systemd/NEWS
Lennart Poettering bb4525c8d8 update NEWS
2024-04-18 18:12:24 +02:00

17921 lines
948 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

systemd System and Service Manager
CHANGES WITH 256-rc1:
Announcements of Future Feature Removals and Incompatible Changes:
* Support for automatic flushing of the nscd user/group database caches
will be dropped in a future release.
* Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now
considered obsolete and systemd by default will refuse to boot under
it. To forcibly reenable cgroup v1 support,
SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must be set on kernel command
line. The meson option 'default-hierarchy=' is also deprecated, i.e.
only cgroup v2 ('unified' hierarchy) can be selected as build-time
default.
* Previously, systemd-networkd did not explicitly remove any bridge
VLAN IDs assigned on bridge master and ports. Since version 256, if a
.network file for an interface has at least one valid setting in the
[BridgeVLAN] section, then all assigned VLAN IDs on the interface
that are not configured in the .network file are removed.
* systemd-gpt-auto-generator will stop generating units for ESP or
XBOOTLDR partitions if it finds mount entries for or below the /boot/
or /efi/ hierarchies in /etc/fstab. This is to prevent the generator
from interfering with systems where the ESP is explicitly configured
to be mounted at some path, for example /boot/efi/ (this type of
setup is obsolete but still commonly found).
* The behavior of systemd-sleep and systemd-homed has been updated to
freeze user sessions when entering the various sleep modes or when
locking a homed-managed home area. This is known to cause issues with
the proprietary NVIDIA drivers. Packagers of the NVIDIA proprietary
drivers may want to add drop-in configuration files that set
SYSTEMD_SLEEP_FREEZE_USER_SESSION=false for systemd-suspend.service
and related services, and SYSTEMD_HOME_LOCK_FREEZE_SESSION=false for
systemd-homed.service.
* systemd-tmpfiles and systemd-sysusers, when given a relative
configuration file path (with at least one directory separator '/'),
will open the file directly, instead of searching for the given
partial path in the standard locations. The old mode wasn't useful
because tmpfiles.d/ and sysusers.d/ configuration has a flat
structure with no subdirectories under the standard locations and
this change makes it easier to work with local files with those
tools.
* systemd-tmpfiles now properly applies nested configuration to 'R' and
'D' stanzas. For example, with the combination of 'R /foo' and 'x
/foo/bar', /foo/bar will now be excluded from removal.
General Changes and New Features:
* Various programs will now attempt to load the main configuration file
from locations below /usr/lib/, /usr/local/lib/, and /run/, not just
below /etc/. For example, systemd-logind will look for
/etc/systemd/logind.conf, /run/systemd/logind.conf,
/usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf,
and use the first file that is found. This means that the search
logic for the main config file and for drop-ins is now the same.
Similarly, kernel-install will look for the config files in
/usr/lib/kernel/ and the other search locations, and now also
supports drop-ins.
systemd-udevd now supports drop-ins for udev.conf.
* A new 'systemd-vpick' binary has been added. It implements the new
vpick protocol, where a "*.v/" directory may contain multiple files
which have versions (following the UAPI version format specification)
embedded in the file name. The files are ordered by version and
the newest one is selected.
systemd-nspawn --image=/--directory=, systemd-dissect, and the
RootDirectory=, RootImage=, ExtensionImages=, and
ExtensionDirectories= settings for units now support the vpick
protocol and allow the latest version to be selected automatically if
a "*.v/" directory is specified as the source.
* Encrypted service credentials may now be made accessible to
unprivileged users. systemd-creds gained new options --user/--uid=
for encrypting/decrypting a credential for a specific user.
* New command-line tool 'importctl' to download, import, and export
disk images via systemd-importd is added with the following verbs:
pull-tar, pull-raw, import-tar, import-raw, import-fs, export-tar,
export-raw, list-transfers, cancel-transfer. This functionality was
previously available in "machinectl", where it was exclusively for
machine image. The new "importctl" generalizes this for sysext,
confext, portable service images, too.
Service Management:
* New system manager setting ProtectSystem= has been added. It is
analogous to the unit setting, but applies to the whole system. It is
enabled by default in the initrd.
* New unit setting WantsMountsFor= has been added. It is analogous to
RequiresMountsFor=, but with a Wants= dependency instead of
Requires=. This new logic is used in various places where mounts were
added as dependencies for other settings (WorkingDirectory=-…,
PrivateTmp=yes, cryptsetup lines with 'nofail').
* New unit setting MemoryZSwapWriteback= can be used to control the new
memory.zswap.writeback cgroup knob added in kernel 6.8.
* The manager gained a org.freedesktop.systemd1.StartAuxiliaryScope()
D-Bus method to devolve some processes from a service into a new
scope. This new scope will remain even if the original service unit
is restarted. Control group properties of the new scope are copied
from the originating unit, so various limits are retained.
* Units now expose properties EffectiveMemoryMax=,
EffectiveMemoryHigh=, and EffectiveTasksMax=, which report the
most stringent limit systemd is aware of for the given unit.
* A new unit file specifier %D expands to $XDG_DATA_HOME (for user
services) or /usr/share/ (for system services).
* AllowedCPUs= now supports specifier expansion.
* What= setting in .mount and .swap units now accepts fstab-style
identifiers, for example UUID=… or LABEL=….
* RestrictNetworkInterfaces= now supports alternative network interface
names.
* PAMName= now implies SetLoginEnvironment=yes.
* systemd.firstboot=no can be used on the kernel command-line to
disable interactive queries, but allow other first boot configuration
to happen based on credentials.
* The system's hostname can be configured via the systemd.hostname
system credential.
* The systemd binary will no longer chainload sysvinit's "telinit"
binary when called under the init/telinit name on a system that
isn't booted with systemd. This previously has been supported to make
sure a distribution that has both init systems installed can be
reasonably switched from one to the other via a simple
reboot. Distributions apparently have lost interest in this, and the
functionality has not been supported on the primary distribution this
was still intended for for a longer time, and hence has been removed
now.
* A new concept called "capsules" has been introduced. "Capsules"
encapsulate additional per-user service managers, whose users are
transient and are only defined as long as the service manager
is running (implemented via DynamicUser=1). These service managers run
off home directories defined in /var/lib/capsules/<name>, where
<name> is a the capsule's name. These home directories can contain
regular per-user services and other units. A capsule is started via a
simple "systemctl start capsule@<name>.service". See the
capsule@.service(5) man page for further details. Various systemd
tools (including, and most importantly, systemctl and systemd-run)
have been updated to interact with capsules via the new
"--capsule="/"-C" switch.
* .socket units gained a new setting PassFileDescriptorsToExec=, taking
a boolean value. If set to true the file descriptors the socket unit
encapsulates are passed to the ExecStartPost=, ExecStopPre=,
ExecStopPost= using the usual $LISTEN_FDS interface. This may be used
for doing additional initializations on the sockets once they are
allocated (for example, install an additional eBPF program on them).
* The .socket setting MaxConnectionsPerSource= (which so far put a
limit on concurrent connections per IP in Accept=yes socket units),
now also has an effect on AF_UNIX sockets: it will put a limit on the
number of simultaneous connections from the same source UID (as
determined via SO_PEERCRED). This is useful for implementing IPC
services in a simple Accept=yes mode.
* The service manager will now maintain a counter of soft reboot cycles
the system went through so far. It may be queried via the D-Bus APIs.
* systemd's execution logic now supports the new pidfd_spawn() API
introduced by glibc 2.39, which allows us to invoke a subprocess in a
target cgroup and get a pidfd back in a single operation.
* systemd/PID 1 will now send an additional sd_notify() message to its
supervising VMM or container manager reporting the selected hostname
("X_SYSTEMD_HOSTNAME=") and machine ID ("X_SYSTEMD_MACHINE_ID=") at
boot. Moreover, the service manager will send additional sd_notify()
messages ("X_SYSTEMD_UNIT_ACTIVE=") whenever a target unit is
reached. This can be used by VMMs/container managers to schedule
access to the system precisely. For example, the moment a system
reports "ssh-access.target" being reached a VMM/container manager
knows it can now connect to the system via SSH. Finally, a new
sd_notify() message ("X_SYSTEMD_SIGNALS_LEVEL=2") is sent the moment
PID 1 successfully completed installation of its various UNIX process
signal handlers (i.e. the moment where SIGRTMIN+4 sent to PID 1 will
start to have the effect of shutting down the system cleanly).
Journal:
* systemd-journald can now forward journal entries to a socket
(AF_INET, AF_INET6, AF_UNIX, or AF_VSOCK). The socket can be
specified in journald.conf via a new option ForwardAddress= or via
the 'journald.forward_address' credential. Log records are sent in
the Journal Export Format. A related setting MaxLevelSocket= has been
added to control the maximum log levels for the messages sent to this
socket.
* systemd-vmspawn gained a new --forward-journal= option to forward the
virtual machine's journal entries to the host. This is done over a
AF_VSOCK socket, i.e. it does not require networking in the guest.
* journalctl gained option '-i' as a shortcut for --file=.
* journalctl gained a new -T/--exclude-identifier= option to filter
out certain syslog identifiers.
* journalctl gained a new --list-namespaces option.
* systemd-journal-remote now also accepts AF_VSOCK and AF_UNIX sockets
(so it can be used to receive entries forwarded by systemd-journald).
* systemd-journal-gatewayd allows restricting the time range of
retrieved entries with a new "realtime=[<since>]:[<until>]" URL
parameter.
* systemd-cat gained a new option --namespace= to specify the target
journal namespace to which the output shall be connected.
* systemd-bsod gained a new option --tty= to specify the output TTY
Device Management:
* /dev/ now contains symlinks that combine by-path and by-{label,uuid}
information:
/dev/disk/by-path/<path>/by-<label|uuid|…>/<label|uuid|…>
This allows distinguishing partitions with identical contents on
multiple storage devices. This is useful, for example, when copying
raw disk contents between devices.
* systemd-udevd now creates persistent /dev/media/by-path/ symlinks for
media controllers. For example, the uvcvideo driver may create
/dev/media0 which will be linked as
/dev/media/by-path/pci-0000:04:00.3-usb-0:1:1.0-media-controller.
* A new unit systemd-udev-load-credentials.service has been added
to pick up udev.conf drop-ins and udev rules from credentials.
* An allowlist/denylist may be specified to filter which sysfs
attributes are used when crafting network interface names. Those
lists are stored as hwdb entries
ID_NET_NAME_ALLOW_<sysfsattr>=0|1
and
ID_NET_NAME_ALLOW=0|1.
The goal is to avoid unexpected changes to interface names when the
kernel is updated and new sysfs attributes become visible.
* A new unit tpm2.target has been added to provide a synchronization
point for units which expect the TPM hardware to be available. A new
generator "systemd-tpm2-generator" has been added that will insert
this target whenever it detects that the firmware has initialized a
TPM, but Linux hasn't loaded a driver for it yet.
* systemd-backlight now properly supports numbered devices which the
kernel creates to avoid collisions in the leds subsystem.
* systemd-hwdb update operation can be disabled with a new environment
variable SYSTEMD_HWDB_UPDATE_BYPASS=1.
systemd-hostnamed:
* systemd-hostnamed now exposes the machine ID and boot ID via
D-Bus. It also exposes the hosts AF_VSOCK CID, if available.
* systemd-hostnamed now provides a basic Varlink interface.
* systemd-hostnamed exports the full data in os-release(5) and
machine-info(5) via D-Bus and Varlink.
* hostnamectl now shows the system's product UUID and hardware serial
number if known.
Network Management:
* systemd-networkd now provides a basic Varlink interface.
* systemd-networkd's ARP proxy support gained a new option to configure
a private VLAN variant of the proxy ARP supported by the kernel under
the name IPv4ProxyARPPrivateVLAN=.
* systemd-networkd now exports the NamespaceId and NamespaceNSID
properties via D-Bus and Varlink. (which expose the inode and NSID of
the network namespace the networkd instance manages)
* systemd-networkd now supports IPv6RetransmissionTimeSec= and
UseRetransmissionTime= settings in .network files to configure
retransmission time for IPv6 neighbor solicitation messages.
* networkctl gained new verbs 'mask' and 'unmask' for masking networkd
configuration files such as .network files.
* 'networkctl edit --runtime' allows editing volatile configuration
under /run/systemd/network/.
* The implementation behind TTLPropagate= network setting has been
removed and the setting is now ignored.
* systemd-network-generator will now pick up .netdev/.link/.network/
networkd.conf configuration from system credentials.
* systemd-networkd will now pick up wireguard secrets from
credentials.
* systemd-networkd's Varlink API now supports enumerating LLDP peers.
* .link files now support new Property=, ImportProperty=,
UnsetProperty= fields for setting udev properties on a link.
* The various .link files that systemd ships for interfaces that are
supposed to be managed by systemd-networkd only now carry a
ID_NET_MANAGED_BY=io.systemd.Network udev property ensuring that
other network management solutions honouring this udev property do
not come into conflict with networkd, trying to manage these
interfaces.
* .link files now support a new ReceivePacketSteeringCPUMask= setting
for configuring which CPUs to steer incoming packets to.
systemd-nspawn:
* systemd-nspawn now provides a /run/systemd/nspawn/unix-export/
directory where the container payload can expose AF_UNIX sockets to
allow them them to be accessed from outside.
* systemd-nspawn will tint the terminal background for containers in a
blueish color. This can be controller with the new --background=
switch.
* systemd-nspawn gained support for the 'owneridmap' option for --bind=
mounts to map the target directory owner from inside the container to
the owner of the directory bound from the host filesystem.
* systemd-nspawn now supports moving Wi-Fi network devices into a
container, just like other network interfaces.
systemd-resolved:
* systemd-resolved now reads RFC 8914 EDE error codes provided by
upstream DNS services.
* systemd-resolved and resolvectl now support RFC 9460 SVCB and HTTPS
records, as well as RFC 2915 NAPTR records.
* resolvectl gained a new option --relax-single-label= to allow
querying single-label hostnames via unicast DNS on a per-query basis.
* systemd-resolved's Varlink IPC interface now supports resolving
DNS-SD services as well as an API for resolving raw DNS RRs.
* systemd-resolved's .dnssd DNS_SD service description files now
support DNS-SD "subtypes" via the new SubType= setting.
* systemd-resolved's configuration may now be reloaded without
restarting the service. (i.e. "systemctl reload systemd-resolved" is
now supported)
SSH Integration:
* An sshd config drop-in to allow ssh keys acquired via userdbctl (for
example expose by homed accounts) to be used for authorization of
incoming SSH connections.
* A small new unit generator "systemd-ssh-generator" has been added. It
checks if the sshd binary is installed. If so, it binds it via
per-connection socket activation to various sockets depending on the
execution context:
• If the system is run in a VM providing AF_VSOCK support, it
automatically binds sshd to AF_VSOCK port 22.
• If the system is invoked as a full-OS container and the container
manager pre-mounts a directory /run/host/unix-export/, it will
bind sshd to an AF_UNIX socket /run/host/unix-export/ssh. The
idea is the container manager bind mounts the directory to an
appropriate place on the host as well, so that the AF_UNIX socket
may be used to easily connect from the host to the container.
• sshd is also bound to an AF_UNIX socket
/run/ssh-unix-local/socket, which may be to use ssh/sftp in a
"sudo"-like fashion to access resources of other local users.
• Via the kernel command line option "systemd.ssh_listen=" and the
system credential "ssh.listen" sshd may be bound to additional,
explicitly configured options, including AF_INET/AF_INET6 ports.
In particular the first two mechanisms should make dealing with local
VMs and full OS containers a lot easier, as SSH connections will
*just* *work* from the host even if no networking is available
whatsoever.
systemd-ssh-generator optionally generates a per-connection
socket activation service file wrapping sshd. This is only done if
the distribution does not provide one on its own under the name
"sshd@.service". The generated unit only works correctly if the SSH
privilege separation ("privsep") directory exists. Unfortunately
distributions vary wildly where they place this directory. An
incomprehensive list:
• /usr/share/empty.sshd/ (new fedora)
• /var/empty/
• /var/empty/sshd/
• /run/sshd/ (debian/ubuntu?)
If the SSH privsep directory is placed below /var/ or /run/ care
needs to be taken that the directory is created automatically at boot
if needed, since these directories possibly or always come up
empty. This can be done via a tmpfiles.d/ drop-in. You may use the
"sshdprivsepdir" meson option provided by systemd to configure the
directory, in case you want systemd to create the directory as needed
automatically, if your distribution does not cover this natively.
Recommendations to distributions, in order to make things just work:
• Please provide a per-connection SSH service file under the name
"sshd@.service".
• Please move the SSH privsep dir into /usr/ (so that it is truly
immutable on image-based operating systems, is strictly under
package manager control, and never requires recreation if the
system boots up with an empty /run/ or /var/).
• As an extension of this: please consider following Fedora's lead
here, and use /usr/share/empty.sshd/ to minimize needless
differences between distributions.
• If your distribution insists on placing the directory in /var/ or
/run/ then please at least provide a tmpfiles.d/ drop-in to
recreate it automatically at boot, so that the sshd binary just
works, regardless in which context it is called.
* A small tool "systemd-ssh-proxy" has been added, which is supposed to
act as counterpart to "systemd-ssh-generator". It's a small plug-in
for the SSH client (via ProxyCommand/ProxyUseFdpass) to allow it to
connect to AF_VSOCK or AF_UNIX sockets. Example: "ssh vsock/4711"
connects to a local VM with cid 4711, or "ssh
unix/run/ssh-unix-local/socket" to connect to the local host via the
AF_UNIX socket /run/ssh-unix-local/socket.
systemd-boot and systemd-stub and Related Tools:
* TPM 1.2 PCR measurement support has been removed from systemd-stub.
TPM 1.2 is obsolete and due to the (by today's standards) weak
cryptographic algorithms it only supports does not actually provide
the security benefits it's supposed to provide. Given that the rest
of systemd's codebase never supported TPM 1.2, the support has now
been removed from systemd-stub as well.
* systemd-stub will now measure its payload via the new EFI
Confidential Computing APIs (CC), in addition to the pre-existing
measurements to TPM.
* confexts are loaded by systemd-stub from the ESP as well.
* kernel-install gained support for --root= for the 'list' verb.
* bootctl now provides a basic Varlink interface and can be run as a
daemon via a template unit.
* systemd-measure gained new options --certificate=, --private-key=,
and --private-key-source= to allow using OpenSSL's "engines" or
"providers" as the signing mechanism to use when creating signed
TPM2 PCR measurement values.
* ukify gained support for signing of PCR signatures via OpenSSL's
engines and providers.
* ukify now supports zboot kernels.
* systemd-boot now supports passing additional kernel command line
switches to invoked kernels via an SMBIOS Type #11 string
"io.systemd.boot.kernel-cmdline-extra". This is similar to the
pre-existing support for this in systemd-stub, but also applies to
Type #1 Boot Loader Specification Entries.
* systemd-boot's automatic SecureBoot enrollment support gained support
for enrolling "dbx" too (Previously, only db/KEK/PK enrollment was
supported). It also now supports UEFI "Custom" mode.
* The pcrlock policy is saved in an unencrypted credential file
"pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the
/loader/credentials/ directory. It will be picked up at boot by
systemd-stub and passed to the initrd, where it can be used to unlock
the root file system.
* systemd-pcrlock gained an --entry-token= option to configure the
entry-token.
* systemd-pcrlock now provides a basic Varlink interface and can be run
as a daemon via a template unit.
* systemd-pcrlock's TPM nvindex access policy has been modified, this
means that previous pcrlock policies stored in nvindexes are
invalidated. They must be removed (systemd-pcrlock remove-policy) and
recreated (systemd-pcrlock make-policy). For the time being
systemd-pcrlock remains an experimental feature, but it is expected
to become stable in the next release, i.e. v257.
* systemd-pcrlock's --recovery-pin= switch now takes three values:
"hide", "show", "query". If "show" is selected the automatically
generated recovery PIN is shown to the user. If "query" is selected
then the PIN is queried from the user.
systemd-run/run0:
* systemd-run is now a multi-call binary. When invoked as 'run0', it
provides as interface similar to 'sudo', with all arguments starting
at the first non-option parameter being treated the command to invoke
as root. Unlike 'sudo' and similar tools, it does not make use of
setuid binaries or other privilege escalation methods, but instead
runs the specified command as a transient unit, which is started by
the system service manager, so privileges are dropped, rather than
gained, thus implementing a much more robust and safe security
model. As usual, authorization is managed via Polkit.
* systemd-run/run0 will now tint the terminal background on supported
terminals: in a reddish tone when invoking a root service, in a
yellowish tone otherwise. This may be controlled and turned off via
the new --background= switch.
* systemd-run gained a new option '--ignore-failure' to suppress
command failures.
Command-line tools:
* 'systemctl edit --stdin' allows creation of unit files and drop-ins
with contents supplied via standard input. This is useful when creating
configuration programmatically; the tool takes care of figuring out
the file name, creating any directories, and reloading the manager
afterwards.
* 'systemctl disable --now' and 'systemctl mask --now' now work
correctly with template units.
* 'systemd-analyze architectures' lists known CPU architectures.
* 'systemd-analyze --json=…' is supported for 'architectures',
'capability', 'exit-status'.
* 'systemd-tmpfiles --purge' will purge (remove) all files and
directories created via tmpfiles.d configuration.
* systemd-id128 gained new options --no-pager, --no-legend, and
-j/--json=.
* hostnamectl gained '-j' as shortcut for '--json=pretty' or
'--json=short'.
* loginctl now supports -j/--json=.
* resolvectl now supports -j/--json= for --type=.
* systemd-tmpfiles gained a new option --dry-run to print what would be
done without actually taking action.
* varlinkctl gained a new --collect switch to collect all responses of
a method call that supports multiple replies and turns it into a
single JSON array.
* systemd-dissect gained a new --make-archive option to generate an
archive file (tar.gz and similar) from a disk image.
systemd-vmspawn:
* systemd-vmspawn gained a new --firmware= option to configure or list
firmware definitions for Qemu, a new --tpm= option to enable or
disable the use of a software TPM, a new --linux= option to specify a
kernel binary for direct kernel boot, a new --initrd= option to
specify an initrd for direct kernel boot, a new -D/--directory option
to use a plain directory as the root file system, a new
--private-users option similar to the one in systemd-nspawn, new
options --bind= and --bind-ro= to bind part of the host's file system
hierarchy into the guest, a new --extra-drive= option to attach
additional storage, and -n/--network-tap/--network-user-mode to
configure networking.
* A new systemd-vmspawn@.service can be used to launch systemd-vmspawn
as a service.
* systemd-vmspawn gained the new --console= and --background= switches
that control how to interact with the VM. As before, by default an
interactive terminal interface is provided, but now with a background
tinted with a greenish hue.
* systemd-vmspawn can now register its VMs with systemd-machined,
controlled via the --register= switch.
* machinectl's start command (and related) can now invoke images either
as containers via `systemd-nspawn` (switch is --runner=nspawn, the
default) or as VMs via `systemd-vmspawn` (switch is --runner=vmspawn,
or short -V).
* systemd-vmspawn now supports two switches --pass-ssh-key= and
--ssh-key-type= to optionally set up transient SSH keys to pass to the
invoked VMs in order to be able to SSH into them once booted.
systemd-repart:
* systemd-repart gained new options --generate-fstab= and
--generate-crypttab= to write out fstab and crypttab files matching the
generated partitions.
* systemd-repart gained a new option --private-key-source= to allow
using OpenSSL's "engines" or "providers" as the signing mechanism to
use when creating verity signature partitions.
* systemd-repart gained a new DefaultSubvolume= setting in repart.d/
drop-ins that allow configuring the default btrfs subvolume for newly
formatted btrfs file systems.
Libraries:
* libsystemd gained new call sd_bus_creds_new_from_pidfd() to get a
credentials object for a pidfd and sd_bus_creds_get_pidfd_dup() to
retrieve the pidfd from a credentials object.
* sd-bus' credentials logic will now also acquire peer's UNIX group
lists and peer's pidfd if supported and requested.
* RPM macro %_kernel_install_dir has been added with the path
to the directory for kernel-install plugins.
* The liblz4, libzstd, liblzma, libkmod, libgcrypt dependencies have
been changed from regular shared library dependencies into dlopen()
based ones.
* The sd-journal API gained a new call
sd_journal_stream_fd_with_namespace() which is just like
sd_journal_stream_fd() but creates a log stream targeted at a
specific log namespace.
systemd-cryptsetup/systemd-cryptenroll:
* systemd-cryptenroll can now enroll directly with a PKCS11 public key
(instead of a certificate).
* systemd-cryptsetup/systemd-cryptenroll now may lock a disk against a
PKCS#11 provided EC key (before it only supported RSA).
* systemd-cryptsetup gained support for crypttab option
link-volume-key= to link the volume key into the kernel keyring when
the volume is opened.
* systemd-cryptenroll will no longer enable Dictionary Attack
Protection (i.e. turn on NO_DA) for TPM enrollments that do not
involve a PIN. DA should not be necessary in that case (since key
entropy is high enough to make this unnecessary), but risks
accidental lock-out in case of unexpected PCR changes.
* systemd-cryptenroll now supports enrolling a new slot while unlocking
the old slot via TPM2 (previously unlocking only worked via password
or FIDO2).
Documentation:
* The remaining documentation that was on
https://freedesktop.org/wiki/Software/systemd/ has been moved to
https://systemd.io/.
* A new text describing the VM integration interfaces of systemd has
been added:
https://systemd.io/VM_INTERFACE
* The sd_notify() man page has gained an example with C code that shows
how to implement the interface in C without involving libsystemd.
systemd-homed, systemd-logind, systemd-userdbd:
* systemd-homed now supports unlocking of home directories when logging
in via SSH. Previously home directories needed to be unlocked before
an SSH login is attempted.
* JSON User Records have been extended with a separate public storage
area called "User Record Blob Directories". This is intended to store
the user's background image, avatar picture, and other similar items
which are too large to fit into the User Record itself.
systemd-homed, userdbctl, and homectl gained support for blob
directories. homectl gained --avatar= and --login-background= to
control two specific items of the blob directories.
* A new "additionalLanguages" field has been added to JSON user records
(as supported by systemd-homed and systemd-userdbd), which is closely
related to the pre-existing "preferredLanguage", and allows
specifying multiple additional languages for the user account. It is
used to initialize the $LANGUAGES environment variable when used.
* A new pair of "preferredSessionType" and "preferredSessionLauncher"
fields have been added to JSON user records, that may be used to
control which kind of desktop session to preferable activate on
logins of the user.
* homectl gained a new verb 'firstboot', and a new
systemd-homed-firstboot.service unit uses this verb to create users
in a first boot environment, either from system credentials or by
querying interactively.
* systemd-logind now supports a new "background-light" session class
which does not pull in the user@.service unit. This is intended in
particular for lighter weight per-user cron jobs which do require any
per-user service manager to be around.
* The per-user service manager will now be tracked as a distinct "manager"
session type among logind sessions of each user.
* homectl now supports an --offline mode, by which certain account
properties can be changed without unlocking the home directory.
* systemd-logind gained a new
org.freedesktop.login1.Manager.ListSessionsEx() method that provides
additional metadata compared to ListSessions(). loginctl makes use of
this to list additional fields in list-sessions.
* systemd-logind gained a new org.freedesktop.login1.Manager.Sleep()
method that automatically redirects to SuspendThenHibernate(),
Suspend(), HybridSleep(), or Hibernate(), depending on what is
supported and configured, a new configuration setting SleepOperation=,
and an accompanying helper method
org.freedesktop.login1.Manager.CanSleep() and property
org.freedesktop.login1.Manager.SleepOperation.
'systemctl sleep' calls the new method to automatically put the
machine to sleep in the most appropriate way.
Credential Management:
* systemd-creds now provides a Varlink IPC API for encrypting and
decrypting credentials.
* systemd-creds' "tpm2-absent" key selection has been renamed to
"null", since that's what it actually does: "encrypt" and "sign"
with a fixed null key. --with-key=null should only be used in very
specific cases, as it provides zero integrity or confidentiality
protections. (i.e. it's only safe to use as fallback in environments
lacking both a TPM and access to the root fs to use the host
encryption key, or when integrity is provided some other way.)
* systemd-creds gained a new switch --allow-null. If specified, the
"decrypt" verb will decode encrypted credentials that use the "null"
key (by default this is refused, since using the "null" key defeats
the authenticated encryption normally done).
Suspend & Hibernate:
* The sleep.conf configuration file gained a new MemorySleepMode=
setting for configuring the sleep mode in more detail.
* A tiny new service systemd-hibernate-clear.service has been added
which clears hibernation information from the HibernateLocation EFI
variable, in case the resume device is gone. Normally, this variable
is supposed to be cleaned up by the code that initiates the resume
from hibernation image. But when the device is missing and that code
doesn't run, this service will now do the necessary work, ensuring
that no outdated hibernation image information remains on subsequent
boots.
Unprivileged User Namespaces & Mounts:
* A small new service systemd-nsresourced.service has been added. It
provides a Varlink IPC API that assigns a free, transiently allocated
64K UID/GID range to an uninitialized user namespace a client
provides. It may be used to implement unprivileged container managers
and other programs that need dynamic user ID ranges. It also provides
interfaces to then delegate mount file descriptors, control groups
and network interfaces to user namespaces set up this way.
* A small new service systemd-mountfsd.service has been added. It
provides a Varlink IPC API for mounting DDI images, and returning a set
of mount file descriptors for it. If a user namespace fd is provided
as input, then the mounts are registered with the user namespace. To
ensure trust in the image it must provide Verity information (or
alternatively interactive polkit authentication is required).
* The systemd-dissect tool now can access DDIs fully unprivileged by
using systemd-nsresourced/systemd-mountfsd.
* If the service manager runs unprivileged (i.e. systemd --user) it now
supports RootImage= for accessing DDI images, also implemented via
the systemd-nsresourced/systemd-mountfsd.
* systemd-nspawn may now operate without privileges, if a suitable DDI
is provided via --image=, again implemented via
systemd-nsresourced/systemd-mountfsd.
Other:
* timedatectl and machinectl gained option '-P', an alias for
'--value --property=…'.
* Various tools that pretty-print config files will now highlight
configuration directives.
* varlinkctl gained support for the "ssh:" transport. This requires
OpenSSH 9.4 or newer.
* systemd-sysext gained support for enabling system extensions in
mutable fashion, where a writeable upperdir is stored under
/var/lib/extensions.mutable/, and a new --mutable= option to
configure this behaviour. An "ephemeral" mode is not also supported
where the mutable layer is configured to be a tmpfs that is
automatically released when the system extensions are reattached.
* Coredumps are now retained for two weeks by default (instead of three
days, as before).
* portablectl --copy= parameter gained a new 'mixed' argument, that will
result in resources owned by the OS (e.g.: portable profiles) to be linked
but resources owned by the portable image (e.g.: the unit files and the
images themselves) to be copied.
* systemd will now register MIME types for various of its file types
(e.g. journal files, DDIs, encrypted credentials …) via the XDG
shared-mime-info infrastructure. (Files of these types will thus be
recognized as their own thing in desktop file managers such as GNOME
Files.)
* systemd-dissect will now show the detected sector size of a given DDI
in its default output.
* systemd-portabled now generates recognizable structured log messages
whenever a portable service is attached or detached.
* Verity signature checking in userspace (i.e. checking against
/etc/verity.d/ keys) when activating DDIs can now be turned on/off
via a kernel command line option systemd.allow_userspace_verity= and
an environment variable SYSTEMD_ALLOW_USERSPACE_VERITY=.
* ext4/xfs file system quota handling has been reworked, so that
quotacheck and quotaon are now invoked as per-file-system templated
services (as opposed to single system-wide singletons), similar in
style to the fsck, growfs, pcrfs logic. This means file systems with
quota enabled can now be reasonably enabled at runtime of the system,
not just at boot.
* "systemd-analyze dot" will now also show BindsTo= dependencies.
* systemd-debug-generator gained the ability add in arbitrary units
based on them being passed in via system credentials.
* A new kernel command-line option systemd.default_debug_tty= can be
used to specify the TTY for the debug shell, independently of
enabling or disabling it.
Contributions from: A S Alam, AKHIL KUMAR, Abraham Samuel Adekunle,
Adrian Vovk, Adrian Wannenmacher, Alan Liang, Alberto Planas,
Alexander Zavyalov, Anders Jonsson, Andika Triwidada, Andres Beltran,
Andrew Sayers, Antonio Alvarez Feijoo, Arthur Zamarin, Artur Pak,
AtariDreams, Benjamin Franzke, Bernhard M. Wiedemann, Black-Hole1,
Bryan Jacobs, Burak Gerz, Carlos Garnacho, Chandra Pratap,
Chris Simons, Christian Wesselhoeft, Clayton Craft, Colin Geniet,
Colin Walters, Costa Tsaousis, Cristian Rodríguez, Daan De Meyer,
Damien Challet, Dan Streetman, David Tardon, David Venhoek,
Diego Viola, Dionna Amalie Glaze, Dmitry Konishchev,
Edson Juliano Drosdeck, Eisuke Kawashima, Eli Schwartz,
Emanuele Giuseppe Esposito, Eric Daigle, Evgeny Vereshchagin,
Felix Riemann, Fernando Fernandez Mancera, Florian Schmaus, Franck Bui,
Frantisek Sumsal, Friedrich Altheide, Gabríel Arthúr Pétursson,
Gaël Donval, Georges Basile Stavracas Neto, Gerd Hoffmann, GNOME
Foundation, Guilhem Lettron, Göran Uddeborg, Hans de Goede, Harald
Brinkmann, Heinrich Schuchardt, Henry Li, Holger Assmann, Ivan Kruglov,
Ivan Shapovalov, Jakub Sitnicki, James Muir, Jan Engelhardt, Jan Macku,
Jeff King, JmbFountain, Joakim Nohlgård, Julius Alexandre,
Jörg Behrmann, Keian, Kirk, Kristian Klausen, Krzesimir Nowak,
Lars Ellenberg, Lennart Poettering, Luca Boccassi, Ludwig Nussel,
Lukáš Nykrýn, Luxiter, Maanya Goenka, Mariano Giménez,
Markus Merklinger, Martin Ivicic, Martin Trigaux, Martin Wilck,
Matt Layher, Matt Muggeridge, Matteo Croce, Matthias Lisin,
Max Gautier, Max Staudt, Michael Biebl, Michal Koutný, Michal Sekletár,
Mike Gilbert, Mike Yuan, Mikko Ylinen, MkfsSion, MrSmör,
Nandakumar Raghavan, Nick Cao, Nick Rosbrook, Ole Peder Brandtzæg,
Ondrej Kozina, Oğuz Ersen, Pablo Méndez Hernández, Pierre GRASSER,
Piotr Drąg, QuonXF, Rafaël Kooi, Raito Bezarius, Reid Wahl,
Renjaya Raga Zenta, Richard Maw, Roland Hieber, Ronan Pigott, Rose,
Ross Burton, Sam Leonard, Samuel BF, Sergei Zhmylev, Sergey A, Shulhan,
SidhuRupinder, Sludge, Stuart Hayhurst, Susant Sahani,
Takashi Sakamoto, Temuri Doghonadze, Thilo Fromm, Thomas Blume,
TobiPeterG, Tomáš Pecka, Topi Miettinen, Tycho Andersen, Unique-Usman,
Usman Akinyemi, Vasiliy Kovalev, Vasiliy Stelmachenok,
Vishal Chillara Srinivas, Vitaly Kuznetsov, Vito Caputo,
Vladimir Stoiakin, Werner Sembach, Will Springer, Winterhuman,
Xiaotian Wu, Yu Watanabe, Yuri Chornoivan, Zbigniew Jędrzejewski-Szmek,
Zmyeir, aslepykh, chenjiayi, cpackham-atlnz, cunshunxia, djantti,
hfavisado, hulkoba, ksaleem, medusalix, mille-feuille, mkubiak, mooo,
msizanoen, networkException, nl6720, r-vdp, runiq, samuelvw01,
sharad3001, sushmbha, wangyuhang, zzywysm, İ. Ensar Gülşen,
Štěpán Němec, 我超厉害, 김인수
— Happy Place, 2024-04-XX
CHANGES WITH 255:
Announcements of Future Feature Removals and Incompatible Changes:
* Support for split-usr (/usr/ mounted separately during late boot,
instead of being mounted by the initrd before switching to the rootfs)
and unmerged-usr (parallel directories /bin/ and /usr/bin/, /lib/ and
/usr/lib/, …) has been removed. For more details, see:
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
* We intend to remove cgroup v1 support from a systemd release after
the end of 2023. If you run services that make explicit use of
cgroup v1 features (i.e. the "legacy hierarchy" with separate
hierarchies for each controller), please implement compatibility with
cgroup v2 (i.e. the "unified hierarchy") sooner rather than later.
Most of Linux userspace has been ported over already.
* Support for System V service scripts is now deprecated and will be
removed in a future release. Please make sure to update your software
*now* to include a native systemd unit file instead of a legacy
System V script to retain compatibility with future systemd releases.
* Support for the SystemdOptions EFI variable is deprecated.
'bootctl systemd-efi-options' will emit a warning when used. It seems
that this feature is little-used and it is better to use alternative
approaches like credentials and confexts. The plan is to drop support
altogether at a later point, but this might be revisited based on
user feedback.
* systemd-run's switch --expand-environment= which currently is disabled
by default when combined with --scope, will be changed in a future
release to be enabled by default.
* "systemctl switch-root" is now restricted to initrd transitions only.
Transitions between real systems should be done with
"systemctl soft-reboot" instead.
* The "ip=off" and "ip=none" kernel command line options interpreted by
systemd-network-generator will now result in IPv6RA + link-local
addressing being disabled, too. Previously DHCP was turned off, but
IPv6RA and IPv6 link-local addressing was left enabled.
* The NAMING_BRIDGE_MULTIFUNCTION_SLOT naming scheme has been deprecated
and is now disabled.
* SuspendMode=, HibernateState= and HybridSleepState= in the [Sleep]
section of systemd-sleep.conf are now deprecated and have no effect.
They did not (and could not) take any value other than the respective
default. HybridSleepMode= is also deprecated, and will now always use
the 'suspend' disk mode.
Service Manager:
* The way services are spawned has been overhauled. Previously, a
process was forked that shared all of the manager's memory (via
copy-on-write) while doing all the required setup (e.g.: mount
namespaces, CGroup configuration, etc.) before exec'ing the target
executable. This was problematic for various reasons: several glibc
APIs were called that are not supposed to be used after a fork but
before an exec, copy-on-write meant that if either process (the
manager or the child) touched a memory page a copy was triggered, and
also the memory footprint of the child process was that of the
manager, but with the memory limits of the service. From this version
onward, the new process is spawned using CLONE_VM and CLONE_VFORK
semantics via posix_spawn(3), and it immediately execs a new internal
binary, systemd-executor, that receives the configuration to apply
via memfd, and sets up the process before exec'ing the target
executable. The systemd-executor binary is pinned by file descriptor
by each manager instance (system and users), and the reference is
updated on daemon-reexec - it is thus important to reexec all running
manager instances when the systemd-executor and/or libsystemd*
libraries are updated on the filesystem.
* Most of the internal process tracking is being changed to use PIDFDs
instead of PIDs when the kernel supports it, to improve robustness
and reliability.
* A new option SurviveFinalKillSignal= can be used to configure the
unit to be skipped in the final SIGTERM/SIGKILL spree on shutdown.
This is part of the required configuration to let a unit's processes
survive a soft-reboot operation.
* System extension images (sysext) can now set
EXTENSION_RELOAD_MANAGER=1 in their extension-release files to
automatically reload the service manager (PID 1) when
merging/refreshing/unmerging on boot. Generally, while this can be
used to ship services in system extension images it's recommended to
do that via portable services instead.
* The ExtensionImages= and ExtensionDirectories= options now support
confexts images/directories.
* A new option NFTSet= provides a method for integrating dynamic cgroup
IDs into firewall rules with NFT sets. The benefit of using this
setting is to be able to use control group as a selector in firewall
rules easily and this in turn allows more fine grained filtering.
Also, NFT rules for cgroup matching use numeric cgroup IDs, which
change every time a service is restarted, making them hard to use in
systemd environment.
* A new option CoredumpReceive= can be set for service and scope units,
together with Delegate=yes, to make systemd-coredump on the host
forward core files from processes crashing inside the delegated
CGroup subtree to systemd-coredump running in the container. This new
option is by default used by systemd-nspawn containers that use the
"--boot" switch.
* A new ConditionSecurity=measured-uki option is now available, to ensure
a unit can only run when the system has been booted from a measured UKI.
* MemoryAvailable= now considers physical memory if there are no CGroup
memory limits set anywhere in the tree.
* The $USER environment variable is now always set for services, while
previously it was only set if User= was specified. A new option
SetLoginEnvironment= is now supported to determine whether to also set
$HOME, $LOGNAME, and $SHELL.
* Socket units now support a new pair of
PollLimitBurst=/PollLimitInterval= options to configure a limit on
how often polling events on the file descriptors backing this unit
will be considered within a time window.
* Scope units can now be created using PIDFDs instead of PIDs to select
the processes they should include.
* Sending SIGRTMIN+18 with 0x500 as sigqueue() value will now cause the
manager to dump the list of currently pending jobs.
* If the kernel supports MOVE_MOUNT_BENEATH, the systemctl and
machinectl bind and mount-image verbs will now cause the new mount to
replace the old mount (if any), instead of overmounting it.
* Units now have MemoryPeak, MemorySwapPeak, MemorySwapCurrent and
MemoryZSwapCurrent properties, which respectively contain the values
of the cgroup v2's memory.peak, memory.swap.peak, memory.swap.current
and memory.zswap.current properties. This information is also shown in
"systemctl status" output, if available.
TPM2 Support + Disk Encryption & Authentication:
* systemd-cryptenroll now allows specifying a PCR bank and explicit hash
value in the --tpm2-pcrs= option.
* systemd-cryptenroll now allows specifying a TPM2 key handle (nv
index) to be used instead of the default SRK via the new
--tpm2-seal-key-handle= option.
* systemd-cryptenroll now allows TPM2 enrollment using only a TPM2
public key (in TPM2B_PUBLIC format) without access to the TPM2
device itself which enables offline sealing of LUKS images for a
specific TPM2 chip, as long as the SRK public key is known. Pass the
public to the tool via the new --tpm2-device-key= switch.
* systemd-cryptsetup is now installed in /usr/bin/ and is no longer an
internal-only executable.
* The TPM2 Storage Root Key will now be set up, if not already present,
by a new systemd-tpm2-setup.service early boot service. The SRK will
be stored in PEM format and TPM2_PUBLIC format (the latter is useful
for systemd-cryptenroll --tpm2-device-key=, as mentioned above) for
easier access. A new "srk" verb has been added to systemd-analyze to
allow extracting it on demand if it is already set up.
* The internal systemd-pcrphase executable has been renamed to
systemd-pcrextend.
* The systemd-pcrextend tool gained a new --pcr= switch to override
which PCR to measure into.
* systemd-pcrextend now exposes a Varlink interface at
io.systemd.PCRExtend that can be used to do measurements and event
logging on demand.
* TPM measurements are now also written to an event log at
/run/log/systemd/tpm2-measure.log, using a derivative of the TCG
Canonical Event Log format. Previously we'd only log them to the
journal, where they however were subject to rotation and similar.
* A new component "systemd-pcrlock" has been added that allows managing
local TPM2 PCR policies for PCRs 0-7 and similar, which are hard to
predict by the OS vendor because of the inherently local nature of
what measurements they contain, such as firmware versions of the
system and extension cards and suchlike. pcrlock can predict PCR
measurements ahead of time based on various inputs, such as the local
TPM2 event log, GPT partition tables, PE binaries, UKI kernels, and
various other things. It can then pre-calculate a TPM2 policy from
this, which it stores in an TPM2 NV index. TPM2 objects (such as disk
encryption keys) can be locked against this NV index, so that they
are locked against a specific combination of system firmware and
state. Alternatives for each component are supported to allowlist
multiple kernel versions or boot loader version simultaneously
without losing access to the disk encryption keys. The tool can also
be used to analyze and validate the local TPM2 event log.
systemd-cryptsetup, systemd-cryptenroll, systemd-repart have all been
updated to support such policies. There's currently no support for
locking the system's root disk against a pcrlock policy, this will be
added soon. Moreover, it is currently not possible to combine a
pcrlock policy with a signed PCR policy. This component is
experimental and its public interface is subject to change.
systemd-boot, systemd-stub, ukify, bootctl, kernel-install:
* bootctl will now show whether the system was booted from a UKI in its
status output.
* systemd-boot and systemd-stub now use different project keys in their
respective SBAT sections, so that they can be revoked individually if
needed.
* systemd-boot will no longer load unverified Devicetree blobs when UEFI
SecureBoot is enabled. For more details see:
https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c
* systemd-boot gained new hotkeys to reboot and power off the system
from the boot menu ("B" and "O"). If the "auto-poweroff" and
"auto-reboot" options in loader.conf are set these entries are also
shown as menu items (which is useful on devices lacking a regular
keyboard).
* systemd-boot gained a new configuration value "menu-disabled" for the
set-timeout option, to allow completely disabling the boot menu,
including the hotkey.
* systemd-boot will now measure the content of loader.conf in TPM2
PCR 5.
* systemd-stub will now concatenate the content of all kernel
command-line addons before measuring them in TPM2 PCR 12, in a single
measurement, instead of measuring them individually.
* systemd-stub will now measure and load Devicetree Blob addons, which
are searched and loaded following the same model as the existing
kernel command-line addons.
* systemd-stub will now ignore unauthenticated kernel command line options
passed from systemd-boot when running inside Confidential VMs with UEFI
SecureBoot enabled.
* systemd-stub will now load a Devicetree blob even if the firmware did
not load any beforehand (e.g.: for ACPI systems).
* ukify is no longer considered experimental, and now ships in /usr/bin/.
* ukify gained a new verb inspect to describe the sections of a UKI and
print the contents of the well-known sections.
* ukify gained a new verb genkey to generate a set of key pairs for
signing UKIs and their PCR data.
* The 90-loaderentry kernel-install hook now supports installing device
trees.
* kernel-install now supports the --json=, --root=, --image=, and
--image-policy= options for the inspect verb.
* kernel-install now supports new list and add-all verbs. The former
lists all installed kernel images (if those are available in
/usr/lib/modules/). The latter will install all the kernels it can
find to the ESP.
systemd-repart:
* A new option --copy-from= has been added that synthesizes partition
definitions from the given image, which are then applied by the
systemd-repart algorithm.
* A new option --copy-source= has been added, which can be used to specify
a directory to which CopyFiles= is considered relative to.
* New --make-ddi=confext, --make-ddi=sysext, and --make-ddi=portable
options have been added to make it easier to generate these types of
DDIs, without having to provide repart.d definitions for them.
* The dm-verity salt and UUID will now be derived from the specified
seed value.
* New VerityDataBlockSizeBytes= and VerityHashBlockSizeBytes= can now be
configured in repart.d/ configuration files.
* A new Subvolumes= setting is now supported in repart.d/ configuration
files, to indicate which directories in the target partition should be
btrfs subvolumes.
* A new --tpm2-device-key= option can be used to lock a disk against a
specific TPM2 public key. This matches the same switch the
systemd-cryptenroll tool now supports (see above).
Journal:
* The journalctl --lines= parameter now accepts +N to show the oldest N
entries instead of the newest.
* journald now ensures that sealing happens once per epoch, and sets a
new compatibility flag to distinguish old journal files that were
created before this change, for backward compatibility.
Device Management:
* udev will now create symlinks to loopback block devices in the
/dev/disk/by-loop-ref/ directory that are based on the .lo_file_name
string field selected during allocation. The systemd-dissect tool and
the util-linux losetup command now supports a complementing new switch
--loop-ref= for selecting the string. This means a loopback block
device may now be allocated under a caller-chosen reference and can
subsequently be referenced without first having to look up the block
device name the caller ended up with.
* udev also creates symlinks to loopback block devices in the
/dev/disk/by-loop-inode/ directory based on the .st_dev/st_ino fields
of the inode attached to the loopback block device. This means that
attaching a file to a loopback device will implicitly make a handle
available to be found via that file's inode information.
* udevadm info gained support for JSON output via a new --json= flag, and
for filtering output using the same mechanism that udevadm trigger
already implements.
* The predictable network interface naming logic is extended to include
the SR-IOV-R "representor" information in network interface names.
This feature was intended for v254, but even though the code was
merged, the part that actually enabled the feature was forgotten.
It is now enabled by default and is part of the new "v255" naming
scheme.
* A new hwdb/rules file has been added that sets the
ID_NET_AUTO_LINK_LOCAL_ONLY=1 udev property on all network interfaces
that should usually only be configured with link-local addressing
(IPv4LL + IPv6LL), i.e. for PC-to-PC cables ("laplink") or
Thunderbolt networking. systemd-networkd and NetworkManager (soon)
will make use of this information to apply an appropriate network
configuration by default.
* The ID_NET_DRIVER property on network interfaces is now set
relatively early in the udev rule set so that other rules may rely on
its use. This is implemented in a new "net-driver" udev built-in.
Network Management:
* The "duid-only" option for DHCPv4 client's ClientIdentifier= setting
is now dropped, as it never worked, hence it should not be used by
anyone.
* The 'prefixstable' ipv6 address generation mode now considers the SSID
when generating stable addresses, so that a different stable address
is used when roaming between wireless networks. If you already use
'prefixstable' addresses with wireless networks, the stable address
will be changed by the update.
* The DHCPv4 client gained a RapidCommit option, true by default, which
enables RFC4039 Rapid Commit behavior to obtain a lease in a
simplified 2-message exchange instead of the typical 4-message
exchange, if also supported by the DHCP server.
* The DHCPv4 client gained new InitialCongestionWindow= and
InitialAdvertisedReceiveWindow= options for route configurations.
* The DHCPv4 client gained a new RequestAddress= option that allows
to send a preferred IP address in the initial DHCPDISCOVER message.
* The DHCPv4 server and client gained support for IPv6-only mode
(RFC8925).
* The SendHostname= and Hostname= options are now available for the
DHCPv6 client, independently of the DHCPv4= option, so that these
configuration values can be set independently for each client.
* The DHCPv4 and DHCPv6 client state can now be queried via D-Bus,
including lease information.
* The DHCPv6 client can now be configured to use a custom DUID type.
* .network files gained a new IPv4ReversePathFilter= setting in the
[Network] section, to control sysctl's rp_filter setting.
* .network files gaiend a new HopLimit= setting in the [Route] section,
to configure a per-route hop limit.
* .network files gained a new TCPRetransmissionTimeoutSec= setting in
the [Route] section, to configure a per-route TCP retransmission
timeout.
* A new directive NFTSet= provides a method for integrating network
configuration into firewall rules with NFT sets. The benefit of using
this setting is that static network configuration or dynamically
obtained network addresses can be used in firewall rules with the
indirection of NFT set types.
* The [IPv6AcceptRA] section supports the following new options:
UsePREF64=, UseHopLimit=, UseICMP6RateLimit=, and NFTSet=.
* The [IPv6SendRA] section supports the following new options:
RetransmitSec=, HopLimit=, HomeAgent=, HomeAgentLifetimeSec=, and
HomeAgentPreference=.
* A new [IPv6PREF64Prefix] set of options, containing Prefix= and
LifetimeSec=, has been introduced to append pref64 options in router
advertisements (RFC8781).
* The network generator now configures the interfaces with only
link-local addressing if "ip=link-local" is specified on the kernel
command line.
* The prefix of the configuration files generated by the network
generator from the kernel command line is now prefixed with '70-',
to make them have higher precedence over the default configuration
files.
* Added a new -Ddefault-network=BOOL meson option, that causes more
.network files to be installed as enabled by default. These configuration
files will which match generic setups, e.g. 89-ethernet.network matches
all Ethernet interfaces and enables both DHCPv4 and DHCPv6 clients.
* If a ID_NET_MANAGED_BY= udev property is set on a network device and
it is any other string than "io.systemd.Network" then networkd will
not manage this device. This may be used to allow multiple network
management services to run in parallel and assign ownership of
specific devices explicitly. NetworkManager will soon implement a
similar logic.
systemctl:
* systemctl is-failed now checks the system state if no unit is
specified.
* systemctl will now automatically soft-reboot if a new root file system
is found under /run/nextroot/ when a reboot operation is invoked.
Login management:
* Wall messages now work even when utmp support is disabled, using
systemd-logind to query the necessary information.
* systemd-logind now sends a new PrepareForShutdownWithMetadata D-Bus
signal before shutdown/reboot/soft-reboot that includes additional
information compared to the PrepareForShutdown signal. Currently the
additional information is the type of operation that is about to be
executed.
Hibernation & Suspend:
* The kernel and OS versions will no longer be checked on resume from
hibernation.
* Hibernation into swap files backed by btrfs are now
supported. (Previously this was supported only for other file
systems.)
Other:
* A new systemd-vmspawn tool has been added, that aims to provide for VMs
the same interfaces and functionality that systemd-nspawn provides for
containers. For now it supports QEMU as a backend, and exposes some of
its options to the user. This component is experimental and its public
interface is subject to change.
* "systemd-analyze plot" has gained tooltips on each unit name with
related-unit information in its svg output, such as Before=,
Requires=, and similar properties.
* A new varlinkctl tool has been added to allow interfacing with
Varlink services, and introspection has been added to all such
services. This component is experimental and its public interface is
subject to change.
* systemd-sysext and systemd-confext now expose a Varlink service
at io.systemd.sysext.
* portable services now accept confexts as extensions.
* systemd-sysupdate now accepts directories in the MatchPattern= option.
* systemd-run will now output the invocation ID of the launched
transient unit and its peak memory usage.
* systemd-analyze, systemd-tmpfiles, systemd-sysusers, systemd-sysctl,
and systemd-binfmt gained a new --tldr option that can be used instead
of --cat-config to suppress uninteresting configuration lines, such as
comments and whitespace.
* resolvectl gained a new "show-server-state" command that shows
current statistics of the resolver. This is backed by a new
DumpStatistics() Varlink method provided by systemd-resolved.
* systemd-timesyncd will now emit a D-Bus signal when the LinkNTPServers
property changes.
* vconsole now supports KEYMAP=@kernel for preserving the kernel keymap
as-is.
* seccomp now supports the LoongArch64 architecture.
* seccomp may now be enabled for services running as a non-root User=
without NoNewPrivileges=yes.
* systemd-id128 now supports a new -P option to show only values. The
combination of -P and --app options is also supported.
* A new pam_systemd_loadkey.so PAM module is now available, which will
automatically fetch the passphrase used by cryptsetup to unlock the
root file system and set it as the PAM authtok. This enables, among
other things, configuring auto-unlock of the GNOME Keyring / KDE
Wallet when autologin is configured.
* Many meson options now use the 'feature' type, which means they
take enabled/disabled/auto as values.
* A new meson option -Dconfigfiledir= can be used to change where
configuration files with default values are installed to.
* Options and verbs in man pages are now tagged with the version they
were first introduced in.
* A new component "systemd-storagetm" has been added, which exposes all
local block devices as NVMe-TCP devices, fully automatically. It's
hooked into a new target unit storage-target-mode.target that is
suppsoed to be booted into via
rd.systemd.unit=storage-target-mode.target on the kernel command
line. This is intended to be used for installers and debugging to
quickly get access to the local disk. It's inspired by MacOS "target
disk mode". This component is experimental and its public interface is
subject to change.
* A new component "systemd-bsod" has been added, which can show logged
error messages full screen, if they have a log level of LOG_EMERG log
level. This component is experimental and its public interface is
subject to change.
* The systemd-dissect tool's --with command will now set the
$SYSTEMD_DISSECT_DEVICE environment variable to the block device it
operates on for the invoked process.
* The systemd-mount tool gained a new --tmpfs switch for mounting a new
'tmpfs' instance. This is useful since it does so via .mount units
and thus can be executed remotely or in containers.
* The various tools in systemd that take "verbs" (such as systemctl,
loginctl, machinectl, …) now will suggest a close verb name in case
the user specified an unrecognized one.
* libsystemd now exports a new function sd_id128_get_app_specific()
that generates "app-specific" 128bit IDs from any ID. It's similar to
sd_id128_get_machine_app_specific() and
sd_id128_get_boot_app_specific() but takes the ID to base calculation
on as input. This new functionality is also exposed in the
"systemd-id128" tool where you can now combine --app= with `show`.
* All tools that parse timestamps now can also parse RFC3339 style
timestamps that include the "T" and Z" characters.
* New documentation has been added:
https://systemd.io/FILE_DESCRIPTOR_STORE
https://systemd.io/TPM2_PCR_MEASUREMENTS
https://systemd.io/MOUNT_REQUIREMENTS
* The codebase now recognizes the suffix .confext.raw and .sysext.raw
as alternative to the .raw suffix generally accepted for DDIs. It is
recommended to name configuration extensions and system extensions
with such suffixes, to indicate their purpose in the name.
* The sd-device API gained a new function
sd_device_enumerator_add_match_property_required() which allows
configuring matches on properties that are strictly required. This is
different from the existing sd_device_enumerator_add_match_property()
matches of which one one needs to apply.
* The MAC address the veth side of an nspawn container shall get
assigned may now be controlled via the $SYSTEMD_NSPAWN_NETWORK_MAC
environment variable.
* The libiptc dependency is now implemented via dlopen(), so that tools
such as networkd and nspawn no longer have a hard dependency on the
shared library when compiled with support for libiptc.
* New rpm macros have been added: %systemd_user_daemon_reexec does
daemon-reexec for all user managers, and %systemd_postun_with_reload
and %systemd_user_postun_with_reload do a reload for system and user
units on upgrades.
* coredumpctl now propagates SIGTERM to the debugger process.
Contributions from: 김인수, Abderrahim Kitouni, Adam Goldman,
Adam Williamson, Alexandre Peixoto Ferreira, Alex Hudspith,
Alvin Alvarado, André Paiusco, Antonio Alvarez Feijoo,
Anton Lundin, Arian van Putten, Arseny Maslennikov, Arthur Shau,
Balázs Úr, beh_10257, Benjamin Peterson, Bertrand Jacquin,
Brian Norris, Charles Lee, Cheng-Chia Tseng, Chris Patterson,
Christian Hergert, Christian Hesse, Christian Kirbach,
Clayton Craft, commondservice, cunshunxia, Curtis Klein, cvlc12,
Daan De Meyer, Daniele Medri, Daniel P. Berrangé, Daniel Rusek,
Daniel Thompson, Dan Nicholson, Dan Streetman, David Rheinsberg,
David Santamaría Rogado, David Tardon, dependabot[bot],
Diego Viola, Dmitry V. Levin, Emanuele Giuseppe Esposito,
Emil Renner Berthing, Emil Velikov, Etienne Dechamps, Fabian Vogt,
felixdoerre, Felix Dörre, Florian Schmaus, Franck Bui,
Frantisek Sumsal, G2-Games, Gioele Barabucci, Hugo Carvalho,
huyubiao, Iago López Galeiras, IllusionMan1212, Jade Lovelace,
janana, Jan Janssen, Jan Kuparinen, Jan Macku, Jeremy Fleischman,
Jin Liu, jjimbo137, Joerg Behrmann, Johannes Segitz, Jordan Rome,
Jordan Williams, Julien Malka, Juno Computers, Khem Raj, khm,
Kingbom Dou, Kiran Vemula, Krzesimir Nowak, Laszlo Gombos,
Lennart Poettering, linuxlion, Luca Boccassi, Lucas Adriano Salles,
Lukas, Lukáš Nykrýn, Maanya Goenka, Maarten, Malte Poll,
Marc Pervaz Boocha, Martin Beneš, Martin Joerg, Martin Wilck,
Mathieu Tortuyaux, Matthias Schiffer, Maxim Mikityanskiy,
Max Kellermann, Michael A Cassaniti, Michael Biebl, Michael Kuhn,
Michael Vasseur, Michal Koutný, Michal Sekletár, Mike Yuan,
Milton D. Miller II, mordner, msizanoen, NAHO, Nandakumar Raghavan,
Neil Wilson, Nick Rosbrook, Nils K, NRK, Oğuz Ersen,
Omojola Joshua, onenowy, Paul Meyer, Paymon MARANDI, pelaufer,
Peter Hutterer, PhylLu, Pierre GRASSER, Piotr Drąg, Priit Laes,
Rahil Bhimjiani, Raito Bezarius, Raul Cheleguini, Reto Schneider,
Richard Maw, Robby Red, RoepLuke, Roland Hieber, Roland Singer,
Ronan Pigott, Sam James, Sam Leonard, Sergey A, Susant Sahani,
Sven Joachim, Tad Fisher, Takashi Sakamoto, Thorsten Kukuk, Tj,
Tomasz Świątek, Topi Miettinen, Valentin David,
Valentin Lefebvre, Victor Westerhuis, Vincent Haupert,
Vishal Chillara Srinivas, Vito Caputo, Warren, Weblate,
Xiaotian Wu, xinpeng wang, Yaron Shahrabani, Yo-Jung Lin,
Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zeroskyx,
Дамјан Георгиевски, наб
— Edinburgh, 2023-12-06
CHANGES WITH 254:
Announcements of Future Feature Removals and Incompatible Changes:
* The next release (v255) will remove support for split-usr (/usr/
mounted separately during late boot, instead of being mounted by the
initrd before switching to the rootfs) and unmerged-usr (parallel
directories /bin/ and /usr/bin/, /lib/ and /usr/lib/, …). For more
details, see:
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
* We intend to remove cgroup v1 support from a systemd release after
the end of 2023. If you run services that make explicit use of
cgroup v1 features (i.e. the "legacy hierarchy" with separate
hierarchies for each controller), please implement compatibility with
cgroup v2 (i.e. the "unified hierarchy") sooner rather than later.
Most of Linux userspace has been ported over already.
* Support for System V service scripts is now deprecated and will be
removed in a future release. Please make sure to update your software
*now* to include a native systemd unit file instead of a legacy
System V script to retain compatibility with future systemd releases.
* Support for the SystemdOptions EFI variable is deprecated.
'bootctl systemd-efi-options' will emit a warning when used. It seems
that this feature is little-used and it is better to use alternative
approaches like credentials and confexts. The plan is to drop support
altogether at a later point, but this might be revisited based on
user feedback.
* EnvironmentFile= now treats the line following a comment line
trailing with escape as a non comment line. For details, see:
https://github.com/systemd/systemd/issues/27975
* PrivateNetwork=yes and NetworkNamespacePath= now imply
PrivateMounts=yes unless PrivateMounts=no is explicitly specified.
* Behaviour of sandboxing options for the per-user service manager
units has changed. They now imply PrivateUsers=yes, which means user
namespaces will be implicitly enabled when a sandboxing option is
enabled in a user unit. Enabling user namespaces has the drawback
that system users will no longer be visible (and processes/files will
appear as owned by 'nobody') in the user unit.
By definition a sandboxed user unit should run with reduced
privileges, so impact should be small. This will remove a great
source of confusion that has been reported by users over the years,
due to how these options require an extra setting to be manually
enabled when used in the per-user service manager, which is not
needed in the system service manager. For more details, see:
https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html
* systemd-run's switch --expand-environment= which currently is disabled
by default when combined with --scope, will be changed in a future
release to be enabled by default.
Security Relevant Changes:
* pam_systemd will now by default pass the CAP_WAKE_ALARM ambient
process capability to invoked session processes of regular users on
local seats (as well as to systemd --user), unless configured
otherwise via data from JSON user records, or via the PAM module's
parameter list. This is useful in order allow desktop tools such as
GNOME's Alarm Clock application to set a timer for
CLOCK_REALTIME_ALARM that wakes up the system when it elapses. A
per-user service unit file may thus use AmbientCapability= to pass
the capability to invoked processes. Note that this capability is
relatively narrow in focus (in particular compared to other process
capabilities such as CAP_SYS_ADMIN) and we already — by default —
permit more impactful operations such as system suspend to local
users.
Service Manager:
* Memory limits that apply while the unit is activating are now
supported. Previously IO and CPU settings were already supported via
StartupCPUWeight= and similar. The same logic has been added for the
various manager and unit memory settings (DefaultStartupMemoryLow=,
StartupMemoryLow=, StartupMemoryHigh=, StartupMemoryMax=,
StartupMemorySwapMax=, StartupMemoryZSwapMax=).
* The service manager gained support for enqueuing POSIX signals to
services that carry an additional integer value, exposing the
sigqueue() system call. This is accessible via new D-Bus calls
org.freedesktop.systemd1.Manager.QueueSignalUnit() and
org.freedesktop.systemd1.Unit.QueueSignal(), as well as in systemctl
via the new --kill-value= option.
* systemctl gained a new "list-paths" verb, which shows all currently
active .path units, similarly to how "systemctl list-timers" shows
active timers, and "systemctl list-sockets" shows active sockets.
* systemctl gained a new --when= switch which is honoured by the various
forms of shutdown (i.e. reboot, kexec, poweroff, halt) and allows
scheduling these operations by time, similar in fashion to how this
has been supported by SysV shutdown.
* If MemoryDenyWriteExecute= is enabled for a service and the kernel
supports the new PR_SET_MDWE prctl() call, it is used instead of the
seccomp()-based system call filter to achieve the same effect.
* A new set of kernel command line options is now understood:
systemd.tty.term.<name>=, systemd.tty.rows.<name>=,
systemd.tty.columns.<name>= allow configuring the TTY type and
dimensions for the tty specified via <name>. When systemd invokes a
service on a tty (via TTYName=) it will look for these and configure
the TTY accordingly. This is particularly useful in VM environments
to propagate host terminal settings into the appropriate TTYs of the
guest.
* A new RootEphemeral= setting is now understood in service units. It
takes a boolean argument. If enabled for services that use RootImage=
or RootDirectory= an ephemeral copy of the disk image or directory
tree is made when the service is started. It is removed automatically
when the service is stopped. That ephemeral copy is made using
btrfs/xfs reflinks or btrfs snapshots, if available.
* The service activation logic gained new settings RestartSteps= and
RestartMaxDelaySec= which allow exponentially-growing restart
intervals for Restart=.
* The service activation logic gained a new setting RestartMode= which
can be set to 'direct' to skip the inactive/failed states when
restarting, so that dependent units are not notified until the service
converges to a final (successful or failed) state. For example, this
means that OnSuccess=/OnFailure= units will not be triggered until the
service state has converged.
* PID 1 will now automatically load the virtio_console kernel module
during early initialization if running in a suitable VM. This is done
so that early-boot logging can be written to the console if available.
* Similarly, virtio-vsock support is loaded early in suitable VM
environments. PID 1 will send sd_notify() notifications via AF_VSOCK
to the VMM if configured, thus loading this early is beneficial.
* A new verb "fdstore" has been added to systemd-analyze to show the
current contents of the file descriptor store of a unit. This is
backed by a new D-Bus call DumpUnitFileDescriptorStore() provided by
the service manager.
* The service manager will now set a new $FDSTORE environment variable
when invoking processes for services that have the file descriptor
store enabled.
* A new service option FileDescriptorStorePreserve= has been added that
allows tuning the lifecycle of the per-service file descriptor store.
If set to "yes", the entries in the fd store are retained even after
the service has been fully stopped.
* The "systemctl clean" command may now be used to clear the fdstore of
a service.
* Unit *.preset files gained a new directive "ignore", in addition to
the existing "enable" and "disable". As the name suggests, matching
units are left unchanged, i.e. neither enabled nor disabled.
* Service units gained a new setting DelegateSubgroup=. It takes the
name of a sub-cgroup to place any processes the service manager forks
off in. Previously, the service manager would place all service
processes directly in the top-level cgroup it created for the
service. This usually meant that main process in a service with
delegation enabled would first have to create a subgroup and move
itself down into it, in order to not conflict with the "no processes
in inner cgroups" rule of cgroup v2. With this option, this step is
now handled by PID 1.
* The service manager will now look for .upholds/ directories,
similarly to the existing support for .wants/ and .requires/
directories. Symlinks in this directory result in Upholds=
dependencies.
The [Install] section of unit files gained support for a new
UpheldBy= directive to generate .upholds/ symlinks automatically when
a unit is enabled.
* The service manager now supports a new kernel command line option
systemd.default_device_timeout_sec=, which may be used to override
the default timeout for .device units.
* A new "soft-reboot" mechanism has been added to the service manager.
A "soft reboot" is similar to a regular reboot, except that it
affects userspace only: the service manager shuts down any running
services and other units, then optionally switches into a new root
file system (mounted to /run/nextroot/), and then passes control to a
systemd instance in the new file system which then starts the system
up again. The kernel is not rebooted and neither is the hardware,
firmware or boot loader. This provides a fast, lightweight mechanism
to quickly reset or update userspace, without the latency that a full
system reset involves. Moreover, open file descriptors may be passed
across the soft reboot into the new system where they will be passed
back to the originating services. This allows pinning resources
across the reboot, thus minimizing grey-out time further. This new
reboot mechanism is accessible via the new "systemctl soft-reboot"
command.
* Services using RootDirectory= or RootImage= will now have read-only
access to a copy of the host's os-release file under
/run/host/os-release, which will be kept up-to-date on 'soft-reboot'.
This was already the case for Portable Services, and the feature has
now been extended to all services that do not run off the host's
root filesystem.
* A new service setting MemoryKSM= has been added to enable kernel
same-page merging individually for services.
* A new service setting ImportCredentials= has been added that augments
LoadCredential= and LoadCredentialEncrypted= and searches for
credentials to import from the system, and supports globbing.
* A new job mode "restart-dependencies" has been added to the service
manager (exposed via systemctl --job-mode=). It is only valid when
used with "start" jobs, and has the effect that the "start" job will
be propagated as "restart" jobs to currently running units that have
a BindsTo= or Requires= dependency on the started unit.
* A new verb "whoami" has been added to "systemctl" which determines as
part of which unit the command is being invoked. It writes the unit
name to standard output. If one or more PIDs are specified reports
the unit names the processes referenced by the PIDs belong to.
* The system and service credential logic has been improved: there's
now a clearly defined place where system provisioning tools running
in the initrd can place credentials that will be imported into the
system's set of credentials during the initrd → host transition: the
/run/credentials/@initrd/ directory. Once the credentials placed
there are imported into the system credential set they are deleted
from this directory, and the directory itself is deleted afterwards
too.
* A new kernel command line option systemd.set_credential_binary= has
been added, that is similar to the pre-existing
systemd.set_credential= but accepts arbitrary binary credential data,
encoded in Base64. Note that the kernel command line is not a
recommend way to transfer credentials into a system, since it is
world-readable from userspace.
* The default machine ID to use may now be configured via the
system.machine_id system credential. It will only be used if no
machine ID was set yet on the host.
* On Linux kernel 6.4 and newer system and service credentials will now
be placed in a tmpfs instance that has the "noswap" mount option
set. Previously, a "ramfs" instance was used. By switching to tmpfs
ACL support and overall size limits can now be enforced, without
compromising on security, as the memory is never paged out either
way.
* The service manager now can detect when it is running in a
'Confidential Virtual Machine', and a corresponding 'cvm' value is now
accepted by ConditionSecurity= for units that want to conditionalize
themselves on this. systemd-detect-virt gained new 'cvm' and
'--list-cvm' switches to respectively perform the detection or list
all known flavours of confidential VM, depending on the vendor. The
manager will publish a 'ConfidentialVirtualization' D-Bus property,
and will also set a SYSTEMD_CONFIDENTIAL_VIRTUALIZATION= environment
variable for unit generators. Finally, udev rules can match on a new
'cvm' key that will be set when in a confidential VM.
Additionally, when running in a 'Confidential Virtual Machine', SMBIOS
strings and QEMU's fw_cfg protocol will not be used to import
credentials and kernel command line parameters by the system manager,
systemd-boot and systemd-stub, because the hypervisor is considered
untrusted in this particular setting.
Journal:
* The sd-journal API gained a new call sd_journal_get_seqnum() to
retrieve the current log record's sequence number and sequence number
ID, which allows applications to order records the same way as
journal does internally. The sequence number is now also exported in
the JSON and "export" output of the journal.
* journalctl gained a new switch --truncate-newline. If specified
multi-line log records will be truncated at the first newline,
i.e. only the first line of each log message will be shown.
* systemd-journal-upload gained support for --namespace=, similar to
the switch of the same name of journalctl.
systemd-repart:
* systemd-repart's drop-in files gained a new ExcludeFiles= option which
may be used to exclude certain files from the effect of CopyFiles=.
* systemd-repart's Verity support now implements the Minimize= setting
to minimize the size of the resulting partition.
* systemd-repart gained a new --offline= switch, which may be used to
control whether images shall be built "online" or "offline",
i.e. whether to make use of kernel facilities such as loopback block
devices and device mapper or not.
* If systemd-repart is told to populate a newly created ESP or XBOOTLDR
partition with some files, it will now default to VFAT rather than
ext4.
* systemd-repart gained a new --architecture= switch. If specified, the
per-architecture GPT partition types (i.e. the root and /usr/
partitions) configured in the partition drop-in files are
automatically adjusted to match the specified CPU architecture, in
order to simplify cross-architecture DDI building.
* systemd-repart will now default to a minimum size of 300MB for XFS
filesystems if no size parameter is specified. This matches what the
XFS tools (xfsprogs) can support.
systemd-boot, systemd-stub, ukify, bootctl, kernel-install:
* gnu-efi is no longer required to build systemd-boot and systemd-stub.
Instead, pyelftools is now needed, and it will be used to perform the
ELF -> PE relocations at build time.
* bootctl gained a new switch --print-root-device/-R that prints the
block device the root file system is backed by. If specified twice,
it returns the whole disk block device (as opposed to partition block
device) the root file system is on. It's useful for invocations such
as "cfdisk $(bootctl -RR)" to quickly show the partition table of the
running OS.
* systemd-stub will now look for the SMBIOS Type 1 field
"io.systemd.stub.kernel-cmdline-extra" and append its value to the
kernel command line it invokes. This is useful for VMMs such as qemu
to pass additional kernel command lines into the system even when
booting via full UEFI. The contents of the field are measured into
TPM PCR 12.
* The KERNEL_INSTALL_LAYOUT= setting for kernel-install gained a new
value "auto". With this value, a kernel will be automatically
analyzed, and if it qualifies as UKI, it will be installed as if the
setting was to set to "uki", otherwise as "bls".
* systemd-stub can now optionally load UEFI PE "add-on" images that may
contain additional kernel command line information. These "add-ons"
superficially look like a regular UEFI executable, and are expected
to be signed via SecureBoot/shim. However, they do not actually
contain code, but instead a subset of the PE sections that UKIs
support. They are supposed to provide a way to extend UKIs with
additional resources in a secure and authenticated way. Currently,
only the .cmdline PE section may be used in add-ons, in which case
any specified string is appended to the command line embedded into
the UKI itself. A new 'addon<EFI-ARCH>.efi.stub' is now provided that
can be used to trivially create addons, via 'ukify' or 'objcopy'. In
the future we expect other sections to be made extensible like this as
well.
* ukify has been updated to allow building these UEFI PE "add-on"
images, using the new 'addon<EFI-ARCH>.efi.stub'.
* ukify now accepts SBAT information to place in the .sbat PE section
of UKIs and addons. If a UKI is built the SBAT information from the
inner kernel is merged with any SBAT information associated with
systemd-stub and the SBAT data specified on the ukify command line.
* The kernel-install script has been rewritten in C, and reuses much of
the infrastructure of existing tools such as bootctl. It also gained
--esp-path= and --boot-path= options to override the path to the ESP,
and the $BOOT partition. Options --make-entry-directory= and
--entry-token= have been added as well, similar to bootctl's options
of the same name.
* A new kernel-install plugin 60-ukify has been added which will
combine kernel/initrd locally into a UKI and optionally sign them
with a local key. This may be used to switch to UKI mode even on
systems where a local kernel or initrd is used. (Typically UKIs are
built and signed by the vendor.)
* The ukify tool now supports "pesign" in addition to the pre-existing
"sbsign" for signing UKIs.
* systemd-measure and systemd-stub now look for the .uname PE section
that should contain the kernel's "uname -r" string.
* systemd-measure and ukify now calculate expected PCR hashes for a UKI
"offline", i.e. without access to a TPM (physical or
software-emulated).
Memory Pressure & Control:
* The sd-event API gained new calls sd_event_add_memory_pressure(),
sd_event_source_set_memory_pressure_type(),
sd_event_source_set_memory_pressure_period() to create and configure
an event source that is called whenever the OS signals memory
pressure. Another call sd_event_trim_memory() is provided that
compacts the process' memory use by releasing allocated but unused
malloc() memory back to the kernel. Services can also provide their
own custom callback to do memory trimming. This should improve system
behaviour under memory pressure, as on Linux traditionally provided
no mechanism to return process memory back to the kernel if the
kernel was under memory pressure. This makes use of the kernel's PSI
interface. Most long-running services in systemd have been hooked up
with this, and in particular systems with low memory should benefit
from this.
* Service units gained new settings MemoryPressureWatch= and
MemoryPressureThresholdSec= to configure the PSI memory pressure
logic individually. If these options are used, the
$MEMORY_PRESSURE_WATCH and $MEMORY_PRESSURE_WRITE environment
variables will be set for the invoked processes to inform them about
the requested memory pressure behaviour. (This is used by the
aforementioned sd-events API additions, if set.)
* systemd-analyze gained a new "malloc" verb that shows the output
generated by glibc's malloc_info() on services that support it. Right
now, only the service manager has been updated accordingly. This
call requires privileges.
User & Session Management:
* The sd-login API gained a new call sd_session_get_username() to
return the user name of the owner of a login session. It also gained
a new call sd_session_get_start_time() to retrieve the time the login
session started. A new call sd_session_get_leader() has been added to
return the PID of the "leader" process of a session. A new call
sd_uid_get_login_time() returns the time since the specified user has
most recently been continuously logged in with at least one session.
* JSON user records gained a new set of fields capabilityAmbientSet and
capabilityBoundingSet which contain a list of POSIX capabilities to
set for the logged in users in the ambient and bounding sets,
respectively. homectl gained the ability to configure these two sets
for users via --capability-bounding-set=/--capability-ambient-set=.
* pam_systemd learnt two new module options
default-capability-bounding-set= and default-capability-ambient-set=,
which configure the default bounding sets for users as they are
logging in, if the JSON user record doesn't specify this explicitly
(see above). The built-in default for the ambient set now contains
the CAP_WAKE_ALARM, thus allowing regular users who may log in
locally to resume from a system suspend via a timer.
* The Session D-Bus objects systemd-logind gained a new SetTTY() method
call to update the TTY of a session after it has been allocated. This
is useful for SSH sessions which are typically allocated first, and
for which a TTY is added later.
* The sd-login API gained a new call sd_pid_notifyf_with_fds() which
combines the various other sd_pid_notify() flavours into one: takes a
format string, an overriding PID, and a set of file descriptors to
send. It also gained a new call sd_pid_notify_barrier() call which is
equivalent to sd_notify_barrier() but allows the originating PID to
be specified.
* "loginctl list-users" and "loginctl list-sessions" will now show the
state of each logged in user/session in their tabular output. It will
also show the current idle state of sessions.
DDIs:
* systemd-dissect will now show the intended CPU architecture of an
inspected DDI.
* systemd-dissect will now install itself as mount helper for the "ddi"
pseudo-file system type. This means you may now mount DDIs directly
via /bin/mount or /etc/fstab, making full use of embedded Verity
information and all other DDI features.
Example: mount -t ddi myimage.raw /some/where
* The systemd-dissect tool gained the new switches --attach/--detach to
attach/detach a DDI to a loopback block device without mounting it.
It will automatically derive the right sector size from the image
and set up Verity and similar, but not mount the file systems in it.
* When systemd-gpt-auto-generator or the DDI mounting logic mount an
ESP or XBOOTLDR partition the MS_NOSYMFOLLOW mount option is now
implied. Given that these file systems are typically untrusted, this
should make mounting them automatically have less of a security
impact.
* All tools that parse DDIs (such as systemd-nspawn, systemd-dissect,
systemd-tmpfiles, …) now understand a new switch --image-policy= which
takes a string encoding image dissection policy. With this mechanism
automatic discovery and use of specific partition types and the
cryptographic requirements on the partitions (Verity, LUKS, …) can be
restricted, permitting better control of the exposed attack surfaces
when mounting disk images. systemd-gpt-auto-generator will honour such
an image policy too, configurable via the systemd.image_policy= kernel
command line option. Unit files gained the RootImagePolicy=,
MountImagePolicy= and ExtensionImagePolicy= to configure the same for
disk images a service runs off.
* systemd-analyze gained a new verb "image-policy" to validate and
parse image policy strings.
* systemd-dissect gained support for a new --validate switch to
superficially validate DDI structure, and check whether a specific
image policy allows the DDI.
* systemd-dissect gained support for a new --mtree-hash switch to
optionally disable calculating mtree hashes, which can be slow on
large images.
* systemd-dissect --copy-to, --copy-from, --list and --mtree switches
are now able to operate on directories too, other than images.
Network Management:
* networkd's GENEVE support as gained a new .network option
InheritInnerProtocol=.
* The [Tunnel] section in .netdev files has gained a new setting
IgnoreDontFragment for controlling the IPv4 "DF" flag of datagrams.
* A new global IPv6PrivacyExtensions= setting has been added that
selects the default value of the per-network setting of the same
name.
* The predictable network interface naming logic was extended to
include SR-IOV-R "representor" information in network interface
names. Unfortunately, this feature was not enabled by default and can
only be enabled at compilation time by setting
-Ddefault-net-naming-scheme=v254.
* The DHCPv4 + DHCPv6 + IPv6 RA logic in networkd gained support for
the RFC8910 captive portal option.
Device Management:
* udevadm gained the new "verify" verb for validating udev rules files
offline.
* udev gained a new tool "iocost" that can be used to configure QoS IO
cost data based on hwdb information onto suitable block devices. Also
see https://github.com/iocost-benchmark/iocost-benchmarks.
TPM2 Support + Disk Encryption & Authentication:
* systemd-cryptenroll/systemd-cryptsetup will now install a TPM2 SRK
("Storage Root Key") as first step in the TPM2, and then use that
for binding FDE to, if TPM2 support is used. This matches
recommendations of TCG (see
https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf)
* systemd-cryptenroll and other tools that take TPM2 PCR parameters now
understand textual identifiers for these PCRs.
* systemd-veritysetup + /etc/veritytab gained support for a series of
new options: hash-offset=, superblock=, format=, data-block-size=,
hash-block-size=, data-blocks=, salt=, uuid=, hash=, fec-device=,
fec-offset=, fec-roots= to configure various aspects of a Verity
volume.
* systemd-cryptsetup + /etc/crypttab gained support for a new
veracrypt-pim= option for setting the Personal Iteration Multiplier
of veracrypt volumes.
* systemd-integritysetup + /etc/integritytab gained support for a new
mode= setting for controlling the dm-integrity mode (journal, bitmap,
direct) for the volume.
* systemd-analyze gained a new verb "pcrs" that shows the known TPM PCR
registers, their symbolic names and current values.
systemd-tmpfiles:
* The ACL support in tmpfiles.d/ has been updated: if an uppercase "X"
access right is specified this is equivalent to "x" but only if the
inode in question already has the executable bit set for at least
some user/group. Otherwise the "x" bit will be turned off.
* tmpfiles.d/'s C line type now understands a new modifier "+": a line
with C+ will result in a "merge" copy, i.e. all files of the source
tree are copied into the target tree, even if that tree already
exists, resulting in a combined tree of files already present in the
target tree and those copied in.
* systemd-tmpfiles gained a new --graceful switch. If specified lines
with unknown users/groups will silently be skipped.
systemd-notify:
* systemd-notify gained two new options --fd= and --fdname= for sending
arbitrary file descriptors to the service manager (while specifying an
explicit name for it).
* systemd-notify gained a new --exec switch, which makes it execute the
specified command line after sending the requested messages. This is
useful for sending out READY=1 first, and then continuing invocation
without changing process ID, so that the tool can be nicely used
within an ExecStart= line of a unit file that uses Type=notify.
sd-event + sd-bus APIs:
* The sd-event API gained a new call sd_event_source_leave_ratelimit()
which may be used to explicitly end a rate-limit state an event
source might be in, resetting all rate limiting counters.
* When the sd-bus library is used to make connections to AF_UNIX D-Bus
sockets, it will now encode the "description" set via
sd_bus_set_description() into the source socket address. It will also
look for this information when accepting a connection. This is useful
to track individual D-Bus connections on a D-Bus broker for debug
purposes.
systemd-resolved:
* systemd-resolved gained a new resolved.conf setting
StateRetentionSec= which may be used to retain cached DNS records
even after their nominal TTL, and use them in case upstream DNS
servers cannot be reached. This can be used to make name resolution
more resilient in case of network problems.
* resolvectl gained a new verb "show-cache" to show the current cache
contents of systemd-resolved. This verb communicates with the
systemd-resolved daemon and requires privileges.
Other:
* Meson >= 0.60.0 is now required to build systemd.
* The default keymap to apply may now be chosen at build-time via the
new -Ddefault-keymap= meson option.
* Most of systemd's long-running services now have a generic handler of
the SIGRTMIN+18 signal handler which executes various operations
depending on the sigqueue() parameter sent along. For example, values
0x100…0x107 allow changing the maximum log level of such
services. 0x200…0x203 allow changing the log target of such
services. 0x300 make the services trim their memory similarly to the
automatic PSI-triggered action, see above. 0x301 make the services
output their malloc_info() data to the logs.
* machinectl gained new "edit" and "cat" verbs for editing .nspawn
files, inspired by systemctl's verbs of the same name which edit unit
files. Similarly, networkctl gained the same verbs for editing
.network, .netdev, .link files.
* A new syscall filter group "@sandbox" has been added that contains
syscalls for sandboxing system calls such as those for seccomp and
Landlock.
* New documentation has been added:
https://systemd.io/COREDUMP
https://systemd.io/MEMORY_PRESSURE
smbios-type-11(7)
* systemd-firstboot gained a new --reset option. If specified, the
settings in /etc/ it knows how to initialize are reset.
* systemd-sysext is now a multi-call binary and is also installed under
the systemd-confext alias name (via a symlink). When invoked that way
it will operate on /etc/ instead of /usr/ + /opt/. It thus becomes a
powerful, atomic, secure configuration management of sorts, that
locally can merge configuration from multiple confext configuration
images into a single immutable tree.
* The --network-macvlan=, --network-ipvlan=, --network-interface=
switches of systemd-nspawn may now optionally take the intended
network interface inside the container.
* All our programs will now send an sd_notify() message with their exit
status in the EXIT_STATUS= field when exiting, using the usual
protocol, including PID 1. This is useful for VMMs and container
managers to collect an exit status from a system as it shuts down, as
set via "systemctl exit …". This is particularly useful in test cases
and similar, as invocations via a VM can now nicely propagate an exit
status to the host, similar to local processes.
* systemd-run gained a new switch --expand-environment=no to disable
server-side environment variable expansion in specified command
lines. Expansion defaults to enabled for all execution types except
--scope, where it defaults to off (and prints a warning) for backward
compatibility reasons. --scope will be flipped to enabled by default
too in a future release. If you are using --scope and passing a '$'
character in the payload you should start explicitly using
--expand-environment=yes/no according to the use case.
* The systemd-system-update-generator has been updated to also look for
the special flag file /etc/system-update in addition to the existing
support for /system-update to decide whether to enter system update
mode.
* The /dev/hugepages/ file system is now mounted with nosuid + nodev
mount options by default.
* systemd-fstab-generator now understands two new kernel command line
options systemd.mount-extra= and systemd.swap-extra=, which configure
additional mounts or swaps in a format similar to /etc/fstab. 'fsck'
will be ran on these block devices, like it already happens for
'root='. It also now supports the new fstab.extra and
fstab.extra.initrd credentials that may contain additional /etc/fstab
lines to apply at boot.
* systemd-getty-generator now understands two new credentials
getty.ttys.container and getty.ttys.serial. These credentials may
contain a list of TTY devices one per line to instantiate
container-getty@.service and serial-getty@.service on.
