystemd-core-.so private shared library is |
|
installed under /usr/lib/systemd/system, mirroring the existing |
|
libsystemd-shared-.so library. This allows the total |
|
installation size to be reduced by binary code reuse. |
|
|
|
* The tag used in the name of libsystemd-shared.so and |
|
libsystemd-core.so can be configured via the meson option |
|
‘shared-lib-tag’. Distributions may build subsequent versions of the |
|
systemd package with unique tags (e.g. the full package version), |
|
thus allowing multiple installations of those shared libraries to be |
|
available at the same time. This is intended to fix an issue where |
|
programs that link to those libraries would fail to execute because |
|
they were installed earlier or later than the appropriate version of |
|
the library. |
|
|
|
* The sd-id128 API gained a new call sd_id128_to_uuid_string() that is |
|
similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID |
|
format instead of as a simple series of hex characters. |
|
|
|
* The sd-device API gained two new calls sd_device_new_from_devname() |
|
and sd_device_new_from_path() which permit allocating an sd_device |
|
object from a device node name or file system path. |
|
|
|
* sd-device also gained a new call sd_device_open() which will open the |
|
device node associated with a device for which an sd_device object |
|
has been allocated. The call is supposed to address races around |
|
device nodes being removed/recycled due to hotplug events, or media |
|
change events: the call checks internally whether the major/minor of |
|
the device node and the “diskseq” (in case of block devices) match |
|
with the metadata loaded in the sd_device object, thus ensuring that |
|
the device once opened really matches the provided sd_device object. |
|
|
|
Changes in PID1, systemctl, and systemd-oomd: |
|
|
|
* A new set of service monitor environment variables will be passed to |
|
OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the |
|
handler unit as OnFailure=/OnSuccess=. The variables are: |
|
$MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS, |
|
$MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single |
|
handler needs to watch multiple units, use a templated handler. |
|
|
|
* A new ExtensionDirectories= setting in service unit files allows |
|
system extensions to be loaded from a directory. (It is similar to |
|
ExtensionImages=, but takes paths to directories, instead of |
|
disk image files.) |
|
|
|
‘portablectl attach –extension=’ now also accepts directory paths. |
|
|
|
* The user.delegate and user.invocation_id extended attributes on |
|
cgroups are used in addition to trusted.delegate and |
|
trusted.invocation_id. The latter pair requires privileges to set, |
|
but the former doesn’t and can be also set by the unprivileged user |
|
manager. |
|
|
|
(Only supported on kernels ≥5.6.) |
|
|
|
* Units that were killed by systemd-oomd will now have a service result |
|
of ‘oom-kill’. The number of times a service was killed is tallied |
|
in the ‘user.oomd_ooms’ extended attribute. |
|
|
|
The OOMPolicy= unit file setting is now also honoured by |
|
systemd-oomd. |
|
|
|
* In unit files the new %y/%Y specifiers can be used to refer to |
|
normalized unit file path, which is particularly useful for symlinked |
|
unit files. |
|
|
|
The new %q specifier resolves to the pretty hostname |
|
(i.e. PRETTY_HOSTNAME= from /etc/machine-info). |
|
|
|
The new %d specifier resolves to the credentials directory of a |
|
service (same as $CREDENTIALS_DIRECTORY). |
|
|
|
* The RootDirectory=, MountAPIVFS=, ExtensionDirectories=, |
|
*Capabilities*=, ProtectHome=, *Directory=, TemporaryFileSystem=, |
|
PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=, |
|
PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=, |
|
ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=, |
|
MountFlags= service settings now also work in unprivileged user |
|
services, i.e. those run by the user’s –user service manager, as long |
|
as user namespaces are enabled on the system. |
|
|
|
* Services with Restart=always and a failing ExecCondition= will no |
|
longer be restarted, to bring ExecCondition= behaviour in line with |
|
Condition*= settings. |
|
|
|
* LoadCredential= now accepts a directory as the argument; all files |
|
from the directory will be loaded as credentials. |
|
|
|
* A new D-Bus property ControlGroupId is now exposed on service units, |
|
that encapsulates the service’s numeric cgroup ID that newer kernels |
|
assign to each cgroup. |
|
|
|
* PID 1 gained support for configuring the “pre-timeout” of watchdog |
|
devices and the associated governor, via the new |
|
RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration |
|
options in /etc/systemd/system.conf. |
|
|
|
* systemctl’s –timestamp= option gained a new choice “unix”, to show |
|
timestamp as unix times, i.e. seconds since 1970, Jan 1st. |
|
|
|
* A new “taint” flag named “old-kernel” is introduced which is set when |
|
the kernel systemd runs on is older then the current baseline version |
|
(see above). The flag is shown in “systemctl status” output. |
|
|
|
* Two additional taint flags “short-uid-range” and “short-gid-range” |
|
have been added as well, which are set when systemd notices it is run |
|
within a userns namespace that does not define the full 0…65535 UID |
|
range |
|
|
|
* A new “unmerged-usr” taint flag has been added that is set whenever |
|
running on systems where /bin/ + /sbin/ are *not* symlinks to their |
|
counterparts in /usr/, i.e. on systems where the /usr/-merge has not |
|
been completed. |
|
|
|
* Generators invoked by PID 1 will now have a couple of useful |
|
environment variables set describing the execution context a |
|
bit. $SYSTEMD_SCOPE encodes whether the generator is called from the |
|
system service manager, or from the per-user service |
|
manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked |
|
in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether |
|
systemd considers the current boot to be a “first” |
|
boot. $SYSTEMD_VIRTUALIZATION encode whether virtualization is |
|
detected and which type of hypervisor/container |
|
manager. $SYSTEMD_ARCHITECTURE indicates which architecture the |
|
kernel is built for. |
|
|
|
* PID 1 will now automatically pick up system credentials from qemu’s |
|
fw_cfg interface, thus allowing passing arbitrary data into VM |
|
systems similar to how this is already supported for passing them |
|
into `systemd-nspawn` containers. Credentials may now also be passed |
|
in via the new kernel command line option `systemd.set_credential=` |
|
(note that kernel command line options are world-readable during |
|
runtime, and only useful for credentials that require no |
|
confidentiality). The credentials that can be passed to unified |
|
kernels that use the `systemd-stub` UEFI stub are now similarly |
|
picked up automatically. Automatic importing of system credentials |
|
this way can be turned off via the new |
|
`systemd.import_credentials=no` kernel command line option. |
|
|
|
* LoadCredential= will now automatically look for credentials in the |
|
/etc/credstore/, /run/credstore/, /usr/lib/credstore/ directories if |
|
the argument is not an absolute path. Similarly, |
|
LoadCredentialEncrypted= will check the same directories plus |
|
/etc/credstore.encrypted/, /run/credstore.encrypted/ and |
|
/usr/lib/credstore.encrypted/. The idea is to use those directories |
|
as the system-wide location for credentials that services should pick |
|
up automatically. |
|
|
|
* System and service credentials are described in great detail in a new |
|
document: |
|
|
|
https://systemd.io/CREDENTIALS |
|
|
|
Changes in systemd-journald: |
|
|
|
* The journal JSON export format has been added to listed of stable |
|
interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/). |
|
|
|
* journalctl –list-boots now supports JSON output and the –reverse option. |
|
|
|
* Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and |
|
updated, BUILDING_IMAGES is new: |
|
|
|
https://systemd.io/JOURNAL_EXPORT_FORMATS |
|
https://systemd.io/BUILDING_IMAGES |
|
|
|
Changes in udev: |
|
|
|
* Two new hwdb files have been added. One lists “handhelds” (PDAs, |
|
calculators, etc.), the other AV production devices (DJ tables, |
|
keypads, etc.) that should accessible to the seat owner user by |
|
default. |
|
|
|
* udevadm trigger gained a new –prioritized-subsystem= option to |
|
process certain subsystems (and all their parent devices) earlier. |
|
|
|
systemd-udev-trigger.service now uses this new option to trigger |
|
block and TPM devices first, hopefully making the boot a bit faster. |
|
|
|
* udevadm trigger now implements –type=all, –initialized-match, |
|
–initialized-nomatch to trigger both subsystems and devices, only |
|
already-initialized devices, and only devices which haven’t been |
|
initialized yet, respectively. |
|
|
|
* udevadm gained a new “wait” command for safely waiting for a specific |
|
device to show up in the udev device database. This is useful in |
|
scripts that asynchronously allocate a block device (e.g. through |
|
repartitioning, or allocating a loopback device or similar) and need |
|
to synchronize on the creation to complete. |
|
|
|
* udevadm gained a new “lock” command for locking one or more block |
|
devices while formatting it or writing a partition table to it. It is |
|
an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and |
|
usable in scripts dealing with block devices. |
|
|
|
* udevadm info will show a couple of additional device fields in its |
|
output, and will not apply a limited set of coloring to line types. |
|
|
|
* udevadm info –tree will now show a tree of objects (i.e. devices and |
|
suchlike) in the /sys/ hierarchy. |
|
|
|
* Block devices will now get a new set of device symlinks in |
|
/dev/disk/by-diskseq/, which may be used to reference block |
|
device nodes via the kernel’s “diskseq” value. Note that this does |
|
not guarantee that opening a device by a symlink like this will |
|
guarantee that the opened device actually matches the specified |
|
diskseq value. To be safe against races, the actual diskseq value of |
|
the opened device (BLKGETDISKSEQ ioctl()) must still be compred with |
|
the one in the symlink path. |
|
|
|
* .link files gained support for setting MDI/MID-X on a link. |
|
|
|
* .link files gained support for [Match] Firmware= setting to match on |
|
the device firmware description string. By mistake, it was previously |
|
only supported in .network files. |
|
|
|
* .link files gained support for [Link] SR-IOVVirtualFunctions= setting |
|
and [SR-IOV] section to configure SR-IOV virtual functions. |
|
|
|
Changes in systemd-networkd: |
|
|
|
* The default scope for unicast routes configured through [Route] |
|
section is changed to “link”, to make the behavior consistent with |
|
“ip route” command. The manual configuration of [Route] Scope= is |
|
still honored. |
|
|
|
* A new unit systemd-networkd-wait-online@.service has been |
|
added that can be used to wait for a specific network interface to be |
|
up. |
|
|
|
* systemd-networkd gained a new [Bridge] Isolated=true|false setting |
|
that configures the eponymous kernel attribute on the bridge. |
|
|
|
* .netdev files now can be used to create virtual WLAN devices, and |
|
configure various settings on them, via the [WLAN] section. |
|
|
|
* .link/.network files gained support for [Match] Kind= setting to match |
|
on device kind (“bond”, “bridge”, “gre”, “tun”, “veth”, etc.) |
|
|
|
This value is also shown by ‘networkctl status’. |
|
|
|
* The Local= setting in .netdev files for various virtual network |
|
devices gained support for specifying, in addition to the network |
|
address, the name of a local interface which must have the specified |
|
address. |
|
|
|
* systemd-networkd gained a new [Tunnel] External= setting in .netdev |
|
files, to configure tunnels in external mode (a.k.a. collect metadata |
|
mode). |
|
|
|
* [Network] L2TP= setting was removed. Please use interface specifier in |
|
Local= setting in .netdev files of corresponding L2TP interface. |
|
|
|
* New [DHCPServer] BootServerName=, BootServerAddress=, and |
|
BootFilename= settings can be used to configure the server address, |
|
server name, and file name sent in the DHCP packet (e.g. to configure |
|
PXE boot). |
|
|
|
Changes in systemd-resolved: |
|
|
|
* systemd-resolved is started earlier (in sysinit.target), so it |
|
available earlier and will also be started in the initrd if installed |
|
there. |
|
|
|
Changes in disk encryption: |
|
|
|
* systemd-cryptenroll can now control whether to require the user to |
|
enter a PIN when using TPM-based unlocking of a volume via the new |
|
–tpm2-with-pin= option. |
|
|
|
Option tpm2-pin= can be used in /etc/crypttab. |
|
|
|
* When unlocking devices via TPM, TPM2 parameter encryption is now |
|
used, to ensure that communication between CPU and discrete TPM chips |
|
cannot be eavesdropped to acquire disk encryption keys. |
|
|
|
* A new switch –fido2-credential-algorithm= has been added to |
|
systemd-cryptenroll allowing selection of the credential algorithm to |
|
use when binding encryption to FIDO2 tokens. |
|
|
|
Changes in systemd-hostnamed: |
|
|
|
* HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info |
|
to override the values gleaned from the hwdb. |
|
|
|
* A ID_CHASSIS property can be set in the hwdb (for the DMI device |
|
/sys/class/dmi/id) to override the chassis that is reported by |
|
hostnamed. |
|
|
|
* hostnamed’s D-Bus interface gained a new method GetHardwareSerial() |
|
for reading the hardware serial number, as reportd by DMI. It also |
|
exposes a new method D-Bus property FirmwareVersion that encode the |
|
firmware version of the system. |
|
|
|
Changes in other components: |
|
|
|
* /etc/locale.conf is now populated through tmpfiles.d factory /etc/ |
|
handling with the values that were configured during systemd build |
|
(if /etc/locale.conf has not been created through some other |
|
mechanism). This means that /etc/locale.conf should always have |
|
reasonable contents and we avoid a potential mismatch in defaults. |
|
|
|
* The userdbctl tool will now show UID range information as part of the |
|
list of known users. |
|
|
|
* A new build-time configuration setting default-user-shell= can be |
|
used to set the default shell for user records and nspawn shell |
|
invocations (instead of the default /bin/bash). |
|
|
|
* systemd-timesyncd now provides a D-Bus API for receiving NTP server |
|
information dynamically at runtime via IPC. |
|
|
|
* The systemd-creds tool gained a new “has-tpm2” verb, which reports |
|
whether a functioning TPM2 infrastructure is available, i.e. if |
|
firmware, kernel driver and systemd all have TPM2 support enabled and |
|
a device found. |
|
|
|
* The systemd-creds tool gained support for generating encrypted |
|
credentials that are using an empty encryption key. While this |
|
provides no integrity nor confidentiality it’s useful to implement |
|
codeflows that work the same on TPM-ful and TPM2-less systems. The |
|
service manager will only accept credentials “encrypted” that way if |
|
a TPM2 device cannot be detected, to ensure that credentials |
|
“encrypted” like that cannot be used to trick TPM2 systems. |
|
|
|
* When deciding whether to colorize output, all systemd programs now |
|
also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and |
|
$TERM). |
|
|
|
* Meson’s new install_tag feature is now in use for several components, |
|
allowing to build and install select binaries only: pam, nss, devel |
|
(pkg-config files), systemd-boot, libsystemd, libudev. Example: |
|
$ meson build systemd-boot |
|
$ meson install –tags systemd-boot –no-rebuild |
|
https://mesonbuild.com/Installing.html#installation-tags |
|
|
|
* A new build configuration option has been added, to allow selecting the |
|
default compression algorithm used by systemd-journald and systemd-coredump. |
|
This allows to build-in support for decompressing all supported formats, |
|
but choose a specific one for compression. E.g.: |
|
$ meson -Ddefault-compression=xz |
|
|
|
Experimental features: |
|
|
|
* sd-boot gained a new *experimental* setting “reboot-for-bitlocker” in |
|
loader.conf that implements booting Microsoft Windows from the |
|
sd-boot in a way that first reboots the system, to reset the TPM |
|
PCRs. This improves compatibility with BitLocker’s TPM use, as the |
|
PCRs will only record the Windows boot process, and not sd-boot |
|
itself, thus retaining the PCR measurements not involving sd-boot. |
|
Note that this feature is experimental for now, and is likely going |
|
to be generalized and renamed in a future release, without retaining |
|
compatibility with the current implementation. |
|
|
|
* A new systemd-sysupdate component has been added that automatically |
|
discovers, downloads, and installs A/B-style updates for the host |
|
installation itself, or container images, portable service images, |
|
and other assets. See the new systemd-sysupdate man page for updates. |
|
|
|
Contributions from: 4piu, Adam Williamson, adrian5, Albert Brox, |
|
AlexCatze, Alex Henrie, Alfonso Sánchez-Beato, Alice S, |
|
Alvin Šipraga, amarjargal, Amarjargal, Andrea Pappacoda, |
|
Andreas Rammhold, Andy Chi, Anita Zhang, Antonio Alvarez Feijoo, |
|
Arfrever Frehtes Taifersar Arahesis, ash, Bastien Nocera, Be, |
|
bearhoney, Ben Efros, Benjamin Berg, Benjamin Franzke, |
|
Brett Holman, Christian Brauner, Clyde Byrd III, Curtis Klein, |
|
Daan De Meyer, Daniele Medri, Daniel Mack, Danilo Krummrich, |
|
David, David Bond, Davide Cavalca, David Tardon, davijosw, |
|
dependabot[bot], Donald Chan, Dorian Clay, Eduard Tolosa, |
|
Elias Probst, Eli Schwartz, Erik Sjölund, Evgeny Vereshchagin, |
|
Federico Ceratto, Franck Bui, Frantisek Sumsal, Gaël PORTAY, |
|
Georges Basile Stavracas Neto, Gibeom Gwon, Goffredo Baroncelli, |
|
Grigori Goronzy, Hans de Goede, Heiko Becker, Hugo Carvalho, |
|
Jakob Lell, James Hilliard, Jan Janssen, Jason A. Donenfeld, |
|
Joan Bruguera, Joerie de Gram, Josh Triplett, Julia Kartseva, |
|
Kazuo Moriwaka, Khem Raj, ksa678491784, Lance, Lan Tian, |
|
Laura Barcziova, Lennart Poettering, Leviticoh, licunlong, |
|
Lidong Zhong, lincoln auster, Lubomir Rintel, Luca Boccassi, |
|
Luca BRUNO, lucagoc, Ludwig Nussel, Marcel Hellwig, march1993, |
|
Marco Scardovi, Mario Limonciello, Mariusz Tkaczyk, |
|
Markus Weippert, Martin, Martin Liska, Martin Wilck, Matija Skala, |
|
Matthew Blythe, Matthias Lisin, Matthijs van Duin, Matt Walton, |
|
Max Gautier, Michael Biebl, Michael Olbrich, Michal Koutný, |
|
Michal Sekletár, Mike Gilbert, MkfsSion, Morten Linderud, |
|
Nick Rosbrook, Nikolai Grigoriev, Nikolai Kostrigin, |
|
Nishal Kulkarni, Noel Kuntze, Pablo Ceballos, Peter Hutterer, |
|
Peter Morrow, Pigmy-penguin, Piotr Drąg, prumian, Richard Neill, |
|
Rike-Benjamin Schuppner, rodin-ia, Romain Naour, Ruben Kerkhof, |
|
Ryan Hendrickson, Santa Wiryaman, Sebastian Pucilowski, Seth Falco, |
|
Simon Ellmann, Sonali Srivastava, Stefan Seering, |
|
Stephen Hemminger, tawefogo, techtino, Temuri Doghonadze, |
|
Thomas Batten, Thomas Haller, Thomas Weißschuh, Tobias Stoeckmann, |
|
Tomasz Pala, Tyson Whitehead, Vishal Chillara Srinivas, |
|
Vivien Didelot, w30023233, wangyuhang, Weblate, Xiaotian Wu, |
|
yangmingtai, YmrDtnJu, Yonathan Randolph, Yutsuten, Yu Watanabe, |
|
Zbigniew Jędrzejewski-Szmek, наб |
|
|
|
— Edinburgh, 2022-05-21 |
|
|
|
CHANGES WITH 250: |
|
|
|
* Support for encrypted and authenticated credentials has been added. |
|
This extends the credential logic introduced with v247 to support |
|
non-interactive symmetric encryption and authentication, based on a |
|
key that is stored on the /var/ file system or in the TPM2 chip (if |
|
available), or the combination of both (by default if a TPM2 chip |
|
exists the combination is used, otherwise the /var/ key only). The |
|
credentials are automatically decrypted at the moment a service is |
|
started, and are made accessible to the service itself in unencrypted |
|
form. A new tool ‘systemd-creds’ encrypts credentials for this |
|
purpose, and two new service file settings LoadCredentialEncrypted= |
|
and SetCredentialEncrypted= configure such credentials. |
|
|
|
This feature is useful to store sensitive material such as SSL |
|
certificates, passwords and similar securely at rest and only decrypt |
|
them when needed, and in a way that is tied to the local OS |
|
installation or hardware. |
|
|
|
* systemd-gpt-auto-generator can now automatically set up discoverable |
|
LUKS2 encrypted swap partitions. |
|
|
|
* The GPT Discoverable Partitions Specification has been substantially |
|
extended with support for root and /usr/ partitions for the majority |
|
of architectures systemd supports. This includes platforms that do |
|
not natively support UEFI, because even though GPT is specified under |
|
UEFI umbrella, it is useful on other systems too. Specifically, |
|
systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and |
|
Portable Services use the concept without requiring UEFI. |
|
|
|
* The GPT Discoverable Partitions Specifications has been extended with |
|
a new set of partitions that may carry PKCS#7 signatures for Verity |
|
partitions, encoded in a simple JSON format. This implements a simple |
|
mechanism for building disk images that are fully authenticated and |
|
can be tested against a set of cryptographic certificates. This is |
|
now implemented for the various systemd tools that can operate with |
|
disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect, |
|
Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers. |
|
The PKCS#7 signatures are passed to the kernel (where they are |
|
checked against certificates from the kernel keyring), or can be |
|
verified against certificates provided in userspace (via a simple |
|
drop-in file mechanism). |
|
|
|
* systemd-dissect’s inspection logic will now report for which uses a |
|
disk image is intended. Specifically, it will display whether an |
|
image is suitable for booting on UEFI or in a container (using |
|
systemd-nspawn’s –image= switch), whether it can be used as portable |
|
service, or attached as system extension. |
|
|
|
* The system-extension.d/ drop-in files now support a new field |
|
SYSEXT_SCOPE= that may encode which purpose a system extension image |
|
is for: one of “initrd”, “system” or “portable”. This is useful to |
|
make images more self-descriptive, and to ensure system extensions |
|
cannot be attached in the wrong contexts. |
|
|
|
* The os-release file learnt a new PORTABLE_PREFIXES= field which may |
|
be used in portable service images to indicate which unit prefixes |
|
are supported. |
|
|
|
* The GPT image dissection logic in systemd-nspawn/systemd-dissect/… |
|
now is able to decode images for non-native architectures as well. |
|
This allows systemd-nspawn to boot images of non-native architectures |
|
if the corresponding user mode emulator is installed and |
|
systemd-binfmtd is running. |
|
|
|
* systemd-logind gained new settings HandlePowerKeyLongPress=, |
|
HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and |
|
HandleHibernateKeyLongPress= which may be used to configure actions |
|
when the relevant keys are pressed for more than 5s. This is useful |
|
on devices that only have hardware for a subset of these keys. By |
|
default, if the reboot key is pressed long the poweroff operation is |
|
now triggered, and when the suspend key is pressed long the hibernate |
|
operation is triggered. Long pressing the other two keys currently |
|
does not trigger any operation by default. |
|
|
|
* When showing unit status updates on the console during boot and |
|
shutdown, and a service is slow to start so that the cylon animation |
|
is shown, the most recent sd_notify() STATUS= text is now shown as |
|
well. Services may use this to make the boot/shutdown output easier |
|
to understand, and to indicate what precisely a service that is slow |
|
to start or stop is waiting for. In particular, the per-user service |
|
manager instance now reports what it is doing and which service it is |
|
waiting for this way to the system service manager. |
|
|
|
* The service manager will now re-execute on reception of the |
|
SIGRTMIN+25 signal. It previously already did that on SIGTERM — but |
|
only when running as PID 1. There was no signal to request this when |
|
running as per-user service manager, i.e. as any other PID than 1. |
|
SIGRTMIN+25 works for both system and user managers. |
|
|
|
* The hardware watchdog logic in PID 1 gained support for operating |
|
with the default timeout configured in the hardware, instead of |
|
insisting on re-configuring it. Set RuntimeWatchdogSec=default to |
|
request this behavior. |
|
|
|
* A new kernel command line option systemd.watchdog_sec= is now |
|
understood which may be used to override the hardware watchdog |
|
time-out for the boot. |
|
|
|
* A new setting DefaultOOMScoreAdjust= is now supported in |
|
/etc/systemd/system.conf and /etc/systemd/user.conf. It may be used |
|
to set the default process OOM score adjustment value for processes |
|
started by the service manager. For per-user service managers this |
|
now defaults to 100, but for per-system service managers is left as |
|
is. This means that by default now services forked off the user |
|
service manager are more likely to be killed by the OOM killer than |
|
system services or the managers themselves. |
|
|
|
* A new per-service setting RestrictFileSystems= as been added that |
|
restricts the file systems a service has access to by their type. |
|
This is based on the new BPF LSM of the Linux kernel. It provides an |
|
effective way to make certain API file systems unavailable to |
|
services (and thus minimizing attack surface). A new command |
|
“systemd-analyze filesystems” has been added that lists all known |
|
file system types (and how they are grouped together under useful |
|
group handles). |
|
|
|
* Services now support a new setting RestrictNetworkInterfaces= for |
|
restricting access to specific network interfaces. |
|
|
|
* Service unit files gained new settings StartupAllowedCPUs= and |
|
StartupAllowedMemoryNodes=. These are similar to their counterparts |
|
without the “Startup” prefix and apply during the boot process |
|
only. This is useful to improve boot-time behavior of the system and |
|
assign resources differently during boot than during regular |
|
runtime. This is similar to the preexisting StartupCPUWeight= |
|
vs. CPUWeight. |
|
|
|
* Related to this: the various StartupXYZ= settings |
|
(i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied |
|
during shutdown. The settings not prefixed with “Startup” hence apply |
|
during regular runtime, and those that are prefixed like that apply |
|
during boot and shutdown. |
|
|
|
* A new per-unit set of conditions/asserts |
|
[Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a |
|
unit skip/fail activation if the system’s (or a slice’s) memory/cpu/io |
|
pressure is above the configured threshold, using the kernel PSI |
|
feature. For more details see systemd.unit(5) and |
|
https://docs.kernel.org/accounting/psi.html |
|
|
|
* The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or |
|
ProtectKernelLogs=yes can now be used. |
|
|
|
* The default maximum numbers of inodes have been raised from 64k to 1M |
|
for /dev/, and from 400k to 1M for /tmp/. |
|
|
|
* The per-user service manager learnt support for communicating with |
|
systemd-oomd to acquire OOM kill information. |
|
|
|
* A new service setting ExecSearchPath= has been added that allows |
|
changing the search path for executables for services. It affects |
|
where we look for the binaries specified in ExecStart= and similar, |
|
and the specified directories are also added the $PATH environment |
|
variable passed to invoked processes. |
|
|
|
* A new setting RuntimeRandomizedExtraSec= has been added for service |
|
and scope units that allows extending the runtime time-out as |
|
configured by RuntimeMaxSec= with a randomized amount. |
|
|
|
* The syntax of the service unit settings RuntimeDirectory=, |
|
StateDirectory=, CacheDirectory=, LogsDirectory= has been extended: |
|
if the specified value is now suffixed with a colon, followed by |
|
another filename, the latter will be created as symbolic link to the |
|
specified directory. This allows creating these service directories |
|
together with alias symlinks to make them available under multiple |
|
names. |
|
|
|
* Service unit files gained two new settings TTYRows=/TTYColumns= for |
|
configuring rows/columns of the TTY device passed to |
|
stdin/stdout/stderr of the service. This is useful to propagate TTY |
|
dimensions to a virtual machine. |
|
|
|
* A new service unit file setting ExitType= has been added that |
|
specifies when to assume a service has exited. By default systemd |
|
only watches the main process of a service. By setting |
|
ExitType=cgroup it can be told to wait for the last process in a |
|
cgroup instead. |
|
|
|
* Automount unit files gained a new setting ExtraOptions= that can be |
|
used to configure additional mount options to pass to the kernel when |
|
mounting the autofs instance. |
|
|
|
* “Urlification” (generation of ESC sequences that generate clickable |
|
hyperlinks in modern terminals) may now be turned off altogether |
|
during build-time. |
|
|
|
* Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec= |
|
settings that default to 200 and 2 s respectively. The ratelimit |
|
ensures that a path unit cannot cause PID1 to busy-loop when it is |
|
trying to trigger a service that is skipped because of a Condition*= |
|
not being satisfied. This matches the configuration and behaviour of |
|
socket units. |
|
|
|
* The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built |
|
as a plug-in for cryptsetup. This means the plain cryptsetup command |
|
may now be used to unlock volumes set up this way. |
|
|
|
* The TPM2 logic in cryptsetup will now automatically detect systems |
|
where the TPM2 chip advertises SHA256 PCR banks but the firmware only |
|
updates the SHA1 banks. In such a case PCR policies will be |
|
automatically bound to the latter, not the former. This makes the PCR |
|
policies reliable, but of course do not provide the same level of |
|
trust as SHA256 banks. |
|
|
|
* The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports |
|
RSA primary keys in addition to ECC, improving compatibility with |
|
TPM2 chips that do not support ECC. RSA keys are much slower to use |
|
than ECC, and hence are only used if ECC is not available. |
|
|
|
* /etc/crypttab gained support for a new token-timeout= setting for |
|
encrypted volumes that allows configuration of the maximum time to |
|
wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses |
|
the logic will query the user for a regular passphrase/recovery key |
|
instead. |
|
|
|
* Support for activating dm-integrity volumes at boot via a new file |
|
/etc/integritytab and the tool systemd-integritysetup have been |
|
added. This is similar to /etc/crypttab and /etc/veritytab, but deals |
|
with dm-integrity instead of dm-crypt/dm-verity. |
|
|
|
* The systemd-veritysetup-generator now understands a new usrhash= |
|
kernel command line option for specifying the Verity root hash for |
|
the partition backing the /usr/ file system. A matching set of |
|
systemd.verity_usr_* kernel command line options has been added as |
|
well. These all work similar to the corresponding options for the |
|
root partition. |
|
|
|
* The sd-device API gained a new API call sd_device_get_diskseq() to |
|
return the DISKSEQ property of a device structure. The “disk |
|
sequence” concept is a new feature recently introduced to the Linux |
|
kernel that allows detecting reuse cycles of block devices, i.e. can |
|
be used to recognize when loopback block devices are reused for a |
|
different purpose or CD-ROM drives get their media changed. |
|
|
|
* A new unit systemd-boot-update.service has been added. If enabled |
|
(the default) and the sd-boot loader is detected to be installed, it |
|
is automatically updated to the newest version when out of date. This |
|
is useful to ensure the boot loader remains up-to-date, and updates |
|
automatically propagate from the OS tree in /usr/. |
|
|
|
* sd-boot will now build with SBAT by default in order to facilitate |
|
working with recent versions of Shim that require it to be present. |
|
|
|
* sd-boot can now parse Microsoft Windows’ Boot Configuration Data. |
|
This is used to robustly generate boot entry titles for Windows. |
|
|
|
* A new generic target unit factory-reset.target has been added. It is |
|
hooked into systemd-logind similar in fashion to |
|
reboot/poweroff/suspend/hibernate, and is supposed to be used to |
|
initiate a factory reset operation. What precisely this operation |
|
entails is up for the implementer to decide, the primary goal of the |
|
new unit is provide a framework where to plug in the implementation |
|
and how to trigger it. |
|
|
|
* A new meson build-time option ‘clock-valid-range-usec-max’ has been |
|
added which takes a time in µs and defaults to 15 years. If the RTC |
|
time is noticed to be more than the specified time ahead of the |
|
built-in epoch of systemd (which by default is the release timestamp |
|
of systemd) it is assumed that the RTC is not working correctly, and |
|
the RTC is reset to the epoch. (It already is reset to the epoch when |
|
noticed to be before it.) This should increase the chance that time |
|
doesn’t accidentally jump too far ahead due to faulty hardware or |
|
batteries. |
|
|
|
* A new setting SaveIntervalSec= has been added to systemd-timesyncd, |
|
which may be used to automatically save the current system time to |
|
disk in regular intervals. This is useful to maintain a roughly |
|
monotonic clock even without RTC hardware and with some robustness |
|
against abnormal system shutdown. |
|
|
|
* systemd-analyze verify gained support for a pair of new –image= + |
|
–root= switches for verifying units below a specific root |
|
directory/image instead of on the host. |
|
|
|
* systemd-analyze verify gained support for verifying unit files under |
|
an explicitly specified unit name, independently of what the filename |
|
actually is. |
|
|
|
* systemd-analyze verify gained a new switch –recursive-errors= which |
|
controls whether to only fail on errors found in the specified units |
|
or recursively any dependent units. |
|
|
|
* systemd-analyze security now supports a new –offline mode for |
|
analyzing unit files stored on disk instead of loaded units. It may |
|
be combined with –root=/–image to analyze unit files under a root |
|
directory or disk image. It also learnt a new –threshold= parameter |
|
for specifying an exposure level threshold: if the exposure level |
|
exceeds the specified value the call will fail. It also gained a new |
|
–security-policy= switch for configuring security policies to |
|
enforce on the units. A policy is a JSON file that lists which tests |
|
shall be weighted how much to determine the overall exposure |
|
level. Altogether these new features are useful for fully automatic |
|
analysis and enforcement of security policies on unit files. |
|
|
|
* systemd-analyze security gain a new –json= switch for JSON output. |
|
|
|
* systemd-analyze learnt a new –quiet switch for reducing |
|
non-essential output. It’s honored by the “dot”, “syscall-filter”, |
|
“filesystems” commands. |
|
|
|
* systemd-analyze security gained a –profile= option that can be used |
|
to take into account a portable profile when analyzing portable |
|
services, since a lot of the security-related settings are enabled |
|
through them. |
|
|
|
* systemd-analyze learnt a new inspect-elf verb that parses ELF core |
|
files, binaries and executables and prints metadata information, |
|
including the build-id and other info described on: |
|
https://systemd.io/COREDUMP_PACKAGE_METADATA/ |
|
|
|
