systemd System and Service Manager
CHANGES WITH 251:
* Incompatibility and Regression note:
In v250, the feature that automatically configures routes to addresses
specified in AllowedIPs= was added and enabled by default. However,
this feature causes network connectivity issues on many existing
setups. Hence, this is disabled by default since v250.3. The feature
can still be used by explicitly configuring RouteTable= setting in
.netdev files.
* Services with Restart=always and a failing ExecCondition= will no longer
be restarted, to bring ExecCondition= in line with Condition*= settings.
* Starting with v250 systemd-homed uses UID/GID mapping on the mounts
of activated home directories it manages (if the kernel and selected
file systems support it). So far it mapped three UID ranges: the
range from 0…60000, the user's own UID, and the range 60514…65534,
leaving everything else unmapped (in other words, the 16-bit UID range
is mapped almost fully, with the exception of the UID subrange used
for systemd-homed users, with one exception from that: the user's own
UID). Unmapped UIDs may not be used for file ownership in the home
directory — any chown() attempts with them will fail. With this
release a fourth range is added to these mappings:
524288…1879048191. This range is the UID range intended for container
uses, see:
https://systemd.io/UIDS-GIDS
This range may be used for container managers that place container OS
trees in the home directory (which is a questionable approach, for
quota, permission, SUID handling and network file system
compatibility reasons, but nonetheless apparently commonplace). Note
that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
UID assignments from the range are not managed or mapped by
`systemd-homed`, and must be managed with other mechanisms, in the
context of the local system.
Typically, a better approach to user namespacing in relevant
container managers would be to leave container OS trees on disk at
UID offset 0, but then map them to a dynamically allocated runtime
UID range via another UID mount map at container invocation
time. That way user namespace UID ranges become strictly a runtime
concept, and do not leak into persistent file systems, persistent
user databases or persistent configuration, thus greatly simplifying
handling, and improving compatibility with home directories intended
to be portable like the ones managed by systemd-homed.
CHANGES WITH 250:
* Support for encrypted and authenticated credentials has been added.
This extends the credential logic introduced with v247 to support
non-interactive symmetric encryption and authentication, based on a
key that is stored on the /var/ file system or in the TPM2 chip (if
available), or the combination of both (by default if a TPM2 chip
exists the combination is used, otherwise the /var/ key only). The
credentials are automatically decrypted at the moment a service is
started, and are made accessible to the service itself in unencrypted
form. A new tool 'systemd-creds' encrypts credentials for this
purpose, and two new service file settings LoadCredentialEncrypted=
and SetCredentialEncrypted= configure such credentials.
This feature is useful to store sensitive material such as SSL
certificates, passwords and similar securely at rest and only decrypt
them when needed, and in a way that is tied to the local OS
installation or hardware.
* systemd-gpt-auto-generator can now automatically set up discoverable
LUKS2 encrypted swap partitions.
* The GPT Discoverable Partitions Specification has been substantially
extended with support for root and /usr/ partitions for the majority
of architectures systemd supports. This includes platforms that do
not natively support UEFI, because even though GPT is specified under
UEFI umbrella, it is useful on other systems too. Specifically,
systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
Portable Services use the concept without requiring UEFI.
* The GPT Discoverable Partitions Specifications has been extended with
a new set of partitions that may carry PKCS#7 signatures for Verity
partitions, encoded in a simple JSON format. This implements a simple
mechanism for building disk images that are fully authenticated and
can be tested against a set of cryptographic certificates. This is
now implemented for the various systemd tools that can operate with
disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers.
The PKCS#7 signatures are passed to the kernel (where they are
checked against certificates from the kernel keyring), or can be
verified against certificates provided in userspace (via a simple
drop-in file mechanism).
* systemd-dissect's inspection logic will now report for which uses a
disk image is intended. Specifically, it will display whether an
image is suitable for booting on UEFI or in a container (using
systemd-nspawn's --image= switch), whether it can be used as portable
service, or attached as system extension.
* The system-extension.d/ drop-in files now support a new field
SYSEXT_SCOPE= that may encode which purpose a system extension image
is for: one of "initrd", "system" or "portable". This is useful to
make images more self-descriptive, and to ensure system extensions
cannot be attached in the wrong contexts.
* The os-release file learnt a new PORTABLE_PREFIXES= field which may
be used in portable service images to indicate which unit prefixes
are supported.
* The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
is now able to decode images for non-native architectures as well.
This allows systemd-nspawn to boot images of non-native architectures
if the corresponding user mode emulator is installed and
systemd-binfmtd is running.
* systemd-logind gained new settings HandlePowerKeyLongPress=,
HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
HandleHibernateKeyLongPress= which may be used to configure actions
when the relevant keys are pressed for more than 5s. This is useful
on devices that only have hardware for a subset of these keys. By
default, if the reboot key is pressed long the poweroff operation is
now triggered, and when the suspend key is pressed long the hibernate
operation is triggered. Long pressing the other two keys currently
does not trigger any operation by default.
* When showing unit status updates on the console during boot and
shutdown, and a service is slow to start so that the cylon animation
is shown, the most recent sd_notify() STATUS= text is now shown as
well. Services may use this to make the boot/shutdown output easier
to understand, and to indicate what precisely a service that is slow
to start or stop is waiting for. In particular, the per-user service
manager instance now reports what it is doing and which service it is
waiting for this way to the system service manager.
* The service manager will now re-execute on reception of the
SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
only when running as PID 1. There was no signal to request this when
running as per-user service manager, i.e. as any other PID than 1.
SIGRTMIN+25 works for both system and user managers.
* The hardware watchdog logic in PID 1 gained support for operating
with the default timeout configured in the hardware, instead of
insisting on re-configuring it. Set RuntimeWatchdogSec=default to
request this behavior.
* A new kernel command line option systemd.watchdog_sec= is now
understood which may be used to override the hardware watchdog
time-out for the boot.
* A new setting DefaultOOMScoreAdjust= is now supported in
/etc/systemd/system.conf + /etc/systemd/user.conf that may be used to
set the default process OOM score adjustment value for processes
forked off the service manager. For per-user service managers this
now defaults to 100, but for per-system service managers is left as
is. This means that by default now services forked off the user
service manager are more likely to be killed by the OOM killer than
system services or the managers themselves.
* A new per-service setting RestrictFileSystems= has been added that
restricts the file systems a service has access to by their type.
This is based on the new BPF LSM of the Linux kernel. It provides an
effective way to make certain API file systems unavailable to
services (and thus minimizing attack surface). A new command
"systemd-analyze filesystems" has been added that lists all known
file system types (and how they are grouped together under useful
group handles).
* Services now support a new setting RestrictNetworkInterfaces= for
restricting access to specific network interfaces.
* Service unit files gained new settings StartupAllowedCPUs= and
StartupAllowedMemoryNodes=. These are similar to their counterparts
without the "Startup" prefix and apply during the boot process
only. This is useful to improve boot-time behavior of the system and
assign resources differently during boot than during regular
runtime. This is similar to the preexisting StartupCPUWeight=
vs. CPUWeight= distinction.
* Related to this: the various StartupXYZ= settings
(i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied
during shutdown. The settings not prefixed with "Startup" hence apply
during regular runtime, and those that are prefixed like that apply
during boot and shutdown.
* A new per-unit set of conditions/asserts
[Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a
unit skip/fail activation if the system's (or a slice's) memory/cpu/io
pressure is above the configured threshold, using the kernel PSI
feature. For more details see systemd.unit(5) and
https://www.kernel.org/doc/html/latest/accounting/psi.html
* The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
ProtectKernelLogs=yes can now be used.
* The default maximum numbers of inodes have been raised from 64k to 1M
for /dev/, and from 400k to 1M for /tmp/.
* The per-user service manager learnt support for communicating with
systemd-oomd to acquire OOM kill information.
* A new service setting ExecSearchPath= has been added that allows
changing the search path for executables for services. It affects
where we look for the binaries specified in ExecStart= and similar,
and the specified directories are also added to the $PATH environment
variable passed to invoked processes.
* A new setting RuntimeRandomizedExtraSec= has been added for service
and scope units that allows extending the runtime time-out as
configured by RuntimeMaxSec= with a randomized amount.
* The syntax of the service unit settings RuntimeDirectory=,
StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
if the specified value is now suffixed with a colon, followed by
another filename, the latter will be created as symbolic link to the
specified directory. This allows creating these service directories
together with alias symlinks to make them available under multiple
names.
* Service unit files gained two new settings TTYRows=/TTYColumns= for
configuring rows/columns of the TTY device passed to
stdin/stdout/stderr of the service. This is useful to propagate TTY
dimensions to a virtual machine.
* A new service unit file setting ExitType= has been added that
specifies when to assume a service has exited. By default systemd
only watches the main process of a service. By setting
ExitType=cgroup it can be told to wait for the last process in a
cgroup instead.
* Automount unit files gained a new setting ExtraOptions= that can be
used to configure additional mount options to pass to the kernel when
mounting the autofs instance.
* "Urlification" (generation of ESC sequences that generate clickable
hyperlinks in modern terminals) may now be turned off altogether
during build-time.
* Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec=
settings that default to 200 and 2 s respectively. The ratelimit
ensures that a path unit cannot cause PID 1 to busy-loop when it is
trying to trigger a service that is skipped because of a Condition*=
not being satisfied. This matches the configuration and behaviour of
socket units.
* The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built
as a plug-in for cryptsetup. This means the plain cryptsetup command
may now be used to unlock volumes set up this way.
* The TPM2 logic in cryptsetup will now automatically detect systems
where the TPM2 chip advertises SHA256 PCR banks but the firmware only
updates the SHA1 banks. In such a case PCR policies will be
automatically bound to the latter, not the former. This makes the PCR
policies reliable, but they of course do not provide the same level of
trust as SHA256 banks.
* The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports
RSA primary keys in addition to ECC, improving compatibility with
TPM2 chips that do not support ECC. RSA keys are much slower to use
than ECC, and hence are only used if ECC is not available.
* /etc/crypttab gained support for a new token-timeout= setting for
encrypted volumes that allows configuration of the maximum time to
wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses
the logic will query the user for a regular passphrase/recovery key
instead.
* Support for activating dm-integrity volumes at boot via a new file
/etc/integritytab and the tool systemd-integritysetup have been
added. This is similar to /etc/crypttab and /etc/veritytab, but deals
with dm-integrity instead of dm-crypt/dm-verity.
* The systemd-veritysetup-generator now understands a new usrhash=
kernel command line option for specifying the Verity root hash for
the partition backing the /usr/ file system. A matching set of
systemd.verity_usr_* kernel command line options has been added as
well. These all work similar to the corresponding options for the
root partition.
* The sd-device API gained a new API call sd_device_get_diskseq() to
return the DISKSEQ property of a device structure. The "disk
sequence" concept is a new feature recently introduced to the Linux
kernel that allows detecting reuse cycles of block devices, i.e. can
be used to recognize when loopback block devices are reused for a
different purpose or CD-ROM drives get their media changed.
* A new unit systemd-boot-update.service has been added. If enabled
(the default) and the sd-boot loader is detected to be installed, it
is automatically updated to the newest version when out of date. This
is useful to ensure the boot loader remains up-to-date, and updates
automatically propagate from the OS tree in /usr/.
* sd-boot will now build with SBAT by default in order to facilitate
working with recent versions of Shim that require it to be present.
* sd-boot can now parse Microsoft Windows' Boot Configuration Data.
This is used to robustly generate boot entry titles for Windows.
* A new generic target unit factory-reset.target has been added. It is
hooked into systemd-logind similar in fashion to
reboot/poweroff/suspend/hibernate, and is supposed to be used to
initiate a factory reset operation. What precisely this operation
entails is up to the implementer to decide; the primary goal of the
new unit is to provide a framework into which the implementation can
be plugged, and a standard way to trigger it.
* A new meson build-time option 'clock-valid-range-usec-max' has been
added which takes a time in µs and defaults to 15 years. If the RTC
time is noticed to be more than the specified time ahead of the
built-in epoch of systemd (which by default is the release timestamp
of systemd) it is assumed that the RTC is not working correctly, and
the RTC is reset to the epoch. (It already is reset to the epoch when
noticed to be before it.) This should increase the chance that time
doesn't accidentally jump too far ahead due to faulty hardware or
batteries.
* A new setting SaveIntervalSec= has been added to systemd-timesyncd,
which may be used to automatically save the current system time to
disk in regular intervals. This is useful to maintain a roughly
monotonic clock even without RTC hardware and with some robustness
against abnormal system shutdown.
* systemd-analyze verify gained support for a pair of new --image= +
--root= switches for verifying units below a specific root
directory/image instead of on the host.
* systemd-analyze verify gained support for verifying unit files under
an explicitly specified unit name, independently of what the filename
actually is.
* systemd-analyze verify gained a new switch --recursive-errors= which
controls whether to only fail on errors found in the specified units
or recursively any dependent units.
* systemd-analyze security now supports a new --offline mode for
analyzing unit files stored on disk instead of loaded units. It may
be combined with --root=/--image to analyze unit files under a root
directory or disk image. It also learnt a new --threshold= parameter
for specifying an exposure level threshold: if the exposure level
exceeds the specified value the call will fail. It also gained a new
--security-policy= switch for configuring security policies to
enforce on the units. A policy is a JSON file that lists which tests
shall be weighted how much to determine the overall exposure
level. Altogether these new features are useful for fully automatic
analysis and enforcement of security policies on unit files.
* systemd-analyze security gained a new --json= switch for JSON output.
* systemd-analyze learnt a new --quiet switch for reducing
non-essential output. It's honored by the "dot", "syscall-filter",
"filesystems" commands.
* systemd-analyze security gained a --profile= option that can be used
to take into account a portable profile when analyzing portable
services, since a lot of the security-related settings are enabled
through them.
* systemd-analyze learnt a new inspect-elf verb that parses ELF core
files, binaries and executables and prints metadata information,
including the build-id and other info described on:
https://systemd.io/COREDUMP_PACKAGE_METADATA/
* .network files gained a new UplinkInterface= in the [IPv6SendRA]
section, for automatically propagating DNS settings from other
interfaces.
* The static lease DHCP server logic in systemd-networkd may now serve
IP addresses outside of the configured IP pool range for the server.
* CAN support in systemd-networkd gained four new settings Loopback=,
OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN
control modes. It gained a number of further settings for tweaking
CAN timing quanta.
* The [CAN] section in .network file gained new TimeQuantaNSec=,
PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=,
SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=,
DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and
DataSyncJumpWidth= settings to control bit-timing processed by the
CAN interface.
* DHCPv4 client support in systemd-networkd learnt a new Label= option
for configuring the address label to apply to configured IPv4
addresses.
* The [IPv6AcceptRA] section of .network files gained support for a new
UseMTU= setting that may be used to control whether to apply the
announced MTU settings to the local interface.
* The [DHCPv4] section in .network files gained a new Use6RD= boolean
setting to control whether the DHCPv4 client requests and processes
the DHCP 6RD option.
* The [DHCPv6PrefixDelegation] section in .network file is renamed to
[DHCPPrefixDelegation], as now the prefix delegation is also supported
with DHCPv4 protocol by enabling the Use6RD= setting.
* The [DHCPPrefixDelegation] section in .network file gained a new
setting UplinkInterface= to specify the upstream interface.
* The [DHCPv6] section in .network file gained a new setting
UseDelegatedPrefix= to control whether the delegated prefixes will be
propagated to the downstream interfaces.
* The [IPv6AcceptRA] section of .network files now understands two new
settings UseGateway=/UseRoutePrefix= for explicitly configuring
whether to use the relevant fields from the IPv6 Router Advertisement
records.
* The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
settings in the [DHCPv6] section and the DHCPv6Client= setting in the
[IPv6AcceptRA] section to control when the DHCPv6 client is started
and how the delegated prefixes are handled by the DHCPv6 client.
* The IPv6Token= setting in the [Network] section is deprecated, and
the [IPv6AcceptRA] section gained the Token= setting as its
replacement. The [IPv6Prefix] section also gained the Token= setting.
The Token= setting gained 'eui64' mode to explicitly configure an
address with the EUI64 algorithm based on the interface MAC address.
The 'prefixstable' mode can now optionally take a secret key. The
Token= setting in the [DHCPPrefixDelegation] section now supports all
algorithms supported by the same settings in the other sections.
* The [RoutingPolicyRule] section of .network file gained a new
SuppressInterfaceGroup= setting.
* The IgnoreCarrierLoss= setting in the [Network] section of .network
files now allows a duration to be specified, controlling how long to
wait before reacting to carrier loss.
* The [DHCPServer] section of .network file gained a new Router=
setting to specify the router address.
* The [CAKE] section of .network files gained various new settings
AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=,
MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=,
and UseRawPacketSize= for configuring CAKE.
* systemd-networkd now ships with new default .network files:
80-container-vb.network which matches host-side network bridge device
created by systemd-nspawn's --network-bridge or --network-zone
switch, and 80-6rd-tunnel.network which matches automatically created
sit tunnel with 6rd prefix when the DHCP 6RD option is received.
* systemd-networkd's handling of Endpoint= resolution for WireGuard
interfaces has been improved.
* systemd-networkd will now automatically configure routes to addresses
specified in AllowedIPs=. This feature can be controlled via
RouteTable= and RouteMetric= settings in [WireGuard] or
[WireGuardPeer] sections.
* systemd-networkd will now once again automatically generate persistent
MAC addresses for batadv and bridge interfaces. Users can disable this
by using MACAddress=none in .netdev files.
* systemd-networkd and systemd-udevd now support IP over InfiniBand
interfaces. The Kind= setting in .netdev files accepts "ipoib", and
systemd.netdev files gained the [IPoIB] section.
* systemd-networkd and systemd-udevd now support net.ifname-policy=
option on the kernel command-line. This is implemented through the
systemd-network-generator service that automatically generates
appropriate .link, .network, and .netdev files.
* The various systemd-udevd "ethtool" buffer settings now understand
the special value "max" to configure the buffers to the maximum the
hardware supports.
* systemd-udevd's .link files may now configure a large variety of
NIC coalescing settings, plus more hardware offload settings.
* .link files gained a new WakeOnLanPassword= setting in the [Link]
section that allows specifying a WoL "SecureOn" password on hardware
that supports this.
* systemd-nspawn's --setenv= switch now supports an additional syntax:
if only a variable name is specified (i.e. without being suffixed by
a '=' character and a value) the current value of the environment
variable is propagated to the container. E.g. --setenv=FOO will
look up the current value of $FOO in the environment, and pass it down
to the container. Similar behavior has been added to homectl's,
machinectl's and systemd-run's --setenv= switch.
* systemd-nspawn gained a new switch --suppress-sync= which may be used
to optionally suppress the effect of the sync()/fsync()/fdatasync()
system calls for the container payload. This is useful for build
system environments where safety against abnormal system shutdown is
not essential as all build artifacts can be regenerated any time, but
the performance win is beneficial.
* systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the
same value that PID 1 uses for most forked off processes.
* systemd-nspawn's --bind=/--bind-ro= switches now optionally take
uidmap/nouidmap options as last parameter. If "uidmap" is used the
bind mounts are created with UID mapping taking place that ensures
the host's file ownerships are mapped 1:1 to container file
ownerships, even if user namespacing is used. This way
files/directories bound into containers will no longer show up as
owned by the nobody user as they typically did if no special care was
taken to shift them manually.
* When discovering Windows installations sd-boot will now attempt to
show the Windows version.
* The color scheme to use in sd-boot may now be configured at
build-time.
* sd-boot gained the ability to change screen resolution during
boot-time, by hitting the "r" key. This will cycle through available
resolutions and save the last selection.
* sd-boot learnt a new hotkey "f". When pressed the system will enter
firmware setup. This is useful in environments where it is difficult
to hit the right keys early enough to enter the firmware, and works
on any firmware regardless which key it natively uses.
* sd-boot gained support for automatically booting into the menu item
selected on the last boot (using the "@saved" identifier for menu
items).
* sd-boot gained support for automatically loading all EFI drivers
placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
Partition (ESP). These drivers are loaded before the menu entries are
loaded. This is useful e.g. to load additional file system drivers
for the XBOOTLDR partition.
* systemd-boot will now paint the input cursor on its own instead of
relying on the firmware to do so, increasing compatibility with broken
firmware that doesn't make the cursor reasonably visible.
* sd-boot now embeds a .osrel PE section like we expect from Boot
Loader Specification Type #2 Unified Kernels. This means sd-boot
itself may be used in place of a Type #2 Unified Kernel. This is
useful for debugging purposes as it allows chain-loading one
(development) sd-boot instance from another.
* sd-boot now supports a new "devicetree" field in Boot Loader
Specification Type #1 entries: if configured the specified device
tree file is installed before the kernel is invoked. This is useful
for installing/applying new devicetree files without updating the
kernel image.
* Similarly, sd-stub now can read devicetree data from a PE section
".dtb" and apply it before invoking the kernel.
* sd-stub (the EFI stub that can be glued in front of a Linux kernel)
gained the ability to pick up credentials and sysext files, wrap them
in a cpio archive, and pass as an additional initrd to the invoked
Linux kernel, in effect placing those files in the /.extra/ directory
of the initrd environment. This is useful to implement trusted initrd
environments which are fully authenticated but still can be extended
(via sysexts) and parameterized (via encrypted/authenticated
credentials, see above).
Credentials can be located next to the kernel image file (credentials
specific to a single boot entry), or in one of the shared directories
(credentials applicable to multiple boot entries).
* sd-stub now comes with a full man page, that explains its feature set
and how to combine a kernel image, an initrd and the stub to build a
complete EFI unified kernel image, implementing Boot Loader
Specification Type #2.
* sd-stub may now provide the initrd to the executed kernel via the
LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
non-x86 architectures.
* bootctl learnt new set-timeout and set-timeout-oneshot commands that
may be used to set the boot menu time-out of the boot loader (for all
or just the subsequent boot).
* bootctl and kernel-install will now read KERNEL_INSTALL_MACHINE_ID
and KERNEL_INSTALL_LAYOUT from kernel/install.conf. The first
variable specifies the machine-id to use for installation. It would
previously be used if set in the environment, and now it'll also be
read automatically from the config file. The second variable is new.
When set, it specifies the layout to use for installation directories
on the boot partition, so that tools don't need to guess it based on
the already-existing directories. The only value that is defined
natively is "bls", corresponding to the layout specified in
https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for
kernel-install that implement a different layout can declare other
values for this variable.
'bootctl install' will now write KERNEL_INSTALL_LAYOUT=bls, on the
assumption that if the user installed sd-boot to the ESP, they intend
to use the entry layout understood by sd-boot. It'll also write
KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID
(and it wasn't specified in the config file yet). Similarly,
kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it
wasn't specified in the config file yet). Effectively, those changes
mean that the machine-id used for boot loader entry installation is
"frozen" upon first use and becomes independent of the actual
machine-id.
Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem:
images created for distribution ("golden images") are built with no
machine-id, so that a unique machine-id can be created on the first
boot. But those images may contain boot loader entries with the
machine-id used during build included in paths. Using a "frozen"
value allows unambiguously identifying entries that match the
specific installation, while still permitting parallel installations
without conflict.
Configuring KERNEL_INSTALL_LAYOUT obviates the need for
kernel-install to guess the installation layout. This fixes the
problem where a (possibly empty) directory in the boot partition is
created from a different layout causing kernel-install plugins to
assume the wrong layout. A particular example of how this may happen
is the grub2 package in Fedora which includes directories under /boot
directly in its file list. Various other packages pull in grub2 as a
dependency, so it may be installed even if unused, breaking
installations that use the bls layout.
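The following is an added example, not part of systemd or this release: a small POSIX shell check that reads the two variables bootctl and kernel-install now persist in install.conf and verifies that the "frozen" machine ID actually has an entry directory in the bls layout ($BOOT/<machine-id>/). The config path, boot directory and machine ID used by the fixture are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the systemd sources): read KERNEL_INSTALL_LAYOUT
# and KERNEL_INSTALL_MACHINE_ID from an install.conf-style file and check
# that the frozen ID matches the bls layout on the boot partition.
# The paths and sample contents used by make_fixture are constructed.

# Print the value of KEY from CONF (KEY=VALUE lines, '#' comments, optional
# double quotes), or nothing if the key is absent.
install_conf_get() {
    conf=$1; key=$2
    sed -n "s/^[[:space:]]*${key}=//p" "$conf" 2>/dev/null | tail -n 1 | tr -d '"'
}

# Returns 0 when the config is consistent with the boot partition:
#   - the layout is "bls" (the only natively defined value)
#   - the frozen KERNEL_INSTALL_MACHINE_ID has a directory $BOOT/<ID>/
# Returns 1 otherwise and reports the reason on stdout.
kernel_install_check() {
    conf=$1; bootdir=$2
    layout=$(install_conf_get "$conf" KERNEL_INSTALL_LAYOUT)
    frozen=$(install_conf_get "$conf" KERNEL_INSTALL_MACHINE_ID)
    case $layout in
        bls) ;;
        "")  echo "no KERNEL_INSTALL_LAYOUT: plugins will guess from $bootdir"; return 1 ;;
        *)   echo "layout '$layout' is plugin-defined, not checked here"; return 1 ;;
    esac
    if [ -z "$frozen" ]; then
        echo "no frozen KERNEL_INSTALL_MACHINE_ID: entries follow /etc/machine-id"
        return 1
    fi
    if [ ! -d "$bootdir/$frozen" ]; then
        echo "frozen id $frozen has no $bootdir/$frozen/ directory"
        return 1
    fi
    echo "ok: bls entries for $frozen live under $bootdir/$frozen/"
    return 0
}

# Constructed fixture: a golden-image style setup where the ID baked into
# the boot entries is frozen in install.conf, independent of /etc/machine-id.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/boot/0123456789abcdef0123456789abcdef/5.15.0"
    cat > "$dir/install.conf" <<'EOF'
# written by bootctl install / kernel-install
KERNEL_INSTALL_LAYOUT=bls
KERNEL_INSTALL_MACHINE_ID=0123456789abcdef0123456789abcdef
EOF
    echo "$dir"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    kernel_install_check "$d/install.conf" "$d/boot"
fi
```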
* bootctl and systemd-bless-boot can now be linked statically.
* systemd-sysext now optionally doesn't insist on extension-release.d/
files being placed in the image under the image's file name. If the
file system xattr user.extension-release.strict is set on the
extension release file, it is accepted regardless of its name. This
relaxes security restrictions a bit, as system extension may be
attached under a wrong name this way.
* udevadm's test-builtin command learnt a new --action= switch for
testing the built-in with the specified action (in place of the
default 'add').
* udevadm info gained new switches --property=/--value for showing only
specific udev properties/values instead of all.
* A new hwdb database has been added that contains matches for various
types of signal analyzers (protocol analyzers, logic analyzers,
oscilloscopes, multimeters, bench power supplies, etc.) that should
be accessible to regular users.
* A new hwdb database entry has been added that carries information
about types of cameras (regular or infrared), and in which direction
they point (front or back).
* A new rule to allow console users access to rfkill by default has been
added to hwdb.
* Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are
now also owned by the system group "sgx".
* A new build-time meson option "extra-net-naming-schemes=" has been
added to define additional naming schemes for udev's network
interface naming logic. This is useful for enterprise distributions
and similar which want to pin the schemes of certain distribution
releases under a specific name and previously had to patch the
sources to introduce new named schemes.
* The predictable naming logic for network interfaces has been extended
to generate stable names from Xen netfront device information.
* hostnamed's chassis property can now be sourced from chassis-type
field encoded in devicetree (in addition to the existing DMI
support).
* systemd-cgls now optionally displays cgroup IDs and extended
attributes for each cgroup. (Controllable via the new --xattr= +
--cgroup-id= switches.)
* coredumpctl gained a new --all switch for operating on all
Journal files instead of just the local ones.
* systemd-coredump will now use libdw/libelf via dlopen() rather than
directly linking, allowing users to easily opt-out of backtrace/metadata
analysis of core files, and reduce image sizes when this is not needed.
* systemd-coredump will now analyze core files with libdw/libelf in a
forked, sandboxed process.
* systemd-homed will now try to unmount an activated home area at
regular intervals once the user has logged out fully. Previously this
was attempted exactly once, and if the home directory was busy for
some reason it was not tried again.
* systemd-homed's LUKS2 home area backend will now create a BSD file
system lock on the image file while the home area is active
(i.e. mounted). If a home area is found to be locked, logins are
politely refused. This should improve behavior when using home areas
images that are accessible via the network from multiple clients, and
reduce the chance of accidental file system corruption in that case.
* Optionally, systemd-homed will now drop the kernel buffer cache once
a user has fully logged out, configurable via the new --drop-caches=
homectl switch.
* systemd-homed now makes use of UID mapped mounts for the home areas.
If the kernel and used file system support it, files are now
internally owned by the "nobody" user (i.e. the user typically used
for indicating "this ownership is not mapped"), and dynamically
mapped to the UID used locally on the system via the UID mapping
mount logic of recent kernels. This makes migrating home areas
between different systems cheaper because recursively chown()ing file
system trees is no longer necessary.
* systemd-homed's CIFS backend now optionally supports CIFS service
names with a directory suffix, in order to place home directories in
a subdirectory of a CIFS share, instead of the top-level directory.
* systemd-homed's CIFS backend gained support for specifying additional
mount options in the JSON user record (cifsExtraMountOptions field,
and --cifs-extra-mount-options= homectl switch). This is for example
useful for configuring mount options such as "noserverino" that some
SMB3 services require (for instance, this is needed to run a homed
home directory from a FritzBox SMB3 share).
* systemd-homed will now default to btrfs' zstd compression for home
areas. This is inspired by Fedora's recent decision to switch to zstd
by default.
* Additional mount options to use when mounting the file system of
LUKS2 volumes in systemd-homed can now be specified, either via the
$SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4 and
$SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables passed to
systemd-homed, or via the luksExtraMountOptions user record JSON
property (exposed via homectl --luks-extra-mount-options=).
* homectl's resize command now takes the special size specifications
"min" and "max" to shrink/grow the home area to the minimum/maximum
size possible, taking disk usage/space constraints and file system
limitations into account. Resizing is now generally graceful: the
logic will try to get as close to the specified size as possible, but
not consider it a failure if the request couldn't be fulfilled
precisely.
* systemd-homed gained the ability to automatically shrink home areas
on logout to their minimal size and grow them again on next
login. This ensures that while inactive, a home area only takes up
the minimal space necessary, but once activated, it provides
sufficient space for the user's needs. This behavior is only
supported if btrfs is used as file system inside the home area
(because only for btrfs online growing/shrinking is implemented in
the kernel). This behavior is now enabled by default, but may be
controlled via the new --auto-resize-mode= setting of homectl.
* systemd-homed gained support for automatically re-balancing free disk
space among active home areas, in case the LUKS2 backend is used and
no explicit disk size was requested. This way disk space is managed
automatically, home areas are resized at regular intervals, and
manual resizing when disk space becomes scarce should no longer be
necessary. This behavior is only supported if btrfs is used within
the home areas (as only then is online shrinking and growing
supported), and may be configured via the new rebalanceWeight JSON
user record field (as exposed via the new --rebalance-weight= homectl
setting). Re-balancing is mostly automatic, but can also be requested
explicitly via "homectl rebalance", which is synchronous, and thus
may be used to wait until the rebalance run is complete.
* userdbctl gained a --json= switch for configuring the JSON formatting
to use when outputting user or group records.
* userdbctl gained a new --multiplexer= switch for explicitly
configuring whether to use the systemd-userdbd server side user
record resolution logic.
* userdbctl's ssh-authorized-keys command learnt a new --chain switch,
for chaining up another command to execute after completing the
look-up. Since OpenSSH's AuthorizedKeysCommand only allows
configuration of a single command to invoke, this may be used to
invoke multiple: first userdbctl's own implementation, and then any
other also configured on the command line.
* The sd-event API gained a new function sd_event_add_inotify_fd() that
is similar to sd_event_add_inotify() but accepts a file descriptor
instead of a path in the file system for referencing the inode to
watch.
* The sd-event API gained a new function
sd_event_source_set_ratelimit_expire_callback() that may be used to
define a callback function that is called whenever an event source
leaves the rate limiting phase.
* New documentation has been added explaining which steps are necessary
to port systemd to a new architecture:
https://systemd.io/PORTING_TO_NEW_ARCHITECTURES
* The x-systemd.makefs option in /etc/fstab now explicitly supports
ext2, ext3, and f2fs file systems.
* Mount units and units generated from /etc/fstab entries with 'noauto'
are now ordered the same as other units. Effectively, they will be
started earlier (if something actually pulled them in) and stopped
later, similarly to normal mount units that are part of
fs-local.target. This change should be invisible to users, but
should prevent those units from being stopped too early during
shutdown.
* The systemd-getty-generator now honors a new kernel command line
argument systemd.getty_auto= and a new environment variable
$SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
example useful to turn off gettys inside of containers or similar
environments.
* systemd-resolved now listens on a second DNS stub address: 127.0.0.54
(in addition to 127.0.0.53, as before). If DNS requests are sent to
this address they are propagated in "bypass" mode only, i.e. are
almost not processed locally, but mostly forwarded as-is to the
current upstream DNS servers. This provides a stable DNS server
address that proxies all requests dynamically to the right upstream
DNS servers even if these dynamically change. This stub does not do
mDNS/LLMNR resolution. However, it will translate look-ups to
DNS-over-TLS if necessary. This new stub is particularly useful in
container/VM environments, or for tethering setups: use DNAT to
redirect traffic to any IP address to this stub.
* systemd-importd now honors new environment variables
$SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA and
$SYSTEMD_IMPORT_SYNC, which may be used to disable btrfs subvolume
generation, btrfs quota setup and disk synchronization respectively.
* systemd-importd and systemd-resolved can now be optionally built with
OpenSSL instead of libgcrypt.
* systemd-repart no longer requires OpenSSL.
* systemd-sysusers will no longer create the redundant 'nobody' group
by default, as the 'nobody' user is already created with an
appropriate primary group.
* If a unit uses RuntimeMaxSec, systemctl show will now display it.
* systemctl show-environment gained support for --output=json.
* pam_systemd will now first try to use the X11 abstract socket, and
fall back to the socket file in /tmp/.X11-unix/ only if that does not
work.
* systemd-journald will no longer go back to volatile storage
regardless of configuration when its unit is restarted.
* Initial support for the LoongArch architecture has been added (system
call lists, GPT partition table UUIDs, etc).
* systemd-journald's own logging messages are now also logged to the
journal itself when systemd-journald logs to /dev/kmsg.
* systemd-journald now re-enables COW for archived journal files on
filesystems that support COW. One benefit of this change is that
archived journal files will now get compressed on btrfs filesystems
that have compression enabled.
* systemd-journald now deduplicates fields in a single log message
before adding it to the journal. In archived journal files, it will
also punch holes for unused parts and truncate the file as
appropriate, leading to reductions in disk usage.
* journalctl --verify was extended with more informative error
messages.
* More of sd-journal's functions are now resistant against journal file
corruption.
* The shutdown command learnt a new option --show, to display the
scheduled shutdown.
* A LICENSES/ directory is now included in the git tree. It contains a
README.md file that explains the licenses used by source files in
this repository. It also contains the text of all applicable
licenses as they appear on spdx.org.
Contributions from: Aakash Singh, acsfer, Adolfo Jayme Barrientos,
Adrian Vovk, Albert Brox, Alberto Mardegan, Alexander Kanavin,
alexlzhu, Alfonso Sánchez-Beato, Alvin Šipraga, Alyssa Ross,
Amir Omidi, Anatol Pomozov, Andika Triwidada, Andreas Rammhold,
Andreas Valder, Andrej Lajovic, Andrew Soutar, Andrew Stone, Andy Chi,
Anita Zhang, Anssi Hannula, Antonio Alvarez Feijoo,
Antony Deepak Thomas, Arnaud Ferraris, Arvid E. Picciani,
Bastien Nocera, Benjamin Berg, Benjamin Herrenschmidt, Ben Stockett,
Bogdan Seniuc, Boqun Feng, Carl Lei, chlorophyll-zz, Chris Packham,
Christian Brauner, Christian Göttsche, Christian Wehrli,
Christoph Anton Mitterer, Cristian Rodríguez, Daan De Meyer,
Daniel Maixner, Dann Frazier, Dan Streetman, Davide Cavalca,
David Seifert, David Tardon, dependabot[bot], Dimitri John Ledkov,
Dimitri Papadopoulos, Dimitry Ishenko, Dmitry Khlebnikov,
Dominique Martinet, duament, Egor, Egor Ignatov, Emil Renner Berthing,
Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin, Florian Klink,
Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon, GnunuX,
Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede,
Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho,
Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras,
I-dont-need-name, igo95862, Jack Dähn, James Hilliard, Jan Janssen,
Jan Kuparinen, Jan Macku, Jan Palus, Jarkko Sakkinen, Jayce Fayne,
jiangchuangang, jlempen, John Lindgren, Jonas Dreßler, Jonas Jelten,
Jonas Witschel, Joris Hartog, José Expósito, Julia Kartseva,
Kai-Heng Feng, Kai Wohlfahrt, Kay Siver Bø, KennthStailey,
Kevin Kuehler, Kevin Orr, Khem Raj, Kristian Klausen, Kyle Laker,
lainahai, LaserEyess, Lennart Poettering, Lia Lenckowski, longpanda,
Luca Boccassi, Luca BRUNO, Ludwig Nussel, Lukas Senionis,
Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi,
Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez,
Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro,
Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert,
Milo Turner, ml, monosans, Nacho Barrientos, nassir90, Nishal Kulkarni,
nl6720, Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto,
Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas,
Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Robert Scheck,
Ross Jennings, saikat0511, Scott Lamb, Scott Worley,
Sergei Trofimovich, Sho Iizuka, Slava Bacherikov, Slimane Selyan Amiri,
StefanBruens, Steven Siloti, svonohr, Taiki Sugawara, Takashi Sakamoto,
Takuro Onoue, Thomas Blume, Thomas Haller, Thomas Mühlbacher,
Tianlu Shao, Toke Høiland-Jørgensen, Tom Yan, Tony Asleson,
Topi Miettinen, Ulrich Ölmann, Urs Ritzmann, Vincent Bernat,
Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ, Wu Xiaotian,
xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei, Yao Wei (魏銘廷),
Yegor Alexeyev, Yu Watanabe, Zbigniew Jędrzejewski-Szmek,
Дамјан Георгиевски, наб
— Warsaw, 2021-12-23
CHANGES WITH 249:
* When operating on disk images via the --image= switch of various
tools (such as systemd-nspawn or systemd-dissect), or when udev finds
no 'root=' parameter on the kernel command line, and multiple
suitable root or /usr/ partitions exist in the image, then a simple
comparison inspired by strverscmp() is done on the GPT partition
label, and the newest partition is picked. This permits a simple and
generic whole-file-system A/B update logic where new operating system
versions are dropped into partitions whose label is then updated with
a matching version identifier.
* systemd-sysusers now supports querying the passwords to set for the
users it creates via the "credentials" logic introduced in v247: the
passwd.hashed-password.<user> and passwd.plaintext-password.<user>
credentials are consulted for the password to use (either in UNIX
hashed form, or literally). By default these credentials are inherited
down from PID1 (which in turn imports it from a container manager if
there is one). This permits easy configuration of user passwords
during first boot. Example:
# systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo
Note that systemd-sysusers operates in purely additive mode: it
executes no operation if the declared users already exist, and hence
doesn't set any passwords as effect of the command line above if the
specified root user exists already in the image. (Note that
--volatile=yes ensures it doesn't, though.)
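The following is an added example, not part of systemd or this release: a POSIX shell helper that provisions the password for a user that systemd-sysusers creates on first boot, handing it over as a passwd.hashed-password.<user> credential loaded from a mode-0600 file (nspawn's --load-credential= switch, which exists since v247) rather than as a plaintext --set-credential= value that stays visible in the container manager's command line. The user name "deploy", the sysusers.d fragment and the placeholder hash are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the systemd sources): provision a password for a
# user that systemd-sysusers creates on first boot, passing it as a hashed
# credential read from a private file instead of a plaintext value on the
# command line (which any local user can read from /proc/<pid>/cmdline).
# User name, paths and the hash are constructed for the demonstration.

# Refuse a credential file that is not private to its owner or that does not
# look like a crypt(3) hash ("$<id>$..."): a plaintext password belongs in
# passwd.plaintext-password.<user>, not in passwd.hashed-password.<user>.
check_hashed_password_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(stat -c %a "$f")
    [ "$mode" = 600 ] || { echo "$f: mode $mode, want 600"; return 1; }
    case $(head -c 1 "$f") in
        '$') return 0 ;;
        *)   echo "$f: content is not a crypt(3) hash"; return 1 ;;
    esac
}

# Print the systemd-nspawn argument that hands the hash to the image as the
# passwd.hashed-password.<user> credential consumed by systemd-sysusers.
nspawn_password_args() {
    user=$1; f=$2
    check_hashed_password_file "$f" >/dev/null || return 1
    printf '%s=%s:%s\n' --load-credential "passwd.hashed-password.$user" "$f"
}

# Stage a sysusers.d fragment declaring the account. sysusers is purely
# additive, so the password is only applied if this fragment creates the user.
write_sysusers_fragment() {
    dir=$1; user=$2
    mkdir -p "$dir"
    printf 'u %s - "%s" /home/%s /bin/sh\n' "$user" "Provisioned account" "$user" \
        > "$dir/90-$user.conf"
    echo "$dir/90-$user.conf"
}

# Constructed fixture: a private file holding a placeholder SHA-512 crypt
# hash (a real one can be produced with e.g. "openssl passwd -6").
make_fixture() {
    dir=$(mktemp -d)
    umask 077
    echo '$6$PLACEHOLDERSALT$PLACEHOLDERHASH' > "$dir/deploy.hash"
    echo "$dir"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    write_sysusers_fragment "$d/sysusers.d" deploy >/dev/null
    echo "systemd-nspawn -i image.raw --volatile=yes" \
         "$(nspawn_password_args deploy "$d/deploy.hash")"
fi
```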
* systemd-firstboot now also supports querying various system
parameters via the credential subsystems. Thus, as above this may be
used to initialize important system parameters on first boot of
previously unprovisioned images (i.e. images with a mostly empty
/etc/).
* PID 1 may now show both the unit name and the unit description
strings in its status output during boot. This may be configured with
StatusUnitFormat=combined in system.conf or
systemd.status-unit-format=combined on the kernel command line.
* The systemd-machine-id-setup tool now supports a --image= switch for
provisioning a machine ID file into an OS disk image, similar to how
--root= operates on an OS file tree. This matches the existing switch
of the same name for systemd-tmpfiles, systemd-firstboot, and
systemd-sysusers tools.
* Similarly, systemd-repart gained support for the --image= switch too.
In combination with the existing --size= option, this makes the tool
particularly useful for easily growing disk images in a single
invocation, following the declarative rules included in the image
itself.
* systemd-repart's partition configuration files gained support for a
new switch MakeDirectories= which may be used to create arbitrary
directories inside file systems that are created, before registering
them in the partition table. This is useful in particular for root
partitions to create mount point directories for other partitions
included in the image. For example, a disk image that contains a
root, /home/, and /var/ partitions, may set MakeDirectories=yes to
create /home/ and /var/ as empty directories in the root file system
on its creation, so that the resulting image can be mounted
immediately, even in read-only mode.
* systemd-repart's CopyBlocks= setting gained support for the special
value "auto". If used, a suitable matching partition on the booted OS
is found as source to copy blocks from. This is useful when
implementing replicating installers, that are booted from one medium
and then stream their own root partition onto the target medium.
* systemd-repart's partition configuration files gained support for a
Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
GPT partition flags for the created partitions: this is useful for
marking newly created partitions as read-only, or as not being
subject for automatic mounting from creation on.
* The /etc/os-release file has been extended with two new (optional)
variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version
information for OS images that are updated comprehensively and
atomically as one image. Two new specifiers %M, %A now resolve to
these two fields in the various configuration options that resolve
specifiers.
* portablectl gained a new switch --extension= for enabling portable
service images with extensions that follow the extension image
concept introduced with v248, and thus allows layering multiple
images when setting up the root filesystem of the service.