* The getty/serial-getty/container-getty units now import the 'agetty.*'
and 'login.*' credentials, which are consumed by the 'login' and
'agetty' programs starting from util-linux v2.40.
* systemd-sysupdate's sysupdate.d/ drop-ins gained a new setting
PathRelativeTo=, which can be set to "esp", "xbootldr", "boot", in
which case the Path= setting is taken relative to the ESP or XBOOTLDR
partitions, rather than the system's root directory /. The relevant
directories are automatically discovered.
* The systemd-ac-power tool gained a new switch --low, which reports
whether the battery charge is considered "low", similar to how the
s2h suspend logic checks this state to decide whether to enter system
suspend or hibernation.
* The /etc/os-release file can now have two new optional fields
VENDOR_NAME= and VENDOR_URL= to carry information about the vendor of
the OS.
* When the system hibernates, information about the device and offset
used is now written to a non-volatile EFI variable. On next boot the
system will attempt to resume from the location indicated in this EFI
variable. This should make hibernation a lot more robust, while
requiring no manual configuration of the resume location.
* The $XDG_STATE_HOME environment variable (added in more recent
versions of the XDG basedir specification) is now honoured to
implement the StateDirectory= setting in user services.
* A new component "systemd-battery-check" has been added. It may run
during early boot (usually in the initrd), and checks the battery
charge level of the system. In case the charge level is very low the
user is notified (graphically via Plymouth if available as well
as in text form on the console), and the system is turned off after a
10s delay. The feature can be disabled by passing
systemd.battery_check=0 through the kernel command line.
* The 'passwdqc' library is now supported as an alternative to the
'pwquality' library and can be selected at build time.
Contributions from: 김인수, 07416, Addison Snelling, Adrian Vovk,
Aidan Dang, Alexander Krabler, Alfred Klomp, Anatoli Babenia,
Andrei Stepanov, Andrew Baxter, Antonio Alvarez Feijoo,
Arian van Putten, Arthur Shau, A S Alam,
Asier Sarasua Garmendia, Balló György, Bastien Nocera,
Benjamin Herrenschmidt, Benjamin Raison, Bill Peterson,
Brad Fitzpatrick, Brett Holman, bri, Chen Qi, Chitoku,
Christian Hesse, Christoph Anton Mitterer, Christopher Gurnee,
Colin Walters, Cornelius Hoffmann, Cristian Rodríguez, cunshunxia,
cvlc12, Cyril Roelandt, Daan De Meyer, Daniele Medri,
Daniel P. Berrangé, Daniel Rusek, Dan Streetman, David Edmundson,
David Schroeder, David Tardon, dependabot[bot],
Dimitri John Ledkov, Dmitrii Fomchenkov, Dmitry V. Levin, dmkUK,
Dominique Martinet, don bright, drosdeck, Edson Juliano Drosdeck,
Egor Ignatov, EinBaum, Emanuele Giuseppe Esposito, Eric Curtin,
Erik Sjölund, Evgeny Vereshchagin, Florian Klink, Franck Bui,
François Rigault, Fran Diéguez, Franklin Yu, Frantisek Sumsal,
Fuminobu TAKEYAMA, Gaël PORTAY, Gerd Hoffmann, Gertalitec,
Gibeom Gwon, Gustavo Noronha Silva, Hannu Lounento,
Hans de Goede, Haochen Tong, HATAYAMA Daisuke, Henrik Holst,
Hoe Hao Cheng, Igor Tsiglyar, Ivan Vecera, James Hilliard,
Jan Engelhardt, Jan Janssen, Jan Luebbe, Jan Macku, Janne Sirén,
jcg, Jeidnx, Joan Bruguera, Joerg Behrmann, jonathanmetzman,
Jordan Rome, Josef Miegl, Joshua Goins, Joyce, Joyce Brum,
Juno Computers, Kai Lueke, Kevin P. Fleming, Kiran Vemula, Klaus,
Klaus Zipfel, Lawrence Thorpe, Lennart Poettering, licunlong,
Lily Foster, Luca Boccassi, Ludwig Nussel, Luna Jernberg,
maanyagoenka, Maanya Goenka, Maksim Kliazovich, Malte Poll,
Marko Korhonen, Masatake YAMATO, Mateusz Poliwczak, Matt Johnston,
Miao Wang, Micah Abbott, Michael A Cassaniti, Michal Koutný,
Michal Sekletár, Mike Yuan, mooo, Morten Linderud, msizanoen,
Nick Rosbrook, nikstur, Olivier Gayot, Omojola Joshua,
Paolo Velati, Paul Barker, Pavel Borecki, Petr Menšík,
Philipp Kern, Philip Withnall, Piotr Drąg, Quintin Hill,
Rene Hollander, Richard Phibel, Robert Meijers, Robert Scheck,
Roger Gammans, Romain Geissler, Ronan Pigott, Russell Harmon,
saikat0511, Samanta Navarro, Sam James, Sam Morris,
Simon Braunschmidt, Sjoerd Simons, Sorah Fukumori,
Stanislaw Gruszka, Stefan Roesch, Steven Luo, Steve Ramage,
Susant Sahani, taniishkaaa, Tanishka, Temuri Doghonadze,
Thierry Martin, Thomas Blume, Thomas Genty, Thomas Weißschuh,
Thorsten Kukuk, Times-Z, Tobias Powalowski, tofylion,
Topi Miettinen, Uwe Kleine-König, Velislav Ivanov,
Vitaly Kuznetsov, Vít Zikmund, Weblate, Will Fancher,
William Roberts, Winterhuman, Wolfgang Müller, Xeonacid,
Xiaotian Wu, Xi Ruoyao, Yuri Chornoivan, Yu Watanabe, Yuxiang Zhu,
Zbigniew Jędrzejewski-Szmek, zhmylove, ZjYwMj,
Дамјан Георгиевски, наб
— Edinburgh, 2023-07-28
CHANGES WITH 253:
Announcements of Future Feature Removals and Incompatible Changes:
* We intend to remove cgroup v1 support from systemd release after the
end of 2023. If you run services that make explicit use of cgroup v1
features (i.e. the "legacy hierarchy" with separate hierarchies for
each controller), please implement compatibility with cgroup v2 (i.e.
the "unified hierarchy") sooner rather than later. Most of Linux
userspace has been ported over already.
* We intend to remove support for split-usr (/usr mounted separately
during boot) and unmerged-usr (parallel directories /bin and
/usr/bin, /lib and /usr/lib, etc). This will happen in the second
half of 2023, in the first release that falls into that time window.
For more details, see:
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
* We intend to change behaviour w.r.t. units of the per-user service
manager and sandboxing options, so that they work without having to
manually enable PrivateUsers= as well, which is not required for
system units. To make this work, we will implicitly enable user
namespaces (PrivateUsers=yes) when a sandboxing option is enabled in a
user unit. The drawback is that system users will no longer be visible
(and appear as 'nobody') to the user unit when a sandboxing option is
enabled. By definition a sandboxed user unit should run with reduced
privileges, so impact should be small. This will remove a great source
of confusion that has been reported by users over the years, due to
how these options require an extra setting to be manually enabled when
used in the per-user service manager, as opposed as to the system
service manager. We plan to enable this change in the next release
later this year. For more details, see:
https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html
Deprecations and incompatible changes:
* systemctl will now warn when invoked without /proc/ mounted
(e.g. when invoked after chroot() into an directory tree without the
API mount points like /proc/ being set up.) Operation in such an
environment is not fully supported.
* The return value of 'systemctl is-active|is-enabled|is-failed' for
unknown units is changed: previously 1 or 3 were returned, but now 4
(EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented.
* 'udevadm hwdb' subcommand is deprecated and will emit a warning.
systemd-hwdb (added in 2014) should be used instead.
* 'bootctl --json' now outputs a single JSON array, instead of a stream
of newline-separated JSON objects.
* Udev rules in 60-evdev.rules have been changed to load hwdb
properties for all modalias patterns. Previously only the first
matching pattern was used. This could change what properties are
assigned if the user has more and less specific patterns that could
match the same device, but it is expected that the change will have
no effect for most users.
* systemd-networkd-wait-online exits successfully when all interfaces
are ready or unmanaged. Previously, if neither '--any' nor
'--interface=' options were used, at least one interface had to be in
configured state. This change allows the case where systemd-networkd
is enabled, but no interfaces are configured, to be handled
gracefully. It may occur in particular when a different network
manager is also enabled and used.
* Some compatibility helpers were dropped: EmergencyAction= in the user
manager, as well as measuring kernel command line into PCR 8 in
systemd-stub, along with the -Defi-tpm-pcr-compat compile-time
option.
* The '-Dupdate-helper-user-timeout=' build-time option has been
renamed to '-Dupdate-helper-user-timeout-sec=', and now takes an
integer as parameter instead of a string.
* The DDI image dissection logic (which backs RootImage= in service
unit files, the --image= switch in various tools such as
systemd-nspawn, as well as systemd-dissect) will now only mount file
systems of types btrfs, ext4, xfs, erofs, squashfs, vfat. This list
can be overridden via the $SYSTEMD_DISSECT_FILE_SYSTEMS environment
variable. These file systems are fairly well supported and maintained
in current kernels, while others are usually more niche, exotic or
legacy and thus typically do not receive the same level of security
support and fixes.
* The default per-link multicast DNS mode is changed to "yes"
(that was previously "no"). As the default global multicast DNS mode
has been "yes" (but can be changed by the build option), now the
multicast DNS is enabled on all links by default. You can disable the
multicast DNS on all links by setting MulticastDNS= in resolved.conf,
or on an interface by calling "resolvectl mdns INTERFACE no".
New components:
* A tool 'ukify' tool to build, measure, and sign Unified Kernel Images
(UKIs) has been added. This replaces functionality provided by
'dracut --uefi' and extends it with automatic calculation of PE file
offsets, insertion of signed PCR policies generated by
systemd-measure, support for initrd concatenation, signing of the
embedded Linux image and the combined image with sbsign, and
heuristics to autodetect the kernel uname and verify the splash
image.
Changes in systemd and units:
* A new service type Type=notify-reload is defined. When such a unit is
reloaded a UNIX process signal (typically SIGHUP) is sent to the main
service process. The manager will then wait until it receives a
"RELOADING=1" followed by a "READY=1" notification from the unit as
response (via sd_notify()). Otherwise, this type is the same as
Type=notify. A new setting ReloadSignal= may be used to change the
signal to send from the default of SIGHUP.
user@.service, systemd-networkd.service, systemd-udevd.service, and
systemd-logind have been updated to this type.
* Initrd environments which are not on a pure memory file system (e.g.
overlayfs combination as opposed to tmpfs) are now supported. With
this change, during the initrd → host transition ("switch root")
systemd will erase all files of the initrd only when the initrd is
backed by a memory file system such as tmpfs.
* New per-unit MemoryZSwapMax= option has been added to configure
memory.zswap.max cgroup properties (the maximum amount of zswap
used).
* A new LogFilterPatterns= option has been added for units. It may be
used to specify accept/deny regular expressions for log messages
generated by the unit, that shall be enforced by systemd-journald.
Rejected messages are neither stored in the journal nor forwarded.
This option may be used to suppress noisy or uninteresting messages
from units.
* The manager has a new
org.freedesktop.systemd1.Manager.GetUnitByPIDFD() D-Bus method to
query process ownership via a PIDFD, which is more resilient against
PID recycling issues.
* Scope units now support OOMPolicy=. Login session scopes default to
OOMPolicy=continue, allowing login scopes to survive the OOM killer
terminating some processes in the scope.
* systemd-fstab-generator now supports x-systemd.makefs option for
/sysroot/ (in the initrd).
* The maximum rate at which daemon reloads are executed can now be
limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
options. (Or the equivalent on the kernel command line:
systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=). In
addition, systemd now logs the originating unit and PID when a reload
request is received over D-Bus.
* When enabling a swap device systemd will now reinitialize the device
when the page size of the swap space does not match the page size of
the running kernel. Note that this requires the 'swapon' utility to
provide the '--fixpgsz' option, as implemented by util-linux, and it
is not supported by busybox at the time of writing.
* systemd now executes generator programs in a mount namespace
"sandbox" with most of the file system read-only and write access
restricted to the output directories, and with a temporary /tmp/
mount provided. This provides a safeguard against programming errors
in the generators, but also fixes here-docs in shells, which
previously didn't work in early boot when /tmp/ wasn't available
yet. (This feature has no security implications, because the code is
still privileged and can trivially exit the sandbox.)
* The system manager will now parse a new "vmm.notify_socket"
system credential, which may be supplied to a VM via SMBIOS. If
found, the manager will send a "READY=1" notification on the
specified socket after boot is complete. This allows readiness
notification to be sent from a VM guest to the VM host over a VSOCK
socket.
* The sample PAM configuration file for systemd-user@.service now
includes a call to pam_namespace. This puts children of user@.service
in the expected namespace. (Many distributions replace their file
with something custom, so this change has limited effect.)
* A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST
can be used to override the mount units burst late limit for
parsing '/proc/self/mountinfo', which was introduced in v249.
Defaults to 5.
* Drop-ins for init.scope changing control group resource limits are
now applied, while they were previously ignored.
* New build-time configuration options '-Ddefault-timeout-sec=' and
'-Ddefault-user-timeout-sec=' have been added, to let distributions
choose the default timeout for starting/stopping/aborting system and
user units respectively.
* Service units gained a new setting OpenFile= which may be used to
open arbitrary files in the file system (or connect to arbitrary
AF_UNIX sockets in the file system), and pass the open file
descriptor to the invoked process via the usual file descriptor
passing protocol. This is useful to give unprivileged services access
to select files which have restrictive access modes that would
normally not allow this. It's also useful in case RootDirectory= or
RootImage= is used to allow access to files from the host environment
(which is after all not visible from the service if these two options
are used.)
Changes in udev:
* The new net naming scheme "v253" has been introduced. In the new
scheme, ID_NET_NAME_PATH is also set for USB devices not connected via
a PCI bus. This extends the coverage of predictable interface names
in some embedded systems.
The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
a more informative path on some embedded systems.
* Partition block devices will now also get symlinks in
/dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
block device nodes via the kernel's "diskseq" value. Previously those
symlinks were only created for the main block device.
* A new operator '-=' is supported for SYMLINK variables. This allows
symlinks to be unconfigured even if an earlier rule added them.
* 'udevadm --trigger --settle' now also works for network devices
that are being renamed.
Changes in sd-boot, bootctl, and the Boot Loader Specification:
* systemd-boot now passes its random seed directly to the kernel's RNG
via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which
means the RNG gets seeded very early in boot before userspace has
started.
* systemd-boot will pass a disk-backed random seed even when secure
boot is enabled if it can additionally get a random seed from EFI
itself (via EFI's RNG protocol), or a prior seed in
LINUX_EFI_RANDOM_SEED_TABLE_GUID from a preceding bootloader.
* systemd-boot-system-token.service was renamed to
systemd-boot-random-seed.service and extended to always save a random
seed to ESP on every boot when a compatible boot loader is used. This
allows a refreshed random seed to be used in the boot loader.
* systemd-boot handles various seed inputs using a domain- and
field-separated hashing scheme.
* systemd-boot's 'random-seed-mode' option has been removed. A system
token is now always required to be present for random seeds to be
used.
* systemd-boot now supports being loaded from other locations than the
ESP, for example for direct kernel boot under QEMU or when embedded
into the firmware.
* systemd-boot now parses SMBIOS information to detect
virtualization. This information is used to skip some warnings which
are not useful in a VM and to conditionalize other aspects of
behaviour.
* systemd-boot now supports a new 'if-safe' mode that will perform UEFI
Secure Boot automated certificate enrollment from the ESP only if it
is considered 'safe' to do so. At the moment 'safe' means running in
a virtual machine.
* systemd-stub now processes random seeds in the same way as
systemd-boot already does, in case a unified kernel image is being
used from a different bootloader than systemd-boot, or without any
boot load at all.
* bootctl will now generate a system token on all EFI systems, even
virtualized ones, and is activated in the case that the system token
is missing from either sd-boot and sd-stub booted systems.
* bootctl now implements two new verbs: 'kernel-identify' prints the
type of a kernel image file, and 'kernel-inspect' provides
information about the embedded command line and kernel version of
UKIs.
* bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
as for kernel-install.
* The JSON output of "bootctl list" will now contain two more fields:
isDefault and isSelected are boolean fields set to true on the
default and currently booted boot menu entries.
* bootctl gained a new verb "unlink" for removing a boot loader entry
type #1 file from disk in a safe and robust way.
* bootctl also gained a new verb "cleanup" that automatically removes
all files from the ESP's and XBOOTLDR's "entry-token" directory, that
is not referenced anymore by any installed Type #1 boot loader
specification entry. This is particularly useful in environments where
a large number of entries reference the same or partly the same
resources (for example, for snapshot-based setups).
Changes in kernel-install:
* A new "installation layout" can be configured as layout=uki. With
this setting, a Boot Loader Specification Type#1 entry will not be
created. Instead, a new kernel-install plugin 90-uki-copy.install
will copy any .efi files from the staging area into the boot
partition. A plugin to generate the UKI .efi file must be provided
separately.
Changes in systemctl:
* 'systemctl reboot' has dropped support for accepting a positional
argument as the argument to the reboot(2) syscall. Please use the
--reboot-argument= option instead.
* 'systemctl disable' will now warn when called on units without
install information. A new --no-warn option has been added that
silences this warning.
* New option '--drop-in=' can be used to tell 'systemctl edit' the name
of the drop-in to edit. (Previously, 'override.conf' was always
used.)
* 'systemctl list-dependencies' now respects --type= and --state=.
* 'systemctl kexec' now supports XEN VMM environments.
* 'systemctl edit' will now tell the invoked editor to jump into the
first line with actual unit file data, skipping over synthesized
comments.
Changes in systemd-networkd and related tools:
* The [DHCPv4] section in .network file gained new SocketPriority=
setting that assigns the Linux socket priority used by the DHCPv4 raw
socket. This may be used in conjunction with the
EgressQOSMaps=setting in [VLAN] section of .netdev file to send the
desired ethernet 802.1Q frame priority for DHCPv4 initial
packets. This cannot be achieved with netfilter mangle tables because
of the raw socket bypass.
* The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained a
new QuickAck= boolean setting that enables the TCP quick ACK mode for
the routes configured by the acquired DHCPv4 lease or received router
advertisements (RAs).
* The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
routes) now accepts three values, for high, medium, and low preference
of the router (which can be set with the RouterPreference=) setting.
* systemd-networkd-wait-online now supports matching via alternative
interface names.
* The [DHCPv6] section in .network file gained new SendRelease=
setting which enables the DHCPv6 client to send release when
it stops. This is the analog of the [DHCPv4] SendRelease= setting.
It is enabled by default.
* If the Address= setting in [Network] or [Address] sections in .network
specified without its prefix length, then now systemd-networkd assumes
/32 for IPv4 or /128 for IPv6 addresses.
* networkctl shows network and link file dropins in status output.
Changes in systemd-dissect:
* systemd-dissect gained a new option --list, to print the paths of
all files and directories in a DDI.
* systemd-dissect gained a new option --mtree, to generate a file
manifest compatible with BSD mtree(5) of a DDI
* systemd-dissect gained a new option --with, to execute a command with
the specified DDI temporarily mounted and used as working
directory. This is for example useful to convert a DDI to "tar"
simply by running it within a "systemd-dissect --with" invocation.
* systemd-dissect gained a new option --discover, to search for
Discoverable Disk Images (DDIs) in well-known directories of the
system. This will list machine, portable service and system extension
disk images.
* systemd-dissect now understands 2nd stage initrd images stored as a
Discoverable Disk Image (DDI).
* systemd-dissect will now display the main UUID of GPT DDIs (i.e. the
disk UUID stored in the GPT header) among the other data it can show.
* systemd-dissect gained a new --in-memory switch to operate on an
in-memory copy of the specified DDI file. This is useful to access a
DDI with write access without persisting any changes. It's also
useful for accessing a DDI without keeping the originating file
system busy.
* The DDI dissection logic will now automatically detect the intended
sector size of disk images stored in files, based on the GPT
partition table arrangement. Loopback block devices for such DDIs
will then be configured automatically for the right sector size. This
is useful to make dealing with modern 4K sector size DDIs fully
automatic. The systemd-dissect tool will now show the detected sector
size among the other DDI information in its output.
Changes in systemd-repart:
* systemd-repart gained new options --include-partitions= and
--exclude-partitions= to filter operation on partitions by type UUID.
This allows systemd-repart to be used to build images in which the
type of one partition is set based on the contents of another
partition (for example when the boot partition shall include a verity
hash of the root partition).
* systemd-repart also gained a --defer-partitions= option that is
similar to --exclude-partitions=, but the size of the partition is
still taken into account when sizing partitions, but without
populating it.
* systemd-repart gained a new --sector-size= option to specify what
sector size should be used when an image is created.
* systemd-repart now supports generating erofs file systems via
CopyFiles= (a read-only file system similar to squashfs).
* The Minimize= option was extended to accept "best" (which means the
most minimal image possible, but may require multiple attempts) and
"guess" (which means a reasonably small image).
* The systemd-growfs binary now comes with a regular unit file template
systemd-growfs@.service which can be instantiated directly for any
desired file system. (Previously, the unit was generated dynamically
by various generators, but no regular unit file template was
available.)
Changes in journal tools:
* Various systemd tools will append extra fields to log messages when
in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently
this includes information about D-Bus messages when sd-bus is used,
e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information
about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
Details of what is logged and when are subject to change.
* The systemd-journald-audit.socket can now be disabled via the usual
"systemctl disable" mechanism to stop collection of audit
messages. Please note that it is not enabled statically anymore and
must be handled by the preset/enablement logic in package
installation scripts.
* New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
be used to curtail disk use by systemd-journal-remote. This is
similar to the options supported by systemd-journald.
Changes in systemd-cryptenroll, systemd-cryptsetup, and related
components:
* When enrolling new keys systemd-cryptenroll now supports unlocking
via FIDO2 tokens (option --unlock-fido2-device=). Previously, a
password was strictly required to be specified.
* systemd-cryptsetup now supports pre-flight requests for FIDO2 tokens
(except for tokens with user verification, UV) to identify tokens
before authentication. Multiple FIDO2 tokens can now be enrolled at
the same time, and systemd-cryptsetup will automatically select one
that corresponds to one of the available LUKS key slots.
* systemd-cryptsetup now supports new options tpm2-measure-bank= and
tpm2-measure-pcr= in crypttab(5). These allow specifying the TPM2 PCR
bank and number into which the volume key should be measured. This is
automatically enabled for the encrypted root volume discovered and
activated by systemd-gpt-auto-generator.
* systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with
"noexec,nosuid,nodev".
* systemd-gpt-auto-generator will now honour the rootfstype= and
rootflags= kernel command line switches for root file systems it
discovers, to match behaviour in case an explicit root fs is
specified via root=.
* systemd-pcrphase gained new options --machine-id and --file-system=
to measure the machine-id and mount point information into PCR 15.
New service unit files systemd-pcrmachine.service and
systemd-pcrfs@.service have been added that invoke the tool with
these switches during early boot.
* systemd-pcrphase gained a --graceful switch will make it exit cleanly
with a success exit code even if no TPM device is detected.
* systemd-cryptenroll now stores the user-supplied PIN with a salt,
making it harder to brute-force.
Changes in other tools:
* systemd-homed gained support for luksPbkdfForceIterations (the
intended number of iterations for the PBKDF operation on LUKS).
* Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
$SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
may now be used to specify additional arguments for mkfs when
systemd-homed formats a file system.
* systemd-hostnamed now exports the contents of
/sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two
new D-Bus properties: FirmwareVendor and FirmwareDate. This allows
unprivileged code to access those values.
systemd-hostnamed also exports the SUPPORT_END= field from
os-release(5) as OperatingSystemSupportEnd. hostnamectl make uses of
this to show the status of the installed system.
* systemd-measure gained an --append= option to sign multiple phase
paths with different signing keys. This allows secrets to be
accessible only in certain parts of the boot sequence. Note that
'ukify' provides similar functionality in a more accessible form.
* systemd-timesyncd will now write a structured log message with
MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
on a on-disk timestamp, similarly to what it did when reaching
synchronization via NTP.
* systemd-timesyncd will now update the on-disk timestamp file on each
boot at least once, making it more likely that the system time
increases in subsequent boots.
* systemd-vconsole-setup gained support for system/service credentials:
vconsole.keymap/vconsole.keymap_toggle and
vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous
the similarly-named options in vconsole.conf.
* systemd-localed will now save the XKB keyboard configuration to
/etc/vconsole.conf, and also read it from there with a higher
preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config
file. Previously, this information was stored in the former file in
converted form, and only in latter file in the original form. Tools
which want to access keyboard configuration can now do so from a
standard location.
* systemd-resolved gained support for configuring the nameservers and
search domains via kernel command line (nameserver=, domain=) and
credentials (network.dns, network.search_domains).
* systemd-resolved will now synthesize host names for the DNS stub
addresses it supports. Specifically when "_localdnsstub" is resolved,
127.0.0.53 is returned, and if "_localdnsproxy" is resolved
127.0.0.54 is returned.
* systemd-notify will now send a "RELOADING=1" notification when called
with --reloading, and "STOPPING=1" when called with --stopping. This
can be used to implement notifications from units where it's easier
to call a program than to use the sd-daemon library.
* systemd-analyze's 'plot' command can now output its information in
JSON, controlled via the --json= switch. Also, new --table, and
--no-legend options have been added.
* 'machinectl enable' will now automatically enable machines.target
unit in addition to adding the machine unit to the target.
Similarly, 'machinectl start|stop' gained a --now option to enable or
disable the machine unit when starting or stopping it.
* systemd-sysusers will now create /etc/ if it is missing.
* systemd-sleep 'HibernateDelaySec=' setting is changed back to
pre-v252's behaviour, and a new 'SuspendEstimationSec=' setting is
added to provide the new initial value for the new automated battery
estimation functionality. If 'HibernateDelaySec=' is set to any value,
the automated estimate (and thus the automated hibernation on low
battery to avoid data loss) functionality will be disabled.
* Default tmpfiles.d/ configuration will now automatically create
credentials storage directory '/etc/credstore/' with the appropriate,
secure permissions. If '/run/credstore/' exists, its permissions will
be fixed too in case they are not correct.
Changes in libsystemd and shared code:
* sd-bus gained new convenience functions sd_bus_emit_signal_to(),
sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().
* sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
128-bit ID in files such as /etc/machine-id has an invalid
format. They also accept NULL as output parameter in more places,
which is useful when the caller only wants to validate the inputs and
does not need the output value.
* sd-login gained new functions sd_pidfd_get_session(),
sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
sd_pidfd_get_user_unit(), sd_pidfd_get_slice(),
sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and
sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(),
but accept a PIDFD instead of a PID.
* sd-path (and systemd-path) now export four new paths:
SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR,
SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR,
SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and
SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR,
* sd_notify() now supports AF_VSOCK as transport for notification
messages (in addition to the existing AF_UNIX support). This is
enabled if $NOTIFY_SOCKET is set in a "vsock:CID:port" format.
* Detection of chroot() environments now works if /proc/ is not
mounted. This affects systemd-detect-virt --chroot, but also means
that systemd tools will silently skip various operations in such an
environment.
* "Lockheed Martin Hardened Security for Intel Processors" (HS SRE)
virtualization is now detected.
Changes in the build system:
* Standalone variants of systemd-repart and systemd-shutdown may now be
built (if -Dstandalone=true).
* systemd-ac-power has been moved from /usr/lib/ to /usr/bin/, to, for
example, allow scripts to conditionalize execution on AC power
supply.
* The libp11kit library is now loaded through dlopen(3).
Changes in the documentation:
* Specifications that are not closely tied to systemd have moved to
https://uapi-group.org/specifications/: the Boot Loader Specification
and the Discoverable Partitions Specification.
Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas,
Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang,
Antonio Alvarez Feijoo, Arsen Arsenović, asavah, Benjamin Fogle,
Benjamin Tissoires, berenddeschouwer, BerndAdameit,
Bernd Steinhauser, blutch112, cake03, Callum Farmer, Carlo Teubner,
Charles Hardin, chris, Christian Brauner, Christian Göttsche,
Cristian Rodríguez, Daan De Meyer, Dan Streetman, DaPigGuy,
Darrell Kavanagh, David Tardon, dependabot[bot], Dirk Su,
Dmitry V. Levin, drosdeck, Edson Juliano Drosdeck, edupont,
Eric DeVolder, Erik Moqvist, Evgeny Vereshchagin, Fabian Gurtner,
Felix Riemann, Franck Bui, Frantisek Sumsal, Geert Lorang,
Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho,
igo95862, Ilya Leoshkevich, Ivan Shapovalov, Jacek Migacz,
Jade Lovelace, Jan Engelhardt, Jan Janssen, Jan Macku, January,
Jason A. Donenfeld, jcg, Jean-Tiare Le Bigot, Jelle van der Waa,
Jeremy Linton, Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann,
Jörg Thalheim, Joshua Goins, joshuazivkovic, Joshua Zivkovic,
Kai-Chuan Hsieh, Khem Raj, Koba Ko, Lennart Poettering, lichao,
Li kunyu, Luca Boccassi, Luca BRUNO, Ludwig Nussel,
Łukasz Stelmach, Lycowolf, marcel151, Marcus Schäfer, Marek Vasut,
Mark Laws, Michael Biebl, Michał Kotyla, Michal Koutný,
Michal Sekletár, Mike Gilbert, Mike Yuan, MkfsSion, ml,
msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore, Nick Rosbrook,
noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv, Phaedrus Leeds,
Philipp Jungkamp, Quentin Deslandes, Raul Tambre, Ray Strode,
reuben olinsky, Richard E. van der Luit, Richard Phibel,
Ricky Tigg, Robin Humble, rogg, Rudi Heitbaum, Sam James,
Samuel Cabrero, Samuel Thibault, Siddhesh Poyarekar, Simon Brand,
Space Meyer, Spindle Security, Steve Ramage, Takashi Sakamoto,
Thomas Haller, Tonći Galić, Topi Miettinen, Torsten Hilbrich,
Tuetuopay, uerdogan, Ulrich Ölmann, Valentin David,
Vitaly Kuznetsov, Vito Caputo, Waltibaba, Will Fancher,
William Roberts, wouter bolsterlee, Youfu Zhang, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски,
наб
— Warsaw, 2023-02-15
CHANGES WITH 252 🎃:
Announcements of Future Feature Removals:
* We intend to remove cgroup v1 support from systemd release after the
end of 2023. If you run services that make explicit use of cgroup v1
features (i.e. the "legacy hierarchy" with separate hierarchies for
each controller), please implement compatibility with cgroup v2 (i.e.
the "unified hierarchy") sooner rather than later. Most of Linux
userspace has been ported over already.
* We intend to remove support for split-usr (/usr mounted separately
during boot) and unmerged-usr (parallel directories /bin and
/usr/bin, /lib and /usr/lib, etc). This will happen in the second
half of 2023, in the first release that falls into that time window.
For more details, see:
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
Compatibility Breaks:
* ConditionKernelVersion= checks that use the '=' or '!=' operators
will now do simple string comparisons (instead of version comparisons
à la stverscmp()). Version comparisons are still done for the
ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
specified, a shell-style glob match is now done. This creates a minor
incompatibility compared to older systemd versions when the '*', '?',
'[', ']' characters are used, as these will now match as shell globs
instead of literally. Given that kernel version strings typically do
not include these characters we expect little breakage through this
change.
* The service manager will now read the SELinux label used for SELinux
access checks from the unit file at the time it loads the file.
Previously, the label would be read at the moment of the access
check, which was problematic since at that time the unit file might
already have been updated or removed.
New Features:
* systemd-measure is a new tool for calculating and signing expected
TPM2 PCR values for a given unified kernel image (UKI) booted via
sd-stub. The public key used for the signature and the signed
expected PCR information can be embedded inside the UKI. This
information can be extracted from the UKI by external tools and code
in the image itself and is made available to userspace in the booted
kernel.
systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been
updated to make use of this information if available in the booted
kernel: when locking an encrypted volume/credential to the TPM
systemd-cryptenroll/systemd-creds will use the public key to bind the
volume/credential to any kernel that carries PCR information signed
by the same key pair. When unlocking such volumes/credentials
systemd-cryptsetup/systemd-creds will use the signature embedded in
the booted UKI to gain access.
Binding TPM-based disk encryption to public keys/signatures of PCR
values — instead of literal PCR values — addresses the inherent
"brittleness" of traditional PCR-bound TPM disk encryption schemes:
disks remain accessible even if the UKI is updated, without any TPM
specific preparation during the OS update — as long as each UKI
carries the necessary PCR signature information.
Net effect: if you boot a properly prepared kernel, TPM-bound disk
encryption now defaults to be locked to kernels which carry PCR
signatures from the same key pair. Example: if a hypothetical distro
FooOS prepares its UKIs like this, TPM-based disk encryption is now
by default bound to only FooOS kernels, and encrypted volumes bound
to the TPM cannot be unlocked on kernels from other sources. (But do
note this behaviour requires preparation/enabling in the UKI, and of
course users can always enroll non-TPM ways to unlock the volume.)
* systemd-pcrphase is a new tool that is invoked at six places during
system runtime, and measures additional words into TPM2 PCR 11, to
mark milestones of the boot process. This allows binding access to
specific TPM2-encrypted secrets to specific phases of the boot
process. (Example: LUKS2 disk encryption key only accessible in the
initrd, but not later.)
Changes in systemd itself, i.e. the manager and units
* The cpu controller is delegated to user manager units by default, and
CPUWeight= settings are applied to the top-level user slice units
(app.slice, background.slice, session.slice). This provides a degree
of resource isolation between different user services competing for
the CPU.
* Systemd can optionally do a full preset in the "first boot" condition
(instead of just enable-only). This behaviour is controlled by the
compile-time option -Dfirst-boot-full-preset. Right now it defaults
to 'false', but the plan is to switch it to 'true' for the subsequent
release.
* Drop-ins are now allowed for transient units too.
* Systemd will set the taint flag 'support-ended' if it detects that
the OS image is past its end-of-support date. This date is declared
in a new /etc/os-release field SUPPORT_END= described below.
* Two new settings ConditionCredential= and AssertCredential= can be
used to skip or fail units if a certain system credential is not
provided.
* ConditionMemory= accepts size suffixes (K, M, G, T, …).
* DefaultSmackProcessLabel= can be used in system.conf and user.conf to
specify the SMACK security label to use when not specified in a unit
file.
* DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
specify the default timeout when waiting for device units to
activate.
* C.UTF-8 is used as the default locale if nothing else has been
configured.
* [Condition|Assert]Firmware= have been extended to support certain
SMBIOS fields. For example
ConditionFirmware=smbios-field(board_name = "Custom Board")
conditionalizes the unit to run only when
/sys/class/dmi/id/board_name contains "Custom Board" (without the
quotes).
* ConditionFirstBoot= now correctly evaluates as true only during the
boot phase of the first boot. A unit executed later, after booting
has completed, will no longer evaluate this condition as true.
* Socket units will now create sockets in the SELinuxContext= of the
associated service unit, if any.
* Boot phase transitions (start initrd → exit initrd → boot complete →
shutdown) will be measured into TPM2 PCR 11, so that secrets can be
bound to a specific runtime phase. E.g.: a LUKS encryption key can be
unsealed only in the initrd.
* Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
also be provided to ExecStartPre= processes.
* Various units are now correctly ordered against
initrd-switch-root.target where previously a conflict without
ordering was configured. A stop job for those units would be queued,
but without the ordering it could be executed only after
initrd-switch-root.service, leading to units not being restarted in
the host system as expected.
* In order to fully support the IPMI watchdog driver, which has not yet
been ported to the new common watchdog device interface,
/dev/watchdog0 will be tried first and systemd will silently fallback
to /dev/watchdog if it is not found.
* New watchdog-related D-Bus properties are now published by systemd:
WatchdogDevice, WatchdogLastPingTimestamp,
WatchdogLastPingTimestampMonotonic.
* At shutdown, API virtual files systems (proc, sys, etc.) will be
unmounted lazily.
* At shutdown, systemd will now log about processes blocking unmounting
of file systems.
* A new meson build option 'clock-valid-range-usec-max' was added to
allow disabling system time correction if RTC returns a timestamp far
in the future.
* Propagated restart jobs will no longer be discarded while a unit is
activating.
* PID 1 will now import system credentials from SMBIOS Type 11 fields
("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
simple, fast and generic path for supplying credentials to a VM,
without involving external tools such as cloud-init/ignition.
* The CPUWeight= setting of unit files now accepts a new special value
"idle", which configures "idle" level scheduling for the unit.
* Service processes that are activated due to a .timer or .path unit
triggering will now receive information about this via environment
variables. Note that this is information is lossy, as activation
might be coalesced and only one of the activating triggers will be
reported. This is hence more suited for debugging or tracing rather
than for behaviour decisions.
* The riscv_flush_icache(2) system call has been added to the list of
system calls allowed by default when SystemCallFilter= is used.
* The selinux context derived from the target executable, instead of
'init_t' used for the manager itself, is now used when creating
listening sockets for units that specify SELinuxContextFromNet=yes.
Changes in sd-boot, bootctl, and the Boot Loader Specification:
* The Boot Loader Specification has been cleaned up and clarified.
Various corner cases in version string comparisons have been fixed
(e.g. comparisons for empty strings). Boot counting is now part of
the main specification.
* New PCRs measurements are performed during boot: PCR 11 for the
kernel+initrd combo, PCR 13 for any sysext images. If a measurement
took place this is now reported to userspace via the new
StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.
* As before, systemd-stub will measure kernel parameters and system
credentials into PCR 12. It will now report this fact via the
StubPcrKernelParameters EFI variable to userspace.
* The UEFI monotonic boot counter is now included in the updated random
seed file maintained by sd-boot, providing some additional entropy.
* sd-stub will use LoadImage/StartImage to execute the kernel, instead
of arranging the image manually and jumping to the kernel entry
point. sd-stub also installs a temporary UEFI SecurityOverride to
allow the (unsigned) nested image to be booted. This is safe because
the outer (signed) stub+kernel binary must have been verified before
the stub was executed.
* Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
is now supported by sd-boot.
* bootctl gained a bunch of new options: --all-architectures to install
binaries for all supported EFI architectures, --root= and --image=
options to operate on a directory or disk image, and
--install-source= to specify the source for binaries to install,
--efi-boot-option-description= to control the name of the boot entry.
* The sd-boot stub exports a StubFeatures flag, which is used by
bootctl to show features supported by the stub that was used to boot.
* The PE section offsets that are used by tools that assemble unified
kernel images have historically been hard-coded. This may lead to
overlapping PE sections which may break on boot. The UKI will now try
to detect and warn about this.
Any tools that assemble UKIs must update to calculate these offsets
dynamically. Future sd-stub versions may use offsets that will not
work with the currently used set of hard-coded offsets!
* sd-stub now accepts (and passes to the initrd and then to the full
OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
signatures of expected PCR values, to allow sealing secrets via the
TPM2 against pre-calculated PCR measurements.
Changes in the hardware database:
* 'systemd-hwdb query' now supports the --root= option.
Changes in systemctl:
* systemctl now supports --state= and --type= options for the 'show'
and 'status' verbs.
* systemctl gained a new verb 'list-automounts' to list automount
points.
* systemctl gained support for a new --image= switch to be able to
operate on the specified disk image (similar to the existing --root=
which operates relative to some directory).
Changes in systemd-networkd:
* networkd can set Linux NetLabel labels for integration with the
network control in security modules via a new NetLabel= option.
* The RapidCommit= is (re-)introduced to enable faster configuration
via DHCPv6 (RFC 3315).
* networkd gained a new option TCPCongestionControlAlgorithm= that
allows setting a per-route TCP algorithm.
* networkd gained a new option KeepFileDescriptor= to allow keeping a
reference (file descriptor) open on TUN/TAP interfaces, which is
useful to avoid link flaps while the underlying service providing the
interface is being serviced.
* RouteTable= now also accepts route table names.
Changes in systemd-nspawn:
* The --bind= and --overlay= options now support relative paths.
* The --bind= option now supports a 'rootidmap' value, which will
use id-mapped mounts to map the root user inside the container to the
owner of the mounted directory on the host.
Changes in systemd-resolved:
* systemd-resolved now persists DNSOverTLS in its state file too. This
fixes a problem when used in combination with NetworkManager, which
sends the setting only once, causing it to be lost if resolved was
restarted at any point.
* systemd-resolved now exposes a Varlink socket at
/run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for
root. Processed DNS requests in a JSON format will be published to
any clients connected to this socket.
resolvectl gained a 'monitor' verb to make use of this.
* systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
instead of returning SERVFAIL, as per RFC:
https://datatracker.ietf.org/doc/html/rfc6840#section-5.2
* OpenSSL is the default crypto backend for systemd-resolved. (gnutls
is still supported.)
Changes in libsystemd and other libraries:
* libsystemd now exports sd_bus_error_setfv() (a convenience function
for setting bus errors), sd_id128_string_equal (a convenience
function for 128-bit ID string comparisons), and
sd_bus_message_read_strv_extend() (a function to incrementally read
string arrays).
* libsystemd now exports sd_device_get_child_first()/_next() as a
high-level interface for enumerating child devices. It also supports
sd_device_new_child() for opening a child device given a device
object.
* libsystemd now exports sd_device_monitor_set()/get_description()
which allow setting a custom description that will be used in log
messages by sd_device_monitor*.
* Private shared libraries (libsystemd-shared-nnn.so,
libsystemd-core-nnn.so) are now installed into arch-specific
directories to allow multi-arch installs.
* A new sd-gpt.h header is now published, listing GUIDs from the
Discoverable Partitions specification. For more details see:
https://systemd.io/DISCOVERABLE_PARTITIONS/
* A new function sd_hwdb_new_from_path() has been added to open a hwdb
database given an explicit path to the file.
* The signal number argument to sd_event_add_signal() now can now be
ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
be automatically invoked to block the specified signal. This is
useful to simplify invocations as the caller doesn't have to do this
manually.
* A new convenience call sd_event_set_signal_exit() has been added to
sd-event to set up signal handling so that the event loop
automatically terminates cleanly on SIGTERM/SIGINT.
Changes in other components:
* systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
can now be provided via the credential mechanism.
* systemd-analyze gained a new verb 'compare-versions' that implements
comparisons for versions strings (similarly to 'rpmdev-vercmp' and
'dpkg --compare-versions').
* 'systemd-analyze dump' is extended to accept glob patterns for unit
names to limit the output to matching units.
* tmpfiles.d/ lines can read file contents to write from a credential.
The new modifier char '^' is used to specify that the argument is a
credential name. This mechanism is used to automatically populate
/etc/motd, /etc/issue, and /etc/hosts from credentials.
* tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
an inode if the specification is prefixed with ':' and the inode
already exists.
* Default tmpfiles.d/ configuration now carries a line to automatically
use an 'ssh.authorized_keys.root' credential if provided to set up
the SSH authorized_keys file for the root user.
* systemd-tmpfiles will now gracefully handle absent source of "C" copy
lines.
* tmpfiles.d/ F/w lines now optionally permit encoding of the payload
in base64. This is useful to write arbitrary binary data into files.
* The pkgconfig and rpm macros files now export the directory for user
units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.
* Detection of Apple Virtualization and detection of Parallels and
KubeVirt virtualization on non-x86 archs have been added.
* os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
user when their system will become unsupported.
* When performing suspend-then-hibernate, the system will estimate the
discharge rate and use that to set the delay until hibernation and
hibernate immediately instead of suspending when running from a
battery and the capacity is below 5%.
* systemd-sysctl gained a --strict option to fail when a sysctl
setting is unknown to the kernel.
* machinectl supports --force for the 'copy-to' and 'copy-from'
verbs.
* coredumpctl gained the --root and --image options to look for journal
files under the specified root directory, image, or block device.
* 'journalctl -o' and similar commands now implement a new output mode
"short-delta". It is similar to "short-monotonic", but also shows the
time delta between subsequent messages.
* journalctl now respects the --quiet flag when verifying consistency
of journal files.
* Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
will indicate whether a message was logged in the 'initrd' phase or
in the 'system' phase of the boot process.
* Journal files gained a new compatibility flag
'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
to the storage format that allow reducing size on disk. As with other
compatibility flags, older journalctl versions will not be able to
read journal files using this new format. The environment variable
'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
disable this functionality. It is enabled by default.
* systemd-run's --working-directory= switch now works when used in
combination with --scope.
* portablectl gained a --force flag to skip certain sanity checks. This
is implemented using new flags accepted by systemd-portabled for the
*WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH
flag now means that the attach/detach checks whether the units are
already present and running will be skipped. Similarly,
SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether
image name matches the name declared inside of the image will be
skipped. Callers must be sure to do those checks themselves if
appropriate.
* systemd-portabled will now use the original filename to check
extension-release.NAME for correctness, in case it is passed a
symlink.
* systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
too.
* sysext's extension-release files now support '_any' as a special
value for the ID= field, to allow distribution-independent extensions
(e.g.: fully statically compiled binaries, scripts). It also gained
support for a new ARCHITECTURE= field that may be used to explicitly
restrict an image to hosts of a specific architecture.
* systemd-repart now supports creating squashfs partitions. This
requires mksquashfs from squashfs-tools.
* systemd-repart gained a --split flag to also generate split
artifacts, i.e. a separate file for each partition. This is useful in
conjunction with systemd-sysupdate or other tools, or to generate
split dm-verity artifacts.
* systemd-repart is now able to generate dm-verity partitions, including
signatures.
* systemd-repart can now set a partition UUID to zero, allowing it to
be filled in later, such as when using verity partitions.
* systemd-repart now supports drop-ins for its configuration files.
* Package metadata logged by systemd-coredump in the system journal is
now more compact.
* xdg-autostart-service now expands 'tilde' characters in Exec lines.
* systemd-oomd now automatically links against libatomic, if available.
* systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
killed.
* scope units now also provide oom-kill status.
* systemd-pstore will now try to load only the efi_pstore kernel module
before running, ensuring that pstore can be used.
* systemd-logind gained a new StopIdleSessionSec= option to stop an idle
session after a preconfigure timeout.
* systemd-homed will now wait up to 30 seconds for workers to terminate,
rather than indefinitely.
* homectl gained a new '--luks-sector-size=' flag that allows users to
select the preferred LUKS sector size. Must be a power of 2 between 512
and 4096. systemd-userdbd records gained a corresponding field.
* systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
variable when generating the 'sp_lstchg' field, to ensure an image
build can be reproducible.
* 'udevadm wait' will now listen to kernel uevents too when called with
--initialized=no.
* When naming network devices udev will now consult the Devicetree
"alias" fields for the device.
* systemd-udev will now create infiniband/by-path and
infiniband/by-ibdev links for Infiniband verbs devices.
* systemd-udev-trigger.service will now also prioritize input devices.
* ConditionACPower= and systemd-ac-power will now assume the system is
running on AC power if no battery can be found.
* All features and tools using the TPM2 will now communicate with it
using a bind key. Beforehand, the tpm2 support used encrypted sessions
by creating a primary key that was used to encrypt traffic. This
creates a problem as the key created for encrypting the traffic could
be faked by an active interposer on the bus. In cases when a pin is
used, a bind key will be used. The pin is used as the auth value for
the seal key, aka the disk encryption key, and that auth value will be
used in the session establishment. An attacker would need the pin
value to create the secure session and thus an active interposer
without the pin cannot interpose on TPM2 traffic.
* systemd-growfs no longer requires udev to run.
* systemd-backlight now will better support systems with multiple
graphic cards.
* systemd-cryptsetup's keyfile-timeout= option now also works when a
device is used as a keyfile.
* systemd-cryptenroll gained a new --unlock-key-file= option to get the
unlocking key from a key file (instead of prompting the user). Note
that this is the key for unlocking the volume in order to be able to
enroll a new key, but it is not the key that is enrolled.
* systemd-dissect gained a new --umount switch that will safely and
synchronously unmount all partitions of an image previously mounted
with 'systemd-dissect --mount'.
* When using gcrypt, all systemd tools and services will now configure
it to prefer the OS random number generator if present.
* All example code shipped with documentation has been relicensed from CC0
to MIT-0.
* Unit tests will no longer fail when running on a system without
/etc/machine-id.
Experimental features:
* BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
and bpftool >= 7.0).
* sd-boot can automatically enroll SecureBoot keys from files found on
the ESP. This enrollment can be either automatic ('force' mode) or
controlled by the user ('manual' mode). It is sufficient to place the
SecureBoot keys in the right place in the ESP and they will be picked
up by sd-boot and shown in the boot menu.
* The mkosi config in systemd gained support for automatically
compiling a kernel with the configuration appropriate for testing
systemd. This may be useful when developing or testing systemd in
tandem with the kernel.
Contributions from: 김인수, Adam Williamson, adrian5, Aidan Dang,
Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev,
Alexander Graf, Alexander Shopov, Alexander Wilson,
Alper Nebi Yasak, anarcat, Anders Jonsson, Andre Kalb,
Andrew Stone, Andrey Albershteyn, Anita Zhang, Ansgar Burchardt,
Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh, asavah,
Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera,
Benjamin Franzke, BerndAdameit, bin456789, Celeste Liu,
Chih-Hsuan Yen, Christian Brauner, Christian Göttsche,
Christian Hesse, Clyde Byrd III, codefiles, Colin Walters,
Cristian Rodríguez, Daan De Meyer, Daniel Braunwarth,
Daniel Rusek, Dan Streetman, Darsey Litzenberger, David Edmundson,
David Jaša, David Rheinsberg, David Seifert, David Tardon,
dependabot[bot], Devendra Tewari, Dominique Martinet, drosdeck,
Edson Juliano Drosdeck, Eduard Tolosa, eggfly, Einsler Lee,
Elias Probst, Eli Schwartz, Evgeny Vereshchagin, exploide, Fei Li,
Foster Snowhill, Franck Bui, Frank Dana, Frantisek Sumsal,
Gerd Hoffmann, Gio, Goffredo Baroncelli, gtwang01,
Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt,
Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz,
Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt,
Jan Janssen, Jan Kuparinen, Jan Luebbe, Jan Macku,
Jason A. Donenfeld, Javkhlanbayar Khongorzul, Jeremy Soller,
JeroenHD, jiangchuangang, João Loureiro,
Joaquín Ignacio Aramendía, Jochen Sprickerhof,
Johannes Schauer Marin Rodrigues, Jonas Kümmerlin,
Jonas Witschel, Jonathan Kang, Jonathan Lebon, Joost Heitbrink,
Jörg Thalheim, josh-gordon-fb, Joyce, Kai Lueke, lastkrick,
Lennart Poettering, Leon M. George, licunlong, Li kunyu,
LockBlock-dev, Loïc Collignon, Lubomir Rintel, Luca Boccassi,
Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123,
Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro,
Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl,
Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert,
Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oğuz Ersen,
Oleg Solovyov, Olga Smirnova, Pablo Ceballos, Pavel Zhukov,
Phaedrus Leeds, Philipp Gortan, Piotr Drąg, Pyfisch,
Quentin Deslandes, Rahil Bhimjiani, Rene Hollander, Richard Huang,
Richard Phibel, Rudi Heitbaum, Sam James, Sarah Brofeldt,
Sean Anderson, Sebastian Scheibner, Shreenidhi Shedi,
Sonali Srivastava, Steve Ramage, Suraj Krishnan, Swapnil Devesh,
Takashi Sakamoto, Ted X. Toth, Temuri Doghonadze, Thomas Blume,
Thomas Haller, Thomas Hebb, Tomáš Hnyk, Tomasz Paweł Gajc,
Topi Miettinen, Ulrich Ölmann, undef, Uriel Corfa,
Victor Westerhuis, Vincent Dagonneau, Vishal Chillara Srinivas,
Vito Caputo, Weblate, Wenchao Hao, William Roberts, williamsumendap,
wineway, xiaoyang, Yuri Chornoivan, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб
The Great Beyond, 2022-10-31 👻
CHANGES WITH 251:
Backwards-incompatible changes:
* The minimum kernel version required has been bumped from 3.13 to 4.15,
and CLOCK_BOOTTIME is now assumed to always exist.
* C11 with GNU extensions (aka "gnu11") is now used to build our
components. Public API headers are still restricted to ISO C89.
* In v250, a systemd-networkd feature that automatically configures
routes to addresses specified in AllowedIPs= was added and enabled by
default. However, this causes network connectivity issues in many
existing setups. Hence, it has been disabled by default since
systemd-stable 250.3. The feature can still be used by explicitly
configuring RouteTable= setting in .netdev files.
* Jobs started via StartUnitWithFlags() will no longer return 'skipped'
when a Condition*= check does not succeed, restoring the JobRemoved
signal to the behaviour it had before v250.
* The org.freedesktop.portable1 methods GetMetadataWithExtensions() and
GetImageMetadataWithExtensions() have been fixed to provide an extra
return parameter, containing the actual extension release metadata.
The current implementation was judged to be broken and unusable, and
thus the usual procedure of adding a new set of methods was skipped,
and backward compatibility broken instead on the assumption that
nobody can be affected given the current state of this interface.
* All kernels supported by systemd mix bytes returned by RDRAND (or
similar) into the entropy pool at early boot. This means that on
those systems, even if /dev/urandom is not yet initialized, it still
returns bytes that are of at least RDRAND quality. For that reason,
we no longer have reason to invoke RDRAND from systemd itself, which
has historically been a source of bugs. Furthermore, kernels ≥5.6
provide the getrandom(GRND_INSECURE) interface for returning random
bytes before the entropy pool is initialized without warning into
kmsg, which is what we attempt to use if available. systemd's direct
usage of RDRAND has been removed. x86 systems ≥Broadwell that are
running an older kernel may experience kmsg warnings that were not
seen with 250. For newer kernels, non-x86 systems, or older x86
systems, there should be no visible changes.
* sd-boot will now measure the kernel command line into TPM PCR 12
rather than PCR 8. This improves usefulness of the measurements on
systems where sd-boot is chainloaded from Grub. Grub measures all
commands its executes into PCR 8, which makes it very hard to use
reasonably, hence separate ourselves from that and use PCR 12
instead, which is what certain Ubuntu editions already do. To retain
compatibility with systems running older systemd systems a new meson
option 'efi-tpm-pcr-compat' has been added (which defaults to false).
If enabled, the measurement is done twice: into the new-style PCR 12
*and* the old-style PCR 8. It's strongly advised to migrate all users
to PCR 12 for this purpose in the long run, as we intend to remove
this compatibility feature in two years' time.
* busctl capture now writes output in the newer pcapng format instead
of pcap.
* A udev rule that imported hwdb matches for USB devices with lowercase
hexadecimal vendor/product ID digits was added in systemd 250. This
has been reverted, since uppercase hexadecimal digits are supposed to
be used, and we already had a rule with the appropriate match.
Users might need to adjust their local hwdb entries.
* arch_prctl(2) has been moved to the @default set in the syscall filters
(as exposed via the SystemCallFilter= setting in service unit files).
It is apparently used by the linker now.
* The tmpfiles entries that create the /run/systemd/netif directory and
its subdirectories were moved from tmpfiles.d/systemd.conf to
tmpfiles.d/systemd-network.conf.
Users might need to adjust their files that override tmpfiles.d/systemd.conf
to account for this change.
* The requirement for Portable Services images to contain a well-formed
os-release file (i.e.: contain at least an ID field) is now enforced.
This applies to base images and extensions, and also to systemd-sysext.
Changes in the Boot Loader Specification, kernel-install and sd-boot:
* kernel-install's and bootctl's Boot Loader Specification Type #1
entry generation logic has been reworked. The user may now pick
explicitly by which "token" string to name the installation's boot
entries, via the new /etc/kernel/entry-token file or the new
--entry-token= switch to bootctl. By default — as before — the
entries are named after the local machine ID. However, in "golden
image" environments, where the machine ID shall be initialized on
first boot (as opposed to at installation time before first boot) the
machine ID will not be available at build time. In this case the
--entry-token= switch to bootctl (or the /etc/kernel/entry-token
file) may be used to override the "token" for the entries, for
example the IMAGE_ID= or ID= fields from /etc/os-release. This will
make the OS images independent of any machine ID, and ensure that the
images will not carry any identifiable information before first boot,
but on the other hand means that multiple parallel installations of
the very same image on the same disk cannot be supported.
Summary: if you are building golden images that shall acquire
identity information exclusively on first boot, make sure to both
remove /etc/machine-id *and* to write /etc/kernel/entry-token to the
value of the IMAGE_ID= or ID= field of /etc/os-release or another
suitable identifier before deploying the image.
* The Boot Loader Specification has been extended with
/loader/entries.srel file located in the EFI System Partition (ESP)
that disambiguates the format of the entries in the /loader/entries/
directory (in order to discern them from incompatible uses of this
directory by other projects). For entries that follow the
Specification, the string "type1" is stored in this file.
bootctl will now write this file automatically when installing the
systemd-boot boot loader.
* kernel-install supports a new initrd_generator= setting in
/etc/kernel/install.conf, that is exported as
$KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This
allows choosing different initrd generators.
* kernel-install will now create a "staging area" (an initially-empty
directory to gather files for a Boot Loader Specification Type #1
entry). The path to this directory is exported as
$KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should
drop files there instead of writing them directly to the final
location. kernel-install will move them when all files have been
prepared successfully.
* New option sort-key= has been added to the Boot Loader Specification
to override the sorting order of the entries in the boot menu. It is
read by sd-boot and bootctl, and will be written by kernel-install,
with the default value of IMAGE_ID= or ID= fields from
os-release. Together, this means that on multiboot installations,
entries should be grouped and sorted in a predictable way.
* The sort order of boot entries has been updated: entries which have
the new field sort-key= are sorted by it first, and all entries
without it are ordered later. After that, entries are sorted by
version so that newest entries are towards the beginning of the list.
* The kernel-install tool gained a new 'inspect' verb which shows the
paths and other settings used.
* sd-boot can now optionally beep when the menu is shown and menu
entries are selected, which can be useful on machines without a
working display. (Controllable via a loader.conf setting.)
* The --make-machine-id-directory= switch to bootctl has been replaced
by --make-entry-directory=, given that the entry directory is not
necessarily named after the machine ID, but after some other suitable
ID as selected via --entry-token= described above. The old name of
the option is still understood to maximize compatibility.
* 'bootctl list' gained support for a new --json= switch to output boot
menu entries in JSON format.
* 'bootctl is-installed' now supports the --graceful, and various verbs
omit output with the new option --quiet.
Changes in systemd-homed:
* Starting with v250 systemd-homed uses UID/GID mapping on the mounts
of activated home directories it manages (if the kernel and selected
file systems support it). So far it mapped three UID ranges: the
range from 0…60000, the user's own UID, and the range 60514…65534,
leaving everything else unmapped (in other words, the 16-bit UID range
is mapped almost fully, with the exception of the UID subrange used
for systemd-homed users, with one exception: the user's own UID).
Unmapped UIDs may not be used for file ownership in the home
directory — any chown() attempts with them will fail. With this
release a fourth range is added to these mappings:
524288…1879048191. This range is the UID range intended for container
uses, see:
https://systemd.io/UIDS-GIDS
This range may be used for container managers that place container OS
trees in the home directory (which is a questionable approach, for
quota, permission, SUID handling and network file system
compatibility reasons, but nonetheless apparently commonplace). Note
that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
UID assignments from the range are not managed or mapped by
`systemd-homed`, and must be managed with other mechanisms, in the
context of the local system.
Typically, a better approach to user namespacing in relevant
container managers would be to leave container OS trees on disk at
UID offset 0, but then map them to a dynamically allocated runtime
UID range via another UID mount map at container invocation
time. That way user namespace UID ranges become strictly a runtime
concept, and do not leak into persistent file systems, persistent
user databases or persistent configuration, thus greatly simplifying
handling, and improving compatibility with home directories intended
to be portable like the ones managed by systemd-homed.
Changes in shared libraries:
* A new libsystemd-core-<version>.so private shared library is
installed under /usr/lib/systemd/system, mirroring the existing
libsystemd-shared-<version>.so library. This allows the total
installation size to be reduced by binary code reuse.
* The <version> tag used in the name of libsystemd-shared.so and
libsystemd-core.so can be configured via the meson option
'shared-lib-tag'. Distributions may build subsequent versions of the
systemd package with unique tags (e.g. the full package version),
thus allowing multiple installations of those shared libraries to be
available at the same time. This is intended to fix an issue where
programs that link to those libraries would fail to execute because
they were installed earlier or later than the appropriate version of
the library.
* The sd-id128 API gained a new call sd_id128_to_uuid_string() that is
similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID
format instead of as a simple series of hex characters.
* The sd-device API gained two new calls sd_device_new_from_devname()
and sd_device_new_from_path() which permit allocating an sd_device
object from a device node name or file system path.
* sd-device also gained a new call sd_device_open() which will open the
device node associated with a device for which an sd_device object
has been allocated. The call is supposed to address races around
device nodes being removed/recycled due to hotplug events, or media
change events: the call checks internally whether the major/minor of
the device node and the "diskseq" (in case of block devices) match
with the metadata loaded in the sd_device object, thus ensuring that
the device once opened really matches the provided sd_device object.
Changes in PID1, systemctl, and systemd-oomd:
* A new set of service monitor environment variables will be passed to
OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the
handler unit as OnFailure=/OnSuccess=. The variables are:
$MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
$MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single
handler needs to watch multiple units, use a templated handler.
* A new ExtensionDirectories= setting in service unit files allows
system extensions to be loaded from a directory. (It is similar to
ExtensionImages=, but takes paths to directories, instead of
disk image files.)
'portablectl attach --extension=' now also accepts directory paths.
* The user.delegate and user.invocation_id extended attributes on
cgroups are used in addition to trusted.delegate and
trusted.invocation_id. The latter pair requires privileges to set,
but the former doesn't and can be also set by the unprivileged user
manager.
(Only supported on kernels ≥5.6.)
* Units that were killed by systemd-oomd will now have a service result
of 'oom-kill'. The number of times a service was killed is tallied
in the 'user.oomd_ooms' extended attribute.
The OOMPolicy= unit file setting is now also honoured by
systemd-oomd.
* In unit files the new %y/%Y specifiers can be used to refer to
normalized unit file path, which is particularly useful for symlinked
unit files.
The new %q specifier resolves to the pretty hostname
(i.e. PRETTY_HOSTNAME= from /etc/machine-info).
The new %d specifier resolves to the credentials directory of a
service (same as $CREDENTIALS_DIRECTORY).
* The RootDirectory=, MountAPIVFS=, ExtensionDirectories=,
*Capabilities*=, ProtectHome=, *Directory=, TemporaryFileSystem=,
PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=,
PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=,
ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
MountFlags= service settings now also work in unprivileged user
services, i.e. those run by the user's --user service manager, as long
as user namespaces are enabled on the system.
* Services with Restart=always and a failing ExecCondition= will no
longer be restarted, to bring ExecCondition= behaviour in line with
Condition*= settings.
* LoadCredential= now accepts a directory as the argument; all files
from the directory will be loaded as credentials.
* A new D-Bus property ControlGroupId is now exposed on service units,
that encapsulates the service's numeric cgroup ID that newer kernels
assign to each cgroup.
* PID 1 gained support for configuring the "pre-timeout" of watchdog
devices and the associated governor, via the new
RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration
options in /etc/systemd/system.conf.
* systemctl's --timestamp= option gained a new choice "unix", to show
timestamp as unix times, i.e. seconds since 1970, Jan 1st.
* A new "taint" flag named "old-kernel" is introduced which is set when
the kernel systemd runs on is older then the current baseline version
(see above). The flag is shown in "systemctl status" output.
* Two additional taint flags "short-uid-range" and "short-gid-range"
have been added as well, which are set when systemd notices it is run
within a userns namespace that does not define the full 0…65535 UID
range
* A new "unmerged-usr" taint flag has been added that is set whenever
running on systems where /bin/ + /sbin/ are *not* symlinks to their
counterparts in /usr/, i.e. on systems where the /usr/-merge has not
been completed.
* Generators invoked by PID 1 will now have a couple of useful
environment variables set describing the execution context a
bit. $SYSTEMD_SCOPE encodes whether the generator is called from the
system service manager, or from the per-user service
manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked
in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether
systemd considers the current boot to be a "first"
boot. $SYSTEMD_VIRTUALIZATION encode whether virtualization is
detected and which type of hypervisor/container
manager. $SYSTEMD_ARCHITECTURE indicates which architecture the
kernel is built for.
* PID 1 will now automatically pick up system credentials from qemu's
fw_cfg interface, thus allowing passing arbitrary data into VM
systems similar to how this is already supported for passing them
into `systemd-nspawn` containers. Credentials may now also be passed
in via the new kernel command line option `systemd.set_credential=`
(note that kernel command line options are world-readable during
runtime, and only useful for credentials that require no
confidentiality). The credentials that can be passed to unified
kernels that use the `systemd-stub` UEFI stub are now similarly
picked up automatically. Automatic importing of system credentials
this way can be turned off via the new
`systemd.import_credentials=no` kernel command line option.
* LoadCredential= will now automatically look for credentials in the
/etc/credstore/, /run/credstore/, /usr/lib/credstore/ directories if
the argument is not an absolute path. Similarly,
LoadCredentialEncrypted= will check the same directories plus
/etc/credstore.encrypted/, /run/credstore.encrypted/ and
/usr/lib/credstore.encrypted/. The idea is to use those directories
as the system-wide location for credentials that services should pick
up automatically.
* System and service credentials are described in great detail in a new
document:
https://systemd.io/CREDENTIALS
Changes in systemd-journald:
* The journal JSON export format has been added to listed of stable
interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/).
* journalctl --list-boots now supports JSON output and the --reverse option.
* Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and
updated, BUILDING_IMAGES is new:
https://systemd.io/JOURNAL_EXPORT_FORMATS
https://systemd.io/BUILDING_IMAGES
Changes in udev:
* Two new hwdb files have been added. One lists "handhelds" (PDAs,
calculators, etc.), the other AV production devices (DJ tables,
keypads, etc.) that should accessible to the seat owner user by
default.
* udevadm trigger gained a new --prioritized-subsystem= option to
process certain subsystems (and all their parent devices) earlier.
systemd-udev-trigger.service now uses this new option to trigger
block and TPM devices first, hopefully making the boot a bit faster.
* udevadm trigger now implements --type=all, --initialized-match,
--initialized-nomatch to trigger both subsystems and devices, only
already-initialized devices, and only devices which haven't been
initialized yet, respectively.
* udevadm gained a new "wait" command for safely waiting for a specific
device to show up in the udev device database. This is useful in
scripts that asynchronously allocate a block device (e.g. through
repartitioning, or allocating a loopback device or similar) and need
to synchronize on the creation to complete.
* udevadm gained a new "lock" command for locking one or more block
devices while formatting it or writing a partition table to it. It is
an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and
usable in scripts dealing with block devices.
* udevadm info will show a couple of additional device fields in its
output, and will not apply a limited set of coloring to line types.
* udevadm info --tree will now show a tree of objects (i.e. devices and
suchlike) in the /sys/ hierarchy.
* Block devices will now get a new set of device symlinks in
/dev/disk/by-diskseq/<nr>, which may be used to reference block
device nodes via the kernel's "diskseq" value. Note that this does
not guarantee that opening a device by a symlink like this will
guarantee that the opened device actually matches the specified
diskseq value. To be safe against races, the actual diskseq value of
the opened device (BLKGETDISKSEQ ioctl()) must still be compred with
the one in the symlink path.
* .link files gained support for setting MDI/MID-X on a link.
* .link files gained support for [Match] Firmware= setting to match on
the device firmware description string. By mistake, it was previously
only supported in .network files.
* .link files gained support for [Link] SR-IOVVirtualFunctions= setting
and [SR-IOV] section to configure SR-IOV virtual functions.
Changes in systemd-networkd:
* The default scope for unicast routes configured through [Route]
section is changed to "link", to make the behavior consistent with
"ip route" command. The manual configuration of [Route] Scope= is
still honored.
* A new unit systemd-networkd-wait-online@<interface>.service has been
added that can be used to wait for a specific network interface to be
up.
* systemd-networkd gained a new [Bridge] Isolated=true|false setting
that configures the eponymous kernel attribute on the bridge.
* .netdev files now can be used to create virtual WLAN devices, and
configure various settings on them, via the [WLAN] section.
* .link/.network files gained support for [Match] Kind= setting to match
on device kind ("bond", "bridge", "gre", "tun", "veth", etc.)
This value is also shown by 'networkctl status'.
* The Local= setting in .netdev files for various virtual network
devices gained support for specifying, in addition to the network
address, the name of a local interface which must have the specified
address.
* systemd-networkd gained a new [Tunnel] External= setting in .netdev
files, to configure tunnels in external mode (a.k.a. collect metadata
mode).
* [Network] L2TP= setting was removed. Please use interface specifier in
Local= setting in .netdev files of corresponding L2TP interface.
* New [DHCPServer] BootServerName=, BootServerAddress=, and
BootFilename= settings can be used to configure the server address,
server name, and file name sent in the DHCP packet (e.g. to configure
PXE boot).
Changes in systemd-resolved:
* systemd-resolved is started earlier (in sysinit.target), so it
available earlier and will also be started in the initrd if installed
there.
Changes in disk encryption:
* systemd-cryptenroll can now control whether to require the user to
enter a PIN when using TPM-based unlocking of a volume via the new
--tpm2-with-pin= option.
Option tpm2-pin= can be used in /etc/crypttab.
* When unlocking devices via TPM, TPM2 parameter encryption is now
used, to ensure that communication between CPU and discrete TPM chips
cannot be eavesdropped to acquire disk encryption keys.
* A new switch --fido2-credential-algorithm= has been added to
systemd-cryptenroll allowing selection of the credential algorithm to
use when binding encryption to FIDO2 tokens.
Changes in systemd-hostnamed:
* HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info
to override the values gleaned from the hwdb.
* A ID_CHASSIS property can be set in the hwdb (for the DMI device
/sys/class/dmi/id) to override the chassis that is reported by
hostnamed.
* hostnamed's D-Bus interface gained a new method GetHardwareSerial()
for reading the hardware serial number, as reportd by DMI. It also
exposes a new method D-Bus property FirmwareVersion that encode the
firmware version of the system.
Changes in other components:
* /etc/locale.conf is now populated through tmpfiles.d factory /etc/
handling with the values that were configured during systemd build
(if /etc/locale.conf has not been created through some other
mechanism). This means that /etc/locale.conf should always have
reasonable contents and we avoid a potential mismatch in defaults.
* The userdbctl tool will now show UID range information as part of the
list of known users.
* A new build-time configuration setting default-user-shell= can be
used to set the default shell for user records and nspawn shell
invocations (instead of the default /bin/bash).
* systemd-timesyncd now provides a D-Bus API for receiving NTP server
information dynamically at runtime via IPC.
* The systemd-creds tool gained a new "has-tpm2" verb, which reports
whether a functioning TPM2 infrastructure is available, i.e. if
firmware, kernel driver and systemd all have TPM2 support enabled and
a device found.
* The systemd-creds tool gained support for generating encrypted
credentials that are using an empty encryption key. While this
provides no integrity nor confidentiality it's useful to implement
codeflows that work the same on TPM-ful and TPM2-less systems. The
service manager will only accept credentials "encrypted" that way if
a TPM2 device cannot be detected, to ensure that credentials
"encrypted" like that cannot be used to trick TPM2 systems.
* When deciding whether to colorize output, all systemd programs now
also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and
$TERM).
* Meson's new install_tag feature is now in use for several components,
allowing to build and install select binaries only: pam, nss, devel
(pkg-config files), systemd-boot, libsystemd, libudev. Example:
$ meson build systemd-boot
$ meson install --tags systemd-boot --no-rebuild
https://mesonbuild.com/Installing.html#installation-tags
* A new build configuration option has been added, to allow selecting the
default compression algorithm used by systemd-journald and systemd-coredump.
This allows to build-in support for decompressing all supported formats,
but choose a specific one for compression. E.g.:
$ meson -Ddefault-compression=xz
Experimental features:
* sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
loader.conf that implements booting Microsoft Windows from the
sd-boot in a way that first reboots the system, to reset the TPM
PCRs. This improves compatibility with BitLocker's TPM use, as the
PCRs will only record the Windows boot process, and not sd-boot
itself, thus retaining the PCR measurements not involving sd-boot.
Note that this feature is experimental for now, and is likely going
to be generalized and renamed in a future release, without retaining
compatibility with the current implementation.
* A new systemd-sysupdate component has been added that automatically
discovers, downloads, and installs A/B-style updates for the host
installation itself, or container images, portable service images,
and other assets. See the new systemd-sysupdate man page for updates.
Contributions from: 4piu, Adam Williamson, adrian5, Albert Brox,
AlexCatze, Alex Henrie, Alfonso Sánchez-Beato, Alice S,
Alvin Šipraga, amarjargal, Amarjargal, Andrea Pappacoda,
Andreas Rammhold, Andy Chi, Anita Zhang, Antonio Alvarez Feijoo,
Arfrever Frehtes Taifersar Arahesis, ash, Bastien Nocera, Be,
bearhoney, Ben Efros, Benjamin Berg, Benjamin Franzke,
Brett Holman, Christian Brauner, Clyde Byrd III, Curtis Klein,
Daan De Meyer, Daniele Medri, Daniel Mack, Danilo Krummrich,
David, David Bond, Davide Cavalca, David Tardon, davijosw,
dependabot[bot], Donald Chan, Dorian Clay, Eduard Tolosa,
Elias Probst, Eli Schwartz, Erik Sjölund, Evgeny Vereshchagin,
Federico Ceratto, Franck Bui, Frantisek Sumsal, Gaël PORTAY,
Georges Basile Stavracas Neto, Gibeom Gwon, Goffredo Baroncelli,
Grigori Goronzy, Hans de Goede, Heiko Becker, Hugo Carvalho,
Jakob Lell, James Hilliard, Jan Janssen, Jason A. Donenfeld,
Joan Bruguera, Joerie de Gram, Josh Triplett, Julia Kartseva,
Kazuo Moriwaka, Khem Raj, ksa678491784, Lance, Lan Tian,
Laura Barcziova, Lennart Poettering, Leviticoh, licunlong,
Lidong Zhong, lincoln auster, Lubomir Rintel, Luca Boccassi,
Luca BRUNO, lucagoc, Ludwig Nussel, Marcel Hellwig, march1993,
Marco Scardovi, Mario Limonciello, Mariusz Tkaczyk,
Markus Weippert, Martin, Martin Liska, Martin Wilck, Matija Skala,
Matthew Blythe, Matthias Lisin, Matthijs van Duin, Matt Walton,
Max Gautier, Michael Biebl, Michael Olbrich, Michal Koutný,
Michal Sekletár, Mike Gilbert, MkfsSion, Morten Linderud,
Nick Rosbrook, Nikolai Grigoriev, Nikolai Kostrigin,
Nishal Kulkarni, Noel Kuntze, Pablo Ceballos, Peter Hutterer,
Peter Morrow, Pigmy-penguin, Piotr Drąg, prumian, Richard Neill,
Rike-Benjamin Schuppner, rodin-ia, Romain Naour, Ruben Kerkhof,
Ryan Hendrickson, Santa Wiryaman, Sebastian Pucilowski, Seth Falco,
Simon Ellmann, Sonali Srivastava, Stefan Seering,
Stephen Hemminger, tawefogo, techtino, Temuri Doghonadze,
Thomas Batten, Thomas Haller, Thomas Weißschuh, Tobias Stoeckmann,
Tomasz Pala, Tyson Whitehead, Vishal Chillara Srinivas,
Vivien Didelot, w30023233, wangyuhang, Weblate, Xiaotian Wu,
yangmingtai, YmrDtnJu, Yonathan Randolph, Yutsuten, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, наб
— Edinburgh, 2022-05-21
CHANGES WITH 250:
* Support for encrypted and authenticated credentials has been added.
This extends the credential logic introduced with v247 to support
non-interactive symmetric encryption and authentication, based on a
key that is stored on the /var/ file system or in the TPM2 chip (if
available), or the combination of both (by default if a TPM2 chip
exists the combination is used, otherwise the /var/ key only). The
credentials are automatically decrypted at the moment a service is
started, and are made accessible to the service itself in unencrypted
form. A new tool 'systemd-creds' encrypts credentials for this
purpose, and two new service file settings LoadCredentialEncrypted=
and SetCredentialEncrypted= configure such credentials.
This feature is useful to store sensitive material such as SSL
certificates, passwords and similar securely at rest and only decrypt
them when needed, and in a way that is tied to the local OS
installation or hardware.
* systemd-gpt-auto-generator can now automatically set up discoverable
LUKS2 encrypted swap partitions.
* The GPT Discoverable Partitions Specification has been substantially
extended with support for root and /usr/ partitions for the majority
of architectures systemd supports. This includes platforms that do
not natively support UEFI, because even though GPT is specified under
UEFI umbrella, it is useful on other systems too. Specifically,
systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
Portable Services use the concept without requiring UEFI.
* The GPT Discoverable Partitions Specifications has been extended with
a new set of partitions that may carry PKCS#7 signatures for Verity
partitions, encoded in a simple JSON format. This implements a simple
mechanism for building disk images that are fully authenticated and
can be tested against a set of cryptographic certificates. This is
now implemented for the various systemd tools that can operate with
disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers.
The PKCS#7 signatures are passed to the kernel (where they are
checked against certificates from the kernel keyring), or can be
verified against certificates provided in userspace (via a simple
drop-in file mechanism).
* systemd-dissect's inspection logic will now report for which uses a
disk image is intended. Specifically, it will display whether an
image is suitable for booting on UEFI or in a container (using
systemd-nspawn's --image= switch), whether it can be used as portable
service, or attached as system extension.
* The system-extension.d/ drop-in files now support a new field
SYSEXT_SCOPE= that may encode which purpose a system extension image
is for: one of "initrd", "system" or "portable". This is useful to
make images more self-descriptive, and to ensure system extensions
cannot be attached in the wrong contexts.
* The os-release file learnt a new PORTABLE_PREFIXES= field which may
be used in portable service images to indicate which unit prefixes
are supported.
* The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
now is able to decode images for non-native architectures as well.
This allows systemd-nspawn to boot images of non-native architectures
if the corresponding user mode emulator is installed and
systemd-binfmtd is running.
* systemd-logind gained new settings HandlePowerKeyLongPress=,
HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
HandleHibernateKeyLongPress= which may be used to configure actions
when the relevant keys are pressed for more than 5s. This is useful
on devices that only have hardware for a subset of these keys. By
default, if the reboot key is pressed long the poweroff operation is
now triggered, and when the suspend key is pressed long the hibernate
operation is triggered. Long pressing the other two keys currently
does not trigger any operation by default.
* When showing unit status updates on the console during boot and
shutdown, and a service is slow to start so that the cylon animation
is shown, the most recent sd_notify() STATUS= text is now shown as
well. Services may use this to make the boot/shutdown output easier
to understand, and to indicate what precisely a service that is slow
to start or stop is waiting for. In particular, the per-user service
manager instance now reports what it is doing and which service it is
waiting for this way to the system service manager.
* The service manager will now re-execute on reception of the
SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
only when running as PID 1. There was no signal to request this when
running as per-user service manager, i.e. as any other PID than 1.
SIGRTMIN+25 works for both system and user managers.
* The hardware watchdog logic in PID 1 gained support for operating
with the default timeout configured in the hardware, instead of
insisting on re-configuring it. Set RuntimeWatchdogSec=default to
request this behavior.
* A new kernel command line option systemd.watchdog_sec= is now
understood which may be used to override the hardware watchdog
time-out for the boot.
* A new setting DefaultOOMScoreAdjust= is now supported in
/etc/systemd/system.conf and /etc/systemd/user.conf. It may be used
to set the default process OOM score adjustment value for processes
started by the service manager. For per-user service managers this
now defaults to 100, but for per-system service managers is left as
is. This means that by default now services forked off the user
service manager are more likely to be killed by the OOM killer than
system services or the managers themselves.
* A new per-service setting RestrictFileSystems= as been added that
restricts the file systems a service has access to by their type.
This is based on the new BPF LSM of the Linux kernel. It provides an
effective way to make certain API file systems unavailable to
services (and thus minimizing attack surface). A new command
"systemd-analyze filesystems" has been added that lists all known
file system types (and how they are grouped together under useful
group handles).
* Services now support a new setting RestrictNetworkInterfaces= for
restricting access to specific network interfaces.
* Service unit files gained new settings StartupAllowedCPUs= and
StartupAllowedMemoryNodes=. These are similar to their counterparts
without the "Startup" prefix and apply during the boot process
only. This is useful to improve boot-time behavior of the system and
assign resources differently during boot than during regular
runtime. This is similar to the preexisting StartupCPUWeight=
vs. CPUWeight.
* Related to this: the various StartupXYZ= settings
(i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied
during shutdown. The settings not prefixed with "Startup" hence apply
during regular runtime, and those that are prefixed like that apply
during boot and shutdown.
* A new per-unit set of conditions/asserts
[Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a
unit skip/fail activation if the system's (or a slice's) memory/cpu/io
pressure is above the configured threshold, using the kernel PSI
feature. For more details see systemd.unit(5) and
https://docs.kernel.org/accounting/psi.html
* The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
ProtectKernelLogs=yes can now be used.
* The default maximum numbers of inodes have been raised from 64k to 1M
for /dev/, and from 400k to 1M for /tmp/.
* The per-user service manager learnt support for communicating with
systemd-oomd to acquire OOM kill information.
* A new service setting ExecSearchPath= has been added that allows
changing the search path for executables for services. It affects
where we look for the binaries specified in ExecStart= and similar,
and the specified directories are also added the $PATH environment
variable passed to invoked processes.
* A new setting RuntimeRandomizedExtraSec= has been added for service
and scope units that allows extending the runtime time-out as
configured by RuntimeMaxSec= with a randomized amount.
* The syntax of the service unit settings RuntimeDirectory=,
StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
if the specified value is now suffixed with a colon, followed by
another filename, the latter will be created as symbolic link to the
specified directory. This allows creating these service directories
together with alias symlinks to make them available under multiple
names.
* Service unit files gained two new settings TTYRows=/TTYColumns= for
configuring rows/columns of the TTY device passed to
stdin/stdout/stderr of the service. This is useful to propagate TTY
dimensions to a virtual machine.
* A new service unit file setting ExitType= has been added that
specifies when to assume a service has exited. By default systemd
only watches the main process of a service. By setting
ExitType=cgroup it can be told to wait for the last process in a
cgroup instead.
* Automount unit files gained a new setting ExtraOptions= that can be
used to configure additional mount options to pass to the kernel when
mounting the autofs instance.
* "Urlification" (generation of ESC sequences that generate clickable
hyperlinks in modern terminals) may now be turned off altogether
during build-time.
* Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec=
settings that default to 200 and 2 s respectively. The ratelimit
ensures that a path unit cannot cause PID1 to busy-loop when it is
trying to trigger a service that is skipped because of a Condition*=
not being satisfied. This matches the configuration and behaviour of
socket units.
* The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built
as a plug-in for cryptsetup. This means the plain cryptsetup command
may now be used to unlock volumes set up this way.
* The TPM2 logic in cryptsetup will now automatically detect systems
where the TPM2 chip advertises SHA256 PCR banks but the firmware only
updates the SHA1 banks. In such a case PCR policies will be
automatically bound to the latter, not the former. This makes the PCR
policies reliable, but of course do not provide the same level of
trust as SHA256 banks.
* The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports
RSA primary keys in addition to ECC, improving compatibility with
TPM2 chips that do not support ECC. RSA keys are much slower to use
than ECC, and hence are only used if ECC is not available.
* /etc/crypttab gained support for a new token-timeout= setting for
encrypted volumes that allows configuration of the maximum time to
wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses
the logic will query the user for a regular passphrase/recovery key
instead.
* Support for activating dm-integrity volumes at boot via a new file
/etc/integritytab and the tool systemd-integritysetup have been
added. This is similar to /etc/crypttab and /etc/veritytab, but deals
with dm-integrity instead of dm-crypt/dm-verity.
* The systemd-veritysetup-generator now understands a new usrhash=
kernel command line option for specifying the Verity root hash for
the partition backing the /usr/ file system. A matching set of
systemd.verity_usr_* kernel command line options has been added as
well. These all work similar to the corresponding options for the
root partition.
* The sd-device API gained a new API call sd_device_get_diskseq() to
return the DISKSEQ property of a device structure. The "disk
sequence" concept is a new feature recently introduced to the Linux
kernel that allows detecting reuse cycles of block devices, i.e. can
be used to recognize when loopback block devices are reused for a
different purpose or CD-ROM drives get their media changed.
* A new unit systemd-boot-update.service has been added. If enabled
(the default) and the sd-boot loader is detected to be installed, it
is automatically updated to the newest version when out of date. This
is useful to ensure the boot loader remains up-to-date, and updates
automatically propagate from the OS tree in /usr/.
* sd-boot will now build with SBAT by default in order to facilitate
working with recent versions of Shim that require it to be present.
* sd-boot can now parse Microsoft Windows' Boot Configuration Data.
This is used to robustly generate boot entry titles for Windows.
* A new generic target unit factory-reset.target has been added. It is
hooked into systemd-logind similar in fashion to
reboot/poweroff/suspend/hibernate, and is supposed to be used to
initiate a factory reset operation. What precisely this operation
entails is up for the implementer to decide, the primary goal of the
new unit is provide a framework where to plug in the implementation
and how to trigger it.
* A new meson build-time option 'clock-valid-range-usec-max' has been
added which takes a time in µs and defaults to 15 years. If the RTC
time is noticed to be more than the specified time ahead of the
built-in epoch of systemd (which by default is the release timestamp
of systemd) it is assumed that the RTC is not working correctly, and
the RTC is reset to the epoch. (It already is reset to the epoch when
noticed to be before it.) This should increase the chance that time
doesn't accidentally jump too far ahead due to faulty hardware or
batteries.
* A new setting SaveIntervalSec= has been added to systemd-timesyncd,
which may be used to automatically save the current system time to
disk in regular intervals. This is useful to maintain a roughly
monotonic clock even without RTC hardware and with some robustness
against abnormal system shutdown.
* systemd-analyze verify gained support for a pair of new --image= +
--root= switches for verifying units below a specific root
directory/image instead of on the host.
* systemd-analyze verify gained support for verifying unit files under
an explicitly specified unit name, independently of what the filename
actually is.
* systemd-analyze verify gained a new switch --recursive-errors= which
controls whether to only fail on errors found in the specified units
or recursively any dependent units.
* systemd-analyze security now supports a new --offline mode for
analyzing unit files stored on disk instead of loaded units. It may
be combined with --root=/--image to analyze unit files under a root
directory or disk image. It also learnt a new --threshold= parameter
for specifying an exposure level threshold: if the exposure level
exceeds the specified value the call will fail. It also gained a new
--security-policy= switch for configuring security policies to
enforce on the units. A policy is a JSON file that lists which tests
shall be weighted how much to determine the overall exposure
level. Altogether these new features are useful for fully automatic
analysis and enforcement of security policies on unit files.
* systemd-analyze security gain a new --json= switch for JSON output.
* systemd-analyze learnt a new --quiet switch for reducing
non-essential output. It's honored by the "dot", "syscall-filter",
"filesystems" commands.
* systemd-analyze security gained a --profile= option that can be used
to take into account a portable profile when analyzing portable
services, since a lot of the security-related settings are enabled
through them.
* systemd-analyze learnt a new inspect-elf verb that parses ELF core
files, binaries and executables and prints metadata information,
including the build-id and other info described on:
https://systemd.io/COREDUMP_PACKAGE_METADATA/
* .network files gained a new UplinkInterface= in the [IPv6SendRA]
section, for automatically propagating DNS settings from other
interfaces.
* The static lease DHCP server logic in systemd-networkd may now serve
IP addresses outside of the configured IP pool range for the server.
* CAN support in systemd-networkd gained four new settings Loopback=,
OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN
control modes. It gained a number of further settings for tweaking
CAN timing quanta.
* The [CAN] section in .network file gained new TimeQuantaNSec=,
PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=,
SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=,
DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and
DataSyncJumpWidth= settings to control bit-timing processed by the
CAN interface.