* .network files gained a new UplinkInterface= in the [IPv6SendRA] |
|
section, for automatically propagating DNS settings from other |
|
interfaces. |
|
|
|
* The static lease DHCP server logic in systemd-networkd may now serve |
|
IP addresses outside of the configured IP pool range for the server. |
|
|
|
* CAN support in systemd-networkd gained four new settings Loopback=, |
|
OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN |
|
control modes. It gained a number of further settings for tweaking |
|
CAN timing quanta. |
|
|
|
* The [CAN] section in .network file gained new TimeQuantaNSec=, |
|
PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=, |
|
SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=, |
|
DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and |
|
DataSyncJumpWidth= settings to control bit-timing processed by the |
|
CAN interface. |
|
|
|
* DHCPv4 client support in systemd-networkd learnt a new Label= option |
|
for configuring the address label to apply to configure IPv4 |
|
addresses. |
|
|
|
* The [IPv6AcceptRA] section of .network files gained support for a new |
|
UseMTU= setting that may be used to control whether to apply the |
|
announced MTU settings to the local interface. |
|
|
|
* The [DHCPv4] section in .network file gained a new Use6RD= boolean |
|
setting to control whether the DHCPv4 client request and process the |
|
DHCP 6RD option. |
|
|
|
* The [DHCPv6PrefixDelegation] section in .network file is renamed to |
|
[DHCPPrefixDelegation], as now the prefix delegation is also supported |
|
with DHCPv4 protocol by enabling the Use6RD= setting. |
|
|
|
* The [DHCPPrefixDelegation] section in .network file gained a new |
|
setting UplinkInterface= to specify the upstream interface. |
|
|
|
* The [DHCPv6] section in .network file gained a new setting |
|
UseDelegatedPrefix= to control whether the delegated prefixes will be |
|
propagated to the downstream interfaces. |
|
|
|
* The [IPv6AcceptRA] section of .network files now understands two new |
|
settings UseGateway=/UseRoutePrefix= for explicitly configuring |
|
whether to use the relevant fields from the IPv6 Router Advertisement |
|
records. |
|
|
|
* The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section |
|
has been removed. Please use the WithoutRA= and UseDelegatedPrefix= |
|
settings in the [DHCPv6] section and the DHCPv6Client= setting in the |
|
[IPv6AcceptRA] section to control when the DHCPv6 client is started |
|
and how the delegated prefixes are handled by the DHCPv6 client. |
|
|
|
* The IPv6Token= section in the [Network] section is deprecated, and |
|
the [IPv6AcceptRA] section gained the Token= setting for its |
|
replacement. The [IPv6Prefix] section also gained the Token= setting. |
|
The Token= setting gained ‘eui64’ mode to explicitly configure an |
|
address with the EUI64 algorithm based on the interface MAC address. |
|
The ‘prefixstable’ mode can now optionally take a secret key. The |
|
Token= setting in the [DHCPPrefixDelegation] section now supports all |
|
algorithms supported by the same settings in the other sections. |
|
|
|
* The [RoutingPolicyRule] section of .network file gained a new |
|
SuppressInterfaceGroup= setting. |
|
|
|
* The IgnoreCarrierLoss= setting in the [Network] section of .network |
|
files now allows a duration to be specified, controlling how long to |
|
wait before reacting to carrier loss. |
|
|
|
* The [DHCPServer] section of .network file gained a new Router= |
|
setting to specify the router address. |
|
|
|
* The [CAKE] section of .network files gained various new settings |
|
AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=, |
|
MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=, |
|
and UseRawPacketSize= for configuring CAKE. |
|
|
|
* systemd-networkd now ships with new default .network files: |
|
80-container-vb.network which matches host-side network bridge device |
|
created by systemd-nspawn’s –network-bridge or –network-zone |
|
switch, and 80-6rd-tunnel.network which matches automatically created |
|
sit tunnel with 6rd prefix when the DHCP 6RD option is received. |
|
|
|
* systemd-networkd’s handling of Endpoint= resolution for WireGuard |
|
interfaces has been improved. |
|
|
|
* systemd-networkd will now automatically configure routes to addresses |
|
specified in AllowedIPs=. This feature can be controlled via |
|
RouteTable= and RouteMetric= settings in [WireGuard] or |
|
[WireGuardPeer] sections. |
|
|
|
* systemd-networkd will now once again automatically generate persistent |
|
MAC addresses for batadv and bridge interfaces. Users can disable this |
|
by using MACAddress=none in .netdev files. |
|
|
|
* systemd-networkd and systemd-udevd now support IP over InfiniBand |
|
interfaces. The Kind= setting in .netdev file accepts “ipoib”. And |
|
systemd.netdev files gained the [IPoIB] section. |
|
|
|
* systemd-networkd and systemd-udevd now support net.ifname-policy= |
|
option on the kernel command-line. This is implemented through the |
|
systemd-network-generator service that automatically generates |
|
appropriate .link, .network, and .netdev files. |
|
|
|
* The various systemd-udevd “ethtool” buffer settings now understand |
|
the special value “max” to configure the buffers to the maximum the |
|
hardware supports. |
|
|
|
* systemd-udevd’s .link files may now configure a large variety of |
|
NIC coalescing settings, plus more hardware offload settings. |
|
|
|
* .link files gained a new WakeOnLanPassword= setting in the [Link] |
|
section that allows to specify a WoL “SecureOn” password on hardware |
|
that supports this. |
|
|
|
* systemd-nspawn’s –setenv= switch now supports an additional syntax: |
|
if only a variable name is specified (i.e. without being suffixed by |
|
a ‘=’ character and a value) the current value of the environment |
|
variable is propagated to the container. e.g. –setenv=FOO will |
|
lookup the current value of $FOO in the environment, and pass it down |
|
to the container. Similar behavior has been added to homectl’s, |
|
machinectl’s and systemd-run’s –setenv= switch. |
|
|
|
* systemd-nspawn gained a new switch –suppress-sync= which may be used |
|
to optionally suppress the effect of the sync()/fsync()/fdatasync() |
|
system calls for the container payload. This is useful for build |
|
system environments where safety against abnormal system shutdown is |
|
not essential as all build artifacts can be regenerated any time, but |
|
the performance win is beneficial. |
|
|
|
* systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the |
|
same value that PID 1 uses for most forked off processes. |
|
|
|
* systemd-nspawn’s –bind=/–bind-ro= switches now optionally take |
|
uidmap/nouidmap options as last parameter. If “uidmap” is used the |
|
bind mounts are created with UID mapping taking place that ensures |
|
the host’s file ownerships are mapped 1:1 to container file |
|
ownerships, even if user namespacing is used. This way |
|
files/directories bound into containers will no longer show up as |
|
owned by the nobody user as they typically did if no special care was |
|
taken to shift them manually. |
|
|
|
* When discovering Windows installations sd-boot will now attempt to |
|
show the Windows version. |
|
|
|
* The color scheme to use in sd-boot may now be configured at |
|
build-time. |
|
|
|
* sd-boot gained the ability to change screen resolution during |
|
boot-time, by hitting the “r” key. This will cycle through available |
|
resolutions and save the last selection. |
|
|
|
* sd-boot learnt a new hotkey “f”. When pressed the system will enter |
|
firmware setup. This is useful in environments where it is difficult |
|
to hit the right keys early enough to enter the firmware, and works |
|
on any firmware regardless which key it natively uses. |
|
|
|
* sd-boot gained support for automatically booting into the menu item |
|
selected on the last boot (using the “@saved” identifier for menu |
|
items). |
|
|
|
* sd-boot gained support for automatically loading all EFI drivers |
|
placed in the /EFI/systemd/drivers/ subdirectory of the EFI System |
|
Partition (ESP). These drivers are loaded before the menu entries are |
|
loaded. This is useful e.g. to load additional file system drivers |
|
for the XBOOTLDR partition. |
|
|
|
* systemd-boot will now paint the input cursor on its own instead of |
|
relying on the firmware to do so, increasing compatibility with broken |
|
firmware that doesn’t make the cursor reasonably visible. |
|
|
|
* sd-boot now embeds a .osrel PE section like we expect from Boot |
|
Loader Specification Type #2 Unified Kernels. This means sd-boot |
|
itself may be used in place of a Type #2 Unified Kernel. This is |
|
useful for debugging purposes as it allows chain-loading one a |
|
(development) sd-boot instance from another. |
|
|
|
* sd-boot now supports a new “devicetree” field in Boot Loader |
|
Specification Type #1 entries: if configured the specified device |
|
tree file is installed before the kernel is invoked. This is useful |
|
for installing/applying new devicetree files without updating the |
|
kernel image. |
|
|
|
* Similarly, sd-stub now can read devicetree data from a PE section |
|
“.dtb” and apply it before invoking the kernel. |
|
|
|
* sd-stub (the EFI stub that can be glued in front of a Linux kernel) |
|
gained the ability to pick up credentials and sysext files, wrap them |
|
in a cpio archive, and pass as an additional initrd to the invoked |
|
Linux kernel, in effect placing those files in the /.extra/ directory |
|
of the initrd environment. This is useful to implement trusted initrd |
|
environments which are fully authenticated but still can be extended |
|
(via sysexts) and parameterized (via encrypted/authenticated |
|
credentials, see above). |
|
|
|
Credentials can be located next to the kernel image file (credentials |
|
specific to a single boot entry), or in one of the shared directories |
|
(credentials applicable to multiple boot entries). |
|
|
|
* sd-stub now comes with a full man page, that explains its feature set |
|
and how to combine a kernel image, an initrd and the stub to build a |
|
complete EFI unified kernel image, implementing Boot Loader |
|
Specification Type #2. |
|
|
|
* sd-stub may now provide the initrd to the executed kernel via the |
|
LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for |
|
non-x86 architectures. |
|
|
|
* bootctl learnt new set-timeout and set-timeout-oneshot commands that |
|
may be used to set the boot menu time-out of the boot loader (for all |
|
or just the subsequent boot). |
|
|
|
* bootctl and kernel-install will now read variables |
|
KERNEL_INSTALL_LAYOUT= from /etc/machine-info and layout= from |
|
/etc/kernel/install.conf. When set, it specifies the layout to use |
|
for installation directories on the boot partition, so that tools |
|
don’t need to guess it based on the already-existing directories. The |
|
only value that is defined natively is “bls”, corresponding to the |
|
layout specified in |
|
https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for |
|
kernel-install that implement a different layout can declare other |
|
values for this variable. |
|
|
|
‘bootctl install’ will now write KERNEL_INSTALL_LAYOUT=bls, on the |
|
assumption that if the user installed sd-boot to the ESP, they intend |
|
to use the entry layout understood by sd-boot. It’ll also write |
|
KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID |
|
(and it wasn’t specified in the config file yet). Similarly, |
|
kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it |
|
wasn’t specified in the config file yet). Effectively, those changes |
|
mean that the machine-id used for boot loader entry installation is |
|
“frozen” upon first use and becomes independent of the actual |
|
machine-id. |
|
|
|
Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem: |
|
images created for distribution (“golden images”) are built with no |
|
machine-id, so that a unique machine-id can be created on the first |
|
boot. But those images may contain boot loader entries with the |
|
machine-id used during build included in paths. Using a “frozen” |
|
value allows unambiguously identifying entries that match the |
|
specific installation, while still permitting parallel installations |
|
without conflict. |
|
|
|
Configuring KERNEL_INSTALL_LAYOUT obviates the need for |
|
kernel-install to guess the installation layout. This fixes the |
|
problem where a (possibly empty) directory in the boot partition is |
|
created from a different layout causing kernel-install plugins to |
|
assume the wrong layout. A particular example of how this may happen |
|
is the grub2 package in Fedora which includes directories under /boot |
|
directly in its file list. Various other packages pull in grub2 as a |
|
dependency, so it may be installed even if unused, breaking |
|
installations that use the bls layout. |
|
|
|
* bootctl and systemd-bless-boot can now be linked statically. |
|
|
|
* systemd-sysext now optionally doesn’t insist on extension-release.d/ |
|
files being placed in the image under the image’s file name. If the |
|
file system xattr user.extension-release.strict is set on the |
|
extension release file, it is accepted regardless of its name. This |
|
relaxes security restrictions a bit, as system extension may be |
|
attached under a wrong name this way. |
|
|
|
* udevadm’s test-builtin command learnt a new –action= switch for |
|
testing the built-in with the specified action (in place of the |
|
default ‘add’). |
|
|
|
* udevadm info gained new switches –property=/–value for showing only |
|
specific udev properties/values instead of all. |
|
|
|
* A new hwdb database has been added that contains matches for various |
|
types of signal analyzers (protocol analyzers, logic analyzers, |
|
oscilloscopes, multimeters, bench power supplies, etc.) that should |
|
be accessible to regular users. |
|
|
|
* A new hwdb database entry has been added that carries information |
|
about types of cameras (regular or infrared), and in which direction |
|
they point (front or back). |
|
|
|
* A new rule to allow console users access to rfkill by default has been |
|
added to hwdb. |
|
|
|
* Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are |
|
now also owned by the system group “sgx”. |
|
|
|
* A new build-time meson option “extra-net-naming-schemes=” has been |
|
added to define additional naming schemes for udev’s network |
|
interface naming logic. This is useful for enterprise distributions |
|
and similar which want to pin the schemes of certain distribution |
|
releases under a specific name and previously had to patch the |
|
sources to introduce new named schemes. |
|
|
|
* The predictable naming logic for network interfaces has been extended |
|
to generate stable names from Xen netfront device information. |
|
|
|
* hostnamed’s chassis property can now be sourced from chassis-type |
|
field encoded in devicetree (in addition to the existing DMI |
|
support). |
|
|
|
* systemd-cgls now optionally displays cgroup IDs and extended |
|
attributes for each cgroup. (Controllable via the new –xattr= + |
|
–cgroup-id= switches.) |
|
|
|
* coredumpctl gained a new –all switch for operating on all |
|
Journal files instead of just the local ones. |
|
|
|
* systemd-coredump will now use libdw/libelf via dlopen() rather than |
|
directly linking, allowing users to easily opt-out of backtrace/metadata |
|
analysis of core files, and reduce image sizes when this is not needed. |
|
|
|
* systemd-coredump will now analyze core files with libdw/libelf in a |
|
forked, sandboxed process. |
|
|
|
* systemd-homed will now try to unmount an activate home area in |
|
regular intervals once the user logged out fully. Previously this was |
|
attempted exactly once but if the home directory was busy for some |
|
reason it was not tried again. |
|
|
|
* systemd-homed’s LUKS2 home area backend will now create a BSD file |
|
system lock on the image file while the home area is active |
|
(i.e. mounted). If a home area is found to be locked, logins are |
|
politely refused. This should improve behavior when using home areas |
|
images that are accessible via the network from multiple clients, and |
|
reduce the chance of accidental file system corruption in that case. |
|
|
|
* Optionally, systemd-homed will now drop the kernel buffer cache once |
|
a user has fully logged out, configurable via the new –drop-caches= |
|
homectl switch. |
|
|
|
* systemd-homed now makes use of UID mapped mounts for the home areas. |
|
If the kernel and used file system support it, files are now |
|
internally owned by the “nobody” user (i.e. the user typically used |
|
for indicating “this ownership is not mapped”), and dynamically |
|
mapped to the UID used locally on the system via the UID mapping |
|
mount logic of recent kernels. This makes migrating home areas |
|
between different systems cheaper because recursively chown()ing file |
|
system trees is no longer necessary. |
|
|
|
* systemd-homed’s CIFS backend now optionally supports CIFS service |
|
names with a directory suffix, in order to place home directories in |
|
a subdirectory of a CIFS share, instead of the top-level directory. |
|
|
|
* systemd-homed’s CIFS backend gained support for specifying additional |
|
mount options in the JSON user record (cifsExtraMountOptions field, |
|
and –cifs-extra-mount-options= homectl switch). This is for example |
|
useful for configuring mount options such as “noserverino” that some |
|
SMB3 services require (use that to run a homed home directory from a |
|
FritzBox SMB3 share this way). |
|
|
|
* systemd-homed will now default to btrfs’ zstd compression for home |
|
areas. This is inspired by Fedora’s recent decision to switch to zstd |
|
by default. |
|
|
|
* Additional mount options to use when mounting the file system of |
|
LUKS2 volumes in systemd-homed has been added. Via the |
|
$SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4, |
|
$SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to |
|
systemd-homed or via the luksExtraMountOptions user record JSON |
|
property. (Exposed via homectl –luks-extra-mount-options) |
|
|
|
* homectl’s resize command now takes the special size specifications |
|
“min” and “max” to shrink/grow the home area to the minimum/maximum |
|
size possible, taking disk usage/space constraints and file system |
|
limitations into account. Resizing is now generally graceful: the |
|
logic will try to get as close to the specified size as possible, but |
|
not consider it a failure if the request couldn’t be fulfilled |
|
precisely. |
|
|
|
* systemd-homed gained the ability to automatically shrink home areas |
|
on logout to their minimal size and grow them again on next |
|
login. This ensures that while inactive, a home area only takes up |
|
the minimal space necessary, but once activated, it provides |
|
sufficient space for the user’s needs. This behavior is only |
|
supported if btrfs is used as file system inside the home area |
|
(because only for btrfs online growing/shrinking is implemented in |
|
the kernel). This behavior is now enabled by default, but may be |
|
controlled via the new –auto-resize-mode= setting of homectl. |
|
|
|
* systemd-homed gained support for automatically re-balancing free disk |
|
space among active home areas, in case the LUKS2 backends are used, |
|
and no explicit disk size was requested. This way disk space is |
|
automatically managed and home areas resized in regular intervals and |
|
manual resizing when disk space becomes scarce should not be |
|
necessary anymore. This behavior is only supported if btrfs is used |
|
within the home areas (as only then online shrinking and growing is |
|
supported), and may be configured via the new rebalanceWeight JSON |
|
user record field (as exposed via the new –rebalance-weight= homectl |
|
setting). Re-balancing is mostly automatic, but can also be requested |
|
explicitly via “homectl rebalance”, which is synchronous, and thus |
|
may be used to wait until the rebalance run is complete. |
|
|
|
* userdbctl gained a –json= switch for configured the JSON formatting |
|
to use when outputting user or group records. |
|
|
|
* userdbctl gained a new –multiplexer= switch for explicitly |
|
configuring whether to use the systemd-userdbd server side user |
|
record resolution logic. |
|
|
|
* userdbctl’s ssh-authorized-keys command learnt a new –chain switch, |
|
for chaining up another command to execute after completing the |
|
look-up. Since the OpenSSH’s AuthorizedKeysCommand only allows |
|
configuration of a single command to invoke, this maybe used to |
|
invoke multiple: first userdbctl’s own implementation, and then any |
|
other also configured in the command line. |
|
|
|
* The sd-event API gained a new function sd_event_add_inotify_fd() that |
|
is similar to sd_event_add_inotify() but accepts a file descriptor |
|
instead of a path in the file system for referencing the inode to |
|
watch. |
|
|
|
* The sd-event API gained a new function |
|
sd_event_source_set_ratelimit_expire_callback() that may be used to |
|
define a callback function that is called whenever an event source |
|
leaves the rate limiting phase. |
|
|
|
* New documentation has been added explaining which steps are necessary |
|
to port systemd to a new architecture: |
|
|
|
https://systemd.io/PORTING_TO_NEW_ARCHITECTURES |
|
|
|
* The x-systemd.makefs option in /etc/fstab now explicitly supports |
|
ext2, ext3, and f2fs file systems. |
|
|
|
* Mount units and units generated from /etc/fstab entries with ‘noauto’ |
|
are now ordered the same as other units. Effectively, they will be |
|
started earlier (if something actually pulled them in) and stopped |
|
later, similarly to normal mount units that are part of |
|
fs-local.target. This change should be invisible to users, but |
|
should prevent those units from being stopped too early during |
|
shutdown. |
|
|
|
* The systemd-getty-generator now honors a new kernel command line |
|
argument systemd.getty_auto= and a new environment variable |
|
$SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for |
|
example useful to turn off gettys inside of containers or similar |
|
environments. |
|
|
|
* systemd-resolved now listens on a second DNS stub address: 127.0.0.54 |
|
(in addition to 127.0.0.53, as before). If DNS requests are sent to |
|
this address they are propagated in “bypass” mode only, i.e. are |
|
almost not processed locally, but mostly forwarded as-is to the |
|
current upstream DNS servers. This provides a stable DNS server |
|
address that proxies all requests dynamically to the right upstream |
|
DNS servers even if these dynamically change. This stub does not do |
|
mDNS/LLMNR resolution. However, it will translate look-ups to |
|
DNS-over-TLS if necessary. This new stub is particularly useful in |
|
container/VM environments, or for tethering setups: use DNAT to |
|
redirect traffic to any IP address to this stub. |
|
|
|
* systemd-importd now honors new environment variables |
|
$SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA, |
|
$SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume |
|
generation, btrfs quota setup and disk synchronization. |
|
|
|
* systemd-importd and systemd-resolved can now be optionally built with |
|
OpenSSL instead of libgcrypt. |
|
|
|
* systemd-repart no longer requires OpenSSL. |
|
|
|
* systemd-sysusers will no longer create the redundant ‘nobody’ group |
|
by default, as the ‘nobody’ user is already created with an |
|
appropriate primary group. |
|
|
|
* If a unit uses RuntimeMaxSec, systemctl show will now display it. |
|
|
|
* systemctl show-environment gained support for –output=json. |
|
|
|
* pam_systemd will now first try to use the X11 abstract socket, and |
|
fallback to the socket file in /tmp/.X11-unix/ only if that does not |
|
work. |
|
|
|
* systemd-journald will no longer go back to volatile storage |
|
regardless of configuration when its unit is restarted. |
|
|
|
* Initial support for the LoongArch architecture has been added (system |
|
call lists, GPT partition table UUIDs, etc). |
|
|
|
* systemd-journald’s own logging messages are now also logged to the |
|
journal itself when systemd-journald logs to /dev/kmsg. |
|
|
|
* systemd-journald now re-enables COW for archived journal files on |
|
filesystems that support COW. One benefit of this change is that |
|
archived journal files will now get compressed on btrfs filesystems |
|
that have compression enabled. |
|
|
|
* systemd-journald now deduplicates fields in a single log message |
|
before adding it to the journal. In archived journal files, it will |
|
also punch holes for unused parts and truncate the file as |
|
appropriate, leading to reductions in disk usage. |
|
|
|
* journalctl –verify was extended with more informative error |
|
messages. |
|
|
|
* More of sd-journal’s functions are now resistant against journal file |
|
corruption. |
|
|
|
* The shutdown command learnt a new option –show, to display the |
|
scheduled shutdown. |
|
|
|
* A LICENSES/ directory is now included in the git tree. It contains a |
|
README.md file that explains the licenses used by source files in |
|
this repository. It also contains the text of all applicable |
|
licenses as they appear on spdx.org. |
|
|
|
Contributions from: Aakash Singh, acsfer, Adolfo Jayme Barrientos, |
|
Adrian Vovk, Albert Brox, Alberto Mardegan, Alexander Kanavin, |
|
alexlzhu, Alfonso Sánchez-Beato, Alvin Šipraga, Alyssa Ross, |
|
Amir Omidi, Anatol Pomozov, Andika Triwidada, Andreas Rammhold, |
|
Andreas Valder, Andrej Lajovic, Andrew Soutar, Andrew Stone, Andy Chi, |
|
Anita Zhang, Anssi Hannula, Antonio Alvarez Feijoo, |
|
Antony Deepak Thomas, Arnaud Ferraris, Arvid E. Picciani, |
|
Bastien Nocera, Benjamin Berg, Benjamin Herrenschmidt, Ben Stockett, |
|
Bogdan Seniuc, Boqun Feng, Carl Lei, chlorophyll-zz, Chris Packham, |
|
Christian Brauner, Christian Göttsche, Christian Wehrli, |
|
Christoph Anton Mitterer, Cristian Rodríguez, Daan De Meyer, |
|
Daniel Maixner, Dann Frazier, Dan Streetman, Davide Cavalca, |
|
David Seifert, David Tardon, dependabot[bot], Dimitri John Ledkov, |
|
Dimitri Papadopoulos, Dimitry Ishenko, Dmitry Khlebnikov, |
|
Dominique Martinet, duament, Egor, Egor Ignatov, Emil Renner Berthing, |
|
Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin, Florian Klink, |
|
Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon, GnunuX, |
|
Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede, |
|
Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho, |
|
Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras, |
|
I-dont-need-name, igo95862, Jack Dähn, James Hilliard, Jan Janssen, |
|
Jan Kuparinen, Jan Macku, Jan Palus, Jarkko Sakkinen, Jayce Fayne, |
|
jiangchuangang, jlempen, John Lindgren, Jonas Dreßler, Jonas Jelten, |
|
Jonas Witschel, Joris Hartog, José Expósito, Julia Kartseva, |
|
Kai-Heng Feng, Kai Wohlfahrt, Kay Siver Bø, KennthStailey, |
|
Kevin Kuehler, Kevin Orr, Khem Raj, Kristian Klausen, Kyle Laker, |
|
lainahai, LaserEyess, Lennart Poettering, Lia Lenckowski, longpanda, |
|
Luca Boccassi, Luca BRUNO, Ludwig Nussel, Lukas Senionis, |
|
Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi, |
|
Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez, |
|
Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro, |
|
Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert, |
|
Milo Turner, ml, monosans, Nacho Barrientos, nassir90, Nishal Kulkarni, |
|
nl6720, Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto, |
|
Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas, |
|
Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Robert Scheck, |
|
Ross Jennings, saikat0511, Scott Lamb, Scott Worley, |
|
Sergei Trofimovich, Sho Iizuka, Slava Bacherikov, Slimane Selyan Amiri, |
|
StefanBruens, Steven Siloti, svonohr, Taiki Sugawara, Takashi Sakamoto, |
|
Takuro Onoue, Thomas Blume, Thomas Haller, Thomas Mühlbacher, |
|
Tianlu Shao, Toke Høiland-Jørgensen, Tom Yan, Tony Asleson, |
|
Topi Miettinen, Ulrich Ölmann, Urs Ritzmann, Vincent Bernat, |
|
Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ, Wu Xiaotian, |
|
xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei, Yao Wei (魏銘廷), |
|
Yegor Alexeyev, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, |
|
Дамјан Георгиевски, наб |
|
|
|
— Warsaw, 2021-12-23 |
|
|
|
CHANGES WITH 249: |
|
|
|
* When operating on disk images via the –image= switch of various |
|
tools (such as systemd-nspawn or systemd-dissect), or when udev finds |
|
no ‘root=’ parameter on the kernel command line, and multiple |
|
suitable root or /usr/ partitions exist in the image, then a simple |
|
comparison inspired by strverscmp() is done on the GPT partition |
|
label, and the newest partition is picked. This permits a simple and |
|
generic whole-file-system A/B update logic where new operating system |
|
versions are dropped into partitions whose label is then updated with |
|
a matching version identifier. |
|
|
|
* systemd-sysusers now supports querying the passwords to set for the |
|
users it creates via the “credentials” logic introduced in v247: the |
|
passwd.hashed-password. and passwd.plaintext-password. |
|
credentials are consulted for the password to use (either in UNIX |
|
hashed form, or literally). By default these credentials are inherited |
|
down from PID1 (which in turn imports it from a container manager if |
|
there is one). This permits easy configuration of user passwords |
|
during first boot. Example: |
|
|
|
# systemd-nspawn -i foo.raw –volatile=yes –set-credential=passwd.plaintext-password.root:foo |
|
|
|
Note that systemd-sysusers operates in purely additive mode: it |
|
executes no operation if the declared users already exist, and hence |
|
doesn’t set any passwords as effect of the command line above if the |
|
specified root user exists already in the image. (Note that |
|
–volatile=yes ensures it doesn’t, though.) |
|
|
|
* systemd-firstboot now also supports querying various system |
|
parameters via the credential subsystems. Thus, as above this may be |
|
used to initialize important system parameters on first boot of |
|
previously unprovisioned images (i.e. images with a mostly empty |
|
/etc/). |
|
|
|
* PID 1 may now show both the unit name and the unit description |
|
strings in its status output during boot. This may be configured with |
|
StatusUnitFormat=combined in system.conf or |
|
systemd.status-unit-format=combined on the kernel command line. |
|
|
|
* The systemd-machine-id-setup tool now supports a –image= switch for |
|
provisioning a machine ID file into an OS disk image, similar to how |
|
–root= operates on an OS file tree. This matches the existing switch |
|
of the same name for systemd-tmpfiles, systemd-firstboot, and |
|
systemd-sysusers tools. |
|
|
|
* Similarly, systemd-repart gained support for the –image= switch too. |
|
In combination with the existing –size= option, this makes the tool |
|
particularly useful for easily growing disk images in a single |
|
invocation, following the declarative rules included in the image |
|
itself. |
|
|
|
* systemd-repart’s partition configuration files gained support for a |
|
new switch MakeDirectories= which may be used to create arbitrary |
|
directories inside file systems that are created, before registering |
|
them in the partition table. This is useful in particular for root |
|
partitions to create mount point directories for other partitions |
|
included in the image. For example, a disk image that contains a |
|
root, /home/, and /var/ partitions, may set MakeDirectories=yes to |
|
create /home/ and /var/ as empty directories in the root file system |
|
on its creation, so that the resulting image can be mounted |
|
immediately, even in read-only mode. |
|
|
|
* systemd-repart’s CopyBlocks= setting gained support for the special |
|
value “auto”. If used, a suitable matching partition on the booted OS |
|
is found as source to copy blocks from. This is useful when |
|
implementing replicating installers, that are booted from one medium |
|
and then stream their own root partition onto the target medium. |
|
|
|
* systemd-repart’s partition configuration files gained support for a |
|
Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these |
|
GPT partition flags for the created partitions: this is useful for |
|
marking newly created partitions as read-only, or as not being |
|
subject for automatic mounting from creation on. |
|
|
|
* The /etc/os-release file has been extended with two new (optional) |
|
variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version |
|
information for OS images that are updated comprehensively and |
|
atomically as one image. Two new specifiers %M, %A now resolve to |
|
these two fields in the various configuration options that resolve |
|
specifiers. |
|
|
|
* portablectl gained a new switch –extension= for enabling portable |
|
service images with extensions that follow the extension image |
|
concept introduced with v248, and thus allows layering multiple |
|
images when setting up the root filesystem of the service. |
|
|
|
* systemd-coredump will now extract ELF build-id information from |
|
processes dumping core and include it in the coredump report. |
|
Moreover, it will look for ELF .note.package sections with |
|
distribution packaging meta-information about the crashing process. |
|
This is useful to directly embed the rpm or deb (or any other) |
|
package name and version in ELF files, making it easy to match |
|
coredump reports with the specific package for which the software was |
|
compiled. This is particularly useful on environments with ELF files |
|
from multiple vendors, different distributions and versions, as is |
|
common today in our containerized and sand-boxed world. For further |
|
information, see: |
|
|
|
https://systemd.io/COREDUMP_PACKAGE_METADATA |
|
|
|
* A new udev hardware database has been added for FireWire devices |
|
(IEEE 1394). |
|
|
|
* The “net_id” built-in of udev has been updated with three |
|
backwards-incompatible changes: |
|
|
|
– PCI hotplug slot names on s390 systems are now parsed as |
|
hexadecimal numbers. They were incorrectly parsed as decimal |
|
previously, or ignored if the name was not a valid decimal |
|
number. |
|
|
|
– PCI onboard indices up to 65535 are allowed. Previously, numbers |
|
above 16383 were rejected. This primarily impacts s390 systems, |
|
where values up to 65535 are used. |
|
|
|
– Invalid characters in interface names are replaced with “_”. |
|
|
|
The new version of the net naming scheme is “v249”. The previous |
|
scheme can be selected via the “net.naming-scheme=v247” kernel |
|
command line parameter. |
|
|
|
* sd-bus’ sd_bus_is_ready() and sd_bus_is_open() calls now accept a |
|
NULL bus object, for which they will return false. Or in other words, |
|
an unallocated bus connection is neither ready nor open. |
|
|
|
* The sd-device API acquired a new API function |
|
sd_device_get_usec_initialized() that returns the monotonic time when |
|
the udev device first appeared in the database. |
|
|
|
* sd-device gained a new APIs sd_device_trigger_with_uuid() and |
|
sd_device_get_trigger_uuid(). The former is similar to |
|
sd_device_trigger() but returns a randomly generated UUID that is |
|
associated with the synthetic uevent generated by the call. This UUID |
|
may be read from the sd_device object a monitor eventually receives, |
|
via the sd_device_get_trigger_uuid(). This interface requires kernel |
|
4.13 or above to work, and allows tracking a synthetic uevent through |
|
the entire device management stack. The “udevadm trigger –settle” |
|
logic has been updated to make use of this concept if available to |
|
wait precisely for the uevents it generates. “udevadm trigger” also |
|
gained a new parameter –uuid that prints the UUID for each generated |
|
uevent. |
|
|
|
* sd-device also gained new APIs sd_device_new_from_ifname() and |
|
sd_device_new_from_ifindex() for allocating an sd-device object for |
|
