mirror of
https://github.com/systemd/systemd.git
synced 2024-11-27 12:13:33 +08:00
NEWS: various fixes
parent
b67ea78f23
commit
1ee3720e76
325
NEWS
@ -2,12 +2,12 @@ systemd System and Service Manager
|
||||
|
||||
CHANGES WITH 253 in spe:
|
||||
|
||||
Deprecations and incompatible changes
|
||||
Deprecations and incompatible changes:
|
||||
|
||||
* systemctl will now warn when invoked without /proc mounted (e.g. when
|
||||
invoked after chroot into an image without the API mount points like
|
||||
/proc being set up.) Operation in such an environment is not fully
|
||||
supported.
|
||||
* systemctl will now warn when invoked without /proc/ mounted
|
||||
(e.g. when invoked after chroot() into an directory tree without the
|
||||
API mount points like /proc/ being set up.) Operation in such an
|
||||
environment is not fully supported.
|
||||
|
||||
* The return value of 'systemctl is-active|is-enabled|is-failed' for
|
||||
unknown units is changed: previously 1 or 3 were returned, but now 4
|
||||
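Review bot: In the rewritten systemctl entry, "chroot() into an directory tree" should read "chroot() into a directory tree". The parenthetical also still closes with the period inside the bracket ("being set up.)"), as the old wording did; moving it outside would tidy the sentence while the entry is being touched.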
@ -16,14 +16,15 @@ CHANGES WITH 253 in spe:
|
||||
* 'udevadm hwdb' subcommand is deprecated and will emit a warning.
|
||||
systemd-hwdb (added in 2014) should be used instead.
|
||||
|
||||
* 'bootctl --json' now outputs well-formed JSON, instead of a stream
|
||||
* 'bootctl --json' now outputs a single JSON array, instead of a stream
|
||||
of newline-separated JSON objects.
|
||||
|
||||
* Udev rules in 60-evdev.rules have been changed to load hwdb properties
|
||||
for all modalias patterns. Previously only the first matching pattern
|
||||
was used. This could change what properties are assigned if the user
|
||||
has more and less specific patterns that could match the same device,
|
||||
but it is expected that the change will have no effect for most users.
|
||||
* Udev rules in 60-evdev.rules have been changed to load hwdb
|
||||
properties for all modalias patterns. Previously only the first
|
||||
matching pattern was used. This could change what properties are
|
||||
assigned if the user has more and less specific patterns that could
|
||||
match the same device, but it is expected that the change will have
|
||||
no effect for most users.
|
||||
|
||||
* systemd-networkd-wait-online exits successfully when all interfaces
|
||||
are ready or unmanaged. Previously, if neither '--any' nor
|
||||
@ -34,99 +35,102 @@ CHANGES WITH 253 in spe:
|
||||
manager is also enabled and used.
|
||||
|
||||
* Some compatibility helpers were dropped: EmergencyAction= in the user
|
||||
manager, measuring kernel command line into PCR 8 along with the
|
||||
-Defi-tpm-pcr-compat compile-time option.
|
||||
manager, as well as measuring kernel command line into PCR 8 in
|
||||
systemd-stub, along with the -Defi-tpm-pcr-compat compile-time
|
||||
option.
|
||||
|
||||
* The '-Dupdate-helper-user-timeout=' build-time option has been renamed
|
||||
to '-Dupdate-helper-user-timeout-sec=', and now takes an integer as
|
||||
parameter instead of a string.
|
||||
* The '-Dupdate-helper-user-timeout=' build-time option has been
|
||||
renamed to '-Dupdate-helper-user-timeout-sec=', and now takes an
|
||||
integer as parameter instead of a string.
|
||||
|
||||
New components:
|
||||
|
||||
* A tool 'ukify' tool to build, measure, and sign Unified Kernel Images
|
||||
(UKIs) has been added. This replaces functionality provided by
|
||||
'dracut --uefi' and extends it with automatic calculation of offsets,
|
||||
insertion of signed PCR policies generated by systemd-measure,
|
||||
support for initrd concatenation, signing of the embedded Linux image
|
||||
and the combined image with sbsign, and heuristics to autodetect the
|
||||
kernel uname and verify the splash image.
|
||||
'dracut --uefi' and extends it with automatic calculation of PE file
|
||||
offsets, insertion of signed PCR policies generated by
|
||||
systemd-measure, support for initrd concatenation, signing of the
|
||||
embedded Linux image and the combined image with sbsign, and
|
||||
heuristics to autodetect the kernel uname and verify the splash
|
||||
image.
|
||||
|
||||
Changes in systemd and units:
|
||||
|
||||
* A new unit type Type=notify-reload is defined. When such a unit is
|
||||
reloaded via a signal, the manager will wait until it receives a
|
||||
"READY=1" notification from the unit. Otherwise, this type is the
|
||||
same as Type=notify.
|
||||
* A new service type Type=notify-reload is defined. When such a unit is
|
||||
reloaded a signal (typically SIGHUP) is sent to the main service
|
||||
process. The manager will then wait until it receives a "RELOADING=1"
|
||||
followed by a "READY=1" notification from the unit as response (via
|
||||
sd_notify()). Otherwise, this type is the same as Type=notify.
|
||||
|
||||
user@.service, systemd-networkd.service, systemd-udevd.service, and
|
||||
systemd-logind have been updated to this type; their reloads are now
|
||||
synchronous.
|
||||
systemd-logind have been updated to this type.
|
||||
|
||||
* Initrd environments which are not on a temporary file system (for
|
||||
example an overlayfs combination) are now supported. Systemd will only
|
||||
skip removal of the files in the initrd if it doesn't detect a
|
||||
temporary file system.
|
||||
* Initrd environments which are not on a pure memory file system (e.g.
|
||||
overlayfs combination as opposed to tmpfs) are now supported. With
|
||||
this change, during the initrd → host transition ("switch root")
|
||||
systemd will no longer erase all files of the initrd unless it's
|
||||
backed by a memory file system such as tmpfs.
|
||||
|
||||
* New MemoryZSwapMax= option has been added to configure
|
||||
memory.zswap.max cgroup properties (the maximum amount of zswap used).
|
||||
* New per-unit MemoryZSwapMax= option has been added to configure
|
||||
memory.zswap.max cgroup properties (the maximum amount of zswap
|
||||
used).
|
||||
|
||||
* New LogFilterPatterns= option can be used to specify regexp
|
||||
accept/deny patterns for log entries generated by the unit. Based on
|
||||
the option value, the manager sets the
|
||||
user.journald_log_filter_patterns extended attribute on the unit
|
||||
cgroup. systemd-journald checks for this attribute when receiving
|
||||
messages, and will filter messages by matching the MESSAGE= part.
|
||||
* A new LogFilterPatterns= option has been added for units. It may be
|
||||
used to specify accept/deny regular expressions for log messages
|
||||
generated by the unit, that shall be enforced by systemd-journald.
|
||||
Rejected messages are neither stored in the journal nor forwarded.
|
||||
This option can be used to filter noisy or uninteresting messages
|
||||
This option may be used to suppress noisy or uninteresting messages
|
||||
from units.
|
||||
|
||||
* The manager has a new
|
||||
org.freedesktop.systemd1.Manager.GetUnitByPIDFD() method to query
|
||||
process ownership via a PIDFD, which is more resilient against PID
|
||||
recycling issues.
|
||||
org.freedesktop.systemd1.Manager.GetUnitByPIDFD() D-Bus method to
|
||||
query process ownership via a PIDFD, which is more resilient against
|
||||
PID recycling issues.
|
||||
|
||||
* Scope units now support OOMPolicy=. Login session scopes default to
|
||||
OOMPolicy=continue, allowing login scopes to survive the OOM killer
|
||||
terminating some processes in the scope.
|
||||
|
||||
* systemd-fstab-generator now supports x-systemd.makefs option for
|
||||
/sysroot (in the initrd).
|
||||
/sysroot/ (in the initrd).
|
||||
|
||||
* The maximum rate at which daemon reloads are executed can now be
|
||||
limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
|
||||
options. (Or the equivalent on the kernel command line:
|
||||
systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=).
|
||||
In addition, systemd now logs the originating unit and PID when
|
||||
a reload request is received over D-Bus.
|
||||
systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=). In
|
||||
addition, systemd now logs the originating unit and PID when a reload
|
||||
request is received over D-Bus.
|
||||
|
||||
* When enabling a swap device, instead of failing, systemd will now
|
||||
reinitialize the device when the page size of the swap space does not
|
||||
match the page size of the running kernel.
|
||||
* When enabling a swap device systemd will now reinitialize the device
|
||||
when the page size of the swap space does not match the page size of
|
||||
the running kernel.
|
||||
|
||||
* Systemd now executes generators in a mount namespace "sandbox" with
|
||||
most of the file system read-only, but with write access to the
|
||||
output directories, and with a temporary /tmp/ mount provided. This
|
||||
provides a safeguard against programming errors in the generators,
|
||||
but also fixes here-docs in shells, which previously didn't work in
|
||||
early boot when /tmp/ wasn't available yet. (This feature has no
|
||||
security implications, because the code is still privileged and can
|
||||
trivially exit the sandbox.)
|
||||
* systemd now executes generator programs in a mount namespace
|
||||
"sandbox" with most of the file system read-only and write access
|
||||
restricted to the output directories, and with a temporary /tmp/
|
||||
mount provided. This provides a safeguard against programming errors
|
||||
in the generators, but also fixes here-docs in shells, which
|
||||
previously didn't work in early boot when /tmp/ wasn't available
|
||||
yet. (This feature has no security implications, because the code is
|
||||
still privileged and can trivially exit the sandbox.)
|
||||
|
||||
* The manager will load the vmm.notify_socket credential. If found,
|
||||
it will send a "READY=1" notification on the specified socket after
|
||||
boot is complete. This allows readiness notification to be sent
|
||||
from a VM guest to the host over a VSOCK socket.
|
||||
* The system manager manager will now parse a new "vmm.notify_socket"
|
||||
system credential, which may be supplied to a VM via SMBIOS. If
|
||||
found, it will send a "READY=1" notification on the specified socket
|
||||
after boot is complete. This allows readiness notification to be sent
|
||||
from a VM guest to the VM host over a VSOCK socket.
|
||||
|
||||
* The sample PAM configuration file for systemd-user@.service now
|
||||
includes a call to pam_namespace. This puts children of user@.service
|
||||
in the expected namespace. (Many distributions replace their file
|
||||
with something custom, so this change has limited effect.)
|
||||
|
||||
* A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST can
|
||||
can be used to override the mount units burst late limit for parsing
|
||||
'/proc/self/mountinfo', which was introduced in v249. Defaults to 5.
|
||||
* A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST
|
||||
can can be used to override the mount units burst late limit for
|
||||
parsing '/proc/self/mountinfo', which was introduced in
|
||||
v249. Defaults to 5.
|
||||
|
||||
* Drop-ins for init.scope changing control cgroup resource limits are
|
||||
* Drop-ins for init.scope changing control group resource limits are
|
||||
now applied, while they were previously ignored.
|
||||
|
||||
* New build-time configuration options '-Ddefault-timeout-sec=' and
|
||||
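Review bot: Two duplicated words remain in the new wording of this hunk: "The system manager manager will now parse" in the vmm.notify_socket entry, and "can can be used" in the $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST entry, where the rewrap turned the old line-break pair into adjacent words. The same entry still says "burst late limit", which given the variable name is presumably meant to be "burst rate limit", and the unchanged line "A tool 'ukify' tool to build" has the same kind of duplication. Separately, the Type=notify-reload rewrite drops the statement that reloads of the listed services are now synchronous; keep it unless the removal is intended.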
@ -144,7 +148,7 @@ CHANGES WITH 253 in spe:
|
||||
The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
|
||||
a more informative path on some embedded systems.
|
||||
|
||||
* Block partitions will now also get symlinks in
|
||||
* Partition block devices will now also get symlinks in
|
||||
/dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
|
||||
block device nodes via the kernel's "diskseq" value. Previously those
|
||||
symlinks were only created for the main block device.
|
||||
@ -162,16 +166,15 @@ CHANGES WITH 253 in spe:
|
||||
means the RNG gets seeded very early in boot before userspace has
|
||||
started.
|
||||
|
||||
* systemd-boot will pass a random seed when secure boot is enabled if
|
||||
it can additionally get a random seed from EFI itself, via EFI's RNG
|
||||
protocol or a prior seed in LINUX_EFI_RANDOM_SEED_TABLE_GUID from a
|
||||
preceding bootloader.
|
||||
* systemd-boot will pass a disk-backed random seed – even when secure
|
||||
boot is enabled – if it can additionally get a random seed from EFI
|
||||
itself (via EFI's RNG protocol), or a prior seed in
|
||||
LINUX_EFI_RANDOM_SEED_TABLE_GUID from a preceding bootloader.
|
||||
|
||||
* systemd-boot-system-token.service was renamed to
|
||||
systemd-boot-random-seed.service and extended to always save the
|
||||
random seed to ESP on every boot when a compatible boot loader is
|
||||
used. This allows a refreshed random seed to be used in the boot
|
||||
loader.
|
||||
systemd-boot-random-seed.service and extended to always save a random
|
||||
seed to ESP on every boot when a compatible boot loader is used. This
|
||||
allows a refreshed random seed to be used in the boot loader.
|
||||
|
||||
* systemd-boot handles various seed inputs using a domain- and
|
||||
field-separated hashing scheme.
|
||||
@ -180,77 +183,85 @@ CHANGES WITH 253 in spe:
|
||||
token is now always required to be present for random seeds to be
|
||||
used.
|
||||
|
||||
* systemd-boot now supports being loaded not from the ESP, for example
|
||||
for direct kernel boot under QEMU or when embedded into the firmware.
|
||||
* systemd-boot now supports being loaded from other locations than the
|
||||
ESP, for example for direct kernel boot under QEMU or when embedded
|
||||
into the firmware.
|
||||
|
||||
* systemd-boot now parses SMBIOS info to detect virtualization. This
|
||||
information is used to skip some warnings which are not useful in a
|
||||
VM and to conditionalize other aspects of behaviour.
|
||||
* systemd-boot now parses SMBIOS information to detect
|
||||
virtualization. This information is used to skip some warnings which
|
||||
are not useful in a VM and to conditionalize other aspects of
|
||||
behaviour.
|
||||
|
||||
* systemd-boot now supports a new 'if-safe' mode that will perform UEFI
|
||||
Secure Boot automated certificate enrollment from the ESP only if it
|
||||
is considered 'safe' to do so. At the moment 'safe' means running in a
|
||||
virtual machine.
|
||||
is considered 'safe' to do so. At the moment 'safe' means running in
|
||||
a virtual machine.
|
||||
|
||||
* systemd-stub now processes random seeds in the same way as
|
||||
systemd-boot, in case a unified kernel image is being used from a
|
||||
different bootloader than systemd-boot.
|
||||
systemd-boot already does, in case a unified kernel image is being
|
||||
used from a different bootloader than systemd-boot, or without any
|
||||
boot load at all.
|
||||
|
||||
* bootctl will now generate a system token on all EFI systems, even
|
||||
virtualized ones, and is activated in the case that the system token
|
||||
is missing from either sd-boot and sd-stub booted systems.
|
||||
|
||||
* bootctl now implements two new verbs: 'kernel-identify' prints the
|
||||
type of a kernel image, and 'kernel-inspect' provides information
|
||||
about the embedded command line and kernel version.
|
||||
type of a kernel image file, and 'kernel-inspect' provides
|
||||
information about the embedded command line and kernel version of
|
||||
UKIs.
|
||||
|
||||
* bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
|
||||
as for kernel-install.
|
||||
|
||||
Changes in kernel-install:
|
||||
|
||||
* A new "installation layout" can be configured as layout=uki. With this
|
||||
setting, a Boot Loader Specification Type#1 entry will not be created.
|
||||
Instead, a new kernel-install plugin 90-uki-copy.install will copy any
|
||||
.efi files from the staging area into the boot partition. A plugin to
|
||||
generate the UKI .efi file must be provided separately.
|
||||
* A new "installation layout" can be configured as layout=uki. With
|
||||
this setting, a Boot Loader Specification Type#1 entry will not be
|
||||
created. Instead, a new kernel-install plugin 90-uki-copy.install
|
||||
will copy any .efi files from the staging area into the boot
|
||||
partition. A plugin to generate the UKI .efi file must be provided
|
||||
separately.
|
||||
|
||||
Changes in systemctl:
|
||||
|
||||
* 'systemctl reboot' has dropped support for accepting a positional
|
||||
argument as the argument to the reboot(2) syscall. Please use the
|
||||
--reboot-argument option instead.
|
||||
--reboot-argument= option instead.
|
||||
|
||||
* 'systemctl disable' will now warn when called on units without install
|
||||
information. A new --no-warn option has been added that silences this
|
||||
warning.
|
||||
* 'systemctl disable' will now warn when called on units without
|
||||
install information. A new --no-warn option has been added that
|
||||
silences this warning.
|
||||
|
||||
* New option '--drop-in=' can be used to tell 'systemctl edit' the name
|
||||
of the drop-in to edit. (Previously, 'override.conf' was always used.
|
||||
of the drop-in to edit. (Previously, 'override.conf' was always
|
||||
used.)
|
||||
|
||||
* 'systemctl list-dependencies' now respects --type= and --state=.
|
||||
|
||||
* 'systemctl kexec' now supports XEN.
|
||||
* 'systemctl kexec' now supports XEN VMM environments.
|
||||
|
||||
Changes in systemd-networkd and related tools:
|
||||
|
||||
* The [DHCPv4] section in .network file gained new SocketPriority=
|
||||
setting that assigns the Linux socket priority used by the DHCPv4
|
||||
raw socket. Can be used in conjunction with the EgressQOSMaps=setting
|
||||
in [VLAN] section of .netdev file to send the desired ethernet 802.1Q
|
||||
frame priority for DHCPv4 initial packets. This cannot be achieved
|
||||
with netfilter mangle tables because of the raw socket bypass.
|
||||
setting that assigns the Linux socket priority used by the DHCPv4 raw
|
||||
socket. This may be used in conjunction with the
|
||||
EgressQOSMaps=setting in [VLAN] section of .netdev file to send the
|
||||
desired ethernet 802.1Q frame priority for DHCPv4 initial
|
||||
packets. This cannot be achieved with netfilter mangle tables because
|
||||
of the raw socket bypass.
|
||||
|
||||
* The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained new
|
||||
QuickAck= boolean setting that enables the TCP quick ACK mode for the
|
||||
routes configured by the acquired DHCPv4 lease or received router
|
||||
* The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained a
|
||||
new QuickAck= boolean setting that enables the TCP quick ACK mode for
|
||||
the routes configured by the acquired DHCPv4 lease or received router
|
||||
advertisements (RAs).
|
||||
|
||||
* The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
|
||||
routes) now accepts three values, for high, medium, and low preference
|
||||
of the router (which can be set with the RouterPreference=) setting.
|
||||
|
||||
* systemd-networkd-wait-online now supports alternative interface names.
|
||||
* systemd-networkd-wait-online now supports matching via alternative
|
||||
interface names.
|
||||
|
||||
* The [DHCPv6] section in .network file gained new SendRelease=
|
||||
setting which enables the DHCPv6 client to send release when
|
||||
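Review bot: In the systemd-stub entry the new text ends "or without any boot load at all", which should be "boot loader". In the SocketPriority= entry, "EgressQOSMaps=setting" is carried over into the rewrapped paragraph without the space after the "="; "EgressQOSMaps= setting" matches how the other options in this file are written.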
@ -265,18 +276,21 @@ CHANGES WITH 253 in spe:
|
||||
|
||||
Changes in systemd-dissect:
|
||||
|
||||
* systemd-dissect gained a new option --list, to print the paths fo the
|
||||
files and directories in the image.
|
||||
* systemd-dissect gained a new option --list, to print the paths off
|
||||
all files and directories in a DDI.
|
||||
|
||||
* systemd-dissect gained a new option --mtree, to generate output
|
||||
compatible with BSD mtree(5).
|
||||
* systemd-dissect gained a new option --mtree, to generate a file
|
||||
manifest compatible with BSD mtree(5) of a DDI
|
||||
|
||||
* systemd-dissect gained a new option --with, to execute a command in
|
||||
the image temporarily mounted.
|
||||
* systemd-dissect gained a new option --with, to execute a command with
|
||||
the specified DDI temporarily mounted and used as working
|
||||
directory. This is for example useful to convert a DDI to "tar"
|
||||
simply by running it within a "systemd-dissect --with" invocation.
|
||||
|
||||
* systemd-dissect gained a new option --discover, to search for
|
||||
Discoverable Disk Images (DDIs) in well-known directories. This will
|
||||
list machine, portable service and system extension disk images.
|
||||
Discoverable Disk Images (DDIs) in well-known directories of the
|
||||
system. This will list machine, portable service and system extension
|
||||
disk images.
|
||||
|
||||
* systemd-dissect now understands 2nd stage initrd images stored as a
|
||||
Discoverable Disk Image (DDI).
|
||||
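Review bot: The --list entry replaces the typo "fo" with "off" ("print the paths off all files"); it should be "of". The rewritten --mtree entry also lost its final period ("mtree(5) of a DDI").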
@ -292,13 +306,14 @@ CHANGES WITH 253 in spe:
|
||||
|
||||
* systemd-repart also gained a --defer-partitions= option that is
|
||||
similar to --exclude-partitions=, but the size of the partition is
|
||||
taken into account without populating it.
|
||||
still taken into account when sizing partitions, but without
|
||||
populating it.
|
||||
|
||||
* systemd-repart gained a new --sector-size= option to specify what
|
||||
sector size should be used when an image is created.
|
||||
|
||||
* systemd-repart now supports erofs (a read-only file system similar to
|
||||
squashfs).
|
||||
* systemd-repart now supports generating erofs file systems via
|
||||
CopyFiles= (a read-only file system similar to squashfs).
|
||||
|
||||
* The Minimize= option was extended to accept "best" (which means the
|
||||
most minimal image possible, but may require multiple attempts) and
|
||||
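Review bot: In the erofs entry the parenthetical now follows CopyFiles= ("generating erofs file systems via CopyFiles= (a read-only file system similar to squashfs)"), so it reads as a description of the option rather than of erofs; move it next to "erofs". The --defer-partitions= entry also ends up with two "but" clauses in a row ("but the size of the partition is still taken into account when sizing partitions, but without populating it") and would read better rephrased.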
@ -313,20 +328,22 @@ CHANGES WITH 253 in spe:
|
||||
about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
|
||||
Details of what is logged and when are subject to change.
|
||||
|
||||
* The systemd-journald-audit.socket can now be normally disabled to stop
|
||||
collection of audit messages. Please note that it is not enabled
|
||||
statically anymore and must be handled by the preset/enablement logic
|
||||
in package installation scripts.
|
||||
* The systemd-journald-audit.socket can now be disabled via the usual
|
||||
"systemctl disable" mechanism to stop collection of audit
|
||||
messages. Please note that it is not enabled statically anymore and
|
||||
must be handled by the preset/enablement logic in package
|
||||
installation scripts.
|
||||
|
||||
* New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
|
||||
be used to curtail disk use by systemd-journal-remote. This is
|
||||
similar to the options supported by systemd-journald.
|
||||
|
||||
Changes in systemd-cryptenroll, systemd-cryptsetup, and related
|
||||
components
|
||||
components:
|
||||
|
||||
* systemd-cryptenroll now supports unlocking via FIDO2 tokens (option
|
||||
--unlock-fido2-device=).
|
||||
* When enrolling new keys systemd-cryptenroll now supports unlocking
|
||||
via FIDO2 tokens (option --unlock-fido2-device=). Previously, a
|
||||
password was strictly required to be specified.
|
||||
|
||||
* systemd-cryptsetup now supports pre-flight requests for FIDO2 tokens
|
||||
(except for tokens with user verification, UV) to identify tokens
|
||||
@ -334,24 +351,18 @@ CHANGES WITH 253 in spe:
|
||||
the same time, and systemd-cryptsetup will automatically select one
|
||||
that corresponds to one of the available LUKS key slots.
|
||||
|
||||
* systemd-cryptsetup now supports new options tpm2-measure-pcr= and
|
||||
tpm2-measure-bank= in crypttab(5). These allow specifying the
|
||||
PCR bank and number into which the volume key should be measured.
|
||||
|
||||
* When measuring data into a PCR, an authenticated hash (HMAC) is used
|
||||
on the CPU, to further protect the data before it leaves the CPU.
|
||||
* systemd-cryptsetup now supports new options tpm2-measure-bank= and
|
||||
tpm2-measure-pcr= in crypttab(5). These allow specifying the TPM2 PCR
|
||||
bank and number into which the volume key should be measured.
|
||||
|
||||
* systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with
|
||||
"noexec,nosuid,nodev".
|
||||
|
||||
* systemd-pcrphase gained new options --machine-id and --file-system=
|
||||
to measure the machine-id and mount point information into a PCR.
|
||||
|
||||
* The machine-id is measured into PCR 15 during early boot.
|
||||
|
||||
* For the root and /var/ volumes, the mount point information and
|
||||
options, and volume encryption keys in case encryption is used, will
|
||||
be measured into PCR 15.
|
||||
to measure the machine-id and mount point information into PCR 15. New
|
||||
service unit files systemd-pcrmachine.service and
|
||||
systemd-pcrfs@.service have been added that invoke the tool with
|
||||
these switches during early boot.
|
||||
|
||||
* systemd-cryptenroll now stores the user-supplied PIN with a salt,
|
||||
making it harder to brute-force.
|
||||
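Review bot: The merged systemd-pcrphase entry no longer states that, for the root and /var/ volumes, volume encryption keys are measured into PCR 15; it now mentions only "the machine-id and mount point information". Going by the hunk header (24 lines before, 18 after), the separate entries for that, for the machine-id measurement and for the HMAC protection of data measured into a PCR are all dropped. Anyone writing or auditing a policy bound to PCR 15 needs to know what goes into the register, so either keep the volume-key detail in the merged entry or explain in the commit message why these entries go away; "various fixes" does not cover a removal of documented behaviour.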
@ -363,7 +374,7 @@ CHANGES WITH 253 in spe:
|
||||
|
||||
* Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
|
||||
$SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
|
||||
can be used to specify additional arguments for mkfs when
|
||||
may now be used to specify additional arguments for mkfs when
|
||||
systemd-homed formats a file system.
|
||||
|
||||
* systemd-hostnamed now exports the contents of
|
||||
@ -372,7 +383,7 @@ CHANGES WITH 253 in spe:
|
||||
unprivileged code to access those values.
|
||||
|
||||
systemd-hostnamed also exports the SUPPORT_END= field from
|
||||
os-release(5) as OperatingSystemSupportEnd. timedatectl make uses of
|
||||
os-release(5) as OperatingSystemSupportEnd. hostnamectl make uses of
|
||||
this to show the status of the installed system.
|
||||
|
||||
* systemd-measure gained an --append= option to sign multiple phase
|
||||
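Review bot: The corrected line still reads "hostnamectl make uses of this"; while fixing the tool name, change it to "hostnamectl makes use of this".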
@ -382,14 +393,14 @@ CHANGES WITH 253 in spe:
|
||||
|
||||
* systemd-timesyncd will now write a structured log message with
|
||||
MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
|
||||
on a disk timestamp, similarly to what it did when reaching
|
||||
on a on-disk timestamp, similarly to what it did when reaching
|
||||
synchronization via NTP.
|
||||
|
||||
systemd-timesyncd will now also update the timestamp file on each
|
||||
boot, making it more likely that the system time increases in
|
||||
subsequent boots.
|
||||
* systemd-timesyncd will now update the on-disk timestamp file on each
|
||||
boot at least once, making it more likely that the system time
|
||||
increases in subsequent boots.
|
||||
|
||||
* systemd-vconsole-setup gained support for credentials:
|
||||
* systemd-vconsole-setup gained support for system/service credentials:
|
||||
vconsole.keymap/vconsole.keymap_toggle and
|
||||
vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous
|
||||
the similarly-named options in vconsole.conf.
|
||||
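Review bot: "on a on-disk timestamp" in the SD_MESSAGE_TIME_BUMP entry should be "an on-disk timestamp". In the systemd-vconsole-setup entry the unchanged line "are analogous the similarly-named options" is missing "to" and could be fixed in the same pass.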
@ -420,7 +431,7 @@ CHANGES WITH 253 in spe:
|
||||
Similarly, 'machinectl start|stop' gained a --now option to enable or
|
||||
disable the machine unit when starting or stopping it.
|
||||
|
||||
* systemd-sysusers will now create /etc if it is missing.
|
||||
* systemd-sysusers will now create /etc/ if it is missing.
|
||||
|
||||
* systemd-sleep 'HibernateDelaySec=' setting is changed back to
|
||||
pre-v252's behaviour, and a new 'SuspendEstimationSec=' setting is
|
||||
@ -440,9 +451,10 @@ CHANGES WITH 253 in spe:
|
||||
sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().
|
||||
|
||||
* sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
|
||||
id128_t parameter has an invalid format. They also accept NULL as
|
||||
output parameter in more places, which is useful when the caller only
|
||||
wants to check the inputs and does not need the output value.
|
||||
128bit ID in files such as /etc/machine-id has an invalid
|
||||
format. They also accept NULL as output parameter in more places,
|
||||
which is useful when the caller only wants to validate the inputs and
|
||||
does not need the output value.
|
||||
|
||||
* sd-login gained new functions sd_pidfd_get_session(),
|
||||
sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
|
||||
@ -458,21 +470,24 @@ CHANGES WITH 253 in spe:
|
||||
SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR,
|
||||
|
||||
* sd-notify now supports AF_VSOCK, in the "vsock:CID:port" format, for
|
||||
the notify_socket parameter/environment variable/credential.
|
||||
the $NOTIFY_SOCKET parameter/environment variable/credential.
|
||||
|
||||
* Detection of chroot environments now works if /proc/ is not mounted.
|
||||
This affects systemd-detect-virt --chroot, but also means that systemd
|
||||
tools will silently skip various operations in such an environment.
|
||||
* Detection of chroot() environments now works if /proc/ is not
|
||||
mounted. This affects systemd-detect-virt --chroot, but also means
|
||||
that systemd tools will silently skip various operations in such an
|
||||
environment.
|
||||
|
||||
* "Lockheed Matrin Hardened Security for Intel Processors" (HS SRE)
|
||||
virtualization is now detected.
|
||||
|
||||
Changes in the build system:
|
||||
|
||||
* Standalone variant of systemd-repart is built (if -Dstandalone=true).
|
||||
* A standalone variant of systemd-repart may now be built (if
|
||||
-Dstandalone=true).
|
||||
|
||||
* systemd-ac-power has been moved to /usr/bin/, to, for example, allow
|
||||
scripts to conditionalize execution on AC power supply.
|
||||
* systemd-ac-power has been moved from /usr/lib/ to /usr/bin/, to, for
|
||||
example, allow scripts to conditionalize execution on AC power
|
||||
supply.
|
||||
|
||||
* The libp11kit library is now loaded through dlopen(3).
|
||||
|
||||
|
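Review bot: In the sd-notify entry, "the $NOTIFY_SOCKET parameter/environment variable/credential" now puts an environment variable name in front of a list that also covers a parameter and a credential; earlier in this file the credential is called "vmm.notify_socket", so name each one or reword the list. The unchanged line "Lockheed Matrin" is a misspelling of "Lockheed Martin" and fits the scope of this commit.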