* DHCPv4 client support in systemd-networkd learnt a new Label= option
for configuring the address label to apply to configure IPv4
addresses.
* The [IPv6AcceptRA] section of .network files gained support for a new
UseMTU= setting that may be used to control whether to apply the
announced MTU settings to the local interface.
* The [DHCPv4] section in .network file gained a new Use6RD= boolean
setting to control whether the DHCPv4 client request and process the
DHCP 6RD option.
* The [DHCPv6PrefixDelegation] section in .network file is renamed to
[DHCPPrefixDelegation], as now the prefix delegation is also supported
with DHCPv4 protocol by enabling the Use6RD= setting.
* The [DHCPPrefixDelegation] section in .network file gained a new
setting UplinkInterface= to specify the upstream interface.
* The [DHCPv6] section in .network file gained a new setting
UseDelegatedPrefix= to control whether the delegated prefixes will be
propagated to the downstream interfaces.
* The [IPv6AcceptRA] section of .network files now understands two new
settings UseGateway=/UseRoutePrefix= for explicitly configuring
whether to use the relevant fields from the IPv6 Router Advertisement
records.
* The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
settings in the [DHCPv6] section and the DHCPv6Client= setting in the
[IPv6AcceptRA] section to control when the DHCPv6 client is started
and how the delegated prefixes are handled by the DHCPv6 client.
* The IPv6Token= section in the [Network] section is deprecated, and
the [IPv6AcceptRA] section gained the Token= setting for its
replacement. The [IPv6Prefix] section also gained the Token= setting.
The Token= setting gained 'eui64' mode to explicitly configure an
address with the EUI64 algorithm based on the interface MAC address.
The 'prefixstable' mode can now optionally take a secret key. The
Token= setting in the [DHCPPrefixDelegation] section now supports all
algorithms supported by the same settings in the other sections.
* The [RoutingPolicyRule] section of .network file gained a new
SuppressInterfaceGroup= setting.
* The IgnoreCarrierLoss= setting in the [Network] section of .network
files now allows a duration to be specified, controlling how long to
wait before reacting to carrier loss.
* The [DHCPServer] section of .network file gained a new Router=
setting to specify the router address.
* The [CAKE] section of .network files gained various new settings
AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=,
MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=,
and UseRawPacketSize= for configuring CAKE.
* systemd-networkd now ships with new default .network files:
80-container-vb.network which matches host-side network bridge device
created by systemd-nspawn's --network-bridge or --network-zone
switch, and 80-6rd-tunnel.network which matches automatically created
sit tunnel with 6rd prefix when the DHCP 6RD option is received.
* systemd-networkd's handling of Endpoint= resolution for WireGuard
interfaces has been improved.
* systemd-networkd will now automatically configure routes to addresses
specified in AllowedIPs=. This feature can be controlled via
RouteTable= and RouteMetric= settings in [WireGuard] or
[WireGuardPeer] sections.
* systemd-networkd will now once again automatically generate persistent
MAC addresses for batadv and bridge interfaces. Users can disable this
by using MACAddress=none in .netdev files.
* systemd-networkd and systemd-udevd now support IP over InfiniBand
interfaces. The Kind= setting in .netdev file accepts "ipoib". And
systemd.netdev files gained the [IPoIB] section.
* systemd-networkd and systemd-udevd now support net.ifname_policy=
option on the kernel command-line. This is implemented through the
systemd-network-generator service that automatically generates
appropriate .link, .network, and .netdev files.
* The various systemd-udevd "ethtool" buffer settings now understand
the special value "max" to configure the buffers to the maximum the
hardware supports.
* systemd-udevd's .link files may now configure a large variety of
NIC coalescing settings, plus more hardware offload settings.
* .link files gained a new WakeOnLanPassword= setting in the [Link]
section that allows to specify a WoL "SecureOn" password on hardware
that supports this.
* systemd-nspawn's --setenv= switch now supports an additional syntax:
if only a variable name is specified (i.e. without being suffixed by
a '=' character and a value) the current value of the environment
variable is propagated to the container. e.g. --setenv=FOO will
lookup the current value of $FOO in the environment, and pass it down
to the container. Similar behavior has been added to homectl's,
machinectl's and systemd-run's --setenv= switch.
* systemd-nspawn gained a new switch --suppress-sync= which may be used
to optionally suppress the effect of the sync()/fsync()/fdatasync()
system calls for the container payload. This is useful for build
system environments where safety against abnormal system shutdown is
not essential as all build artifacts can be regenerated any time, but
the performance win is beneficial.
* systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the
same value that PID 1 uses for most forked off processes.
* systemd-nspawn's --bind=/--bind-ro= switches now optionally take
uidmap/nouidmap options as last parameter. If "uidmap" is used the
bind mounts are created with UID mapping taking place that ensures
the host's file ownerships are mapped 1:1 to container file
ownerships, even if user namespacing is used. This way
files/directories bound into containers will no longer show up as
owned by the nobody user as they typically did if no special care was
taken to shift them manually.
* When discovering Windows installations sd-boot will now attempt to
show the Windows version.
* The color scheme to use in sd-boot may now be configured at
build-time.
* sd-boot gained the ability to change screen resolution during
boot-time, by hitting the "r" key. This will cycle through available
resolutions and save the last selection.
* sd-boot learnt a new hotkey "f". When pressed the system will enter
firmware setup. This is useful in environments where it is difficult
to hit the right keys early enough to enter the firmware, and works
on any firmware regardless which key it natively uses.
* sd-boot gained support for automatically booting into the menu item
selected on the last boot (using the "@saved" identifier for menu
items).
* sd-boot gained support for automatically loading all EFI drivers
placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
Partition (ESP). These drivers are loaded before the menu entries are
loaded. This is useful e.g. to load additional file system drivers
for the XBOOTLDR partition.
* systemd-boot will now paint the input cursor on its own instead of
relying on the firmware to do so, increasing compatibility with broken
firmware that doesn't make the cursor reasonably visible.
* sd-boot now embeds a .osrel PE section like we expect from Boot
Loader Specification Type #2 Unified Kernels. This means sd-boot
itself may be used in place of a Type #2 Unified Kernel. This is
useful for debugging purposes as it allows chain-loading one a
(development) sd-boot instance from another.
* sd-boot now supports a new "devicetree" field in Boot Loader
Specification Type #1 entries: if configured the specified device
tree file is installed before the kernel is invoked. This is useful
for installing/applying new devicetree files without updating the
kernel image.
* Similarly, sd-stub now can read devicetree data from a PE section
".dtb" and apply it before invoking the kernel.
* sd-stub (the EFI stub that can be glued in front of a Linux kernel)
gained the ability to pick up credentials and sysext files, wrap them
in a cpio archive, and pass as an additional initrd to the invoked
Linux kernel, in effect placing those files in the /.extra/ directory
of the initrd environment. This is useful to implement trusted initrd
environments which are fully authenticated but still can be extended
(via sysexts) and parameterized (via encrypted/authenticated
credentials, see above).
Credentials can be located next to the kernel image file (credentials
specific to a single boot entry), or in one of the shared directories
(credentials applicable to multiple boot entries).
* sd-stub now comes with a full man page, that explains its feature set
and how to combine a kernel image, an initrd and the stub to build a
complete EFI unified kernel image, implementing Boot Loader
Specification Type #2.
* sd-stub may now provide the initrd to the executed kernel via the
LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
non-x86 architectures.
* bootctl learnt new set-timeout and set-timeout-oneshot commands that
may be used to set the boot menu time-out of the boot loader (for all
or just the subsequent boot).
* bootctl and kernel-install will now read variables
KERNEL_INSTALL_LAYOUT= from /etc/machine-info and layout= from
/etc/kernel/install.conf. When set, it specifies the layout to use
for installation directories on the boot partition, so that tools
don't need to guess it based on the already-existing directories. The
only value that is defined natively is "bls", corresponding to the
layout specified in
https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for
kernel-install that implement a different layout can declare other
values for this variable.
'bootctl install' will now write KERNEL_INSTALL_LAYOUT=bls, on the
assumption that if the user installed sd-boot to the ESP, they intend
to use the entry layout understood by sd-boot. It'll also write
KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID
(and it wasn't specified in the config file yet). Similarly,
kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it
wasn't specified in the config file yet). Effectively, those changes
mean that the machine-id used for boot loader entry installation is
"frozen" upon first use and becomes independent of the actual
machine-id.
Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem:
images created for distribution ("golden images") are built with no
machine-id, so that a unique machine-id can be created on the first
boot. But those images may contain boot loader entries with the
machine-id used during build included in paths. Using a "frozen"
value allows unambiguously identifying entries that match the
specific installation, while still permitting parallel installations
without conflict.
Configuring KERNEL_INSTALL_LAYOUT obviates the need for
kernel-install to guess the installation layout. This fixes the
problem where a (possibly empty) directory in the boot partition is
created from a different layout causing kernel-install plugins to
assume the wrong layout. A particular example of how this may happen
is the grub2 package in Fedora which includes directories under /boot
directly in its file list. Various other packages pull in grub2 as a
dependency, so it may be installed even if unused, breaking
installations that use the bls layout.
* bootctl and systemd-bless-boot can now be linked statically.
* systemd-sysext now optionally doesn't insist on extension-release.d/
files being placed in the image under the image's file name. If the
file system xattr user.extension-release.strict is set on the
extension release file, it is accepted regardless of its name. This
relaxes security restrictions a bit, as system extension may be
attached under a wrong name this way.
* udevadm's test-builtin command learnt a new --action= switch for
testing the built-in with the specified action (in place of the
default 'add').
* udevadm info gained new switches --property=/--value for showing only
specific udev properties/values instead of all.
* A new hwdb database has been added that contains matches for various
types of signal analyzers (protocol analyzers, logic analyzers,
oscilloscopes, multimeters, bench power supplies, etc.) that should
be accessible to regular users.
* A new hwdb database entry has been added that carries information
about types of cameras (regular or infrared), and in which direction
they point (front or back).
* A new rule to allow console users access to rfkill by default has been
added to hwdb.
* Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are
now also owned by the system group "sgx".
* A new build-time meson option "extra-net-naming-schemes=" has been
added to define additional naming schemes for udev's network
interface naming logic. This is useful for enterprise distributions
and similar which want to pin the schemes of certain distribution
releases under a specific name and previously had to patch the
sources to introduce new named schemes.
* The predictable naming logic for network interfaces has been extended
to generate stable names from Xen netfront device information.
* hostnamed's chassis property can now be sourced from chassis-type
field encoded in devicetree (in addition to the existing DMI
support).
* systemd-cgls now optionally displays cgroup IDs and extended
attributes for each cgroup. (Controllable via the new --xattr= +
--cgroup-id= switches.)
* coredumpctl gained a new --all switch for operating on all
Journal files instead of just the local ones.
* systemd-coredump will now use libdw/libelf via dlopen() rather than
directly linking, allowing users to easily opt-out of backtrace/metadata
analysis of core files, and reduce image sizes when this is not needed.
* systemd-coredump will now analyze core files with libdw/libelf in a
forked, sandboxed process.
* systemd-homed will now try to unmount an activate home area in
regular intervals once the user logged out fully. Previously this was
attempted exactly once but if the home directory was busy for some
reason it was not tried again.
* systemd-homed's LUKS2 home area backend will now create a BSD file
system lock on the image file while the home area is active
(i.e. mounted). If a home area is found to be locked, logins are
politely refused. This should improve behavior when using home areas
images that are accessible via the network from multiple clients, and
reduce the chance of accidental file system corruption in that case.
* Optionally, systemd-homed will now drop the kernel buffer cache once
a user has fully logged out, configurable via the new --drop-caches=
homectl switch.
* systemd-homed now makes use of UID mapped mounts for the home areas.
If the kernel and used file system support it, files are now
internally owned by the "nobody" user (i.e. the user typically used
for indicating "this ownership is not mapped"), and dynamically
mapped to the UID used locally on the system via the UID mapping
mount logic of recent kernels. This makes migrating home areas
between different systems cheaper because recursively chown()ing file
system trees is no longer necessary.
* systemd-homed's CIFS backend now optionally supports CIFS service
names with a directory suffix, in order to place home directories in
a subdirectory of a CIFS share, instead of the top-level directory.
* systemd-homed's CIFS backend gained support for specifying additional
mount options in the JSON user record (cifsExtraMountOptions field,
and --cifs-extra-mount-options= homectl switch). This is for example
useful for configuring mount options such as "noserverino" that some
SMB3 services require (use that to run a homed home directory from a
FritzBox SMB3 share this way).
* systemd-homed will now default to btrfs' zstd compression for home
areas. This is inspired by Fedora's recent decision to switch to zstd
by default.
* Additional mount options to use when mounting the file system of
LUKS2 volumes in systemd-homed has been added. Via the
$SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4,
$SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to
systemd-homed or via the luksExtraMountOptions user record JSON
property. (Exposed via homectl --luks-extra-mount-options)
* homectl's resize command now takes the special size specifications
"min" and "max" to shrink/grow the home area to the minimum/maximum
size possible, taking disk usage/space constraints and file system
limitations into account. Resizing is now generally graceful: the
logic will try to get as close to the specified size as possible, but
not consider it a failure if the request couldn't be fulfilled
precisely.
* systemd-homed gained the ability to automatically shrink home areas
on logout to their minimal size and grow them again on next
login. This ensures that while inactive, a home area only takes up
the minimal space necessary, but once activated, it provides
sufficient space for the user's needs. This behavior is only
supported if btrfs is used as file system inside the home area
(because only for btrfs online growing/shrinking is implemented in
the kernel). This behavior is now enabled by default, but may be
controlled via the new --auto-resize-mode= setting of homectl.
* systemd-homed gained support for automatically re-balancing free disk
space among active home areas, in case the LUKS2 backends are used,
and no explicit disk size was requested. This way disk space is
automatically managed and home areas resized in regular intervals and
manual resizing when disk space becomes scarce should not be
necessary anymore. This behavior is only supported if btrfs is used
within the home areas (as only then online shrinking and growing is
supported), and may be configured via the new rebalanceWeight JSON
user record field (as exposed via the new --rebalance-weight= homectl
setting). Re-balancing is mostly automatic, but can also be requested
explicitly via "homectl rebalance", which is synchronous, and thus
may be used to wait until the rebalance run is complete.
* userdbctl gained a --json= switch for configured the JSON formatting
to use when outputting user or group records.
* userdbctl gained a new --multiplexer= switch for explicitly
configuring whether to use the systemd-userdbd server side user
record resolution logic.
* userdbctl's ssh-authorized-keys command learnt a new --chain switch,
for chaining up another command to execute after completing the
look-up. Since the OpenSSH's AuthorizedKeysCommand only allows
configuration of a single command to invoke, this maybe used to
invoke multiple: first userdbctl's own implementation, and then any
other also configured in the command line.
* The sd-event API gained a new function sd_event_add_inotify_fd() that
is similar to sd_event_add_inotify() but accepts a file descriptor
instead of a path in the file system for referencing the inode to
watch.
* The sd-event API gained a new function
sd_event_source_set_ratelimit_expire_callback() that may be used to
define a callback function that is called whenever an event source
leaves the rate limiting phase.
* New documentation has been added explaining which steps are necessary
to port systemd to a new architecture:
https://systemd.io/PORTING_TO_NEW_ARCHITECTURES
* The x-systemd.makefs option in /etc/fstab now explicitly supports
ext2, ext3, and f2fs file systems.
* Mount units and units generated from /etc/fstab entries with 'noauto'
are now ordered the same as other units. Effectively, they will be
started earlier (if something actually pulled them in) and stopped
later, similarly to normal mount units that are part of
fs-local.target. This change should be invisible to users, but
should prevent those units from being stopped too early during
shutdown.
* The systemd-getty-generator now honors a new kernel command line
argument systemd.getty_auto= and a new environment variable
$SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
example useful to turn off gettys inside of containers or similar
environments.
* systemd-resolved now listens on a second DNS stub address: 127.0.0.54
(in addition to 127.0.0.53, as before). If DNS requests are sent to
this address they are propagated in "bypass" mode only, i.e. are
almost not processed locally, but mostly forwarded as-is to the
current upstream DNS servers. This provides a stable DNS server
address that proxies all requests dynamically to the right upstream
DNS servers even if these dynamically change. This stub does not do
mDNS/LLMNR resolution. However, it will translate look-ups to
DNS-over-TLS if necessary. This new stub is particularly useful in
container/VM environments, or for tethering setups: use DNAT to
redirect traffic to any IP address to this stub.
* systemd-importd now honors new environment variables
$SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA,
$SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume
generation, btrfs quota setup and disk synchronization.
* systemd-importd and systemd-resolved can now be optionally built with
OpenSSL instead of libgcrypt.
* systemd-repart no longer requires OpenSSL.
* systemd-sysusers will no longer create the redundant 'nobody' group
by default, as the 'nobody' user is already created with an
appropriate primary group.
* If a unit uses RuntimeMaxSec, systemctl show will now display it.
* systemctl show-environment gained support for --output=json.
* pam_systemd will now first try to use the X11 abstract socket, and
fallback to the socket file in /tmp/.X11-unix/ only if that does not
work.
* systemd-journald will no longer go back to volatile storage
regardless of configuration when its unit is restarted.
* Initial support for the LoongArch architecture has been added (system
call lists, GPT partition table UUIDs, etc).
* systemd-journald's own logging messages are now also logged to the
journal itself when systemd-journald logs to /dev/kmsg.
* systemd-journald now re-enables COW for archived journal files on
filesystems that support COW. One benefit of this change is that
archived journal files will now get compressed on btrfs filesystems
that have compression enabled.
* systemd-journald now deduplicates fields in a single log message
before adding it to the journal. In archived journal files, it will
also punch holes for unused parts and truncate the file as
appropriate, leading to reductions in disk usage.
* journalctl --verify was extended with more informative error
messages.
* More of sd-journal's functions are now resistant against journal file
corruption.
* The shutdown command learnt a new option --show, to display the
scheduled shutdown.
* A LICENSES/ directory is now included in the git tree. It contains a
README.md file that explains the licenses used by source files in
this repository. It also contains the text of all applicable
licenses as they appear on spdx.org.
Contributions from: Aakash Singh, acsfer, Adolfo Jayme Barrientos,
Adrian Vovk, Albert Brox, Alberto Mardegan, Alexander Kanavin,
alexlzhu, Alfonso Sánchez-Beato, Alvin Šipraga, Alyssa Ross,
Amir Omidi, Anatol Pomozov, Andika Triwidada, Andreas Rammhold,
Andreas Valder, Andrej Lajovic, Andrew Soutar, Andrew Stone, Andy Chi,
Anita Zhang, Anssi Hannula, Antonio Alvarez Feijoo,
Antony Deepak Thomas, Arnaud Ferraris, Arvid E. Picciani,
Bastien Nocera, Benjamin Berg, Benjamin Herrenschmidt, Ben Stockett,
Bogdan Seniuc, Boqun Feng, Carl Lei, chlorophyll-zz, Chris Packham,
Christian Brauner, Christian Göttsche, Christian Wehrli,
Christoph Anton Mitterer, Cristian Rodríguez, Daan De Meyer,
Daniel Maixner, Dann Frazier, Dan Streetman, Davide Cavalca,
David Seifert, David Tardon, dependabot[bot], Dimitri John Ledkov,
Dimitri Papadopoulos, Dimitry Ishenko, Dmitry Khlebnikov,
Dominique Martinet, duament, Egor, Egor Ignatov, Emil Renner Berthing,
Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin, Florian Klink,
Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon, GnunuX,
Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede,
Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho,
Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras,
I-dont-need-name, igo95862, Jack Dähn, James Hilliard, Jan Janssen,
Jan Kuparinen, Jan Macku, Jan Palus, Jarkko Sakkinen, Jayce Fayne,
jiangchuangang, jlempen, John Lindgren, Jonas Dreßler, Jonas Jelten,
Jonas Witschel, Joris Hartog, José Expósito, Julia Kartseva,
Kai-Heng Feng, Kai Wohlfahrt, Kay Siver Bø, KennthStailey,
Kevin Kuehler, Kevin Orr, Khem Raj, Kristian Klausen, Kyle Laker,
lainahai, LaserEyess, Lennart Poettering, Lia Lenckowski, longpanda,
Luca Boccassi, Luca BRUNO, Ludwig Nussel, Lukas Senionis,
Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi,
Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez,
Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro,
Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert,
Milo Turner, ml, monosans, Nacho Barrientos, nassir90, Nishal Kulkarni,
nl6720, Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto,
Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas,
Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Robert Scheck,
Ross Jennings, saikat0511, Scott Lamb, Scott Worley,
Sergei Trofimovich, Sho Iizuka, Slava Bacherikov, Slimane Selyan Amiri,
StefanBruens, Steven Siloti, svonohr, Taiki Sugawara, Takashi Sakamoto,
Takuro Onoue, Thomas Blume, Thomas Haller, Thomas Mühlbacher,
Tianlu Shao, Toke Høiland-Jørgensen, Tom Yan, Tony Asleson,
Topi Miettinen, Ulrich Ölmann, Urs Ritzmann, Vincent Bernat,
Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ, Wu Xiaotian,
xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei, Yao Wei (魏銘廷),
Yegor Alexeyev, Yu Watanabe, Zbigniew Jędrzejewski-Szmek,
Дамјан Георгиевски, наб
— Warsaw, 2021-12-23
CHANGES WITH 249:
* When operating on disk images via the --image= switch of various
tools (such as systemd-nspawn or systemd-dissect), or when udev finds
no 'root=' parameter on the kernel command line, and multiple
suitable root or /usr/ partitions exist in the image, then a simple
comparison inspired by strverscmp() is done on the GPT partition
label, and the newest partition is picked. This permits a simple and
generic whole-file-system A/B update logic where new operating system
versions are dropped into partitions whose label is then updated with
a matching version identifier.
* systemd-sysusers now supports querying the passwords to set for the
users it creates via the "credentials" logic introduced in v247: the
passwd.hashed-password.<user> and passwd.plaintext-password.<user>
credentials are consulted for the password to use (either in UNIX
hashed form, or literally). By default these credentials are inherited
down from PID1 (which in turn imports it from a container manager if
there is one). This permits easy configuration of user passwords
during first boot. Example:
# systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo
Note that systemd-sysusers operates in purely additive mode: it
executes no operation if the declared users already exist, and hence
doesn't set any passwords as effect of the command line above if the
specified root user exists already in the image. (Note that
--volatile=yes ensures it doesn't, though.)
* systemd-firstboot now also supports querying various system
parameters via the credential subsystems. Thus, as above this may be
used to initialize important system parameters on first boot of
previously unprovisioned images (i.e. images with a mostly empty
/etc/).
* PID 1 may now show both the unit name and the unit description
strings in its status output during boot. This may be configured with
StatusUnitFormat=combined in system.conf or
systemd.status-unit-format=combined on the kernel command line.
* The systemd-machine-id-setup tool now supports a --image= switch for
provisioning a machine ID file into an OS disk image, similar to how
--root= operates on an OS file tree. This matches the existing switch
of the same name for systemd-tmpfiles, systemd-firstboot, and
systemd-sysusers tools.
* Similarly, systemd-repart gained support for the --image= switch too.
In combination with the existing --size= option, this makes the tool
particularly useful for easily growing disk images in a single
invocation, following the declarative rules included in the image
itself.
* systemd-repart's partition configuration files gained support for a
new switch MakeDirectories= which may be used to create arbitrary
directories inside file systems that are created, before registering
them in the partition table. This is useful in particular for root
partitions to create mount point directories for other partitions
included in the image. For example, a disk image that contains a
root, /home/, and /var/ partitions, may set MakeDirectories=yes to
create /home/ and /var/ as empty directories in the root file system
on its creation, so that the resulting image can be mounted
immediately, even in read-only mode.
* systemd-repart's CopyBlocks= setting gained support for the special
value "auto". If used, a suitable matching partition on the booted OS
is found as source to copy blocks from. This is useful when
implementing replicating installers, that are booted from one medium
and then stream their own root partition onto the target medium.
* systemd-repart's partition configuration files gained support for a
Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
GPT partition flags for the created partitions: this is useful for
marking newly created partitions as read-only, or as not being
subject for automatic mounting from creation on.
* The /etc/os-release file has been extended with two new (optional)
variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version
information for OS images that are updated comprehensively and
atomically as one image. Two new specifiers %M, %A now resolve to
these two fields in the various configuration options that resolve
specifiers.
* portablectl gained a new switch --extension= for enabling portable
service images with extensions that follow the extension image
concept introduced with v248, and thus allows layering multiple
images when setting up the root filesystem of the service.
* systemd-coredump will now extract ELF build-id information from
processes dumping core and include it in the coredump report.
Moreover, it will look for ELF .note.package sections with
distribution packaging meta-information about the crashing process.
This is useful to directly embed the rpm or deb (or any other)
package name and version in ELF files, making it easy to match
coredump reports with the specific package for which the software was
compiled. This is particularly useful on environments with ELF files
from multiple vendors, different distributions and versions, as is
common today in our containerized and sand-boxed world. For further
information, see:
https://systemd.io/COREDUMP_PACKAGE_METADATA
* A new udev hardware database has been added for FireWire devices
(IEEE 1394).
* The "net_id" built-in of udev has been updated with three
backwards-incompatible changes:
- PCI hotplug slot names on s390 systems are now parsed as
hexadecimal numbers. They were incorrectly parsed as decimal
previously, or ignored if the name was not a valid decimal
number.
- PCI onboard indices up to 65535 are allowed. Previously, numbers
above 16383 were rejected. This primarily impacts s390 systems,
where values up to 65535 are used.
- Invalid characters in interface names are replaced with "_".
The new version of the net naming scheme is "v249". The previous
scheme can be selected via the "net.naming_scheme=v247" kernel
command line parameter.
* sd-bus' sd_bus_is_ready() and sd_bus_is_open() calls now accept a
NULL bus object, for which they will return false. Or in other words,
an unallocated bus connection is neither ready nor open.
* The sd-device API acquired a new API function
sd_device_get_usec_initialized() that returns the monotonic time when
the udev device first appeared in the database.
* sd-device gained a new APIs sd_device_trigger_with_uuid() and
sd_device_get_trigger_uuid(). The former is similar to
sd_device_trigger() but returns a randomly generated UUID that is
associated with the synthetic uevent generated by the call. This UUID
may be read from the sd_device object a monitor eventually receives,
via the sd_device_get_trigger_uuid(). This interface requires kernel
4.13 or above to work, and allows tracking a synthetic uevent through
the entire device management stack. The "udevadm trigger --settle"
logic has been updated to make use of this concept if available to
wait precisely for the uevents it generates. "udevadm trigger" also
gained a new parameter --uuid that prints the UUID for each generated
uevent.
* sd-device also gained new APIs sd_device_new_from_ifname() and
sd_device_new_from_ifindex() for allocating an sd-device object for
the specified network interface. The former accepts an interface name
(either a primary or an alternative name), the latter an interface
index.
* The native Journal protocol has been documented. Clients may talk
this as alternative to the classic BSD syslog protocol for locally
delivering log records to the Journal. The protocol has been stable
for a long time and in fact been implemented already in a variety
of alternative client libraries. This documentation makes the support
for that official:
https://systemd.io/JOURNAL_NATIVE_PROTOCOL
* A new BPFProgram= setting has been added to service files. It may be
set to a path to a loaded kernel BPF program, i.e. a path to a bpffs
file, or a bind mount or symlink to one. This may be used to upload
and manage BPF programs externally and then hook arbitrary systemd
services into them.
* The "home.arpa" domain that has been officially declared as the
choice for domain for local home networks per RFC 8375 has been added
to the default NTA list of resolved, since DNSSEC is generally not
available on private domains.
* The CPUAffinity= setting of unit files now resolves "%" specifiers.
* A new ManageForeignRoutingPolicyRules= setting has been added to
.network files which may be used to exclude foreign-created routing
policy rules from systemd-networkd management.
* systemd-network-wait-online gained two new switches -4 and -6 that
may be used to tweak whether to wait for only IPv4 or only IPv6
connectivity.
* .network files gained a new RequiredFamilyForOnline= setting to
fine-tune whether to require an IPv4 or IPv6 address in order to
consider an interface "online".
* networkctl will now show an over-all "online" state in the per-link
information.
* In .network files a new OutgoingInterface= setting has been added to
specify the output interface in bridge FDB setups.
* In .network files the Multipath group ID may now be configured for
[NextHop] entries, via the new Group= setting.
* The DHCP server logic configured in .network files gained a new
setting RelayTarget= that turns the server into a DHCP server relay.
The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used
to further tweak the DHCP relay behaviour.
* The DHCP server logic also gained a new ServerAddress= setting in
.network files that explicitly specifies the server IP address to
use. If not specified, the address is determined automatically, as
before.
* The DHCP server logic in systemd-networkd gained support for static
DHCP leases, configurable via the [DHCPServerStaticLease]
section. This allows explicitly mapping specific MAC addresses to
fixed IP addresses and vice versa.
* The RestrictAddressFamilies= setting in service files now supports a
new special value "none". If specified sockets of all address
families will be made unavailable to services configured that way.
* systemd-fstab-generator and systemd-repart have been updated to
support booting from disks that carry only a /usr/ partition but no
root partition yet, and where systemd-repart can add it in on the
first boot. This is useful for implementing systems that ship with a
single /usr/ file system, and whose root file system shall be set up
and formatted on a LUKS-encrypted volume whose key is generated
locally (and possibly enrolled in the TPM) during the first boot.
* The [Address] section of .network files now accepts a new
RouteMetric= setting that configures the routing metric to use for
the prefix route created as effect of the address configuration.
Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections
gained matching settings for their prefix routes. (The option of the
same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since
it conceptually belongs there; the old option is still understood for
compatibility.)
* The DHCPv6 IAID and DUID are now explicitly configurable in .network
files.
* A new udev property ID_NET_DHCP_BROADCAST on network interface
devices is now honoured by systemd-networkd, controlling whether to
issue DHCP offers via broadcasting. This is used to ensure that s390
layer 3 network interfaces work out-of-the-box with systemd-networkd.
* nss-myhostname and systemd-resolved will now synthesize address
records for a new special hostname "_outbound". The name will always
resolve to the local IP addresses most likely used for outbound
connections towards the default routes. On multi-homed hosts this is
useful to have a stable handle referring to "the" local IP address
that matters most, to the point where this is defined.
* The Discoverable Partition Specification has been updated with a new
GPT partition flag "grow-file-system" defined for its partition
types. Whenever partitions with this flag set are automatically
mounted (i.e. via systemd-gpt-auto-generator or the --image= switch
of systemd-nspawn or other tools; and as opposed to explicit mounting
via /etc/fstab), the file system within the partition is
automatically grown to the full size of the partition. If the file
system size already matches the partition size this flag has no
effect. Previously, this functionality has been available via the
explicit x-systemd.growfs mount option, and this new flag extends
this to automatically discovered mounts. A new GrowFileSystem=
setting has been added to systemd-repart drop-in files that allows
configuring this partition flag. This new flag defaults to on for
partitions automatically created by systemd-repart, except if they
are marked read-only. See the specification for further details:
https://systemd.io/DISCOVERABLE_PARTITIONS
* .network files gained a new setting RoutesToNTP= in the [DHCPv4]
section. If enabled (which is the default), and an NTP server address
is acquired through a DHCP lease on this interface an explicit route
to this address is created on this interface to ensure that NTP
traffic to the NTP server acquired on an interface is also routed
through that interface. The pre-existing RoutesToDNS= setting that
implements the same for DNS servers is now enabled by default.
* A pair of service settings SocketBindAllow= + SocketBindDeny= have
been added that may be used to restrict the network interfaces
sockets created by the service may be bound to. This is implemented
via BPF.
* A new ConditionFirmware= setting has been added to unit files to
conditionalize on certain firmware features. At the moment it may
check whether running on a UEFI system, a device.tree system, or if
the system is compatible with some specified device-tree feature.
* A new ConditionOSRelease= setting has been added to unit files to
check os-release(5) fields. The "=", "!=", "<", "<=", ">=", ">"
operators may be used to check if some field has some specific value
or do an alphanumerical comparison. Equality comparisons are useful
for fields like ID, but relative comparisons for fields like
VERSION_ID or IMAGE_VERSION.
* hostnamed gained a new Describe() D-Bus method that returns a JSON
serialization of the host data it exposes. This is exposed via
"hostnamectl --json=" to acquire a host identity description in JSON.
It's our intention to add a similar features to most services and
objects systemd manages, in order to simplify integration with
program code that can consume JSON.
* Similarly, networkd gained a Describe() method on its Manager and
Link bus objects. This is exposed via "networkctl --json=".
* hostnamectl's various "get-xyz"/"set-xyz" verb pairs
(e.g. "hostnamectl get-hostname", "hostnamectl "set-hostname") have
been replaced by a single "xyz" verb (e.g. "hostnamectl hostname")
that is used both to get the value (when no argument is given), and
to set the value (when an argument is specified). The old names
continue to be supported for compatibility.
* systemd-detect-virt and ConditionVirtualization= are now able to
correctly identify Amazon EC2 environments.
* The LogLevelMax= setting of unit files now applies not only to log
messages generated *by* the service, but also to log messages
generated *about* the service by PID 1. To suppress logs concerning a
specific service comprehensively, set this option to a high log
level.
* bootctl gained support for a new --make-machine-id-directory= switch
that allows precise control on whether to create the top-level
per-machine directory in the boot partition that typically contains
Type 1 boot loader entries.
* During build SBAT data to include in the systemd-boot EFI PE binaries
may be specified now.
* /etc/crypttab learnt a new option "headless". If specified any
requests to query the user interactively for passwords or PINs will
be skipped. This is useful on systems that are headless, i.e. where
an interactive user is generally not present.
* /etc/crypttab also learnt a new option "password-echo=" that allows
configuring whether the encryption password prompt shall echo the
typed password and if so, do so literally or via asterisks. (The
default is the same behaviour as before: provide echo feedback via
asterisks.)
* FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and
systemd-homed has been updated to allow explicit configuration of the
"user presence" and "user verification" checks, as well as whether a
PIN is required for authentication, via the new switches
--fido2-with-user-presence=, --fido2-with-user-verification=,
--fido2-with-client-pin= to systemd-cryptenroll and homectl. Which
features are available, and may be enabled or disabled depends on the
used FIDO2 token.
* systemd-nspawn's --private-user= switch now accepts the special value
"identity" which configures a user namespacing environment with an
identity mapping of 65535 UIDs. This means the container UID 0 is
mapped to the host UID 0, and the UID 1 to host UID 1. On first look
this doesn't appear to be useful, however it does reduce the attack
surface a bit, since the resulting container will possess process
capabilities only within its namespace and not on the host.
* systemd-nspawn's --private-user-chown switch has been replaced by a
more generic --private-user-ownership= switch that accepts one of
three values: "chown" is equivalent to the old --private-user-chown,
and "off" is equivalent to the absence of the old switch. The value
"map" uses the new UID mapping mounts of Linux 5.12 to map ownership
of files and directories of the underlying image to the chosen UID
range for the container. "auto" is equivalent to "map" if UID mapping
mount are supported, otherwise it is equivalent to "chown". The short
-U switch systemd-nspawn now implies --private-user-ownership=auto
instead of the old --private-user-chown. Effectively this means: if
the backing file system supports UID mapping mounts the feature is
now used by default if -U is used. Generally, it's a good idea to use
UID mapping mounts instead of recursive chown()ing, since it allows
running containers off immutable images (since no modifications of
the images need to take place), and share images between multiple
instances. Moreover, the recursive chown()ing operation is slow and
can be avoided. Conceptually it's also a good thing if transient UID
range uses do not leak into persistent file ownership anymore. TLDR:
finally, the last major drawback of user namespacing has been
removed, and -U should always be used (unless you use btrfs, where
UID mapped mounts do not exist; or your container actually needs
privileges on the host).
* nss-systemd now synthesizes user and group shadow records in addition
to the main user and group records. Thus, hashed passwords managed by
systemd-homed are now accessible via the shadow database.
* The userdb logic (and thus nss-systemd, and so on) now read
additional user/group definitions in JSON format from the drop-in
directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and
/usr/lib/userdb/. This is a simple and powerful mechanism for making
additional users available to the system, with full integration into
NSS including the shadow databases. Since the full JSON user/group
record format is supported this may also be used to define users with
resource management settings and other runtime settings that
pam_systemd and systemd-logind enforce at login.
* The userdbctl tool gained two new switches --with-dropin= and
--with-varlink= which can be used to fine-tune the sources used for
user database lookups.
* systemd-nspawn gained a new switch --bind-user= for binding a host
user account into the container. This does three things: the user's
home directory is bind mounted from the host into the container,
below the /run/userdb/home/ hierarchy. A free UID is picked in the
container, and a user namespacing UID mapping to the host user's UID
installed. And finally, a minimal JSON user and group record (along
with its hashed password) is dropped into /run/host/userdb/. These
records are picked up automatically by the userdb drop-in logic
describe above, and allow the user to login with the same password as
on the host. Effectively this means: if host and container run new
enough systemd versions making a host user available to the container
is trivially simple.
* systemd-journal-gatewayd now supports the switches --user, --system,
--merge, --file= that are equivalent to the same switches of
journalctl, and permit exposing only the specified subset of the
Journal records.
* The OnFailure= dependency between units is now augmented with a
implicit reverse dependency OnFailureOf= (this new dependency cannot
be configured directly it's only created as effect of an OnFailure=
dependency in the reverse order — it's visible in "systemctl show"
however). Similar, Slice= now has an reverse dependency SliceOf=,
that is also not configurable directly, but useful to determine all
units that are members of a slice.
* A pair of new dependency types between units PropagatesStopTo= +
StopPropagatedFrom= has been added, that allows propagation of unit
stop events between two units. It operates similar to the existing
PropagatesReloadTo= + ReloadPropagatedFrom= dependencies.
* A new dependency type OnSuccess= has been added (plus the reverse
dependency OnSuccessOf=, which cannot be configured directly, but
exists only as effect of the reverse OnSuccess=). It is similar to
OnFailure=, but triggers in the opposite case: when a service exits
cleanly. This allows "chaining up" of services where one or more
services are started once another service has successfully completed.
* A new dependency type Upholds= has been added (plus the reverse
dependency UpheldBy=, which cannot be configured directly, but exists
only as effect of Upholds=). This dependency type is a stronger form
of Wants=: if a unit has an UpHolds= dependency on some other unit
and the former is active then the latter is started whenever it is
found inactive (and no job is queued for it). This is an alternative
to Restart= inside service units, but less configurable, and the
request to uphold a unit is not encoded in the unit itself but in
another unit that intends to uphold it.
* The systemd-ask-password tool now also supports reading passwords
from the credentials subsystem, via the new --credential= switch.
* The systemd-ask-password tool learnt a new switch --emoji= which may
be used to explicit control whether the lock and key emoji (🔐) is
shown in the password prompt on suitable TTYs.
* The --echo switch of systemd-ask-password now optionally takes a
parameter that controls character echo. It may either show asterisks
(default, as before), turn echo off entirely, or echo the typed
characters literally.
* The systemd-ask-password tool also gained a new -n switch for
suppressing output of a trailing newline character when writing the
acquired password to standard output, similar to /bin/echo's -n
switch.
* New documentation has been added that describes the organization of
the systemd source code tree:
https://systemd.io/ARCHITECTURE
* Units using ConditionNeedsUpdate= will no longer be activated in
the initrd.
* It is now possible to list a template unit in the WantedBy= or
RequiredBy= settings of the [Install] section of another template
unit, which will be instantiated using the same instance name.
* A new MemoryAvailable property is available for units. If the unit,
or the slices it is part of, have a memory limit set via MemoryMax=/
MemoryHigh=, MemoryAvailable will indicate how much more memory the
unit can claim before hitting the limits.
* systemd-coredump will now try to stay below the cgroup memory limit
placed on itself or one of the slices it runs under, if the storage
area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs,
since files written on such filesystems count toward the cgroup memory
limit. If there is not enough available memory in such cases to store
the core file uncompressed, systemd-coredump will skip to compressed
storage directly (if enabled) and it will avoid analyzing the core file
to print backtrace and metadata in the journal.
* tmpfiles.d/ drop-ins gained a new '=' modifier to check if the type
of a path matches the configured expectations, and remove it if not.
* tmpfiles.d/'s 'Age' now accepts an 'age-by' argument, which allows to
specify which of the several available filesystem timestamps (access
time, birth time, change time, modification time) to look at when
deciding whether a path has aged enough to be cleaned.
* A new IPv6StableSecretAddress= setting has been added to .network
files, which takes an IPv6 address to use as secret for IPv6 address
generation.
* The [DHCPServer] logic in .network files gained support for a new
UplinkInterface= setting that permits configuration of the uplink
interface name to propagate DHCP lease information from.
* The WakeOnLan= setting in .link files now accepts a list of flags
instead of a single one, to configure multiple wake-on-LAN policies.
* User-space defined tracepoints (USDT) have been added to udev at
strategic locations. This is useful for tracing udev behaviour and
performance with bpftrace and similar tools.
* systemd-journald-upload gained a new NetworkTimeoutSec= option for
setting a network timeout time.
* If a system service is running in a new mount namespace (RootDirectory=
and friends), all file systems will be mounted with MS_NOSUID by
default, unless the system is running with SELinux enabled.
* When enumerating time zones the timedatectl tool will now consult the
'tzdata.zi' file shipped by the IANA time zone database package, in
addition to 'zone1970.tab', as before. This makes sure time zone
aliases are now correctly supported. Some distributions so far did
not install this additional file, most do however. If you
distribution does not install it yet, it might make sense to change
that.
* Intel HID rfkill event is no longer masked, since it's the only
source of rfkill event on newer HP laptops. To have both backward and
forward compatibility, userspace daemon needs to debounce duplicated
events in a short time window.
Contributions from: Aakash Singh, adrian5, Albert Brox,
Alexander Sverdlin, Alexander Tsoy, Alexey Rubtsov, alexlzhu,
Allen Webb, Alvin Šipraga, Alyssa Ross, Anders Wenhaug,
Andrea Pappacoda, Anita Zhang, asavah, Balint Reczey, Bertrand Jacquin,
borna-blazevic, caoxia2008cxx, Carlo Teubner, Christian Göttsche,
Christian Hesse, Daniel Schaefer, Dan Streetman,
David Santamaría Rogado, David Tardon, Deepak Rawat, dgcampea,
Dimitri John Ledkov, ei-ke, Emilio Herrera, Emil Renner Berthing,
Eric Cook, Flos Lonicerae, Franck Bui, Francois Gervais,
Frantisek Sumsal, Gibeom Gwon, gitm0, Hamish Moffatt, Hans de Goede,
Harsh Barsaiyan, Henri Chain, Hristo Venev, Icenowy Zheng, Igor Zhbanov,
imayoda, Jakub Warczarek, James Buren, Jan Janssen, Jan Macku,
Jan Synacek, Jason Francis, Jayanth Ananthapadmanaban, Jeremy Szu,
Jérôme Carretero, Jesse Stricker, jiangchuangang, Joerg Behrmann,
Jóhann B. Guðmundsson, Jörg Deckert, Jörg Thalheim, Juergen Hoetzel,
Julia Kartseva, Kai-Heng Feng, Khem Raj, KoyamaSohei, laineantti,
Lennart Poettering, LetzteInstanz, Luca Adrian L, Luca Boccassi,
Lucas Magasweran, Mantas Mikulėnas, Marco Antonio Mauro, Mark Wielaard,
Masahiro Matsuya, Matt Johnston, Michael Catanzaro, Michal Koutný,
Michal Sekletár, Mike Crowe, Mike Kazantsev, Milan, milaq,
Miroslav Suchý, Morten Linderud, nerdopolis, nl6720, Noah Meyerhans,
Oleg Popov, Olle Lundberg, Ondrej Kozina, Paweł Marciniak, Perry.Yuan,
Peter Hutterer, Peter Kjellerstedt, Peter Morrow, Phaedrus Leeds,
plattrap, qhill, Raul Tambre, Roman Beranek, Roshan Shariff,
Ryan Hendrickson, Samuel BF, scootergrisen, Sebastian Blunt,
Seong-ho Cho, Sergey Bugaev, Sevan Janiyan, Sibo Dong, simmon,
Simon Watts, Srinidhi Kaushik, Štěpán Němec, Steve Bonds, Susant Sahani,
sverdlin, syyhao1994, Takashi Sakamoto, Topi Miettinen, tramsay,
Trent Piepho, Uwe Kleine-König, Viktor Mihajlovski, Vincent Dechenaux,
Vito Caputo, William A. Kennington III, Yangyang Shen, Yegor Alexeyev,
Yi Gao, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsien, наб
— Edinburgh, 2021-07-07
CHANGES WITH 248:
* A concept of system extension images is introduced. Such images may
be used to extend the /usr/ and /opt/ directory hierarchies at
runtime with additional files (even if the file system is read-only).
When a system extension image is activated, its /usr/ and /opt/
hierarchies and os-release information are combined via overlayfs
with the file system hierarchy of the host OS.
A new systemd-sysext tool can be used to merge, unmerge, list, and
refresh system extension hierarchies. See
https://www.freedesktop.org/software/systemd/man/systemd-sysext.html.
The systemd-sysext.service automatically merges installed system
extensions during boot (before basic.target, but not in very early
boot, since various file systems have to be mounted first).
The SYSEXT_LEVEL= field in os-release(5) may be used to specify the
supported system extension level.
* A new ExtensionImages= unit setting can be used to apply the same
system extension image concept from systemd-sysext to the namespaced
file hierarchy of specific services, following the same rules and
constraints.
* Support for a new special "root=tmpfs" kernel command-line option has
been added. When specified, a tmpfs is mounted on /, and mount.usr=
should be used to point to the operating system implementation.
* A new configuration file /etc/veritytab may be used to configure
dm-verity integrity protection for block devices. Each line is in the
format "volume-name data-device hash-device roothash options",
similar to /etc/crypttab.
* A new kernel command-line option systemd.verity.root_options= may be
used to configure dm-verity behaviour for the root device.
* The key file specified in /etc/crypttab (the third field) may now
refer to an AF_UNIX/SOCK_STREAM socket in the file system. The key is
acquired by connecting to that socket and reading from it. This
allows the implementation of a service to provide key information
dynamically, at the moment when it is needed.
* When the hostname is set explicitly to "localhost", systemd-hostnamed
will respect this. Previously such a setting would be mostly silently
ignored. The goal is to honour configuration as specified by the
user.
* The fallback hostname that will be used by the system manager and
systemd-hostnamed can now be configured in two new ways: by setting
DEFAULT_HOSTNAME= in os-release(5), or by setting
$SYSTEMD_DEFAULT_HOSTNAME in the environment block. As before, it can
also be configured during compilation. The environment variable is
intended for testing and local overrides, the os-release(5) field is
intended to allow customization by different variants of a
distribution that share the same compiled packages.
* The environment block of the manager itself may be configured through
a new ManagerEnvironment= setting in system.conf or user.conf. This
complements existing ways to set the environment block (the kernel
command line for the system manager, the inherited environment and
user@.service unit file settings for the user manager).
* systemd-hostnamed now exports the default hostname and the source of
the configured hostname ("static", "transient", or "default") as
D-Bus properties.
* systemd-hostnamed now exports the "HardwareVendor" and
"HardwareModel" D-Bus properties, which are supposed to contain a
pair of cleaned up, human readable strings describing the system's
vendor and model. It's typically sourced from the firmware's DMI
tables, but may be augmented from a new hwdb database. hostnamectl
shows this in the status output.
* Support has been added to systemd-cryptsetup for extracting the
PKCS#11 token URI and encrypted key from the LUKS2 JSON embedded
metadata header. This allows the information how to open the
encrypted device to be embedded directly in the device and obviates
the need for configuration in an external file.
* systemd-cryptsetup gained support for unlocking LUKS2 volumes using
TPM2 hardware, as well as FIDO2 security tokens (in addition to the
pre-existing support for PKCS#11 security tokens).
* systemd-repart may enroll encrypted partitions using TPM2
hardware. This may be useful for example to create an encrypted /var
partition bound to the machine on first boot.
* A new systemd-cryptenroll tool has been added to enroll TPM2, FIDO2
and PKCS#11 security tokens to LUKS volumes, list and destroy
them. See:
https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
It also supports enrolling "recovery keys" and regular passphrases.
* The libfido2 dependency is now based on dlopen(), so that the library
is used at runtime when installed, but is not a hard runtime
dependency.
* systemd-cryptsetup gained support for two new options in
/etc/crypttab: "no-write-workqueue" and "no-read-workqueue" which
request synchronous processing of encryption/decryption IO.
* The manager may be configured at compile time to use the fexecve()
instead of the execve() system call when spawning processes. Using
fexecve() closes a window between checking the security context of an
executable and spawning it, but unfortunately the kernel displays
stale information in the process' "comm" field, which impacts ps
output and such.
* The configuration option -Dcompat-gateway-hostname has been dropped.
"_gateway" is now the only supported name.
* The ConditionSecurity=tpm2 unit file setting may be used to check if
the system has at least one TPM2 (tpmrm class) device.
* A new ConditionCPUFeature= has been added that may be used to
conditionalize units based on CPU features. For example,
ConditionCPUFeature=rdrand will condition a unit so that it is only
run when the system CPU supports the RDRAND opcode.
* The existing ConditionControlGroupController= setting has been
extended with two new values "v1" and "v2". "v2" means that the
unified v2 cgroup hierarchy is used, and "v1" means that legacy v1
hierarchy or the hybrid hierarchy are used.
* A new PrivateIPC= setting on a unit file allows executed processes to
be moved into a private IPC namespace, with separate System V IPC
identifiers and POSIX message queues.
A new IPCNamespacePath= allows the unit to be joined to an existing
IPC namespace.
* The tables of system calls in seccomp filters are now automatically
generated from kernel lists exported on
https://fedora.juszkiewicz.com.pl/syscalls.html.
The following architectures should now have complete lists:
alpha, arc, arm64, arm, i386, ia64, m68k, mips64n32, mips64, mipso32,
powerpc, powerpc64, s390, s390x, tilegx, sparc, x86_64, x32.
* The MountAPIVFS= service file setting now additionally mounts a tmpfs
on /run/ if it is not already a mount point. A writable /run/ has
always been a requirement for a functioning system, but this was not
guaranteed when using a read-only image.
Users can always specify BindPaths= or InaccessiblePaths= as
overrides, and they will take precedence. If the host's root mount
point is used, there is no change in behaviour.
* New bind mounts and file system image mounts may be injected into the
mount namespace of a service (without restarting it). This is exposed
respectively as 'systemctl bind <unit> <path>…' and
'systemctl mount-image <unit> <image>…'.
* The StandardOutput= and StandardError= settings can now specify files
to be truncated for output (as "truncate:<path>").
* The ExecPaths= and NoExecPaths= settings may be used to specify
noexec for parts of the file system.
* sd-bus has a new function sd_bus_open_user_machine() to open a
connection to the session bus of a specific user in a local container
or on the local host. This is exposed in the existing -M switch to
systemctl and similar tools:
systemctl --user -M lennart@foobar start foo
This will connect to the user bus of a user "lennart" in container
"foobar". If no container name is specified, the specified user on
the host itself is connected to
systemctl --user -M lennart@ start quux
* sd-bus also gained a convenience function sd_bus_message_send() to
simplify invocations of sd_bus_send(), taking only a single
parameter: the message to send.
* sd-event allows rate limits to be set on event sources, for dealing
with high-priority event sources that might starve out others. See
the new man page sd_event_source_set_ratelimit(3) for details.
* systemd.link files gained a [Link] Promiscuous= switch, which allows
the device to be raised in promiscuous mode.
New [Link] TransmitQueues= and ReceiveQueues= settings allow the
number of TX and RX queues to be configured.
New [Link] TransmitQueueLength= setting allows the size of the TX
queue to be configured.
New [Link] GenericSegmentOffloadMaxBytes= and
GenericSegmentOffloadMaxSegments= allow capping the packet size and
the number of segments accepted in Generic Segment Offload.
* systemd-networkd gained support for the "B.A.T.M.A.N. advanced"
wireless routing protocol that operates on ISO/OSI Layer 2 only and
uses ethernet frames to route/bridge packets. This encompasses a new
"batadv" netdev Type=, a new [BatmanAdvanced] section with a bunch of
new settings in .netdev files, and a new BatmanAdvanced= setting in
.network files.
* systemd.network files gained a [Network] RouteTable= configuration
switch to select the routing policy table.
systemd.network files gained a [RoutingPolicyRule] Type=
configuration switch (one of "blackhole, "unreachable", "prohibit").
systemd.network files gained a [IPv6AcceptRA] RouteDenyList= and
RouteAllowList= settings to ignore/accept route advertisements from
routers matching specified prefixes. The DenyList= setting has been
renamed to PrefixDenyList= and a new PrefixAllowList= option has been
added.
systemd.network files gained a [DHCPv6] UseAddress= setting to
optionally ignore the address provided in the lease.
systemd.network files gained a [DHCPv6PrefixDelegation]
ManageTemporaryAddress= switch.
systemd.network files gained a new ActivationPolicy= setting which
allows configuring how the UP state of an interface shall be managed,
i.e. whether the interface is always upped, always downed, or may be
upped/downed by the user using "ip link set dev".
* The default for the Broadcast= setting in .network files has slightly
changed: the broadcast address will not be configured for wireguard
devices.
* systemd.netdev files gained a [VLAN] Protocol=, IngressQOSMaps=,
EgressQOSMaps=, and [MACVLAN] BroadcastMulticastQueueLength=
configuration options for VLAN packet handling.
* udev rules may now set log_level= option. This allows debug logs to
be enabled for select events, e.g. just for a specific subsystem or
even a single device.
* udev now exports the VOLUME_ID, LOGICAL_VOLUME_ID, VOLUME_SET_ID, and
DATA_PREPARED_ID properties for block devices with ISO9660 file
systems.
* udev now exports decoded DMI information about installed memory slots
as device properties under the /sys/class/dmi/id/ pseudo device.
* /dev/ is not mounted noexec anymore. This didn't provide any
significant security benefits and would conflict with the executable
mappings used with /dev/sgx device nodes. The previous behaviour can
be restored for individual services with NoExecPaths=/dev (or by allow-
listing and excluding /dev from ExecPaths=).
* Permissions for /dev/vsock are now set to 0o666, and /dev/vhost-vsock
and /dev/vhost-net are owned by the kvm group.
* The hardware database has been extended with a list of fingerprint
readers that correctly support USB auto-suspend using data from
libfprint.
* systemd-resolved can now answer DNSSEC questions through the stub
resolver interface in a way that allows local clients to do DNSSEC
validation themselves. For a question with DO+CD set, it'll proxy the
DNS query and respond with a mostly unmodified packet received from
the upstream server.
* systemd-resolved learnt a new boolean option CacheFromLocalhost= in
resolved.conf. If true the service will provide caching even for DNS
lookups made to an upstream DNS server on the 127.0.0.1/::1
addresses. By default (and when the option is false) systemd-resolved
will not cache such lookups, in order to avoid duplicate local
caching, under the assumption the local upstream server caches
anyway.
* systemd-resolved now implements RFC5001 NSID in its local DNS
stub. This may be used by local clients to determine whether they are
talking to the DNS resolver stub or a different DNS server.
* When resolving host names and other records resolvectl will now
report where the data was acquired from (i.e. the local cache, the
network, locally synthesized, …) and whether the network traffic it
effected was encrypted or not. Moreover the tool acquired a number of
new options --cache=, --synthesize=, --network=, --zone=,
--trust-anchor=, --validate= that take booleans and may be used to
tweak a lookup, i.e. whether it may be answered from cached
information, locally synthesized information, information acquired
through the network, the local mDNS/LLMNR zone, the DNSSEC trust
anchor, and whether DNSSEC validation shall be executed for the
lookup.
* systemd-nspawn gained a new --ambient-capability= setting
(AmbientCapability= in .nspawn files) to configure ambient
capabilities passed to the container payload.
* systemd-nspawn gained the ability to configure the firewall using the
nftables subsystem (in addition to the existing iptables
support). Similarly, systemd-networkd's IPMasquerade= option now
supports nftables as back-end, too. In both cases NAT on IPv6 is now
supported too, in addition to IPv4 (the iptables back-end still is
IPv4-only).
"IPMasquerade=yes", which was the same as "IPMasquerade=ipv4" before,
retains its meaning, but has been deprecated. Please switch to either
"ivp4" or "both" (if covering IPv6 is desired).
* systemd-importd will now download .verity and .roothash.p7s files
along with the machine image (as exposed via machinectl pull-raw).
* systemd-oomd now gained a new DefaultMemoryPressureDurationSec=
setting to configure the time a unit's cgroup needs to exceed memory
pressure limits before action will be taken, and a new
ManagedOOMPreference=none|avoid|omit setting to avoid killing certain
units.
systemd-oomd is now considered fully supported (the usual
backwards-compatibility promises apply). Swap is not required for
operation, but it is still recommended.
* systemd-timesyncd gained a new ConnectionRetrySec= setting which
configures the retry delay when trying to contact servers.
* systemd-stdio-bridge gained --system/--user options to connect to the
system bus (previous default) or the user session bus.
* systemd-localed may now call locale-gen to generate missing locales
on-demand (UTF-8-only). This improves integration with Debian-based
distributions (Debian/Ubuntu/PureOS/Tanglu/...) and Arch Linux.
* systemctl --check-inhibitors=true may now be used to obey inhibitors
even when invoked non-interactively. The old --ignore-inhibitors
switch is now deprecated and replaced by --check-inhibitors=false.
* systemctl import-environment will now emit a warning when called
without any arguments (i.e. to import the full environment block of
the called program). This command will usually be invoked from a
shell, which means that it'll inherit a bunch of variables which are
specific to that shell, and usually to the TTY the shell is connected
to, and don't have any meaning in the global context of the system or
user service manager. Instead, only specific variables should be
imported into the manager environment block.
Similarly, programs which update the manager environment block by
directly calling the D-Bus API of the manager, should also push
specific variables, and not the full inherited environment.
* systemctl's status output now shows unit state with a more careful
choice of Unicode characters: units in maintenance show a "○" symbol
instead of the usual "●", failed units show "×", and services being
reloaded "↻".
* coredumpctl gained a --debugger-arguments= switch to pass arguments
to the debugger. It also gained support for showing coredump info in
a simple JSON format.
* systemctl/loginctl/machinectl's --signal= option now accept a special
value "list", which may be used to show a brief table with known
process signals and their numbers.
* networkctl now shows the link activation policy in status.
* Various tools gained --pager/--no-pager/--json= switches to
enable/disable the pager and provide JSON output.
* Various tools now accept two new values for the SYSTEMD_COLORS
environment variable: "16" and "256", to configure how many terminal
colors are used in output.
* less 568 or newer is now required for the auto-paging logic of the
various tools. Hyperlink ANSI sequences in terminal output are now
used even if a pager is used, and older versions of less are not able
to display these sequences correctly. SYSTEMD_URLIFY=0 may be used to
disable this output again.
* Builds with support for separate / and /usr/ hierarchies ("split-usr"
builds, non-merged-usr builds) are now officially deprecated. A
warning is emitted during build. Support is slated to be removed in
about a year (when the Debian Bookworm release development starts).
* Systems with the legacy cgroup v1 hierarchy are now marked as
"tainted", to make it clearer that using the legacy hierarchy is not
recommended.
* systemd-localed will now refuse to configure a keymap which is not
installed in the file system. This is intended as a bug fix, but
could break cases where systemd-localed was used to configure the
keymap in advanced of it being installed. It is necessary to install
the keymap file first.
* The main git development branch has been renamed to 'main'.
* mmcblk[0-9]boot[0-9] devices will no longer be probed automatically
for partitions, as in the vast majority of cases they contain none
and are used internally by the bootloader (eg: uboot).
* systemd will now set the $SYSTEMD_EXEC_PID environment variable for
spawned processes to the PID of the process itself. This may be used
by programs for detecting whether they were forked off by the service
manager itself or are a process forked off further down the tree.
* The sd-device API gained four new calls: sd_device_get_action() to
determine the uevent add/remove/change/… action the device object has
been seen for, sd_device_get_seqno() to determine the uevent sequence
number, sd_device_new_from_stat_rdev() to allocate a new sd_device
object from stat(2) data of a device node, and sd_device_trigger() to
write to the 'uevent' attribute of a device.
* For most tools the --no-legend= switch has been replaced by
--legend=no and --legend=yes, to force whether tables are shown with
headers/legends.
* Units acquired a new property "Markers" that takes a list of zero,
one or two of the following strings: "needs-reload" and
"needs-restart". These markers may be set via "systemctl
set-property". Once a marker is set, "systemctl reload-or-restart
--marked" may be invoked to execute the operation the units are
marked for. This is useful for package managers that want to mark
units for restart/reload while updating, but effect the actual
operations at a later step at once.
* The sd_bus_message_read_strv() API call of sd-bus may now also be
used to parse arrays of D-Bus signatures and D-Bus paths, in addition
to regular strings.
* bootctl will now report whether the UEFI firmware used a TPM2 device
and measured the boot process into it.
* systemd-tmpfiles learnt support for a new environment variable
$SYSTEMD_TMPFILES_FORCE_SUBVOL which takes a boolean value. If true
the v/q/Q lines in tmpfiles.d/ snippets will create btrfs subvolumes
even if the root fs of the system is not itself a btrfs volume.
* systemd-detect-virt/ConditionVirtualization= will now explicitly
detect Docker/Podman environments where possible. Moreover, they
should be able to generically detect any container manager as long as
it assigns the container a cgroup.
* portablectl gained a new "reattach" verb for detaching/reattaching a
portable service image, useful for updating images on-the-fly.
* Intel SGX enclave device nodes (which expose a security feature of
newer Intel CPUs) will now be owned by a new system group "sgx".
Contributions from: Adam Nielsen, Adrian Vovk, AJ Jordan, Alan Perry,
Alastair Pharo, Alexander Batischev, Ali Abdallah, Andrew Balmos,
Anita Zhang, Annika Wickert, Ansgar Burchardt, Antonio Terceiro,
Antonius Frie, Ardy, Arian van Putten, Ariel Fermani, Arnaud T,
A S Alam, Bastien Nocera, Benjamin Berg, Benjamin Robin, Björn Daase,
caoxia, Carlo Wood, Charles Lee, ChopperRob, chri2, Christian Ehrhardt,
Christian Hesse, Christopher Obbard, clayton craft, corvusnix, cprn,
Daan De Meyer, Daniele Medri, Daniel Rusek, Dan Sanders, Dan Streetman,
Darren Ng, David Edmundson, David Tardon, Deepak Rawat, Devon Pringle,
Dmitry Borodaenko, dropsignal, Einsler Lee, Endre Szabo,
Evgeny Vereshchagin, Fabian Affolter, Fangrui Song, Felipe Borges,
feliperodriguesfr, Felix Stupp, Florian Hülsmann, Florian Klink,
Florian Westphal, Franck Bui, Frantisek Sumsal, Gablegritule,
Gaël PORTAY, Gaurav, Giedrius Statkevičius, Greg Depoire-Ferrer,
Gustavo Costa, Hans de Goede, Hela Basa, heretoenhance, hide,
Iago López Galeiras, igo95862, Ilya Dmitrichenko, Jameer Pathan,
Jan Tojnar, Jiehong, Jinyuan Si, Joerg Behrmann, John Slade,
Jonathan G. Underwood, Jonathan McDowell, Josh Triplett, Joshua Watt,
Julia Cartwright, Julien Humbert, Kairui Song, Karel Zak,
Kevin Backhouse, Kevin P. Fleming, Khem Raj, Konomi, krissgjeng,
l4gfcm, Lajos Veres, Lennart Poettering, Lincoln Ramsay, Luca Boccassi,
Luca BRUNO, Lucas Werkmeister, Luka Kudra, Luna Jernberg,
Marc-André Lureau, Martin Wilck, Matthias Klumpp, Matt Turner,
Michael Gisbers, Michael Marley, Michael Trapp, Michal Fabik,
Michał Kopeć, Michal Koutný, Michal Sekletár, Michele Guerini Rocco,
Mike Gilbert, milovlad, moson-mo, Nick, nihilix-melix, Oğuz Ersen,
Ondrej Mosnacek, pali, Pavel Hrdina, Pavel Sapezhko, Perry Yuan,
Peter Hutterer, Pierre Dubouilh, Piotr Drąg, Pjotr Vertaalt,
Richard Laager, RussianNeuroMancer, Sam Lunt, Sebastiaan van Stijn,
Sergey Bugaev, shenyangyang4, simmon, Simonas Kazlauskas,
Slimane Selyan Amiri, Stefan Agner, Steve Ramage, Susant Sahani,
Sven Mueller, Tad Fisher, Takashi Iwai, Thomas Haller, Tom Shield,
Topi Miettinen, Torsten Hilbrich, tpgxyz, Tyler Hicks, ulf-f,
Ulrich Ölmann, Vincent Pelletier, Vinnie Magro, Vito Caputo, Vlad,
walbit-de, Whired Planck, wouter bolsterlee, X Ruoyao, Yangyang Shen,
Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek,
Zmicer Turok, Дамјан Георгиевски
— Berlin, 2021-03-30
CHANGES WITH 247:
* KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents
"bind" and "unbind" to the Linux device model. When this kernel
change was made, systemd-udevd was only minimally updated to handle
and propagate these new event types. The introduction of these new
uevents (which are typically generated for USB devices and devices
needing a firmware upload before being functional) resulted in a
number of issues which we so far didn't address. We hoped the kernel
maintainers would themselves address these issues in some form, but
that did not happen. To handle them properly, many (if not most) udev
rules files shipped in various packages need updating, and so do many
programs that monitor or enumerate devices with libudev or sd-device,
or otherwise process uevents. Please note that this incompatibility
is not fault of systemd or udev, but caused by an incompatible kernel
change that happened back in Linux 4.14, but is becoming more and
more visible as the new uevents are generated by more kernel drivers.
To minimize issues resulting from this kernel change (but not avoid
them entirely) starting with systemd-udevd 247 the udev "tags"
concept (which is a concept for marking and filtering devices during
enumeration and monitoring) has been reworked: udev tags are now
"sticky", meaning that once a tag is assigned to a device it will not
be removed from the device again until the device itself is removed
(i.e. unplugged). This makes sure that any application monitoring
devices that match a specific tag is guaranteed to both see uevents
where the device starts being relevant, and those where it stops
being relevant (the latter now regularly happening due to the new
"unbind" uevent type). The udev tags concept is hence now a concept
tied to a *device* instead of a device *event* — unlike for example
udev properties whose lifecycle (as before) is generally tied to a
device event, meaning that the previously determined properties are
forgotten whenever a new uevent is processed.
With the newly redefined udev tags concept, sometimes it's necessary
to determine which tags are the ones applied by the most recent
uevent/database update, in order to discern them from those
originating from earlier uevents/database updates of the same
device. To accommodate for this a new automatic property CURRENT_TAGS
has been added that works similar to the existing TAGS property but
only lists tags set by the most recent uevent/database
update. Similarly, the libudev/sd-device API has been updated with
new functions to enumerate these 'current' tags, in addition to the
existing APIs that now enumerate the 'sticky' ones.
To properly handle "bind"/"unbind" on Linux 4.14 and newer it is
essential that all udev rules files and applications are updated to
handle the new events. Specifically:
• All rule files that currently use a header guard similar to
ACTION!="add|change",GOTO="xyz_end" should be updated to use
ACTION=="remove",GOTO="xyz_end" instead, so that the
properties/tags they add are also applied whenever "bind" (or
"unbind") is seen. (This is most important for all physical device
types — those for which "bind" and "unbind" are currently
generated, for all other device types this change is still
recommended but not as important — but certainly prepares for
future kernel uevent type additions).
• Similarly, all code monitoring devices that contains an 'if' branch
discerning the "add" + "change" uevent actions from all other
uevents actions (i.e. considering devices only relevant after "add"
or "change", and irrelevant on all other events) should be reworked
to instead negatively check for "remove" only (i.e. considering
devices relevant after all event types, except for "remove", which
invalidates the device). Note that this also means that devices
should be considered relevant on "unbind", even though conceptually
this — in some form — invalidates the device. Since the precise
effect of "unbind" is not generically defined, devices should be
considered relevant even after "unbind", however I/O errors
accessing the device should then be handled gracefully.
• Any code that uses device tags for deciding whether a device is
relevant or not most likely needs to be updated to use the new
udev_device_has_current_tag() API (or sd_device_has_current_tag()
in case sd-device is used), to check whether the tag is set at the
moment an uevent is seen (as opposed to the existing
udev_device_has_tag() API which checks if the tag ever existed on
the device, following the API concept redefinition explained
above).
We are very sorry for this breakage and the requirement to update
packages using these interfaces. We'd again like to underline that
this is not caused by systemd/udev changes, but result of a kernel
behaviour change.
* UPCOMING INCOMPATIBILITY: So far most downstream distribution
packages have not retriggered devices once the udev package (or any
auxiliary package installing additional udev rules) is updated. We
intend to work with major distributions to change this, so that
"udevadm trigger -c change" is issued on such upgrades, ensuring that
the updated ruleset is applied to the devices already discovered, so
that (asynchronously) after the upgrade completed the udev database
is consistent with the updated rule set. This means udev rules must
be ready to be retriggered with a "change" action any time, and
result in correct and complete udev database entries. While the
majority of udev rule files known to us currently get this right,
some don't. Specifically, there are udev rules files included in
various packages that only set udev properties on the "add" action,
but do not handle the "change" action. If a device matching those
rules is retriggered with the "change" action (as is intended here)
it would suddenly lose the relevant properties. This always has been
problematic, but as soon as all udev devices are triggered on relevant
package upgrades this will become particularly so. It is strongly
recommended to fix offending rules so that they can handle a "change"
action at any time, and acquire all necessary udev properties even
then. Or in other words: the header guard mentioned above
(ACTION=="remove",GOTO="xyz_end") is the correct approach to handle
this, as it makes sure rules are rerun on "change" correctly, and
accumulate the correct and complete set of udev properties. udev rule
definitions that cannot handle "change" events being triggered at
arbitrary times should be considered buggy.
* The MountAPIVFS= service file setting now defaults to on if
RootImage= and RootDirectory= are used, which means that with those
two settings /proc/, /sys/ and /dev/ are automatically properly set
up for services. Previous behaviour may be restored by explicitly
setting MountAPIVFS=off.
* Since PAM 1.2.0 (2015) configuration snippets may be placed in
/usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the
latter it takes precedence over the former, similar to how most of
systemd's own configuration is handled. Given that PAM stack
definitions are primarily put together by OS vendors/distributions
(though possibly overridden by users), this systemd release moves its
own PAM stack configuration for the "systemd-user" PAM service (i.e.
for the PAM session invoked by the per-user user@.service instance)
from /etc/pam.d/ to /usr/lib/pam.d/. We recommend moving all
packages' vendor versions of their PAM stack definitions from
/etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not
desired the location to which systemd installs its PAM stack
configuration may be changed via the -Dpamconfdir Meson option.
* The runtime dependencies on libqrencode, libpcre2, libidn/libidn2,
libpwquality and libcryptsetup have been changed to be based on
dlopen(): instead of regular dynamic library dependencies declared in
the binary ELF headers, these libraries are now loaded on demand
only, if they are available. If the libraries cannot be found the
relevant operations will fail gracefully, or a suitable fallback
logic is chosen. This is supposed to be useful for general purpose
distributions, as it allows minimizing the list of dependencies the
systemd packages pull in, permitting building of more minimal OS
images, while still making use of these "weak" dependencies should
they be installed. Since many package managers automatically
synthesize package dependencies from ELF shared library dependencies,
some additional manual packaging work has to be done now to replace
those (slightly downgraded from "required" to "recommended" or
whatever is conceptually suitable for the package manager). Note that
this change does not alter build-time behaviour: as before the
build-time dependencies have to be installed during build, even if
they now are optional during runtime.
* sd-event.h gained a new call sd_event_add_time_relative() for
installing timers relative to the current time. This is mostly a
convenience wrapper around the pre-existing sd_event_add_time() call
which installs absolute timers.
* sd-event event sources may now be placed in a new "exit-on-failure"
mode, which may be controlled via the new
sd_event_source_get_exit_on_failure() and
sd_event_source_set_exit_on_failure() functions. If enabled, any
failure returned by the event source handler functions will result in
exiting the event loop (unlike the default behaviour of just
disabling the event source but continuing with the event loop). This
feature is useful to set for all event sources that define "primary"
program behaviour (where failure should be fatal) in contrast to
"auxiliary" behaviour (where failure should remain local).
* Most event source types sd-event supports now accept a NULL handler
function, in which case the event loop is exited once the event
source is to be dispatched, using the userdata pointer — converted to
a signed integer — as exit code of the event loop. Previously this
was supported for IO and signal event sources already. Exit event
sources still do not support this (simply because it makes little
sense there, as the event loop is already exiting when they are
dispatched).
* A new per-unit setting RootImageOptions= has been added which allows
tweaking the mount options for any file system mounted as effect of
the RootImage= setting.
* Another new per-unit setting MountImages= has been added, that allows
mounting additional disk images into the file system tree accessible
to the service.
* Timer units gained a new FixedRandomDelay= boolean setting. If
enabled, the random delay configured with RandomizedDelaySec= is
selected in a way that is stable on a given system (though still
different for different units).
* Socket units gained a new setting Timestamping= that takes "us", "ns"
or "off". This controls the SO_TIMESTAMP/SO_TIMESTAMPNS socket
options.
* systemd-repart now generates JSON output when requested with the new
--json= switch.
* systemd-machined's OpenMachineShell() bus call will now pass
additional policy metadata data fields to the PolicyKit
authentication request.
* systemd-tmpfiles gained a new -E switch, which is equivalent to
--exclude-prefix=/dev --exclude-prefix=/proc --exclude=/run
--exclude=/sys. It's particularly useful in combination with --root=,
when operating on OS trees that do not have any of these four runtime
directories mounted, as this means no files below these subtrees are
created or modified, since those mount points should probably remain
empty.
* systemd-tmpfiles gained a new --image= switch which is like --root=,
but takes a disk image instead of a directory as argument. The
specified disk image is mounted inside a temporary mount namespace
and the tmpfiles.d/ drop-ins stored in the image are executed and
applied to the image. systemd-sysusers similarly gained a new
--image= switch, that allows the sysusers.d/ drop-ins stored in the
image to be applied onto the image.
* Similarly, the journalctl command also gained an --image= switch,
which is a quick one-step solution to look at the log data included
in OS disk images.
* journalctl's --output=cat option (which outputs the log content
without any metadata, just the pure text messages) will now make use
of terminal colors when run on a suitable terminal, similarly to the
other output modes.
* JSON group records now support a "description" string that may be
used to add a human-readable textual description to such groups. This
is supposed to match the user's GECOS field which traditionally
didn't have a counterpart for group records.
* The "systemd-dissect" tool that may be used to inspect OS disk images
and that was previously installed to /usr/lib/systemd/ has now been
moved to /usr/bin/, reflecting its updated status of an officially
supported tool with a stable interface. It gained support for a new
--mkdir switch which when combined with --mount has the effect of
creating the directory to mount the image to if it is missing
first. It also gained two new commands --copy-from and --copy-to for
copying files and directories in and out of an OS image without the
need to manually mount it. It also acquired support for a new option
--json= to generate JSON output when inspecting an OS image.
* The cgroup2 file system is now mounted with the
"memory_recursiveprot" mount option, supported since kernel 5.7. This
means that the MemoryLow= and MemoryMin= unit file settings now apply
recursively to whole subtrees.
* systemd-homed now defaults to using the btrfs file system — if
available — when creating home directories in LUKS volumes. This may
be changed with the DefaultFileSystemType= setting in homed.conf.
It's now the default file system in various major distributions and
has the major benefit for homed that it can be grown and shrunk while
mounted, unlike the other contenders ext4 and xfs, which can both be
grown online, but not shrunk (in fact xfs is the technically most
limited option here, as it cannot be shrunk at all).
* JSON user records managed by systemd-homed gained support for
"recovery keys". These are basically secondary passphrases that can
unlock user accounts/home directories. They are computer-generated
rather than user-chosen, and typically have greater entropy.
homectl's --recovery-key= option may be used to add a recovery key to
a user account. The generated recovery key is displayed as a QR code,
so that it can be scanned to be kept in a safe place. This feature is
particularly useful in combination with systemd-homed's support for
FIDO2 or PKCS#11 authentication, as a secure fallback in case the
security tokens are lost. Recovery keys may be entered wherever the
system asks for a password.
* systemd-homed now maintains a "dirty" flag for each LUKS encrypted
home directory which indicates that a home directory has not been
deactivated cleanly when offline. This flag is useful to identify
home directories for which the offline discard logic did not run when
offlining, and where it would be a good idea to log in again to catch
up.
* systemctl gained a new parameter --timestamp= which may be used to
change the style in which timestamps are output, i.e. whether to show
them in local timezone or UTC, or whether to show µs granularity.
* Alibaba's "pouch" container manager is now detected by
systemd-detect-virt, ConditionVirtualization= and similar
constructs. Similar, they now also recognize IBM PowerVM machine
virtualization.
* systemd-nspawn has been reworked to use the /run/host/incoming/ as
place to use for propagating external mounts into the
container. Similarly /run/host/notify is now used as the socket path
for container payloads to communicate with the container manager
using sd_notify(). The container manager now uses the
/run/host/inaccessible/ directory to place "inaccessible" file nodes
of all relevant types which may be used by the container payload as
bind mount source to over-mount inodes to make them inaccessible.
/run/host/container-manager will now be initialized with the same
string as the $container environment variable passed to the
container's PID 1. /run/host/container-uuid will be initialized with
the same string as $container_uuid. This means the /run/host/
hierarchy is now the primary way to make host resources available to
the container. The Container Interface documents these new files and
directories:
https://systemd.io/CONTAINER_INTERFACE
* Support for the "ConditionNull=" unit file condition has been
deprecated and undocumented for 6 years. systemd started to warn
about its use 1.5 years ago. It has now been removed entirely.
* sd-bus.h gained a new API call sd_bus_error_has_names(), which takes
a sd_bus_error struct and a list of error names, and checks if the
error matches one of these names. It's a convenience wrapper that is
useful in cases where multiple errors shall be handled the same way.
* A new system call filter list "@known" has been added, that contains
all system calls known at the time systemd was built.
* Behaviour of system call filter allow lists has changed slightly:
system calls that are contained in @known will result in EPERM by
default, while those not contained in it result in ENOSYS. This
should improve compatibility because known system calls will thus be
communicated as prohibited, while unknown (and thus newer ones) will
be communicated as not implemented, which hopefully has the greatest
chance of triggering the right fallback code paths in client
applications.
* "systemd-analyze syscall-filter" will now show two separate sections
at the bottom of the output: system calls known during systemd build
time but not included in any of the filter groups shown above, and
system calls defined on the local kernel but known during systemd
build time.
* If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
systemd-nspawn all system call filter violations will be logged by
the kernel (audit). This is useful for tracking down system calls
invoked by container payloads that are prohibited by the container's
system call filter policy.
* If the $SYSTEMD_SECCOMP=0 environment variable is set for
systemd-nspawn (and other programs that use seccomp) all seccomp
filtering is turned off.
* Two new unit file settings ProtectProc= and ProcSubset= have been
added that expose the hidepid= and subset= mount options of procfs.
All processes of the unit will only see processes in /proc that are
are owned by the unit's user. This is an important new sandboxing
option that is recommended to be set on all system services. All
long-running system services that are included in systemd itself set
this option now. This option is only supported on kernel 5.8 and
above, since the hidepid= option supported on older kernels was not a
per-mount option but actually applied to the whole PID namespace.
* Socket units gained a new boolean setting FlushPending=. If enabled
all pending socket data/connections are flushed whenever the socket
unit enters the "listening" state, i.e. after the associated service
exited.
* The unit file setting NUMAMask= gained a new "all" value: when used,
all existing NUMA nodes are added to the NUMA mask.
* A new "credentials" logic has been added to system services. This is
a simple mechanism to pass privileged data to services in a safe and
secure way. It's supposed to be used to pass per-service secret data
such as passwords or cryptographic keys but also associated less
private information such as user names, certificates, and similar to
system services. Each credential is identified by a short user-chosen
name and may contain arbitrary binary data. Two new unit file
settings have been added: SetCredential= and LoadCredential=. The
former allows setting a credential to a literal string, the latter
sets a credential to the contents of a file (or data read from a
user-chosen AF_UNIX stream socket). Credentials are passed to the
service via a special credentials directory, one file for each
credential. The path to the credentials directory is passed in a new
$CREDENTIALS_DIRECTORY environment variable. Since the credentials
are passed in the file system they may be easily referenced in
ExecStart= command lines too, thus no explicit support for the
credentials logic in daemons is required (though ideally daemons
would look for the bits they need in $CREDENTIALS_DIRECTORY
themselves automatically, if set). The $CREDENTIALS_DIRECTORY is
backed by unswappable memory if privileges allow it, immutable if
privileges allow it, is accessible only to the service's UID, and is
automatically destroyed when the service stops.
* systemd-nspawn supports the same credentials logic. It can both
consume credentials passed to it via the aforementioned
$CREDENTIALS_DIRECTORY protocol as well as pass these credentials on
to its payload. The service manager/PID 1 has been updated to match
this: it can also accept credentials from the container manager that
invokes it (in fact: any process that invokes it), and passes them on
to its services. Thus, credentials can be propagated recursively down
the tree: from a system's service manager to a systemd-nspawn
service, to the service manager that runs as container payload and to
the service it runs below. Credentials may also be added on the
systemd-nspawn command line, using new --set-credential= and
--load-credential= command line switches that match the
aforementioned service settings.
* systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in
the partition drop-ins which may be used to format/LUKS
encrypt/populate any created partitions. The partitions are
encrypted/formatted/populated before they are registered in the
partition table, so that they appear atomically: either the
partitions do not exist yet or they exist fully encrypted, formatted,
and populated — there is no time window where they are
"half-initialized". Thus the system is robust to abrupt shutdown: if
the tool is terminated half-way during its operations on next boot it
will start from the beginning.
* systemd-repart's --size= operation gained a new "auto" value. If
specified, and operating on a loopback file it is automatically sized
to the minimal size the size constraints permit. This is useful to
use "systemd-repart" as an image builder for minimally sized images.
* systemd-resolved now gained a third IPC interface for requesting name
resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink
interface is now supported. The nss-resolve NSS module has been
modified to use this new interface instead of D-Bus. Using Varlink
has a major benefit over D-Bus: it works without a broker service,
and thus already during earliest boot, before the dbus daemon has
been started. This means name resolution via systemd-resolved now
works at the same time systemd-networkd operates: from earliest boot
on, including in the initrd.
* systemd-resolved gained support for a new DNSStubListenerExtra=
configuration file setting which may be used to specify additional IP
addresses the built-in DNS stub shall listen on, in addition to the
main one on 127.0.0.53:53.
* Name lookups issued via systemd-resolved's D-Bus and Varlink
interfaces (and thus also via glibc NSS if nss-resolve is used) will
now honour a trailing dot in the hostname: if specified the search
path logic is turned off. Thus "resolvectl query foo." is now
equivalent to "resolvectl query --search=off foo.".
* systemd-resolved gained a new D-Bus property "ResolvConfMode" that
exposes how /etc/resolv.conf is currently managed: by resolved (and
in which mode if so) or another subsystem. "resolvctl" will display
this property in its status output.
* The resolv.conf snippets systemd-resolved provides will now set "."
as the search domain if no other search domain is known. This turns
off the derivation of an implicit search domain by nss-dns for the
hostname, when the hostname is set to an FQDN. This change is done to
make nss-dns using resolv.conf provided by systemd-resolved behave
more similarly to nss-resolve.
* systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of
/tmp/ and /var/tmp/ based on file timestamps) now looks at the
"birth" time (btime) of a file in addition to the atime, mtime, and
ctime.
* systemd-analyze gained a new verb "capability" that lists all known
capabilities by the systemd build and by the kernel.
* If a file /usr/lib/clock-epoch exists, PID 1 will read its mtime and
advance the system clock to it at boot if it is noticed to be before
that time. Previously, PID 1 would only advance the time to an epoch
time that is set during build-time. With this new file OS builders
can change this epoch timestamp on individual OS images without
having to rebuild systemd.
* systemd-logind will now listen to the KEY_RESTART key from the Linux
input layer and reboot the system if it is pressed, similarly to how
it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART
was originally defined in the Multimedia context (to restart playback
of a song or film), but is now primarily used in various embedded
devices for "Reboot" buttons. Accordingly, systemd-logind will now
honour it as such. This may configured in more detail via the new
HandleRebootKey= and RebootKeyIgnoreInhibited=.
* systemd-nspawn/systemd-machined will now reconstruct hardlinks when
copying OS trees, for example in "systemd-nspawn --ephemeral",
"systemd-nspawn --template=", "machinectl clone" and similar. This is
useful when operating with OSTree images, which use hardlinks heavily
throughout, and where such copies previously resulting in "exploding"
hardlinks.
* systemd-nspawn's --console= setting gained support for a new
"autopipe" value, which is identical to "interactive" when invoked on
a TTY, and "pipe" otherwise.
* systemd-networkd's .network files gained support for explicitly
configuring the multicast membership entries of bridge devices in the
[BridgeMDB] section. It also gained support for the PIE queuing
discipline in the [FlowQueuePIE] sections.
* systemd-networkd's .netdev files may now be used to create "BareUDP"
tunnels, configured in the new [BareUDP] setting.
* systemd-networkd's Gateway= setting in .network files now accepts the
special values "_dhcp4" and "_ipv6ra" to configure additional,
locally defined, explicit routes to the gateway acquired via DHCP or
IPv6 Router Advertisements. The old setting "_dhcp" is deprecated,
but still accepted for backwards compatibility.
* systemd-networkd's [IPv6PrefixDelegation] section and
IPv6PrefixDelegation= options have been renamed as [IPv6SendRA] and
IPv6SendRA= (the old names are still accepted for backwards
compatibility).
* systemd-networkd's .network files gained the DHCPv6PrefixDelegation=
boolean setting in [Network] section. If enabled, the delegated prefix
gained by another link will be configured, and an address within the
prefix will be assigned.
* systemd-networkd's .network files gained the Announce= boolean setting
in [DHCPv6PrefixDelegation] section. When enabled, the delegated
prefix will be announced through IPv6 router advertisement (IPv6 RA).
The setting is enabled by default.
* VXLAN tunnels may now be marked as independent of any underlying
network interface via the new Independent= boolean setting.
* systemctl gained support for two new verbs: "service-log-level" and
"service-log-target" may be used on services that implement the
generic org.freedesktop.LogControl1 D-Bus interface to dynamically
adjust the log level and target. All of systemd's long-running
services support this now, but ideally all system services would
implement this interface to make the system more uniformly
debuggable.
* The SystemCallErrorNumber= unit file setting now accepts the new
"kill" and "log" actions, in addition to arbitrary error number
specifications as before. If "kill" the processes are killed on the
event, if "log" the offending system call is audit logged.
* A new SystemCallLog= unit file setting has been added that accepts a
list of system calls that shall be logged about (audit).
* The OS image dissection logic (as used by RootImage= in unit files or
systemd-nspawn's --image= switch) has gained support for identifying
and mounting explicit /usr/ partitions, which are now defined in the
discoverable partition specification. This should be useful for
environments where the root file system is
generated/formatted/populated dynamically on first boot and combined
with an immutable /usr/ tree that is supplied by the vendor.
* In the final phase of shutdown, within the systemd-shutdown binary
we'll now try to detach MD devices (i.e software RAID) in addition to
loopback block devices and DM devices as before. This is supposed to
be a safety net only, in order to increase robustness if things go
wrong. Storage subsystems are expected to properly detach their
storage volumes during regular shutdown already (or in case of
storage backing the root file system: in the initrd hook we return to
later).
* If the SYSTEMD_LOG_TID environment variable is set all systemd tools
will now log the thread ID in their log output. This is useful when
working with heavily threaded programs.