the specified network interface. The former accepts an interface name |
|
(either a primary or an alternative name), the latter an interface |
|
index. |
|
|
|
* The native Journal protocol has been documented. Clients may talk |
|
this as alternative to the classic BSD syslog protocol for locally |
|
delivering log records to the Journal. The protocol has been stable |
|
for a long time and in fact been implemented already in a variety |
|
of alternative client libraries. This documentation makes the support |
|
for that official: |
|
|
|
https://systemd.io/JOURNAL_NATIVE_PROTOCOL |
|
|
|
* A new BPFProgram= setting has been added to service files. It may be |
|
set to a path to a loaded kernel BPF program, i.e. a path to a bpffs |
|
file, or a bind mount or symlink to one. This may be used to upload |
|
and manage BPF programs externally and then hook arbitrary systemd |
|
services into them. |
|
|
|
* The “home.arpa” domain that has been officially declared as the |
|
choice for domain for local home networks per RFC 8375 has been added |
|
to the default NTA list of resolved, since DNSSEC is generally not |
|
available on private domains. |
|
|
|
* The CPUAffinity= setting of unit files now resolves “%” specifiers. |
|
|
|
* A new ManageForeignRoutingPolicyRules= setting has been added to |
|
.network files which may be used to exclude foreign-created routing |
|
policy rules from systemd-networkd management. |
|
|
|
* systemd-network-wait-online gained two new switches -4 and -6 that |
|
may be used to tweak whether to wait for only IPv4 or only IPv6 |
|
connectivity. |
|
|
|
* .network files gained a new RequiredFamilyForOnline= setting to |
|
fine-tune whether to require an IPv4 or IPv6 address in order to |
|
consider an interface “online”. |
|
|
|
* networkctl will now show an over-all “online” state in the per-link |
|
information. |
|
|
|
* In .network files a new OutgoingInterface= setting has been added to |
|
specify the output interface in bridge FDB setups. |
|
|
|
* In .network files the Multipath group ID may now be configured for |
|
[NextHop] entries, via the new Group= setting. |
|
|
|
* The DHCP server logic configured in .network files gained a new |
|
setting RelayTarget= that turns the server into a DHCP server relay. |
|
The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used |
|
to further tweak the DHCP relay behaviour. |
|
|
|
* The DHCP server logic also gained a new ServerAddress= setting in |
|
.network files that explicitly specifies the server IP address to |
|
use. If not specified, the address is determined automatically, as |
|
before. |
|
|
|
* The DHCP server logic in systemd-networkd gained support for static |
|
DHCP leases, configurable via the [DHCPServerStaticLease] |
|
section. This allows explicitly mapping specific MAC addresses to |
|
fixed IP addresses and vice versa. |
|
|
|
* The RestrictAddressFamilies= setting in service files now supports a |
|
new special value “none”. If specified sockets of all address |
|
families will be made unavailable to services configured that way. |
|
|
|
* systemd-fstab-generator and systemd-repart have been updated to |
|
support booting from disks that carry only a /usr/ partition but no |
|
root partition yet, and where systemd-repart can add it in on the |
|
first boot. This is useful for implementing systems that ship with a |
|
single /usr/ file system, and whose root file system shall be set up |
|
and formatted on a LUKS-encrypted volume whose key is generated |
|
locally (and possibly enrolled in the TPM) during the first boot. |
|
|
|
* The [Address] section of .network files now accepts a new |
|
RouteMetric= setting that configures the routing metric to use for |
|
the prefix route created as effect of the address configuration. |
|
Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections |
|
gained matching settings for their prefix routes. (The option of the |
|
same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since |
|
it conceptually belongs there; the old option is still understood for |
|
compatibility.) |
|
|
|
* The DHCPv6 IAID and DUID are now explicitly configurable in .network |
|
files. |
|
|
|
* A new udev property ID_NET_DHCP_BROADCAST on network interface |
|
devices is now honoured by systemd-networkd, controlling whether to |
|
issue DHCP offers via broadcasting. This is used to ensure that s390 |
|
layer 3 network interfaces work out-of-the-box with systemd-networkd. |
|
|
|
* nss-myhostname and systemd-resolved will now synthesize address |
|
records for a new special hostname “_outbound”. The name will always |
|
resolve to the local IP addresses most likely used for outbound |
|
connections towards the default routes. On multi-homed hosts this is |
|
useful to have a stable handle referring to “the” local IP address |
|
that matters most, to the point where this is defined. |
|
|
|
* The Discoverable Partition Specification has been updated with a new |
|
GPT partition flag “grow-file-system” defined for its partition |
|
types. Whenever partitions with this flag set are automatically |
|
mounted (i.e. via systemd-gpt-auto-generator or the –image= switch |
|
of systemd-nspawn or other tools; and as opposed to explicit mounting |
|
via /etc/fstab), the file system within the partition is |
|
automatically grown to the full size of the partition. If the file |
|
system size already matches the partition size this flag has no |
|
effect. Previously, this functionality has been available via the |
|
explicit x-systemd.growfs mount option, and this new flag extends |
|
this to automatically discovered mounts. A new GrowFileSystem= |
|
setting has been added to systemd-repart drop-in files that allows |
|
configuring this partition flag. This new flag defaults to on for |
|
partitions automatically created by systemd-repart, except if they |
|
are marked read-only. See the specification for further details: |
|
|
|
https://systemd.io/DISCOVERABLE_PARTITIONS |
|
|
|
* .network files gained a new setting RoutesToNTP= in the [DHCPv4] |
|
section. If enabled (which is the default), and an NTP server address |
|
is acquired through a DHCP lease on this interface an explicit route |
|
to this address is created on this interface to ensure that NTP |
|
traffic to the NTP server acquired on an interface is also routed |
|
through that interface. The pre-existing RoutesToDNS= setting that |
|
implements the same for DNS servers is now enabled by default. |
|
|
|
* A pair of service settings SocketBindAllow= + SocketBindDeny= have |
|
been added that may be used to restrict the network interfaces |
|
sockets created by the service may be bound to. This is implemented |
|
via BPF. |
|
|
|
* A new ConditionFirmware= setting has been added to unit files to |
|
conditionalize on certain firmware features. At the moment it may |
|
check whether running on an UEFI system, a device.tree system, or if |
|
the system is compatible with some specified device-tree feature. |
|
|
|
* A new ConditionOSRelease= setting has been added to unit files to |
|
check os-release(5) fields. The “=”, “!=”, “<", "<=", ">=”, “>” |
|
operators may be used to check if some field has some specific value |
|
or do an alphanumerical comparison. Equality comparisons are useful |
|
for fields like ID, but relative comparisons for fields like |
|
VERSION_ID or IMAGE_VERSION. |
|
|
|
* hostnamed gained a new Describe() D-Bus method that returns a JSON |
|
serialization of the host data it exposes. This is exposed via |
|
“hostnamectl –json=” to acquire a host identity description in JSON. |
|
It’s our intention to add a similar features to most services and |
|
objects systemd manages, in order to simplify integration with |
|
program code that can consume JSON. |
|
|
|
* Similarly, networkd gained a Describe() method on its Manager and |
|
Link bus objects. This is exposed via “networkctl –json=”. |
|
|
|
* hostnamectl’s various “get-xyz”/”set-xyz” verb pairs |
|
(e.g. “hostnamectl get-hostname”, “hostnamectl “set-hostname”) have |
|
been replaced by a single “xyz” verb (e.g. “hostnamectl hostname”) |
|
that is used both to get the value (when no argument is given), and |
|
to set the value (when an argument is specified). The old names |
|
continue to be supported for compatibility. |
|
|
|
* systemd-detect-virt and ConditionVirtualization= are now able to |
|
correctly identify Amazon EC2 environments. |
|
|
|
* The LogLevelMax= setting of unit files now applies not only to log |
|
messages generated *by* the service, but also to log messages |
|
generated *about* the service by PID 1. To suppress logs concerning a |
|
specific service comprehensively, set this option to a high log |
|
level. |
|
|
|
* bootctl gained support for a new –make-machine-id-directory= switch |
|
that allows precise control on whether to create the top-level |
|
per-machine directory in the boot partition that typically contains |
|
Type 1 boot loader entries. |
|
|
|
* During build SBAT data to include in the systemd-boot EFI PE binaries |
|
may be specified now. |
|
|
|
* /etc/crypttab learnt a new option “headless”. If specified any |
|
requests to query the user interactively for passwords or PINs will |
|
be skipped. This is useful on systems that are headless, i.e. where |
|
an interactive user is generally not present. |
|
|
|
* /etc/crypttab also learnt a new option “password-echo=” that allows |
|
configuring whether the encryption password prompt shall echo the |
|
typed password and if so, do so literally or via asterisks. (The |
|
default is the same behaviour as before: provide echo feedback via |
|
asterisks.) |
|
|
|
* FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and |
|
systemd-homed has been updated to allow explicit configuration of the |
|
“user presence” and “user verification” checks, as well as whether a |
|
PIN is required for authentication, via the new switches |
|
–fido2-with-user-presence=, –fido2-with-user-verification=, |
|
–fido2-with-client-pin= to systemd-cryptenroll and homectl. Which |
|
features are available, and may be enabled or disabled depends on the |
|
used FIDO2 token. |
|
|
|
* systemd-nspawn’s –private-user= switch now accepts the special value |
|
“identity” which configures a user namespacing environment with an |
|
identity mapping of 65535 UIDs. This means the container UID 0 is |
|
mapped to the host UID 0, and the UID 1 to host UID 1. On first look |
|
this doesn’t appear to be useful, however it does reduce the attack |
|
surface a bit, since the resulting container will possess process |
|
capabilities only within its namespace and not on the host. |
|
|
|
* systemd-nspawn’s –private-user-chown switch has been replaced by a |
|
more generic –private-user-ownership= switch that accepts one of |
|
three values: “chown” is equivalent to the old –private-user-chown, |
|
and “off” is equivalent to the absence of the old switch. The value |
|
“map” uses the new UID mapping mounts of Linux 5.12 to map ownership |
|
of files and directories of the underlying image to the chosen UID |
|
range for the container. “auto” is equivalent to “map” if UID mapping |
|
mount are supported, otherwise it is equivalent to “chown”. The short |
|
-U switch systemd-nspawn now implies –private-user-ownership=auto |
|
instead of the old –private-user-chown. Effectively this means: if |
|
the backing file system supports UID mapping mounts the feature is |
|
now used by default if -U is used. Generally, it’s a good idea to use |
|
UID mapping mounts instead of recursive chown()ing, since it allows |
|
running containers off immutable images (since no modifications of |
|
the images need to take place), and share images between multiple |
|
instances. Moreover, the recursive chown()ing operation is slow and |
|
can be avoided. Conceptually it’s also a good thing if transient UID |
|
range uses do not leak into persistent file ownership anymore. TLDR: |
|
finally, the last major drawback of user namespacing has been |
|
removed, and -U should always be used (unless you use btrfs, where |
|
UID mapped mounts do not exist; or your container actually needs |
|
privileges on the host). |
|
|
|
* nss-systemd now synthesizes user and group shadow records in addition |
|
to the main user and group records. Thus, hashed passwords managed by |
|
systemd-homed are now accessible via the shadow database. |
|
|
|
* The userdb logic (and thus nss-systemd, and so on) now read |
|
additional user/group definitions in JSON format from the drop-in |
|
directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and |
|
/usr/lib/userdb/. This is a simple and powerful mechanism for making |
|
additional users available to the system, with full integration into |
|
NSS including the shadow databases. Since the full JSON user/group |
|
record format is supported this may also be used to define users with |
|
resource management settings and other runtime settings that |
|
pam_systemd and systemd-logind enforce at login. |
|
|
|
* The userdbctl tool gained two new switches –with-dropin= and |
|
–with-varlink= which can be used to fine-tune the sources used for |
|
user database lookups. |
|
|
|
* systemd-nspawn gained a new switch –bind-user= for binding a host |
|
user account into the container. This does three things: the user’s |
|
home directory is bind mounted from the host into the container, |
|
below the /run/userdb/home/ hierarchy. A free UID is picked in the |
|
container, and a user namespacing UID mapping to the host user’s UID |
|
installed. And finally, a minimal JSON user and group record (along |
|
with its hashed password) is dropped into /run/host/userdb/. These |
|
records are picked up automatically by the userdb drop-in logic |
|
describe above, and allow the user to login with the same password as |
|
on the host. Effectively this means: if host and container run new |
|
enough systemd versions making a host user available to the container |
|
is trivially simple. |
|
|
|
* systemd-journal-gatewayd now supports the switches –user, –system, |
|
–merge, –file= that are equivalent to the same switches of |
|
journalctl, and permit exposing only the specified subset of the |
|
Journal records. |
|
|
|
* The OnFailure= dependency between units is now augmented with a |
|
implicit reverse dependency OnFailureOf= (this new dependency cannot |
|
be configured directly it’s only created as effect of an OnFailure= |
|
dependency in the reverse order — it’s visible in “systemctl show” |
|
however). Similar, Slice= now has an reverse dependency SliceOf=, |
|
that is also not configurable directly, but useful to determine all |
|
units that are members of a slice. |
|
|
|
* A pair of new dependency types between units PropagatesStopTo= + |
|
StopPropagatedFrom= has been added, that allows propagation of unit |
|
stop events between two units. It operates similar to the existing |
|
PropagatesReloadTo= + ReloadPropagatedFrom= dependencies. |
|
|
|
* A new dependency type OnSuccess= has been added (plus the reverse |
|
dependency OnSuccessOf=, which cannot be configured directly, but |
|
exists only as effect of the reverse OnSuccess=). It is similar to |
|
OnFailure=, but triggers in the opposite case: when a service exits |
|
cleanly. This allows “chaining up” of services where one or more |
|
services are started once another service has successfully completed. |
|
|
|
* A new dependency type Upholds= has been added (plus the reverse |
|
dependency UpheldBy=, which cannot be configured directly, but exists |
|
only as effect of Upholds=). This dependency type is a stronger form |
|
of Wants=: if a unit has an UpHolds= dependency on some other unit |
|
and the former is active then the latter is started whenever it is |
|
found inactive (and no job is queued for it). This is an alternative |
|
to Restart= inside service units, but less configurable, and the |
|
request to uphold a unit is not encoded in the unit itself but in |
|
another unit that intends to uphold it. |
|
|
|
* The systemd-ask-password tool now also supports reading passwords |
|
from the credentials subsystem, via the new –credential= switch. |
|
|
|
* The systemd-ask-password tool learnt a new switch –emoji= which may |
|
be used to explicit control whether the lock and key emoji (🔐) is |
|
shown in the password prompt on suitable TTYs. |
|
|
|
* The –echo switch of systemd-ask-password now optionally takes a |
|
parameter that controls character echo. It may either show asterisks |
|
(default, as before), turn echo off entirely, or echo the typed |
|
characters literally. |
|
|
|
* The systemd-ask-password tool also gained a new -n switch for |
|
suppressing output of a trailing newline character when writing the |
|
acquired password to standard output, similar to /bin/echo’s -n |
|
switch. |
|
|
|
* New documentation has been added that describes the organization of |
|
the systemd source code tree: |
|
|
|
https://systemd.io/ARCHITECTURE |
|
|
|
* Units using ConditionNeedsUpdate= will no longer be activated in |
|
the initrd. |
|
|
|
* It is now possible to list a template unit in the WantedBy= or |
|
RequiredBy= settings of the [Install] section of another template |
|
unit, which will be instantiated using the same instance name. |
|
|
|
* A new MemoryAvailable property is available for units. If the unit, |
|
or the slices it is part of, have a memory limit set via MemoryMax=/ |
|
MemoryHigh=, MemoryAvailable will indicate how much more memory the |
|
unit can claim before hitting the limits. |
|
|
|
* systemd-coredump will now try to stay below the cgroup memory limit |
|
placed on itself or one of the slices it runs under, if the storage |
|
area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs, |
|
since files written on such filesystems count toward the cgroup memory |
|
limit. If there is not enough available memory in such cases to store |
|
the core file uncompressed, systemd-coredump will skip to compressed |
|
storage directly (if enabled) and it will avoid analyzing the core file |
|
to print backtrace and metadata in the journal. |
|
|
|
* tmpfiles.d/ drop-ins gained a new ‘=’ modifier to check if the type |
|
of a path matches the configured expectations, and remove it if not. |
|
|
|
* tmpfiles.d/’s ‘Age’ now accepts an ‘age-by’ argument, which allows to |
|
specify which of the several available filesystem timestamps (access |
|
time, birth time, change time, modification time) to look at when |
|
deciding whether a path has aged enough to be cleaned. |
|
|
|
* A new IPv6StableSecretAddress= setting has been added to .network |
|
files, which takes an IPv6 address to use as secret for IPv6 address |
|
generation. |
|
|
|
* The [DHCPServer] logic in .network files gained support for a new |
|
UplinkInterface= setting that permits configuration of the uplink |
|
interface name to propagate DHCP lease information from. |
|
|
|
* The WakeOnLan= setting in .link files now accepts a list of flags |
|
instead of a single one, to configure multiple wake-on-LAN policies. |
|
|
|
* User-space defined tracepoints (USDT) have been added to udev at |
|
strategic locations. This is useful for tracing udev behaviour and |
|
performance with bpftrace and similar tools. |
|
|
|
* systemd-journald-upload gained a new NetworkTimeoutSec= option for |
|
setting a network timeout time. |
|
|
|
* If a system service is running in a new mount namespace (RootDirectory= |
|
and friends), all file systems will be mounted with MS_NOSUID by |
|
default, unless the system is running with SELinux enabled. |
|
|
|
* When enumerating time zones the timedatectl tool will now consult the |
|
‘tzdata.zi’ file shipped by the IANA time zone database package, in |
|
addition to ‘zone1970.tab’, as before. This makes sure time zone |
|
aliases are now correctly supported. Some distributions so far did |
|
not install this additional file, most do however. If you |
|
distribution does not install it yet, it might make sense to change |
|
that. |
|
|
|
* Intel HID rfkill event is no longer masked, since it’s the only |
|
source of rfkill event on newer HP laptops. To have both backward and |
|
forward compatibility, userspace daemon needs to debounce duplicated |
|
events in a short time window. |
|
|
|
Contributions from: Aakash Singh, adrian5, Albert Brox, |
|
Alexander Sverdlin, Alexander Tsoy, Alexey Rubtsov, alexlzhu, |
|
Allen Webb, Alvin Šipraga, Alyssa Ross, Anders Wenhaug, |
|
Andrea Pappacoda, Anita Zhang, asavah, Balint Reczey, Bertrand Jacquin, |
|
borna-blazevic, caoxia2008cxx, Carlo Teubner, Christian Göttsche, |
|
Christian Hesse, Daniel Schaefer, Dan Streetman, |
|
David Santamaría Rogado, David Tardon, Deepak Rawat, dgcampea, |
|
Dimitri John Ledkov, ei-ke, Emilio Herrera, Emil Renner Berthing, |
|
Eric Cook, Flos Lonicerae, Franck Bui, Francois Gervais, |
|
Frantisek Sumsal, Gibeom Gwon, gitm0, Hamish Moffatt, Hans de Goede, |
|
Harsh Barsaiyan, Henri Chain, Hristo Venev, Icenowy Zheng, Igor Zhbanov, |
|
imayoda, Jakub Warczarek, James Buren, Jan Janssen, Jan Macku, |
|
Jan Synacek, Jason Francis, Jayanth Ananthapadmanaban, Jeremy Szu, |
|
Jérôme Carretero, Jesse Stricker, jiangchuangang, Joerg Behrmann, |
|
Jóhann B. Guðmundsson, Jörg Deckert, Jörg Thalheim, Juergen Hoetzel, |
|
Julia Kartseva, Kai-Heng Feng, Khem Raj, KoyamaSohei, laineantti, |
|
Lennart Poettering, LetzteInstanz, Luca Adrian L, Luca Boccassi, |
|
Lucas Magasweran, Mantas Mikulėnas, Marco Antonio Mauro, Mark Wielaard, |
|
Masahiro Matsuya, Matt Johnston, Michael Catanzaro, Michal Koutný, |
|
Michal Sekletár, Mike Crowe, Mike Kazantsev, Milan, milaq, |
|
Miroslav Suchý, Morten Linderud, nerdopolis, nl6720, Noah Meyerhans, |
|
Oleg Popov, Olle Lundberg, Ondrej Kozina, Paweł Marciniak, Perry.Yuan, |
|
Peter Hutterer, Peter Kjellerstedt, Peter Morrow, Phaedrus Leeds, |
|
plattrap, qhill, Raul Tambre, Roman Beranek, Roshan Shariff, |
|
Ryan Hendrickson, Samuel BF, scootergrisen, Sebastian Blunt, |
|
Seong-ho Cho, Sergey Bugaev, Sevan Janiyan, Sibo Dong, simmon, |
|
Simon Watts, Srinidhi Kaushik, Štěpán Němec, Steve Bonds, Susant Sahani, |
|
sverdlin, syyhao1994, Takashi Sakamoto, Topi Miettinen, tramsay, |
|
Trent Piepho, Uwe Kleine-König, Viktor Mihajlovski, Vincent Dechenaux, |
|
Vito Caputo, William A. Kennington III, Yangyang Shen, Yegor Alexeyev, |
|
Yi Gao, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsien, наб |
|
|
|
— Edinburgh, 2021-07-07 |
|
|
|
CHANGES WITH 248: |
|
|
|
* A concept of system extension images is introduced. Such images may |
|
be used to extend the /usr/ and /opt/ directory hierarchies at |
|
runtime with additional files (even if the file system is read-only). |
|
When a system extension image is activated, its /usr/ and /opt/ |
|
hierarchies and os-release information are combined via overlayfs |
|
with the file system hierarchy of the host OS. |
|
|
|
A new systemd-sysext tool can be used to merge, unmerge, list, and |
|
refresh system extension hierarchies. See |
|
https://www.freedesktop.org/software/systemd/man/systemd-sysext.html. |
|
|
|
The systemd-sysext.service automatically merges installed system |
|
extensions during boot (before basic.target, but not in very early |
|
boot, since various file systems have to be mounted first). |
|
|
|
The SYSEXT_LEVEL= field in os-release(5) may be used to specify the |
|
supported system extension level. |
|
|
|
* A new ExtensionImages= unit setting can be used to apply the same |
|
system extension image concept from systemd-sysext to the namespaced |
|
file hierarchy of specific services, following the same rules and |
|
constraints. |
|
|
|
* Support for a new special “root=tmpfs” kernel command-line option has |
|
been added. When specified, a tmpfs is mounted on /, and mount.usr= |
|
should be used to point to the operating system implementation. |
|
|
|
* A new configuration file /etc/veritytab may be used to configure |
|
dm-verity integrity protection for block devices. Each line is in the |
|
format “volume-name data-device hash-device roothash options”, |
|
similar to /etc/crypttab. |
|
|
|
* A new kernel command-line option systemd.verity.root_options= may be |
|
used to configure dm-verity behaviour for the root device. |
|
|
|
* The key file specified in /etc/crypttab (the third field) may now |
|
refer to an AF_UNIX/SOCK_STREAM socket in the file system. The key is |
|
acquired by connecting to that socket and reading from it. This |
|
allows the implementation of a service to provide key information |
|
dynamically, at the moment when it is needed. |
|
|
|
* When the hostname is set explicitly to “localhost”, systemd-hostnamed |
|
will respect this. Previously such a setting would be mostly silently |
|
ignored. The goal is to honour configuration as specified by the |
|
user. |
|
|
|
* The fallback hostname that will be used by the system manager and |
|
systemd-hostnamed can now be configured in two new ways: by setting |
|
DEFAULT_HOSTNAME= in os-release(5), or by setting |
|
$SYSTEMD_DEFAULT_HOSTNAME in the environment block. As before, it can |
|
also be configured during compilation. The environment variable is |
|
intended for testing and local overrides, the os-release(5) field is |
|
intended to allow customization by different variants of a |
|
distribution that share the same compiled packages. |
|
|
|
* The environment block of the manager itself may be configured through |
|
a new ManagerEnvironment= setting in system.conf or user.conf. This |
|
complements existing ways to set the environment block (the kernel |
|
command line for the system manager, the inherited environment and |
|
user@.service unit file settings for the user manager). |
|
|
|
* systemd-hostnamed now exports the default hostname and the source of |
|
the configured hostname (“static”, “transient”, or “default”) as |
|
D-Bus properties. |
|
|
|
* systemd-hostnamed now exports the “HardwareVendor” and |
|
“HardwareModel” D-Bus properties, which are supposed to contain a |
|
pair of cleaned up, human readable strings describing the system’s |
|
vendor and model. It’s typically sourced from the firmware’s DMI |
|
tables, but may be augmented from a new hwdb database. hostnamectl |
|
shows this in the status output. |
|
|
|
* Support has been added to systemd-cryptsetup for extracting the |
|
PKCS#11 token URI and encrypted key from the LUKS2 JSON embedded |
|
metadata header. This allows the information how to open the |
|
encrypted device to be embedded directly in the device and obviates |
|
the need for configuration in an external file. |
|
|
|
* systemd-cryptsetup gained support for unlocking LUKS2 volumes using |
|
TPM2 hardware, as well as FIDO2 security tokens (in addition to the |
|
pre-existing support for PKCS#11 security tokens). |
|
|
|
* systemd-repart may enroll encrypted partitions using TPM2 |
|
hardware. This may be useful for example to create an encrypted /var |
|
partition bound to the machine on first boot. |
|
|
|
* A new systemd-cryptenroll tool has been added to enroll TPM2, FIDO2 |
|
and PKCS#11 security tokens to LUKS volumes, list and destroy |
|
them. See: |
|
|
|
https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html |
|
|
|
It also supports enrolling “recovery keys” and regular passphrases. |
|
|
|
* The libfido2 dependency is now based on dlopen(), so that the library |
|
is used at runtime when installed, but is not a hard runtime |
|
dependency. |
|
|
|
* systemd-cryptsetup gained support for two new options in |
|
/etc/crypttab: “no-write-workqueue” and “no-read-workqueue” which |
|
request synchronous processing of encryption/decryption IO. |
|
|
|
* The manager may be configured at compile time to use the fexecve() |
|
instead of the execve() system call when spawning processes. Using |
|
fexecve() closes a window between checking the security context of an |
|
executable and spawning it, but unfortunately the kernel displays |
|
stale information in the process’ “comm” field, which impacts ps |
|
output and such. |
|
|
|
* The configuration option -Dcompat-gateway-hostname has been dropped. |
|
“_gateway” is now the only supported name. |
|
|
|
* The ConditionSecurity=tpm2 unit file setting may be used to check if |
|
the system has at least one TPM2 (tpmrm class) device. |
|
|
|
* A new ConditionCPUFeature= has been added that may be used to |
|
conditionalize units based on CPU features. For example, |
|
ConditionCPUFeature=rdrand will condition a unit so that it is only |
|
run when the system CPU supports the RDRAND opcode. |
|
|
|
* The existing ConditionControlGroupController= setting has been |
|
extended with two new values “v1” and “v2”. “v2” means that the |
|
unified v2 cgroup hierarchy is used, and “v1” means that legacy v1 |
|
hierarchy or the hybrid hierarchy are used. |
|
|
|
* A new PrivateIPC= setting on a unit file allows executed processes to |
|
be moved into a private IPC namespace, with separate System V IPC |
|
identifiers and POSIX message queues. |
|
|
|
A new IPCNamespacePath= allows the unit to be joined to an existing |
|
IPC namespace. |
|
|
|
* The tables of system calls in seccomp filters are now automatically |
|
generated from kernel lists exported on |
|
https://fedora.juszkiewicz.com.pl/syscalls.html. |
|
|
|
The following architectures should now have complete lists: |
|
alpha, arc, arm64, arm, i386, ia64, m68k, mips64n32, mips64, mipso32, |
|
powerpc, powerpc64, s390, s390x, tilegx, sparc, x86_64, x32. |
|
|
|
* The MountAPIVFS= service file setting now additionally mounts a tmpfs |
|
on /run/ if it is not already a mount point. A writable /run/ has |
|
always been a requirement for a functioning system, but this was not |
|
guaranteed when using a read-only image. |
|
|
|
Users can always specify BindPaths= or InaccessiblePaths= as |
|
overrides, and they will take precedence. If the host’s root mount |
|
point is used, there is no change in behaviour. |
|
|
|
* New bind mounts and file system image mounts may be injected into the |
|
mount namespace of a service (without restarting it). This is exposed |
|
respectively as ‘systemctl bind …’ and |
|
‘systemctl mount-image …’. |
|
|
|
* The StandardOutput= and StandardError= settings can now specify files |
|
to be truncated for output (as “truncate:“). |
|
|
|
* The ExecPaths= and NoExecPaths= settings may be used to specify |
|
noexec for parts of the file system. |
|
|
|
* sd-bus has a new function sd_bus_open_user_machine() to open a |
|
connection to the session bus of a specific user in a local container |
|
or on the local host. This is exposed in the existing -M switch to |
|
systemctl and similar tools: |
|
|
|
systemctl –user -M lennart@foobar start foo |
|
|
|
This will connect to the user bus of a user “lennart” in container |
|
“foobar”. If no container name is specified, the specified user on |
|
the host itself is connected to |
|
|
|
systemctl –user -M lennart@ start quux |
|
|
|
* sd-bus also gained a convenience function sd_bus_message_send() to |
|
simplify invocations of sd_bus_send(), taking only a single |
|
parameter: the message to send. |
|
|
|
* sd-event allows rate limits to be set on event sources, for dealing |
|
with high-priority event sources that might starve out others. See |
|
the new man page sd_event_source_set_ratelimit(3) for details. |
|
|
|
* systemd.link files gained a [Link] Promiscuous= switch, which allows |
|
the device to be raised in promiscuous mode. |
|
|
|
New [Link] TransmitQueues= and ReceiveQueues= settings allow the |
|
number of TX and RX queues to be configured. |
|
|
|
New [Link] TransmitQueueLength= setting allows the size of the TX |
|
queue to be configured. |
|
|
|
New [Link] GenericSegmentOffloadMaxBytes= and |
|
GenericSegmentOffloadMaxSegments= allow capping the packet size and |
|
the number of segments accepted in Generic Segment Offload. |
|
|
|
* systemd-networkd gained support for the “B.A.T.M.A.N. advanced” |
|
wireless routing protocol that operates on ISO/OSI Layer 2 only and |
|
uses ethernet frames to route/bridge packets. This encompasses a new |
|
“batadv” netdev Type=, a new [BatmanAdvanced] section with a bunch of |
|
new settings in .netdev files, and a new BatmanAdvanced= setting in |
|
.network files. |
|
|
|
* systemd.network files gained a [Network] RouteTable= configuration |
|
switch to select the routing policy table. |
|
|
|
systemd.network files gained a [RoutingPolicyRule] Type= |
|
configuration switch (one of “blackhole, “unreachable”, “prohibit”). |
|
|
|
systemd.network files gained a [IPv6AcceptRA] RouteDenyList= and |
|
RouteAllowList= settings to ignore/accept route advertisements from |
|
routers matching specified prefixes. The DenyList= setting has been |
|
renamed to PrefixDenyList= and a new PrefixAllowList= option has been |
|
added. |
|
|
|
systemd.network files gained a [DHCPv6] UseAddress= setting to |
|
optionally ignore the address provided in the lease. |
|
|
|
systemd.network files gained a [DHCPv6PrefixDelegation] |
|
ManageTemporaryAddress= switch. |
|
|
|
systemd.network files gained a new ActivationPolicy= setting which |
|
allows configuring how the UP state of an interface shall be managed, |
|
i.e. whether the interface is always upped, always downed, or may be |
|
upped/downed by the user using “ip link set dev”. |
|
|
|
* The default for the Broadcast= setting in .network files has slightly |
|
changed: the broadcast address will not be configured for wireguard |
|
devices. |
|
|
|
* systemd.netdev files gained a [VLAN] Protocol=, IngressQOSMaps=, |
|
EgressQOSMaps=, and [MACVLAN] BroadcastMulticastQueueLength= |
|
configuration options for VLAN packet handling. |
|
|
|
* udev rules may now set log_level= option. This allows debug logs to |
|
be enabled for select events, e.g. just for a specific subsystem or |
|
even a single device. |
|
|
|
* udev now exports the VOLUME_ID, LOGICAL_VOLUME_ID, VOLUME_SET_ID, and |
|
DATA_PREPARED_ID properties for block devices with ISO9660 file |
|
systems. |
|
|
|
* udev now exports decoded DMI information about installed memory slots |
|
as device properties under the /sys/class/dmi/id/ pseudo device. |
|
|
|
* /dev/ is not mounted noexec anymore. This didn’t provide any |
|
significant security benefits and would conflict with the executable |
|
mappings used with /dev/sgx device nodes. The previous behaviour can |
|
be restored for individual services with NoExecPaths=/dev (or by allow- |
|
listing and excluding /dev from ExecPaths=). |
|
|
|
* Permissions for /dev/vsock are now set to 0o666, and /dev/vhost-vsock |
|
and /dev/vhost-net are owned by the kvm group. |
|
|
|
* The hardware database has been extended with a list of fingerprint |
|
readers that correctly support USB auto-suspend using data from |
|
libfprint. |
|
|
|
* systemd-resolved can now answer DNSSEC questions through the stub |
|
resolver interface in a way that allows local clients to do DNSSEC |
|
validation themselves. For a question with DO+CD set, it’ll proxy the |
|
DNS query and respond with a mostly unmodified packet received from |
|
the upstream server. |
|
|
|
* systemd-resolved learnt a new boolean option CacheFromLocalhost= in |
|
resolved.conf. If true the service will provide caching even for DNS |
|
lookups made to an upstream DNS server on the 127.0.0.1/::1 |
|
addresses. By default (and when the option is false) systemd-resolved |
|
will not cache such lookups, in order to avoid duplicate local |
|
caching, under the assumption the local upstream server caches |
|
anyway. |
|
|
|
* systemd-resolved now implements RFC5001 NSID in its local DNS |
|
stub. This may be used by local clients to determine whether they are |
|
talking to the DNS resolver stub or a different DNS server. |
|
|
|
* When resolving host names and other records resolvectl will now |
|
report where the data was acquired from (i.e. the local cache, the |
|
network, locally synthesized, …) and whether the network traffic it |
|
effected was encrypted or not. Moreover the tool acquired a number of |
|
new options –cache=, –synthesize=, –network=, –zone=, |
|
–trust-anchor=, –validate= that take booleans and may be used to |
|
tweak a lookup, i.e. whether it may be answered from cached |