* If the SYSTEMD_RDRAND environment variable is set to "0", systemd will
not use the RDRAND CPU instruction. This is useful in environments
such as replay debuggers where non-deterministic behaviour is not
desirable.
* The autopaging logic in systemd's various tools (such as systemctl)
has been updated to turn on "secure" mode in "less"
(i.e. $LESSECURE=1) if execution in a "sudo" environment is
detected. This disables invoking external programs from the pager,
via the pipe logic. This behaviour may be overridden via the new
$SYSTEMD_PAGERSECURE environment variable.
* Units which have resource limits (.service, .mount, .swap, .slice,
.socket, and .slice) gained new configuration settings
ManagedOOMSwap=, ManagedOOMMemoryPressure=, and
ManagedOOMMemoryPressureLimitPercent= that specify resource pressure
limits and optional action taken by systemd-oomd.
* A new service systemd-oomd has been added. It monitors resource
contention for selected parts of the unit hierarchy using the PSI
information reported by the kernel, and kills processes when memory
or swap pressure is above configured limits. This service is only
enabled by default in developer mode (see below) and should be
considered a preview in this release. Behaviour details and option
names are subject to change without the usual backwards-compatibility
promises.
* A new helper oomctl has been added to introspect systemd-oomd state.
It is only enabled by default in developer mode and should be
considered a preview without the usual backwards-compatibility
promises.
* New meson option -Dcompat-mutable-uid-boundaries= has been added. If
enabled, systemd reads the system UID boundaries from /etc/login.defs
at runtime, instead of using the built-in values selected during
build. This is an option to improve compatibility for upgrades from
old systems. It's strongly recommended not to make use of this
functionality on new systems (or even enable it during build), as it
makes something runtime-configurable that is mostly an implementation
detail of the OS, and permits avoidable differences in deployments
that create all kinds of problems in the long run.
* New meson option '-Dmode=developer|release' has been added. When
'developer', additional checks and features are enabled that are
relevant during upstream development, e.g. verification that
semi-automatically-generated documentation has been properly updated
following API changes. Those checks are considered hints for
developers and are not actionable in downstream builds. In addition,
extra features that are not ready for general consumption may be
enabled in developer mode. It is thus recommended to set
'-Dmode=release' in end-user and distro builds.
* systemd-cryptsetup gained support for processing detached LUKS
headers specified on the kernel command line via the header=
parameter of the luks.options= kernel command line option. The same
device/path syntax as for key files is supported for header files
like this.
* The "net_id" built-in of udev has been updated to ignore ACPI _SUN
slot index data for devices that are connected through a PCI bridge
where the _SUN index is associated with the bridge instead of the
network device itself. Previously this would create ambiguous device
naming if multiple network interfaces were connected to the same PCI
bridge. Since this is a naming scheme incompatibility on systems that
possess hardware like this it has been introduced as new naming
scheme "v247". The previous scheme can be selected via the
"net.naming_scheme=v245" kernel command line parameter.
* ConditionFirstBoot= semantics have been modified to be safe towards
abnormal system power-off during first boot. Specifically, the
"systemd-machine-id-commit.service" service now acts as boot
milestone indicating when the first boot process is sufficiently
complete in order to not consider the next following boot also a
first boot. If the system is reset before this unit is reached the
first time, the next boot will still be considered a first boot; once
it has been reached, no further boots will be considered a first
boot. The "first-boot-complete.target" unit now acts as official hook
point to order against this. If a service shall be run on every boot
until the first boot fully succeeds it may thus be ordered before
this target unit (and pull it in) and carry ConditionFirstBoot=
appropriately.
* bootctl's set-default and set-oneshot commands now accept the three
special strings "@default", "@oneshot", "@current" in place of a boot
entry id. These strings are resolved to the current default and
oneshot boot loader entry, as well as the currently booted one. Thus
a command "bootctl set-default @current" may be used to make the
currently boot menu item the new default for all subsequent boots.
* "systemctl edit" has been updated to show the original effective unit
contents in commented form in the text editor.
* Units in user mode are now segregated into three new slices:
session.slice (units that form the core of graphical session),
app.slice ("normal" user applications), and background.slice
(low-priority tasks). Unless otherwise configured, user units are
placed in app.slice. The plan is to add resource limits and
protections for the different slices in the future.
* New GPT partition types for RISCV32/64 for the root and /usr
partitions, and their associated Verity partitions have been defined,
and are now understood by systemd-gpt-auto-generator, and the OS
image dissection logic.
Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa
Ross, Amitanand Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar
Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1,
Beniamino Galvani, Benjamin Berg, Bjørn Mork, brainrom, Chandradeep
Dey, Charles Lee, Chris Down, Christian Göttsche, Christof Efkemann,
Christoph Ruegge, Clemens Gruber, Daan De Meyer, Daniele Medri, Daniel
Mack, Daniel Rusek, Dan Streetman, David Tardon, Dimitri John Ledkov,
Dmitry Borodaenko, Elias Probst, Elisei Roca, ErrantSpore, Etienne
Doms, Fabrice Fontaine, fangxiuning, Felix Riemann, Florian Klink,
Franck Bui, Frantisek Sumsal, fwSmit, George Rawlinson, germanztz,
Gibeom Gwon, Glen Whitney, Gogo Gogsi, Göran Uddeborg, Grant Mathews,
Hans de Goede, Hans Ulrich Niedermann, Haochen Tong, Harald Seiler,
huangyong, Hubert Kario, igo95862, Ikey Doherty, Insun Pyo, Jan Chren,
Jan Schlüter, Jérémy Nouhaud, Jian-Hong Pan, Joerg Behrmann, Jonathan
Lebon, Jörg Thalheim, Josh Brobst, Juergen Hoetzel, Julien Humbert,
Kai-Chuan Hsieh, Kairui Song, Kamil Dudka, Kir Kolyshkin, Kristijan
Gjoshev, Kyle Huey, Kyle Russell, Lee Whalen, Lennart Poettering,
lichangze, Luca Boccassi, Lucas Werkmeister, Luca Weiss, Marc
Kleine-Budde, Marco Wang, Martin Wilck, Marti Raudsepp, masmullin2000,
Máté Pozsgay, Matt Fenwick, Michael Biebl, Michael Scherer, Michal
Koutný, Michal Sekletár, Michal Suchanek, Mikael Szreder, Milo
Casagrande, mirabilos, Mitsuha_QuQ, mog422, Muhammet Kara, Nazar
Vinnichuk, Nicholas Narsing, Nicolas Fella, Njibhu, nl6720, Oğuz Ersen,
Olivier Le Moal, Ondrej Kozina, onlybugreports, Pass Automated Testing
Suite, Pat Coulthard, Pavel Sapezhko, Pedro Ruiz, perry_yuan, Peter
Hutterer, Phaedrus Leeds, PhoenixDiscord, Piotr Drąg, Plan C,
Purushottam choudhary, Rasmus Villemoes, Renaud Métrich, Robert Marko,
Roman Beranek, Ronan Pigott, Roy Chen (陳彥廷), RussianNeuroMancer,
Samanta Navarro, Samuel BF, scootergrisen, Sorin Ionescu, Steve Dodd,
Susant Sahani, Timo Rothenpieler, Tobias Hunger, Tobias Kaufmann, Topi
Miettinen, vanou, Vito Caputo, Weblate, Wen Yang, Whired Planck,
williamvds, Yu, Li-Yu, Yuri Chornoivan, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek, Zmicer Turok, Дамјан Георгиевски
Warsaw, 2020-11-26
CHANGES WITH 246:
* The service manager gained basic support for cgroup v2 freezer. Units
can now be suspended or resumed either using new systemctl verbs,
freeze and thaw respectively, or via D-Bus.
* PID 1 may now automatically load pre-compiled AppArmor policies from
/etc/apparmor/earlypolicy during early boot.
* The CPUAffinity= setting in service unit files now supports a new
special value "numa" that causes the CPU affinity masked to be set
based on the NUMA mask.
* systemd will now log about all left-over processes remaining in a
unit when the unit is stopped. It will now warn about services using
KillMode=none, as this is generally an unsafe thing to make use of.
* Two new unit file settings
ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been
added. They may be used to check whether a specific file system path
resides on a block device that is encrypted on the block level
(i.e. using dm-crypt/LUKS).
* Another pair of new settings ConditionEnvironment=/AssertEnvironment=
has been added that may be used for simple environment checks. This
is particularly useful when passing in environment variables from a
container manager (or from PAM in case of the systemd --user
instance).
* .service unit files now accept a new setting CoredumpFilter= which
allows configuration of the memory sections coredumps of the
service's processes shall include.
* .mount units gained a new ReadWriteOnly= boolean option. If set
it will not be attempted to mount a file system read-only if mounting
in read-write mode doesn't succeed. An option x-systemd.rw-only is
available in /etc/fstab to control the same.
* .socket units gained a new boolean setting PassPacketInfo=. If
enabled, the kernel will attach additional per-packet metadata to all
packets read from the socket, as an ancillary message. This controls
the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options,
depending on socket type.
* .service units gained a new setting RootHash= which may be used to
specify the root hash for verity enabled disk images which are
specified in RootImage=. RootVerity= may be used to specify a path to
the Verity data matching a RootImage= file system. (The latter is
only useful for images that do not contain the Verity data embedded
into the same image that carries a GPT partition table following the
Discoverable Partition Specification). Similarly, systemd-nspawn
gained a new switch --verity-data= that takes a path to a file with
the verity data of the disk image supplied in --image=, if the image
doesn't contain the verity data itself.
* .service units gained a new setting RootHashSignature= which takes
either a base64 encoded PKCS#7 signature of the root hash specified
with RootHash=, or a path to a file to read the signature from. This
allows validation of the root hash against public keys available in
the kernel keyring, and is only supported on recent kernels
(>= 5.4)/libcryptsetup (>= 2.30). A similar switch has been added to
systemd-nspawn and systemd-dissect (--root-hash-sig=). Support for
this mechanism has also been added to systemd-veritysetup.
* .service unit files gained two new options
TimeoutStartFailureMode=/TimeoutStopFailureMode= that may be used to
tune behaviour if a start or stop timeout is hit, i.e. whether to
terminate the service with SIGTERM, SIGABRT or SIGKILL.
* Most options in systemd that accept hexadecimal values prefixed with
0x in additional to the usual decimal notation now also support octal
notation when the 0o prefix is used and binary notation if the 0b
prefix is used.
* Various command line parameters and configuration file settings that
configure key or certificate files now optionally take paths to
AF_UNIX sockets in the file system. If configured that way a stream
connection is made to the socket and the required data read from
it. This is a simple and natural extension to the existing regular
file logic, and permits other software to provide keys or
certificates via simple IPC services, for example when unencrypted
storage on disk is not desired. Specifically, systemd-networkd's
Wireguard and MACSEC key file settings as well as
systemd-journal-gatewayd's and systemd-journal-remote's PEM
key/certificate parameters support this now.
* Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other
configuration files that support specifier expansion learnt six new
specifiers: %a resolves to the current architecture, %o/%w/%B/%W
resolve to the various ID fields from /etc/os-release, %l resolves to
the "short" hostname of the system, i.e. the hostname configured in
the kernel truncated at the first dot.
* Support for the .include syntax in unit files has been removed. The
concept has been obsolete for 6 years and we started warning about
its pending removal 2 years ago (also see NEWS file below). It's
finally gone now.
* StandardError= and StandardOutput= in unit files no longer support
the "syslog" and "syslog-console" switches. They were long removed
from the documentation, but will now result in warnings when used,
and be converted to "journal" and "journal+console" automatically.
* If the service setting User= is set to the "nobody" user, a warning
message is now written to the logs (but the value is nonetheless
accepted). Setting User=nobody is unsafe, since the primary purpose
of the "nobody" user is to own all files whose owner cannot be mapped
locally. It's in particular used by the NFS subsystem and in user
namespacing. By running a service under this user's UID it might get
read and even write access to all these otherwise unmappable files,
which is quite likely a major security problem.
* tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm,
and others) now have a size and inode limits applied (50% of RAM for
/tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note
that the implicit kernel default is 50% too, so there is no change
in the size limit for /tmp and /dev/shm.
* nss-mymachines lost support for resolution of users and groups, and
now only does resolution of hostnames. This functionality is now
provided by nss-systemd. Thus, the 'mymachines' entry should be
removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf
(and 'systemd' added if it is not already there).
* A new kernel command line option systemd.hostname= has been added
that allows controlling the hostname that is initialized early during
boot.
* A kernel command line option "udev.blockdev_read_only" has been
added. If specified all hardware block devices that show up are
immediately marked as read-only by udev. This option is useful for
making sure that a specific boot under no circumstances modifies data
on disk. Use "blockdev --setrw" to undo the effect of this, per
device.
* A new boolean kernel command line option systemd.swap= has been
added, which may be used to turn off automatic activation of swap
devices listed in /etc/fstab.
* New kernel command line options systemd.condition_needs_update= and
systemd.condition_first_boot= have been added, which override the
result of the ConditionNeedsUpdate= and ConditionFirstBoot=
conditions.
* A new kernel command line option systemd.clock_usec= has been added
that allows setting the system clock to the specified time in µs
since Jan 1st, 1970 early during boot. This is in particular useful
in order to make test cases more reliable.
* The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
systemd-coredump to save core files for suid processes. When saving
the core file, systemd-coredump will use the effective uid and gid of
the process that faulted.
* The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is
now automatically set to "Y" at boot, in order to enable pstore
generation for collection with systemd-pstore.
* We provide a set of udev rules to enable auto-suspend on PCI and USB
devices that were tested to correctly support it. Previously, this
was distributed as a set of udev rules, but has now been replaced by
by a set of hwdb entries (and a much shorter udev rule to take action
if the device modalias matches one of the new hwdb entries).
As before, entries are periodically imported from the database
maintained by the ChromiumOS project. If you have a device that
supports auto-suspend correctly and where it should be enabled by
default, please submit a patch that adds it to the database (see
/usr/lib/udev/hwdb.d/60-autosuspend.hwdb).
* systemd-udevd gained the new configuration option timeout_signal= as well
as a corresponding kernel command line option udev.timeout_signal=.
The option can be used to configure the UNIX signal that the main
daemon sends to the worker processes on timeout. Setting the signal
to SIGABRT is useful for debugging.
* .link files managed by systemd-udevd gained options RxFlowControl=,
TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in
order to configure various flow control parameters. They also gained
RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo
frame ring buffer sizes.
* networkd.conf gained a new boolean setting ManageForeignRoutes=. If
enabled systemd-networkd manages all routes configured by other tools.
* .network files managed by systemd-networkd gained a new section
[SR-IOV], in order to configure SR-IOV capable network devices.
* systemd-networkd's [IPv6Prefix] section in .network files gained a
new boolean setting Assign=. If enabled an address from the prefix is
automatically assigned to the interface.
* systemd-networkd gained a new section [DHCPv6PrefixDelegation] which
controls delegated prefixes assigned by DHCPv6 client. The section
has three settings: SubnetID=, Assign=, and Token=. The setting
SubnetID= allows explicit configuration of the preferred subnet that
systemd-networkd's Prefix Delegation logic assigns to interfaces. If
Assign= is enabled (which is the default) an address from any acquired
delegated prefix is automatically chosen and assigned to the
interface. The setting Token= specifies an optional address generation
mode for Assign=.
* systemd-networkd's [Network] section gained a new setting
IPv4AcceptLocal=. If enabled the interface accepts packets with local
source addresses.
* systemd-networkd gained support for configuring the HTB queuing
discipline in the [HierarchyTokenBucket] and
[HierarchyTokenBucketClass] sections. Similar the "pfifo" qdisc may
be configured in the [PFIFO] section, "GRED" in
[GenericRandomEarlyDetection], "SFB" in [StochasticFairBlue], "cake"
in [CAKE], "PIE" in [PIE], "DRR" in [DeficitRoundRobinScheduler] and
[DeficitRoundRobinSchedulerClass], "BFIFO" in [BFIFO],
"PFIFOHeadDrop" in [PFIFOHeadDrop], "PFIFOFast" in [PFIFOFast], "HHF"
in [HeavyHitterFilter], "ETS" in [EnhancedTransmissionSelection] and
"QFQ" in [QuickFairQueueing] and [QuickFairQueueingClass].
* systemd-networkd gained support for a new Termination= setting in the
[CAN] section for configuring the termination resistor. It also
gained a new ListenOnly= setting for controlling whether to only
listen on CAN interfaces, without interfering with traffic otherwise
(which is useful for debugging/monitoring CAN network
traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have
been added to configure various CAN-FD aspects.
* systemd-networkd's [DHCPv6] section gained a new option WithoutRA=.
When enabled, DHCPv6 will be attempted right-away without requiring an
Router Advertisement packet suggesting it first (i.e. without the 'M'
or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option
DHCPv6Client= that may be used to turn off the DHCPv6 client even if
the RA packets suggest it.
* systemd-networkd's [DHCPv4] section gained a new setting UseGateway=
which may be used to turn off use of the gateway information provided
by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be
used to configure how to process leases that lack a lifetime option.
* systemd-networkd's [DHCPv4] and [DHCPServer] sections gained a new
setting SendVendorOption= allowing configuration of additional vendor
options to send in the DHCP requests/responses. The [DHCPv6] section
gained a new SendOption= setting for sending arbitrary DHCP
options. RequestOptions= has been added to request arbitrary options
from the server. UserClass= has been added to set the DHCP user class
field.
* systemd-networkd's [DHCPServer] section gained a new set of options
EmitPOP3=/POP3=, EmitSMTP=/SMTP=, EmitLPR=/LPR= for including server
information about these three protocols in the DHCP lease. It also
gained support for including "MUD" URLs ("Manufacturer Usage
Description"). Support for "MUD" URLs was also added to the LLDP
stack, configurable in the [LLDP] section in .network files.
* The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source'
mode. Also, the sections now support a new setting SourceMACAddress=.
* systemd-networkd's .netdev files now support a new setting
VLANProtocol= in the [Bridge] section that allows configuration of
the VLAN protocol to use.
* systemd-networkd supports a new Group= setting in the [Link] section
of the .network files, to control the link group.
* systemd-networkd's [Network] section gained a new
IPv6LinkLocalAddressGenerationMode= setting, which specifies how IPv6
link local address is generated.
* A new default .network file is now shipped that matches TUN/TAP
devices that begin with "vt-" in their name. Such interfaces will
have IP routing onto the host links set up automatically. This is
supposed to be used by VM managers to trivially acquire a network
interface which is fully set up for host communication, simply by
carefully picking an interface name to use.
* systemd-networkd's [DHCPv6] section gained a new setting RouteMetric=
which sets the route priority for routes specified by the DHCP server.
* systemd-networkd's [DHCPv6] section gained a new setting VendorClass=
which configures the vendor class information sent to DHCP server.
* The BlackList= settings in .network files' [DHCPv4] and
[IPv6AcceptRA] sections have been renamed DenyList=. The old names
are still understood to provide compatibility.
* networkctl gained the new "forcerenew" command for forcing all DHCP
server clients to renew their lease. The interface "status" output
will now show numerous additional fields of information about an
interface. There are new "up" and "down" commands to bring specific
interfaces up or down.
* systemd-resolved's DNS= configuration option now optionally accepts a
port number (after ":") and a host name (after "#"). When the host
name is specified, the DNS-over-TLS certificate is validated to match
the specified hostname. Additionally, in case of IPv6 addresses, an
interface may be specified (after "%").
* systemd-resolved may be configured to forward single-label DNS names.
This is not standard-conformant, but may make sense in setups where
public DNS servers are not used.
* systemd-resolved's DNS-over-TLS support gained SNI validation.
* systemd-nspawn's --resolv-conf= switch gained a number of new
supported values. Specifically, options starting with "replace-" are
like those prefixed "copy-" but replace any existing resolv.conf
file. And options ending in "-uplink" and "-stub" can now be used to
propagate other flavours of resolv.conf into the container (as
defined by systemd-resolved).
* The various programs included in systemd can now optionally output
their log messages on stderr prefixed with a timestamp, controlled by
the $SYSTEMD_LOG_TIME environment variable.
* systemctl gained a new "-P" switch that is a shortcut for "--value
--property=…".
* "systemctl list-units" and "systemctl list-machines" no longer hide
their first output column with --no-legend. To hide the first column,
use --plain.
* "systemctl reboot" takes the option "--reboot-argument=".
The optional positional argument to "systemctl reboot" is now
being deprecated in favor of this option.
* systemd-run gained a new switch --slice-inherit. If specified the
unit it generates is placed in the same slice as the systemd-run
process itself.
* systemd-journald gained support for zstd compression of large fields
in journal files. The hash tables in journal files have been hardened
against hash collisions. This is an incompatible change and means
that journal files created with new systemd versions are not readable
with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean
environment variable for systemd-journald.service is set to 0 this
new hardening functionality may be turned off, so that generated
journal files remain compatible with older journalctl
implementations.
* journalctl will now include a clickable link in the default output for
each log message for which a URL with further documentation is
known. This is only supported on terminal emulators that support
clickable hyperlinks, and is turned off if a pager is used (since
"less" still doesn't support hyperlinks,
unfortunately). Documentation URLs may be included in log messages
either by including a DOCUMENTATION= journal field in it, or by
associating a journal message catalog entry with the log message's
MESSAGE_ID, which then carries a "Documentation:" tag.
* journald.conf gained a new boolean setting Audit= that may be used to
control whether systemd-journald will enable audit during
initialization.
* when systemd-journald's log stream is broken up into multiple lines
because the PID of the sender changed this is indicated in the
generated log records via the _LINE_BREAK=pid-change field.
* journalctl's "-o cat" output mode will now show one or more journal
fields specified with --output-fields= instead of unconditionally
MESSAGE=. This is useful to retrieve a very specific set of fields
without any decoration.
* The sd-journal.h API gained two new functions:
sd_journal_enumerate_available_unique() and
sd_journal_enumerate_available_data() that operate like their
counterparts that lack the _available_ in the name, but skip items
that cannot be read and processed by the local implementation
(i.e. are compressed in an unsupported format or such),
* coredumpctl gained a new --file= switch, matching the same one in
journalctl: a specific journal file may be specified to read the
coredump data from.
* coredumps collected by systemd-coredump may now be compressed using
the zstd algorithm.
* systemd-binfmt gained a new switch --unregister for unregistering all
registered entries at once. This is now invoked automatically at
shutdown, so that binary formats registered with the "F" flag will
not block clean file system unmounting.
* systemd-notify's --pid= switch gained new values: "parent", "self",
"auto" for controlling which PID to send to the service manager: the
systemd-notify process' PID, or the one of the process invoking it.
* systemd-logind's Session bus object learnt a new method call
SetType() for temporarily updating the session type of an already
allocated session. This is useful for upgrading tty sessions to
graphical ones once a compositor is invoked.
* systemd-socket-proxy gained a new switch --exit-idle-time= for
configuring an exit-on-idle time.
* systemd-repart's --empty= setting gained a new value "create". If
specified a new empty regular disk image file is created under the
specified name. Its size may be specified with the new --size=
option. The latter is also supported without the "create" mode, in
order to grow existing disk image files to the specified size. These
two new options are useful when creating or manipulating disk images
instead of operating on actual block devices.
* systemd-repart drop-ins now support a new UUID= setting to control
the UUID to assign to a newly created partition.
* systemd-repart's SizeMin= per-partition parameter now defaults to 10M
instead of 0.
* systemd-repart's Label= setting now support the usual, simple
specifier expansion.
* systemd-homed's LUKS backend gained the ability to discard empty file
system blocks automatically when the user logs out. This is enabled
by default to ensure that home directories take minimal space when
logged out but get full size guarantees when logged in. This may be
controlled with the new --luks-offline-discard= switch to homectl.
* If systemd-homed detects that /home/ is encrypted as a whole it will
now default to the directory or subvolume backends instead of the
LUKS backend, in order to avoid double encryption. The default
storage and file system may now be configured explicitly, too, via
the new /etc/systemd/homed.conf configuration file.
* systemd-homed now supports unlocking home directories with FIDO2
security tokens that support the 'hmac-secret' extension, in addition
to the existing support for PKCS#11 security token unlocking
support. Note that many recent hardware security tokens support both
interfaces. The FIDO2 support is accessible via homectl's
--fido2-device= option.
* homectl's --pkcs11-uri= setting now accepts two special parameters:
if "auto" is specified and only one suitable PKCS#11 security token
is plugged in, its URL is automatically determined and enrolled for
unlocking the home directory. If "list" is specified a brief table of
suitable PKCS#11 security tokens is shown. Similar, the new
--fido2-device= option also supports these two special values, for
automatically selecting and listing suitable FIDO2 devices.
* The /etc/crypttab tmp option now optionally takes an argument
selecting the file system to use. Moreover, the default is now
changed from ext2 to ext4.
* There's a new /etc/crypttab option "keyfile-erase". If specified the
key file listed in the same line is removed after use, regardless if
volume activation was successful or not. This is useful if the key
file is only acquired transiently at runtime and shall be erased
before the system continues to boot.
* There's also a new /etc/crypttab option "try-empty-password". If
specified, before asking the user for a password it is attempted to
unlock the volume with an empty password. This is useful for
installing encrypted images whose password shall be set on first boot
instead of at installation time.
* systemd-cryptsetup will now attempt to load the keys to unlock
volumes with automatically from files in
/etc/cryptsetup-keys.d/<volume>.key and
/run/cryptsetup-keys.d/<volume>.key, if any of these files exist.
* systemd-cryptsetup may now activate Microsoft BitLocker volumes via
/etc/crypttab, during boot.
* logind.conf gained a new RuntimeDirectoryInodesMax= setting to
control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs
instance.
* A new generator systemd-xdg-autostart-generator has been added. It
generates systemd unit files from XDG autostart .desktop files, and
may be used to let the systemd user instance manage services that are
started automatically as part of the desktop session.
* "bootctl" gained a new verb "reboot-to-firmware" that may be used
to query and change the firmware's 'Reboot Into Firmware Interface'
setup flag.
* systemd-firstboot gained a new switch --kernel-command-line= that may
be used to initialize the /etc/kernel/cmdline file of the image. It
also gained a new switch --root-password-hashed= which is like
--root-password= but accepts a pre-hashed UNIX password as
argument. The new option --delete-root-password may be used to unset
any password for the root user (dangerous!). The --root-shell= switch
may be used to control the shell to use for the root account. A new
--force option may be used to override any already set settings with
the parameters specified on the command line (by default, the tool
will not override what has already been set before, i.e. is purely
incremental).
* systemd-firstboot gained support for a new --image= switch, which is
similar to --root= but accepts the path to a disk image file, on
which it then operates.
* A new sd-path.h API has been added to libsystemd. It provides a
simple API for retrieving various search paths and primary
directories for various resources.
* A new call sd_notify_barrier() has been added to the sd-daemon.h
API. The call will block until all previously sent sd_notify()
messages have been processed by the service manager. This is useful
to remove races caused by a process already having disappeared at the
time a notification message is processed by the service manager,
making correct attribution impossible. The systemd-notify tool will
now make use of this call implicitly, but this can be turned off again
via the new --no-block switch.
* When sending a file descriptor (fd) to the service manager to keep
track of, using the sd_notify() mechanism, a new parameter FDPOLL=0
may be specified. If passed the service manager will refrain from
poll()ing on the file descriptor. Traditionally (and when the
parameter is not specified), the service manager will poll it for
POLLHUP or POLLERR events, and immediately close the fds in that
case.
* The service manager (PID1) gained a new D-Bus method call
SetShowStatus() which may be used to control whether it shall show
boot-time status output on the console. This method has a similar
effect to sending SIGRTMIN+20/SIGRTMIN+21 to PID 1.
* The sd-bus API gained a number of convenience functions that take
va_list arguments rather than "...". For example, there's now
sd_bus_call_methodv() to match sd_bus_call_method(). Those calls make
it easier to build wrappers that accept variadic arguments and want
to pass a ready va_list structure to sd-bus.
* sd-bus vtable entries can have a new SD_BUS_VTABLE_ABSOLUTE_OFFSET
flag which alters how the userdata pointer to pass to the callbacks
is determined. When the flag is set, the offset field is converted
as-is into a pointer, without adding it to the object pointer the
vtable is associated with.
* sd-bus now exposes four new functions:
sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() +
sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will
validate strings to check if they qualify as various D-Bus concepts.
* The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(),
SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros
that simplify adding argument names to D-Bus methods and signals.
* The man pages for the sd-bus and sd-hwdb APIs have been completed.
* Various D-Bus APIs of systemd daemons now have man pages that
document the methods, signals and properties.
* The expectations on user/group name syntax are now documented in
detail; documentation on how classic home directories may be
converted into home directories managed by homed has been added;
documentation regarding integration of homed/userdb functionality in
desktops has been added:
https://systemd.io/USER_NAMES
https://systemd.io/CONVERTING_TO_HOMED
https://systemd.io/USERDB_AND_DESKTOPS
* Documentation for the on-disk Journal file format has been updated
and has now moved to:
https://systemd.io/JOURNAL_FILE_FORMAT
* The interface for containers (https://systemd.io/CONTAINER_INTERFACE)
has been extended by a set of environment variables that expose
select fields from the host's os-release file to the container
payload. Similarly, host's os-release files can be mounted into the
container underneath /run/host. Together, those mechanisms provide a
standardized way to expose information about the host to the
container payload. Both interfaces are implemented in systemd-nspawn.
* All D-Bus services shipped in systemd now implement the generic
LogControl1 D-Bus API which allows clients to change log level +
target of the service during runtime.
* Only relevant for developers: the mkosi.default symlink has been
dropped from version control. Please create a symlink to one of the
distribution-specific defaults in .mkosi/ based on your preference.
Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander
Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird,
Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain,
antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji
Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg,
Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian
Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy,
codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan,
Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David
Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri
John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel
Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin,
ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger,
Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui,
Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius
Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de
Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan
Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy
Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg
Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin
Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard,
Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas
Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej
S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc
Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim
Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels,
Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár,
Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys,
nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert
Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter
Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross
Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian
Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas
Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes,
Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo,
Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal
Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб
Warsaw, 2020-07-30
CHANGES WITH 245:
* A new tool "systemd-repart" has been added, that operates as an
idempotent declarative repartitioner for GPT partition tables.
Specifically, a set of partitions that must or may exist can be
configured via drop-in files, and during every boot the partition
table on disk is compared with these files, creating missing
partitions or growing existing ones based on configurable relative
and absolute size constraints. The tool is strictly incremental,
i.e. does not delete, shrink or move partitions, but only adds and
grows them. The primary use-case is OS images that ship in minimized
form, that on first boot are grown to the size of the underlying
block device or augmented with additional partitions. For example,
the root partition could be extended to cover the whole disk, or a
swap or /home partitions could be added on first boot. It can also be
used for systems that use an A/B update scheme but ship images with
just the A partition, with B added on first boot. The tool is
primarily intended to be run in the initrd, shortly before
transitioning into the host OS, but can also be run after the
transition took place. It automatically discovers the disk backing
the root file system, and should hence not require any additional
configuration besides the partition definition drop-ins. If no
configuration drop-ins are present, no action is taken.
* A new component "userdb" has been added, along with a small daemon
"systemd-userdbd.service" and a client tool "userdbctl". The framework
allows defining rich user and group records in a JSON format,
extending on the classic "struct passwd" and "struct group"
structures. Various components in systemd have been updated to
process records in this format, including systemd-logind and
pam-systemd. The user records are intended to be extensible, and
allow setting various resource management, security and runtime
parameters that shall be applied to processes and sessions of the
user as they log in. This facility is intended to allow associating
such metadata directly with user/group records so that they can be
produced, extended and consumed in unified form. We hope that
eventually frameworks such as sssd will generate records this way, so
that for the first time resource management and various other
per-user settings can be configured in LDAP directories and then
provided to systemd (specifically to systemd-logind and pam-system)
to apply on login. For further details see:
https://systemd.io/USER_RECORD
https://systemd.io/GROUP_RECORD
https://systemd.io/USER_GROUP_API
* A small new service systemd-homed.service has been added, that may be
used to securely manage home directories with built-in encryption.
The complete user record data is unified with the home directory,
thus making home directories naturally migratable. Its primary
back-end is based on LUKS volumes, but fscrypt, plain directories,
and other storage schemes are also supported. This solves a couple of
problems we saw with traditional ways to manage home directories, in
particular when it comes to encryption. For further discussion of
this, see the video of Lennart's talk at AllSystemsGo! 2019:
https://media.ccc.de/v/ASG2019-164-reinventing-home-directories
For further details about the format and expectations on home
directories this new daemon makes, see:
https://systemd.io/HOME_DIRECTORY
* systemd-journald is now multi-instantiable. In addition to the main
instance systemd-journald.service there's now a template unit
systemd-journald@.service, with each instance defining a new named
log 'namespace' (whose name is specified via the instance part of the
unit name). A new unit file setting LogNamespace= has been added,
taking such a namespace name, that assigns services to the specified
log namespaces. As each log namespace is serviced by its own
independent journal daemon, this functionality may be used to improve
performance and increase isolation of applications, at the price of
losing global message ordering. Each instance of journald has a
separate set of configuration files, with possibly different disk
usage limitations and other settings.
journalctl now takes a new option --namespace= to show logs from a
specific log namespace. The sd-journal.h API gained
sd_journal_open_namespace() for opening the log stream of a specific
log namespace. systemd-journald also gained the ability to exit on
idle, which is useful in the context of log namespaces, as this means
log daemons for log namespaces can be activated automatically on
demand and will stop automatically when no longer used, minimizing
resource usage.
* When systemd-tmpfiles copies a file tree using the 'C' line type it
will now label every copied file according to the SELinux database.
* When systemd/PID 1 detects it is used in the initrd it will now boot
into initrd.target rather than default.target by default. This should
make it simpler to build initrds with systemd as for many cases the
only difference between a host OS image and an initrd image now is
the presence of the /etc/initrd-release file.
* A new kernel command line option systemd.cpu_affinity= is now
understood. It's equivalent to the CPUAffinity= option in
/etc/systemd/system.conf and allows setting the CPU mask for PID 1
itself and the default for all other processes.
* When systemd/PID 1 is reloaded (with systemctl daemon-reload or
equivalent), the SELinux database is now reloaded, ensuring that
sockets and other file system objects are generated taking the new
database into account.
* systemd/PID 1 accepts a new "systemd.show-status=error" setting, and
"quiet" has been changed to imply that instead of
"systemd.show-status=auto". In this mode, only messages about errors
and significant delays in boot are shown on the console.
* The sd-event.h API gained native support for the new Linux "pidfd"
concept. This permits watching processes using file descriptors
instead of PID numbers, which fixes a number of races and makes
process supervision more robust and efficient. All of systemd's
components will now use pidfds if the kernel supports it for process
watching, with the exception of PID 1 itself, unfortunately. We hope
to move PID 1 to exclusively using pidfds too eventually, but this
requires some more kernel work first. (Background: PID 1 watches
processes using waitid() with the P_ALL flag, and that does not play
together nicely with pidfds yet.)
* Closely related to this, the sd-event.h API gained two new calls
sd_event_source_send_child_signal() (for sending a signal to a
watched process) and sd_event_source_get_child_process_own() (for
marking a process so that it is killed automatically whenever the
event source watching it is freed).
* systemd-networkd gained support for configuring Token Bucket Filter
(TBF) parameters in its qdisc configuration support. Similarly,
support for Stochastic Fairness Queuing (SFQ), Controlled-Delay
Active Queue Management (CoDel), and Fair Queue (FQ) has been added.
* systemd-networkd gained support for Intermediate Functional Block
(IFB) network devices.
* systemd-networkd gained support for configuring multi-path IP routes,
using the new MultiPathRoute= setting in the [Route] section.
* systemd-networkd's DHCPv4 client has been updated to support a new
SendDecline= option. If enabled, duplicate address detection is done
after a DHCP offer is received from the server. If a conflict is
detected, the address is declined. The DHCPv4 client also gained
support for a new RouteMTUBytes= setting that allows to configure the
MTU size to be used for routes generated from DHCPv4 leases.
* The PrefixRoute= setting in systemd-networkd's [Address] section of
.network files has been deprecated, and replaced by AddPrefixRoute=,
with its sense inverted.
* The Gateway= setting of [Route] sections of .network files gained
support for a special new value "_dhcp". If set, the configured
static route uses the gateway host configured via DHCP.
* New User= and SuppressPrefixLength= settings have been implemented
for the [RoutingPolicyRule] section of .network files to configure
source routing based on UID ranges and prefix length, respectively.
* The Type= match property of .link files has been generalized to
always match the device type shown by 'networkctl status', even for
devices where udev does not set DEVTYPE=. This allows e.g. Type=ether
to be used.
* sd-bus gained a new API call sd_bus_message_sensitive() that marks a
D-Bus message object as "sensitive". Those objects are erased from
memory when they are freed. This concept is intended to be used for
messages that contain security sensitive data. A new flag
SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods
in sd-bus vtables, causing any incoming and outgoing messages of
those methods to be implicitly marked as "sensitive".
* sd-bus gained a new API call sd_bus_message_dump() for dumping the
contents of a message (or parts thereof) to standard output for
debugging purposes.
* systemd-sysusers gained support for creating users with the primary
group named differently than the user.
* systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
gained support for growing XFS partitions. Previously it supported
only ext4 and btrfs partitions.
* The support for /etc/crypttab gained a new x-initrd.attach option. If
set, the specified encrypted volume is unlocked already in the
initrd. This concept corresponds to the x-initrd.mount option in
/etc/fstab.
* systemd-cryptsetup gained native support for unlocking encrypted
volumes utilizing PKCS#11 smartcards, i.e. for example to bind
encryption of volumes to YubiKeys. This is exposed in the new
pkcs11-uri= option in /etc/crypttab.
* The /etc/fstab support in systemd now supports two new mount options
x-systemd.{required,wanted}-by=, for explicitly configuring the units
that the specified mount shall be pulled in by, in place of
the usual local-fs.target/remote-fs.target.
* The https://systemd.io/ web site has been relaunched, directly
populated with most of the documentation included in the systemd
repository. systemd also acquired a new logo, thanks to Tobias
Bernard.
* systemd-udevd gained support for managing "alternative" network
interface names, as supported by new Linux kernels. For the first
time this permits assigning multiple (and longer!) names to a network
interface. systemd-udevd will now by default assign the names
generated via all supported naming schemes to each interface. This
may be further tweaked with .link files and the AlternativeName= and
AlternativeNamesPolicy= settings. Other components of systemd have
been updated to support the new alternative names wherever
appropriate. For example, systemd-nspawn will now generate
alternative interface names for the host-facing side of container
veth links based on the full container name without truncation.
* systemd-nspawn interface naming logic has been updated in another way
too: if the main interface name (i.e. as opposed to new-style
"alternative" names) based on the container name is truncated, a
simple hashing scheme is used to give different interface names to
multiple containers whose names all begin with the same prefix. Since
this changes the primary interface names pointing to containers if
truncation happens, the old scheme may still be requested by
selecting an older naming scheme, via the net.naming_scheme= kernel
command line option.
* PrivateUsers= in service files now works in services run by the
systemd --user per-user instance of the service manager.
* A new per-service sandboxing option ProtectClock= has been added that
locks down write access to the system clock. It takes away device
node access to /dev/rtc as well as the system calls that set the
system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities.
Note that this option does not affect access to auxiliary services
that allow changing the clock, for example access to
systemd-timedated.
* The systemd-id128 tool gained a new "show" verb for listing or
resolving a number of well-known UUIDs/128-bit IDs, currently mostly
GPT partition table types.
* The Discoverable Partitions Specification has been updated to support
/var and /var/tmp partition discovery. Support for this has been
added to systemd-gpt-auto-generator. For details see:
https://systemd.io/DISCOVERABLE_PARTITIONS
* "systemctl list-unit-files" has been updated to show a new column
with the suggested enablement state based on the vendor preset files
for the respective units.
* "systemctl" gained a new option "--with-dependencies". If specified
commands such as "systemctl status" or "systemctl cat" will now show
all specified units along with all units they depend on.
* networkctl gained support for showing per-interface logs in its
"status" output.
* systemd-networkd-wait-online gained support for specifying the maximum
operational state to wait for, and to wait for interfaces to
disappear.
* The [Match] section of .link and .network files now supports a new
option PermanentMACAddress= which may be used to check against the
permanent MAC address of a network device even if a randomized MAC
address is used.
* The [TrafficControlQueueingDiscipline] section in .network files has
been renamed to [NetworkEmulator] with the "NetworkEmulator" prefix
dropped from the individual setting names.
* Any .link and .network files that have an empty [Match] section (this
also includes empty and commented-out files) will now be
rejected. systemd-udev and systemd-networkd started warning about
such files in version 243.
* systemd-logind will now validate access to the operation of changing
the virtual terminal via a polkit action. By default, only users
with at least one session on a local VT are granted permission.
* When systemd sets up PAM sessions that invoked service processes
shall run in, the pam_setcred() API is now invoked, thus permitting
PAM modules to set additional credentials for the processes.
* portablectl attach/detach verbs now accept --now and --enable options
to combine attachment with enablement and invocation, or detachment
with stopping and disablement.
* UPGRADE ISSUE: a bug where some jobs were trimmed as redundant was
fixed, which in turn exposed bugs in unit configuration of services
which have Type=oneshot and should only run once, but do not have
RemainAfterExit=yes set. Without RemainAfterExit=yes, a one-shot
service may be started again after exiting successfully, for example
as a dependency in another transaction. Affected services included
some internal systemd services (most notably
systemd-vconsole-setup.service, which was updated to have
RemainAfterExit=yes), and plymouth-start.service. Please ensure that
plymouth has been suitably updated or patched before upgrading to
this systemd release. See
https://bugzilla.redhat.com/show_bug.cgi?id=1807771 for some
additional discussion.
Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita
Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis,
Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles
(Chas) Williams, cheese1, Chris Down, Chris Murphy, Christian Ehrhardt,
Christian Göttsche, cvoinf, Daan De Meyer, Daniele Medri, Daniel Rusek,
Daniel Shahaf, Dann Frazier, Dan Streetman, Dariusz Gadomski, David
Michael, Dimitri John Ledkov, Emmanuel Bourg, Evgeny Vereshchagin,
ezst036, Felipe Sateler, Filipe Brandenburger, Florian Klink, Franck
Bui, Fran Dieguez, Frantisek Sumsal, Greg "GothAck" Miell, Guilhem
Lettron, Guillaume Douézan-Grard, Hans de Goede, HATAYAMA Daisuke, Iain
Lane, James Buren, Jan Alexander Steffens (heftig), Jérémy Rosen, Jin
Park, Jun'ichi Nomura, Kai Krakow, Kevin Kuehler, Kevin P. Fleming,
Lennart Poettering, Leonid Bloch, Leonid Evdokimov, lothrond, Luca
Boccassi, Lukas K, Lynn Kirby, Mario Limonciello, Mark Deneen, Matthew
Leeds, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Auty, Mike
Gilbert, mtron, nabijaczleweli, Naïm Favier, Nate Jones, Norbert Lange,
Oliver Giles, Paul Davey, Paul Menzel, Peter Hutterer, Piotr Drąg, Rafa
Couto, Raphael, rhn, Robert Scheck, Rocka, Romain Naour, Ryan Attard,
Sascha Dewald, Shengjing Zhu, Slava Kardakov, Spencer Michaels, Sylvain
Plantefeve, Stanislav Angelovič, Susant Sahani, Thomas Haller, Thomas
Schmitt, Timo Schlüßler, Timo Wilken, Tobias Bernard, Tobias Klauser,
Tobias Stoeckmann, Topi Miettinen, tsia, WataruMatsuoka, Wieland
Hoffmann, Wilhelm Schuster, Will Fleming, xduugu, Yong Cong Sin, Yuri
Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zeyu
DONG
Warsaw, 2020-03-06
CHANGES WITH 244:
* Support for the cpuset cgroups v2 controller has been added.
Processes may be restricted to specific CPUs using the new
AllowedCPUs= setting, and to specific memory NUMA nodes using the new
AllowedMemoryNodes= setting.
* The signal used in restart jobs (as opposed to e.g. stop jobs) may
now be configured using a new RestartKillSignal= setting. This
allows units which signals to request termination to implement
different behaviour when stopping in preparation for a restart.
* "systemctl clean" may now be used also for socket, mount, and swap
units.
* systemd will also read configuration options from the EFI variable
SystemdOptions. This may be used to configure systemd behaviour when
modifying the kernel command line is inconvenient, but configuration
on disk is read too late, for example for the options related to
cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
set the EFI variable.
* systemd will now disable printk ratelimits in early boot. This should
allow us to capture more logs from the early boot phase where normal
storage is not available and the kernel ring buffer is used for
logging. Configuration on the kernel command line has higher priority
and overrides the systemd setting.
systemd programs which log to /dev/kmsg directly use internal
ratelimits to prevent runaway logging. (Normally this is only used
during early boot, so in practice this change has very little
effect.)
* Unit files now support top level dropin directories of the form
<unit_type>.d/ (e.g. service.d/) that may be used to add configuration
that affects all corresponding unit files.
* systemctl gained support for 'stop --job-mode=triggering' which will
stop the specified unit and any units which could trigger it.
* Unit status display now includes units triggering and triggered by
the unit being shown.
* The RuntimeMaxSec= setting is now supported by scopes, not just
.service units. This is particularly useful for PAM sessions which
create a scope unit for the user login. systemd.runtime_max_sec=
setting may used with the pam_systemd module to limit the duration
of the PAM session, for example for time-limited logins.
* A new @pkey system call group is now defined to make it easier to
allow-list memory protection syscalls for containers and services
which need to use them.
* systemd-udevd: removed the 30s timeout for killing stale workers on
exit. systemd-udevd now waits for workers to finish. The hard-coded
exit timeout of 30s was too short for some large installations, where
driver initialization could be prematurely interrupted during initrd
processing if the root file system had been mounted and init was
preparing to switch root. If udevd is run without systemd and workers
are hanging while udevd receives an exit signal, udevd will now exit
when udev.event_timeout is reached for the last hanging worker. With
systemd, the exit timeout can additionally be configured using
TimeoutStopSec= in systemd-udevd.service.
* udev now provides a program (fido_id) that identifies FIDO CTAP1
("U2F")/CTAP2 security tokens based on the usage declared in their
report and descriptor and outputs suitable environment variables.
This replaces the externally maintained allow lists of all known
security tokens that were used previously.
* Automatically generated autosuspend udev rules for allow-listed
devices have been imported from the Chromium OS project. This should
improve power saving with many more devices.
* udev gained a new "CONST{key}=value" setting that allows matching
against system-wide constants without forking a helper binary.
Currently "arch" and "virt" keys are supported.
* udev now opens CDROMs in non-exclusive mode when querying their
capabilities. This should fix issues where other programs trying to
use the CDROM cannot gain access to it, but carries a risk of
interfering with programs writing to the disk, if they did not open
the device in exclusive mode as they should.
* systemd-networkd does not create a default route for IPv4 link local
addressing anymore. The creation of the route was unexpected and was
breaking routing in various cases, but people who rely on it being
created implicitly will need to adjust. Such a route may be requested
with DefaultRouteOnDevice=yes.
Similarly, systemd-networkd will not assign a link-local IPv6 address
when IPv6 link-local routing is not enabled.
* Receive and transmit buffers may now be configured on links with
the new RxBufferSize= and TxBufferSize= settings.
* systemd-networkd may now advertise additional IPv6 routes. A new
[IPv6RoutePrefix] section with Route= and LifetimeSec= options is
now supported.
* systemd-networkd may now configure "next hop" routes using the
[NextHop] section and Gateway= and Id= settings.
* systemd-networkd will now retain DHCP config on restarts by default
(but this may be overridden using the KeepConfiguration= setting).
The default for SendRelease= has been changed to true.
* The DHCPv4 client now uses the OPTION_INFORMATION_REFRESH_TIME option
received from the server.
The client will use the received SIP server list if UseSIP=yes is
set.
The client may be configured to request specific options from the
server using a new RequestOptions= setting.
The client may be configured to send arbitrary options to the server
using a new SendOption= setting.
A new IPServiceType= setting has been added to configure the "IP
service type" value used by the client.
* The DHCPv6 client learnt a new PrefixDelegationHint= option to
request prefix hints in the DHCPv6 solicitation.
* The DHCPv4 server may be configured to send arbitrary options using
a new SendOption= setting.
* The DHCPv4 server may now be configured to emit SIP server list using
the new EmitSIP= and SIP= settings.
* systemd-networkd and networkctl may now renew DHCP leases on demand.
networkctl has a new 'networkctl renew' verb.
* systemd-networkd may now reconfigure links on demand. networkctl
gained two new verbs: "reload" will reload the configuration, and
"reconfigure DEVICE…" will reconfigure one or more devices.
* .network files may now match on SSID and BSSID of a wireless network,
i.e. the access point name and hardware address using the new SSID=
and BSSID= options. networkctl will display the current SSID and
BSSID for wireless links.
.network files may also match on the wireless network type using the
new WLANInterfaceType= option.
* systemd-networkd now includes default configuration that enables
link-local addressing when connected to an ad-hoc wireless network.
* systemd-networkd may configure the Traffic Control queueing
disciplines in the kernel using the new
[TrafficControlQueueingDiscipline] section and Parent=,
NetworkEmulatorDelaySec=, NetworkEmulatorDelayJitterSec=,
NetworkEmulatorPacketLimit=, NetworkEmulatorLossRate=,
NetworkEmulatorDuplicateRate= settings.
* systemd-tmpfiles gained a new w+ setting to append to files.
* systemd-analyze dump will now report when the memory configuration in
the kernel does not match what systemd has configured (usually,
because some external program has modified the kernel configuration
on its own).
* systemd-analyze gained a new --base-time= switch instructs the
'calendar' verb to resolve times relative to that timestamp instead
of the present time.
* journalctl --update-catalog now produces deterministic output (making
reproducible image builds easier).
* A new devicetree-overlay setting is now documented in the Boot Loader
Specification.
* The default value of the WatchdogSec= setting used in systemd
services (the ones bundled with the project itself) may be set at
configuration time using the -Dservice-watchdog= setting. If set to
empty, the watchdogs will be disabled.
* systemd-resolved validates IP addresses in certificates now when GnuTLS
is being used.
* libcryptsetup >= 2.0.1 is now required.
* A configuration option -Duser-path= may be used to override the $PATH
used by the user service manager. The default is again to use the same
path as the system manager.
* The systemd-id128 tool gained a new switch "-u" (or "--uuid") for
outputting the 128-bit IDs in UUID format (i.e. in the "canonical
representation").
* Service units gained a new sandboxing option ProtectKernelLogs= which
makes sure the program cannot get direct access to the kernel log
buffer anymore, i.e. the syslog() system call (not to be confused
with the API of the same name in libc, which is not affected), the
/proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made
inaccessible to the service. It's recommended to enable this setting
for all services that should not be able to read from or write to the
kernel log buffer, which are probably almost all.
Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey,
Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, Carlo
Teubner, cbzxt, Chen Qi, Chris Down, Christian Rebischke, Claudio
Zumbo, ClydeByrdIII, crashfistfight, Cyprien Laplace, Daniel Edgecumbe,
Daniel Gorbea, Daniel Rusek, Daniel Stuart, Dan Streetman, David
Pedersen, David Tardon, Dimitri John Ledkov, Dominique Martinet, Donald
A. Cupp Jr, Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger,
Franck Bui, Frantisek Sumsal, Georg Müller, Hans de Goede, Haochen
Tong, HATAYAMA Daisuke, Iwan Timmer, Jan Janssen, Jan Kundrát, Jan
Synacek, Jan Tojnar, Jay Strict, Jérémy Rosen, Jóhann B. Guðmundsson,
Jonas Jelten, Jonas Thelemann, Justin Trudell, J. Xing, Kai-Heng Feng,
Kenneth D'souza, Kevin Becker, Kevin Kuehler, Lennart Poettering,
Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej Stanczew, Mario
Limonciello, Marko Myllynen, Mark Stosberg, Martin Wilck, matthiasroos,
Michael Biebl, Michael Olbrich, Michael Tretter, Michal Sekletar,
Michal Sekletár, Michal Suchanek, Mike Gilbert, Mike Kazantsev, Nicolas
Douma, nikolas, Norbert Lange, pan93412, Pascal de Bruijn, Paul Menzel,
Pavel Hrdina, Peter Wu, Philip Withnall, Piotr Drąg, Rafael Fontenelle,
Renaud Métrich, Riccardo Schirone, RoadrunnerWMC, Ronan Pigott, Ryan
Attard, Sebastian Wick, Serge, Siddharth Chandrasekara, Steve Ramage,
Steve Traylen, Susant Sahani, Thibault Nélis, Tim Teichmann, Tom
Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo, ypf791, Yu Watanabe,
Zach Smith, Zbigniew Jędrzejewski-Szmek
Warsaw, 2019-11-29
CHANGES WITH 243:
* This release enables unprivileged programs (i.e. requiring neither
setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
kernel for the whole UNIX group range, i.e. all processes. This
change should be reasonably safe, as the kernel support for it was
specifically implemented to allow safe access to ICMP Echo for
processes lacking any privileges. If this is not desirable, it can be
disabled again by setting the parameter to "1 0".
* Previously, filters defined with SystemCallFilter= would have the
effect that any calling of an offending system call would terminate
the calling thread. This behaviour never made much sense, since
killing individual threads of unsuspecting processes is likely to
create more problems than it solves. With this release the default
action changed from killing the thread to killing the whole
process. For this to work correctly both a kernel version (>= 4.14)
and a libseccomp version (>= 2.4.0) supporting this new seccomp
action is required. If an older kernel or libseccomp is used the old
behaviour continues to be used. This change does not affect any
services that have no system call filters defined, or that use
SystemCallErrorNumber= (and thus see EPERM or another error instead
of being killed when calling an offending system call). Note that
systemd documentation always claimed that the whole process is
killed. With this change behaviour is thus adjusted to match the
documentation.
* On 64 bit systems, the "kernel.pid_max" sysctl is now bumped to
4194304 by default, i.e. the full 22bit range the kernel allows, up
from the old 16-bit range. This should improve security and
robustness, as PID collisions are made less likely (though certainly
still possible). There are rumours this might create compatibility
problems, though at this moment no practical ones are known to
us. Downstream distributions are hence advised to undo this change in
their builds if they are concerned about maximum compatibility, but
for everybody else we recommend leaving the value bumped. Besides
improving security and robustness this should also simplify things as
the maximum number of allowed concurrent tasks was previously bounded
by both "kernel.pid_max" and "kernel.threads-max" and now effectively
only a single knob is left ("kernel.threads-max"). There have been
concerns that usability is affected by this change because larger PID
numbers are harder to type, but we believe the change from 5 digits
to 7 digits doesn't hamper usability.
* MemoryLow= and MemoryMin= gained hierarchy-aware counterparts,
DefaultMemoryLow= and DefaultMemoryMin=, which can be used to
hierarchically set default memory protection values for a particular
subtree of the unit hierarchy.
* Memory protection directives can now take a value of zero, allowing
explicit opting out of a default value propagated by an ancestor.
* systemd now defaults to the "unified" cgroup hierarchy setup during
build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
default. Previously, -Ddefault-hierarchy=hybrid was the default. This
change reflects the fact that cgroupsv2 support has matured
substantially in both systemd and in the kernel, and is clearly the
way forward. Downstream production distributions might want to
continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for
their builds as unfortunately the popular container managers have not
caught up with the kernel API changes.
* Man pages are not built by default anymore (html pages were already
disabled by default), to make development builds quicker. When
building systemd for a full installation with documentation, meson
should be called with -Dman=true and/or -Dhtml=true as appropriate.
The default was changed based on the assumption that quick one-off or
repeated development builds are much more common than full optimized
builds for installation, and people need to pass various other
options to when doing "proper" builds anyway, so the gain from making
development builds quicker is bigger than the one time disruption for
packagers.
Two scripts are created in the *build* directory to generate and
preview man and html pages on demand, e.g.:
build/man/man systemctl
build/man/html systemd.index
* libidn2 is used by default if both libidn2 and libidn are installed.
Please use -Dlibidn=true if libidn is preferred.
* The D-Bus "wire format" of the CPUAffinity= attribute is changed on
big-endian machines. Before, bytes were written and read in native
machine order as exposed by the native libc __cpu_mask interface.
Now, little-endian order is always used (CPUs 07 are described by
bits 07 in byte 0, CPUs 815 are described by byte 1, and so on).
This change fixes D-Bus calls that cross endianness boundary.
The presentation format used for CPUAffinity= by "systemctl show" and
"systemd-analyze dump" is changed to present CPU indices instead of
the raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be
shown as CPUAffinity=03000000000000000000000000000… (on
little-endian) or CPUAffinity=00000000000000300000000000000… (on
64-bit big-endian), and is now shown as CPUAffinity=0-1, matching the
input format. The maximum integer that will be printed in the new
format is 8191 (four digits), while the old format always used a very
long number (with the length varying by architecture), so they can be
unambiguously distinguished.
* /usr/sbin/halt.local is no longer supported. Implementation in
distributions was inconsistent and it seems this functionality was
very rarely used.
To replace this functionality, users should:
- either define a new unit and make it a dependency of final.target
(systemctl add-wants final.target my-halt-local.service)
- or move the shutdown script to /usr/lib/systemd/system-shutdown/
and ensure that it accepts "halt", "poweroff", "reboot", and
"kexec" as an argument, see the description in systemd-shutdown(8).
* When a [Match] section in .link or .network file is empty (contains
no match patterns), a warning will be emitted. Please add any "match
all" pattern instead, e.g. OriginalName=* or Name=* in case all
interfaces should really be matched.
* A new setting NUMAPolicy= may be used to set process memory
allocation policy. This setting can be specified in
/etc/systemd/system.conf and hence will set the default policy for
PID1. The default policy can be overridden on a per-service
basis. The related setting NUMAMask= is used to specify NUMA node
mask that should be associated with the selected policy.
* PID 1 will now listen to Out-Of-Memory (OOM) events the kernel
generates when processes it manages are reaching their memory limits,
and will place their units in a special state, and optionally kill or
stop the whole unit.
* The service manager will now expose bus properties for the IO
resources used by units. This information is also shown in "systemctl
status" now (for services that have IOAccounting=yes set). Moreover,
the IO accounting data is included in the resource log message
generated whenever a unit stops.
* Units may now configure an explicit timeout to wait for when killed
with SIGABRT, for example when a service watchdog is hit. Previously,
the regular TimeoutStopSec= timeout was applied in this case too —
now a separate timeout may be set using TimeoutAbortSec=.
* Services may now send a special WATCHDOG=trigger message with
sd_notify() to trigger an immediate "watchdog missed" event, and thus
trigger service termination. This is useful both for testing watchdog
handling, but also for defining error paths in services, that shall
be handled the same way as watchdog events.
* There are two new per-unit settings IPIngressFilterPath= and
IPEgressFilterPath= which allow configuration of a BPF program
(usually by specifying a path to a program uploaded to /sys/fs/bpf/)
to apply to the IP packet ingress/egress path of all processes of a
unit. This is useful to allow running systemd services with BPF
programs set up externally.
* systemctl gained a new "clean" verb for removing the state, cache,
runtime or logs directories of a service while it is terminated. The
new verb may also be used to remove the state maintained on disk for
timer units that have Persistent= configured.
* During the last phase of shutdown systemd will now automatically
increase the log level configured in the "kernel.printk" sysctl so
that any relevant loggable events happening during late shutdown are
made visible. Previously, loggable events happening so late during
shutdown were generally lost if the "kernel.printk" sysctl was set to
high thresholds, as regular logging daemons are terminated at that
time and thus nothing is written to disk.
* If processes terminated during the last phase of shutdown do not exit
quickly systemd will now show their names after a short time, to make
debugging easier. After a longer timeout they are forcibly killed,
as before.
* journalctl (and the other tools that display logs) will now highlight
warnings in yellow (previously, both LOG_NOTICE and LOG_WARNING where
shown in bright bold, now only LOG_NOTICE is). Moreover, audit logs
are now shown in blue color, to separate them visually from regular
logs. References to configuration files are now turned into clickable
links on terminals that support that.
* systemd-journald will now stop logging to /var/log/journal during
shutdown when /var/ is on a separate mount, so that it can be
unmounted safely during shutdown.
* systemd-resolved gained support for a new 'strict' DNS-over-TLS mode.
* systemd-resolved "Cache=" configuration option in resolved.conf has
been extended to also accept the 'no-negative' value. Previously,
only a boolean option was allowed (yes/no), having yes as the
default. If this option is set to 'no-negative', negative answers are
not cached while the old cache heuristics are used positive answers.
The default remains unchanged.
* The predictable naming scheme for network devices now supports
generating predictable names for "netdevsim" devices.
Moreover, the "en" prefix was dropped from the ID_NET_NAME_ONBOARD
udev property.
Those two changes form a new net.naming_scheme= entry. Distributions
which want to preserve naming stability may want to set the
-Ddefault-net-naming-scheme= configuration option.
* systemd-networkd now supports MACsec, nlmon, IPVTAP and Xfrm
interfaces natively.
* systemd-networkd's bridge FDB support now allows configuration of a
destination address for each entry (Destination=), as well as the
VXLAN VNI (VNI=), as well as an option to declare what an entry is
associated with (AssociatedWith=).
* systemd-networkd's DHCPv4 support now understands a new MaxAttempts=
option for configuring the maximum number of DHCP lease requests. It
also learnt a new BlackList= option for deny-listing DHCP servers (a
similar setting has also been added to the IPv6 RA client), as well
as a SendRelease= option for configuring whether to send a DHCP
RELEASE message when terminating.
* systemd-networkd's DHCPv4 and DHCPv6 stacks can now be configured
separately in the [DHCPv4] and [DHCPv6] sections.
* systemd-networkd's DHCP support will now optionally create an
implicit host route to the DNS server specified in the DHCP lease, in
addition to the routes listed explicitly in the lease. This should
ensure that in multi-homed systems DNS traffic leaves the systems on
the interface that acquired the DNS server information even if other
routes such as default routes exist. This behaviour may be turned on
with the new RoutesToDNS= option.
* systemd-networkd's VXLAN support gained a new option
GenericProtocolExtension= for enabling VXLAN Generic Protocol
Extension support, as well as IPDoNotFragment= for setting the IP
"Don't fragment" bit on outgoing packets. A similar option has been
added to the GENEVE support.
* In systemd-networkd's [Route] section you may now configure
FastOpenNoCookie= for configuring per-route TCP fast-open support, as
well as TTLPropagate= for configuring Label Switched Path (LSP) TTL
propagation. The Type= setting now supports local, broadcast,
anycast, multicast, any, xresolve routes, too.
* systemd-networkd's [Network] section learnt a new option
DefaultRouteOnDevice= for automatically configuring a default route
onto the network device.
* systemd-networkd's bridging support gained two new options ProxyARP=
and ProxyARPWifi= for configuring proxy ARP behaviour as well as
MulticastRouter= for configuring multicast routing behaviour. A new
option MulticastIGMPVersion= may be used to change bridge's multicast
Internet Group Management Protocol (IGMP) version.
* systemd-networkd's FooOverUDP support gained the ability to configure
local and peer IP addresses via Local= and Peer=. A new option
PeerPort= may be used to configure the peer's IP port.
* systemd-networkd's TUN support gained a new setting VnetHeader= for
tweaking Generic Segment Offload support.
* The address family for policy rules may be specified using the new
Family= option in the [RoutingPolicyRule] section.
* networkctl gained a new "delete" command for removing virtual network
devices, as well as a new "--stats" switch for showing device
statistics.
* networkd.conf gained a new setting SpeedMeter= and
SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The
measured speed may be shown by 'networkctl status'.
* "networkctl status" now displays MTU and queue lengths, and more
detailed information about VXLAN and bridge devices.
* systemd-networkd's .network and .link files gained a new Property=
setting in the [Match] section, to match against devices with
specific udev properties.
* systemd-networkd's tunnel support gained a new option
AssignToLoopback= for selecting whether to use the loopback device
"lo" as underlying device.
* systemd-networkd's MACAddress= setting in the [Neighbor] section has
been renamed to LinkLayerAddress=, and it now allows configuration of
IP addresses, too.
* systemd-networkd's handling of the kernel's disable_ipv6 sysctl is
simplified: systemd-networkd will disable the sysctl (enable IPv6) if
IPv6 configuration (static or DHCPv6) was found for a given
interface. It will not touch the sysctl otherwise.
* The order of entries is $PATH used by the user manager instance was
changed to put bin/ entries before the corresponding sbin/ entries.
It is recommended to not rely on this order, and only ever have one
binary with a given name in the system paths under /usr.
* A new tool systemd-network-generator has been added that may generate
.network, .netdev and .link files from IP configuration specified on
the kernel command line in the format used by Dracut.
* The CriticalConnection= setting in .network files is now deprecated,
and replaced by a new KeepConfiguration= setting which allows more
detailed configuration of the IP configuration to keep in place.
* systemd-analyze gained a few new verbs:
- "systemd-analyze timestamp" parses and converts timestamps. This is
similar to the existing "systemd-analyze calendar" command which
does the same for recurring calendar events.
- "systemd-analyze timespan" parses and converts timespans (i.e.
durations as opposed to points in time).
- "systemd-analyze condition" will parse and test ConditionXYZ=
expressions.
- "systemd-analyze exit-status" will parse and convert exit status
codes to their names and back.
- "systemd-analyze unit-files" will print a list of all unit
file paths and unit aliases.
* SuccessExitStatus=, RestartPreventExitStatus=, and
RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
is equivalent to "65"). Those exit status name mappings may be
displayed with the systemd-analyze exit-status verb describe above.
* systemd-logind now exposes a per-session SetBrightness() bus call,
which may be used to securely change the brightness of a kernel
brightness device, if it belongs to the session's seat. By using this
call unprivileged clients can make changes to "backlight" and "leds"
devices securely with strict requirements on session membership.
Desktop environments may use this to generically make brightness
changes to such devices without shipping private SUID binaries or
udev rules for that purpose.
* "udevadm info" gained a --wait-for-initialization switch to wait for
a device to be initialized.
* systemd-hibernate-resume-generator will now look for resumeflags= on
the kernel command line, which is similar to rootflags= and may be
used to configure device timeout for the hibernation device.
* sd-event learnt a new API call sd_event_source_disable_unref() for
disabling and unref'ing an event source in a single function. A
related call sd_event_source_disable_unrefp() has been added for use
with gcc's cleanup extension.
* The sd-id128.h public API gained a new definition
SD_ID128_UUID_FORMAT_STR for formatting a 128-bit ID in UUID format
with printf().
* "busctl introspect" gained a new switch --xml-interface for dumping
XML introspection data unmodified.
* PID 1 may now show the unit name instead of the unit description
string in its status output during boot. This may be configured in
the StatusUnitFormat= setting in /etc/systemd/system.conf or the
kernel command line option systemd.status_unit_format=.
* PID 1 now understands a new option KExecWatchdogSec= in
/etc/systemd/system.conf to set a watchdog timeout for kexec reboots.
Previously watchdog functionality was only available for regular
reboots. The new setting defaults to off, because we don't know in
the general case if the watchdog will be reset after kexec (some
drivers do reset it, but not all), and the new userspace might not be
configured to handle the watchdog.
Moreover, the old ShutdownWatchdogSec= setting has been renamed to
RebootWatchdogSec= to more clearly communicate what it is about. The
old name is still accepted for compatibility.
* The systemd.debug_shell kernel command line option now optionally
takes a tty name to spawn the debug shell on, which allows a
different tty to be selected than the built-in default.
* Service units gained a new ExecCondition= setting which will run
before ExecStartPre= and either continue execution of the unit (for
clean exit codes), stop execution without marking the unit failed
(for exit codes 1 through 254), or stop execution and fail the unit
(for exit code 255 or abnormal termination).
* A new service systemd-pstore.service has been added that pulls data
from /sys/fs/pstore/ and saves it to /var/lib/pstore for later
review.
* timedatectl gained new verbs for configuring per-interface NTP
service configuration for systemd-timesyncd.
* "localectl list-locales" won't list non-UTF-8 locales anymore. It's
2019. (You can set non-UTF-8 locales though, if you know their name.)
* If variable assignments in sysctl.d/ files are prefixed with "-" any
failures to apply them are now ignored.
* systemd-random-seed.service now optionally credits entropy when
applying the seed to the system. Set $SYSTEMD_RANDOM_SEED_CREDIT to
true for the service to enable this behaviour, but please consult the
documentation first, since this comes with a couple of caveats.
* systemd-random-seed.service is now a synchronization point for full
initialization of the kernel's entropy pool. Services that require
/dev/urandom to be correctly initialized should be ordered after this
service.
* The systemd-boot boot loader has been updated to optionally maintain
a random seed file in the EFI System Partition (ESP). During the boot
phase, this random seed is read and updated with a new seed
cryptographically derived from it. Another derived seed is passed to
the OS. The latter seed is then credited to the kernel's entropy pool
very early during userspace initialization (from PID 1). This allows
systems to boot up with a fully initialized kernel entropy pool from
earliest boot on, and thus entirely removes all entropy pool
initialization delays from systems using systemd-boot. Special care
is taken to ensure different seeds are derived on system images
replicated to multiple systems. "bootctl status" will show whether
a seed was received from the boot loader.
* bootctl gained two new verbs:
- "bootctl random-seed" will generate the file in ESP and an EFI
variable to allow a random seed to be passed to the OS as described
above.
- "bootctl is-installed" checks whether systemd-boot is currently
installed.
* bootctl will warn if it detects that boot entries are misconfigured
(for example if the kernel image was removed without purging the
bootloader entry).
* A new document has been added describing systemd's use and support
for the kernel's entropy pool subsystem:
https://systemd.io/RANDOM_SEEDS
* When the system is hibernated the swap device to write the
hibernation image to is now automatically picked from all available
swap devices, preferring the swap device with the highest configured
priority over all others, and picking the device with the most free
space if there are multiple devices with the highest priority.
* /etc/crypttab support has learnt a new keyfile-timeout= per-device
option that permits selecting the timeout how long to wait for a
device with an encryption key before asking for the password.
* IOWeight= has learnt to properly set the IO weight when using the
BFQ scheduler officially found in kernels 5.0+.
* A new mailing list has been created for reporting of security issues:
systemd-security@redhat.com. For mode details, see
https://systemd.io/CONTRIBUTING#security-vulnerability-reports.
Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht
Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey,
Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris
Chiu, Chris Down, Christian Göttsche, Christian Kellner, Clinton Roy,
Connor Reeder, Daniel Black, Daniel Lublin, Daniele Medri, Dan
Streetman, Dave Reisner, Dave Ross, David Art, David Tardon, Debarshi
Ray, Dimitri John Ledkov, Dominick Grift, Donald Buczek, Douglas
Christman, Eric DeVolder, EtherGraf, Evgeny Vereshchagin, Feldwor,
Felix Riemann, Florian Dollinger, Francesco Pennica, Franck Bui,
Frantisek Sumsal, Franz Pletz, frederik, Hans de Goede, Iago López
Galeiras, Insun Pyo, Ivan Shapovalov, Iwan Timmer, Jack, Jakob
Unterwurzacher, Jan Chren, Jan Klötzke, Jan Losinski, Jan Pokorný, Jan
Synacek, Jan-Michael Brummer, Jeka Pats, Jeremy Soller, Jérémy Rosen,
Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann B. Guðmundsson,
Johannes Christ, Johannes Schmitz, Jonathan Rouleau, Jorge Niedbalski,
Jörg Thalheim, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy,
Krayushkin Konstantin, Lennart Poettering, Lubomir Rintel, Luca
Boccassi, Luís Ferreira, Marc-André Lureau, Markus Felten, Martin Pitt,
Matthew Leeds, Mattias Jernberg, Michael Biebl, Michael Olbrich,
Michael Prokop, Michael Stapelberg, Michael Zhivich, Michal Koutný,
Michal Sekletar, Mike Gilbert, Milan Broz, Miroslav Lichvar, mpe85,
Mr-Foo, Network Silence, Oliver Harley, pan93412, Paul Menzel, pEJipE,
Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Robert
Scheck, Roberto Santalla, Ronan Pigott, root, RussianNeuroMancer,
Sebastian Jennen, shinygold, Shreyas Behera, Simon Schricker, Susant
Sahani, Thadeu Lima de Souza Cascardo, Theo Ouzhinski, Thiebaud
Weksteen, Thomas Haller, Thomas Weißschuh, Tomas Mraz, Tommi Rantala,
Topi Miettinen, VD-Lycos, ven, Vladimir Yerilov, Wieland Hoffmann,
William A. Kennington III, William Wold, Xi Ruoyao, Yuri Chornoivan,
Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei
Camerino, 2019-09-03
CHANGES WITH 242:
* In .link files, MACAddressPolicy=persistent (the default) is changed
to cover more devices. For devices like bridges, tun, tap, bond, and
similar interfaces that do not have other identifying information,
the interface name is used as the basis for persistent seed for MAC
and IPv4LL addresses. The way that devices that were handled
previously is not changed, and this change is about covering more
devices then previously by the "persistent" policy.
MACAddressPolicy=random may be used to force randomized MACs and
IPv4LL addresses for a device if desired.
Hint: the log output from udev (at debug level) was enhanced to
clarify what policy is followed and which attributes are used.
`SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>`
may be used to view this.
Hint: if a bridge interface is created without any slaves, and gains
a slave later, then now the bridge does not inherit slave's MAC.
To inherit slave's MAC, for example, create the following file:
```
# /etc/systemd/network/98-bridge-inherit-mac.link
[Match]
Type=bridge
[Link]
MACAddressPolicy=none
```
* The .device units generated by systemd-fstab-generator and other
generators do not automatically pull in the corresponding .mount unit
as a Wants= dependency. This means that simply plugging in the device
will not cause the mount unit to be started automatically. But please
note that the mount unit may be started for other reasons, in
particular if it is part of local-fs.target, and any unit which
(transitively) depends on local-fs.target is started.
* networkctl list/status/lldp now accept globbing wildcards for network
interface names to match against all existing interfaces.
* The $PIDFILE environment variable is set to point the absolute path
configured with PIDFile= for processes of that service.
* The fallback DNS server list was augmented with Cloudflare public DNS
servers. Use `-Ddns-servers=` to set a different fallback.
* A new special target usb-gadget.target will be started automatically
when a USB Device Controller is detected (which means that the system
is a USB peripheral).
* A new unit setting CPUQuotaPeriodSec= assigns the time period
relatively to which the CPU time quota specified by CPUQuota= is
measured.
* A new unit setting ProtectHostname= may be used to prevent services
from modifying hostname information (even if they otherwise would
have privileges to do so).
* A new unit setting NetworkNamespacePath= may be used to specify a
namespace for service or socket units through a path referring to a
Linux network namespace pseudo-file.
* The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now
have an effect on .socket units: when used the listening socket is
created within the configured network namespace instead of the host
namespace.
* ExecStart= command lines in unit files may now be prefixed with ':'
in which case environment variable substitution is
disabled. (Supported for the other ExecXYZ= settings, too.)
* .timer units gained two new boolean settings OnClockChange= and
OnTimezoneChange= which may be used to also trigger a unit when the
system clock is changed or the local timezone is
modified. systemd-run has been updated to make these options easily
accessible from the command line for transient timers.
* Two new conditions for units have been added: ConditionMemory= may be
used to conditionalize a unit based on installed system
RAM. ConditionCPUs= may be used to conditionalize a unit based on
installed CPU cores.
* The @default system call filter group understood by SystemCallFilter=
has been updated to include the new rseq() system call introduced in
kernel 4.15.
* A new time-set.target has been added that indicates that the system
time has been set from a local source (possibly imprecise). The
existing time-sync.target is stronger and indicates that the time has
been synchronized with a precise external source. Services where
approximate time is sufficient should use the new target.
* "systemctl start" (and related commands) learnt a new
--show-transaction option. If specified brief information about all
jobs queued because of the requested operation is shown.
* systemd-networkd recognizes a new operation state 'enslaved', used
(instead of 'degraded' or 'carrier') for interfaces which form a
bridge, bond, or similar, and an new 'degraded-carrier' operational
state used for the bond or bridge master interface when one of the
enslaved devices is not operational.
* .network files learnt the new IgnoreCarrierLoss= option for leaving
networks configured even if the carrier is lost.
* The RequiredForOnline= setting in .network files may now specify a
minimum operational state required for the interface to be considered
"online" by systemd-networkd-wait-online. Related to this
systemd-networkd-wait-online gained a new option --operational-state=
to configure the same, and its --interface= option was updated to
optionally also take an operational state specific for an interface.
* systemd-networkd-wait-online gained a new setting --any for waiting
for only one of the requested interfaces instead of all of them.
* systemd-networkd now implements L2TP tunnels.
* Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix=
may be used to cause autonomous and onlink prefixes received in IPv6
Router Advertisements to be ignored.
* New MulticastFlood=, NeighborSuppression=, and Learning= .network
file settings may be used to tweak bridge behaviour.
* The new TripleSampling= option in .network files may be used to
configure CAN triple sampling.
* A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be
used to point to private or preshared key for a WireGuard interface.
* /etc/crypttab now supports the same-cpu-crypt and
submit-from-crypt-cpus options to tweak encryption work scheduling
details.
* systemd-tmpfiles will now take a BSD file lock before operating on a
contents of directory. This may be used to temporarily exclude
directories from aging by taking the same lock (useful for example
when extracting a tarball into /tmp or /var/tmp as a privileged user,
which might create files with really old timestamps, which
nevertheless should not be deleted). For further details, see:
https://systemd.io/TEMPORARY_DIRECTORIES
* systemd-tmpfiles' h line type gained support for the
FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5),
controlling project quota inheritance.
* sd-boot and bootctl now implement support for an Extended Boot Loader
(XBOOTLDR) partition, that is intended to be mounted to /boot, in
addition to the ESP partition mounted to /efi or /boot/efi.
Configuration file fragments, kernels, initrds and other EFI images
to boot will be loaded from both the ESP and XBOOTLDR partitions.
The XBOOTLDR partition was previously described by the Boot Loader
Specification, but implementation was missing in sd-boot. Support for
this concept allows using the sd-boot boot loader in more
conservative scenarios where the boot loader itself is placed in the
ESP but the kernels to boot (and their metadata) in a separate
partition.
* A system may now be booted with systemd.volatile=overlay on the
kernel command line, which causes the root file system to be set up
an overlayfs mount combining the root-only root directory with a
writable tmpfs. In this setup, the underlying root device is not
modified, and any changes are lost at reboot.
* Similar, systemd-nspawn can now boot containers with a volatile
overlayfs root with the new --volatile=overlay switch.
* systemd-nspawn can now consume OCI runtime bundles using a new
--oci-bundle= option. This implementation is fully usable, with most
features in the specification implemented, but since this a lot of
new code and functionality, this feature should most likely not
be used in production yet.
* systemd-nspawn now supports various options described by the OCI
runtime specification on the command-line and in .nspawn files:
--inaccessible=/Inaccessible= may be used to mask parts of the file
system tree, --console=/--pipe may be used to configure how standard
input, output, and error are set up.
* busctl learned the `emit` verb to generate D-Bus signals.
* systemd-analyze cat-config may be used to gather and display
configuration spread over multiple files, for example system and user
presets, tmpfiles.d, sysusers.d, udev rules, etc.
* systemd-analyze calendar now takes an optional new parameter
--iterations= which may be used to show a maximum number of iterations
the specified expression will elapse next.
* The sd-bus C API gained support for naming method parameters in the
introspection data.
* systemd-logind gained D-Bus APIs to specify the "reboot parameter"
the reboot() system call expects.
* journalctl learnt a new --cursor-file= option that points to a file
from which a cursor should be loaded in the beginning and to which
the updated cursor should be stored at the end.
* ACRN hypervisor and Windows Subsystem for Linux (WSL) are now
detected by systemd-detect-virt (and may also be used in
ConditionVirtualization=).
* The behaviour of systemd-logind may now be modified with environment
variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP,
$SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and
$SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either
skip the relevant operation completely (when set to false), or to
create a flag file in /run/systemd (when set to true), instead of
actually commencing the real operation when requested. The presence
of /run/systemd/reboot-to-firmware-setup,
/run/systemd/reboot-to-boot-loader-menu, and
/run/systemd/reboot-to-boot-loader-entry, may be used by alternative
boot loader implementations to replace some steps logind performs
during reboot with their own operations.
* systemctl can be used to request a reboot into the boot loader menu
or a specific boot loader entry with the new --boot-load-menu= and
--boot-loader-entry= options to a reboot command. (This requires a
boot loader that supports this, for example sd-boot.)
* kernel-install will no longer unconditionally create the output
directory (e.g. /efi/<machine-id>/<kernel-version>) for boot loader
snippets, but will do only if the machine-specific parent directory
(i.e. /efi/<machine-id>/) already exists. bootctl has been modified
to create this parent directory during sd-boot installation.
This makes it easier to use kernel-install with plugins which support
a different layout of the bootloader partitions (for example grub2).
* During package installation (with `ninja install`), we would create
symlinks for getty@tty1.service, systemd-networkd.service,
systemd-networkd.socket, systemd-resolved.service,
remote-cryptsetup.target, remote-fs.target,
systemd-networkd-wait-online.service, and systemd-timesyncd.service
in /etc, as if `systemctl enable` was called for those units, to make
the system usable immediately after installation. Now this is not
done anymore, and instead calling `systemctl preset-all` is
recommended after the first installation of systemd.
* A new boolean sandboxing option RestrictSUIDSGID= has been added that
is built on seccomp. When turned on creation of SUID/SGID files is
prohibited.
* The NoNewPrivileges= and the new RestrictSUIDSGID= options are now
implied if DynamicUser= is turned on for a service. This hardens
these services, so that they neither can benefit from nor create
SUID/SGID executables. This is a minor compatibility breakage, given
that when DynamicUser= was first introduced SUID/SGID behaviour was
unaffected. However, the security benefit of these two options is
substantial, and the setting is still relatively new, hence we opted
to make it mandatory for services with dynamic users.
Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin,
Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani,
Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin,
Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black,
Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny
Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal,
Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun
Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski,
Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart
Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias
Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal
Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone,
Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan
Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant
Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo
Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi
Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu,
Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Warsaw, 2019-04-11
CHANGES WITH 241:
* The default locale can now be configured at compile time. Otherwise,
a suitable default will be selected automatically (one of C.UTF-8,
en_US.UTF-8, and C).
* The version string shown by systemd and other tools now includes the
git commit hash when built from git. An override may be specified
during compilation, which is intended to be used by distributions to
include the package release information.
* systemd-cat can now filter standard input and standard error streams
for different syslog priorities using the new --stderr-priority=
option.
* systemd-journald and systemd-journal-remote reject entries which
contain too many fields (CVE-2018-16865) and set limits on the
process' command line length (CVE-2018-16864).
* $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd
again.
* A new network device NamePolicy "keep" is implemented for link files,
and used by default in 99-default.link (the fallback configuration
provided by systemd). With this policy, if the network device name
was already set by userspace, the device will not be renamed again.
This matches the naming scheme that was implemented before
systemd-240. If naming-scheme < 240 is specified, the "keep" policy
is also enabled by default, even if not specified. Effectively, this
means that if naming-scheme >= 240 is specified, network devices will
be renamed according to the configuration, even if they have been
renamed already, if "keep" is not specified as the naming policy in
the .link file. The 99-default.link file provided by systemd includes
"keep" for backwards compatibility, but it is recommended for user
installed .link files to *not* include it.
The "kernel" policy, which keeps kernel names declared to be
"persistent", now works again as documented.
* kernel-install script now optionally takes the paths to one or more
initrd files, and passes them to all plugins.
* The mincore() system call has been dropped from the @system-service
system call filter group, as it is pretty exotic and may potentially
used for side-channel attacks.
* -fPIE is dropped from compiler and linker options. Please specify
-Db_pie=true option to meson to build position-independent
executables. Note that the meson option is supported since meson-0.49.
* The fs.protected_regular and fs.protected_fifos sysctls, which were
added in Linux 4.19 to make some data spoofing attacks harder, are
now enabled by default. While this will hopefully improve the
security of most installations, it is technically a backwards
incompatible change; to disable these sysctls again, place the
following lines in /etc/sysctl.d/60-protected.conf or a similar file:
fs.protected_regular = 0
fs.protected_fifos = 0
Note that the similar hardlink and symlink protection has been
enabled since v199, and may be disabled likewise.
* The files read from the EnvironmentFile= setting in unit files now
parse backslashes inside quotes literally, matching the behaviour of
POSIX shells.
* udevadm trigger, udevadm control, udevadm settle and udevadm monitor
now automatically become NOPs when run in a chroot() environment.
* The tmpfiles.d/ "C" line type will now copy directory trees not only
when the destination is so far missing, but also if it already exists
as a directory and is empty. This is useful to cater for systems
where directory trees are put together from multiple separate mount
points but otherwise empty.
* A new function sd_bus_close_unref() (and the associated
sd_bus_close_unrefp()) has been added to libsystemd, that combines
sd_bus_close() and sd_bus_unref() in one.
* udevadm control learnt a new option for --ping for testing whether a
systemd-udevd instance is running and reacting.
* udevadm trigger learnt a new option for --wait-daemon for waiting
systemd-udevd daemon to be initialized.
Contributions from: Aaron Plattner, Alberts Muktupāvels, Alex Mayer,
Ayman Bagabas, Beniamino Galvani, Burt P, Chris Down, Chris Lamb, Chris
Morin, Christian Hesse, Claudius Ellsel, dana, Daniel Axtens, Daniele
Medri, Dave Reisner, David Santamaría Rogado, Diego Canuhe, Dimitri
John Ledkov, Evgeny Vereshchagin, Fabrice Fontaine, Filipe
Brandenburger, Franck Bui, Frantisek Sumsal, govwin, Hans de Goede,
James Hilliard, Jan Engelhardt, Jani Uusitalo, Jan Janssen, Jan
Synacek, Jonathan McDowell, Jonathan Roemer, Jonathon Kowalski, Joost
Heitbrink, Jörg Thalheim, Lance, Lennart Poettering, Louis Taylor,
Lucas Werkmeister, Mantas Mikulėnas, Marc-Antoine Perennou,
marvelousblack, Michael Biebl, Michael Sloan, Michal Sekletar, Mike
Auty, Mike Gilbert, Mikhail Kasimov, Neil Brown, Niklas Hambüchen,
Patrick Williams, Paul Seyfert, Peter Hutterer, Philip Withnall, Roger
James, Ronnie P. Thomas, Ryan Gonzalez, Sam Morris, Stephan Edel,
Stephan Gerhold, Susant Sahani, Taro Yamada, Thomas Haller, Topi
Miettinen, YiFei Zhu, YmrDtnJu, YunQiang Su, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek, zsergeant77, Дамјан Георгиевски
— Berlin, 2019-02-14
CHANGES WITH 240:
* NoNewPrivileges=yes has been set for all long-running services
implemented by systemd. Previously, this was problematic due to
SELinux (as this would also prohibit the transition from PID1's label
to the service's label). This restriction has since been lifted, but
an SELinux policy update is required.
(See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.)
* DynamicUser=yes is dropped from systemd-networkd.service,
systemd-resolved.service and systemd-timesyncd.service, which was
enabled in v239 for systemd-networkd.service and systemd-resolved.service,
and since v236 for systemd-timesyncd.service. The users and groups
systemd-network, systemd-resolve and systemd-timesync are created
by systemd-sysusers again. Distributors or system administrators
may need to create these users and groups if they not exist (or need
to re-enable DynamicUser= for those units) while upgrading systemd.
Also, the clock file for systemd-timesyncd may need to move from
/var/lib/private/systemd/timesync/clock to /var/lib/systemd/timesync/clock.
* When unit files are loaded from disk, previously systemd would
sometimes (depending on the unit loading order) load units from the
target path of symlinks in .wants/ or .requires/ directories of other
units. This meant that unit could be loaded from different paths
depending on whether the unit was requested explicitly or as a
dependency of another unit, not honouring the priority of directories
in search path. It also meant that it was possible to successfully
load and start units which are not found in the unit search path, as
long as they were requested as a dependency and linked to from
.wants/ or .requires/. The target paths of those symlinks are not
used for loading units anymore and the unit file must be found in
the search path.
* A new service type has been added: Type=exec. It's very similar to
Type=simple but ensures the service manager will wait for both fork()
and execve() of the main service binary to complete before proceeding
with follow-up units. This is primarily useful so that the manager
propagates any errors in the preparation phase of service execution
back to the job that requested the unit to be started. For example,
consider a service that has ExecStart= set to a file system binary
that doesn't exist. With Type=simple starting the unit would be
considered instantly successful, as only fork() has to complete
successfully and the manager does not wait for execve(), and hence
its failure is seen "too late". With the new Type=exec service type
starting the unit will fail, as the manager will wait for the
execve() and notice its failure, which is then propagated back to the
start job.
NOTE: with the next release 241 of systemd we intend to change the
systemd-run tool to default to Type=exec for transient services
started by it. This should be mostly safe, but in specific corner
cases might result in problems, as the systemd-run tool will then
block on NSS calls (such as user name look-ups due to User=) done
between the fork() and execve(), which under specific circumstances
might cause problems. It is recommended to specify "-p Type=simple"
explicitly in the few cases where this applies. For regular,
non-transient services (i.e. those defined with unit files on disk)
we will continue to default to Type=simple.
* The Linux kernel's current default RLIMIT_NOFILE resource limit for
userspace processes is set to 1024 (soft) and 4096
(hard). Previously, systemd passed this on unmodified to all
processes it forked off. With this systemd release the hard limit
systemd passes on is increased to 512K, overriding the kernel's
defaults and substantially increasing the number of simultaneous file
descriptors unprivileged userspace processes can allocate. Note that
the soft limit remains at 1024 for compatibility reasons: the
traditional UNIX select() call cannot deal with file descriptors >=
1024 and increasing the soft limit globally might thus result in
programs unexpectedly allocating a high file descriptor and thus
failing abnormally when attempting to use it with select() (of
course, programs shouldn't use select() anymore, and prefer
poll()/epoll, but the call unfortunately remains undeservedly popular
at this time). This change reflects the fact that file descriptor
handling in the Linux kernel has been optimized in more recent
kernels and allocating large numbers of them should be much cheaper
both in memory and in performance than it used to be. Programs that
want to take benefit of the increased limit have to "opt-in" into
high file descriptors explicitly by raising their soft limit. Of
course, when they do that they must acknowledge that they cannot use
select() anymore (and neither can any shared library they use — or
any shared library used by any shared library they use and so on).
Which default hard limit is most appropriate is of course hard to
decide. However, given reports that ~300K file descriptors are used
in real-life applications we believe 512K is sufficiently high as new
default for now. Note that there are also reports that using very
high hard limits (e.g. 1G) is problematic: some software allocates
large arrays with one element for each potential file descriptor
(Java, …) — a high hard limit thus triggers excessively large memory
allocations in these applications. Hopefully, the new default of 512K
is a good middle ground: higher than what real-life applications
currently need, and low enough for avoid triggering excessively large
allocations in problematic software. (And yes, somebody should fix
Java.)
* The fs.nr_open and fs.file-max sysctls are now automatically bumped
to the highest possible values, as separate accounting of file
descriptors is no longer necessary, as memcg tracks them correctly as
part of the memory accounting anyway. Thus, from the four limits on
file descriptors currently enforced (fs.file-max, fs.nr_open,
RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two,
and keep only the latter two. A set of build-time options
(-Dbump-proc-sys-fs-file-max=false and -Dbump-proc-sys-fs-nr-open=false)
has been added to revert this change in behaviour, which might be
an option for systems that turn off memcg in the kernel.
* When no /etc/locale.conf file exists (and hence no locale settings
are in place), systemd will now use the "C.UTF-8" locale by default,
and set LANG= to it. This locale is supported by various
distributions including Fedora, with clear indications that upstream
glibc is going to make it available too. This locale enables UTF-8
mode by default, which appears appropriate for 2018.
* The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by
default. This effectively switches the RFC3704 Reverse Path filtering
from Strict mode to Loose mode. This is more appropriate for hosts
that have multiple links with routes to the same networks (e.g.
a client with a Wi-Fi and Ethernet both connected to the internet).
Consult the kernel documentation for details on this sysctl:
https://docs.kernel.org/networking/ip-sysctl.html
* The v239 change to turn on "net.ipv4.tcp_ecn" by default has been
reverted.
* CPUAccounting=yes no longer enables the CPU controller when using
kernel 4.15+ and the unified cgroup hierarchy, as required accounting
statistics are now provided independently from the CPU controller.
* Support for disabling a particular cgroup controller within a sub-tree
has been added through the DisableControllers= directive.
* cgroup_no_v1=all on the kernel command line now also implies
using the unified cgroup hierarchy, unless one explicitly passes
systemd.unified_cgroup_hierarchy=0 on the kernel command line.
* The new "MemoryMin=" unit file property may now be used to set the
memory usage protection limit of processes invoked by the unit. This
controls the cgroup v2 memory.min attribute. Similarly, the new
"IODeviceLatencyTargetSec=" property has been added, wrapping the new
cgroup v2 io.latency cgroup property for configuring per-service I/O
latency.
* systemd now supports the cgroup v2 devices BPF logic, as counterpart
to the cgroup v1 "devices" cgroup controller.
* systemd-escape now is able to combine --unescape with --template. It
also learnt a new option --instance for extracting and unescaping the
instance part of a unit name.
* sd-bus now provides the sd_bus_message_readv() which is similar to
sd_bus_message_read() but takes a va_list object. The pair
sd_bus_set_method_call_timeout() and sd_bus_get_method_call_timeout()
has been added for configuring the default method call timeout to
use. sd_bus_error_move() may be used to efficiently move the contents
from one sd_bus_error structure to another, invalidating the
source. sd_bus_set_close_on_exit() and sd_bus_get_close_on_exit() may
be used to control whether a bus connection object is automatically
flushed when an sd-event loop is exited.
* When processing classic BSD syslog log messages, journald will now
save the original time-stamp string supplied in the new
SYSLOG_TIMESTAMP= journal field. This permits consumers to
reconstruct the original BSD syslog message more correctly.
* StandardOutput=/StandardError= in service files gained support for
new "append:…" parameters, for connecting STDOUT/STDERR of a service
to a file, and appending to it.
* The signal to use as last step of killing of unit processes is now
configurable. Previously it was hard-coded to SIGKILL, which may now
be overridden with the new KillSignal= setting. Note that this is the
signal used when regular termination (i.e. SIGTERM) does not suffice.
Similarly, the signal used when aborting a program in case of a
watchdog timeout may now be configured too (WatchdogSignal=).
* The XDG_SESSION_DESKTOP environment variable may now be configured in
the pam_systemd argument line, using the new desktop= switch. This is
useful to initialize it properly from a display manager without
having to touch C code.
* Most configuration options that previously accepted percentage values
now also accept permille values with the '‰' suffix (instead of '%').
* systemd-resolved may now optionally use OpenSSL instead of GnuTLS for
DNS-over-TLS.
* systemd-resolved's configuration file resolved.conf gained a new
option ReadEtcHosts= which may be used to turn off processing and
honoring /etc/hosts entries.
* The "--wait" switch may now be passed to "systemctl
is-system-running", in which case the tool will synchronously wait
until the system finished start-up.
* hostnamed gained a new bus call to determine the DMI product UUID.
* On x86-64 systemd will now prefer using the RDRAND processor
instruction over /dev/urandom whenever it requires randomness that
neither has to be crypto-grade nor should be reproducible. This
should substantially reduce the amount of entropy systemd requests
from the kernel during initialization on such systems, though not
reduce it to zero. (Why not zero? systemd still needs to allocate
UUIDs and such uniquely, which require high-quality randomness.)
* networkd gained support for Foo-Over-UDP, ERSPAN and ISATAP
tunnels. It also gained a new option ForceDHCPv6PDOtherInformation=
for forcing the "Other Information" bit in IPv6 RA messages. The
bonding logic gained four new options AdActorSystemPriority=,
AdUserPortKey=, AdActorSystem= for configuring various 802.3ad
aspects, and DynamicTransmitLoadBalancing= for enabling dynamic
shuffling of flows. The tunnel logic gained a new
IPv6RapidDeploymentPrefix= option for configuring IPv6 Rapid
Deployment. The policy rule logic gained four new options IPProtocol=,
SourcePort= and DestinationPort=, InvertRule=. The bridge logic gained
support for the MulticastToUnicast= option. networkd also gained
support for configuring static IPv4 ARP or IPv6 neighbor entries.
* .preset files (as read by 'systemctl preset') may now be used to
instantiate services.
* /etc/crypttab now understands the sector-size= option to configure
the sector size for an encrypted partition.
* Key material for encrypted disks may now be placed on a formatted
medium, and referenced from /etc/crypttab by the UUID of the file
system, followed by "=" suffixed by the path to the key file.
* The "collect" udev component has been removed without replacement, as
it is neither used nor maintained.
* When the RuntimeDirectory=, StateDirectory=, CacheDirectory=,
LogsDirectory=, ConfigurationDirectory= settings are used in a
service the executed processes will now receive a set of environment
variables containing the full paths of these directories.
Specifically, RUNTIME_DIRECTORY=, STATE_DIRECTORY, CACHE_DIRECTORY,
LOGS_DIRECTORY, CONFIGURATION_DIRECTORY are now set if these options
are used. Note that these options may be used multiple times per
service in which case the resulting paths will be concatenated and
separated by colons.
* Predictable interface naming has been extended to cover InfiniBand
NICs. They will be exposed with an "ib" prefix.
* tmpfiles.d/ line types may now be suffixed with a '-' character, in
which case the respective line failing is ignored.
* .link files may now be used to configure the equivalent to the
"ethtool advertise" commands.
* The sd-device.h and sd-hwdb.h APIs are now exported, as an
alternative to libudev.h. Previously, the latter was just an internal
wrapper around the former, but now these two APIs are exposed
directly.
* sd-id128.h gained a new function sd_id128_get_boot_app_specific()
which calculates an app-specific boot ID similar to how
sd_id128_get_machine_app_specific() generates an app-specific machine
ID.
* A new tool systemd-id128 has been added that can be used to determine
and generate various 128-bit IDs.
* /etc/os-release gained two new standardized fields DOCUMENTATION_URL=
and LOGO=.
* systemd-hibernate-resume-generator will now honor the "noresume"
kernel command line option, in which case it will bypass resuming
from any hibernated image.
* The systemd-sleep.conf configuration file gained new options
AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=,
AllowHybridSleep= for prohibiting specific sleep modes even if the
kernel exports them.
* portablectl is now officially supported and has thus moved to
/usr/bin/.
* bootctl learnt the two new commands "set-default" and "set-oneshot"
for setting the default boot loader item to boot to (either
persistently or only for the next boot). This is currently only
compatible with sd-boot, but may be implemented on other boot loaders
too, that follow the boot loader interface. The updated interface is
now documented here:
https://systemd.io/BOOT_LOADER_INTERFACE
* A new kernel command line option systemd.early_core_pattern= is now
understood which may be used to influence the core_pattern PID 1
installs during early boot.
* busctl learnt two new options -j and --json= for outputting method
call replies, properties and monitoring output in JSON.
* journalctl's JSON output now supports simple ANSI coloring as well as
a new "json-seq" mode for generating RFC7464 output.
* Unit files now support the %g/%G specifiers that resolve to the UNIX
group/GID of the service manager runs as, similar to the existing
%u/%U specifiers that resolve to the UNIX user/UID.
* systemd-logind learnt a new global configuration option
UserStopDelaySec= that may be set in logind.conf. It specifies how
long the systemd --user instance shall remain started after a user
logs out. This is useful to speed up repetitive re-connections of the
same user, as it means the user's service manager doesn't have to be
stopped/restarted on each iteration, but can be reused between
subsequent options. This setting defaults to 10s. systemd-logind also
exports two new properties on its Manager D-Bus objects indicating
whether the system's lid is currently closed, and whether the system
is on AC power.
* systemd gained support for a generic boot counting logic, which
generically permits automatic reverting to older boot loader entries
if newer updated ones don't work. The boot loader side is implemented
in sd-boot, but is kept open for other boot loaders too. For details
see:
https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT
* The SuccessAction=/FailureAction= unit file settings now learnt two
new parameters: "exit" and "exit-force", which result in immediate
exiting of the service manager, and are only useful in systemd --user
and container environments.
* Unit files gained support for a pair of options
FailureActionExitStatus=/SuccessActionExitStatus= for configuring the
exit status to use as service manager exit status when
SuccessAction=/FailureAction= is set to exit or exit-force.
* A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service
options may now be used to configure the log rate limiting applied by
journald per-service.
* systemd-analyze gained a new verb "timespan" for parsing and
normalizing time span values (i.e. strings like "5min 7s 8us").
* systemd-analyze also gained a new verb "security" for analyzing the
security and sand-boxing settings of services in order to determine an
"exposure level" for them, indicating whether a service would benefit
from more sand-boxing options turned on for them.
* "systemd-analyze syscall-filter" will now also show system calls
supported by the local kernel but not included in any of the defined
groups.
* .nspawn files now understand the Ephemeral= setting, matching the
--ephemeral command line switch.
* sd-event gained the new APIs sd_event_source_get_floating() and
sd_event_source_set_floating() for controlling whether a specific
event source is "floating", i.e. destroyed along with the even loop
object itself.
* Unit objects on D-Bus gained a new "Refs" property that lists all
clients that currently have a reference on the unit (to ensure it is
not unloaded).
* The JoinControllers= option in system.conf is no longer supported, as
it didn't work correctly, is hard to support properly, is legacy (as
the concept only exists on cgroup v1) and apparently wasn't used.
* Journal messages that are generated whenever a unit enters the failed
state are now tagged with a unique MESSAGE_ID. Similarly, messages
generated whenever a service process exits are now made recognizable,
too. A tagged message is also emitted whenever a unit enters the
"dead" state on success.
* systemd-run gained a new switch --working-directory= for configuring
the working directory of the service to start. A shortcut -d is
equivalent, setting the working directory of the service to the
current working directory of the invoking program. The new --shell
(or just -S) option has been added for invoking the $SHELL of the
caller as a service, and implies --pty --same-dir --wait --collect
--service-type=exec. Or in other words, "systemd-run -S" is now the
quickest way to quickly get an interactive in a fully clean and
well-defined system service context.
* machinectl gained a new verb "import-fs" for importing an OS tree
from a directory. Moreover, when a directory or tarball is imported
and single top-level directory found with the OS itself below the OS
tree is automatically mangled and moved one level up.
* systemd-importd will no longer set up an implicit btrfs loop-back
file system on /var/lib/machines. If one is already set up, it will
continue to be used.
* A new generator "systemd-run-generator" has been added. It will
synthesize a unit from one or more program command lines included in
the kernel command line. This is very useful in container managers
for example:
# systemd-nspawn -i someimage.raw -b systemd.run='"some command line"'
This will run "systemd-nspawn" on an image, invoke the specified
command line and immediately shut down the container again, returning
the command line's exit code.
* The block device locking logic is now documented:
https://systemd.io/BLOCK_DEVICE_LOCKING
* loginctl and machinectl now optionally output the various tables in
JSON using the --output= switch. It is our intention to add similar
support to systemctl and all other commands.
* udevadm's query and trigger verb now optionally take a .device unit
name as argument.
* systemd-udevd's network naming logic now understands a new
net.naming_scheme= kernel command line switch, which may be used to
pick a specific version of the naming scheme. This helps stabilizing
interface names even as systemd/udev are updated and the naming logic
is improved.
* sd-id128.h learnt two new auxiliary helpers: sd_id128_is_allf() and
SD_ID128_ALLF to test if a 128-bit ID is set to all 0xFF bytes, and to
initialize one to all 0xFF.
* After loading the SELinux policy systemd will now recursively relabel
all files and directories listed in
/run/systemd/relabel-extra.d/*.relabel (which should be simple
newline separated lists of paths) in addition to the ones it already
implicitly relabels in /run, /dev and /sys. After the relabelling is
completed the *.relabel files (and /run/systemd/relabel-extra.d/) are
removed. This is useful to permit initrds (i.e. code running before
the SELinux policy is in effect) to generate files in the host
filesystem safely and ensure that the correct label is applied during
the transition to the host OS.
* KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding
mknod() handling in user namespaces. Previously mknod() would always
fail with EPERM in user namespaces. Since 4.18 mknod() will succeed
but device nodes generated that way cannot be opened, and attempts to
open them result in EPERM. This breaks the "graceful fallback" logic
in systemd's PrivateDevices= sand-boxing option. This option is
implemented defensively, so that when systemd detects it runs in a
restricted environment (such as a user namespace, or an environment
where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD)
where device nodes cannot be created the effect of PrivateDevices= is
bypassed (following the logic that 2nd-level sand-boxing is not
essential if the system systemd runs in is itself already sand-boxed
as a whole). This logic breaks with 4.18 in container managers where
user namespacing is used: suddenly PrivateDevices= succeeds setting
up a private /dev/ file system containing devices nodes — but when
these are opened they don't work.
At this point it is recommended that container managers utilizing
user namespaces that intend to run systemd in the payload explicitly
block mknod() with seccomp or similar, so that the graceful fallback
logic works again.
We are very sorry for the breakage and the requirement to change
container configurations for newer kernels. It's purely caused by an
incompatible kernel change. The relevant kernel developers have been
notified about this userspace breakage quickly, but they chose to
ignore it.
* PermissionsStartOnly= setting is deprecated (but is still supported
for backwards compatibility). The same functionality is provided by
the more flexible "+", "!", and "!!" prefixes to ExecStart= and other
commands.
* $DBUS_SESSION_BUS_ADDRESS environment variable is not set by
pam_systemd anymore.
* The naming scheme for network devices was changed to always rename
devices, even if they were already renamed by userspace. The "kernel"
policy was changed to only apply as a fallback, if no other naming
policy took effect.
* The requirements to build systemd is bumped to meson-0.46 and
python-3.5.
Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander
Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson,
Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov,
asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt
Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen
Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius
Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn
Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner,
David Anderson, Davide Cavalca, David Leeds, David Malcolm, David
Strauss, David Tardon, Dimitri John Ledkov, Dmitry Torokhov, dj-kaktus,
Dongsu Park, Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters,
Evgeni Golov, Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad,
Faizal Luthfi, Felix Yan, Filipe Brandenburger, Franck Bui, Frank
Schaefer, Frantisek Sumsal, Gautier Husson, Gianluca Boiano, Giuseppe
Scrivano, glitsj16, Hans de Goede, Harald Hoyer, Harry Mallon, Harshit
Jain, Helmut Grohne, Henry Tung, Hui Yiqun, imayoda, Insun Pyo, Iwan
Timmer, Jan Janssen, Jan Pokorný, Jan Synacek, Jason A. Donenfeld,
javitoom, Jérémy Nouhaud, Jeremy Su, Jiuyang Liu, João Paulo Rechi
Vita, Joe Hershberger, Joe Rayhawk, Joerg Behrmann, Joerg Steffens,
Jonas Dorel, Jon Ringle, Josh Soref, Julian Andres Klode, Jun Bo Bi,
Jürg Billeter, Keith Busch, Khem Raj, Kirill Marinushkin, Larry
Bernstone, Lennart Poettering, Lion Yang, Li Song, Lorenz
Hübschle-Schneider, Lubomir Rintel, Lucas Werkmeister, Ludwin Janvier,
Lukáš Nykrýn, Luke Shumaker, mal, Marc-Antoine Perennou, Marcin
Skarbek, Marco Trevisan (Treviño), Marian Cepok, Mario Hros, Marko
Myllynen, Markus Grimm, Martin Pitt, Martin Sobotka, Martin Wilck,
Mathieu Trudel-Lapierre, Matthew Leeds, Michael Biebl, Michael Olbrich,
Michael 'pbone' Pobega, Michael Scherer, Michal Koutný, Michal
Sekletar, Michal Soltys, Mike Gilbert, Mike Palmer, Muhammet Kara, Neal
Gompa, Neil Brown, Network Silence, Niklas Tibbling, Nikolas Nyby,
Nogisaka Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, Paweł
Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, Reinhold Mueller,
Renaud Métrich, Roman Gushchin, Ronny Chevalier, Rubén Suárez Alvarez,
Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, Sam
Morris, Samuel Morris, Sandy Carter, scootergrisen, Sébastien Bacher,
Sergey Ptashnick, Shawn Landden, Shengyao Xue, Shih-Yuan Lee
(FourDollars), Silvio Knizek, Sjoerd Simons, Stasiek Michalski, Stephen
Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven Joachim,
Sylvain Plantefève, Tanu Kaskinen, Tejun Heo, Thiago Macieira, Thomas
Blume, Thomas Haller, Thomas H. P. Andersen, Tim Ruffing, TJ, Tobias
Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, Tore
Anderson, Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech
Trefny, welaq, William A. Kennington III, William Douglas, Wyatt Ward,
Xiang Fan, Xi Ruoyao, Xuanwo, Yann E. Morin, YmrDtnJu, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein
— Warsaw, 2018-12-21
CHANGES WITH 239:
* NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id"
builtin will name network interfaces differently than in previous
versions for virtual network interfaces created with SR-IOV and NPAR
and for devices where the PCI network controller device does not have
a slot number associated.
SR-IOV virtual devices are now named based on the name of the parent
interface, with a suffix of "v<N>", where <N> is the virtual device
number. Previously those virtual devices were named as if completely
independent.
The ninth and later NPAR virtual devices will be named following the
scheme used for the first eight NPAR partitions. Previously those
devices were not renamed and the kernel default (eth<n>) was used.
"net_id" will also generate names for PCI devices where the PCI
network controller device does not have an associated slot number
itself, but one of its parents does. Previously those devices were
not renamed and the kernel default (eth<n>) was used.
* AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
systemd-logind.service. Since v235, IPAddressDeny=any has been set to
the unit. So, it is expected that the default behavior of
systemd-logind is not changed. However, if distribution packagers or
administrators disabled or modified IPAddressDeny= setting by a
drop-in config file, then it may be necessary to update the file to
re-enable AF_INET and AF_INET6 to support network user name services,
e.g. NIS.
* When the RestrictNamespaces= unit property is specified multiple
times, then the specified types are merged now. Previously, only the
last assignment was used. So, if distribution packagers or
administrators modified the setting by a drop-in config file, then it
may be necessary to update the file.
* When OnFailure= is used in combination with Restart= on a service
unit, then the specified units will no longer be triggered on
failures that result in restarting. Previously, the specified units
would be activated each time the unit failed, even when the unit was
going to be restarted automatically. This behaviour contradicted the
documentation. With this release the code is adjusted to match the
documentation.
* systemd-tmpfiles will now print a notice whenever it encounters
tmpfiles.d/ lines referencing the /var/run/ directory. It will
recommend reworking them to use the /run/ directory instead (for
which /var/run/ is simply a symlinked compatibility alias). This way
systemd-tmpfiles can properly detect line conflicts and merge lines
referencing the same file by two paths, without having to access
them.
* systemctl disable/unmask/preset/preset-all cannot be used with
--runtime. Previously this was allowed, but resulted in unintuitive
behaviour that wasn't useful. systemctl disable/unmask will now undo
both runtime and persistent enablement/masking, i.e. it will remove
any relevant symlinks both in /run and /etc.
* Note that all long-running system services shipped with systemd will
now default to a system call allow list (rather than a deny list, as
before). In particular, systemd-udevd will now enforce one too. For
most cases this should be safe, however downstream distributions
which disabled sandboxing of systemd-udevd (specifically the
MountFlags= setting), might want to disable this security feature
too, as the default allow-listing will prohibit all mount, swap,
reboot and clock changing operations from udev rules.
* sd-boot acquired new loader configuration settings to optionally turn
off Windows and MacOS boot partition discovery as well as
reboot-into-firmware menu items. It is also able to pick a better
screen resolution for HiDPI systems, and now provides loader
configuration settings to change the resolution explicitly.
* systemd-resolved now supports DNS-over-TLS. It's still
turned off by default, use DNSOverTLS=opportunistic to turn it on in
resolved.conf. We intend to make this the default as soon as couple
of additional techniques for optimizing the initial latency caused by
establishing a TLS/TCP connection are implemented.
* systemd-resolved.service and systemd-networkd.service now set
DynamicUser=yes. The users systemd-resolve and systemd-network are
not created by systemd-sysusers anymore.
NOTE: This has a chance of breaking nss-ldap and similar NSS modules
that embed a network facing module into any process using getpwuid()
or related call: the dynamic allocation of the user ID for
systemd-resolved.service means the service manager has to check NSS
if the user name is already taken when forking off the service. Since
the user in the common case won't be defined in /etc/passwd the
lookup is likely to trigger nss-ldap which in turn might use NSS to
ask systemd-resolved for hostname lookups. This will hence result in
a deadlock: a user name lookup in order to start
systemd-resolved.service will result in a hostname lookup for which
systemd-resolved.service needs to be started already. There are
multiple ways to work around this problem: pre-allocate the
"systemd-resolve" user on such systems, so that nss-ldap won't be
triggered; or use a different NSS package that doesn't do networking
in-process but provides a local asynchronous name cache; or configure
the NSS package to avoid lookups for UIDs in the range `pkg-config
systemd --variable=dynamicuidmin` … `pkg-config systemd
--variable=dynamicuidmax`, so that it does not consider itself
authoritative for the same UID range systemd allocates dynamic users
from.
* The systemd-resolve tool has been renamed to resolvectl (it also
remains available under the old name, for compatibility), and its
interface is now verb-based, similar in style to the other <xyz>ctl
tools, such as systemctl or loginctl.
* The resolvectl/systemd-resolve tool also provides 'resolvconf'
compatibility. It may be symlinked under the 'resolvconf' name, in
which case it will take arguments and input compatible with the
Debian and FreeBSD resolvconf tool.
* Support for suspend-then-hibernate has been added, i.e. a sleep mode
where the system initially suspends, and after a timeout resumes and
hibernates again.
* networkd's ClientIdentifier= now accepts a new option "duid-only". If
set the client will only send a DUID as client identifier. (EDIT: the
option was broken, and was dropped in v255.)
* The nss-systemd glibc NSS module will now enumerate dynamic users and
groups in effect. Previously, it could resolve UIDs/GIDs to user
names/groups and vice versa, but did not support enumeration.
* journald's Compress= configuration setting now optionally accepts a
byte threshold value. All journal objects larger than this threshold
will be compressed, smaller ones will not. Previously this threshold
was not configurable and set to 512.
* A new system.conf setting NoNewPrivileges= is now available which may
be used to turn off acquisition of new privileges system-wide
(i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also
for all its children). Note that turning this option on means setuid
binaries and file system capabilities lose their special powers.
While turning on this option is a big step towards a more secure
system, doing so is likely to break numerous pre-existing UNIX tools,
in particular su and sudo.
* A new service systemd-time-sync-wait.service has been added. If
enabled it will delay the time-sync.target unit at boot until time
synchronization has been received from the network. This
functionality is useful on systems lacking a local RTC or where it is
acceptable that the boot process shall be delayed by external network
services.
* When hibernating, systemd will now inform the kernel of the image
write offset, on kernels new enough to support this. This means swap
files should work for hibernation now.
* When loading unit files, systemd will now look for drop-in unit files
extensions in additional places. Previously, for a unit file name
"foo-bar-baz.service" it would look for dropin files in
"foo-bar-baz.service.d/*.conf". Now, it will also look in
"foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the
service name truncated after all inner dashes. This scheme allows
writing drop-ins easily that apply to a whole set of unit files at
once. It's particularly useful for mount and slice units (as their
naming is prefix based), but is also useful for service and other
units, for packages that install multiple unit files at once,
following a strict naming regime of beginning the unit file name with
the package's name. Two new specifiers are now supported in unit
files to match this: %j and %J are replaced by the part of the unit
name following the last dash.
* Unit files and other configuration files that support specifier
expansion now understand another three new specifiers: %T and %V will
resolve to /tmp and /var/tmp respectively, or whatever temporary
directory has been set for the calling user. %E will expand to either
/etc (for system units) or $XDG_CONFIG_HOME (for user units).
* The ExecStart= lines of unit files are no longer required to
reference absolute paths. If non-absolute paths are specified the
specified binary name is searched within the service manager's
built-in $PATH, which may be queried with 'systemd-path
search-binaries-default'. It's generally recommended to continue to
use absolute paths for all binaries specified in unit files.
* Units gained a new load state "bad-setting", which is used when a
unit file was loaded, but contained fatal errors which prevent it
from being started (for example, a service unit has been defined
lacking both ExecStart= and ExecStop= lines).
* coredumpctl's "gdb" verb has been renamed to "debug", in order to
support alternative debuggers, for example lldb. The old name
continues to be available however, for compatibility reasons. Use the
new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable
to pick an alternative debugger instead of the default gdb.
* systemctl and the other tools will now output escape sequences that
generate proper clickable hyperlinks in various terminal emulators
where useful (for example, in the "systemctl status" output you can
now click on the unit file name to quickly open it in the
editor/viewer of your choice). Note that not all terminal emulators
support this functionality yet, but many do. Unfortunately, the
"less" pager doesn't support this yet, hence this functionality is
currently automatically turned off when a pager is started (which
happens quite often due to auto-paging). We hope to remove this
limitation as soon as "less" learns these escape sequences. This new
behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY
environment variable. For details on these escape sequences see:
https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda
* networkd's .network files now support a new IPv6MTUBytes= option for
setting the MTU used by IPv6 explicitly as well as a new MTUBytes=
option in the [Route] section to configure the MTU to use for
specific routes. It also gained support for configuration of the DHCP
"UserClass" option through the new UserClass= setting. It gained
three new options in the new [CAN] section for configuring CAN
networks. The MULTICAST and ALLMULTI interface flags may now be
controlled explicitly with the new Multicast= and AllMulticast=
settings.
* networkd will now automatically make use of the kernel's route
expiration feature, if it is available.
* udevd's .link files now support setting the number of receive and
transmit channels, using the RxChannels=, TxChannels=,
OtherChannels=, CombinedChannels= settings.
* Support for UDPSegmentationOffload= has been removed, given its
limited support in hardware, and waning software support.
* networkd's .netdev files now support creating "netdevsim" interfaces.
* PID 1 learnt a new bus call GetUnitByControlGroup() which may be used
to query the unit belonging to a specific kernel control group.
* systemd-analyze gained a new verb "cat-config", which may be used to
dump the contents of any configuration file, with all its matching
drop-in files added in, and honouring the usual search and masking
logic applied to systemd configuration files. For example use
"systemd-analyze cat-config systemd/system.conf" to get the complete
system configuration file of systemd how it would be loaded by PID 1
itself. Similar to this, various tools such as systemd-tmpfiles or
systemd-sysusers, gained a new option "--cat-config", which does the
corresponding operation for their own configuration settings. For
example, "systemd-tmpfiles --cat-config" will now output the full
list of tmpfiles.d/ lines in place.
* timedatectl gained three new verbs: "show" shows bus properties of
systemd-timedated, "timesync-status" shows the current NTP
synchronization state of systemd-timesyncd, and "show-timesync"
shows bus properties of systemd-timesyncd.
* systemd-timesyncd gained a bus interface on which it exposes details
about its state.
* A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now
understood by systemd-timedated. It takes a colon-separated list of
unit names of NTP client services. The list is used by
"timedatectl set-ntp".
* systemd-nspawn gained a new --rlimit= switch for setting initial
resource limits for the container payload. There's a new switch
--hostname= to explicitly override the container's hostname. A new
--no-new-privileges= switch may be used to control the
PR_SET_NO_NEW_PRIVS flag for the container payload. A new
--oom-score-adjust= switch controls the OOM scoring adjustment value
for the payload. The new --cpu-affinity= switch controls the CPU
affinity of the container payload. The new --resolv-conf= switch
allows more detailed control of /etc/resolv.conf handling of the
container. Similarly, the new --timezone= switch allows more detailed
control of /etc/localtime handling of the container.
* systemd-detect-virt gained a new --list switch, which will print a
list of all currently known VM and container environments.
* Support for "Portable Services" has been added, see
doc/PORTABLE_SERVICES.md for details. Currently, the support is still
experimental, but this is expected to change soon. Reflecting this
experimental state, the "portablectl" binary is not installed into
/usr/bin yet. The binary has to be called with the full path
/usr/lib/systemd/portablectl instead.
* journalctl's and systemctl's -o switch now knows a new log output
mode "with-unit". The output it generates is very similar to the
regular "short" mode, but displays the unit name instead of the
syslog tag for each log line. Also, the date is shown with timezone
information. This mode is probably more useful than the classic
"short" output mode for most purposes, except where pixel-perfect
compatibility with classic /var/log/messages formatting is required.
* A new --dump-bus-properties switch has been added to the systemd
binary, which may be used to dump all supported D-Bus properties.
(Options which are still supported, but are deprecated, are *not*
shown.)
* sd-bus gained a set of new calls:
sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to
enable/disable the "floating" state of a bus slot object,
i.e. whether the slot object pins the bus it is allocated for into
memory or if the bus slot object gets disconnected when the bus goes
away. sd_bus_open_with_description(),
sd_bus_open_user_with_description(),
sd_bus_open_system_with_description() may be used to allocate bus
objects and set their description string already during allocation.
* sd-event gained support for watching inotify events from the event
loop, in an efficient way, sharing inotify handles between multiple
users. For this a new function sd_event_add_inotify() has been added.
* sd-event and sd-bus gained support for calling special user-supplied
destructor functions for userdata pointers associated with
sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new
functions sd_bus_slot_set_destroy_callback,
sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback,
sd_bus_track_get_destroy_callback,
sd_event_source_set_destroy_callback,
sd_event_source_get_destroy_callback have been added.
* The "net.ipv4.tcp_ecn" sysctl will now be turned on by default.
* PID 1 will now automatically reschedule .timer units whenever the
local timezone changes. (They previously got rescheduled
automatically when the system clock changed.)
* New documentation has been added to document cgroups delegation,
portable services and the various code quality tools we have set up:
https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md
https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md
https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md
* The Boot Loader Specification has been added to the source tree.
https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md
While moving it into our source tree we have updated it and further
changes are now accepted through the usual github PR workflow.
* pam_systemd will now look for PAM userdata fields systemd.memory_max,
systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by
earlier PAM modules. The data in these fields is used to initialize
the session scope's resource properties. Thus external PAM modules
may now configure per-session limits, for example sourced from
external user databases.
* socket units with Accept=yes will now maintain a "refused" counter in
addition to the existing "accepted" counter, counting connections
refused due to the enforced limits.
* The "systemd-path search-binaries-default" command may now be use to
query the default, built-in $PATH PID 1 will pass to the services it
manages.
* A new unit file setting PrivateMounts= has been added. It's a boolean
option. If enabled the unit's processes are invoked in their own file
system namespace. Note that this behaviour is also implied if any
other file system namespacing options (such as PrivateTmp=,
PrivateDevices=, ProtectSystem=, …) are used. This option is hence
primarily useful for services that do not use any of the other file
system namespacing options. One such service is systemd-udevd.service
where this is now used by default.
* ConditionSecurity= gained a new value "uefi-secureboot" that is true
when the system is booted in UEFI "secure mode".
* A new unit "system-update-pre.target" is added, which defines an
optional synchronization point for offline system updates, as
implemented by the pre-existing "system-update.target" unit. It
allows ordering services before the service that executes the actual
update process in a generic way.
* Systemd now emits warnings whenever .include syntax is used.
Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Berlin, 2018-06-22
CHANGES WITH 238:
* The MemoryAccounting= unit property now defaults to on. After
discussions with the upstream control group maintainers we learnt
that the negative impact of cgroup memory accounting on current
kernels is finally relatively minimal, so that it should be safe to
enable this by default without affecting system performance. Besides
memory accounting only task accounting is turned on by default, all
other forms of resource accounting (CPU, IO, IP) remain off for now,
because it's not clear yet that their impact is small enough to move
from opt-in to opt-out. We recommend downstreams to leave memory
accounting on by default if kernel 4.14 or higher is primarily
used. On very resource constrained systems or when support for old
kernels is a necessity, -Dmemory-accounting-default=false can be used
to revert this change.
* rpm scriptlets to update the udev hwdb and rules (%udev_hwdb_update,
%udev_rules_update) and the journal catalog (%journal_catalog_update)
from the upgrade scriptlets of individual packages now do nothing.
Transfiletriggers have been added which will perform those updates
once at the end of the transaction.
Similar transfiletriggers have been added to execute any sysctl.d
and binfmt.d rules. Thus, it should be unnecessary to provide any
scriptlets to execute this configuration from package installation
scripts.
* systemd-sysusers gained a mode where the configuration to execute is
specified on the command line, but this configuration is not executed
directly, but instead it is merged with the configuration on disk,
and the result is executed. This is useful for package installation
scripts which want to create the user before installing any files on
disk (in case some of those files are owned by that user), while
still allowing local admin overrides.
This functionality is exposed to rpm scriptlets through a new
%sysusers_create_package macro. Old %sysusers_create and
%sysusers_create_inline macros are deprecated.
A transfiletrigger for sysusers.d configuration is now installed,
which means that it should be unnecessary to call systemd-sysusers from
package installation scripts, unless the package installs any files
owned by those newly-created users, in which case
%sysusers_create_package should be used.
* Analogous change has been done for systemd-tmpfiles: it gained a mode
where the command-line configuration is merged with the configuration
on disk. This is exposed as the new %tmpfiles_create_package macro,
and %tmpfiles_create is deprecated. A transfiletrigger is installed
for tmpfiles.d, hence it should be unnecessary to call systemd-tmpfiles
from package installation scripts.
* sysusers.d configuration for a user may now also specify the group
number, in addition to the user number ("u username 123:456"), or
without the user number ("u username -:456").
* Configution items for systemd-sysusers can now be specified as
positional arguments when the new --inline switch is used.
* The login shell of users created through sysusers.d may now be
specified (previously, it was always /bin/sh for root and
/sbin/nologin for other users).
* systemd-analyze gained a new --global switch to look at global user
configuration. It also gained a unit-paths verb to list the unit load
paths that are compiled into systemd (which can be used with
--systemd, --user, or --global).
* udevadm trigger gained a new --settle/-w option to wait for any
triggered events to finish (but just those, and not any other events
which are triggered meanwhile).
* The action that systemd-logind takes when the lid is closed and the
machine is connected to external power can now be configured using
HandleLidSwitchExternalPower= in logind.conf. Previously, this action
was determined by HandleLidSwitch=, and, for backwards compatibility,
is still is, if HandleLidSwitchExternalPower= is not explicitly set.
* journalctl will periodically call sd_journal_process() to make it
resilient against inotify queue overruns when journal files are
rotated very quickly.
* Two new functions in libsystemd — sd_bus_get_n_queued_read and
sd_bus_get_n_queued_write — may be used to check the number of
pending bus messages.
* systemd gained a new
org.freedesktop.systemd1.Manager.AttachProcessesToUnit dbus call
which can be used to migrate foreign processes to scope and service
units. The primary user for this new API is systemd itself: the
systemd --user instance uses this call of the systemd --system
instance to migrate processes if it itself gets the request to
migrate processes and the kernel refuses this due to access
restrictions. Thanks to this "systemd-run --scope --user …" works
again in pure cgroup v2 environments when invoked from the user
session scope.
* A new TemporaryFileSystem= setting can be used to mask out part of
the real file system tree with tmpfs mounts. This may be combined
with BindPaths= and BindReadOnlyPaths= to hide files or directories
not relevant to the unit, while still allowing some paths lower in
the tree to be accessed.
ProtectHome=tmpfs may now be used to hide user home and runtime
directories from units, in a way that is mostly equivalent to
"TemporaryFileSystem=/home /run/user /root".
* Non-service units are now started with KeyringMode=shared by default.
This means that mount and swapon and other mount tools have access
to keys in the main keyring.
* /sys/fs/bpf is now mounted automatically.
* QNX virtualization is now detected by systemd-detect-virt and may
be used in ConditionVirtualization=.
* IPAccounting= may now be enabled also for slice units.
* A new -Dsplit-bin= build configuration switch may be used to specify
whether bin and sbin directories are merged, or if they should be
included separately in $PATH and various listings of executable
directories. The build configuration scripts will try to autodetect
the proper values of -Dsplit-usr= and -Dsplit-bin= based on build
system, but distributions are encouraged to configure this
explicitly.
* A new -Dok-color= build configuration switch may be used to change
the colour of "OK" status messages.
* UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with
PrivateNetwork=yes was buggy in previous versions of systemd. This
means that after the upgrade and daemon-reexec, any such units must
be restarted.
* INCOMPATIBILITY: as announced in the NEWS for 237, systemd-tmpfiles
will not exclude read-only files owned by root from cleanup.
Contributions from: Alan Jenkins, Alexander F Rødseth, Alexis Jeandet,
Andika Triwidada, Andrei Gherzan, Ansgar Burchardt, antizealot1337,
Batuhan Osman Taşkaya, Beniamino Galvani, Bill Yodlowsky, Caio Marcelo
de Oliveira Filho, CuBiC, Daniele Medri, Daniel Mouritzen, Daniel
Rusek, Davide Cavalca, Dimitri John Ledkov, Douglas Christman, Evgeny
Vereshchagin, Faalagorn, Filipe Brandenburger, Franck Bui, futpib,
Giacomo Longo, Gunnar Hjalmarsson, Hans de Goede, Hermann Gausterer,
Iago López Galeiras, Jakub Filak, Jan Synacek, Jason A. Donenfeld,
Javier Martinez Canillas, Jérémy Rosen, Lennart Poettering, Lucas
Werkmeister, Mao Huang, Marco Gulino, Michael Biebl, Michael Vogt,
MilhouseVH, Neal Gompa (ニール・ゴンパ), Oleander Reis, Olof Mogren,
Patrick Uiterwijk, Peter Hutterer, Peter Portante, Piotr Drąg, Robert
Antoni Buj Gelonch, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
Fowler, SjonHortensius, snorreflorre, Susant Sahani, Sylvain
Plantefève, Thomas Blume, Thomas Haller, Vito Caputo, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, Марко М. Костић (Marko M. Kostić)
— Warsaw, 2018-03-05
CHANGES WITH 237:
* Some keyboards come with a zoom see-saw or rocker which until now got
mapped to the Linux "zoomin/out" keys in hwdb. However, these
keycodes are not recognized by any major desktop. They now produce
Up/Down key events so that they can be used for scrolling.
* INCOMPATIBILITY: systemd-tmpfiles' "f" lines changed behaviour
slightly: previously, if an argument was specified for lines of this
type (i.e. the right-most column was set) this string was appended to
existing files each time systemd-tmpfiles was run. This behaviour was
different from what the documentation said, and not particularly
useful, as repeated systemd-tmpfiles invocations would not be
idempotent and grow such files without bounds. With this release
behaviour has been altered to match what the documentation says:
lines of this type only have an effect if the indicated files don't
exist yet, and only then the argument string is written to the file.
* FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change
systemd-tmpfiles behaviour: previously, read-only files owned by root
were always excluded from the file "aging" algorithm (i.e. the
automatic clean-up of directories like /tmp based on
atime/mtime/ctime). We intend to drop this restriction, and age files
by default even when owned by root and read-only. This behaviour was
inherited from older tools, but there have been requests to remove
it, and it's not obvious why this restriction was made in the first
place. Please speak up now, if you are aware of software that requires
this behaviour, otherwise we'll remove the restriction in v238.
* A new environment variable $SYSTEMD_OFFLINE is now understood by
systemctl. It takes a boolean argument. If on, systemctl assumes it
operates on an "offline" OS tree, and will not attempt to talk to the
service manager. Previously, this mode was implicitly enabled if a
chroot() environment was detected, and this new environment variable
now provides explicit control.
* .path and .socket units may now be created transiently, too.
Previously only service, mount, automount and timer units were
supported as transient units. The systemd-run tool has been updated
to expose this new functionality, you may hence use it now to bind
arbitrary commands to path or socket activation on-the-fly from the
command line. Moreover, almost all properties are now exposed for the
unit types that already supported transient operation.
* The systemd-mount command gained support for a new --owner= parameter
which takes a user name, which is then resolved and included in uid=
and gid= mount options string of the file system to mount.
* A new unit condition ConditionControlGroupController= has been added
that checks whether a specific cgroup controller is available.
* Unit files, udev's .link files, and systemd-networkd's .netdev and
.network files all gained support for a new condition
ConditionKernelVersion= for checking against specific kernel
versions.
* In systemd-networkd, the [IPVLAN] section in .netdev files gained
support for configuring device flags in the Flags= setting. In the
same files, the [Tunnel] section gained support for configuring
AllowLocalRemote=. The [Route] section in .network files gained
support for configuring InitialCongestionWindow=,
InitialAdvertisedReceiveWindow= and QuickAck=. The [DHCP] section now
understands RapidCommit=.
* systemd-networkd's DHCPv6 support gained support for Prefix
Delegation.
* sd-bus gained support for a new "watch-bind" feature. When this
feature is enabled, an sd_bus connection may be set up to connect to
an AF_UNIX socket in the file system as soon as it is created. This
functionality is useful for writing early-boot services that
automatically connect to the system bus as soon as it is started,
without ugly time-based polling. systemd-networkd and
systemd-resolved have been updated to make use of this
functionality. busctl exposes this functionality in a new
--watch-bind= command line switch.
* sd-bus will now optionally synthesize a local "Connected" signal as
soon as a D-Bus connection is set up fully. This message mirrors the
already existing "Disconnected" signal which is synthesized when the
connection is terminated. This signal is generally useful but
particularly handy in combination with the "watch-bind" feature
described above. Synthesizing of this message has to be requested
explicitly through the new API call sd_bus_set_connected_signal(). In
addition a new call sd_bus_is_ready() has been added that checks
whether a connection is fully set up (i.e. between the "Connected" and
"Disconnected" signals).
* sd-bus gained two new calls sd_bus_request_name_async() and
sd_bus_release_name_async() for asynchronously registering bus
names. Similar, there is now sd_bus_add_match_async() for installing
a signal match asynchronously. All of systemd's own services have
been updated to make use of these calls. Doing these operations
asynchronously has two benefits: it reduces the risk of deadlocks in
case of cyclic dependencies between bus services, and it speeds up
service initialization since synchronization points for bus
round-trips are removed.
* sd-bus gained two new calls sd_bus_match_signal() and
sd_bus_match_signal_async(), which are similar to sd_bus_add_match()
and sd_bus_add_match_async() but instead of taking a D-Bus match
string take match fields as normal function parameters.
* sd-bus gained two new calls sd_bus_set_sender() and
sd_bus_message_set_sender() for setting the sender name of outgoing
messages (either for all outgoing messages or for just one specific
one). These calls are only useful in direct connections as on
brokered connections the broker fills in the sender anyway,
overwriting whatever the client filled in.
* sd-event gained a new pseudo-handle that may be specified on all API
calls where an "sd_event*" object is expected: SD_EVENT_DEFAULT. When
used this refers to the default event loop object of the calling
thread. Note however that this does not implicitly allocate one —
which has to be done prior by using sd_event_default(). Similarly
sd-bus gained three new pseudo-handles SD_BUS_DEFAULT,
SD_BUS_DEFAULT_USER, SD_BUS_DEFAULT_SYSTEM that may be used to refer
to the default bus of the specified type of the calling thread. Here
too this does not implicitly allocate bus connection objects, this
has to be done prior with sd_bus_default() and friends.
* sd-event gained a new call pair
sd_event_source_{get|set}_io_fd_own(). This may be used to request
automatic closure of the file descriptor an IO event source watches
when the event source is destroyed.
* systemd-networkd gained support for natively configuring WireGuard
connections.
* In previous versions systemd synthesized user records both for the
"nobody" (UID 65534) and "root" (UID 0) users in nss-systemd and
internally. In order to simplify distribution-wide renames of the
"nobody" user (like it is planned in Fedora: nfsnobody → nobody), a
new transitional flag file has been added: if
/etc/systemd/dont-synthesize-nobody exists synthesizing of the 65534
user and group record within the systemd codebase is disabled.
* systemd-notify gained a new --uid= option for selecting the source
user/UID to use for notification messages sent to the service
manager.
* journalctl gained a new --grep= option to list only entries in which
the message matches a certain pattern. By default matching is case
insensitive if the pattern is lowercase, and case sensitive
otherwise. Option --case-sensitive=yes|no can be used to override
this an specify case sensitivity or case insensitivity.
* There's now a "systemd-analyze service-watchdogs" command for printing
the current state of the service runtime watchdog, and optionally
enabling or disabling the per-service watchdogs system-wide if given a
boolean argument (i.e. the concept you configure in WatchdogSec=), for
debugging purposes. There's also a kernel command line option
systemd.service_watchdogs= for controlling the same.
* Two new "log-level" and "log-target" options for systemd-analyze were
added that merge the now deprecated get-log-level, set-log-level and
get-log-target, set-log-target pairs. The deprecated options are still
understood for backwards compatibility. The two new options print the
current value when no arguments are given, and set them when a
level/target is given as an argument.
* sysusers.d's "u" lines now optionally accept both a UID and a GID
specification, separated by a ":" character, in order to create users
where UID and GID do not match.
Contributions from: Adam Duskett, Alan Jenkins, Alexander Kuleshov,
Alexis Deruelle, Andrew Jeddeloh, Armin Widegreen, Batuhan Osman
Taşkaya, Björn Esser, bleep_blop, Bruce A. Johnson, Chris Down, Clinton
Roy, Colin Walters, Daniel Rusek, Dimitri John Ledkov, Dmitry Rozhkov,
Evgeny Vereshchagin, Ewout van Mansom, Felipe Sateler, Franck Bui,
Frantisek Sumsal, George Gaydarov, Gianluca Boiano, Hans-Christian
Noren Egtvedt, Hans de Goede, Henrik Grindal Bakken, Jan Alexander
Steffens, Jan Klötzke, Jason A. Donenfeld, jdkbx, Jérémy Rosen,
Jerónimo Borque, John Lin, John Paul Herold, Jonathan Rudenberg, Jörg
Thalheim, Ken (Bitsko) MacLeod, Larry Bernstone, Lennart Poettering,
Lucas Werkmeister, Maciej S. Szmigiero, Marek Čermák, Martin Pitt,
Mathieu Malaterre, Matthew Thode, Matthias-Christian Ott, Max Harmathy,
Michael Biebl, Michael Vogt, Michal Koutný, Michal Sekletar, Michał
Szczepański, Mike Gilbert, Nathaniel McCallum, Nicolas Chauvet, Olaf
Hering, Olivier Schwander, Patrik Flykt, Paul Cercueil, Peter Hutterer,
Piotr Drąg, Raphael Vogelgsang, Reverend Homer, Robert Kolchmeyer,
Samuel Dionne-Riel, Sergey Ptashnick, Shawn Landden, Susant Sahani,
Sylvain Plantefève, Thomas H. P. Andersen, Thomas Huth, Tomasz
Bachorski, Vladislav Vishnyakov, Wieland Hoffmann, Yu Watanabe, Zachary
Winnerman, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, Дилян
Палаузов
— Brno, 2018-01-28
CHANGES WITH 236:
* The modprobe.d/ drop-in for the bonding.ko kernel module introduced
in v235 has been extended to also set the dummy.ko module option
numdummies=0, preventing the kernel from automatically creating
dummy0. All dummy interfaces must now be explicitly created.
* Unknown '%' specifiers in configuration files are now rejected. This
applies to units and tmpfiles.d configuration. Any percent characters
that are followed by a letter or digit that are not supposed to be
interpreted as the beginning of a specifier should be escaped by
doubling ("%%"). (So "size=5%" is still accepted, as well as
"size=5%,foo=bar", but not "LABEL=x%y%z" since %y and %z are not
valid specifiers today.)
* systemd-resolved now maintains a new dynamic
/run/systemd/resolve/stub-resolv.conf compatibility file. It is
recommended to make /etc/resolv.conf a symlink to it. This file
points at the systemd-resolved stub DNS 127.0.0.53 resolver and
includes dynamically acquired search domains, achieving more correct
DNS resolution by software that bypasses local DNS APIs such as NSS.
* The "uaccess" udev tag has been dropped from /dev/kvm and
/dev/dri/renderD*. These devices now have the 0666 permissions by
default (but this may be changed at build-time). /dev/dri/renderD*
will now be owned by the "render" group along with /dev/kfd.
* "DynamicUser=yes" has been enabled for systemd-timesyncd.service,
systemd-journal-gatewayd.service and
systemd-journal-upload.service. This means "nss-systemd" must be
enabled in /etc/nsswitch.conf to ensure the UIDs assigned to these
services are resolved properly.
* In /etc/fstab two new mount options are now understood:
x-systemd.makefs and x-systemd.growfs. The former has the effect that
the configured file system is formatted before it is mounted, the
latter that the file system is resized to the full block device size
after it is mounted (i.e. if the file system is smaller than the
partition it resides on, it's grown). This is similar to the fsck
logic in /etc/fstab, and pulls in systemd-makefs@.service and
systemd-growfs@.service as necessary, similar to
systemd-fsck@.service. Resizing is currently only supported on ext4
and btrfs.
* In systemd-networkd, the IPv6 RA logic now optionally may announce
DNS server and domain information.
* Support for the LUKS2 on-disk format for encrypted partitions has
been added. This requires libcryptsetup2 during compilation and
runtime.
* The systemd --user instance will now signal "readiness" when its
basic.target unit has been reached, instead of when the run queue ran
empty for the first time.
* Tmpfiles.d with user configuration are now also supported.
systemd-tmpfiles gained a new --user switch, and snippets placed in
~/.config/user-tmpfiles.d/ and corresponding directories will be
executed by systemd-tmpfiles --user running in the new
systemd-tmpfiles-setup.service and systemd-tmpfiles-clean.service
running in the user session.
* Unit files and tmpfiles.d snippets learnt three new % specifiers:
%S resolves to the top-level state directory (/var/lib for the system
instance, $XDG_CONFIG_HOME for the user instance), %C resolves to the
top-level cache directory (/var/cache for the system instance,
$XDG_CACHE_HOME for the user instance), %L resolves to the top-level
logs directory (/var/log for the system instance,
$XDG_CONFIG_HOME/log/ for the user instance). This matches the
existing %t specifier, that resolves to the top-level runtime
directory (/run for the system instance, and $XDG_RUNTIME_DIR for the
user instance).
* journalctl learnt a new parameter --output-fields= for limiting the
set of journal fields to output in verbose and JSON output modes.
* systemd-timesyncd's configuration file gained a new option
RootDistanceMaxSec= for setting the maximum root distance of servers
it'll use, as well as the new options PollIntervalMinSec= and
PollIntervalMaxSec= to tweak the minimum and maximum poll interval.
* bootctl gained a new command "list" for listing all available boot
menu items on systems that follow the boot loader specification.
* systemctl gained a new --dry-run switch that shows what would be done
instead of doing it, and is currently supported by the shutdown and
sleep verbs.
* ConditionSecurity= can now detect the TOMOYO security module.
* Unit file [Install] sections are now also respected in unit drop-in
files. This is intended to be used by drop-ins under /usr/lib/.
* systemd-firstboot may now also set the initial keyboard mapping.
* Udev "changed" events for devices which are exposed as systemd
.device units are now propagated to units specified in
ReloadPropagatedFrom= as reload requests.
* If a udev device has a SYSTEMD_WANTS= property containing a systemd
unit template name (i.e. a name in the form of 'foobar@.service',
without the instance component between the '@' and - the '.'), then
the escaped sysfs path of the device is automatically used as the
instance.
* SystemCallFilter= in unit files has been extended so that an "errno"
can be specified individually for each system call. Example:
SystemCallFilter=~uname:EILSEQ.
* The cgroup delegation logic has been substantially updated. Delegate=
now optionally takes a list of controllers (instead of a boolean, as
before), which lists the controllers to delegate at least.
* The networkd DHCPv6 client now implements the FQDN option (RFC 4704).
* A new LogLevelMax= setting configures the maximum log level any
process of the service may log at (i.e. anything with a lesser
priority than what is specified is automatically dropped). A new
LogExtraFields= setting allows configuration of additional journal
fields to attach to all log records generated by any of the unit's
processes.
* New StandardInputData= and StandardInputText= settings along with the
new option StandardInput=data may be used to configure textual or
binary data that shall be passed to the executed service process via
standard input, encoded in-line in the unit file.
* StandardInput=, StandardOutput= and StandardError= may now be used to
connect stdin/stdout/stderr of executed processes directly with a
file or AF_UNIX socket in the file system, using the new "file:" option.
* A new unit file option CollectMode= has been added, that allows
tweaking the garbage collection logic for units. It may be used to
tell systemd to garbage collect units that have failed automatically
(normally it only GCs units that exited successfully). systemd-run
and systemd-mount expose this new functionality with a new -G option.
* "machinectl bind" may now be used to bind mount non-directories
(i.e. regularfiles, devices, fifos, sockets).
* systemd-analyze gained a new verb "calendar" for validating and
testing calendar time specifications to use for OnCalendar= in timer
units. Besides validating the expression it will calculate the next
time the specified expression would elapse.
* In addition to the pre-existing FailureAction= unit file setting
there's now SuccessAction=, for configuring a shutdown action to
execute when a unit completes successfully. This is useful in
particular inside containers that shall terminate after some workload
has been completed. Also, both options are now supported for all unit
types, not just services.
* networkds's IP rule support gained two new options
IncomingInterface= and OutgoingInterface= for configuring the incoming
and outgoing interfaces of configured rules. systemd-networkd also
gained support for "vxcan" network devices.
* networkd gained a new setting RequiredForOnline=, taking a
boolean. If set, systemd-wait-online will take it into consideration
when determining that the system is up, otherwise it will ignore the
interface for this purpose.
* The sd_notify() protocol gained support for a new operation: with
FDSTOREREMOVE=1 file descriptors may be removed from the per-service
store again, ahead of POLLHUP or POLLERR when they are removed
anyway.
* A new document doc/UIDS-GIDS.md has been added to the source tree,
that documents the UID/GID range and assignment assumptions and
requirements of systemd.
* The watchdog device PID 1 will ping may now be configured through the
WatchdogDevice= configuration file setting, or by setting the
systemd.watchdog_service= kernel command line option.
* systemd-resolved's gained support for registering DNS-SD services on
the local network using MulticastDNS. Services may either be
registered by dropping in a .dnssd file in /etc/systemd/dnssd/ (or
the same dir below /run, /usr/lib), or through its D-Bus API.
* The sd_notify() protocol can now with EXTEND_TIMEOUT_USEC=microsecond
extend the effective start, runtime, and stop time. The service must
continue to send EXTEND_TIMEOUT_USEC within the period specified to
prevent the service manager from making the service as timedout.
* systemd-resolved's DNSSEC support gained support for RFC 8080
(Ed25519 keys and signatures).
* The systemd-resolve command line tool gained a new set of options
--set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-dnssec=,
--set-nta= and --revert to configure per-interface DNS configuration
dynamically during runtime. It's useful for pushing DNS information
into systemd-resolved from DNS hook scripts that various interface
managing software supports (such as pppd).
* systemd-nspawn gained a new --network-namespace-path= command line
option, which may be used to make a container join an existing
network namespace, by specifying a path to a "netns" file.
Contributions from: Alan Jenkins, Alan Robertson, Alessandro Ghedini,
Andrew Jeddeloh, Antonio Rojas, Ari, asavah, bleep_blop, Carsten
Strotmann, Christian Brauner, Christian Hesse, Clinton Roy, Collin
Eggert, Cong Wang, Daniel Black, Daniel Lockyer, Daniel Rusek, Dimitri
John Ledkov, Dmitry Rozhkov, Dongsu Park, Edward A. James, Evgeny
Vereshchagin, Florian Klink, Franck Bui, Gwendal Grignou, Hans de
Goede, Harald Hoyer, Hristo Venev, Iago López Galeiras, Ikey Doherty,
Jakub Wilk, Jérémy Rosen, Jiahui Xie, John Lin, José Bollo, Josef
Andersson, juga0, Krzysztof Nowicki, Kyle Walker, Lars Karlitski, Lars
Kellogg-Stedman, Lauri Tirkkonen, Lennart Poettering, Lubomir Rintel,
Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn, Lukáš Říha, Lukasz
Rubaszewski, Maciej S. Szmigiero, Mantas Mikulėnas, Marcus Folkesson,
Martin Steuer, Mathieu Trudel-Lapierre, Matija Skala,
Matthias-Christian Ott, Max Resch, Michael Biebl, Michael Vogt, Michal
Koutný, Michal Sekletar, Mike Gilbert, Muhammet Kara, Neil Brown, Olaf
Hering, Ondrej Kozina, Patrik Flykt, Patryk Kocielnik, Peter Hutterer,
Piotr Drąg, Razvan Cojocaru, Robin McCorkell, Roland Hieber, Saran
Tunyasuvunakool, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
Arlott, Simon Peeters, Stanislav Angelovič, Stefan Agner, Susant
Sahani, Sylvain Plantefève, Thomas Blume, Thomas Haller, Tiago Salem
Herrmann, Tinu Weber, Tom Stellard, Topi Miettinen, Torsten Hilbrich,
Vito Caputo, Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek, Zeal Jagannatha
— Berlin, 2017-12-14
CHANGES WITH 235:
* INCOMPATIBILITY: systemd-logind.service and other long-running
services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP
communication with the outside. This generally improves security of
the system, and is in almost all cases a safe and good choice, as
these services do not and should not provide any network-facing
functionality. However, systemd-logind uses the glibc NSS API to
query the user database. This creates problems on systems where NSS
is set up to directly consult network services for user database
lookups. In particular, this creates incompatibilities with the
"nss-nis" module, which attempts to directly contact the NIS/YP
network servers it is configured for, and will now consistently
fail. In such cases, it is possible to turn off IP sandboxing for
systemd-logind.service (set IPAddressDeny= in its [Service] section
to the empty string, via a .d/ unit file drop-in). Downstream
distributions might want to update their nss-nis packaging to include
such a drop-in snippet, accordingly, to hide this incompatibility
from the user. Another option is to make use of glibc's nscd service
to proxy such network requests through a privilege-separated, minimal
local caching daemon, or to switch to more modern technologies such
sssd, whose NSS hook-ups generally do not involve direct network
access. In general, we think it's definitely time to question the
implementation choices of nss-nis, i.e. whether it's a good idea
today to embed a network-facing loadable module into all local
processes that need to query the user database, including the most
trivial and benign ones, such as "ls". For more details about
IPAddressDeny= see below.
* A new modprobe.d drop-in is now shipped by default that sets the
bonding module option max_bonds=0. This overrides the kernel default,
to avoid conflicts and ambiguity as to whether or not bond0 should be
managed by systemd-networkd or not. This resolves multiple issues
with bond0 properties not being applied, when bond0 is configured
with systemd-networkd. Distributors may choose to not package this,
however in that case users will be prevented from correctly managing
bond0 interface using systemd-networkd.
* systemd-analyze gained new verbs "get-log-level" and "get-log-target"
which print the logging level and target of the system manager. They
complement the existing "set-log-level" and "set-log-target" verbs
used to change those values.
* journald.conf gained a new boolean setting ReadKMsg= which defaults
to on. If turned off kernel log messages will not be read by
systemd-journald or included in the logs. It also gained a new
setting LineMax= for configuring the maximum line length in
STDOUT/STDERR log streams. The new default for this value is 48K, up
from the previous hardcoded 2048.
* A new unit setting RuntimeDirectoryPreserve= has been added, which
allows more detailed control of what to do with a runtime directory
configured with RuntimeDirectory= (i.e. a directory below /run or
$XDG_RUNTIME_DIR) after a unit is stopped.
* The RuntimeDirectory= setting for units gained support for creating
deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just
one top-level directory.
* Units gained new options StateDirectory=, CacheDirectory=,
LogsDirectory= and ConfigurationDirectory= which are closely related
to RuntimeDirectory= but manage per-service directories below
/var/lib, /var/cache, /var/log and /etc. By making use of them it is
possible to write unit files which when activated automatically gain
properly owned service specific directories in these locations, thus
making unit files self-contained and increasing compatibility with
stateless systems and factory reset where /etc or /var are
unpopulated at boot. Matching these new settings there's also
StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=,
ConfigurationDirectoryMode= for configuring the access mode of these
directories. These settings are particularly useful in combination
with DynamicUser=yes as they provide secure, properly-owned,
writable, and stateful locations for storage, excluded from the
sandbox that such services live in otherwise.
* Automake support has been removed from this release. systemd is now
Meson-only.
* systemd-journald will now aggressively cache client metadata during
runtime, speeding up log write performance under pressure. This comes
at a small price though: as much of the metadata is read
asynchronously from /proc/ (and isn't implicitly attached to log
datagrams by the kernel, like UID/GID/PID/SELinux are) this means the
metadata stored alongside a log entry might be slightly
out-of-date. Previously it could only be slightly newer than the log
message. The time window is small however, and given that the kernel
is unlikely to be improved anytime soon in this regard, this appears
acceptable to us.
* nss-myhostname/systemd-resolved will now by default synthesize an
A/AAAA resource record for the "_gateway" hostname, pointing to the
current default IP gateway. Previously it did that for the "gateway"
name, hampering adoption, as some distributions wanted to leave that
hostname open for local use. The old behaviour may still be
requested at build time.
* systemd-networkd's [Address] section in .network files gained a new
Scope= setting for configuring the IP address scope. The [Network]
section gained a new boolean setting ConfigureWithoutCarrier= that
tells systemd-networkd to ignore link sensing when configuring the
device. The [DHCP] section gained a new Anonymize= boolean option for
turning on a number of options suggested in RFC 7844. A new
[RoutingPolicyRule] section has been added for configuring the IP
routing policy. The [Route] section has gained support for a new
Type= setting which permits configuring
blackhole/unreachable/prohibit routes.
* The [VRF] section in .netdev files gained a new Table= setting for
configuring the routing table to use. The [Tunnel] section gained a
new Independent= boolean field for configuring tunnels independent of
an underlying network interface. The [Bridge] section gained a new
GroupForwardMask= option for configuration of propagation of link
local frames between bridge ports.
* The WakeOnLan= setting in .link files gained support for a number of
new modes. A new TCP6SegmentationOffload= setting has been added for
configuring TCP/IPv6 hardware segmentation offload.
* The IPv6 RA sender implementation may now optionally send out RDNSS
and RDNSSL records to supply DNS configuration to peers.
* systemd-nspawn gained support for a new --system-call-filter= command
line option for adding and removing entries in the default system
call filter it applies. Moreover systemd-nspawn has been changed to
implement a system call allow list instead of a deny list.
* systemd-run gained support for a new --pipe command line option. If
used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
are directly passed on to the activated transient service
executable. This allows invoking arbitrary processes as systemd
services (for example to take benefit of dependency management,
accounting management, resource management or log management that is
done automatically for services) — while still allowing them to be
integrated in a classic UNIX shell pipeline.
* When a service sends RELOAD=1 via sd_notify() and reload propagation
using ReloadPropagationTo= is configured, a reload is now propagated
to configured units. (Previously this was only done on explicitly
requested reloads, using "systemctl reload" or an equivalent
command.)
* For each service unit a restart counter is now kept: it is increased
each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …".
* New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
@signal and @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above).
* ExecStart= lines in unit files gained two new modifiers: when a
command line is prefixed with "!" the command will be executed as
configured, except for the credentials applied by
setuid()/setgid()/setgroups(). It is very similar to the pre-existing
"+", but does still apply namespacing options unlike "+". There's
also "!!" now, which is mostly identical, but becomes a NOP on
systems that support ambient capabilities. This is useful to write
unit files that work with ambient capabilities where possible but
automatically fall back to traditional privilege dropping mechanisms
on systems where this is not supported.
* ListenNetlink= settings in socket units now support RDMA netlink
sockets.
* A new unit file setting LockPersonality= has been added which permits
locking down the chosen execution domain ("personality") of a service
during runtime.
* A new special target "getty-pre.target" has been added, which is
ordered before all text logins, and may be used to order services
before textual logins acquire access to the console.
* systemd will now attempt to load the virtio-rng.ko kernel module very
early on if a VM environment supporting this is detected. This should
improve entropy during early boot in virtualized environments.
* A _netdev option is now supported in /etc/crypttab that operates in a
similar way as the same option in /etc/fstab: it permits configuring
encrypted devices that need to be ordered after the network is up.
Following this logic, two new special targets
remote-cryptsetup-pre.target and remote-cryptsetup.target have been
added that are to cryptsetup.target what remote-fs.target and
remote-fs-pre.target are to local-fs.target.
* Service units gained a new UnsetEnvironment= setting which permits
unsetting specific environment variables for services that are
normally passed to it (for example in order to mask out locale
settings for specific services that can't deal with it).
* Units acquired a new boolean option IPAccounting=. When turned on, IP
traffic accounting (packet count as well as byte count) is done for
the service, and shown as part of "systemctl status" or "systemd-run
--wait".
* Service units acquired two new options IPAddressAllow= and
IPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks,
for configuring a simple IP access control list for all sockets of
the unit. These options are available also on .slice and .socket
units, permitting flexible access list configuration for individual
services as well as groups of services (as defined by a slice unit),
including system-wide. Note that IP ACLs configured this way are
enforced on every single IPv4 and IPv6 socket created by any process
of the service unit, and apply to ingress as well as egress traffic.
* If CPUAccounting= or IPAccounting= is turned on for a unit a new
structured log message is generated each time the unit is stopped,
containing information about the consumed resources of this
invocation.
* A new setting KeyringMode= has been added to unit files, which may be
used to control how the kernel keyring is set up for executed
processes.
* "systemctl poweroff", "systemctl reboot", "systemctl halt",
"systemctl kexec" and "systemctl exit" are now always asynchronous in
behaviour (that is: these commands return immediately after the
operation was enqueued instead of waiting for the operation to
complete). Previously, "systemctl poweroff" and "systemctl reboot"
were asynchronous on systems using systemd-logind (i.e. almost
always, and like they were on sysvinit), and the other three commands
were unconditionally synchronous. With this release this is cleaned
up, and callers will see the same asynchronous behaviour on all
systems for all five operations.
* systemd-logind gained new Halt() and CanHalt() bus calls for halting
the system.
* .timer units now accept calendar specifications in other timezones
than UTC or the local timezone.
* The tmpfiles snippet var.conf has been changed to create
/var/log/btmp with access mode 0660 instead of 0600. It was owned by
the "utmp" group already, and it appears to be generally understood
that members of "utmp" can modify/flush the utmp/wtmp/lastlog/btmp
databases. Previously this was implemented correctly for all these
databases excepts btmp, which has been opened up like this now
too. Note that while the other databases are world-readable
(i.e. 0644), btmp is not and remains more restrictive.
* The systemd-resolve tool gained a new --reset-server-features
switch. When invoked like this systemd-resolved will forget
everything it learnt about the features supported by the configured
upstream DNS servers, and restarts the feature probing logic on the
next resolver look-up for them at the highest feature level
again.
* The status dump systemd-resolved sends to the logs upon receiving
SIGUSR1 now also includes information about all DNS servers it is
configured to use, and the features levels it probed for them.
Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander
Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar
Burchardt, Beniamino Galvani, Benjamin Berg, Benjamin Robin, Charles
Huber, Christian Hesse, Daniel Berrange, Daniel Kahn Gillmor, Daniel
Mack, Daniel Rusek, Daniel Șerbănescu, Davide Cavalca, Dimitri John
Ledkov, Diogo Pereira, Djalal Harouni, Dmitriy Geels, Dmitry Torokhov,
ettavolt, Evgeny Vereshchagin, Fabio Kung, Felipe Sateler, Franck Bui,
Hans de Goede, Harald Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov,
Jakub Wilk, Jan Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen,
John Lin, jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg
Thalheim, Jouke Witteveen, juga0, Justin Capella, Justin Michaud,
Kai-Heng Feng, Lennart Poettering, Lion Yang, Luca Bruno, Lucas
Werkmeister, Lukáš Nykrýn, Marcel Hollerbach, Marcus Lundblad, Martin
Pitt, Michael Biebl, Michael Grzeschik, Michal Sekletar, Mike Gilbert,
Neil Brown, Nicolas Iooss, Patrik Flykt, pEJipE, Piotr Drąg, Russell
Stuart, S. Fan, Shengyao Xue, Stefan Pietsch, Susant Sahani, Tejun Heo,
Thomas Miller, Thomas Sailer, Tobias Hunger, Tomasz Pala, Tom
Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø, userwithuid,
Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang
Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Berlin, 2017-10-06
CHANGES WITH 234:
* Meson is now supported as build system in addition to Automake. It is
our plan to remove Automake in one of our next releases, so that
Meson becomes our exclusive build system. Hence, please start using
the Meson build system in your downstream packaging. There's plenty
of documentation around how to use Meson, the extremely brief
summary:
./autogen.sh && ./configure && make && sudo make install
becomes:
meson build && ninja -C build && sudo ninja -C build install
* Unit files gained support for a new JobRunningTimeoutUSec= setting,
which permits configuring a timeout on the time a job is
running. This is particularly useful for setting timeouts on jobs for
.device units.
* Unit files gained two new options ConditionUser= and ConditionGroup=
for conditionalizing units based on the identity of the user/group
running a systemd user instance.
* systemd-networkd now understands a new FlowLabel= setting in the
[VXLAN] section of .network files, as well as a Priority= in
[Bridge], GVRP= + MVRP= + LooseBinding= + ReorderHeader= in [VLAN]
and GatewayOnlink= + IPv6Preference= + Protocol= in [Route]. It also
gained support for configuration of GENEVE links, and IPv6 address
labels. The [Network] section gained the new IPv6ProxyNDP= setting.
* .link files now understand a new Port= setting.
* systemd-networkd's DHCP support gained support for DHCP option 119
(domain search list).
* systemd-networkd gained support for serving IPv6 address ranges using
the Router Advertisement protocol. The new .network configuration
section [IPv6Prefix] may be used to configure the ranges to
serve. This is implemented based on a new, minimal, native server
implementation of RA.
* journalctl's --output= switch gained support for a new parameter
"short-iso-precise" for a mode where timestamps are shown as precise
ISO date values.
* systemd-udevd's "net_id" builtin may now generate stable network
interface names from IBM PowerVM VIO devices as well as ACPI platform
devices.
* MulticastDNS support in systemd-resolved may now be explicitly
enabled/disabled using the new MulticastDNS= configuration file
option.
* systemd-resolved may now optionally use libidn2 instead of the libidn
for processing internationalized domain names. Support for libidn2
should be considered experimental and should not be enabled by
default yet.
* "machinectl pull-tar" and related call may now do verification of
downloaded images using SUSE-style .sha256 checksum files in addition
to the already existing support for validating using Ubuntu-style
SHA256SUMS files.
* sd-bus gained support for a new sd_bus_message_appendv() call which
is va_list equivalent of sd_bus_message_append().
* sd-boot gained support for validating images using SHIM/MOK.
* The SMACK code learnt support for "onlycap".
* systemd-mount --umount is now much smarter in figuring out how to
properly unmount a device given its mount or device path.
* The code to call libnss_dns as a fallback from libnss_resolve when
the communication with systemd-resolved fails was removed. This
fallback was redundant and interfered with the [!UNAVAIL=return]
suffix. See nss-resolve(8) for the recommended configuration.
* systemd-logind may now be restarted without losing state. It stores
the file descriptors for devices it manages in the system manager
using the FDSTORE= mechanism. Please note that further changes in
other components may be required to make use of this (for example
Xorg has code to listen for stops of systemd-logind and terminate
itself when logind is stopped or restarted, in order to avoid using
stale file descriptors for graphical devices, which is now
counterproductive and must be reverted in order for restarts of
systemd-logind to be safe. See
https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101.)
* All kernel-install plugins are called with the environment variable
KERNEL_INSTALL_MACHINE_ID which is set to the machine ID given by
/etc/machine-id. If the machine ID could not be determined,
$KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put
anything in the entry directory (passed as the second argument) if
$KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a
temporary directory is passed as the entry directory and removed
after all the plugins exit.
* If KERNEL_INSTALL_MACHINE_ID is set in /etc/machine-info, kernel-install
will now use its value as the machine ID instead of the machine ID
from /etc/machine-id. If KERNEL_INSTALL_MACHINE_ID isn't set in
/etc/machine-info and no machine ID is set in /etc/machine-id,
kernel-install will try to store the current machine ID there as
KERNEL_INSTALL_MACHINE_ID. If there is no machine ID, kernel-install
will generate a new UUID, store it in /etc/machine-info as
KERNEL_INSTALL_MACHINE_ID and use it as the machine ID.
Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander
Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir
Yalon, Anchor Cat, Anthony Parsons, Bastien Nocera, Benjamin Gilbert,
Benjamin Robin, Boucman, Charles Plessy, Chris Chiu, Chris Lamb,
Christian Brauner, Christian Hesse, Colin Walters, Daniel Drake,
Danielle Church, Daniel Molkentin, Daniel Rusek, Daniel Wang, Davide
Cavalca, David Herrmann, David Michael, Dax Kelson, Dimitri John
Ledkov, Djalal Harouni, Dušan Kazik, Elias Probst, Evgeny Vereshchagin,
Federico Di Pierro, Felipe Sateler, Felix Zhang, Franck Bui, Gary
Tierney, George McCollister, Giedrius Statkevičius, Hans de Goede,
hecke, Hendrik Westerberg, Hristo Venev, Ian Wienand, Insun Pyo, Ivan
Shapovalov, James Cowgill, James Hemsing, Janne Heß, Jan Synacek, Jason
Reeder, João Paulo Rechi Vita, John Paul Adrian Glaubitz, Jörg
Thalheim, Josef Andersson, Josef Gajdusek, Julian Mehne, Kai Krakow,
Krzysztof Jackiewicz, Lars Karlitski, Lennart Poettering, Lluís Gili,
Lucas Werkmeister, Lukáš Nykrýn, Łukasz Stelmach, Mantas Mikulėnas,
Marcin Bachry, Marcus Cooper, Mark Stosberg, Martin Pitt, Matija Skala,
Matt Clarkson, Matthew Garrett, Matthias Greiner, Matthijs van Duin,
Max Resch, Michael Biebl, Michal Koutný, Michal Sekletar, Michal
Soltys, Michal Suchanek, Mike Gilbert, Nate Clark, Nathaniel R. Lewis,
Neil Brown, Nikolai Kondrashov, Pascal S. de Kloe, Pat Riehecky, Patrik
Flykt, Paul Kocialkowski, Peter Hutterer, Philip Withnall, Piotr
Szydełko, Rafael Fontenelle, Ray Strode, Richard Maw, Roelf Wichertjes,
Ronny Chevalier, Sarang S. Dalal, Sjoerd Simons, slodki, Stefan
Schweter, Susant Sahani, Ted Wood, Thomas Blume, Thomas Haller, Thomas
H. P. Andersen, Timothée Ravier, Tobias Jungel, Tobias Stoeckmann, Tom
Gundersen, Tom Yan, Torstein Husebø, Umut Tezduyar Lindskog,
userwithuid, Vito Caputo, Waldemar Brodkorb, WaLyong Cho, Yu, Li-Yu,
Yusuke Nojima, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Дамјан
Георгиевски
— Berlin, 2017-07-12
CHANGES WITH 233:
* The "hybrid" control group mode has been modified to improve
compatibility with "legacy" cgroups-v1 setups. Specifically, the
"hybrid" setup of /sys/fs/cgroup is now pretty much identical to
"legacy" (including /sys/fs/cgroup/systemd as "name=systemd" named
cgroups-v1 hierarchy), the only externally visible change being that
the cgroups-v2 hierarchy is also mounted, to
/sys/fs/cgroup/unified. This should provide a large degree of
compatibility with "legacy" cgroups-v1, while taking benefit of the
better management capabilities of cgroups-v2.
* The default control group setup mode may be selected both a boot-time
via a set of kernel command line parameters (specifically:
systemd.unified_cgroup_hierarchy= and
systemd.legacy_systemd_cgroup_controller=), as well as a compile-time
default selected on the configure command line
(--with-default-hierarchy=). The upstream default is "hybrid"
(i.e. the cgroups-v1 + cgroups-v2 mixture discussed above) now, but
this will change in a future systemd version to be "unified" (pure
cgroups-v2 mode). The third option for the compile time option is
"legacy", to enter pure cgroups-v1 mode. We recommend downstream
distributions to default to "hybrid" mode for release distributions,
starting with v233. We recommend "unified" for development
distributions (specifically: distributions such as Fedora's rawhide)
as that's where things are headed in the long run. Use "legacy" for
greatest stability and compatibility only.
* Note one current limitation of "unified" and "hybrid" control group
setup modes: the kernel currently does not permit the systemd --user
instance (i.e. unprivileged code) to migrate processes between two
disconnected cgroup subtrees, even if both are managed and owned by
the user. This effectively means "systemd-run --user --scope" doesn't
work when invoked from outside of any "systemd --user" service or
scope. Specifically, it is not supported from session scopes. We are
working on fixing this in a future systemd version. (See #3388 for
further details about this.)
* DBus policy files are now installed into /usr rather than /etc. Make
sure your system has dbus >= 1.9.18 running before upgrading to this
version, or override the install path with --with-dbuspolicydir= .
* All python scripts shipped with systemd (specifically: the various
tests written in Python) now require Python 3.
* systemd unit tests can now run standalone (without the source or
build directories), and can be installed into /usr/lib/systemd/tests/
with 'make install-tests'.
* Note that from this version on, CONFIG_CRYPTO_USER_API_HASH,
CONFIG_CRYPTO_HMAC and CONFIG_CRYPTO_SHA256 need to be enabled in the
kernel.
* Support for the %c, %r, %R specifiers in unit files has been
removed. Specifiers are not supposed to be dependent on configuration
in the unit file itself (so that they resolve the same regardless
where used in the unit files), but these specifiers were influenced
by the Slice= option.
* The shell invoked by debug-shell.service now defaults to /bin/sh in
all cases. If distributions want to use a different shell for this
purpose (for example Fedora's /sbin/sushell) they need to specify
this explicitly at configure time using --with-debug-shell=.
* The confirmation spawn prompt has been reworked to offer the
following choices:
(c)ontinue, proceed without asking anymore
(D)ump, show the state of the unit
(f)ail, don't execute the command and pretend it failed
(h)elp
(i)nfo, show a short summary of the unit
(j)obs, show jobs that are in progress
(s)kip, don't execute the command and pretend it succeeded
(y)es, execute the command
The 'n' choice for the confirmation spawn prompt has been removed,
because its meaning was confusing.
The prompt may now also be redirected to an alternative console by
specifying the console as parameter to systemd.confirm_spawn=.
* Services of Type=notify require a READY=1 notification to be sent
during startup. If no such message is sent, the service now fails,
even if the main process exited with a successful exit code.
* Services that fail to start up correctly now always have their
ExecStopPost= commands executed. Previously, they'd enter "failed"
state directly, without executing these commands.
* The option MulticastDNS= of network configuration files has acquired
an actual implementation. With MulticastDNS=yes a host can resolve
names of remote hosts and reply to mDNS A and AAAA requests.
* When units are about to be started an additional check is now done to
ensure that all dependencies of type BindsTo= (when used in
combination with After=) have been started.
* systemd-analyze gained a new verb "syscall-filter" which shows which
system call groups are defined for the SystemCallFilter= unit file
setting, and which system calls they contain.
* A new system call filter group "@filesystem" has been added,
consisting of various file system related system calls. Group
"@reboot" has been added, covering reboot, kexec and shutdown related
calls. Finally, group "@swap" has been added covering swap
configuration related calls.
* A new unit file option RestrictNamespaces= has been added that may be
used to restrict access to the various process namespace types the
Linux kernel provides. Specifically, it may be used to take away the
right for a service unit to create additional file system, network,
user, and other namespaces. This sandboxing option is particularly
relevant due to the high amount of recently discovered namespacing
related vulnerabilities in the kernel.
* systemd-udev's .link files gained support for a new AutoNegotiation=
setting for configuring Ethernet auto-negotiation.
* systemd-networkd's .network files gained support for a new
ListenPort= setting in the [DHCP] section to explicitly configure the
UDP client port the DHCP client shall listen on.
* .network files gained a new Unmanaged= boolean setting for explicitly
excluding one or more interfaces from management by systemd-networkd.
* The systemd-networkd ProxyARP= option has been renamed to
IPV4ProxyARP=. Similarly, VXLAN-specific option ARPProxy= has been
renamed to ReduceARPProxy=. The old names continue to be available
for compatibility.
* systemd-networkd gained support for configuring IPv6 Proxy NDP
addresses via the new IPv6ProxyNDPAddress= .network file setting.
* systemd-networkd's bonding device support gained support for two new
configuration options ActiveSlave= and PrimarySlave=.
* The various options in the [Match] section of .network files gained
support for negative matching.
* New systemd-specific mount options are now understood in /etc/fstab:
x-systemd.mount-timeout= may be used to configure the maximum
permitted runtime of the mount command.
x-systemd.device-bound may be set to bind a mount point to its
backing device unit, in order to automatically remove a mount point
if its backing device is unplugged. This option may also be
configured through the new SYSTEMD_MOUNT_DEVICE_BOUND udev property
on the block device, which is now automatically set for all CDROM
drives, so that mounted CDs are automatically unmounted when they are
removed from the drive.
x-systemd.after= and x-systemd.before= may be used to explicitly
order a mount after or before another unit or mount point.
* Enqueued start jobs for device units are now automatically garbage
collected if there are no jobs waiting for them anymore.
* systemctl list-jobs gained two new switches: with --after, for every
queued job the jobs it's waiting for are shown; with --before the
jobs which it's blocking are shown.
* systemd-nspawn gained support for ephemeral boots from disk images
(or in other words: --ephemeral and --image= may now be
combined). Moreover, ephemeral boots are now supported for normal
directories, even if the backing file system is not btrfs. Of course,
if the file system does not support file system snapshots or
reflinks, the initial copy operation will be relatively expensive, but
this should still be suitable for many use cases.
* Calendar time specifications in .timer units now support
specifications relative to the end of a month by using "~" instead of
"-" as separator between month and day. For example, "*-02~03" means
"the third last day in February". In addition a new syntax for
repeated events has been added using the "/" character. For example,
"9..17/2:00" means "every two hours from 9am to 5pm".
* systemd-socket-proxyd gained a new parameter --connections-max= for
configuring the maximum number of concurrent connections.
* sd-id128 gained a new API for generating unique IDs for the host in a
way that does not leak the machine ID. Specifically,
sd_id128_get_machine_app_specific() derives an ID based on the
machine ID in a well-defined, non-reversible, stable way. This is
useful whenever an identifier for the host is needed but where the
identifier shall not be useful to identify the system beyond the
scope of the application itself. (Internally this uses HMAC-SHA256 as
keyed hash function using the machine ID as input.)
* NotifyAccess= gained a new supported value "exec". When set
notifications are accepted from all processes systemd itself invoked,
including all control processes.
* .nspawn files gained support for defining overlay mounts using the
Overlay= and OverlayReadOnly= options. Previously this functionality
was only available on the systemd-nspawn command line.
* systemd-nspawn's --bind= and --overlay= options gained support for
bind/overlay mounts whose source lies within the container tree by
prefixing the source path with "+".
* systemd-nspawn's --bind= and --overlay= options gained support for
automatically allocating a temporary source directory in /var/tmp
that is removed when the container dies. Specifically, if the source
directory is specified as empty string this mechanism is selected. An
example usage is --overlay=+/var::/var, which creates an overlay
mount based on the original /var contained in the image, overlaid
with a temporary directory in the host's /var/tmp. This way changes
to /var are automatically flushed when the container shuts down.
* systemd-nspawn --image= option does now permit raw file system block
devices (in addition to images containing partition tables, as
before).
* The disk image dissection logic in systemd-nspawn gained support for
automatically setting up LUKS encrypted as well as Verity protected
partitions. When a container is booted from an encrypted image the
passphrase is queried at start-up time. When a container with Verity
data is started, the root hash is search in a ".roothash" file
accompanying the disk image (alternatively, pass the root hash via
the new --root-hash= command line option).
* A new tool /usr/lib/systemd/systemd-dissect has been added that may
be used to dissect disk images the same way as systemd-nspawn does
it, following the Bootable Partition Specification. It may even be
used to mount disk images with complex partition setups (including
LUKS and Verity partitions) to a local host directory, in order to
inspect them. This tool is not considered public API (yet), and is
thus not installed into /usr/bin. Please do not rely on its
existence, since it might go away or be changed in later systemd
versions.