|
information, locally synthesized information, information acquired |
|
through the network, the local mDNS/LLMNR zone, the DNSSEC trust |
|
anchor, and whether DNSSEC validation shall be executed for the |
|
lookup. |
|
|
|
* systemd-nspawn gained a new –ambient-capability= setting |
|
(AmbientCapability= in .nspawn files) to configure ambient |
|
capabilities passed to the container payload. |
|
|
|
* systemd-nspawn gained the ability to configure the firewall using the |
|
nftables subsystem (in addition to the existing iptables |
|
support). Similarly, systemd-networkd’s IPMasquerade= option now |
|
supports nftables as back-end, too. In both cases NAT on IPv6 is now |
|
supported too, in addition to IPv4 (the iptables back-end still is |
|
IPv4-only). |
|
|
|
“IPMasquerade=yes”, which was the same as “IPMasquerade=ipv4” before, |
|
retains its meaning, but has been deprecated. Please switch to either |
|
“ivp4” or “both” (if covering IPv6 is desired). |
|
|
|
* systemd-importd will now download .verity and .roothash.p7s files |
|
along with the machine image (as exposed via machinectl pull-raw). |
|
|
|
* systemd-oomd now gained a new DefaultMemoryPressureDurationSec= |
|
setting to configure the time a unit’s cgroup needs to exceed memory |
|
pressure limits before action will be taken, and a new |
|
ManagedOOMPreference=none|avoid|omit setting to avoid killing certain |
|
units. |
|
|
|
systemd-oomd is now considered fully supported (the usual |
|
backwards-compatibility promises apply). Swap is not required for |
|
operation, but it is still recommended. |
|
|
|
* systemd-timesyncd gained a new ConnectionRetrySec= setting which |
|
configures the retry delay when trying to contact servers. |
|
|
|
* systemd-stdio-bridge gained –system/–user options to connect to the |
|
system bus (previous default) or the user session bus. |
|
|
|
* systemd-localed may now call locale-gen to generate missing locales |
|
on-demand (UTF-8-only). This improves integration with Debian-based |
|
distributions (Debian/Ubuntu/PureOS/Tanglu/…) and Arch Linux. |
|
|
|
* systemctl –check-inhibitors=true may now be used to obey inhibitors |
|
even when invoked non-interactively. The old –ignore-inhibitors |
|
switch is now deprecated and replaced by –check-inhibitors=false. |
|
|
|
* systemctl import-environment will now emit a warning when called |
|
without any arguments (i.e. to import the full environment block of |
|
the called program). This command will usually be invoked from a |
|
shell, which means that it’ll inherit a bunch of variables which are |
|
specific to that shell, and usually to the TTY the shell is connected |
|
to, and don’t have any meaning in the global context of the system or |
|
user service manager. Instead, only specific variables should be |
|
imported into the manager environment block. |
|
|
|
Similarly, programs which update the manager environment block by |
|
directly calling the D-Bus API of the manager, should also push |
|
specific variables, and not the full inherited environment. |
|
|
|
* systemctl’s status output now shows unit state with a more careful |
|
choice of Unicode characters: units in maintenance show a “○” symbol |
|
instead of the usual “●”, failed units show “×”, and services being |
|
reloaded “↻”. |
|
|
|
* coredumpctl gained a –debugger-arguments= switch to pass arguments |
|
to the debugger. It also gained support for showing coredump info in |
|
a simple JSON format. |
|
|
|
* systemctl/loginctl/machinectl’s –signal= option now accept a special |
|
value “list”, which may be used to show a brief table with known |
|
process signals and their numbers. |
|
|
|
* networkctl now shows the link activation policy in status. |
|
|
|
* Various tools gained –pager/–no-pager/–json= switches to |
|
enable/disable the pager and provide JSON output. |
|
|
|
* Various tools now accept two new values for the SYSTEMD_COLORS |
|
environment variable: “16” and “256”, to configure how many terminal |
|
colors are used in output. |
|
|
|
* less 568 or newer is now required for the auto-paging logic of the |
|
various tools. Hyperlink ANSI sequences in terminal output are now |
|
used even if a pager is used, and older versions of less are not able |
|
to display these sequences correctly. SYSTEMD_URLIFY=0 may be used to |
|
disable this output again. |
|
|
|
* Builds with support for separate / and /usr/ hierarchies (“split-usr” |
|
builds, non-merged-usr builds) are now officially deprecated. A |
|
warning is emitted during build. Support is slated to be removed in |
|
about a year (when the Debian Bookworm release development starts). |
|
|
|
* Systems with the legacy cgroup v1 hierarchy are now marked as |
|
“tainted”, to make it clearer that using the legacy hierarchy is not |
|
recommended. |
|
|
|
* systemd-localed will now refuse to configure a keymap which is not |
|
installed in the file system. This is intended as a bug fix, but |
|
could break cases where systemd-localed was used to configure the |
|
keymap in advanced of it being installed. It is necessary to install |
|
the keymap file first. |
|
|
|
* The main git development branch has been renamed to ‘main’. |
|
|
|
* mmcblk[0-9]boot[0-9] devices will no longer be probed automatically |
|
for partitions, as in the vast majority of cases they contain none |
|
and are used internally by the bootloader (eg: uboot). |
|
|
|
* systemd will now set the $SYSTEMD_EXEC_PID environment variable for |
|
spawned processes to the PID of the process itself. This may be used |
|
by programs for detecting whether they were forked off by the service |
|
manager itself or are a process forked off further down the tree. |
|
|
|
* The sd-device API gained four new calls: sd_device_get_action() to |
|
determine the uevent add/remove/change/… action the device object has |
|
been seen for, sd_device_get_seqno() to determine the uevent sequence |
|
number, sd_device_new_from_stat_rdev() to allocate a new sd_device |
|
object from stat(2) data of a device node, and sd_device_trigger() to |
|
write to the ‘uevent’ attribute of a device. |
|
|
|
* For most tools the –no-legend= switch has been replaced by |
|
–legend=no and –legend=yes, to force whether tables are shown with |
|
headers/legends. |
|
|
|
* Units acquired a new property “Markers” that takes a list of zero, |
|
one or two of the following strings: “needs-reload” and |
|
“needs-restart”. These markers may be set via “systemctl |
|
set-property”. Once a marker is set, “systemctl reload-or-restart |
|
–marked” may be invoked to execute the operation the units are |
|
marked for. This is useful for package managers that want to mark |
|
units for restart/reload while updating, but effect the actual |
|
operations at a later step at once. |
|
|
|
* The sd_bus_message_read_strv() API call of sd-bus may now also be |
|
used to parse arrays of D-Bus signatures and D-Bus paths, in addition |
|
to regular strings. |
|
|
|
* bootctl will now report whether the UEFI firmware used a TPM2 device |
|
and measured the boot process into it. |
|
|
|
* systemd-tmpfiles learnt support for a new environment variable |
|
$SYSTEMD_TMPFILES_FORCE_SUBVOL which takes a boolean value. If true |
|
the v/q/Q lines in tmpfiles.d/ snippets will create btrfs subvolumes |
|
even if the root fs of the system is not itself a btrfs volume. |
|
|
|
* systemd-detect-virt/ConditionVirtualization= will now explicitly |
|
detect Docker/Podman environments where possible. Moreover, they |
|
should be able to generically detect any container manager as long as |
|
it assigns the container a cgroup. |
|
|
|
* portablectl gained a new “reattach” verb for detaching/reattaching a |
|
portable service image, useful for updating images on-the-fly. |
|
|
|
* Intel SGX enclave device nodes (which expose a security feature of |
|
newer Intel CPUs) will now be owned by a new system group “sgx”. |
|
|
|
Contributions from: Adam Nielsen, Adrian Vovk, AJ Jordan, Alan Perry, |
|
Alastair Pharo, Alexander Batischev, Ali Abdallah, Andrew Balmos, |
|
Anita Zhang, Annika Wickert, Ansgar Burchardt, Antonio Terceiro, |
|
Antonius Frie, Ardy, Arian van Putten, Ariel Fermani, Arnaud T, |
|
A S Alam, Bastien Nocera, Benjamin Berg, Benjamin Robin, Björn Daase, |
|
caoxia, Carlo Wood, Charles Lee, ChopperRob, chri2, Christian Ehrhardt, |
|
Christian Hesse, Christopher Obbard, clayton craft, corvusnix, cprn, |
|
Daan De Meyer, Daniele Medri, Daniel Rusek, Dan Sanders, Dan Streetman, |
|
Darren Ng, David Edmundson, David Tardon, Deepak Rawat, Devon Pringle, |
|
Dmitry Borodaenko, dropsignal, Einsler Lee, Endre Szabo, |
|
Evgeny Vereshchagin, Fabian Affolter, Fangrui Song, Felipe Borges, |
|
feliperodriguesfr, Felix Stupp, Florian Hülsmann, Florian Klink, |
|
Florian Westphal, Franck Bui, Frantisek Sumsal, Gablegritule, |
|
Gaël PORTAY, Gaurav, Giedrius Statkevičius, Greg Depoire-Ferrer, |
|
Gustavo Costa, Hans de Goede, Hela Basa, heretoenhance, hide, |
|
Iago López Galeiras, igo95862, Ilya Dmitrichenko, Jameer Pathan, |
|
Jan Tojnar, Jiehong, Jinyuan Si, Joerg Behrmann, John Slade, |
|
Jonathan G. Underwood, Jonathan McDowell, Josh Triplett, Joshua Watt, |
|
Julia Cartwright, Julien Humbert, Kairui Song, Karel Zak, |
|
Kevin Backhouse, Kevin P. Fleming, Khem Raj, Konomi, krissgjeng, |
|
l4gfcm, Lajos Veres, Lennart Poettering, Lincoln Ramsay, Luca Boccassi, |
|
Luca BRUNO, Lucas Werkmeister, Luka Kudra, Luna Jernberg, |
|
Marc-André Lureau, Martin Wilck, Matthias Klumpp, Matt Turner, |
|
Michael Gisbers, Michael Marley, Michael Trapp, Michal Fabik, |
|
Michał Kopeć, Michal Koutný, Michal Sekletár, Michele Guerini Rocco, |
|
Mike Gilbert, milovlad, moson-mo, Nick, nihilix-melix, Oğuz Ersen, |
|
Ondrej Mosnacek, pali, Pavel Hrdina, Pavel Sapezhko, Perry Yuan, |
|
Peter Hutterer, Pierre Dubouilh, Piotr Drąg, Pjotr Vertaalt, |
|
Richard Laager, RussianNeuroMancer, Sam Lunt, Sebastiaan van Stijn, |
|
Sergey Bugaev, shenyangyang4, simmon, Simonas Kazlauskas, |
|
Slimane Selyan Amiri, Stefan Agner, Steve Ramage, Susant Sahani, |
|
Sven Mueller, Tad Fisher, Takashi Iwai, Thomas Haller, Tom Shield, |
|
Topi Miettinen, Torsten Hilbrich, tpgxyz, Tyler Hicks, ulf-f, |
|
Ulrich Ölmann, Vincent Pelletier, Vinnie Magro, Vito Caputo, Vlad, |
|
walbit-de, Whired Planck, wouter bolsterlee, Xℹ Ruoyao, Yangyang Shen, |
|
Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, |
|
Zmicer Turok, Дамјан Георгиевски |
|
|
|
— Berlin, 2021-03-30 |
|
|
|
CHANGES WITH 247: |
|
|
|
* KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents |
|
“bind” and “unbind” to the Linux device model. When this kernel |
|
change was made, systemd-udevd was only minimally updated to handle |
|
and propagate these new event types. The introduction of these new |
|
uevents (which are typically generated for USB devices and devices |
|
needing a firmware upload before being functional) resulted in a |
|
number of issues which we so far didn’t address. We hoped the kernel |
|
maintainers would themselves address these issues in some form, but |
|
that did not happen. To handle them properly, many (if not most) udev |
|
rules files shipped in various packages need updating, and so do many |
|
programs that monitor or enumerate devices with libudev or sd-device, |
|
or otherwise process uevents. Please note that this incompatibility |
|
is not fault of systemd or udev, but caused by an incompatible kernel |
|
change that happened back in Linux 4.14, but is becoming more and |
|
more visible as the new uevents are generated by more kernel drivers. |
|
|
|
To minimize issues resulting from this kernel change (but not avoid |
|
them entirely) starting with systemd-udevd 247 the udev “tags” |
|
concept (which is a concept for marking and filtering devices during |
|
enumeration and monitoring) has been reworked: udev tags are now |
|
“sticky”, meaning that once a tag is assigned to a device it will not |
|
be removed from the device again until the device itself is removed |
|
(i.e. unplugged). This makes sure that any application monitoring |
|
devices that match a specific tag is guaranteed to both see uevents |
|
where the device starts being relevant, and those where it stops |
|
being relevant (the latter now regularly happening due to the new |
|
“unbind” uevent type). The udev tags concept is hence now a concept |
|
tied to a *device* instead of a device *event* — unlike for example |
|
udev properties whose lifecycle (as before) is generally tied to a |
|
device event, meaning that the previously determined properties are |
|
forgotten whenever a new uevent is processed. |
|
|
|
With the newly redefined udev tags concept, sometimes it’s necessary |
|
to determine which tags are the ones applied by the most recent |
|
uevent/database update, in order to discern them from those |
|
originating from earlier uevents/database updates of the same |
|
device. To accommodate for this a new automatic property CURRENT_TAGS |
|
has been added that works similar to the existing TAGS property but |
|
only lists tags set by the most recent uevent/database |
|
update. Similarly, the libudev/sd-device API has been updated with |
|
new functions to enumerate these ‘current’ tags, in addition to the |
|
existing APIs that now enumerate the ‘sticky’ ones. |
|
|
|
To properly handle “bind”/”unbind” on Linux 4.14 and newer it is |
|
essential that all udev rules files and applications are updated to |
|
handle the new events. Specifically: |
|
|
|
• All rule files that currently use a header guard similar to |
|
ACTION!=”add|change”,GOTO=”xyz_end” should be updated to use |
|
ACTION==”remove”,GOTO=”xyz_end” instead, so that the |
|
properties/tags they add are also applied whenever “bind” (or |
|
“unbind”) is seen. (This is most important for all physical device |
|
types — those for which “bind” and “unbind” are currently |
|
generated, for all other device types this change is still |
|
recommended but not as important — but certainly prepares for |
|
future kernel uevent type additions). |
|
|
|
• Similarly, all code monitoring devices that contains an ‘if’ branch |
|
discerning the “add” + “change” uevent actions from all other |
|
uevents actions (i.e. considering devices only relevant after “add” |
|
or “change”, and irrelevant on all other events) should be reworked |
|
to instead negatively check for “remove” only (i.e. considering |
|
devices relevant after all event types, except for “remove”, which |
|
invalidates the device). Note that this also means that devices |
|
should be considered relevant on “unbind”, even though conceptually |
|
this — in some form — invalidates the device. Since the precise |
|
effect of “unbind” is not generically defined, devices should be |
|
considered relevant even after “unbind”, however I/O errors |
|
accessing the device should then be handled gracefully. |
|
|
|
• Any code that uses device tags for deciding whether a device is |
|
relevant or not most likely needs to be updated to use the new |
|
udev_device_has_current_tag() API (or sd_device_has_current_tag() |
|
in case sd-device is used), to check whether the tag is set at the |
|
moment an uevent is seen (as opposed to the existing |
|
udev_device_has_tag() API which checks if the tag ever existed on |
|
the device, following the API concept redefinition explained |
|
above). |
|
|
|
We are very sorry for this breakage and the requirement to update |
|
packages using these interfaces. We’d again like to underline that |
|
this is not caused by systemd/udev changes, but result of a kernel |
|
behaviour change. |
|
|
|
* UPCOMING INCOMPATIBILITY: So far most downstream distribution |
|
packages have not retriggered devices once the udev package (or any |
|
auxiliary package installing additional udev rules) is updated. We |
|
intend to work with major distributions to change this, so that |
|
“udevadm trigger -a change” is issued on such upgrades, ensuring that |
|
the updated ruleset is applied to the devices already discovered, so |
|
that (asynchronously) after the upgrade completed the udev database |
|
is consistent with the updated rule set. This means udev rules must |
|
be ready to be retriggered with a “change” action any time, and |
|
result in correct and complete udev database entries. While the |
|
majority of udev rule files known to us currently get this right, |
|
some don’t. Specifically, there are udev rules files included in |
|
various packages that only set udev properties on the “add” action, |
|
but do not handle the “change” action. If a device matching those |
|
rules is retriggered with the “change” action (as is intended here) |
|
it would suddenly lose the relevant properties. This always has been |
|
problematic, but as soon as all udev devices are triggered on relevant |
|
package upgrades this will become particularly so. It is strongly |
|
recommended to fix offending rules so that they can handle a “change” |
|
action at any time, and acquire all necessary udev properties even |
|
then. Or in other words: the header guard mentioned above |
|
(ACTION==”remove”,GOTO=”xyz_end”) is the correct approach to handle |
|
this, as it makes sure rules are rerun on “change” correctly, and |
|
accumulate the correct and complete set of udev properties. udev rule |
|
definitions that cannot handle “change” events being triggered at |
|
arbitrary times should be considered buggy. |
|
|
|
* The MountAPIVFS= service file setting now defaults to on if |
|
RootImage= and RootDirectory= are used, which means that with those |
|
two settings /proc/, /sys/ and /dev/ are automatically properly set |
|
up for services. Previous behaviour may be restored by explicitly |
|
setting MountAPIVFS=off. |
|
|
|
* Since PAM 1.2.0 (2015) configuration snippets may be placed in |
|
/usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the |
|
latter it takes precedence over the former, similar to how most of |
|
systemd’s own configuration is handled. Given that PAM stack |
|
definitions are primarily put together by OS vendors/distributions |
|
(though possibly overridden by users), this systemd release moves its |
|
own PAM stack configuration for the “systemd-user” PAM service (i.e. |
|
for the PAM session invoked by the per-user user@.service instance) |
|
from /etc/pam.d/ to /usr/lib/pam.d/. We recommend moving all |
|
packages’ vendor versions of their PAM stack definitions from |
|
/etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not |
|
desired the location to which systemd installs its PAM stack |
|
configuration may be changed via the -Dpamconfdir Meson option. |
|
|
|
* The runtime dependencies on libqrencode, libpcre2, libidn/libidn2, |
|
libpwquality and libcryptsetup have been changed to be based on |
|
dlopen(): instead of regular dynamic library dependencies declared in |
|
the binary ELF headers, these libraries are now loaded on demand |
|
only, if they are available. If the libraries cannot be found the |
|
relevant operations will fail gracefully, or a suitable fallback |
|
logic is chosen. This is supposed to be useful for general purpose |
|
distributions, as it allows minimizing the list of dependencies the |
|
systemd packages pull in, permitting building of more minimal OS |
|
images, while still making use of these “weak” dependencies should |
|
they be installed. Since many package managers automatically |
|
synthesize package dependencies from ELF shared library dependencies, |
|
some additional manual packaging work has to be done now to replace |
|
those (slightly downgraded from “required” to “recommended” or |
|
whatever is conceptually suitable for the package manager). Note that |
|
this change does not alter build-time behaviour: as before the |
|
build-time dependencies have to be installed during build, even if |
|
they now are optional during runtime. |
|
|
|
* sd-event.h gained a new call sd_event_add_time_relative() for |
|
installing timers relative to the current time. This is mostly a |
|
convenience wrapper around the pre-existing sd_event_add_time() call |
|
which installs absolute timers. |
|
|
|
* sd-event event sources may now be placed in a new “exit-on-failure” |
|
mode, which may be controlled via the new |
|
sd_event_source_get_exit_on_failure() and |
|
sd_event_source_set_exit_on_failure() functions. If enabled, any |
|
failure returned by the event source handler functions will result in |
|
exiting the event loop (unlike the default behaviour of just |
|
disabling the event source but continuing with the event loop). This |
|
feature is useful to set for all event sources that define “primary” |
|
program behaviour (where failure should be fatal) in contrast to |
|
“auxiliary” behaviour (where failure should remain local). |
|
|
|
* Most event source types sd-event supports now accept a NULL handler |
|
function, in which case the event loop is exited once the event |
|
source is to be dispatched, using the userdata pointer — converted to |
|
a signed integer — as exit code of the event loop. Previously this |
|
was supported for IO and signal event sources already. Exit event |
|
sources still do not support this (simply because it makes little |
|
sense there, as the event loop is already exiting when they are |
|
dispatched). |
|
|
|
* A new per-unit setting RootImageOptions= has been added which allows |
|
tweaking the mount options for any file system mounted as effect of |
|
the RootImage= setting. |
|
|
|
* Another new per-unit setting MountImages= has been added, that allows |
|
mounting additional disk images into the file system tree accessible |
|
to the service. |
|
|
|
* Timer units gained a new FixedRandomDelay= boolean setting. If |
|
enabled, the random delay configured with RandomizedDelaySec= is |
|
selected in a way that is stable on a given system (though still |
|
different for different units). |
|
|
|
* Socket units gained a new setting Timestamping= that takes “us”, “ns” |
|
or “off”. This controls the SO_TIMESTAMP/SO_TIMESTAMPNS socket |
|
options. |
|
|
|
* systemd-repart now generates JSON output when requested with the new |
|
–json= switch. |
|
|
|
* systemd-machined’s OpenMachineShell() bus call will now pass |
|
additional policy metadata data fields to the PolicyKit |
|
authentication request. |
|
|
|
* systemd-tmpfiles gained a new -E switch, which is equivalent to |
|
–exclude-prefix=/dev –exclude-prefix=/proc –exclude=/run |
|
–exclude=/sys. It’s particularly useful in combination with –root=, |
|
when operating on OS trees that do not have any of these four runtime |
|
directories mounted, as this means no files below these subtrees are |
|
created or modified, since those mount points should probably remain |
|
empty. |
|
|
|
* systemd-tmpfiles gained a new –image= switch which is like –root=, |
|
but takes a disk image instead of a directory as argument. The |
|
specified disk image is mounted inside a temporary mount namespace |
|
and the tmpfiles.d/ drop-ins stored in the image are executed and |
|
applied to the image. systemd-sysusers similarly gained a new |
|
–image= switch, that allows the sysusers.d/ drop-ins stored in the |
|
image to be applied onto the image. |
|
|
|
* Similarly, the journalctl command also gained an –image= switch, |
|
which is a quick one-step solution to look at the log data included |
|
in OS disk images. |
|
|
|
* journalctl’s –output=cat option (which outputs the log content |
|
without any metadata, just the pure text messages) will now make use |
|
of terminal colors when run on a suitable terminal, similarly to the |
|
other output modes. |
|
|
|
* JSON group records now support a “description” string that may be |
|
used to add a human-readable textual description to such groups. This |
|
is supposed to match the user’s GECOS field which traditionally |
|
didn’t have a counterpart for group records. |
|
|
|
* The “systemd-dissect” tool that may be used to inspect OS disk images |
|
and that was previously installed to /usr/lib/systemd/ has now been |
|
moved to /usr/bin/, reflecting its updated status of an officially |
|
supported tool with a stable interface. It gained support for a new |
|
–mkdir switch which when combined with –mount has the effect of |
|
creating the directory to mount the image to if it is missing |
|
first. It also gained two new commands –copy-from and –copy-to for |
|
copying files and directories in and out of an OS image without the |
|
need to manually mount it. It also acquired support for a new option |
|
–json= to generate JSON output when inspecting an OS image. |
|
|
|
* The cgroup2 file system is now mounted with the |
|
“memory_recursiveprot” mount option, supported since kernel 5.7. This |
|
means that the MemoryLow= and MemoryMin= unit file settings now apply |
|
recursively to whole subtrees. |
|
|
|
* systemd-homed now defaults to using the btrfs file system — if |
|
available — when creating home directories in LUKS volumes. This may |
|
be changed with the DefaultFileSystemType= setting in homed.conf. |
|
It’s now the default file system in various major distributions and |
|
has the major benefit for homed that it can be grown and shrunk while |
|
mounted, unlike the other contenders ext4 and xfs, which can both be |
|
grown online, but not shrunk (in fact xfs is the technically most |
|
limited option here, as it cannot be shrunk at all). |
|
|
|
* JSON user records managed by systemd-homed gained support for |
|
“recovery keys”. These are basically secondary passphrases that can |
|
unlock user accounts/home directories. They are computer-generated |
|
rather than user-chosen, and typically have greater entropy. |
|
homectl’s –recovery-key= option may be used to add a recovery key to |
|
a user account. The generated recovery key is displayed as a QR code, |
|
so that it can be scanned to be kept in a safe place. This feature is |
|
particularly useful in combination with systemd-homed’s support for |
|
FIDO2 or PKCS#11 authentication, as a secure fallback in case the |
|
security tokens are lost. Recovery keys may be entered wherever the |
|
system asks for a password. |
|
|
|
* systemd-homed now maintains a “dirty” flag for each LUKS encrypted |
|
home directory which indicates that a home directory has not been |
|
deactivated cleanly when offline. This flag is useful to identify |
|
home directories for which the offline discard logic did not run when |
|
offlining, and where it would be a good idea to log in again to catch |
|
up. |
|
|
|
* systemctl gained a new parameter –timestamp= which may be used to |
|
change the style in which timestamps are output, i.e. whether to show |
|
them in local timezone or UTC, or whether to show µs granularity. |
|
|
|
* Alibaba’s “pouch” container manager is now detected by |
|
systemd-detect-virt, ConditionVirtualization= and similar |
|
constructs. Similar, they now also recognize IBM PowerVM machine |
|
virtualization. |
|
|
|
* systemd-nspawn has been reworked to use the /run/host/incoming/ as |
|
place to use for propagating external mounts into the |
|
container. Similarly /run/host/notify is now used as the socket path |
|
for container payloads to communicate with the container manager |
|
using sd_notify(). The container manager now uses the |
|
/run/host/inaccessible/ directory to place “inaccessible” file nodes |
|
of all relevant types which may be used by the container payload as |
|
bind mount source to over-mount inodes to make them inaccessible. |
|
/run/host/container-manager will now be initialized with the same |
|
string as the $container environment variable passed to the |
|
container’s PID 1. /run/host/container-uuid will be initialized with |
|
the same string as $container_uuid. This means the /run/host/ |
|
hierarchy is now the primary way to make host resources available to |
|
the container. The Container Interface documents these new files and |
|
directories: |
|
|
|
https://systemd.io/CONTAINER_INTERFACE |
|
|
|
* Support for the “ConditionNull=” unit file condition has been |
|
deprecated and undocumented for 6 years. systemd started to warn |
|
about its use 1.5 years ago. It has now been removed entirely. |
|
|
|
* sd-bus.h gained a new API call sd_bus_error_has_names(), which takes |
|
a sd_bus_error struct and a list of error names, and checks if the |
|
error matches one of these names. It’s a convenience wrapper that is |
|
useful in cases where multiple errors shall be handled the same way. |
|
|
|
* A new system call filter list “@known” has been added, that contains |
|
all system calls known at the time systemd was built. |
|
|
|
* Behaviour of system call filter allow lists has changed slightly: |
|
system calls that are contained in @known will result in EPERM by |
|
default, while those not contained in it result in ENOSYS. This |
|
should improve compatibility because known system calls will thus be |
|
communicated as prohibited, while unknown (and thus newer ones) will |
|
be communicated as not implemented, which hopefully has the greatest |
|
chance of triggering the right fallback code paths in client |
|
applications. |
|
|
|
* “systemd-analyze syscall-filter” will now show two separate sections |
|
at the bottom of the output: system calls known during systemd build |
|
time but not included in any of the filter groups shown above, and |
|
system calls defined on the local kernel but known during systemd |
|
build time. |
|
|
|
* If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for |
|
systemd-nspawn all system call filter violations will be logged by |
|
the kernel (audit). This is useful for tracking down system calls |
|
invoked by container payloads that are prohibited by the container’s |
|
system call filter policy. |
|
|
|
* If the $SYSTEMD_SECCOMP=0 environment variable is set for |
|
systemd-nspawn (and other programs that use seccomp) all seccomp |
|
filtering is turned off. |
|
|
|
* Two new unit file settings ProtectProc= and ProcSubset= have been |
|
added that expose the hidepid= and subset= mount options of procfs. |
|
All processes of the unit will only see processes in /proc that are |
|
are owned by the unit’s user. This is an important new sandboxing |
|
option that is recommended to be set on all system services. All |
|
long-running system services that are included in systemd itself set |
|
this option now. This option is only supported on kernel 5.8 and |
|
above, since the hidepid= option supported on older kernels was not a |
|
per-mount option but actually applied to the whole PID namespace. |
|
|
|
* Socket units gained a new boolean setting FlushPending=. If enabled |
|
all pending socket data/connections are flushed whenever the socket |
|
unit enters the “listening” state, i.e. after the associated service |
|
exited. |
|
|
|
* The unit file setting NUMAMask= gained a new “all” value: when used, |
|
all existing NUMA nodes are added to the NUMA mask. |
|
|
|
* A new “credentials” logic has been added to system services. This is |
|
a simple mechanism to pass privileged data to services in a safe and |
|
secure way. It’s supposed to be used to pass per-service secret data |
|
such as passwords or cryptographic keys but also associated less |
|
private information such as user names, certificates, and similar to |
|
system services. Each credential is identified by a short user-chosen |
|
name and may contain arbitrary binary data. Two new unit file |
|
settings have been added: SetCredential= and LoadCredential=. The |
|
former allows setting a credential to a literal string, the latter |
|
sets a credential to the contents of a file (or data read from a |
|
user-chosen AF_UNIX stream socket). Credentials are passed to the |
|
service via a special credentials directory, one file for each |
|
credential. The path to the credentials directory is passed in a new |
|
$CREDENTIALS_DIRECTORY environment variable. Since the credentials |
|
are passed in the file system they may be easily referenced in |
|
ExecStart= command lines too, thus no explicit support for the |
|
credentials logic in daemons is required (though ideally daemons |
|
would look for the bits they need in $CREDENTIALS_DIRECTORY |
|
themselves automatically, if set). The $CREDENTIALS_DIRECTORY is |
|
backed by unswappable memory if privileges allow it, immutable if |
|
privileges allow it, is accessible only to the service’s UID, and is |
|
automatically destroyed when the service stops. |
|
|
|
* systemd-nspawn supports the same credentials logic. It can both |
|
consume credentials passed to it via the aforementioned |
|
$CREDENTIALS_DIRECTORY protocol as well as pass these credentials on |
|
to its payload. The service manager/PID 1 has been updated to match |
|
this: it can also accept credentials from the container manager that |
|
invokes it (in fact: any process that invokes it), and passes them on |
|
to its services. Thus, credentials can be propagated recursively down |
|
the tree: from a system’s service manager to a systemd-nspawn |
|
service, to the service manager that runs as container payload and to |
|
the service it runs below. Credentials may also be added on the |
|
systemd-nspawn command line, using new –set-credential= and |
|
–load-credential= command line switches that match the |
|
aforementioned service settings. |
|
|
|
* systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in |
|
the partition drop-ins which may be used to format/LUKS |
|
encrypt/populate any created partitions. The partitions are |
|
encrypted/formatted/populated before they are registered in the |
|
partition table, so that they appear atomically: either the |
|
partitions do not exist yet or they exist fully encrypted, formatted, |
|
and populated — there is no time window where they are |
|
“half-initialized”. Thus the system is robust to abrupt shutdown: if |
|
the tool is terminated half-way during its operations on next boot it |
|
will start from the beginning. |
|
|
|
* systemd-repart’s –size= operation gained a new “auto” value. If |
|
specified, and operating on a loopback file it is automatically sized |
|
to the minimal size the size constraints permit. This is useful to |
|
use “systemd-repart” as an image builder for minimally sized images. |
|
|
|
* systemd-resolved now gained a third IPC interface for requesting name |
|
resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink |
|
interface is now supported. The nss-resolve NSS module has been |
|
modified to use this new interface instead of D-Bus. Using Varlink |
|
has a major benefit over D-Bus: it works without a broker service, |
|
and thus already during earliest boot, before the dbus daemon has |
|
been started. This means name resolution via systemd-resolved now |
|
works at the same time systemd-networkd operates: from earliest boot |
|
on, including in the initrd. |
|
|
|
* systemd-resolved gained support for a new DNSStubListenerExtra= |
|
configuration file setting which may be used to specify additional IP |
|
addresses the built-in DNS stub shall listen on, in addition to the |
|
main one on 127.0.0.53:53. |
|
|
|
* Name lookups issued via systemd-resolved’s D-Bus and Varlink |
|
interfaces (and thus also via glibc NSS if nss-resolve is used) will |
|
now honour a trailing dot in the hostname: if specified the search |
|
path logic is turned off. Thus “resolvectl query foo.” is now |
|
equivalent to “resolvectl query –search=off foo.”. |
|
|
|
* systemd-resolved gained a new D-Bus property “ResolvConfMode” that |
|
exposes how /etc/resolv.conf is currently managed: by resolved (and |
|
in which mode if so) or another subsystem. “resolvctl” will display |
|
this property in its status output. |
|
|
|
* The resolv.conf snippets systemd-resolved provides will now set “.” |
|
as the search domain if no other search domain is known. This turns |
|
off the derivation of an implicit search domain by nss-dns for the |
|
hostname, when the hostname is set to an FQDN. This change is done to |
|
make nss-dns using resolv.conf provided by systemd-resolved behave |
|
more similarly to nss-resolve. |
|
|
|
* systemd-tmpfiles’ file “aging” logic (i.e. the automatic clean-up of |
|
/tmp/ and /var/tmp/ based on file timestamps) now looks at the |