* A new generator "systemd-verity-generator" has been added, similar in
style to "systemd-cryptsetup-generator", permitting automatic setup of
Verity root partitions when systemd boots up. In order to make use of
this your partition setup should follow the Discoverable Partitions
Specification, and the GPT partition ID of the root file system
partition should be identical to the upper 128-bit of the Verity root
hash. The GPT partition ID of the Verity partition protecting it
should be the lower 128-bit of the Verity root hash. If the partition
image follows this model it is sufficient to specify a single
"roothash=" kernel command line argument to both configure which root
image and verity partition to use as well as the root hash for
it. Note that systemd-nspawn's Verity support follows the same
semantics, meaning that disk images with proper Verity data in place
may be booted in containers with systemd-nspawn as well as on
physical systems via the verity generator. Also note that the "mkosi"
tool available at https://github.com/systemd/mkosi has been updated
to generate Verity protected disk images following this scheme. In
fact, it has been updated to generate disk images that optionally
implement a complete UEFI SecureBoot trust chain, involving a signed
kernel and initrd image that incorporates such a root hash as well as
a Verity-enabled root partition.
* The hardware database (hwdb) udev supports has been updated to carry
accelerometer quirks.
* All system services are now run with a fresh kernel keyring set up
for them. The invocation ID is stored by default in it, thus
providing a safe, non-overridable way to determine the invocation
ID of each service.
* Service unit files gained new BindPaths= and BindReadOnlyPaths=
options for bind mounting arbitrary paths in a service-specific
way. When these options are used, arbitrary host or service files and
directories may be mounted to arbitrary locations in the service's
view.
* Documentation has been added that lists all of systemd's low-level
environment variables:
https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md
* sd-daemon gained a new API sd_is_socket_sockaddr() for determining
whether a specific socket file descriptor matches a specified socket
address.
* systemd-firstboot has been updated to check for the
systemd.firstboot= kernel command line option. It accepts a boolean
and when set to false the first boot questions are skipped.
* systemd-fstab-generator has been updated to check for the
systemd.volatile= kernel command line option, which either takes an
optional boolean parameter or the special value "state". If used the
system may be booted in a "volatile" boot mode. Specifically,
"systemd.volatile" is used, the root directory will be mounted as
tmpfs, and only /usr is mounted from the actual root file system. If
"systemd.volatile=state" is used, the root directory will be mounted
as usual, but /var is mounted as tmpfs. This concept provides similar
functionality as systemd-nspawn's --volatile= option, but provides it
on physical boots. Use this option for implementing stateless
systems, or testing systems with all state and/or configuration reset
to the defaults. (Note though that many distributions are not
prepared to boot up without a populated /etc or /var, though.)
* systemd-gpt-auto-generator gained support for LUKS encrypted root
partitions. Previously it only supported LUKS encrypted partitions
for all other uses, except for the root partition itself.
* Socket units gained support for listening on AF_VSOCK sockets for
communication in virtualized QEMU environments.
* The "configure" script gained a new option --with-fallback-hostname=
for specifying the fallback hostname to use if none is configured in
/etc/hostname. For example, by specifying
--with-fallback-hostname=fedora it is possible to default to a
hostname of "fedora" on pristine installations.
* systemd-cgls gained support for a new --unit= switch for listing only
the control groups of a specific unit. Similar --user-unit= has been
added for listing only the control groups of a specific user unit.
* systemd-mount gained a new --umount switch for unmounting a mount or
automount point (and all mount/automount points below it).
* systemd will now refuse full configuration reloads (via systemctl
daemon-reload and related calls) unless at least 16MiB of free space
are available in /run. This is a safety precaution in order to ensure
that generators can safely operate after the reload completed.
* A new unit file option RootImage= has been added, which has a similar
effect as RootDirectory= but mounts the service's root directory from
a disk image instead of plain directory. This logic reuses the same
image dissection and mount logic that systemd-nspawn already uses,
and hence supports any disk images systemd-nspawn supports, including
those following the Discoverable Partition Specification, as well as
Verity enabled images. This option enables systemd to run system
services directly off disk images acting as resource bundles,
possibly even including full integrity data.
* A new MountAPIVFS= unit file option has been added, taking a boolean
argument. If enabled /proc, /sys and /dev (collectively called the
"API VFS") will be mounted for the service. This is only relevant if
RootDirectory= or RootImage= is used for the service, as these mounts
are of course in place in the host mount namespace anyway.
* systemd-nspawn gained support for a new --pivot-root= switch. If
specified the root directory within the container image is pivoted to
the specified mount point, while the original root disk is moved to a
different place. This option enables booting of ostree images
directly with systemd-nspawn.
* The systemd build scripts will no longer complain if the NTP server
addresses are not changed from the defaults. Google now supports
these NTP servers officially. We still recommend downstreams to
properly register an NTP pool with the NTP pool project though.
* coredumpctl gained a new "--reverse" option for printing the list
of coredumps in reverse order.
* coredumpctl will now show additional information about truncated and
inaccessible coredumps, as well as coredumps that are still being
processed. It also gained a new --quiet switch for suppressing
additional informational message in its output.
* coredumpctl gained support for only showing coredumps newer and/or
older than specific timestamps, using the new --since= and --until=
options, reminiscent of journalctl's options by the same name.
* The systemd-coredump logic has been improved so that it may be reused
to collect backtraces in non-compiled languages, for example in
scripting languages such as Python.
* machinectl will now show the UID shift of local containers, if user
namespacing is enabled for them.
* systemd will now optionally run "environment generator" binaries at
configuration load time. They may be used to add environment
variables to the environment block passed to services invoked. One
user environment generator is shipped by default that sets up
environment variables based on files dropped into /etc/environment.d
and ~/.config/environment.d/.
* systemd-resolved now includes the new, recently published 2017 DNSSEC
root key (KSK).
* hostnamed has been updated to report a new chassis type of
"convertible" to cover "foldable" laptops that can both act as a
tablet and as a laptop, such as various Lenovo Yoga devices.
Contributions from: Adrián López, Alexander Galanin, Alexander
Kochetkov, Alexandros Frantzis, Andrey Ulanov, Antoine Eiche, Baruch
Siach, Bastien Nocera, Benjamin Robin, Björn, Brandon Philips, Cédric
Schieli, Charles (Chas) Williams, Christian Hesse, Daniele Medri,
Daniel Drake, Daniel Rusek, Daniel Wagner, Dan Streetman, Dave Reisner,
David Glasser, David Herrmann, David Michael, Djalal Harouni, Dmitry
Khlebnikov, Dmitry Rozhkov, Dongsu Park, Douglas Christman, Earnestly,
Emil Soleyman, Eric Cook, Evgeny Vereshchagin, Felipe Sateler, Fionn
Cleary, Florian Klink, Francesco Brozzu, Franck Bui, Gabriel Rauter,
Gianluca Boiano, Giedrius Statkevičius, Graeme Lawes, Hans de Goede,
Harald Hoyer, Ian Kelling, Ivan Shapovalov, Jakub Wilk, Janne Heß, Jan
Synacek, Jason Reeder, Jonathan Boulle, Jörg Thalheim, Jouke Witteveen,
Karl Kraus, Kees Cook, Keith Busch, Kieran Colford, kilian-k, Lennart
Poettering, Lubomir Rintel, Lucas Werkmeister, Lukas Rusak, Maarten de
Vries, Maks Naumov, Mantas Mikulėnas, Marc-Andre Lureau, Marcin Bachry,
Mark Stosberg, Martin Ejdestig, Martin Pitt, Mauricio Faria de
Oliveira, micah, Michael Biebl, Michael Shields, Michal Schmidt, Michal
Sekletar, Michel Kraus, Mike Gilbert, Mikko Ylinen, Mirza Krak,
Namhyung Kim, nikolaof, peoronoob, Peter Hutterer, Peter Körner, Philip
Withnall, Piotr Drąg, Ray Strode, Reverend Homer, Rike-Benjamin
Schuppner, Robert Kreuzer, Ronny Chevalier, Ruslan Bilovol, sammynx,
Sergey Ptashnick, Sergiusz Urbaniak, Stefan Berger, Stefan Hajnoczi,
Stefan Schweter, Stuart McLaren, Susant Sahani, Sylvain Plantefève,
Taylor Smock, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tibor
Nagy, Tobias Stoeckmann, Tom Gundersen, Torstein Husebø, Viktar
Vaŭčkievič, Viktor Mihajlovski, Vitaly Sulimov, Waldemar Brodkorb,
Walter Garcia-Fontes, Wim de With, Yassine Imounachen, Yi EungJun,
YunQiang Su, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Александр
Тихонов
— Berlin, 2017-03-01
CHANGES WITH 232:
* udev now runs with MemoryDenyWriteExecute=, RestrictRealtime= and
RestrictAddressFamilies= enabled. These sandboxing options should
generally be compatible with the various external udev call-out
binaries we are aware of, however there may be exceptions, in
particular when exotic languages for these call-outs are used. In
this case, consider turning off these settings locally.
* The new RemoveIPC= option can be used to remove IPC objects owned by
the user or group of a service when that service exits.
* The new ProtectKernelModules= option can be used to disable explicit
load and unload operations of kernel modules by a service. In
addition access to /usr/lib/modules is removed if this option is set.
* ProtectSystem= option gained a new value "strict", which causes the
whole file system tree with the exception of /dev, /proc, and /sys,
to be remounted read-only for a service.
* The new ProtectKernelTunables= option can be used to disable
modification of configuration files in /sys and /proc by a service.
Various directories and files are remounted read-only, so access is
restricted even if the file permissions would allow it.
* The new ProtectControlGroups= option can be used to disable write
access by a service to /sys/fs/cgroup.
* Various systemd services have been hardened with
ProtectKernelTunables=yes, ProtectControlGroups=yes,
RestrictAddressFamilies=.
* Support for dynamically creating users for the lifetime of a service
has been added. If DynamicUser=yes is specified, user and group IDs
will be allocated from the range 61184…65519 for the lifetime of the
service. They can be resolved using the new nss-systemd.so NSS
module. The module must be enabled in /etc/nsswitch.conf. Services
started in this way have PrivateTmp= and RemoveIPC= enabled, so that
any resources allocated by the service will be cleaned up when the
service exits. They also have ProtectHome=read-only and
ProtectSystem=strict enabled, so they are not able to make any
permanent modifications to the system.
* The nss-systemd module also always resolves root and nobody, making
it possible to have no /etc/passwd or /etc/group files in minimal
container or chroot environments.
* Services may be started with their own user namespace using the new
boolean PrivateUsers= option. Only root, nobody, and the uid/gid
under which the service is running are mapped. All other users are
mapped to nobody.
* Support for the cgroup namespace has been added to systemd-nspawn. If
supported by kernel, the container system started by systemd-nspawn
will have its own view of the cgroup hierarchy. This new behaviour
can be disabled using $SYSTEMD_NSPAWN_USE_CGNS environment variable.
* The new MemorySwapMax= option can be used to limit the maximum swap
usage under the unified cgroup hierarchy.
* Support for the CPU controller in the unified cgroup hierarchy has
been added, via the CPUWeight=, CPUStartupWeight=, CPUAccounting=
options. This controller requires out-of-tree patches for the kernel
and the support is provisional.
* Mount and automount units may now be created transiently
(i.e. dynamically at runtime via the bus API, instead of requiring
unit files in the file system).
* systemd-mount is a new tool which may mount file systems much like
mount(8), optionally pulling in additional dependencies through
transient .mount and .automount units. For example, this tool
automatically runs fsck on a backing block device before mounting,
and allows the automount logic to be used dynamically from the
command line for establishing mount points. This tool is particularly
useful when dealing with removable media, as it will ensure fsck is
run if necessary before the first access and that the file system
is quickly unmounted after each access by utilizing the automount
logic. This maximizes the chance that the file system on the
removable media stays in a clean state, and if it isn't in a clean
state is fixed automatically.
* LazyUnmount=yes option for mount units has been added to expose the
umount --lazy option. Similarly, ForceUnmount=yes exposes the --force
option.
* /efi will be used as the mount point of the EFI boot partition, if
the directory is present, and the mount point was not configured
through other means (e.g. fstab). If /efi directory does not exist,
/boot will be used as before. This makes it easier to automatically
mount the EFI partition on systems where /boot is used for something
else.
* When operating on GPT disk images for containers, systemd-nspawn will
now mount the ESP to /boot or /efi according to the same rules as PID
1 running on a host. This allows tools like "bootctl" to operate
correctly within such containers, in order to make container images
bootable on physical systems.
* disk/by-id and disk/by-path symlinks are now created for NVMe drives.
* Two new user session targets have been added to support running
graphical sessions under the systemd --user instance:
graphical-session.target and graphical-session-pre.target. See
systemd.special(7) for a description of how those targets should be
used.
* The vconsole initialization code has been significantly reworked to
use KD_FONT_OP_GET/SET ioctls instead of KD_FONT_OP_COPY and better
support unicode keymaps. Font and keymap configuration will now be
copied to all allocated virtual consoles.
* FreeBSD's bhyve virtualization is now detected.
* Information recorded in the journal for core dumps now includes the
contents of /proc/mountinfo and the command line of the process at
the top of the process hierarchy (which is usually the init process
of the container).
* systemd-journal-gatewayd learned the --directory= option to serve
files from the specified location.
* journalctl --root=… can be used to peruse the journal in the
/var/log/ directories inside of a container tree. This is similar to
the existing --machine= option, but does not require the container to
be active.
* The hardware database has been extended to support
ID_INPUT_TRACKBALL, used in addition to ID_INPUT_MOUSE to identify
trackball devices.
MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL hwdb property has been added to
specify the click rate for mice which include a horizontal wheel with
a click rate that is different than the one for the vertical wheel.
* systemd-run gained a new --wait option that makes service execution
synchronous. (Specifically, the command will not return until the
specified service binary exited.)
* systemctl gained a new --wait option that causes the start command to
wait until the units being started have terminated again.
* A new journal output mode "short-full" has been added which displays
timestamps with abbreviated English day names and adds a timezone
suffix. Those timestamps include more information than the default
"short" output mode, and can be passed directly to journalctl's
--since= and --until= options.
* /etc/resolv.conf will be bind-mounted into containers started by
systemd-nspawn, if possible, so any changes to resolv.conf contents
are automatically propagated to the container.
* The number of instances for socket-activated services originating
from a single IP address can be limited with
MaxConnectionsPerSource=, extending the existing setting of
MaxConnections=.
* systemd-networkd gained support for vcan ("Virtual CAN") interface
configuration.
* .netdev and .network configuration can now be extended through
drop-ins.
* UDP Segmentation Offload, TCP Segmentation Offload, Generic
Segmentation Offload, Generic Receive Offload, Large Receive Offload
can be enabled and disabled using the new UDPSegmentationOffload=,
TCPSegmentationOffload=, GenericSegmentationOffload=,
GenericReceiveOffload=, LargeReceiveOffload= options in the
[Link] section of .link files.
* The Spanning Tree Protocol, Priority, Aging Time, and the Default
Port VLAN ID can be configured for bridge devices using the new STP=,
Priority=, AgeingTimeSec=, and DefaultPVID= settings in the [Bridge]
section of .netdev files.
* The route table to which routes received over DHCP or RA should be
added can be configured with the new RouteTable= option in the [DHCP]
and [IPv6AcceptRA] sections of .network files.
* The Address Resolution Protocol can be disabled on links managed by
systemd-networkd using the ARP=no setting in the [Link] section of
.network files.
* New environment variables $SERVICE_RESULT, $EXIT_CODE and
$EXIT_STATUS are set for ExecStop= and ExecStopPost= commands, and
encode information about the result and exit codes of the current
service runtime cycle.
* systemd-sysctl will now configure kernel parameters in the order
they occur in the configuration files. This matches what sysctl
has been traditionally doing.
* kernel-install "plugins" that are executed to perform various
tasks after a new kernel is added and before an old one is removed
can now return a special value to terminate the procedure and
prevent any later plugins from running.
* Journald's SplitMode=login setting has been deprecated. It has been
removed from documentation, and its use is discouraged. In a future
release it will be completely removed, and made equivalent to current
default of SplitMode=uid.
* Storage=both option setting in /etc/systemd/coredump.conf has been
removed. With fast LZ4 compression storing the core dump twice is not
useful.
* The --share-system systemd-nspawn option has been replaced with an
(undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of
this functionality is discouraged. In addition the variables
$SYSTEMD_NSPAWN_SHARE_NS_IPC, $SYSTEMD_NSPAWN_SHARE_NS_PID,
$SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
individual namespaces.
* "machinectl list" now shows the IP address of running containers in
the output, as well as OS release information.
* "loginctl list" now shows the TTY of each session in the output.
* sd-bus gained new API calls sd_bus_track_set_recursive(),
sd_bus_track_get_recursive(), sd_bus_track_count_name(),
sd_bus_track_count_sender(). They permit usage of sd_bus_track peer
tracking objects in a "recursive" mode, where a single client can be
counted multiple times, if it takes multiple references.
* sd-bus gained new API calls sd_bus_set_exit_on_disconnect() and
sd_bus_get_exit_on_disconnect(). They may be used to make a
process using sd-bus automatically exit if the bus connection is
severed.
* Bus clients of the service manager may now "pin" loaded units into
memory, by taking an explicit reference on them. This is useful to
ensure the client can retrieve runtime data about the service even
after the service completed execution. Taking such a reference is
available only for privileged clients and should be helpful to watch
running services in a race-free manner, and in particular collect
information about exit statuses and results.
* The nss-resolve module has been changed to strictly return UNAVAIL
when communication via D-Bus with resolved failed, and NOTFOUND when
a lookup completed but was negative. This means it is now possible to
neatly configure fallbacks using nsswitch.conf result checking
expressions. Taking benefit of this, the new recommended
configuration line for the "hosts" entry in /etc/nsswitch.conf is:
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
* A new setting CtrlAltDelBurstAction= has been added to
/etc/systemd/system.conf which may be used to configure the precise
behaviour if the user on the console presses Ctrl-Alt-Del more often
than 7 times in 2s. Previously this would unconditionally result in
an expedited, immediate reboot. With this new setting the precise
operation may be configured in more detail, and also turned off
entirely.
* In .netdev files two new settings RemoteChecksumTx= and
RemoteChecksumRx= are now understood that permit configuring the
remote checksumming logic for VXLAN networks.
* The service manager learnt a new "invocation ID" concept for invoked
services. Each runtime cycle of a service will get a new invocation
ID (a 128-bit random UUID) assigned that identifies the current
run of the service uniquely and globally. A new invocation ID
is generated each time a service starts up. The journal will store
the invocation ID of a service along with any logged messages, thus
making the invocation ID useful for matching the online runtime of a
service with the offline log data it generated in a safe way without
relying on synchronized timestamps. In many ways this new service
invocation ID concept is similar to the kernel's boot ID concept that
uniquely and globally identifies the runtime of each boot. The
invocation ID of a service is passed to the service itself via an
environment variable ($INVOCATION_ID). A new bus call
GetUnitByInvocationID() has been added that is similar to GetUnit()
but instead of retrieving the bus path for a unit by its name
retrieves it by its invocation ID. The returned path is valid only as
long as the passed invocation ID is current.
* systemd-resolved gained a new "DNSStubListener" setting in
resolved.conf. It either takes a boolean value or the special values
"udp" and "tcp", and configures whether to enable the stub DNS
listener on 127.0.0.53:53.
* IP addresses configured via networkd may now carry additional
configuration settings supported by the kernel. New options include:
HomeAddress=, DuplicateAddressDetection=, ManageTemporaryAddress=,
PrefixRoute=, AutoJoin=.
* The PAM configuration fragment file for "user@.service" shipped with
systemd (i.e. the --user instance of systemd) has been stripped to
the minimum necessary to make the system boot. Previously, it
contained Fedora-specific stanzas that did not apply to other
distributions. It is expected that downstream distributions add
additional configuration lines, matching their needs to this file,
using it only as rough template of what systemd itself needs. Note
that this reduced fragment does not even include an invocation of
pam_limits which most distributions probably want to add, even though
systemd itself does not need it. (There's also the new build time
option --with-pamconfdir=no to disable installation of the PAM
fragment entirely.)
* If PrivateDevices=yes is set for a service the CAP_SYS_RAWIO
capability is now also dropped from its set (in addition to
CAP_SYS_MKNOD as before).
* In service unit files it is now possible to connect a specific named
file descriptor with stdin/stdout/stdout of an executed service. The
name may be specified in matching .socket units using the
FileDescriptorName= setting.
* A number of journal settings may now be configured on the kernel
command line. Specifically, the following options are now understood:
systemd.journald.max_level_console=,
systemd.journald.max_level_store=,
systemd.journald.max_level_syslog=, systemd.journald.max_level_kmsg=,
systemd.journald.max_level_wall=.
* "systemctl is-enabled --full" will now show by which symlinks a unit
file is enabled in the unit dependency tree.
* Support for VeraCrypt encrypted partitions has been added to the
"cryptsetup" logic and /etc/crypttab.
* systemd-detect-virt gained support for a new --private-users switch
that checks whether the invoking processes are running inside a user
namespace. Similar, a new special value "private-users" for the
existing ConditionVirtualization= setting has been added, permitting
skipping of specific units in user namespace environments.
Contributions from: Alban Crequy, Alexander Kuleshov, Alfie John,
Andreas Henriksson, Andrew Jeddeloh, Balázs Úr, Bart Rulon, Benjamin
Richter, Ben Gamari, Ben Harris, Brian J. Murrell, Christian Brauner,
Christian Rebischke, Clinton Roy, Colin Walters, Cristian Rodríguez,
Daniel Hahler, Daniel Mack, Daniel Maixner, Daniel Rusek, Dan Dedrick,
Davide Cavalca, David Herrmann, David Michael, Dennis Wassenberg,
Djalal Harouni, Dongsu Park, Douglas Christman, Elias Probst, Eric
Cook, Erik Karlsson, Evgeny Vereshchagin, Felipe Sateler, Felix Zhang,
Franck Bui, George Hilliard, Giuseppe Scrivano, HATAYAMA Daisuke,
Heikki Kemppainen, Hendrik Brueckner, hi117, Ismo Puustinen, Ivan
Shapovalov, Jakub Filak, Jakub Wilk, Jan Synacek, Jason Kölker,
Jean-Sébastien Bour, Jiří Pírko, Jonathan Boulle, Jorge Niedbalski,
Keith Busch, kristbaum, Kyle Russell, Lans Zhang, Lennart Poettering,
Leonardo Brondani Schenkel, Lucas Werkmeister, Luca Bruno, Lukáš
Nykrýn, Maciek Borzecki, Mantas Mikulėnas, Marc-Antoine Perennou,
Marcel Holtmann, Marcos Mello, Martin Ejdestig, Martin Pitt, Matej
Habrnal, Maxime de Roucy, Michael Biebl, Michael Chapman, Michael Hoy,
Michael Olbrich, Michael Pope, Michal Sekletar, Michal Soltys, Mike
Gilbert, Nick Owens, Patrik Flykt, Paweł Szewczyk, Peter Hutterer,
Piotr Drąg, Reid Price, Richard W.M. Jones, Roman Stingler, Ronny
Chevalier, Seraphime Kirkovski, Stefan Schweter, Steve Muir, Susant
Sahani, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tiago Levit,
Tobias Jungel, Tomáš Janoušek, Topi Miettinen, Torstein Husebø, Umut
Tezduyar Lindskog, Vito Caputo, WaLyong Cho, Wilhelm Schuster, Yann
E. MORIN, Yi EungJun, Yuki Inoguchi, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek, Zeal Jagannatha
— Santa Fe, 2016-11-03
CHANGES WITH 231:
* In service units the various ExecXYZ= settings have been extended
with an additional special character as first argument of the
assigned value: if the character '+' is used the specified command
line it will be run with full privileges, regardless of User=,
Group=, CapabilityBoundingSet= and similar options. The effect is
similar to the existing PermissionsStartOnly= option, but allows
configuration of this concept for each executed command line
independently.
* Services may now alter the service watchdog timeout at runtime by
sending a WATCHDOG_USEC= message via sd_notify().
* MemoryLimit= and related unit settings now optionally take percentage
specifications. The percentage is taken relative to the amount of
physical memory in the system (or in case of containers, the assigned
amount of memory). This allows scaling service resources neatly with
the amount of RAM available on the system. Similarly, systemd-logind's
RuntimeDirectorySize= option now also optionally takes percentage
values.
* In similar fashion TasksMax= takes percentage values now, too. The
value is taken relative to the configured maximum number of processes
on the system. The per-service task maximum has been changed to 15%
using this functionality. (Effectively this is an increase of 512 →
4915 for service units, given the kernel's default pid_max setting.)
* Calendar time specifications in .timer units now understand a ".."
syntax for time ranges. Example: "4..7:10" may now be used for
defining a timer that is triggered at 4:10am, 5:10am, 6:10am and
7:10am every day.
* The InaccessableDirectories=, ReadOnlyDirectories= and
ReadWriteDirectories= unit file settings have been renamed to
InaccessablePaths=, ReadOnlyPaths= and ReadWritePaths= and may now be
applied to all kinds of file nodes, and not just directories, with
the exception of symlinks. Specifically these settings may now be
used on block and character device nodes, UNIX sockets and FIFOS as
well as regular files. The old names of these settings remain
available for compatibility.
* systemd will now log about all service processes it kills forcibly
(using SIGKILL) because they remained after the clean shutdown phase
of the service completed. This should help identifying services that
shut down uncleanly. Moreover if KillUserProcesses= is enabled in
systemd-logind's configuration a similar log message is generated for
processes killed at the end of each session due to this setting.
* systemd will now set the $JOURNAL_STREAM environment variable for all
services whose stdout/stderr are connected to the Journal (which
effectively means by default: all services). The variable contains
the device and inode number of the file descriptor used for
stdout/stderr. This may be used by invoked programs to detect whether
their stdout/stderr is connected to the Journal, in which case they
can switch over to direct Journal communication, thus being able to
pass extended, structured metadata along with their log messages. As
one example, this is now used by glib's logging primitives.
* When using systemd's default tmp.mount unit for /tmp, the mount point
will now be established with the "nosuid" and "nodev" options. This
avoids privilege escalation attacks that put traps and exploits into
/tmp. However, this might cause problems if you e.g. put container
images or overlays into /tmp; if you need this, override tmp.mount's
"Options=" with a drop-in, or mount /tmp from /etc/fstab with your
desired options.
* systemd now supports the "memory" cgroup controller also on
cgroup v2.
* The systemd-cgtop tool now optionally takes a control group path as
command line argument. If specified, the control group list shown is
limited to subgroups of that group.
* The SystemCallFilter= unit file setting gained support for
pre-defined, named system call filter sets. For example
SystemCallFilter=@clock is now an effective way to make all clock
changing-related system calls unavailable to a service. A number of
similar pre-defined groups are defined. Writing system call filters
for system services is simplified substantially with this new
concept. Accordingly, all of systemd's own, long-running services now
enable system call filtering based on this, by default.
* A new service setting MemoryDenyWriteExecute= has been added, taking
a boolean value. If turned on, a service may no longer create memory
mappings that are writable and executable at the same time. This
enhances security for services where this is enabled as it becomes
harder to dynamically write and then execute memory in exploited
service processes. This option has been enabled for all of systemd's
own long-running services.
* A new RestrictRealtime= service setting has been added, taking a
boolean argument. If set the service's processes may no longer
acquire realtime scheduling. This improves security as realtime
scheduling may otherwise be used to easily freeze the system.
* systemd-nspawn gained a new switch --notify-ready= taking a boolean
value. This may be used for requesting that the system manager inside
of the container reports start-up completion to nspawn which then
propagates this notification further to the service manager
supervising nspawn itself. A related option NotifyReady= in .nspawn
files has been added too. This functionality allows ordering of the
start-up of multiple containers using the usual systemd ordering
primitives.
* machinectl gained a new command "stop" that is an alias for
"terminate".
* systemd-resolved gained support for contacting DNS servers on
link-local IPv6 addresses.
* If systemd-resolved receives the SIGUSR2 signal it will now flush all
its caches. A method call for requesting the same operation has been
added to the bus API too, and is made available via "systemd-resolve
--flush-caches".
* systemd-resolve gained a new --status switch. If passed a brief
summary of the used DNS configuration with per-interface information
is shown.
* resolved.conf gained a new Cache= boolean option, defaulting to
on. If turned off local DNS caching is disabled. This comes with a
performance penalty in particular when DNSSEC is enabled. Note that
resolved disables its internal caching implicitly anyway, when the
configured DNS server is on a host-local IP address such as ::1 or
127.0.0.1, thus automatically avoiding double local caching.
* systemd-resolved now listens on the local IP address 127.0.0.53:53
for DNS requests. This improves compatibility with local programs
that do not use the libc NSS or systemd-resolved's bus APIs for name
resolution. This minimal DNS service is only available to local
programs and does not implement the full DNS protocol, but enough to
cover local DNS clients. A new, static resolv.conf file, listing just
this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is
now recommended to make /etc/resolv.conf a symlink to this file in
order to route all DNS lookups to systemd-resolved, regardless if
done via NSS, the bus API or raw DNS packets. Note that this local
DNS service is not as fully featured as the libc NSS or
systemd-resolved's bus APIs. For example, as unicast DNS cannot be
used to deliver link-local address information (as this implies
sending a local interface index along), LLMNR/mDNS support via this
interface is severely restricted. It is thus strongly recommended for
all applications to use the libc NSS API or native systemd-resolved
bus API instead.
* systemd-networkd's bridge support learned a new setting
VLANFiltering= for controlling VLAN filtering. Moreover a new section
in .network files has been added for configuring VLAN bridging in
more detail: VLAN=, EgressUntagged=, PVID= in [BridgeVLAN].
* systemd-networkd's IPv6 Router Advertisement code now makes use of
the DNSSL and RDNSS options. This means IPv6 DNS configuration may
now be acquired without relying on DHCPv6. Two new options
UseDomains= and UseDNS= have been added to configure this behaviour.
* systemd-networkd's IPv6AcceptRouterAdvertisements= option has been
renamed IPv6AcceptRA=, without altering its behaviour. The old
setting name remains available for compatibility reasons.
* The systemd-networkd VTI/VTI6 tunneling support gained new options
Key=, InputKey= and OutputKey=.
* systemd-networkd gained support for VRF ("Virtual Routing Function")
interface configuration.
* "systemctl edit" may now be used to create new unit files by
specifying the --force switch.
* sd-event gained a new function sd_event_get_iteration() for
requesting the current iteration counter of the event loop. It starts
at zero and is increased by one with each event loop iteration.
* A new rpm macro %systemd_ordering is provided by the macros.systemd
file. It can be used in lieu of %systemd_requires in packages which
don't use any systemd functionality and are intended to be installed
in minimal containers without systemd present. This macro provides
ordering dependencies to ensure that if the package is installed in
the same rpm transaction as systemd, systemd will be installed before
the scriptlets for the package are executed, allowing unit presets
to be handled.
New macros %_systemdgeneratordir and %_systemdusergeneratordir have
been added to simplify packaging of generators.
* The os-release file gained VERSION_CODENAME field for the
distribution nickname (e.g. VERSION_CODENAME=woody).
* New udev property UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG=1
can be set to disable parsing of metadata and the creation
of persistent symlinks for that device.
* The v230 change to tag framebuffer devices (/dev/fb*) with "uaccess"
to make them available to logged-in users has been reverted.
* Much of the common code of the various systemd components is now
built into an internal shared library libsystemd-shared-231.so
(incorporating the systemd version number in the name, to be updated
with future releases) that the components link to. This should
decrease systemd footprint both in memory during runtime and on
disk. Note that the shared library is not for public use, and is
neither API nor ABI stable, but is likely to change with every new
released update. Packagers need to make sure that binaries
linking to libsystemd-shared.so are updated in step with the
library.
* Configuration for "mkosi" is now part of the systemd
repository. mkosi is a tool to easily build legacy-free OS images,
and is available on github: https://github.com/systemd/mkosi. If
"mkosi" is invoked in the build tree a new raw OS image is generated
incorporating the systemd sources currently being worked on and a
clean, fresh distribution installation. The generated OS image may be
booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
UEFI PC. This functionality is particularly useful to easily test
local changes made to systemd in a pristine, defined environment. See
doc/HACKING for details.
* configure learned the --with-support-url= option to specify the
distribution's bugtracker.
Contributions from: Alban Crequy, Alessandro Puccetti, Alessio Igor
Bogani, Alexander Kuleshov, Alexander Kurtz, Alex Gaynor, Andika
Triwidada, Andreas Pokorny, Andreas Rammhold, Andrew Jeddeloh, Ansgar
Burchardt, Atrotors, Benjamin Drung, Brian Boylston, Christian Hesse,
Christian Rebischke, Daniele Medri, Daniel Mack, Dave Reisner, David
Herrmann, David Michael, Djalal Harouni, Douglas Christman, Elias
Probst, Evgeny Vereshchagin, Federico Mena Quintero, Felipe Sateler,
Franck Bui, Harald Hoyer, Ian Lee, Ivan Shapovalov, Jakub Wilk, Jan
Janssen, Jean-Sébastien Bour, John Paul Adrian Glaubitz, Jouke
Witteveen, Kai Ruhnau, kpengboy, Kyle Walker, Lénaïc Huard, Lennart
Poettering, Luca Bruno, Lukas Lösche, Lukáš Nykrýn, mahkoh, Marcel
Holtmann, Martin Pitt, Marty Plummer, Matthieu Codron, Max Prokhorov,
Michael Biebl, Michael Karcher, Michael Olbrich, Michał Bartoszkiewicz,
Michal Sekletar, Michal Soltys, Minkyung, Muhammet Kara, mulkieran,
Otto Wallenius, Pablo Lezaeta Reyes, Peter Hutterer, Ronny Chevalier,
Rusty Bird, Stef Walter, Susant Sahani, Tejun Heo, Thomas Blume, Thomas
Haller, Thomas H. P. Andersen, Tobias Jungel, Tom Gundersen, Tom Yan,
Topi Miettinen, Torstein Husebø, Valentin Vidić, Viktar Vaŭčkievič,
WaLyong Cho, Weng Xuetian, Werner Fink, Zbigniew Jędrzejewski-Szmek
— Berlin, 2016-07-25
CHANGES WITH 230:
* DNSSEC is now turned on by default in systemd-resolved (in
"allow-downgrade" mode), but may be turned off during compile time by
passing "--with-default-dnssec=no" to "configure" (and of course,
during runtime with DNSSEC= in resolved.conf). We recommend
downstreams to leave this on at least during development cycles and
report any issues with the DNSSEC logic upstream. We are very
interested in collecting feedback about the DNSSEC validator and its
limitations in the wild. Note however, that DNSSEC support is
probably nothing downstreams should turn on in stable distros just
yet, as it might create incompatibilities with a few DNS servers and
networks. We tried hard to make sure we downgrade to non-DNSSEC mode
automatically whenever we detect such incompatible setups, but there
might be systems we do not cover yet. Hence: please help us testing
the DNSSEC code, leave this on where you can, report back, but then
again don't consider turning this on in your stable, LTS or
production release just yet. (Note that you have to enable
nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved
and its DNSSEC mode for hostname resolution from local
applications.)
* systemd-resolve conveniently resolves DANE records with the --tlsa
option and OPENPGPKEY records with the --openpgp option. It also
supports dumping raw DNS record data via the new --raw= switch.
* systemd-logind will now by default terminate user processes that are
part of the user session scope unit (session-XX.scope) when the user
logs out. This behavior is controlled by the KillUserProcesses=
setting in logind.conf, and the previous default of "no" is now
changed to "yes". This means that user sessions will be properly
cleaned up after, but additional steps are necessary to allow
intentionally long-running processes to survive logout.
While the user is logged in at least once, user@.service is running,
and any service that should survive the end of any individual login
session can be started at a user service or scope using systemd-run.
systemd-run(1) man page has been extended with an example which shows
how to run screen in a scope unit underneath user@.service. The same
command works for tmux.
After the user logs out of all sessions, user@.service will be
terminated too, by default, unless the user has "lingering" enabled.
To effectively allow users to run long-term tasks even if they are
logged out, lingering must be enabled for them. See loginctl(1) for
details. The default polkit policy was modified to allow users to
set lingering for themselves without authentication.
Previous defaults can be restored at compile time by the
--without-kill-user-processes option to "configure".
* systemd-logind gained new configuration settings SessionsMax= and
InhibitorsMax=, both with a default of 8192. It will not register new
user sessions or inhibitors above this limit.
* systemd-logind will now reload configuration on SIGHUP.
* The unified cgroup hierarchy added in Linux 4.5 is now supported.
Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to
enable. Also, support for the "io" cgroup controller in the unified
hierarchy has been added, so that the "memory", "pids" and "io" are
now the controllers that are supported on the unified hierarchy.
WARNING: it is not possible to use previous systemd versions with
systemd.unified_cgroup_hierarchy=1 and the new kernel. Therefore it
is necessary to also update systemd in the initramfs if using the
unified hierarchy. An updated SELinux policy is also required.
* LLDP support has been extended, and both passive (receive-only) and
active (sender) modes are supported. Passive mode ("routers-only") is
enabled by default in systemd-networkd. Active LLDP mode is enabled
by default for containers on the internal network. The "networkctl
lldp" command may be used to list information gathered. "networkctl
status" will also show basic LLDP information on connected peers now.
* The IAID and DUID unique identifier sent in DHCP requests may now be
configured for the system and each .network file managed by
systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options.
* systemd-networkd gained support for configuring proxy ARP support for
each interface, via the ProxyArp= setting in .network files. It also
gained support for configuring the multicast querier feature of
bridge devices, via the new MulticastQuerier= setting in .netdev
files. Similarly, snooping on the IGMP traffic can be controlled
via the new setting MulticastSnooping=.
A new setting PreferredLifetime= has been added for addresses
configured in .network file to configure the lifetime intended for an
address.
The systemd-networkd DHCP server gained the option EmitRouter=, which
defaults to yes, to configure whether the DHCP Option 3 (Router)
should be emitted.
* The testing tool /usr/lib/systemd/systemd-activate is renamed to
systemd-socket-activate and installed into /usr/bin. It is now fully
supported.
* systemd-journald now uses separate threads to flush changes to disk
when closing journal files, thus reducing impact of slow disk I/O on
logging performance.
* The sd-journal API gained two new calls
sd_journal_open_directory_fd() and sd_journal_open_files_fd() which
can be used to open journal files using file descriptors instead of
file or directory paths. sd_journal_open_container() has been
deprecated, sd_journal_open_directory_fd() should be used instead
with the flag SD_JOURNAL_OS_ROOT.
* journalctl learned a new output mode "-o short-unix" that outputs log
lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970
UTC). It also gained support for a new --no-hostname setting to
suppress the hostname column in the family of "short" output modes.
* systemd-ask-password now optionally skips printing of the password to
stdout with --no-output which can be useful in scripts.
* Framebuffer devices (/dev/fb*) and 3D printers and scanners
(devices tagged with ID_MAKER_TOOL) are now tagged with
"uaccess" and are available to logged in users.
* The DeviceAllow= unit setting now supports specifiers (with "%").
* "systemctl show" gained a new --value switch, which allows print a
only the contents of a specific unit property, without also printing
the property's name. Similar support was added to "show*" verbs
of loginctl and machinectl that output "key=value" lists.
* A new unit type "generated" was added for files dynamically generated
by generator tools. Similarly, a new unit type "transient" is used
for unit files created using the runtime API. "systemctl enable" will
refuse to operate on such files.
* A new command "systemctl revert" has been added that may be used to
revert to the vendor version of a unit file, in case local changes
have been made by adding drop-ins or overriding the unit file.
* "machinectl clean" gained a new verb to automatically remove all or
just hidden container images.
* systemd-tmpfiles gained support for a new line type "e" for emptying
directories, if they exist, without creating them if they don't.
* systemd-nspawn gained support for automatically patching the UID/GIDs
of the owners and the ACLs of all files and directories in a
container tree to match the UID/GID user namespacing range selected
for the container invocation. This mode is enabled via the new
--private-users-chown switch. It also gained support for
automatically choosing a free, previously unused UID/GID range when
starting a container, via the new --private-users=pick setting (which
implies --private-users-chown). Together, these options for the first
time make user namespacing for nspawn containers fully automatic and
thus deployable. The systemd-nspawn@.service template unit file has
been changed to use this functionality by default.
* systemd-nspawn gained a new --network-zone= switch, that allows
creating ad-hoc virtual Ethernet links between multiple containers,
that only exist as long as at least one container referencing them is
running. This allows easy connecting of multiple containers with a
common link that implements an Ethernet broadcast domain. Each of
these network "zones" may be named relatively freely by the user, and
may be referenced by any number of containers, but each container may
only reference one of these "zones". On the lower level, this is
implemented by an automatically managed bridge network interface for
each zone, that is created when the first container referencing its
zone is created and removed when the last one referencing its zone
terminates.
* The default start timeout may now be configured on the kernel command
line via systemd.default_timeout_start_sec=. It was already
configurable via the DefaultTimeoutStartSec= option in
/etc/systemd/system.conf.
* Socket units gained a new TriggerLimitIntervalSec= and
TriggerLimitBurst= setting to configure a limit on the activation
rate of the socket unit.
* The LimitNICE= setting now optionally takes normal UNIX nice values
in addition to the raw integer limit value. If the specified
parameter is prefixed with "+" or "-" and is in the range -20…19 the
value is understood as UNIX nice value. If not prefixed like this it
is understood as raw RLIMIT_NICE limit.
* Note that the effect of the PrivateDevices= unit file setting changed
slightly with this release: the per-device /dev file system will be
mounted read-only from this version on, and will have "noexec"
set. This (minor) change of behavior might cause some (exceptional)
legacy software to break, when PrivateDevices=yes is set for its
service. Please leave PrivateDevices= off if you run into problems
with this.
* systemd-bootchart has been split out to a separate repository:
https://github.com/systemd/systemd-bootchart
* systemd-bus-proxyd has been removed, as kdbus is unlikely to still be
merged into the kernel in its current form.
* The compatibility libraries libsystemd-daemon.so,
libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so
which have been deprecated since systemd-209 have been removed along
with the corresponding pkg-config files. All symbols provided by
those libraries are provided by libsystemd.so.
* The Capabilities= unit file setting has been removed (it is ignored
for backwards compatibility). AmbientCapabilities= and
CapabilityBoundingSet= should be used instead.
* A new special target has been added, initrd-root-device.target,
which creates a synchronization point for dependencies of the root
device in early userspace. Initramfs builders must ensure that this
target is now included in early userspace.
Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov,
Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin
Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens
Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh,
Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David
R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny
Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck
Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik
Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo
Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth,
John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos
Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir
Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt,
Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný,
Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin,
mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween,
Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern,
Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert
Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan
Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain
Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller,
Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen,
Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso,
Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev,
Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek
— Fairfax, 2016-05-21
CHANGES WITH 229:
* The systemd-resolved DNS resolver service has gained a substantial
set of new features, most prominently it may now act as a DNSSEC
validating stub resolver. DNSSEC mode is currently turned off by
default, but is expected to be turned on by default in one of the
next releases. For now, we invite everybody to test the DNSSEC logic
by setting DNSSEC=allow-downgrade in /etc/systemd/resolved.conf. The
service also gained a full set of D-Bus interfaces, including calls
to configure DNS and DNSSEC settings per link (for use by external
network management software). systemd-resolved and systemd-networkd
now distinguish between "search" and "routing" domains. The former
are used to qualify single-label names, the latter are used purely
for routing lookups within certain domains to specific links.
resolved now also synthesizes RRs for all entries from /etc/hosts.
* The systemd-resolve tool (which is a client utility for
systemd-resolved) has been improved considerably and is now fully
supported and documented. Hence it has moved from /usr/lib/systemd to
/usr/bin.
* /dev/disk/by-path/ symlink support has been (re-)added for virtio
devices.
* The coredump collection logic has been reworked: when a coredump is
collected it is now written to disk, compressed and processed
(including stacktrace extraction) from a new instantiated service
systemd-coredump@.service, instead of directly from the
/proc/sys/kernel/core_pattern hook we provide. This is beneficial as
processing large coredumps can take up a substantial amount of
resources and time, and this previously happened entirely outside of
systemd's service supervision. With the new logic the core_pattern
hook only does minimal metadata collection before passing off control
to the new instantiated service, which is configured with a time
limit, a nice level and other settings to minimize negative impact on
the rest of the system. Also note that the new logic will honour the
RLIMIT_CORE setting of the crashed process, which now allows users
and processes to turn off coredumping for their processes by setting
this limit.
* The RLIMIT_CORE resource limit now defaults to "unlimited" for PID 1
and all forked processes by default. Previously, PID 1 would leave
the setting at "0" for all processes, as set by the kernel. Note that
the resource limit traditionally has no effect on the generated
coredumps on the system if the /proc/sys/kernel/core_pattern hook
logic is used. Since the limit is now honoured (see above) its
default has been changed so that the coredumping logic is enabled by
default for all processes, while allowing specific opt-out.
* When the stacktrace is extracted from processes of system users, this
is now done as "systemd-coredump" user, in order to sandbox this
potentially security sensitive parsing operation. (Note that when
processing coredumps of normal users this is done under the user ID
of process that crashed, as before.) Packagers should take notice
that it is now necessary to create the "systemd-coredump" system user
and group at package installation time.
* The systemd-activate socket activation testing tool gained support
for SOCK_DGRAM and SOCK_SEQPACKET sockets using the new --datagram
and --seqpacket switches. It also has been extended to support both
new-style and inetd-style file descriptor passing. Use the new
--inetd switch to request inetd-style file descriptor passing.
* Most systemd tools now honor a new $SYSTEMD_COLORS environment
variable, which takes a boolean value. If set to false, ANSI color
output is disabled in the tools even when run on a terminal that
supports it.
* The VXLAN support in networkd now supports two new settings
DestinationPort= and PortRange=.
* A new systemd.machine_id= kernel command line switch has been added,
that may be used to set the machine ID in /etc/machine-id if it is
not initialized yet. This command line option has no effect if the
file is already initialized.
* systemd-nspawn gained a new --as-pid2 switch that invokes any
specified command line as PID 2 rather than PID 1 in the
container. In this mode PID 1 is a minimal stub init process that
implements the special POSIX and Linux semantics of PID 1 regarding
signal and child process management. Note that this stub init process
is implemented in nspawn itself and requires no support from the
container image. This new logic is useful to support running
arbitrary commands in the container, as normal processes are
generally not prepared to run as PID 1.
* systemd-nspawn gained a new --chdir= switch for setting the current
working directory for the process started in the container.
* "journalctl /dev/sda" will now output all kernel log messages for
specified device from the current boot, in addition to all devices
that are parents of it. This should make log output about devices
pretty useful, as long as kernel drivers attach enough metadata to
the log messages. (The usual SATA drivers do.)
* The sd-journal API gained two new calls
sd_journal_has_runtime_files() and sd_journal_has_persistent_files()
that report whether log data from /run or /var has been found.
* journalctl gained a new switch "--fields" that prints all journal
record field names currently in use in the journal. This is backed
by two new sd-journal API calls sd_journal_enumerate_fields() and
sd_journal_restart_fields().
* Most configurable timeouts in systemd now expect an argument of
"infinity" to turn them off, instead of "0" as before. The semantics
from now on is that a timeout of "0" means "now", and "infinity"
means "never". To maintain backwards compatibility, "0" continues to
turn off previously existing timeout settings.
* "systemctl reload-or-try-restart" has been renamed to "systemctl
try-reload-or-restart" to clarify what it actually does: the "try"
logic applies to both reloading and restarting, not just restarting.
The old name continues to be accepted for compatibility.
* On boot-up, when PID 1 detects that the system clock is behind the
release date of the systemd version in use, the clock is now set
to the latter. Previously, this was already done in timesyncd, in order
to avoid running with clocks set to the various clock epochs such as
1902, 1938 or 1970. With this change the logic is now done in PID 1
in addition to timesyncd during early boot-up, so that it is enforced
before the first process is spawned by systemd. Note that the logic
in timesyncd remains, as it is more comprehensive and ensures
clock monotonicity by maintaining a persistent timestamp file in
/var. Since /var is generally not available in earliest boot or the
initrd, this part of the logic remains in timesyncd, and is not done
by PID 1.
* Support for tweaking details in net_cls.class_id through the
NetClass= configuration directive has been removed, as the kernel
people have decided to deprecate that controller in cgroup v2.
Userspace tools such as nftables are moving over to setting rules
that are specific to the full cgroup path of a task, which obsoletes
these controllers anyway. The NetClass= directive is kept around for
legacy compatibility reasons. For a more in-depth description of the
kernel change, please refer to the respective upstream commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d671
* A new service setting RuntimeMaxSec= has been added that may be used
to specify a maximum runtime for a service. If the timeout is hit, the
service is terminated and put into a failure state.
* A new service setting AmbientCapabilities= has been added. It allows
configuration of additional Linux process capabilities that are
passed to the activated processes. This is only available on very
recent kernels.
* The process resource limit settings in service units may now be used
to configure hard and soft limits individually.
* The various libsystemd APIs such as sd-bus or sd-event now publicly
expose support for gcc's __attribute__((cleanup())) C extension.
Specifically, for many object destructor functions alternative
versions have been added that have names suffixed with "p" and take a
pointer to a pointer to the object to destroy, instead of just a
pointer to the object itself. This is useful because these destructor
functions may be used directly as parameters to the cleanup
construct. Internally, systemd has been a heavy user of this GCC
extension for a long time, and with this change similar support is
now available to consumers of the library outside of systemd. Note
that by using this extension in your sources compatibility with old
and strictly ANSI compatible C compilers is lost. However, all gcc or
LLVM versions of recent years support this extension.
* Timer units gained support for a new setting RandomizedDelaySec= that
allows configuring some additional randomized delay to the configured
time. This is useful to spread out timer events to avoid load peaks in
clusters or larger setups.
* Calendar time specifications now support sub-second accuracy.
* Socket units now support listening on SCTP and UDP-lite protocol
sockets.
* The sd-event API now comes with a full set of man pages.
* Older versions of systemd contained experimental support for
compressing journal files and coredumps with the LZ4 compressor that
was not compatible with the lz4 binary (due to API limitations of the
lz4 library). This support has been removed; only support for files
compatible with the lz4 binary remains. This LZ4 logic is now
officially supported and no longer considered experimental.
* The dkr image import logic has been removed again from importd. dkr's
micro-services focus doesn't fit into the machine image focus of
importd, and quickly got out of date with the upstream dkr API.
* Creation of the /run/lock/lockdev/ directory was dropped from
tmpfiles.d/legacy.conf. Better locking mechanisms like flock() have
been available for many years. If you still need this, you need to
create your own tmpfiles.d config file with:
d /run/lock/lockdev 0775 root lock -
* The settings StartLimitBurst=, StartLimitInterval=, StartLimitAction=
and RebootArgument= have been moved from the [Service] section of
unit files to [Unit], and they are now supported on all unit types,
not just service units. Of course, systemd will continue to
understand these settings also at the old location, in order to
maintain compatibility.
Contributions from: Abdo Roig-Maranges, Alban Crequy, Aleksander
Adamowski, Alexander Kuleshov, Andreas Pokorny, Andrei Borzenkov,
Andrew Wilcox, Arthur Clement, Beniamino Galvani, Casey Schaufler,
Chris Atkinson, Chris Mayo, Christian Hesse, Damjan Georgievski, Dan
Dedrick, Daniele Medri, Daniel J Walsh, Daniel Korostil, Daniel Mack,
David Herrmann, Dimitri John Ledkov, Dominik Hannen, Douglas Christman,
Evgeny Vereshchagin, Filipe Brandenburger, Franck Bui, Gabor Kelemen,
Harald Hoyer, Hayden Walles, Helmut Grohne, Henrik Kaare Poulsen,
Hristo Venev, Hui Wang, Indrajit Raychaudhuri, Ismo Puustinen, Jakub
Wilk, Jan Alexander Steffens (heftig), Jan Engelhardt, Jan Synacek,
Joost Bremmer, Jorgen Schaefer, Karel Zak, Klearchos Chaloulos,
lc85446, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel
Holtmann, Martin Pitt, Michael Biebl, Michael Olbrich, Michael Scherer,
Michał Górny, Michal Sekletar, Nicolas Cornu, Nicolas Iooss, Nils
Carlson, nmartensen, nnz1024, Patrick Ohly, Peter Hutterer, Phillip Sz,
Ronny Chevalier, Samu Kallio, Shawn Landden, Stef Walter, Susant
Sahani, Sylvain Plantefève, Tadej Janež, Thomas Hindoe Paaboel
Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito
Caputo, WaLyong Cho, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Berlin, 2016-02-11
CHANGES WITH 228:
* A number of properties previously only settable in unit
files are now also available as properties to set when
creating transient units programmatically via the bus, as it
is exposed with systemd-run's --property=
setting. Specifically, these are: SyslogIdentifier=,
SyslogLevelPrefix=, TimerSlackNSec=, OOMScoreAdjust=,
EnvironmentFile=, ReadWriteDirectories=,
ReadOnlyDirectories=, InaccessibleDirectories=,
ProtectSystem=, ProtectHome=, RuntimeDirectory=.
* When creating transient services via the bus API it is now
possible to pass in a set of file descriptors to use as
STDIN/STDOUT/STDERR for the invoked process.
* Slice units may now be created transiently via the bus APIs,
similar to the way service and scope units may already be
created transiently.
* Wherever systemd expects a calendar timestamp specification
(like in journalctl's --since= and --until= switches) UTC
timestamps are now supported. Timestamps suffixed with "UTC"
are now considered to be in Universal Time Coordinated
instead of the local timezone. Also, timestamps may now
optionally be specified with sub-second accuracy. Both of
these additions also apply to recurring calendar event
specification, such as OnCalendar= in timer units.
* journalctl gained a new "--sync" switch that asks the
journal daemon to write all so far unwritten log messages to
disk and sync the files, before returning.
* systemd-tmpfiles learned two new line types "q" and "Q" that
operate like "v", but also set up a basic btrfs quota
hierarchy when used on a btrfs file system with quota
enabled.
* tmpfiles' "v", "q" and "Q" will now create a plain directory
instead of a subvolume (even on a btrfs file system) if the
root directory is a plain directory, and not a
subvolume. This should simplify things with certain chroot()
environments which are not aware of the concept of btrfs
subvolumes.
* systemd-detect-virt gained a new --chroot switch to detect
whether execution takes place in a chroot() environment.
* CPUAffinity= now takes CPU index ranges in addition to
individual indexes.
* The various memory-related resource limit settings (such as
LimitAS=) now understand the usual K, M, G, … suffixes to
the base of 1024 (IEC). Similar, the time-related resource
limit settings understand the usual min, h, day, … suffixes
now.
* There's a new system.conf setting DefaultTasksMax= to
control the default TasksMax= setting for services and
scopes running on the system. (TasksMax= is the primary
setting that exposes the "pids" cgroup controller on systemd
and was introduced in the previous systemd release.) The
setting now defaults to 512, which means services that are
not explicitly configured otherwise will only be able to
create 512 processes or threads at maximum, from this
version on. Note that this means that thread- or
process-heavy services might need to be reconfigured to set
TasksMax= to a higher value. It is sufficient to set
TasksMax= in these specific unit files to a higher value, or
even "infinity". Similar, there's now a logind.conf setting
UserTasksMax= that defaults to 4096 and limits the total
number of processes or tasks each user may own
concurrently. nspawn containers also have the TasksMax=
value set by default now, to 8192. Note that all of this
only has an effect if the "pids" cgroup controller is
enabled in the kernel. The general benefit of these changes
should be a more robust and safer system, that provides a
certain amount of per-service fork() bomb protection.
* systemd-nspawn gained the new --network-veth-extra= switch
to define additional and arbitrarily-named virtual Ethernet
links between the host and the container.
* A new service execution setting PassEnvironment= has been
added that allows importing select environment variables
from PID1's environment block into the environment block of
the service.
* Timer units gained support for a new RemainAfterElapse=
setting which takes a boolean argument. It defaults to on,
exposing behaviour unchanged to previous releases. If set to
off, timer units are unloaded after they elapsed if they
cannot elapse again. This is particularly useful for
transient timer units, which shall not stay around longer
than until they first elapse.
* systemd will now bump the net.unix.max_dgram_qlen to 512 by
default now (the kernel default is 16). This is beneficial
for avoiding blocking on AF_UNIX/SOCK_DGRAM sockets since it
allows substantially larger numbers of queued
datagrams. This should increase the capability of systemd to
parallelize boot-up, as logging and sd_notify() are unlikely
to stall execution anymore. If you need to change the value
from the new defaults, use the usual sysctl.d/ snippets.
* The compression framing format used by the journal or
coredump processing has changed to be in line with what the
official LZ4 tools generate. LZ4 compression support in
systemd was considered unsupported previously, as the format
was not compatible with the normal tools. With this release
this has changed now, and it is hence safe for downstream
distributions to turn it on. While not compressing as well
as the XZ, LZ4 is substantially faster, which makes
it a good default choice for the compression logic in the
journal and in coredump handling.
* Any reference to /etc/mtab has been dropped from
systemd. The file has been obsolete since a while, but
systemd refused to work on systems where it was incorrectly
set up (it should be a symlink or non-existent). Please make
sure to update to util-linux 2.27.1 or newer in conjunction
with this systemd release, which also drops any reference to
/etc/mtab. If you maintain a distribution make sure that no
software you package still references it, as this is a
likely source of bugs. There's also a glibc bug pending,
asking for removal of any reference to this obsolete file:
https://sourceware.org/bugzilla/show_bug.cgi?id=19108
Note that only util-linux versions built with
--enable-libmount-force-mountinfo are supported.
* Support for the ".snapshot" unit type has been removed. This
feature turned out to be little useful and little used, and
has now been removed from the core and from systemctl.
* The dependency types RequiresOverridable= and
RequisiteOverridable= have been removed from systemd. They
have been used only very sparingly to our knowledge and
other options that provide a similar effect (such as
systemctl --mode=ignore-dependencies) are much more useful
and commonly used. Moreover, they were only half-way
implemented as the option to control behaviour regarding
these dependencies was never added to systemctl. By removing
these dependency types the execution engine becomes a bit
simpler. Unit files that use these dependencies should be
changed to use the non-Overridable dependency types
instead. In fact, when parsing unit files with these
options, that's what systemd will automatically convert them
too, but it will also warn, asking users to fix the unit
files accordingly. Removal of these dependency types should
only affect a negligible number of unit files in the wild.
* Behaviour of networkd's IPForward= option changed
(again). It will no longer maintain a per-interface setting,
but propagate one way from interfaces where this is enabled
to the global kernel setting. The global setting will be
enabled when requested by a network that is set up, but
never be disabled again. This change was made to make sure
IPv4 and IPv6 behaviour regarding packet forwarding is
similar (as the Linux IPv6 stack does not support
per-interface control of this setting) and to minimize
surprises.
* In unit files the behaviour of %u, %U, %h, %s has
changed. These specifiers will now unconditionally resolve
to the various user database fields of the user that the
systemd instance is running as, instead of the user
configured in the specific unit via User=. Note that this
effectively doesn't change much, as resolving of these
specifiers was already turned off in the --system instance
of systemd, as we cannot do NSS lookups from PID 1. In the
--user instance of systemd these specifiers where correctly
resolved, but hardly made any sense, since the user instance
lacks privileges to do user switches anyway, and User= is
hence useless. Moreover, even in the --user instance of
systemd behaviour was awkward as it would only take settings
from User= assignment placed before the specifier into
account. In order to unify and simplify the logic around
this the specifiers will now always resolve to the
credentials of the user invoking the manager (which in case
of PID 1 is the root user).
Contributions from: Andrew Jones, Beniamino Galvani, Boyuan
Yang, Daniel Machon, Daniel Mack, David Herrmann, David
Reynolds, David Strauss, Dongsu Park, Evgeny Vereshchagin,
Felipe Sateler, Filipe Brandenburger, Franck Bui, Hristo
Venev, Iago López Galeiras, Jan Engelhardt, Jan Janssen, Jan
Synacek, Jesus Ornelas Aguayo, Karel Zak, kayrus, Kay Sievers,
Lennart Poettering, Liu Yuan Yuan, Mantas Mikulėnas, Marcel
Holtmann, Marcin Bachry, Marcos Alano, Marcos Mello, Mark
Theunissen, Martin Pitt, Michael Marineau, Michael Olbrich,
Michal Schmidt, Michal Sekletar, Mirco Tischler, Nick Owens,
Nicolas Cornu, Patrik Flykt, Peter Hutterer, reverendhomer,
Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Shawn Landden,
Susant Sahani, Thomas Haller, Thomas Hindoe Paaboel Andersen,
Tom Gundersen, Torstein Husebø, Vito Caputo, Zbigniew
Jędrzejewski-Szmek
— Berlin, 2015-11-18
CHANGES WITH 227:
* systemd now depends on util-linux v2.27. More specifically,
the newly added mount monitor feature in libmount now
replaces systemd's former own implementation.
* libmount mandates /etc/mtab not to be regular file, and
systemd now enforces this condition at early boot.
/etc/mtab has been deprecated and warned about for a very
long time, so systems running systemd should already have
stopped having this file around as anything else than a
symlink to /proc/self/mounts.
* Support for the "pids" cgroup controller has been added. It
allows accounting the number of tasks in a cgroup and
enforcing limits on it. This adds two new setting
TasksAccounting= and TasksMax= to each unit, as well as a
global option DefaultTasksAccounting=.
* Support for the "net_cls" cgroup controller has been added.
It allows assigning a net class ID to each task in the
cgroup, which can then be used in firewall rules and traffic
shaping configurations. Note that the kernel netfilter net
class code does not currently work reliably for ingress
packets on unestablished sockets.
This adds a new config directive called NetClass= to CGroup
enabled units. Allowed values are positive numbers for fixed
assignments and "auto" for picking a free value
automatically.
* 'systemctl is-system-running' now returns 'offline' if the
system is not booted with systemd. This command can now be
used as a substitute for 'systemd-notify --booted'.
* Watchdog timeouts have been increased to 3 minutes for all
in-tree service files. Apparently, disk IO issues are more
frequent than we hoped, and user reported >1 minute waiting
for disk IO.
* 'machine-id-commit' functionality has been merged into
'machine-id-setup --commit'. The separate binary has been
removed.
* The WorkingDirectory= directive in unit files may now be set
to the special value '~'. In this case, the working
directory is set to the home directory of the user
configured in User=.
* "machinectl shell" will now open the shell in the home
directory of the selected user by default.
* The CrashChVT= configuration file setting is renamed to
CrashChangeVT=, following our usual logic of not
abbreviating unnecessarily. The old directive is still
supported for compat reasons. Also, this directive now takes
an integer value between 1 and 63, or a boolean value. The
formerly supported '-1' value for disabling stays around for
compat reasons.
* The PrivateTmp=, PrivateDevices=, PrivateNetwork=,
NoNewPrivileges=, TTYPath=, WorkingDirectory= and
RootDirectory= properties can now be set for transient
units.
* The systemd-analyze tool gained a new "set-log-target" verb
to change the logging target the system manager logs to
dynamically during runtime. This is similar to how
"systemd-analyze set-log-level" already changes the log
level.
* In nspawn /sys is now mounted as tmpfs, with only a selected
set of subdirectories mounted in from the real sysfs. This
enhances security slightly, and is useful for ensuring user
namespaces work correctly.
* Support for USB FunctionFS activation has been added. This
allows implementation of USB gadget services that are
activated as soon as they are requested, so that they don't
have to run continuously, similar to classic socket
activation.
* The "systemctl exit" command now optionally takes an
additional parameter that sets the exit code to return from
the systemd manager when exiting. This is only relevant when
running the systemd user instance, or when running the
system instance in a container.
* sd-bus gained the new API calls sd_bus_path_encode_many()
and sd_bus_path_decode_many() that allow easy encoding and
decoding of multiple identifier strings inside a D-Bus
object path. Another new call sd_bus_default_flush_close()
has been added to flush and close per-thread default
connections.
* systemd-cgtop gained support for a -M/--machine= switch to
show the control groups within a certain container only.
* "systemctl kill" gained support for an optional --fail
switch. If specified the requested operation will fail of no
processes have been killed, because the unit had no
processes attached, or similar.
* A new systemd.crash_reboot=1 kernel command line option has
been added that triggers a reboot after crashing. This can
also be set through CrashReboot= in systemd.conf.
* The RuntimeDirectory= setting now understands unit
specifiers like %i or %f.
* A new (still internal) library API sd-ipv4acd has been added,
that implements address conflict detection for IPv4. It's
based on code from sd-ipv4ll, and will be useful for
detecting DHCP address conflicts.
* File descriptors passed during socket activation may now be
named. A new API sd_listen_fds_with_names() is added to
access the names. The default names may be overridden,
either in the .socket file using the FileDescriptorName=
parameter, or by passing FDNAME= when storing the file
descriptors using sd_notify().
* systemd-networkd gained support for:
- Setting the IPv6 Router Advertisement settings via
IPv6AcceptRouterAdvertisements= in .network files.
- Configuring the HelloTimeSec=, MaxAgeSec= and
ForwardDelaySec= bridge parameters in .netdev files.
- Configuring PreferredSource= for static routes in
.network files.
* The "ask-password" framework used to query for LUKS harddisk
passwords or SSL passwords during boot gained support for
caching passwords in the kernel keyring, if it is
available. This makes sure that the user only has to type in
a passphrase once if there are multiple objects to unlock
with the same one. Previously, such password caching was
available only when Plymouth was used; this moves the
caching logic into the systemd codebase itself. The
"systemd-ask-password" utility gained a new --keyname=
switch to control which kernel keyring key to use for
caching a password in. This functionality is also useful for
enabling display managers such as gdm to automatically
unlock the user's GNOME keyring if its passphrase, the
user's password and the harddisk password are the same, if
gdm-autologin is used.
* When downloading tar or raw images using "machinectl
pull-tar" or "machinectl pull-raw", a matching ".nspawn"
file is now also downloaded, if it is available and stored
next to the image file.
* Units of type ".socket" gained a new boolean setting
Writable= which is only useful in conjunction with
ListenSpecial=. If true, enables opening the specified
special file in O_RDWR mode rather than O_RDONLY mode.
* systemd-rfkill has been reworked to become a singleton
service that is activated through /dev/rfkill on each rfkill
state change and saves the settings to disk. This way,
systemd-rfkill is now compatible with devices that exist
only intermittendly, and even restores state if the previous
system shutdown was abrupt rather than clean.
* The journal daemon gained support for vacuuming old journal
files controlled by the number of files that shall remain,
in addition to the already existing control by size and by
date. This is useful as journal interleaving performance
degrades with too many separate journal files, and allows
putting an effective limit on them. The new setting defaults
to 100, but this may be changed by setting SystemMaxFiles=
and RuntimeMaxFiles= in journald.conf. Also, the
"journalctl" tool gained the new --vacuum-files= switch to
manually vacuum journal files to leave only the specified
number of files in place.
* udev will now create /dev/disk/by-path links for ATA devices
on kernels where that is supported.
* Galician, Serbian, Turkish and Korean translations were added.
Contributions from: Aaro Koskinen, Alban Crequy, Beniamino
Galvani, Benjamin Robin, Branislav Blaskovic, Chen-Han Hsiao
(Stanley), Daniel Buch, Daniel Machon, Daniel Mack, David
Herrmann, David Milburn, doubleodoug, Evgeny Vereshchagin,
Felipe Franciosi, Filipe Brandenburger, Fran Dieguez, Gabriel
de Perthuis, Georg Müller, Hans de Goede, Hendrik Brueckner,
Ivan Shapovalov, Jacob Keller, Jan Engelhardt, Jan Janssen,
Jan Synacek, Jens Kuske, Karel Zak, Kay Sievers, Krzesimir
Nowak, Krzysztof Kotlenga, Lars Uebernickel, Lennart
Poettering, Lukas Nykryn, Łukasz Stelmach, Maciej Wereski,
Marcel Holtmann, Marius Thesing, Martin Pitt, Michael Biebl,
Michael Gebetsroither, Michal Schmidt, Michal Sekletar, Mike
Gilbert, Muhammet Kara, nazgul77, Nicolas Cornu, NoXPhasma,
Olof Johansson, Patrik Flykt, Pawel Szewczyk, reverendhomer,
Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Susant Sahani,
Sylvain Plantefève, Thomas Haller, Thomas Hindoe Paaboel
Andersen, Tom Gundersen, Tom Lyon, Viktar Vauchkevich,
Zbigniew Jędrzejewski-Szmek, Марко М. Костић
— Berlin, 2015-10-07
CHANGES WITH 226:
* The DHCP implementation of systemd-networkd gained a set of
new features:
- The DHCP server now supports emitting DNS and NTP
information. It may be enabled and configured via
EmitDNS=, DNS=, EmitNTP=, and NTP=. If transmission of DNS
and NTP information is enabled, but no servers are
configured, the corresponding uplink information (if there
is any) is propagated.
- Server and client now support transmission and reception
of timezone information. It can be configured via the
newly introduced network options UseTimezone=,
EmitTimezone=, and Timezone=. Transmission of timezone
information is enabled between host and containers by
default now: the container will change its local timezone
to what the host has set.
- Lease timeouts can now be configured via
MaxLeaseTimeSec= and DefaultLeaseTimeSec=.
- The DHCP server improved on the stability of
leases. Clients are more likely to get the same lease
information back, even if the server loses state.
- The DHCP server supports two new configuration options to
control the lease address pool metrics, PoolOffset= and
PoolSize=.
* The encapsulation limit of tunnels in systemd-networkd may
now be configured via 'EncapsulationLimit='. It allows
modifying the maximum additional levels of encapsulation
that are permitted to be prepended to a packet.
* systemd now supports the concept of user buses replacing
session buses, if used with dbus-1.10 (and enabled via dbus
--enable-user-session). It previously only supported this on
kdbus-enabled systems, and this release expands this to
'dbus-daemon' systems.
* systemd-networkd now supports predictable interface names
for virtio devices.
* systemd now optionally supports the new Linux kernel
"unified" control group hierarchy. If enabled via the kernel
command-line option 'systemd.unified_cgroup_hierarchy=1',
systemd will try to mount the unified cgroup hierarchy
directly on /sys/fs/cgroup. If not enabled, or not
available, systemd will fall back to the legacy cgroup
hierarchy setup, as before. Host system and containers can
mix and match legacy and unified hierarchies as they
wish. nspawn understands the $UNIFIED_CGROUP_HIERARCHY
environment variable to individually select the hierarchy to
use for executed containers. By default, nspawn will use the
unified hierarchy for the containers if the host uses the
unified hierarchy, and the legacy hierarchy otherwise.
Please note that at this point the unified hierarchy is an
experimental kernel feature and is likely to change in one
of the next kernel releases. Therefore, it should not be
enabled by default in downstream distributions yet. The
minimum required kernel version for the unified hierarchy to
work is 4.2. Note that when the unified hierarchy is used
for the first time delegated access to controllers is
safe. Because of this systemd-nspawn containers will get
access to controllers now, as will systemd user
sessions. This means containers and user sessions may now
manage their own resources, partitioning up what the system
grants them.
* A new special scope unit "init.scope" has been introduced
that encapsulates PID 1 of the system. It may be used to
determine resource usage and enforce resource limits on PID
1 itself. PID 1 hence moved out of the root of the control
group tree.
* The cgtop tool gained support for filtering out kernel
threads when counting tasks in a control group. Also, the
count of processes is now recursively summed up by
default. Two options -k and --recursive= have been added to
revert to old behaviour. The tool has also been updated to
work correctly in containers now.
* systemd-nspawn's --bind= and --bind-ro= options have been
extended to allow creation of non-recursive bind mounts.
* libsystemd gained two new calls sd_pid_get_cgroup() and
sd_peer_get_cgroup() which return the control group path of
a process or peer of a connected AF_UNIX socket. This
function call is particularly useful when implementing
delegated subtrees support in the control group hierarchy.
* The "sd-event" event loop API of libsystemd now supports
correct dequeuing of real-time signals, without losing
signal events.
* When systemd requests a polkit decision when managing units it
will now add additional fields to the request, including unit
name and desired operation. This enables more powerful polkit
policies, that make decisions depending on these parameters.
* nspawn learnt support for .nspawn settings files, that may
accompany the image files or directories of containers, and
may contain additional settings for the container. This is
an alternative to configuring container parameters via the
nspawn command line.
Contributions from: Cristian Rodríguez, Daniel Mack, David
Herrmann, Eugene Yakubovich, Evgeny Vereshchagin, Filipe
Brandenburger, Hans de Goede, Jan Alexander Steffens, Jan
Synacek, Kay Sievers, Lennart Poettering, Mangix, Marcel
Holtmann, Martin Pitt, Michael Biebl, Michael Chapman, Michal
Sekletar, Peter Hutterer, Piotr Drąg, reverendhomer, Robin
Hack, Susant Sahani, Sylvain Pasche, Thomas Hindoe Paaboel
Andersen, Tom Gundersen, Torstein Husebø
— Berlin, 2015-09-08
CHANGES WITH 225:
* machinectl gained a new verb 'shell' which opens a fresh
shell on the target container or the host. It is similar to
the existing 'login' command of machinectl, but spawns the
shell directly without prompting for username or
password. The pseudo machine '.host' now refers to the local
host and is used by default. Hence, 'machinectl shell' can
be used as replacement for 'su -' which spawns a session as
a fresh systemd unit in a way that is fully isolated from
the originating session.
* systemd-networkd learned to cope with private-zone DHCP
options and allows other programs to query the values.
* SELinux access control when enabling/disabling units is no
longer enforced with this release. The previous implementation
was incorrect, and a new corrected implementation is not yet
available. As unit file operations are still protected via
polkit and D-Bus policy this is not a security problem. Yet,
distributions which care about optimal SELinux support should
probably not stabilize on this release.
* sd-bus gained support for matches of type "arg0has=", that
test for membership of strings in string arrays sent in bus
messages.
* systemd-resolved now dumps the contents of its DNS and LLMNR
caches to the logs on reception of the SIGUSR1 signal. This
is useful to debug DNS behaviour.
* The coredumpctl tool gained a new --directory= option to
operate on journal files in a specific directory.
* "systemctl reboot" and related commands gained a new
"--message=" option which may be used to set a free-text
wall message when shutting down or rebooting the
system. This message is also logged, which is useful for
figuring out the reason for a reboot or shutdown a
posteriori.
* The "systemd-resolve-host" tool's -i switch now takes
network interface numbers as alternative to interface names.
* A new unit file setting for services has been introduced:
UtmpMode= allows configuration of how precisely systemd
handles utmp and wtmp entries for the service if this is
enabled. This allows writing services that appear similar to
user sessions in the output of the "w", "who", "last" and
"lastlog" tools.
* systemd-resolved will now locally synthesize DNS resource
records for the "localhost" and "gateway" domains as well as
the local hostname. This should ensure that clients querying
RRs via resolved will get similar results as those going via
NSS, if nss-myhostname is enabled.
Contributions from: Alastair Hughes, Alex Crawford, Daniel
Mack, David Herrmann, Dimitri John Ledkov, Eric Kostrowski,
Evgeny Vereshchagin, Felipe Sateler, HATAYAMA Daisuke, Jan
Pokorný, Jan Synacek, Johnny Robeson, Karel Zak, Kay Sievers,
Kefeng Wang, Lennart Poettering, Major Hayden, Marcel
Holtmann, Markus Elfring, Martin Mikkelsen, Martin Pitt, Matt
Turner, Maxim Mikityanskiy, Michael Biebl, Namhyung Kim,
Nicolas Cornu, Owen W. Taylor, Patrik Flykt, Peter Hutterer,
reverendhomer, Richard Maw, Ronny Chevalier, Seth Jennings,
Stef Walter, Susant Sahani, Thomas Blume, Thomas Hindoe
Paaboel Andersen, Thomas Meyer, Tom Gundersen, Vincent Batts,
WaLyong Cho, Zbigniew Jędrzejewski-Szmek
— Berlin, 2015-08-27
CHANGES WITH 224:
* The systemd-efi-boot-generator functionality was merged into
systemd-gpt-auto-generator.
* systemd-networkd now supports Group Policy for vxlan
devices. It can be enabled via the new boolean configuration
option called 'GroupPolicyExtension='.
Contributions from: Andreas Kempf, Christian Hesse, Daniel Mack, David
Herrmann, Herman Fries, Johannes Nixdorf, Kay Sievers, Lennart
Poettering, Peter Hutterer, Susant Sahani, Tom Gundersen
— Berlin, 2015-07-31
CHANGES WITH 223:
* The python-systemd code has been removed from the systemd repository.
A new repository has been created which accommodates the code from
now on, and we kindly ask distributions to create a separate package
for this: https://github.com/systemd/python-systemd
* The systemd daemon will now reload its main configuration
(/etc/systemd/system.conf) on daemon-reload.
* sd-dhcp now exposes vendor specific extensions via
sd_dhcp_lease_get_vendor_specific().
* systemd-networkd gained a number of new configuration options.
- A new boolean configuration option for TAP devices called
'VNetHeader='. If set, the IFF_VNET_HDR flag is set for the
device, thus allowing to send and receive GSO packets.
- A new tunnel configuration option called 'CopyDSCP='.
If enabled, the DSCP field of ip6 tunnels is copied into the
decapsulated packet.
- A set of boolean bridge configuration options were added.
'UseBPDU=', 'HairPin=', 'FastLeave=', 'AllowPortToBeRoot=',
and 'UnicastFlood=' are now parsed by networkd and applied to the
respective bridge link device via the respective IFLA_BRPORT_*
netlink attribute.
- A new string configuration option to override the hostname sent
to a DHCP server, called 'Hostname='. If set and 'SendHostname='
is true, networkd will use the configured hostname instead of the
system hostname when sending DHCP requests.
- A new tunnel configuration option called 'IPv6FlowLabel='. If set,
networkd will configure the IPv6 flow-label of the tunnel device
according to RFC2460.
- The 'macvtap' virtual network devices are now supported, similar to
the already supported 'macvlan' devices.
* systemd-resolved now implements RFC5452 to improve resilience against
cache poisoning. Additionally, source port randomization is enabled
by default to further protect against DNS spoofing attacks.
* nss-mymachines now supports translating UIDs and GIDs of running
containers with user-namespaces enabled. If a container 'foo'
translates a host uid 'UID' to the container uid 'TUID', then
nss-mymachines will also map uid 'UID' to/from username 'vu-foo-TUID'
(with 'foo' and 'TUID' replaced accordingly). Similarly, groups are
mapped as 'vg-foo-TGID'.
Contributions from: Beniamino Galvani, cee1, Christian Hesse, Daniel
Buch, Daniel Mack, daurnimator, David Herrmann, Dimitri John Ledkov,
HATAYAMA Daisuke, Ivan Shapovalov, Jan Alexander Steffens (heftig),
Johan Ouwerkerk, Jose Carlos Venegas Munoz, Karel Zak, Kay Sievers,
Lennart Poettering, Lidong Zhong, Martin Pitt, Michael Biebl, Michael
Olbrich, Michal Schmidt, Michal Sekletar, Mike Gilbert, Namhyung Kim,
Nick Owens, Peter Hutterer, Richard Maw, Steven Allen, Sungbae Yoo,
Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel Andersen, Tom
Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito Caputo,
Vivenzio Pagliari, Zbigniew Jędrzejewski-Szmek
— Berlin, 2015-07-29
CHANGES WITH 222:
* udev does not longer support the WAIT_FOR_SYSFS= key in udev rules.
There are no known issues with current sysfs, and udev does not need
or should be used to work around such bugs.
* udev does no longer enable USB HID power management. Several reports
indicate, that some devices cannot handle that setting.
* The udev accelerometer helper was removed. The functionality
is now fully included in iio-sensor-proxy. But this means,
older iio-sensor-proxy versions will no longer provide
accelerometer/orientation data with this systemd version.
Please upgrade iio-sensor-proxy to version 1.0.
* networkd gained a new configuration option IPv6PrivacyExtensions=
which enables IPv6 privacy extensions (RFC 4941, "Privacy Extensions
for Stateless Address") on selected networks.
* For the sake of fewer build-time dependencies and less code in the
main repository, the python bindings are about to be removed in the
next release. A new repository has been created which accommodates
the code from now on, and we kindly ask distributions to create a
separate package for this. The removal will take place in v223.
https://github.com/systemd/python-systemd
Contributions from: Abdo Roig-Maranges, Andrew Eikum, Bastien Nocera,
Cédric Delmas, Christian Hesse, Christos Trochalakis, Daniel Mack,
daurnimator, David Herrmann, Dimitri John Ledkov, Eric Biggers, Eric
Cook, Felipe Sateler, Geert Jansen, Gerd Hoffmann, Gianpaolo Macario,
Greg Kroah-Hartman, Iago López Galeiras, Jan Alexander Steffens
(heftig), Jan Engelhardt, Jay Strict, Kay Sievers, Lennart Poettering,
Markus Knetschke, Martin Pitt, Michael Biebl, Michael Marineau, Michal
Sekletar, Miguel Bernal Marin, Peter Hutterer, Richard Maw, rinrinne,
Susant Sahani, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
Husebø, Vedran Miletić, WaLyong Cho, Zbigniew Jędrzejewski-Szmek
— Berlin, 2015-07-07
CHANGES WITH 221:
* The sd-bus.h and sd-event.h APIs have now been declared
stable and have been added to the official interface of
libsystemd.so. sd-bus implements an alternative D-Bus client
library, that is relatively easy to use, very efficient and
supports both classic D-Bus as well as kdbus as transport
backend. sd-event is a generic event loop abstraction that
is built around Linux epoll, but adds features such as event
prioritization or efficient timer handling. Both APIs are good
choices for C programs looking for a bus and/or event loop
implementation that is minimal and does not have to be
portable to other kernels.
* kdbus support is no longer compile-time optional. It is now
always built-in. However, it can still be disabled at
runtime using the kdbus=0 kernel command line setting, and
that setting may be changed to default to off, by specifying
--disable-kdbus at build-time. Note though that the kernel
command line setting has no effect if the kdbus.ko kernel
module is not installed, in which case kdbus is (obviously)
also disabled. We encourage all downstream distributions to
begin testing kdbus by adding it to the kernel images in the
development distributions, and leaving kdbus support in
systemd enabled.
* The minimal required util-linux version has been bumped to
2.26.
* Support for chkconfig (--enable-chkconfig) was removed in
favor of calling an abstraction tool
/lib/systemd/systemd-sysv-install. This needs to be
implemented for your distribution. See "SYSV INIT.D SCRIPTS"
in README for details.
* If there's a systemd unit and a SysV init script for the
same service name, and the user executes "systemctl enable"
for it (or a related call), then this will now enable both
(or execute the related operation on both), not just the
unit.
* The libudev API documentation has been converted from gtkdoc
into man pages.
* gudev has been removed from the systemd tree, it is now an
external project.
* The systemd-cgtop tool learnt a new --raw switch to generate
"raw" (machine parsable) output.
* networkd's IPForwarding= .network file setting learnt the
new setting "kernel", which ensures that networkd does not
change the IP forwarding sysctl from the default kernel
state.
* The systemd-logind bus API now exposes a new boolean
property "Docked" that reports whether logind considers the
system "docked", i.e. connected to a docking station or not.
Contributions from: Alex Crawford, Andreas Pokorny, Andrei
Borzenkov, Charles Duffy, Colin Guthrie, Cristian Rodríguez,
Daniele Medri, Daniel Hahler, Daniel Mack, David Herrmann,
David Mohr, Dimitri John Ledkov, Djalal Harouni, dslul, Ed
Swierk, Eric Cook, Filipe Brandenburger, Gianpaolo Macario,
Harald Hoyer, Iago López Galeiras, Igor Vuk, Jan Synacek,
Jason Pleau, Jason S. McMullan, Jean Delvare, Jeff Huang,
Jonathan Boulle, Karel Zak, Kay Sievers, kloun, Lennart
Poettering, Marc-Antoine Perennou, Marcel Holtmann, Mario
Limonciello, Martin Pitt, Michael Biebl, Michael Olbrich,
Michal Schmidt, Mike Gilbert, Nick Owens, Pablo Lezaeta Reyes,
Patrick Donnelly, Pavel Odvody, Peter Hutterer, Philip
Withnall, Ronny Chevalier, Simon McVittie, Susant Sahani,
Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
Husebø, Umut Tezduyar Lindskog, Viktar Vauchkevich, Werner
Fink, Zbigniew Jędrzejewski-Szmek
— Berlin, 2015-06-19
CHANGES WITH 220:
* The gudev library has been extracted into a separate repository
available at: https://git.gnome.org/browse/libgudev/
It is now managed as part of the Gnome project. Distributions
are recommended to pass --disable-gudev to systemd and use
gudev from the Gnome project instead. gudev is still included
in systemd, for now. It will be removed soon, though. Please
also see the announcement-thread on systemd-devel:
https://lists.freedesktop.org/archives/systemd-devel/2015-May/032070.html
* systemd now exposes a CPUUsageNSec= property for each
service unit on the bus, that contains the overall consumed
CPU time of a service (the sum of what each process of the
service consumed). This value is only available if
CPUAccounting= is turned on for a service, and is then shown
in the "systemctl status" output.
* Support for configuring alternative mappings of the old SysV
runlevels to systemd targets has been removed. They are now
hardcoded in a way that runlevels 2, 3, 4 all map to
multi-user.target and 5 to graphical.target (which
previously was already the default behaviour).
* The auto-mounter logic gained support for mount point
expiry, using a new TimeoutIdleSec= setting in .automount
units. (Also available as x-systemd.idle-timeout= in /etc/fstab).
* The EFI System Partition (ESP) as mounted to /boot by
systemd-efi-boot-generator will now be unmounted
automatically after 2 minutes of not being used. This should
minimize the risk of ESP corruptions.
* New /etc/fstab options x-systemd.requires= and
x-systemd.requires-mounts-for= are now supported to express
additional dependencies for mounts. This is useful for
journaling file systems that support external journal
devices or overlay file systems that require underlying file
systems to be mounted.
* systemd does not support direct live-upgrades (via systemctl
daemon-reexec) from versions older than v44 anymore. As no
distribution we are aware of shipped such old versions in a
stable release this should not be problematic.
* When systemd forks off a new per-connection service instance
it will now set the $REMOTE_ADDR environment variable to the
remote IP address, and $REMOTE_PORT environment variable to
the remote IP port. This behaviour is similar to the
corresponding environment variables defined by CGI.
* systemd-networkd gained support for uplink failure
detection. The BindCarrier= option allows binding interface
configuration dynamically to the link sense of other
interfaces. This is useful to achieve behaviour like in
network switches.
* systemd-networkd gained support for configuring the DHCP
client identifier to use when requesting leases.
* systemd-networkd now has a per-network UseNTP= option to
configure whether NTP server information acquired via DHCP
is passed on to services like systemd-timesyncd.
* systemd-networkd gained support for vti6 tunnels.
* Note that systemd-networkd manages the sysctl variable
/proc/sys/net/ipv[46]/conf/*/forwarding for each interface
it is configured for since v219. The variable controls IP
forwarding, and is a per-interface alternative to the global
/proc/sys/net/ipv[46]/ip_forward. This setting is
configurable in the IPForward= option, which defaults to
"no". This means if networkd is used for an interface it is
no longer sufficient to set the global sysctl option to turn
on IP forwarding! Instead, the .network file option
IPForward= needs to be turned on! Note that the
implementation of this behaviour was broken in v219 and has
been fixed in v220.
* Many bonding and vxlan options are now configurable in
systemd-networkd.
* systemd-nspawn gained a new --property= setting to set unit
properties for the container scope. This is useful for
setting resource parameters (e.g. "CPUShares=500") on
containers started from the command line.
* systemd-nspawn gained a new --private-users= switch to make
use of user namespacing available on recent Linux kernels.
* systemd-nspawn may now be called as part of a shell pipeline
in which case the pipes used for stdin and stdout are passed
directly to the process invoked in the container, without
indirection via a pseudo tty.