|
“birth” time (btime) of a file in addition to the atime, mtime, and |
|
ctime. |
|
|
|
* systemd-analyze gained a new verb “capability” that lists all known |
|
capabilities by the systemd build and by the kernel. |
|
|
|
* If a file /usr/lib/clock-epoch exists, PID 1 will read its mtime and |
|
advance the system clock to it at boot if it is noticed to be before |
|
that time. Previously, PID 1 would only advance the time to an epoch |
|
time that is set during build-time. With this new file OS builders |
|
can change this epoch timestamp on individual OS images without |
|
having to rebuild systemd. |
|
|
|
* systemd-logind will now listen to the KEY_RESTART key from the Linux |
|
input layer and reboot the system if it is pressed, similarly to how |
|
it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART |
|
was originally defined in the Multimedia context (to restart playback |
|
of a song or film), but is now primarily used in various embedded |
|
devices for “Reboot” buttons. Accordingly, systemd-logind will now |
|
honour it as such. This may configured in more detail via the new |
|
HandleRebootKey= and RebootKeyIgnoreInhibited=. |
|
|
|
* systemd-nspawn/systemd-machined will now reconstruct hardlinks when |
|
copying OS trees, for example in “systemd-nspawn –ephemeral”, |
|
“systemd-nspawn –template=”, “machinectl clone” and similar. This is |
|
useful when operating with OSTree images, which use hardlinks heavily |
|
throughout, and where such copies previously resulting in “exploding” |
|
hardlinks. |
|
|
|
* systemd-nspawn’s –console= setting gained support for a new |
|
“autopipe” value, which is identical to “interactive” when invoked on |
|
a TTY, and “pipe” otherwise. |
|
|
|
* systemd-networkd’s .network files gained support for explicitly |
|
configuring the multicast membership entries of bridge devices in the |
|
[BridgeMDB] section. It also gained support for the PIE queuing |
|
discipline in the [FlowQueuePIE] sections. |
|
|
|
* systemd-networkd’s .netdev files may now be used to create “BareUDP” |
|
tunnels, configured in the new [BareUDP] setting. |
|
|
|
* systemd-networkd’s Gateway= setting in .network files now accepts the |
|
special values “_dhcp4” and “_ipv6ra” to configure additional, |
|
locally defined, explicit routes to the gateway acquired via DHCP or |
|
IPv6 Router Advertisements. The old setting “_dhcp” is deprecated, |
|
but still accepted for backwards compatibility. |
|
|
|
* systemd-networkd’s [IPv6PrefixDelegation] section and |
|
IPv6PrefixDelegation= options have been renamed as [IPv6SendRA] and |
|
IPv6SendRA= (the old names are still accepted for backwards |
|
compatibility). |
|
|
|
* systemd-networkd’s .network files gained the DHCPv6PrefixDelegation= |
|
boolean setting in [Network] section. If enabled, the delegated prefix |
|
gained by another link will be configured, and an address within the |
|
prefix will be assigned. |
|
|
|
* systemd-networkd’s .network files gained the Announce= boolean setting |
|
in [DHCPv6PrefixDelegation] section. When enabled, the delegated |
|
prefix will be announced through IPv6 router advertisement (IPv6 RA). |
|
The setting is enabled by default. |
|
|
|
* VXLAN tunnels may now be marked as independent of any underlying |
|
network interface via the new Independent= boolean setting. |
|
|
|
* systemctl gained support for two new verbs: “service-log-level” and |
|
“service-log-target” may be used on services that implement the |
|
generic org.freedesktop.LogControl1 D-Bus interface to dynamically |
|
adjust the log level and target. All of systemd’s long-running |
|
services support this now, but ideally all system services would |
|
implement this interface to make the system more uniformly |
|
debuggable. |
|
|
|
* The SystemCallErrorNumber= unit file setting now accepts the new |
|
“kill” and “log” actions, in addition to arbitrary error number |
|
specifications as before. If “kill” the processes are killed on the |
|
event, if “log” the offending system call is audit logged. |
|
|
|
* A new SystemCallLog= unit file setting has been added that accepts a |
|
list of system calls that shall be logged about (audit). |
|
|
|
* The OS image dissection logic (as used by RootImage= in unit files or |
|
systemd-nspawn’s –image= switch) has gained support for identifying |
|
and mounting explicit /usr/ partitions, which are now defined in the |
|
discoverable partition specification. This should be useful for |
|
environments where the root file system is |
|
generated/formatted/populated dynamically on first boot and combined |
|
with an immutable /usr/ tree that is supplied by the vendor. |
|
|
|
* In the final phase of shutdown, within the systemd-shutdown binary |
|
we’ll now try to detach MD devices (i.e software RAID) in addition to |
|
loopback block devices and DM devices as before. This is supposed to |
|
be a safety net only, in order to increase robustness if things go |
|
wrong. Storage subsystems are expected to properly detach their |
|
storage volumes during regular shutdown already (or in case of |
|
storage backing the root file system: in the initrd hook we return to |
|
later). |
|
|
|
* If the SYSTEMD_LOG_TID environment variable is set all systemd tools |
|
will now log the thread ID in their log output. This is useful when |
|
working with heavily threaded programs. |
|
|
|
* If the SYSTEMD_RDRAND environment variable is set to “0”, systemd will |
|
not use the RDRAND CPU instruction. This is useful in environments |
|
such as replay debuggers where non-deterministic behaviour is not |
|
desirable. |
|
|
|
* The autopaging logic in systemd’s various tools (such as systemctl) |
|
has been updated to turn on “secure” mode in “less” |
|
(i.e. $LESSECURE=1) if execution in a “sudo” environment is |
|
detected. This disables invoking external programs from the pager, |
|
via the pipe logic. This behaviour may be overridden via the new |
|
$SYSTEMD_PAGERSECURE environment variable. |
|
|
|
* Units which have resource limits (.service, .mount, .swap, .slice, |
|
.socket, and .slice) gained new configuration settings |
|
ManagedOOMSwap=, ManagedOOMMemoryPressure=, and |
|
ManagedOOMMemoryPressureLimitPercent= that specify resource pressure |
|
limits and optional action taken by systemd-oomd. |
|
|
|
* A new service systemd-oomd has been added. It monitors resource |
|
contention for selected parts of the unit hierarchy using the PSI |
|
information reported by the kernel, and kills processes when memory |
|
or swap pressure is above configured limits. This service is only |
|
enabled by default in developer mode (see below) and should be |
|
considered a preview in this release. Behaviour details and option |
|
names are subject to change without the usual backwards-compatibility |
|
promises. |
|
|
|
* A new helper oomctl has been added to introspect systemd-oomd state. |
|
It is only enabled by default in developer mode and should be |
|
considered a preview without the usual backwards-compatibility |
|
promises. |
|
|
|
* New meson option -Dcompat-mutable-uid-boundaries= has been added. If |
|
enabled, systemd reads the system UID boundaries from /etc/login.defs |
|
at runtime, instead of using the built-in values selected during |
|
build. This is an option to improve compatibility for upgrades from |
|
old systems. It’s strongly recommended not to make use of this |
|
functionality on new systems (or even enable it during build), as it |
|
makes something runtime-configurable that is mostly an implementation |
|
detail of the OS, and permits avoidable differences in deployments |
|
that create all kinds of problems in the long run. |
|
|
|
* New meson option ‘-Dmode=developer|release’ has been added. When |
|
‘developer’, additional checks and features are enabled that are |
|
relevant during upstream development, e.g. verification that |
|
semi-automatically-generated documentation has been properly updated |
|
following API changes. Those checks are considered hints for |
|
developers and are not actionable in downstream builds. In addition, |
|
extra features that are not ready for general consumption may be |
|
enabled in developer mode. It is thus recommended to set |
|
‘-Dmode=release’ in end-user and distro builds. |
|
|
|
* systemd-cryptsetup gained support for processing detached LUKS |
|
headers specified on the kernel command line via the header= |
|
parameter of the luks.options= kernel command line option. The same |
|
device/path syntax as for key files is supported for header files |
|
like this. |
|
|
|
* The “net_id” built-in of udev has been updated to ignore ACPI _SUN |
|
slot index data for devices that are connected through a PCI bridge |
|
where the _SUN index is associated with the bridge instead of the |
|
network device itself. Previously this would create ambiguous device |
|
naming if multiple network interfaces were connected to the same PCI |
|
bridge. Since this is a naming scheme incompatibility on systems that |
|
possess hardware like this it has been introduced as new naming |
|
scheme “v247”. The previous scheme can be selected via the |
|
“net.naming-scheme=v245” kernel command line parameter. |
|
|
|
* ConditionFirstBoot= semantics have been modified to be safe towards |
|
abnormal system power-off during first boot. Specifically, the |
|
“systemd-machine-id-commit.service” service now acts as boot |
|
milestone indicating when the first boot process is sufficiently |
|
complete in order to not consider the next following boot also a |
|
first boot. If the system is reset before this unit is reached the |
|
first time, the next boot will still be considered a first boot; once |
|
it has been reached, no further boots will be considered a first |
|
boot. The “first-boot-complete.target” unit now acts as official hook |
|
point to order against this. If a service shall be run on every boot |
|
until the first boot fully succeeds it may thus be ordered before |
|
this target unit (and pull it in) and carry ConditionFirstBoot= |
|
appropriately. |
|
|
|
* bootctl’s set-default and set-oneshot commands now accept the three |
|
special strings “@default”, “@oneshot”, “@current” in place of a boot |
|
entry id. These strings are resolved to the current default and |
|
oneshot boot loader entry, as well as the currently booted one. Thus |
|
a command “bootctl set-default @current” may be used to make the |
|
currently boot menu item the new default for all subsequent boots. |
|
|
|
* “systemctl edit” has been updated to show the original effective unit |
|
contents in commented form in the text editor. |
|
|
|
* Units in user mode are now segregated into three new slices: |
|
session.slice (units that form the core of graphical session), |
|
app.slice (“normal” user applications), and background.slice |
|
(low-priority tasks). Unless otherwise configured, user units are |
|
placed in app.slice. The plan is to add resource limits and |
|
protections for the different slices in the future. |
|
|
|
* New GPT partition types for RISCV32/64 for the root and /usr |
|
partitions, and their associated Verity partitions have been defined, |
|
and are now understood by systemd-gpt-auto-generator, and the OS |
|
image dissection logic. |
|
|
|
Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa |
|
Ross, Amitanand Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar |
|
Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1, |
|
Beniamino Galvani, Benjamin Berg, Bjørn Mork, brainrom, Chandradeep |
|
Dey, Charles Lee, Chris Down, Christian Göttsche, Christof Efkemann, |
|
Christoph Ruegge, Clemens Gruber, Daan De Meyer, Daniele Medri, Daniel |
|
Mack, Daniel Rusek, Dan Streetman, David Tardon, Dimitri John Ledkov, |
|
Dmitry Borodaenko, Elias Probst, Elisei Roca, ErrantSpore, Etienne |
|
Doms, Fabrice Fontaine, fangxiuning, Felix Riemann, Florian Klink, |
|
Franck Bui, Frantisek Sumsal, fwSmit, George Rawlinson, germanztz, |
|
Gibeom Gwon, Glen Whitney, Gogo Gogsi, Göran Uddeborg, Grant Mathews, |
|
Hans de Goede, Hans Ulrich Niedermann, Haochen Tong, Harald Seiler, |
|
huangyong, Hubert Kario, igo95862, Ikey Doherty, Insun Pyo, Jan Chren, |
|
Jan Schlüter, Jérémy Nouhaud, Jian-Hong Pan, Joerg Behrmann, Jonathan |
|
Lebon, Jörg Thalheim, Josh Brobst, Juergen Hoetzel, Julien Humbert, |
|
Kai-Chuan Hsieh, Kairui Song, Kamil Dudka, Kir Kolyshkin, Kristijan |
|
Gjoshev, Kyle Huey, Kyle Russell, Lee Whalen, Lennart Poettering, |
|
lichangze, Luca Boccassi, Lucas Werkmeister, Luca Weiss, Marc |
|
Kleine-Budde, Marco Wang, Martin Wilck, Marti Raudsepp, masmullin2000, |
|
Máté Pozsgay, Matt Fenwick, Michael Biebl, Michael Scherer, Michal |
|
Koutný, Michal Sekletár, Michal Suchanek, Mikael Szreder, Milo |
|
Casagrande, mirabilos, Mitsuha_QuQ, mog422, Muhammet Kara, Nazar |
|
Vinnichuk, Nicholas Narsing, Nicolas Fella, Njibhu, nl6720, Oğuz Ersen, |
|
Olivier Le Moal, Ondrej Kozina, onlybugreports, Pass Automated Testing |
|
Suite, Pat Coulthard, Pavel Sapezhko, Pedro Ruiz, perry_yuan, Peter |
|
Hutterer, Phaedrus Leeds, PhoenixDiscord, Piotr Drąg, Plan C, |
|
Purushottam choudhary, Rasmus Villemoes, Renaud Métrich, Robert Marko, |
|
Roman Beranek, Ronan Pigott, Roy Chen (陳彥廷), RussianNeuroMancer, |
|
Samanta Navarro, Samuel BF, scootergrisen, Sorin Ionescu, Steve Dodd, |
|
Susant Sahani, Timo Rothenpieler, Tobias Hunger, Tobias Kaufmann, Topi |
|
Miettinen, vanou, Vito Caputo, Weblate, Wen Yang, Whired Planck, |
|
williamvds, Yu, Li-Yu, Yuri Chornoivan, Yu Watanabe, Zbigniew |
|
Jędrzejewski-Szmek, Zmicer Turok, Дамјан Георгиевски |
|
|
|
– Warsaw, 2020-11-26 |
|
|
|
CHANGES WITH 246: |
|
|
|
* The service manager gained basic support for cgroup v2 freezer. Units |
|
can now be suspended or resumed either using new systemctl verbs, |
|
freeze and thaw respectively, or via D-Bus. |
|
|
|
* PID 1 may now automatically load pre-compiled AppArmor policies from |
|
/etc/apparmor/earlypolicy during early boot. |
|
|
|
* The CPUAffinity= setting in service unit files now supports a new |
|
special value “numa” that causes the CPU affinity masked to be set |
|
based on the NUMA mask. |
|
|
|
* systemd will now log about all left-over processes remaining in a |
|
unit when the unit is stopped. It will now warn about services using |
|
KillMode=none, as this is generally an unsafe thing to make use of. |
|
|
|
* Two new unit file settings |
|
ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been |
|
added. They may be used to check whether a specific file system path |
|
resides on a block device that is encrypted on the block level |
|
(i.e. using dm-crypt/LUKS). |
|
|
|
* Another pair of new settings ConditionEnvironment=/AssertEnvironment= |
|
has been added that may be used for simple environment checks. This |
|
is particularly useful when passing in environment variables from a |
|
container manager (or from PAM in case of the systemd –user |
|
instance). |
|
|
|
* .service unit files now accept a new setting CoredumpFilter= which |
|
allows configuration of the memory sections coredumps of the |
|
service’s processes shall include. |
|
|
|
* .mount units gained a new ReadWriteOnly= boolean option. If set |
|
it will not be attempted to mount a file system read-only if mounting |
|
in read-write mode doesn’t succeed. An option x-systemd.rw-only is |
|
available in /etc/fstab to control the same. |
|
|
|
* .socket units gained a new boolean setting PassPacketInfo=. If |
|
enabled, the kernel will attach additional per-packet metadata to all |
|
packets read from the socket, as an ancillary message. This controls |
|
the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options, |
|
depending on socket type. |
|
|
|
* .service units gained a new setting RootHash= which may be used to |
|
specify the root hash for verity enabled disk images which are |
|
specified in RootImage=. RootVerity= may be used to specify a path to |
|
the Verity data matching a RootImage= file system. (The latter is |
|
only useful for images that do not contain the Verity data embedded |
|
into the same image that carries a GPT partition table following the |
|
Discoverable Partition Specification). Similarly, systemd-nspawn |
|
gained a new switch –verity-data= that takes a path to a file with |
|
the verity data of the disk image supplied in –image=, if the image |
|
doesn’t contain the verity data itself. |
|
|
|
* .service units gained a new setting RootHashSignature= which takes |
|
either a base64 encoded PKCS#7 signature of the root hash specified |
|
with RootHash=, or a path to a file to read the signature from. This |
|
allows validation of the root hash against public keys available in |
|
the kernel keyring, and is only supported on recent kernels |
|
(>= 5.4)/libcryptsetup (>= 2.30). A similar switch has been added to |
|
systemd-nspawn and systemd-dissect (–root-hash-sig=). Support for |
|
this mechanism has also been added to systemd-veritysetup. |
|
|
|
* .service unit files gained two new options |
|
TimeoutStartFailureMode=/TimeoutStopFailureMode= that may be used to |
|
tune behaviour if a start or stop timeout is hit, i.e. whether to |
|
terminate the service with SIGTERM, SIGABRT or SIGKILL. |
|
|
|
* Most options in systemd that accept hexadecimal values prefixed with |
|
0x in additional to the usual decimal notation now also support octal |
|
notation when the 0o prefix is used and binary notation if the 0b |
|
prefix is used. |
|
|
|
* Various command line parameters and configuration file settings that |
|
configure key or certificate files now optionally take paths to |
|
AF_UNIX sockets in the file system. If configured that way a stream |
|
connection is made to the socket and the required data read from |
|
it. This is a simple and natural extension to the existing regular |
|
file logic, and permits other software to provide keys or |
|
certificates via simple IPC services, for example when unencrypted |
|
storage on disk is not desired. Specifically, systemd-networkd’s |
|
Wireguard and MACSEC key file settings as well as |
|
systemd-journal-gatewayd’s and systemd-journal-remote’s PEM |
|
key/certificate parameters support this now. |
|
|
|
* Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other |
|
configuration files that support specifier expansion learnt six new |
|
specifiers: %a resolves to the current architecture, %o/%w/%B/%W |
|
resolve to the various ID fields from /etc/os-release, %l resolves to |
|
the “short” hostname of the system, i.e. the hostname configured in |
|
the kernel truncated at the first dot. |
|
|
|
* Support for the .include syntax in unit files has been removed. The |
|
concept has been obsolete for 6 years and we started warning about |
|
its pending removal 2 years ago (also see NEWS file below). It’s |
|
finally gone now. |
|
|
|
* StandardError= and StandardOutput= in unit files no longer support |
|
the “syslog” and “syslog-console” switches. They were long removed |
|
from the documentation, but will now result in warnings when used, |
|
and be converted to “journal” and “journal+console” automatically. |
|
|
|
* If the service setting User= is set to the “nobody” user, a warning |
|
message is now written to the logs (but the value is nonetheless |
|
accepted). Setting User=nobody is unsafe, since the primary purpose |
|
of the “nobody” user is to own all files whose owner cannot be mapped |
|
locally. It’s in particular used by the NFS subsystem and in user |
|
namespacing. By running a service under this user’s UID it might get |
|
read and even write access to all these otherwise unmappable files, |
|
which is quite likely a major security problem. |
|
|
|
* tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm, |
|
and others) now have a size and inode limits applied (50% of RAM for |
|
/tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note |
|
that the implicit kernel default is 50% too, so there is no change |
|
in the size limit for /tmp and /dev/shm. |
|
|
|
* nss-mymachines lost support for resolution of users and groups, and |
|
now only does resolution of hostnames. This functionality is now |
|
provided by nss-systemd. Thus, the ‘mymachines’ entry should be |
|
removed from the ‘passwd:’ and ‘group:’ lines in /etc/nsswitch.conf |
|
(and ‘systemd’ added if it is not already there). |
|
|
|
* A new kernel command line option systemd.hostname= has been added |
|
that allows controlling the hostname that is initialized early during |
|
boot. |
|
|
|
* A kernel command line option “udev.blockdev_read_only” has been |
|
added. If specified all hardware block devices that show up are |
|
immediately marked as read-only by udev. This option is useful for |
|
making sure that a specific boot under no circumstances modifies data |
|
on disk. Use “blockdev –setrw” to undo the effect of this, per |
|
device. |
|
|
|
* A new boolean kernel command line option systemd.swap= has been |
|
added, which may be used to turn off automatic activation of swap |
|
devices listed in /etc/fstab. |
|
|
|
* New kernel command line options systemd.condition-needs-update= and |
|
systemd.condition-first-boot= have been added, which override the |
|
result of the ConditionNeedsUpdate= and ConditionFirstBoot= |
|
conditions. |
|
|
|
* A new kernel command line option systemd.clock-usec= has been added |
|
that allows setting the system clock to the specified time in µs |
|
since Jan 1st, 1970 early during boot. This is in particular useful |
|
in order to make test cases more reliable. |
|
|
|
* The fs.suid_dumpable sysctl is set to 2 / “suidsafe”. This allows |
|
systemd-coredump to save core files for suid processes. When saving |
|
the core file, systemd-coredump will use the effective uid and gid of |
|
the process that faulted. |
|
|
|
* The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is |
|
now automatically set to “Y” at boot, in order to enable pstore |
|
generation for collection with systemd-pstore. |
|
|
|
* We provide a set of udev rules to enable auto-suspend on PCI and USB |
|
devices that were tested to correctly support it. Previously, this |
|
was distributed as a set of udev rules, but has now been replaced by |
|
by a set of hwdb entries (and a much shorter udev rule to take action |
|
if the device modalias matches one of the new hwdb entries). |
|
|
|
As before, entries are periodically imported from the database |
|
maintained by the ChromiumOS project. If you have a device that |
|
supports auto-suspend correctly and where it should be enabled by |
|
default, please submit a patch that adds it to the database (see |
|
/usr/lib/udev/hwdb.d/60-autosuspend.hwdb). |
|
|
|
* systemd-udevd gained the new configuration option timeout_signal= as well |
|
as a corresponding kernel command line option udev.timeout_signal=. |
|
The option can be used to configure the UNIX signal that the main |
|
daemon sends to the worker processes on timeout. Setting the signal |
|
to SIGABRT is useful for debugging. |
|
|
|
* .link files managed by systemd-udevd gained options RxFlowControl=, |
|
TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in |
|
order to configure various flow control parameters. They also gained |
|
RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo |
|
frame ring buffer sizes. |
|
|
|
* networkd.conf gained a new boolean setting ManageForeignRoutes=. If |
|
enabled systemd-networkd manages all routes configured by other tools. |
|
|
|
* .network files managed by systemd-networkd gained a new section |
|
[SR-IOV], in order to configure SR-IOV capable network devices. |
|
|
|
* systemd-networkd’s [IPv6Prefix] section in .network files gained a |
|
new boolean setting Assign=. If enabled an address from the prefix is |
|
automatically assigned to the interface. |
|
|
|
* systemd-networkd gained a new section [DHCPv6PrefixDelegation] which |
|
controls delegated prefixes assigned by DHCPv6 client. The section |
|
has three settings: SubnetID=, Assign=, and Token=. The setting |
|
SubnetID= allows explicit configuration of the preferred subnet that |
|
systemd-networkd’s Prefix Delegation logic assigns to interfaces. If |
|
Assign= is enabled (which is the default) an address from any acquired |
|
delegated prefix is automatically chosen and assigned to the |
|
interface. The setting Token= specifies an optional address generation |
|
mode for Assign=. |
|
|
|
* systemd-networkd’s [Network] section gained a new setting |
|
IPv4AcceptLocal=. If enabled the interface accepts packets with local |
|
source addresses. |
|
|
|
* systemd-networkd gained support for configuring the HTB queuing |
|
discipline in the [HierarchyTokenBucket] and |
|
[HierarchyTokenBucketClass] sections. Similar the “pfifo” qdisc may |
|
be configured in the [PFIFO] section, “GRED” in |
|
[GenericRandomEarlyDetection], “SFB” in [StochasticFairBlue], “cake” |
|
in [CAKE], “PIE” in [PIE], “DRR” in [DeficitRoundRobinScheduler] and |
|
[DeficitRoundRobinSchedulerClass], “BFIFO” in [BFIFO], |
|
“PFIFOHeadDrop” in [PFIFOHeadDrop], “PFIFOFast” in [PFIFOFast], “HHF” |
|
in [HeavyHitterFilter], “ETS” in [EnhancedTransmissionSelection] and |
|
“QFQ” in [QuickFairQueueing] and [QuickFairQueueingClass]. |
|
|
|
* systemd-networkd gained support for a new Termination= setting in the |
|
[CAN] section for configuring the termination resistor. It also |
|
gained a new ListenOnly= setting for controlling whether to only |
|
listen on CAN interfaces, without interfering with traffic otherwise |
|
(which is useful for debugging/monitoring CAN network |
|
traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have |
|
been added to configure various CAN-FD aspects. |
|
|
|
* systemd-networkd’s [DHCPv6] section gained a new option WithoutRA=. |
|
When enabled, DHCPv6 will be attempted right-away without requiring an |
|
Router Advertisement packet suggesting it first (i.e. without the ‘M’ |
|
or ‘O’ flags set). The [IPv6AcceptRA] section gained a boolean option |
|
DHCPv6Client= that may be used to turn off the DHCPv6 client even if |
|
the RA packets suggest it. |
|
|
|
* systemd-networkd’s [DHCPv4] section gained a new setting UseGateway= |
|
which may be used to turn off use of the gateway information provided |
|
by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be |
|
used to configure how to process leases that lack a lifetime option. |
|
|
|
* systemd-networkd’s [DHCPv4] and [DHCPServer] sections gained a new |
|
setting SendVendorOption= allowing configuration of additional vendor |
|
options to send in the DHCP requests/responses. The [DHCPv6] section |
|
gained a new SendOption= setting for sending arbitrary DHCP |
|
options. RequestOptions= has been added to request arbitrary options |
|
from the server. UserClass= has been added to set the DHCP user class |
|
field. |
|
|
|
* systemd-networkd’s [DHCPServer] section gained a new set of options |
|
EmitPOP3=/POP3=, EmitSMTP=/SMTP=, EmitLPR=/LPR= for including server |
|
information about these three protocols in the DHCP lease. It also |
|
gained support for including “MUD” URLs (“Manufacturer Usage |
|
Description”). Support for “MUD” URLs was also added to the LLDP |
|
stack, configurable in the [LLDP] section in .network files. |
|
|
|
* The Mode= settings in [MACVLAN] and [MACVTAP] now support ‘source’ |
|
mode. Also, the sections now support a new setting SourceMACAddress=. |
|
|
|
* systemd-networkd’s .netdev files now support a new setting |
|
VLANProtocol= in the [Bridge] section that allows configuration of |
|
the VLAN protocol to use. |
|
|
|
* systemd-networkd supports a new Group= setting in the [Link] section |
|
of the .network files, to control the link group. |
|
|
|
* systemd-networkd’s [Network] section gained a new |
|
IPv6LinkLocalAddressGenerationMode= setting, which specifies how IPv6 |
|
link local address is generated. |
|
|
|
* A new default .network file is now shipped that matches TUN/TAP |
|
devices that begin with “vt-” in their name. Such interfaces will |
|
have IP routing onto the host links set up automatically. This is |
|
supposed to be used by VM managers to trivially acquire a network |
|
interface which is fully set up for host communication, simply by |
|
carefully picking an interface name to use. |
|
|
|
* systemd-networkd’s [DHCPv6] section gained a new setting RouteMetric= |
|
which sets the route priority for routes specified by the DHCP server. |
|
|
|
* systemd-networkd’s [DHCPv6] section gained a new setting VendorClass= |
|
which configures the vendor class information sent to DHCP server. |
|
|
|
* The BlackList= settings in .network files’ [DHCPv4] and |
|
[IPv6AcceptRA] sections have been renamed DenyList=. The old names |
|
are still understood to provide compatibility. |
|
|
|
* networkctl gained the new “forcerenew” command for forcing all DHCP |
|
server clients to renew their lease. The interface “status” output |
|
will now show numerous additional fields of information about an |
|
interface. There are new “up” and “down” commands to bring specific |
|
interfaces up or down. |
|
|
|
* systemd-resolved’s DNS= configuration option now optionally accepts a |
|
port number (after “:”) and a host name (after “#”). When the host |
|
name is specified, the DNS-over-TLS certificate is validated to match |
|
the specified hostname. Additionally, in case of IPv6 addresses, an |
|
interface may be specified (after “%”). |
|
|
|
* systemd-resolved may be configured to forward single-label DNS names. |
|
This is not standard-conformant, but may make sense in setups where |
|
public DNS servers are not used. |
|
|
|
* systemd-resolved’s DNS-over-TLS support gained SNI validation. |
|
|
|
* systemd-nspawn’s –resolv-conf= switch gained a number of new |
|
supported values. Specifically, options starting with “replace-” are |
|
like those prefixed “copy-” but replace any existing resolv.conf |
|
file. And options ending in “-uplink” and “-stub” can now be used to |
|
propagate other flavours of resolv.conf into the container (as |
|
defined by systemd-resolved). |
|
|
|
* The various programs included in systemd can now optionally output |
|
their log messages on stderr prefixed with a timestamp, controlled by |
|
the $SYSTEMD_LOG_TIME environment variable. |
|
|
|
* systemctl gained a new “-P” switch that is a shortcut for “–value |
|
–property=…”. |
|
|
|
* “systemctl list-units” and “systemctl list-machines” no longer hide |
|
their first output column with –no-legend. To hide the first column, |
|
use –plain. |
|
|
|
* “systemctl reboot” takes the option “–reboot-argument=”. |
|
The optional positional argument to “systemctl reboot” is now |
|
being deprecated in favor of this option. |
|
|
|
* systemd-run gained a new switch –slice-inherit. If specified the |
|
unit it generates is placed in the same slice as the systemd-run |
|
process itself. |
|
|
|
* systemd-journald gained support for zstd compression of large fields |
|
in journal files. The hash tables in journal files have been hardened |
|
against hash collisions. This is an incompatible change and means |
|
that journal files created with new systemd versions are not readable |
|
with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean |
|
environment variable for systemd-journald.service is set to 0 this |
|
new hardening functionality may be turned off, so that generated |
|
journal files remain compatible with older journalctl |
|
implementations. |
|
|
|
* journalctl will now include a clickable link in the default output for |
|
each log message for which an URL with further documentation is |
|
known. This is only supported on terminal emulators that support |
|
clickable hyperlinks, and is turned off if a pager is used (since |
|
“less” still doesn’t support hyperlinks, |
|
unfortunately). Documentation URLs may be included in log messages |
|
either by including a DOCUMENTATION= journal field in it, or by |
|
associating a journal message catalog entry with the log message’s |
|
MESSAGE_ID, which then carries a “Documentation:” tag. |
|
|
|
* journald.conf gained a new boolean setting Audit= that may be used to |
|
control whether systemd-journald will enable audit during |
|
initialization. |
|
|
|
* when systemd-journald’s log stream is broken up into multiple lines |
|
because the PID of the sender changed this is indicated in the |
|
generated log records via the _LINE_BREAK=pid-change field. |
|
|
|
* journalctl’s “-o cat” output mode will now show one or more journal |
|
fields specified with –output-fields= instead of unconditionally |
|
MESSAGE=. This is useful to retrieve a very specific set of fields |
|
without any decoration. |
|
|
|
* The sd-journal.h API gained two new functions: |
|
sd_journal_enumerate_available_unique() and |
|
sd_journal_enumerate_available_data() that operate like their |
|
counterparts that lack the _available_ in the name, but skip items |
|
that cannot be read and processed by the local implementation |
|
(i.e. are compressed in an unsupported format or such), |
|
|
|
* coredumpctl gained a new –file= switch, matching the same one in |
|
journalctl: a specific journal file may be specified to read the |
|
coredump data from. |
|
|
|
* coredumps collected by systemd-coredump may now be compressed using |
|
the zstd algorithm. |
|
|
|
* systemd-binfmt gained a new switch –unregister for unregistering all |
|
registered entries at once. This is now invoked automatically at |
|
shutdown, so that binary formats registered with the “F” flag will |
|
not block clean file system unmounting. |
|
|
|
* systemd-notify’s –pid= switch gained new values: “parent”, “self”, |
|
“auto” for controlling which PID to send to the service manager: the |
|
systemd-notify process’ PID, or the one of the process invoking it. |
|
|
|
* systemd-logind’s Session bus object learnt a new method call |
|
SetType() for temporarily updating the session type of an already |
|
allocated session. This is useful for upgrading tty sessions to |
|
graphical ones once a compositor is invoked. |
|
|
|
* systemd-socket-proxy gained a new switch –exit-idle-time= for |
|
configuring an exit-on-idle time. |
|
|
|
* systemd-repart’s –empty= setting gained a new value “create”. If |
|
specified a new empty regular disk image file is created under the |
|
specified name. Its size may be specified with the new –size= |
|
option. The latter is also supported without the “create” mode, in |
|
order to grow existing disk image files to the specified size. These |
|
two new options are useful when creating or manipulating disk images |
|
instead of operating on actual block devices. |
|
|
|
* systemd-repart drop-ins now support a new UUID= setting to control |
|
the UUID to assign to a newly created partition. |
|
|
|
* systemd-repart’s SizeMin= per-partition parameter now defaults to 10M |
|
instead of 0. |
|
|
|
* systemd-repart’s Label= setting now support the usual, simple |
|
specifier expansion. |
|
|
|
* systemd-homed’s LUKS backend gained the ability to discard empty file |
|
system blocks automatically when the user logs out. This is enabled |
|
by default to ensure that home directories take minimal space when |
|
logged out but get full size guarantees when logged in. This may be |
|
controlled with the new –luks-offline-discard= switch to homectl. |
|
|
|
* If systemd-homed detects that /home/ is encrypted as a whole it will |
|
now default to the directory or subvolume backends instead of the |
|
LUKS backend, in order to avoid double encryption. The default |
|
storage and file system may now be configured explicitly, too, via |
|
the new /etc/systemd/homed.conf configuration file. |
|
|
|
* systemd-homed now supports unlocking home directories with FIDO2 |
|
security tokens that support the ‘hmac-secret’ extension, in addition |
|
to the existing support for PKCS#11 security token unlocking |
|
support. Note that many recent hardware security tokens support both |
|
interfaces. The FIDO2 support is accessible via homectl’s |
|
–fido2-device= option. |
|
|
|
* homectl’s –pkcs11-uri= setting now accepts two special parameters: |
|
if “auto” is specified and only one suitable PKCS#11 security token |
|
is plugged in, its URL is automatically determined and enrolled for |
|
unlocking the home directory. If “list” is specified a brief table of |
|
suitable PKCS#11 security tokens is shown. Similar, the new |
|
–fido2-device= option also supports these two special values, for |
|
automatically selecting and listing suitable FIDO2 devices. |
|
|
|
* The /etc/crypttab tmp option now optionally takes an argument |
|
selecting the file system to use. Moreover, the default is now |
|
changed from ext2 to ext4. |
|
|
|
* There’s a new /etc/crypttab option “keyfile-erase”. If specified the |
|
key file listed in the same line is removed after use, regardless if |
|
volume activation was successful or not. This is useful if the key |
|
file is only acquired transiently at runtime and shall be erased |
|
before the system continues to boot. |
|
|
|
* There’s also a new /etc/crypttab option “try-empty-password”. If |
|
specified, before asking the user for a password it is attempted to |
|
unlock the volume with an empty password. This is useful for |
|
installing encrypted images whose password shall be set on first boot |
|
instead of at installation time. |
|
|
|
* systemd-cryptsetup will now attempt to load the keys to unlock |
|
volumes with automatically from files in |
|
/etc/cryptsetup-keys.d/.key and |
|
/run/cryptsetup-keys.d/.key, if any of these files exist. |
|
|
|
* systemd-cryptsetup may now activate Microsoft BitLocker volumes via |
|
/etc/crypttab, during boot. |
|
|
|
* logind.conf gained a new RuntimeDirectoryInodesMax= setting to |
|
control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs |
|
instance. |
|
|
|
* A new generator systemd-xdg-autostart-generator has been added. It |
|
generates systemd unit files from XDG autostart .desktop files, and |
|
may be used to let the systemd user instance manage services that are |
|
started automatically as part of the desktop session. |
|
|
|
* “bootctl” gained a new verb “reboot-to-firmware” that may be used |
|
to query and change the firmware’s ‘reboot into firmware’ setup flag. |
|
|
|
* systemd-firstboot gained a new switch –kernel-command-line= that may |
|
be used to initialize the /etc/kernel/cmdline file of the image. It |
|
also gained a new switch –root-password-hashed= which is like |
|
–root-password= but accepts a pre-hashed UNIX password as |
|
argument. The new option –delete-root-password may be used to unset |
|
any password for the root user (dangerous!). The –root-shell= switch |
|
may be used to control the shell to use for the root account. A new |
|
–force option may be used to override any already set settings with |
|
the parameters specified on the command line (by default, the tool |
|
will not override what has already been set before, i.e. is purely |
|
incremental). |
|
|
|
* systemd-firstboot gained support for a new –image= switch, which is |
|
similar to –root= but accepts the path to a disk image file, on |
|
which it then operates. |
|
|
|
* A new sd-path.h API has been added to libsystemd. It provides a |
|
simple API for retrieving various search paths and primary |
|
directories for various resources. |
|
|
|
* A new call sd_notify_barrier() has been added to the sd-daemon.h |
|
API. The call will block until all previously sent sd_notify() |
|
messages have been processed by the service manager. This is useful |
|
to remove races caused by a process already having disappeared at the |
|
time a notification message is processed by the service manager, |
|
making correct attribution impossible. The systemd-notify tool will |
|
now make use of this call implicitly, but this can be turned off again |
|
via the new –no-block switch. |
|
|
|
* When sending a file descriptor (fd) to the service manager to keep |
|
track of, using the sd_notify() mechanism, a new parameter FDPOLL=0 |
|
may be specified. If passed the service manager will refrain from |
|
poll()ing on the file descriptor. Traditionally (and when the |
|
parameter is not specified), the service manager will poll it for |
|
POLLHUP or POLLERR events, and immediately close the fds in that |
|
case. |
|
|
|
* The service manager (PID1) gained a new D-Bus method call |
|
SetShowStatus() which may be used to control whether it shall show |
|
boot-time status output on the console. This method has a similar |
|
effect to sending SIGRTMIN+20/SIGRTMIN+21 to PID 1. |
|
|
|
* The sd-bus API gained a number of convenience functions that take |
|
va_list arguments rather than “…”. For example, there’s now |
|
sd_bus_call_methodv() to match sd_bus_call_method(). Those calls make |
|
it easier to build wrappers that accept variadic arguments and want |
|
to pass a ready va_list structure to sd-bus. |
|
|
|
* sd-bus vtable entries can have a new SD_BUS_VTABLE_ABSOLUTE_OFFSET |
|
flag which alters how the userdata pointer to pass to the callbacks |
|
is determined. When the flag is set, the offset field is converted |
|
as-is into a pointer, without adding it to the object pointer the |
|
vtable is associated with. |
|
|
|
* sd-bus now exposes four new functions: |
|
sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() + |
|
sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will |
|
validate strings to check if they qualify as various D-Bus concepts. |
|
|
|
* The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(), |
|
SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros |
|
that simplify adding argument names to D-Bus methods and signals. |
|
|
|
* The man pages for the sd-bus and sd-hwdb APIs have been completed. |
|
|
|
* Various D-Bus APIs of systemd daemons now have man pages that |
|
document the methods, signals and properties. |
|
|
|
* The expectations on user/group name syntax are now documented in |
|
detail; documentation on how classic home directories may be |
|
converted into home directories managed by homed has been added; |
|
documentation regarding integration of homed/userdb functionality in |
|
desktops has been added: |
|
|
|
https://systemd.io/USER_NAMES |
|
https://systemd.io/CONVERTING_TO_HOMED |
|
https://systemd.io/USERDB_AND_DESKTOPS |
|
|
|
* Documentation for the on-disk Journal file format has been updated |
|
and has now moved to: |
|
|
|
https://systemd.io/JOURNAL_FILE_FORMAT |
|
|
|
* The interface for containers (https://systemd.io/CONTAINER_INTERFACE) |
|
has been extended by a set of environment variables that expose |
|
select fields from the host’s os-release file to the container |
|
payload. Similarly, host’s os-release files can be mounted into the |
|
container underneath /run/host. Together, those mechanisms provide a |
|
standardized way to expose information about the host to the |
|
container payload. Both interfaces are implemented in systemd-nspawn. |
|
|
|
* All D-Bus services shipped in systemd now implement the generic |
|
LogControl1 D-Bus API which allows clients to change log level + |
|
target of the service during runtime. |
|
|
|
* Only relevant for developers: the mkosi.default symlink has been |
|
dropped from version control. Please create a symlink to one of the |
|
distribution-specific defaults in .mkosi/ based on your preference. |
|
|
|
Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander |
|
Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird, |
|
Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain, |
|
antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji |
|
Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg, |
|
Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian |
|
Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy, |
|
codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan, |
|
Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David |
|
Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri |
|
John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel |
|
Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin, |
|
ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger, |
|
Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui, |
|
Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius |
|
Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de |
|
Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan |
|
Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy |
|
Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg |
|
Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin |
|
Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard, |
|
Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas |
|
Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej |
|
S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc |
|
Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim |
|
Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels, |
|
Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár, |
|
Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys, |
|
nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert |
|
Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter |
|
Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross |
|
Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian |
|
Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas |
|
Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes, |
|
Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo, |
|
Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal |
|
Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew |
|
Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб |
|
|
|
– Warsaw, 2020-07-30 |
|
|
|
CHANGES WITH 245: |
|
|
|
* A new tool “systemd-repart” has been added, that operates as an |
|
idempotent declarative repartitioner for GPT partition tables. |
|
Specifically, a set of partitions that must or may exist can be |
|
configured via drop-in files, and during every boot the partition |
|
table on disk is compared with these files, creating missing |
|
partitions or growing existing ones based on configurable relative |
|
and absolute size constraints. The tool is strictly incremental, |
|
i.e. does not delete, shrink or move partitions, but only adds and |
|
grows them. The primary use-case is OS images that ship in minimized |
|
form, that on first boot are grown to the size of the underlying |
|
block device or augmented with additional partitions. For example, |
|
the root partition could be extended to cover the whole disk, or a |
|
swap or /home partitions could be added on first boot. It can also be |
|
used for systems that use an A/B update scheme but ship images with |
|
just the A partition, with B added on first boot. The tool is |
|
primarily intended to be run in the initrd, shortly before |
|
transitioning into the host OS, but can also be run after the |
|
transition took place. It automatically discovers the disk backing |
|
the root file system, and should hence not require any additional |
|
configuration besides the partition definition drop-ins. If no |
|
configuration drop-ins are present, no action is taken. |
|
|
|
* A new component “userdb” has been added, along with a small daemon |
|
“systemd-userdbd.service” and a client tool “userdbctl”. The framework |
|
allows defining rich user and group records in a JSON format, |
|
extending on the classic “struct passwd” and “struct group” |
|
structures. Various components in systemd have been updated to |
|
process records in this format, including systemd-logind and |
|
pam-systemd. The user records are intended to be extensible, and |
|
allow setting various resource management, security and runtime |
|
parameters that shall be applied to processes and sessions of the |
|
user as they log in. This facility is intended to allow associating |
|
such metadata directly with user/group records so that they can be |
|
produced, extended and consumed in unified form. We hope that |
|
eventually frameworks such as sssd will generate records this way, so |
|
that for the first time resource management and various other |
|
per-user settings can be configured in LDAP directories and then |
|
provided to systemd (specifically to systemd-logind and pam-system) |
|
to apply on login. For further details see: |
|
|
|
https://systemd.io/USER_RECORD |
|
https://systemd.io/GROUP_RECORD |
|
https://systemd.io/USER_GROUP_API |
|
|
|
* A small new service systemd-homed.service has been added, that may be |
|
used to securely manage home directories with built-in encryption. |
|
The complete user record data is unified with the home directory, |
|
thus making home directories naturally migratable. Its primary |
|
back-end is based on LUKS volumes, but fscrypt, plain directories, |
|
and other storage schemes are also supported. This solves a couple of |
|
problems we saw with traditional ways to manage home directories, in |
|
particular when it comes to encryption. For further discussion of |
|
this, see the video of Lennart’s talk at AllSystemsGo! 2019: |
|
|
|
https://media.ccc.de/v/ASG2019-164-reinventing-home-directories |
|
|
|
For further details about the format and expectations on home |
|
directories this new daemon makes, see: |
|
|
|
https://systemd.io/HOME_DIRECTORY |
|
|
|
* systemd-journald is now multi-instantiable. In addition to the main |
|
instance systemd-journald.service there’s now a template unit |
|
systemd-journald@.service, with each instance defining a new named |
|
log ‘namespace’ (whose name is specified via the instance part of the |
|
unit name). A new unit file setting LogNamespace= has been added, |
|
taking such a namespace name, that assigns services to the specified |
|
log namespaces. As each log namespace is serviced by its own |
|
independent journal daemon, this functionality may be used to improve |
|
performance and increase isolation of applications, at the price of |
|
losing global message ordering. Each instance of journald has a |
|
separate set of configuration files, with possibly different disk |
|
usage limitations and other settings. |
|
|
|
journalctl now takes a new option –namespace= to show logs from a |
|
specific log namespace. The sd-journal.h API gained |
|
sd_journal_open_namespace() for opening the log stream of a specific |
|
log namespace. systemd-journald also gained the ability to exit on |
|
idle, which is useful in the context of log namespaces, as this means |
|
log daemons for log namespaces can be activated automatically on |
|
demand and will stop automatically when no longer used, minimizing |
|
resource usage. |
|
|
|
* When systemd-tmpfiles copies a file tree using the ‘C’ line type it |
|
will now label every copied file according to the SELinux database. |
|
|
|
* When systemd/PID 1 detects it is used in the initrd it will now boot |
|
into initrd.target rather than default.target by default. This should |
|
make it simpler to build initrds with systemd as for many cases the |
|
only difference between a host OS image and an initrd image now is |
|
the presence of the /etc/initrd-release file. |
|
|
|
* A new kernel command line option systemd.cpu_affinity= is now |
|
understood. It’s equivalent to the CPUAffinity= option in |
|
/etc/systemd/system.conf and allows setting the CPU mask for PID 1 |
|
itself and the default for all other processes. |
|
|
|
* When systemd/PID 1 is reloaded (with systemctl daemon-reload or |
|
equivalent), the SELinux database is now reloaded, ensuring that |
|
sockets and other file system objects are generated taking the new |
|
database into account. |
|
|
|
* systemd/PID 1 accepts a new “systemd.show-status=error” setting, and |
|
“quiet” has been changed to imply that instead of |
|
“systemd.show-status=auto”. In this mode, only messages about errors |
|
and significant delays in boot are shown on the console. |
|
|
|
* The sd-event.h API gained native support for the new Linux “pidfd” |
|
concept. This permits watching processes using file descriptors |
|
instead of PID numbers, which fixes a number of races and makes |
|
process supervision more robust and efficient. All of systemd’s |
|
components will now use pidfds if the kernel supports it for process |
|
watching, with the exception of PID 1 itself, unfortunately. We hope |
|
to move PID 1 to exclusively using pidfds too eventually, but this |
|
requires some more kernel work first. (Background: PID 1 watches |
|
processes using waitid() with the P_ALL flag, and that does not play |
|
together nicely with pidfds yet.) |
|
|
|
* Closely related to this, the sd-event.h API gained two new calls |
|
sd_event_source_send_child_signal() (for sending a signal to a |
|
watched process) and sd_event_source_get_child_process_own() (for |
|
marking a process so that it is killed automatically whenever the |
|
event source watching it is freed). |
|
|
|
* systemd-networkd gained support for configuring Token Bucket Filter |
|
(TBF) parameters in its qdisc configuration support. Similarly, |
|
support for Stochastic Fairness Queuing (SFQ), Controlled-Delay |
|
Active Queue Management (CoDel), and Fair Queue (FQ) has been added. |
|
|
|
* systemd-networkd gained support for Intermediate Functional Block |
|
(IFB) network devices. |
|
|
|
* systemd-networkd gained support for configuring multi-path IP routes, |
|
using the new MultiPathRoute= setting in the [Route] section. |
|
|
|
* systemd-networkd’s DHCPv4 client has been updated to support a new |
|
SendDecline= option. If enabled, duplicate address detection is done |
|
after a DHCP offer is received from the server. If a conflict is |
|
detected, the address is declined. The DHCPv4 client also gained |
|
support for a new RouteMTUBytes= setting that allows to configure the |
|
MTU size to be used for routes generated from DHCPv4 leases. |
|
|
|
* The PrefixRoute= setting in systemd-networkd’s [Address] section of |
|
.network files has been deprecated, and replaced by AddPrefixRoute=, |
|
with its sense inverted. |
|
|
|
* The Gateway= setting of [Route] sections of .network files gained |
|
support for a special new value “_dhcp”. If set, the configured |
|
static route uses the gateway host configured via DHCP. |
|
|
|
* New User= and SuppressPrefixLength= settings have been implemented |
|
for the [RoutingPolicyRule] section of .network files to configure |
|
source routing based on UID ranges and prefix length, respectively. |
|
|
|
* The Type= match property of .link files has been generalized to |
|
always match the device type shown by ‘networkctl status’, even for |
|
devices where udev does not set DEVTYPE=. This allows e.g. Type=ether |
|
to be used. |
|
|
|
* sd-bus gained a new API call sd_bus_message_sensitive() that marks a |
|
D-Bus message object as “sensitive”. Those objects are erased from |
|
memory when they are freed. This concept is intended to be used for |
|
messages that contain security sensitive data. A new flag |
|
SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods |
|
in sd-bus vtables, causing any incoming and outgoing messages of |
|
those methods to be implicitly marked as “sensitive”. |
|
|
|
* sd-bus gained a new API call sd_bus_message_dump() for dumping the |
|
contents of a message (or parts thereof) to standard output for |
|
debugging purposes. |
|
|
|
* systemd-sysusers gained support for creating users with the primary |
|
group named differently than the user. |
|
|
|
* systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab) |
|
gained support for growing XFS partitions. Previously it supported |
|
only ext4 and btrfs partitions. |
|
|
|
* The support for /etc/crypttab gained a new x-initrd.attach option. If |
|
set, the specified encrypted volume is unlocked already in the |
|
initrd. This concept corresponds to the x-initrd.mount option in |
|
/etc/fstab. |
|
|
|
* systemd-cryptsetup gained native support for unlocking encrypted |
|
volumes utilizing PKCS#11 smartcards, i.e. for example to bind |
|
encryption of volumes to YubiKeys. This is exposed in the new |
|
pkcs11-uri= option in /etc/crypttab. |
|
|
|
* The /etc/fstab support in systemd now supports two new mount options |
|
x-systemd.{required,wanted}-by=, for explicitly configuring the units |
|
that the specified mount shall be pulled in by, in place of |
|
the usual local-fs.target/remote-fs.target. |
|
|
|
* The https://systemd.io/ web site has been relaunched, directly |
|
populated with most of the documentation included in the systemd |
|
repository. systemd also acquired a new logo, thanks to Tobias |
|
Bernard. |
|
|
|
* systemd-udevd gained support for managing “alternative” network |
|
interface names, as supported by new Linux kernels. For the first |
|
time this permits assigning multiple (and longer!) names to a network |
|
interface. systemd-udevd will now by default assign the names |
|
generated via all supported naming schemes to each interface. This |
|
may be further tweaked with .link files and the AlternativeName= and |
|
AlternativeNamesPolicy= settings. Other components of systemd have |
|
been updated to support the new alternative names wherever |
|
appropriate. For example, systemd-nspawn will now generate |
|
alternative interface names for the host-facing side of container |
|
veth links based on the full container name without truncation. |
|
|
|
* systemd-nspawn interface naming logic has been updated in another way |
|
too: if the main interface name (i.e. as opposed to new-style |
|
“alternative” names) based on the container name is truncated, a |
|
simple hashing scheme is used to give different interface names to |
|
multiple containers whose names all begin with the same prefix. Since |
|
this changes the primary interface names pointing to containers if |
|
truncation happens, the old scheme may still be requested by |
|
selecting an older naming scheme, via the net.naming-scheme= kernel |
|
command line option. |
|
|
|
* PrivateUsers= in service files now works in services run by the |
|
systemd –user per-user instance of the service manager. |
|
|
|
* A new per-service sandboxing option ProtectClock= has been added that |
|
locks down write access to the system clock. It takes away device |
|
node access to /dev/rtc as well as the system calls that set the |
|
system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities. |
|
Note that this option does not affect access to auxiliary services |
|
that allow changing the clock, for example access to |
|
systemd-timedated. |
|
|
|
* The systemd-id128 tool gained a new “show” verb for listing or |
|
resolving a number of well-known UUIDs/128bit IDs, currently mostly |
|
GPT partition table types. |
|
|
|
* The Discoverable Partitions Specification has been updated to support |
|
/var and /var/tmp partition discovery. Support for this has been |
|
added to systemd-gpt-auto-generator. For details see: |
|
|
|
https://systemd.io/DISCOVERABLE_PARTITIONS |
|
|
|
* “systemctl list-unit-files” has been updated to show a new column |
|
with the suggested enablement state based on the vendor preset files |
|
for the respective units. |
|
|
|
* “systemctl” gained a new option “–with-dependencies”. If specified |
|
commands such as “systemctl status” or “systemctl cat” will now show |
|
all specified units along with all units they depend on. |
|
|
|
* networkctl gained support for showing per-interface logs in its |
|
“status” output. |
|
|
|
* systemd-networkd-wait-online gained support for specifying the maximum |
|
operational state to wait for, and to wait for interfaces to |
|
disappear. |
|
|
|
* The [Match] section of .link and .network files now supports a new |
|
option PermanentMACAddress= which may be used to check against the |
|
permanent MAC address of a network device even if a randomized MAC |
|
address is used. |
|
|
|
* The [TrafficControlQueueingDiscipline] section in .network files has |
|
been renamed to [NetworkEmulator] with the “NetworkEmulator” prefix |
|
dropped from the individual setting names. |
|
|
|
* Any .link and .network files that have an empty [Match] section (this |
|
also includes empty and commented-out files) will now be |
|
rejected. systemd-udev and systemd-networkd started warning about |
|
such files in version 243. |
|
|
|
* systemd-logind will now validate access to the operation of changing |
|
the virtual terminal via a polkit action. By default, only users |
|
with at least one session on a local VT are granted permission. |
|
|
|
* When systemd sets up PAM sessions that invoked service processes |
|
shall run in, the pam_setcred() API is now invoked, thus permitting |
|
PAM modules to set additional credentials for the processes. |
|
|
|
* portablectl attach/detach verbs now accept –now and –enable options |
|
to combine attachment with enablement and invocation, or detachment |
|
with stopping and disablement. |
|
|
|
* UPGRADE ISSUE: a bug where some jobs were trimmed as redundant was |
|
fixed, which in turn exposed bugs in unit configuration of services |
|
which have Type=oneshot and should only run once, but do not have |
|
RemainAfterExit=yes set. Without RemainAfterExit=yes, a one-shot |
|
service may be started again after exiting successfully, for example |
|
as a dependency in another transaction. Affected services included |
|
some internal systemd services (most notably |
|
systemd-vconsole-setup.service, which was updated to have |
|
RemainAfterExit=yes), and plymouth-start.service. Please ensure that |
|
plymouth has been suitably updated or patched before upgrading to |
|
this systemd release. See |
|
https://bugzilla.redhat.com/show_bug.cgi?id=1807771 for some |
|
additional discussion. |
|
|
|
Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita |
|
Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis, |
|
Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles |
|
(Chas) Williams, cheese1, Chris Down, Chris Murphy, Christian Ehrhardt, |
|
Christian Göttsche, cvoinf, Daan De Meyer, Daniele Medri, Daniel Rusek, |
|
Daniel Shahaf, Dann Frazier, Dan Streetman, Dariusz Gadomski, David |
|
Michael, Dimitri John Ledkov, Emmanuel Bourg, Evgeny Vereshchagin, |
|
ezst036, Felipe Sateler, Filipe Brandenburger, Florian Klink, Franck |
|
Bui, Fran Dieguez, Frantisek Sumsal, Greg “GothAck” Miell, Guilhem |
|
Lettron, Guillaume Douézan-Grard, Hans de Goede, HATAYAMA Daisuke, Iain |
|
Lane, James Buren, Jan Alexander Steffens (heftig), Jérémy Rosen, Jin |
|
Park, Jun’ichi Nomura, Kai Krakow, Kevin Kuehler, Kevin P. Fleming, |
|
Lennart Poettering, Leonid Bloch, Leonid Evdokimov, lothrond, Luca |
|
Boccassi, Lukas K, Lynn Kirby, Mario Limonciello, Mark Deneen, Matthew |
|
Leeds, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Auty, Mike |
|
Gilbert, mtron, nabijaczleweli, Naïm Favier, Nate Jones, Norbert Lange, |
|
Oliver Giles, Paul Davey, Paul Menzel, Peter Hutterer, Piotr Drąg, Rafa |
|
Couto, Raphael, rhn, Robert Scheck, Rocka, Romain Naour, Ryan Attard, |
|
Sascha Dewald, Shengjing Zhu, Slava Kardakov, Spencer Michaels, Sylvain |
|
Plantefeve, Stanislav Angelovič, Susant Sahani, Thomas Haller, Thomas |
|
Schmitt, Timo Schlüßler, Timo Wilken, Tobias Bernard, Tobias Klauser, |
|
Tobias Stoeckmann, Topi Miettinen, tsia, WataruMatsuoka, Wieland |
|
Hoffmann, Wilhelm Schuster, Will Fleming, xduugu, Yong Cong Sin, Yuri |
|
Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zeyu |
|
DONG |
|
|
|
– Warsaw, 2020-03-06 |
|
|
|
CHANGES WITH 244: |
|
|
|
* Support for the cpuset cgroups v2 controller has been added. |
|
Processes may be restricted to specific CPUs using the new |
|
AllowedCPUs= setting, and to specific memory NUMA nodes using the new |
|
AllowedMemoryNodes= setting. |
|
|
|
* The signal used in restart jobs (as opposed to e.g. stop jobs) may |
|
now be configured using a new RestartKillSignal= setting. This |
|
allows units which signals to request termination to implement |
|
different behaviour when stopping in preparation for a restart. |
|
|
|
* “systemctl clean” may now be used also for socket, mount, and swap |
|
units. |
|
|
|
* systemd will also read configuration options from the EFI variable |
|
SystemdOptions. This may be used to configure systemd behaviour when |
|
modifying the kernel command line is inconvenient, but configuration |
|
on disk is read too late, for example for the options related to |
|
cgroup hierarchy setup. ‘bootctl systemd-efi-options’ may be used to |
|
set the EFI variable. |
|
|
|
* systemd will now disable printk ratelimits in early boot. This should |
|
allow us to capture more logs from the early boot phase where normal |
|
storage is not available and the kernel ring buffer is used for |
|
logging. Configuration on the kernel command line has higher priority |
|
and overrides the systemd setting. |
|
|
|
systemd programs which log to /dev/kmsg directly use internal |
|
ratelimits to prevent runaway logging. (Normally this is only used |
|
during early boot, so in practice this change has very little |
|
effect.) |
|
|
|
* Unit files now support top level dropin directories of the form |
|
.d/ (e.g. service.d/) that may be used to add configuration |
|
that affects all corresponding unit files. |
|
|
|
* systemctl gained support for ‘stop –job-mode=triggering’ which will |
|
stop the specified unit and any units which could trigger it. |
|
|
|
* Unit status display now includes units triggering and triggered by |
|
the unit being shown. |
|
|
|
* The RuntimeMaxSec= setting is now supported by scopes, not just |
|
.service units. This is particularly useful for PAM sessions which |
|
create a scope unit for the user login. systemd.runtime_max_sec= |
|
setting may used with the pam_systemd module to limit the duration |
|
of the PAM session, for example for time-limited logins. |
|
|
|
* A new @pkey system call group is now defined to make it easier to |
|
allow-list memory protection syscalls for containers and services |
|
which need to use them. |
|
|
|
* systemd-udevd: removed the 30s timeout for killing stale workers on |
|
exit. systemd-udevd now waits for workers to finish. The hard-coded |
|
exit timeout of 30s was too short for some large installations, where |
|
driver initialization could be prematurely interrupted during initrd |
|
processing if the root file system had been mounted and init was |
|
preparing to switch root. If udevd is run without systemd and workers |
|
are hanging while udevd receives an exit signal, udevd will now exit |
|
when udev.event_timeout is reached for the last hanging worker. With |
|
systemd, the exit timeout can additionally be configured using |
|
TimeoutStopSec= in systemd-udevd.service. |
|
|
|
* udev now provides a program (fido_id) that identifies FIDO CTAP1 |
|
(“U2F”)/CTAP2 security tokens based on the usage declared in their |
|
report and descriptor and outputs suitable environment variables. |
|
This replaces the externally maintained allow lists of all known |
|
security tokens that were used previously. |
|
|
|
* Automatically generated autosuspend udev rules for allow-listed |
|
devices have been imported from the Chromium OS project. This should |
|
improve power saving with many more devices. |
|
|
|
* udev gained a new “CONST{key}=value” setting that allows matching |
|
against system-wide constants without forking a helper binary. |
|
Currently “arch” and “virt” keys are supported. |
|
|
|
* udev now opens CDROMs in non-exclusive mode when querying their |
|
capabilities. This should fix issues where other programs trying to |
|
use the CDROM cannot gain access to it, but carries a risk of |
|
interfering with programs writing to the disk, if they did not open |
|
the device in exclusive mode as they should. |
|
|
|
* systemd-networkd does not create a default route for IPv4 link local |
|
addressing anymore. The creation of the route was unexpected and was |
|
breaking routing in various cases, but people who rely on it being |
|
created implicitly will need to adjust. Such a route may be requested |
|
with DefaultRouteOnDevice=yes. |
|
|
|
Similarly, systemd-networkd will not assign a link-local IPv6 address |
|
when IPv6 link-local routing is not enabled. |
|
|
|
* Receive and transmit buffers may now be configured on links with |
|
the new RxBufferSize= and TxBufferSize= settings. |
|
|
|
* systemd-networkd may now advertise additional IPv6 routes. A new |
|
[IPv6RoutePrefix] section with Route= and LifetimeSec= options is |
|
now supported. |
|
|
|
* systemd-networkd may now configure “next hop” routes using the |
|
[NextHop] section and Gateway= and Id= settings. |
|
|
|
* systemd-networkd will now retain DHCP config on restarts by default |
|
(but this may be overridden using the KeepConfiguration= setting). |
|
The default for SendRelease= has been changed to true. |
|
|
|
* The DHCPv4 client now uses the OPTION_INFORMATION_REFRESH_TIME option |
|
received from the server. |
|
|
|
The client will use the received SIP server list if UseSIP=yes is |
|
set. |
|
|
|
The client may be configured to request specific options from the |
|
server using a new RequestOptions= setting. |
|
|
|
The client may be configured to send arbitrary options to the server |
|
using a new SendOption= setting. |
|
|
|
A new IPServiceType= setting has been added to configure the “IP |
|
service type” value used by the client. |
|
|
|
* The DHCPv6 client learnt a new PrefixDelegationHint= option to |
|
request prefix hints in the DHCPv6 solicitation. |
|
|
|
* The DHCPv4 server may be configured to send arbitrary options using |
|
a new SendOption= setting. |
|
|
|
* The DHCPv4 server may now be configured to emit SIP server list using |
|
the new EmitSIP= and SIP= settings. |
|
|
|
* systemd-networkd and networkctl may now renew DHCP leases on demand. |
|
networkctl has a new ‘networkctl renew’ verb. |
|
|
|
* systemd-networkd may now reconfigure links on demand. networkctl |
|
gained two new verbs: “reload” will reload the configuration, and |
|
“reconfigure DEVICE…” will reconfigure one or more devices. |
|
|
|
* .network files may now match on SSID and BSSID of a wireless network, |
|
i.e. the access point name and hardware address using the new SSID= |
|
and BSSID= options. networkctl will display the current SSID and |
|
BSSID for wireless links. |
|
|
|
.network files may also match on the wireless network type using the |
|
new WLANInterfaceType= option. |
|
|
|
* systemd-networkd now includes default configuration that enables |
|
link-local addressing when connected to an ad-hoc wireless network. |
|
|
|
* systemd-networkd may configure the Traffic Control queueing |
|
disciplines in the kernel using the new |
|
[TrafficControlQueueingDiscipline] section and Parent=, |
|
NetworkEmulatorDelaySec=, NetworkEmulatorDelayJitterSec=, |
|
NetworkEmulatorPacketLimit=, NetworkEmulatorLossRate=, |
|
NetworkEmulatorDuplicateRate= settings. |
|
|
|
* systemd-tmpfiles gained a new w+ setting to append to files. |
|
|
|
* systemd-analyze dump will now report when the memory configuration in |
|
the kernel does not match what systemd has configured (usually, |
|
because some external program has modified the kernel configuration |
|
on its own). |
|
|
|
* systemd-analyze gained a new –base-time= switch instructs the |
|
‘calendar’ verb to resolve times relative to that timestamp instead |
|
of the present time. |
|
|
|
* journalctl –update-catalog now produces deterministic output (making |
|
reproducible image builds easier). |
|
|
|
* A new devicetree-overlay setting is now documented in the Boot Loader |
|
Specification. |
|
|
|
* The default value of the WatchdogSec= setting used in systemd |
|
services (the ones bundled with the project itself) may be set at |
|
configuration time using the -Dservice-watchdog= setting. If set to |
|
empty, the watchdogs will be disabled. |
|
|
|
* systemd-resolved validates IP addresses in certificates now when GnuTLS |
|
is being used. |
|
|
|
* libcryptsetup >= 2.0.1 is now required. |
|
|
|
* A configuration option -Duser-path= may be used to override the $PATH |
|
used by the user service manager. The default is again to use the same |
|
path as the system manager. |
|
|
|
* The systemd-id128 tool gained a new switch “-u” (or “–uuid”) for |
|
outputting the 128bit IDs in UUID format (i.e. in the “canonical |
|
representation”). |
|
|
|
* Service units gained a new sandboxing option ProtectKernelLogs= which |