* systemd-nspawn gained a new switch to control the UNIX
signal to use when killing the init process of the container
when shutting down.
* systemd-nspawn gained a new --overlay= switch for mounting
overlay file systems into the container using the new kernel
overlayfs support.
* When a container image is imported via systemd-importd and
the host file system is not btrfs, a loopback block device
file is created in /var/lib/machines.raw with a btrfs file
system inside. It is then mounted to /var/lib/machines to
enable btrfs features for container management. The loopback
file and btrfs file system is grown as needed when container
images are imported via systemd-importd.
* systemd-machined/systemd-importd gained support for btrfs
quota, to enforce container disk space limits on disk. This
is exposed in "machinectl set-limit".
* systemd-importd now can import containers from local .tar,
.raw and .qcow2 images, and export them to .tar and .raw. It
can also import dkr v2 images now from the network (on top
of v1 as before).
* systemd-importd gained support for verifying downloaded
images with gpg2 (previously only gpg1 was supported).
* systemd-machined, systemd-logind, systemd: most bus calls are
now accessible to unprivileged processes via polkit. Also,
systemd-logind will now allow users to kill their own sessions
without further privileges or authorization.
* systemd-shutdownd has been removed. This service was
previously responsible for implementing scheduled shutdowns
as exposed in /usr/bin/shutdown's time parameter. This
functionality has now been moved into systemd-logind and is
accessible via a bus interface.
* "systemctl reboot" gained a new switch --firmware-setup that
can be used to reboot into the EFI firmware setup, if that
is available. systemd-logind now exposes an API on the bus
to trigger such reboots, in case graphical desktop UIs want
to cover this functionality.
* "systemctl enable", "systemctl disable" and "systemctl mask"
now support a new "--now" switch. If specified the units
that are enabled will also be started, and the ones
disabled/masked also stopped.
* The Gummiboot EFI boot loader tool has been merged into
systemd, and renamed to "systemd-boot". The bootctl tool has been
updated to support systemd-boot.
* An EFI kernel stub has been added that may be used to create
kernel EFI binaries that contain not only the actual kernel,
but also an initrd, boot splash, command line and OS release
information. This combined binary can then be signed as a
single image, so that the firmware can verify it all in one
step. systemd-boot has special support for EFI binaries created
like this and can extract OS release information from them
and show them in the boot menu. This functionality is useful
to implement cryptographically verified boot schemes.
* Optional support has been added to systemd-fsck to pass
fsck's progress report to an AF_UNIX socket in the file
system.
* udev will no longer create device symlinks for all block devices by
default. A deny list for excluding special block devices from this
logic has been turned into an allow list that requires picking block
devices explicitly that require device symlinks.
* A new (currently still internal) API sd-device.h has been
added to libsystemd. This modernized API is supposed to
replace libudev eventually. In fact, already much of libudev
is now just a wrapper around sd-device.h.
* A new hwdb database for storing metadata about pointing
stick devices has been added.
* systemd-tmpfiles gained support for setting file attributes
similar to the "chattr" tool with new 'h' and 'H' lines.
* systemd-journald will no longer unconditionally set the
btrfs NOCOW flag on new journal files. This is instead done
with tmpfiles snippet using the new 'h' line type. This
allows easy disabling of this logic, by masking the
journal-nocow.conf tmpfiles file.
* systemd-journald will now translate audit message types to
human readable identifiers when writing them to the
journal. This should improve readability of audit messages.
* The LUKS logic gained support for the offset= and skip=
options in /etc/crypttab, as previously implemented by
Debian.
* /usr/lib/os-release gained a new optional field VARIANT= for
distributions that support multiple variants (such as a
desktop edition, a server edition, …)
Contributions from: Aaro Koskinen, Adam Goode, Alban Crequy,
Alberto Fanjul Alonso, Alexander Sverdlin, Alex Puchades, Alin
Rauta, Alison Chaiken, Andrew Jones, Arend van Spriel,
Benedikt Morbach, Benjamin Franzke, Benjamin Tissoires, Blaž
Tomažič, Chris Morgan, Chris Morin, Colin Walters, Cristian
Rodríguez, Daniel Buch, Daniel Drake, Daniele Medri, Daniel
Mack, Daniel Mustieles, daurnimator, Davide Bettio, David
Herrmann, David Strauss, Didier Roche, Dimitri John Ledkov,
Eric Cook, Gavin Li, Goffredo Baroncelli, Hannes Reinecke,
Hans de Goede, Hans-Peter Deifel, Harald Hoyer, Iago López
Galeiras, Ivan Shapovalov, Jan Engelhardt, Jan Janssen, Jan
Pazdziora, Jan Synacek, Jasper St. Pierre, Jay Faulkner, John
Paul Adrian Glaubitz, Jonathon Gilbert, Karel Zak, Kay
Sievers, Koen Kooi, Lennart Poettering, Lubomir Rintel, Lucas
De Marchi, Lukas Nykryn, Lukas Rusak, Lukasz Skalski, Łukasz
Stelmach, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel
Holtmann, Martin Pitt, Mathieu Chevrier, Matthew Garrett,
Michael Biebl, Michael Marineau, Michael Olbrich, Michal
Schmidt, Michal Sekletar, Mirco Tischler, Nir Soffer, Patrik
Flykt, Pavel Odvody, Peter Hutterer, Peter Lemenkov, Peter
Waller, Piotr Drąg, Raul Gutierrez S, Richard Maw, Ronny
Chevalier, Ross Burton, Sebastian Rasmussen, Sergey Ptashnick,
Seth Jennings, Shawn Landden, Simon Farnsworth, Stefan Junker,
Stephen Gallagher, Susant Sahani, Sylvain Plantefève, Thomas
Haller, Thomas Hindoe Paaboel Andersen, Tobias Hunger, Tom
Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Will
Woods, Zachary Cook, Zbigniew Jędrzejewski-Szmek
— Berlin, 2015-05-22
CHANGES WITH 219:
* Introduce a new API "sd-hwdb.h" for querying the hardware
metadata database. With this minimal interface one can query
and enumerate the udev hwdb, decoupled from the old libudev
library. libudev's interface for this is now only a wrapper
around sd-hwdb. A new tool systemd-hwdb has been added to
interface with and update the database.
* When any of systemd's tools copies files (for example due to
tmpfiles' C lines) a btrfs reflink will attempted first,
before bytewise copying is done.
* systemd-nspawn gained a new --ephemeral switch. When
specified a btrfs snapshot is taken of the container's root
directory, and immediately removed when the container
terminates again. Thus, a container can be started whose
changes never alter the container's root directory, and are
lost on container termination. This switch can also be used
for starting a container off the root file system of the
host without affecting the host OS. This switch is only
available on btrfs file systems.
* systemd-nspawn gained a new --template= switch. It takes the
path to a container tree to use as template for the tree
specified via --directory=, should that directory be
missing. This allows instantiating containers dynamically,
on first run. This switch is only available on btrfs file
systems.
* When a .mount unit refers to a mount point on which multiple
mounts are stacked, and the .mount unit is stopped all of
the stacked mount points will now be unmounted until no
mount point remains.
* systemd now has an explicit notion of supported and
unsupported unit types. Jobs enqueued for unsupported unit
types will now fail with an "unsupported" error code. More
specifically .swap, .automount and .device units are not
supported in containers, .busname units are not supported on
non-kdbus systems. .swap and .automount are also not
supported if their respective kernel compile time options
are disabled.
* machinectl gained support for two new "copy-from" and
"copy-to" commands for copying files from a running
container to the host or vice versa.
* machinectl gained support for a new "bind" command to bind
mount host directories into local containers. This is
currently only supported for nspawn containers.
* networkd gained support for configuring bridge forwarding
database entries (fdb) from .network files.
* A new tiny daemon "systemd-importd" has been added that can
download container images in tar, raw, qcow2 or dkr formats,
and make them available locally in /var/lib/machines, so
that they can run as nspawn containers. The daemon can GPG
verify the downloads (not supported for dkr, since it has no
provisions for verifying downloads). It will transparently
decompress bz2, xz, gzip compressed downloads if necessary,
and restore sparse files on disk. The daemon uses privilege
separation to ensure the actual download logic runs with
fewer privileges than the daemon itself. machinectl has
gained new commands "pull-tar", "pull-raw" and "pull-dkr" to
make the functionality of importd available to the
user. With this in place the Fedora and Ubuntu "Cloud"
images can be downloaded and booted as containers unmodified
(the Fedora images lack the appropriate GPG signature files
currently, so they cannot be verified, but this will change
soon, hopefully). Note that downloading images is currently
only fully supported on btrfs.
* machinectl is now able to list container images found in
/var/lib/machines, along with some metadata about sizes of
disk and similar. If the directory is located on btrfs and
quota is enabled, this includes quota display. A new command
"image-status" has been added that shows additional
information about images.
* machinectl is now able to clone container images
efficiently, if the underlying file system (btrfs) supports
it, with the new "machinectl clone" command. It also
gained commands for renaming and removing images, as well as
marking them read-only or read-write (supported also on
legacy file systems).
* networkd gained support for collecting LLDP network
announcements, from hardware that supports this. This is
shown in networkctl output.
* systemd-run gained support for a new -t (--pty) switch for
invoking a binary on a pty whose input and output is
connected to the invoking terminal. This allows executing
processes as system services while interactively
communicating with them via the terminal. Most interestingly
this is supported across container boundaries. Invoking
"systemd-run -t /bin/bash" is an alternative to running a
full login session, the difference being that the former
will not register a session, nor go through the PAM session
setup.
* tmpfiles gained support for a new "v" line type for creating
btrfs subvolumes. If the underlying file system is a legacy
file system, this automatically degrades to creating a
normal directory. Among others /var/lib/machines is now
created like this at boot, should it be missing.
* The directory /var/lib/containers/ has been deprecated and
been replaced by /var/lib/machines. The term "machines" has
been used in the systemd context as generic term for both
VMs and containers, and hence appears more appropriate for
this, as the directory can also contain raw images bootable
via qemu/kvm.
* systemd-nspawn when invoked with -M but without --directory=
or --image= is now capable of searching for the container
root directory, subvolume or disk image automatically, in
/var/lib/machines. systemd-nspawn@.service has been updated
to make use of this, thus allowing it to be used for raw
disk images, too.
* A new machines.target unit has been introduced that is
supposed to group all containers/VMs invoked as services on
the system. systemd-nspawn@.service has been updated to
integrate with that.
* machinectl gained a new "start" command, for invoking a
container as a service. "machinectl start foo" is mostly
equivalent to "systemctl start systemd-nspawn@foo.service",
but handles escaping in a nicer way.
* systemd-nspawn will now mount most of the cgroupfs tree
read-only into each container, with the exception of the
container's own subtree in the name=systemd hierarchy.
* journald now sets the special FS_NOCOW file flag for its
journal files. This should improve performance on btrfs, by
avoiding heavy fragmentation when journald's write-pattern
is used on COW file systems. It degrades btrfs' data
integrity guarantees for the files to the same levels as for
ext3/ext4 however. This should be OK though as journald does
its own data integrity checks and all its objects are
checksummed on disk. Also, journald should handle btrfs disk
full events a lot more gracefully now, by processing SIGBUS
errors, and not relying on fallocate() anymore.
* When journald detects that journal files it is writing to
have been deleted it will immediately start new journal
files.
* systemd now provides a way to store file descriptors
per-service in PID 1. This is useful for daemons to ensure
that fds they require are not lost during a daemon
restart. The fds are passed to the daemon on the next
invocation in the same way socket activation fds are
passed. This is now used by journald to ensure that the
various sockets connected to all the system's stdout/stderr
are not lost when journald is restarted. File descriptors
may be stored in PID 1 via the sd_pid_notify_with_fds() API,
an extension to sd_notify(). Note that a limit is enforced
on the number of fds a service can store in PID 1, and it
defaults to 0, so that no fds may be stored, unless this is
explicitly turned on.
* The default TERM variable to use for units connected to a
terminal, when no other value is explicitly is set is now
vt220 rather than vt102. This should be fairly safe still,
but allows PgUp/PgDn work.
* The /etc/crypttab option header= as known from Debian is now
supported.
* "loginctl user-status" and "loginctl session-status" will
now show the last 10 lines of log messages of the
user/session following the status output. Similar,
"machinectl status" will show the last 10 log lines
associated with a virtual machine or container
service. (Note that this is usually not the log messages
done in the VM/container itself, but simply what the
container manager logs. For nspawn this includes all console
output however.)
* "loginctl session-status" without further argument will now
show the status of the session of the caller. Similar,
"lock-session", "unlock-session", "activate",
"enable-linger", "disable-linger" may now be called without
session/user parameter in which case they apply to the
caller's session/user.
* An X11 session scriptlet is now shipped that uploads
$DISPLAY and $XAUTHORITY into the environment of the systemd
--user daemon if a session begins. This should improve
compatibility with X11 enabled applications run as systemd
user services.
* Generators are now subject to masking via /etc and /run, the
same way as unit files.
* networkd .network files gained support for configuring
per-link IPv4/IPv6 packet forwarding as well as IPv4
masquerading. This is by default turned on for veth links to
containers, as registered by systemd-nspawn. This means that
nspawn containers run with --network-veth will now get
automatic routed access to the host's networks without any
further configuration or setup, as long as networkd runs on
the host.
* systemd-nspawn gained the --port= (-p) switch to expose TCP
or UDP posts of a container on the host. With this in place
it is possible to run containers with private veth links
(--network-veth), and have their functionality exposed on
the host as if their services were running directly on the
host.
* systemd-nspawn's --network-veth switch now gained a short
version "-n", since with the changes above it is now truly
useful out-of-the-box. The systemd-nspawn@.service has been
updated to make use of it too by default.
* systemd-nspawn will now maintain a per-image R/W lock, to
ensure that the same image is not started more than once
writable. (It's OK to run an image multiple times
simultaneously in read-only mode.)
* systemd-nspawn's --image= option is now capable of
dissecting and booting MBR and GPT disk images that contain
only a single active Linux partition. Previously it
supported only GPT disk images with proper GPT type
IDs. This allows running cloud images from major
distributions directly with systemd-nspawn, without
modification.
* In addition to collecting mouse dpi data in the udev
hardware database, there's now support for collecting angle
information for mouse scroll wheels. The database is
supposed to guarantee similar scrolling behavior on mice
that it knows about. There's also support for collecting
information about Touchpad types.
* udev's input_id built-in will now also collect touch screen
dimension data and attach it to probed devices.
* /etc/os-release gained support for a Distribution Privacy
Policy link field.
* networkd gained support for creating "ipvlan", "gretap",
"ip6gre", "ip6gretap" and "ip6tnl" network devices.
* systemd-tmpfiles gained support for "a" lines for setting
ACLs on files.
* systemd-nspawn will now mount /tmp in the container to
tmpfs, automatically.
* systemd now exposes the memory.usage_in_bytes cgroup
attribute and shows it for each service in the "systemctl
status" output, if available.
* When the user presses Ctrl-Alt-Del more than 7x within 2s an
immediate reboot is triggered. This useful if shutdown is
hung and is unable to complete, to expedite the
operation. Note that this kind of reboot will still unmount
all file systems, and hence should not result in fsck being
run on next reboot.
* A .device unit for an optical block device will now be
considered active only when a medium is in the drive. Also,
mount units are now bound to their backing devices thus
triggering automatic unmounting when devices become
unavailable. With this in place systemd will now
automatically unmount left-over mounts when a CD-ROM is
ejected or a USB stick is yanked from the system.
* networkd-wait-online now has support for waiting for
specific interfaces only (with globbing), and for giving up
after a configurable timeout.
* networkd now exits when idle. It will be automatically
restarted as soon as interfaces show up, are removed or
change state. networkd will stay around as long as there is
at least one DHCP state machine or similar around, that keep
it non-idle.
* networkd may now configure IPv6 link-local addressing in
addition to IPv4 link-local addressing.
* The IPv6 "token" for use in SLAAC may now be configured for
each .network interface in networkd.
* Routes configured with networkd may now be assigned a scope
in .network files.
* networkd's [Match] sections now support globbing and lists
of multiple space-separated matches per item.
Contributions from: Alban Crequy, Alin Rauta, Andrey Chaser,
Bastien Nocera, Bruno Bottazzini, Carlos Garnacho, Carlos
Morata Castillo, Chris Atkinson, Chris J. Arges, Christian
Kirbach, Christian Seiler, Christoph Brill, Colin Guthrie,
Colin Walters, Cristian Rodríguez, Daniele Medri, Daniel Mack,
Dave Reisner, David Herrmann, Djalal Harouni, Erik Auerswald,
Filipe Brandenburger, Frank Theile, Gabor Kelemen, Gabriel de
Perthuis, Harald Hoyer, Hui Wang, Ivan Shapovalov, Jan
Engelhardt, Jan Synacek, Jay Faulkner, Johannes Hölzl, Jonas
Ådahl, Jonathan Boulle, Josef Andersson, Kay Sievers, Ken
Werner, Lennart Poettering, Lucas De Marchi, Lukas Märdian,
Lukas Nykryn, Lukasz Skalski, Luke Shumaker, Mantas Mikulėnas,
Manuel Mendez, Marcel Holtmann, Marc Schmitzer, Marko
Myllynen, Martin Pitt, Maxim Mikityanskiy, Michael Biebl,
Michael Marineau, Michael Olbrich, Michal Schmidt, Mindaugas
Baranauskas, Moez Bouhlel, Naveen Kumar, Patrik Flykt, Paul
Martin, Peter Hutterer, Peter Mattern, Philippe De Swert,
Piotr Drąg, Rafael Ferreira, Rami Rosen, Robert Milasan, Ronny
Chevalier, Sangjung Woo, Sebastien Bacher, Sergey Ptashnick,
Shawn Landden, Stéphane Graber, Susant Sahani, Sylvain
Plantefève, Thomas Hindoe Paaboel Andersen, Tim JP, Tom
Gundersen, Topi Miettinen, Torstein Husebø, Umut Tezduyar
Lindskog, Veres Lajos, Vincent Batts, WaLyong Cho, Wieland
Hoffmann, Zbigniew Jędrzejewski-Szmek
— Berlin, 2015-02-16
CHANGES WITH 218:
* When querying unit file enablement status (for example via
"systemctl is-enabled"), a new state "indirect" is now known
which indicates that a unit might not be enabled itself, but
another unit listed in its Also= setting might be.
* Similar to the various existing ConditionXYZ= settings for
units, there are now matching AssertXYZ= settings. While
failing conditions cause a unit to be skipped, but its job
to succeed, failing assertions declared like this will cause
a unit start operation and its job to fail.
* hostnamed now knows a new chassis type "embedded".
* systemctl gained a new "edit" command. When used on a unit
file, this allows extending unit files with .d/ drop-in
configuration snippets or editing the full file (after
copying it from /usr/lib to /etc). This will invoke the
user's editor (as configured with $EDITOR), and reload the
modified configuration after editing.
* "systemctl status" now shows the suggested enablement state
for a unit, as declared in the (usually vendor-supplied)
system preset files.
* nss-myhostname will now resolve the single-label hostname
"gateway" to the locally configured default IP routing
gateways, ordered by their metrics. This assigns a stable
name to the used gateways, regardless which ones are
currently configured. Note that the name will only be
resolved after all other name sources (if nss-myhostname is
configured properly) and should hence not negatively impact
systems that use the single-label hostname "gateway" in
other contexts.
* systemd-inhibit now allows filtering by mode when listing
inhibitors.
* Scope and service units gained a new "Delegate" boolean
property, which, when set, allows processes running inside the
unit to further partition resources. This is primarily
useful for systemd user instances as well as container
managers.
* journald will now pick up audit messages directly from
the kernel, and log them like any other log message. The
audit fields are split up and fully indexed. This means that
journalctl in many ways is now a (nicer!) alternative to
ausearch, the traditional audit client. Note that this
implements only a minimal audit client. If you want the
special audit modes like reboot-on-log-overflow, please use
the traditional auditd instead, which can be used in
parallel to journald.
* The ConditionSecurity= unit file option now understands the
special string "audit" to check whether auditing is
available.
* journalctl gained two new commands --vacuum-size= and
--vacuum-time= to delete old journal files until the
remaining ones take up no more than the specified size on disk,
or are not older than the specified time.
* A new, native PPPoE library has been added to sd-network,
systemd's library of light-weight networking protocols. This
library will be used in a future version of networkd to
enable PPPoE communication without an external pppd daemon.
* The busctl tool now understands a new "capture" verb that
works similar to "monitor", but writes a packet capture
trace to STDOUT that can be redirected to a file which is
compatible with libcap's capture file format. This can then
be loaded in Wireshark and similar tools to inspect bus
communication.
* The busctl tool now understands a new "tree" verb that shows
the object trees of a specific service on the bus, or of all
services.
* The busctl tool now understands a new "introspect" verb that
shows all interfaces and members of objects on the bus,
including their signature and values. This is particularly
useful to get more information about bus objects shown by
the new "busctl tree" command.
* The busctl tool now understands new verbs "call",
"set-property" and "get-property" for invoking bus method
calls, setting and getting bus object properties in a
friendly way.
* busctl gained a new --augment-creds= argument that controls
whether the tool shall augment credential information it
gets from the bus with data from /proc, in a possibly
race-ful way.
* nspawn's --link-journal= switch gained two new values
"try-guest" and "try-host" that work like "guest" and
"host", but do not fail if the host has no persistent
journaling enabled. -j is now equivalent to
--link-journal=try-guest.
* macvlan network devices created by nspawn will now have
stable MAC addresses.
* A new SmackProcessLabel= unit setting has been added, which
controls the SMACK security label processes forked off by
the respective unit shall use.
* If compiled with --enable-xkbcommon, systemd-localed will
verify x11 keymap settings by compiling the given keymap. It
will spew out warnings if the compilation fails. This
requires libxkbcommon to be installed.
* When a coredump is collected, a larger number of metadata
fields is now collected and included in the journal records
created for it. More specifically, control group membership,
environment variables, memory maps, working directory,
chroot directory, /proc/$PID/status, and a list of open file
descriptors is now stored in the log entry.
* The udev hwdb now contains DPI information for mice. For
details see:
http://who-t.blogspot.de/2014/12/building-a-dpi-database-for-mice.html
* All systemd programs that read standalone configuration
files in /etc now also support a corresponding series of
.conf.d configuration directories in /etc/, /run/,
/usr/local/lib/, /usr/lib/, and (if configured with
--enable-split-usr) /lib/. In particular, the following
configuration files now have corresponding configuration
directories: system.conf user.conf, logind.conf,
journald.conf, sleep.conf, bootchart.conf, coredump.conf,
resolved.conf, timesyncd.conf, journal-remote.conf, and
journal-upload.conf. Note that distributions should use the
configuration directories in /usr/lib/; the directories in
/etc/ are reserved for the system administrator.
* systemd-rfkill will no longer take the rfkill device name
into account when storing rfkill state on disk, as the name
might be dynamically assigned and not stable. Instead, the
ID_PATH udev variable combined with the rfkill type (wlan,
bluetooth, …) is used.
* A new service systemd-machine-id-commit.service has been
added. When used on systems where /etc is read-only during
boot, and /etc/machine-id is not initialized (but an empty
file), this service will copy the temporary machine ID
created as replacement into /etc after the system is fully
booted up. This is useful for systems that are freshly
installed with a non-initialized machine ID, but should get
a fixed machine ID for subsequent boots.
* networkd's .netdev files now provide a large set of
configuration parameters for VXLAN devices. Similarly, the
bridge port cost parameter is now configurable in .network
files. There's also new support for configuring IP source
routing. networkd .link files gained support for a new
OriginalName= match that is useful to match against the
original interface name the kernel assigned. .network files
may include MTU= and MACAddress= fields for altering the MTU
and MAC address while being connected to a specific network
interface.
* The LUKS logic gained supported for configuring
UUID-specific key files. There's also new support for naming
LUKS device from the kernel command line, using the new
luks.name= argument.
* Timer units may now be transiently created via the bus API
(this was previously already available for scope and service
units). In addition it is now possible to create multiple
transient units at the same time with a single bus call. The
"systemd-run" tool has been updated to make use of this for
running commands on a specified time, in at(1)-style.
* tmpfiles gained support for "t" lines, for assigning
extended attributes to files. Among other uses this may be
used to assign SMACK labels to files.
Contributions from: Alin Rauta, Alison Chaiken, Andrej
Manduch, Bastien Nocera, Chris Atkinson, Chris Leech, Chris
Mayo, Colin Guthrie, Colin Walters, Cristian Rodríguez,
Daniele Medri, Daniel Mack, Dan Williams, Dan Winship, Dave
Reisner, David Herrmann, Didier Roche, Felipe Sateler, Gavin
Li, Hans de Goede, Harald Hoyer, Iago López Galeiras, Ivan
Shapovalov, Jakub Filak, Jan Janssen, Jan Synacek, Joe
Lawrence, Josh Triplett, Kay Sievers, Lennart Poettering,
Lukas Nykryn, Łukasz Stelmach, Maciej Wereski, Mantas
Mikulėnas, Marcel Holtmann, Martin Pitt, Maurizio Lombardi,
Michael Biebl, Michael Chapman, Michael Marineau, Michal
Schmidt, Michal Sekletar, Olivier Brunel, Patrik Flykt, Peter
Hutterer, Przemyslaw Kedzierski, Rami Rosen, Ray Strode,
Richard Schütz, Richard W.M. Jones, Ronny Chevalier, Ross
Lagerwall, Sean Young, Stanisław Pitucha, Susant Sahani,
Thomas Haller, Thomas Hindoe Paaboel Andersen, Tom Gundersen,
Torstein Husebø, Umut Tezduyar Lindskog, Vicente Olivert
Riera, WaLyong Cho, Wesley Dawson, Zbigniew Jędrzejewski-Szmek
— Berlin, 2014-12-10
CHANGES WITH 217:
* journalctl gained the new options -t/--identifier= to match
on the syslog identifier (aka "tag"), as well as --utc to
show log timestamps in the UTC timezone. journalctl now also
accepts -n/--lines=all to disable line capping in a pager.
* journalctl gained a new switch, --flush, that synchronously
flushes logs from /run/log/journal to /var/log/journal if
persistent storage is enabled. systemd-journal-flush.service
now waits until the operation is complete.
* Services can notify the manager before they start a reload
(by sending RELOADING=1) or shutdown (by sending
STOPPING=1). This allows the manager to track and show the
internal state of daemons and closes a race condition when
the process is still running but has closed its D-Bus
connection.
* Services with Type=oneshot do not have to have any ExecStart
commands anymore.
* User units are now loaded also from
$XDG_RUNTIME_DIR/systemd/user/. This is similar to the
/run/systemd/user directory that was already previously
supported, but is under the control of the user.
* Job timeouts (i.e. timeouts on the time a job that is
queued stays in the run queue) can now optionally result in
immediate reboot or power-off actions (JobTimeoutAction= and
JobTimeoutRebootArgument=). This is useful on ".target"
units, to limit the maximum time a target remains
undispatched in the run queue, and to trigger an emergency
operation in such a case. This is now used by default to
turn off the system if boot-up (as defined by everything in
basic.target) hangs and does not complete for at least
15min. Also, if power-off or reboot hang for at least 30min
an immediate power-off/reboot operation is triggered. This
functionality is particularly useful to increase reliability
on embedded devices, but also on laptops which might
accidentally get powered on when carried in a backpack and
whose boot stays stuck in a hard disk encryption passphrase
question.
* systemd-logind can be configured to also handle lid switch
events even when the machine is docked or multiple displays
are attached (HandleLidSwitchDocked= option).
* A helper binary and a service have been added which can be
used to resume from hibernation in the initramfs. A
generator will parse the resume= option on the kernel
command line to trigger resume.
* A user console daemon systemd-consoled has been
added. Currently, it is a preview, and will so far open a
single terminal on each session of the user marked as
Desktop=systemd-console.
* Route metrics can be specified for DHCP routes added by
systemd-networkd.
* The SELinux context of socket-activated services can be set
from the information provided by the networking stack
(SELinuxContextFromNet= option).
* Userspace firmware loading support has been removed and
the minimum supported kernel version is thus bumped to 3.7.
* Timeout for udev workers has been increased from 1 to 3
minutes, but a warning will be printed after 1 minute to
help diagnose kernel modules that take a long time to load.
* Udev rules can now remove tags on devices with TAG-="foobar".
* systemd's readahead implementation has been removed. In many
circumstances it didn't give expected benefits even for
rotational disk drives and was becoming less relevant in the
age of SSDs. As none of the developers has been using
rotating media anymore, and nobody stepped up to actively
maintain this component of systemd it has now been removed.
* Swap units can use Options= to specify discard options.
Discard options specified for swaps in /etc/fstab are now
respected.
* Docker containers are now detected as a separate type of
virtualization.
* The Password Agent protocol gained support for queries where
the user input is shown, useful e.g. for user names.
systemd-ask-password gained a new --echo option to turn that
on.
* The default sysctl.d/ snippets will now set:
net.core.default_qdisc = fq_codel
This selects Fair Queuing Controlled Delay as the default
queuing discipline for network interfaces. fq_codel helps
fight the network bufferbloat problem. It is believed to be
a good default with no tuning required for most workloads.
Downstream distributions may override this choice. On 10Gbit
servers that do not do forwarding, "fq" may perform better.
Systems without a good clocksource should use "pfifo_fast".
* If kdbus is enabled during build a new option BusPolicy= is
available for service units, that allows locking all service
processes into a stricter bus policy, in order to limit
access to various bus services, or even hide most of them
from the service's view entirely.
* networkctl will now show the .network and .link file
networkd has applied to a specific interface.
* sd-login gained a new API call sd_session_get_desktop() to
query which desktop environment has been selected for a
session.
* UNIX utmp support is now compile-time optional to support
legacy-free systems.
* systemctl gained two new commands "add-wants" and
"add-requires" for pulling in units from specific targets
easily.
* If the word "rescue" is specified on the kernel command line
the system will now boot into rescue mode (aka
rescue.target), which was previously available only by
specifying "1" or "systemd.unit=rescue.target" on the kernel
command line. This new kernel command line option nicely
mirrors the already existing "emergency" kernel command line
option.
* New kernel command line options mount.usr=, mount.usrflags=,
mount.usrfstype= have been added that match root=, rootflags=,
rootfstype= but allow mounting a specific file system to
/usr.
* The $NOTIFY_SOCKET is now also passed to control processes of
services, not only the main process.
* This version reenables support for fsck's -l switch. This
means at least version v2.25 of util-linux is required for
operation, otherwise dead-locks on device nodes may
occur. Again: you need to update util-linux to at least
v2.25 when updating systemd to v217.
* The "multi-seat-x" tool has been removed from systemd, as
its functionality has been integrated into X servers 1.16,
and the tool is hence redundant. It is recommended to update
display managers invoking this tool to simply invoke X
directly from now on, again.
* Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus
message flag has been added for all of systemd's polkit
authenticated method calls has been added. In particular this
now allows optional interactive authorization via polkit for
many of PID1's privileged operations such as unit file
enabling and disabling.
* "udevadm hwdb --update" learnt a new switch "--usr" for
placing the rebuilt hardware database in /usr instead of
/etc. When used only hardware database entries stored in
/usr will be used, and any user database entries in /etc are
ignored. This functionality is useful for vendors to ship a
pre-built database on systems where local configuration is
unnecessary or unlikely.
* Calendar time specifications in .timer units now also
understand the strings "semi-annually", "quarterly" and
"minutely" as shortcuts (in addition to the preexisting
"annually", "hourly", …).
* systemd-tmpfiles will now correctly create files in /dev
at boot which are marked for creation only at boot. It is
recommended to always create static device nodes with 'c!'
and 'b!', so that they are created only at boot and not
overwritten at runtime.
* When the watchdog logic is used for a service (WatchdogSec=)
and the watchdog timeout is hit the service will now be
terminated with SIGABRT (instead of just SIGTERM), in order
to make sure a proper coredump and backtrace is
generated. This ensures that hanging services will result in
similar coredump/backtrace behaviour as services that hit a
segmentation fault.
Contributions from: Andreas Henriksson, Andrei Borzenkov,
Angus Gibson, Ansgar Burchardt, Ben Wolsieffer, Brandon L.
Black, Christian Hesse, Cristian Rodríguez, Daniel Buch,
Daniele Medri, Daniel Mack, Dan Williams, Dave Reisner, David
Herrmann, David Sommerseth, David Strauss, Emil Renner
Berthing, Eric Cook, Evangelos Foutras, Filipe Brandenburger,
Gustavo Sverzut Barbieri, Hans de Goede, Harald Hoyer, Hristo
Venev, Hugo Grostabussiat, Ivan Shapovalov, Jan Janssen, Jan
Synacek, Jonathan Liu, Juho Son, Karel Zak, Kay Sievers, Klaus
Purer, Koen Kooi, Lennart Poettering, Lukas Nykryn, Lukasz
Skalski, Łukasz Stelmach, Mantas Mikulėnas, Marcel Holtmann,
Marius Tessmann, Marko Myllynen, Martin Pitt, Michael Biebl,
Michael Marineau, Michael Olbrich, Michael Scherer, Michal
Schmidt, Michal Sekletar, Miroslav Lichvar, Patrik Flykt,
Philippe De Swert, Piotr Drąg, Rahul Sundaram, Richard
Weinberger, Robert Milasan, Ronny Chevalier, Ruben Kerkhof,
Santiago Vila, Sergey Ptashnick, Simon McVittie, Sjoerd
Simons, Stefan Brüns, Steven Allen, Steven Noonan, Susant
Sahani, Sylvain Plantefève, Thomas Hindoe Paaboel Andersen,
Timofey Titovets, Tobias Hunger, Tom Gundersen, Torstein
Husebø, Umut Tezduyar Lindskog, WaLyong Cho, Zbigniew
Jędrzejewski-Szmek
— Berlin, 2014-10-28
CHANGES WITH 216:
* timedated no longer reads NTP implementation unit names from
/usr/lib/systemd/ntp-units.d/*.list. Alternative NTP
implementations should add a
Conflicts=systemd-timesyncd.service
to their unit files to take over and replace systemd's NTP
default functionality.
* systemd-sysusers gained a new line type "r" for configuring
which UID/GID ranges to allocate system users/groups
from. Lines of type "u" may now add an additional column
that specifies the home directory for the system user to be
created. Also, systemd-sysusers may now optionally read user
information from STDIN instead of a file. This is useful for
invoking it from RPM preinst scriptlets that need to create
users before the first RPM file is installed since these
files might need to be owned by them. A new
%sysusers_create_inline RPM macro has been introduced to do
just that. systemd-sysusers now updates the shadow files as
well as the user/group databases, which should enhance
compatibility with certain tools like grpck.
* A number of bus APIs of PID 1 now optionally consult polkit to
permit access for otherwise unprivileged clients under certain
conditions. Note that this currently doesn't support
interactive authentication yet, but this is expected to be
added eventually, too.
* /etc/machine-info now has new fields for configuring the
deployment environment of the machine, as well as the
location of the machine. hostnamectl has been updated with
new command to update these fields.
* systemd-timesyncd has been updated to automatically acquire
NTP server information from systemd-networkd, which might
have been discovered via DHCP.
* systemd-resolved now includes a caching DNS stub resolver
and a complete LLMNR name resolution implementation. A new
NSS module "nss-resolve" has been added which can be used
instead of glibc's own "nss-dns" to resolve hostnames via
systemd-resolved. Hostnames, addresses and arbitrary RRs may
be resolved via systemd-resolved D-Bus APIs. In contrast to
the glibc internal resolver systemd-resolved is aware of
multi-homed system, and keeps DNS server and caches separate
and per-interface. Queries are sent simultaneously on all
interfaces that have DNS servers configured, in order to
properly handle VPNs and local LANs which might resolve
separate sets of domain names. systemd-resolved may acquire
DNS server information from systemd-networkd automatically,
which in turn might have discovered them via DHCP. A tool
"systemd-resolve-host" has been added that may be used to
query the DNS logic in resolved. systemd-resolved implements
IDNA and automatically uses IDNA or UTF-8 encoding depending
on whether classic DNS or LLMNR is used as transport. In the
next releases we intend to add a DNSSEC and mDNS/DNS-SD
implementation to systemd-resolved.
* A new NSS module nss-mymachines has been added, that
automatically resolves the names of all local registered
containers to their respective IP addresses.
* A new client tool "networkctl" for systemd-networkd has been
added. It currently is entirely passive and will query
networking configuration from udev, rtnetlink and networkd,
and present it to the user in a very friendly
way. Eventually, we hope to extend it to become a full
control utility for networkd.
* .socket units gained a new DeferAcceptSec= setting that
controls the kernels' TCP_DEFER_ACCEPT sockopt for
TCP. Similarly, support for controlling TCP keep-alive
settings has been added (KeepAliveTimeSec=,
KeepAliveIntervalSec=, KeepAliveProbes=). Also, support for
turning off Nagle's algorithm on TCP has been added
(NoDelay=).
* logind learned a new session type "web", for use in projects
like Cockpit which register web clients as PAM sessions.
* timer units with at least one OnCalendar= setting will now
be started only after time-sync.target has been
reached. This way they will not elapse before the system
clock has been corrected by a local NTP client or
similar. This is particular useful on RTC-less embedded
machines, that come up with an invalid system clock.
* systemd-nspawn's --network-veth= switch should now result in
stable MAC addresses for both the outer and the inner side
of the link.
* systemd-nspawn gained a new --volatile= switch for running
container instances with /etc or /var unpopulated.
* The kdbus client code has been updated to use the new Linux
3.17 memfd subsystem instead of the old kdbus-specific one.
* systemd-networkd's DHCP client and server now support
FORCERENEW. There are also new configuration options to
configure the vendor client identifier and broadcast mode
for DHCP.
* systemd will no longer inform the kernel about the current
timezone, as this is necessarily incorrect and racy as the
kernel has no understanding of DST and similar
concepts. This hence means FAT timestamps will be always
considered UTC, similar to what Android is already
doing. Also, when the RTC is configured to the local time
(rather than UTC) systemd will never synchronize back to it,
as this might confuse Windows at a later boot.
* systemd-analyze gained a new command "verify" for offline
validation of unit files.
* systemd-networkd gained support for a couple of additional
settings for bonding networking setups. Also, the metric for
statically configured routes may now be configured. For
network interfaces where this is appropriate the peer IP
address may now be configured.
* systemd-networkd's DHCP client will no longer request
broadcasting by default, as this tripped up some networks.
For hardware where broadcast is required the feature should
be switched back on using RequestBroadcast=yes.
* systemd-networkd will now set up IPv4LL addresses (when
enabled) even if DHCP is configured successfully.
* udev will now default to respect network device names given
by the kernel when the kernel indicates that these are
predictable. This behavior can be tweaked by changing
NamePolicy= in the relevant .link file.
* A new library systemd-terminal has been added that
implements full TTY stream parsing and rendering. This
library is supposed to be used later on for implementing a
full userspace VT subsystem, replacing the current kernel
implementation.
* A new tool systemd-journal-upload has been added to push
journal data to a remote system running
systemd-journal-remote.
* journald will no longer forward all local data to another
running syslog daemon. This change has been made because
rsyslog (which appears to be the most commonly used syslog
implementation these days) no longer makes use of this, and
instead pulls the data out of the journal on its own. Since
forwarding the messages to a non-existent syslog server is
more expensive than we assumed we have now turned this
off. If you run a syslog server that is not a recent rsyslog
version, you have to turn this option on again
(ForwardToSyslog= in journald.conf).
* journald now optionally supports the LZ4 compressor for
larger journal fields. This compressor should perform much
better than XZ which was the previous default.
* machinectl now shows the IP addresses of local containers,
if it knows them, plus the interface name of the container.
* A new tool "systemd-escape" has been added that makes it
easy to escape strings to build unit names and similar.
* sd_notify() messages may now include a new ERRNO= field
which is parsed and collected by systemd and shown among the
"systemctl status" output for a service.
* A new component "systemd-firstboot" has been added that
queries the most basic systemd information (timezone,
hostname, root password) interactively on first
boot. Alternatively it may also be used to provision these
things offline on OS images installed into directories.
* The default sysctl.d/ snippets will now set
net.ipv4.conf.default.promote_secondaries=1
This has the benefit of no flushing secondary IP addresses
when primary addresses are removed.
Contributions from: Ansgar Burchardt, Bastien Nocera, Colin
Walters, Dan Dedrick, Daniel Buch, Daniel Korostil, Daniel
Mack, Dan Williams, Dave Reisner, David Herrmann, Denis
Kenzior, Eelco Dolstra, Eric Cook, Hannes Reinecke, Harald
Hoyer, Hong Shick Pak, Hui Wang, Jean-André Santoni, Jóhann
B. Guðmundsson, Jon Severinsson, Karel Zak, Kay Sievers, Kevin
Wells, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas,
Marc-Antoine Perennou, Martin Pitt, Michael Biebl, Michael
Marineau, Michael Olbrich, Michal Schmidt, Michal Sekletar,
Miguel Angel Ajo, Mike Gilbert, Olivier Brunel, Robert
Schiele, Ronny Chevalier, Simon McVittie, Sjoerd Simons, Stef
Walter, Steven Noonan, Susant Sahani, Tanu Kaskinen, Thomas
Blume, Thomas Hindoe Paaboel Andersen, Timofey Titovets,
Tobias Geerinckx-Rice, Tomasz Torcz, Tom Gundersen, Umut
Tezduyar Lindskog, Zbigniew Jędrzejewski-Szmek
— Berlin, 2014-08-19
CHANGES WITH 215:
* A new tool systemd-sysusers has been added. This tool
creates system users and groups in /etc/passwd and
/etc/group, based on static declarative system user/group
definitions in /usr/lib/sysusers.d/. This is useful to
enable factory resets and volatile systems that boot up with
an empty /etc directory, and thus need system users and
groups created during early boot. systemd now also ships
with two default sysusers.d/ files for the most basic
users and groups systemd and the core operating system
require.
* A new tmpfiles snippet has been added that rebuilds the
essential files in /etc on boot, should they be missing.
* A directive for ensuring automatic clean-up of
/var/cache/man/ has been removed from the default
configuration. This line should now be shipped by the man
implementation. The necessary change has been made to the
man-db implementation. Note that you need to update your man
implementation to one that ships this line, otherwise no
automatic clean-up of /var/cache/man will take place.
* A new condition ConditionNeedsUpdate= has been added that
may conditionalize services to only run when /etc or /var
are "older" than the vendor operating system resources in
/usr. This is useful for reconstructing or updating /etc
after an offline update of /usr or a factory reset, on the
next reboot. Services that want to run once after such an
update or reset should use this condition and order
themselves before the new systemd-update-done.service, which
will mark the two directories as fully updated. A number of
service files have been added making use of this, to rebuild
the udev hardware database, the journald message catalog and
dynamic loader cache (ldconfig). The systemd-sysusers tool
described above also makes use of this now. With this in
place it is now possible to start up a minimal operating
system with /etc empty cleanly. For more information on the
concepts involved see this recent blog story:
https://0pointer.de/blog/projects/stateless.html
* A new system group "input" has been introduced, and all
input device nodes get this group assigned. This is useful
for system-level software to get access to input devices. It
complements what is already done for "audio" and "video".
* systemd-networkd learnt minimal DHCPv4 server support in
addition to the existing DHCPv4 client support. It also
learnt DHCPv6 client and IPv6 Router Solicitation client
support. The DHCPv4 client gained support for static routes
passed in from the server. Note that the [DHCPv4] section
known in older systemd-networkd versions has been renamed to
[DHCP] and is now also used by the DHCPv6 client. Existing
.network files using settings of this section should be
updated, though compatibility is maintained. Optionally, the
client hostname may now be sent to the DHCP server.
* networkd gained support for vxlan virtual networks as well
as tun/tap and dummy devices.
* networkd gained support for automatic allocation of address
ranges for interfaces from a system-wide pool of
addresses. This is useful for dynamically managing a large
number of interfaces with a single network configuration
file. In particular this is useful to easily assign
appropriate IP addresses to the veth links of a large number
of nspawn instances.
* RPM macros for processing sysusers, sysctl and binfmt
drop-in snippets at package installation time have been
added.
* The /etc/os-release file should now be placed in
/usr/lib/os-release. The old location is automatically
created as symlink. /usr/lib is the more appropriate
location of this file, since it shall actually describe the
vendor operating system shipped in /usr, and not the
configuration stored in /etc.
* .mount units gained a new boolean SloppyOptions= setting
that maps to mount(8)'s -s option which enables permissive
parsing of unknown mount options.
* tmpfiles learnt a new "L+" directive which creates a symlink
but (unlike "L") deletes a pre-existing file first, should
it already exist and not already be the correct
symlink. Similarly, "b+", "c+" and "p+" directives have been
added as well, which create block and character devices, as
well as fifos in the filesystem, possibly removing any
pre-existing files of different types.
* For tmpfiles' "L", "L+", "C" and "C+" directives the final
'argument' field (which so far specified the source to
symlink/copy the files from) is now optional. If omitted the
same file os copied from /usr/share/factory/ suffixed by the
full destination path. This is useful for populating /etc
with essential files, by copying them from vendor defaults
shipped in /usr/share/factory/etc.
* A new command "systemctl preset-all" has been added that
applies the service preset settings to all installed unit
files. A new switch --preset-mode= has been added that
controls whether only enable or only disable operations
shall be executed.
* A new command "systemctl is-system-running" has been added
that allows checking the overall state of the system, for
example whether it is fully up and running.
* When the system boots up with an empty /etc, the equivalent
to "systemctl preset-all" is executed during early boot, to
make sure all default services are enabled after a factory
reset.
* systemd now contains a minimal preset file that enables the
most basic services systemd ships by default.
* Unit files' [Install] section gained a new DefaultInstance=
field for defining the default instance to create if a
template unit is enabled with no instance specified.
* A new passive target cryptsetup-pre.target has been added
that may be used by services that need to make they run and
finish before the first LUKS cryptographic device is set up.
* The /dev/loop-control and /dev/btrfs-control device nodes
are now owned by the "disk" group by default, opening up
access to this group.
* systemd-coredump will now automatically generate a
stack trace of all core dumps taking place on the system,
based on elfutils' libdw library. This stack trace is logged
to the journal.
* systemd-coredump may now optionally store coredumps directly
on disk (in /var/lib/systemd/coredump, possibly compressed),
instead of storing them unconditionally in the journal. This
mode is the new default. A new configuration file
/etc/systemd/coredump.conf has been added to configure this
and other parameters of systemd-coredump.
* coredumpctl gained a new "info" verb to show details about a
specific coredump. A new switch "-1" has also been added
that makes sure to only show information about the most
recent entry instead of all entries. Also, as the tool is
generally useful now the "systemd-" prefix of the binary
name has been removed. Distributions that want to maintain
compatibility with the old name should add a symlink from
the old name to the new name.
* journald's SplitMode= now defaults to "uid". This makes sure
that unprivileged users can access their own coredumps with
coredumpctl without restrictions.
* New kernel command line options "systemd.wants=" (for
pulling an additional unit during boot), "systemd.mask="
(for masking a specific unit for the boot), and
"systemd.debug-shell" (for enabling the debug shell on tty9)
have been added. This is implemented in the new generator
"systemd-debug-generator".
* systemd-nspawn will now by default filter a couple of
syscalls for containers, among them those required for
kernel module loading, direct x86 IO port access, swap
management, and kexec. Most importantly though
open_by_handle_at() is now prohibited for containers,
closing a hole similar to a recently discussed vulnerability
in docker regarding access to files on file hierarchies the
container should normally not have access to. Note that, for
nspawn, we generally make no security claims anyway (and
this is explicitly documented in the man page), so this is
just a fix for one of the most obvious problems.
* A new man page file-hierarchy(7) has been added that
contains a minimized, modernized version of the file system
layout systemd expects, similar in style to the FHS
specification or hier(5). A new tool systemd-path(1) has
been added to query many of these paths for the local
machine and user.
* Automatic time-based clean-up of $XDG_RUNTIME_DIR is no
longer done. Since the directory now has a per-user size
limit, and is cleaned on logout this appears unnecessary,
in particular since this now brings the lifecycle of this
directory closer in line with how IPC objects are handled.
* systemd.pc now exports a number of additional directories,
including $libdir (which is useful to identify the library
path for the primary architecture of the system), and a
couple of drop-in directories.
* udev's predictable network interface names now use the dev_port
sysfs attribute, introduced in linux 3.15 instead of dev_id to
distinguish between ports of the same PCI function. dev_id should
only be used for ports using the same HW address, hence the need
for dev_port.
* machined has been updated to export the OS version of a
container (read from /etc/os-release and
/usr/lib/os-release) on the bus. This is now shown in
"machinectl status" for a machine.
* A new service setting RestartForceExitStatus= has been
added. If configured to a set of exit signals or process
return values, the service will be restarted when the main
daemon process exits with any of them, regardless of the
Restart= setting.
* systemctl's -H switch for connecting to remote systemd
machines has been extended so that it may be used to
directly connect to a specific container on the
host. "systemctl -H root@foobar:waldi" will now connect as
user "root" to host "foobar", and then proceed directly to
the container named "waldi". Note that currently you have to
authenticate as user "root" for this to work, as entering
containers is a privileged operation.
Contributions from: Andreas Henriksson, Benjamin Steinwender,
Carl Schaefer, Christian Hesse, Colin Ian King, Cristian
Rodríguez, Daniel Mack, Dave Reisner, David Herrmann, Eugene
Yakubovich, Filipe Brandenburger, Frederic Crozat, Hristo
Venev, Jan Engelhardt, Jonathan Boulle, Kay Sievers, Lennart
Poettering, Luke Shumaker, Mantas Mikulėnas, Marc-Antoine
Perennou, Marcel Holtmann, Michael Marineau, Michael Olbrich,
Michał Bartoszkiewicz, Michal Sekletar, Patrik Flykt, Ronan Le
Martret, Ronny Chevalier, Ruediger Oertel, Steven Noonan,
Susant Sahani, Thadeu Lima de Souza Cascardo, Thomas Hindoe
Paaboel Andersen, Tom Gundersen, Tom Hirst, Umut Tezduyar
Lindskog, Uoti Urpala, Zbigniew Jędrzejewski-Szmek
— Berlin, 2014-07-03
CHANGES WITH 214:
* As an experimental feature, udev now tries to lock the
disk device node (flock(LOCK_SH|LOCK_NB)) while it
executes events for the disk or any of its partitions.
Applications like partitioning programs can lock the
disk device node (flock(LOCK_EX)) and claim temporary
device ownership that way; udev will entirely skip all event
handling for this disk and its partitions. If the disk
was opened for writing, the close will trigger a partition
table rescan in udev's "watch" facility, and if needed
synthesize "change" events for the disk and all its partitions.
This is now unconditionally enabled, and if it turns out to
cause major problems, we might turn it on only for specific
devices, or might need to disable it entirely. Device Mapper
devices are excluded from this logic.
* We temporarily dropped the "-l" switch for fsck invocations,
since they collide with the flock() logic above. util-linux
upstream has been changed already to avoid this conflict,
and we will re-add "-l" as soon as util-linux with this
change has been released.
* The dependency on libattr has been removed. Since a long
time, the extended attribute calls have moved to glibc, and
libattr is thus unnecessary.
* Virtualization detection works without privileges now. This
means the systemd-detect-virt binary no longer requires
CAP_SYS_PTRACE file capabilities, and our daemons can run
with fewer privileges.
* systemd-networkd now runs under its own "systemd-network"
user. It retains the CAP_NET_ADMIN, CAP_NET_BIND_SERVICE,
CAP_NET_BROADCAST, CAP_NET_RAW capabilities though, but
loses the ability to write to files owned by root this way.
* Similarly, systemd-resolved now runs under its own
"systemd-resolve" user with no capabilities remaining.
* Similarly, systemd-bus-proxyd now runs under its own
"systemd-bus-proxy" user with only CAP_IPC_OWNER remaining.
* systemd-networkd gained support for setting up "veth"
virtual Ethernet devices for container connectivity, as well
as GRE and VTI tunnels.
* systemd-networkd will no longer automatically attempt to
manually load kernel modules necessary for certain tunnel
transports. Instead, it is assumed the kernel loads them
automatically when required. This only works correctly on
very new kernels. On older kernels, please consider adding
the kernel modules to /etc/modules-load.d/ as a work-around.
* The resolv.conf file systemd-resolved generates has been
moved to /run/systemd/resolve/. If you have a symlink from
/etc/resolv.conf, it might be necessary to correct it.
* Two new service settings, ProtectHome= and ProtectSystem=,
have been added. When enabled, they will make the user data
(such as /home) inaccessible or read-only and the system
(such as /usr) read-only, for specific services. This allows
very light-weight per-service sandboxing to avoid
modifications of user data or system files from
services. These two new switches have been enabled for all
of systemd's long-running services, where appropriate.
* Socket units gained new SocketUser= and SocketGroup=
settings to set the owner user and group of AF_UNIX sockets
and FIFOs in the file system.
* Socket units gained a new RemoveOnStop= setting. If enabled,
all FIFOS and sockets in the file system will be removed
when the specific socket unit is stopped.
* Socket units gained a new Symlinks= setting. It takes a list
of symlinks to create to file system sockets or FIFOs
created by the specific Unix sockets. This is useful to
manage symlinks to socket nodes with the same lifecycle as
the socket itself.
* The /dev/log socket and /dev/initctl FIFO have been moved to
/run, and have been replaced by symlinks. This allows
connecting to these facilities even if PrivateDevices=yes is
used for a service (which makes /dev/log itself unavailable,
but /run is left). This also has the benefit of ensuring
that /dev only contains device nodes, directories and
symlinks, and nothing else.
* sd-daemon gained two new calls sd_pid_notify() and
sd_pid_notifyf(). They are similar to sd_notify() and
sd_notifyf(), but allow overriding of the source PID of
notification messages if permissions permit this. This is
useful to send notify messages on behalf of a different
process (for example, the parent process). The
systemd-notify tool has been updated to make use of this
when sending messages (so that notification messages now
originate from the shell script invoking systemd-notify and
not the systemd-notify process itself. This should minimize
a race where systemd fails to associate notification
messages to services when the originating process already
vanished.
* A new "on-abnormal" setting for Restart= has been added. If
set, it will result in automatic restarts on all "abnormal"
reasons for a process to exit, which includes unclean
signals, core dumps, timeouts and watchdog timeouts, but
does not include clean and unclean exit codes or clean
signals. Restart=on-abnormal is an alternative for
Restart=on-failure for services that shall be able to
terminate and avoid restarts on certain errors, by
indicating so with an unclean exit code. Restart=on-failure
or Restart=on-abnormal is now the recommended setting for
all long-running services.
* If the InaccessibleDirectories= service setting points to a
mount point (or if there are any submounts contained within
it), it is now attempted to completely unmount it, to make
the file systems truly unavailable for the respective
service.
* The ReadOnlyDirectories= service setting and
systemd-nspawn's --read-only parameter are now recursively
applied to all submounts, too.
* Mount units may now be created transiently via the bus APIs.
* The support for SysV and LSB init scripts has been removed
from the systemd daemon itself. Instead, it is now
implemented as a generator that creates native systemd units
from these scripts when needed. This enables us to remove a
substantial amount of legacy code from PID 1, following the
fact that many distributions only ship a very small number
of LSB/SysV init scripts nowadays.
* Privileged Xen (dom0) domains are not considered
virtualization anymore by the virtualization detection
logic. After all, they generally have unrestricted access to
the hardware and usually are used to manage the unprivileged
(domU) domains.
* systemd-tmpfiles gained a new "C" line type, for copying
files or entire directories.
* systemd-tmpfiles "m" lines are now fully equivalent to "z"
lines. So far, they have been non-globbing versions of the
latter, and have thus been redundant. In future, it is
recommended to only use "z". "m" has hence been removed
from the documentation, even though it stays supported.
* A tmpfiles snippet to recreate the most basic structure in
/var has been added. This is enough to create the /var/run →
/run symlink and create a couple of structural
directories. This allows systems to boot up with an empty or
volatile /var. Of course, while with this change, the core OS
now is capable with dealing with a volatile /var, not all
user services are ready for it. However, we hope that sooner
or later, many service daemons will be changed upstream so
that they are able to automatically create their necessary
directories in /var at boot, should they be missing. This is
the first step to allow state-less systems that only require
the vendor image for /usr to boot.
* systemd-nspawn has gained a new --tmpfs= switch to mount an
empty tmpfs instance to a specific directory. This is
particularly useful for making use of the automatic
reconstruction of /var (see above), by passing --tmpfs=/var.
* Access modes specified in tmpfiles snippets may now be
prefixed with "~", which indicates that they shall be masked
by whether the existing file or directory is currently
writable, readable or executable at all. Also, if specified,
the sgid/suid/sticky bits will be masked for all
non-directories.
* A new passive target unit "network-pre.target" has been
added which is useful for services that shall run before any
network is configured, for example firewall scripts.
* The "floppy" group that previously owned the /dev/fd*
devices is no longer used. The "disk" group is now used
instead. Distributions should probably deprecate usage of
this group.
Contributions from: Camilo Aguilar, Christian Hesse, Colin Ian
King, Cristian Rodríguez, Daniel Buch, Dave Reisner, David
Strauss, Denis Tikhomirov, John, Jonathan Liu, Kay Sievers,
Lennart Poettering, Mantas Mikulėnas, Mark Eichin, Ronny
Chevalier, Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel
Andersen, Tom Gundersen, Umut Tezduyar Lindskog, Zbigniew
Jędrzejewski-Szmek
— Berlin, 2014-06-11
CHANGES WITH 213:
* A new "systemd-timesyncd" daemon has been added for
synchronizing the system clock across the network. It
implements an SNTP client. In contrast to NTP
implementations such as chrony or the NTP reference server,
this only implements a client side, and does not bother with
the full NTP complexity, focusing only on querying time from
one remote server and synchronizing the local clock to
it. Unless you intend to serve NTP to networked clients or
want to connect to local hardware clocks, this simple NTP
client should be more than appropriate for most
installations. The daemon runs with minimal privileges, and
has been hooked up with networkd to only operate when
network connectivity is available. The daemon saves the
current clock to disk every time a new NTP sync has been
acquired, and uses this to possibly correct the system clock
early at bootup, in order to accommodate for systems that
lack an RTC such as the Raspberry Pi and embedded devices,
and to make sure that time monotonically progresses on these
systems, even if it is not always correct. To make use of
this daemon, a new system user and group "systemd-timesync"
needs to be created on installation of systemd.
* The queue "seqnum" interface of libudev has been disabled, as
it was generally incompatible with device namespacing as
sequence numbers of devices go "missing" if the devices are
part of a different namespace.
* "systemctl list-timers" and "systemctl list-sockets" gained
a --recursive switch for showing units of these types also
for all local containers, similar in style to the already
supported --recursive switch for "systemctl list-units".
* A new RebootArgument= setting has been added for service
units, which may be used to specify a kernel reboot argument
to use when triggering reboots with StartLimitAction=.
* A new FailureAction= setting has been added for service
units which may be used to specify an operation to trigger
when a service fails. This works similarly to
StartLimitAction=, but unlike it, controls what is done
immediately rather than only after several attempts to
restart the service in question.
* hostnamed got updated to also expose the kernel name,
release, and version on the bus. This is useful for
executing commands like hostnamectl with the -H switch.
systemd-analyze makes use of this to properly display
details when running non-locally.
* The bootchart tool can now show cgroup information in the
graphs it generates.
* The CFS CPU quota cgroup attribute is now exposed for
services. The new CPUQuota= switch has been added for this
which takes a percentage value. Setting this will have the
result that a service may never get more CPU time than the
specified percentage, even if the machine is otherwise idle.
* systemd-networkd learned IPIP and SIT tunnel support.
* LSB init scripts exposing a dependency on $network will now
get a dependency on network-online.target rather than simply
network.target. This should bring LSB handling closer to
what it was on SysV systems.
* A new fsck.repair= kernel option has been added to control
how fsck shall deal with unclean file systems at boot.
* The (.ini) configuration file parser will now silently ignore
sections whose names begin with "X-". This may be used to maintain
application-specific extension sections in unit files.
* machined gained a new API to query the IP addresses of
registered containers. "machinectl status" has been updated
to show these addresses in its output.
* A new call sd_uid_get_display() has been added to the
sd-login APIs for querying the "primary" session of a
user. The "primary" session of the user is elected from the
user's sessions and generally a graphical session is
preferred over a text one.
* A minimal systemd-resolved daemon has been added. It
currently simply acts as a companion to systemd-networkd and
manages resolv.conf based on per-interface DNS
configuration, possibly supplied via DHCP. In the long run
we hope to extend this into a local DNSSEC enabled DNS and
mDNS cache.
* The systemd-networkd-wait-online tool is now enabled by
default. It will delay network-online.target until a network
connection has been configured. The tool primarily integrates
with networkd, but will also make a best effort to make sense
of network configuration performed in some other way.
* Two new service options StartupCPUShares= and
StartupBlockIOWeight= have been added that work similarly to
CPUShares= and BlockIOWeight= however only apply during
system startup. This is useful to prioritize certain services
differently during bootup than during normal runtime.
* hostnamed has been changed to prefer the statically
configured hostname in /etc/hostname (unless set to
'localhost' or empty) over any dynamic one supplied by
dhcp. With this change, the rules for picking the hostname
match more closely the rules of other configuration settings
where the local administrator's configuration in /etc always
overrides any other settings.
Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van
den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch,
Dan Kilman, Dave Reisner, David Härdeman, David Herrmann,
David Strauss, Dimitris Spingos, Djalal Harouni, Eelco
Dolstra, Evan Nemerson, Florian Albrechtskirchinger, Greg
Kroah-Hartman, Harald Hoyer, Holger Hans Peter Freyther, Jan
Engelhardt, Jani Nikula, Jason St. John, Jeffrey Clark,
Jonathan Boulle, Kay Sievers, Lennart Poettering, Lukas
Nykryn, Lukasz Skalski, Łukasz Stelmach, Mantas Mikulėnas,
Marcel Holtmann, Martin Pitt, Matthew Monaco, Michael
Marineau, Michael Olbrich, Michal Sekletar, Mike Gilbert, Nis
Martensen, Patrik Flykt, Philip Lorenz, poma, Ray Strode,
Reyad Attiyat, Robert Milasan, Scott Thrasher, Stef Walter,
Steven Siloti, Susant Sahani, Tanu Kaskinen, Thomas Bächler,
Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar
Lindskog, WaLyong Cho, Will Woods, Zbigniew
Jędrzejewski-Szmek
— Beijing, 2014-05-28
CHANGES WITH 212:
* When restoring the screen brightness at boot, stay away from
the darkest setting or from the lowest 5% of the available
range, depending on which is the larger value of both. This
should effectively protect the user from rebooting into a
black screen, should the brightness have been set to minimum
by accident.
* sd-login gained a new sd_machine_get_class() call to
determine the class ("vm" or "container") of a machine
registered with machined.
* sd-login gained new calls
sd_peer_get_{session,owner_uid,unit,user_unit,slice,machine_name}(),
to query the identity of the peer of a local AF_UNIX
connection. They operate similarly to their sd_pid_get_xyz()
counterparts.
* PID 1 will now maintain a system-wide system state engine
with the states "starting", "running", "degraded",
"maintenance", "stopping". These states are bound to system
startup, normal runtime, runtime with at least one failed
service, rescue/emergency mode and system shutdown. This
state is shown in the "systemctl status" output when no unit
name is passed. It is useful to determine system state, in
particularly when doing so for many systems or containers at
once.
* A new command "list-machines" has been added to "systemctl"
that lists all local OS containers and shows their system
state (see above), if systemd runs inside of them.
* systemctl gained a new "-r" switch to recursively enumerate
units on all local containers, when used with the
"list-unit" command (which is the default one that is
executed when no parameters are specified).
* The GPT automatic partition discovery logic will now honour
two GPT partition flags: one may be set on a partition to
cause it to be mounted read-only, and the other may be set
on a partition to ignore it during automatic discovery.
* Two new GPT type UUIDs have been added for automatic root
partition discovery, for 32-bit and 64-bit ARM. This is not
particularly useful for discovering the root directory on
these architectures during bare-metal boots (since UEFI is
not common there), but still very useful to allow booting of
ARM disk images in nspawn with the -i option.
* MAC addresses of interfaces created with nspawn's
--network-interface= switch will now be generated from the
machine name, and thus be stable between multiple invocations
of the container.
* logind will now automatically remove all IPC objects owned
by a user if she or he fully logs out. This makes sure that
users who are logged out cannot continue to consume IPC
resources. This covers SysV memory, semaphores and message
queues as well as POSIX shared memory and message
queues. Traditionally, SysV and POSIX IPC had no lifecycle
limits. With this functionality, that is corrected. This may
be turned off by using the RemoveIPC= switch of logind.conf.
* The systemd-machine-id-setup and tmpfiles tools gained a
--root= switch to operate on a specific root directory,
instead of /.
* journald can now forward logged messages to the TTYs of all
logged in users ("wall"). This is the default for all
emergency messages now.
* A new tool systemd-journal-remote has been added to stream
journal log messages across the network.
* /sys/fs/cgroup/ is now mounted read-only after all cgroup
controller trees are mounted into it. Note that the
directories mounted beneath it are not read-only. This is a
security measure and is particularly useful because glibc
actually includes a search logic to pick any tmpfs it can
find to implement shm_open() if /dev/shm is not available
(which it might very well be in namespaced setups).
* machinectl gained a new "poweroff" command to cleanly power
down a local OS container.
* The PrivateDevices= unit file setting will now also drop the
CAP_MKNOD capability from the capability bound set, and
imply DevicePolicy=closed.
* PrivateDevices=, PrivateNetwork= and PrivateTmp= is now used
comprehensively on all long-running systemd services where
this is appropriate.
* systemd-udevd will now run in a disassociated mount
namespace. To mount directories from udev rules, make sure to
pull in mount units via SYSTEMD_WANTS properties.
* The kdbus support gained support for uploading policy into
the kernel. sd-bus gained support for creating "monitoring"
connections that can eavesdrop into all bus communication
for debugging purposes.
* Timestamps may now be specified in seconds since the UNIX
epoch Jan 1st, 1970 by specifying "@" followed by the value
in seconds.
* Native tcpwrap support in systemd has been removed. tcpwrap
is old code, not really maintained anymore and has serious
shortcomings, and better options such as firewalls
exist. For setups that require tcpwrap usage, please
consider invoking your socket-activated service via tcpd,
like on traditional inetd.
* A new system.conf configuration option
DefaultTimerAccuracySec= has been added that controls the
default AccuracySec= setting of .timer units.
* Timer units gained a new WakeSystem= switch. If enabled,
timers configured this way will cause the system to resume
from system suspend (if the system supports that, which most
do these days).
* Timer units gained a new Persistent= switch. If enabled,
timers configured this way will save to disk when they have
been last triggered. This information is then used on next
reboot to possible execute overdue timer events, that
could not take place because the system was powered off.
This enables simple anacron-like behaviour for timer units.
* systemctl's "list-timers" will now also list the time a
timer unit was last triggered in addition to the next time
it will be triggered.
* systemd-networkd will now assign predictable IPv4LL
addresses to its local interfaces.
Contributions from: Brandon Philips, Daniel Buch, Daniel Mack,
Dave Reisner, David Herrmann, Gerd Hoffmann, Greg
Kroah-Hartman, Hendrik Brueckner, Jason St. John, Josh
Triplett, Kay Sievers, Lennart Poettering, Marc-Antoine
Perennou, Michael Marineau, Michael Olbrich, Miklos Vajna,
Patrik Flykt, poma, Sebastian Thorarensen, Thomas Bächler,
Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom Gundersen,
Umut Tezduyar Lindskog, Wieland Hoffmann, Zbigniew
Jędrzejewski-Szmek
— Berlin, 2014-03-25
CHANGES WITH 211:
* A new unit file setting RestrictAddressFamilies= has been
added to restrict which socket address families unit
processes gain access to. This takes address family names
like "AF_INET" or "AF_UNIX", and is useful to minimize the
attack surface of services via exotic protocol stacks. This
is built on seccomp system call filters.
* Two new unit file settings RuntimeDirectory= and
RuntimeDirectoryMode= have been added that may be used to
manage a per-daemon runtime directories below /run. This is
an alternative for setting up directory permissions with
tmpfiles snippets, and has the advantage that the runtime
directory's lifetime is bound to the daemon runtime and that
the daemon starts up with an empty directory each time. This
is particularly useful when writing services that drop
privileges using the User= or Group= setting.
* The DeviceAllow= unit setting now supports globbing for
matching against device group names.
* The systemd configuration file system.conf gained new
settings DefaultCPUAccounting=, DefaultBlockIOAccounting=,
DefaultMemoryAccounting= to globally turn on/off accounting
for specific resources (cgroups) for all units. These
settings may still be overridden individually in each unit
though.
* systemd-gpt-auto-generator is now able to discover /srv and
root partitions in addition to /home and swap partitions. It
also supports LUKS-encrypted partitions now. With this in
place, automatic discovery of partitions to mount following
the Discoverable Partitions Specification
(https://systemd.io/DISCOVERABLE_PARTITIONS/)
is now a lot more complete. This allows booting without
/etc/fstab and without root= on the kernel command line on
systems prepared appropriately.
* systemd-nspawn gained a new --image= switch which allows
booting up disk images and Linux installations on any block
device that follow the Discoverable Partitions Specification
(see above). This means that installations made with
appropriately updated installers may now be started and
deployed using container managers, completely
unmodified. (We hope that libvirt-lxc will add support for
this feature soon, too.)
* systemd-nspawn gained a new --network-macvlan= setting to
set up a private macvlan interface for the
container. Similarly, systemd-networkd gained a new
Kind=macvlan setting in .netdev files.
* systemd-networkd now supports configuring local addresses
using IPv4LL.
* A new tool systemd-network-wait-online has been added to
synchronously wait for network connectivity using
systemd-networkd.
* The sd-bus.h bus API gained a new sd_bus_track object for
tracking the lifecycle of bus peers. Note that sd-bus.h is
still not a public API though (unless you specify
--enable-kdbus on the configure command line, which however
voids your warranty and you get no API stability guarantee).
* The $XDG_RUNTIME_DIR runtime directories for each user are
now individual tmpfs instances, which has the benefit of
introducing separate pools for each user, with individual
size limits, and thus making sure that unprivileged clients
can no longer negatively impact the system or other users by
filling up their $XDG_RUNTIME_DIR. A new logind.conf setting
RuntimeDirectorySize= has been introduced that allows
controlling the default size limit for all users. It
defaults to 10% of the available physical memory. This is no
replacement for quotas on tmpfs though (which the kernel
still does not support), as /dev/shm and /tmp are still
shared resources used by both the system and unprivileged
users.
* logind will now automatically turn off automatic suspending
on laptop lid close when more than one display is
connected. This was previously expected to be implemented
individually in desktop environments (such as GNOME),
however has been added to logind now, in order to fix a
boot-time race where a desktop environment might not have
been started yet and thus not been able to take an inhibitor
lock at the time where logind already suspends the system
due to a closed lid.
* logind will now wait at least 30s after each system
suspend/resume cycle, and 3min after system boot before
suspending the system due to a closed laptop lid. This
should give USB docking stations and similar enough time to
be probed and configured after system resume and boot in
order to then act as suspend blocker.
* systemd-run gained a new --property= setting which allows
initialization of resource control properties (and others)
for the created scope or service unit. Example: "systemd-run
--property=BlockIOWeight=10 updatedb" may be used to run
updatedb at a low block IO scheduling weight.
* systemd-run's --uid=, --gid=, --setenv=, --setenv= switches
now also work in --scope mode.
* When systemd is compiled with kdbus support, basic support
for enforced policies is now in place. (Note that enabling
kdbus still voids your warranty and no API compatibility
promises are made.)
Contributions from: Andrey Borzenkov, Ansgar Burchardt, Armin
K., Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni,
Harald Hoyer, Henrik Grindal Bakken, Jasper St. Pierre, Kay
Sievers, Kieran Clancy, Lennart Poettering, Lukas Nykryn,
Mantas Mikulėnas, Marcel Holtmann, Mark Oteiza, Martin Pitt,
Mike Gilbert, Peter Rajnoha, poma, Samuli Suominen, Stef
Walter, Susant Sahani, Tero Roponen, Thomas Andersen, Thomas
Bächler, Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom
Gundersen, Umut Tezduyar Lindskog, Uoti Urpala, Zachary Cook,
Zbigniew Jędrzejewski-Szmek
— Berlin, 2014-03-12
CHANGES WITH 210:
* systemd will now relabel /dev after loading the SMACK policy
according to SMACK rules.
* A new unit file option AppArmorProfile= has been added to
set the AppArmor profile for the processes of a unit.
* A new condition check ConditionArchitecture= has been added
to conditionalize units based on the system architecture, as
reported by uname()'s "machine" field.
* systemd-networkd now supports matching on the system
virtualization, architecture, kernel command line, hostname
and machine ID.
* logind is now a lot more aggressive when suspending the
machine due to a closed laptop lid. Instead of acting only
on the lid close action, it will continuously watch the lid
status and act on it. This is useful for laptops where the
power button is on the outside of the chassis so that it can
be reached without opening the lid (such as the Lenovo
Yoga). On those machines, logind will now immediately
re-suspend the machine if the power button has been
accidentally pressed while the laptop was suspended and in a
backpack or similar.
* logind will now watch SW_DOCK switches and inhibit reaction
to the lid switch if it is pressed. This means that logind
will not suspend the machine anymore if the lid is closed
and the system is docked, if the laptop supports SW_DOCK
notifications via the input layer. Note that ACPI docking
stations do not generate this currently. Also note that this
logic is usually not fully sufficient and Desktop
Environments should take a lid switch inhibitor lock when an
external display is connected, as systemd will not watch
this on its own.
* nspawn will now make use of the devices cgroup controller by
default, and only permit creation of and access to the usual
API device nodes like /dev/null or /dev/random, as well as
access to (but not creation of) the pty devices.
* We will now ship a default .network file for
systemd-networkd that automatically configures DHCP for
network interfaces created by nspawn's --network-veth or
--network-bridge= switches.
* systemd will now understand the usual M, K, G, T suffixes
according to SI conventions (i.e. to the base 1000) when
referring to throughput and hardware metrics. It will stay
with IEC conventions (i.e. to the base 1024) for software
metrics, according to what is customary according to
Wikipedia. We explicitly document which base applies for
each configuration option.
* The DeviceAllow= setting in unit files now supports a syntax to
allow-list an entire group of devices node majors at once, based on
the /proc/devices listing. For example, with the string "char-pts",
it is now possible to allow-list all current and future pseudo-TTYs
at once.
* sd-event learned a new "post" event source. Event sources of
this type are triggered by the dispatching of any event
source of a type that is not "post". This is useful for
implementing clean-up and check event sources that are
triggered by other work being done in the program.
* systemd-networkd is no longer statically enabled, but uses
the usual [Install] sections so that it can be
enabled/disabled using systemctl. It still is enabled by
default however.
* When creating a veth interface pair with systemd-nspawn, the
host side will now be prefixed with "vb-" if
--network-bridge= is used, and with "ve-" if --network-veth
is used. This way, it is easy to distinguish these cases on
the host, for example to apply different configuration to
them with systemd-networkd.
* The compatibility libraries for libsystemd-journal.so,
libsystem-id128.so, libsystemd-login.so and
libsystemd-daemon.so do not make use of IFUNC
anymore. Instead, we now build libsystemd.so multiple times
under these alternative names. This means that the footprint
is drastically increased, but given that these are
transitional compatibility libraries, this should not matter
much. This change has been made necessary to support the ARM
platform for these compatibility libraries, as the ARM
toolchain is not really at the same level as the toolchain
for other architectures like x86 and does not support
IFUNC. Please make sure to use --enable-compat-libs only
during a transitional period!
* The .include syntax has been deprecated and is not documented
anymore. Drop-in files in .d directories should be used instead.
Contributions from: Andreas Fuchs, Armin K., Colin Walters,
Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni,
Holger Schurig, Jason A. Donenfeld, Jason St. John, Jasper
St. Pierre, Kay Sievers, Lennart Poettering, Łukasz Stelmach,
Marcel Holtmann, Michael Scherer, Michal Sekletar, Mike
Gilbert, Samuli Suominen, Thomas Bächler, Thomas Hindoe
Paaboel Andersen, Tom Gundersen, Umut Tezduyar Lindskog,
Zbigniew Jędrzejewski-Szmek
— Berlin, 2014-02-24
CHANGES WITH 209:
* A new component "systemd-networkd" has been added that can
be used to configure local network interfaces statically or
via DHCP. It is capable of bringing up bridges, VLANs, and
bonding. Currently, no hook-ups for interactive network
configuration are provided. Use this for your initrd,
container, embedded, or server setup if you need a simple,
yet powerful, network configuration solution. This
configuration subsystem is quite nifty, as it allows wildcard
hotplug matching in interfaces. For example, with a single
configuration snippet, you can configure that all Ethernet
interfaces showing up are automatically added to a bridge,
or similar. It supports link-sensing and more.
* A new tool "systemd-socket-proxyd" has been added which can
act as a bidirectional proxy for TCP sockets. This is
useful for adding socket activation support to services that
do not actually support socket activation, including virtual
machines and the like.
* Add a new tool to save/restore rfkill state on
shutdown/boot.
* Save/restore state of keyboard backlights in addition to
display backlights on shutdown/boot.
* udev learned a new SECLABEL{} construct to label device
nodes with a specific security label when they appear. For
now, only SECLABEL{selinux} is supported, but the syntax is
prepared for additional security frameworks.
* udev gained a new scheme to configure link-level attributes
from files in /etc/systemd/network/*.link. These files can
match against MAC address, device path, driver name and type,
and will apply attributes like the naming policy, link speed,
MTU, duplex settings, Wake-on-LAN settings, MAC address, MAC
address assignment policy (randomized, …).
* The configuration of network interface naming rules for
"permanent interface names" has changed: a new NamePolicy=
setting in the [Link] section of .link files determines the
priority of possible naming schemes (onboard, slot, MAC,
path). The default value of this setting is determined by
/usr/lib/net/links/99-default.link. Old
80-net-name-slot.rules udev configuration file has been
removed, so local configuration overriding this file should
be adapted to override 99-default.link instead.
* When the User= switch is used in a unit file, also
initialize $SHELL= based on the user database entry.
* systemd no longer depends on libdbus. All communication is
now done with sd-bus, systemd's low-level bus library
implementation.
* kdbus support has been added to PID 1 itself. When kdbus is
enabled, this causes PID 1 to set up the system bus and
enable support for a new ".busname" unit type that
encapsulates bus name activation on kdbus. It works a little
bit like ".socket" units, except for bus names. A new
generator has been added that converts classic dbus1 service
activation files automatically into native systemd .busname
and .service units.
* sd-bus: add a light-weight vtable implementation that allows
defining objects on the bus with a simple static const
vtable array of its methods, signals and properties.
* systemd will not generate or install static dbus
introspection data anymore to /usr/share/dbus-1/interfaces,
as the precise format of these files is unclear, and
nothing makes use of it.
* A proxy daemon is now provided to proxy clients connecting
via classic D-Bus AF_UNIX sockets to kdbus, to provide full
compatibility with classic D-Bus.
* A bus driver implementation has been added that supports the
classic D-Bus bus driver calls on kdbus, also for
compatibility purposes.
* A new API "sd-event.h" has been added that implements a
minimal event loop API built around epoll. It provides a
couple of features that direct epoll usage is lacking:
prioritization of events, scales to large numbers of timer
events, per-event timer slack (accuracy), system-wide
coalescing of timer events, exit handlers, watchdog
supervision support using systemd's sd_notify() API, child
process handling.
* A new API "sd-rntl.h" has been added that provides an API
around the route netlink interface of the kernel, similar in
style to "sd-bus.h".
* A new API "sd-dhcp-client.h" has been added that provides a
small DHCPv4 client-side implementation. This is used by
"systemd-networkd".
* There is a new kernel command line option
"systemd.restore_state=0|1". When set to "0", none of the
systemd tools will restore saved runtime state to hardware
devices. More specifically, the rfkill and backlight states
are not restored.
* The FsckPassNo= compatibility option in mount/service units
has been removed. The fstab generator will now add the
necessary dependencies automatically, and does not require
PID1's support for that anymore.
* journalctl gained a new switch, --list-boots, that lists
recent boots with their times and boot IDs.
* The various tools like systemctl, loginctl, timedatectl,
busctl, systemd-run, … have gained a new switch "-M" to
connect to a specific, local OS container (as direct
connection, without requiring SSH). This works on any
container that is registered with machined, such as those
created by libvirt-lxc or nspawn.
* systemd-run and systemd-analyze also gained support for "-H"
to connect to remote hosts via SSH. This is particularly
useful for systemd-run because it enables queuing of jobs
onto remote systems.
* machinectl gained a new command "login" to open a getty
login in any local container. This works with any container
that is registered with machined (such as those created by
libvirt-lxc or nspawn), and which runs systemd inside.
* machinectl gained a new "reboot" command that may be used to
trigger a reboot on a specific container that is registered
with machined. This works on any container that runs an init
system of some kind.
* systemctl gained a new "list-timers" command to print a nice
listing of installed timer units with the times they elapse
next.
* Alternative reboot() parameters may now be specified on the
"systemctl reboot" command line and are passed to the
reboot() system call.
* systemctl gained a new --job-mode= switch to configure the
mode to queue a job with. This is a more generic version of
--fail, --irreversible, and --ignore-dependencies, which are
still available but not advertised anymore.
* /etc/systemd/system.conf gained new settings to configure
various default timeouts of units, as well as the default
start limit interval and burst. These may still be overridden
within each Unit.
* PID1 will now export on the bus profile data of the security
policy upload process (such as the SELinux policy upload to
the kernel).
* journald: when forwarding logs to the console, include
timestamps (following the setting in
/sys/module/printk/parameters/time).
* OnCalendar= in timer units now understands the special
strings "yearly" and "annually". (Both are equivalent)
* The accuracy of timer units is now configurable with the new
AccuracySec= setting. It defaults to 1min.
* A new dependency type JoinsNamespaceOf= has been added that
allows running two services within the same /tmp and network
namespace, if PrivateNetwork= or PrivateTmp= are used.
* A new command "cat" has been added to systemctl. It outputs
the original unit file of a unit, and concatenates the
contents of additional "drop-in" unit file snippets, so that
the full configuration is shown.
* systemctl now supports globbing on the various "list-xyz"
commands, like "list-units" or "list-sockets", as well as on
those commands which take multiple unit names.
* journalctl's --unit= switch gained support for globbing.
* All systemd daemons now make use of the watchdog logic so
that systemd automatically notices when they hang.
* If the $container_ttys environment variable is set,
getty-generator will automatically spawn a getty for each
listed tty. This is useful for container managers to request
login gettys to be spawned on as many ttys as needed.
* %h, %s, %U specifier support is not available anymore when
used in unit files for PID 1. This is because NSS calls are
not safe from PID 1. They stay available for --user
instances of systemd, and as special case for the root user.
* loginctl gained a new "--no-legend" switch to turn off output
of the legend text.
* The "sd-login.h" API gained three new calls:
sd_session_is_remote(), sd_session_get_remote_user(),
sd_session_get_remote_host() to query information about
remote sessions.
* The udev hardware database now also carries vendor/product
information of SDIO devices.
* The "sd-daemon.h" API gained a new sd_watchdog_enabled() to
determine whether watchdog notifications are requested by
the system manager.
* Socket-activated per-connection services now include a
short description of the connection parameters in the
description.
* tmpfiles gained a new "--boot" option. When this is not used,
only lines where the command character is not suffixed with
"!" are executed. When this option is specified, those
options are executed too. This partitions tmpfiles
directives into those that can be safely executed at any
time, and those which should be run only at boot (for
example, a line that creates /run/nologin).
* A new API "sd-resolve.h" has been added which provides a simple
asynchronous wrapper around glibc NSS hostname resolution
calls, such as getaddrinfo(). In contrast to glibc's
getaddrinfo_a(), it does not use signals. In contrast to most
other asynchronous name resolution libraries, this one does
not reimplement DNS, but reuses NSS, so that alternate
hostname resolution systems continue to work, such as mDNS,
LDAP, etc. This API is based on libasyncns, but it has been
cleaned up for inclusion in systemd.
* The APIs "sd-journal.h", "sd-login.h", "sd-id128.h",
"sd-daemon.h" are no longer found in individual libraries
libsystemd-journal.so, libsystemd-login.so,
libsystemd-id128.so, libsystemd-daemon.so. Instead, we have
merged them into a single library, libsystemd.so, which
provides all symbols. The reason for this is cyclic
dependencies, as these libraries tend to use each other's
symbols. So far, we have managed to workaround that by linking
a copy of a good part of our code into each of these
libraries again and again, which, however, makes certain
things hard to do, like sharing static variables. Also, it
substantially increases footprint. With this change, there
is only one library for the basic APIs systemd
provides. Also, "sd-bus.h", "sd-memfd.h", "sd-event.h",
"sd-rtnl.h", "sd-resolve.h", "sd-utf8.h" are found in this
library as well, however are subject to the --enable-kdbus
switch (see below). Note that "sd-dhcp-client.h" is not part
of this library (this is because it only consumes, never
provides, services of/to other APIs). To make the transition
easy from the separate libraries to the unified one, we
provide the --enable-compat-libs compile-time switch which
will generate stub libraries that are compatible with the
old ones but redirect all calls to the new one.
* All of the kdbus logic and the new APIs "sd-bus.h",
"sd-memfd.h", "sd-event.h", "sd-rtnl.h", "sd-resolve.h",
and "sd-utf8.h" are compile-time optional via the
"--enable-kdbus" switch, and they are not compiled in by
default. To make use of kdbus, you have to explicitly enable
the switch. Note however, that neither the kernel nor the
userspace API for all of this is considered stable yet. We
want to maintain the freedom to still change the APIs for
now. By specifying this build-time switch, you acknowledge
that you are aware of the instability of the current
APIs.
* Also, note that while kdbus is pretty much complete,
it lacks one thing: proper policy support. This means you
can build a fully working system with all features; however,
it will be highly insecure. Policy support will be added in
one of the next releases, at the same time that we will
declare the APIs stable.
* When the kernel command line argument "kdbus" is specified,
systemd will automatically load the kdbus.ko kernel module. At
this stage of development, it is only useful for testing kdbus
and should not be used in production. Note: if "--enable-kdbus"
is specified, and the kdbus.ko kernel module is available, and
"kdbus" is added to the kernel command line, the entire system
runs with kdbus instead of dbus-daemon, with the above mentioned
problem of missing the system policy enforcement. Also a future
version of kdbus.ko or a newer systemd will not be compatible with
each other, and will unlikely be able to boot the machine if only
one of them is updated.
* systemctl gained a new "import-environment" command which
uploads the caller's environment (or parts thereof) into the
service manager so that it is inherited by services started
by the manager. This is useful to upload variables like
$DISPLAY into the user service manager.
* A new PrivateDevices= switch has been added to service units
which allows running a service with a namespaced /dev
directory that does not contain any device nodes for
physical devices. More specifically, it only includes devices
such as /dev/null, /dev/urandom, and /dev/zero which are API
entry points.
* logind has been extended to support behaviour like VT
switching on seats that do not support a VT. This makes
multi-session available on seats that are not the first seat
(seat0), and on systems where kernel support for VTs has
been disabled at compile-time.
* If a process holds a delay lock for system sleep or shutdown
and fails to release it in time, we will now log its
identity. This makes it easier to identify processes that
cause slow suspends or power-offs.
* When parsing /etc/crypttab, support for a new key-slot=
option as supported by Debian is added. It allows indicating
which LUKS slot to use on disk, speeding up key loading.
* The sd_journal_sendv() API call has been checked and
officially declared to be async-signal-safe so that it may
be invoked from signal handlers for logging purposes.
* Boot-time status output is now enabled automatically after a
short timeout if boot does not progress, in order to give
the user an indication what she or he is waiting for.
* The boot-time output has been improved to show how much time
remains until jobs expire.