|
makes sure the program cannot get direct access to the kernel log |
|
buffer anymore, i.e. the syslog() system call (not to be confused |
|
with the API of the same name in libc, which is not affected), the |
|
/proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made |
|
inaccessible to the service. It’s recommended to enable this setting |
|
for all services that should not be able to read from or write to the |
|
kernel log buffer, which are probably almost all. |
|
|
|
Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey, |
|
Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, Carlo |
|
Teubner, cbzxt, Chen Qi, Chris Down, Christian Rebischke, Claudio |
|
Zumbo, ClydeByrdIII, crashfistfight, Cyprien Laplace, Daniel Edgecumbe, |
|
Daniel Gorbea, Daniel Rusek, Daniel Stuart, Dan Streetman, David |
|
Pedersen, David Tardon, Dimitri John Ledkov, Dominique Martinet, Donald |
|
A. Cupp Jr, Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger, |
|
Franck Bui, Frantisek Sumsal, Georg Müller, Hans de Goede, Haochen |
|
Tong, HATAYAMA Daisuke, Iwan Timmer, Jan Janssen, Jan Kundrát, Jan |
|
Synacek, Jan Tojnar, Jay Strict, Jérémy Rosen, Jóhann B. Guðmundsson, |
|
Jonas Jelten, Jonas Thelemann, Justin Trudell, J. Xing, Kai-Heng Feng, |
|
Kenneth D’souza, Kevin Becker, Kevin Kuehler, Lennart Poettering, |
|
Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej Stanczew, Mario |
|
Limonciello, Marko Myllynen, Mark Stosberg, Martin Wilck, matthiasroos, |
|
Michael Biebl, Michael Olbrich, Michael Tretter, Michal Sekletar, |
|
Michal Sekletár, Michal Suchanek, Mike Gilbert, Mike Kazantsev, Nicolas |
|
Douma, nikolas, Norbert Lange, pan93412, Pascal de Bruijn, Paul Menzel, |
|
Pavel Hrdina, Peter Wu, Philip Withnall, Piotr Drąg, Rafael Fontenelle, |
|
Renaud Métrich, Riccardo Schirone, RoadrunnerWMC, Ronan Pigott, Ryan |
|
Attard, Sebastian Wick, Serge, Siddharth Chandrasekara, Steve Ramage, |
|
Steve Traylen, Susant Sahani, Thibault Nélis, Tim Teichmann, Tom |
|
Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo, ypf791, Yu Watanabe, |
|
Zach Smith, Zbigniew Jędrzejewski-Szmek |
|
|
|
– Warsaw, 2019-11-29 |
|
|
|
CHANGES WITH 243: |
|
|
|
* This release enables unprivileged programs (i.e. requiring neither |
|
setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests |
|
by turning on the “net.ipv4.ping_group_range” sysctl of the Linux |
|
kernel for the whole UNIX group range, i.e. all processes. This |
|
change should be reasonably safe, as the kernel support for it was |
|
specifically implemented to allow safe access to ICMP Echo for |
|
processes lacking any privileges. If this is not desirable, it can be |
|
disabled again by setting the parameter to “1 0”. |
|
|
|
* Previously, filters defined with SystemCallFilter= would have the |
|
effect that any calling of an offending system call would terminate |
|
the calling thread. This behaviour never made much sense, since |
|
killing individual threads of unsuspecting processes is likely to |
|
create more problems than it solves. With this release the default |
|
action changed from killing the thread to killing the whole |
|
process. For this to work correctly both a kernel version (>= 4.14) |
|
and a libseccomp version (>= 2.4.0) supporting this new seccomp |
|
action is required. If an older kernel or libseccomp is used the old |
|
behaviour continues to be used. This change does not affect any |
|
services that have no system call filters defined, or that use |
|
SystemCallErrorNumber= (and thus see EPERM or another error instead |
|
of being killed when calling an offending system call). Note that |
|
systemd documentation always claimed that the whole process is |
|
killed. With this change behaviour is thus adjusted to match the |
|
documentation. |
|
|
|
* On 64 bit systems, the “kernel.pid_max” sysctl is now bumped to |
|
4194304 by default, i.e. the full 22bit range the kernel allows, up |
|
from the old 16bit range. This should improve security and |
|
robustness, as PID collisions are made less likely (though certainly |
|
still possible). There are rumours this might create compatibility |
|
problems, though at this moment no practical ones are known to |
|
us. Downstream distributions are hence advised to undo this change in |
|
their builds if they are concerned about maximum compatibility, but |
|
for everybody else we recommend leaving the value bumped. Besides |
|
improving security and robustness this should also simplify things as |
|
the maximum number of allowed concurrent tasks was previously bounded |
|
by both “kernel.pid_max” and “kernel.threads-max” and now effectively |
|
only a single knob is left (“kernel.threads-max”). There have been |
|
concerns that usability is affected by this change because larger PID |
|
numbers are harder to type, but we believe the change from 5 digits |
|
to 7 digits doesn’t hamper usability. |
|
|
|
* MemoryLow= and MemoryMin= gained hierarchy-aware counterparts, |
|
DefaultMemoryLow= and DefaultMemoryMin=, which can be used to |
|
hierarchically set default memory protection values for a particular |
|
subtree of the unit hierarchy. |
|
|
|
* Memory protection directives can now take a value of zero, allowing |
|
explicit opting out of a default value propagated by an ancestor. |
|
|
|
* systemd now defaults to the “unified” cgroup hierarchy setup during |
|
build-time, i.e. -Ddefault-hierarchy=unified is now the build-time |
|
default. Previously, -Ddefault-hierarchy=hybrid was the default. This |
|
change reflects the fact that cgroupsv2 support has matured |
|
substantially in both systemd and in the kernel, and is clearly the |
|
way forward. Downstream production distributions might want to |
|
continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for |
|
their builds as unfortunately the popular container managers have not |
|
caught up with the kernel API changes. |
|
|
|
* Man pages are not built by default anymore (html pages were already |
|
disabled by default), to make development builds quicker. When |
|
building systemd for a full installation with documentation, meson |
|
should be called with -Dman=true and/or -Dhtml=true as appropriate. |
|
The default was changed based on the assumption that quick one-off or |
|
repeated development builds are much more common than full optimized |
|
builds for installation, and people need to pass various other |
|
options to when doing “proper” builds anyway, so the gain from making |
|
development builds quicker is bigger than the one time disruption for |
|
packagers. |
|
|
|
Two scripts are created in the *build* directory to generate and |
|
preview man and html pages on demand, e.g.: |
|
|
|
build/man/man systemctl |
|
build/man/html systemd.index |
|
|
|
* libidn2 is used by default if both libidn2 and libidn are installed. |
|
Please use -Dlibidn=true if libidn is preferred. |
|
|
|
* The D-Bus “wire format” of the CPUAffinity= attribute is changed on |
|
big-endian machines. Before, bytes were written and read in native |
|
machine order as exposed by the native libc __cpu_mask interface. |
|
Now, little-endian order is always used (CPUs 0–7 are described by |
|
bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on). |
|
This change fixes D-Bus calls that cross endianness boundary. |
|
|
|
The presentation format used for CPUAffinity= by “systemctl show” and |
|
“systemd-analyze dump” is changed to present CPU indices instead of |
|
the raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be |
|
shown as CPUAffinity=03000000000000000000000000000… (on |
|
little-endian) or CPUAffinity=00000000000000300000000000000… (on |
|
64-bit big-endian), and is now shown as CPUAffinity=0-1, matching the |
|
input format. The maximum integer that will be printed in the new |
|
format is 8191 (four digits), while the old format always used a very |
|
long number (with the length varying by architecture), so they can be |
|
unambiguously distinguished. |
|
|
|
* /usr/sbin/halt.local is no longer supported. Implementation in |
|
distributions was inconsistent and it seems this functionality was |
|
very rarely used. |
|
|
|
To replace this functionality, users should: |
|
– either define a new unit and make it a dependency of final.target |
|
(systemctl add-wants final.target my-halt-local.service) |
|
– or move the shutdown script to /usr/lib/systemd/system-shutdown/ |
|
and ensure that it accepts “halt”, “poweroff”, “reboot”, and |
|
“kexec” as an argument, see the description in systemd-shutdown(8). |
|
|
|
* When a [Match] section in .link or .network file is empty (contains |
|
no match patterns), a warning will be emitted. Please add any “match |
|
all” pattern instead, e.g. OriginalName=* or Name=* in case all |
|
interfaces should really be matched. |
|
|
|
* A new setting NUMAPolicy= may be used to set process memory |
|
allocation policy. This setting can be specified in |
|
/etc/systemd/system.conf and hence will set the default policy for |
|
PID1. The default policy can be overridden on a per-service |
|
basis. The related setting NUMAMask= is used to specify NUMA node |
|
mask that should be associated with the selected policy. |
|
|
|
* PID 1 will now listen to Out-Of-Memory (OOM) events the kernel |
|
generates when processes it manages are reaching their memory limits, |
|
and will place their units in a special state, and optionally kill or |
|
stop the whole unit. |
|
|
|
* The service manager will now expose bus properties for the IO |
|
resources used by units. This information is also shown in “systemctl |
|
status” now (for services that have IOAccounting=yes set). Moreover, |
|
the IO accounting data is included in the resource log message |
|
generated whenever a unit stops. |
|
|
|
* Units may now configure an explicit timeout to wait for when killed |
|
with SIGABRT, for example when a service watchdog is hit. Previously, |
|
the regular TimeoutStopSec= timeout was applied in this case too — |
|
now a separate timeout may be set using TimeoutAbortSec=. |
|
|
|
* Services may now send a special WATCHDOG=trigger message with |
|
sd_notify() to trigger an immediate “watchdog missed” event, and thus |
|
trigger service termination. This is useful both for testing watchdog |
|
handling, but also for defining error paths in services, that shall |
|
be handled the same way as watchdog events. |
|
|
|
* There are two new per-unit settings IPIngressFilterPath= and |
|
IPEgressFilterPath= which allow configuration of a BPF program |
|
(usually by specifying a path to a program uploaded to /sys/fs/bpf/) |
|
to apply to the IP packet ingress/egress path of all processes of a |
|
unit. This is useful to allow running systemd services with BPF |
|
programs set up externally. |
|
|
|
* systemctl gained a new “clean” verb for removing the state, cache, |
|
runtime or logs directories of a service while it is terminated. The |
|
new verb may also be used to remove the state maintained on disk for |
|
timer units that have Persistent= configured. |
|
|
|
* During the last phase of shutdown systemd will now automatically |
|
increase the log level configured in the “kernel.printk” sysctl so |
|
that any relevant loggable events happening during late shutdown are |
|
made visible. Previously, loggable events happening so late during |
|
shutdown were generally lost if the “kernel.printk” sysctl was set to |
|
high thresholds, as regular logging daemons are terminated at that |
|
time and thus nothing is written to disk. |
|
|
|
* If processes terminated during the last phase of shutdown do not exit |
|
quickly systemd will now show their names after a short time, to make |
|
debugging easier. After a longer timeout they are forcibly killed, |
|
as before. |
|
|
|
* journalctl (and the other tools that display logs) will now highlight |
|
warnings in yellow (previously, both LOG_NOTICE and LOG_WARNING where |
|
shown in bright bold, now only LOG_NOTICE is). Moreover, audit logs |
|
are now shown in blue color, to separate them visually from regular |
|
logs. References to configuration files are now turned into clickable |
|
links on terminals that support that. |
|
|
|
* systemd-journald will now stop logging to /var/log/journal during |
|
shutdown when /var/ is on a separate mount, so that it can be |
|
unmounted safely during shutdown. |
|
|
|
* systemd-resolved gained support for a new ‘strict’ DNS-over-TLS mode. |
|
|
|
* systemd-resolved “Cache=” configuration option in resolved.conf has |
|
been extended to also accept the ‘no-negative’ value. Previously, |
|
only a boolean option was allowed (yes/no), having yes as the |
|
default. If this option is set to ‘no-negative’, negative answers are |
|
not cached while the old cache heuristics are used positive answers. |
|
The default remains unchanged. |
|
|
|
* The predictable naming scheme for network devices now supports |
|
generating predictable names for “netdevsim” devices. |
|
|
|
Moreover, the “en” prefix was dropped from the ID_NET_NAME_ONBOARD |
|
udev property. |
|
|
|
Those two changes form a new net.naming-policy-scheme= entry. |
|
Distributions which want to preserve naming stability may want to set |
|
the -Ddefault-net-naming-scheme= configuration option. |
|
|
|
* systemd-networkd now supports MACsec, nlmon, IPVTAP and Xfrm |
|
interfaces natively. |
|
|
|
* systemd-networkd’s bridge FDB support now allows configuration of a |
|
destination address for each entry (Destination=), as well as the |
|
VXLAN VNI (VNI=), as well as an option to declare what an entry is |
|
associated with (AssociatedWith=). |
|
|
|
* systemd-networkd’s DHCPv4 support now understands a new MaxAttempts= |
|
option for configuring the maximum number of DHCP lease requests. It |
|
also learnt a new BlackList= option for deny-listing DHCP servers (a |
|
similar setting has also been added to the IPv6 RA client), as well |
|
as a SendRelease= option for configuring whether to send a DHCP |
|
RELEASE message when terminating. |
|
|
|
* systemd-networkd’s DHCPv4 and DHCPv6 stacks can now be configured |
|
separately in the [DHCPv4] and [DHCPv6] sections. |
|
|
|
* systemd-networkd’s DHCP support will now optionally create an |
|
implicit host route to the DNS server specified in the DHCP lease, in |
|
addition to the routes listed explicitly in the lease. This should |
|
ensure that in multi-homed systems DNS traffic leaves the systems on |
|
the interface that acquired the DNS server information even if other |
|
routes such as default routes exist. This behaviour may be turned on |
|
with the new RoutesToDNS= option. |
|
|
|
* systemd-networkd’s VXLAN support gained a new option |
|
GenericProtocolExtension= for enabling VXLAN Generic Protocol |
|
Extension support, as well as IPDoNotFragment= for setting the IP |
|
“Don’t fragment” bit on outgoing packets. A similar option has been |
|
added to the GENEVE support. |
|
|
|
* In systemd-networkd’s [Route] section you may now configure |
|
FastOpenNoCookie= for configuring per-route TCP fast-open support, as |
|
well as TTLPropagate= for configuring Label Switched Path (LSP) TTL |
|
propagation. The Type= setting now supports local, broadcast, |
|
anycast, multicast, any, xresolve routes, too. |
|
|
|
* systemd-networkd’s [Network] section learnt a new option |
|
DefaultRouteOnDevice= for automatically configuring a default route |
|
onto the network device. |
|
|
|
* systemd-networkd’s bridging support gained two new options ProxyARP= |
|
and ProxyARPWifi= for configuring proxy ARP behaviour as well as |
|
MulticastRouter= for configuring multicast routing behaviour. A new |
|
option MulticastIGMPVersion= may be used to change bridge’s multicast |
|
Internet Group Management Protocol (IGMP) version. |
|
|
|
* systemd-networkd’s FooOverUDP support gained the ability to configure |
|
local and peer IP addresses via Local= and Peer=. A new option |
|
PeerPort= may be used to configure the peer’s IP port. |
|
|
|
* systemd-networkd’s TUN support gained a new setting VnetHeader= for |
|
tweaking Generic Segment Offload support. |
|
|
|
* The address family for policy rules may be specified using the new |
|
Family= option in the [RoutingPolicyRule] section. |
|
|
|
* networkctl gained a new “delete” command for removing virtual network |
|
devices, as well as a new “–stats” switch for showing device |
|
statistics. |
|
|
|
* networkd.conf gained a new setting SpeedMeter= and |
|
SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The |
|
measured speed may be shown by ‘networkctl status’. |
|
|
|
* “networkctl status” now displays MTU and queue lengths, and more |
|
detailed information about VXLAN and bridge devices. |
|
|
|
* systemd-networkd’s .network and .link files gained a new Property= |
|
setting in the [Match] section, to match against devices with |
|
specific udev properties. |
|
|
|
* systemd-networkd’s tunnel support gained a new option |
|
AssignToLoopback= for selecting whether to use the loopback device |
|
“lo” as underlying device. |
|
|
|
* systemd-networkd’s MACAddress= setting in the [Neighbor] section has |
|
been renamed to LinkLayerAddress=, and it now allows configuration of |
|
IP addresses, too. |
|
|
|
* systemd-networkd’s handling of the kernel’s disable_ipv6 sysctl is |
|
simplified: systemd-networkd will disable the sysctl (enable IPv6) if |
|
IPv6 configuration (static or DHCPv6) was found for a given |
|
interface. It will not touch the sysctl otherwise. |
|
|
|
* The order of entries is $PATH used by the user manager instance was |
|
changed to put bin/ entries before the corresponding sbin/ entries. |
|
It is recommended to not rely on this order, and only ever have one |
|
binary with a given name in the system paths under /usr. |
|
|
|
* A new tool systemd-network-generator has been added that may generate |
|
.network, .netdev and .link files from IP configuration specified on |
|
the kernel command line in the format used by Dracut. |
|
|
|
* The CriticalConnection= setting in .network files is now deprecated, |
|
and replaced by a new KeepConfiguration= setting which allows more |
|
detailed configuration of the IP configuration to keep in place. |
|
|
|
* systemd-analyze gained a few new verbs: |
|
|
|
– “systemd-analyze timestamp” parses and converts timestamps. This is |
|
similar to the existing “systemd-analyze calendar” command which |
|
does the same for recurring calendar events. |
|
|
|
– “systemd-analyze timespan” parses and converts timespans (i.e. |
|
durations as opposed to points in time). |
|
|
|
– “systemd-analyze condition” will parse and test ConditionXYZ= |
|
expressions. |
|
|
|
– “systemd-analyze exit-status” will parse and convert exit status |
|
codes to their names and back. |
|
|
|
– “systemd-analyze unit-files” will print a list of all unit |
|
file paths and unit aliases. |
|
|
|
* SuccessExitStatus=, RestartPreventExitStatus=, and |
|
RestartForceExitStatus= now accept exit status names (e.g. “DATAERR” |
|
is equivalent to “65”). Those exit status name mappings may be |
|
displayed with the systemd-analyze exit-status verb describe above. |
|
|
|
* systemd-logind now exposes a per-session SetBrightness() bus call, |
|
which may be used to securely change the brightness of a kernel |
|
brightness device, if it belongs to the session’s seat. By using this |
|
call unprivileged clients can make changes to “backlight” and “leds” |
|
devices securely with strict requirements on session membership. |
|
Desktop environments may use this to generically make brightness |
|
changes to such devices without shipping private SUID binaries or |
|
udev rules for that purpose. |
|
|
|
* “udevadm info” gained a –wait-for-initialization switch to wait for |
|
a device to be initialized. |
|
|
|
* systemd-hibernate-resume-generator will now look for resumeflags= on |
|
the kernel command line, which is similar to rootflags= and may be |
|
used to configure device timeout for the hibernation device. |
|
|
|
* sd-event learnt a new API call sd_event_source_disable_unref() for |
|
disabling and unref’ing an event source in a single function. A |
|
related call sd_event_source_disable_unrefp() has been added for use |
|
with gcc’s cleanup extension. |
|
|
|
* The sd-id128.h public API gained a new definition |
|
SD_ID128_UUID_FORMAT_STR for formatting a 128bit ID in UUID format |
|
with printf(). |
|
|
|
* “busctl introspect” gained a new switch –xml-interface for dumping |
|
XML introspection data unmodified. |
|
|
|
* PID 1 may now show the unit name instead of the unit description |
|
string in its status output during boot. This may be configured in |
|
the StatusUnitFormat= setting in /etc/systemd/system.conf or the |
|
kernel command line option systemd.status_unit_format=. |
|
|
|
* PID 1 now understands a new option KExecWatchdogSec= in |
|
/etc/systemd/system.conf to set a watchdog timeout for kexec reboots. |
|
Previously watchdog functionality was only available for regular |
|
reboots. The new setting defaults to off, because we don’t know in |
|
the general case if the watchdog will be reset after kexec (some |
|
drivers do reset it, but not all), and the new userspace might not be |
|
configured to handle the watchdog. |
|
|
|
Moreover, the old ShutdownWatchdogSec= setting has been renamed to |
|
RebootWatchdogSec= to more clearly communicate what it is about. The |
|
old name is still accepted for compatibility. |
|
|
|
* The systemd.debug_shell kernel command line option now optionally |
|
takes a tty name to spawn the debug shell on, which allows a |
|
different tty to be selected than the built-in default. |
|
|
|
* Service units gained a new ExecCondition= setting which will run |
|
before ExecStartPre= and either continue execution of the unit (for |
|
clean exit codes), stop execution without marking the unit failed |
|
(for exit codes 1 through 254), or stop execution and fail the unit |
|
(for exit code 255 or abnormal termination). |
|
|
|
* A new service systemd-pstore.service has been added that pulls data |
|
from /sys/fs/pstore/ and saves it to /var/lib/pstore for later |
|
review. |
|
|
|
* timedatectl gained new verbs for configuring per-interface NTP |
|
service configuration for systemd-timesyncd. |
|
|
|
* “localectl list-locales” won’t list non-UTF-8 locales anymore. It’s |
|
2019. (You can set non-UTF-8 locales though, if you know their name.) |
|
|
|
* If variable assignments in sysctl.d/ files are prefixed with “-” any |
|
failures to apply them are now ignored. |
|
|
|
* systemd-random-seed.service now optionally credits entropy when |
|
applying the seed to the system. Set $SYSTEMD_RANDOM_SEED_CREDIT to |
|
true for the service to enable this behaviour, but please consult the |
|
documentation first, since this comes with a couple of caveats. |
|
|
|
* systemd-random-seed.service is now a synchronization point for full |
|
initialization of the kernel’s entropy pool. Services that require |
|
/dev/urandom to be correctly initialized should be ordered after this |
|
service. |
|
|
|
* The systemd-boot boot loader has been updated to optionally maintain |
|
a random seed file in the EFI System Partition (ESP). During the boot |
|
phase, this random seed is read and updated with a new seed |
|
cryptographically derived from it. Another derived seed is passed to |
|
the OS. The latter seed is then credited to the kernel’s entropy pool |
|
very early during userspace initialization (from PID 1). This allows |
|
systems to boot up with a fully initialized kernel entropy pool from |
|
earliest boot on, and thus entirely removes all entropy pool |
|
initialization delays from systems using systemd-boot. Special care |
|
is taken to ensure different seeds are derived on system images |
|
replicated to multiple systems. “bootctl status” will show whether |
|
a seed was received from the boot loader. |
|
|
|
* bootctl gained two new verbs: |
|
|
|
– “bootctl random-seed” will generate the file in ESP and an EFI |
|
variable to allow a random seed to be passed to the OS as described |
|
above. |
|
|
|
– “bootctl is-installed” checks whether systemd-boot is currently |
|
installed. |
|
|
|
* bootctl will warn if it detects that boot entries are misconfigured |
|
(for example if the kernel image was removed without purging the |
|
bootloader entry). |
|
|
|
* A new document has been added describing systemd’s use and support |
|
for the kernel’s entropy pool subsystem: |
|
|
|
https://systemd.io/RANDOM_SEEDS |
|
|
|
* When the system is hibernated the swap device to write the |
|
hibernation image to is now automatically picked from all available |
|
swap devices, preferring the swap device with the highest configured |
|
priority over all others, and picking the device with the most free |
|
space if there are multiple devices with the highest priority. |
|
|
|
* /etc/crypttab support has learnt a new keyfile-timeout= per-device |
|
option that permits selecting the timeout how long to wait for a |
|
device with an encryption key before asking for the password. |
|
|
|
* IOWeight= has learnt to properly set the IO weight when using the |
|
BFQ scheduler officially found in kernels 5.0+. |
|
|
|
* A new mailing list has been created for reporting of security issues: |
|
systemd-security@redhat.com. For mode details, see |
|
https://systemd.io/CONTRIBUTING#security-vulnerability-reports. |
|
|
|
Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht |
|
Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey, |
|
Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris |
|
Chiu, Chris Down, Christian Göttsche, Christian Kellner, Clinton Roy, |
|
Connor Reeder, Daniel Black, Daniel Lublin, Daniele Medri, Dan |
|
Streetman, Dave Reisner, Dave Ross, David Art, David Tardon, Debarshi |
|
Ray, Dimitri John Ledkov, Dominick Grift, Donald Buczek, Douglas |
|
Christman, Eric DeVolder, EtherGraf, Evgeny Vereshchagin, Feldwor, |
|
Felix Riemann, Florian Dollinger, Francesco Pennica, Franck Bui, |
|
Frantisek Sumsal, Franz Pletz, frederik, Hans de Goede, Iago López |
|
Galeiras, Insun Pyo, Ivan Shapovalov, Iwan Timmer, Jack, Jakob |
|
Unterwurzacher, Jan Chren, Jan Klötzke, Jan Losinski, Jan Pokorný, Jan |
|
Synacek, Jan-Michael Brummer, Jeka Pats, Jeremy Soller, Jérémy Rosen, |
|
Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann B. Guðmundsson, |
|
Johannes Christ, Johannes Schmitz, Jonathan Rouleau, Jorge Niedbalski, |
|
Jörg Thalheim, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy, |
|
Krayushkin Konstantin, Lennart Poettering, Lubomir Rintel, Luca |
|
Boccassi, Luís Ferreira, Marc-André Lureau, Markus Felten, Martin Pitt, |
|
Matthew Leeds, Mattias Jernberg, Michael Biebl, Michael Olbrich, |
|
Michael Prokop, Michael Stapelberg, Michael Zhivich, Michal Koutný, |
|
Michal Sekletar, Mike Gilbert, Milan Broz, Miroslav Lichvar, mpe85, |
|
Mr-Foo, Network Silence, Oliver Harley, pan93412, Paul Menzel, pEJipE, |
|
Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Robert |
|
Scheck, Roberto Santalla, Ronan Pigott, root, RussianNeuroMancer, |
|
Sebastian Jennen, shinygold, Shreyas Behera, Simon Schricker, Susant |
|
Sahani, Thadeu Lima de Souza Cascardo, Theo Ouzhinski, Thiebaud |
|
Weksteen, Thomas Haller, Thomas Weißschuh, Tomas Mraz, Tommi Rantala, |
|
Topi Miettinen, VD-Lycos, ven, Vladimir Yerilov, Wieland Hoffmann, |
|
William A. Kennington III, William Wold, Xi Ruoyao, Yuri Chornoivan, |
|
Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei |
|
|
|
– Camerino, 2019-09-03 |
|
|
|
CHANGES WITH 242: |
|
|
|
* In .link files, MACAddressPolicy=persistent (the default) is changed |
|
to cover more devices. For devices like bridges, tun, tap, bond, and |
|
similar interfaces that do not have other identifying information, |
|
the interface name is used as the basis for persistent seed for MAC |
|
and IPv4LL addresses. The way that devices that were handled |
|
previously is not changed, and this change is about covering more |
|
devices then previously by the “persistent” policy. |
|
|
|
MACAddressPolicy=random may be used to force randomized MACs and |
|
IPv4LL addresses for a device if desired. |
|
|
|
Hint: the log output from udev (at debug level) was enhanced to |
|
clarify what policy is followed and which attributes are used. |
|
`SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/` |
|
may be used to view this. |
|
|
|
Hint: if a bridge interface is created without any slaves, and gains |
|
a slave later, then now the bridge does not inherit slave’s MAC. |
|
To inherit slave’s MAC, for example, create the following file: |
|
“` |
|
# /etc/systemd/network/98-bridge-inherit-mac.link |
|
[Match] |
|
Type=bridge |
|
|
|
[Link] |
|
MACAddressPolicy=none |
|
“` |
|
|
|
* The .device units generated by systemd-fstab-generator and other |
|
generators do not automatically pull in the corresponding .mount unit |
|
as a Wants= dependency. This means that simply plugging in the device |
|
will not cause the mount unit to be started automatically. But please |
|
note that the mount unit may be started for other reasons, in |
|
particular if it is part of local-fs.target, and any unit which |
|
(transitively) depends on local-fs.target is started. |
|
|
|
* networkctl list/status/lldp now accept globbing wildcards for network |
|
interface names to match against all existing interfaces. |
|
|
|
* The $PIDFILE environment variable is set to point the absolute path |
|
configured with PIDFile= for processes of that service. |
|
|
|
* The fallback DNS server list was augmented with Cloudflare public DNS |
|
servers. Use `-Ddns-servers=` to set a different fallback. |
|
|
|
* A new special target usb-gadget.target will be started automatically |
|
when a USB Device Controller is detected (which means that the system |
|
is a USB peripheral). |
|
|
|
* A new unit setting CPUQuotaPeriodSec= assigns the time period |
|
relatively to which the CPU time quota specified by CPUQuota= is |
|
measured. |
|
|
|
* A new unit setting ProtectHostname= may be used to prevent services |
|
from modifying hostname information (even if they otherwise would |
|
have privileges to do so). |
|
|
|
* A new unit setting NetworkNamespacePath= may be used to specify a |
|
namespace for service or socket units through a path referring to a |
|
Linux network namespace pseudo-file. |
|
|
|
* The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now |
|
have an effect on .socket units: when used the listening socket is |
|
created within the configured network namespace instead of the host |
|
namespace. |
|
|
|
* ExecStart= command lines in unit files may now be prefixed with ‘:’ |
|
in which case environment variable substitution is |
|
disabled. (Supported for the other ExecXYZ= settings, too.) |
|
|
|
* .timer units gained two new boolean settings OnClockChange= and |
|
OnTimezoneChange= which may be used to also trigger a unit when the |
|
system clock is changed or the local timezone is |
|
modified. systemd-run has been updated to make these options easily |
|
accessible from the command line for transient timers. |
|
|
|
* Two new conditions for units have been added: ConditionMemory= may be |
|
used to conditionalize a unit based on installed system |
|
RAM. ConditionCPUs= may be used to conditionalize a unit based on |
|
installed CPU cores. |
|
|
|
* The @default system call filter group understood by SystemCallFilter= |
|
has been updated to include the new rseq() system call introduced in |
|
kernel 4.15. |
|
|
|
* A new time-set.target has been added that indicates that the system |
|
time has been set from a local source (possibly imprecise). The |
|
existing time-sync.target is stronger and indicates that the time has |
|
been synchronized with a precise external source. Services where |
|
approximate time is sufficient should use the new target. |
|
|
|
* “systemctl start” (and related commands) learnt a new |
|
–show-transaction option. If specified brief information about all |
|
jobs queued because of the requested operation is shown. |
|
|
|
* systemd-networkd recognizes a new operation state ‘enslaved’, used |
|
(instead of ‘degraded’ or ‘carrier’) for interfaces which form a |
|
bridge, bond, or similar, and an new ‘degraded-carrier’ operational |
|
state used for the bond or bridge master interface when one of the |
|
enslaved devices is not operational. |
|
|
|
* .network files learnt the new IgnoreCarrierLoss= option for leaving |
|
networks configured even if the carrier is lost. |
|
|
|
* The RequiredForOnline= setting in .network files may now specify a |
|
minimum operational state required for the interface to be considered |
|
“online” by systemd-networkd-wait-online. Related to this |
|
systemd-networkd-wait-online gained a new option –operational-state= |
|
to configure the same, and its –interface= option was updated to |
|
optionally also take an operational state specific for an interface. |
|
|
|
* systemd-networkd-wait-online gained a new setting –any for waiting |
|
for only one of the requested interfaces instead of all of them. |
|
|
|
* systemd-networkd now implements L2TP tunnels. |
|
|
|
* Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix= |
|
may be used to cause autonomous and onlink prefixes received in IPv6 |
|
Router Advertisements to be ignored. |
|
|
|
* New MulticastFlood=, NeighborSuppression=, and Learning= .network |
|
file settings may be used to tweak bridge behaviour. |
|
|
|
* The new TripleSampling= option in .network files may be used to |
|
configure CAN triple sampling. |
|
|
|
* A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be |
|
used to point to private or preshared key for a WireGuard interface. |
|
|
|
* /etc/crypttab now supports the same-cpu-crypt and |
|
submit-from-crypt-cpus options to tweak encryption work scheduling |
|
details. |
|
|
|
* systemd-tmpfiles will now take a BSD file lock before operating on a |
|
contents of directory. This may be used to temporarily exclude |
|
directories from aging by taking the same lock (useful for example |
|
when extracting a tarball into /tmp or /var/tmp as a privileged user, |
|
which might create files with really old timestamps, which |
|
nevertheless should not be deleted). For further details, see: |
|
|
|
https://systemd.io/TEMPORARY_DIRECTORIES |
|
|
|
* systemd-tmpfiles’ h line type gained support for the |
|
FS_PROJINHERIT_FL (‘P’) file attribute (introduced in kernel 4.5), |
|
controlling project quota inheritance. |
|
|
|
* sd-boot and bootctl now implement support for an Extended Boot Loader |
|
(XBOOTLDR) partition, that is intended to be mounted to /boot, in |
|
addition to the ESP partition mounted to /efi or /boot/efi. |
|
Configuration file fragments, kernels, initrds and other EFI images |
|
to boot will be loaded from both the ESP and XBOOTLDR partitions. |
|
The XBOOTLDR partition was previously described by the Boot Loader |
|
Specification, but implementation was missing in sd-boot. Support for |
|
this concept allows using the sd-boot boot loader in more |
|
conservative scenarios where the boot loader itself is placed in the |
|
ESP but the kernels to boot (and their metadata) in a separate |
|
partition. |
|
|
|
* A system may now be booted with systemd.volatile=overlay on the |
|
kernel command line, which causes the root file system to be set up |
|
an overlayfs mount combining the root-only root directory with a |
|
writable tmpfs. In this setup, the underlying root device is not |
|
modified, and any changes are lost at reboot. |
|
|
|
* Similar, systemd-nspawn can now boot containers with a volatile |
|
overlayfs root with the new –volatile=overlay switch. |
|
|
|
* systemd-nspawn can now consume OCI runtime bundles using a new |
|
–oci-bundle= option. This implementation is fully usable, with most |
|
features in the specification implemented, but since this a lot of |
|
new code and functionality, this feature should most likely not |
|
be used in production yet. |
|
|
|
* systemd-nspawn now supports various options described by the OCI |
|
runtime specification on the command-line and in .nspawn files: |
|
–inaccessible=/Inaccessible= may be used to mask parts of the file |
|
system tree, –console=/–pipe may be used to configure how standard |
|
input, output, and error are set up. |
|
|
|
* busctl learned the `emit` verb to generate D-Bus signals. |
|
|
|
* systemd-analyze cat-config may be used to gather and display |
|
configuration spread over multiple files, for example system and user |
|
presets, tmpfiles.d, sysusers.d, udev rules, etc. |
|
|
|
* systemd-analyze calendar now takes an optional new parameter |
|
–iterations= which may be used to show a maximum number of iterations |
|
the specified expression will elapse next. |
|
|
|
* The sd-bus C API gained support for naming method parameters in the |
|
introspection data. |
|
|
|
* systemd-logind gained D-Bus APIs to specify the “reboot parameter” |
|
the reboot() system call expects. |
|
|
|
* journalctl learnt a new –cursor-file= option that points to a file |
|
from which a cursor should be loaded in the beginning and to which |
|
the updated cursor should be stored at the end. |
|
|
|
* ACRN hypervisor and Windows Subsystem for Linux (WSL) are now |
|
detected by systemd-detect-virt (and may also be used in |
|
ConditionVirtualization=). |
|
|
|
* The behaviour of systemd-logind may now be modified with environment |
|
variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP, |
|
$SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and |
|
$SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either |
|
skip the relevant operation completely (when set to false), or to |
|
create a flag file in /run/systemd (when set to true), instead of |
|
actually commencing the real operation when requested. The presence |
|
of /run/systemd/reboot-to-firmware-setup, |
|
/run/systemd/reboot-to-boot-loader-menu, and |
|
/run/systemd/reboot-to-boot-loader-entry, may be used by alternative |
|
boot loader implementations to replace some steps logind performs |
|
during reboot with their own operations. |
|
|
|
* systemctl can be used to request a reboot into the boot loader menu |
|
or a specific boot loader entry with the new –boot-load-menu= and |
|
–boot-loader-entry= options to a reboot command. (This requires a |
|
boot loader that supports this, for example sd-boot.) |
|
|
|
* kernel-install will no longer unconditionally create the output |
|
directory (e.g. /efi//) for boot loader |
|
snippets, but will do only if the machine-specific parent directory |
|
(i.e. /efi//) already exists. bootctl has been modified |
|
to create this parent directory during sd-boot installation. |
|
|
|
This makes it easier to use kernel-install with plugins which support |
|
a different layout of the bootloader partitions (for example grub2). |
|
|
|
* During package installation (with `ninja install`), we would create |
|
symlinks for getty@tty1.service, systemd-networkd.service, |
|
systemd-networkd.socket, systemd-resolved.service, |
|
remote-cryptsetup.target, remote-fs.target, |
|
systemd-networkd-wait-online.service, and systemd-timesyncd.service |
|
in /etc, as if `systemctl enable` was called for those units, to make |
|
the system usable immediately after installation. Now this is not |
|
done anymore, and instead calling `systemctl preset-all` is |
|
recommended after the first installation of systemd. |
|
|
|
* A new boolean sandboxing option RestrictSUIDSGID= has been added that |
|
is built on seccomp. When turned on creation of SUID/SGID files is |
|
prohibited. |
|
|
|
* The NoNewPrivileges= and the new RestrictSUIDSGID= options are now |
|
implied if DynamicUser= is turned on for a service. This hardens |
|
these services, so that they neither can benefit from nor create |
|
SUID/SGID executables. This is a minor compatibility breakage, given |
|
that when DynamicUser= was first introduced SUID/SGID behaviour was |
|
unaffected. However, the security benefit of these two options is |
|
substantial, and the setting is still relatively new, hence we opted |
|
to make it mandatory for services with dynamic users. |
|
|
|
Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin, |
|
Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani, |
|
Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin, |
|
Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black, |
|
Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny |
|
Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal, |
|
Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun |
|
Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski, |
|
Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart |
|
Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias |
|
Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal |
|
Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone, |
|
Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan |
|
Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant |
|
Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo |
|
Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi |
|
Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu, |
|
Yu Watanabe, Zbigniew Jędrzejewski-Szmek |
|
|
|
— Warsaw, 2019-04-11 |
|
|
|
CHANGES WITH 241: |
|
|
|
* The default locale can now be configured at compile time. Otherwise, |
|
a suitable default will be selected automatically (one of C.UTF-8, |
|
en_US.UTF-8, and C). |
|
|
|
* The version string shown by systemd and other tools now includes the |
|
git commit hash when built from git. An override may be specified |
|
during compilation, which is intended to be used by distributions to |
|
include the package release information. |
|
|
|
* systemd-cat can now filter standard input and standard error streams |
|
for different syslog priorities using the new –stderr-priority= |
|
option. |
|
|
|
* systemd-journald and systemd-journal-remote reject entries which |
|
contain too many fields (CVE-2018-16865) and set limits on the |
|
process’ command line length (CVE-2018-16864). |
|
|
|
* $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd |
|
again. |
|
|
|
* A new network device NamePolicy “keep” is implemented for link files, |
|
and used by default in 99-default.link (the fallback configuration |
|
provided by systemd). With this policy, if the network device name |
|
was already set by userspace, the device will not be renamed again. |
|
This matches the naming scheme that was implemented before |
|
systemd-240. If naming-scheme < 240 is specified, the "keep" policy |
|
is also enabled by default, even if not specified. Effectively, this |
|
means that if naming-scheme >= 240 is specified, network devices will |
|
be renamed according to the configuration, even if they have been |
|
renamed already, if “keep” is not specified as the naming policy in |
|
the .link file. The 99-default.link file provided by systemd includes |
|
“keep” for backwards compatibility, but it is recommended for user |
|
installed .link files to *not* include it. |
|
|
|
The “kernel” policy, which keeps kernel names declared to be |
|
“persistent”, now works again as documented. |
|
|
|
* kernel-install script now optionally takes the paths to one or more |
|
initrd files, and passes them to all plugins. |
|
|
|
* The mincore() system call has been dropped from the @system-service |
|
system call filter group, as it is pretty exotic and may potentially |
|
used for side-channel attacks. |
|
|
|
* -fPIE is dropped from compiler and linker options. Please specify |
|
-Db_pie=true option to meson to build position-independent |
|
executables. Note that the meson option is supported since meson-0.49. |
|
|
|
* The fs.protected_regular and fs.protected_fifos sysctls, which were |
|
added in Linux 4.19 to make some data spoofing attacks harder, are |
|
now enabled by default. While this will hopefully improve the |
|
security of most installations, it is technically a backwards |
|
incompatible change; to disable these sysctls again, place the |
|
following lines in /etc/sysctl.d/60-protected.conf or a similar file: |
|
|
|
fs.protected_regular = 0 |
|
fs.protected_fifos = 0 |
|
|
|
Note that the similar hardlink and symlink protection has been |
|
enabled since v199, and may be disabled likewise. |
|
|
|
* The files read from the EnvironmentFile= setting in unit files now |
|
parse backslashes inside quotes literally, matching the behaviour of |
|
POSIX shells. |
|
|
|
* udevadm trigger, udevadm control, udevadm settle and udevadm monitor |
|
now automatically become NOPs when run in a chroot() environment. |
|
|
|
* The tmpfiles.d/ “C” line type will now copy directory trees not only |
|
when the destination is so far missing, but also if it already exists |
|
as a directory and is empty. This is useful to cater for systems |
|
where directory trees are put together from multiple separate mount |
|
points but otherwise empty. |
|
|
|
* A new function sd_bus_close_unref() (and the associated |
|
sd_bus_close_unrefp()) has been added to libsystemd, that combines |
|
sd_bus_close() and sd_bus_unref() in one. |
|
|
|
* udevadm control learnt a new option for –ping for testing whether a |
|
systemd-udevd instance is running and reacting. |
|
|
|
* udevadm trigger learnt a new option for –wait-daemon for waiting |
|
systemd-udevd daemon to be initialized. |
|
|
|
Contributions from: Aaron Plattner, Alberts Muktupāvels, Alex Mayer, |
|
Ayman Bagabas, Beniamino Galvani, Burt P, Chris Down, Chris Lamb, Chris |
|
Morin, Christian Hesse, Claudius Ellsel, dana, Daniel Axtens, Daniele |
|
Medri, Dave Reisner, David Santamaría Rogado, Diego Canuhe, Dimitri |
|
John Ledkov, Evgeny Vereshchagin, Fabrice Fontaine, Filipe |
|
Brandenburger, Franck Bui, Frantisek Sumsal, govwin, Hans de Goede, |
|
James Hilliard, Jan Engelhardt, Jani Uusitalo, Jan Janssen, Jan |
|
Synacek, Jonathan McDowell, Jonathan Roemer, Jonathon Kowalski, Joost |
|
Heitbrink, Jörg Thalheim, Lance, Lennart Poettering, Louis Taylor, |
|
Lucas Werkmeister, Mantas Mikulėnas, Marc-Antoine Perennou, |
|
marvelousblack, Michael Biebl, Michael Sloan, Michal Sekletar, Mike |
|
Auty, Mike Gilbert, Mikhail Kasimov, Neil Brown, Niklas Hambüchen, |
|
Patrick Williams, Paul Seyfert, Peter Hutterer, Philip Withnall, Roger |
|
James, Ronnie P. Thomas, Ryan Gonzalez, Sam Morris, Stephan Edel, |
|
Stephan Gerhold, Susant Sahani, Taro Yamada, Thomas Haller, Topi |
|
Miettinen, YiFei Zhu, YmrDtnJu, YunQiang Su, Yu Watanabe, Zbigniew |
|
Jędrzejewski-Szmek, zsergeant77, Дамјан Георгиевски |
|
|
|
— Berlin, 2019-02-14 |
|
|
|
CHANGES WITH 240: |
|
|
|
* NoNewPrivileges=yes has been set for all long-running services |
|
implemented by systemd. Previously, this was problematic due to |
|
SELinux (as this would also prohibit the transition from PID1’s label |
|
to the service’s label). This restriction has since been lifted, but |
|
an SELinux policy update is required. |
|
(See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.) |
|
|
|
* DynamicUser=yes is dropped from systemd-networkd.service, |
|
systemd-resolved.service and systemd-timesyncd.service, which was |
|
enabled in v239 for systemd-networkd.service and systemd-resolved.service, |
|
and since v236 for systemd-timesyncd.service. The users and groups |
|
systemd-network, systemd-resolve and systemd-timesync are created |
|
by systemd-sysusers again. Distributors or system administrators |
|
may need to create these users and groups if they not exist (or need |
|
to re-enable DynamicUser= for those units) while upgrading systemd. |
|
Also, the clock file for systemd-timesyncd may need to move from |
|
/var/lib/private/systemd/timesync/clock to /var/lib/systemd/timesync/clock. |
|
|
|
* When unit files are loaded from disk, previously systemd would |
|
sometimes (depending on the unit loading order) load units from the |
|
target path of symlinks in .wants/ or .requires/ directories of other |
|
units. This meant that unit could be loaded from different paths |
|
depending on whether the unit was requested explicitly or as a |
|
dependency of another unit, not honouring the priority of directories |
|
in search path. It also meant that it was possible to successfully |
|
load and start units which are not found in the unit search path, as |
|
long as they were requested as a dependency and linked to from |
|
.wants/ or .requires/. The target paths of those symlinks are not |
|
used for loading units anymore and the unit file must be found in |
|
the search path. |
|
|
|
* A new service type has been added: Type=exec. It’s very similar to |
|
Type=simple but ensures the service manager will wait for both fork() |
|
and execve() of the main service binary to complete before proceeding |
|
with follow-up units. This is primarily useful so that the manager |
|
propagates any errors in the preparation phase of service execution |
|
back to the job that requested the unit to be started. For example, |
|
consider a service that has ExecStart= set to a file system binary |
|
that doesn’t exist. With Type=simple starting the unit would be |
|
considered instantly successful, as only fork() has to complete |
|
successfully and the manager does not wait for execve(), and hence |
|
its failure is seen “too late”. With the new Type=exec service type |
|
starting the unit will fail, as the manager will wait for the |
|
execve() and notice its failure, which is then propagated back to the |
|
start job. |
|
|
|
NOTE: with the next release 241 of systemd we intend to change the |
|
systemd-run tool to default to Type=exec for transient services |
|
started by it. This should be mostly safe, but in specific corner |
|
cases might result in problems, as the systemd-run tool will then |
|
block on NSS calls (such as user name look-ups due to User=) done |
|
between the fork() and execve(), which under specific circumstances |
|
might cause problems. It is recommended to specify “-p Type=simple” |
|
explicitly in the few cases where this applies. For regular, |
|
non-transient services (i.e. those defined with unit files on disk) |
|
we will continue to default to Type=simple. |
|
|
|
* The Linux kernel’s current default RLIMIT_NOFILE resource limit for |
|
userspace processes is set to 1024 (soft) and 4096 |
|
(hard). Previously, systemd passed this on unmodified to all |
|
processes it forked off. With this systemd release the hard limit |
|
systemd passes on is increased to 512K, overriding the kernel’s |
|
defaults and substantially increasing the number of simultaneous file |
|
descriptors unprivileged userspace processes can allocate. Note that |
|
the soft limit remains at 1024 for compatibility reasons: the |
|
traditional UNIX select() call cannot deal with file descriptors >= |
|
1024 and increasing the soft limit globally might thus result in |
|
programs unexpectedly allocating a high file descriptor and thus |
|
failing abnormally when attempting to use it with select() (of |
|
course, programs shouldn’t use select() anymore, and prefer |
|
poll()/epoll, but the call unfortunately remains undeservedly popular |
|
at this time). This change reflects the fact that file descriptor |
|
handling in the Linux kernel has been optimized in more recent |
|
kernels and allocating large numbers of them should be much cheaper |
|
both in memory and in performance than it used to be. Programs that |
|
want to take benefit of the increased limit have to “opt-in” into |
|
high file descriptors explicitly by raising their soft limit. Of |
|
course, when they do that they must acknowledge that they cannot use |
|
select() anymore (and neither can any shared library they use — or |
|
any shared library used by any shared library they use and so on). |
|
Which default hard limit is most appropriate is of course hard to |
|
decide. However, given reports that ~300K file descriptors are used |
|
in real-life applications we believe 512K is sufficiently high as new |
|
default for now. Note that there are also reports that using very |
|
high hard limits (e.g. 1G) is problematic: some software allocates |
|
large arrays with one element for each potential file descriptor |
|
(Java, …) — a high hard limit thus triggers excessively large memory |
|
allocations in these applications. Hopefully, the new default of 512K |
|
is a good middle ground: higher than what real-life applications |
|
currently need, and low enough for avoid triggering excessively large |
|
allocations in problematic software. (And yes, somebody should fix |
|
Java.) |
|
|
|
* The fs.nr_open and fs.file-max sysctls are now automatically bumped |
|
to the highest possible values, as separate accounting of file |
|
descriptors is no longer necessary, as memcg tracks them correctly as |
|
part of the memory accounting anyway. Thus, from the four limits on |
|
file descriptors currently enforced (fs.file-max, fs.nr_open, |
|
RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two, |
|
and keep only the latter two. A set of build-time options |
|
(-Dbump-proc-sys-fs-file-max=false and -Dbump-proc-sys-fs-nr-open=false) |
|
has been added to revert this change in behaviour, which might be |
|
an option for systems that turn off memcg in the kernel. |
|
|
|
* When no /etc/locale.conf file exists (and hence no locale settings |
|
are in place), systemd will now use the “C.UTF-8” locale by default, |
|
and set LANG= to it. This locale is supported by various |
|
distributions including Fedora, with clear indications that upstream |
|
glibc is going to make it available too. This locale enables UTF-8 |
|
mode by default, which appears appropriate for 2018. |
|
|
|
* The “net.ipv4.conf.all.rp_filter” sysctl will now be set to 2 by |
|
default. This effectively switches the RFC3704 Reverse Path filtering |
|
from Strict mode to Loose mode. This is more appropriate for hosts |
|
that have multiple links with routes to the same networks (e.g. |
|
a client with a Wi-Fi and Ethernet both connected to the internet). |
|
|
|
Consult the kernel documentation for details on this sysctl: |
|
https://docs.kernel.org/networking/ip-sysctl.html |
|
|
|
* The v239 change to turn on “net.ipv4.tcp_ecn” by default has been |
|
reverted. |
|
|
|
* CPUAccounting=yes no longer enables the CPU controller when using |
|
kernel 4.15+ and the unified cgroup hierarchy, as required accounting |
|
statistics are now provided independently from the CPU controller. |
|
|
|
* Support for disabling a particular cgroup controller within a sub-tree |
|
has been added through the DisableControllers= directive. |
|
|
|
* cgroup_no_v1=all on the kernel command line now also implies |
|
using the unified cgroup hierarchy, unless one explicitly passes |
|
systemd.unified_cgroup_hierarchy=0 on the kernel command line. |
|
|
|
* The new “MemoryMin=” unit file property may now be used to set the |
|
memory usage protection limit of processes invoked by the unit. This |
|
controls the cgroup v2 memory.min attribute. Similarly, the new |
|
“IODeviceLatencyTargetSec=” property has been added, wrapping the new |
|
cgroup v2 io.latency cgroup property for configuring per-service I/O |
|
latency. |
|
|
|
* systemd now supports the cgroup v2 devices BPF logic, as counterpart |
|
to the cgroup v1 “devices” cgroup controller. |
|
|
|
* systemd-escape now is able to combine –unescape with –template. It |
|
also learnt a new option –instance for extracting and unescaping the |
|
instance part of a unit name. |
|
|
|
* sd-bus now provides the sd_bus_message_readv() which is similar to |
|
sd_bus_message_read() but takes a va_list object. The pair |
|
sd_bus_set_method_call_timeout() and sd_bus_get_method_call_timeout() |
|
has been added for configuring the default method call timeout to |
|
use. sd_bus_error_move() may be used to efficiently move the contents |
|
from one sd_bus_error structure to another, invalidating the |
|
source. sd_bus_set_close_on_exit() and sd_bus_get_close_on_exit() may |
|
be used to control whether a bus connection object is automatically |
|
flushed when an sd-event loop is exited. |
|
|
|
* When processing classic BSD syslog log messages, journald will now |
|
save the original time-stamp string supplied in the new |
|
SYSLOG_TIMESTAMP= journal field. This permits consumers to |
|
reconstruct the original BSD syslog message more correctly. |
|
|
|
* StandardOutput=/StandardError= in service files gained support for |
|
new “append:…” parameters, for connecting STDOUT/STDERR of a service |
|
to a file, and appending to it. |
|
|
|
* The signal to use as last step of killing of unit processes is now |
|
configurable. Previously it was hard-coded to SIGKILL, which may now |
|
be overridden with the new KillSignal= setting. Note that this is the |
|
signal used when regular termination (i.e. SIGTERM) does not suffice. |
|
Similarly, the signal used when aborting a program in case of a |
|
watchdog timeout may now be configured too (WatchdogSignal=). |
|
|
|
* The XDG_SESSION_DESKTOP environment variable may now be configured in |
|
the pam_systemd argument line, using the new desktop= switch. This is |
|
useful to initialize it properly from a display manager without |
|
having to touch C code. |
|
|
|
* Most configuration options that previously accepted percentage values |
|
now also accept permille values with the ‘‰’ suffix (instead of ‘%’). |
|
|
|
* systemd-resolved may now optionally use OpenSSL instead of GnuTLS for |
|
DNS-over-TLS. |
|
|
|
* systemd-resolved’s configuration file resolved.conf gained a new |
|
option ReadEtcHosts= which may be used to turn off processing and |
|
honoring /etc/hosts entries. |
|
|
|
* The “–wait” switch may now be passed to “systemctl |
|
is-system-running”, in which case the tool will synchronously wait |
|
until the system finished start-up. |
|
|
|
* hostnamed gained a new bus call to determine the DMI product UUID. |
|
|
|
* On x86-64 systemd will now prefer using the RDRAND processor |
|
instruction over /dev/urandom whenever it requires randomness that |
|
neither has to be crypto-grade nor should be reproducible. This |
|
should substantially reduce the amount of entropy systemd requests |
|
from the kernel during initialization on such systems, though not |
|
reduce it to zero. (Why not zero? systemd still needs to allocate |
|
UUIDs and such uniquely, which require high-quality randomness.) |
|
|
|
* networkd gained support for Foo-Over-UDP, ERSPAN and ISATAP |
|
tunnels. It also gained a new option ForceDHCPv6PDOtherInformation= |
|
for forcing the “Other Information” bit in IPv6 RA messages. The |
|
bonding logic gained four new options AdActorSystemPriority=, |
|
AdUserPortKey=, AdActorSystem= for configuring various 802.3ad |
|
aspects, and DynamicTransmitLoadBalancing= for enabling dynamic |
|
shuffling of flows. The tunnel logic gained a new |
|
IPv6RapidDeploymentPrefix= option for configuring IPv6 Rapid |
|
Deployment. The policy rule logic gained four new options IPProtocol=, |
|
SourcePort= and DestinationPort=, InvertRule=. The bridge logic gained |
|
support for the MulticastToUnicast= option. networkd also gained |
|
support for configuring static IPv4 ARP or IPv6 neighbor entries. |
|
|
|
* .preset files (as read by ‘systemctl preset’) may now be used to |
|
instantiate services. |
|
|
|
* /etc/crypttab now understands the sector-size= option to configure |
|
the sector size for an encrypted partition. |
|
|
|
* Key material for encrypted disks may now be placed on a formatted |
|
medium, and referenced from /etc/crypttab by the UUID of the file |
|
system, followed by “=” suffixed by the path to the key file. |
|
|
|
* The “collect” udev component has been removed without replacement, as |
|
it is neither used nor maintained. |
|
|
|
* When the RuntimeDirectory=, StateDirectory=, CacheDirectory=, |
|
LogsDirectory=, ConfigurationDirectory= settings are used in a |
|
service the executed processes will now receive a set of environment |
|
variables containing the full paths of these directories. |
|
Specifically, RUNTIME_DIRECTORY=, STATE_DIRECTORY, CACHE_DIRECTORY, |
|
LOGS_DIRECTORY, CONFIGURATION_DIRECTORY are now set if these options |
|
are used. Note that these options may be used multiple times per |
|
service in which case the resulting paths will be concatenated and |
|
separated by colons. |
|
|
|
* Predictable interface naming has been extended to cover InfiniBand |
|
NICs. They will be exposed with an “ib” prefix. |
|
|
|
* tmpfiles.d/ line types may now be suffixed with a ‘-‘ character, in |
|
which case the respective line failing is ignored. |
|
|
|
* .link files may now be used to configure the equivalent to the |
|
“ethtool advertise” commands. |
|
|
|
* The sd-device.h and sd-hwdb.h APIs are now exported, as an |
|
alternative to libudev.h. Previously, the latter was just an internal |
|
wrapper around the former, but now these two APIs are exposed |
|
directly. |
|
|
|
* sd-id128.h gained a new function sd_id128_get_boot_app_specific() |
|
which calculates an app-specific boot ID similar to how |
|
sd_id128_get_machine_app_specific() generates an app-specific machine |
|
ID. |
|
|
|
* A new tool systemd-id128 has been added that can be used to determine |
|
and generate various 128bit IDs. |
|
|
|
* /etc/os-release gained two new standardized fields DOCUMENTATION_URL= |
|
and LOGO=. |
|
|
|
* systemd-hibernate-resume-generator will now honor the “noresume” |
|
kernel command line option, in which case it will bypass resuming |
|
from any hibernated image. |
|
|
|
* The systemd-sleep.conf configuration file gained new options |
|
AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=, |
|
AllowHybridSleep= for prohibiting specific sleep modes even if the |
|
kernel exports them. |
|
|
|
* portablectl is now officially supported and has thus moved to |
|
/usr/bin/. |
|
|
|
* bootctl learnt the two new commands “set-default” and “set-oneshot” |
|
for setting the default boot loader item to boot to (either |
|
persistently or only for the next boot). This is currently only |
|
compatible with sd-boot, but may be implemented on other boot loaders |
|
too, that follow the boot loader interface. The updated interface is |
|
now documented here: |
|
|
|
https://systemd.io/BOOT_LOADER_INTERFACE |
|
|
|
* A new kernel command line option systemd.early_core_pattern= is now |
|
understood which may be used to influence the core_pattern PID 1 |
|
installs during early boot. |
|
|
|
* busctl learnt two new options -j and –json= for outputting method |
|
call replies, properties and monitoring output in JSON. |
|
|
|
* journalctl’s JSON output now supports simple ANSI coloring as well as |
|
a new “json-seq” mode for generating RFC7464 output. |
|
|
|
* Unit files now support the %g/%G specifiers that resolve to the UNIX |
|
group/GID of the service manager runs as, similar to the existing |
|
%u/%U specifiers that resolve to the UNIX user/UID. |
|
|
|
* systemd-logind learnt a new global configuration option |
|
UserStopDelaySec= that may be set in logind.conf. It specifies how |
|
long the systemd –user instance shall remain started after a user |
|
logs out. This is useful to speed up repetitive re-connections of the |
|
same user, as it means the user’s service manager doesn’t have to be |
|
stopped/restarted on each iteration, but can be reused between |
|
subsequent options. This setting defaults to 10s. systemd-logind also |
|
exports two new properties on its Manager D-Bus objects indicating |
|
whether the system’s lid is currently closed, and whether the system |
|
is on AC power. |
|
|
|
* systemd gained support for a generic boot counting logic, which |
|
generically permits automatic reverting to older boot loader entries |
|
if newer updated ones don’t work. The boot loader side is implemented |
|
in sd-boot, but is kept open for other boot loaders too. For details |
|
see: |
|
|
|
https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT |
|
|
|
* The SuccessAction=/FailureAction= unit file settings now learnt two |
|
new parameters: “exit” and “exit-force”, which result in immediate |
|
exiting of the service manager, and are only useful in systemd –user |
|
and container environments. |
|
|
|
* Unit files gained support for a pair of options |
|
FailureActionExitStatus=/SuccessActionExitStatus= for configuring the |
|
exit status to use as service manager exit status when |
|
SuccessAction=/FailureAction= is set to exit or exit-force. |
|
|
|
* A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service |
|
options may now be used to configure the log rate limiting applied by |
|
journald per-service. |
|
|
|
* systemd-analyze gained a new verb “timespan” for parsing and |
|
normalizing time span values (i.e. strings like “5min 7s 8us”). |
|
|
|
* systemd-analyze also gained a new verb “security” for analyzing the |
|
security and sand-boxing settings of services in order to determine an |
|
“exposure level” for them, indicating whether a service would benefit |
|
from more sand-boxing options turned on for them. |
|
|
|
* “systemd-analyze syscall-filter” will now also show system calls |
|
supported by the local kernel but not included in any of the defined |
|
groups. |
|
|
|
* .nspawn files now understand the Ephemeral= setting, matching the |
|
–ephemeral command line switch. |
|
|
|
* sd-event gained the new APIs sd_event_source_get_floating() and |
|
sd_event_source_set_floating() for controlling whether a specific |
|
event source is “floating”, i.e. destroyed along with the even loop |
|
object itself. |
|
|
|
* Unit objects on D-Bus gained a new “Refs” property that lists all |
|
clients that currently have a reference on the unit (to ensure it is |
|
not unloaded). |
|
|
|
* The JoinControllers= option in system.conf is no longer supported, as |
|
it didn’t work correctly, is hard to support properly, is legacy (as |
|
the concept only exists on cgroup v1) and apparently wasn’t used. |
|
|
|
* Journal messages that are generated whenever a unit enters the failed |
|
state are now tagged with a unique MESSAGE_ID. Similarly, messages |
|
generated whenever a service process exits are now made recognizable, |
|
too. A tagged message is also emitted whenever a unit enters the |
|
“dead” state on success. |
|
|
|
* systemd-run gained a new switch –working-directory= for configuring |
|
the working directory of the service to start. A shortcut -d is |
|
equivalent, setting the working directory of the service to the |
|
current working directory of the invoking program. The new –shell |
|
(or just -S) option has been added for invoking the $SHELL of the |
|
caller as a service, and implies –pty –same-dir –wait –collect |
|
–service-type=exec. Or in other words, “systemd-run -S” is now the |
|
quickest way to quickly get an interactive in a fully clean and |
|
well-defined system service context. |
|
|
|
* machinectl gained a new verb “import-fs” for importing an OS tree |
|
from a directory. Moreover, when a directory or tarball is imported |
|
and single top-level directory found with the OS itself below the OS |
|
tree is automatically mangled and moved one level up. |
|
|
|
* systemd-importd will no longer set up an implicit btrfs loop-back |
|
file system on /var/lib/machines. If one is already set up, it will |
|
continue to be used. |
|
|
|
* A new generator “systemd-run-generator” has been added. It will |
|
synthesize a unit from one or more program command lines included in |
|
the kernel command line. This is very useful in container managers |
|
for example: |
|
|
|
# systemd-nspawn -i someimage.raw -b systemd.run='”some command line”‘ |
|
|
|
This will run “systemd-nspawn” on an image, invoke the specified |
|
command line and immediately shut down the container again, returning |
|
the command line’s exit code. |
|
|
|
* The block device locking logic is now documented: |
|
|
|
https://systemd.io/BLOCK_DEVICE_LOCKING |
|
|
|
* loginctl and machinectl now optionally output the various tables in |
|
JSON using the –output= switch. It is our intention to add similar |
|
support to systemctl and all other commands. |
|
|
|
* udevadm’s query and trigger verb now optionally take a .device unit |
|
name as argument. |
|
|
|
* systemd-udevd’s network naming logic now understands a new |
|
net.naming-scheme= kernel command line switch, which may be used to |
|
pick a specific version of the naming scheme. This helps stabilizing |
|
interface names even as systemd/udev are updated and the naming logic |
|
is improved. |
|
|
|
* sd-id128.h learnt two new auxiliary helpers: sd_id128_is_allf() and |
|
SD_ID128_ALLF to test if a 128bit ID is set to all 0xFF bytes, and to |
|
initialize one to all 0xFF. |
|
|
|
* After loading the SELinux policy systemd will now recursively relabel |
|
all files and directories listed in |
|
/run/systemd/relabel-extra.d/*.relabel (which should be simple |
|
newline separated lists of paths) in addition to the ones it already |
|
implicitly relabels in /run, /dev and /sys. After the relabelling is |
|
completed the *.relabel files (and /run/systemd/relabel-extra.d/) are |
|
removed. This is useful to permit initrds (i.e. code running before |
|
the SELinux policy is in effect) to generate files in the host |
|
filesystem safely and ensure that the correct label is applied during |
|
the transition to the host OS. |
|
|
|
* KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding |
|
mknod() handling in user namespaces. Previously mknod() would always |
|
fail with EPERM in user namespaces. Since 4.18 mknod() will succeed |
|
but device nodes generated that way cannot be opened, and attempts to |
|
open them result in EPERM. This breaks the “graceful fallback” logic |
|
in systemd’s PrivateDevices= sand-boxing option. This option is |
|
implemented defensively, so that when systemd detects it runs in a |
|
restricted environment (such as a user namespace, or an environment |
|
where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD) |
|
where device nodes cannot be created the effect of PrivateDevices= is |
|
bypassed (following the logic that 2nd-level sand-boxing is not |
|
essential if the system systemd runs in is itself already sand-boxed |
|
as a whole). This logic breaks with 4.18 in container managers where |
|
user namespacing is used: suddenly PrivateDevices= succeeds setting |
|
up a private /dev/ file system containing devices nodes — but when |
|
these are opened they don’t work. |
|
|
|
At this point it is recommended that container managers utilizing |
|
user namespaces that intend to run systemd in the payload explicitly |
|
block mknod() with seccomp or similar, so that the graceful fallback |
|
logic works again. |
|
|
|
We are very sorry for the breakage and the requirement to change |
|
container configurations for newer kernels. It’s purely caused by an |
|
incompatible kernel change. The relevant kernel developers have been |
|
notified about this userspace breakage quickly, but they chose to |
|
ignore it. |
|
|
|
* PermissionsStartOnly= setting is deprecated (but is still supported |
|
for backwards compatibility). The same functionality is provided by |
|
the more flexible “+”, “!”, and “!!” prefixes to ExecStart= and other |
|
commands. |
|
|
|
* $DBUS_SESSION_BUS_ADDRESS environment variable is not set by |
|
pam_systemd anymore. |
|
|
|
* The naming scheme for network devices was changed to always rename |
|
devices, even if they were already renamed by userspace. The “kernel” |
|
policy was changed to only apply as a fallback, if no other naming |
|
policy took effect. |
|
|
|
* The requirements to build systemd is bumped to meson-0.46 and |
|
python-3.5. |
|
|
|
Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander |
|
Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson, |
|
Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov, |
|
asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt |
|
Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen |
|
Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius |
|
Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn |
|
Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner, |
|
David Anderson, Davide Cavalca, David Leeds, David Malcolm, David |
|
Strauss, David Tardon, Dimitri John Ledkov, Dmitry Torokhov, dj-kaktus, |
|
Dongsu Park, Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters, |
|
|