* The KillMode= switch in service units gained a new possible
value "mixed". If set, and the unit is shut down, then the
initial SIGTERM signal is sent only to the main daemon
process, while the following SIGKILL signal is sent to
all remaining processes of the service.
* When a scope unit is registered, a new property "Controller"
may be set. If set to a valid bus name, systemd will send a
RequestStop() signal to this name when it would like to shut
down the scope. This may be used to hook manager logic into
the shutdown logic of scope units. Also, scope units may now
be put in a special "abandoned" state, in which case the
manager process which created them takes no further
responsibilities for it.
* When reading unit files, systemd will now verify
the access mode of these files, and warn about certain
suspicious combinations. This has been added to make it
easier to track down packaging bugs where unit files are
marked executable or world-writable.
* systemd-nspawn gained a new "--setenv=" switch to set
container-wide environment variables. The similar option in
systemd-activate was renamed from "--environment=" to
"--setenv=" for consistency.
* systemd-nspawn has been updated to create a new kdbus domain
for each container that is invoked, thus allowing each
container to have its own set of system and user buses,
independent of the host.
* systemd-nspawn gained a new --drop-capability= switch to run
the container with less capabilities than the default. Both
--drop-capability= and --capability= now take the special
string "all" for dropping or keeping all capabilities.
* systemd-nspawn gained new switches for executing containers
with specific SELinux labels set.
* systemd-nspawn gained a new --quiet switch to not generate
any additional output but the container's own console
output.
* systemd-nspawn gained a new --share-system switch to run a
container without PID namespacing enabled.
* systemd-nspawn gained a new --register= switch to control
whether the container is registered with systemd-machined or
not. This is useful for containers that do not run full
OS images, but only specific apps.
* systemd-nspawn gained a new --keep-unit which may be used
when invoked as the only program from a service unit, and
results in registration of the unit service itself in
systemd-machined, instead of a newly opened scope unit.
* systemd-nspawn gained a new --network-interface= switch for
moving arbitrary interfaces to the container. The new
--network-veth switch creates a virtual Ethernet connection
between host and container. The new --network-bridge=
switch then allows assigning the host side of this virtual
Ethernet connection to a bridge device.
* systemd-nspawn gained a new --personality= switch for
setting the kernel personality for the container. This is
useful when running a 32-bit container on a 64-bit host. A
similar option Personality= is now also available for service
units to use.
* logind will now also track a "Desktop" identifier for each
session which encodes the desktop environment of it. This is
useful for desktop environments that want to identify
multiple running sessions of itself easily.
* A new SELinuxContext= setting for service units has been
added that allows setting a specific SELinux execution
context for a service.
* Most systemd client tools will now honour $SYSTEMD_LESS for
settings of the "less" pager. By default, these tools will
override $LESS to allow certain operations to work, such as
jump-to-the-end. With $SYSTEMD_LESS, it is possible to
influence this logic.
* systemd's "seccomp" hook-up has been changed to make use of
the libseccomp library instead of using its own
implementation. This has benefits for portability among
other things.
* For usage together with SystemCallFilter=, a new
SystemCallErrorNumber= setting has been introduced that
allows configuration of a system error number to be returned
on filtered system calls, instead of immediately killing the
process. Also, SystemCallArchitectures= has been added to
limit access to system calls of a particular architecture
(in order to turn off support for unused secondary
architectures). There is also a global
SystemCallArchitectures= setting in system.conf now to turn
off support for non-native system calls system-wide.
* systemd requires a kernel with a working name_to_handle_at(),
please see the kernel config requirements in the README file.
Contributions from: Adam Williamson, Alex Jia, Anatol Pomozov,
Ansgar Burchardt, AppleBloom, Auke Kok, Bastien Nocera,
Chengwei Yang, Christian Seiler, Colin Guthrie, Colin Walters,
Cristian Rodríguez, Daniel Buch, Daniele Medri, Daniel J
Walsh, Daniel Mack, Dan McGee, Dave Reisner, David Coppa,
David Herrmann, David Strauss, Djalal Harouni, Dmitry Pisklov,
Elia Pinto, Florian Weimer, George McCollister, Goffredo
Baroncelli, Greg Kroah-Hartman, Hendrik Brueckner, Igor
Zhbanov, Jan Engelhardt, Jan Janssen, Jason A. Donenfeld,
Jason St. John, Jasper St. Pierre, Jóhann B. Guðmundsson, Jose
Ignacio Naranjo, Karel Zak, Kay Sievers, Kristian Høgsberg,
Lennart Poettering, Lubomir Rintel, Lukas Nykryn, Lukasz
Skalski, Łukasz Stelmach, Luke Shumaker, Mantas Mikulėnas,
Marc-Antoine Perennou, Marcel Holtmann, Marcos Felipe Rasia de
Mello, Marko Myllynen, Martin Pitt, Matthew Monaco, Michael
Marineau, Michael Scherer, Michał Górny, Michal Sekletar,
Michele Curti, Oleksii Shevchuk, Olivier Brunel, Patrik Flykt,
Pavel Holica, Raudi, Richard Marko, Ronny Chevalier, Sébastien
Luttringer, Sergey Ptashnick, Shawn Landden, Simon Peeters,
Stefan Beller, Susant Sahani, Sylvain Plantefeve, Sylvia Else,
Tero Roponen, Thomas Bächler, Thomas Hindoe Paaboel Andersen,
Tom Gundersen, Umut Tezduyar Lindskog, Unai Uribarri, Václav
Pavlín, Vincent Batts, WaLyong Cho, William Giokas, Yang
Zhiyong, Yin Kangkai, Yuxuan Shui, Zbigniew Jędrzejewski-Szmek
— Berlin, 2014-02-20
CHANGES WITH 208:
* logind has gained support for facilitating privileged input
and drm device access for unprivileged clients. This work is
useful to allow Wayland display servers (and similar
programs, such as kmscon) to run under the user's ID and
access input and drm devices which are normally
protected. When this is used (and the kernel is new enough)
logind will "mute" IO on the file descriptors passed to
Wayland as long as it is in the background and "unmute" it
if it returns into the foreground. This allows secure
session switching without allowing background sessions to
eavesdrop on input and display data. This also introduces
session switching support if VT support is turned off in the
kernel, and on seats that are not seat0.
* A new kernel command line option luks.options= is understood
now which allows specifying LUKS options for usage for LUKS
encrypted partitions specified with luks.uuid=.
* tmpfiles.d(5) snippets may now use specifier expansion in
path names. More specifically %m, %b, %H, %v, are now
replaced by the local machine id, boot id, hostname, and
kernel version number.
* A new tmpfiles.d(5) command "m" has been introduced which
may be used to change the owner/group/access mode of a file
or directory if it exists, but do nothing if it does not.
* This release removes high-level support for the
MemorySoftLimit= cgroup setting. The underlying kernel
cgroup attribute memory.soft_limit= is currently badly
designed and likely to be removed from the kernel API in its
current form, hence we should not expose it for now.
* The memory.use_hierarchy cgroup attribute is now enabled for
all cgroups systemd creates in the memory cgroup
hierarchy. This option is likely to be come the built-in
default in the kernel anyway, and the non-hierarchical mode
never made much sense in the intrinsically hierarchical
cgroup system.
* A new field _SYSTEMD_SLICE= is logged along with all journal
messages containing the slice a message was generated
from. This is useful to allow easy per-customer filtering of
logs among other things.
* systemd-journald will no longer adjust the group of journal
files it creates to the "systemd-journal" group. Instead we
rely on the journal directory to be owned by the
"systemd-journal" group, and its setgid bit set, so that the
kernel file system layer will automatically enforce that
journal files inherit this group assignment. The reason for
this change is that we cannot allow NSS look-ups from
journald which would be necessary to resolve
"systemd-journal" to a numeric GID, because this might
create deadlocks if NSS involves synchronous queries to
other daemons (such as nscd, or sssd) which in turn are
logging clients of journald and might block on it, which
would then dead lock. A tmpfiles.d(5) snippet included in
systemd will make sure the setgid bit and group are
properly set on the journal directory if it exists on every
boot. However, we recommend adjusting it manually after
upgrades too (or from RPM scriptlets), so that the change is
not delayed until next reboot.
* Backlight and random seed files in /var/lib/ have moved into
the /var/lib/systemd/ directory, in order to centralize all
systemd generated files in one directory.
* Boot time performance measurements (as displayed by
"systemd-analyze" for example) will now read ACPI 5.0 FPDT
performance information if that's available to determine how
much time BIOS and boot loader initialization required. With
a sufficiently new BIOS you hence no longer need to boot
with Gummiboot to get access to such information.
Contributions from: Andrey Borzenkov, Chen Jie, Colin Walters,
Cristian Rodríguez, Dave Reisner, David Herrmann, David
Mackey, David Strauss, Eelco Dolstra, Evan Callicoat, Gao
feng, Harald Hoyer, Jimmie Tauriainen, Kay Sievers, Lennart
Poettering, Lukas Nykryn, Mantas Mikulėnas, Martin Pitt,
Michael Scherer, Michał Górny, Mike Gilbert, Patrick McCarty,
Sebastian Ott, Tom Gundersen, Zbigniew Jędrzejewski-Szmek
— Berlin, 2013-10-02
CHANGES WITH 207:
* The Restart= option for services now understands a new
on-watchdog setting, which will restart the service
automatically if the service stops sending out watchdog keep
alive messages (as configured with WatchdogSec=).
* The getty generator (which is responsible for bringing up a
getty on configured serial consoles) will no longer only
start a getty on the primary kernel console but on all
others, too. This makes the order in which console= is
specified on the kernel command line less important.
* libsystemd-logind gained a new sd_session_get_vt() call to
retrieve the VT number of a session.
* If the option "tries=0" is set for an entry of /etc/crypttab
its passphrase is queried indefinitely instead of any
maximum number of tries.
* If a service with a configure PID file terminates its PID
file will now be removed automatically if it still exists
afterwards. This should put an end to stale PID files.
* systemd-run will now also take relative binary path names
for execution and no longer insists on absolute paths.
* InaccessibleDirectories= and ReadOnlyDirectories= now take
paths that are optionally prefixed with "-" to indicate that
it should not be considered a failure if they do not exist.
* journalctl -o (and similar commands) now understands a new
output mode "short-precise", it is similar to "short" but
shows timestamps with usec accuracy.
* The option "discard" (as known from Debian) is now
synonymous to "allow-discards" in /etc/crypttab. In fact,
"discard" is preferred now (since it is easier to remember
and type).
* Some licensing clean-ups were made, so that more code is now
LGPL-2.1 licensed than before.
* A minimal tool to save/restore the display backlight
brightness across reboots has been added. It will store the
backlight setting as late as possible at shutdown, and
restore it as early as possible during reboot.
* A logic to automatically discover and enable home and swap
partitions on GPT disks has been added. With this in place
/etc/fstab becomes optional for many setups as systemd can
discover certain partitions located on the root disk
automatically. Home partitions are recognized under their
GPT type ID 933ac7e12eb44f13b8440e14e2aef915. Swap
partitions are recognized under their GPT type ID
0657fd6da4ab43c484e50933c84b4f4f.
* systemd will no longer pass any environment from the kernel
or initrd to system services. If you want to set an
environment for all services, do so via the kernel command
line systemd.setenv= assignment.
* The systemd-sysctl tool no longer natively reads the file
/etc/sysctl.conf. If desired, the file should be symlinked
from /etc/sysctl.d/99-sysctl.conf. Apart from providing
legacy support by a symlink rather than built-in code, it
also makes the otherwise hidden order of application of the
different files visible. (Note that this partly reverts to a
pre-198 application order of sysctl knobs!)
* The "systemctl set-log-level" and "systemctl dump" commands
have been moved to systemd-analyze.
* systemd-run learned the new --remain-after-exit switch,
which causes the scope unit not to be cleaned up
automatically after the process terminated.
* tmpfiles learned a new --exclude-prefix= switch to exclude
certain paths from operation.
* journald will now automatically flush all messages to disk
as soon as a message at the log level CRIT, ALERT or EMERG
is received.
Contributions from: Andrew Cook, Brandon Philips, Christian
Hesse, Christoph Junghans, Colin Walters, Daniel Schaal,
Daniel Wallace, Dave Reisner, David Herrmann, Gao feng, George
McCollister, Giovanni Campagna, Hannes Reinecke, Harald Hoyer,
Herczeg Zsolt, Holger Hans Peter Freyther, Jan Engelhardt,
Jesper Larsen, Kay Sievers, Khem Raj, Lennart Poettering,
Lukas Nykryn, Maciej Wereski, Mantas Mikulėnas, Marcel
Holtmann, Martin Pitt, Michael Biebl, Michael Marineau,
Michael Scherer, Michael Stapelberg, Michal Sekletar, Michał
Górny, Olivier Brunel, Ondrej Balaz, Ronny Chevalier, Shawn
Landden, Steven Hiscocks, Thomas Bächler, Thomas Hindoe
Paaboel Andersen, Tom Gundersen, Umut Tezduyar, WANG Chao,
William Giokas, Zbigniew Jędrzejewski-Szmek
— Berlin, 2013-09-13
CHANGES WITH 206:
* The documentation has been updated to cover the various new
concepts introduced with 205.
* Unit files now understand the new %v specifier which
resolves to the kernel version string as returned by "uname
-r".
* systemctl now supports filtering the unit list output by
load state, active state and sub state, using the new
--state= parameter.
* "systemctl status" will now show the results of the
condition checks (like ConditionPathExists= and similar) of
the last start attempts of the unit. They are also logged to
the journal.
* "journalctl -b" may now be used to look for boot output of a
specific boot. Try "journalctl -b -1" for the previous boot,
but the syntax is substantially more powerful.
* "journalctl --show-cursor" has been added which prints the
cursor string the last shown log line. This may then be used
with the new "journalctl --after-cursor=" switch to continue
browsing logs from that point on.
* "journalctl --force" may now be used to force regeneration
of an FSS key.
* Creation of "dead" device nodes has been moved from udev
into kmod and tmpfiles. Previously, udev would read the kmod
databases to pre-generate dead device nodes based on meta
information contained in kernel modules, so that these would
be auto-loaded on access rather then at boot. As this
does not really have much to do with the exposing actual
kernel devices to userspace this has always been slightly
alien in the udev codebase. Following the new scheme kmod
will now generate a runtime snippet for tmpfiles from the
module meta information and it now is tmpfiles' job to the
create the nodes. This also allows overriding access and
other parameters for the nodes using the usual tmpfiles
facilities. As side effect this allows us to remove the
CAP_SYS_MKNOD capability bit from udevd entirely.
* logind's device ACLs may now be applied to these "dead"
devices nodes too, thus finally allowing managed access to
devices such as /dev/snd/sequencer without loading the
backing module right-away.
* A new RPM macro has been added that may be used to apply
tmpfiles configuration during package installation.
* systemd-detect-virt and ConditionVirtualization= now can
detect User-Mode-Linux machines (UML).
* journald will now implicitly log the effective capabilities
set of processes in the message metadata.
* systemd-cryptsetup has gained support for TrueCrypt volumes.
* The initrd interface has been simplified (more specifically,
support for passing performance data via environment
variables and fsck results via files in /run has been
removed). These features were non-essential, and are
nowadays available in a much nicer way by having systemd in
the initrd serialize its state and have the hosts systemd
deserialize it again.
* The udev "keymap" data files and tools to apply keyboard
specific mappings of scan to key codes, and force-release
scan code lists have been entirely replaced by a udev
"keyboard" builtin and a hwdb data file.
* systemd will now honour the kernel's "quiet" command line
argument also during late shutdown, resulting in a
completely silent shutdown when used.
* There's now an option to control the SO_REUSEPORT socket
option in .socket units.
* Instance units will now automatically get a per-template
subslice of system.slice unless something else is explicitly
configured. For example, instances of sshd@.service will now
implicitly be placed in system-sshd.slice rather than
system.slice as before.
* Test coverage support may now be enabled at build time.
Contributions from: Dave Reisner, Frederic Crozat, Harald
Hoyer, Holger Hans Peter Freyther, Jan Engelhardt, Jan
Janssen, Jason St. John, Jesper Larsen, Kay Sievers, Lennart
Poettering, Lukas Nykryn, Maciej Wereski, Martin Pitt, Michael
Olbrich, Ramkumar Ramachandra, Ross Lagerwall, Shawn Landden,
Thomas H.P. Andersen, Tom Gundersen, Tomasz Torcz, William
Giokas, Zbigniew Jędrzejewski-Szmek
— Berlin, 2013-07-23
CHANGES WITH 205:
* Two new unit types have been introduced:
Scope units are very similar to service units, however, are
created out of pre-existing processes — instead of PID 1
forking off the processes. By using scope units it is
possible for system services and applications to group their
own child processes (worker processes) in a powerful way
which then maybe used to organize them, or kill them
together, or apply resource limits on them.
Slice units may be used to partition system resources in an
hierarchical fashion and then assign other units to them. By
default there are now three slices: system.slice (for all
system services), user.slice (for all user sessions),
machine.slice (for VMs and containers).
Slices and scopes have been introduced primarily in
context of the work to move cgroup handling to a
single-writer scheme, where only PID 1
creates/removes/manages cgroups.
* There's a new concept of "transient" units. In contrast to
normal units these units are created via an API at runtime,
not from configuration from disk. More specifically this
means it is now possible to run arbitrary programs as
independent services, with all execution parameters passed
in via bus APIs rather than read from disk. Transient units
make systemd substantially more dynamic then it ever was,
and useful as a general batch manager.
* logind has been updated to make use of scope and slice units
for managing user sessions. As a user logs in he will get
his own private slice unit, to which all sessions are added
as scope units. We also added support for automatically
adding an instance of user@.service for the user into the
slice. Effectively logind will no longer create cgroup
hierarchies on its own now, it will defer entirely to PID 1
for this by means of scope, service and slice units. Since
user sessions this way become entities managed by PID 1
the output of "systemctl" is now a lot more comprehensive.
* A new mini-daemon "systemd-machined" has been added which
may be used by virtualization managers to register local
VMs/containers. nspawn has been updated accordingly, and
libvirt will be updated shortly. machined will collect a bit
of meta information about the VMs/containers, and assign
them their own scope unit (see above). The collected
meta-data is then made available via the "machinectl" tool,
and exposed in "ps" and similar tools. machined/machinectl
is compile-time optional.
* As discussed earlier, the low-level cgroup configuration
options ControlGroup=, ControlGroupModify=,
ControlGroupPersistent=, ControlGroupAttribute= have been
removed. Please use high-level attribute settings instead as
well as slice units.
* A new bus call SetUnitProperties() has been added to alter
various runtime parameters of a unit. This is primarily
useful to alter cgroup parameters dynamically in a nice way,
but will be extended later on to make more properties
modifiable at runtime. systemctl gained a new set-properties
command that wraps this call.
* A new tool "systemd-run" has been added which can be used to
run arbitrary command lines as transient services or scopes,
while configuring a number of settings via the command
line. This tool is currently very basic, however already
very useful. We plan to extend this tool to even allow
queuing of execution jobs with time triggers from the
command line, similar in fashion to "at".
* nspawn will now inform the user explicitly that kernels with
audit enabled break containers, and suggest the user to turn
off audit.
* Support for detecting the IMA and AppArmor security
frameworks with ConditionSecurity= has been added.
* journalctl gained a new "-k" switch for showing only kernel
messages, mimicking dmesg output; in addition to "--user"
and "--system" switches for showing only user's own logs
and system logs.
* systemd-delta can now show information about drop-in
snippets extending unit files.
* libsystemd-bus has been substantially updated but is still
not available as public API.
* systemd will now look for the "debug" argument on the kernel
command line and enable debug logging, similar to what
"systemd.log_level=debug" already did before.
* "systemctl set-default", "systemctl get-default" has been
added to configure the default.target symlink, which
controls what to boot into by default.
* "systemctl set-log-level" has been added as a convenient
way to raise and lower systemd logging threshold.
* "systemd-analyze plot" will now show the time the various
generators needed for execution, as well as information
about the unit file loading.
* libsystemd-journal gained a new sd_journal_open_files() call
for opening specific journal files. journactl also gained a
new switch to expose this new functionality. Previously we
only supported opening all files from a directory, or all
files from the system, as opening individual files only is
racy due to journal file rotation.
* systemd gained the new DefaultEnvironment= setting in
/etc/systemd/system.conf to set environment variables for
all services.
* If a privileged process logs a journal message with the
OBJECT_PID= field set, then journald will automatically
augment this with additional OBJECT_UID=, OBJECT_GID=,
OBJECT_COMM=, OBJECT_EXE=, … fields. This is useful if
system services want to log events about specific client
processes. journactl/systemctl has been updated to make use
of this information if all log messages regarding a specific
unit is requested.
Contributions from: Auke Kok, Chengwei Yang, Colin Walters,
Cristian Rodríguez, Daniel Albers, Daniel Wallace, Dave
Reisner, David Coppa, David King, David Strauss, Eelco
Dolstra, Gabriel de Perthuis, Harald Hoyer, Jan Alexander
Steffens, Jan Engelhardt, Jan Janssen, Jason St. John, Johan
Heikkilä, Karel Zak, Karol Lewandowski, Kay Sievers, Lennart
Poettering, Lukas Nykryn, Mantas Mikulėnas, Marius Vollmer,
Martin Pitt, Michael Biebl, Michael Olbrich, Michael Tremer,
Michal Schmidt, Michał Bartoszkiewicz, Nirbheek Chauhan,
Pierre Neidhardt, Ross Burton, Ross Lagerwall, Sean McGovern,
Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar,
Václav Pavlín, Zachary Cook, Zbigniew Jędrzejewski-Szmek,
Łukasz Stelmach, 장동준
CHANGES WITH 204:
* The Python bindings gained some minimal support for the APIs
exposed by libsystemd-logind.
* ConditionSecurity= gained support for detecting SMACK. Since
this condition already supports SELinux and AppArmor we only
miss IMA for this. Patches welcome!
Contributions from: Karol Lewandowski, Lennart Poettering,
Zbigniew Jędrzejewski-Szmek
CHANGES WITH 203:
* systemd-nspawn will now create /etc/resolv.conf if
necessary, before bind-mounting the host's file onto it.
* systemd-nspawn will now store meta information about a
container on the container's cgroup as extended attribute
fields, including the root directory.
* The cgroup hierarchy has been reworked in many ways. All
objects any of the components systemd creates in the cgroup
tree are now suffixed. More specifically, user sessions are
now placed in cgroups suffixed with ".session", users in
cgroups suffixed with ".user", and nspawn containers in
cgroups suffixed with ".nspawn". Furthermore, all cgroup
names are now escaped in a simple scheme to avoid collision
of userspace object names with kernel filenames. This work
is preparation for making these objects relocatable in the
cgroup tree, in order to allow easy resource partitioning of
these objects without causing naming conflicts.
* systemctl list-dependencies gained the new switches
--plain, --reverse, --after and --before.
* systemd-inhibit now shows the process name of processes that
have taken an inhibitor lock.
* nss-myhostname will now also resolve "localhost"
implicitly. This makes /etc/hosts an optional file and
nicely handles that on IPv6 ::1 maps to both "localhost" and
the local hostname.
* libsystemd-logind.so gained a new call
sd_get_machine_names() to enumerate running containers and
VMs (currently only supported by very new libvirt and
nspawn). sd_login_monitor can now be used to watch
VMs/containers coming and going.
* .include is not allowed recursively anymore, and only in
unit files. Usually it is better to use drop-in snippets in
.d/*.conf anyway, as introduced with systemd 198.
* systemd-analyze gained a new "critical-chain" command that
determines the slowest chain of units run during system
boot-up. It is very useful for tracking down where
optimizing boot time is the most beneficial.
* systemd will no longer allow manipulating service paths in
the name=systemd:/system cgroup tree using ControlGroup= in
units. (But is still fine with it in all other dirs.)
* There's a new systemd-nspawn@.service service file that may
be used to easily run nspawn containers as system
services. With the container's root directory in
/var/lib/container/foobar it is now sufficient to run
"systemctl start systemd-nspawn@foobar.service" to boot it.
* systemd-cgls gained a new parameter "--machine" to list only
the processes within a certain container.
* ConditionSecurity= now can check for "apparmor". We still
are lacking checks for SMACK and IMA for this condition
check though. Patches welcome!
* A new configuration file /etc/systemd/sleep.conf has been
added that may be used to configure which kernel operation
systemd is supposed to execute when "suspend", "hibernate"
or "hybrid-sleep" is requested. This makes the new kernel
"freeze" state accessible to the user.
* ENV{SYSTEMD_WANTS} in udev rules will now implicitly escape
the passed argument if applicable.
Contributions from: Auke Kok, Colin Guthrie, Colin Walters,
Cristian Rodríguez, Daniel Buch, Daniel Wallace, Dave Reisner,
Evangelos Foutras, Greg Kroah-Hartman, Harald Hoyer, Josh
Triplett, Kay Sievers, Lennart Poettering, Lukas Nykryn,
MUNEDA Takahiro, Mantas Mikulėnas, Mirco Tischler, Nathaniel
Chen, Nirbheek Chauhan, Ronny Chevalier, Ross Lagerwall, Tom
Gundersen, Umut Tezduyar, Ville Skyttä, Zbigniew
Jędrzejewski-Szmek
CHANGES WITH 202:
* The output of 'systemctl list-jobs' got some polishing. The
'--type=' argument may now be passed more than once. A new
command 'systemctl list-sockets' has been added which shows
a list of kernel sockets systemd is listening on with the
socket units they belong to, plus the units these socket
units activate.
* The experimental libsystemd-bus library got substantial
updates to work in conjunction with the (also experimental)
kdbus kernel project. It works well enough to exchange
messages with some sophistication. Note that kdbus is not
ready yet, and the library is mostly an elaborate test case
for now, and not installable.
* systemd gained a new unit 'systemd-static-nodes.service'
that generates static device nodes earlier during boot, and
can run in conjunction with udev.
* libsystemd-login gained a new call sd_pid_get_user_unit()
to retrieve the user systemd unit a process is running
in. This is useful for systems where systemd is used as
session manager.
* systemd-nspawn now places all containers in the new /machine
top-level cgroup directory in the name=systemd
hierarchy. libvirt will soon do the same, so that we get a
uniform separation of /system, /user and /machine for system
services, user processes and containers/virtual
machines. This new cgroup hierarchy is also useful to stick
stable names to specific container instances, which can be
recognized later this way (this name may be controlled
via systemd-nspawn's new -M switch). libsystemd-login also
gained a new call sd_pid_get_machine_name() to retrieve the
name of the container/VM a specific process belongs to.
* bootchart can now store its data in the journal.
* libsystemd-journal gained a new call
sd_journal_add_conjunction() for AND expressions to the
matching logic. This can be used to express more complex
logical expressions.
* journactl can now take multiple --unit= and --user-unit=
switches.
* The cryptsetup logic now understands the "luks.key=" kernel
command line switch for specifying a file to read the
decryption key from. Also, if a configured key file is not
found the tool will now automatically fall back to prompting
the user.
* Python systemd.journal module was updated to wrap recently
added functions from libsystemd-journal. The interface was
changed to bring the low level interface in s.j._Reader
closer to the C API, and the high level interface in
s.j.Reader was updated to wrap and convert all data about
an entry.
Contributions from: Anatol Pomozov, Auke Kok, Harald Hoyer,
Henrik Grindal Bakken, Josh Triplett, Kay Sievers, Lennart
Poettering, Lukas Nykryn, Mantas Mikulėnas Marius Vollmer,
Martin Jansa, Martin Pitt, Michael Biebl, Michal Schmidt,
Mirco Tischler, Pali Rohar, Simon Peeters, Steven Hiscocks,
Tom Gundersen, Zbigniew Jędrzejewski-Szmek
CHANGES WITH 201:
* journalctl --update-catalog now understands a new --root=
option to operate on catalogs found in a different root
directory.
* During shutdown after systemd has terminated all running
services a final killing loop kills all remaining left-over
processes. We will now print the name of these processes
when we send SIGKILL to them, since this usually indicates a
problem.
* If /etc/crypttab refers to password files stored on
configured mount points automatic dependencies will now be
generated to ensure the specific mount is established first
before the key file is attempted to be read.
* 'systemctl status' will now show information about the
network sockets a socket unit is listening on.
* 'systemctl status' will also shown information about any
drop-in configuration file for units. (Drop-In configuration
files in this context are files such as
/etc/systemd/system/foobar.service.d/*.conf)
* systemd-cgtop now optionally shows summed up CPU times of
cgroups. Press '%' while running cgtop to switch between
percentage and absolute mode. This is useful to determine
which cgroups use up the most CPU time over the entire
runtime of the system. systemd-cgtop has also been updated
to be 'pipeable' for processing with further shell tools.
* 'hostnamectl set-hostname' will now allow setting of FQDN
hostnames.
* The formatting and parsing of time span values has been
changed. The parser now understands fractional expressions
such as "5.5h". The formatter will now output fractional
expressions for all time spans under 1min, i.e. "5.123456s"
rather than "5s 123ms 456us". For time spans under 1s
millisecond values are shown, for those under 1ms
microsecond values are shown. This should greatly improve
all time-related output of systemd.
* libsystemd-login and libsystemd-journal gained new
functions for querying the poll() events mask and poll()
timeout value for integration into arbitrary event
loops.
* localectl gained the ability to list available X11 keymaps
(models, layouts, variants, options).
* 'systemd-analyze dot' gained the ability to filter for
specific units via shell-style globs, to create smaller,
more useful graphs. I.e. it is now possible to create simple
graphs of all the dependencies between only target units, or
of all units that Avahi has dependencies with.
Contributions from: Cristian Rodríguez, Dr. Tilmann Bubeck,
Harald Hoyer, Holger Hans Peter Freyther, Kay Sievers, Kelly
Anderson, Koen Kooi, Lennart Poettering, Maksim Melnikau,
Marc-Antoine Perennou, Marius Vollmer, Martin Pitt, Michal
Schmidt, Oleksii Shevchuk, Ronny Chevalier, Simon McVittie,
Steven Hiscocks, Thomas Weißschuh, Umut Tezduyar, Václav
Pavlín, Zbigniew Jędrzejewski-Szmek, Łukasz Stelmach
CHANGES WITH 200:
* The boot-time readahead implementation for rotating media
will now read the read-ahead data in multiple passes which
consist of all read requests made in equidistant time
intervals. This means instead of strictly reading read-ahead
data in its physical order on disk we now try to find a
middle ground between physical and access time order.
* /etc/os-release files gained a new BUILD_ID= field for usage
on operating systems that provide continuous builds of OS
images.
Contributions from: Auke Kok, Eelco Dolstra, Kay Sievers,
Lennart Poettering, Lukas Nykryn, Martin Pitt, Václav Pavlín
William Douglas, Zbigniew Jędrzejewski-Szmek
CHANGES WITH 199:
* systemd-python gained an API exposing libsystemd-daemon.
* The SMACK setup logic gained support for uploading CIPSO
security policy.
* Behaviour of PrivateTmp=, ReadWriteDirectories=,
ReadOnlyDirectories= and InaccessibleDirectories= has
changed. The private /tmp and /var/tmp directories are now
shared by all processes of a service (which means
ExecStartPre= may now leave data in /tmp that ExecStart= of
the same service can still access). When a service is
stopped its temporary directories are immediately deleted
(normal clean-up with tmpfiles is still done in addition to
this though).
* By default, systemd will now set a couple of sysctl
variables in the kernel: the safe sysrq options are turned
on, IP route verification is turned on, and source routing
disabled. The recently added hardlink and softlink
protection of the kernel is turned on. These settings should
be reasonably safe, and good defaults for all new systems.
* The predictable network naming logic may now be turned off
with a new kernel command line switch: net.ifnames=0.
* A new libsystemd-bus module has been added that implements a
pretty complete D-Bus client library. For details see:
https://lists.freedesktop.org/archives/systemd-devel/2013-March/009797.html
* journald will now explicitly flush the journal files to disk
at the latest 5min after each write. The file will then also
be marked offline until the next write. This should increase
reliability in case of a crash. The synchronization delay
can be configured via SyncIntervalSec= in journald.conf.
* There's a new remote-fs-setup.target unit that can be used
to pull in specific services when at least one remote file
system is to be mounted.
* There are new targets timers.target and paths.target as
canonical targets to pull user timer and path units in
from. This complements sockets.target with a similar
purpose for socket units.
* libudev gained a new call udev_device_set_attribute_value()
to set sysfs attributes of a device.
* The udev daemon now sets the default number of worker
processes executed in parallel based on the number of available
CPUs instead of the amount of available RAM. This is supposed
to provide a more reliable default and limit a too aggressive
parallelism for setups with 1000s of devices connected.
Contributions from: Auke Kok, Colin Walters, Cristian
Rodríguez, Daniel Buch, Dave Reisner, Frederic Crozat, Hannes
Reinecke, Harald Hoyer, Jan Alexander Steffens, Jan
Engelhardt, Josh Triplett, Kay Sievers, Lennart Poettering,
Mantas Mikulėnas, Martin Pitt, Mathieu Bridon, Michael Biebl,
Michal Schmidt, Michal Sekletar, Miklos Vajna, Nathaniel Chen,
Oleksii Shevchuk, Ozan Çağlayan, Thomas Hindoe Paaboel
Andersen, Tollef Fog Heen, Tom Gundersen, Umut Tezduyar,
Zbigniew Jędrzejewski-Szmek
CHANGES WITH 198:
* Configuration of unit files may now be extended via drop-in
files without having to edit/override the unit files
themselves. More specifically, if the administrator wants to
change one value for a service file foobar.service he can
now do so by dropping in a configuration snippet into
/etc/systemd/system/foobar.service.d/*.conf. The unit logic
will load all these snippets and apply them on top of the
main unit configuration file, possibly extending or
overriding its settings. Using these drop-in snippets is
generally nicer than the two earlier options for changing
unit files locally: copying the files from
/usr/lib/systemd/system/ to /etc/systemd/system/ and editing
them there; or creating a new file in /etc/systemd/system/
that incorporates the original one via ".include". Drop-in
snippets into these .d/ directories can be placed in any
directory systemd looks for units in, and the usual
overriding semantics between /usr/lib, /etc and /run apply
for them too.
* Most unit file settings which take lists of items can now be
reset by assigning the empty string to them. For example,
normally, settings such as Environment=FOO=BAR append a new
environment variable assignment to the environment block,
each time they are used. By assigning Environment= the empty
string the environment block can be reset to empty. This is
particularly useful with the .d/*.conf drop-in snippets
mentioned above, since this adds the ability to reset list
settings from vendor unit files via these drop-ins.
* systemctl gained a new "list-dependencies" command for
listing the dependencies of a unit recursively.
* Inhibitors are now honored and listed by "systemctl
suspend", "systemctl poweroff" (and similar) too, not only
GNOME. These commands will also list active sessions by
other users.
* Resource limits (as exposed by the various control group
controllers) can now be controlled dynamically at runtime
for all units. More specifically, you can now use a command
like "systemctl set-cgroup-attr foobar.service cpu.shares
2000" to alter the CPU shares a specific service gets. These
settings are stored persistently on disk, and thus allow the
administrator to easily adjust the resource usage of
services with a few simple commands. This dynamic resource
management logic is also available to other programs via the
bus. Almost any kernel cgroup attribute and controller is
supported.
* systemd-vconsole-setup will now copy all font settings to
all allocated VTs, where it previously applied them only to
the foreground VT.
* libsystemd-login gained the new sd_session_get_tty() API
call.
* This release drops support for a few legacy or
distribution-specific LSB facility names when parsing init
scripts: $x-display-manager, $mail-transfer-agent,
$mail-transport-agent, $mail-transfer-agent, $smtp,
$null. Also, the mail-transfer-agent.target unit backing
this has been removed. Distributions which want to retain
compatibility with this should carry the burden for
supporting this themselves and patch support for these back
in, if they really need to. Also, the facilities $syslog and
$local_fs are now ignored, since systemd does not support
early-boot LSB init scripts anymore, and these facilities
are implied anyway for normal services. syslog.target has
also been removed.
* There are new bus calls on PID1's Manager object for
cancelling jobs, and removing snapshot units. Previously,
both calls were only available on the Job and Snapshot
objects themselves.
* systemd-journal-gatewayd gained SSL support.
* The various "environment" files, such as /etc/locale.conf
now support continuation lines with a backslash ("\") as
last character in the line, similarly in style (but different)
to how this is supported in shells.
* For normal user processes the _SYSTEMD_USER_UNIT= field is
now implicitly appended to every log entry logged. systemctl
has been updated to filter by this field when operating on a
user systemd instance.
* nspawn will now implicitly add the CAP_AUDIT_WRITE and
CAP_AUDIT_CONTROL capabilities to the capabilities set for
the container. This makes it easier to boot unmodified
Fedora systems in a container, which however still requires
audit=0 to be passed on the kernel command line. Auditing in
kernel and userspace is unfortunately still too broken in
context of containers, hence we recommend compiling it out
of the kernel or using audit=0. Hopefully this will be fixed
one day for good in the kernel.
* nspawn gained the new --bind= and --bind-ro= parameters to
bind mount specific directories from the host into the
container.
* nspawn will now mount its own devpts file system instance
into the container, in order not to leak pty devices from
the host into the container.
* systemd will now read the firmware boot time performance
information from the EFI variables, if the used boot loader
supports this, and takes it into account for boot performance
analysis via "systemd-analyze". This is currently supported
only in conjunction with Gummiboot, but could be supported
by other boot loaders too. For details see:
https://systemd.io/BOOT_LOADER_INTERFACE
* A new generator has been added that automatically mounts the
EFI System Partition (ESP) to /boot, if that directory
exists, is empty, and no other file system has been
configured to be mounted there.
* logind will now send out PrepareForSleep(false) out
unconditionally, after coming back from suspend. This may be
used by applications as asynchronous notification for
system resume events.
* "systemctl unlock-sessions" has been added, that allows
unlocking the screens of all user sessions at once, similar
to how "systemctl lock-sessions" already locked all users
sessions. This is backed by a new D-Bus call UnlockSessions().
* "loginctl seat-status" will now show the master device of a
seat. (i.e. the device of a seat that needs to be around for
the seat to be considered available, usually the graphics
card).
* tmpfiles gained a new "X" line type, that allows
configuration of files and directories (with wildcards) that
shall be excluded from automatic cleanup ("aging").
* udev default rules set the device node permissions now only
at "add" events, and do not change them any longer with a
later "change" event.
* The log messages for lid events and power/sleep keypresses
now carry a message ID.
* We now have a substantially larger unit test suite, but this
continues to be work in progress.
* udevadm hwdb gained a new --root= parameter to change the
root directory to operate relative to.
* logind will now issue a background sync() request to the kernel
early at shutdown, so that dirty buffers are flushed to disk early
instead of at the last moment, in order to optimize shutdown
times a little.
* A new bootctl tool has been added that is an interface for
certain boot loader operations. This is currently a preview
and is likely to be extended into a small mechanism daemon
like timedated, localed, hostnamed, and can be used by
graphical UIs to enumerate available boot options, and
request boot into firmware operations.
* systemd-bootchart has been relicensed to LGPLv2.1+ to match
the rest of the package. It also has been updated to work
correctly in initrds.
* polkit previously has been runtime optional, and is now also
compile time optional via a configure switch.
* systemd-analyze has been reimplemented in C. Also "systemctl
dot" has moved into systemd-analyze.
* "systemctl status" with no further parameters will now print
the status of all active or failed units.
* Operations such as "systemctl start" can now be executed
with a new mode "--irreversible" which may be used to queue
operations that cannot accidentally be reversed by a later
job queuing. This is by default used to make shutdown
requests more robust.
* The Python API of systemd now gained a new module for
reading journal files.
* A new tool kernel-install has been added that can install
kernel images according to the Boot Loader Specification:
https://systemd.io/BOOT_LOADER_SPECIFICATION
* Boot time console output has been improved to provide
animated boot time output for hanging jobs.
* A new tool systemd-activate has been added which can be used
to test socket activation with, directly from the command
line. This should make it much easier to test and debug
socket activation in daemons.
* journalctl gained a new "--reverse" (or -r) option to show
journal output in reverse order (i.e. newest line first).
* journalctl gained a new "--pager-end" (or -e) option to jump
to immediately jump to the end of the journal in the
pager. This is only supported in conjunction with "less".
* journalctl gained a new "--user-unit=" option, that works
similarly to "--unit=" but filters for user units rather than
system units.
* A number of unit files to ease adoption of systemd in
initrds has been added. This moves some minimal logic from
the various initrd implementations into systemd proper.
* The journal files are now owned by a new group
"systemd-journal", which exists specifically to allow access
to the journal, and nothing else. Previously, we used the
"adm" group for that, which however possibly covers more
than just journal/log file access. This new group is now
already used by systemd-journal-gatewayd to ensure this
daemon gets access to the journal files and as little else
as possible. Note that "make install" will also set FS ACLs
up for /var/log/journal to give "adm" and "wheel" read
access to it, in addition to "systemd-journal" which owns
the journal files. We recommend that packaging scripts also
add read access to "adm" + "wheel" to /var/log/journal, and
all existing/future journal files. To normal users and
administrators little changes, however packagers need to
ensure to create the "systemd-journal" system group at
package installation time.
* The systemd-journal-gatewayd now runs as unprivileged user
systemd-journal-gateway:systemd-journal-gateway. Packaging
scripts need to create these system user/group at
installation time.
* timedated now exposes a new boolean property CanNTP that
indicates whether a local NTP service is available or not.
* systemd-detect-virt will now also detect xen PVs
* The pstore file system is now mounted by default, if it is
available.
* In addition to the SELinux and IMA policies we will now also
load SMACK policies at early boot.
Contributions from: Adel Gadllah, Aleksander Morgado, Auke
Kok, Ayan George, Bastien Nocera, Colin Walters, Daniel Buch,
Daniel Wallace, Dave Reisner, David Herrmann, David Strauss,
Eelco Dolstra, Enrico Scholz, Frederic Crozat, Harald Hoyer,
Jan Janssen, Jonathan Callen, Kay Sievers, Lennart Poettering,
Lukas Nykryn, Mantas Mikulėnas, Marc-Antoine Perennou, Martin
Pitt, Mauro Dreissig, Max F. Albrecht, Michael Biebl, Michael
Olbrich, Michal Schmidt, Michal Sekletar, Michal Vyskocil,
Michał Bartoszkiewicz, Mirco Tischler, Nathaniel Chen, Nestor
Ovroy, Oleksii Shevchuk, Paul W. Frields, Piotr Drąg, Rob
Clark, Ryan Lortie, Simon McVittie, Simon Peeters, Steven
Hiscocks, Thomas Hindoe Paaboel Andersen, Tollef Fog Heen, Tom
Gundersen, Umut Tezduyar, William Giokas, Zbigniew
Jędrzejewski-Szmek, Zeeshan Ali (Khattak)
CHANGES WITH 197:
* Timer units now support calendar time events in addition to
monotonic time events. That means you can now trigger a unit
based on a calendar time specification such as "Thu,Fri
2013-*-1,5 11:12:13" which refers to 11:12:13 of the first
or fifth day of any month of the year 2013, given that it is
a Thursday or a Friday. This brings timer event support
considerably closer to cron's capabilities. For details on
the supported calendar time specification language see
systemd.time(7).
* udev now supports a number of different naming policies for
network interfaces for predictable names, and a combination
of these policies is now the default. Please see this wiki
document for details:
https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html
* Auke Kok's bootchart implementation has been added to the
systemd tree. It is an optional component that can graph the
boot in quite some detail. It is one of the best bootchart
implementations around and minimal in its code and
dependencies.
* nss-myhostname has been integrated into the systemd source
tree. nss-myhostname guarantees that the local hostname
always stays resolvable via NSS. It has been a weak
requirement of systemd-hostnamed since a long time, and
since its code is actually trivial we decided to just
include it in systemd's source tree. It can be turned off
with a configure switch.
* The read-ahead logic is now capable of properly detecting
whether a btrfs file system is on SSD or rotating media, in
order to optimize the read-ahead scheme. Previously, it was
only capable of detecting this on traditional file systems
such as ext4.
* In udev, additional device properties are now read from the
IAB in addition to the OUI database. Also, Bluetooth company
identities are attached to the devices as well.
* In service files %U may be used as specifier that is
replaced by the configured user name of the service.
* nspawn may now be invoked without a controlling TTY. This
makes it suitable for invocation as its own service. This
may be used to set up a simple containerized server system
using only core OS tools.
* systemd and nspawn can now accept socket file descriptors
when they are started for socket activation. This enables
implementation of socket activated nspawn
containers. i.e. think about autospawning an entire OS image
when the first SSH or HTTP connection is received. We expect
that similar functionality will also be added to libvirt-lxc
eventually.
* journalctl will now suppress ANSI color codes when
presenting log data.
* systemctl will no longer show control group information for
a unit if the control group is empty anyway.
* logind can now automatically suspend/hibernate/shutdown the
system on idle.
* /etc/machine-info and hostnamed now also expose the chassis
type of the system. This can be used to determine whether
the local system is a laptop, desktop, handset or
tablet. This information may either be configured by the
user/vendor or is automatically determined from ACPI and DMI
information if possible.
* A number of polkit actions are now bound together with "imply"
rules. This should simplify creating UIs because many actions
will now authenticate similar ones as well.
* Unit files learnt a new condition ConditionACPower= which
may be used to conditionalize a unit depending on whether an
AC power source is connected or not, of whether the system
is running on battery power.
* systemctl gained a new "is-failed" verb that may be used in
shell scripts and suchlike to check whether a specific unit
is in the "failed" state.
* The EnvironmentFile= setting in unit files now supports file
globbing, and can hence be used to easily read a number of
environment files at once.
* systemd will no longer detect and recognize specific
distributions. All distribution-specific #ifdeffery has been
removed, systemd is now fully generic and
distribution-agnostic. Effectively, not too much is lost as
a lot of the code is still accessible via explicit configure
switches. However, support for some distribution specific
legacy configuration file formats has been dropped. We
recommend distributions to simply adopt the configuration
files everybody else uses now and convert the old
configuration from packaging scripts. Most distributions
already did that. If that's not possible or desirable,
distributions are welcome to forward port the specific
pieces of code locally from the git history.
* When logging a message about a unit systemd will now always
log the unit name in the message meta data.
* localectl will now also discover system locale data that is
not stored in locale archives, but directly unpacked.
* logind will no longer unconditionally use framebuffer
devices as seat masters, i.e. as devices that are required
to be existing before a seat is considered preset. Instead,
it will now look for all devices that are tagged as
"seat-master" in udev. By default, framebuffer devices will
be marked as such, but depending on local systems, other
devices might be marked as well. This may be used to
integrate graphics cards using closed source drivers (such
as NVidia ones) more nicely into logind. Note however, that
we recommend using the open source NVidia drivers instead,
and no udev rules for the closed-source drivers will be
shipped from us upstream.
Contributions from: Adam Williamson, Alessandro Crismani, Auke
Kok, Colin Walters, Daniel Wallace, Dave Reisner, David
Herrmann, David Strauss, Dimitrios Apostolou, Eelco Dolstra,
Eric Benoit, Giovanni Campagna, Hannes Reinecke, Henrik
Grindal Bakken, Hermann Gausterer, Kay Sievers, Lennart
Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel Holtmann,
Martin Pitt, Matthew Monaco, Michael Biebl, Michael Terry,
Michal Schmidt, Michal Sekletar, Michał Bartoszkiewicz, Oleg
Samarin, Pekka Lundstrom, Philip Nilsson, Ramkumar
Ramachandra, Richard Yao, Robert Millan, Sami Kerola, Shawn
Landden, Thomas Hindoe Paaboel Andersen, Thomas Jarosch,
Tollef Fog Heen, Tom Gundersen, Umut Tezduyar, Zbigniew
Jędrzejewski-Szmek
CHANGES WITH 196:
* udev gained support for loading additional device properties
from an indexed database that is keyed by vendor/product IDs
and similar device identifiers. For the beginning this
"hwdb" is populated with data from the well-known PCI and
USB database, but also includes PNP, ACPI and OID data. In
the longer run this indexed database shall grow into
becoming the one central database for non-essential
userspace device metadata. Previously, data from the PCI/USB
database was only attached to select devices, since the
lookup was a relatively expensive operation due to O(n) time
complexity (with n being the number of entries in the
database). Since this is now O(1), we decided to add in this
data for all devices where this is available, by
default. Note that the indexed database needs to be rebuilt
when new data files are installed. To achieve this you need
to update your packaging scripts to invoke "udevadm hwdb
--update" after installation of hwdb data files. For
RPM-based distributions we introduced the new
%udev_hwdb_update macro for this purpose.
* The Journal gained support for the "Message Catalog", an
indexed database to link up additional information with
journal entries. For further details please check:
https://www.freedesktop.org/wiki/Software/systemd/catalog
The indexed message catalog database also needs to be
rebuilt after installation of message catalog files. Use
"journalctl --update-catalog" for this. For RPM-based
distributions we introduced the %journal_catalog_update
macro for this purpose.
* The Python Journal bindings gained support for the standard
Python logging framework.
* The Journal API gained new functions for checking whether
the underlying file system of a journal file is capable of
properly reporting file change notifications, or whether
applications that want to reflect journal changes "live"
need to recheck journal files continuously in appropriate
time intervals.
* It is now possible to set the "age" field for tmpfiles
entries to 0, indicating that files matching this entry
shall always be removed when the directories are cleaned up.
* coredumpctl gained a new "gdb" verb which invokes gdb
right-away on the selected coredump.
* There's now support for "hybrid sleep" on kernels that
support this, in addition to "suspend" and "hibernate". Use
"systemctl hybrid-sleep" to make use of this.
* logind's HandleSuspendKey= setting (and related settings)
now gained support for a new "lock" setting to simply
request the screen lock on all local sessions, instead of
actually executing a suspend or hibernation.
* systemd will now mount the EFI variables file system by
default.
* Socket units now gained support for configuration of the
SMACK security label.
* timedatectl will now output the time of the last and next
daylight saving change.
* We dropped support for various legacy and distro-specific
concepts, such as insserv, early-boot SysV services
(i.e. those for non-standard runlevels such as 'b' or 'S')
or ArchLinux /etc/rc.conf support. We recommend the
distributions who still need support this to either continue
to maintain the necessary patches downstream, or find a
different solution. (Talk to us if you have questions!)
* Various systemd components will now bypass polkit checks for
root and otherwise handle properly if polkit is not found to
be around. This should fix most issues for polkit-less
systems. Quite frankly this should have been this way since
day one. It is absolutely our intention to make systemd work
fine on polkit-less systems, and we consider it a bug if
something does not work as it should if polkit is not around.
* For embedded systems it is now possible to build udev and
systemd without blkid and/or kmod support.
* "systemctl switch-root" is now capable of switching root
more than once. I.e. in addition to transitions from the
initrd to the host OS it is now possible to transition to
further OS images from the host. This is useful to implement
offline updating tools.
* Various other additions have been made to the RPM macros
shipped with systemd. Use %udev_rules_update() after
installing new udev rules files. %_udevhwdbdir,
%_udevrulesdir, %_journalcatalogdir, %_tmpfilesdir,
%_sysctldir are now available which resolve to the right
directories for packages to place various data files in.
* journalctl gained the new --full switch (in addition to
--all, to disable ellipsation for long messages.
Contributions from: Anders Olofsson, Auke Kok, Ben Boeckel,
Colin Walters, Cosimo Cecchi, Daniel Wallace, Dave Reisner,
Eelco Dolstra, Holger Hans Peter Freyther, Kay Sievers,
Chun-Yi Lee, Lekensteyn, Lennart Poettering, Mantas Mikulėnas,
Marti Raudsepp, Martin Pitt, Mauro Dreissig, Michael Biebl,
Michal Schmidt, Michal Sekletar, Miklos Vajna, Nis Martensen,
Oleksii Shevchuk, Olivier Brunel, Ramkumar Ramachandra, Thomas
Bächler, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Tony
Camuso, Umut Tezduyar, Zbigniew Jędrzejewski-Szmek
CHANGES WITH 195:
* journalctl gained new --since= and --until= switches to
filter by time. It also now supports nice filtering for
units via --unit=/-u.
* Type=oneshot services may use ExecReload= and do the
right thing.
* The journal daemon now supports time-based rotation and
vacuuming, in addition to the usual disk-space based
rotation.
* The journal will now index the available field values for
each field name. This enables clients to show pretty drop
downs of available match values when filtering. The bash
completion of journalctl has been updated
accordingly. journalctl gained a new switch -F to list all
values a certain field takes in the journal database.
* More service events are now written as structured messages
to the journal, and made recognizable via message IDs.
* The timedated, localed and hostnamed mini-services which
previously only provided support for changing time, locale
and hostname settings from graphical DEs such as GNOME now
also have a minimal (but very useful) text-based client
utility each. This is probably the nicest way to changing
these settings from the command line now, especially since
it lists available options and is fully integrated with bash
completion.
* There's now a new tool "systemd-coredumpctl" to list and
extract coredumps from the journal.
* We now install a README each in /var/log/ and
/etc/rc.d/init.d explaining where the system logs and init
scripts went. This hopefully should help folks who go to
that dirs and look into the otherwise now empty void and
scratch their heads.
* When user-services are invoked (by systemd --user) the
$MANAGERPID env var is set to the PID of systemd.
* SIGRTMIN+24 when sent to a --user instance will now result
in immediate termination of systemd.
* gatewayd received numerous feature additions such as a
"follow" mode, for live syncing and filtering.
* browse.html now allows filtering and showing detailed
information on specific entries. Keyboard navigation and
mouse screen support has been added.
* gatewayd/journalctl now supports HTML5/JSON
Server-Sent-Events as output.
* The SysV init script compatibility logic will now
heuristically determine whether a script supports the
"reload" verb, and only then make this available as
"systemctl reload".
* "systemctl status --follow" has been removed, use "journalctl
-u" instead.
* journald.conf's RuntimeMinSize=, PersistentMinSize= settings
have been removed since they are hardly useful to be
configured.
* And I'd like to take the opportunity to specifically mention
Zbigniew for his great contributions. Zbigniew, you rock!
Contributions from: Andrew Eikum, Christian Hesse, Colin
Guthrie, Daniel J Walsh, Dave Reisner, Eelco Dolstra, Ferenc
Wágner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas
Mikulėnas, Martin Mikkelsen, Martin Pitt, Michael Olbrich,
Michael Stapelberg, Michal Schmidt, Sebastian Ott, Thomas
Bächler, Umut Tezduyar, Will Woods, Wulf C. Krueger, Zbigniew
Jędrzejewski-Szmek, Сковорода Никита Андреевич
CHANGES WITH 194:
* If /etc/vconsole.conf is non-existent or empty we will no
longer load any console font or key map at boot by
default. Instead the kernel defaults will be left
intact. This is definitely the right thing to do, as no
configuration should mean no configuration, and hard-coding
font names that are different on all archs is probably a bad
idea. Also, the kernel default key map and font should be
good enough for most cases anyway, and mostly identical to
the userspace fonts/key maps we previously overloaded them
with. If distributions want to continue to default to a
non-kernel font or key map they should ship a default
/etc/vconsole.conf with the appropriate contents.
Contributions from: Colin Walters, Daniel J Walsh, Dave
Reisner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Tollef
Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek
CHANGES WITH 193:
* journalctl gained a new --cursor= switch to show entries
starting from the specified location in the journal.
* We now enforce a size limit on journal entry fields exported
with "-o json" in journalctl. Fields larger than 4K will be
assigned null. This can be turned off with --all.
* An (optional) journal gateway daemon is now available as
"systemd-journal-gatewayd.service". This service provides
access to the journal via HTTP and JSON. This functionality
will be used to implement live log synchronization in both
pull and push modes, but has various other users too, such
as easy log access for debugging of embedded devices. Right
now it is already useful to retrieve the journal via HTTP:
# systemctl start systemd-journal-gatewayd.service
# wget http://localhost:19531/entries
This will download the journal contents in a
/var/log/messages compatible format. The same as JSON:
# curl -H"Accept: application/json" http://localhost:19531/entries
This service is also accessible via a web browser where a
single static HTML5 app is served that uses the JSON logic
to enable the user to do some basic browsing of the
journal. This will be extended later on. Here's an example
screenshot of this app in its current state:
https://0pointer.de/public/journal-gatewayd
Contributions from: Kay Sievers, Lennart Poettering, Robert
Milasan, Tom Gundersen
CHANGES WITH 192:
* The bash completion logic is now available for journalctl
too.
* We do not mount the "cpuset" controller anymore together with
"cpu" and "cpuacct", as "cpuset" groups generally cannot be
started if no parameters are assigned to it. "cpuset" hence
broke code that assumed it could create "cpu" groups and
just start them.
* journalctl -f will now subscribe to terminal size changes,
and line break accordingly.
Contributions from: Dave Reisner, Kay Sievers, Lennart
Poettering, Lukas Nykrynm, Mirco Tischler, Václav Pavlín
CHANGES WITH 191:
* nspawn will now create a symlink /etc/localtime in the
container environment, copying the host's timezone
setting. Previously this has been done via a bind mount, but
since symlinks cannot be bind mounted this has now been
changed to create/update the appropriate symlink.
* journalctl -n's line number argument is now optional, and
will default to 10 if omitted.
* journald will now log the maximum size the journal files may
take up on disk. This is particularly useful if the default
built-in logic of determining this parameter from the file
system size is used. Use "systemctl status
systemd-journald.service" to see this information.
* The multi-seat X wrapper tool has been stripped down. As X
is now capable of enumerating graphics devices via udev in a
seat-aware way the wrapper is not strictly necessary
anymore. A stripped down temporary stop-gap is still shipped
until the upstream display managers have been updated to
fully support the new X logic. Expect this wrapper to be
removed entirely in one of the next releases.
* HandleSleepKey= in logind.conf has been split up into
HandleSuspendKey= and HandleHibernateKey=. The old setting
is not available anymore. X11 and the kernel are
distinguishing between these keys and we should too. This
also means the inhibition lock for these keys has been split
into two.
Contributions from: Dave Airlie, Eelco Dolstra, Lennart
Poettering, Lukas Nykryn, Václav Pavlín
CHANGES WITH 190:
* Whenever a unit changes state we will now log this to the
journal and show along the unit's own log output in
"systemctl status".
* ConditionPathIsMountPoint= can now properly detect bind
mount points too. (Previously, a bind mount of one file
system to another place in the same file system could not be
detected as mount, since they shared struct stat's st_dev
field.)
* We will now mount the cgroup controllers cpu, cpuacct,
cpuset and the controllers net_cls, net_prio together by
default.
* nspawn containers will now have a virtualized boot
ID. (i.e. /proc/sys/kernel/random/boot_id is now mounted
over with a randomized ID at container initialization). This
has the effect of making "journalctl -b" do the right thing
in a container.
* The JSON output journal serialization has been updated not
to generate "endless" list objects anymore, but rather one
JSON object per line. This is more in line how most JSON
parsers expect JSON objects. The new output mode
"json-pretty" has been added to provide similar output, but
neatly aligned for readability by humans.
* We dropped all explicit sync() invocations in the shutdown
code. The kernel does this implicitly anyway in the kernel
reboot() syscall. halt(8)'s -n option is now a compatibility
no-op.
* We now support virtualized reboot() in containers, as
supported by newer kernels. We will fall back to exit() if
CAP_SYS_REBOOT is not available to the container. Also,
nspawn makes use of this now and will actually reboot the
container if the containerized OS asks for that.
* journalctl will only show local log output by default
now. Use --merge (-m) to show remote log output, too.
* libsystemd-journal gained the new sd_journal_get_usage()
call to determine the current disk usage of all journal
files. This is exposed in the new "journalctl --disk-usage"
command.
* journald gained a new configuration setting SplitMode= in
journald.conf which may be used to control how user journals
are split off. See journald.conf(5) for details.
* A new condition type ConditionFileNotEmpty= has been added.
* tmpfiles' "w" lines now support file globbing, to write
multiple files at once.
* We added Python bindings for the journal submission
APIs. More Python APIs for a number of selected APIs will
likely follow. Note that we intend to add native bindings
only for the Python language, as we consider it common
enough to deserve bindings shipped within systemd. There are
various projects outside of systemd that provide bindings
for languages such as PHP or Lua.
* Many conditions will now resolve specifiers such as %i. In
addition, PathChanged= and related directives of .path units
now support specifiers as well.
* There's now a new RPM macro definition for the system preset
dir: %_presetdir.
* journald will now warn if it ca not forward a message to the
syslog daemon because its socket is full.
* timedated will no longer write or process /etc/timezone,
except on Debian. As we do not support late mounted /usr
anymore /etc/localtime always being a symlink is now safe,
and hence the information in /etc/timezone is not necessary
anymore.
* logind will now always reserve one VT for a text getty (VT6
by default). Previously if more than 6 X sessions where
started they took up all the VTs with auto-spawned gettys,
so that no text gettys were available anymore.
* udev will now automatically inform the btrfs kernel logic
about btrfs RAID components showing up. This should make
simple hotplug based btrfs RAID assembly work.
* PID 1 will now increase its RLIMIT_NOFILE to 64K by default
(but not for its children which will stay at the kernel
default). This should allow setups with a lot more listening
sockets.
* systemd will now always pass the configured timezone to the
kernel at boot. timedated will do the same when the timezone
is changed.
* logind's inhibition logic has been updated. By default,
logind will now handle the lid switch, the power and sleep
keys all the time, even in graphical sessions. If DEs want
to handle these events on their own they should take the new
handle-power-key, handle-sleep-key and handle-lid-switch
inhibitors during their runtime. A simple way to achieve
that is to invoke the DE wrapped in an invocation of:
systemd-inhibit --what=handle-power-key:handle-sleep-key:handle-lid-switch …
* Access to unit operations is now checked via SELinux taking
the unit file label and client process label into account.
* systemd will now notify the administrator in the journal
when he over-mounts a non-empty directory.
* There are new specifiers that are resolved in unit files,
for the hostname (%H), the machine ID (%m) and the boot ID
(%b).
Contributions from: Allin Cottrell, Auke Kok, Brandon Philips,
Colin Guthrie, Colin Walters, Daniel J Walsh, Dave Reisner,
Eelco Dolstra, Jan Engelhardt, Kay Sievers, Lennart
Poettering, Lucas De Marchi, Lukas Nykryn, Mantas Mikulėnas,
Martin Pitt, Matthias Clasen, Michael Olbrich, Pierre Schmitz,
Shawn Landden, Thomas Hindoe Paaboel Andersen, Tom Gundersen,
Václav Pavlín, Yin Kangkai, Zbigniew Jędrzejewski-Szmek
CHANGES WITH 189:
* Support for reading structured kernel messages from
/dev/kmsg has now been added and is enabled by default.
* Support for reading kernel messages from /proc/kmsg has now
been removed. If you want kernel messages in the journal
make sure to run a recent kernel (>= 3.5) that supports
reading structured messages from /dev/kmsg (see
above). /proc/kmsg is now exclusive property of classic
syslog daemons again.
* The libudev API gained the new
udev_device_new_from_device_id() call.
* The logic for file system namespace (ReadOnlyDirectory=,
ReadWriteDirectoy=, PrivateTmp=) has been reworked not to
require pivot_root() anymore. This means fewer temporary
directories are created below /tmp for this feature.
* nspawn containers will now see and receive all submounts
made on the host OS below the root file system of the
container.
* Forward Secure Sealing is now supported for Journal files,
which provide cryptographical sealing of journal files so
that attackers cannot alter log history anymore without this
being detectable. Lennart will soon post a blog story about
this explaining it in more detail.
* There are two new service settings RestartPreventExitStatus=
and SuccessExitStatus= which allow configuration of exit
status (exit code or signal) which will be excepted from the
restart logic, resp. consider successful.
* journalctl gained the new --verify switch that can be used
to check the integrity of the structure of journal files and
(if Forward Secure Sealing is enabled) the contents of
journal files.
* nspawn containers will now be run with /dev/stdin, /dev/fd/
and similar symlinks pre-created. This makes running shells
as container init process a lot more fun.
* The fstab support can now handle PARTUUID= and PARTLABEL=
entries.
* A new ConditionHost= condition has been added to match
against the hostname (with globs) and machine ID. This is
useful for clusters where a single OS image is used to
provision a large number of hosts which shall run slightly
different sets of services.
* Services which hit the restart limit will now be placed in a
failure state.
Contributions from: Bertram Poettering, Dave Reisner, Huang
Hang, Kay Sievers, Lennart Poettering, Lukas Nykryn, Martin
Pitt, Simon Peeters, Zbigniew Jędrzejewski-Szmek
CHANGES WITH 188:
* When running in --user mode systemd will now become a
subreaper (PR_SET_CHILD_SUBREAPER). This should make the ps
tree a lot more organized.
* A new PartOf= unit dependency type has been introduced that
may be used to group services in a natural way.
* "systemctl enable" may now be used to enable instances of
services.
* journalctl now prints error log levels in red, and
warning/notice log levels in bright white. It also supports
filtering by log level now.
* cgtop gained a new -n switch (similar to top), to configure
the maximum number of iterations to run for. It also gained
-b, to run in batch mode (accepting no input).
* The suffix ".service" may now be omitted on most systemctl
command lines involving service unit names.
* There's a new bus call in logind to lock all sessions, as
well as a loginctl verb for it "lock-sessions".
* libsystemd-logind.so gained a new call sd_journal_perror()
that works similar to libc perror() but logs to the journal
and encodes structured information about the error number.
* /etc/crypttab entries now understand the new keyfile-size=
option.
* shutdown(8) now can send a (configurable) wall message when
a shutdown is cancelled.
* The mount propagation mode for the root file system will now
default to "shared", which is useful to make containers work
nicely out-of-the-box so that they receive new mounts from
the host. This can be undone locally by running "mount
--make-rprivate /" if needed.
* The prefdm.service file has been removed. Distributions
should maintain this unit downstream if they intend to keep
it around. However, we recommend writing normal unit files
for display managers instead.
* Since systemd is a crucial part of the OS we will now
default to a number of compiler switches that improve
security (hardening) such as read-only relocations, stack
protection, and suchlike.
* The TimeoutSec= setting for services is now split into
TimeoutStartSec= and TimeoutStopSec= to allow configuration
of individual time outs for the start and the stop phase of
the service.
Contributions from: Artur Zaprzala, Arvydas Sidorenko, Auke
Kok, Bryan Kadzban, Dave Reisner, David Strauss, Harald Hoyer,
Jim Meyering, Kay Sievers, Lennart Poettering, Mantas
Mikulėnas, Martin Pitt, Michal Schmidt, Michal Sekletar, Peter
Alfredsen, Shawn Landden, Simon Peeters, Terence Honles, Tom
Gundersen, Zbigniew Jędrzejewski-Szmek
CHANGES WITH 187:
* The journal and id128 C APIs are now fully documented as man
pages.
* Extra safety checks have been added when transitioning from
the initial RAM disk to the main system to avoid accidental
data loss.
* /etc/crypttab entries now understand the new keyfile-offset=
option.
* systemctl -t can now be used to filter by unit load state.
* The journal C API gained the new sd_journal_wait() call to
make writing synchronous journal clients easier.
* journalctl gained the new -D switch to show journals from a
specific directory.
* journalctl now displays a special marker between log
messages of two different boots.
* The journal is now explicitly flushed to /var via a service
systemd-journal-flush.service, rather than implicitly simply
by seeing /var/log/journal to be writable.
* journalctl (and the journal C APIs) can now match for much
more complex expressions, with alternatives and
disjunctions.
* When transitioning from the initial RAM disk to the main
system we will now kill all processes in a killing spree to
ensure no processes stay around by accident.
* Three new specifiers may be used in unit files: %u, %h, %s
resolve to the user name, user home directory resp. user
shell. This is useful for running systemd user instances.
* We now automatically rotate journal files if their data
object hash table gets a fill level > 75%. We also size the
hash table based on the configured maximum file size. This
together should lower hash collisions drastically and thus
speed things up a bit.
* journalctl gained the new "--header" switch to introspect
header data of journal files.
* A new setting SystemCallFilters= has been added to services which may
be used to apply deny lists or allow lists to system calls. This is
based on SECCOMP Mode 2 of Linux 3.5.
* nspawn gained a new --link-journal= switch (and quicker: -j)
to link the container journal with the host. This makes it
very easy to centralize log viewing on the host for all
guests while still keeping the journal files separated.
* Many bugfixes and optimizations
Contributions from: Auke Kok, Eelco Dolstra, Harald Hoyer, Kay
Sievers, Lennart Poettering, Malte Starostik, Paul Menzel, Rex
Tsai, Shawn Landden, Tom Gundersen, Ville Skyttä, Zbigniew
Jędrzejewski-Szmek
CHANGES WITH 186:
* Several tools now understand kernel command line arguments,
which are only read when run in an initial RAM disk. They
usually follow closely their normal counterparts, but are
prefixed with rd.
* There's a new tool to analyze the readahead files that are
automatically generated at boot. Use:
/usr/lib/systemd/systemd-readahead analyze /.readahead
* We now provide an early debug shell on tty9 if this enabled. Use:
systemctl enable debug-shell.service
* All plymouth related units have been moved into the Plymouth
package. Please make sure to upgrade your Plymouth version
as well.
* systemd-tmpfiles now supports getting passed the basename of
a configuration file only, in which case it will look for it
in all appropriate directories automatically.
* udevadm info now takes a /dev or /sys path as argument, and
does the right thing. Example:
udevadm info /dev/sda
udevadm info /sys/class/block/sda
* systemctl now prints a warning if a unit is stopped but a
unit that might trigger it continues to run. Example: a
service is stopped but the socket that activates it is left
running.
* "systemctl status" will now mention if the log output was
shortened due to rotation since a service has been started.
* The journal API now exposes functions to determine the
"cutoff" times due to rotation.
* journald now understands SIGUSR1 and SIGUSR2 for triggering
immediately flushing of runtime logs to /var if possible,
resp. for triggering immediate rotation of the journal
files.
* It is now considered an error if a service is attempted to
be stopped that is not loaded.
* XDG_RUNTIME_DIR now uses numeric UIDs instead of usernames.
* systemd-analyze now supports Python 3
* tmpfiles now supports cleaning up directories via aging
where the first level dirs are always kept around but
directories beneath it automatically aged. This is enabled
by prefixing the age field with '~'.
* Seat objects now expose CanGraphical, CanTTY properties
which is required to deal with very fast bootups where the
display manager might be running before the graphics drivers
completed initialization.
* Seat objects now expose a State property.
* We now include RPM macros for service enabling/disabling
based on the preset logic. We recommend RPM based
distributions to make use of these macros if possible. This
makes it simpler to reuse RPM spec files across
distributions.
* We now make sure that the collected systemd unit name is
always valid when services log to the journal via
STDOUT/STDERR.
* There's a new man page kernel-command-line(7) detailing all
command line options we understand.
* The fstab generator may now be disabled at boot by passing
fstab=0 on the kernel command line.
* A new kernel command line option modules-load= is now understood
to load a specific kernel module statically, early at boot.
* Unit names specified on the systemctl command line are now
automatically escaped as needed. Also, if file system or
device paths are specified they are automatically turned
into the appropriate mount or device unit names. Example:
systemctl status /home
systemctl status /dev/sda
* The SysVConsole= configuration option has been removed from
system.conf parsing.
* The SysV search path is no longer exported on the D-Bus
Manager object.
* The Names= option has been removed from unit file parsing.
* There's a new man page bootup(7) detailing the boot process.
* Every unit and every generator we ship with systemd now
comes with full documentation. The self-explanatory boot is
complete.
* A couple of services gained "systemd-" prefixes in their
name if they wrap systemd code, rather than only external
code. Among them fsck@.service which is now
systemd-fsck@.service.
* The HaveWatchdog property has been removed from the D-Bus
Manager object.
* systemd.confirm_spawn= on the kernel command line should now
work sensibly.
* There's a new man page crypttab(5) which details all options
we actually understand.
* systemd-nspawn gained a new --capability= switch to pass
additional capabilities to the container.
* timedated will now read known NTP implementation unit names
from /usr/lib/systemd/ntp-units.d/*.list,
systemd-timedated-ntp.target has been removed.
* journalctl gained a new switch "-b" that lists log data of
the current boot only.
* The notify socket is in the abstract namespace again, in
order to support daemons which chroot() at start-up.
* There is a new Storage= configuration option for journald
which allows configuration of where log data should go. This
also provides a way to disable journal logging entirely, so
that data collected is only forwarded to the console, the
kernel log buffer or another syslog implementation.
* Many bugfixes and optimizations
Contributions from: Auke Kok, Colin Guthrie, Dave Reisner,
David Strauss, Eelco Dolstra, Kay Sievers, Lennart Poettering,
Lukas Nykryn, Michal Schmidt, Michal Sekletar, Paul Menzel,
Shawn Landden, Tom Gundersen
CHANGES WITH 185:
* "systemctl help <unit>" now shows the man page if one is
available.
* Several new man pages have been added.
* MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=,
MaxLevelConsole= can now be specified in
journald.conf. These options allow reducing the amount of
data stored on disk or forwarded by the log level.
* TimerSlackNSec= can now be specified in system.conf for
PID1. This allows system-wide power savings.
Contributions from: Dave Reisner, Kay Sievers, Lauri Kasanen,
Lennart Poettering, Malte Starostik, Marc-Antoine Perennou,
Matthias Clasen
CHANGES WITH 184:
* logind is now capable of (optionally) handling power and
sleep keys as well as the lid switch.
* journalctl now understands the syntax "journalctl
/usr/bin/avahi-daemon" to get all log output of a specific
daemon.
* CapabilityBoundingSet= in system.conf now also influences
the capability bound set of usermode helpers of the kernel.
Contributions from: Daniel Drake, Daniel J. Walsh, Gert
Michael Kulyk, Harald Hoyer, Jean Delvare, Kay Sievers,
Lennart Poettering, Matthew Garrett, Matthias Clasen, Paul
Menzel, Shawn Landden, Tero Roponen, Tom Gundersen
CHANGES WITH 183:
* Note that we skipped 139 releases here in order to set the
new version to something that is greater than both udev's
and systemd's most recent version number.
* udev: all udev sources are merged into the systemd source tree now.
All future udev development will happen in the systemd tree. It
is still fully supported to use the udev daemon and tools without
systemd running, like in initramfs or other init systems. Building
udev though, will require the *build* of the systemd tree, but
udev can be properly *run* without systemd.
* udev: /lib/udev/devices/ are not read anymore; systemd-tmpfiles
should be used to create dead device nodes as workarounds for broken
subsystems.
* udev: RUN+="socket:…" and udev_monitor_new_from_socket() is
no longer supported. udev_monitor_new_from_netlink() needs to be
used to subscribe to events.
* udev: when udevd is started by systemd, processes which are left
behind by forking them off of udev rules, are unconditionally cleaned
up and killed now after the event handling has finished. Services or
daemons must be started as systemd services. Services can be
pulled-in by udev to get started, but they can no longer be directly
forked by udev rules.
* udev: the daemon binary is called systemd-udevd now and installed
in /usr/lib/systemd/. Standalone builds or non-systemd systems need
to adapt to that, create symlink, or rename the binary after building
it.
* libudev no longer provides these symbols:
udev_monitor_from_socket()
udev_queue_get_failed_list_entry()
udev_get_{dev,sys,run}_path()
The versions number was bumped and symbol versioning introduced.
* systemd-loginctl and systemd-journalctl have been renamed
to loginctl and journalctl to match systemctl.
* The config files: /etc/systemd/systemd-logind.conf and
/etc/systemd/systemd-journald.conf have been renamed to
logind.conf and journald.conf. Package updates should rename
the files to the new names on upgrade.
* For almost all files the license is now LGPL2.1+, changed
from the previous GPL2.0+. Exceptions are some minor stuff
of udev (which will be changed to LGPL2.1 eventually, too),
and the MIT licensed sd-daemon.[ch] library that is suitable
to be used as drop-in files.
* systemd and logind now handle system sleep states, in
particular suspending and hibernating.
* logind now implements a sleep/shutdown/idle inhibiting logic
suitable for a variety of uses. Soonishly Lennart will blog
about this in more detail.
* var-run.mount and var-lock.mount are no longer provided
(which previously bind mounted these directories to their new
places). Distributions which have not converted these
directories to symlinks should consider stealing these files
from git history and add them downstream.
* We introduced the Documentation= field for units and added
this to all our shipped units. This is useful to make it
easier to explore the boot and the purpose of the various
units.
* All smaller setup units (such as
systemd-vconsole-setup.service) now detect properly if they
are run in a container and are skipped when
appropriate. This guarantees an entirely noise-free boot in
Linux container environments such as systemd-nspawn.
* A framework for implementing offline system updates is now
integrated, for details see:
https://www.freedesktop.org/software/systemd/man/systemd.offline-updates.html
* A new service type Type=idle is available now which helps us
avoiding ugly interleaving of getty output and boot status
messages.
* There's now a system-wide CapabilityBoundingSet= option to
globally reduce the set of capabilities for the
system. This is useful to drop CAP_SYS_MKNOD, CAP_SYS_RAWIO,
CAP_NET_RAW, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE or
even CAP_NET_ADMIN system-wide for secure systems.
* There are now system-wide DefaultLimitXXX= options to
globally change the defaults of the various resource limits
for all units started by PID 1.
* Harald Hoyer's systemd test suite has been integrated into
systemd which allows easy testing of systemd builds in qemu
and nspawn. (This is really awesome! Ask us for details!)
* The fstab parser is now implemented as generator, not inside
of PID 1 anymore.
* systemctl will now warn you if .mount units generated from
/etc/fstab are out of date due to changes in fstab that
have not been read by systemd yet.
* systemd is now suitable for usage in initrds. Dracut has
already been updated to make use of this. With this in place
initrds get a slight bit faster but primarily are much
easier to introspect and debug since "systemctl status" in
the host system can be used to introspect initrd services,
and the journal from the initrd is kept around too.
* systemd-delta has been added, a tool to explore differences
between user/admin configuration and vendor defaults.
* PrivateTmp= now affects both /tmp and /var/tmp.
* Boot time status messages are now much prettier and feature
proper english language. Booting up systemd has never been
so sexy.
* Read-ahead pack files now include the inode number of all
files to pre-cache. When the inode changes the pre-caching
is not attempted. This should be nicer to deal with updated
packages which might result in changes of read-ahead
patterns.
* We now temporaritly lower the kernel's read_ahead_kb variable
when collecting read-ahead data to ensure the kernel's
built-in read-ahead does not add noise to our measurements
of necessary blocks to pre-cache.
* There's now RequiresMountsFor= to add automatic dependencies
for all mounts necessary for a specific file system path.
* MountAuto= and SwapAuto= have been removed from
system.conf. Mounting file systems at boot has to take place
in systemd now.
* nspawn now learned a new switch --uuid= to set the machine
ID on the command line.
* nspawn now learned the -b switch to automatically search
for an init system.
* vt102 is now the default TERM for serial TTYs, upgraded from
vt100.
* systemd-logind now works on VT-less systems.
* The build tree has been reorganized. The individual
components now have directories of their own.
* A new condition type ConditionPathIsReadWrite= is now available.
* nspawn learned the new -C switch to create cgroups for the
container in other hierarchies.
* We now have support for hardware watchdogs, configurable in
system.conf.
* The scheduled shutdown logic now has a public API.
* We now mount /tmp as tmpfs by default, but this can be
masked and /etc/fstab can override it.
* Since udisks does not make use of /media anymore we are not
mounting a tmpfs on it anymore.
* journalctl gained a new --local switch to only interleave
locally generated journal files.
* We can now load the IMA policy at boot automatically.
* The GTK tools have been split off into a systemd-ui.
Contributions from: Andreas Schwab, Auke Kok, Ayan George,
Colin Guthrie, Daniel Mack, Dave Reisner, David Ward, Elan
Ruusamäe, Frederic Crozat, Gergely Nagy, Guillermo Vidal,
Hannes Reinecke, Harald Hoyer, Javier Jardón, Kay Sievers,
Lennart Poettering, Lucas De Marchi, Léo Gillot-Lamure,
Marc-Antoine Perennou, Martin Pitt, Matthew Monaco, Maxim
A. Mikityanskiy, Michael Biebl, Michael Olbrich, Michal
Schmidt, Nis Martensen, Patrick McCarty, Roberto Sassu, Shawn
Landden, Sjoerd Simons, Sven Anders, Tollef Fog Heen, Tom
Gundersen
CHANGES WITH 44:
* This is mostly a bugfix release
* Support optional initialization of the machine ID from the
KVM or container configured UUID.
* Support immediate reboots with "systemctl reboot -ff"
* Show /etc/os-release data in systemd-analyze output
* Many bugfixes for the journal, including endianness fixes and
ensuring that disk space enforcement works
* sd-login.h is C++ compatible again
* Extend the /etc/os-release format on request of the Debian
folks
* We now refuse non-UTF8 strings used in various configuration
and unit files. This is done to ensure we do not pass invalid
data over D-Bus or expose it elsewhere.
* Register Mimo USB Screens as suitable for automatic seat
configuration
* Read SELinux client context from journal clients in a race
free fashion
* Reorder configuration file lookup order. /etc now always
overrides /run in order to allow the administrator to always
and unconditionally override vendor-supplied or
automatically generated data.
* The various user visible bits of the journal now have man
pages. We still lack man pages for the journal API calls
however.
* We now ship all man pages in HTML format again in the
tarball.
Contributions from: Dave Reisner, Dirk Eibach, Frederic
Crozat, Harald Hoyer, Kay Sievers, Lennart Poettering, Marti
Raudsepp, Michal Schmidt, Shawn Landden, Tero Roponen, Thierry
Reding
CHANGES WITH 43:
* This is mostly a bugfix release
* systems lacking /etc/os-release are no longer supported.
* Various functionality updates to libsystemd-login.so
* Track class of PAM logins to distinguish greeters from
normal user logins.
Contributions from: Kay Sievers, Lennart Poettering, Michael
Biebl
CHANGES WITH 42:
* This is an important bugfix release for v41.
* Building man pages is now optional which should be useful
for those building systemd from git but unwilling to install
xsltproc.
* Watchdog support for supervising services is now usable. In
a future release support for hardware watchdogs
(i.e. /dev/watchdog) will be added building on this.
* Service start rate limiting is now configurable and can be
turned off per service. When a start rate limit is hit a
reboot can automatically be triggered.
* New CanReboot(), CanPowerOff() bus calls in systemd-logind.
Contributions from: Benjamin Franzke, Bill Nottingham,
Frederic Crozat, Lennart Poettering, Michael Olbrich, Michal
Schmidt, Michał Górny, Piotr Drąg
CHANGES WITH 41:
* The systemd binary is installed /usr/lib/systemd/systemd now;
An existing /sbin/init symlink needs to be adapted with the
package update.
* The code that loads kernel modules has been ported to invoke
libkmod directly, instead of modprobe. This means we do not
support systems with module-init-tools anymore.
* Watchdog support is now already useful, but still not
complete.
* A new kernel command line option systemd.setenv= is
understood to set system wide environment variables
dynamically at boot.
* We now limit the set of capabilities of systemd-journald.
* We now set SIGPIPE to ignore by default, since it only is
useful in shell pipelines, and has little use in general
code. This can be disabled with IgnoreSIPIPE=no in unit
files.
Contributions from: Benjamin Franzke, Kay Sievers, Lennart
Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen,
William Douglas
CHANGES WITH 40:
* This is mostly a bugfix release
* We now expose the reason why a service failed in the
"Result" D-Bus property.
* Rudimentary service watchdog support (will be completed over
the next few releases.)
* When systemd forks off in order execute some service we will
now immediately changes its argv[0] to reflect which process
it will execute. This is useful to minimize the time window
with a generic argv[0], which makes bootcharts more useful
Contributions from: Alvaro Soliverez, Chris Paulson-Ellis, Kay
Sievers, Lennart Poettering, Michael Olbrich, Michal Schmidt,
Mike Kazantsev, Ray Strode
CHANGES WITH 39:
* This is mostly a test release, but incorporates many
bugfixes.
* New systemd-cgtop tool to show control groups by their
resource usage.
* Linking against libacl for ACLs is optional again. If
disabled, support tracking device access for active logins
goes becomes unavailable, and so does access to the user
journals by the respective users.
* If a group "adm" exists, journal files are automatically
owned by them, thus allow members of this group full access
to the system journal as well as all user journals.
* The journal now stores the SELinux context of the logging
client for all entries.
* Add C++ inclusion guards to all public headers
* New output mode "cat" in the journal to print only text
messages, without any meta data like date or time.
* Include tiny X server wrapper as a temporary stop-gap to
teach XOrg udev display enumeration. This is used by display
managers such as gdm, and will go away as soon as XOrg
learned native udev hotplugging for display devices.
* Add new systemd-cat tool for executing arbitrary programs
with STDERR/STDOUT connected to the journal. Can also act as
BSD logger replacement, and does so by default.
* Optionally store all locally generated coredumps in the
journal along with meta data.
* systemd-tmpfiles learnt four new commands: n, L, c, b, for
writing short strings to files (for usage for /sys), and for
creating symlinks, character and block device nodes.
* New unit file option ControlGroupPersistent= to make cgroups
persistent, following the mechanisms outlined in
https://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups
* Support multiple local RTCs in a sane way
* No longer monopolize IO when replaying readahead data on
rotating disks, since we might starve non-file-system IO to
death, since fanotify() will not see accesses done by blkid,
or fsck.
* Do not show kernel threads in systemd-cgls anymore, unless
requested with new -k switch.
Contributions from: Dan Horák, Kay Sievers, Lennart
Poettering, Michal Schmidt
CHANGES WITH 38:
* This is mostly a test release, but incorporates many
bugfixes.
* The git repository moved to:
git://anongit.freedesktop.org/systemd/systemd
ssh://git.freedesktop.org/git/systemd/systemd
* First release with the journal
https://0pointer.de/blog/projects/the-journal.html
* The journal replaces both systemd-kmsg-syslogd and
systemd-stdout-bridge.
* New sd_pid_get_unit() API call in libsystemd-logind
* Many systemadm clean-ups
* Introduce remote-fs-pre.target which is ordered before all
remote mounts and may be used to start services before all
remote mounts.
* Added Mageia support
* Add bash completion for systemd-loginctl
* Actively monitor PID file creation for daemons which exit in
the parent process before having finished writing the PID
file in the daemon process. Daemons which do this need to be
fixed (i.e. PID file creation must have finished before the
parent exits), but we now react a bit more gracefully to them.
* Add colourful boot output, mimicking the well-known output
of existing distributions.
* New option PassCredentials= for socket units, for
compatibility with a recent kernel ABI breakage.
* /etc/rc.local is now hooked in via a generator binary, and
thus will no longer act as synchronization point during
boot.
* systemctl list-unit-files now supports --root=.
* systemd-tmpfiles now understands two new commands: z, Z for
relabelling files according to the SELinux database. This is
useful to apply SELinux labels to specific files in /sys,
among other things.
* Output of SysV services is now forwarded to both the console
and the journal by default, not only just the console.
* New man pages for all APIs from libsystemd-login.
* The build tree got reorganized and the build system is a
lot more modular allowing embedded setups to specifically
select the components of systemd they are interested in.
* Support for Linux systems lacking the kernel VT subsystem is
restored.
* configure's --with-rootdir= got renamed to
--with-rootprefix= to follow the naming used by udev and
kmod
* Unless specified otherwise we will now install to /usr instead
of /usr/local by default.
* Processes with '@' in argv[0][0] are now excluded from the
final shut-down killing spree, following the logic explained
in:
https://systemd.io/ROOT_STORAGE_DAEMONS/
* All processes remaining in a service cgroup when we enter
the START or START_PRE states are now killed with
SIGKILL. That means it is no longer possible to spawn
background processes from ExecStart= lines (which was never
supported anyway, and bad style).
* New PropagateReloadTo=/PropagateReloadFrom= options to bind
reloading of units together.
Contributions from: Bill Nottingham, Daniel J. Walsh, Dave
Reisner, Dexter Morgan, Gregs Gregs, Jonathan Nieder, Kay
Sievers, Lennart Poettering, Michael Biebl, Michal Schmidt,
Michał Górny, Ran Benita, Thomas Jarosch, Tim Waugh, Tollef
Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek