systemd

The systemd System and Service Manager

GPL-2.0 License

systemd - systemd v255-rc1

Published by bluca 12 months ago

systemd System and Service Manager

CHANGES WITH 255 in spe:

Announcements of Future Feature Removals and Incompatible Changes:

    * Support for split-usr (/usr/ mounted separately during late boot,
      instead of being mounted by the initrd before switching to the rootfs)
      and unmerged-usr (parallel directories /bin/ and /usr/bin/, /lib/ and
      /usr/lib/, …) has been removed. For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

    * We intend to remove cgroup v1 support from a systemd release after
      the end of 2023. If you run services that make explicit use of
      cgroup v1 features (i.e. the "legacy hierarchy" with separate
      hierarchies for each controller), please implement compatibility with
      cgroup v2 (i.e. the "unified hierarchy") sooner rather than later.
      Most of Linux userspace has been ported over already.

    * Support for System V service scripts is now deprecated and will be
      removed in a future release. Please make sure to update your software
      *now* to include a native systemd unit file instead of a legacy
      System V script to retain compatibility with future systemd releases.

    * Support for the SystemdOptions EFI variable is deprecated.
      'bootctl systemd-efi-options' will emit a warning when used. It seems
      that this feature is little-used and it is better to use alternative
      approaches like credentials and confexts. The plan is to drop support
      altogether at a later point, but this might be revisited based on
      user feedback.

    * systemd-run's switch --expand-environment= which currently is disabled
      by default when combined with --scope, will be changed in a future
      release to be enabled by default.

    * "systemctl switch-root" is now restricted to initrd transitions only.

      Transitions between real systems should be done with
      "systemctl soft-reboot" instead.

    * The "ip=off" and "ip=none" kernel command line options interpreted by
      systemd-network-generator will now result in IPv6RA + link-local
      addressing being disabled, too. Previously DHCP was turned off, but
      IPv6RA and IPv6 link-local addressing was left enabled.

    * The NAMING_BRIDGE_MULTIFUNCTION_SLOT naming scheme has been deprecated
      and is now disabled.

    * SuspendMode=, HibernateState= and HybridSleepState= in the [Sleep]
      section of systemd-sleep.conf are now deprecated and have no effect.
      They did not (and could not) take any value other than the respective
      default. HybridSleepMode= is also deprecated, and will now always use
      the 'suspend' disk mode.

Service Manager:

    * The way services are spawned has been overhauled. Previously, a
      process was forked that shared all of the manager's memory (via
      copy-on-write) while doing all the required setup (e.g.: mount
      namespaces, CGroup configuration, etc.) before exec'ing the target
      executable. This was problematic for various reasons: several glibc
      APIs were called that are not supposed to be used after a fork but
      before an exec, copy-on-write meant that if either process (the
      manager or the child) touched a memory page a copy was triggered, and
      also the memory footprint of the child process was that of the
      manager, but with the memory limits of the service. From this version
      onward, the new process is spawned using CLONE_VM and CLONE_VFORK
      semantics via posix_spawn(3), and it immediately execs a new internal
      binary, systemd-executor, that receives the configuration to apply
      via memfd, and sets up the process before exec'ing the target
      executable.

    * Most of the internal process tracking is being changed to use PIDFDs
      instead of PIDs when the kernel supports it, to improve robustness
      and reliability.

    * A new option SurviveFinalKillSignal= can be used to configure the
      unit to be skipped in the final SIGTERM/SIGKILL spree on shutdown.
      This is part of the required configuration to let a unit's processes
      survive a soft-reboot operation.

    * System extension images (sysext) can now set
      EXTENSION_RELOAD_MANAGER=1 in their extension-release files to
      automatically reload the service manager (PID 1) when
      merging/refreshing/unmerging on boot. Generally, while this can be
      used to ship services in system extension images it's recommended to
      do that via portable services instead.

    * The ExtensionImages= and ExtensionDirectories= options now support
      confexts images/directories.

    * A new option NFTSet= provides a method for integrating dynamic cgroup
      IDs into firewall rules with NFT sets. The benefit of using this
      setting is that a control group can easily be used as a selector in
      firewall rules, which in turn allows more fine-grained filtering.
      Moreover, plain NFT rules for cgroup matching use numeric cgroup IDs,
      which change every time a service is restarted, making them hard to
      use in a systemd environment.

    * A new option CoredumpReceive= can be set for service and scope units,
      together with Delegate=yes, to make systemd-coredump on the host
      forward core files from processes crashing inside the delegated
      CGroup subtree to systemd-coredump running in the container. This new
      option is by default used by systemd-nspawn containers that use the
      "--boot" switch.

    * A new ConditionSecurity=measured-uki option is now available, to ensure
      a unit can only run when the system has been booted from a measured UKI.

    * MemoryAvailable= now considers physical memory if there are no CGroup
      memory limits set anywhere in the tree.

    * The $USER environment variable is now always set for services, while
      previously it was only set if User= was specified. A new option
      SetLoginEnvironment= is now supported to determine whether to also set
      $HOME, $LOGNAME, and $SHELL.

    * Socket units now support a new pair of
      PollLimitBurst=/PollLimitInterval= options to configure a limit on
      how often polling events on the file descriptors backing this unit
      will be considered within a time window.

    * Scope units can now be created using PIDFDs instead of PIDs to select
      the processes they should include.

    * Sending SIGRTMIN+18 with 0x500 as sigqueue() value will now cause the
      manager to dump the list of currently pending jobs.

    * If the kernel supports MOVE_MOUNT_BENEATH, the systemctl and
      machinectl bind and mount-image verbs will now cause the new mount to
      replace the old mount (if any), instead of overmounting it.

TPM2 Support + Disk Encryption & Authentication:

    * systemd-cryptenroll now allows specifying a PCR bank and explicit hash
      value in the --tpm2-pcrs= option.

    * systemd-cryptenroll now allows specifying a TPM2 key handle to be used
      instead of the default SRK via the new --tpm2-seal-key-handle= option.

    * systemd-cryptsetup is now installed in /usr/bin/ and is no longer an
      internal-only executable.

    * The TPM2 Storage Root Key will now be set up, if not already present,
      by a new systemd-tpm2-setup.service early boot service.

    * The internal systemd-pcrphase executable has been renamed to
      systemd-pcrextend.

    * The systemd-pcrextend tool gained a new --pcr= switch to override
      which PCR to measure into.

    * systemd-pcrextend now exposes a Varlink interface at
      io.systemd.PCRExtend that can be used to do measurements and event
      logging on demand.

    * TPM measurements are now also written to an event log at
      /run/log/systemd/tpm2-measure.log, using a derivative of the TCG
      Canonical Event Log format. Previously we'd only log them to the
      journal, where they however were subject to rotation and similar.

    * A new component "systemd-pcrlock" has been added that allows managing
      local TPM2 PCR policies for PCRs 0-7 and similar, which are hard to
      predict by the OS vendor because of the inherently local nature of
      what measurements they contain, such as firmware versions of the
      system and extension cards and suchlike. pcrlock can predict PCR
      measurements ahead of time based on various inputs, such as the local
      TPM2 event log, GPT partition tables, PE binaries, UKI kernels, and
      various other things. It can then pre-calculate a TPM2 policy from
      this, which it stores in a TPM2 NV index. TPM2 objects (such as disk
      encryption keys) can be locked against this NV index, so that they
      are locked against a specific combination of system firmware and
      state. Alternatives for each component are supported to allowlist
      multiple kernel versions or boot loader version simultaneously
      without losing access to the disk encryption keys. The tool can also
      be used to analyze and validate the local TPM2 event
      log. systemd-cryptsetup, systemd-cryptenroll, systemd-repart have all
      been updated to support such policies. There's currently no support
      for locking the system's root disk against a pcrlock policy, this
      will be added soon. Moreover, it is currently not possible to combine
      a pcrlock policy with a signed PCR policy. This component is
      experimental and its public interface is subject to change.

systemd-boot, systemd-stub, ukify, bootctl, kernel-install:

    * bootctl will now show whether the system was booted from a UKI in its
      status output.

    * systemd-boot and systemd-stub now use different project keys in their
      respective SBAT sections, so that they can be revoked individually if
      needed.

    * systemd-boot will no longer load unverified Devicetree blobs when UEFI
      SecureBoot is enabled. For more details see:
      https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c

    * systemd-boot gained new hotkeys to reboot and power off the system
      from the boot menu ("B" and "O"). If the "auto-poweroff" and
      "auto-reboot" options in loader.conf are set these entries are also
      shown as menu items (which is useful on devices lacking a regular
      keyboard).

    * systemd-boot gained a new configuration value "menu-disabled" for the
      set-timeout option, to allow completely disabling the boot menu,
      including the hotkey.

    * systemd-boot will now measure the content of loader.conf in TPM2 PCR
      5.

    * systemd-stub will now concatenate the content of all kernel
      command-line addons before measuring them in TPM2 PCR 12, in a single
      measurement, instead of measuring them individually.

    * systemd-stub will now measure and load Devicetree Blob addons, which
      are searched and loaded following the same model as the existing
      kernel command-line addons.

    * systemd-stub will now ignore unauthenticated kernel command line options
      passed from systemd-boot when running inside Confidential VMs with UEFI
      SecureBoot enabled.

    * ukify is no longer considered experimental, and now ships in /usr/bin/.

    * ukify gained a new verb inspect to describe the sections of a UKI and
      print the contents of the well-known sections.

    * ukify gained a new verb genkey to generate a set of key pairs for
      signing UKIs and their PCR data.

    * The 90-loaderentry kernel-install hook now supports installing device
      trees.

systemd-repart:

    * A new option --copy-from= has been added that synthesizes partition
      definitions from the given image, which are then applied by the
      systemd-repart algorithm.

    * A new option --copy-source= has been added, which can be used to specify
      a directory to which CopyFiles= is considered relative to.

    * New --make-ddi=confext, --make-ddi=sysext, and --make-ddi=portable
      options have been added to make it easier to generate these types of
      DDIs, without having to provide repart.d definitions for them.

    * The dm-verity salt and UUID will now be derived from the specified
      seed value.

    * New VerityDataBlockSizeBytes= and VerityHashBlockSizeBytes= can now be
      configured in repart.d/ configuration files.

    * A new Subvolumes= setting is now supported in repart.d/ configuration
      files, to indicate which directories in the target partition should be
      btrfs subvolumes.

Journal:

    * The journalctl --lines= parameter now accepts +N to show the oldest N
      entries instead of the newest.

Device Management:

    * udev will now create symlinks to loopback block devices in the
      /dev/disk/by-loop-ref/ directory that are based on the .lo_file_name
      string field selected during allocation. The systemd-dissect tool and
      the util-linux losetup command now support a complementing new switch
      --loop-ref= for selecting the string. This means a loopback block
      device may now be allocated under a caller-chosen reference and can
      subsequently be referenced without first having to look up the block
      device name the caller ended up with.

    * udev also creates symlinks to loopback block devices in the
      /dev/disk/by-loop-inode/ directory based on the .st_dev/st_ino fields
      of the inode attached to the loopback block device. This means that
      attaching a file to a loopback device will implicitly make a handle
      available to be found via that file's inode information.

    * udevadm info gained support for JSON output via a new --json= flag, and
      for filtering output using the same mechanism that udevadm trigger
      already implements.

    * The predictable network interface naming logic is extended to include
      the SR-IOV-R "representor" information in network interface names.
      This feature was intended for v254, but even though the code was
      merged, the part that actually enabled the feature was forgotten.
      It is now enabled by default and is part of the new "v255" naming
      scheme.

    * A new hwdb/rules file has been added that sets the
      ID_NET_AUTO_LINK_LOCAL_ONLY=1 udev property on all network interfaces
      that should usually only be configured with link-local addressing
      (IPv4LL + IPv6LL), i.e. for PC-to-PC cables ("laplink") or
      Thunderbolt networking. systemd-networkd and NetworkManager (soon)
      will make use of this information to apply an appropriate network
      configuration by default.

    * The ID_NET_DRIVER property on network interfaces is now set
      relatively early in the udev rule set so that other rules may rely on
      its use. This is implemented in a new "net-driver" udev built-in.

Network Management:

    * The "duid-only" option for DHCPv4 client's ClientIdentifier= setting
      is now dropped, as it never worked, hence it should not be used by
      anyone.

    * The 'prefixstable' ipv6 address generation mode now considers the SSID
      when generating stable addresses, so that a different stable address
      is used when roaming between wireless networks. If you already use
      'prefixstable' addresses with wireless networks, the stable address
      will be changed by the update.

    * The DHCPv4 client gained a RapidCommit option, true by default, which
      enables RFC4039 Rapid Commit behavior to obtain a lease in a
      simplified 2-message exchange instead of the typical 4-message
      exchange, if also supported by the DHCP server.

    * The DHCPv4 client gained new InitialCongestionWindow= and
      InitialAdvertisedReceiveWindow= options for route configurations.

    * The DHCPv4 client gained a new RequestAddress= option that allows
      sending a preferred IP address in the initial DHCPDISCOVER message.

    * The DHCPv4 server and client gained support for IPv6-only mode
      (RFC8925).

    * The SendHostname= and Hostname= options are now available for the
      DHCPv6 client, independently of the DHCPv4= option, so that these
      configuration values can be set independently for each client.

    * The DHCPv4 and DHCPv6 client state can now be queried via D-Bus,
      including lease information.

    * The DHCPv6 client can now be configured to use a custom DUID type.

    * .network files gained a new IPv4ReversePathFilter= setting in the
      [Network] section, to control sysctl's rp_filter setting.

    * .network files gained a new HopLimit= setting in the [Route] section,
      to configure a per-route hop limit.

    * .network files gained a new TCPRetransmissionTimeoutSec= setting in
      the [Route] section, to configure a per-route TCP retransmission
      timeout.

    * A new directive NFTSet= provides a method for integrating network
      configuration into firewall rules with NFT sets. The benefit of using
      this setting is that static network configuration or dynamically
      obtained network addresses can be used in firewall rules with the
      indirection of NFT set types.

    * The [IPv6AcceptRA] section supports the following new options:
      UsePREF64=, UseHopLimit=, UseICMP6RateLimit=, and NFTSet=.

    * The [IPv6SendRA] section supports the following new options:
      RetransmitSec=, HopLimit=, HomeAgent=, HomeAgentLifetimeSec=, and
      HomeAgentPreference=.

    * A new [IPv6PREF64Prefix] set of options, containing Prefix= and
      LifetimeSec=, has been introduced to append pref64 options in router
      advertisements (RFC8781).

    * The network generator now configures the interfaces with only
      link-local addressing if "ip=link-local" is specified on the kernel
      command line.

    * The names of the configuration files generated by the network
      generator from the kernel command line are now prefixed with '70-',
      so that they take precedence over the default configuration files.

    * Added a new -Ddefault-network=BOOL meson option, which causes more
      .network files to be installed as enabled by default. These
      configuration files match generic setups, e.g. 89-ethernet.network
      matches all Ethernet interfaces and enables both DHCPv4 and DHCPv6
      clients.

    * If an ID_NET_MANAGED_BY= udev property is set on a network device and
      it is any string other than "io.systemd.Network", then networkd will
      not manage this device. This may be used to allow multiple network
      management services to run in parallel and assign ownership of
      specific devices explicitly. NetworkManager will soon implement a
      similar logic.

systemctl:

    * systemctl is-failed now checks the system state if no unit is
      specified.

    * systemctl will now automatically soft-reboot if a new root file system
      is found under /run/nextroot/ when a reboot operation is invoked.

Login management:

    * Wall messages now work even when utmp support is disabled, using
      systemd-logind to query the necessary information.

    * systemd-logind now sends a new PrepareForShutdownWithMetadata D-Bus
      signal before shutdown/reboot/soft-reboot that includes additional
      information compared to the PrepareForShutdown signal. Currently the
      additional information is the type of operation that is about to be
      executed.

Hibernation & Suspend:

    * The kernel and OS versions will no longer be checked on resume from
      hibernation.

    * Hibernation into swap files backed by btrfs is now
      supported. (Previously this was supported only for other file
      systems.)

Other:

    * A new systemd-vmspawn tool has been added, that aims to provide for VMs
      the same interfaces and functionality that systemd-nspawn provides for
      containers. For now it supports QEMU as a backend, and exposes some of
      its options to the user. This component is experimental and its public
      interface is subject to change.

    * "systemd-analyze plot" has gained tooltips on each unit name with
      related-unit information in its svg output, such as Before=,
      Requires=, and similar properties.

    * A new varlinkctl tool has been added to allow interfacing with
      Varlink services, and introspection has been added to all such
      services.

    * systemd-sysext and systemd-confext now expose a Varlink service
      at io.systemd.sysext.

    * portable services now accept confexts as extensions.

    * systemd-sysupdate now accepts directories in the MatchPattern= option.

    * systemd-run will now output the invocation ID of the launched
      transient unit.

    * systemd-analyze, systemd-tmpfiles, systemd-sysusers, systemd-sysctl,
      and systemd-binfmt gained a new --tldr option that can be used instead
      of --cat-config to suppress uninteresting configuration lines, such as
      comments and whitespace.

    * resolvectl gained a new "show-server-state" command that shows
      current statistics of the resolver. This is backed by a new
      DumpStatistics() Varlink method provided by systemd-resolved.

    * systemd-timesyncd will now emit a D-Bus signal when the LinkNTPServers
      property changes.

    * vconsole now supports KEYMAP=@kernel for preserving the kernel keymap
      as-is.

    * seccomp now supports the LoongArch64 architecture.

    * systemd-id128 now supports a new -P option to show only values. The
      combination of -P and --app options is also supported.

    * A new pam_systemd_loadkey.so PAM module is now available, which will
      automatically fetch the passphrase used by cryptsetup to unlock the
      root file system and set it as the PAM authtok. This enables, among
      other things, configuring auto-unlock of the GNOME Keyring / KDE
      Wallet when autologin is configured.

    * Many meson options now use the 'feature' type, which means they
      take enabled/disabled/auto as values.

    * A new meson option -Dconfigfiledir= can be used to change where
      configuration files with default values are installed to.

    * Options and verbs in man pages are now tagged with the version they
      were first introduced in.

    * A new component "systemd-storagetm" has been added, which exposes all
      local block devices as NVMe-TCP devices, fully automatically. It's
      hooked into a new target unit storage-target-mode.target that is
      supposed to be booted into via
      rd.systemd.unit=storage-target-mode.target on the kernel command
      line. This is intended to be used for installers and debugging to
      quickly get access to the local disk. It's inspired by MacOS "target
      disk mode".

    * A new component "systemd-bsod" has been added, which can show logged
      error messages full screen, if they have a log level of LOG_EMERG.

    * The systemd-dissect tool's --with command will now set the
      $SYSTEMD_DISSECT_DEVICE environment variable to the block device it
      operates on for the invoked process.

    * The systemd-mount tool gained a new --tmpfs switch for mounting a new
      'tmpfs' instance. This is useful since it does so via .mount units
      and thus can be executed remotely or in containers.

    * The various tools in systemd that take "verbs" (such as systemctl,
      loginctl, machinectl, …) now will suggest a close verb name in case
      the user specified an unrecognized one.

    * libsystemd now exports a new function sd_id128_get_app_specific()
      that generates "app-specific" 128bit IDs from any ID. It's similar to
      sd_id128_get_machine_app_specific() and
      sd_id128_get_boot_app_specific() but takes the ID to base calculation
      on as input. This new functionality is also exposed in the
      "systemd-id128" tool where you can now combine --app= with `show`.
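As an added Python illustration (not libsystemd code) of what an "app-specific" ID is, this re-implements the construction documented for sd_id128_get_machine_app_specific(3): HMAC-SHA256 of the application ID keyed by the base ID. Truncating to 128 bits and forcing the result into v4-UUID layout follow my reading of the libsystemd implementation and have not been checked bit-for-bit against the library here; the sample IDs are constructed, not real machine IDs. The keyed one-way derivation is what lets a program publish its app-specific ID without disclosing the machine or boot ID it was derived from:

```python
import hashlib
import hmac
import uuid

# Constructed sample IDs (not real machine or boot IDs): one base ID and two
# per-application IDs as an application would hard-code them.
SAMPLE_BASE_ID = uuid.UUID("0123456789abcdef0123456789abcdef")
APP_ID_BACKUP = uuid.UUID("b2d0f5a4a2b74d1a8b0c3e6f1f9e2d44")
APP_ID_TELEMETRY = uuid.UUID("c4e1a7b3d5f64c2e9a1b0d3f5e7c9a11")


def app_specific_id(base: uuid.UUID, app_id: uuid.UUID) -> uuid.UUID:
    """Derive a per-application 128-bit ID from a base ID.

    HMAC-SHA256 keyed with the base ID over the application ID, truncated to
    128 bits and then forced into v4-UUID layout (version nibble 4, RFC 4122
    variant bits).  Being a keyed one-way function, the result reveals
    nothing about the base ID, and two applications sharing the same base
    get unrelated IDs.
    """
    digest = hmac.new(base.bytes, app_id.bytes, hashlib.sha256).digest()
    raw = bytearray(digest[:16])         # keep the first half of the MAC
    raw[6] = (raw[6] & 0x0F) | 0x40      # version 4
    raw[8] = (raw[8] & 0x3F) | 0x80      # RFC 4122 variant
    return uuid.UUID(bytes=bytes(raw))


def is_v4_layout(u: uuid.UUID) -> bool:
    """Check the version/variant bits any consumer may rely on."""
    return u.version == 4 and u.variant == uuid.RFC_4122


if __name__ == "__main__":
    for name, app in (("backup", APP_ID_BACKUP), ("telemetry", APP_ID_TELEMETRY)):
        derived = app_specific_id(SAMPLE_BASE_ID, app)
        print(f"{name:10s} {derived} v4={is_v4_layout(derived)}")
```

The same function with the machine ID or boot ID as the base reproduces the purpose of the two older helpers; the new libsystemd entry point simply makes the base an explicit parameter so that any other 128-bit ID (e.g. an invocation ID) can serve as the key.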

    * All tools that parse timestamps now can also parse RFC3339 style
      timestamps that include the "T" and "Z" characters.

    * New documentation has been added:

      https://systemd.io/FILE_DESCRIPTOR_STORE
      https://systemd.io/TPM2_PCR_MEASUREMENTS
      https://systemd.io/MOUNT_REQUIREMENTS.md

    * The codebase now recognizes the suffixes .confext.raw and .sysext.raw
      as alternatives to the .raw suffix generally accepted for DDIs. It is
      recommended to name configuration extensions and system extensions
      with such suffixes, to indicate their purpose in the name.

    * The sd-device API gained a new function
      sd_device_enumerator_add_match_property_required() which allows
      configuring matches on properties that are strictly required. This is
      different from the existing sd_device_enumerator_add_match_property()
      matches, of which only one needs to apply.

    * The MAC address the veth side of an nspawn container shall get
      assigned may now be controlled via the $SYSTEMD_NSPAWN_NETWORK_MAC
      environment variable.

    * The libiptc dependency is now implemented via dlopen(), so that tools
      such as networkd and nspawn no longer have a hard dependency on the
      shared library when compiled with support for libiptc.

    * New rpm macros have been added: %systemd_user_daemon_reexec does
      daemon-reexec for all user managers, and %systemd_postun_with_reload
      and %systemd_user_postun_with_reload do a reload for system and user
      units on upgrades.

Contributors

    Contributions from: 김인수, Abderrahim Kitouni, Adam Williamson,
    Alexandre Peixoto Ferreira, Alex Hudspith, Alvin Alvarado,
    André Paiusco, Antonio Alvarez Feijoo, Anton Lundin,
    Arseny Maslennikov, Arthur Shau, Balázs Úr, beh_10257,
    Benjamin Peterson, Bertrand Jacquin, Brian Norris, Chris Patterson,
    Christian Hergert, Christian Hesse, Christian Kirbach,
    commondservice, Curtis Klein, cvlc12, Daan De Meyer,
    Daniel P. Berrangé, Daniel Rusek, Dan Streetman,
    David Rheinsberg, David Santamaría Rogado, David Tardon,
    dependabot[bot], Dmitry V. Levin, Emanuele Giuseppe Esposito,
    Emil Renner Berthing, Emil Velikov, Etienne Dechamps, Fabian Vogt,
    felixdoerre, Franck Bui, Frantisek Sumsal, G2-Games,
    Gioele Barabucci, Hugo Carvalho, huyubiao, IllusionMan1212,
    Jade Lovelace, janana, Jan Janssen, Jan Kuparinen, Jan Macku,
    Jin Liu, Joerg Behrmann, Johannes Segitz, Jordan Rome,
    Jordan Williams, Julien Malka, Juno Computers, Khem Raj, khm,
    Kingbom Dou, Kiran Vemula, Laszlo Gombos, Lennart Poettering,
    Luca Boccassi, Lucas Adriano Salles, Lukas, Lukáš Nykrýn,
    Maanya Goenka, Maarten, Malte Poll, Marc Pervaz Boocha,
    Martin Beneš, Martin Wilck, Mathieu Tortuyaux, Matthias Schiffer,
    Maxim Mikityanskiy, Max Kellermann, Michael A Cassaniti,
    Michael Biebl, Michael Kuhn, Michael Vasseur, Michal Koutný,
    Michal Sekletár, Mike Yuan, Milton D. Miller II, mordner,
    msizanoen, NAHO, Nandakumar Raghavan, Nick Rosbrook, NRK,
    Oğuz Ersen, Omojola Joshua, pelaufer, Peter Hutterer, PhylLu,
    Pierre GRASSER, Piotr Drąg, Priit Laes, Rahil Bhimjiani,
    Raito Bezarius, Raul Cheleguini, Reto Schneider, Richard Maw,
    Robby Red, RoepLuke, Roland Hieber, Ronan Pigott, Sam James,
    Sam Leonard, Sergey A, Susant Sahani, Sven Joachim,
    Takashi Sakamoto, Thorsten Kukuk, Tj, Tomasz Świątek,
    Topi Miettinen, Valentin David, Valentin Lefebvre,
    Victor Westerhuis, Vincent Haupert, Vishal Chillara Srinivas,
    Warren, Xiaotian Wu, xinpeng wang, Yu Watanabe,
    Zbigniew Jędrzejewski-Szmek, наб

    — Edinburgh, 2023-11-06
systemd - systemd v254

Published by bluca about 1 year ago

systemd System and Service Manager

CHANGES WITH 254:

Announcements of Future Feature Removals and Incompatible Changes:

    * The next release (v255) will remove support for split-usr (/usr/
      mounted separately during late boot, instead of being mounted by the
      initrd before switching to the rootfs) and unmerged-usr (parallel
      directories /bin/ and /usr/bin/, /lib/ and /usr/lib/, …). For more
      details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

    * We intend to remove cgroup v1 support from a systemd release after
      the end of 2023. If you run services that make explicit use of
      cgroup v1 features (i.e. the "legacy hierarchy" with separate
      hierarchies for each controller), please implement compatibility with
      cgroup v2 (i.e. the "unified hierarchy") sooner rather than later.
      Most of Linux userspace has been ported over already.

    * Support for System V service scripts is now deprecated and will be
      removed in a future release. Please make sure to update your software
      *now* to include a native systemd unit file instead of a legacy
      System V script to retain compatibility with future systemd releases.

    * Support for the SystemdOptions EFI variable is deprecated.
      'bootctl systemd-efi-options' will emit a warning when used. It seems
      that this feature is little-used and it is better to use alternative
      approaches like credentials and confexts. The plan is to drop support
      altogether at a later point, but this might be revisited based on
      user feedback.

    * EnvironmentFile= now treats the line following a comment line
      trailing with escape as a non comment line. For details, see:
      https://github.com/systemd/systemd/issues/27975

    * Behaviour of sandboxing options for the per-user service manager
      units has changed. They now imply PrivateUsers=yes, which means user
      namespaces will be implicitly enabled when a sandboxing option is
      enabled in a user unit. Enabling user namespaces has the drawback
      that system users will no longer be visible (and processes/files will
      appear as owned by 'nobody') in the user unit.

      By definition a sandboxed user unit should run with reduced
      privileges, so impact should be small. This will remove a great
      source of confusion that has been reported by users over the years,
      due to how these options require an extra setting to be manually
      enabled when used in the per-user service manager, which is not
      needed in the system service manager. For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html

    * systemd-run's switch --expand-environment= which currently is disabled
      by default when combined with --scope, will be changed in a future
      release to be enabled by default.

Security Relevant Changes:

    * pam_systemd will now by default pass the CAP_WAKE_ALARM ambient
      process capability to invoked session processes of regular users on
      local seats (as well as to systemd --user), unless configured
      otherwise via data from JSON user records, or via the PAM module's
      parameter list. This is useful in order to allow desktop tools such as
      GNOME's Alarm Clock application to set a timer for
      CLOCK_REALTIME_ALARM that wakes up the system when it elapses. A
      per-user service unit file may thus use AmbientCapability= to pass
      the capability to invoked processes. Note that this capability is
      relatively narrow in focus (in particular compared to other process
      capabilities such as CAP_SYS_ADMIN) and we already — by default —
      permit more impactful operations such as system suspend to local
      users.

Service Manager:

    * "Startup" memory settings are now supported. Previously IO and CPU
      settings were already supported via StartupCPUWeight= and similar.
      The same logic has been added for the various per-unit memory
      settings StartupMemoryMax= and related.

    * The service manager gained support for enqueuing POSIX signals to
      services that carry an additional integer value, exposing the
      sigqueue() system call. This is accessible via new D-Bus calls
      org.freedesktop.systemd1.Manager.QueueSignalUnit() and
      org.freedesktop.systemd1.Unit.QueueSignal(), as well as in systemctl
      via the new --kill-value= option.

    * systemctl gained a new "list-paths" verb, which shows all currently
      active .path units, similarly to how "systemctl list-timers" shows
      active timers, and "systemctl list-sockets" shows active sockets.

    * systemctl gained a new --when= switch which is honoured by the various
      forms of shutdown (i.e. reboot, kexec, poweroff, halt) and allows
      scheduling these operations by time, similar in fashion to how this
      has been supported by SysV shutdown.

    * If MemoryDenyWriteExecute= is enabled for a service and the kernel
      supports the new PR_SET_MDWE prctl() call, it is used instead of the
      seccomp()-based system call filter to achieve the same effect.

    * A new set of kernel command line options is now understood:
      systemd.tty.term.<name>=, systemd.tty.rows.<name>=,
      systemd.tty.columns.<name>= allow configuring the TTY type and
      dimensions for the tty specified via <name>. When systemd invokes a
      service on a tty (via TTYName=) it will look for these and configure
      the TTY accordingly. This is particularly useful in VM environments
      to propagate host terminal settings into the appropriate TTYs of the
      guest.

    * A new RootEphemeral= setting is now understood in service units. It
      takes a boolean argument. If enabled for services that use RootImage=
      or RootDirectory= an ephemeral copy of the disk image or directory
      tree is made when the service is started. It is removed automatically
      when the service is stopped. That ephemeral copy is made using
      btrfs/xfs reflinks or btrfs snapshots, if available.

    * The service activation logic gained new settings RestartSteps= and
      RestartMaxDelaySec= which allow exponentially-growing restart
      intervals for Restart=.

    * The service activation logic gained a new setting RestartMode= which
      can be set to 'direct' to skip the inactive/failed states when
      restarting, so that dependent units are not notified until the service
      converges to a final (successful or failed) state. For example, this
      means that OnSuccess=/OnFailure= units will not be triggered until the
      service state has converged.

    * PID 1 will now automatically load the virtio_console kernel module
      during early initialization if running in a suitable VM. This is done
      so that early-boot logging can be written to the console if available.

    * Similarly, virtio-vsock support is loaded early in suitable VM
      environments. PID 1 will send sd_notify() notifications via AF_VSOCK
      to the VMM if configured, thus loading this early is beneficial.

    * A new verb "fdstore" has been added to systemd-analyze to show the
      current contents of the file descriptor store of a unit. This is
      backed by a new D-Bus call DumpUnitFileDescriptorStore() provided by
      the service manager.

    * The service manager will now set a new $FDSTORE environment variable
      when invoking processes for services that have the file descriptor
      store enabled.

    * A new service option FileDescriptorStorePreserve= has been added that
      allows tuning the life-cycle of the per-service file descriptor
      store. If set to "yes", the entries in the fd store are retained even
      after the service has been fully stopped.

    * The "systemctl clean" command may now be used to clear the fdstore of
      a service.

    * Unit *.preset files gained a new directive "ignore", in addition to
      the existing "enable" and "disable". As the name suggests, matching
      units are left unchanged, i.e. neither enabled nor disabled.

    * Service units gained a new setting DelegateSubgroup=. It takes the
      name of a sub-cgroup to place any processes the service manager forks
      off in. Previously, the service manager would place all service
      processes directly in the top-level cgroup it created for the
      service. This usually meant that the main process in a service with
      delegation enabled would first have to create a subgroup and move
      itself down into it, in order to not conflict with the "no processes
      in inner cgroups" rule of cgroup v2. With this option, this step is
      now handled by PID 1.

    * The service manager will now look for .upholds/ directories,
      similarly to the existing support for .wants/ and .requires/
      directories. Symlinks in this directory result in Upholds=
      dependencies.

      The [Install] section of unit files gained support for a new
      UpheldBy= directive to generate .upholds/ symlinks automatically when
      a unit is enabled.

    * The service manager now supports a new kernel command line option
      systemd.default_device_timeout_sec=, which may be used to override
      the default timeout for .device units.

    * A new "soft-reboot" mechanism has been added to the service manager.
      A "soft reboot" is similar to a regular reboot, except that it
      affects userspace only: the service manager shuts down any running
      services and other units, then optionally switches into a new root
      file system (mounted to /run/nextroot/), and then passes control to a
      systemd instance in the new file system which then starts the system
      up again. The kernel is not rebooted and neither is the hardware,
      firmware or boot loader. This provides a fast, lightweight mechanism
      to quickly reset or update userspace, without the latency that a full
      system reset involves. Moreover, open file descriptors may be passed
      across the soft reboot into the new system where they will be passed
      back to the originating services. This allows pinning resources
      across the reboot, thus minimizing grey-out time further. This new
      reboot mechanism is accessible via the new "systemctl soft-reboot"
      command.

    * Services using RootDirectory= or RootImage= will now have read-only
      access to a copy of the host's os-release file under
      /run/host/os-release, which will be kept up-to-date on 'soft-reboot'.
      This was already the case for Portable Services, and the feature has
      now been extended to all services that do not run off the host's
      root filesystem.

    * A new service setting MemoryKSM= has been added to enable kernel
      same-page merging individually for services.

    * A new service setting ImportCredentials= has been added that augments
      LoadCredential= and LoadCredentialEncrypted= and searches for
      credentials to import from the system, and supports globbing.

    * A new job mode "restart-dependencies" has been added to the service
      manager (exposed via systemctl --job-mode=). It is only valid when
      used with "start" jobs, and has the effect that the "start" job will
      be propagated as "restart" jobs to currently running units that have
      a BindsTo= or Requires= dependency on the started unit.

    * A new verb "whoami" has been added to "systemctl" which determines as
      part of which unit the command is being invoked. It writes the unit
      name to standard output. If one or more PIDs are specified, it reports
      the unit names the processes referenced by the PIDs belong to.

    * The system and service credential logic has been improved: there's
      now a clearly defined place where system provisioning tools running
      in the initrd can place credentials that will be imported into the
      system's set of credentials during the initrd → host transition: the
      /run/credentials/@initrd/ directory. Once the credentials placed
      there are imported into the system credential set they are deleted
      from this directory, and the directory itself is deleted afterwards
      too.

    * A new kernel command line option systemd.set_credential_binary= has
      been added, that is similar to the pre-existing
      systemd.set_credential= but accepts arbitrary binary credential data,
      encoded in Base64. Note that the kernel command line is not a
      recommended way to transfer credentials into a system, since it is
      world-readable from userspace.

    * The default machine ID to use may now be configured via the
      system.machine_id system credential. It will only be used if no
      machine ID was set yet on the host.

    * On Linux kernel 6.4 and newer system and service credentials will now
      be placed in a tmpfs instance that has the "noswap" mount option
      set. Previously, a "ramfs" instance was used. By switching to tmpfs
      ACL support and overall size limits can now be enforced, without
      compromising on security, as the memory is never paged out either
      way.

    * The service manager can now detect when it is running in a
      'Confidential Virtual Machine', and a corresponding 'cvm' value is now
      accepted by ConditionSecurity= for units that want to conditionalize
      themselves on this. systemd-detect-virt gained new 'cvm' and
      '--list-cvm' switches to respectively perform the detection or list
      all known flavours of confidential VM, depending on the vendor. The
      manager will publish a 'ConfidentialVirtualization' D-Bus property,
      and will also set a SYSTEMD_CONFIDENTIAL_VIRTUALIZATION= environment
      variable for unit generators. Finally, udev rules can match on a new
      'cvm' key that will be set when in a confidential VM.
      Additionally, when running in a 'Confidential Virtual Machine', SMBIOS
      strings and QEMU's fw_cfg protocol will not be used to import
      credentials and kernel command line parameters by the system manager,
      systemd-boot and systemd-stub, because the hypervisor is considered
      untrusted in this particular setting.

Journal:

    * The sd-journal API gained a new call sd_journal_get_seqnum() to
      retrieve the current log record's sequence number and sequence number
      ID, which allows applications to order records the same way as
      the journal does internally. The sequence number is now also exported in
      the JSON and "export" output of the journal.

    * journalctl gained a new switch --truncate-newline. If specified,
      multi-line log records will be truncated at the first newline,
      i.e. only the first line of each log message will be shown.

    * systemd-journal-upload gained support for --namespace=, similar to
      the switch of the same name of journalctl.

systemd-repart:

    * systemd-repart's drop-in files gained a new ExcludeFiles= option which
      may be used to exclude certain files from the effect of CopyFiles=.

    * systemd-repart's Verity support now implements the Minimize= setting
      to minimize the size of the resulting partition.

    * systemd-repart gained a new --offline= switch, which may be used to
      control whether images shall be built "online" or "offline",
      i.e. whether to make use of kernel facilities such as loopback block
      devices and device mapper or not.

    * If systemd-repart is told to populate a newly created ESP or XBOOTLDR
      partition with some files, it will now default to VFAT rather than
      ext4.

    * systemd-repart gained a new --architecture= switch. If specified, the
      per-architecture GPT partition types (i.e. the root and /usr/
      partitions) configured in the partition drop-in files are
      automatically adjusted to match the specified CPU architecture, in
      order to simplify cross-architecture DDI building.

    * systemd-repart will now default to a minimum size of 300MB for XFS
      filesystems if no size parameter is specified. This matches what the
      XFS tools (xfsprogs) can support.

systemd-boot, systemd-stub, ukify, bootctl, kernel-install:

    * gnu-efi is no longer required to build systemd-boot and systemd-stub.
      Instead, pyelftools is now needed, and it will be used to perform the
      ELF -> PE relocations at build time.

    * bootctl gained a new switch --print-root-device/-R that prints the
      block device the root file system is backed by. If specified twice,
      it returns the whole disk block device (as opposed to partition block
      device) the root file system is on. It's useful for invocations such
      as "cfdisk $(bootctl -RR)" to quickly show the partition table of the
      running OS.

    * systemd-stub will now look for the SMBIOS Type 1 field
      "io.systemd.stub.kernel-cmdline-extra" and append its value to the
      kernel command line it invokes. This is useful for VMMs such as qemu
      to pass additional kernel command lines into the system even when
      booting via full UEFI. The contents of the field are measured into
      TPM PCR 12.

    * The KERNEL_INSTALL_LAYOUT= setting for kernel-install gained a new
      value "auto". With this value, a kernel will be automatically
      analyzed, and if it qualifies as UKI, it will be installed as if the
      setting was set to "uki", otherwise as "bls".

    * systemd-stub can now optionally load UEFI PE "add-on" images that may
      contain additional kernel command line information. These "add-ons"
      superficially look like a regular UEFI executable, and are expected
      to be signed via SecureBoot/shim. However, they do not actually
      contain code, but instead a subset of the PE sections that UKIs
      support. They are supposed to provide a way to extend UKIs with
      additional resources in a secure and authenticated way. Currently,
      only the .cmdline PE section may be used in add-ons, in which case
      any specified string is appended to the command line embedded into
      the UKI itself. A new 'addon<EFI-ARCH>.efi.stub' is now provided that
      can be used to trivially create addons, via 'ukify' or 'objcopy'. In
      the future we expect other sections to be made extensible like this as
      well.

    * ukify has been updated to allow building these UEFI PE "add-on"
      images, using the new 'addon<EFI-ARCH>.efi.stub'.

    * ukify gained a new "genkey" verb for generating a set of key pairs
      to sign UKIs and their PCR data with.

    * ukify now accepts SBAT information to place in the .sbat PE section
      of UKIs and addons. If a UKI is built the SBAT information from the
      inner kernel is merged with any SBAT information associated with
      systemd-stub and the SBAT data specified on the ukify command line.

    * The kernel-install script has been rewritten in C, and reuses much of
      the infrastructure of existing tools such as bootctl. It also gained
      --esp-path= and --boot-path= options to override the path to the ESP,
      and the $BOOT partition. Options --make-entry-directory= and
      --entry-token= have been added as well, similar to bootctl's options
      of the same name.

    * A new kernel-install plugin 60-ukify has been added which will
      combine kernel/initrd locally into a UKI and optionally sign them
      with a local key. This may be used to switch to UKI mode even on
      systems where a local kernel or initrd is used. (Typically UKIs are
      built and signed by the vendor.)

    * The ukify tool now supports "pesign" in addition to the pre-existing
      "sbsign" for signing UKIs.

    * systemd-measure and systemd-stub now look for the .uname PE section
      that should contain the kernel's "uname -r" string.

    * systemd-measure and ukify now calculate expected PCR hashes for a UKI
      "offline", i.e. without access to a TPM (physical or
      software-emulated).

Memory Pressure & Control:

    * The sd-event API gained new calls sd_event_add_memory_pressure(),
      sd_event_source_set_memory_pressure_type(),
      sd_event_source_set_memory_pressure_period() to create and configure
      an event source that is called whenever the OS signals memory
      pressure. Another call sd_event_trim_memory() is provided that
      compacts the process' memory use by releasing allocated but unused
      malloc() memory back to the kernel. Services can also provide their
      own custom callback to do memory trimming. This should improve system
      behaviour under memory pressure, as Linux traditionally provided
      no mechanism to return process memory back to the kernel if the
      kernel was under memory pressure. This makes use of the kernel's PSI
      interface. Most long-running services in systemd have been hooked up
      with this, and in particular systems with low memory should benefit
      from this.

    * Service units gained new settings MemoryPressureWatch= and
      MemoryPressureThresholdSec= to configure the PSI memory pressure
      logic individually. If these options are used, the
      $MEMORY_PRESSURE_WATCH and $MEMORY_PRESSURE_WRITE environment
      variables will be set for the invoked processes to inform them about
      the requested memory pressure behaviour. (This is used by the
      aforementioned sd-event API additions, if set.)

    * systemd-analyze gained a new "malloc" verb that shows the output
      generated by glibc's malloc_info() on services that support it. Right
      now, only the service manager has been updated accordingly. This
      call requires privileges.

User & Session Management:

    * The sd-login API gained a new call sd_session_get_username() to
      return the user name of the owner of a login session. It also gained
      a new call sd_session_get_start_time() to retrieve the time the login
      session started. A new call sd_session_get_leader() has been added to
      return the PID of the "leader" process of a session. A new call
      sd_uid_get_login_time() returns the time since the specified user has
      most recently been continuously logged in with at least one session.

    * JSON user records gained a new set of fields capabilityAmbientSet and
      capabilityBoundingSet which contain a list of POSIX capabilities to
      set for the logged in users in the ambient and bounding sets,
      respectively. homectl gained the ability to configure these two sets
      for users via --capability-bounding-set=/--capability-ambient-set=.

    * pam_systemd learnt two new module options
      default-capability-bounding-set= and default-capability-ambient-set=,
      which configure the default bounding sets for users as they are
      logging in, if the JSON user record doesn't specify this explicitly
      (see above). The built-in default for the ambient set now contains
      the CAP_WAKE_ALARM, thus allowing regular users who may log in
      locally to resume from a system suspend via a timer.

    * The Session D-Bus objects of systemd-logind gained a new SetTTY() method
      call to update the TTY of a session after it has been allocated. This
      is useful for SSH sessions which are typically allocated first, and
      for which a TTY is added later.

    * The sd-login API gained a new call sd_pid_notifyf_with_fds() which
      combines the various other sd_pid_notify() flavours into one: it takes
      a format string, an overriding PID, and a set of file descriptors to
      send. It also gained a new call sd_pid_notify_barrier() which is
      equivalent to sd_notify_barrier() but allows the originating PID to
      be specified.

    * "loginctl list-users" and "loginctl list-sessions" will now show the
      state of each logged in user/session in their tabular output. It will
      also show the current idle state of sessions.

DDIs:

    * systemd-dissect will now show the intended CPU architecture of an
      inspected DDI.

    * systemd-dissect will now install itself as mount helper for the "ddi"
      pseudo-file system type. This means you may now mount DDIs directly
      via /bin/mount or /etc/fstab, making full use of embedded Verity
      information and all other DDI features.

      Example: mount -t ddi myimage.raw /some/where

    * The systemd-dissect tool gained the new switches --attach/--detach to
      attach/detach a DDI to a loopback block device without mounting it.
      It will automatically derive the right sector size from the image
      and set up Verity and similar, but not mount the file systems in it.

    * When systemd-gpt-auto-generator or the DDI mounting logic mount an
      ESP or XBOOTLDR partition the MS_NOSYMFOLLOW mount option is now
      implied. Given that these file systems are typically untrusted, this
      should make mounting them automatically have less of a security
      impact.

    * All tools that parse DDIs (such as systemd-nspawn, systemd-dissect,
      systemd-tmpfiles, …) now understand a new switch --image-policy= which
      takes a string encoding image dissection policy. With this mechanism
      automatic discovery and use of specific partition types and the
      cryptographic requirements on the partitions (Verity, LUKS, …) can be
      restricted, permitting better control of the exposed attack surfaces
      when mounting disk images. systemd-gpt-auto-generator will honour such
      an image policy too, configurable via the systemd.image_policy= kernel
      command line option. Unit files gained the RootImagePolicy=,
      MountImagePolicy= and ExtensionImagePolicy= to configure the same for
      disk images a service runs off.

    * systemd-analyze gained a new verb "image-policy" to validate and
      parse image policy strings.

    * systemd-dissect gained support for a new --validate switch to
      superficially validate DDI structure, and check whether a specific
      image policy allows the DDI.

    * systemd-dissect gained support for a new --mtree-hash switch to
      optionally disable calculating mtree hashes, which can be slow on
      large images.

    * systemd-dissect --copy-to, --copy-from, --list and --mtree switches
      are now able to operate on directories too, other than images.

Network Management:

    * networkd's GENEVE support has gained a new .network option
      InheritInnerProtocol=.

    * The [Tunnel] section in .netdev files has gained a new setting
      IgnoreDontFragment for controlling the IPv4 "DF" flag of datagrams.

    * A new global IPv6PrivacyExtensions= setting has been added that
      selects the default value of the per-network setting of the same
      name.

    * The predictable network interface naming logic will now include
      SR-IOV-R "representor" information in network interface names.

    * The DHCPv4 + DHCPv6 + IPv6 RA logic in networkd gained support for
      the RFC8910 captive portal option.

Device Management:

    * udevadm gained the new "verify" verb for validating udev rules files
      offline.

    * udev gained a new tool "iocost" that can be used to configure QoS IO
      cost data based on hwdb information onto suitable block devices. Also
      see https://github.com/iocost-benchmark/iocost-benchmarks.

TPM2 Support + Disk Encryption & Authentication:

    * systemd-cryptenroll/systemd-cryptsetup will now install a TPM2 SRK
      ("Storage Root Key") as a first step in the TPM2, and then use that
      for binding FDE to, if TPM2 support is used. This matches the
      recommendations of the TCG (see
      https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf).

    * systemd-cryptenroll and other tools that take TPM2 PCR parameters now
      understand textual identifiers for these PCRs.

    * systemd-veritysetup + /etc/veritytab gained support for a series of
      new options: hash-offset=, superblock=, format=, data-block-size=,
      hash-block-size=, data-blocks=, salt=, uuid=, hash=, fec-device=,
      fec-offset=, fec-roots= to configure various aspects of a Verity
      volume.

    * systemd-cryptsetup + /etc/crypttab gained support for a new
      veracrypt-pim= option for setting the Personal Iteration Multiplier
      of veracrypt volumes.

    * systemd-integritysetup + /etc/integritytab gained support for a new
      mode= setting for controlling the dm-integrity mode (journal, bitmap,
      direct) for the volume.

    * systemd-analyze gained a new verb "pcrs" that shows the known TPM PCR
      registers, their symbolic names and current values.

systemd-tmpfiles:

    * The ACL support in tmpfiles.d/ has been updated: if an uppercase "X"
      access right is specified this is equivalent to "x" but only if the
      inode in question already has the executable bit set for at least
      some user/group. Otherwise the "x" bit will be turned off.

    * tmpfiles.d/'s C line type now understands a new modifier "+": a line
      with C+ will result in a "merge" copy, i.e. all files of the source
      tree are copied into the target tree, even if that tree already
      exists, resulting in a combined tree of files already present in the
      target tree and those copied in.

    * systemd-tmpfiles gained a new --graceful switch. If specified, lines
      with unknown users/groups will silently be skipped.

systemd-notify:

    * systemd-notify gained two new options --fd= and --fdname= for sending
      arbitrary file descriptors to the service manager (while specifying an
      explicit name for it).

    * systemd-notify gained a new --exec switch, which makes it execute the
      specified command line after sending the requested messages. This is
      useful for sending out READY=1 first, and then continuing invocation
      without changing process ID, so that the tool can be nicely used
      within an ExecStart= line of a unit file that uses Type=ready.

sd-event + sd-bus APIs:

    * The sd-event API gained a new call sd_event_source_leave_ratelimit()
      which may be used to explicitly end a rate-limit state an event
      source might be in, resetting all rate limiting counters.

    * When the sd-bus library is used to make connections to AF_UNIX D-Bus
      sockets, it will now encode the "description" set via
      sd_bus_set_description() into the source socket address. It will also
      look for this information when accepting a connection. This is useful
      to track individual D-Bus connections on a D-Bus broker for debug
      purposes.

systemd-resolved:

    * systemd-resolved gained a new resolved.conf setting
      StateRetentionSec= which may be used to retain cached DNS records
      even after their nominal TTL, and use them in case upstream DNS
      servers cannot be reached. This can be used to make name resolution
      more resilient in case of network problems.

    * resolvectl gained a new verb "show-cache" to show the current cache
      contents of systemd-resolved. This verb communicates with the
      systemd-resolved daemon and requires privileges.

Other:

    * Meson >= 0.60.0 is now required to build systemd.

    * The default keymap to apply may now be chosen at build-time via the
      new -Ddefault-keymap= meson option.

    * Most of systemd's long-running services now have a generic handler
      for the SIGRTMIN+18 signal which executes various operations
      depending on the sigqueue() parameter sent along. For example, values
      0x100…0x107 allow changing the maximum log level of such
      services. 0x200…0x203 allow changing the log target of such
      services. 0x300 makes the services trim their memory similarly to the
      automatic PSI-triggered action, see above. 0x301 makes the services
      output their malloc_info() data to the logs.
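
      The queued-signal mechanism from the two items above (the
      QueueSignalUnit()/--kill-value= item in the Service Manager section,
      and the SIGRTMIN+18 value ranges here), as an added example rather
      than systemd's own code: a decoder for the value ranges listed on this
      page plus a sigqueue()/sigwaitinfo() round trip that shows how the
      integer reaches the receiving process. How the offset within a range
      maps to a concrete log level or log target is not stated here and is
      an assumption of the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

/* The control signal the release notes describe for long-running services. */
#define CONTROL_SIGNAL (SIGRTMIN + 18)

enum control_action {
    ACTION_UNKNOWN = 0,
    ACTION_SET_LOG_LEVEL,    /* values 0x100..0x107 */
    ACTION_SET_LOG_TARGET,   /* values 0x200..0x203 */
    ACTION_TRIM_MEMORY,      /* value 0x300 */
    ACTION_DUMP_MALLOC_INFO  /* value 0x301 */
};

struct decoded_control {
    enum control_action action;
    int argument; /* offset within the level/target range, 0 otherwise (assumed meaning) */
};

/* Pure decoder for the sigqueue() value, following the ranges in the
 * release notes. Treating the offset within a range as the selected log
 * level or log target index is an assumption of this example. */
struct decoded_control decode_control_value(int value) {
    struct decoded_control d = { ACTION_UNKNOWN, 0 };

    if (value >= 0x100 && value <= 0x107) {
        d.action = ACTION_SET_LOG_LEVEL;
        d.argument = value - 0x100;
    } else if (value >= 0x200 && value <= 0x203) {
        d.action = ACTION_SET_LOG_TARGET;
        d.argument = value - 0x200;
    } else if (value == 0x300) {
        d.action = ACTION_TRIM_MEMORY;
    } else if (value == 0x301) {
        d.action = ACTION_DUMP_MALLOC_INFO;
    }
    return d;
}

/* Queue CONTROL_SIGNAL carrying `value` to our own process (the system
 * call behind "systemctl kill --kill-value=") and receive it synchronously
 * with sigwaitinfo(). Returns the delivered value, or -1 on error.
 * Blocking the signal first keeps it pending instead of letting the
 * default disposition terminate the process. */
int roundtrip_control_value(int value) {
    sigset_t set, old;
    siginfo_t info;
    union sigval sv;
    int received;

    sigemptyset(&set);
    sigaddset(&set, CONTROL_SIGNAL);
    if (sigprocmask(SIG_BLOCK, &set, &old) < 0)
        return -1;

    sv.sival_int = value;
    if (sigqueue(getpid(), CONTROL_SIGNAL, sv) < 0) {
        sigprocmask(SIG_SETMASK, &old, NULL);
        return -1;
    }

    do {
        received = sigwaitinfo(&set, &info);
    } while (received < 0 && errno == EINTR);

    sigprocmask(SIG_SETMASK, &old, NULL);
    if (received != CONTROL_SIGNAL)
        return -1;
    /* si_value carries the integer that was passed to sigqueue(). */
    return info.si_value.sival_int;
}

int main(void) {
    static const int samples[] = { 0x105, 0x202, 0x300, 0x301, 0x42 };
    static const char *names[] = {
        "unknown", "set-log-level", "set-log-target", "trim-memory", "dump-malloc-info"
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int v = roundtrip_control_value(samples[i]);
        struct decoded_control d = decode_control_value(v);
        printf("value 0x%x -> %s (argument %d)\n", v, names[d.action], d.argument);
    }
    return 0;
}
```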

    * machinectl gained new "edit" and "cat" verbs for editing .nspawn
      files, inspired by systemctl's verbs of the same name which edit unit
      files. Similarly, networkctl gained the same verbs for editing
      .network, .netdev and .link files.

    * A new syscall filter group "@sandbox" has been added that contains
      syscalls for sandboxing system calls such as those for seccomp and
      Landlock.

    * New documentation has been added:

      https://systemd.io/COREDUMP
      https://systemd.io/MEMORY_PRESSURE
      smbios-type-11(7)

    * systemd-firstboot gained a new --reset option. If specified, the
      settings in /etc/ it knows how to initialize are reset.

    * systemd-sysext is now a multi-call binary and is also installed under
      the systemd-confext alias name (via a symlink). When invoked that way
      it will operate on /etc/ instead of /usr/ + /opt/. It thus becomes a
      powerful, atomic, secure configuration management of sorts, that
      locally can merge configuration from multiple confext configuration
      images into a single immutable tree.

    * The --network-macvlan=, --network-ipvlan=, --network-interface=
      switches of systemd-nspawn may now optionally take the intended name
      of the network interface inside the container.

    * All our programs will now send an sd_notify() message with their exit
      status in the EXIT_STATUS= field when exiting, using the usual
      protocol, including PID 1. This is useful for VMMs and container
      managers to collect an exit status from a system as it shuts down, as
      set via "systemctl exit …". This is particularly useful in test cases
      and similar, as invocations via a VM can now nicely propagate an exit
      status to the host, similar to local processes.
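
      The notification exchange behind the EXIT_STATUS= field, as an added
      example that is not systemd's or libsystemd's code: a minimal sender
      for the sd_notify() datagram protocol and a supervisor-side receiver
      that parses the KEY=VALUE lines and extracts the exit status. The
      temporary socket path and the sample message are constructed for the
      demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send one notification datagram to the AF_UNIX socket at `path` (the
 * role $NOTIFY_SOCKET plays for a real service). Returns 0 on success. */
int notify_send(const char *path, const char *message) {
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    size_t len = strlen(message);
    int fd, r = -1;

    if (strlen(path) >= sizeof(addr.sun_path))
        return -1;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    if (sendto(fd, message, len, MSG_NOSIGNAL,
               (struct sockaddr *) &addr, sizeof(addr)) == (ssize_t) len)
        r = 0;
    close(fd);
    return r;
}

/* Parse the newline-separated KEY=VALUE lines of one notification
 * datagram. Returns the EXIT_STATUS= value (0..255), or -1 if the field
 * is missing or malformed. Fields the receiver does not know (here
 * STATUS=) are skipped, as the protocol expects of a receiver. */
int parse_exit_status(const char *datagram, size_t len) {
    const char *p = datagram, *end = datagram + len;
    int status = -1;

    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t) (end - p));
        size_t line_len = nl ? (size_t) (nl - p) : (size_t) (end - p);
        if (line_len > 12 && memcmp(p, "EXIT_STATUS=", 12) == 0) {
            char buf[8] = { 0 };
            char *tail;
            long v;
            if (line_len - 12 >= sizeof(buf))
                return -1;
            memcpy(buf, p + 12, line_len - 12);
            v = strtol(buf, &tail, 10);
            if (tail == buf || *tail != '\0' || v < 0 || v > 255)
                return -1;
            status = (int) v;
        }
        p += line_len + 1; /* skip the line and its newline */
    }
    return status;
}

/* Both ends of the exchange in one process: bind a supervisor socket in
 * a fresh temporary directory (constructed for the demo), have the
 * "exiting" side send its status, and return what the supervisor
 * decoded. Returns -1 on any failure. */
int demo_exit_status_roundtrip(int exit_status) {
    char dir[] = "/tmp/notify-demo-XXXXXX";
    char path[108]; /* same size as sockaddr_un.sun_path */
    char message[64], buf[256];
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd = -1, result = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof(path), "%s/notify", dir);
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *) &addr, sizeof(addr)) == 0) {
        /* The message a shutting-down system or service would emit. */
        snprintf(message, sizeof(message),
                 "STATUS=Shutting down\nEXIT_STATUS=%d\n", exit_status);
        if (notify_send(path, message) == 0) {
            ssize_t n = recv(fd, buf, sizeof(buf), 0);
            if (n > 0)
                result = parse_exit_status(buf, (size_t) n);
        }
    }
    if (fd >= 0)
        close(fd);
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void) {
    int s = demo_exit_status_roundtrip(3);
    printf("supervisor decoded EXIT_STATUS=%d\n", s);
    return s == 3 ? 0 : 1;
}
```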

    * systemd-run gained a new switch --expand-environment=no to disable
      server-side environment variable expansion in specified command
      lines. Expansion defaults to enabled for all execution types except
      --scope, where it defaults to off (and prints a warning) for backward
      compatibility reasons. --scope will be flipped to default enabled too
      in a future release, so if you are using --scope and passing a '$'
      character in the payload you should start explicitly using
      --expand-environment=yes/no according to the use case.

    * The systemd-system-update-generator has been updated to also look for
      the special flag file /etc/system-update in addition to the existing
      support for /system-update to decide whether to enter system update
      mode.

    * The /dev/hugepages/ file system is now mounted with nosuid + nodev
      mount options by default.

    * systemd-fstab-generator now understands two new kernel command line
      options systemd.mount-extra= and systemd.swap-extra=, which configure
      additional mounts or swaps in a format similar to /etc/fstab. 'fsck'
      will be run on these block devices, as already happens for
      'root='. It also now supports the new fstab.extra and
      fstab.extra.initrd credentials that may contain additional /etc/fstab
      lines to apply at boot.

    * systemd-getty-generator now understands two new credentials
      getty.ttys.container and getty.ttys.serial. These credentials may
      contain a list of TTY devices – one per line – to instantiate
      container-getty@.service and serial-getty@.service on.

    * The getty/serial-getty/container-getty units now import the 'agetty.*'
      and 'login.*' credentials, which are consumed by the 'login' and
      'agetty' programs starting from util-linux v2.40.

    * systemd-sysupdate's sysupdate.d/ drop-ins gained a new setting
      PathRelativeTo=, which can be set to "esp", "xbootldr", "boot", in
      which case the Path= setting is taken relative to the ESP or XBOOTLDR
      partitions, rather than the system's root directory /. The relevant
      directories are automatically discovered.

    * The systemd-ac-power tool gained a new switch --low, which reports
      whether the battery charge is considered "low", similar to how the
      s2h suspend logic checks this state to decide whether to enter system
      suspend or hibernation.

    * The /etc/os-release file can now have two new optional fields
      VENDOR_NAME= and VENDOR_URL= to carry information about the vendor of
      the OS.

    * When the system hibernates, information about the device and offset
      used is now written to a non-volatile EFI variable. On next boot the
      system will attempt to resume from the location indicated in this EFI
      variable. This should make hibernation a lot more robust, while
      requiring no manual configuration of the resume location.

    * The $XDG_STATE_HOME environment variable (added in more recent
      versions of the XDG basedir specification) is now honoured to
      implement the StateDirectory= setting in user services.

    * A new component "systemd-battery-check" has been added. It may run
      during early boot (usually in the initrd), and checks the battery
      charge level of the system. In case the charge level is very low the
      user is notified (graphically via Plymouth – if available – as well
      as in text form on the console), and the system is turned off after a
      10s delay. The feature can be disabled by passing
      systemd.battery-check=0 through the kernel command line.

    * The 'passwdqc' library is now supported as an alternative to the
      'pwquality' library and it can be selected at build time.

Contributors

    Contributions from: 김인수, 07416, Addison Snelling, Adrian Vovk,
    Aidan Dang, Alexander Krabler, Alfred Klomp, Anatoli Babenia,
    Andrei Stepanov, Andrew Baxter, Antonio Alvarez Feijoo,
    Arian van Putten, Arthur Shau, A S Alam,
    Asier Sarasua Garmendia, Balló György, Bastien Nocera,
    Benjamin Herrenschmidt, Benjamin Raison, Bill Peterson,
    Brad Fitzpatrick, Brett Holman, bri, Chen Qi, Chitoku,
    Christian Hesse, Christoph Anton Mitterer, Christopher Gurnee,
    Colin Walters, Cornelius Hoffmann, Cristian Rodríguez, cunshunxia,
    cvlc12, Cyril Roelandt, Daan De Meyer, Daniele Medri,
    Daniel P. Berrangé, Daniel Rusek, Dan Streetman, David Edmundson,
    David Schroeder, David Tardon, dependabot[bot],
    Dimitri John Ledkov, Dmitrii Fomchenkov, Dmitry V. Levin, dmkUK,
    Dominique Martinet, don bright, drosdeck, Edson Juliano Drosdeck,
    Egor Ignatov, EinBaum, Emanuele Giuseppe Esposito, Eric Curtin,
    Erik Sjölund, Evgeny Vereshchagin, Florian Klink, Franck Bui,
    François Rigault, Fran Diéguez, Franklin Yu, Frantisek Sumsal,
    Fuminobu TAKEYAMA, Gaël PORTAY, Gerd Hoffmann, Gertalitec,
    Gibeom Gwon, Gustavo Noronha Silva, Hannu Lounento,
    Hans de Goede, Haochen Tong, HATAYAMA Daisuke, Henrik Holst,
    Hoe Hao Cheng, Igor Tsiglyar, Ivan Vecera, James Hilliard,
    Jan Engelhardt, Jan Janssen, Jan Luebbe, Jan Macku, Janne Sirén,
    jcg, Jeidnx, Joan Bruguera, Joerg Behrmann, jonathanmetzman,
    Jordan Rome, Josef Miegl, Joshua Goins, Joyce, Joyce Brum,
    Juno Computers, Kai Lueke, Kevin P. Fleming, Kiran Vemula, Klaus,
    Klaus Zipfel, Lawrence Thorpe, Lennart Poettering, licunlong,
    Lily Foster, Luca Boccassi, Ludwig Nussel, Luna Jernberg,
    maanyagoenka, Maanya Goenka, Maksim Kliazovich, Malte Poll,
    Marko Korhonen, Masatake YAMATO, Mateusz Poliwczak, Matt Johnston,
    Miao Wang, Micah Abbott, Michael A Cassaniti, Michal Koutný,
    Michal Sekletár, Mike Yuan, mooo, Morten Linderud, msizanoen,
    Nick Rosbrook, nikstur, Olivier Gayot, Omojola Joshua,
    Paolo Velati, Paul Barker, Pavel Borecki, Petr Menšík,
    Philipp Kern, Philip Withnall, Piotr Drąg, Quintin Hill,
    Rene Hollander, Richard Phibel, Robert Meijers, Robert Scheck,
    Roger Gammans, Romain Geissler, Ronan Pigott, Russell Harmon,
    saikat0511, Samanta Navarro, Sam James, Sam Morris,
    Simon Braunschmidt, Sjoerd Simons, Sorah Fukumori,
    Stanislaw Gruszka, Stefan Roesch, Steven Luo, Steve Ramage,
    Susant Sahani, taniishkaaa, Tanishka, Temuri Doghonadze,
    Thierry Martin, Thomas Blume, Thomas Genty, Thomas Weißschuh,
    Thorsten Kukuk, Times-Z, Tobias Powalowski, tofylion,
    Topi Miettinen, Uwe Kleine-König, Velislav Ivanov,
    Vitaly Kuznetsov, Vít Zikmund, Weblate, Will Fancher,
    William Roberts, Winterhuman, Wolfgang Müller, Xeonacid,
    Xiaotian Wu, Xi Ruoyao, Yuri Chornoivan, Yu Watanabe, Yuxiang Zhu,
    Zbigniew Jędrzejewski-Szmek, zhmylove, ZjYwMj,
    Дамјан Георгиевски, наб

    — Edinburgh, 2023-07-28
systemd - systemd v253

Published by bluca over 1 year ago

systemd System and Service Manager

CHANGES WITH 253:

Announcements of Future Feature Removals and Incompatible Changes:

    * We intend to remove cgroup v1 support from a systemd release after the
      end of 2023. If you run services that make explicit use of cgroup v1
      features (i.e. the "legacy hierarchy" with separate hierarchies for
      each controller), please implement compatibility with cgroup v2 (i.e.
      the "unified hierarchy") sooner rather than later. Most of Linux
      userspace has been ported over already.

    * We intend to remove support for split-usr (/usr mounted separately
      during boot) and unmerged-usr (parallel directories /bin and
      /usr/bin, /lib and /usr/lib, etc). This will happen in the second
      half of 2023, in the first release that falls into that time window.
      For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

    * We intend to change behaviour w.r.t. units of the per-user service
      manager and sandboxing options, so that they work without having to
      manually enable PrivateUsers= as well, which is not required for
      system units. To make this work, we will implicitly enable user
      namespaces (PrivateUsers=yes) when a sandboxing option is enabled in a
      user unit. The drawback is that system users will no longer be visible
      (and appear as 'nobody') to the user unit when a sandboxing option is
      enabled. By definition a sandboxed user unit should run with reduced
      privileges, so impact should be small. This will remove a great source
      of confusion that has been reported by users over the years, due to
      how these options require an extra setting to be manually enabled when
      used in the per-user service manager, as opposed to the system
      service manager. We plan to enable this change in the next release
      later this year. For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html

Deprecations and incompatible changes:

    * systemctl will now warn when invoked without /proc/ mounted
      (e.g. when invoked after chroot() into a directory tree without the
      API mount points like /proc/ being set up.)  Operation in such an
      environment is not fully supported.

    * The return value of 'systemctl is-active|is-enabled|is-failed' for
      unknown units is changed: previously 1 or 3 were returned, but now 4
      (EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented.

    * 'udevadm hwdb' subcommand is deprecated and will emit a warning.
      systemd-hwdb (added in 2014) should be used instead.

    * 'bootctl --json' now outputs a single JSON array, instead of a stream
      of newline-separated JSON objects.

    * Udev rules in 60-evdev.rules have been changed to load hwdb
      properties for all modalias patterns. Previously only the first
      matching pattern was used. This could change what properties are
      assigned if the user has more and less specific patterns that could
      match the same device, but it is expected that the change will have
      no effect for most users.

    * systemd-networkd-wait-online exits successfully when all interfaces
      are ready or unmanaged. Previously, if neither '--any' nor
      '--interface=' options were used, at least one interface had to be in
      configured state. This change allows the case where systemd-networkd
      is enabled, but no interfaces are configured, to be handled
      gracefully. It may occur in particular when a different network
      manager is also enabled and used.

    * Some compatibility helpers were dropped: EmergencyAction= in the user
      manager, as well as measuring kernel command line into PCR 8 in
      systemd-stub, along with the -Defi-tpm-pcr-compat compile-time
      option.

    * The '-Dupdate-helper-user-timeout=' build-time option has been
      renamed to '-Dupdate-helper-user-timeout-sec=', and now takes an
      integer as parameter instead of a string.

    * The DDI image dissection logic (which backs RootImage= in service
      unit files, the --image= switch in various tools such as
      systemd-nspawn, as well as systemd-dissect) will now only mount file
      systems of types btrfs, ext4, xfs, erofs, squashfs, vfat. This list
      can be overridden via the $SYSTEMD_DISSECT_FILE_SYSTEMS environment
      variable. These file systems are fairly well supported and maintained
      in current kernels, while others are usually more niche, exotic or
      legacy and thus typically do not receive the same level of security
      support and fixes.

    * The default per-link multicast DNS mode is changed to "yes"
      (previously "no"). As the default global multicast DNS mode has
      been "yes" (but can be changed by the build option), multicast DNS
      is now enabled on all links by default. You can disable multicast
      DNS on all links by setting MulticastDNS= in resolved.conf, or on an
      interface by calling "resolvectl mdns INTERFACE no".

New components:

    * A new tool 'ukify' to build, measure, and sign Unified Kernel Images
      (UKIs) has been added. This replaces functionality provided by
      'dracut --uefi' and extends it with automatic calculation of PE file
      offsets, insertion of signed PCR policies generated by
      systemd-measure, support for initrd concatenation, signing of the
      embedded Linux image and the combined image with sbsign, and
      heuristics to autodetect the kernel uname and verify the splash
      image.

Changes in systemd and units:

    * A new service type Type=notify-reload is defined. When such a unit is
      reloaded a UNIX process signal (typically SIGHUP) is sent to the main
      service process. The manager will then wait until it receives a
      "RELOADING=1" followed by a "READY=1" notification from the unit in
      response (via sd_notify()). Otherwise, this type is the same as
      Type=notify. A new setting ReloadSignal= may be used to change the
      signal to send from the default of SIGHUP.

      user@.service, systemd-networkd.service, systemd-udevd.service, and
      systemd-logind have been updated to this type.

    * Initrd environments which are not on a pure memory file system (e.g.
      overlayfs combination as opposed to tmpfs) are now supported. With
      this change, during the initrd → host transition ("switch root")
      systemd will erase all files of the initrd only when the initrd is
      backed by a memory file system such as tmpfs.

    * New per-unit MemoryZSwapMax= option has been added to configure
      memory.zswap.max cgroup properties (the maximum amount of zswap
      used).

    * A new LogFilterPatterns= option has been added for units. It may be
      used to specify accept/deny regular expressions for log messages
      generated by the unit, that shall be enforced by systemd-journald.
      Rejected messages are neither stored in the journal nor forwarded.
      This option may be used to suppress noisy or uninteresting messages
      from units.
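
The accept/deny semantics of LogFilterPatterns= are easy to get wrong, so here is a small model of them as an added example; it is not systemd's code, and the unit fragment in its header comment is hypothetical. It uses POSIX ERE from <regex.h> where journald uses pcre2, and runs a three-pattern filter over constructed sample messages. A deny pattern that happens to match authentication or audit messages removes them both from the journal and from forwarding, so deny patterns are best kept narrow and anchored.

```c
/* Added example, not systemd's code: a model of how systemd-journald applies a
 * unit's LogFilterPatterns= list. The demo below corresponds to this
 * hypothetical unit fragment:
 *   [Service]
 *   LogFilterPatterns=~^DEBUG:
 *   LogFilterPatterns=~noise
 *   LogFilterPatterns=^(WARN|ERROR):
 * A leading '~' marks a deny pattern. Deny patterns are tested first and win
 * unconditionally; if any allow patterns exist, a message must match one of
 * them to be kept. POSIX ERE from <regex.h> stands in for journald's pcre2. */
#define _GNU_SOURCE
#include <regex.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATTERNS 8

struct log_filter {
        regex_t allow[MAX_PATTERNS], deny[MAX_PATTERNS];
        size_t n_allow, n_deny;
};

/* Add one LogFilterPatterns= value. Returns 0, or -1 on a bad regex / full list. */
int log_filter_add(struct log_filter *f, const char *pattern) {
        bool deny = pattern[0] == '~';
        size_t *n = deny ? &f->n_deny : &f->n_allow;
        regex_t *slot;

        if (*n >= MAX_PATTERNS)
                return -1;
        slot = deny ? &f->deny[*n] : &f->allow[*n];
        if (regcomp(slot, deny ? pattern + 1 : pattern, REG_EXTENDED | REG_NOSUB) != 0)
                return -1;
        (*n)++;
        return 0;
}

/* true if journald would store/forward the message, false if it is dropped. */
bool log_filter_accepts(const struct log_filter *f, const char *message) {
        for (size_t i = 0; i < f->n_deny; i++)
                if (regexec(&f->deny[i], message, 0, NULL, 0) == 0)
                        return false;           /* a deny match beats every allow */
        if (f->n_allow == 0)
                return true;                    /* no allow-list: keep what survived */
        for (size_t i = 0; i < f->n_allow; i++)
                if (regexec(&f->allow[i], message, 0, NULL, 0) == 0)
                        return true;
        return false;                           /* allow-list set, nothing matched */
}

void log_filter_free(struct log_filter *f) {
        for (size_t i = 0; i < f->n_allow; i++) regfree(&f->allow[i]);
        for (size_t i = 0; i < f->n_deny; i++) regfree(&f->deny[i]);
        f->n_allow = f->n_deny = 0;
}

/* Evaluate one message against a pattern list: 1 = kept, 0 = dropped, -1 = bad pattern. */
int check_message(const char *const *patterns, size_t n_patterns, const char *message) {
        struct log_filter f;
        int kept;

        memset(&f, 0, sizeof f);
        for (size_t i = 0; i < n_patterns; i++)
                if (log_filter_add(&f, patterns[i]) < 0) {
                        log_filter_free(&f);
                        return -1;
                }
        kept = log_filter_accepts(&f, message);
        log_filter_free(&f);
        return kept;
}

/* Runs the three-pattern filter from the header over constructed sample messages
 * and returns how many survive (the WARN and ERROR lines: 2). */
int demo_filter(void) {
        static const char *const patterns[] = { "~^DEBUG:", "~noise", "^(WARN|ERROR):" };
        static const char *const samples[] = {        /* constructed, not real journal data */
                "DEBUG: polling socket",               /* denied by ^DEBUG: */
                "WARN: disk 90% full",                 /* kept */
                "ERROR: authentication failed",        /* kept */
                "INFO: started",                       /* matches no allow pattern */
                "WARN: line noise detected",           /* allowed, but the deny wins */
        };
        int kept = 0;

        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
                int r = check_message(patterns, 3, samples[i]);
                printf("%-30s -> %s\n", samples[i], r == 1 ? "kept" : "dropped");
                kept += r == 1;
        }
        return kept;
}
```

check_message() builds a throwaway filter for a single message, which is convenient for testing a pattern list before putting it into a unit file; a long-running consumer would keep one compiled struct log_filter around instead.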

    * The manager has a new
      org.freedesktop.systemd1.Manager.GetUnitByPIDFD() D-Bus method to
      query process ownership via a PIDFD, which is more resilient against
      PID recycling issues.

    * Scope units now support OOMPolicy=. Login session scopes default to
      OOMPolicy=continue, allowing login scopes to survive the OOM killer
      terminating some processes in the scope.

    * systemd-fstab-generator now supports x-systemd.makefs option for
      /sysroot/ (in the initrd).

    * The maximum rate at which daemon reloads are executed can now be
      limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
      options. (Or the equivalent on the kernel command line:
      systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=). In
      addition, systemd now logs the originating unit and PID when a reload
      request is received over D-Bus.

    * When enabling a swap device systemd will now reinitialize the device
      when the page size of the swap space does not match the page size of
      the running kernel. Note that this requires the 'swapon' utility to
      provide the '--fixpgsz' option, as implemented by util-linux, and it
      is not supported by busybox at the time of writing.

    * systemd now executes generator programs in a mount namespace
      "sandbox" with most of the file system read-only and write access
      restricted to the output directories, and with a temporary /tmp/
      mount provided. This provides a safeguard against programming errors
      in the generators, but also fixes here-docs in shells, which
      previously didn't work in early boot when /tmp/ wasn't available
      yet. (This feature has no security implications, because the code is
      still privileged and can trivially exit the sandbox.)

    * The system manager will now parse a new "vmm.notify_socket"
      system credential, which may be supplied to a VM via SMBIOS. If
      found, the manager will send a "READY=1" notification on the
      specified socket after boot is complete. This allows readiness
      notification to be sent from a VM guest to the VM host over a VSOCK
      socket.

    * The sample PAM configuration file for user@.service now
      includes a call to pam_namespace. This puts children of user@.service
      in the expected namespace. (Many distributions replace their file
      with something custom, so this change has limited effect.)

    * A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST
      can be used to override the mount units burst rate limit for
      parsing '/proc/self/mountinfo', which was introduced in v249.
      Defaults to 5.

    * Drop-ins for init.scope changing control group resource limits are
      now applied, while they were previously ignored.

    * New build-time configuration options '-Ddefault-timeout-sec=' and
      '-Ddefault-user-timeout-sec=' have been added, to let distributions
      choose the default timeout for starting/stopping/aborting system and
      user units respectively.

    * Service units gained a new setting OpenFile= which may be used to
      open arbitrary files in the file system (or connect to arbitrary
      AF_UNIX sockets in the file system), and pass the open file
      descriptor to the invoked process via the usual file descriptor
      passing protocol. This is useful to give unprivileged services access
      to select files which have restrictive access modes that would
      normally not allow this. It's also useful in case RootDirectory= or
      RootImage= is used to allow access to files from the host environment
      (which is after all not visible from the service if these two options
      are used.)
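
As an added example (not systemd's own code) of the receiving side of OpenFile=, the following locates a file descriptor the manager passed by name and reads it; the unit fragment in the header comment is hypothetical, and the environment handling is a minimal stand-in for sd_listen_fds_with_names() from libsystemd. The self-test plays the manager's part with a constructed temp file.

```c
/* Added example, not systemd's code: the receiving side of OpenFile=. Assumed
 * unit fragment (hypothetical):
 *   [Service]
 *   DynamicUser=yes
 *   OpenFile=/etc/app/secret.conf:secret:read-only
 *   ExecStart=/usr/bin/app
 * The manager opens the file itself and hands the descriptor over with the usual
 * fd-passing protocol ($LISTEN_PID, $LISTEN_FDS, colon-separated $LISTEN_FDNAMES,
 * descriptors from 3 upwards), so the service needs no permission on the path.
 * This is a minimal stand-in for sd_listen_fds_with_names() from libsystemd. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LISTEN_FDS_START 3

/* Number of fds the manager passed to *this* process (0 if none or not for us). */
int listen_fds(void) {
        const char *pid = getenv("LISTEN_PID"), *fds = getenv("LISTEN_FDS");
        long n;

        if (!pid || !fds || (pid_t) strtol(pid, NULL, 10) != getpid())
                return 0;        /* unset, or inherited from a parent process */
        n = strtol(fds, NULL, 10);
        return n > 0 ? (int) n : 0;
}

/* Returns the fd whose LISTEN_FDNAMES entry equals name, or -1. */
int find_named_fd(const char *name) {
        int n = listen_fds();
        const char *p = getenv("LISTEN_FDNAMES");
        size_t name_len = strlen(name);

        if (n <= 0 || !p)
                return -1;
        for (int idx = 0; idx < n; idx++) {
                const char *colon = strchr(p, ':');
                size_t len = colon ? (size_t) (colon - p) : strlen(p);

                if (len == name_len && memcmp(p, name, len) == 0)
                        return LISTEN_FDS_START + idx;
                if (!colon)
                        break;
                p = colon + 1;
        }
        return -1;
}

/* Read up to size-1 bytes from a passed fd into buf, NUL-terminated; -1 on error. */
ssize_t read_passed_file(int fd, char *buf, size_t size) {
        size_t total = 0;

        while (total < size - 1) {
                ssize_t r = read(fd, buf + total, size - 1 - total);
                if (r < 0)
                        return -1;
                if (r == 0)
                        break;
                total += (size_t) r;
        }
        buf[total] = '\0';
        return (ssize_t) total;
}

/* Self-test playing the manager's role: writes a constructed temp file, installs
 * it as fd 3 at offset 0 and exports the LISTEN_* variables. Returns 0 on success. */
int selftest_openfile(void) {
        static const char payload[] = "token=constructed-example\n";
        char path[] = "/tmp/openfile-demo-XXXXXX", pidstr[32], buf[128];
        int tmp = mkstemp(path), ok;

        if (tmp < 0)
                return -1;
        if (write(tmp, payload, sizeof payload - 1) != (ssize_t) (sizeof payload - 1))
                return -2;
        lseek(tmp, 0, SEEK_SET);
        if (tmp != LISTEN_FDS_START) {
                if (dup2(tmp, LISTEN_FDS_START) < 0)
                        return -3;
                close(tmp);
        }
        snprintf(pidstr, sizeof pidstr, "%d", (int) getpid());
        setenv("LISTEN_PID", pidstr, 1);
        setenv("LISTEN_FDS", "1", 1);
        setenv("LISTEN_FDNAMES", "secret", 1);
        ok = find_named_fd("secret") == LISTEN_FDS_START
             && find_named_fd("other") == -1
             && read_passed_file(LISTEN_FDS_START, buf, sizeof buf) == (ssize_t) (sizeof payload - 1)
             && strcmp(buf, payload) == 0;
        close(LISTEN_FDS_START);
        unlink(path);
        unsetenv("LISTEN_PID");      /* as sd_listen_fds(unset_environment=1) would do */
        unsetenv("LISTEN_FDS");
        unsetenv("LISTEN_FDNAMES");
        return ok ? 0 : -4;
}
```

The LISTEN_PID comparison matters: without it a child the service spawns would treat the inherited variables as its own and read a descriptor it was never meant to see, which is why sd_listen_fds() also offers to clear the variables once they have been consumed.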

Changes in udev:

    * The new net naming scheme "v253" has been introduced. In the new
      scheme, ID_NET_NAME_PATH is also set for USB devices not connected via
      a PCI bus. This extends the coverage of predictable interface names
      in some embedded systems.

      The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
      a more informative path on some embedded systems.

    * Partition block devices will now also get symlinks in
      /dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
      block device nodes via the kernel's "diskseq" value. Previously those
      symlinks were only created for the main block device.

    * A new operator '-=' is supported for SYMLINK variables. This allows
      symlinks to be unconfigured even if an earlier rule added them.

    * 'udevadm trigger --settle' now also works for network devices
      that are being renamed.

Changes in sd-boot, bootctl, and the Boot Loader Specification:

    * systemd-boot now passes its random seed directly to the kernel's RNG
      via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which
      means the RNG gets seeded very early in boot before userspace has
      started.

    * systemd-boot will pass a disk-backed random seed – even when secure
      boot is enabled – if it can additionally get a random seed from EFI
      itself (via EFI's RNG protocol), or a prior seed in
      LINUX_EFI_RANDOM_SEED_TABLE_GUID from a preceding bootloader.

    * systemd-boot-system-token.service was renamed to
      systemd-boot-random-seed.service and extended to always save a random
      seed to ESP on every boot when a compatible boot loader is used. This
      allows a refreshed random seed to be used in the boot loader.

    * systemd-boot handles various seed inputs using a domain- and
      field-separated hashing scheme.

    * systemd-boot's 'random-seed-mode' option has been removed. A system
      token is now always required to be present for random seeds to be
      used.

    * systemd-boot now supports being loaded from other locations than the
      ESP, for example for direct kernel boot under QEMU or when embedded
      into the firmware.

    * systemd-boot now parses SMBIOS information to detect
      virtualization. This information is used to skip some warnings which
      are not useful in a VM and to conditionalize other aspects of
      behaviour.

    * systemd-boot now supports a new 'if-safe' mode that will perform UEFI
      Secure Boot automated certificate enrollment from the ESP only if it
      is considered 'safe' to do so. At the moment 'safe' means running in
      a virtual machine.

    * systemd-stub now processes random seeds in the same way as
      systemd-boot already does, in case a unified kernel image is being
      used from a different bootloader than systemd-boot, or without any
      boot loader at all.

    * bootctl will now generate a system token on all EFI systems, even
      virtualized ones, and is activated when the system token is missing,
      on both sd-boot and sd-stub booted systems.

    * bootctl now implements two new verbs: 'kernel-identify' prints the
      type of a kernel image file, and 'kernel-inspect' provides
      information about the embedded command line and kernel version of
      UKIs.

    * bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
      as for kernel-install.

    * The JSON output of "bootctl list" will now contain two more fields:
      isDefault and isSelected are boolean fields set to true on the
      default and currently booted boot menu entries.

    * bootctl gained a new verb "unlink" for removing a boot loader entry
      type #1 file from disk in a safe and robust way.

    * bootctl also gained a new verb "cleanup" that automatically removes
      all files from the ESP's and XBOOTLDR's "entry-token" directory that
      are not referenced anymore by any installed Type #1 boot loader
      specification entry. This is particularly useful in environments where
      a large number of entries reference the same or partly the same
      resources (for example, for snapshot-based setups).

Changes in kernel-install:

    * A new "installation layout" can be configured as layout=uki. With
      this setting, a Boot Loader Specification Type #1 entry will not be
      created.  Instead, a new kernel-install plugin 90-uki-copy.install
      will copy any .efi files from the staging area into the boot
      partition. A plugin to generate the UKI .efi file must be provided
      separately.

Changes in systemctl:

    * 'systemctl reboot' has dropped support for accepting a positional
      argument as the argument to the reboot(2) syscall. Please use the
      --reboot-argument= option instead.

    * 'systemctl disable' will now warn when called on units without
      install information. A new --no-warn option has been added that
      silences this warning.

    * New option '--drop-in=' can be used to tell 'systemctl edit' the name
      of the drop-in to edit. (Previously, 'override.conf' was always
      used.)

    * 'systemctl list-dependencies' now respects --type= and --state=.

    * 'systemctl kexec' now supports XEN VMM environments.

    * 'systemctl edit' will now tell the invoked editor to jump into the
      first line with actual unit file data, skipping over synthesized
      comments.

Changes in systemd-networkd and related tools:

    * The [DHCPv4] section in .network file gained a new SocketPriority=
      setting that assigns the Linux socket priority used by the DHCPv4 raw
      socket. This may be used in conjunction with the
      EgressQOSMaps= setting in [VLAN] section of .netdev file to send the
      desired ethernet 802.1Q frame priority for DHCPv4 initial
      packets. This cannot be achieved with netfilter mangle tables because
      of the raw socket bypass.

    * The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained a
      new QuickAck= boolean setting that enables the TCP quick ACK mode for
      the routes configured by the acquired DHCPv4 lease or received router
      advertisements (RAs).

    * The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
      routes) now accepts three values, for high, medium, and low preference
      of the router (which can be set with the RouterPreference= setting).

    * systemd-networkd-wait-online now supports matching via alternative
      interface names.

    * The [DHCPv6] section in .network file gained a new SendRelease=
      setting, which makes the DHCPv6 client send a release message when
      it stops. This is the analog of the [DHCPv4] SendRelease= setting.
      It is enabled by default.

    * If the Address= setting in [Network] or [Address] sections in .network
      files is specified without its prefix length, systemd-networkd now
      assumes /32 for IPv4 or /128 for IPv6 addresses.

    * networkctl shows network and link file dropins in status output.

Changes in systemd-dissect:

    * systemd-dissect gained a new option --list, to print the paths of
      all files and directories in a DDI.

    * systemd-dissect gained a new option --mtree, to generate a file
      manifest compatible with BSD mtree(5) of a DDI.

    * systemd-dissect gained a new option --with, to execute a command with
      the specified DDI temporarily mounted and used as working
      directory. This is for example useful to convert a DDI to "tar"
      simply by running it within a "systemd-dissect --with" invocation.

    * systemd-dissect gained a new option --discover, to search for
      Discoverable Disk Images (DDIs) in well-known directories of the
      system. This will list machine, portable service and system extension
      disk images.

    * systemd-dissect now understands 2nd stage initrd images stored as a
      Discoverable Disk Image (DDI).

    * systemd-dissect will now display the main UUID of GPT DDIs (i.e. the
      disk UUID stored in the GPT header) among the other data it can show.

    * systemd-dissect gained a new --in-memory switch to operate on an
      in-memory copy of the specified DDI file. This is useful to access a
      DDI with write access without persisting any changes. It's also
      useful for accessing a DDI without keeping the originating file
      system busy.

    * The DDI dissection logic will now automatically detect the intended
      sector size of disk images stored in files, based on the GPT
      partition table arrangement. Loopback block devices for such DDIs
      will then be configured automatically for the right sector size. This
      is useful to make dealing with modern 4K sector size DDIs fully
      automatic. The systemd-dissect tool will now show the detected sector
      size among the other DDI information in its output.

Changes in systemd-repart:

    * systemd-repart gained new options --include-partitions= and
      --exclude-partitions= to filter operation on partitions by type UUID.
      This allows systemd-repart to be used to build images in which the
      type of one partition is set based on the contents of another
      partition (for example when the boot partition shall include a verity
      hash of the root partition).

    * systemd-repart also gained a --defer-partitions= option that is
      similar to --exclude-partitions=, but the size of the deferred
      partition is still taken into account when sizing the other
      partitions, without populating it.

    * systemd-repart gained a new --sector-size= option to specify what
      sector size should be used when an image is created.

    * systemd-repart now supports generating erofs file systems via
      CopyFiles= (a read-only file system similar to squashfs).

    * The Minimize= option was extended to accept "best" (which means the
      most minimal image possible, but may require multiple attempts) and
      "guess" (which means a reasonably small image).

    * The systemd-growfs binary now comes with a regular unit file template
      systemd-growfs@.service which can be instantiated directly for any
      desired file system. (Previously, the unit was generated dynamically
      by various generators, but no regular unit file template was
      available.)

Changes in journal tools:

    * Various systemd tools will append extra fields to log messages when
      in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently
      this includes information about D-Bus messages when sd-bus is used,
      e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information
      about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
      Details of what is logged and when are subject to change.

    * The systemd-journald-audit.socket can now be disabled via the usual
      "systemctl disable" mechanism to stop collection of audit
      messages. Please note that it is not enabled statically anymore and
      must be handled by the preset/enablement logic in package
      installation scripts.

    * New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
      be used to curtail disk use by systemd-journal-remote. This is
      similar to the options supported by systemd-journald.

Changes in systemd-cryptenroll, systemd-cryptsetup, and related components:

    * When enrolling new keys systemd-cryptenroll now supports unlocking
      via FIDO2 tokens (option --unlock-fido2-device=). Previously, a
      password was strictly required to be specified.

    * systemd-cryptsetup now supports pre-flight requests for FIDO2 tokens
      (except for tokens with user verification, UV) to identify tokens
      before authentication. Multiple FIDO2 tokens can now be enrolled at
      the same time, and systemd-cryptsetup will automatically select one
      that corresponds to one of the available LUKS key slots.

    * systemd-cryptsetup now supports new options tpm2-measure-bank= and
      tpm2-measure-pcr= in crypttab(5). These allow specifying the TPM2 PCR
      bank and number into which the volume key should be measured. This is
      automatically enabled for the encrypted root volume discovered and
      activated by systemd-gpt-auto-generator.

    * systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with
      "noexec,nosuid,nodev".

    * systemd-gpt-auto-generator will now honour the rootfstype= and
      rootflags= kernel command line switches for root file systems it
      discovers, to match behaviour in case an explicit root fs is
      specified via root=.

    * systemd-pcrphase gained new options --machine-id and --file-system=
      to measure the machine-id and mount point information into PCR 15. New
      service unit files systemd-pcrmachine.service and
      systemd-pcrfs@.service have been added that invoke the tool with
      these switches during early boot.

    * systemd-pcrphase gained a --graceful switch, which makes it exit
      cleanly with a success exit code even if no TPM device is detected.

    * systemd-cryptenroll now stores the user-supplied PIN with a salt,
      making it harder to brute-force.

Changes in other tools:

    * systemd-homed gained support for luksPbkdfForceIterations (the
      intended number of iterations for the PBKDF operation on LUKS).

    * Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
      $SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
      may now be used to specify additional arguments for mkfs when
      systemd-homed formats a file system.

    * systemd-hostnamed now exports the contents of
      /sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two
      new D-Bus properties: FirmwareVendor and FirmwareDate. This allows
      unprivileged code to access those values.

      systemd-hostnamed also exports the SUPPORT_END= field from
      os-release(5) as OperatingSystemSupportEnd. hostnamectl makes use of
      this to show the status of the installed system.

    * systemd-measure gained an --append= option to sign multiple phase
      paths with different signing keys. This allows secrets to be
      accessible only in certain parts of the boot sequence. Note that
      'ukify' provides similar functionality in a more accessible form.

    * systemd-timesyncd will now write a structured log message with
      MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
      on an on-disk timestamp, similarly to what it did when reaching
      synchronization via NTP.

    * systemd-timesyncd will now update the on-disk timestamp file on each
      boot at least once, making it more likely that the system time
      increases in subsequent boots.

    * systemd-vconsole-setup gained support for system/service credentials:
      vconsole.keymap/vconsole.keymap_toggle and
      vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous to
      the similarly-named options in vconsole.conf.

    * systemd-localed will now save the XKB keyboard configuration to
      /etc/vconsole.conf, and also read it from there with a higher
      preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config
      file. Previously, this information was stored in the former file in
      converted form, and only in latter file in the original form. Tools
      which want to access keyboard configuration can now do so from a
      standard location.

    * systemd-resolved gained support for configuring the nameservers and
      search domains via kernel command line (nameserver=, domain=) and
      credentials (network.dns, network.search_domains).

    * systemd-resolved will now synthesize host names for the DNS stub
      addresses it supports. Specifically when "_localdnsstub" is resolved,
      127.0.0.53 is returned, and if "_localdnsproxy" is resolved
      127.0.0.54 is returned.

    * systemd-notify will now send a "RELOADING=1" notification when called
      with --reloading, and "STOPPING=1" when called with --stopping. This
      can be used to implement notifications from units where it's easier
      to call a program than to use the sd-daemon library.

    * systemd-analyze's 'plot' command can now output its information in
      JSON, controlled via the --json= switch. Also, new --table, and
      --no-legend options have been added.

    * 'machinectl enable' will now automatically enable machines.target
      unit in addition to adding the machine unit to the target.

      Similarly, 'machinectl start|stop' gained a --now option to enable or
      disable the machine unit when starting or stopping it.

    * systemd-sysusers will now create /etc/ if it is missing.

    * systemd-sleep 'HibernateDelaySec=' setting is changed back to
      pre-v252's behaviour, and a new 'SuspendEstimationSec=' setting is
      added to provide the new initial value for the new automated battery
      estimation functionality. If 'HibernateDelaySec=' is set to any value,
      the automated estimate (and thus the automated hibernation on low
      battery to avoid data loss) functionality will be disabled.

    * Default tmpfiles.d/ configuration will now automatically create
      credentials storage directory '/etc/credstore/' with the appropriate,
      secure permissions. If '/run/credstore/' exists, its permissions will
      be fixed too in case they are not correct.

Changes in libsystemd and shared code:

    * sd-bus gained new convenience functions sd_bus_emit_signal_to(),
      sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().

    * sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
      128bit ID in files such as /etc/machine-id has an invalid
      format. They also accept NULL as output parameter in more places,
      which is useful when the caller only wants to validate the inputs and
      does not need the output value.

    * sd-login gained new functions sd_pidfd_get_session(),
      sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
      sd_pidfd_get_user_unit(), sd_pidfd_get_slice(),
      sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and
      sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(),
      but accept a PIDFD instead of a PID.

    * sd-path (and systemd-path) now export four new paths:
      SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR,
      SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR,
      SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and
      SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR.

    * sd_notify() now supports AF_VSOCK as transport for notification
      messages (in addition to the existing AF_UNIX support). This is
      enabled if $NOTIFY_SOCKET is set in a "vsock:CID:port" format.

    * Detection of chroot() environments now works if /proc/ is not
      mounted.  This affects systemd-detect-virt --chroot, but also means
      that systemd tools will silently skip various operations in such an
      environment.

    * "Lockheed Martin Hardened Security for Intel Processors" (HS SRE)
      virtualization is now detected.

Changes in the build system:

    * Standalone variants of systemd-repart and systemd-shutdown may now be
      built (if -Dstandalone=true).

    * systemd-ac-power has been moved from /usr/lib/ to /usr/bin/, to, for
      example, allow scripts to conditionalize execution on AC power
      supply.

    * The libp11kit library is now loaded through dlopen(3).

Changes in the documentation:

    * Specifications that are not closely tied to systemd have moved to
      https://uapi-group.org/specifications/: the Boot Loader Specification
      and the Discoverable Partitions Specification.

    Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas,
    Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang,
    Antonio Alvarez Feijoo, Arsen Arsenović, asavah, Benjamin Fogle,
    Benjamin Tissoires, berenddeschouwer, BerndAdameit,
    Bernd Steinhauser, blutch112, cake03, Callum Farmer, Carlo Teubner,
    Charles Hardin, chris, Christian Brauner, Christian Göttsche,
    Cristian Rodríguez, Daan De Meyer, Dan Streetman, DaPigGuy,
    Darrell Kavanagh, David Tardon, dependabot[bot], Dirk Su,
    Dmitry V. Levin, drosdeck, Edson Juliano Drosdeck, edupont,
    Eric DeVolder, Erik Moqvist, Evgeny Vereshchagin, Fabian Gurtner,
    Felix Riemann, Franck Bui, Frantisek Sumsal, Geert Lorang,
    Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho,
    igo95862, Ilya Leoshkevich, Ivan Shapovalov, Jacek Migacz,
    Jade Lovelace, Jan Engelhardt, Jan Janssen, Jan Macku, January,
    Jason A. Donenfeld, jcg, Jean-Tiare Le Bigot, Jelle van der Waa,
    Jeremy Linton, Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann,
    Jörg Thalheim, Joshua Goins, joshuazivkovic, Joshua Zivkovic,
    Kai-Chuan Hsieh, Khem Raj, Koba Ko, Lennart Poettering, lichao,
    Li kunyu, Luca Boccassi, Luca BRUNO, Ludwig Nussel,
    Łukasz Stelmach, Lycowolf, marcel151, Marcus Schäfer, Marek Vasut,
    Mark Laws, Michael Biebl, Michał Kotyla, Michal Koutný,
    Michal Sekletár, Mike Gilbert, Mike Yuan, MkfsSion, ml,
    msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore, Nick Rosbrook,
    noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv, Phaedrus Leeds,
    Philipp Jungkamp, Quentin Deslandes, Raul Tambre, Ray Strode,
    reuben olinsky, Richard E. van der Luit, Richard Phibel,
    Ricky Tigg, Robin Humble, rogg, Rudi Heitbaum, Sam James,
    Samuel Cabrero, Samuel Thibault, Siddhesh Poyarekar, Simon Brand,
    Space Meyer, Spindle Security, Steve Ramage, Takashi Sakamoto,
    Thomas Haller, Tonći Galić, Topi Miettinen, Torsten Hilbrich,
    Tuetuopay, uerdogan, Ulrich Ölmann, Valentin David,
    Vitaly Kuznetsov, Vito Caputo, Waltibaba, Will Fancher,
    William Roberts, wouter bolsterlee, Youfu Zhang, Yu Watanabe,
    Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски,
    наб

    — Warsaw, 2023-02-15
systemd - systemd v253-rc3

Published by bluca over 1 year ago

systemd System and Service Manager

CHANGES WITH 253 in spe:

Announcements of Future Feature Removals and Incompatible Changes:

    * We intend to remove cgroup v1 support from a systemd release after the
      end of 2023. If you run services that make explicit use of cgroup v1
      features (i.e. the "legacy hierarchy" with separate hierarchies for
      each controller), please implement compatibility with cgroup v2 (i.e.
      the "unified hierarchy") sooner rather than later. Most of Linux
      userspace has been ported over already.

    * We intend to remove support for split-usr (/usr mounted separately
      during boot) and unmerged-usr (parallel directories /bin and
      /usr/bin, /lib and /usr/lib, etc). This will happen in the second
      half of 2023, in the first release that falls into that time window.
      For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

    * We intend to change behaviour w.r.t. units of the per-user service
      manager and sandboxing options, so that they work without having to
      manually enable PrivateUsers= as well, which is not required for
      system units. To make this work, we will implicitly enable user
      namespaces (PrivateUsers=yes) when a sandboxing option is enabled in a
      user unit. The drawback is that system users will no longer be visible
      (and appear as 'nobody') to the user unit when a sandboxing option is
      enabled. By definition a sandboxed user unit should run with reduced
      privileges, so impact should be small. This will remove a great source
      of confusion that has been reported by users over the years, due to
      how these options require an extra setting to be manually enabled when
      used in the per-user service manager, as opposed as to the system
      service manager. We plan to enable this change in the next release
      later this year. For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html

Deprecations and incompatible changes:

    * systemctl will now warn when invoked without /proc/ mounted
      (e.g. when invoked after chroot() into a directory tree without the
      API mount points like /proc/ being set up.)  Operation in such an
      environment is not fully supported.

    * The return value of 'systemctl is-active|is-enabled|is-failed' for
      unknown units is changed: previously 1 or 3 were returned, but now 4
      (EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented.

    * 'udevadm hwdb' subcommand is deprecated and will emit a warning.
      systemd-hwdb (added in 2014) should be used instead.

    * 'bootctl --json' now outputs a single JSON array, instead of a stream
      of newline-separated JSON objects.

    * Udev rules in 60-evdev.rules have been changed to load hwdb
      properties for all modalias patterns. Previously only the first
      matching pattern was used. This could change what properties are
      assigned if the user has more and less specific patterns that could
      match the same device, but it is expected that the change will have
      no effect for most users.

    * systemd-networkd-wait-online exits successfully when all interfaces
      are ready or unmanaged. Previously, if neither '--any' nor
      '--interface=' options were used, at least one interface had to be in
      configured state. This change allows the case where systemd-networkd
      is enabled, but no interfaces are configured, to be handled
      gracefully. It may occur in particular when a different network
      manager is also enabled and used.

    * Some compatibility helpers were dropped: EmergencyAction= in the user
      manager, as well as measuring kernel command line into PCR 8 in
      systemd-stub, along with the -Defi-tpm-pcr-compat compile-time
      option.

    * The '-Dupdate-helper-user-timeout=' build-time option has been
      renamed to '-Dupdate-helper-user-timeout-sec=', and now takes an
      integer as parameter instead of a string.

    * The DDI image dissection logic (which backs RootImage= in service
      unit files, the --image= switch in various tools such as
      systemd-nspawn, as well as systemd-dissect) will now only mount file
      systems of types btrfs, ext4, xfs, erofs, squashfs, vfat. This list
      can be overridden via the $SYSTEMD_DISSECT_FILE_SYSTEMS environment
      variable. These file systems are fairly well supported and maintained
      in current kernels, while others are usually more niche, exotic or
      legacy and thus typically do not receive the same level of security
      support and fixes.

New components:

    * A new tool 'ukify' to build, measure, and sign Unified Kernel Images
      (UKIs) has been added. This replaces functionality provided by
      'dracut --uefi' and extends it with automatic calculation of PE file
      offsets, insertion of signed PCR policies generated by
      systemd-measure, support for initrd concatenation, signing of the
      embedded Linux image and the combined image with sbsign, and
      heuristics to autodetect the kernel uname and verify the splash
      image.

Changes in systemd and units:

    * A new service type Type=notify-reload is defined. When such a unit is
      reloaded a UNIX process signal (typically SIGHUP) is sent to the main
      service process. The manager will then wait until it receives a
      "RELOADING=1" followed by a "READY=1" notification from the unit as
      response (via sd_notify()). Otherwise, this type is the same as
      Type=notify. A new setting ReloadSignal= may be used to change the
      signal to send from the default of SIGHUP.

      user@.service, systemd-networkd.service, systemd-udevd.service, and
      systemd-logind have been updated to this type.
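      As an added example (not systemd's own code), the Python below models the
      client side of the Type=notify-reload protocol described above, together
      with the $NOTIFY_SOCKET address forms a service may be handed, including
      the "vsock:CID:port" transport from the libsystemd changes: on the reload
      signal the service sends RELOADING=1 (carrying the MONOTONIC_USEC=
      timestamp that sd_notify(3) requires next to it for this service type),
      re-reads its configuration, then sends READY=1. The throwaway AF_UNIX
      socket standing in for the manager and the config loader are constructed
      for the demo.

```python
import os
import signal
import socket
import tempfile
import time

# socket.AF_VSOCK is only defined on Linux; 40 is the Linux value.
AF_VSOCK = getattr(socket, "AF_VSOCK", 40)


def parse_notify_socket(value):
    """Map a $NOTIFY_SOCKET value to (family, type, address).

    Accepted forms: a filesystem path, an abstract AF_UNIX name ("@name"),
    and "vsock:CID:port" (AF_VSOCK, used as a stream connection because
    AF_VSOCK datagrams are not generally available).
    """
    if value.startswith("vsock:"):
        _, cid, port = value.split(":", 2)
        return AF_VSOCK, socket.SOCK_STREAM, (int(cid), int(port))
    if value.startswith("@"):
        # Abstract namespace: a leading NUL byte replaces the '@'.
        return socket.AF_UNIX, socket.SOCK_DGRAM, "\0" + value[1:]
    if value.startswith("/"):
        return socket.AF_UNIX, socket.SOCK_DGRAM, value
    raise ValueError("unsupported NOTIFY_SOCKET value: %r" % value)


def sd_notify(message, notify_socket=None):
    """Send one notification the way sd_notify(3) does.

    Returns True when a message was sent and False when no socket is
    configured (the service is not running under a notify-aware manager),
    the non-fatal case that sd_notify(3) reports as 0.
    """
    target = os.environ.get("NOTIFY_SOCKET") if notify_socket is None else notify_socket
    if not target:
        return False
    family, sock_type, addr = parse_notify_socket(target)
    with socket.socket(family, sock_type) as s:
        s.connect(addr)
        s.sendall(message.encode())
    return True


def monotonic_usec():
    """CLOCK_MONOTONIC in microseconds. RELOADING=1 must carry this so the
    manager can tell this reload cycle apart from an earlier one."""
    return time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000


def notify_reloading(notify_socket=None):
    return sd_notify("RELOADING=1\nMONOTONIC_USEC=%d\n" % monotonic_usec(), notify_socket)


def notify_ready(notify_socket=None):
    return sd_notify("READY=1\n", notify_socket)


def notify_stopping(notify_socket=None):
    # What `systemd-notify --stopping` sends, so the manager can track shutdown.
    return sd_notify("STOPPING=1\n", notify_socket)


class ReloadingService:
    """Skeleton of a Type=notify-reload service: the manager sends the
    ReloadSignal= (SIGHUP by default) and waits for RELOADING=1 then READY=1.
    `load_config` is a hypothetical callable supplied by the real service."""

    def __init__(self, load_config, notify_socket=None):
        self.load_config = load_config
        self.notify_socket = notify_socket
        self.config = None

    def start(self):
        self.config = self.load_config()
        notify_ready(self.notify_socket)  # startup complete

    def on_reload_signal(self, signum=None, frame=None):
        notify_reloading(self.notify_socket)  # manager now waits for READY=1
        self.config = self.load_config()
        notify_ready(self.notify_socket)

    def install_signal_handler(self):
        signal.signal(signal.SIGHUP, self.on_reload_signal)


def demo_reload_cycle():
    """Drive the client against a throwaway AF_UNIX datagram socket that
    stands in for the manager; return the datagrams it received, in order."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notify")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as manager:
            manager.bind(path)
            manager.settimeout(2)
            svc = ReloadingService(lambda: {"reloaded": True}, notify_socket=path)
            svc.start()
            svc.on_reload_signal()  # as if SIGHUP had just arrived
            notify_stopping(path)
            return [manager.recv(4096).decode() for _ in range(4)]
```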

    * Initrd environments which are not on a pure memory file system (e.g.
      overlayfs combination as opposed to tmpfs) are now supported. With
      this change, during the initrd → host transition ("switch root")
      systemd will erase all files of the initrd only when the initrd is
      backed by a memory file system such as tmpfs.

    * New per-unit MemoryZSwapMax= option has been added to configure
      memory.zswap.max cgroup properties (the maximum amount of zswap
      used).

    * A new LogFilterPatterns= option has been added for units. It may be
      used to specify accept/deny regular expressions for log messages
      generated by the unit, that shall be enforced by systemd-journald.
      Rejected messages are neither stored in the journal nor forwarded.
      This option may be used to suppress noisy or uninteresting messages
      from units.

    * The manager has a new
      org.freedesktop.systemd1.Manager.GetUnitByPIDFD() D-Bus method to
      query process ownership via a PIDFD, which is more resilient against
      PID recycling issues.

    * Scope units now support OOMPolicy=. Login session scopes default to
      OOMPolicy=continue, allowing login scopes to survive the OOM killer
      terminating some processes in the scope.

    * systemd-fstab-generator now supports x-systemd.makefs option for
      /sysroot/ (in the initrd).

    * The maximum rate at which daemon reloads are executed can now be
      limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
      options. (Or the equivalent on the kernel command line:
      systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=). In
      addition, systemd now logs the originating unit and PID when a reload
      request is received over D-Bus.

    * When enabling a swap device systemd will now reinitialize the device
      when the page size of the swap space does not match the page size of
      the running kernel. Note that this requires the 'swapon' utility to
      provide the '--fixpgsz' option, as implemented by util-linux, and it
      is not supported by busybox at the time of writing.

    * systemd now executes generator programs in a mount namespace
      "sandbox" with most of the file system read-only and write access
      restricted to the output directories, and with a temporary /tmp/
      mount provided. This provides a safeguard against programming errors
      in the generators, but also fixes here-docs in shells, which
      previously didn't work in early boot when /tmp/ wasn't available
      yet. (This feature has no security implications, because the code is
      still privileged and can trivially exit the sandbox.)

    * The system manager will now parse a new "vmm.notify_socket"
      system credential, which may be supplied to a VM via SMBIOS. If
      found, the manager will send a "READY=1" notification on the
      specified socket after boot is complete. This allows readiness
      notification to be sent from a VM guest to the VM host over a VSOCK
      socket.

    * The sample PAM configuration file for user@.service now
      includes a call to pam_namespace. This puts children of user@.service
      in the expected namespace. (Many distributions replace their file
      with something custom, so this change has limited effect.)

    * A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST
      can be used to override the mount units' burst rate limit for
      parsing '/proc/self/mountinfo', which was introduced in v249.
      Defaults to 5.

    * Drop-ins for init.scope changing control group resource limits are
      now applied, while they were previously ignored.

    * New build-time configuration options '-Ddefault-timeout-sec=' and
      '-Ddefault-user-timeout-sec=' have been added, to let distributions
      choose the default timeout for starting/stopping/aborting system and
      user units respectively.

    * Service units gained a new setting OpenFile= which may be used to
      open arbitrary files in the file system (or connect to arbitrary
      AF_UNIX sockets in the file system), and pass the open file
      descriptor to the invoked process via the usual file descriptor
      passing protocol. This is useful to give unprivileged services access
      to select files which have restrictive access modes that would
      normally not allow this. It's also useful in case RootDirectory= or
      RootImage= is used to allow access to files from the host environment
      (which is after all not visible from the service if these two options
      are used.)
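      How a service consumes what OpenFile= hands it, as an added example (not
      systemd's own code): the descriptor arrives through the same
      $LISTEN_FDS/$LISTEN_FDNAMES protocol used for socket activation, so the
      service never needs permission on the path itself. The unit fragment,
      config path and fd name are hypothetical; the manager side (opening the
      file according to the OpenFile= options) is simulated in-process so the
      demo runs offline.

```python
"""Assumed (hypothetical) unit fragment this code is written for:

    [Service]
    DynamicUser=yes
    OpenFile=/etc/example/secret.conf:config:read-only
"""
import os
import tempfile

SD_LISTEN_FDS_START = 3  # first passed descriptor, per sd_listen_fds(3)


def parse_openfile(value):
    """Split an OpenFile= value "path[:fd-name[:options]]" into its parts.

    Options: read-only, append, truncate, graceful (comma-separated).
    Assumption: without an explicit fd-name the file's basename is used.
    """
    parts = value.split(":", 2)
    path = parts[0]
    name = parts[1] if len(parts) > 1 and parts[1] else os.path.basename(path)
    options = set(parts[2].split(",")) if len(parts) > 2 and parts[2] else set()
    unknown = options - {"read-only", "append", "truncate", "graceful"}
    if unknown:
        raise ValueError("unknown OpenFile= options: %s" % ",".join(sorted(unknown)))
    return path, name, options


def open_as_manager(value):
    """Simulate the manager side: open the path with the requested mode and
    return (name, fd), or None when "graceful" swallows an open failure.
    Connecting to AF_UNIX sockets, which OpenFile= also supports, is omitted."""
    path, name, options = parse_openfile(value)
    if "read-only" in options:
        flags = os.O_RDONLY
    elif options & {"append", "truncate"}:
        flags = os.O_WRONLY | (os.O_APPEND if "append" in options else os.O_TRUNC)
    else:
        flags = os.O_RDWR  # default when no access option is given
    try:
        return name, os.open(path, flags | os.O_CLOEXEC)
    except OSError:
        if "graceful" in options:
            return None
        raise


def listen_fds_with_names(environ=None, start=SD_LISTEN_FDS_START):
    """Mirror sd_listen_fds_with_names(3): list (name, fd) pairs, but only
    when $LISTEN_PID names this process, so a child that merely inherited the
    environment does not treat unrelated descriptors as passed ones.
    `start` is always 3 under systemd; it is a parameter only so the demo can
    run without clobbering descriptors of the current process."""
    env = os.environ if environ is None else environ
    if env.get("LISTEN_PID") != str(os.getpid()):
        return []
    try:
        count = int(env.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    names = env["LISTEN_FDNAMES"].split(":") if env.get("LISTEN_FDNAMES") else []
    return [(names[i] if i < len(names) else "unknown", start + i) for i in range(count)]


def open_passed_file(name, environ=None, start=SD_LISTEN_FDS_START):
    """Return a read-only text file object for the descriptor passed as `name`."""
    for n, fd in listen_fds_with_names(environ, start):
        if n == name:
            return os.fdopen(fd, "r")
    raise FileNotFoundError("no descriptor named %r was passed" % name)


def demo_read_passed_config():
    """Play both roles: the manager opens a constructed config file per the
    OpenFile= options, then the service reads it through $LISTEN_*."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("mode=strict\nlimit=10\n")  # constructed sample content
        path = f.name
    try:
        name, fd = open_as_manager(path + ":config:read-only")
        env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1", "LISTEN_FDNAMES": name}
        with open_passed_file("config", env, start=fd) as cfg:
            return dict(line.rstrip("\n").split("=", 1) for line in cfg if "=" in line)
    finally:
        os.unlink(path)
```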

Changes in udev:

    * The new net naming scheme "v253" has been introduced. In the new
      scheme, ID_NET_NAME_PATH is also set for USB devices not connected via
      a PCI bus. This extends the coverage of predictable interface names
      in some embedded systems.

      The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
      a more informative path on some embedded systems.

    * Partition block devices will now also get symlinks in
      /dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
      block device nodes via the kernel's "diskseq" value. Previously those
      symlinks were only created for the main block device.

    * A new operator '-=' is supported for SYMLINK variables. This allows
      symlinks to be unconfigured even if an earlier rule added them.

    * 'udevadm --trigger --settle' now also works for network devices
      that are being renamed.

Changes in sd-boot, bootctl, and the Boot Loader Specification:

    * systemd-boot now passes its random seed directly to the kernel's RNG
      via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which
      means the RNG gets seeded very early in boot before userspace has
      started.

    * systemd-boot will pass a disk-backed random seed – even when secure
      boot is enabled – if it can additionally get a random seed from EFI
      itself (via EFI's RNG protocol), or a prior seed in
      LINUX_EFI_RANDOM_SEED_TABLE_GUID from a preceding bootloader.

    * systemd-boot-system-token.service was renamed to
      systemd-boot-random-seed.service and extended to always save a random
      seed to ESP on every boot when a compatible boot loader is used. This
      allows a refreshed random seed to be used in the boot loader.

    * systemd-boot handles various seed inputs using a domain- and
      field-separated hashing scheme.

    * systemd-boot's 'random-seed-mode' option has been removed. A system
      token is now always required to be present for random seeds to be
      used.

    * systemd-boot now supports being loaded from other locations than the
      ESP, for example for direct kernel boot under QEMU or when embedded
      into the firmware.

    * systemd-boot now parses SMBIOS information to detect
      virtualization. This information is used to skip some warnings which
      are not useful in a VM and to conditionalize other aspects of
      behaviour.

    * systemd-boot now supports a new 'if-safe' mode that will perform UEFI
      Secure Boot automated certificate enrollment from the ESP only if it
      is considered 'safe' to do so. At the moment 'safe' means running in
      a virtual machine.

    * systemd-stub now processes random seeds in the same way as
      systemd-boot already does, in case a unified kernel image is being
      used from a different bootloader than systemd-boot, or without any
      boot loader at all.

    * bootctl will now generate a system token on all EFI systems, even
      virtualized ones, and is activated in the case that the system token
      is missing from either sd-boot or sd-stub booted systems.

    * bootctl now implements two new verbs: 'kernel-identify' prints the
      type of a kernel image file, and 'kernel-inspect' provides
      information about the embedded command line and kernel version of
      UKIs.

    * bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
      as for kernel-install.

    * The JSON output of "bootctl list" will now contain two more fields:
      isDefault and isSelected are boolean fields set to true on the
      default and currently booted boot menu entries.

    * bootctl gained a new verb "unlink" for removing a boot loader entry
      type #1 file from disk in a safe and robust way.

    * bootctl also gained a new verb "cleanup" that automatically removes
      all files from the ESP's and XBOOTLDR's "entry-token" directory that
      are not referenced anymore by any installed Type #1 boot loader
      specification entry. This is particularly useful in environments where
      a large number of entries reference the same or partly the same
      resources (for example, for snapshot-based setups).

Changes in kernel-install:

    * A new "installation layout" can be configured as layout=uki. With
      this setting, a Boot Loader Specification Type#1 entry will not be
      created.  Instead, a new kernel-install plugin 90-uki-copy.install
      will copy any .efi files from the staging area into the boot
      partition. A plugin to generate the UKI .efi file must be provided
      separately.

Changes in systemctl:

    * 'systemctl reboot' has dropped support for accepting a positional
      argument as the argument to the reboot(2) syscall. Please use the
      --reboot-argument= option instead.

    * 'systemctl disable' will now warn when called on units without
      install information. A new --no-warn option has been added that
      silences this warning.

    * New option '--drop-in=' can be used to tell 'systemctl edit' the name
      of the drop-in to edit. (Previously, 'override.conf' was always
      used.)

    * 'systemctl list-dependencies' now respects --type= and --state=.

    * 'systemctl kexec' now supports XEN VMM environments.

    * 'systemctl edit' will now tell the invoked editor to jump into the
      first line with actual unit file data, skipping over synthesized
      comments.

Changes in systemd-networkd and related tools:

    * The [DHCPv4] section in .network file gained new SocketPriority=
      setting that assigns the Linux socket priority used by the DHCPv4 raw
      socket. This may be used in conjunction with the
      EgressQOSMaps= setting in the [VLAN] section of the .netdev file to send the
      desired ethernet 802.1Q frame priority for DHCPv4 initial
      packets. This cannot be achieved with netfilter mangle tables because
      of the raw socket bypass.

    * The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained a
      new QuickAck= boolean setting that enables the TCP quick ACK mode for
      the routes configured by the acquired DHCPv4 lease or received router
      advertisements (RAs).

    * The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
      routes) now accepts three values, for high, medium, and low preference
      of the router (which can be set with the RouterPreference= setting).

    * systemd-networkd-wait-online now supports matching via alternative
      interface names.

    * The [DHCPv6] section in .network file gained new SendRelease=
      setting which enables the DHCPv6 client to send release when
      it stops. This is the analog of the [DHCPv4] SendRelease= setting.
      It is enabled by default.

    * If the Address= setting in the [Network] or [Address] sections of a
      .network file is specified without its prefix length, systemd-networkd
      now assumes /32 for IPv4 or /128 for IPv6 addresses.

    * networkctl shows network and link file dropins in status output.

Changes in systemd-dissect:

    * systemd-dissect gained a new option --list, to print the paths of
      all files and directories in a DDI.

    * systemd-dissect gained a new option --mtree, to generate a file
      manifest compatible with BSD mtree(5) of a DDI.

    * systemd-dissect gained a new option --with, to execute a command with
      the specified DDI temporarily mounted and used as working
      directory. This is for example useful to convert a DDI to "tar"
      simply by running it within a "systemd-dissect --with" invocation.

    * systemd-dissect gained a new option --discover, to search for
      Discoverable Disk Images (DDIs) in well-known directories of the
      system. This will list machine, portable service and system extension
      disk images.

    * systemd-dissect now understands 2nd stage initrd images stored as a
      Discoverable Disk Image (DDI).

    * systemd-dissect will now display the main UUID of GPT DDIs (i.e. the
      disk UUID stored in the GPT header) among the other data it can show.

    * systemd-dissect gained a new --in-memory switch to operate on an
      in-memory copy of the specified DDI file. This is useful to access a
      DDI with write access without persisting any changes. It's also
      useful for accessing a DDI without keeping the originating file
      system busy.

    * The DDI dissection logic will now automatically detect the intended
      sector size of disk images stored in files, based on the GPT
      partition table arrangement. Loopback block devices for such DDIs
      will then be configured automatically for the right sector size. This
      is useful to make dealing with modern 4K sector size DDIs fully
      automatic. The systemd-dissect tool will now show the detected sector
      size among the other DDI information in its output.

Changes in systemd-repart:

    * systemd-repart gained new options --include-partitions= and
      --exclude-partitions= to filter operation on partitions by type UUID.
      This allows systemd-repart to be used to build images in which the
      type of one partition is set based on the contents of another
      partition (for example when the boot partition shall include a verity
      hash of the root partition).

    * systemd-repart also gained a --defer-partitions= option that is
      similar to --exclude-partitions=, except that the size of the
      partition is still taken into account when sizing the other
      partitions, even though it is not populated.

    * systemd-repart gained a new --sector-size= option to specify what
      sector size should be used when an image is created.

    * systemd-repart now supports generating erofs file systems via
      CopyFiles= (a read-only file system similar to squashfs).

    * The Minimize= option was extended to accept "best" (which means the
      most minimal image possible, but may require multiple attempts) and
      "guess" (which means a reasonably small image).

    * The systemd-growfs binary now comes with a regular unit file template
      systemd-growfs@.service which can be instantiated directly for any
      desired file system. (Previously, the unit was generated dynamically
      by various generators, but no regular unit file template was
      available.)

Changes in journal tools:

    * Various systemd tools will append extra fields to log messages when
      in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently
      this includes information about D-Bus messages when sd-bus is used,
      e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information
      about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
      Details of what is logged and when are subject to change.

    * The systemd-journald-audit.socket can now be disabled via the usual
      "systemctl disable" mechanism to stop collection of audit
      messages. Please note that it is not enabled statically anymore and
      must be handled by the preset/enablement logic in package
      installation scripts.

    * New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
      be used to curtail disk use by systemd-journal-remote. This is
      similar to the options supported by systemd-journald.

Changes in systemd-cryptenroll, systemd-cryptsetup, and related components:

    * When enrolling new keys systemd-cryptenroll now supports unlocking
      via FIDO2 tokens (option --unlock-fido2-device=). Previously, a
      password was strictly required to be specified.

    * systemd-cryptsetup now supports pre-flight requests for FIDO2 tokens
      (except for tokens with user verification, UV) to identify tokens
      before authentication. Multiple FIDO2 tokens can now be enrolled at
      the same time, and systemd-cryptsetup will automatically select one
      that corresponds to one of the available LUKS key slots.

    * systemd-cryptsetup now supports new options tpm2-measure-bank= and
      tpm2-measure-pcr= in crypttab(5). These allow specifying the TPM2 PCR
      bank and number into which the volume key should be measured. This is
      automatically enabled for the encrypted root volume discovered and
      activated by systemd-gpt-auto-generator.

    * systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with
      "noexec,nosuid,nodev".

    * systemd-gpt-auto-generator will now honour the rootfstype= and
      rootflags= kernel command line switches for root file systems it
      discovers, to match behaviour in case an explicit root fs is
      specified via root=.

    * systemd-pcrphase gained new options --machine-id and --file-system=
      to measure the machine-id and mount point information into PCR 15. New
      service unit files systemd-pcrmachine.service and
      systemd-pcrfs@.service have been added that invoke the tool with
      these switches during early boot.

    * systemd-pcrphase gained a --graceful switch which makes it exit cleanly
      with a success exit code even if no TPM device is detected.

    * systemd-cryptenroll now stores the user-supplied PIN with a salt,
      making it harder to brute-force.

Changes in other tools:

    * systemd-homed gained support for luksPbkdfForceIterations (the
      intended number of iterations for the PBKDF operation on LUKS).

    * Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
      $SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
      may now be used to specify additional arguments for mkfs when
      systemd-homed formats a file system.

    * systemd-hostnamed now exports the contents of
      /sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two
      new D-Bus properties: FirmwareVendor and FirmwareDate. This allows
      unprivileged code to access those values.

      systemd-hostnamed also exports the SUPPORT_END= field from
      os-release(5) as OperatingSystemSupportEnd. hostnamectl makes use of
      this to show the status of the installed system.

    * systemd-measure gained an --append= option to sign multiple phase
      paths with different signing keys. This allows secrets to be
      accessible only in certain parts of the boot sequence. Note that
      'ukify' provides similar functionality in a more accessible form.

    * systemd-timesyncd will now write a structured log message with
      MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
      on an on-disk timestamp, similarly to what it did when reaching
      synchronization via NTP.

    * systemd-timesyncd will now update the on-disk timestamp file on each
      boot at least once, making it more likely that the system time
      increases in subsequent boots.

    * systemd-vconsole-setup gained support for system/service credentials:
      vconsole.keymap/vconsole.keymap_toggle and
      vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous to
      the similarly-named options in vconsole.conf.

    * systemd-localed will now save the XKB keyboard configuration to
      /etc/vconsole.conf, and also read it from there with a higher
      preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config
      file. Previously, this information was stored in the former file in
      converted form, and only in the latter file in the original form. Tools
      which want to access keyboard configuration can now do so from a
      standard location.

    * systemd-resolved gained support for configuring the nameservers and
      search domains via kernel command line (nameserver=, domain=) and
      credentials (network.dns, network.search_domains).

    * systemd-resolved will now synthesize host names for the DNS stub
      addresses it supports. Specifically when "_localdnsstub" is resolved,
      127.0.0.53 is returned, and if "_localdnsproxy" is resolved
      127.0.0.54 is returned.

    * systemd-notify will now send a "RELOADING=1" notification when called
      with --reloading, and "STOPPING=1" when called with --stopping. This
      can be used to implement notifications from units where it's easier
      to call a program than to use the sd-daemon library.

    * systemd-analyze's 'plot' command can now output its information in
      JSON, controlled via the --json= switch. Also, new --table, and
      --no-legend options have been added.

    * 'machinectl enable' will now automatically enable machines.target
      unit in addition to adding the machine unit to the target.

      Similarly, 'machinectl start|stop' gained a --now option to enable or
      disable the machine unit when starting or stopping it.

    * systemd-sysusers will now create /etc/ if it is missing.

    * systemd-sleep 'HibernateDelaySec=' setting is changed back to
      pre-v252's behaviour, and a new 'SuspendEstimationSec=' setting is
      added to provide the new initial value for the new automated battery
      estimation functionality. If 'HibernateDelaySec=' is set to any value,
      the automated estimate (and thus the automated hibernation on low
      battery to avoid data loss) functionality will be disabled.

    * Default tmpfiles.d/ configuration will now automatically create
      credentials storage directory '/etc/credstore/' with the appropriate,
      secure permissions. If '/run/credstore/' exists, its permissions will
      be fixed too in case they are not correct.

Changes in libsystemd and shared code:

    * sd-bus gained new convenience functions sd_bus_emit_signal_to(),
      sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().

    * sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
      128bit ID in files such as /etc/machine-id has an invalid
      format. They also accept NULL as output parameter in more places,
      which is useful when the caller only wants to validate the inputs and
      does not need the output value.

    * sd-login gained new functions sd_pidfd_get_session(),
      sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
      sd_pidfd_get_user_unit(), sd_pidfd_get_slice(),
      sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and
      sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(),
      but accept a PIDFD instead of a PID.

    * sd-path (and systemd-path) now export four new paths:
      SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR,
      SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR,
      SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and
      SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR.

    * sd_notify() now supports AF_VSOCK as transport for notification
      messages (in addition to the existing AF_UNIX support). This is
      enabled if $NOTIFY_SOCKET is set in a "vsock:CID:port" format.

    * Detection of chroot() environments now works if /proc/ is not
      mounted.  This affects systemd-detect-virt --chroot, but also means
      that systemd tools will silently skip various operations in such an
      environment.

    * "Lockheed Martin Hardened Security for Intel Processors" (HS SRE)
      virtualization is now detected.

Changes in the build system:

    * Standalone variants of systemd-repart and systemd-shutdown may now be
      built (if -Dstandalone=true).

    * systemd-ac-power has been moved from /usr/lib/ to /usr/bin/, to, for
      example, allow scripts to conditionalize execution on AC power
      supply.

    * The libp11kit library is now loaded through dlopen(3).

Changes in the documentation:

    * Specifications that are not closely tied to systemd have moved to
      https://uapi-group.org/specifications/: the Boot Loader Specification
      and the Discoverable Partitions Specification.

    Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas,
    Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang,
    Antonio Alvarez Feijoo, Arsen Arsenović, asavah, Benjamin Fogle,
    Benjamin Tissoires, berenddeschouwer, BerndAdameit,
    Bernd Steinhauser, blutch112, cake03, Callum Farmer, Carlo Teubner,
    Charles Hardin, chris, Christian Brauner, Christian Göttsche,
    Cristian Rodríguez, Daan De Meyer, Dan Streetman, DaPigGuy,
    Darrell Kavanagh, David Tardon, dependabot[bot], Dirk Su,
    Dmitry V. Levin, drosdeck, Edson Juliano Drosdeck, edupont,
    Eric DeVolder, Erik Moqvist, Evgeny Vereshchagin, Fabian Gurtner,
    Felix Riemann, Franck Bui, Frantisek Sumsal, Geert Lorang,
    Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho,
    igo95862, Ilya Leoshkevich, Ivan Shapovalov, Jacek Migacz,
    Jade Lovelace, Jan Engelhardt, Jan Janssen, Jan Macku, January,
    Jason A. Donenfeld, jcg, Jelle van der Waa, Jeremy Linton,
    Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann, Jörg Thalheim,
    Joshua Goins, joshuazivkovic, Joshua Zivkovic, Kai-Chuan Hsieh,
    Khem Raj, Koba Ko, Lennart Poettering, lichao, Li kunyu,
    Luca Boccassi, Luca BRUNO, Ludwig Nussel, Łukasz Stelmach,
    Lycowolf, marcel151, Marcus Schäfer, Marek Vasut, Mark Laws,
    Michael Biebl, Michał Kotyla, Michal Koutný, Michal Sekletár,
    Mike Yuan, MkfsSion, msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore,
    Nick Rosbrook, noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv,
    Phaedrus Leeds, Philipp Jungkamp, Quentin Deslandes, Ray Strode,
    reuben olinsky, Richard E. van der Luit, Richard Phibel,
    Ricky Tigg, Robin Humble, rogg, Rudi Heitbaum, Sam James,
    Samuel Cabrero, Samuel Thibault, Siddhesh Poyarekar, Simon Brand,
    Space Meyer, Spindle Security, Steve Ramage, Takashi Sakamoto,
    Thomas Haller, Tonći Galić, Topi Miettinen, Torsten Hilbrich,
    Tuetuopay, uerdogan, Ulrich Ölmann, Valentin David,
    Vitaly Kuznetsov, Vito Caputo, Waltibaba, Will Fancher,
    William Roberts, wouter bolsterlee, Youfu Zhang, Yu Watanabe,
    Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски,
    наб

    — Warsaw, 2023-02-10

systemd - systemd v253-rc2

Published by bluca over 1 year ago

systemd System and Service Manager

CHANGES WITH 253 in spe:

Deprecations and incompatible changes:

    * systemctl will now warn when invoked without /proc/ mounted
      (e.g. when invoked after chroot() into a directory tree without the
      API mount points like /proc/ being set up). Operation in such an
      environment is not fully supported.

    * The return value of 'systemctl is-active|is-enabled|is-failed' for
      unknown units is changed: previously 1 or 3 were returned, but now 4
      (EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented.

    * 'udevadm hwdb' subcommand is deprecated and will emit a warning.
      systemd-hwdb (added in 2014) should be used instead.

    * 'bootctl --json' now outputs a single JSON array, instead of a stream
      of newline-separated JSON objects.

    * Udev rules in 60-evdev.rules have been changed to load hwdb
      properties for all modalias patterns. Previously only the first
      matching pattern was used. This could change what properties are
      assigned if the user has more and less specific patterns that could
      match the same device, but it is expected that the change will have
      no effect for most users.

    * systemd-networkd-wait-online exits successfully when all interfaces
      are ready or unmanaged. Previously, if neither '--any' nor
      '--interface=' options were used, at least one interface had to be in
      configured state. This change allows the case, where systemd-networkd
      is enabled but no interfaces are configured, to be handled
      gracefully. It may occur in particular when a different network
      manager is also enabled and used.

    * Some compatibility helpers were dropped: EmergencyAction= in the user
      manager, as well as measuring kernel command line into PCR 8 in
      systemd-stub, along with the -Defi-tpm-pcr-compat compile-time
      option.

    * The '-Dupdate-helper-user-timeout=' build-time option has been
      renamed to '-Dupdate-helper-user-timeout-sec=', and now takes an
      integer as parameter instead of a string.

    * The DDI image dissection logic (which backs RootImage= in service
      unit files, the --image= switch in various tools such as
      systemd-nspawn, as well as systemd-dissect) will now only mount file
      systems of types btrfs, ext4, xfs, erofs, squashfs, vfat. This list
      can be overridden via the $SYSTEMD_DISSECT_FILE_SYSTEMS environment
      variable. These file systems are fairly well supported and maintained
      in current kernels, while others are usually more niche, exotic or
      legacy and thus typically do not receive the same level of security
      support and fixes.

New components:

    * A new tool 'ukify' to build, measure, and sign Unified Kernel Images
      (UKIs) has been added. This replaces functionality provided by
      'dracut --uefi' and extends it with automatic calculation of PE file
      offsets, insertion of signed PCR policies generated by
      systemd-measure, support for initrd concatenation, signing of the
      embedded Linux image and the combined image with sbsign, and
      heuristics to autodetect the kernel uname and verify the splash
      image.

Changes in systemd and units:

    * A new service type Type=notify-reload is defined. When such a unit is
      reloaded a UNIX process signal (typically SIGHUP) is sent to the main
      service process. The manager will then wait until it receives a
      "RELOADING=1" followed by a "READY=1" notification from the unit as
      response (via sd_notify()). Otherwise, this type is the same as
      Type=notify. A new setting ReloadSignal= may be used to change the
      signal to send from the default of SIGHUP.

      user@.service, systemd-networkd.service, systemd-udevd.service, and
      systemd-logind have been updated to this type.
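As an added example (not systemd's own code) serving this Type=notify-reload passage and the earlier note that sd_notify() now accepts $NOTIFY_SOCKET in "vsock:CID:port" form: a small Python client that parses the socket address, emits the RELOADING=1 / READY=1 pair a reload handler must send, and checks the exchange against a constructed stand-in for the manager. The MONOTONIC_USEC= field comes from the sd_notify(3) man page rather than from this page, and the stand-in manager socket is an assumption of the demo.

```python
"""Minimal sd_notify() client for a Type=notify-reload service (added example,
not systemd's code). Supports $NOTIFY_SOCKET as an absolute AF_UNIX path, an
abstract AF_UNIX name ('@...') and the vsock:CID:port form."""
import os
import socket
import tempfile
import time

SD_NOTIFY_READY = "READY=1"
SD_NOTIFY_STOPPING = "STOPPING=1"


def parse_notify_socket(value):
    """Map a $NOTIFY_SOCKET value to (family name, sendto() address)."""
    if value.startswith("vsock:"):
        cid, port = value[len("vsock:"):].split(":", 1)
        return "vsock", (int(cid), int(port))
    if value.startswith("@"):
        return "unix", "\0" + value[1:]      # abstract namespace: leading NUL
    if value.startswith("/"):
        return "unix", value
    raise ValueError(f"unsupported NOTIFY_SOCKET: {value!r}")


def sd_notify(state, notify_socket=None):
    """Send one notification datagram. Returns False when no socket is
    configured, the same 'not running under a manager' case in which
    sd_notify(3) returns 0 without doing anything."""
    target = os.environ.get("NOTIFY_SOCKET") if notify_socket is None else notify_socket
    if not target:
        return False
    family_name, addr = parse_notify_socket(target)
    family = socket.AF_VSOCK if family_name == "vsock" else socket.AF_UNIX
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.sendto(state.encode(), addr)
    return True


def reloading_message(monotonic_usec=None):
    """RELOADING=1 for Type=notify-reload. sd_notify(3) requires the
    MONOTONIC_USEC= field (CLOCK_MONOTONIC, microseconds) in this message so
    the manager can tell the reload it just requested from a stale one."""
    if monotonic_usec is None:
        monotonic_usec = time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000
    return f"RELOADING=1\nMONOTONIC_USEC={monotonic_usec}"


def reload_cycle(reload_config, notify_socket=None):
    """What the SIGHUP handler of a Type=notify-reload service should do:
    announce RELOADING=1, re-read configuration, then announce READY=1.
    If reload_config() raises, READY=1 is withheld, so the manager's reload
    times out instead of reporting a success that never happened."""
    sd_notify(reloading_message(), notify_socket)
    reload_config()
    sd_notify(SD_NOTIFY_READY, notify_socket)


def demo_reload_cycle():
    """Constructed stand-in for the manager: a datagram socket at a temporary
    path used as $NOTIFY_SOCKET. Returns the notifications it received."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "notify")
    received = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as mgr:
        mgr.bind(path)
        mgr.settimeout(2)
        reload_cycle(lambda: None, notify_socket=path)
        for _ in range(2):
            received.append(mgr.recv(4096).decode())
    os.unlink(path)
    os.rmdir(tmpdir)
    return received


if __name__ == "__main__":
    for msg in demo_reload_cycle():
        print(repr(msg))
```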

    * Initrd environments which are not on a pure memory file system (e.g.
      overlayfs combination as opposed to tmpfs) are now supported. With
      this change, during the initrd → host transition ("switch root")
      systemd will no longer erase all files of the initrd unless it's
      backed by a memory file system such as tmpfs.

    * New per-unit MemoryZSwapMax= option has been added to configure
      memory.zswap.max cgroup properties (the maximum amount of zswap
      used).

    * A new LogFilterPatterns= option has been added for units. It may be
      used to specify accept/deny regular expressions for log messages
      generated by the unit, that shall be enforced by systemd-journald.
      Rejected messages are neither stored in the journal nor forwarded.
      This option may be used to suppress noisy or uninteresting messages
      from units.

    * The manager has a new
      org.freedesktop.systemd1.Manager.GetUnitByPIDFD() D-Bus method to
      query process ownership via a PIDFD, which is more resilient against
      PID recycling issues.

    * Scope units now support OOMPolicy=. Login session scopes default to
      OOMPolicy=continue, allowing login scopes to survive the OOM killer
      terminating some processes in the scope.

    * systemd-fstab-generator now supports x-systemd.makefs option for
      /sysroot/ (in the initrd).

    * The maximum rate at which daemon reloads are executed can now be
      limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
      options. (Or the equivalent on the kernel command line:
      systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=).  In
      addition, systemd now logs the originating unit and PID when a reload
      request is received over D-Bus.

    * When enabling a swap device systemd will now reinitialize the device
      when the page size of the swap space does not match the page size of
      the running kernel.

    * systemd now executes generator programs in a mount namespace
      "sandbox" with most of the file system read-only and write access
      restricted to the output directories, and with a temporary /tmp/
      mount provided. This provides a safeguard against programming errors
      in the generators, but also fixes here-docs in shells, which
      previously didn't work in early boot when /tmp/ wasn't available
      yet. (This feature has no security implications, because the code is
      still privileged and can trivially exit the sandbox.)

    * The system manager will now parse a new "vmm.notify_socket"
      system credential, which may be supplied to a VM via SMBIOS. If
      found, it will send a "READY=1" notification on the specified socket
      after boot is complete. This allows readiness notification to be sent
      from a VM guest to the VM host over a VSOCK socket.

    * The sample PAM configuration file for user@.service now
      includes a call to pam_namespace. This puts children of user@.service
      in the expected namespace. (Many distributions replace their file
      with something custom, so this change has limited effect.)

    * A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST
      can be used to override the mount units' burst rate limit for
      parsing '/proc/self/mountinfo', which was introduced in
      v249. Defaults to 5.

    * Drop-ins for init.scope changing control group resource limits are
      now applied, while they were previously ignored.

    * New build-time configuration options '-Ddefault-timeout-sec=' and
      '-Ddefault-user-timeout-sec=' have been added, to let distributions
      choose the default timeout for starting/stopping/aborting system and
      user units respectively.

    * Service units gained a new setting OpenFile= which may be used to
      open arbitrary files in the file system (or connect to arbitrary
      AF_UNIX sockets in the file system), and pass the open file
      descriptor to the invoked process via the usual file descriptor
      passing protocol. This is useful to give unprivileged services access
      to select files which have restrictive access modes that would
      normally not allow this. It's also useful in case RootDirectory= or
      RootImage= is used to allow access to files from the host environment
      (which is after all not visible from the service if these two options
      are used.)
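The consumer side of OpenFile=, as an added example that is not systemd's code: the passed descriptor arrives through the same $LISTEN_PID/$LISTEN_FDS/$LISTEN_FDNAMES protocol that sd_listen_fds_with_names(3) implements, so the service looks the file up by its fd name instead of opening the path itself. The unit fragment in the comment and the pipe standing in for the opened file are constructed for the demo.

```python
"""Consumer of a descriptor passed via OpenFile= (added example, not systemd's
code): the $LISTEN_* protocol that sd_listen_fds_with_names(3) implements."""
import os

SD_LISTEN_FDS_START = 3   # systemd always hands over descriptors starting at fd 3


def listen_fds(environ, pid, first_fd=SD_LISTEN_FDS_START):
    """Return [(name, fd), ...] for descriptors the manager passed to `pid`.

    $LISTEN_PID must equal our own PID (a forked child inherits the variables
    but must not treat the fds as its own), $LISTEN_FDS is the count, and
    $LISTEN_FDNAMES is a ':'-separated list of names; for OpenFile= that is
    the fd-name given in the unit or, if omitted, the file's name. Missing
    names become 'unknown', as in libsystemd. `first_fd` only exists so the
    demo below can run with an arbitrary descriptor.
    """
    if environ.get("LISTEN_PID") != str(pid):
        return []
    try:
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    raw = environ.get("LISTEN_FDNAMES", "")
    names = raw.split(":") if raw else []
    passed = []
    for i in range(max(count, 0)):
        name = names[i] if i < len(names) and names[i] else "unknown"
        passed.append((name, first_fd + i))
    return passed


def fd_by_name(passed, name):
    """First descriptor carrying `name`, or None. Looking up by name rather
    than by position keeps the service working when the unit later gains
    additional OpenFile= or socket entries."""
    for n, fd in passed:
        if n == name:
            return fd
    return None


def demo_read_passed_file(content):
    """Constructed simulation of a unit containing
        [Service]
        OpenFile=/etc/app/secret.conf:config:read-only
    The manager opened the file and handed the descriptor over, so the service
    needs no read permission on the path. A pipe stands in for the file here
    so the demo runs anywhere."""
    r, w = os.pipe()
    os.write(w, content.encode())
    os.close(w)
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1",
           "LISTEN_FDNAMES": "config"}
    fd = fd_by_name(listen_fds(env, os.getpid(), first_fd=r), "config")
    if fd is None:
        os.close(r)
        raise RuntimeError("manager did not pass a descriptor named 'config'")
    with os.fdopen(fd, "r") as f:
        return f.read()


if __name__ == "__main__":
    print(demo_read_passed_file("key=value\n"), end="")
```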

Changes in udev:

    * The new net naming scheme "v253" has been introduced. In the new
      scheme, ID_NET_NAME_PATH is also set for USB devices not connected via
      a PCI bus. This extends the coverage of predictable interface names
      in some embedded systems.

      The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
      a more informative path on some embedded systems.

    * Partition block devices will now also get symlinks in
      /dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
      block device nodes via the kernel's "diskseq" value. Previously those
      symlinks were only created for the main block device.

    * A new operator '-=' is supported for SYMLINK variables. This allows
      symlinks to be unconfigured even if an earlier rule added them.

    * 'udevadm --trigger --settle' now also works for network devices
      that are being renamed.

Changes in sd-boot, bootctl, and the Boot Loader Specification:

    * systemd-boot now passes its random seed directly to the kernel's RNG
      via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which
      means the RNG gets seeded very early in boot before userspace has
      started.

    * systemd-boot will pass a disk-backed random seed – even when secure
      boot is enabled – if it can additionally get a random seed from EFI
      itself (via EFI's RNG protocol), or a prior seed in
      LINUX_EFI_RANDOM_SEED_TABLE_GUID from a preceding bootloader.

    * systemd-boot-system-token.service was renamed to
      systemd-boot-random-seed.service and extended to always save a random
      seed to ESP on every boot when a compatible boot loader is used. This
      allows a refreshed random seed to be used in the boot loader.

    * systemd-boot handles various seed inputs using a domain- and
      field-separated hashing scheme.

    * systemd-boot's 'random-seed-mode' option has been removed. A system
      token is now always required to be present for random seeds to be
      used.

    * systemd-boot now supports being loaded from other locations than the
      ESP, for example for direct kernel boot under QEMU or when embedded
      into the firmware.

    * systemd-boot now parses SMBIOS information to detect
      virtualization. This information is used to skip some warnings which
      are not useful in a VM and to conditionalize other aspects of
      behaviour.

    * systemd-boot now supports a new 'if-safe' mode that will perform UEFI
      Secure Boot automated certificate enrollment from the ESP only if it
      is considered 'safe' to do so. At the moment 'safe' means running in
      a virtual machine.

    * systemd-stub now processes random seeds in the same way as
      systemd-boot already does, in case a unified kernel image is being
      used from a different bootloader than systemd-boot, or without any
      boot loader at all.

    * bootctl will now generate a system token on all EFI systems, even
      virtualized ones, and is activated in case the system token is
      missing on either sd-boot or sd-stub booted systems.

    * bootctl now implements two new verbs: 'kernel-identify' prints the
      type of a kernel image file, and 'kernel-inspect' provides
      information about the embedded command line and kernel version of
      UKIs.

    * bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
      as for kernel-install.

    * The JSON output of "bootctl list" will now contain two more fields:
      isDefault and isSelected are boolean fields set to true on the
      default and currently booted boot menu entries.

    * bootctl gained a new verb "unlink" for removing a boot loader entry
      type #1 file from disk in a safe and robust way.

    * bootctl also gained a new verb "cleanup" that automatically removes
      all files from the ESP's and XBOOTLDR's "entry-token" directory that
      are not referenced anymore by any installed Type #1 boot loader
      specification entry. This is particularly useful in environments where
      a large number of entries reference the same or partly the same
      resources (for example, for snapshot-based setups).

Changes in kernel-install:

    * A new "installation layout" can be configured as layout=uki. With
      this setting, a Boot Loader Specification Type#1 entry will not be
      created.  Instead, a new kernel-install plugin 90-uki-copy.install
      will copy any .efi files from the staging area into the boot
      partition. A plugin to generate the UKI .efi file must be provided
      separately.

Changes in systemctl:

    * 'systemctl reboot' has dropped support for accepting a positional
      argument as the argument to the reboot(2) syscall. Please use the
      --reboot-argument= option instead.

    * 'systemctl disable' will now warn when called on units without
      install information. A new --no-warn option has been added that
      silences this warning.

    * New option '--drop-in=' can be used to tell 'systemctl edit' the name
      of the drop-in to edit. (Previously, 'override.conf' was always
      used.)

    * 'systemctl list-dependencies' now respects --type= and --state=.

    * 'systemctl kexec' now supports XEN VMM environments.

    * 'systemctl edit' will now tell the invoked editor to jump into the
      first line with actual unit file data, skipping over synthesized
      comments.

Changes in systemd-networkd and related tools:

    * The [DHCPv4] section in .network file gained new SocketPriority=
      setting that assigns the Linux socket priority used by the DHCPv4 raw
      socket. This may be used in conjunction with the
      EgressQOSMaps= setting in [VLAN] section of .netdev file to send the
      desired ethernet 802.1Q frame priority for DHCPv4 initial
      packets. This cannot be achieved with netfilter mangle tables because
      of the raw socket bypass.

    * The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained a
      new QuickAck= boolean setting that enables the TCP quick ACK mode for
      the routes configured by the acquired DHCPv4 lease or received router
      advertisements (RAs).

    * The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
      routes) now accepts three values, for high, medium, and low preference
      of the router (which can be set with the RouterPreference= setting).

    * systemd-networkd-wait-online now supports matching via alternative
      interface names.

    * The [DHCPv6] section in .network file gained new SendRelease=
      setting which enables the DHCPv6 client to send release when
      it stops. This is the analog of the [DHCPv4] SendRelease= setting.
      It is enabled by default.

    * If the Address= setting in [Network] or [Address] sections in .network
      is specified without its prefix length, systemd-networkd now assumes
      /32 for IPv4 or /128 for IPv6 addresses.

    * networkctl shows network and link file dropins in status output.

Changes in systemd-dissect:

    * systemd-dissect gained a new option --list, to print the paths of
      all files and directories in a DDI.

    * systemd-dissect gained a new option --mtree, to generate a file
      manifest compatible with BSD mtree(5) of a DDI.

    * systemd-dissect gained a new option --with, to execute a command with
      the specified DDI temporarily mounted and used as working
      directory. This is for example useful to convert a DDI to "tar"
      simply by running it within a "systemd-dissect --with" invocation.

    * systemd-dissect gained a new option --discover, to search for
      Discoverable Disk Images (DDIs) in well-known directories of the
      system. This will list machine, portable service and system extension
      disk images.

    * systemd-dissect now understands 2nd stage initrd images stored as a
      Discoverable Disk Image (DDI).

    * systemd-dissect will now display the main UUID of GPT DDIs (i.e. the
      disk UUID stored in the GPT header) among the other data it can show.

    * systemd-dissect gained a new --in-memory switch to operate on an
      in-memory copy of the specified DDI file. This is useful to access a
      DDI with write access without persisting any changes. It's also
      useful for accessing a DDI without keeping the originating file
      system busy.

    * The DDI dissection logic will now automatically detect the intended
      sector size of disk images stored in files, based on the GPT
      partition table arrangement. Loopback block devices for such DDIs
      will then be configured automatically for the right sector size. This
      is useful to make dealing with modern 4K sector size DDIs fully
      automatic. The systemd-dissect tool will now show the detected sector
      size among the other DDI information in its output.

Changes in systemd-repart:

    * systemd-repart gained new options --include-partitions= and
      --exclude-partitions= to filter operation on partitions by type UUID.
      This allows systemd-repart to be used to build images in which the
      type of one partition is set based on the contents of another
      partition (for example when the boot partition shall include a verity
      hash of the root partition).

    * systemd-repart also gained a --defer-partitions= option that is
      similar to --exclude-partitions=, but the size of the partition is
      still taken into account when sizing partitions, but without
      populating it.

    * systemd-repart gained a new --sector-size= option to specify what
      sector size should be used when an image is created.

    * systemd-repart now supports generating erofs file systems via
      CopyFiles= (a read-only file system similar to squashfs).

    * The Minimize= option was extended to accept "best" (which means the
      most minimal image possible, but may require multiple attempts) and
      "guess" (which means a reasonably small image).

    * The systemd-growfs binary now comes with a regular unit file template
      systemd-growfs@.service which can be instantiated directly for any
      desired file system. (Previously, the unit was generated dynamically
      by various generators, but no regular unit file template was
      available.)

Changes in journal tools:

    * Various systemd tools will append extra fields to log messages when
      in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently
      this includes information about D-Bus messages when sd-bus is used,
      e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information
      about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
      Details of what is logged and when are subject to change.

    * The systemd-journald-audit.socket can now be disabled via the usual
      "systemctl disable" mechanism to stop collection of audit
      messages. Please note that it is not enabled statically anymore and
      must be handled by the preset/enablement logic in package
      installation scripts.

    * New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
      be used to curtail disk use by systemd-journal-remote. This is
      similar to the options supported by systemd-journald.

Changes in systemd-cryptenroll, systemd-cryptsetup, and related components:

    * When enrolling new keys systemd-cryptenroll now supports unlocking
      via FIDO2 tokens (option --unlock-fido2-device=). Previously, a
      password was strictly required to be specified.

    * systemd-cryptsetup now supports pre-flight requests for FIDO2 tokens
      (except for tokens with user verification, UV) to identify tokens
      before authentication. Multiple FIDO2 tokens can now be enrolled at
      the same time, and systemd-cryptsetup will automatically select one
      that corresponds to one of the available LUKS key slots.

    * systemd-cryptsetup now supports new options tpm2-measure-bank= and
      tpm2-measure-pcr= in crypttab(5). These allow specifying the TPM2 PCR
      bank and number into which the volume key should be measured. This is
      automatically enabled for the encrypted root volume discovered and
      activated by systemd-gpt-auto-generator.

    * systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with
      "noexec,nosuid,nodev".

    * systemd-gpt-auto-generator will now honour the rootfstype= and
      rootflags= kernel command line switches for root file systems it
      discovers, to match behaviour in case an explicit root fs is
      specified via root=.

    * systemd-pcrphase gained new options --machine-id and --file-system=
      to measure the machine-id and mount point information into PCR 15. New
      service unit files systemd-pcrmachine.service and
      systemd-pcrfs@.service have been added that invoke the tool with
      these switches during early boot.

    * systemd-pcrphase gained a --graceful switch that will make it exit
      cleanly with a success exit code even if no TPM device is detected.

    * systemd-cryptenroll now stores the user-supplied PIN with a salt,
      making it harder to brute-force.

Changes in other tools:

    * systemd-homed gained support for luksPbkdfForceIterations (the
      intended number of iterations for the PBKDF operation on LUKS).

    * Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
      $SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
      may now be used to specify additional arguments for mkfs when
      systemd-homed formats a file system.

    * systemd-hostnamed now exports the contents of
      /sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two
      new D-Bus properties: FirmwareVendor and FirmwareDate. This allows
      unprivileged code to access those values.

      systemd-hostnamed also exports the SUPPORT_END= field from
      os-release(5) as OperatingSystemSupportEnd. hostnamectl makes use of
      this to show the status of the installed system.

    * systemd-measure gained an --append= option to sign multiple phase
      paths with different signing keys. This allows secrets to be
      accessible only in certain parts of the boot sequence. Note that
      'ukify' provides similar functionality in a more accessible form.

    * systemd-timesyncd will now write a structured log message with
      MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
      on an on-disk timestamp, similarly to what it did when reaching
      synchronization via NTP.

    * systemd-timesyncd will now update the on-disk timestamp file on each
      boot at least once, making it more likely that the system time
      increases in subsequent boots.

    * systemd-vconsole-setup gained support for system/service credentials:
      vconsole.keymap/vconsole.keymap_toggle and
      vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous to
      the similarly-named options in vconsole.conf.

    * systemd-localed will now save the XKB keyboard configuration to
      /etc/vconsole.conf, and also read it from there with a higher
      preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config
      file. Previously, this information was stored in the former file in
      converted form, and only in the latter file in the original form. Tools
      which want to access keyboard configuration can now do so from a
      standard location.

    * systemd-resolved gained support for configuring the nameservers and
      search domains via kernel command line (nameserver=, domain=) and
      credentials (network.dns, network.search_domains).

    * systemd-resolved will now synthesize host names for the DNS stub
      addresses it supports. Specifically when "_localdnsstub" is resolved,
      127.0.0.53 is returned, and if "_localdnsproxy" is resolved
      127.0.0.54 is returned.

    * systemd-notify will now send a "RELOADING=1" notification when called
      with --reloading, and "STOPPING=1" when called with --stopping. This
      can be used to implement notifications from units where it's easier
      to call a program than to use the sd-daemon library.

    * systemd-analyze's 'plot' command can now output its information in
      JSON, controlled via the --json= switch. Also, new --table, and
      --no-legend options have been added.

    * 'machinectl enable' will now automatically enable machines.target
      unit in addition to adding the machine unit to the target.

      Similarly, 'machinectl start|stop' gained a --now option to enable or
      disable the machine unit when starting or stopping it.

    * systemd-sysusers will now create /etc/ if it is missing.

    * systemd-sleep 'HibernateDelaySec=' setting is changed back to
      pre-v252's behaviour, and a new 'SuspendEstimationSec=' setting is
      added to provide the new initial value for the new automated battery
      estimation functionality. If 'HibernateDelaySec=' is set to any value,
      the automated estimate (and thus the automated hibernation on low
      battery to avoid data loss) functionality will be disabled.

    * Default tmpfiles.d/ configuration will now automatically create
      credentials storage directory '/etc/credstore/' with the appropriate,
      secure permissions. If '/run/credstore/' exists, its permissions will
      be fixed too in case they are not correct.

Changes in libsystemd and shared code:

    * sd-bus gained new convenience functions sd_bus_emit_signal_to(),
      sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().

    * sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
      128bit ID in files such as /etc/machine-id has an invalid
      format. They also accept NULL as output parameter in more places,
      which is useful when the caller only wants to validate the inputs and
      does not need the output value.

    * sd-login gained new functions sd_pidfd_get_session(),
      sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
      sd_pidfd_get_user_unit(), sd_pidfd_get_slice(),
      sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and
      sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(),
      but accept a PIDFD instead of a PID.

    * sd-path (and systemd-path) now export four new paths:
      SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR,
      SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR,
      SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and
      SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR,

    * sd_notify() now supports AF_VSOCK as transport for notification
      messages (in addition to the existing AF_UNIX support). This is
      enabled if $NOTIFY_SOCKET is set in a "vsock:CID:port" format.
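
      As an added illustration (not code from systemd or its sd-daemon
      library), the following Python client implements the three
      $NOTIFY_SOCKET address forms: a filesystem path, an abstract AF_UNIX
      name (leading "@"), and the "vsock:CID:port" form introduced here,
      which is also the transport the v253 notes describe for the
      vmm.notify_socket credential. Which socket type the vsock transport
      uses is an assumption of this example, not something the page states;
      the CID, port and path values are constructed.

```python
import os
import socket
import tempfile

# Added example, not systemd's sd_notify() implementation. AF_VSOCK is 40 on
# Linux; the fallback keeps the parser importable on other platforms.
AF_UNIX = socket.AF_UNIX
AF_VSOCK = getattr(socket, "AF_VSOCK", 40)


def parse_notify_socket(value):
    """Map a $NOTIFY_SOCKET value to (address family, socket type, address).

    "vsock:CID:port" -> AF_VSOCK stream socket, (cid, port)
                        (stream is an assumption of this example)
    "@name"          -> AF_UNIX datagram, abstract namespace (NUL byte + name)
    "/path"          -> AF_UNIX datagram, filesystem path
    """
    if value.startswith("vsock:"):
        cid, sep, port = value[len("vsock:"):].partition(":")
        if not (sep and cid.isdigit() and port.isdigit()):
            raise ValueError(f"malformed vsock notify socket: {value!r}")
        return AF_VSOCK, socket.SOCK_STREAM, (int(cid), int(port))
    if value.startswith("@"):
        # A leading "@" denotes the Linux abstract socket namespace, which is
        # addressed by a NUL byte followed by the name.
        return AF_UNIX, socket.SOCK_DGRAM, "\0" + value[1:]
    if value.startswith("/"):
        return AF_UNIX, socket.SOCK_DGRAM, value
    raise ValueError(f"unsupported notify socket: {value!r}")


def sd_notify(state, env=None):
    """Send one notification (e.g. "READY=1") to $NOTIFY_SOCKET.

    Returns False when no socket is configured and True once the message
    was handed to the kernel. Connect/send errors propagate so the unit can
    decide whether a lost notification is fatal.
    """
    env = os.environ if env is None else env
    target = env.get("NOTIFY_SOCKET")
    if not target:
        return False
    family, sock_type, addr = parse_notify_socket(target)
    if not state.endswith("\n"):
        state += "\n"  # the protocol is newline-separated KEY=VALUE lines
    with socket.socket(family, sock_type) as s:
        if sock_type == socket.SOCK_DGRAM:
            s.sendto(state.encode(), addr)  # one datagram per notification
        else:
            s.connect(addr)
            s.sendall(state.encode())
    return True


def demo_unix_roundtrip():
    """Bind a datagram socket the way the service manager does, notify it,
    and return the bytes received. Constructed; runs offline."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notify")
        with socket.socket(AF_UNIX, socket.SOCK_DGRAM) as manager:
            manager.bind(path)
            sd_notify("READY=1\nSTATUS=listening on :8443",
                      {"NOTIFY_SOCKET": path})
            return manager.recv(4096)


if __name__ == "__main__":
    print(demo_unix_roundtrip())
    # CID 2 is the host's well-known VMADDR_CID_HOST; port 1234 is made up.
    print(parse_notify_socket("vsock:2:1234"))
```

      Because $NOTIFY_SOCKET is inherited by child processes, a service
      that forwards its environment to untrusted helpers also hands them the
      ability to send READY=1 or STATUS= on its behalf; unset the variable
      before spawning such helpers.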

    * Detection of chroot() environments now works if /proc/ is not
      mounted.  This affects systemd-detect-virt --chroot, but also means
      that systemd tools will silently skip various operations in such an
      environment.

    * "Lockheed Martin Hardened Security for Intel Processors" (HS SRE)
      virtualization is now detected.

Changes in the build system:

    * Standalone variants of systemd-repart and systemd-shutdown may now be
      built (if -Dstandalone=true).

    * systemd-ac-power has been moved from /usr/lib/ to /usr/bin/, to, for
      example, allow scripts to conditionalize execution on AC power
      supply.

    * The libp11kit library is now loaded through dlopen(3).

Changes in the documentation:

    * Specifications that are not closely tied to systemd have moved to
      https://uapi-group.org/specifications/: the Boot Loader Specification
      and the Discoverable Partitions Specification.

    Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas,
    Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang,
    Antonio Alvarez Feijoo, Arsen Arsenović, asavah, Benjamin Fogle,
    Benjamin Tissoires, berenddeschouwer, BerndAdameit,
    Bernd Steinhauser, blutch112, cake03, Callum Farmer, Carlo Teubner,
    Charles Hardin, chris, Christian Brauner, Christian Göttsche,
    Cristian Rodríguez, Daan De Meyer, Dan Streetman, DaPigGuy,
    David Tardon, dependabot[bot], Dirk Su, Dmitry V. Levin, drosdeck,
    Edson Juliano Drosdeck, edupont, Eric DeVolder, Erik Moqvist,
    Evgeny Vereshchagin, Felix Riemann, Franck Bui, Frantisek Sumsal,
    Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho,
    igo95862, Ilya Leoshkevich, Ivan Shapovalov, Jacek Migacz,
    Jade Lovelace, Jan Engelhardt, Jan Janssen, Jan Macku, January,
    Jason A. Donenfeld, jcg, Jelle van der Waa, Jeremy Linton,
    Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann, Jörg Thalheim,
    Joshua Goins, joshuazivkovic, Joshua Zivkovic, Kai-Chuan Hsieh,
    Khem Raj, Koba Ko, Lennart Poettering, lichao, Li kunyu,
    Luca Boccassi, Luca BRUNO, Ludwig Nussel, Łukasz Stelmach,
    Lycowolf, marcel151, Marcus Schäfer, Marek Vasut, Mark Laws,
    Michael Biebl, Michał Kotyla, Michal Koutný, Michal Sekletár,
    Mike Yuan, MkfsSion, msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore,
    Nick Rosbrook, noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv,
    Phaedrus Leeds, Philipp Jungkamp, Quentin Deslandes, Ray Strode,
    reuben olinsky, Richard E. van der Luit, Richard Phibel,
    Ricky Tigg, Robin Humble, rogg, Rudi Heitbaum, Sam James,
    Samuel Thibault, Siddhesh Poyarekar, Space Meyer, Spindle Security,
    Steve Ramage, Thomas Haller, Tonći Galić, Torsten Hilbrich,
    Tuetuopay, uerdogan, Ulrich Ölmann, Valentin David,
    Vitaly Kuznetsov, Vito Caputo, Waltibaba, Will Fancher,
    William Roberts, wouter bolsterlee, Youfu Zhang, Yu Watanabe,
    Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски,
    наб

    — Warsaw, 2023-02-02
systemd - systemd v253-rc1

Published by bluca over 1 year ago

systemd System and Service Manager

CHANGES WITH 253 in spe:

Deprecations and incompatible changes

    * systemctl will now warn when invoked without /proc mounted (e.g. when
      invoked after chroot into an image without the API mount points like
      /proc being set up.)  Operation in such an environment is not fully
      supported.

    * The return value of 'systemctl is-active|is-enabled|is-failed' for
      unknown units is changed: previously 1 or 3 were returned, but now 4
      (EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented.

    * 'udevadm hwdb' subcommand is deprecated and will emit a warning.
      systemd-hwdb (added in 2014) should be used instead.

    * 'bootctl --json' now outputs well-formed JSON, instead of a stream
      of newline-separated JSON objects.

    * Udev rules in 60-evdev.rules have been changed to load hwdb properties
      for all modalias patterns. Previously only the first matching pattern
      was used. This could change what properties are assigned if the user
      has more and less specific patterns that could match the same device,
      but it is expected that the change will have no effect for most users.

    * systemd-networkd-wait-online exits successfully when all interfaces
      are ready or unmanaged. Previously, if neither '--any' nor
      '--interface=' options were used, at least one interface had to be in
      configured state. This change allows the case, where systemd-networkd
      is enabled but no interfaces are configured, to be handled
      gracefully. It may occur in particular when a different network
      manager is also enabled and used.

    * Some compatibility helpers were dropped: EmergencyAction= in the user
      manager, measuring kernel command line into PCR 8 along with the
      -Defi-tpm-pcr-compat compile-time option.

New components:

    * A new tool, 'ukify', to build, measure, and sign Unified Kernel Images
      (UKIs) has been added. This replaces functionality provided by
      'dracut --uefi' and extends it with automatic calculation of offsets,
      insertion of signed PCR policies generated by systemd-measure,
      support for initrd concatenation, signing of the embedded Linux image
      and the combined image with sbsign, and heuristics to autodetect the
      kernel uname and verify the splash image.

Changes in systemd and units:

    * A new unit type Type=notify-reload is defined. When such a unit is
      reloaded via a signal, the manager will wait until it receives a
      "READY=1" notification from the unit. Otherwise, this type is the
      same as Type=notify.

      user@.service, systemd-networkd.service, systemd-udevd.service, and
      systemd-logind have been updated to this type; their reloads are now
      synchronous.

    * Initrd environments which are not on a temporary file system (for
      example an overlayfs combination) are now supported. Systemd will only
      skip removal of the files in the initrd if it doesn't detect a
      temporary file system.

    * New MemoryZSwapMax= option has been added to configure
      memory.zswap.max cgroup properties (the maximum amount of zswap used).

    * New LogFilterPatterns= option can be used to specify regexp
      accept/deny patterns for log entries generated by the unit. Based on
      the option value, the manager sets the
      user.journald_log_filter_patterns extended attribute on the unit
      cgroup. systemd-journald checks for this attribute when receiving
      messages, and will filter messages by matching the MESSAGE= part.
      Rejected messages are neither stored in the journal nor forwarded.
      This option can be used to filter noisy or uninteresting messages
      from units.
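
      As an added example (not systemd's own code), the accept/deny
      evaluation described above, applied to constructed journal entries.
      The pattern syntax follows systemd.resource-control(5): each
      LogFilterPatterns= value is an extended regular expression matched
      against MESSAGE=, and a leading "~" turns it into a deny pattern. A
      message matching any deny pattern is dropped before allow patterns are
      consulted, and when no allow pattern is configured every remaining
      message is kept. Python's re module stands in for the POSIX ERE engine
      journald uses, so exotic regex syntax may differ.

```python
import re

# Added example, not systemd code: evaluates LogFilterPatterns= semantics
# over constructed journal entries. Equivalent drop-in (constructed):
#
#   [Service]
#   LogFilterPatterns=~^DEBUG:
#   LogFilterPatterns=^(ERROR|WARN|AUDIT):
#
# "~" prefixes a deny pattern; everything else is an allow pattern.


class LogFilter:
    def __init__(self, patterns):
        self.deny = []
        self.allow = []
        for pattern in patterns:
            if pattern.startswith("~"):
                self.deny.append(re.compile(pattern[1:]))
            else:
                self.allow.append(re.compile(pattern))

    def accepts(self, message):
        # 1. Any deny match discards the message outright.
        if any(r.search(message) for r in self.deny):
            return False
        # 2. No allow patterns configured: keep whatever survived step 1.
        if not self.allow:
            return True
        # 3. Otherwise the message must match at least one allow pattern.
        return any(r.search(message) for r in self.allow)

    def apply(self, entries):
        """Return the entries journald would store. The rest are neither
        stored nor forwarded, so they are unavailable to forensics too."""
        return [e for e in entries if self.accepts(e.get("MESSAGE", ""))]


# Constructed sample of what a unit might log.
SAMPLE_ENTRIES = [
    {"PRIORITY": 7, "MESSAGE": "DEBUG: polling 12 descriptors"},
    {"PRIORITY": 3, "MESSAGE": "ERROR: TLS handshake failed from 203.0.113.9"},
    {"PRIORITY": 6, "MESSAGE": "AUDIT: admin login from 198.51.100.4"},
    {"PRIORITY": 6, "MESSAGE": "INFO: request served in 12ms"},
    {"PRIORITY": 7, "MESSAGE": "DEBUG: ERROR counter reset"},  # deny beats allow
]


def demo(patterns=("~^DEBUG:", "^(ERROR|WARN|AUDIT):")):
    """Messages that survive the filter, in journal order."""
    return [e["MESSAGE"] for e in LogFilter(patterns).apply(SAMPLE_ENTRIES)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

      A deny pattern that is too broad silently removes evidence, and anyone
      who can write a drop-in for a unit can suppress that unit's log lines
      this way; review a unit's effective LogFilterPatterns= (systemctl cat
      UNIT) before relying on its journal in an investigation.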

    * The manager has a new
      org.freedesktop.systemd1.Manager.GetUnitByPIDFD() method to query
      process ownership via a PIDFD, which is more resilient against PID
      recycling issues.

    * Scope units now support OOMPolicy=. Login session scopes default to
      OOMPolicy=continue, allowing login scopes to survive the OOM killer
      terminating some processes in the scope.

    * systemd-fstab-generator now supports x-systemd.makefs option for
      /sysroot (in the initrd).

    * The maximum rate at which daemon reloads are executed can now be
      limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
      options. (Or the equivalent on the kernel command line:
      systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=).
      In addition, systemd now logs the originating unit and PID when
      a reload request is received over D-Bus.

    * When enabling a swap device, instead of failing, systemd will now
      reinitialize the device when the page size of the swap space does not
      match the page size of the running kernel.

    * Systemd now executes generators in a mount namespace "sandbox" with
      most of the file system read-only, but with write access to the
      output directories, and with a temporary /tmp/ mount provided. This
      provides a safeguard against programming errors in the generators,
      but also fixes here-docs in shells, which previously didn't work in
      early boot when /tmp/ wasn't available yet. (This feature has no
      security implications, because the code is still privileged and can
      trivially exit the sandbox.)

    * The manager will load the vmm.notify_socket credential. If found,
      it will send a "READY=1" notification on the specified socket after
      boot is complete. This allows readiness notification to be sent
      from a VM guest to the host over a VSOCK socket.

    * The sample PAM configuration file for user@.service now
      includes a call to pam_namespace. This puts children of user@.service
      in the expected namespace. (Many distributions replace their file
      with something custom, so this change has limited effect.)

    * A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST can
      be used to override the mount units burst rate limit for parsing
      '/proc/self/mountinfo', which was introduced in v249. Defaults to 5.

    * Drop-ins for init.scope changing control cgroup resource limits are
      now applied, while they were previously ignored.

Changes in udev:

    * The new net naming scheme "v253" has been introduced. In the new
      scheme, ID_NET_NAME_PATH is also set for USB devices not connected via
      a PCI bus. This extends the coverage of predictable interface names
      in some embedded systems.

      The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
      a more informative path on some embedded systems.

    * Block partitions will now also get symlinks in
      /dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
      block device nodes via the kernel's "diskseq" value. Previously those
      symlinks were only created for the main block device.

    * A new operator '-=' is supported for SYMLINK variables. This allows
      symlinks to be unconfigured even if an earlier rule added them.

    * 'udevadm --trigger --settle' now also works for network devices
      that are being renamed.

Changes in sd-boot, bootctl, and the Boot Loader Specification:

    * systemd-boot now passes its random seed directly to the kernel's RNG
      via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which
      means the RNG gets seeded very early in boot before userspace has
      started.

    * systemd-boot will pass a random seed when secure boot is enabled if
      it can additionally get a random seed from EFI itself, via EFI's RNG
      protocol or a prior seed in LINUX_EFI_RANDOM_SEED_TABLE_GUID from a
      preceding bootloader.

    * systemd-boot-system-token.service was renamed to
      systemd-boot-random-seed.service and extended to always save the
      random seed to ESP on every boot when a compatible boot loader is
      used. This allows a refreshed random seed to be used in the boot
      loader.

    * systemd-boot handles various seed inputs using a domain- and
      field-separated hashing scheme.
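
      The page does not describe sd-boot's construction, so the following is
      an added illustration of the general technique rather than sd-boot's
      code: hashing several seed inputs under a domain label with explicit
      field lengths, and why plain concatenation is unsafe (two different
      splits of the same bytes hash to the same value). The input values and
      domain labels are constructed.

```python
import hashlib


def naive_seed_hash(*fields):
    """Plain concatenation: the field boundaries are ambiguous."""
    return hashlib.sha256(b"".join(fields)).digest()


def separated_seed_hash(domain, *fields):
    """Domain- and field-separated hashing (added illustration).

    Every piece, the domain label included, is prefixed with its 8-byte
    little-endian length, so the digest uniquely determines
    (domain, field_1, ..., field_n) and different consumers of the same
    inputs get unrelated outputs."""
    h = hashlib.sha256()
    for piece in (domain, *fields):
        h.update(len(piece).to_bytes(8, "little"))
        h.update(piece)
    return h.digest()


# Constructed inputs standing in for a seed read from the ESP, output of the
# firmware RNG protocol, and a system token.
STORED_SEED = b"\x11" * 32
EFI_RNG_OUTPUT = b"\x22" * 32
SYSTEM_TOKEN = b"\x33" * 32


def derive_seeds():
    """Two outputs for two consumers (next stored seed, seed handed to the
    kernel) from the same inputs; only the domain label differs, so neither
    value reveals the other."""
    inputs = (STORED_SEED, EFI_RNG_OUTPUT, SYSTEM_TOKEN)
    return (separated_seed_hash(b"seed-file", *inputs),
            separated_seed_hash(b"kernel-rng", *inputs))


if __name__ == "__main__":
    print(naive_seed_hash(b"ab", b"c") == naive_seed_hash(b"a", b"bc"))
    print(separated_seed_hash(b"x", b"ab", b"c") ==
          separated_seed_hash(b"x", b"a", b"bc"))
```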

    * systemd-boot's 'random-seed-mode' option has been removed. A system
      token is now always required to be present for random seeds to be
      used.

    * systemd-boot now supports being loaded not from the ESP, for example
      for direct kernel boot under QEMU or when embedded into the firmware.

    * systemd-boot now parses SMBIOS info to detect virtualization. This
      information is used to skip some warnings which are not useful in a
      VM and to conditionalize other aspects of behaviour.

    * systemd-stub now processes random seeds in the same way as
      systemd-boot, in case a unified kernel image is being used from a
      different bootloader than systemd-boot.

    * bootctl will now generate a system token on all EFI systems, even
      virtualized ones; this is triggered when the system token is missing,
      on either sd-boot- or sd-stub-booted systems.

    * bootctl now implements two new verbs: 'kernel-identify' prints the
      type of a kernel image, and 'kernel-inspect' provides information
      about the embedded command line and kernel version.

    * bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
      as for kernel-install.

Changes in kernel-install:

    * A new "installation layout" can be configured as layout=uki. With this
      setting, a Boot Loader Specification Type#1 entry will not be created.
      Instead, a new kernel-install plugin 90-uki-copy.install will copy any
      .efi files from the staging area into the boot partition. A plugin to
      generate the UKI .efi file must be provided separately.

Changes in systemctl:

    * 'systemctl reboot' has dropped support for accepting a positional
      argument as the argument to the reboot(2) syscall. Please use the
      --reboot-argument option instead.

    * 'systemctl disable' will now warn when called on units without install
      information. A new --no-warn option has been added that silences this
      warning.

    * New option '--drop-in=' can be used to tell 'systemctl edit' the name
      of the drop-in to edit. (Previously, 'override.conf' was always used.)

    * 'systemctl list-dependencies' now respects --type= and --state=.

    * 'systemctl kexec' now supports XEN.

Changes in systemd-networkd and related tools:

    * The [DHCPv4] section in .network file gained new SocketPriority=
      setting that assigns the Linux socket priority used by the DHCPv4
      raw socket. Can be used in conjunction with the EgressQOSMaps= setting
      in [VLAN] section of .netdev file to send the desired Ethernet 802.1Q
      frame priority for DHCPv4 initial packets. This cannot be achieved
      with netfilter mangle tables because the raw socket bypasses them.

    * The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained new
      QuickAck= boolean setting that enables the TCP quick ACK mode for the
      routes configured by the acquired DHCPv4 lease or received router
      advertisements (RAs).

    * The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
      routes) now accepts three values, for high, medium, and low preference
      of the router (which can be set with the RouterPreference= setting).

    * systemd-networkd-wait-online now supports alternative interface names.

    * The [DHCPv6] section in .network file gained new SendRelease=
      setting which enables the DHCPv6 client to send release when
      it stops. This is the analog of the [DHCPv4] SendRelease= setting.
      It is enabled by default.

    * If the Address= setting in [Network] or [Address] sections in .network
      files is specified without its prefix length, systemd-networkd now
      assumes /32 for IPv4 or /128 for IPv6 addresses.

    * networkctl shows network and link file dropins in status output.

Changes in systemd-dissect:

    * systemd-dissect gained a new option --list, to print the paths of the
      files and directories in the image.

    * systemd-dissect gained a new option --mtree, to generate output
      compatible with BSD mtree(5).

    * systemd-dissect gained a new option --with, to execute a command in
      the image temporarily mounted.

    * systemd-dissect gained a new option --discover, to search for
      Discoverable Disk Images (DDIs) in well-known directories. This will
      list machine, portable service and system extension disk images.

    * systemd-dissect now understands 2nd stage initrd images stored as a
      Discoverable Disk Image (DDI).

Changes in systemd-repart:

    * systemd-repart gained new options --include-partitions= and
      --exclude-partitions= to filter operation on partitions by type UUID.
      This allows systemd-repart to be used to build images in which the
      type of one partition is set based on the contents of another
      partition (for example when the boot partition shall include a verity
      hash of the root partition).

    * systemd-repart also gained a --defer-partitions= option that is
      similar to --exclude-partitions=, but the size of the partition is
      taken into account without populating it.

    * systemd-repart gained a new --sector-size= option to specify what
      sector size should be used when an image is created.

    * systemd-repart now supports erofs (a read-only file system similar to
      squashfs).

    * The Minimize= option was extended to accept "best" (which means the
      most minimal image possible, but may require multiple attempts) and
      "guess" (which means a reasonably small image).

Changes in journal tools:

    * Various systemd tools will append extra fields to log messages when
      in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently
      this includes information about D-Bus messages when sd-bus is used,
      e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information
      about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
      Details of what is logged and when are subject to change.

    * The systemd-journald-audit.socket can now be normally disabled
      to stop collection of audit messages.

    * New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
      be used to curtail disk use by systemd-journal-remote. This is
      similar to the options supported by systemd-journald.

Changes in systemd-cryptenroll, systemd-cryptsetup, and related components:

    * systemd-cryptenroll now supports unlocking via FIDO2 tokens (option
      --unlock-fido2-device=).

    * systemd-cryptsetup now supports new options tpm2-measure-pcr= and
      tpm2-measure-bank= in crypttab(5). These allow specifying the
      PCR bank and number into which the volume key should be measured.

    * When measuring data into a PCR, an authenticated hash (HMAC) is used
      on the CPU, to further protect the data before it leaves the CPU.

    * systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with
      "noexec,nosuid,nodev".

    * systemd-pcrphase gained new options --machine-id and --file-system=
      to measure the machine-id and mount point information into a PCR.

    * The machine-id is measured into PCR 15 during early boot.

    * For the root and /var/ volumes, the mount point information and
      options, and volume encryption keys in case encryption is used, will
      be measured into PCR 15.

    * systemd-cryptenroll now stores the user-supplied PIN with a salt,
      making it harder to brute-force.

Changes in other tools:

    * systemd-homed gained support for luksPbkdfForceIterations (the
      intended number of iterations for the PBKDF operation on LUKS).

    * Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
      $SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
      can be used to specify additional arguments for mkfs when
      systemd-homed formats a file system.

    * systemd-hostnamed now exports the contents of
      /sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two
      new D-Bus properties: FirmwareVendor and FirmwareDate. This allows
      unprivileged code to access those values.

      systemd-hostnamed also exports the SUPPORT_END= field from
      os-release(5) as OperatingSystemSupportEnd. timedatectl makes use of
      this to show the status of the installed system.

    * systemd-measure gained an --append= option to sign multiple phase
      paths with different signing keys. This allows secrets to be
      accessible only in certain parts of the boot sequence. Note that
      'ukify' provides similar functionality in a more accessible form.

    * systemd-timesyncd will now write a structured log message with
      MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
      on a disk timestamp, similarly to what it did when reaching
      synchronization via NTP.

      systemd-timesyncd will now also update the timestamp file on each
      boot, making it more likely that the system time increases in
      subsequent boots.

    * systemd-vconsole-setup gained support for credentials:
      vconsole.keymap/vconsole.keymap_toggle and
      vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous to
      the similarly-named options in vconsole.conf.

    * systemd-localed will now save the XKB keyboard configuration to
      /etc/vconsole.conf, and also read it from there with a higher
      preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config
      file. Previously, this information was stored in the former file in
      converted form, and only in latter file in the original form. Tools
      which want to access keyboard configuration can now do so from a
      standard location.

    * systemd-resolved gained support for configuring the nameservers and
      search domains via kernel command line (nameserver=, domain=) and
      credentials (network.dns, network.search_domains).

    * systemd-notify will now send a "RELOADING=1" notification when called
      with --reloading, and "STOPPING=1" when called with --stopping. This
      can be used to implement notifications from units where it's easier
      to call a program than to use the sd-daemon library.

    * systemd-analyze gained new --json=, --table, and --no-legend options
      that affect the output of 'plot'.

    * 'machinectl enable' will now automatically enable machines.target
      unit in addition to adding the machine unit to the target.

      Similarly, 'machinectl start|stop' gained a --now option to enable or
      disable the machine unit when starting or stopping it.

Changes in libsystemd and shared code:

    * sd-bus gained new convenience functions sd_bus_emit_signal_to(),
      sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().

    * sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
      id128_t parameter has an invalid format. They also accept NULL as
      output parameter in more places, which is useful when the caller only
      wants to check the inputs and does not need the output value.

    * sd-login gained new functions sd_pidfd_get_session(),
      sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
      sd_pidfd_get_user_unit(), sd_pidfd_get_slice(),
      sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and
      sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(),
      but accept a PIDFD instead of a PID.

    * sd-path (and systemd-path) now export four new paths:
      SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR,
      SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR,
      SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and
      SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR,

    * sd-notify now supports AF_VSOCK, in the "vsock:CID:port" format, for
      the notify_socket parameter/environment variable/credential.

    * Detection of chroot environments now works if /proc/ is not mounted.
      This affects systemd-detect-virt --chroot, but also means that systemd
      tools will silently skip various operations in such an environment.

    * "Lockheed Martin Hardened Security for Intel Processors" (HS SRE)
      virtualization is now detected.

Changes in the build system:

    * Standalone variant of systemd-repart is built (if -Dstandalone=true).

    * systemd-ac-power has been moved to /usr/bin/, to, for example, allow
      scripts to conditionalize execution on AC power supply.

    * The libp11kit library is now loaded through dlopen(3).

Changes in the documentation:

    * Specifications that are not closely tied to systemd have moved to
      https://uapi-group.org/specifications/: the Boot Loader Specification
      and the Discoverable Partitions Specification.

    Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas,
    Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang,
    Antonio Alvarez Feijoo, asavah, Benjamin Fogle, Benjamin Tissoires,
    berenddeschouwer, BerndAdameit, Bernd Steinhauser, blutch112,
    Callum Farmer, Carlo Teubner, Charles Hardin, chris,
    Christian Brauner, Christian Göttsche, Cristian Rodríguez,
    Daan De Meyer, Dan Streetman, DaPigGuy, David Tardon,
    dependabot[bot], Dirk Su, Dmitry V. Levin, drosdeck,
    Edson Juliano Drosdeck, edupont, Eric DeVolder, Erik Moqvist,
    Evgeny Vereshchagin, Felix Riemann, Franck Bui, Frantisek Sumsal,
    Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho,
    igo95862, Ivan Shapovalov, Jacek Migacz, Jade Lovelace,
    Jan Engelhardt, Jan Janssen, Jan Macku, January,
    Jason A. Donenfeld, jcg, Jelle van der Waa, Jeremy Linton,
    Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann, Jörg Thalheim,
    Joshua Goins, joshuazivkovic, Joshua Zivkovic, Kai-Chuan Hsieh,
    Khem Raj, Koba Ko, Lennart Poettering, lichao, Li kunyu,
    Luca Boccassi, Luca BRUNO, Ludwig Nussel, Łukasz Stelmach,
    Lycowolf, marcel151, Marcus Schäfer, Marek Vasut, Mark Laws,
    Michael Biebl, Michał Kotyla, Michal Koutný, Michal Sekletár,
    Mike Yuan, MkfsSion, msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore,
    Nick Rosbrook, noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv,
    Phaedrus Leeds, Philipp Jungkamp, Quentin Deslandes, Ray Strode,
    reuben olinsky, Richard E. van der Luit, Richard Phibel,
    Ricky Tigg, rogg, Sam James, Samuel Thibault, Siddhesh Poyarekar,
    Space Meyer, Spindle Security, Steve Ramage, Thomas Haller,
    Tonći Galić, Torsten Hilbrich, uerdogan, Ulrich Ölmann,
    Valentin David, Vitaly Kuznetsov, Vito Caputo, Waltibaba,
    Will Fancher, William Roberts, Youfu Zhang, Yu Watanabe,
    Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски,
    наб

    — Warsaw, 2023-01-25
systemd - systemd v252

Published by bluca almost 2 years ago

systemd System and Service Manager

CHANGES WITH 252 🎃:

Announcements of Future Feature Removals:

    * We intend to remove cgroup v1 support from systemd release after the
      end of 2023. If you run services that make explicit use of cgroup v1
      features (i.e. the "legacy hierarchy" with separate hierarchies for
      each controller), please implement compatibility with cgroup v2 (i.e.
      the "unified hierarchy") sooner rather than later. Most of Linux
      userspace has been ported over already.

    * We intend to remove support for split-usr (/usr mounted separately
      during boot) and unmerged-usr (parallel directories /bin and
      /usr/bin, /lib and /usr/lib, etc). This will happen in the second
      half of 2023, in the first release that falls into that time window.
      For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

Compatibility Breaks:

    * ConditionKernelVersion= checks that use the '=' or '!=' operators
      will now do simple string comparisons (instead of version comparisons
      à la strverscmp()). Version comparisons are still done for the
      ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
      specified, a shell-style glob match is now done. This creates a minor
      incompatibility compared to older systemd versions when the '*', '?',
      '[', ']' characters are used, as these will now match as shell globs
      instead of literally. Given that kernel version strings typically do
      not include these characters we expect little breakage through this
      change.
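
      An added example (not systemd's implementation) of the evaluation
      rules just described: literal comparison for '=' and '!=', version
      comparison for the ordering operators, and a glob over the whole
      release string when no operator is given. The version comparison is a
      simplified stand-in for systemd's strverscmp()-style routine (digit
      runs compare numerically, other runs lexically); how it orders
      pre-release suffixes is an assumption, not systemd's behaviour. The
      kernel release strings used are constructed.

```python
import fnmatch
import re

# Added example, not systemd code. Operators are tried longest-first so
# that "<=" is not mistaken for "<" applied to "=...".
_OPERATORS = ("<=", ">=", "!=", "<", ">", "=")
_RUNS = re.compile(r"\d+|\D+")


def compare_versions(a, b):
    """Simplified strverscmp(): returns -1, 0 or 1. Digit runs compare as
    integers, other runs as strings (assumption: systemd's routine has
    additional rules, e.g. for pre-release markers)."""
    ta = [int(t) if t.isdigit() else t for t in _RUNS.findall(a)]
    tb = [int(t) if t.isdigit() else t for t in _RUNS.findall(b)]
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        return -1 if str(x) < str(y) else 1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def condition_kernel_version(expr, release):
    """Evaluate one ConditionKernelVersion= expression against `uname -r`."""
    expr = expr.strip()
    op = next((o for o in _OPERATORS if expr.startswith(o)), None)
    if op is None:
        # v252+: no operator means a shell-style glob over the whole string,
        # so "6.1.*" matches "6.1.0-13-amd64" but "6.1" does not.
        return fnmatch.fnmatchcase(release, expr)
    rhs = expr[len(op):].strip()
    if op == "=":
        return release == rhs   # v252+: literal string, no version semantics
    if op == "!=":
        return release != rhs
    c = compare_versions(release, rhs)
    return {"<": c < 0, ">": c > 0, "<=": c <= 0, ">=": c >= 0}[op]


if __name__ == "__main__":
    running = "6.1.0-13-amd64"  # constructed release string
    for e in (">=5.15", "=6.1", "6.1.*", "6.1", "!=6.1.0-13-amd64"):
        print(f"{e:20} -> {condition_kernel_version(e, running)}")
```

      The practical check after upgrading: any unit that used '=' to mean
      "this major.minor" must be rewritten as a glob ("6.1.*") or as a pair
      of ordering conditions, because '=' now only matches the exact string.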

    * The service manager will now read the SELinux label used for SELinux
      access checks from the unit file at the time it loads the file.
      Previously, the label would be read at the moment of the access
      check, which was problematic since at that time the unit file might
      already have been updated or removed.

New Features:

    * systemd-measure is a new tool for calculating and signing expected
      TPM2 PCR values for a given unified kernel image (UKI) booted via
      sd-stub. The public key used for the signature and the signed
      expected PCR information can be embedded inside the UKI. This
      information can be extracted from the UKI by external tools and code
      in the image itself and is made available to userspace in the booted
      kernel.

      systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been
      updated to make use of this information if available in the booted
      kernel: when locking an encrypted volume/credential to the TPM
      systemd-cryptenroll/systemd-creds will use the public key to bind the
      volume/credential to any kernel that carries PCR information signed
      by the same key pair. When unlocking such volumes/credentials
      systemd-cryptsetup/systemd-creds will use the signature embedded in
      the booted UKI to gain access.

      Binding TPM-based disk encryption to public keys/signatures of PCR
      values — instead of literal PCR values — addresses the inherent
      "brittleness" of traditional PCR-bound TPM disk encryption schemes:
      disks remain accessible even if the UKI is updated, without any TPM
      specific preparation during the OS update — as long as each UKI
      carries the necessary PCR signature information.

      Net effect: if you boot a properly prepared kernel, TPM-bound disk
      encryption now defaults to be locked to kernels which carry PCR
      signatures from the same key pair. Example: if a hypothetical distro
      FooOS prepares its UKIs like this, TPM-based disk encryption is now –
      by default – bound to only FooOS kernels, and encrypted volumes bound
      to the TPM cannot be unlocked on kernels from other sources. (But do
      note this behaviour requires preparation/enabling in the UKI, and of
      course users can always enroll non-TPM ways to unlock the volume.)

    * systemd-pcrphase is a new tool that is invoked at six places during
      system runtime, and measures additional words into TPM2 PCR 11, to
      mark milestones of the boot process. This allows binding access to
      specific TPM2-encrypted secrets to specific phases of the boot
      process. (Example: LUKS2 disk encryption key only accessible in the
      initrd, but not later.)
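
      As an added model (not systemd code) of why phase measurements let a
      secret be bound to one part of the boot: PCR extension is one-way, so
      once a later phase word has been measured, PCR 11 can never return to
      the value it held inside the initrd, and a TPM policy sealed to that
      earlier value stops unsealing. The six phase strings are the ones
      systemd-pcrphase documents; the base value standing in for what
      sd-stub measured before userspace ran is constructed, and the SHA-256
      bank is assumed.

```python
import hashlib

# Added model, not systemd code. Phase words measured by systemd-pcrphase
# in boot order, as documented in systemd-pcrphase(8).
PHASES = ("enter-initrd", "leave-initrd", "sysinit", "ready",
          "shutdown", "final")
PCR_SIZE = 32  # SHA-256 bank (assumption for this model)


def pcr_extend(pcr, data):
    """TPM2 PCR_Extend semantics for a hash bank: PCR' = H(PCR || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def predict_pcr11(phases=PHASES, base=None):
    """Expected PCR 11 value after each phase word, keyed by phase name.

    `base` models what sd-stub already measured into PCR 11 for this UKI
    before userspace ran; here a constructed stand-in. Because the chain is
    deterministic, a tool like systemd-measure can precompute these values
    and sign a policy for each phase ahead of time."""
    if base is None:
        base = pcr_extend(bytes(PCR_SIZE), b"constructed .linux section digest")
    pcr = base
    expected = {}
    for phase in phases:
        pcr = pcr_extend(pcr, phase.encode())
        expected[phase] = pcr
    return expected


def can_unseal(policy_pcr11, current_pcr11):
    """A secret sealed to a PCR 11 value unseals only while PCR 11 equals it."""
    return policy_pcr11 == current_pcr11


def initrd_only_secret_window(phases=PHASES):
    """Phases during which a secret bound to the 'enter-initrd' value can be
    unsealed; the one-way extend makes this exactly one phase."""
    expected = predict_pcr11(phases)
    target = expected["enter-initrd"]
    return [p for p in phases if can_unseal(target, expected[p])]


if __name__ == "__main__":
    for phase, value in predict_pcr11().items():
        print(f"{phase:13} {value.hex()}")
    print("unseal window:", initrd_only_secret_window())
```

      The same mechanism is what makes a signed-PCR-policy scheme workable:
      the per-phase values are predictable from the UKI contents and the
      fixed phase words, so they can be signed once per kernel build rather
      than re-enrolled on every update.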

Changes in systemd itself, i.e. the manager and units

    * The cpu controller is delegated to user manager units by default, and
      CPUWeight= settings are applied to the top-level user slice units
      (app.slice, background.slice, session.slice). This provides a degree
      of resource isolation between different user services competing for
      the CPU.

    * Systemd can optionally do a full preset in the "first boot" condition
      (instead of just enable-only). This behaviour is controlled by the
      compile-time option -Dfirst-boot-full-preset. Right now it defaults
      to 'false', but the plan is to switch it to 'true' for the subsequent
      release.

    * Drop-ins are now allowed for transient units too.

    * Systemd will set the taint flag 'support-ended' if it detects that
      the OS image is past its end-of-support date. This date is declared
      in a new /etc/os-release field SUPPORT_END= described below.

    * Two new settings ConditionCredential= and AssertCredential= can be
      used to skip or fail units if a certain system credential is not
      provided.

    * ConditionMemory= accepts size suffixes (K, M, G, T, …).

    * DefaultSmackProcessLabel= can be used in system.conf and user.conf to
      specify the SMACK security label to use when not specified in a unit
      file.

    * DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
      specify the default timeout when waiting for device units to
      activate.

    * C.UTF-8 is used as the default locale if nothing else has been
      configured.

    * [Condition|Assert]Firmware= have been extended to support certain
      SMBIOS fields. For example

        ConditionFirmware=smbios-field(board_name = "Custom Board")

      conditionalizes the unit to run only when
      /sys/class/dmi/id/board_name contains "Custom Board" (without the
      quotes).

    * ConditionFirstBoot= now correctly evaluates as true only during the
      boot phase of the first boot. A unit executed later, after booting
      has completed, will no longer evaluate this condition as true.

    * Socket units will now create sockets in the SELinuxContext= of the
      associated service unit, if any.

    * Boot phase transitions (start initrd → exit initrd → boot complete →
      shutdown) will be measured into TPM2 PCR 11, so that secrets can be
      bound to a specific runtime phase. E.g.: a LUKS encryption key can be
      unsealed only in the initrd.
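
      The following is an added example (not systemd code) that models the
      PCR 11 mechanism described in this and the systemd-pcrphase entry: the
      TPM is simulated with SHA-256, the stub's kernel+initrd measurement is
      one digest over constructed bytes, and the six phase words are assumed
      only to illustrate why a secret sealed to the initrd phase becomes
      inaccessible once the next milestone is measured.

```python
"""Model of the PCR 11 boot-phase measurements.

Added example, not systemd code: the TPM is simulated with SHA-256, the
stub's kernel+initrd measurement is one digest over constructed bytes, and
the six phase words are assumed here only to show the mechanism (the
release notes do not list them).
"""
import hashlib

PCR_SIZE = 32                   # SHA-256 PCR bank
ZERO_PCR = bytes(PCR_SIZE)      # PCRs start at all-zero after reset

# Assumed milestone words, one per systemd-pcrphase invocation (six places).
PHASES = ("enter-initrd", "leave-initrd", "sysinit", "ready", "shutdown", "final")


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new value = H(old value || digest). One-way and
    order-dependent, so a PCR cannot be 'rolled back' to an earlier phase."""
    return hashlib.sha256(pcr + digest).digest()


def measure(pcr: bytes, data: bytes) -> bytes:
    """Measure raw data into a PCR: hash it, then extend with the digest."""
    return pcr_extend(pcr, hashlib.sha256(data).digest())


def pcr11_timeline(kernel_initrd: bytes) -> dict:
    """PCR 11 after the stub measured the kernel+initrd ('stub') and after
    each subsequent phase measurement, in boot order."""
    pcr = measure(ZERO_PCR, kernel_initrd)
    timeline = {"stub": pcr}
    for phase in PHASES:
        pcr = measure(pcr, phase.encode())
        timeline[phase] = pcr
    return timeline


def _kdf(policy_pcr: bytes) -> bytes:
    """Toy key derivation for the simulated sealed blob."""
    return hashlib.sha256(b"seal-to-pcr11|" + policy_pcr).digest()


def seal(secret: bytes, expected_pcr11: bytes) -> tuple:
    """Simulated TPM2 seal with a PCR policy: the object records the single
    PCR 11 value under which it may be unsealed. (A real TPM keeps the secret
    inside; this XOR model only reproduces the policy behaviour.)"""
    if len(secret) > PCR_SIZE:
        raise ValueError("toy model seals at most 32 bytes")
    key = _kdf(expected_pcr11)
    blob = bytes(a ^ b for a, b in zip(secret, key))
    return expected_pcr11, blob


def unseal(sealed: tuple, current_pcr11: bytes):
    """Return the secret if PCR 11 currently equals the policy value, else
    None (the TPM would reject the policy session)."""
    policy, blob = sealed
    if current_pcr11 != policy:
        return None
    key = _kdf(policy)
    return bytes(a ^ b for a, b in zip(blob, key))


def phases_that_can_unseal(sealed: tuple, timeline: dict) -> list:
    """Which boot milestones still allow access to the sealed secret."""
    return [name for name, pcr in timeline.items() if unseal(sealed, pcr) is not None]


if __name__ == "__main__":
    # Constructed stand-in for the kernel+initrd bytes measured by sd-stub.
    tl = pcr11_timeline(b"constructed FooOS kernel+initrd bytes")
    # Seal a constructed volume key to the PCR 11 value that exists only
    # while the initrd runs: after 'enter-initrd', before 'leave-initrd'.
    volume_key = seal(b"constructed-volume-key", tl["enter-initrd"])
    print(phases_that_can_unseal(volume_key, tl))   # ['enter-initrd']
```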

    * Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
      also be provided to ExecStartPre= processes.

    * Various units are now correctly ordered against
      initrd-switch-root.target where previously a conflict without
      ordering was configured. A stop job for those units would be queued,
      but without the ordering it could be executed only after
      initrd-switch-root.service, leading to units not being restarted in
      the host system as expected.

    * In order to fully support the IPMI watchdog driver, which has not yet
      been ported to the new common watchdog device interface,
      /dev/watchdog0 will be tried first and systemd will silently fall back
      to /dev/watchdog if it is not found.

    * New watchdog-related D-Bus properties are now published by systemd:
      WatchdogDevice, WatchdogLastPingTimestamp,
      WatchdogLastPingTimestampMonotonic.

    * At shutdown, API virtual file systems (proc, sys, etc.) will be
      unmounted lazily.

    * At shutdown, systemd will now log about processes blocking unmounting
      of file systems.

    * A new meson build option 'clock-valid-range-usec-max' was added to
      allow disabling system time correction if RTC returns a timestamp far
      in the future.

    * Propagated restart jobs will no longer be discarded while a unit is
      activating.

    * PID 1 will now import system credentials from SMBIOS Type 11 fields
      ("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
      simple, fast and generic path for supplying credentials to a VM,
      without involving external tools such as cloud-init/ignition.

    * The CPUWeight= setting of unit files now accepts a new special value
      "idle", which configures "idle" level scheduling for the unit.

    * Service processes that are activated due to a .timer or .path unit
      triggering will now receive information about this via environment
      variables. Note that this information is lossy, as activation
      might be coalesced and only one of the activating triggers will be
      reported. This is hence more suited for debugging or tracing rather
      than for behaviour decisions.

    * The riscv_flush_icache(2) system call has been added to the list of
      system calls allowed by default when SystemCallFilter= is used.

    * The selinux context derived from the target executable, instead of
      'init_t' used for the manager itself, is now used when creating
      listening sockets for units that specify SELinuxContextFromNet=yes.

Changes in sd-boot, bootctl, and the Boot Loader Specification:

    * The Boot Loader Specification has been cleaned up and clarified.
      Various corner cases in version string comparisons have been fixed
      (e.g. comparisons for empty strings). Boot counting is now part of
      the main specification.

    * New PCR measurements are performed during boot: PCR 11 for the
      kernel+initrd combo, PCR 13 for any sysext images. If a measurement
      took place this is now reported to userspace via the new
      StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.

    * As before, systemd-stub will measure kernel parameters and system
      credentials into PCR 12. It will now report this fact via the
      StubPcrKernelParameters EFI variable to userspace.

    * The UEFI monotonic boot counter is now included in the updated random
      seed file maintained by sd-boot, providing some additional entropy.

    * sd-stub will use LoadImage/StartImage to execute the kernel, instead
      of arranging the image manually and jumping to the kernel entry
      point. sd-stub also installs a temporary UEFI SecurityOverride to
      allow the (unsigned) nested image to be booted. This is safe because
      the outer (signed) stub+kernel binary must have been verified before
      the stub was executed.

    * Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
      is now supported by sd-boot.

    * bootctl gained a bunch of new options: --all-architectures to install
      binaries for all supported EFI architectures, --root= and --image= to
      operate on a directory or disk image, --install-source= to specify the
      source for binaries to install, and --efi-boot-option-description= to
      control the name of the boot entry.

    * The sd-boot stub exports a StubFeatures flag, which is used by
      bootctl to show features supported by the stub that was used to boot.

    * The PE section offsets that are used by tools that assemble unified
      kernel images have historically been hard-coded. This may lead to
      overlapping PE sections which may break on boot. The UKI will now try
      to detect and warn about this.

      Any tools that assemble UKIs must update to calculate these offsets
      dynamically. Future sd-stub versions may use offsets that will not
      work with the currently used set of hard-coded offsets!

    * sd-stub now accepts (and passes to the initrd and then to the full
      OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
      signatures of expected PCR values, to allow sealing secrets via the
      TPM2 against pre-calculated PCR measurements.

Changes in the hardware database:

    * 'systemd-hwdb query' now supports the --root= option.

Changes in systemctl:

    * systemctl now supports --state= and --type= options for the 'show'
      and 'status' verbs.

    * systemctl gained a new verb 'list-automounts' to list automount
      points.

    * systemctl gained support for a new --image= switch to be able to
      operate on the specified disk image (similar to the existing --root=
      which operates relative to some directory).

Changes in systemd-networkd:

    * networkd can set Linux NetLabel labels for integration with the
      network control in security modules via a new NetLabel= option.

    * The RapidCommit= setting is (re-)introduced to enable faster
      configuration via DHCPv6 (RFC 3315).

    * networkd gained a new option TCPCongestionControlAlgorithm= that
      allows setting a per-route TCP algorithm.

    * networkd gained a new option KeepFileDescriptor= to allow keeping a
      reference (file descriptor) open on TUN/TAP interfaces, which is
      useful to avoid link flaps while the underlying service providing the
      interface is being serviced.

    * RouteTable= now also accepts route table names.

Changes in systemd-nspawn:

    * The --bind= and --overlay= options now support relative paths.

    * The --bind= option now supports a 'rootidmap' value, which will
      use id-mapped mounts to map the root user inside the container to the
      owner of the mounted directory on the host.

Changes in systemd-resolved:

    * systemd-resolved now persists DNSOverTLS in its state file too. This
      fixes a problem when used in combination with NetworkManager, which
      sends the setting only once, causing it to be lost if resolved was
      restarted at any point.

    * systemd-resolved now exposes a varlink socket at
      /run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for
      root. Processed DNS requests in a JSON format will be published to
      any clients connected to this socket.

      resolvectl gained a 'monitor' verb to make use of this.

    * systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
      instead of returning SERVFAIL, as per RFC:
      https://datatracker.ietf.org/doc/html/rfc6840#section-5.2

    * OpenSSL is the default crypto backend for systemd-resolved. (gnutls
      is still supported.)

Changes in libsystemd and other libraries:

    * libsystemd now exports sd_bus_error_setfv() (a convenience function
      for setting bus errors), sd_id128_string_equal() (a convenience
      function for 128bit ID string comparisons), and
      sd_bus_message_read_strv_extend() (a function to incrementally read
      string arrays).

    * libsystemd now exports sd_device_get_child_first()/_next() as a
      high-level interface for enumerating child devices. It also supports
      sd_device_new_child() for opening a child device given a device
      object.

    * libsystemd now exports sd_device_monitor_set()/get_description()
      which allow setting a custom description that will be used in log
      messages by sd_device_monitor*.

    * Private shared libraries (libsystemd-shared-nnn.so,
      libsystemd-core-nnn.so) are now installed into arch-specific
      directories to allow multi-arch installs.

    * A new sd-gpt.h header is now published, listing GUIDs from the
      Discoverable Partitions specification. For more details see:
      https://systemd.io/DISCOVERABLE_PARTITIONS/

    * A new function sd_hwdb_new_from_path() has been added to open a hwdb
      database given an explicit path to the file.

    * The signal number argument to sd_event_add_signal() can now be
      ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
      be automatically invoked to block the specified signal. This is
      useful to simplify invocations as the caller doesn't have to do this
      manually.

    * A new convenience call sd_event_set_signal_exit() has been added to
      sd-event to set up signal handling so that the event loop
      automatically terminates cleanly on SIGTERM/SIGINT.

Changes in other components:

    * systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
      can now be provided via the credential mechanism.

    * systemd-analyze gained a new verb 'compare-versions' that implements
      comparisons for version strings (similarly to 'rpmdev-vercmp' and
      'dpkg --compare-versions').

    * 'systemd-analyze dump' is extended to accept glob patterns for unit
      names to limit the output to matching units.

    * tmpfiles.d/ lines can read file contents to write from a credential.
      The new modifier char '^' is used to specify that the argument is a
      credential name. This mechanism is used to automatically populate
      /etc/motd, /etc/issue, and /etc/hosts from credentials.

    * tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
      an inode if the specification is prefixed with ':' and the inode
      already exists.

    * Default tmpfiles.d/ configuration now carries a line to automatically
      use an 'ssh.authorized_keys.root' credential if provided to set up
      the SSH authorized_keys file for the root user.

    * systemd-tmpfiles will now gracefully handle absent source of "C" copy
      lines.

    * tmpfiles.d/ F/w lines now optionally permit encoding of the payload
      in base64. This is useful to write arbitrary binary data into files.

    * The pkgconfig and rpm macros files now export the directory for user
      units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.

    * Detection of Apple Virtualization and detection of Parallels and
      KubeVirt virtualization on non-x86 archs have been added.

    * os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
      user when their system will become unsupported.
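
      The following is an added example (not systemd code) showing how the
      SUPPORT_END= field is read and turned into the 'support-ended' taint
      described above; the os-release text and dates are constructed.

```python
"""Evaluating os-release SUPPORT_END= the way the 'support-ended' taint
flag does: the image is past support once today's date is later than the
declared YYYY-MM-DD date.

Added example, not systemd code; the os-release text is constructed.
"""
import datetime as dt
import re
import shlex

SUPPORT_END_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_os_release(text: str) -> dict:
    """Parse KEY=value lines; values may be shell-quoted, '#' starts a
    comment, and a later duplicate key wins (shell-sourcing semantics)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        words = shlex.split(value, comments=True)
        fields[key.strip()] = words[0] if words else ""
    return fields


def parse_support_end(value: str):
    """Return a date for a well-formed YYYY-MM-DD value, else None. A missing
    or malformed field means 'no end date known', never 'expired'."""
    if not SUPPORT_END_RE.match(value):
        return None
    try:
        return dt.date.fromisoformat(value)
    except ValueError:          # e.g. 2023-02-30
        return None


def support_ended(os_release_text: str, today: str) -> bool:
    """True when the image is past its declared end-of-support date.
    'today' is an ISO date string so the check is reproducible in tests."""
    end = parse_support_end(parse_os_release(os_release_text).get("SUPPORT_END", ""))
    return end is not None and dt.date.fromisoformat(today) > end


def taint_flags(os_release_text: str, today: str) -> list:
    """Taint flags this check contributes (the manager merges others)."""
    return ["support-ended"] if support_ended(os_release_text, today) else []


# Constructed os-release for a hypothetical distribution.
SAMPLE_OS_RELEASE = """\
# constructed sample
NAME="FooOS"
VERSION_ID=7
PRETTY_NAME="FooOS 7 (Constructed)"
SUPPORT_END=2023-12-31  # end of standard support
"""

if __name__ == "__main__":
    print(taint_flags(SAMPLE_OS_RELEASE, "2024-06-01"))   # ['support-ended']
```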

    * When performing suspend-then-hibernate, the system will estimate the
      discharge rate and use that to set the delay until hibernation, and
      will hibernate immediately instead of suspending when running from a
      battery whose capacity is below 5%.

    * systemd-sysctl gained a --strict option to fail when a sysctl
      setting is unknown to the kernel.

    * machinectl supports --force for the 'copy-to' and 'copy-from'
      verbs.

    * coredumpctl gained the --root and --image options to look for journal
      files under the specified root directory, image, or block device.

    * 'journalctl -o' and similar commands now implement a new output mode
      "short-delta". It is similar to "short-monotonic", but also shows the
      time delta between subsequent messages.

    * journalctl now respects the --quiet flag when verifying consistency
      of journal files.

    * Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
      will indicate whether a message was logged in the 'initrd' phase or
      in the 'system' phase of the boot process.

    * Journal files gained a new compatibility flag
      'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
      to the storage format that allow reducing size on disk. As with other
      compatibility flags, older journalctl versions will not be able to
      read journal files using this new format. The environment variable
      'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
      disable this functionality. It is enabled by default.

    * systemd-run's --working-directory= switch now works when used in
      combination with --scope.

    * portablectl gained a --force flag to skip certain sanity checks. This
      is implemented using new flags accepted by systemd-portabled for the
      *WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH
      flag now means that the attach/detach checks whether the units are
      already present and running will be skipped. Similarly,
      SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether
      image name matches the name declared inside of the image will be
      skipped. Callers must be sure to do those checks themselves if
      appropriate.

    * systemd-portabled will now use the original filename to check
      extension-release.NAME for correctness, in case it is passed a
      symlink.

    * systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
      too.

    * sysext's extension-release files now support '_any' as a special
      value for the ID= field, to allow distribution-independent extensions
      (e.g.: fully statically compiled binaries, scripts). It also gained
      support for a new ARCHITECTURE= field that may be used to explicitly
      restrict an image to hosts of a specific architecture.

    * systemd-repart now supports creating squashfs partitions. This
      requires mksquashfs from squashfs-tools.

    * systemd-repart gained a --split flag to also generate split
      artifacts, i.e. a separate file for each partition. This is useful in
      conjunction with systemd-sysupdate or other tools, or to generate
      split dm-verity artifacts.

    * systemd-repart is now able to generate dm-verity partitions, including
      signatures.

    * systemd-repart can now set a partition UUID to zero, allowing it to
      be filled in later, such as when using verity partitions.

    * systemd-repart now supports drop-ins for its configuration files.

    * Package metadata logged by systemd-coredump in the system journal is
      now more compact.

    * xdg-autostart-service now expands 'tilde' characters in Exec lines.

    * systemd-oomd now automatically links against libatomic, if available.

    * systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
      killed.

    * scope units now also provide oom-kill status.

    * systemd-pstore will now try to load only the efi_pstore kernel module
      before running, ensuring that pstore can be used.

    * systemd-logind gained a new StopIdleSessionSec= option to stop an idle
      session after a preconfigured timeout.

    * systemd-homed will now wait up to 30 seconds for workers to terminate,
      rather than indefinitely.

    * homectl gained a new '--luks-sector-size=' flag that allows users to
      select the preferred LUKS sector size. Must be a power of 2 between 512
      and 4096. systemd-userdbd records gained a corresponding field.

    * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
      variable when generating the 'sp_lstchg' field, to ensure an image
      build can be reproducible.

    * 'udevadm wait' will now listen to kernel uevents too when called with
      --initialized=no.

    * When naming network devices udev will now consult the Devicetree
      "alias" fields for the device.

    * systemd-udev will now create infiniband/by-path and
      infiniband/by-ibdev links for Infiniband verbs devices.

    * systemd-udev-trigger.service will now also prioritize input devices.

    * ConditionACPower= and systemd-ac-power will now assume the system is
      running on AC power if no battery can be found.

    * All features and tools using the TPM2 will now communicate with it
      using a bind key. Previously, the TPM2 support used encrypted sessions
      by creating a primary key that was used to encrypt traffic. This
      creates a problem, as the key created for encrypting the traffic could
      be faked by an active interposer on the bus. In cases when a PIN is
      used, a bind key will be used: the PIN is used as the auth value for
      the seal key (i.e. the disk encryption key), and that auth value is
      used in the session establishment. An attacker would need the PIN
      value to create the secure session, and thus an active interposer
      without the PIN cannot interpose on TPM2 traffic.

    * systemd-growfs no longer requires udev to run.

    * systemd-backlight will now better support systems with multiple
      graphic cards.

    * systemd-cryptsetup's keyfile-timeout= option now also works when a
      device is used as a keyfile.

    * systemd-cryptenroll gained a new --unlock-key-file= option to get the
      unlocking key from a key file (instead of prompting the user). Note
      that this is the key for unlocking the volume in order to be able to
      enroll a new key, but it is not the key that is enrolled.

    * systemd-dissect gained a new --umount switch that will safely and
      synchronously unmount all partitions of an image previously mounted
      with 'systemd-dissect --mount'.

    * When using gcrypt, all systemd tools and services will now configure
      it to prefer the OS random number generator if present.

    * All example code shipped with documentation has been relicensed from CC0
      to MIT-0.

    * Unit tests will no longer fail when running on a system without
      /etc/machine-id.

Experimental features:

    * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
      and bpftool >= 7.0).

    * sd-boot can automatically enroll SecureBoot keys from files found on
      the ESP. This enrollment can be either automatic ('force' mode) or
      controlled by the user ('manual' mode). It is sufficient to place the
      SecureBoot keys in the right place in the ESP and they will be picked
      up by sd-boot and shown in the boot menu.

    * The mkosi config in systemd gained support for automatically
      compiling a kernel with the configuration appropriate for testing
      systemd. This may be useful when developing or testing systemd in
      tandem with the kernel.

Contributors:

    Contributions from: 김인수, Adam Williamson, adrian5, Aidan Dang,
    Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev,
    Alexander Graf, Alexander Shopov, Alexander Wilson,
    Alper Nebi Yasak, anarcat, Anders Jonsson, Andre Kalb,
    Andrew Stone, Andrey Albershteyn, Anita Zhang, Ansgar Burchardt,
    Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh, asavah,
    Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera,
    Benjamin Franzke, BerndAdameit, bin456789, Celeste Liu,
    Chih-Hsuan Yen, Christian Brauner, Christian Göttsche,
    Christian Hesse, Clyde Byrd III, codefiles, Colin Walters,
    Cristian Rodríguez, Daan De Meyer, Daniel Braunwarth,
    Daniel Rusek, Dan Streetman, Darsey Litzenberger, David Edmundson,
    David Jaša, David Rheinsberg, David Seifert, David Tardon,
    dependabot[bot], Devendra Tewari, Dominique Martinet, drosdeck,
    Edson Juliano Drosdeck, Eduard Tolosa, eggfly, Einsler Lee,
    Elias Probst, Eli Schwartz, Evgeny Vereshchagin, exploide, Fei Li,
    Foster Snowhill, Franck Bui, Frank Dana, Frantisek Sumsal,
    Gerd Hoffmann, Gio, Goffredo Baroncelli, gtwang01,
    Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt,
    Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz,
    Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt,
    Jan Janssen, Jan Kuparinen, Jan Luebbe, Jan Macku,
    Jason A. Donenfeld, Javkhlanbayar Khongorzul, Jeremy Soller,
    JeroenHD, jiangchuangang, João Loureiro,
    Joaquín Ignacio Aramendía, Jochen Sprickerhof,
    Johannes Schauer Marin Rodrigues, Jonas Kümmerlin,
    Jonas Witschel, Jonathan Kang, Jonathan Lebon, Joost Heitbrink,
    Jörg Thalheim, josh-gordon-fb, Joyce, Kai Lueke, lastkrick,
    Lennart Poettering, Leon M. George, licunlong, Li kunyu,
    LockBlock-dev, Loïc Collignon, Lubomir Rintel, Luca Boccassi,
    Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123,
    Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro,
    Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl,
    Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert,
    Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oğuz Ersen,
    Oleg Solovyov, Olga Smirnova, Pablo Ceballos, Pavel Zhukov,
    Phaedrus Leeds, Philipp Gortan, Piotr Drąg, Pyfisch,
    Quentin Deslandes, Rahil Bhimjiani, Rene Hollander, Richard Huang,
    Richard Phibel, Rudi Heitbaum, Sam James, Sarah Brofeldt,
    Sean Anderson, Sebastian Scheibner, Shreenidhi Shedi,
    Sonali Srivastava, Steve Ramage, Suraj Krishnan, Swapnil Devesh,
    Takashi Sakamoto, Ted X. Toth, Temuri Doghonadze, Thomas Blume,
    Thomas Haller, Thomas Hebb, Tomáš Hnyk, Tomasz Paweł Gajc,
    Topi Miettinen, Ulrich Ölmann, undef, Uriel Corfa,
    Victor Westerhuis, Vincent Dagonneau, Vishal Chillara Srinivas,
    Vito Caputo, Weblate, Wenchao Hao, William Roberts, williamsumendap,
    wineway, xiaoyang, Yuri Chornoivan, Yu Watanabe,
    Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб

    – The Great Beyond, 2022-10-31 👻
systemd - systemd v252-rc3

Published by bluca almost 2 years ago

systemd System and Service Manager

CHANGES WITH 252 in spe:

Announcements of Future Feature Removals:

    * We intend to remove cgroup v1 support from systemd release after the
      end of 2023. If you run services that make explicit use of cgroup v1
      features (i.e. the "legacy hierarchy" with separate hierarchies for
      each controller), please implement compatibility with cgroup v2 (i.e.
      the "unified hierarchy") sooner rather than later. Most of Linux
      userspace has been ported over already.

    * We intend to remove support for split-usr (/usr mounted separately
      during boot) and unmerged-usr (parallel directories /bin and
      /usr/bin, /lib and /usr/lib, etc). This will happen in the second
      half of 2023, in the first release that falls into that time window.
      For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

Compatibility Breaks:

    * ConditionKernelVersion= checks that use the '=' or '!=' operators
      will now do simple string comparisons (instead of version comparisons
      à la strverscmp()). Version comparisons are still done for the
      ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
      specified, a shell-style glob match is now done. This creates a minor
      incompatibility compared to older systemd versions when the '*', '?',
      '[', ']' characters are used, as these will now match as shell globs
      instead of literally. Given that kernel version strings typically do
      not include these characters we expect little breakage through this
      change.
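
      The following is an added example (not systemd code) that evaluates
      ConditionKernelVersion= values with the semantics described above and
      shows which expressions change meaning; version_compare() is a
      deliberately simplified stand-in for the strverscmp()-style ordering,
      and the kernel version strings are constructed.

```python
"""Evaluating ConditionKernelVersion= expressions with the v252 semantics:
'='/'!=' compare strings literally, ordering operators compare versions,
and a bare value is a shell-style glob.

Added example, not systemd code. version_compare() is a deliberately
simplified stand-in for the strverscmp()-style ordering systemd uses
(digit runs compare numerically, everything else compares as text);
legacy_matches() models the pre-252 behaviour of the cases that changed.
"""
import fnmatch
import re

# Longest operators first so "<=5.4" is not parsed as "<" followed by "=5.4".
OPERATORS = ("<=", ">=", "!=", "<", ">", "=")


def _version_key(v: str) -> list:
    """Split '5.15.0-rc2' into typed runs so numbers order numerically."""
    runs = re.findall(r"\d+|\D+", v)
    return [(0, int(r)) if r.isdigit() else (1, r) for r in runs]


def version_compare(a: str, b: str) -> int:
    """Negative, zero or positive like strverscmp(); simplified ordering."""
    ka, kb = _version_key(a), _version_key(b)
    return (ka > kb) - (ka < kb)


def parse_condition(expr: str) -> tuple:
    """Return (operator or None, right-hand side) for a condition value."""
    expr = expr.strip()
    for op in OPERATORS:
        if expr.startswith(op):
            return op, expr[len(op):].strip()
    return None, expr


def matches(expr: str, running: str) -> bool:
    """v252 semantics of ConditionKernelVersion=EXPR for the running version."""
    op, rhs = parse_condition(expr)
    if op is None:
        # Bare value: shell glob, so '*', '?', '[' and ']' are now special.
        return fnmatch.fnmatchcase(running, rhs)
    if op == "=":
        return running == rhs            # plain string comparison
    if op == "!=":
        return running != rhs
    c = version_compare(running, rhs)    # ordering operators: version compare
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]


def legacy_matches(expr: str, running: str) -> bool:
    """Pre-252 behaviour for the cases that changed: a bare value had to
    match literally, and '='/'!=' used version comparison."""
    op, rhs = parse_condition(expr)
    if op is None:
        return running == rhs
    if op == "=":
        return version_compare(running, rhs) == 0
    if op == "!=":
        return version_compare(running, rhs) != 0
    return matches(expr, running)


def changed_behaviour(expr: str, running: str) -> bool:
    """True when a unit's condition flips because of the v252 change, which
    is what to audit for in unit files that use glob characters."""
    return matches(expr, running) != legacy_matches(expr, running)


if __name__ == "__main__":
    kernel = "5.15.0-91-generic"                 # constructed
    for expr in ("5.15*", "=5.15.0-91-generic", ">=5.10", "<6"):
        print(f"{expr:>20}  now={matches(expr, kernel)}  "
              f"changed={changed_behaviour(expr, kernel)}")
```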

    * The service manager will now read the SELinux label used for SELinux
      access checks from the unit file at the time it loads the file.
      Previously, the label would be read at the moment of the access
      check, which was problematic since at that time the unit file might
      already have been updated or removed.

New Features:

    * systemd-measure is a new tool for calculating and signing expected
      TPM2 PCR values for a given unified kernel image (UKI) booted via
      sd-stub. The public key used for the signature and the signed
      expected PCR information can be embedded inside the UKI. This
      information can be extracted from the UKI by external tools and code
      in the image itself and is made available to userspace in the booted
      kernel.

      systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been
      updated to make use of this information if available in the booted
      kernel: when locking an encrypted volume/credential to the TPM
      systemd-cryptenroll/systemd-creds will use the public key to bind the
      volume/credential to any kernel that carries PCR information signed
      by the same key pair. When unlocking such volumes/credentials
      systemd-cryptsetup/systemd-creds will use the signature embedded in
      the booted UKI to gain access.

      Binding TPM-based disk encryption to public keys/signatures of PCR
      values — instead of literal PCR values — addresses the inherent
      "brittleness" of traditional PCR-bound TPM disk encryption schemes:
      disks remain accessible even if the UKI is updated, without any TPM
      specific preparation during the OS update — as long as each UKI
      carries the necessary PCR signature information.

      Net effect: if you boot a properly prepared kernel, TPM-bound disk
      encryption now defaults to be locked to kernels which carry PCR
      signatures from the same key pair. Example: if a hypothetical distro
      FooOS prepares its UKIs like this, TPM-based disk encryption is now –
      by default – bound to only FooOS kernels, and encrypted volumes bound
      to the TPM cannot be unlocked on kernels from other sources. (But do
      note this behaviour requires preparation/enabling in the UKI, and of
      course users can always enroll non-TPM ways to unlock the volume.)

    * systemd-pcrphase is a new tool that is invoked at six places during
      system runtime, and measures additional words into TPM2 PCR 11, to
      mark milestones of the boot process. This allows binding access to
      specific TPM2-encrypted secrets to specific phases of the boot
      process. (Example: LUKS2 disk encryption key only accessible in the
      initrd, but not later.)

Changes in systemd itself, i.e. the manager and units

    * The cpu controller is delegated to user manager units by default, and
      CPUWeight= settings are applied to the top-level user slice units
      (app.slice, background.slice, session.slice). This provides a degree
      of resource isolation between different user services competing for
      the CPU.

    * Systemd can optionally do a full preset in the "first boot" condition
      (instead of just enable-only). This behaviour is controlled by the
      compile-time option -Dfirst-boot-full-preset. Right now it defaults
      to 'false', but the plan is to switch it to 'true' for the subsequent
      release.

    * Drop-ins are now allowed for transient units too.

    * Systemd will set the taint flag 'support-ended' if it detects that
      the OS image is past its end-of-support date. This date is declared
      in a new /etc/os-release field SUPPORT_END= described below.

    * Two new settings ConditionCredential= and AssertCredential= can be
      used to skip or fail units if a certain system credential is not
      provided.

    * ConditionMemory= accepts size suffixes (K, M, G, T, …).

    * DefaultSmackProcessLabel= can be used in system.conf and user.conf to
      specify the SMACK security label to use when not specified in a unit
      file.

    * DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
      specify the default timeout when waiting for device units to
      activate.

    * C.UTF-8 is used as the default locale if nothing else has been
      configured.

    * [Condition|Assert]Firmware= have been extended to support certain
      SMBIOS fields. For example

        ConditionFirmware=smbios-field(board_name = "Custom Board")

      conditionalizes the unit to run only when
      /sys/class/dmi/id/board_name contains "Custom Board" (without the
      quotes).

    * ConditionFirstBoot= now correctly evaluates as true only during the
      boot phase of the first boot. A unit executed later, after booting
      has completed, will no longer evaluate this condition as true.

    * Socket units will now create sockets in the SELinuxContext= of the
      associated service unit, if any.

    * Boot phase transitions (start initrd → exit initrd → boot complete →
      shutdown) will be measured into TPM2 PCR 11, so that secrets can be
      bound to a specific runtime phase. E.g.: a LUKS encryption key can be
      unsealed only in the initrd.

    * Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
      also be provided to ExecStartPre= processes.

    * Various units are now correctly ordered against
      initrd-switch-root.target where previously a conflict without
      ordering was configured. A stop job for those units would be queued,
      but without the ordering it could be executed only after
      initrd-switch-root.service, leading to units not being restarted in
      the host system as expected.

    * In order to fully support the IPMI watchdog driver, which has not yet
      been ported to the new common watchdog device interface,
      /dev/watchdog0 will be tried first and systemd will silently fall back
      to /dev/watchdog if it is not found.

    * New watchdog-related D-Bus properties are now published by systemd:
      WatchdogDevice, WatchdogLastPingTimestamp,
      WatchdogLastPingTimestampMonotonic.

    * At shutdown, API virtual file systems (proc, sys, etc.) will be
      unmounted lazily.

    * At shutdown, systemd will now log about processes blocking unmounting
      of file systems.

    * A new meson build option 'clock-valid-range-usec-max' was added to
      allow disabling system time correction if RTC returns a timestamp far
      in the future.

    * Propagated restart jobs will no longer be discarded while a unit is
      activating.

    * PID 1 will now import system credentials from SMBIOS Type 11 fields
      ("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
      simple, fast and generic path for supplying credentials to a VM,
      without involving external tools such as cloud-init/ignition.

    * The CPUWeight= setting of unit files now accepts a new special value
      "idle", which configures "idle" level scheduling for the unit.

    * Service processes that are activated due to a .timer or .path unit
      triggering will now receive information about this via environment
      variables. Note that this information is lossy, as activation
      might be coalesced and only one of the activating triggers will be
      reported. This is hence more suited for debugging or tracing rather
      than for behaviour decisions.

    * The riscv_flush_icache(2) system call has been added to the list of
      system calls allowed by default when SystemCallFilter= is used.

    * The selinux context derived from the target executable, instead of
      'init_t' used for the manager itself, is now used when creating
      listening sockets for units that specify SELinuxContextFromNet=yes.

Changes in sd-boot, bootctl, and the Boot Loader Specification:

    * The Boot Loader Specification has been cleaned up and clarified.
      Various corner cases in version string comparisons have been fixed
      (e.g. comparisons for empty strings). Boot counting is now part of
      the main specification.

    * New PCR measurements are performed during boot: PCR 11 for the
      kernel+initrd combo, PCR 13 for any sysext images. If a measurement
      took place this is now reported to userspace via the new
      StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.

    * As before, systemd-stub will measure kernel parameters and system
      credentials into PCR 12. It will now report this fact via the
      StubPcrKernelParameters EFI variable to userspace.

    * The UEFI monotonic boot counter is now included in the updated random
      seed file maintained by sd-boot, providing some additional entropy.

    * sd-stub will use LoadImage/StartImage to execute the kernel, instead
      of arranging the image manually and jumping to the kernel entry
      point. sd-stub also installs a temporary UEFI SecurityOverride to
      allow the (unsigned) nested image to be booted. This is safe because
      the outer (signed) stub+kernel binary must have been verified before
      the stub was executed.

    * Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
      is now supported by sd-boot.

    * bootctl gained a bunch of new options: --all-architectures to install
      binaries for all supported EFI architectures, --root= and --image=
      options to operate on a directory or disk image, and
      --install-source= to specify the source for binaries to install,
      --efi-boot-option-description= to control the name of the boot entry.

    * The sd-boot stub exports a StubFeatures flag, which is used by
      bootctl to show features supported by the stub that was used to boot.

    * sd-boot will now try to detect and warn about overlapping PE sections
      in the UKI.

    * sd-stub now accepts (and passes to the initrd and then to the full
      OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
      signatures of expected PCR values, to allow sealing secrets via the
      TPM2 against pre-calculated PCR measurements.

Changes in the hardware database:

    * 'systemd-hwdb query' now supports the --root= option.

Changes in systemctl:

    * systemctl now supports --state= and --type= options for the 'show'
      and 'status' verbs.

    * systemctl gained a new verb 'list-automounts' to list automount
      points.

    * systemctl gained support for a new --image= switch to be able to
      operate on the specified disk image (similar to the existing --root=
      which operates relative to some directory).

Changes in systemd-networkd:

    * networkd can set Linux NetLabel labels for integration with the
      network control in security modules via a new NetLabel= option.

    * The RapidCommit= setting is (re-)introduced to enable faster
      configuration via DHCPv6 (RFC 3315).

    * networkd gained a new option TCPCongestionControlAlgorithm= that
      allows setting a per-route TCP algorithm.

    * networkd gained a new option KeepFileDescriptor= to allow keeping a
      reference (file descriptor) open on TUN/TAP interfaces, which is
      useful to avoid link flaps while the underlying service providing the
      interface is being serviced.

Changes in systemd-nspawn:

    * The --bind= and --overlay= options now support relative paths.

    * The --bind= option now supports a 'rootidmap' value, which will
      use id-mapped mounts to map the root user inside the container to the
      owner of the mounted directory on the host.

Changes in systemd-resolved:

    * systemd-resolved now persists DNSOverTLS in its state file too. This
      fixes a problem when used in combination with NetworkManager, which
      sends the setting only once, causing it to be lost if resolved was
      restarted at any point.

    * systemd-resolved now exposes a varlink socket at
      /run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for
      root. Processed DNS requests in a JSON format will be published to
      any clients connected to this socket.

      resolvectl gained a 'monitor' verb to make use of this.

    * systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
      instead of returning SERVFAIL, as per RFC:
      https://datatracker.ietf.org/doc/html/rfc6840#section-5.2

    * OpenSSL is the default crypto backend for systemd-resolved. (gnutls
      is still supported.)

Changes in libsystemd and other libraries:

    * libsystemd now exports sd_bus_error_setfv() (a convenience function
      for setting bus errors), sd_id128_string_equal() (a convenience
      function for 128bit ID string comparisons), and
      sd_bus_message_read_strv_extend() (a function to incrementally read
      string arrays).

    * libsystemd now exports sd_device_get_child_first()/_next() as a
      high-level interface for enumerating child devices. It also supports
      sd_device_new_child() for opening a child device given a device
      object.

    * libsystemd now exports sd_device_monitor_set()/get_description()
      which allow setting a custom description that will be used in log
      messages by sd_device_monitor*.

    * Private shared libraries (libsystemd-shared-nnn.so,
      libsystemd-core-nnn.so) are now installed into arch-specific
      directories to allow multi-arch installs.

    * A new sd-gpt.h header is now published, listing GUIDs from the
      Discoverable Partitions specification. For more details see:
      https://systemd.io/DISCOVERABLE_PARTITIONS/

    * A new function sd_hwdb_new_from_path() has been added to open a hwdb
      database given an explicit path to the file.

    * The signal number argument to sd_event_add_signal() can now be
      ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
      be automatically invoked to block the specified signal. This is
      useful to simplify invocations as the caller doesn't have to do this
      manually.

    * A new convenience call sd_event_set_signal_exit() has been added to
      sd-event to set up signal handling so that the event loop
      automatically terminates cleanly on SIGTERM/SIGINT.

Changes in other components:

    * systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
      can now be provided via the credential mechanism.

    * systemd-analyze gained a new verb 'compare-versions' that implements
      comparisons for version strings (similarly to 'rpmdev-vercmp' and
      'dpkg --compare-versions').

    * 'systemd-analyze dump' is extended to accept glob patterns for unit
      names to limit the output to matching units.

    * tmpfiles.d/ lines can read file contents to write from a credential.
      The new modifier char '^' is used to specify that the argument is a
      credential name. This mechanism is used to automatically populate
      /etc/motd, /etc/issue, and /etc/hosts from credentials.

    * tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
      an inode if the specification is prefixed with ':' and the inode
      already exists.

    * Default tmpfiles.d/ configuration now carries a line to automatically
      use an 'ssh.authorized_keys.root' credential if provided to set up
      the SSH authorized_keys file for the root user.

    * systemd-tmpfiles will now gracefully handle absent source of "C" copy
      lines.

    * tmpfiles.d/ F/w lines now optionally permit encoding of the payload
      in base64. This is useful to write arbitrary binary data into files.

    * The pkgconfig and rpm macros files now export the directory for user
      units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.

    * Detection of Apple Virtualization and detection of Parallels and
      KubeVirt virtualization on non-x86 archs have been added.

    * os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
      user when their system will become unsupported.

    * When performing suspend-then-hibernate, the system will estimate the
      discharge rate and use that to set the delay until hibernation and
      hibernate immediately instead of suspending when running from a
      battery and the capacity is below 5%.

    * systemd-sysctl gained a --strict option to fail when a sysctl
      setting is unknown to the kernel.

    * machinectl supports --force for the 'copy-to' and 'copy-from'
      verbs.

    * coredumpctl gained the --root and --image options to look for journal
      files under the specified root directory, image, or block device.

    * 'journalctl -o' and similar commands now implement a new output mode
      "short-delta". It is similar to "short-monotonic", but also shows the
      time delta between subsequent messages.

    * journalctl now respects the --quiet flag when verifying consistency
      of journal files.

    * Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
      will indicate whether a message was logged in the 'initrd' phase or
      in the 'system' phase of the boot process.

    * Journal files gained a new compatibility flag
      'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
      to the storage format that allow reducing size on disk. As with other
      compatibility flags, older journalctl versions will not be able to
      read journal files using this new format. The environment variable
      'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
      disable this functionality. It is enabled by default.

    * systemd-run's --working-directory= switch now works when used in
      combination with --scope.

    * portablectl gained a --force flag to skip certain sanity checks. This
      is implemented using new flags accepted by systemd-portabled for the
      *WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH
      flag now means that the attach/detach checks whether the units are
      already present and running will be skipped. Similarly,
      SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether
      image name matches the name declared inside of the image will be
      skipped. Callers must be sure to do those checks themselves if
      appropriate.

    * systemd-portabled will now use the original filename to check
      extension-release.NAME for correctness, in case it is passed a
      symlink.

    * systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
      too.

    * sysext's extension-release files now support '_any' as a special
      value for the ID= field, to allow distribution-independent extensions
      (e.g.: fully statically compiled binaries, scripts). It also gained
      support for a new ARCHITECTURE= field that may be used to explicitly
      restrict an image to hosts of a specific architecture.

    * systemd-repart now supports creating squashfs partitions. This
      requires mksquashfs from squashfs-tools.

    * systemd-repart gained a --split flag to also generate split
      artifacts, i.e. a separate file for each partition. This is useful in
      conjunction with systemd-sysupdate or other tools, or to generate
      split dm-verity artifacts.

    * systemd-repart is now able to generate dm-verity partitions, including
      signatures.

    * systemd-repart can now set a partition UUID to zero, allowing it to
      be filled in later, such as when using verity partitions.

    * systemd-repart now supports drop-ins for its configuration files.

    * Package metadata logged by systemd-coredump in the system journal is
      now more compact.

    * xdg-autostart-service now expands 'tilde' characters in Exec lines.

    * systemd-oomd now automatically links against libatomic, if available.

    * systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
      killed.

    * scope units now also provide oom-kill status.

    * systemd-pstore will now try to load only the efi_pstore kernel module
      before running, ensuring that pstore can be used.

    * systemd-logind gained a new StopIdleSessionSec= option to stop an idle
      session after a preconfigured timeout.

    * systemd-homed will now wait up to 30 seconds for workers to terminate,
      rather than indefinitely.

    * homectl gained a new '--luks-sector-size=' flag that allows users to
      select the preferred LUKS sector size. Must be a power of 2 between 512
      and 4096. systemd-userdbd records gained a corresponding field.

    * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
      variable when generating the 'sp_lstchg' field, to ensure an image
      build can be reproducible.

    * 'udevadm wait' will now listen to kernel uevents too when called with
      --initialized=no.

    * When naming network devices udev will now consult the Devicetree
      "alias" fields for the device.

    * systemd-udev will now create infiniband/by-path and
      infiniband/by-ibdev links for Infiniband verbs devices.

    * ConditionACPower= and systemd-ac-power will now assume the system is
      running on AC power if no battery can be found.

    * All features and tools using the TPM2 will now communicate with it
      using a bind key. Beforehand, the tpm2 support used encrypted sessions
      by creating a primary key that was used to encrypt traffic. This
      creates a problem as the key created for encrypting the traffic could
      be faked by an active interposer on the bus. In cases when a pin is
      used, a bind key will be used. The pin is used as the auth value for
      the seal key, aka the disk encryption key, and that auth value will be
      used in the session establishment. An attacker would need the pin
      value to create the secure session and thus an active interposer
      without the pin cannot interpose on TPM2 traffic.

    * systemd-growfs no longer requires udev to run.

    * systemd-backlight will now better support systems with multiple
      graphics cards.

    * systemd-cryptsetup's keyfile-timeout= option now also works when a
      device is used as a keyfile.

    * systemd-cryptenroll gained a new --unlock-key-file= option to get the
      unlocking key from a key file (instead of prompting the user). Note
      that this is the key for unlocking the volume in order to be able to
      enroll a new key, but it is not the key that is enrolled.

    * systemd-dissect gained a new --umount switch that will safely and
      synchronously unmount all partitions of an image previously mounted
      with 'systemd-dissect --mount'.

    * When using gcrypt, all systemd tools and services will now configure
      it to prefer the OS random number generator if present.

Experimental features:

    * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
      and bpftool >= 7.0).

    * sd-boot can automatically enroll SecureBoot keys from files found on
      the ESP. This enrollment can be either automatic ('force' mode) or
      controlled by the user ('manual' mode). It is sufficient to place the
      SecureBoot keys in the right place in the ESP and they will be picked
      up by sd-boot and shown in the boot menu.

    * The mkosi config in systemd gained support for automatically
      compiling a kernel with the configuration appropriate for testing
      systemd. This may be useful when developing or testing systemd in
      tandem with the kernel.

    Contributions from: 김인수, Adam Williamson, adrian5, Aidan Dang,
    Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev,
    Alexander Graf, Alexander Shopov, Alexander Wilson,
    Alper Nebi Yasak, anarcat, Andre Kalb, Andrew Stone,
    Andrey Albershteyn, Anita Zhang, Ansgar Burchardt,
    Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh, asavah,
    Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera,
    Benjamin Franzke, BerndAdameit, bin456789, Celeste Liu,
    Chih-Hsuan Yen, Christian Brauner, Christian Göttsche,
    Christian Hesse, Clyde Byrd III, codefiles, Colin Walters,
    Cristian Rodríguez, Daan De Meyer, Daniel Braunwarth,
    Daniel Rusek, Dan Streetman, Darsey Litzenberger, David Edmundson,
    David Jaša, David Rheinsberg, David Seifert, David Tardon,
    dependabot[bot], Devendra Tewari, Dominique Martinet, drosdeck,
    Edson Juliano Drosdeck, Eduard Tolosa, eggfly, Einsler Lee,
    Elias Probst, Eli Schwartz, Evgeny Vereshchagin, exploide, Fei Li,
    Foster Snowhill, Franck Bui, Frank Dana, Frantisek Sumsal,
    Gerd Hoffmann, Gio, Goffredo Baroncelli, gtwang01,
    Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt,
    Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz,
    Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt,
    Jan Janssen, Jan Kuparinen, Jan Luebbe, Jan Macku,
    Jason A. Donenfeld, Javkhlanbayar Khongorzul, Jeremy Soller,
    JeroenHD, jiangchuangang, João Loureiro,
    Joaquín Ignacio Aramendía, Johannes Schauer Marin Rodrigues,
    Jonas Kümmerlin, Jonas Witschel, Jonathan Kang, Jonathan Lebon,
    Joost Heitbrink, Jörg Thalheim, josh-gordon-fb, Joyce, Kai Lueke,
    lastkrick, Lennart Poettering, Leon M. George, licunlong, Li kunyu,
    LockBlock-dev, Loïc Collignon, Lubomir Rintel, Luca Boccassi,
    Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123,
    Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro,
    Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl,
    Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert,
    Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oğuz Ersen,
    Oleg Solovyov, Pablo Ceballos, Pavel Zhukov, Phaedrus Leeds,
    Philipp Gortan, Piotr Drąg, Pyfisch, Quentin Deslandes,
    Rahil Bhimjiani, Rene Hollander, Richard Huang, Richard Phibel,
    Rudi Heitbaum, Sam James, Sarah Brofeldt, Sean Anderson,
    Sebastian Scheibner, Shreenidhi Shedi, Sonali Srivastava,
    Steve Ramage, Suraj Krishnan, Swapnil Devesh, Ted X. Toth,
    Thomas Blume, Thomas Haller, Thomas Hebb, Tomáš Hnyk,
    Tomasz Paweł Gajc, Topi Miettinen, Ulrich Ölmann, undef,
    Uriel Corfa, Victor Westerhuis, Vincent Dagonneau,
    Vishal Chillara Srinivas, Vito Caputo, Weblate, Wenchao Hao,
    William Roberts, williamsumendap, wineway, Yuri Chornoivan,
    Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб

    – Under the Sea, 2022-10-07

systemd - systemd v252-rc2

Published by bluca almost 2 years ago

CHANGES WITH 252 in spe:

Announcements of Future Feature Removals:

    * We intend to remove cgroup v1 support from systemd release after the
      end of 2023. If you run services that make explicit use of cgroup v1
      features (i.e. the "legacy hierarchy" with separate hierarchies for
      each controller), please implement compatibility with cgroup v2 (i.e.
      the "unified hierarchy") sooner rather than later. Most of Linux
      userspace has been ported over already.

    * We intend to remove support for split-usr (/usr mounted separately
      during boot) and unmerged-usr (parallel directories /bin and
      /usr/bin, /lib and /usr/lib, etc). This will happen in the second
      half of 2023, in the first release that falls into that time window.
      For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

Compatibility Breaks:

    * ConditionKernelVersion= checks that use the '=' or '!=' operators
      will now do simple string comparisons (instead of version comparisons
      à la strverscmp()). Version comparisons are still done for the
      ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
      specified, a shell-style glob match is now done. This creates a minor
      incompatibility compared to older systemd versions when the '*', '?',
      '[', ']' characters are used, as these will now match as shell globs
      instead of literally. Given that kernel version strings typically do
      not include these characters we expect little breakage through this
      change.
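The operator semantics described above ('=' and '!=' as plain string comparisons, the ordering operators as version comparisons, and a bare pattern as a shell glob) as an added Python model, not systemd's own code; the version comparator is a simplified strverscmp()-style ordering (numeric segments compared as numbers) and does not cover every corner case systemd's comparator handles. The same comparator illustrates what 'systemd-analyze compare-versions' answers.

```python
import fnmatch
import re
from typing import Callable, Dict, List, Tuple

# Split a version string into digit runs (compared numerically) and
# non-digit runs (compared lexically), e.g. "5.19.0-arch1" ->
# [5, ".", 19, ".", 0, "-arch", 1]. The (0, ...) / (1, ...) tags keep
# digit runs and non-digit runs comparable to each other.
_TOKEN = re.compile(r"\d+|\D+")


def _version_tokens(v: str) -> List[Tuple[int, object]]:
    return [(0, int(t)) if t.isdigit() else (1, t) for t in _TOKEN.findall(v)]


def compare_versions(a: str, b: str) -> int:
    """Simplified strverscmp()-style ordering: returns -1, 0 or 1.

    This is an illustration, not systemd's comparator: systemd additionally
    treats '~' pre-release suffixes and similar specially.
    """
    ta, tb = _version_tokens(a), _version_tokens(b)
    return (ta > tb) - (ta < tb)


# Ordering operators map the comparator result to a boolean.
_ORDERING: Dict[str, Callable[[int], bool]] = {
    "<=": lambda c: c <= 0,
    ">=": lambda c: c >= 0,
    "<": lambda c: c < 0,
    ">": lambda c: c > 0,
}


def condition_kernel_version(expr: str, running: str) -> bool:
    """Evaluate one ConditionKernelVersion= expression against the running
    kernel's release string, following the 252 semantics."""
    expr = expr.strip()
    # '!=' and '=' are plain string comparisons (no version semantics).
    if expr.startswith("!="):
        return running != expr[2:].strip()
    # Ordering operators still use version comparison; check the two-char
    # operators first so ">=" is not mistaken for ">".
    for op in ("<=", ">=", "<", ">"):
        if expr.startswith(op):
            return _ORDERING[op](compare_versions(running, expr[len(op):].strip()))
    if expr.startswith("="):
        return running == expr[1:].strip()
    # No operator: shell-style glob, so '*', '?', '[' and ']' are special
    # and no longer match literally.
    return fnmatch.fnmatchcase(running, expr)


if __name__ == "__main__":
    running = "5.19.0-arch1"  # constructed sample release string
    for expr in ("=5.19.0-arch1", "=5.19", ">5.9", ">=5.15", "<6.0", "5.19.*"):
        print(f"ConditionKernelVersion={expr!r:16} -> {condition_kernel_version(expr, running)}")
```

Note that '=5.19' is false against '5.19.0-arch1' because '=' compares strings, while '>5.9' is true because the ordering operators compare numerically (19 > 9), which a string comparison would get wrong.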

    * The service manager will now read the SELinux label used for SELinux
      access checks from the unit file at the time it loads the file.
      Previously, the label would be read at the moment of the access
      check, which was problematic since at that time the unit file might
      already have been updated or removed.

New Features:

    * systemd-measure is a new tool for calculating and signing expected
      TPM2 PCR values for a given unified kernel image (UKI) booted via
      sd-stub. The public key used for the signature and the signed
      expected PCR information can be embedded inside the UKI. This
      information can be extracted from the UKI by external tools and code
      in the image itself and is made available to userspace in the booted
      kernel.

      systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been
      updated to make use of this information if available in the booted
      kernel: when locking an encrypted volume/credential to the TPM
      systemd-cryptenroll/systemd-creds will use the public key to bind the
      volume/credential to any kernel that carries PCR information signed
      by the same key pair. When unlocking such volumes/credentials
      systemd-cryptsetup/systemd-creds will use the signature embedded in
      the booted UKI to gain access.

      Binding TPM-based disk encryption to public keys/signatures of PCR
      values — instead of literal PCR values — addresses the inherent
      "brittleness" of traditional PCR-bound TPM disk encryption schemes:
      disks remain accessible even if the UKI is updated, without any TPM
      specific preparation during the OS update — as long as each UKI
      carries the necessary PCR signature information.

      Net effect: if you boot a properly prepared kernel, TPM-bound disk
      encryption now defaults to be locked to kernels which carry PCR
      signatures from the same key pair. Example: if a hypothetical distro
      FooOS prepares its UKIs like this, TPM-based disk encryption is now –
      by default – bound to only FooOS kernels, and encrypted volumes bound
      to the TPM cannot be unlocked on kernels from other sources. (But do
      note this behaviour requires preparation/enabling in the UKI, and of
      course users can always enroll non-TPM ways to unlock the volume.)

    * systemd-pcrphase is a new tool that is invoked at six places during
      system runtime, and measures additional words into TPM2 PCR 11, to
      mark milestones of the boot process. This allows binding access to
      specific TPM2-encrypted secrets to specific phases of the boot
      process. (Example: LUKS2 disk encryption key only accessible in the
      initrd, but not later.)
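A model of the phase measurement described here and in the "boot phase transitions" item in the 252 section above, added as example code that is not part of systemd: it predicts the PCR 11 value after each phase string is extended and shows why a secret sealed to the initrd phase is no longer reachable once "leave-initrd" has been measured. The six phase names are taken from systemd-pcrphase(8) and are an assumption of this example (the page only states that there are six measurement points); the extend rule PCR' = H(PCR || H(data)) models the SHA-256 bank.

```python
import hashlib
from typing import Dict, List, Optional

# Phase strings measured by systemd-pcrphase, in boot order (assumed, see
# systemd-pcrphase(8); the page itself only says there are six of them).
BOOT_PHASES: List[str] = [
    "enter-initrd", "leave-initrd", "sysinit", "ready", "shutdown", "final",
]
PCR_SIZE = 32  # SHA-256 bank


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """Model a TPM2 PCR extend on the SHA-256 bank: PCR' = H(PCR || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def predict_pcr11(stub_value: bytes, phases: List[str] = BOOT_PHASES) -> Dict[str, bytes]:
    """Return the expected PCR 11 value after each phase has been measured.

    stub_value is PCR 11 as left by sd-stub (which already measured the
    kernel+initrd combo); the phase strings are extended on top of it in
    order. These per-phase values are what a signed PCR policy (the kind
    carried in a .pcrsig section) is pre-calculated for.
    """
    expected: Dict[str, bytes] = {}
    pcr = stub_value
    for phase in phases:
        pcr = pcr_extend(pcr, phase.encode())
        expected[phase] = pcr
    return expected


class PhaseBoundSecret:
    """A secret 'sealed' to the PCR 11 value of one phase.

    Only the policy rule is modelled: a real TPM compares the PCR inside the
    chip and never releases the secret to software on a mismatch.
    """

    def __init__(self, secret: bytes, expected_pcr: bytes) -> None:
        self._secret = secret
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes) -> Optional[bytes]:
        return self._secret if current_pcr == self._expected else None


def simulate_boot(stub_value: bytes, secret: bytes, bind_to: str) -> Dict[str, bool]:
    """Walk the boot phases and try to unseal after each measurement.

    Returns {phase: True if the secret was unsealable in that phase}.
    """
    expected = predict_pcr11(stub_value)
    sealed = PhaseBoundSecret(secret, expected[bind_to])
    result: Dict[str, bool] = {}
    pcr = stub_value
    for phase in BOOT_PHASES:
        pcr = pcr_extend(pcr, phase.encode())
        result[phase] = sealed.unseal(pcr) is not None
    return result


if __name__ == "__main__":
    # Constructed stand-in for the PCR 11 value sd-stub leaves behind.
    stub = hashlib.sha256(b"constructed kernel+initrd measurement").digest()
    luks_key = b"constructed-luks-volume-key"
    # Bind the key to the initrd phase only, as in the LUKS example above.
    for phase, ok in simulate_boot(stub, luks_key, "enter-initrd").items():
        print(f"after {phase:13s}: unseal {'OK' if ok else 'denied'}")
```

Because each later phase extends PCR 11 again, the value seen in the initrd never recurs, so a key bound to "enter-initrd" stays unreachable for the rest of the boot and at shutdown.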

Changes in systemd itself, i.e. the manager and units:

    * The cpu controller is delegated to user manager units by default, and
      CPUWeight= settings are applied to the top-level user slice units
      (app.slice, background.slice, session.slice). This provides a degree
      of resource isolation between different user services competing for
      the CPU.

    * Systemd can optionally do a full preset in the "first boot" condition
      (instead of just enable-only). This behaviour is controlled by the
      compile-time option -Dfirst-boot-full-preset. Right now it defaults
      to 'false', but the plan is to switch it to 'true' for the subsequent
      release.

    * Drop-ins are now allowed for transient units too.

    * Systemd will set the taint flag 'support-ended' if it detects that
      the OS image is past its end-of-support date. This date is declared
      in a new /etc/os-release field SUPPORT_END= described below.

    * Two new settings ConditionCredential= and AssertCredential= can be
      used to skip or fail units if a certain system credential is not
      provided.

    * ConditionMemory= accepts size suffixes (K, M, G, T, …).

    * DefaultSmackProcessLabel= can be used in system.conf and user.conf to
      specify the SMACK security label to use when not specified in a unit
      file.

    * DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
      specify the default timeout when waiting for device units to
      activate.

    * C.UTF-8 is used as the default locale if nothing else has been
      configured.

    * [Condition|Assert]Firmware= have been extended to support certain
      SMBIOS fields. For example

        ConditionFirmware=smbios-field(board_name = "Custom Board")

      conditionalizes the unit to run only when
      /sys/class/dmi/id/board_name contains "Custom Board" (without the
      quotes).

    * ConditionFirstBoot= now correctly evaluates as true only during the
      boot phase of the first boot. A unit executed later, after booting
      has completed, will no longer evaluate this condition as true.

    * Socket units will now create sockets in the SELinuxContext= of the
      associated service unit, if any.

    * Boot phase transitions (start initrd → exit initrd → boot complete →
      shutdown) will be measured into TPM2 PCR 11, so that secrets can be
      bound to a specific runtime phase. E.g.: a LUKS encryption key can be
      unsealed only in the initrd.

    * Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
      also be provided to ExecStartPre= processes.

    * Various units are now correctly ordered against
      initrd-switch-root.target where previously a conflict without
      ordering was configured. A stop job for those units would be queued,
      but without the ordering it could be executed only after
      initrd-switch-root.service, leading to units not being restarted in
      the host system as expected.

    * In order to fully support the IPMI watchdog driver, which has not yet
      been ported to the new common watchdog device interface,
      /dev/watchdog0 will be tried first and systemd will silently fall back
      to /dev/watchdog if it is not found.

    * New watchdog-related D-Bus properties are now published by systemd:
      WatchdogDevice, WatchdogLastPingTimestamp,
      WatchdogLastPingTimestampMonotonic.

    * At shutdown, API virtual file systems (proc, sys, etc.) will be
      unmounted lazily.

    * At shutdown, systemd will now log about processes blocking unmounting
      of file systems.

    * A new meson build option 'clock-valid-range-usec-max' was added to
      allow disabling system time correction if RTC returns a timestamp far
      in the future.

    * Propagated restart jobs will no longer be discarded while a unit is
      activating.

    * PID 1 will now import system credentials from SMBIOS Type 11 fields
      ("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
      simple, fast and generic path for supplying credentials to a VM,
      without involving external tools such as cloud-init/ignition.

    * The CPUWeight= setting of unit files now accepts a new special value
      "idle", which configures "idle" level scheduling for the unit.

    * Service processes that are activated due to a .timer or .path unit
      triggering will now receive information about this via environment
      variables. Note that this information is lossy, as activation
      might be coalesced and only one of the activating triggers will be
      reported. This is hence more suited for debugging or tracing rather
      than for behaviour decisions.

    * The riscv_flush_icache(2) system call has been added to the list of
      system calls allowed by default when SystemCallFilter= is used.

    * The selinux context derived from the target executable, instead of
      'init_t' used for the manager itself, is now used when creating
      listening sockets for units that specify SELinuxContextFromNet=yes.

Changes in sd-boot, bootctl, and the Boot Loader Specification:

    * The Boot Loader Specification has been cleaned up and clarified.
      Various corner cases in version string comparisons have been fixed
      (e.g. comparisons for empty strings). Boot counting is now part of
      the main specification.

    * New PCR measurements are performed during boot: PCR 11 for the
      kernel+initrd combo, PCR 13 for any sysext images. If a measurement
      took place this is now reported to userspace via the new
      StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.

    * As before, systemd-stub will measure kernel parameters and system
      credentials into PCR 12. It will now report this fact via the
      StubPcrKernelParameters EFI variable to userspace.

    * The UEFI monotonic boot counter is now included in the updated random
      seed file maintained by sd-boot, providing some additional entropy.

    * sd-stub will use LoadImage/StartImage to execute the kernel, instead
      of arranging the image manually and jumping to the kernel entry
      point. sd-stub also installs a temporary UEFI SecurityOverride to
      allow the (unsigned) nested image to be booted. This is safe because
      the outer (signed) stub+kernel binary must have been verified before
      the stub was executed.

    * Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
      is now supported by sd-boot.

    * bootctl gained a bunch of new options: --all-architectures to install
      binaries for all supported EFI architectures, --root= and --image=
      options to operate on a directory or disk image, and
      --install-source= to specify the source for binaries to install,
      --efi-boot-option-description= to control the name of the boot entry.

    * The sd-boot stub exports a StubFeatures flag, which is used by
      bootctl to show features supported by the stub that was used to boot.

    * sd-boot will now try to detect and warn about overlapping PE sections
      in the UKI.

    * sd-stub now accepts (and passes to the initrd and then to the full
      OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
      signatures of expected PCR values, to allow sealing secrets via the
      TPM2 against pre-calculated PCR measurements.

Changes in the hardware database:

    * 'systemd-hwdb query' now supports the --root= option.

Changes in systemctl:

    * systemctl now supports --state= and --type= options for the 'show'
      and 'status' verbs.

    * systemctl gained a new verb 'list-automounts' to list automount
      points.

    * systemctl gained support for a new --image= switch to be able to
      operate on the specified disk image (similar to the existing --root=
      which operates relative to some directory).

Changes in systemd-networkd:

    * networkd can set Linux NetLabel labels for integration with the
      network control in security modules via a new NetLabel= option.

    * The RapidCommit= setting is (re-)introduced to enable faster
      configuration via DHCPv6 (RFC 3315).

    * networkd gained a new option TCPCongestionControlAlgorithm= that
      allows setting a per-route TCP algorithm.

    * networkd gained a new option KeepFileDescriptor= to allow keeping a
      reference (file descriptor) open on TUN/TAP interfaces, which is
      useful to avoid link flaps while the underlying service providing the
      interface is being serviced.

Changes in systemd-nspawn:

    * The --bind= and --overlay= options now support relative paths.

    * The --bind= option now supports a 'rootidmap' value, which will
      use id-mapped mounts to map the root user inside the container to the
      owner of the mounted directory on the host.

Changes in systemd-resolved:

    * systemd-resolved now persists DNSOverTLS in its state file too. This
      fixes a problem when used in combination with NetworkManager, which
      sends the setting only once, causing it to be lost if resolved was
      restarted at any point.

    * systemd-resolved now exposes a varlink socket at
      /run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only to
      root. Processed DNS requests in a JSON format will be published to
      any clients connected to this socket.

      resolvectl gained a 'monitor' verb to make use of this.

    * systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
      instead of returning SERVFAIL, as per RFC:
      https://datatracker.ietf.org/doc/html/rfc6840#section-5.2

    * OpenSSL is the default crypto backend for systemd-resolved. (gnutls
      is still supported.)

Changes in libsystemd and other libraries:

    * libsystemd now exports sd_bus_error_setfv() (a convenience function
      for setting bus errors), sd_id128_string_equal() (a convenience
      function for 128bit ID string comparisons), and
      sd_bus_message_read_strv_extend() (a function to incrementally read
      string arrays).

    * libsystemd now exports sd_device_get_child_first()/_next() as a
      high-level interface for enumerating child devices. It also supports
      sd_device_new_child() for opening a child device given a device
      object.

    * libsystemd now exports sd_device_monitor_set()/get_description()
      which allow setting a custom description that will be used in log
      messages by sd_device_monitor*.

    * Private shared libraries (libsystemd-shared-nnn.so,
      libsystemd-core-nnn.so) are now installed into arch-specific
      directories to allow multi-arch installs.

    * A new sd-gpt.h header is now published, listing GUIDs from the
      Discoverable Partitions specification. For more details see:
      https://systemd.io/DISCOVERABLE_PARTITIONS/

    * A new function sd_hwdb_new_from_path() has been added to open a hwdb
      database given an explicit path to the file.

    * The signal number argument to sd_event_add_signal() can now be
      ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
      be automatically invoked to block the specified signal. This is
      useful to simplify invocations as the caller doesn't have to do this
      manually.

    * A new convenience call sd_event_set_signal_exit() has been added to
      sd-event to set up signal handling so that the event loop
      automatically terminates cleanly on SIGTERM/SIGINT.

Changes in other components:

    * systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
      can now be provided via the credential mechanism.

    * systemd-analyze gained a new verb 'compare-versions' that implements
      comparisons for versions strings (similarly to 'rpmdev-vercmp' and
      'dpkg --compare-versions').

    * 'systemd-analyze dump' is extended to accept glob patterns for unit
      names to limit the output to matching units.

    * tmpfiles.d/ lines can read file contents to write from a credential.
      The new modifier char '^' is used to specify that the argument is a
      credential name. This mechanism is used to automatically populate
      /etc/motd, /etc/issue, and /etc/hosts from credentials.

    * tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
      an inode if the specification is prefixed with ':' and the inode
      already exists.

    * Default tmpfiles.d/ configuration now carries a line to automatically
      use an 'ssh.authorized_keys.root' credential if provided to set up
      the SSH authorized_keys file for the root user.

    * systemd-tmpfiles will now gracefully handle an absent source for "C"
      copy lines.

    * tmpfiles.d/ F/w lines now optionally permit encoding of the payload
      in base64. This is useful to write arbitrary binary data into files.

    * The pkgconfig and rpm macros files now export the directory for user
      units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.

    * Detection of Apple Virtualization and detection of Parallels and
      KubeVirt virtualization on non-x86 archs have been added.

    * os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
      user when their system will become unsupported.

    * When performing suspend-then-hibernate, the system now estimates the
      battery discharge rate and uses it to set the delay until hibernation;
      when running on battery with less than 5% capacity left, it hibernates
      immediately instead of suspending.

    * systemd-sysctl gained a --strict option to fail when a sysctl
      setting is unknown to the kernel.

    * machinectl supports --force for the 'copy-to' and 'copy-from'
      verbs.

    * coredumpctl gained the --root and --image options to look for journal
      files under the specified root directory, image, or block device.

    * 'journalctl -o' and similar commands now implement a new output mode
      "short-delta". It is similar to "short-monotonic", but also shows the
      time delta between subsequent messages.

    * journalctl now respects the --quiet flag when verifying consistency
      of journal files.

    * Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
      will indicate whether a message was logged in the 'initrd' phase or
      in the 'system' phase of the boot process.

    * Journal files gained a new compatibility flag
      'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
      to the storage format that allow reducing size on disk. As with other
      compatibility flags, older journalctl versions will not be able to
      read journal files using this new format. The environment variable
      'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
      disable this functionality. It is enabled by default.

    * systemd-run's --working-directory= switch now works when used in
      combination with --scope.

    * portablectl gained a --force flag to skip certain sanity checks. This
      is implemented using new flags accepted by systemd-portabled for the
      *WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH
      flag now means that the attach/detach checks whether the units are
      already present and running will be skipped. Similarly,
      SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether
      image name matches the name declared inside of the image will be
      skipped. Callers must be sure to do those checks themselves if
      appropriate.

    * systemd-portabled will now use the original filename to check
      extension-release.NAME for correctness, in case it is passed a
      symlink.

    * systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
      too.

    * sysext's extension-release files now support '_any' as a special
      value for the ID= field, to allow distribution-independent extensions
      (e.g.: fully statically compiled binaries, scripts). It also gained
      support for a new ARCHITECTURE= field that may be used to explicitly
      restrict an image to hosts of a specific architecture.

    * systemd-repart now supports creating squashfs partitions. This
      requires mksquashfs from squashfs-tools.

    * systemd-repart gained a --split flag to also generate split
      artifacts, i.e. a separate file for each partition. This is useful in
      conjunction with systemd-sysupdate or other tools, or to generate
      split dm-verity artifacts.

    * systemd-repart is now able to generate dm-verity partitions, including
      signatures.

    * systemd-repart can now set a partition UUID to zero, allowing it to
      be filled in later, such as when using verity partitions.

    * systemd-repart now supports drop-ins for its configuration files.

    * Package metadata logged by systemd-coredump in the system journal is
      now more compact.

    * xdg-autostart-service now expands 'tilde' characters in Exec lines.

    * systemd-oomd now automatically links against libatomic, if available.

    * systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
      killed.

    * scope units now also provide oom-kill status.

    * systemd-pstore will now try to load only the efi_pstore kernel module
      before running, ensuring that pstore can be used.

    * systemd-logind gained a new StopIdleSessionSec= option to stop an idle
      session after a preconfigured timeout.

    * systemd-homed will now wait up to 30 seconds for workers to terminate,
      rather than indefinitely.

    * homectl gained a new '--luks-sector-size=' flag that allows users to
      select the preferred LUKS sector size. Must be a power of 2 between 512
      and 4096. systemd-userdbd records gained a corresponding field.

    * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
      variable when generating the 'sp_lstchg' field, to ensure an image
      build can be reproducible.

    * 'udevadm wait' will now listen to kernel uevents too when called with
      --initialized=no.

    * When naming network devices udev will now consult the Devicetree
      "alias" fields for the device.

    * systemd-udev will now create infiniband/by-path and
      infiniband/by-ibdev links for Infiniband verbs devices.

    * ConditionACPower= and systemd-ac-power will now assume the system is
      running on AC power if no battery can be found.

    * All features and tools using the TPM2 now communicate with it through
      a bound session. Previously, the TPM2 support encrypted its sessions
      using a primary key created for that purpose; an active interposer on
      the bus could substitute a key of its own at that step and thus read
      the traffic. Now, when a PIN is used, the PIN serves as the auth value
      of the sealing key (i.e. the object protecting the disk encryption
      key), that key is used as the bind entity, and its auth value feeds
      into the session establishment. An attacker would need the PIN to
      establish the session, so an active interposer without the PIN cannot
      interpose on TPM2 traffic. Note that this protection only applies
      when a PIN is enrolled.
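
      As an added illustration (not code from the systemd project), the
      Python model below shows why binding the session to the PIN-protected
      key defeats an active interposer. It implements KDFa() and the
      sessionKey derivation from the TPM 2.0 Library specification (Part 1)
      together with the specification's XOR parameter-encryption mode; the
      threat model assumes the interposer has already substituted its own
      primary key and therefore knows the session salt. Hashing the PIN into
      the auth value, the nonce sizes and the sample secret are assumptions
      of the model, not details taken from systemd.

```python
import hashlib
import hmac
import os
import struct


def kdfa(key: bytes, label: bytes, context_u: bytes, context_v: bytes, bits: int = 256) -> bytes:
    """KDFa() from TPM 2.0 Library Part 1: SP800-108 counter-mode KDF over
    HMAC-SHA256. The label is followed by a NUL byte inside the HMAC input."""
    out, i = b"", 1
    while len(out) * 8 < bits:
        block = struct.pack(">I", i) + label + b"\0" + context_u + context_v + struct.pack(">I", bits)
        out += hmac.new(key, block, hashlib.sha256).digest()
        i += 1
    return out[: bits // 8]


def session_key(bind_auth: bytes, salt: bytes, nonce_tpm: bytes, nonce_caller: bytes) -> bytes:
    """sessionKey = KDFa(authValue_bind || salt, "ATH", nonceTPM, nonceCaller).
    An unbound session contributes an empty authValue, an unsalted one an empty salt."""
    return kdfa(bind_auth + salt, b"ATH", nonce_tpm, nonce_caller)


def xor_obfuscate(skey: bytes, nonce_newer: bytes, nonce_older: bytes, data: bytes) -> bytes:
    """Parameter encryption in the spec's XOR mode:
    mask = KDFa(sessionKey, "XOR", nonceNewer, nonceOlder, len(data) bits)."""
    mask = kdfa(skey, b"XOR", nonce_newer, nonce_older, len(data) * 8)
    return bytes(a ^ b for a, b in zip(data, mask))


def interposer_experiment(pin):
    """Model one session between a host tool and the TPM with an active interposer
    that swapped in its own primary key and so knows the salt. pin=None models the
    old unbound session. Returns (legit_endpoint_decrypts, interposer_decrypts)."""
    salt = os.urandom(32)                     # known to the attacker in this threat model
    nonce_tpm, nonce_caller = os.urandom(32), os.urandom(32)
    # Assumption of the model: the PIN is hashed into the sealing key's authValue.
    bind_auth = hashlib.sha256(pin).digest() if pin else b""

    k_host = session_key(bind_auth, salt, nonce_tpm, nonce_caller)   # host knows the PIN
    k_tpm = session_key(bind_auth, salt, nonce_tpm, nonce_caller)    # TPM knows the authValue
    k_attacker = session_key(b"", salt, nonce_tpm, nonce_caller)     # attacker: salt only

    secret = b"constructed-luks-volume-key"    # constructed sample payload
    wire = xor_obfuscate(k_host, nonce_caller, nonce_tpm, secret)
    legit = xor_obfuscate(k_tpm, nonce_caller, nonce_tpm, wire) == secret
    attacker = xor_obfuscate(k_attacker, nonce_caller, nonce_tpm, wire) == secret
    return legit, attacker


if __name__ == "__main__":
    print("unbound session, attacker reads traffic:", interposer_experiment(None))
    print("bound to PIN-protected key:            ", interposer_experiment(b"1234"))
```

      The model also makes the remaining caveat visible: once the salt is
      known to the interposer, the session key depends on the PIN alone, so
      a captured session can be attacked offline by guessing PINs. The
      TPM's dictionary-attack lockout does not apply to that guessing; only
      the PIN's entropy does.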

    * systemd-growfs no longer requires udev to run.

    * systemd-backlight now will better support systems with multiple
      graphic cards.

    * systemd-cryptsetup's keyfile-timeout= option now also works when a
      device is used as a keyfile.

    * systemd-cryptenroll gained a new --unlock-key-file= option to get the
      unlocking key from a key file (instead of prompting the user). Note
      that this is the key for unlocking the volume in order to be able to
      enroll a new key, but it is not the key that is enrolled.

    * systemd-dissect gained a new --umount switch that will safely and
      synchronously unmount all partitions of an image previously mounted
      with 'systemd-dissect --mount'.

    * When using gcrypt, all systemd tools and services will now configure
      it to prefer the OS random number generator if present.

Experimental features:

    * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
      and bpftool >= 7.0).

    * sd-boot can automatically enroll SecureBoot keys from files found on
      the ESP. This enrollment can be either automatic ('force' mode) or
      controlled by the user ('manual' mode). It is sufficient to place the
      SecureBoot keys in the right place in the ESP and they will be picked
      up by sd-boot and shown in the boot menu.

    * The mkosi config in systemd gained support for automatically
      compiling a kernel with the configuration appropriate for testing
      systemd. This may be useful when developing or testing systemd in
      tandem with the kernel.

    Contributions from: 김인수, Adam Williamson, adrian5, Aidan Dang,
    Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev,
    Alexander Graf, Alexander Shopov, Alexander Wilson, Alper Nebi Yasak,
    anarcat, Andre Kalb, Andrew Stone, Andrey Albershteyn, Anita Zhang,
    Ansgar Burchardt, Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh,
    asavah, Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera,
    Benjamin Franzke, BerndAdameit, bin456789, Celeste Liu, Chih-Hsuan Yen,
    Christian Brauner, Christian Göttsche, Christian Hesse, Clyde Byrd III,
    codefiles, Colin Walters, Cristian Rodríguez, Daan De Meyer,
    Daniel Braunwarth, Dan Streetman, Darsey Litzenberger, David Edmundson,
    David Jaša, David Rheinsberg, David Seifert, David Tardon,
    dependabot[bot], Devendra Tewari, Dominique Martinet, drosdeck,
    Edson Juliano Drosdeck, Eduard Tolosa, eggfly, Einsler Lee,
    Elias Probst, Eli Schwartz, Evgeny Vereshchagin, exploide, Fei Li,
    Foster Snowhill, Franck Bui, Frank Dana, Frantisek Sumsal,
    Gerd Hoffmann, Gio, Goffredo Baroncelli, gtwang01, Guillaume W. Bres,
    H A, Hans de Goede, Heinrich Schuchardt, Hugo Carvalho, i-do-cpp,
    igo95862, j00512545, Jacek Migacz, Jade Bilkey, James Hilliard, Jan B,
    Janis Goldschmidt, Jan Janssen, Jan Luebbe, Jan Macku,
    Jason A. Donenfeld, Javkhlanbayar Khongorzul, Jeremy Soller, JeroenHD,
    jiangchuangang, João Loureiro, Joaquín Ignacio Aramendía,
    Johannes Schauer Marin Rodrigues, Jonas Kümmerlin, Jonas Witschel,
    Jonathan Lebon, Joost Heitbrink, Jörg Thalheim, josh-gordon-fb,
    Kai Lueke, lastkrick, Lennart Poettering, licunlong, Li kunyu,
    LockBlock-dev, Loïc Collignon, Lubomir Rintel, Luca Boccassi,
    Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123,
    Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro,
    Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl,
    Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert,
    Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oleg Solovyov,
    Pablo Ceballos, Pavel Zhukov, Phaedrus Leeds, Philipp Gortan,
    Piotr Drąg, Pyfisch, Quentin Deslandes, Rahil Bhimjiani,
    Rene Hollander, Richard Huang, Richard Phibel, Rudi Heitbaum,
    Sam James, Sarah Brofeldt, Sean Anderson, Sebastian Scheibner,
    Shreenidhi Shedi, Sonali Srivastava, Steve Ramage, Suraj Krishnan,
    Swapnil Devesh, Ted X. Toth, Thomas Blume, Thomas Haller, Thomas Hebb,
    Tomáš Hnyk, Tomasz Paweł Gajc, Topi Miettinen, Ulrich Ölmann, undef,
    Uriel Corfa, Victor Westerhuis, Vincent Dagonneau,
    Vishal Chillara Srinivas, Vito Caputo, Wenchao Hao, William Roberts,
    williamsumendap, wineway, Yu Watanabe, Zbigniew Jędrzejewski-Szmek,
    Zhaofeng Li, наб

    – Under the Sea, 2022-10-07

systemd - systemd v252-rc1

Published by bluca about 2 years ago

CHANGES WITH 252 in spe:

Announcement of Future Feature Removal:

    * We intend to remove cgroup v1 support from a systemd release after the
      end of 2023. If you run services that make explicit use of cgroup v1
      features (i.e. the "legacy hierarchy" with separate hierarchies for
      each controller), please implement compatibility with cgroup v2 (i.e.
      the "unified hierarchy") sooner rather than later. Most of Linux
      userspace has been ported over already.

    * We intend to remove support for split-usr (/usr mounted separately
      during boot) and unmerged-usr (parallel directories /bin and
      /usr/bin, /lib and /usr/lib, etc). This will happen in the second
      half of 2023, in the first release that falls into that time window.
      For more details, see:
      https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

Compatibility Breaks:

    * ConditionKernelVersion= checks that use the '=' or '!=' operators
      will now do simple string comparisons (instead of version comparisons
      à la strverscmp()). Version comparisons are still done for the
      ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
      specified, a shell-style glob match is now done. This creates a minor
      incompatibility compared to older systemd versions when the '*', '?',
      '[', ']' characters are used, as these will now match as shell globs
      instead of literally. Given that kernel version strings typically do
      not include these characters we expect little breakage through this
      change.

    * The service manager will now read the SELinux label used for SELinux
      access checks from the unit file at the time it loads the file.
      Previously, the label would be read at the moment of the access
      check, which was problematic since at that time the unit file might
      already have been updated or removed.

New Features:

    * systemd-measure is a new tool for precalculating and signing expected
      TPM2 PCR values seen once a given unified kernel image (UKI) with
      systemd-stub is booted. This is useful for implementing TPM2 policies
      for LUKS encrypted volumes and encrypted system/service credentials,
      that robustly bind to kernels carrying appropriate PCR signature
      information. The signed expected PCR information may be embedded
      inside UKI images for this purpose so that it is automatically
      available in userspace, once the UKI is booted.

      systemd-cryptsetup, systemd-cryptenroll and systemd-creds have been
      updated to make use of this information if available in the booted
      kernel.

      Net effect: if you boot a properly prepared kernel, TPM-bound disk
      encryption now defaults to be locked to kernels which carry PCR
      signatures from the same signature key pair. Example: if a
      hypothetical distro FooOS prepares its UKI kernels like this,
      TPM-based disk encryption is now – by default – bound to only FooOS
      kernels, and encrypted volumes bound to the TPM cannot be unlocked on
      other kernels from other sources. (But do note this behaviour
      requires preparation/enabling in the UKI, and of course users can
      always enroll non-TPM ways to unlock the volume.)

      Binding TPM-based disk encryption to public keys/signatures of PCR
      values — instead of literal PCR values — addresses the inherent
      "brittleness" of traditional PCR-bound TPM disk encryption schemes:
      disks remain accessible even if the UKI image is updated, without any
      preparation during the update — as long as each UKI carries the
      necessary PCR signature information.

    * systemd-pcrphase is a new tool that is invoked at 4 places during
      system runtime, and measures additional words into TPM2 PCR 11, to
      mark milestones of the boot process. This allows binding access to
      specific TPM2-encrypted secrets to specific phases of the boot
      process. (Think: LUKS2 disk encryption key only accessible in the
      initrd, but not later.)

Changes in systemd itself, i.e. the manager, and units

    * The cpu controller is delegated to user manager units by default, and
      CPUWeight= settings are applied to the top-level user slice units
      (app.slice, background.slice, session.slice). This provides a degree
      of resource isolation between different user services competing for
      the CPU.

    * Systemd can optionally do a full preset in the "first boot" condition
      (instead of just enable-only). This behaviour is controlled by the
      compile-time option -Dfirst-boot-full-preset. Right now it defaults
      to 'false', but the plan is to switch it to 'true' for the subsequent
      release.

    * Systemd will set the taint flag 'support-ended' if it detects that
      the OS image is past its end-of-support date. This date is declared
      in a new /etc/os-release field SUPPORT_END= described below.

    * Two new settings ConditionCredential= and AssertCredential= can be
      used to skip or fail units if a certain system credential is not
      provided.

    * ConditionMemory= accepts size suffixes (K, M, G, T, …).

    * DefaultSmackProcessLabel= can be used in system.conf and user.conf to
      specify the SMACK security label to use when not specified in a unit
      file.

    * DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
      specify the default timeout when waiting for device units to
      activate.

    * C.UTF-8 is used as the default locale if nothing else has been
      configured.

    * [Condition|Assert]Firmware= have been extended to support certain
      SMBIOS fields. For example

        ConditionFirmware=smbios-field(board_name = "Custom Board")

      conditionalizes the unit to run only when
      /sys/class/dmi/id/board_name contains "Custom Board" (without the
      quotes).

    * ConditionFirstBoot= now correctly evaluates as true only during the
      boot phase of the first boot. A unit executed later, after booting
      has completed, will no longer evaluate this condition as true.

    * Socket units will now create sockets in the SELinuxContext= of the
      associated service unit, if any.

    * Boot phase transitions (start initrd → exit initrd → boot complete →
      shutdown) will be measured into TPM2 PCR 11, so that secrets can be
      bound to a specific runtime phase. E.g.: a LUKS encryption key can be
      unsealed only in the initrd.
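
      The following Python model is an added example, not code from the
      systemd project, of the mechanism described in the systemd-measure
      and systemd-pcrphase entries above: it precalculates PCR 11 the way a
      measure tool would, extends it with the boot-phase words, and shows
      that a secret sealed to the 'enter-initrd' value unseals in the
      initrd but not after 'leave-initrd', and not at all if the UKI's
      command line was altered. The UKI contents, the assumption that each
      section is measured as its NUL-terminated name followed by its
      contents, and the phase word being measured as plain ASCII are
      assumptions of the model; the signing of expected values
      (.pcrsig/.pcrkey) is not modelled.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2 extend for a SHA-256 bank: PCR' = H(PCR || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


# Constructed stand-in for the sections of a UKI (assumed order; only the
# chaining matters for the model).
UKI_SECTIONS = [
    (".linux",   b"<kernel image bytes>"),
    (".osrel",   b"ID=fooos\nVERSION_ID=1\n"),
    (".cmdline", b"root=/dev/mapper/root ro"),
    (".initrd",  b"<initrd cpio bytes>"),
]

# Boot-phase words as listed in systemd-pcrphase(8); "shutdown"/"final" omitted.
PHASES = ["enter-initrd", "leave-initrd", "sysinit", "ready"]


def predict_after_stub(sections=UKI_SECTIONS) -> bytes:
    """Expected PCR 11 once the stub has measured the UKI. Assumption: each
    section is measured as its NUL-terminated name, then its contents."""
    pcr = bytes(PCR_SIZE)
    for name, content in sections:
        pcr = pcr_extend(pcr, name.encode() + b"\0")
        pcr = pcr_extend(pcr, content)
    return pcr


def predict_phases(sections=UKI_SECTIONS, phases=PHASES) -> dict:
    """Expected PCR 11 value right after each phase word has been measured."""
    pcr = predict_after_stub(sections)
    expected = {}
    for word in phases:
        pcr = pcr_extend(pcr, word.encode())
        expected[word] = pcr
    return expected


class ModelTPM:
    """Minimal TPM stand-in: one PCR and a PolicyPCR-style check on unseal."""

    def __init__(self):
        self.pcr11 = bytes(PCR_SIZE)

    def extend(self, data: bytes) -> None:
        self.pcr11 = pcr_extend(self.pcr11, data)

    def seal(self, secret: bytes, expected_pcr11: bytes) -> dict:
        # A real TPM returns the secret wrapped; the model keeps it in the clear.
        return {"policy": expected_pcr11, "secret": secret}

    def unseal(self, blob: dict) -> bytes:
        if blob["policy"] != self.pcr11:
            raise PermissionError("PolicyPCR mismatch: wrong boot phase or wrong UKI")
        return blob["secret"]


def boot_and_unseal(tamper_cmdline: bool = False):
    """Simulate a boot: the stub measures the UKI, pcrphase marks phases, and a
    LUKS key sealed to the 'enter-initrd' value is tried in each phase. Returns
    (result_in_initrd, result_after_initrd); a str is the error class name."""
    expected = predict_phases()
    luks_key = b"constructed-luks-volume-key"
    blob = ModelTPM().seal(luks_key, expected["enter-initrd"])  # done once, at enrollment

    tpm = ModelTPM()
    sections = list(UKI_SECTIONS)
    if tamper_cmdline:
        sections[2] = (".cmdline", b"root=/dev/mapper/root ro init=/bin/sh")
    for name, content in sections:          # what the stub does at boot
        tpm.extend(name.encode() + b"\0")
        tpm.extend(content)

    results = []
    for word in ["enter-initrd", "leave-initrd"]:   # what pcrphase does
        tpm.extend(word.encode())
        try:
            results.append(tpm.unseal(blob))
        except PermissionError as err:
            results.append(type(err).__name__)
    return tuple(results)


if __name__ == "__main__":
    print(boot_and_unseal())
    print(boot_and_unseal(tamper_cmdline=True))
```

      The point of signing the predicted values rather than enrolling them
      literally is that predict_phases() can be re-run for every new UKI at
      build time and the TPM is told to trust whatever the signing key
      vouches for; the phase words, not the kernel bytes, are what keep the
      key out of reach of the booted system.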

    * Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
      also be provided to ExecStartPre= processes.

    * Various units are now correctly ordered against
      initrd-switch-root.target where previously a conflict without
      ordering was configured. A stop job for those units would be queued,
      but without the ordering it could be executed only after
      initrd-switch-root.service, leading to units not being restarted in
      the host system as expected.

    * In order to fully support the IPMI watchdog driver, which has not yet
      been ported to the new common watchdog device interface,
      /dev/watchdog0 will be tried first and systemd will silently fall back
      to /dev/watchdog if it is not found.

    * New watchdog-related D-Bus properties are now published by systemd:
      WatchdogDevice, WatchdogLastPingTimestamp,
      WatchdogLastPingTimestampMonotonic.

    * At shutdown, API virtual file systems (proc, sys, etc.) will be
      unmounted lazily.

    * At shutdown, systemd will now log about processes blocking unmounting
      of file systems.

    * A new meson build option 'clock-valid-range-usec-max' was added to
      allow disabling system time correction if RTC returns a timestamp far
      in the future.

    * Propagated restart jobs will no longer be discarded while a unit is
      activating.

    * PID 1 will now import system credentials from SMBIOS Type 11 fields
      ("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
      simple, fast and generic path for supplying credentials to a VM,
      without involving external tools such as cloud-init/ignition.

    * The CPUWeight= setting of unit files now accepts a new special value
      "idle", which configures "idle" level scheduling for the unit.

    * Service processes that are activated due to a .timer or .path unit
      triggering will now receive information about this via environment
      variables. Note that this information is lossy, as activation
      might be coalesced and only one of the activating triggers will be
      reported. This is hence more suited for debugging or tracing rather
      than for behaviour decisions.

Changes in sd-boot, bootctl, and the Boot Loader Specification:

    * The Boot Loader Specification has been cleaned up and clarified.
      Various corner cases in version string comparisons have been fixed
      (e.g. comparisons for empty strings). Boot counting is now part of
      the main specification.

    * New PCR measurements are performed during boot: PCR 11 for the
      kernel+initrd combo, PCR 13 for any sysext images. If a measurement
      took place this is now reported to userspace via the new
      StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.

    * As before, systemd-stub will measure kernel parameters and system
      credentials into PCR 12. It will now report this fact via the
      StubPcrKernelParameters EFI variable to userspace.

    * The UEFI monotonic boot counter is now included in the updated random
      seed file maintained by sd-boot, providing some additional entropy.

    * Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
      is now supported by sd-boot.

    * bootctl gained a bunch of new options: --all-architectures to install
      binaries for all supported EFI architectures, --root= and --image=
      to operate on a directory or disk image, --install-source= to specify
      the source for binaries to install, and
      --efi-boot-option-description= to control the name of the boot entry.

    * The sd-boot stub exports a StubFeatures flag, which is used by
      bootctl to show features supported by the stub that was used to boot.

    * sd-boot will now try to detect and warn about overlapping PE sections
      in the UKI.

    * sd-stub now accepts (and passes to the initrd and then to the full
      OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
      signatures of expected PCR values, to allow sealing secrets via the
      TPM2 against pre-calculated PCR measurements.

Changes in the hardware database:

    * 'systemd-hwdb query' now supports the --root= option.

Changes in systemctl:

    * systemctl now supports --state= and --type= options for the 'show'
      and 'status' verbs.

    * systemctl gained a new verb 'list-automounts' to list automount
      points.

    * systemctl gained support for a new --image= switch to be able to
      operate on the specified disk image (similar to the existing --root=
      which operates relative to some directory).

Changes in systemd-networkd:

    * networkd can set Linux NetLabel labels for integration with the
      network control in security modules via a new NetLabel= option.

    * The RapidCommit= option is (re-)introduced to enable faster
      configuration via DHCPv6 (RFC 3315).

    * networkd gained a new option TCPCongestionControlAlgorithm= that
      allows setting a per-route TCP algorithm.

    * networkd gained a new option KeepFileDescriptor= to allow keeping a
      reference (file descriptor) open on TUN/TAP interfaces, which is
      useful to avoid link flaps while the underlying service providing the
      interface is being serviced.

Changes in systemd-nspawn:

    * The --bind= and --overlay= options now support relative paths.

    * The --bind= option now supports a 'rootidmap' value, which will
      use id-mapped mounts to map the root user inside the container to the
      owner of the mounted directory on the host.

Changes in libsystemd and other libraries:

    * libsystemd now exports sd_bus_error_setfv() (a convenience function
      for setting bus errors), sd_id128_string_equal() (a convenience
      function for 128bit ID string comparisons), and
      sd_bus_message_read_strv_extend() (a function to incrementally read
      string arrays).

    * libsystemd now exports sd_device_get_child_first()/_next() as a
      high-level interface for enumerating child devices. It also supports
      sd_device_new_child() for opening a child device given a device
      object.

    * libsystemd now exports sd_device_monitor_set()/get_description()
      which allow setting a custom description that will be used in log
      messages by sd_device_monitor*.

    * Private shared libraries (libsystemd-shared-nnn.so,
      libsystemd-core-nnn.so) are now installed into arch-specific
      directories to allow multi-arch installs.

    * A new sd-gpt.h header is now published, listing GUIDs from the
      Discoverable Partitions specification. For more details see:
      https://systemd.io/DISCOVERABLE_PARTITIONS/

    * A new function sd_hwdb_new_from_path() has been added to open a hwdb
      database given an explicit path to the file.

    * The signal number argument to sd_event_add_signal() can now be
      ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
      be automatically invoked to block the specified signal. This is
      useful to simplify invocations as the caller doesn't have to do this
      manually.

    * A new convenience call sd_event_set_signal_exit() has been added to
      sd-event to set up signal handling so that the event loop
      automatically terminates cleanly on SIGTERM/SIGINT.

Changes in other components:

    * systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
      can now be provided via the credential mechanism.

    * tmpfiles.d/ lines can read file contents to write from a credential.
      The new modifier char '^' is used to specify that the argument is a
      credential name. This mechanism is used to automatically populate
      /etc/motd, /etc/issue, and /etc/hosts from credentials.

    * tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
      an inode if the specification is prefixed with ':' and the inode
      already exists.

    * Default tmpfiles.d/ configuration now carries a line to automatically
      use an 'ssh.authorized_keys.root' credential if provided to set up
      the SSH authorized_keys file for the root user.

    * systemd-tmpfiles will now gracefully handle absent source of "C" copy
      lines.

    * tmpfiles.d/ F/w lines now optionally permit encoding of the payload
      in base64. This is useful to write arbitrary binary data into files.
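      A tmpfiles.d fragment exercising the three modifiers described above (added example, not systemd's shipped configuration; the credential name login.motd, the myapp user and the /var/lib/myapp paths are assumptions, and the exact form of the shipped ssh.authorized_keys.root line is reconstructed, not copied):

```conf
# /etc/tmpfiles.d/credentials-demo.conf (constructed example)
#
# '^': the argument column names a credential whose contents are written to
#      the file. Credentials reach systemd-tmpfiles like any other system
#      credential (qemu fw_cfg, systemd-stub, systemd.set_credential=, or
#      SetCredential=/LoadCredential= on the unit that runs it).
#      'f' leaves an existing file alone, 'f+' replaces its contents.
f^  /etc/motd                   0644 root  root  - login.motd

# Same mechanism for root's SSH key, using the credential name the default
# configuration consumes (line reconstructed here, not copied from systemd).
d   /root/.ssh                  0700 root  root  -
f^  /root/.ssh/authorized_keys  0600 root  root  - ssh.authorized_keys.root

# ':': create with this owner/mode if missing, but leave uid/gid/mode of an
#      inode that already exists untouched (useful when an admin has
#      deliberately tightened permissions and a reboot must not undo it).
d:  /var/lib/myapp              0750 myapp myapp -

# '~': the argument is base64 and is decoded before writing, so a line can
#      carry binary data. Payload is constructed: the bytes 0x00..0x07.
f+~ /var/lib/myapp/key.bin      0600 myapp myapp - AAECAwQFBgc=
```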

    * systemd-analyze gained a new verb 'compare-versions' that implements
      comparisons for versions strings (similarly to 'rpmdev-vercmp' and
      'dpkg --compare-versions').

    * The pkgconfig and rpm macros files now export the directory for user
      units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.

    * Detection of Apple Virtualization and detection of Parallels and
      KubeVirt virtualization on non-x86 archs have been added.

    * os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
      user when their system will become unsupported.

    * When performing suspend-then-hibernate, the system will estimate the
      discharge rate and use that to set the delay until hibernation and
      hibernate immediately instead of suspending when running from a
      battery and the capacity is below 5%.

    * systemd-sysctl gained a --strict option to fail when a sysctl
      setting is unknown to the kernel.

    * machinectl supports --force for the 'copy-to' and 'copy-from'
      verbs.

    * OpenSSL is the default crypto backend for systemd-resolved. (gnutls
      is still supported.)

    * 'journalctl -o' and similar commands now implement a new output mode
      "short-delta". It is similar to "short-monotonic", but also shows the
      time delta between subsequent messages.

    * journalctl now respects the --quiet flag when verifying consistency
      of journal files.

    * Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
      will indicate whether a message was logged in the 'initrd' phase or
      in the 'system' phase of the boot process.

    * Journal files gained a new compatibility flag
      'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
      to the storage format that allow reducing size on disk. As with other
      compatibility flags, older journalctl versions will not be able to
      read journal files using this new format. The environment variable
      'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
      disable this functionality. It is enabled by default.

    * systemd-run's --working-directory= switch now works when used in
      combination with --scope.

    * portablectl gained a --force flag to skip certain sanity checks. The
      corresponding 0x2 flag is now accepted by the *WithExtensions() D-Bus
      methods of systemd-portabled. For now, this flag means that on
      attach/detach the checks whether the units are already present and
      running will be skipped. Callers must be sure to do those checks
      themselves.

    * systemd-portabled will now use the original filename to check
      extension-release.NAME for correctness, in case it is passed a
      symlink.

    * systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
      too.

    * sysext's extension-release files now support '_any' as a special
      value for the ID= field, to allow distribution-independent extensions
      (e.g.: fully statically compiled binaries, scripts). It also gained
      support for a new ARCHITECTURE= field that may be used to explicitly
      restrict an image to hosts of a specific architecture.

    * systemd-resolved now persists DNSOverTLS in its state file too. This
      fixes a problem when used in combination with NetworkManager, which
      sends the setting only once, causing it to be lost if resolved was
      restarted at any point.

    * systemd-resolved now exposes a varlink socket at
      /run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for
      root. Processed DNS requests in a JSON format will be published to
      any clients connected to this socket. resolvectl gained a 'monitor'
      verb to make use of this.
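      The monitor socket above is a varlink endpoint: each message is one JSON object terminated by a NUL byte. The following added example (not systemd's own code) subscribes to it and flags queries for watchlisted names; the socket path and root-only access come from the entry, while the method name and the record layout (parameters.question[].name) are assumptions about resolved's interface.

```python
"""Client for the io.systemd.Resolve.Monitor varlink socket that flags queries
for watchlisted names (added example, not systemd's own code)."""
import json
import socket

SOCKET_PATH = "/run/systemd/resolve/io.systemd.Resolve.Monitor"
METHOD = "io.systemd.Resolve.Monitor.SubscribeQueryResults"   # assumed name
WATCHLIST = {"example.invalid"}   # constructed: names worth alerting on


def encode_call(method, parameters=None, more=True):
    """Varlink framing: one JSON object, UTF-8, terminated by a NUL byte.
    'more': true asks the server to keep streaming replies on this call."""
    msg = {"method": method}
    if parameters is not None:
        msg["parameters"] = parameters
    if more:
        msg["more"] = True
    return json.dumps(msg, separators=(",", ":")).encode("utf-8") + b"\0"


def split_messages(buf):
    """Split a receive buffer into complete NUL-terminated messages.
    Returns (decoded_messages, leftover) where leftover is a partial tail."""
    msgs = []
    while True:
        i = buf.find(b"\0")
        if i < 0:
            return msgs, buf
        msgs.append(json.loads(buf[:i].decode("utf-8")))
        buf = buf[i + 1:]


def queried_names(record):
    """Normalised names in the question section of one query-result record
    (assumed layout: parameters.question[].name)."""
    params = record.get("parameters") or {}
    return [q["name"].rstrip(".").lower()
            for q in (params.get("question") or []) if "name" in q]


def flagged(record, watchlist=WATCHLIST):
    """Watchlisted names that this record shows being resolved."""
    return [n for n in queried_names(record) if n in watchlist]


def monitor(path=SOCKET_PATH, watchlist=WATCHLIST):
    """Connect as root, subscribe, and report flagged queries as they arrive."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(encode_call(METHOD))
        buf = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                return
            buf += chunk
            msgs, buf = split_messages(buf)
            for m in msgs:
                if "error" in m:
                    raise RuntimeError("varlink error: %s" % m["error"])
                hits = flagged(m, watchlist)
                if hits:
                    print("watchlisted query:", hits,
                          "state:", (m.get("parameters") or {}).get("state"))


# Constructed sample stream: an initial readiness record, one query-result
# record, and the partial start of a third that is still in flight.
SAMPLE = (
    b'{"parameters":{"ready":true},"continues":true}\0'
    b'{"parameters":{"state":"success","rcode":0,'
    b'"question":[{"class":1,"type":1,"name":"Example.Invalid."}]},'
    b'"continues":true}\0'
    b'{"parameters":{"state":'
)

if __name__ == "__main__":
    monitor()
```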

    * systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
      instead of returning SERVFAIL, as per RFC:
      https://datatracker.ietf.org/doc/html/rfc6840#section-5.2

    * systemd-repart now supports creating squashfs partitions. This
      requires mksquashfs from squashfs-tools.

    * systemd-repart gained a --split flag to also generate split
      artifacts, i.e. a separate file for each partition. This is useful in
      conjunction with systemd-sysupdate or other tools, or to generate
      split dm-verity artifacts.

    * systemd-repart is now able to generate dm-verity partitions, including
      signatures.

    * systemd-repart can now set a partition UUID to zero, allowing it to
      be filled in later, such as when using verity partitions.

    * systemd-repart now supports drop-ins for its configuration files.

    * Package metadata logged by systemd-coredump in the system journal is
      now more compact.

    * xdg-autostart-service now expands 'tilde' characters in Exec lines.

    * systemd-oomd now automatically links against libatomic, if available.

    * systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
      killed.

    * scope units now also provide oom-kill status.

    * systemd-pstore will now try to load only the efi_pstore kernel module
      before running, ensuring that pstore can be used.

    * systemd-logind gained a new StopIdleSessionSec= option to stop an idle
      session after a preconfigured timeout.

    * systemd-homed will now wait up to 30 seconds for workers to terminate,
      rather than indefinitely.

    * homectl gained a new '--luks-sector-size=' flag that allows users to
      select the preferred LUKS sector size. Must be a power of 2 between 512
      and 4096. systemd-userdbd records gained a corresponding field.

    * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
      variable when generating the 'sp_lstchg' field, to ensure an image
      build can be reproducible.

    * 'udevadm wait' will now listen to kernel uevents too when called with
      --initialized=no.

    * When naming network devices udev will now consult the Devicetree
      "alias" fields for the device.

    * ConditionACPower= and systemd-ac-power will now assume the system is
      running on AC power if no battery can be found.

    * All features and tools using the TPM2 will now communicate with it
      using a bind key. Beforehand, the tpm2 support used encrypted sessions
      by creating a primary key that was used to encrypt traffic. This
      creates a problem as the key created for encrypting the traffic could
      be faked by an active interposer on the bus. In cases when a pin is
      used, a bind key will be used. The pin is used as the auth value for
      the seal key, aka the disk encryption key, and that auth value will be
      used in the session establishment. An attacker would need the pin
      value to create the secure session and thus an active interposer
      without the pin cannot interpose on TPM2 traffic.

    * systemd-growfs no longer requires udev to run.

    * systemd-backlight now will better support systems with multiple
      graphic cards.

    * systemd-cryptsetup's keyfile-timeout= option now also works when a
      device is used as a keyfile.

    * systemd-cryptenroll gained a new --unlock-key-file= option to get the
      unlocking key from a key file (instead of prompting the user). Note
      that this is the key for unlocking the volume in order to be able to
      enroll a new key, but it is not the key that is enrolled.

    * systemd-dissect gained a new --umount switch that will safely and
      synchronously unmount all partitions of an image previously mounted
      with 'systemd-dissect --mount'.

    * When using gcrypt, all systemd tools and services will now configure
      it to prefer the OS random number generator if present.

Experimental features:

    * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
      and bpftool >= 7.0).

    * sd-boot can automatically enroll SecureBoot keys from files found on
      the ESP. This enrollment can be either automatic ('force' mode) or
      controlled by the user ('manual' mode). It is sufficient to place the
      SecureBoot keys in the right place in the ESP and they will be picked
      up by sd-boot and shown in the boot menu.

    Contributions from: 김인수, Adam Williamson, adrian5, Akihiko Odaki,
    Alban Bedel, Albert Mikaelyan, Aleksey Vasenev, Alexander Graf,
    Alexander Shopov, Alexander Wilson, Alper Nebi Yasak, Andre Kalb,
    Andrew Stone, Andrey Albershteyn, Anita Zhang, Ansgar Burchardt,
    Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh, asavah,
    Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera,
    Benjamin Franzke, BerndAdameit, bin456789, Chih-Hsuan Yen,
    Christian Brauner, Christian Göttsche, Christian Hesse, Clyde Byrd III,
    codefiles, Colin Walters, Cristian Rodríguez, Daan De Meyer,
    Daniel Braunwarth, Dan Streetman, Darsey Litzenberger, David Edmundson,
    David Jaša, David Rheinsberg, David Tardon, dependabot[bot],
    Devendra Tewari, Dominique Martinet, drosdeck, Edson Juliano Drosdeck,
    Eduard Tolosa, eggfly, Einsler Lee, Elias Probst, Eli Schwartz,
    Evgeny Vereshchagin, exploide, Fei Li, Foster Snowhill, Franck Bui,
    Frank Dana, Frantisek Sumsal, Gio, Goffredo Baroncelli, gtwang01,
    Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt,
    Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz,
    Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt, Jan Janssen,
    Jan Luebbe, Jan Macku, Jason A. Donenfeld, Javkhlanbayar Khongorzul,
    Jeremy Soller, JeroenHD, jiangchuangang, João Loureiro,
    Joaquín Ignacio Aramendía, Johannes Schauer Marin Rodrigues,
    Jonas Kümmerlin, Jonas Witschel, Jonathan Lebon, Joost Heitbrink,
    Jörg Thalheim, josh-gordon-fb, Kai Lueke, lastkrick,
    Lennart Poettering, licunlong, Li kunyu, LockBlock-dev, Loïc Collignon,
    Luca Boccassi, Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123,
    Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro,
    Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl,
    Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert,
    Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oleg Solovyov,
    Pablo Ceballos, Pavel Zhukov, Phaedrus Leeds, Philipp Gortan,
    Piotr Drąg, Quentin Deslandes, Rahil Bhimjiani, Rene Hollander,
    Richard Huang, Richard Phibel, Rudi Heitbaum, Sam James,
    Sarah Brofeldt, Sean Anderson, Sebastian Scheibner, Shreenidhi Shedi,
    Sonali Srivastava, Steve Ramage, Suraj Krishnan, Swapnil Devesh,
    Thomas Haller, Thomas Hebb, Tomáš Hnyk, Tomasz Paweł Gajc,
    Topi Miettinen, Ulrich Ölmann, undef, Uriel Corfa, Victor Westerhuis,
    Vincent Dagonneau, Vishal Chillara Srinivas, Vito Caputo, Wenchao Hao,
    William Roberts, williamsumendap, wineway, Yu Watanabe,
    Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб

    – Under the Sea, 2022-10-07
systemd - systemd v251

Published by bluca over 2 years ago

systemd System and Service Manager

CHANGES WITH 251:

    Backwards-incompatible changes:

    * The minimum kernel version required has been bumped from 3.13 to 4.15,
      and CLOCK_BOOTTIME is now assumed to always exist.

    * C11 with GNU extensions (aka "gnu11") is now used to build our
      components. Public API headers are still restricted to ISO C89.

    * In v250, a systemd-networkd feature that automatically configures
      routes to addresses specified in AllowedIPs= was added and enabled by
      default. However, this causes network connectivity issues in many
      existing setups. Hence, it has been disabled by default since
      systemd-stable 250.3. The feature can still be used by explicitly
      configuring RouteTable= setting in .netdev files.

    * Jobs started via StartUnitWithFlags() will no longer return 'skipped'
      when a Condition*= check does not succeed, restoring the JobRemoved
      signal to the behaviour it had before v250.

    * The org.freedesktop.portable1 methods GetMetadataWithExtensions() and
      GetImageMetadataWithExtensions() have been fixed to provide an extra
      return parameter, containing the actual extension release metadata.
      The current implementation was judged to be broken and unusable, and
      thus the usual procedure of adding a new set of methods was skipped,
      and backward compatibility broken instead on the assumption that
      nobody can be affected given the current state of this interface.

    * All kernels supported by systemd mix RDRAND (or similar) into the
      entropy pool at early boot. This means that on those systems, even if
      /dev/urandom is not yet initialized, it still returns bytes that
      are at least as high quality as RDRAND. For that reason, we no longer
      have reason to invoke RDRAND from systemd itself, which has
      historically been a source of bugs. Furthermore, kernels ≥5.6 provide
      the getrandom(GRND_INSECURE) interface for returning random bytes
      before the entropy pool is initialized without warning into kmsg,
      which is what we attempt to use if available. systemd's direct usage
      of RDRAND has been removed. x86 systems ≥Broadwell that are running
      an older kernel may experience kmsg warnings that were not seen with
      250. For newer kernels, non-x86 systems, or older x86 systems, there
      should be no visible changes.

    * sd-boot will now measure the kernel command line into TPM PCR 12
      rather than PCR 8. This improves usefulness of the measurements on
      systems where sd-boot is chainloaded from Grub. Grub measures all
      commands it executes into PCR 8, which makes it very hard to use
      reasonably, hence separate ourselves from that and use PCR 12
      instead, which is what certain Ubuntu editions already do. To retain
      compatibility with systems running older systemd versions a new meson
      option 'efi-tpm-pcr-compat' has been added (which defaults to false).
      If enabled, the measurement is done twice: into the new-style PCR 12
      *and* the old-style PCR 8. It's strongly advised to migrate all users
      to PCR 12 for this purpose in the long run, as we intend to remove
      this compatibility feature in two years' time.

    * busctl capture now writes output in the newer pcapng format instead
      of pcap.

    * A udev rule that imported hwdb matches for USB devices with
      lowercase hexadecimal vendor/product ID digits was added in systemd
      250. This has been reverted, since uppercase hexadecimal digits are
      supposed to be used, and we already had a rule with the
      appropriate match.

      Users might need to adjust their local hwdb entries.

    * arch_prctl(2) has been moved to the @default set in the syscall filters
      (as exposed via the SystemCallFilter= setting in service unit files).
      It is apparently used by the linker now.

    * The tmpfiles entries that create the /run/systemd/netif directory and
      its subdirectories were moved from tmpfiles.d/systemd.conf to
      tmpfiles.d/systemd-network.conf.

      Users might need to adjust their files that override tmpfiles.d/systemd.conf
      to account for this change.

    * The requirement for Portable Services images to contain a well-formed
      os-release file (i.e.: contain at least an ID field) is now enforced.
      This applies to base images and extensions, and also to systemd-sysext.

    Changes in the Boot Loader Specification, kernel-install and sd-boot:

    * kernel-install's and bootctl's Boot Loader Specification Type #1
      entry generation logic has been reworked. The user may now pick
      explicitly by which "token" string to name the installation's boot
      entries, via the new /etc/kernel/entry-token file or the new
      --entry-token= switch to bootctl. By default — as before — the
      entries are named after the local machine ID. However, in "golden
      image" environments, where the machine ID shall be initialized on
      first boot (as opposed to at installation time before first boot) the
      machine ID will not be available at build time. In this case the
      --entry-token= switch to bootctl (or the /etc/kernel/entry-token
      file) may be used to override the "token" for the entries, for
      example the IMAGE_ID= or ID= fields from /etc/os-release. This will
      make the OS images independent of any machine ID, and ensure that the
      images will not carry any identifiable information before first boot,
      but on the other hand means that multiple parallel installations of
      the very same image on the same disk cannot be supported.

      Summary: if you are building golden images that shall acquire
      identity information exclusively on first boot, make sure to both
      remove /etc/machine-id *and* to write /etc/kernel/entry-token to the
      value of the IMAGE_ID= or ID= field of /etc/os-release or another
      suitable identifier before deploying the image.

    * The Boot Loader Specification has been extended with
      /loader/entries.srel file located in the EFI System Partition (ESP)
      that disambiguates the format of the entries in the /loader/entries/
      directory (in order to discern them from incompatible uses of this
      directory by other projects). For entries that follow the
      Specification, the string "type1" is stored in this file.

      bootctl will now write this file automatically when installing the
      systemd-boot boot loader.

    * kernel-install supports a new initrd_generator= setting in
      /etc/kernel/install.conf, that is exported as
      $KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This
      allows choosing different initrd generators.

    * kernel-install will now create a "staging area" (an initially-empty
      directory to gather files for a Boot Loader Specification Type #1
      entry). The path to this directory is exported as
      $KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should
      drop files there instead of writing them directly to the final
      location. kernel-install will move them when all files have been
      prepared successfully.

    * New option sort-key= has been added to the Boot Loader Specification
      to override the sorting order of the entries in the boot menu. It is
      read by sd-boot and bootctl, and will be written by kernel-install,
      with the default value of IMAGE_ID= or ID= fields from
      os-release. Together, this means that on multiboot installations,
      entries should be grouped and sorted in a predictable way.

    * The sort order of boot entries has been updated: entries which have
      the new field sort-key= are sorted by it first, and all entries
      without it are ordered later. After that, entries are sorted by
      version so that newest entries are towards the beginning of the list.

    * The kernel-install tool gained a new 'inspect' verb which shows the
      paths and other settings used.

    * sd-boot can now optionally beep when the menu is shown and menu
      entries are selected, which can be useful on machines without a
      working display. (Controllable via a loader.conf setting.)

    * The --make-machine-id-directory= switch to bootctl has been replaced
      by --make-entry-directory=, given that the entry directory is not
      necessarily named after the machine ID, but after some other suitable
      ID as selected via --entry-token= described above. The old name of
      the option is still understood to maximize compatibility.

    * 'bootctl list' gained support for a new --json= switch to output boot
      menu entries in JSON format.

    * 'bootctl is-installed' now supports the --graceful option, and various
      verbs omit output with the new --quiet option.

    Changes in systemd-homed:

    * Starting with v250 systemd-homed uses UID/GID mapping on the mounts
      of activated home directories it manages (if the kernel and selected
      file systems support it). So far it mapped three UID ranges: the
      range from 0…60000, the user's own UID, and the range 60514…65534,
      leaving everything else unmapped (in other words, the 16-bit UID range
      is mapped almost fully, except for the UID subrange used for
      systemd-homed users, of which only the user's own UID is mapped).
      Unmapped UIDs may not be used for file ownership in the home
      directory — any chown() attempts with them will fail. With this
      release a fourth range is added to these mappings:
      524288…1879048191. This range is the UID range intended for container
      uses, see:

              https://systemd.io/UIDS-GIDS

      This range may be used for container managers that place container OS
      trees in the home directory (which is a questionable approach, for
      quota, permission, SUID handling and network file system
      compatibility reasons, but nonetheless apparently commonplace). Note
      that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
      UID assignments from the range are not managed or mapped by
      `systemd-homed`, and must be managed with other mechanisms, in the
      context of the local system.

      Typically, a better approach to user namespacing in relevant
      container managers would be to leave container OS trees on disk at
      UID offset 0, but then map them to a dynamically allocated runtime
      UID range via another UID mount map at container invocation
      time. That way user namespace UID ranges become strictly a runtime
      concept, and do not leak into persistent file systems, persistent
      user databases or persistent configuration, thus greatly simplifying
      handling, and improving compatibility with home directories intended
      to be portable like the ones managed by systemd-homed.

    Changes in shared libraries:

    * A new libsystemd-core-<version>.so private shared library is
      installed under /usr/lib/systemd/system, mirroring the existing
      libsystemd-shared-<version>.so library. This allows the total
      installation size to be reduced by binary code reuse.

    * The <version> tag used in the name of libsystemd-shared.so and
      libsystemd-core.so can be configured via the meson option
      'shared-lib-tag'. Distributions may build subsequent versions of the
      systemd package with unique tags (e.g. the full package version),
      thus allowing multiple installations of those shared libraries to be
      available at the same time. This is intended to fix an issue where
      programs that link to those libraries would fail to execute because
      they were installed earlier or later than the appropriate version of
      the library.

    * The sd-id128 API gained a new call sd_id128_to_uuid_string() that is
      similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID
      format instead of a simple series of hex characters.

    * The sd-device API gained two new calls sd_device_new_from_devname()
      and sd_device_new_from_path() which permit allocating an sd_device
      object from a device node name or file system path.

    * sd-device also gained a new call sd_device_open() which will open the
      device node associated with a device for which an sd_device object
      has been allocated. The call is supposed to address races around
      device nodes being removed/recycled due to hotplug events, or media
      change events: the call checks internally whether the major/minor of
      the device node and the "diskseq" (in case of block devices) match
      with the metadata loaded in the sd_device object, thus ensuring that
      the device once opened really matches the provided sd_device object.

    Changes in PID1, systemctl, and systemd-oomd:

    * A new set of service monitor environment variables will be passed to
      OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the
      handler unit as OnFailure=/OnSuccess=. The variables are:
      $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
      $MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single
      handler needs to watch multiple units, use a templated handler.

    * A new ExtensionDirectories= setting in service unit files allows
      system extensions to be loaded from a directory. (It is similar to
      ExtensionImages=, but takes paths to directories, instead of
      disk image files.)

      'portablectl attach --extension=' now also accepts directory paths.

    * The user.delegate and user.invocation_id extended attributes on
      cgroups are used in addition to trusted.delegate and
      trusted.invocation_id. The latter pair requires privileges to set,
      but the former doesn't and can be also set by the unprivileged user
      manager.

      (Only supported on kernels ≥5.6.)

    * Units that were killed by systemd-oomd will now have a service result
      of 'oom-kill'. The number of times a service was killed is tallied
      in the 'user.oomd_ooms' extended attribute.

      The OOMPolicy= unit file setting is now also honoured by
      systemd-oomd.

    * In unit files the new %y/%Y specifiers can be used to refer to
      normalized unit file path, which is particularly useful for symlinked
      unit files.

      The new %q specifier resolves to the pretty hostname
      (i.e. PRETTY_HOSTNAME= from /etc/machine-info).

      The new %d specifier resolves to the credentials directory of a
      service (same as $CREDENTIALS_DIRECTORY).

    * The RootDirectory=, MountAPIVFS=, ExtensionDirectories=,
      *Capabilities*=, ProtectHome=, *Directory=, TemporaryFileSystem=,
      PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=,
      PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=,
      ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
      MountFlags= service settings now also work in unprivileged user
      services, i.e. those run by the user's --user service manager, as long
      as user namespaces are enabled on the system.

    * Services with Restart=always and a failing ExecCondition= will no
      longer be restarted, to bring ExecCondition= behaviour in line with
      Condition*= settings.

    * LoadCredential= now accepts a directory as the argument; all files
      from the directory will be loaded as credentials.

    * A new D-Bus property ControlGroupId is now exposed on service units,
      that encapsulates the service's numeric cgroup ID that newer kernels
      assign to each cgroup.

    * PID 1 gained support for configuring the "pre-timeout" of watchdog
      devices and the associated governor, via the new
      RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration
      options in /etc/systemd/system.conf.

    * systemctl's --timestamp= option gained a new choice "unix", to show
      timestamp as unix times, i.e. seconds since 1970, Jan 1st.

    * A new "taint" flag named "old-kernel" is introduced which is set when
      the kernel systemd runs on is older than the current baseline version
      (see above). The flag is shown in "systemctl status" output.

    * Two additional taint flags "short-uid-range" and "short-gid-range"
      have been added as well, which are set when systemd notices it is run
      within a userns namespace that does not define the full 0…65535 UID
      range.

    * A new "unmerged-usr" taint flag has been added that is set whenever
      running on systems where /bin/ + /sbin/ are *not* symlinks to their
      counterparts in /usr/, i.e. on systems where the /usr/-merge has been
      completed.

    * Generators invoked by PID 1 will now have a couple of useful
      environment variables set describing the execution context a
      bit. $SYSTEMD_SCOPE encodes whether the generator is called from the
      system service manager, or from the per-user service
      manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked
      in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether
      systemd considers the current boot to be a "first"
      boot. $SYSTEMD_VIRTUALIZATION encodes whether virtualization is
      detected and which type of hypervisor/container
      manager. $SYSTEMD_ARCHITECTURE indicates which architecture the
      kernel is built for.

    * PID 1 will now automatically pick up system credentials from qemu's
      fw_cfg interface, thus allowing passing arbitrary data into VM
      systems similar to how this is already supported for passing them
      into `systemd-nspawn` containers. Credentials may now also be passed
      in via the new kernel command line option `systemd.set_credential=`
      (note that kernel command line options are world-readable during
      runtime, and only useful for credentials that require no
      confidentiality). The credentials that can be passed to unified
      kernels that use the `systemd-stub` UEFI stub are now similarly
      picked up automatically. Automatic importing of system credentials
      this way can be turned off via the new
      `systemd.import_credentials=no` kernel command line option.

    * LoadCredential= will now automatically look for credentials in the
      /etc/credstore/, /run/credstore/, /usr/lib/credstore/ directories if
      the argument is not an absolute path. Similarly,
      LoadCredentialEncrypted= will check the same directories plus
      /etc/credstore.encrypted/, /run/credstore.encrypted/ and
      /usr/lib/credstore.encrypted/. The idea is to use those directories
      as the system-wide location for credentials that services should pick
      up automatically.

    * System and service credentials are described in great detail in a new
      document:

      https://systemd.io/CREDENTIALS

    Changes in systemd-journald:

    * The journal JSON export format has been added to the list of stable
      interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/).

    * journalctl --list-boots now supports JSON output and the --reverse option.

    * Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and
      updated, BUILDING_IMAGES is new:

      https://systemd.io/JOURNAL_EXPORT_FORMATS
      https://systemd.io/BUILDING_IMAGES

    Changes in udev:

    * Two new hwdb files have been added. One lists "handhelds" (PDAs,
      calculators, etc.), the other AV production devices (DJ tables,
      keypads, etc.) that should be accessible to the seat owner user by
      default.

    * udevadm trigger gained a new --prioritized-subsystem= option to
      process certain subsystems (and all their parent devices) earlier.

      systemd-udev-trigger.service now uses this new option to trigger
      block and TPM devices first, hopefully making the boot a bit faster.

    * udevadm trigger now implements --type=all, --initialized-match,
      --initialized-nomatch to trigger both subsystems and devices, only
      already-initialized devices, and only devices which haven't been
      initialized yet, respectively.

    * udevadm gained a new "wait" command for safely waiting for a specific
      device to show up in the udev device database. This is useful in
      scripts that asynchronously allocate a block device (e.g. through
      repartitioning, or allocating a loopback device or similar) and need
      to synchronize on the creation to complete.

    * udevadm gained a new "lock" command for locking one or more block
      devices while formatting it or writing a partition table to it. It is
      an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and
      usable in scripts dealing with block devices.

    * udevadm info will show a couple of additional device fields in its
      output, and will now apply a limited set of coloring to line types.

    * udevadm info --tree will now show a tree of objects (i.e. devices and
      suchlike) in the /sys/ hierarchy.

    * Block devices will now get a new set of device symlinks in
      /dev/disk/by-diskseq/<nr>, which may be used to reference block
      device nodes via the kernel's "diskseq" value. Note that opening a
      device through such a symlink does not by itself guarantee that the
      opened device actually matches the specified diskseq value. To be
      safe against races, the actual diskseq value of the opened device
      (BLKGETDISKSEQ ioctl()) must still be compared with the one in the
      symlink path.

    * .link files gained support for setting MDI/MDI-X on a link.

    * .link files gained support for [Match] Firmware= setting to match on
      the device firmware description string. By mistake, it was previously
      only supported in .network files.

    * .link files gained support for [Link] SR-IOVVirtualFunctions= setting
      and [SR-IOV] section to configure SR-IOV virtual functions.

    Changes in systemd-networkd:

    * The default scope for unicast routes configured through [Route]
      section is changed to "link", to make the behavior consistent with
      "ip route" command. The manual configuration of [Route] Scope= is
      still honored.

    * A new unit systemd-networkd-wait-online@<interface>.service has been
      added that can be used to wait for a specific network interface to be
      up.

    * systemd-networkd gained a new [Bridge] Isolated=true|false setting
      that configures the eponymous kernel attribute on the bridge.

    * .netdev files now can be used to create virtual WLAN devices, and
      configure various settings on them, via the [WLAN] section.

    * .link/.network files gained support for [Match] Kind= setting to match
      on device kind ("bond", "bridge", "gre", "tun", "veth", etc.)

      This value is also shown by 'networkctl status'.

    * The Local= setting in .netdev files for various virtual network
      devices gained support for specifying, in addition to the network
      address, the name of a local interface which must have the specified
      address.

    * systemd-networkd gained a new [Tunnel] External= setting in .netdev
      files, to configure tunnels in external mode (a.k.a. collect metadata
      mode).

    * The [Network] L2TP= setting was removed. Please use the interface
      specifier in the Local= setting in the .netdev file of the
      corresponding L2TP interface instead.

    * New [DHCPServer] BootServerName=, BootServerAddress=, and
      BootFilename= settings can be used to configure the server address,
      server name, and file name sent in the DHCP packet (e.g. to configure
      PXE boot).

    Changes in systemd-resolved:

    * systemd-resolved is started earlier (in sysinit.target), so it is
      available earlier and will also be started in the initrd if installed
      there.

    Changes in disk encryption:

    * systemd-cryptenroll can now control whether to require the user to
      enter a PIN when using TPM-based unlocking of a volume via the new
      --tpm2-with-pin= option.

      Option tpm2-pin= can be used in /etc/crypttab.

    * When unlocking devices via TPM, TPM2 parameter encryption is now
      used, to ensure that communication between CPU and discrete TPM chips
      cannot be eavesdropped to acquire disk encryption keys.

    * A new switch --fido2-credential-algorithm= has been added to
      systemd-cryptenroll allowing selection of the credential algorithm to
      use when binding encryption to FIDO2 tokens.

    Changes in systemd-hostnamed:

    * HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info
      to override the values gleaned from the hwdb.

    * An ID_CHASSIS property can be set in the hwdb (for the DMI device
      /sys/class/dmi/id) to override the chassis that is reported by
      hostnamed.

    * hostnamed's D-Bus interface gained a new method GetHardwareSerial()
      for reading the hardware serial number, as reported by DMI. It also
      exposes a new D-Bus property FirmwareVersion that encodes the
      firmware version of the system.

    Changes in other components:

    * /etc/locale.conf is now populated through tmpfiles.d factory /etc/
      handling with the values that were configured during systemd build
      (if /etc/locale.conf has not been created through some other
      mechanism). This means that /etc/locale.conf should always have
      reasonable contents and we avoid a potential mismatch in defaults.

    * The userdbctl tool will now show UID range information as part of the
      list of known users.

    * A new build-time configuration setting default-user-shell= can be
      used to set the default shell for user records and nspawn shell
      invocations (instead of the default /bin/bash).

    * systemd-timesyncd now provides a D-Bus API for receiving NTP server
      information dynamically at runtime via IPC.

    * The systemd-creds tool gained a new "has-tpm2" verb, which reports
      whether a functioning TPM2 infrastructure is available, i.e. if
      firmware, kernel driver and systemd all have TPM2 support enabled and
      a device found.

    * The systemd-creds tool gained support for generating encrypted
      credentials that use an empty encryption key. While this provides
      neither integrity nor confidentiality, it is useful to implement code
      flows that work the same on TPM2-ful and TPM2-less systems. The
      service manager will only accept credentials "encrypted" that way if
      a TPM2 device cannot be detected, to ensure that credentials
      "encrypted" like that cannot be used to trick TPM2 systems.

    * When deciding whether to colorize output, all systemd programs now
      also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and
      $TERM).

    * Meson's new install_tag feature is now in use for several components,
      allowing only selected binaries to be built and installed: pam, nss,
      devel (pkg-config files), systemd-boot, libsystemd, libudev. Example:
       $ meson build systemd-boot
       $ meson install --tags systemd-boot --no-rebuild
      https://mesonbuild.com/Installing.html#installation-tags

    * A new build configuration option has been added, to allow selecting the
      default compression algorithm used by systemd-journald and systemd-coredump.
      This allows building in support for decompressing all supported formats
      while choosing a specific one for compression. E.g.:
       $ meson -Ddefault-compression=xz

    Experimental features:

    * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
      loader.conf that implements booting Microsoft Windows from the
      sd-boot in a way that first reboots the system, to reset the TPM
      PCRs. This improves compatibility with BitLocker's TPM use, as the
      PCRs will only record the Windows boot process, and not sd-boot
      itself, thus retaining the PCR measurements not involving sd-boot.
      Note that this feature is experimental for now, and is likely going
      to be generalized and renamed in a future release, without retaining
      compatibility with the current implementation.

    * A new systemd-sysupdate component has been added that automatically
      discovers, downloads, and installs A/B-style updates for the host
      installation itself, or container images, portable service images,
      and other assets. See the new systemd-sysupdate man page for details.

    Contributions from: 4piu, Adam Williamson, adrian5, Albert Brox,
    AlexCatze, Alex Henrie, Alfonso Sánchez-Beato, Alice S,
    Alvin Šipraga, amarjargal, Amarjargal, Andrea Pappacoda,
    Andreas Rammhold, Andy Chi, Anita Zhang, Antonio Alvarez Feijoo,
    Arfrever Frehtes Taifersar Arahesis, ash, Bastien Nocera, Be,
    bearhoney, Ben Efros, Benjamin Berg, Benjamin Franzke,
    Brett Holman, Christian Brauner, Clyde Byrd III, Curtis Klein,
    Daan De Meyer, Daniele Medri, Daniel Mack, Danilo Krummrich,
    David, David Bond, Davide Cavalca, David Tardon, davijosw,
    dependabot[bot], Donald Chan, Dorian Clay, Eduard Tolosa,
    Elias Probst, Eli Schwartz, Erik Sjölund, Evgeny Vereshchagin,
    Federico Ceratto, Franck Bui, Frantisek Sumsal, Gaël PORTAY,
    Georges Basile Stavracas Neto, Gibeom Gwon, Goffredo Baroncelli,
    Grigori Goronzy, Hans de Goede, Heiko Becker, Hugo Carvalho,
    Jakob Lell, James Hilliard, Jan Janssen, Jason A. Donenfeld,
    Joan Bruguera, Joerie de Gram, Josh Triplett, Julia Kartseva,
    Kazuo Moriwaka, Khem Raj, ksa678491784, Lance, Lan Tian,
    Laura Barcziova, Lennart Poettering, Leviticoh, licunlong,
    Lidong Zhong, lincoln auster, Lubomir Rintel, Luca Boccassi,
    Luca BRUNO, lucagoc, Ludwig Nussel, Marcel Hellwig, march1993,
    Marco Scardovi, Mario Limonciello, Mariusz Tkaczyk,
    Markus Weippert, Martin, Martin Liska, Martin Wilck, Matija Skala,
    Matthew Blythe, Matthias Lisin, Matthijs van Duin, Matt Walton,
    Max Gautier, Michael Biebl, Michael Olbrich, Michal Koutný,
    Michal Sekletár, Mike Gilbert, MkfsSion, Morten Linderud,
    Nick Rosbrook, Nikolai Grigoriev, Nikolai Kostrigin,
    Nishal Kulkarni, Noel Kuntze, Pablo Ceballos, Peter Hutterer,
    Peter Morrow, Pigmy-penguin, Piotr Drąg, prumian, Richard Neill,
    Rike-Benjamin Schuppner, rodin-ia, Romain Naour, Ruben Kerkhof,
    Ryan Hendrickson, Santa Wiryaman, Sebastian Pucilowski, Seth Falco,
    Simon Ellmann, Sonali Srivastava, Stefan Seering,
    Stephen Hemminger, tawefogo, techtino, Temuri Doghonadze,
    Thomas Batten, Thomas Haller, Thomas Weißschuh, Tobias Stoeckmann,
    Tomasz Pala, Tyson Whitehead, Vishal Chillara Srinivas,
    Vivien Didelot, w30023233, wangyuhang, Weblate, Xiaotian Wu,
    yangmingtai, YmrDtnJu, Yonathan Randolph, Yutsuten, Yu Watanabe,
    Zbigniew Jędrzejewski-Szmek, наб

    — Edinburgh, 2022-05-21
systemd - v251-rc3

Published by yuwata over 2 years ago

    Backwards-incompatible changes:

    * The minimum kernel version required has been bumped from 3.13 to 4.15,
      and CLOCK_BOOTTIME is now assumed to always exist.

    * C11 with GNU extensions (aka "gnu11") is now used to build our
      components. Public API headers are still restricted to ISO C89.

    * In v250, a systemd-networkd feature that automatically configures
      routes to addresses specified in AllowedIPs= was added and enabled by
      default. However, this causes network connectivity issues in many
      existing setups. Hence, it has been disabled by default since
      systemd-stable 250.3. The feature can still be used by explicitly
      configuring RouteTable= setting in .netdev files.

    * Jobs started via StartUnitWithFlags() will no longer return 'skipped'
      when a Condition*= check does not succeed, restoring the JobRemoved
      signal to the behaviour it had before v250.

    * The org.freedesktop.portable1 methods GetMetadataWithExtensions() and
      GetImageMetadataWithExtensions() have been fixed to provide an extra
      return parameter, containing the actual extension release metadata.
      The current implementation was judged to be broken and unusable, and
      thus the usual procedure of adding a new set of methods was skipped,
      and backward compatibility broken instead on the assumption that
      nobody can be affected given the current state of this interface.

    * All kernels supported by systemd mix RDRAND (or similar) into the
      entropy pool at early boot. This means that on those systems, even if
      /dev/urandom is not yet initialized, it still returns bytes that
      are at least as high quality as RDRAND. For that reason, we no longer
      have reason to invoke RDRAND from systemd itself, which has
      historically been a source of bugs. Furthermore, kernels ≥5.6 provide
      the getrandom(GRND_INSECURE) interface for returning random bytes
      before the entropy pool is initialized without warning into kmsg,
      which is what we attempt to use if available. systemd's direct usage
      of RDRAND has been removed. x86 systems ≥Broadwell that are running
      an older kernel may experience kmsg warnings that were not seen with
      250. For newer kernels, non-x86 systems, or older x86 systems, there
      should be no visible changes.
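      The fallback order described above, as an added example that is not
      systemd's own code: ask the kernel for GRND_INSECURE bytes first, and
      only on kernels that reject the flag (EINVAL) fall back to reading
      /dev/urandom, which is where the kmsg warning mentioned above can come
      from. The GRND_INSECURE fallback definition is the value from the
      kernel UAPI header, for libc headers that predate it; the function
      name fill_random_early is this example's own.

```c
/* Added example (not systemd code): non-blocking random bytes early in boot.
 * Preference: getrandom(GRND_INSECURE) (kernels >= 5.6, never blocks, never
 * warns), then plain /dev/urandom on older kernels. Bytes obtained this way
 * are fine for hash seeds or similar, not for cryptographic key material. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <unistd.h>

#ifndef GRND_INSECURE
#define GRND_INSECURE 0x0004   /* value from linux/random.h; older libc headers lack it */
#endif

/* Read exactly n bytes from fd, retrying short reads and EINTR. */
static int read_full(int fd, unsigned char *p, size_t n) {
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -errno;
        }
        if (r == 0)
            return -EIO;
        p += r;
        n -= (size_t) r;
    }
    return 0;
}

/* Fill buf with n random bytes. Returns 0 or a negative errno. If
 * used_insecure is non-NULL it is set to 1 when GRND_INSECURE succeeded. */
int fill_random_early(void *buf, size_t n, int *used_insecure) {
    unsigned char *p = buf;
    size_t left = n;

    if (used_insecure)
        *used_insecure = 0;

    /* Path 1: GRND_INSECURE. EINVAL (unknown flag) or ENOSYS (no syscall)
     * means an old kernel; anything else is a real error. */
    while (left > 0) {
        ssize_t r = getrandom(p, left, GRND_INSECURE);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            if (errno == EINVAL || errno == ENOSYS)
                break;
            return -errno;
        }
        p += r;
        left -= (size_t) r;
    }
    if (left == 0) {
        if (used_insecure)
            *used_insecure = 1;
        return 0;
    }

    /* Path 2: /dev/urandom never blocks either, but reading it before the
     * pool is initialized may log a warning to kmsg on older kernels. */
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return -errno;
    int rc = read_full(fd, p, left);
    close(fd);
    return rc;
}

int main(void) {
    unsigned char seed[16];
    int insecure_path = 0;
    int r = fill_random_early(seed, sizeof seed, &insecure_path);
    if (r < 0) {
        fprintf(stderr, "failed: %s\n", strerror(-r));
        return 1;
    }
    printf("%s:", insecure_path ? "getrandom(GRND_INSECURE)" : "/dev/urandom");
    for (size_t i = 0; i < sizeof seed; i++)
        printf(" %02x", seed[i]);
    putchar('\n');
    return 0;
}
```

      Running it on a current kernel prints the GRND_INSECURE label; on a
      kernel older than 5.6 the same binary silently takes the /dev/urandom
      path, which is the compatibility behaviour the release note promises.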

    * sd-boot will now measure the kernel command line into TPM PCR 12
      rather than PCR 8. This improves usefulness of the measurements on
      systems where sd-boot is chainloaded from Grub. Grub measures all
      commands it executes into PCR 8, which makes it very hard to use
      reasonably, hence we separate ourselves from that and use PCR 12
      instead, which is what certain Ubuntu editions already do. To retain
      compatibility with systems running older systemd versions a new meson
      option 'efi-tpm-pcr-compat' has been added (which defaults to false).
      If enabled, the measurement is done twice: into the new-style PCR 12
      *and* the old-style PCR 8. It's strongly advised to migrate all users
      to PCR 12 for this purpose in the long run, as we intend to remove
      this compatibility feature in two years' time.

    * busctl capture now writes output in the newer pcapng format instead
      of pcap.

    * A udev rule that imported hwdb matches for USB devices with
      lowercase hexadecimal vendor/product ID digits was added in systemd
      250. This has been reverted, since uppercase hexadecimal digits are
      supposed to be used, and we already had a rule with the appropriate
      match.

      Users might need to adjust their local hwdb entries.

    * arch_prctl(2) has been moved to the @default set in the syscall filters
      (as exposed via the SystemCallFilter= setting in service unit files).
      It is apparently used by the linker now.

    * The tmpfiles entries that create the /run/systemd/netif directory and
      its subdirectories were moved from tmpfiles.d/systemd.conf to
      tmpfiles.d/systemd-network.conf.

      Users might need to adjust their files that override tmpfiles.d/systemd.conf
      to account for this change.

    Changes in the Boot Loader Specification, kernel-install and sd-boot:

    * kernel-install's and bootctl's Boot Loader Specification Type #1
      entry generation logic has been reworked. The user may now pick
      explicitly by which "token" string to name the installation's boot
      entries, via the new /etc/kernel/entry-token file or the new
      --entry-token= switch to bootctl. By default — as before — the
      entries are named after the local machine ID. However, in "golden
      image" environments, where the machine ID shall be initialized on
      first boot (as opposed to at installation time before first boot) the
      machine ID will not be available at build time. In this case the
      --entry-token= switch to bootctl (or the /etc/kernel/entry-token
      file) may be used to override the "token" for the entries, for
      example the IMAGE_ID= or ID= fields from /etc/os-release. This will
      make the OS images independent of any machine ID, and ensure that the
      images will not carry any identifiable information before first boot,
      but on the other hand means that multiple parallel installations of
      the very same image on the same disk cannot be supported.

      Summary: if you are building golden images that shall acquire
      identity information exclusively on first boot, make sure to both
      remove /etc/machine-id *and* to write /etc/kernel/entry-token to the
      value of the IMAGE_ID= or ID= field of /etc/os-release or another
      suitable identifier before deploying the image.

    * The Boot Loader Specification has been extended with
      /loader/entries.srel file located in the EFI System Partition (ESP)
      that disambiguates the format of the entries in the /loader/entries/
      directory (in order to discern them from incompatible uses of this
      directory by other projects). For entries that follow the
      Specification, the string "type1" is stored in this file.

      bootctl will now write this file automatically when installing the
      systemd-boot boot loader.

    * kernel-install supports a new initrd_generator= setting in
      /etc/kernel/install.conf, that is exported as
      $KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This
      allows choosing different initrd generators.

    * kernel-install will now create a "staging area" (an initially-empty
      directory to gather files for a Boot Loader Specification Type #1
      entry). The path to this directory is exported as
      $KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should
      drop files there instead of writing them directly to the final
      location. kernel-install will move them when all files have been
      prepared successfully.

    * New option sort-key= has been added to the Boot Loader Specification
      to override the sorting order of the entries in the boot menu. It is
      read by sd-boot and bootctl, and will be written by kernel-install,
      with the default value of IMAGE_ID= or ID= fields from
      os-release. Together, this means that on multiboot installations,
      entries should be grouped and sorted in a predictable way.

    * The sort order of boot entries has been updated: entries which have
      the new field sort-key= are sorted by it first, and all entries
      without it are ordered later. After that, entries are sorted by
      version so that newest entries are towards the beginning of the list.

    * The kernel-install tool gained a new 'inspect' verb which shows the
      paths and other settings used.

    * sd-boot can now optionally beep when the menu is shown and menu
      entries are selected, which can be useful on machines without a
      working display. (Controllable via a loader.conf setting.)

    * The --make-machine-id-directory= switch to bootctl has been replaced
      by --make-entry-directory=, given that the entry directory is not
      necessarily named after the machine ID, but after some other suitable
      ID as selected via --entry-token= described above. The old name of
      the option is still understood to maximize compatibility.

    * 'bootctl list' gained support for a new --json= switch to output boot
      menu entries in JSON format.

    * 'bootctl is-installed' now supports the --graceful, and various verbs
      omit output with the new option --quiet.

    Changes in systemd-homed:

    * Starting with v250 systemd-homed uses UID/GID mapping on the mounts
      of activated home directories it manages (if the kernel and selected
      file systems support it). So far it mapped three UID ranges: the
      range from 0…60000, the user's own UID, and the range 60514…65534,
      leaving everything else unmapped (in other words, the 16-bit UID range
      is mapped almost fully, excluding only the UID subrange used for
      systemd-homed users, of which only the user's own UID is mapped).
      Unmapped UIDs may not be used for file ownership in the home
      directory — any chown() attempts with them will fail. With this
      release a fourth range is added to these mappings:
      524288…1879048191. This range is the UID range intended for container
      uses, see:

              https://systemd.io/UIDS-GIDS

      This range may be used for container managers that place container OS
      trees in the home directory (which is a questionable approach, for
      quota, permission, SUID handling and network file system
      compatibility reasons, but nonetheless apparently commonplace). Note
      that this range is mapped 1:1 in a pass-through fashion, i.e. the
      UID assignments from the range are not managed or mapped by
      `systemd-homed`, and must be managed with other mechanisms, in the
      context of the local system.

      Typically, a better approach to user namespacing in relevant
      container managers would be to leave container OS trees on disk at
      UID offset 0, but then map them to a dynamically allocated runtime
      UID range via another UID mount map at container invocation
      time. That way user namespace UID ranges become strictly a runtime
      concept, and do not leak into persistent file systems, persistent
      user databases or persistent configuration, thus greatly simplifying
      handling, and improving compatibility with home directories intended
      to be portable like the ones managed by systemd-homed.

    Changes in shared libraries:

    * A new libsystemd-core-<version>.so private shared library is
      installed under /usr/lib/systemd/system, mirroring the existing
      libsystemd-shared-<version>.so library. This allows the total
      installation size to be reduced by binary code reuse.

    * The <version> tag used in the name of libsystemd-shared.so and
      libsystemd-core.so can be configured via the meson option
      'shared-lib-tag'. Distributions may build subsequent versions of the
      systemd package with unique tags (e.g. the full package version),
      thus allowing multiple installations of those shared libraries to be
      available at the same time. This is intended to fix an issue where
      programs that link to those libraries would fail to execute because
      they were installed earlier or later than the appropriate version of
      the library.

    * The sd-id128 API gained a new call sd_id128_to_uuid_string() that is
      similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID
      format instead of a simple series of hex characters.

    * The sd-device API gained two new calls sd_device_new_from_devname()
      and sd_device_new_from_path() which permit allocating an sd_device
      object from a device node name or file system path.

    * sd-device also gained a new call sd_device_open() which will open the
      device node associated with a device for which an sd_device object
      has been allocated. The call is supposed to address races around
      device nodes being removed/recycled due to hotplug events, or media
      change events: the call checks internally whether the major/minor of
      the device node and the "diskseq" (in case of block devices) match
      with the metadata loaded in the sd_device object, thus ensuring that
      the device once opened really matches the provided sd_device object.

    Changes in PID1, systemctl, and systemd-oomd:

    * A new set of service monitor environment variables will be passed to
      OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the
      handler unit as OnFailure=/OnSuccess=. The variables are:
      $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
      $MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single
      handler needs to watch multiple units, use a templated handler.

    * A new ExtensionDirectories= setting in service unit files allows
      system extensions to be loaded from a directory. (It is similar to
      ExtensionImages=, but takes paths to directories, instead of
      disk image files.)

      'portablectl attach --extension=' now also accepts directory paths.

    * The user.delegate and user.invocation_id extended attributes on
      cgroups are used in addition to trusted.delegate and
      trusted.invocation_id. The latter pair requires privileges to set,
      but the former doesn't and can be also set by the unprivileged user
      manager.

      (Only supported on kernels ≥5.6.)

    * Units that were killed by systemd-oomd will now have a service result
      of 'oom-kill'. The number of times a service was killed is tallied
      in the 'user.oomd_ooms' extended attribute.

      The OOMPolicy= unit file setting is now also honoured by
      systemd-oomd.

    * In unit files the new %y/%Y specifiers can be used to refer to
      normalized unit file path, which is particularly useful for symlinked
      unit files.

      The new %q specifier resolves to the pretty hostname
      (i.e. PRETTY_HOSTNAME= from /etc/machine-info).

      The new %d specifier resolves to the credentials directory of a
      service (same as $CREDENTIALS_DIRECTORY).

    * The RootDirectory=, MountAPIVFS=, ExtensionDirectories=,
      *Capabilities*=, ProtectHome=, *Directory=, TemporaryFileSystem=,
      PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=,
      PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=,
      ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
      MountFlags= service settings now also work in unprivileged user
      services, i.e. those run by the user's --user service manager, as long
      as user namespaces are enabled on the system.

    * Services with Restart=always and a failing ExecCondition= will no
      longer be restarted, to bring ExecCondition= behaviour in line with
      Condition*= settings.

    * LoadCredential= now accepts a directory as the argument; all files
      from the directory will be loaded as credentials.

    * A new D-Bus property ControlGroupId is now exposed on service units,
      that encapsulates the service's numeric cgroup ID that newer kernels
      assign to each cgroup.

    * PID 1 gained support for configuring the "pre-timeout" of watchdog
      devices and the associated governor, via the new
      RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration
      options in /etc/systemd/system.conf.

    * systemctl's --timestamp= option gained a new choice "unix", to show
      timestamp as unix times, i.e. seconds since 1970, Jan 1st.

    * A new "taint" flag named "old-kernel" is introduced which is set when
      the kernel systemd runs on is older than the current baseline version
      (see above). The flag is shown in "systemctl status" output.

    * Two additional taint flags "short-uid-range" and "short-gid-range"
      have been added as well, which are set when systemd notices it is run
      within a user namespace that does not define the full 0…65535 UID
      range.

    * A new "unmerged-usr" taint flag has been added that is set whenever
      running on systems where /bin/ + /sbin/ are *not* symlinks to their
      counterparts in /usr/, i.e. on systems where the /usr/-merge has not
      been completed.

    * Generators invoked by PID 1 will now have a couple of useful
      environment variables set describing the execution context a
      bit. $SYSTEMD_SCOPE encodes whether the generator is called from the
      system service manager, or from the per-user service
      manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked
      in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether
      systemd considers the current boot to be a "first"
      boot. $SYSTEMD_VIRTUALIZATION encodes whether virtualization is
      detected and which type of hypervisor/container
      manager. $SYSTEMD_ARCHITECTURE indicates which architecture the
      kernel is built for.

    * PID 1 will now automatically pick up system credentials from qemu's
      fw_cfg interface, thus allowing passing arbitrary data into VM
      systems similar to how this is already supported for passing them
      into `systemd-nspawn` containers. Credentials may now also be passed
      in via the new kernel command line option `systemd.set_credential=`
      (note that kernel command line options are world-readable during
      runtime, and only useful for credentials that require no
      confidentiality). The credentials that can be passed to unified
      kernels that use the `systemd-stub` UEFI stub are now similarly
      picked up automatically. Automatic importing of system credentials
      this way can be turned off via the new
      `systemd.import_credentials=no` kernel command line option.

    * LoadCredential= will now automatically search for credentials to
      import in the /etc/credstore/, /run/credstore/, /usr/lib/credstore/
      directories if no source filename or a relative one is passed.
      Similarly, LoadCredentialEncrypted= will search in these same
      directories, plus /etc/credstore.encrypted/, /run/credstore.encrypted/
      and /usr/lib/credstore.encrypted/. The idea is that these directories
      are now the recommended system-wide location in which to place
      credentials for automatic pick-up by services.

    * System and service credentials are described in great detail in a new
      document:

      https://systemd.io/CREDENTIALS

    Changes in systemd-journald:

    * The journal JSON export format has been added to the list of stable
      interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/).

    * journalctl --list-boots now supports JSON output and the --reverse option.

    * Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and
      updated, BUILDING_IMAGES is new:

      https://systemd.io/JOURNAL_EXPORT_FORMATS
      https://systemd.io/BUILDING_IMAGES

    Changes in udev:

    * Two new hwdb files have been added. One lists "handhelds" (PDAs,
      calculators, etc.), the other AV production devices (DJ tables,
      keypads, etc.) that should be accessible to the seat owner user by
      default.

    * udevadm trigger gained a new --prioritized-subsystem= option to
      process certain subsystems (and all their parent devices) earlier.

      systemd-udev-trigger.service now uses this new option to trigger
      block and TPM devices first, hopefully making the boot a bit faster.

    * udevadm trigger now implements --type=all, --initialized-match,
      --initialized-nomatch to trigger both subsystems and devices, only
      already-initialized devices, and only devices which haven't been
      initialized yet, respectively.

    * udevadm gained a new "wait" command for safely waiting for a specific
      device to show up in the udev device database. This is useful in
      scripts that asynchronously allocate a block device (e.g. through
      repartitioning, or allocating a loopback device or similar) and need
      to synchronize on the creation to complete.

    * udevadm gained a new "lock" command for locking one or more block
      devices while formatting it or writing a partition table to it. It is
      an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and
      usable in scripts dealing with block devices.

    * udevadm info will show a couple of additional device fields in its
      output, and will now apply a limited set of coloring to line types.

    * udevadm info --tree will now show a tree of objects (i.e. devices and
      suchlike) in the /sys/ hierarchy.

    * Block devices will now get a new set of device symlinks in
      /dev/disk/by-diskseq/<nr>, which may be used to reference block
      device nodes via the kernel's "diskseq" value. Note that opening a
      device through such a symlink does not by itself guarantee that the
      opened device actually matches the specified diskseq value. To be
      safe against races, the actual diskseq value of the opened device
      (BLKGETDISKSEQ ioctl()) must still be compared with the one in the
      symlink path.
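      The race check called for in the /dev/disk/by-diskseq/ note above (the
      same note appears in both release entries on this page), and the idea
      behind sd_device_open() in the sd-device section, as an added example
      that is neither systemd's nor udev's code: open the symlink, ask the
      kernel for the diskseq of what was actually opened, and refuse to
      write if it differs from the number in the path. It then takes the
      exclusive flock() on the whole-disk node that
      https://systemd.io/BLOCK_DEVICE_LOCKING specifies and that "udevadm
      lock" provides to shell scripts. The BLKGETDISKSEQ fallback definition
      is the value from the kernel UAPI header for older headers; the
      function names are this example's own.

```c
/* Added example (not systemd/udev code): open a block device via its
 * /dev/disk/by-diskseq/<nr> symlink, verify the diskseq of the opened node
 * with BLKGETDISKSEQ, then take the BLOCK_DEVICE_LOCKING flock() before
 * touching the partition table. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/fs.h>

#ifndef BLKGETDISKSEQ
#define BLKGETDISKSEQ _IOR(0x12, 128, __u64)  /* linux/fs.h, Linux >= 5.15 */
#endif

/* Parse <nr> out of /dev/disk/by-diskseq/<nr>. Returns 0 or -EINVAL. */
int parse_diskseq_path(const char *path, uint64_t *ret) {
    static const char prefix[] = "/dev/disk/by-diskseq/";
    if (strncmp(path, prefix, strlen(prefix)) != 0)
        return -EINVAL;
    const char *nr = path + strlen(prefix);
    if (*nr == '\0' || *nr == '-' || *nr == '+' || strchr(nr, '/'))
        return -EINVAL;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(nr, &end, 10);
    if (errno != 0 || *end != '\0')
        return -EINVAL;
    *ret = (uint64_t) v;
    return 0;
}

/* Open the symlink and confirm the kernel agrees on the diskseq.
 * Returns an fd >= 0, -ENODEV if a different device now sits behind the
 * node (the symlink was re-pointed between our readlink and open), or
 * another negative errno (e.g. -ENOTTY on kernels without diskseq). */
int open_by_diskseq_checked(const char *path, int flags) {
    uint64_t expected, actual = 0;
    int r = parse_diskseq_path(path, &expected);
    if (r < 0)
        return r;

    int fd = open(path, flags | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return -errno;

    if (ioctl(fd, BLKGETDISKSEQ, &actual) < 0) {
        r = -errno;
        close(fd);
        return r;
    }
    if (actual != expected) {
        close(fd);
        return -ENODEV;   /* raced with removal/recreation: do not write */
    }
    return fd;
}

/* BLOCK_DEVICE_LOCKING: exclusive BSD lock on the whole-disk fd. udevd
 * defers probing the device while it is held, so a half-written partition
 * table is never observed. Returns 0 or -EWOULDBLOCK if already locked. */
int lock_block_device(int fd) {
    return flock(fd, LOCK_EX | LOCK_NB) < 0 ? -errno : 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s /dev/disk/by-diskseq/<nr>\n", argv[0]);
        return 1;
    }
    int fd = open_by_diskseq_checked(argv[1], O_RDWR);
    if (fd < 0) {
        fprintf(stderr, "open failed: %s\n", strerror(-fd));
        return 1;
    }
    int r = lock_block_device(fd);
    if (r < 0) {
        fprintf(stderr, "lock failed: %s\n", strerror(-r));
        close(fd);
        return 1;
    }
    printf("%s verified and locked; partition table may be written now\n", argv[1]);
    /* ... write the partition table here; close() releases the lock ... */
    close(fd);
    return 0;
}
```

      The lock is released automatically when the fd is closed, so a script
      that forks a partitioning tool should pass the locked fd down (or use
      "udevadm lock" as the wrapper) rather than re-opening the node.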

    * .link files gained support for setting MDI/MDI-X on a link.

    * .link files gained support for [Match] Firmware= setting to match on
      the device firmware description string. By mistake, it was previously
      only supported in .network files.

    * .link files gained support for [Link] SR-IOVVirtualFunctions= setting
      and [SR-IOV] section to configure SR-IOV virtual functions.

    Changes in systemd-networkd:

    * The default scope for unicast routes configured through [Route]
      section is changed to "link", to make the behavior consistent with
      "ip route" command. The manual configuration of [Route] Scope= is
      still honored.

    * A new unit systemd-networkd-wait-online@<interface>.service has been
      added that can be used to wait for a specific network interface to be
      up.

    * systemd-networkd gained a new [Bridge] Isolated=true|false setting
      that configures the eponymous kernel attribute on the bridge.

    * .netdev files now can be used to create virtual WLAN devices, and
      configure various settings on them, via the [WLAN] section.

    * .link/.network files gained support for [Match] Kind= setting to match
      on device kind ("bond", "bridge", "gre", "tun", "veth", etc.)

      This value is also shown by 'networkctl status'.

    * The Local= setting in .netdev files for various virtual network
      devices gained support for specifying, in addition to the network
      address, the name of a local interface which must have the specified
      address.

    * systemd-networkd gained a new [Tunnel] External= setting in .netdev
      files, to configure tunnels in external mode (a.k.a. collect metadata
      mode).

    * The [Network] L2TP= setting was removed. Please use the interface
      specifier in the Local= setting in the .netdev file of the
      corresponding L2TP interface.

    * New [DHCPServer] BootServerName=, BootServerAddress=, and
      BootFilename= settings can be used to configure the server address,
      server name, and file name sent in the DHCP packet (e.g. to configure
      PXE boot).

    Changes in systemd-resolved:

    * systemd-resolved is started earlier (in sysinit.target), so it is
      available earlier and will also be started in the initrd if installed
      there.

    Changes in disk encryption:

    * systemd-cryptenroll can now control whether to require the user to
      enter a PIN when using TPM-based unlocking of a volume via the new
      --tpm2-with-pin= option.

      Option tpm2-pin= can be used in /etc/crypttab.

    * When unlocking devices via TPM, TPM2 parameter encryption is now
      used, to ensure that communication between CPU and discrete TPM chips
      cannot be eavesdropped to acquire disk encryption keys.

    * A new switch --fido2-credential-algorithm= has been added to
      systemd-cryptenroll allowing selection of the credential algorithm to
      use when binding encryption to FIDO2 tokens.

    Changes in systemd-hostnamed:

    * HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info
      to override the values gleaned from the hwdb.

    * An ID_CHASSIS property can be set in the hwdb (for the DMI device
      /sys/class/dmi/id) to override the chassis that is reported by
      hostnamed.

    * hostnamed's D-Bus interface gained a new method GetHardwareSerial()
      for reading the hardware serial number, as reported by DMI. It also
      exposes a new D-Bus property FirmwareVersion that encodes the
      firmware version of the system.

    Changes in other components:

    * /etc/locale.conf is now populated through tmpfiles.d factory /etc/
      handling with the values that were configured during systemd build
      (if /etc/locale.conf has not been created through some other
      mechanism). This means that /etc/locale.conf should always have
      reasonable contents and we avoid a potential mismatch in defaults.

    * The userdbctl tool will now show UID range information as part of the
      list of known users.

    * A new build-time configuration setting default-user-shell= can be
      used to set the default shell for user records and nspawn shell
      invocations (instead of the default /bin/bash).

    * systemd-timesyncd now provides a D-Bus API for receiving NTP server
      information dynamically at runtime via IPC.

    * The systemd-creds tool gained a new "has-tpm2" verb, which reports
      whether a functioning TPM2 infrastructure is available, i.e. if
      firmware, kernel driver and systemd all have TPM2 support enabled and
      a device found.

    * The systemd-creds tool gained support for generating encrypted
      credentials that are using an empty encryption key. While this
      provides neither integrity nor confidentiality, it's useful to
      implement codeflows that work the same on TPM-ful and TPM2-less
      systems. The service manager will only accept credentials "encrypted"
      that way if a TPM2 device cannot be detected, to ensure that
      credentials "encrypted" like that cannot be used to trick TPM2
      systems.

    * When deciding whether to colorize output, all systemd programs now
      also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and
      $TERM).

    Experimental features:

    * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
      loader.conf that implements booting Microsoft Windows from the
      sd-boot in a way that first reboots the system, to reset the TPM
      PCRs. This improves compatibility with BitLocker's TPM use, as the
      PCRs will only record the Windows boot process, and not sd-boot
      itself, thus retaining the PCR measurements not involving sd-boot.
      Note that this feature is experimental for now, and is likely going
      to be generalized and renamed in a future release, without retaining
      compatibility with the current implementation.

    * A new systemd-sysupdate component has been added that automatically
      discovers, downloads, and installs A/B-style updates for the host
      installation itself, or container images, portable service images,
      and other assets. See the new systemd-sysupdate man page for details.

    Contributions from: 4piu, Adam Williamson, adrian5, Albert Brox,
    AlexCatze, Alex Henrie, Alfonso Sánchez-Beato, Alice S,
    Alvin Šipraga, amarjargal, Amarjargal, Andrea Pappacoda,
    Andreas Rammhold, Andy Chi, Anita Zhang, Antonio Alvarez Feijoo,
    Arfrever Frehtes Taifersar Arahesis, ash, Bastien Nocera, Be,
    bearhoney, Ben Efros, Benjamin Berg, Brett Holman,
    Christian Brauner, Clyde Byrd III, Curtis Klein, Daan De Meyer,
    Daniele Medri, Daniel Mack, Danilo Krummrich, David, David Bond,
    Davide Cavalca, David Tardon, davijosw, dependabot[bot],
    Donald Chan, Dorian Clay, Eduard Tolosa, Elias Probst,
    Erik Sjölund, Evgeny Vereshchagin, Federico Ceratto, Franck Bui,
    Frantisek Sumsal, Gaël PORTAY, Georges Basile Stavracas Neto,
    Gibeom Gwon, Goffredo Baroncelli, Grigori Goronzy, Hans de Goede,
    Heiko Becker, Hugo Carvalho, Jakob Lell, James Hilliard,
    Jan Janssen, Jason A. Donenfeld, Joan Bruguera, Joerie de Gram,
    Josh Triplett, Julia Kartseva, Kazuo Moriwaka, Khem Raj,
    ksa678491784, Lance, Lan Tian, Laura Barcziova, Lennart Poettering,
    Leviticoh, licunlong, Lidong Zhong, lincoln auster, Lubomir Rintel,
    Luca Boccassi, Luca BRUNO, lucagoc, Ludwig Nussel, Marcel Hellwig,
    march1993, Marco Scardovi, Mario Limonciello, Mariusz Tkaczyk,
    Markus Weippert, Martin Liska, Martin Wilck, Matija Skala,
    Matthew Blythe, Matthias Lisin, Matthijs van Duin, Matt Walton,
    Max Gautier, Michael Biebl, Michael Olbrich, Michal Koutný,
    Michal Sekletár, Mike Gilbert, MkfsSion, Morten Linderud,
    Nick Rosbrook, Nishal Kulkarni, Noel Kuntze, Peter Hutterer,
    Peter Morrow, Pigmy-penguin, prumian, Richard Neill,
    Rike-Benjamin Schuppner, rodin-ia, Romain Naour, Ruben Kerkhof,
    Ryan Hendrickson, Santa Wiryaman, Sebastian Pucilowski, Seth Falco,
    Simon Ellmann, Sonali Srivastava, Stefan Seering,
    Stephen Hemminger, tawefogo, techtino, Temuri Doghonadze,
    Thomas Batten, Thomas Haller, Thomas Weißschuh, Tobias Stoeckmann,
    Tyson Whitehead, Vishal Chillara Srinivas, Vivien Didelot,
    w30023233, wangyuhang, Weblate, Xiaotian Wu, yangmingtai, YmrDtnJu,
    Yonathan Randolph, Yutsuten, Yu Watanabe,
    Zbigniew Jędrzejewski-Szmek, наб
systemd -

Published by keszybz over 2 years ago

Backwards-incompatible changes:

  • The minimum kernel version required has been bumped from 3.13 to 4.15,
    and CLOCK_BOOTTIME is now assumed to always exist.

  • C11 with GNU extensions (aka "gnu11") is now used to build our
    components. Public API headers are still restricted to ISO C89.

  • In v250, a systemd-networkd feature that automatically configures
    routes to addresses specified in AllowedIPs= was added and enabled by
    default. However, this causes network connectivity issues in many
    existing setups. Hence, it has been disabled by default since
    systemd-stable 250.3. The feature can still be used by explicitly
    configuring RouteTable= setting in .netdev files.

  • Jobs started via StartUnitWithFlags() will no longer return 'skipped'
    when a Condition*= check does not succeed, restoring the JobRemoved
    signal to the behaviour it had before v250.

  • The org.freedesktop.portable1 methods GetMetadataWithExtensions() and
    GetImageMetadataWithExtensions() have been fixed to provide an extra
    return parameter, containing the actual extension release metadata.
    The current implementation was judged to be broken and unusable, and
    thus the usual procedure of adding a new set of methods was skipped,
    and backward compatibility broken instead on the assumption that
    nobody can be affected given the current state of this interface.

  • All kernels supported by systemd mix RDRAND (or similar) into the
    entropy pool at early boot. This means that on those systems, even if
    /dev/urandom is not yet initialized, it still returns bytes that
    are at least as high quality as RDRAND. For that reason, we no longer
    have reason to invoke RDRAND from systemd itself, which has
    historically been a source of bugs. Furthermore, kernels ≥5.6 provide
    the getrandom(GRND_INSECURE) interface for returning random bytes
    before the entropy pool is initialized without warning into kmsg,
    which is what we attempt to use if available. systemd's direct usage
    of RDRAND has been removed. x86 systems ≥Broadwell that are running
    an older kernel may experience kmsg warnings that were not seen with
    250. For newer kernels, non-x86 systems, or older x86 systems, there
    should be no visible changes.

  • sd-boot will now measure the kernel command line into TPM PCR 12
    rather than PCR 8. This improves usefulness of the measurements on
    systems where sd-boot is chainloaded from Grub. Grub measures all
    commands it executes into PCR 8, which makes it very hard to use
    reasonably, hence we separate ourselves from that and use PCR 12
    instead, which is what certain Ubuntu editions already do. To retain
    compatibility with systems running older systemd versions a new meson
    option 'efi-tpm-pcr-compat' has been added (which defaults to false).
    If enabled, the measurement is done twice: into the new-style PCR 12
    and the old-style PCR 8. It's strongly advised to migrate all users
    to PCR 12 for this purpose in the long run, as we intend to remove
    this compatibility feature in two years' time.

  • busctl capture now writes output in the newer pcapng format instead
    of pcap.

  • A udev rule that imported hwdb matches for USB devices with
    lowercase hexadecimal vendor/product ID digits was added in systemd
    250. This has been reverted, since uppercase hexadecimal digits are
    supposed to be used, and we already had a rule with the appropriate
    match.

    Users might need to adjust their local hwdb entries.

  • arch_prctl(2) has been moved to the @default set in the syscall filters
    (as exposed via the SystemCallFilter= setting in service unit files).
    It is apparently used by the linker now.

  • The tmpfiles entries that create the /run/systemd/netif directory and
    its subdirectories were moved from tmpfiles.d/systemd.conf to
    tmpfiles.d/systemd-network.conf.

    Users might need to adjust their files that override tmpfiles.d/systemd.conf
    to account for this change.

Changes in the Boot Loader Specification, kernel-install and sd-boot:

  • kernel-install's and bootctl's Boot Loader Specification Type #1
    entry generation logic has been reworked. The user may now pick
    explicitly by which "token" string to name the installation's boot
    entries, via the new /etc/kernel/entry-token file or the new
    --entry-token= switch to bootctl. By default — as before — the
    entries are named after the local machine ID. However, in "golden
    image" environments, where the machine ID shall be initialized on
    first boot (as opposed to at installation time before first boot) the
    machine ID will not be available at build time. In this case the
    --entry-token= switch to bootctl (or the /etc/kernel/entry-token
    file) may be used to override the "token" for the entries, for
    example the IMAGE_ID= or ID= fields from /etc/os-release. This will
    make the OS images independent of any machine ID, and ensure that the
    images will not carry any identifiable information before first boot,
    but on the other hand means that multiple parallel installations of
    the very same image on the same disk cannot be supported.

    Summary: if you are building golden images that shall acquire
    identity information exclusively on first boot, make sure to both
    remove /etc/machine-id and to write /etc/kernel/entry-token to the
    value of the IMAGE_ID= or ID= field of /etc/os-release or another
    suitable identifier before deploying the image.

  • The Boot Loader Specification has been extended with
    /loader/entries.srel file located in the EFI System Partition (ESP)
    that disambiguates the format of the entries in the /loader/entries/
    directory (in order to discern them from incompatible uses of this
    directory by other projects). For entries that follow the
    Specification, the string "type1" is stored in this file.

    bootctl will now write this file automatically when installing the
    systemd-boot boot loader.

  • kernel-install supports a new initrd_generator= setting in
    /etc/kernel/install.conf, that is exported as
    $KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This
    allows choosing different initrd generators.

  • kernel-install will now create a "staging area" (an initially-empty
    directory to gather files for a Boot Loader Specification Type #1
    entry). The path to this directory is exported as
    $KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should
    drop files there instead of writing them directly to the final
    location. kernel-install will move them when all files have been
    prepared successfully.

  • New option sort-key= has been added to the Boot Loader Specification
    to override the sorting order of the entries in the boot menu. It is
    read by sd-boot and bootctl, and will be written by kernel-install,
    with the default value of IMAGE_ID= or ID= fields from
    os-release. Together, this means that on multiboot installations,
    entries should be grouped and sorted in a predictable way.

  • The sort order of boot entries has been updated: entries which have
    the new field sort-key= are sorted by it first, and all entries
    without it are ordered later. After that, entries are sorted by
    version so that newest entries are towards the beginning of the list.

  • The kernel-install tool gained a new 'inspect' verb which shows the
    paths and other settings used.

  • sd-boot can now optionally beep when the menu is shown and menu
    entries are selected, which can be useful on machines without a
    working display. (Controllable via a loader.conf setting.)

  • The --make-machine-id-directory= switch to bootctl has been replaced
    by --make-entry-directory=, given that the entry directory is not
    necessarily named after the machine ID, but after some other suitable
    ID as selected via --entry-token= described above. The old name of
    the option is still understood to maximize compatibility.

  • 'bootctl list' gained support for a new --json= switch to output boot
    menu entries in JSON format.

  • 'bootctl is-installed' now supports the --graceful option, and various
    verbs omit output with the new --quiet option.

Changes in systemd-homed:

  • Starting with v250 systemd-homed uses UID/GID mapping on the mounts
    of activated home directories it manages (if the kernel and selected
    file systems support it). So far it mapped three UID ranges: the
    range from 0…60000, the user's own UID, and the range 60514…65534,
    leaving everything else unmapped (in other words, the 16bit UID range
    is mapped almost fully, with the exception of the UID subrange used
    for systemd-homed users, with one exception: the user's own UID).
    Unmapped UIDs may not be used for file ownership in the home
    directory — any chown() attempts with them will fail. With this
    release a fourth range is added to these mappings:
    524288…1879048191. This range is the UID range intended for container
    uses, see:

        https://systemd.io/UIDS-GIDS
    

    This range may be used for container managers that place container OS
    trees in the home directory (which is a questionable approach, for
    quota, permission, SUID handling and network file system
    compatibility reasons, but nonetheless apparently commonplace). Note
    that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
    UID assignments from the range are not managed or mapped by
    systemd-homed, and must be managed with other mechanisms, in the
    context of the local system.

    Typically, a better approach to user namespacing in relevant
    container managers would be to leave container OS trees on disk at
    UID offset 0, but then map them to a dynamically allocated runtime
    UID range via another UID mount map at container invocation
    time. That way user namespace UID ranges become strictly a runtime
    concept, and do not leak into persistent file systems, persistent
    user databases or persistent configuration, thus greatly simplifying
    handling, and improving compatibility with home directories intended
    to be portable like the ones managed by systemd-homed.

Changes in shared libraries:

  • A new libsystemd-core-.so private shared library is
    installed under /usr/lib/systemd/system, mirroring the existing
    libsystemd-shared-.so library. This allows the total
    installation size to be reduced by binary code reuse.

  • The tag used in the name of libsystemd-shared.so and
    libsystemd-core.so can be configured via the meson option
    'shared-lib-tag'. Distributions may build subsequent versions of the
    systemd package with unique tags (e.g. the full package version),
    thus allowing multiple installations of those shared libraries to be
    available at the same time. This is intended to fix an issue where
    programs that link to those libraries would fail to execute because
    they were installed earlier or later than the appropriate version of
    the library.

  • The sd-id128 API gained a new call sd_id128_to_uuid_string() that is
    similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID
    format instead of simple series of hex characters.

  • The sd-device API gained two new calls sd_device_new_from_devname()
    and sd_device_new_from_path() which permit allocating an sd_device
    object from a device node name or file system path.

  • sd-device also gained a new call sd_device_open() which will open the
    device node associated with a device for which an sd_device object
    has been allocated. The call is supposed to address races around
    device nodes being removed/recycled due to hotplug events, or media
    change events: the call checks internally whether the major/minor of
    the device node and the "diskseq" (in case of block devices) match
    with the metadata loaded in the sd_device object, thus ensuring that
    the device once opened really matches the provided sd_device object.

Changes in PID1, systemctl, and systemd-oomd:

  • A new set of service monitor environment variables will be passed to
    OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the
    handler unit as OnFailure=/OnSuccess=. The variables are:
    $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
    $MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single
    handler needs to watch multiple units, use a templated handler.

  • A new ExtensionDirectories= setting in service unit files allows
    system extensions to be loaded from a directory. (It is similar to
    ExtensionImages=, but takes paths to directories, instead of
    disk image files.)

    'portablectl attach --extension=' now also accepts directory paths.

  • The user.delegate and user.invocation_id extended attributes on
    cgroups are used in addition to trusted.delegate and
    trusted.invocation_id. The latter pair requires privileges to set,
    but the former doesn't and can be also set by the unprivileged user
    manager.

    (Only supported on kernels ≥5.6.)

  • Units that were killed by systemd-oomd will now have a service result
    of 'oom-kill'. The number of times a service was killed is tallied
    in the 'user.oomd_ooms' extended attribute.

    The OOMPolicy= unit file setting is now also honoured by
    systemd-oomd.

  • In unit files the new %y/%Y specifiers can be used to refer to
    normalized unit file path, which is particularly useful for symlinked
    unit files.

    The new %q specifier resolves to the pretty hostname
    (i.e. PRETTY_HOSTNAME= from /etc/machine-info).

    The new %d specifier resolves to the credentials directory of a
    service (same as $CREDENTIALS_DIRECTORY).

  • The RootDirectory=, MountAPIVFS=, ExtensionDirectories=,
    Capabilities=, ProtectHome=, *Directory=, TemporaryFileSystem=,
    PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=,
    PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=,
    ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
    MountFlags= service settings now also work in unprivileged user
    services, i.e. those run by the user's --user service manager, as long
    as user namespaces are enabled on the system.

  • Services with Restart=always and a failing ExecCondition= will no
    longer be restarted, to bring ExecCondition= behaviour in line with
    Condition*= settings.

  • LoadCredential= now accepts a directory as the argument; all files
    from the directory will be loaded as credentials.

  • A new D-Bus property ControlGroupId is now exposed on service units,
    that encapsulates the service's numeric cgroup ID that newer kernels
    assign to each cgroup.

  • PID 1 gained support for configuring the "pre-timeout" of watchdog
    devices and the associated governor, via the new
    RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration
    options in /etc/systemd/system.conf.

  • systemctl's --timestamp= option gained a new choice "unix", to show
    timestamp as unix times, i.e. seconds since 1970, Jan 1st.

  • A new "taint" flag named "old-kernel" is introduced which is set when
    the kernel systemd runs on is older than the current baseline version
    (see above). The flag is shown in "systemctl status" output.

  • Two additional taint flags "short-uid-range" and "short-gid-range"
    have been added as well, which are set when systemd notices it is run
    within a userns namespace that does not define the full 0…65535 UID
    range.

  • A new "unmerged-usr" taint flag has been added that is set whenever
    running on systems where /bin/ + /sbin/ are not symlinks to their
    counterparts in /usr/, i.e. on systems where the /usr/-merge has not
    been completed.

  • Generators invoked by PID 1 will now have a couple of useful
    environment variables set describing the execution context a
    bit. $SYSTEMD_SCOPE encodes whether the generator is called from the
    system service manager, or from the per-user service
    manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked
    in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether
    systemd considers the current boot to be a "first"
    boot. $SYSTEMD_VIRTUALIZATION encodes whether virtualization is
    detected and which type of hypervisor/container
    manager. $SYSTEMD_ARCHITECTURE indicates which architecture the
    kernel is built for.

  • PID 1 will now automatically pick up system credentials from qemu's
    fw_cfg interface, thus allowing passing arbitrary data into VM
    systems similar to how this is already supported for passing them
    into systemd-nspawn containers. Credentials may now also be passed
    in via the new kernel command line option systemd.set_credential=
    (note that kernel command line options are world-readable during
    runtime, and only useful for credentials that require no
    confidentiality). The credentials that can be passed to unified
    kernels that use the systemd-stub UEFI stub are now similarly
    picked up automatically. Automatic importing of system credentials
    this way can be turned off via the new
    systemd.import_credentials=no kernel command line option.

  • LoadCredential= will now automatically search for credentials to
    import in the /etc/credstore/, /run/credstore/, /usr/lib/credstore/
    directories if no or a relative source filename is passed. Similarly,
    LoadCredentialEncrypted= will search in these same directories, plus
    /etc/credstore.encrypted/, /run/credstore.encrypted/ and
    /usr/lib/credstore.encrypted/. The idea is that these directories are
    now the recommended system-wide location to place credentials for
    automatic pick-up by services in.

  • System and service credentials are described in great detail in a new
    document:

    https://systemd.io/CREDENTIALS
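The items above describe how credentials reach a service: through LoadCredential= (now searching the credstore directories), fw_cfg, systemd.set_credential=, or the UEFI stub, and how the service finds them via $CREDENTIALS_DIRECTORY (the same directory the new %d specifier resolves to). The service-side consumer is not shown on this page; the following C program is an added example, not systemd's or any project's code. It reads one credential by name from a credentials directory, rejects names that are not a single path component (so a name can never escape the directory), refuses symlinks and non-regular files, and never logs the secret itself. The function names, the -ESTALE/-EBADFD/-ENOBUFS error codes, the 255-byte name limit and the constructed "db-password" sample are this example's own choices; systemd's own validation rules are not restated here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A credential name must be a single path component: non-empty, no '/',
 * not "." or "..", and of bounded length (limit chosen for this example). */
int credential_name_is_valid(const char *name) {
    if (!name || name[0] == '\0')
        return 0;
    if (strchr(name, '/'))
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (strlen(name) > 255)
        return 0;
    return 1;
}

/* Read credential `name` from directory `dir` into buf. Returns the number
 * of bytes read or a negative errno: -EINVAL for a bad name, -ELOOP if the
 * entry is a symlink (O_NOFOLLOW), -EBADFD if it is not a regular file,
 * -ENOBUFS if it does not fit. Credentials may be binary: use the returned
 * length, not a NUL terminator (one is added only if there is room). */
ssize_t read_credential_from(const char *dir, const char *name, void *buf, size_t size) {
    if (!dir || !credential_name_is_valid(name))
        return -EINVAL;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -errno;
    int fd = openat(dfd, name, O_RDONLY | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY);
    int saved = errno;
    close(dfd);
    if (fd < 0)
        return -saved;
    struct stat st;
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); return -e; }
    if (!S_ISREG(st.st_mode)) { close(fd); return -EBADFD; }
    if ((uint64_t) st.st_size > size) { close(fd); return -ENOBUFS; }
    size_t total = 0;
    while (total < size) {
        ssize_t n = read(fd, (char *) buf + total, size - total);
        if (n < 0) { if (errno == EINTR) continue; int e = errno; close(fd); return -e; }
        if (n == 0)
            break;
        total += (size_t) n;
    }
    close(fd);
    if (total < size)
        ((char *) buf)[total] = '\0';
    return (ssize_t) total;
}

/* What a service calls: honours $CREDENTIALS_DIRECTORY, i.e. the directory
 * the %d unit specifier resolves to. -ENXIO means no credentials were passed. */
ssize_t read_service_credential(const char *name, void *buf, size_t size) {
    const char *dir = getenv("CREDENTIALS_DIRECTORY");
    if (!dir)
        return -ENXIO;
    return read_credential_from(dir, name, buf, size);
}

/* Self-contained demonstration on a constructed credentials directory: a
 * sample credential, a traversal attempt, a planted symlink and a missing
 * name. Returns 0 on success, otherwise the number of the failed step. */
int demo(void) {
    char dir[] = "/tmp/credstore-demo.XXXXXX";
    if (!mkdtemp(dir))
        return 1;
    char path[300], link[300], buf[64];
    snprintf(path, sizeof path, "%s/db-password", dir);
    snprintf(link, sizeof link, "%s/escape", dir);
    FILE *f = fopen(path, "w");
    if (!f)
        return 2;
    fputs("hunter2", f);   /* constructed sample secret */
    fclose(f);
    if (symlink("db-password", link) < 0)
        return 3;
    int rc = 0;
    ssize_t n = read_credential_from(dir, "db-password", buf, sizeof buf);
    if (n != 7 || memcmp(buf, "hunter2", 7) != 0)
        rc = 4;
    else if (read_credential_from(dir, "../passwd", buf, sizeof buf) != -EINVAL)
        rc = 5;
    else if (read_credential_from(dir, "escape", buf, sizeof buf) != -ELOOP)
        rc = 6;
    else if (read_credential_from(dir, "missing", buf, sizeof buf) != -ENOENT)
        rc = 7;
    unlink(path);
    unlink(link);
    rmdir(dir);
    return rc;
}

int main(void) {
    char buf[256];
    ssize_t n = read_service_credential("db-password", buf, sizeof buf);
    if (n < 0) {
        fprintf(stderr, "db-password: %s; running offline demo\n", strerror((int) -n));
        return demo();
    }
    printf("read %zd bytes of credential db-password\n", n); /* never print the value */
    return 0;
}
```

Started under a unit with LoadCredential=db-password (or with the file placed in one of the credstore directories listed above), the program reads the credential from $CREDENTIALS_DIRECTORY; run directly it exercises the constructed directory instead. The name check is what keeps a credential name that is derived from configuration or input from being turned into a path.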

Changes in systemd-journald:

Changes in udev:

  • Two new hwdb files have been added. One lists "handhelds" (PDAs,
    calculators, etc.), the other AV production devices (DJ tables,
    keypads, etc.) that should be accessible to the seat owner user by
    default.

  • udevadm trigger gained a new --prioritized-subsystem= option to
    process certain subsystems (and all their parent devices) earlier.

    systemd-udev-trigger.service now uses this new option to trigger
    block and TPM devices first, hopefully making the boot a bit faster.

  • udevadm trigger now implements --type=all, --initialized-match,
    --initialized-nomatch to trigger both subsystems and devices, only
    already-initialized devices, and only devices which haven't been
    initialized yet, respectively.

  • udevadm gained a new "wait" command for safely waiting for a specific
    device to show up in the udev device database. This is useful in
    scripts that asynchronously allocate a block device (e.g. through
    repartitioning, or allocating a loopback device or similar) and need
    to synchronize on the creation to complete.

  • udevadm gained a new "lock" command for locking one or more block
    devices while formatting it or writing a partition table to it. It is
    an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and
    usable in scripts dealing with block devices.

  • udevadm info will show a couple of additional device fields in its
    output, and will now apply a limited set of coloring to line types.

  • udevadm info --tree will now show a tree of objects (i.e. devices and
    suchlike) in the /sys/ hierarchy.

  • Block devices will now get a new set of device symlinks in
    /dev/disk/by-diskseq/, which may be used to reference block
    device nodes via the kernel's "diskseq" value. Note that this does
    not guarantee that opening a device by a symlink like this will
    guarantee that the opened device actually matches the specified
    diskseq value. To be safe against races, the actual diskseq value of
    the opened device (BLKGETDISKSEQ ioctl()) must still be compared with
    the one in the symlink path.
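The check the item above calls for (and that sd_device_open(), under "Changes in shared libraries", performs internally for sd-device users), together with the BSD lock that udevadm lock takes per https://systemd.io/BLOCK_DEVICE_LOCKING, as an added C example. This is not systemd's or udev's own code. It assumes UAPI headers that define BLKGETDISKSEQ (Linux 5.15 and later, with a fallback definition mirroring the kernel's), and the function names and the choice of -ESTALE for a diskseq mismatch are this example's own. The same example serves the identical item in the release listed earlier on this page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <linux/fs.h>

/* BLKGETDISKSEQ is in <linux/fs.h> since the Linux 5.15 UAPI headers; the
 * fallback mirrors the kernel definition for older headers. */
#ifndef BLKGETDISKSEQ
#define BLKGETDISKSEQ _IOR(0x12, 128, uint64_t)
#endif

/* Extract the expected diskseq from a /dev/disk/by-diskseq/<nr> path.
 * Returns 0 and stores the number, or -EINVAL if the last path component
 * is not a plain unsigned decimal number. */
int diskseq_from_path(const char *path, uint64_t *ret) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (*base < '0' || *base > '9')   /* also rejects "", "-1", "+1" */
        return -EINVAL;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(base, &end, 10);
    if (errno != 0 || *end != '\0')
        return -EINVAL;
    *ret = (uint64_t) v;
    return 0;
}

/* Open a block device through its by-diskseq symlink and verify, on the fd
 * actually opened, that the kernel's diskseq equals the number in the path.
 * The symlink may have been pointed at a recycled device node between
 * resolution and open; the ioctl is what closes that race. Returns the fd,
 * or a negative errno (-EINVAL bad path, -ENOTBLK not a block device,
 * -ESTALE diskseq mismatch). */
int open_block_device_by_diskseq(const char *symlink_path, int flags) {
    uint64_t expected, actual;
    int r = diskseq_from_path(symlink_path, &expected);
    if (r < 0)
        return r;
    int fd = open(symlink_path, flags | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return -errno;
    struct stat st;
    if (fstat(fd, &st) < 0) { r = -errno; close(fd); return r; }
    if (!S_ISBLK(st.st_mode)) { close(fd); return -ENOTBLK; }
    if (ioctl(fd, BLKGETDISKSEQ, &actual) < 0) { r = -errno; close(fd); return r; }
    if (actual != expected) { close(fd); return -ESTALE; }
    return fd;
}

/* Take the exclusive BSD lock used by the BLOCK_DEVICE_LOCKING scheme, so
 * udev (and other cooperating tools) leave the device alone while it is
 * being formatted or repartitioned. The scheme keys on the whole disk, so
 * the fd must refer to the whole-disk node, not a partition. The lock is
 * released when the fd is closed. Returns 0 or -errno. */
int lock_block_device(int fd) {
    if (flock(fd, LOCK_EX) < 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s /dev/disk/by-diskseq/<nr>\n", argv[0]);
        return 1;
    }
    int fd = open_block_device_by_diskseq(argv[1], O_RDONLY);
    if (fd < 0) {
        fprintf(stderr, "%s: %s\n", argv[1], strerror(-fd));
        return 1;
    }
    int r = lock_block_device(fd);
    if (r < 0) {
        fprintf(stderr, "flock: %s\n", strerror(-r));
        close(fd);
        return 1;
    }
    printf("%s: diskseq verified, whole-disk lock held\n", argv[1]);
    /* ... format / write partition table here, while the lock is held ... */
    close(fd);
    return 0;
}
```

Open with O_RDONLY when only the lock is needed; a later O_RDWR reopen of the verified node is what the formatting step would use. A script that cannot link this in can wrap its formatting command in udevadm lock, which takes the same whole-disk lock.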

  • .link files gained support for setting MDI/MDI-X on a link.

  • .link files gained support for [Match] Firmware= setting to match on
    the device firmware description string. By mistake, it was previously
    only supported in .network files.

  • .link files gained support for [Link] SR-IOVVirtualFunctions= setting
    and [SR-IOV] section to configure SR-IOV virtual functions.

Changes in systemd-networkd:

  • The default scope for unicast routes configured through [Route]
    section is changed to "link", to make the behavior consistent with
    "ip route" command. The manual configuration of [Route] Scope= is
    still honored.

  • A new unit systemd-networkd-wait-online@.service has been
    added that can be used to wait for a specific network interface to be
    up.

  • systemd-networkd gained a new [Bridge] Isolated=true|false setting
    that configures the eponymous kernel attribute on the bridge.

  • .netdev files now can be used to create virtual WLAN devices, and
    configure various settings on them, via the [WLAN] section.

  • .link/.network files gained support for [Match] Kind= setting to match
    on device kind ("bond", "bridge", "gre", "tun", "veth", etc.)

    This value is also shown by 'networkctl status'.

  • The Local= setting in .netdev files for various virtual network
    devices gained support for specifying, in addition to the network
    address, the name of a local interface which must have the specified
    address.

  • systemd-networkd gained a new [Tunnel] External= setting in .netdev
    files, to configure tunnels in external mode (a.k.a. collect metadata
    mode).

  • The [Network] L2TP= setting was removed. Please use the interface
    specifier in the Local= setting in the .netdev file of the
    corresponding L2TP interface.

  • New [DHCPServer] BootServerName=, BootServerAddress=, and
    BootFilename= settings can be used to configure the server address,
    server name, and file name sent in the DHCP packet (e.g. to configure
    PXE boot).

Changes in systemd-resolved:

  • systemd-resolved is started earlier (in sysinit.target), so it is
    available earlier and will also be started in the initrd if installed
    there.

Changes in disk encryption:

  • systemd-cryptenroll can now control whether to require the user to
    enter a PIN when using TPM-based unlocking of a volume via the new
    --tpm2-with-pin= option.

    Option tpm2-pin= can be used in /etc/crypttab.

  • When unlocking devices via TPM, TPM2 parameter encryption is now
    used, to ensure that communication between CPU and discrete TPM chips
    cannot be eavesdropped to acquire disk encryption keys.

  • A new switch --fido2-credential-algorithm= has been added to
    systemd-cryptenroll allowing selection of the credential algorithm to
    use when binding encryption to FIDO2 tokens.

Changes in systemd-hostnamed:

  • HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info
    to override the values gleaned from the hwdb.

  • An ID_CHASSIS property can be set in the hwdb (for the DMI device
    /sys/class/dmi/id) to override the chassis that is reported by
    hostnamed.

  • hostnamed's D-Bus interface gained a new method GetHardwareSerial()
    for reading the hardware serial number, as reported by DMI. It also
    exposes a new D-Bus property FirmwareVersion that encodes the
    firmware version of the system.

Changes in other components:

  • /etc/locale.conf is now populated through tmpfiles.d factory /etc/
    handling with the values that were configured during systemd build
    (if /etc/locale.conf has not been created through some other
    mechanism). This means that /etc/locale.conf should always have
    reasonable contents and we avoid a potential mismatch in defaults.

  • The userdbctl tool will now show UID range information as part of the
    list of known users.

  • A new build-time configuration setting default-user-shell= can be
    used to set the default shell for user records and nspawn shell
    invocations (instead of the default /bin/bash).

  • systemd-timesyncd now provides a D-Bus API for receiving NTP server
    information dynamically at runtime via IPC.

  • The systemd-creds tool gained a new "has-tpm2" verb, which reports
    whether a functioning TPM2 infrastructure is available, i.e. if
    firmware, kernel driver and systemd all have TPM2 support enabled and
    a device found.

  • The systemd-creds tool gained support for generating encrypted
    credentials that use an empty encryption key. While this provides
    neither integrity nor confidentiality, it's useful to implement code
    flows that work the same on TPM2-equipped and TPM2-less systems. The
    service manager will only accept credentials "encrypted" that way if
    a TPM2 device cannot be detected, to ensure that credentials
    "encrypted" like that cannot be used to trick TPM2 systems.

  • When deciding whether to colorize output, all systemd programs now
    also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and
    $TERM).

Experimental features:

  • sd-boot gained a new experimental setting "reboot-for-bitlocker" in
    loader.conf that implements booting Microsoft Windows from the
    sd-boot in a way that first reboots the system, to reset the TPM
    PCRs. This improves compatibility with BitLocker's TPM use, as the
    PCRs will only record the Windows boot process, and not sd-boot
    itself, thus retaining the PCR measurements not involving sd-boot.
    Note that this feature is experimental for now, and is likely going
    to be generalized and renamed in a future release, without retaining
    compatibility with the current implementation.

  • A new systemd-sysupdate component has been added that automatically
    discovers, downloads, and installs A/B-style updates for the host
    installation itself, or container images, portable service images,
    and other assets. See the new systemd-sysupdate man page for updates.

systemd -

Published by keszybz over 2 years ago

Backwards-incompatible changes:

  • The minimum kernel version required has been bumped from 3.13 to 3.15,
    and CLOCK_BOOTTIME is now assumed to always exist.

  • C11 with GNU extensions (aka "gnu11") is now used to build our
    components. Public API headers are still restricted to ISO C89.

  • In v250, a systemd-networkd feature that automatically configures
    routes to addresses specified in AllowedIPs= was added and enabled by
    default. However, this causes network connectivity issues in many
    existing setups. Hence, it has been disabled by default since
    systemd-stable 250.3. The feature can still be used by explicitly
    configuring RouteTable= setting in .netdev files.

  • Jobs started via StartUnitWithFlags() will no longer return 'skipped'
    when a Condition*= check does not succeed, restoring the JobRemoved
    signal to the behaviour it had before v250.

  • The org.freedesktop.portable1 methods GetMetadataWithExtensions() and
    GetImageMetadataWithExtensions() have been fixed to provide an extra
    return parameter, containing the actual extension release metadata.
    The current implementation was judged to be broken and unusable, and
    thus the usual procedure of adding a new set of methods was skipped,
    and backward compatibility broken instead on the assumption that
    nobody can be affected given the current state of this interface.

  • All kernels supported by systemd mix RDRAND (or similar) into the
    entropy pool at early boot. This means that on those systems, even if
    /dev/urandom is not yet initialized, it still returns bytes that
    are at least as high quality as RDRAND. For that reason, we no longer
    have reason to invoke RDRAND from systemd itself, which has
    historically been a source of bugs. Furthermore, kernels ≥5.6 provide
    the getrandom(GRND_INSECURE) interface for returning random bytes
    before the entropy pool is initialized without warning into kmsg,
    which is what we attempt to use if available. systemd's direct usage
    of RDRAND has been removed. x86 systems ≥Broadwell that are running
    an older kernel may experience kmsg warnings that were not seen with
    250. For newer kernels, non-x86 systems, or older x86 systems, there
    should be no visible changes.

  • sd-boot will now measure the kernel command line into TPM PCR 12
    rather than PCR 8. This improves usefulness of the measurements on
    systems where sd-boot is chainloaded from Grub. Grub measures all
    commands it executes into PCR 8, which makes it very hard to use
    reasonably, hence separate ourselves from that and use PCR 12
    instead, which is what certain Ubuntu editions already do. To retain
    compatibility with systems running older systemd systems a new meson
    option 'efi-tpm-pcr-compat' has been added (which defaults to false).
    If enabled, the measurement is done twice: into the new-style PCR 12
    and the old-style PCR 8. It's strongly advised to migrate all users
    to PCR 12 for this purpose in the long run, as we intend to remove
    this compatibility feature in two years' time.

  • busctl capture now writes output in the newer pcapng format instead
    of pcap.

  • A udev rule that imported hwdb matches for USB devices with
    lowercase hexadecimal vendor/product ID digits was added in systemd
    250. This has been reverted, since uppercase hexadecimal digits are
    supposed to be used, and we already had a rule with the appropriate
    match.

    Users might need to adjust their local hwdb entries.

  • arch_prctl(2) has been moved to the @default set in the syscall filters
    (as exposed via the SystemCallFilter= setting in service unit files).
    It is apparently used by the linker now.

Changes in the Boot Loader Specification, kernel-install and sd-boot:

  • kernel-install's and bootctl's Boot Loader Specification Type #1
    entry generation logic has been reworked. The user may now pick
    explicitly by which "token" string to name the installation's boot
    entries, via the new /etc/kernel/entry-token file or the new
    --entry-token= switch to bootctl. By default — as before — the
    entries are named after the local machine ID. However, in "golden
    image" environments, where the machine ID shall be initialized on
    first boot (as opposed to at installation time before first boot) the
    machine ID will not be available at build time. In this case the
    --entry-token= switch to bootctl (or the /etc/kernel/entry-token
    file) may be used to override the "token" for the entries, for
    example the IMAGE_ID= or ID= fields from /etc/os-release. This will
    make the OS images independent of any machine ID, and ensure that the
    images will not carry any identifiable information before first boot,
    but on the other hand means that multiple parallel installations of
    the very same image on the same disk cannot be supported.

    Summary: if you are building golden images that shall acquire
    identity information exclusively on first boot, make sure to both
    remove /etc/machine-id and to write /etc/kernel/entry-token to the
    value of the IMAGE_ID= or ID= field of /etc/os-release or another
    suitable identifier before deploying the image.

  • The Boot Loader Specification has been extended with
    /loader/entries.srel file located in the EFI System Partition (ESP)
    that disambiguates the format of the entries in the /loader/entries/
    directory (in order to discern them from incompatible uses of this
    directory by other projects). For entries that follow the
    Specification, the string "type1" is stored in this file.

    bootctl will now write this file automatically when installing the
    systemd-boot boot loader.

  • kernel-install supports a new initrd_generator= setting in
    /etc/kernel/install.conf, that is exported as
    $KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This
    allows choosing different initrd generators.

  • kernel-install will now create a "staging area" (an initially-empty
    directory to gather files for a Boot Loader Specification Type #1
    entry). The path to this directory is exported as
    $KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should
    drop files there instead of writing them directly to the final
    location. kernel-install will move them when all files have been
    prepared successfully.

  • New option sort-key= has been added to the Boot Loader Specification
    to override the sorting order of the entries in the boot menu. It is
    read by sd-boot and bootctl, and will be written by kernel-install,
    with the default value of IMAGE_ID= or ID= fields from
    os-release. Together, this means that on multiboot installations,
    entries should be grouped and sorted in a predictable way.

  • The sort order of boot entries has been updated: entries which have
    the new field sort-key= are sorted by it first, and all entries
    without it are ordered later. After that, entries are sorted by
    version so that newest entries are towards the beginning of the list.
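The entry ordering described in the two bullets above, together with the golden-image entry-token rule from the kernel-install bullet earlier in this section, as an added Python example (not sd-boot, bootctl or kernel-install code): the entry files and os-release text are constructed, and the version comparison is a simplified split into numeric and text runs, not the exact algorithm sd-boot implements.

```python
"""Boot Loader Specification Type #1 entry ordering and entry-token choice.
Added example (not sd-boot, bootctl or kernel-install code); all entry
files and the os-release text below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Entry:
    name: str                       # file name under /loader/entries/, sans .conf
    title: str = ""
    version: str = ""
    sort_key: Optional[str] = None  # the new sort-key= field; None if absent
    options: List[str] = field(default_factory=list)


def parse_entry(name: str, text: str) -> Entry:
    """Read the 'key value' lines of one entry file; '#' lines are comments."""
    entry = Entry(name=name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "title":
            entry.title = value
        elif key == "version":
            entry.version = value
        elif key == "sort-key":
            entry.sort_key = value
        elif key == "options":
            entry.options.append(value)
    return entry


def version_parts(version: str) -> list:
    """Split '5.17.3-300.fc36' into alternating text and integer runs so that
    digit runs compare numerically (11 > 3) while separators compare as text.
    Simplification (assumption): not the exact comparison sd-boot implements."""
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", version)]


def order_entries(entries: List[Entry]) -> List[Entry]:
    """Order as the notes describe: entries with sort-key= first, grouped and
    ordered by that key; entries without it afterwards; within each group the
    newest version first. Both sorts are stable, so the version order from the
    first pass survives the second."""
    newest_first = sorted(entries, key=lambda e: version_parts(e.version), reverse=True)
    return sorted(newest_first, key=lambda e: (e.sort_key is None, e.sort_key or ""))


def menu_order(entry_files: Dict[str, str]) -> List[str]:
    """Entry names in the order the boot menu would list them."""
    entries = [parse_entry(name, text) for name, text in entry_files.items()]
    return [e.name for e in order_entries(entries)]


def entry_token_from_os_release(text: str) -> str:
    """Golden-image rule from the notes: name entries after IMAGE_ID= if set,
    otherwise after ID=, so the image carries no machine ID before first boot."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    token = values.get("IMAGE_ID") or values.get("ID")
    if not token:
        raise ValueError("os-release defines neither IMAGE_ID= nor ID=")
    return token


# Constructed sample entry files (keys: file names without the .conf suffix).
SAMPLE_ENTRIES = {
    "fedora-5.17.3": "title Fedora Linux\nversion 5.17.3-300.fc36\nsort-key fedora\n"
                     "linux /fedora/5.17.3-300.fc36/linux\noptions root=/dev/sda2 ro\n",
    "fedora-5.17.11": "title Fedora Linux\nversion 5.17.11-300.fc36\nsort-key fedora\n"
                      "linux /fedora/5.17.11-300.fc36/linux\n",
    "debian-5.10": "title Debian\nversion 5.10.0-13\nsort-key debian\nlinux /debian/vmlinuz\n",
    "old-5.4": "# legacy entry written before sort-key= existed\ntitle Old install\n"
               "version 5.4\nlinux /old/vmlinuz\n",
    "old-4.19": "title Older install\nversion 4.19\nlinux /older/vmlinuz\n",
}

# Constructed os-release of a golden image.
SAMPLE_OS_RELEASE = 'NAME="Fedora Linux"\nID=fedora\nVERSION_ID=36\nIMAGE_ID=fedora-edge-golden\n'

if __name__ == "__main__":
    for name in menu_order(SAMPLE_ENTRIES):
        print(name)
    print("entry token:", entry_token_from_os_release(SAMPLE_OS_RELEASE))
```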

  • The kernel-install tool gained a new 'inspect' verb which shows the
    paths and other settings used.

  • sd-boot can now optionally beep when the menu is shown and menu
    entries are selected, which can be useful on machines without a
    working display. (Controllable via a loader.conf setting.)

  • The --make-machine-id-directory= switch to bootctl has been replaced
    by --make-entry-directory=, given that the entry directory is not
    necessarily named after the machine ID, but after some other suitable
    ID as selected via --entry-token= described above. The old name of
    the option is still understood to maximize compatibility.

  • 'bootctl list' gained support for a new --json= switch to output boot
    menu entries in JSON format.

Changes in systemd-homed:

  • Starting with v250 systemd-homed uses UID/GID mapping on the mounts
    of activated home directories it manages (if the kernel and selected
    file systems support it). So far it mapped three UID ranges: the
    range from 0…60000, the user's own UID, and the range 60514…65534,
    leaving everything else unmapped (in other words, the 16-bit UID range
    is mapped almost fully, except for the UID subrange used for
    systemd-homed users, of which only the user's own UID is mapped).
    Unmapped UIDs may not be used for file ownership in the home
    directory — any chown() attempts with them will fail. With this
    release a fourth range is added to these mappings:
    524288…1879048191. This range is the UID range intended for container
    uses, see https://systemd.io/UIDS-GIDS.

    This range may be used for container managers that place container OS
    trees in the home directory (which is a questionable approach, for
    quota, permission, SUID handling and network file system
    compatibility reasons, but nonetheless apparently commonplace). Note
    that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
    UID assignments from the range are not managed or mapped by
    systemd-homed, and must be managed with other mechanisms, in the
    context of the local system.

    Typically, a better approach to user namespacing in relevant
    container managers would be to leave container OS trees on disk at
    UID offset 0, but then map them to a dynamically allocated runtime
    UID range via another UID mount map at container invocation
    time. That way user namespace UID ranges become strictly a runtime
    concept, and do not leak into persistent file systems, persistent
    user databases or persistent configuration, thus greatly simplifying
    handling, and improving compatibility with home directories intended
    to be portable like the ones managed by systemd-homed.

Changes in shared libraries:

  • A new libsystemd-core-<version>.so private shared library is
    installed under /usr/lib/systemd/system, mirroring the existing
    libsystemd-shared-<version>.so library. This allows the total
    installation size to be reduced by binary code reuse.

  • The tag used in the name of libsystemd-shared.so and
    libsystemd-core.so can be configured via the meson option
    'shared-lib-tag'. Distributions may build subsequent versions of the
    systemd package with unique tags (e.g. the full package version),
    thus allowing multiple installations of those shared libraries to be
    available at the same time. This is intended to fix an issue where
    programs that link to those libraries would fail to execute because
    they were installed earlier or later than the appropriate version of
    the library.

  • The sd-id128 API gained a new call sd_id128_to_uuid_string() that is
    similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID
    format instead of simple series of hex characters.

Changes in PID1, systemctl, and systemd-oomd:

  • A new set of service monitor environment variables will be passed to
    OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the
    handler unit as OnFailure=/OnSuccess=. The variables are:
    $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
    $MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single
    handler needs to watch multiple units, use a templated handler.
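A handler for the monitor variables described above, as an added Python example (not systemd's code): the template name failure-handler@.service, the OnFailure=failure-handler@%n.service reference and the severity mapping are assumptions, and the unit snippets in the docstring are constructed.

```python
"""OnFailure= handler that turns the $MONITOR_* variables PID 1 passes into
one structured alert line. Added example, not systemd code. Hypothetical
(assumed) unit names: the handler template is failure-handler@.service and
each watched unit references it as OnFailure=failure-handler@%n.service, so
exactly one unit lists each handler instance and the variables are set.

# /etc/systemd/system/failure-handler@.service   (constructed, hypothetical)
# [Service]
# Type=oneshot
# ExecStart=/usr/local/bin/failure-handler.py %i
#
# in each watched unit:
# [Unit]
# OnFailure=failure-handler@%n.service
"""
import json
import os
import sys
from typing import Mapping

# $MONITOR_SERVICE_RESULT values and how urgently to treat them (assumed
# mapping). 'oom-kill' is the result recorded when systemd-oomd killed the unit.
SEVERITY = {
    "oom-kill": "high",
    "signal": "high",
    "core-dump": "high",
    "watchdog": "medium",
    "timeout": "medium",
    "exit-code": "medium",
    "start-limit-hit": "low",
    "resources": "low",
    "protocol": "low",
}


def build_alert(env: Mapping[str, str], instance: str) -> dict:
    """Assemble the alert. `instance` is the template instance (%i), i.e. the
    unit name the handler was started for; it is the fallback when the
    $MONITOR_* variables are missing, which happens when more than one unit
    lists the same handler."""
    present = "MONITOR_UNIT" in env
    result = env.get("MONITOR_SERVICE_RESULT", "unknown")
    return {
        "unit": env.get("MONITOR_UNIT") or instance,
        "result": result,
        "severity": SEVERITY.get(result, "medium"),
        # how the main process ended, and its exit status or signal name
        "exit_code": env.get("MONITOR_EXIT_CODE"),
        "exit_status": env.get("MONITOR_EXIT_STATUS"),
        "invocation_id": env.get("MONITOR_INVOCATION_ID"),
        "monitor_vars_present": present,
    }


def journal_query(alert: dict) -> str:
    """journalctl invocation that isolates exactly the failed run: by
    invocation ID when PID 1 supplied one, otherwise by unit name."""
    inv = alert.get("invocation_id")
    if inv:
        return f"journalctl _SYSTEMD_INVOCATION_ID={inv}"
    return f"journalctl -u {alert['unit']}"


def main(argv: list) -> int:
    instance = argv[1] if len(argv) > 1 else "unknown"
    alert = build_alert(os.environ, instance)
    alert["journal"] = journal_query(alert)
    # One JSON object per line, so the journal entry is easy to ship onward.
    print(json.dumps(alert, sort_keys=True))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```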

  • A new ExtensionDirectories= setting in service unit files allows
    system extensions to be loaded from a directory. (It is similar to
    ExtensionImages=, but takes paths to directories, instead of
    disk image files.)

    'portablectl attach --extension=' now also accepts directory paths.

  • The user.delegate and user.invocation_id extended attributes on
    cgroups are used in addition to trusted.delegate and
    trusted.invocation_id. The latter pair requires privileges to set,
    but the former doesn't and can also be set by the unprivileged user
    manager.

    (Only supported on kernels ≥5.6.)

  • Units that were killed by systemd-oomd will now have a service result
    of 'oom-kill'. The number of times a service was killed is tallied
    in the 'user.oomd_ooms' extended attribute.

    The OOMPolicy= unit file setting is now also honoured by
    systemd-oomd.

  • In unit files the new %y/%Y specifiers can be used to refer to the
    normalized unit file path, which is particularly useful for symlinked
    unit files.

    The new %R specifier resolves to the pretty hostname
    (i.e. PRETTY_HOSTNAME= from /etc/machine-info).

    The new %d specifier resolves to the credentials directory of a
    service (same as $CREDENTIALS_DIRECTORY).

  • The RootDirectory=, MountAPIVFS=, ExtensionDirectories=,
    Capabilities=, ProtectHome=, *Directory=, TemporaryFileSystem=,
    PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=,
    PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=,
    ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
    MountFlags= service settings now also work in unprivileged user
    services, i.e. those run by the user's --user service manager, as long
    as user namespaces are enabled on the system.

  • Services with Restart=always and a failing ExecCondition= will no
    longer be restarted, to bring ExecCondition= behaviour in line with
    Condition*= settings.

  • LoadCredential= now accepts a directory as the argument; all files
    from the directory will be loaded as credentials.

  • A new D-Bus property ControlGroupId is now exposed on service units,
    that encapsulates the service's numeric cgroup ID that newer kernels
    assign to each cgroup.

  • PID 1 gained support for configuring the "pre-timeout" of watchdog
    devices and the associated governor, via the new
    RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration
    options in /etc/systemd/system.conf.

  • systemctl's --timestamp= option gained a new choice "unix", to show
    timestamps as Unix time, i.e. seconds since Jan 1st, 1970.

  • 'systemctl enable' and similar commands will now create relative
    symlinks in .wants/ and .requires/ and for aliases. Most of the time
    systemd itself doesn't care, but absolute symlinks were causing wrong
    behaviour in case of aliases to linked unit files. The change was
    necessary to fix this aspect. Absolute links are interpreted as
    before, and it is still possible to create them via other means.

Changes in systemd-journald:

Changes in udev:

  • Two new hwdb files have been added. One lists "handhelds" (PDAs,
    calculators, etc.), the other AV production devices (DJ tables,
    keypads, etc.) that should be accessible to the seat owner user by
    default.

  • udevadm trigger gained a new --prioritized-subsystem= option to
    process certain subsystems (and all their parent devices) earlier.

    systemd-udev-trigger.service now uses this new option to trigger
    block and TPM devices first, hopefully making the boot a bit faster.

  • udevadm trigger now implements --type=all, --initialized-match,
    --initialized-nomatch to trigger both subsystems and devices, only
    already-initialized devices, and only devices which haven't been
    initialized yet, respectively.

  • .link files gained support for setting MDI/MDI-X on a link.

  • .link files gained support for [Match] Firmware= setting to match on
    the device firmware description string. By mistake, it was previously
    only supported in .network files.

  • .link files gained support for [Link] SR-IOVVirtualFunctions= setting
    and [SR-IOV] section to configure SR-IOV virtual functions.

Changes in systemd-networkd:

  • The default scope for unicast routes configured through [Route]
    section is changed to "link", to make the behavior consistent with
    "ip route" command. The manual configuration of [Route] Scope= is
    still honored.

  • A new unit systemd-networkd-wait-online@.service has been
    added that can be used to wait for a specific network interface to be
    up.

  • systemd-networkd gained a new [Bridge] Isolated=true|false setting
    that configures the eponymous kernel attribute on the bridge.

  • .netdev files now can be used to create virtual WLAN devices, and
    configure various settings on them, via the [WLAN] section.

  • .link/.network files gained support for [Match] Kind= setting to match
    on device kind ("bond", "bridge", "gre", "tun", "veth", etc.)

    This value is also shown by 'networkctl status'.

  • The Local= setting in .netdev files for various virtual network
    devices gained support for specifying, in addition to the network
    address, the name of a local interface which must have the specified
    address.

  • systemd-networkd gained a new [Tunnel] External= setting in .netdev
    files, to configure tunnels in external mode (a.k.a. collect metadata
    mode).

  • The [Network] L2TP= setting was removed. Please use the interface
    specifier in the Local= setting in the .netdev file of the
    corresponding L2TP interface instead.

  • New [DHCPServer] BootServerName=, BootServerAddress=, and
    BootFilename= settings can be used to configure the server address,
    server name, and file name sent in the DHCP packet (e.g. to configure
    PXE boot).

Changes in systemd-resolved:

  • systemd-resolved is started earlier (in sysinit.target), so it is
    available earlier and will also be started in the initrd if installed
    there.

Changes in disk encryption:

  • systemd-cryptenroll can now control whether to require the user to
    enter a PIN when using TPM-based unlocking of a volume via the new
    --tpm2-with-pin= option.

    Option tpm2-pin= can be used in /etc/crypttab.

  • When unlocking devices via TPM, TPM2 parameter encryption is now
    used, to ensure that communication between CPU and discrete TPM chips
    cannot be eavesdropped to acquire disk encryption keys.

Changes in systemd-hostnamed:

  • HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info
    to override the values gleaned from the hwdb.

  • An ID_CHASSIS property can be set in the hwdb (for the DMI device
    /sys/class/dmi/id) to override the chassis that is reported by
    hostnamed.

  • hostnamed's D-Bus interface gained a new method GetHardwareSerial()
    for reading the hardware serial number, as reported by DMI.

Changes in other components:

  • /etc/locale.conf is now populated through tmpfiles.d factory /etc/
    handling with the values that were configured during systemd build
    (if /etc/locale.conf has not been created through some other
    mechanism). This means that /etc/locale.conf should always have
    reasonable contents and we avoid a potential mismatch in defaults.

  • The userdbctl tool will now show UID range information as part of the
    list of known users.

  • A new build-time configuration setting default-user-shell= can be
    used to set the default shell for user records and nspawn shell
    invocations (instead of the default /bin/bash).

Experimental features:

  • sd-boot gained a new experimental setting "reboot-for-bitlocker" in
    loader.conf that implements booting Microsoft Windows from the
    sd-boot in a way that first reboots the system, to reset the TPM
    PCRs. This improves compatibility with BitLocker's TPM use, as the
    PCRs will only record the Windows boot process, and not sd-boot
    itself, thus retaining the PCR measurements not involving sd-boot.
    Note that this feature is experimental for now, and is likely going
    to be generalized and renamed in a future release, without retaining
    compatibility with the current implementation.

  • A new systemd-sysupdate component has been added that automatically
    discovers, downloads, and installs A/B-style updates for the host
    installation itself, or container images, portable service images,
    and other assets. See the new systemd-sysupdate man page for updates.

systemd - systemd v250

Published by keszybz almost 3 years ago

CHANGES WITH 250:

    * Support for encrypted and authenticated credentials has been added.
      This extends the credential logic introduced with v247 to support
      non-interactive symmetric encryption and authentication, based on a
      key that is stored on the /var/ file system or in the TPM2 chip (if
      available), or the combination of both (by default if a TPM2 chip
      exists the combination is used, otherwise the /var/ key only). The
      credentials are automatically decrypted at the moment a service is
      started, and are made accessible to the service itself in unencrypted
      form. A new tool 'systemd-creds' encrypts credentials for this
      purpose, and two new service file settings LoadCredentialEncrypted=
      and SetCredentialEncrypted= configure such credentials.

      This feature is useful to store sensitive material such as SSL
      certificates, passwords and similar securely at rest and only decrypt
      them when needed, and in a way that is tied to the local OS
      installation or hardware.

    * systemd-gpt-auto-generator can now automatically set up discoverable
      LUKS2 encrypted swap partitions.

    * The GPT Discoverable Partitions Specification has been substantially
      extended with support for root and /usr/ partitions for the majority
      of architectures systemd supports. This includes platforms that do
      not natively support UEFI, because even though GPT is specified under
      UEFI umbrella, it is useful on other systems too. Specifically,
      systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
      Portable Services use the concept without requiring UEFI.

    * The GPT Discoverable Partitions Specification has been extended with
      a new set of partitions that may carry PKCS#7 signatures for Verity
      partitions, encoded in a simple JSON format. This implements a simple
      mechanism for building disk images that are fully authenticated and
      can be tested against a set of cryptographic certificates. This is
      now implemented for the various systemd tools that can operate with
      disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
      Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers.
      The PKCS#7 signatures are passed to the kernel (where they are
      checked against certificates from the kernel keyring), or can be
      verified against certificates provided in userspace (via a simple
      drop-in file mechanism).

    * systemd-dissect's inspection logic will now report for which uses a
      disk image is intended. Specifically, it will display whether an
      image is suitable for booting on UEFI or in a container (using
      systemd-nspawn's --image= switch), whether it can be used as portable
      service, or attached as system extension.

    * The system-extension.d/ drop-in files now support a new field
      SYSEXT_SCOPE= that may encode which purpose a system extension image
      is for: one of "initrd", "system" or "portable". This is useful to
      make images more self-descriptive, and to ensure system extensions
      cannot be attached in the wrong contexts.

    * The os-release file learnt a new PORTABLE_PREFIXES= field which may
      be used in portable service images to indicate which unit prefixes
      are supported.

    * The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
      now is able to decode images for non-native architectures as well.
      This allows systemd-nspawn to boot images of non-native architectures
      if the corresponding user mode emulator is installed and
      systemd-binfmtd is running.

    * systemd-logind gained new settings HandlePowerKeyLongPress=,
      HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
      HandleHibernateKeyLongPress= which may be used to configure actions
      when the relevant keys are pressed for more than 5s. This is useful
      on devices that only have hardware for a subset of these keys. By
      default, if the reboot key is pressed long the poweroff operation is
      now triggered, and when the suspend key is pressed long the hibernate
      operation is triggered. Long pressing the other two keys currently
      does not trigger any operation by default.

    * When showing unit status updates on the console during boot and
      shutdown, and a service is slow to start so that the cylon animation
      is shown, the most recent sd_notify() STATUS= text is now shown as
      well. Services may use this to make the boot/shutdown output easier
      to understand, and to indicate what precisely a service that is slow
      to start or stop is waiting for. In particular, the per-user service
      manager instance now reports what it is doing and which service it is
      waiting for this way to the system service manager.

    * The service manager will now re-execute on reception of the
      SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
      only when running as PID 1. There was no signal to request this when
      running as per-user service manager, i.e. as any other PID than 1.
      SIGRTMIN+25 works for both system and user managers.

    * The hardware watchdog logic in PID 1 gained support for operating
      with the default timeout configured in the hardware, instead of
      insisting on re-configuring it. Set RuntimeWatchdogSec=default to
      request this behavior.

    * A new kernel command line option systemd.watchdog_sec= is now
      understood which may be used to override the hardware watchdog
      time-out for the boot.

    * A new setting DefaultOOMScoreAdjust= is now supported in
      /etc/systemd/system.conf + /etc/systemd/user.conf that may be used to
      set the default process OOM score adjustment value for processes
      forked off the service manager. For per-user service managers this
      now defaults to 100, but for per-system service managers is left as
      is. This means that by default now services forked off the user
      service manager are more likely to be killed by the OOM killer than
      system services or the managers themselves.

    * A new per-service setting RestrictFileSystems= has been added that
      restricts the file systems a service has access to by their type.
      This is based on the new BPF LSM of the Linux kernel. It provides an
      effective way to make certain API file systems unavailable to
      services (and thus minimizing attack surface). A new command
      "systemd-analyze filesystems" has been added that lists all known
      file system types (and how they are grouped together under useful
      group handles).

    * Services now support a new setting RestrictNetworkInterfaces= for
      restricting access to specific network interfaces.

    * Service unit files gained new settings StartupAllowedCPUs= and
      StartupAllowedMemoryNodes=. These are similar to their counterparts
      without the "Startup" prefix and apply during the boot process
      only. This is useful to improve boot-time behavior of the system and
      assign resources differently during boot than during regular
      runtime. This is similar to the preexisting StartupCPUWeight=
      vs. CPUWeight=.

    * Related to this: the various StartupXYZ= settings
      (i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied
      during shutdown. The settings not prefixed with "Startup" hence apply
      during regular runtime, and those that are prefixed like that apply
      during boot and shutdown.

    * A new per-unit set of conditions/asserts
      [Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a
      unit skip/fail activation if the system's (or a slice's) memory/cpu/io
      pressure is above the configured threshold, using the kernel PSI
      feature. For more details see systemd.unit(5) and
      https://www.kernel.org/doc/html/latest/accounting/psi.html

    * The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
      ProtectKernelLogs=yes can now be used.

    * The default maximum numbers of inodes have been raised from 64k to 1M
      for /dev, and from 400k to 1M for /tmp.

    * The per-user service manager learnt support for communicating with
      systemd-oomd to acquire OOM kill information.

    * A new service setting ExecSearchPath= has been added that allows
      changing the search path for executables for services. It affects
      where we look for the binaries specified in ExecStart= and similar,
      and the specified directories are also added to the $PATH environment
      variable passed to invoked processes.

    * A new setting RuntimeRandomizedExtraSec= has been added for service
      and scope units that allows extending the runtime time-out as
      configured by RuntimeMaxSec= with a randomized amount.

    * The syntax of the service unit settings RuntimeDirectory=,
      StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
      if the specified value is now suffixed with a colon, followed by
      another filename, the latter will be created as symbolic link to the
      specified directory. This allows creating these service directories
      together with alias symlinks to make them available under multiple
      names.

    * Service unit files gained two new settings TTYRows=/TTYColumns= for
      configuring rows/columns of the TTY device passed to
      stdin/stdout/stderr of the service. This is useful to propagate TTY
      dimensions to a virtual machine.

    * A new service unit file setting ExitType= has been added that
      specifies when to assume a service has exited. By default systemd
      only watches the main process of a service. By setting
      ExitType=cgroup it can be told to wait for the last process in a
      cgroup instead.
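      As an added illustration of the new service settings listed above
      (a constructed example, not a unit shipped by systemd; the unit name,
      directories and the "worker" binary are placeholders), one unit file
      combining ExecSearchPath=, the "dir:alias" form of RuntimeDirectory=,
      RuntimeRandomizedExtraSec= and ExitType=cgroup:

```ini
# /etc/systemd/system/example-worker.service (constructed example)
[Unit]
Description=Example worker using the v250 service settings

[Service]
# Search these directories for the ExecStart= binary; they are also
# prepended to the $PATH seen by the started processes.
ExecSearchPath=/opt/example/bin:/usr/libexec/example
# Resolved through ExecSearchPath=, so no absolute path is needed here.
ExecStart=worker --serve
# Creates /run/example-worker and the alias symlink
# /run/example-worker-alias -> example-worker ("dir:alias" syntax).
RuntimeDirectory=example-worker:example-worker-alias
# Hard runtime limit of one hour, plus up to five minutes of random extra
# time so that a fleet of identical instances does not all stop at once.
RuntimeMaxSec=1h
RuntimeRandomizedExtraSec=5min
# Treat the service as exited only once the last process in its cgroup is
# gone, rather than when the main process exits.
ExitType=cgroup

[Install]
WantedBy=multi-user.target
```

      The alias symlink is removed together with the directory when the
      service stops, and ExitType=cgroup is the setting to reach for when
      the main process hands off to helpers that must finish before the
      unit is considered done.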

    * Automount unit files gained a new setting ExtraOptions= that can be
      used to configure additional mount options to pass to the kernel when
      mounting the autofs instance.

    * "Urlification" (generation of ESC sequences that generate clickable
      hyperlinks in modern terminals) may now be turned off altogether
      during build-time.

    * Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec=
      settings that default to 200 and 2 s respectively. The ratelimit
      ensures that a path unit cannot cause PID 1 to busy-loop when it is
      trying to trigger a service that is skipped because of a Condition*=
      not being satisfied. This matches the configuration and behaviour of
      socket units.
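      The skipped-service scenario described above, as an added example
      constructed for this page (unit names, paths and the ingest binary are
      placeholders): the path unit keeps firing while the inbox is
      non-empty, the service is skipped because its Condition*= fails, and
      the trigger limit is what keeps PID 1 from spinning.

```ini
# example-ingest.path (constructed example)
[Unit]
Description=Watch the inbox and trigger processing

[Path]
# Trigger example-ingest.service whenever the inbox is non-empty.
DirectoryNotEmpty=/var/spool/example/inbox
# The defaults, written out explicitly: at most 200 triggers within any
# 2 s window. Once the limit is hit, the path unit is stopped and marked
# failed, as a socket unit would be, instead of re-triggering endlessly.
TriggerLimitIntervalSec=2s
TriggerLimitBurst=200

[Install]
WantedBy=multi-user.target

# example-ingest.service (constructed example)
[Unit]
Description=Process the inbox
# Skipped (not failed) while the marker file is absent, so the inbox stays
# non-empty and the path unit would keep triggering without the limit.
ConditionPathExists=/etc/example/ingest-enabled

[Service]
Type=oneshot
ExecStart=/usr/local/bin/example-ingest /var/spool/example/inbox
```

      A path unit that ends up failed for this reason shows up in
      "systemctl --failed", which is the signal to fix the condition or the
      trigger rather than to raise the burst limit.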

    * The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built
      as a plug-in for cryptsetup. This means the plain cryptsetup command
      may now be used to unlock volumes set up this way.

    * The TPM2 logic in cryptsetup will now automatically detect systems
      where the TPM2 chip advertises SHA256 PCR banks but the firmware only
      updates the SHA1 banks. In such a case PCR policies will be
      automatically bound to the latter, not the former. This makes the PCR
      policies reliable, but of course does not provide the same level of
      trust as SHA256 banks.

    * The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports
      RSA primary keys in addition to ECC, improving compatibility with
      TPM2 chips that do not support ECC. RSA keys are much slower to use
      than ECC, and hence are only used if ECC is not available.

    * /etc/crypttab gained support for a new token-timeout= setting for
      encrypted volumes that allows configuration of the maximum time to
      wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses,
      the logic will query the user for a regular passphrase/recovery key
      instead.
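      The TPM2 and token-timeout= behaviour described in the preceding items,
      as an added /etc/crypttab example constructed for this page (volume
      names and UUIDs are placeholders, not values from any real system):

```text
# /etc/crypttab (constructed example; UUIDs are placeholders)
# Root volume bound to the TPM2 chip, with PCR 7 (Secure Boot state)
# selected. Which PCR bank (SHA256 or SHA1) the policy is bound to is
# picked automatically as described above.
cryptroot  UUID=00000000-0000-0000-0000-000000000001  none  tpm2-device=auto,tpm2-pcrs=7

# Data volume unlocked with a FIDO2 token. If no token is plugged in
# within 30 s, the user is asked for the passphrase or recovery key instead.
cryptdata  UUID=00000000-0000-0000-0000-000000000002  none  fido2-device=auto,token-timeout=30
```

      The timeout matters on headless or remotely managed machines: without
      it an absent token blocks the unlock indefinitely, with it the boot
      degrades to a passphrase prompt that a recovery key can answer.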

    * Support for activating dm-integrity volumes at boot via a new file
      /etc/integritytab and the tool systemd-integritysetup have been
      added. This is similar to /etc/crypttab and /etc/veritytab, but deals
      with dm-integrity instead of dm-crypt/dm-verity.

    * The systemd-veritysetup-generator now understands a new usrhash=
      kernel command line option for specifying the Verity root hash for
      the partition backing the /usr/ file system. A matching set of
      systemd.verity_usr_* kernel command line options has been added as
      well. These all work similarly to the corresponding options for the
      root partition.

    * The sd-device API gained a new API call sd_device_get_diskseq() to
      return the DISKSEQ property of a device structure. The "disk
      sequence" concept is a new feature recently introduced to the Linux
      kernel that allows detecting reuse cycles of block devices, i.e. can
      be used to recognize when loopback block devices are reused for a
      different purpose or CD-ROM drives get their media changed.

    * A new unit systemd-boot-update.service has been added. If enabled
      (the default) and the sd-boot loader is detected to be installed, it
      is automatically updated to the newest version when out of date. This
      is useful to ensure the boot loader remains up-to-date, and updates
      automatically propagate from the OS tree in /usr/.

    * sd-boot will now build with SBAT by default in order to facilitate
      working with recent versions of Shim that require it to be present.

    * sd-boot can now parse Microsoft Windows' Boot Configuration Data.
      This is used to robustly generate boot entry titles for Windows.

    * A new generic target unit factory-reset.target has been added. It is
      hooked into systemd-logind in a similar fashion to
      reboot/poweroff/suspend/hibernate, and is supposed to be used to
      initiate a factory reset operation. What precisely this operation
      entails is up to the implementer to decide; the primary goal of the
      new unit is to provide a framework into which the implementation can
      be plugged, and a way to trigger it.

    * A new meson build-time option 'clock-valid-range-usec-max' has been
      added which takes a time in µs and defaults to 15 years. If the RTC
      time is noticed to be more than the specified time ahead of the
      built-in epoch of systemd (which by default is the release timestamp
      of systemd) it is assumed that the RTC is not working correctly, and
      the RTC is reset to the epoch. (It already is reset to the epoch when
      noticed to be before it.) This should increase the chance that time
      doesn't accidentally jump too far ahead due to faulty hardware or
      batteries.

    * A new setting SaveIntervalSec= has been added to systemd-timesyncd,
      which may be used to automatically save the current system time to
      disk in regular intervals. This is useful to maintain a roughly
      monotonic clock even without RTC hardware and with some robustness
      against abnormal system shutdown.

    * .network files gained a new UplinkInterface= setting in the
      [IPv6SendRA] section, for automatically propagating DNS settings from
      other interfaces.

    * The static lease DHCP server logic in systemd-networkd may now serve
      IP addresses outside of the configured IP pool range for the server.

    * CAN support in systemd-networkd gained four new settings Loopback=,
      OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN
      control modes. It gained a number of further settings for tweaking
      CAN timing quanta.

    * The [CAN] section in .network file gained new TimeQuantaNSec=,
      PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=,
      SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=,
      DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and
      DataSyncJumpWidth= settings to control bit-timing processed by the
      CAN interface.

    * DHCPv4 client support in systemd-networkd learnt a new Label= option
      for configuring the address label to apply to configured IPv4
      addresses.

    * The various systemd-udevd "ethtool" buffer settings now understand
      the special value "max" to configure the buffers to the maximum the
      hardware supports.

    * systemd-udevd's .link files may now configure a large variety of
      NIC coalescing settings, plus more hardware offload settings.

    * systemd-analyze verify gained support for a pair of new --image= +
      --root= switches for verifying units below a specific root
      directory/image instead of on the host.

    * systemd-analyze verify gained support for verifying unit files under
      an explicitly specified unit name, independently of what the filename
      actually is.

    * systemd-analyze verify gained a new switch --recursive-errors= which
      controls whether to only fail on errors found in the specified units
      or recursively any dependent units.

    * systemd-analyze security now supports a new --offline mode for
      analyzing unit files stored on disk instead of loaded units. It may
      be combined with --root=/--image= to analyze unit files under a root
      directory or disk image. It also learnt a new --threshold= parameter
      for specifying an exposure level threshold: if the exposure level
      exceeds the specified value the call will fail. It also gained a new
      --security-policy= switch for configuring security policies to
      enforce on the units. A policy is a JSON file that lists which tests
      shall be weighted how much to determine the overall exposure
      level. Altogether these new features are useful for fully automatic
      analysis and enforcement of security policies on unit files.

    * systemd-analyze security gained a new --json= switch for JSON output.

    * systemd-analyze learnt a new --quiet switch for reducing
      non-essential output. It's honored by the "dot", "syscall-filter",
      "filesystems" commands.

    * systemd-analyze security gained a --profile option that can be used
      to take into account a portable profile when analyzing portable
      services, since a lot of the security-related settings are enabled
      through them.

    * systemd-analyze learnt a new inspect-elf verb that parses ELF core
      files, binaries and executables and prints metadata information,
      including the build-id and other info described on:
      https://systemd.io/COREDUMP_PACKAGE_METADATA/

    * The [IPv6AcceptRA] section of .network files gained support for a new
      UseMTU= setting that may be used to control whether to apply the
      announced MTU settings to the local interface.

    * systemd-networkd now ships with new default .network files:
      80-container-vb.network, which matches the host-side network bridge
      device created by systemd-nspawn's --network-bridge or --network-zone
      switch, and 80-6rd-tunnel.network, which matches the automatically
      created sit tunnel with the 6rd prefix when the DHCP 6RD option is
      received.

    * systemd-networkd and systemd-udevd now support IP over InfiniBand
      interfaces. The Kind= setting in .netdev file accepts "ipoib". And
      systemd.netdev files gained the [IPoIB] section.

    * systemd-networkd and systemd-udevd now support net.ifname-policy=
      option on the kernel command-line. This is implemented through the
      systemd-network-generator service that automatically generates
      appropriate .link, .network, and .netdev files.

    * systemd-networkd's handling of Endpoint= resolution for WireGuard
      interfaces has been improved.

    * systemd-networkd will now automatically configure routes to addresses
      specified in AllowedIPs=. This feature can be controlled via RouteTable=
      and RouteMetric= settings in [WireGuard] or [WireGuardPeer] sections.

    * systemd-networkd will now once again automatically generate persistent
      MAC addresses for batadv and bridge interfaces. Users can disable this
      by using MACAddress=none in .netdev files.

    * .link files gained a new WakeOnLanPassword= setting in the [Link]
      section that allows specifying a WoL "SecureOn" password on hardware
      that supports this.

    * The [DHCPv4] section in .network file gained a new Use6RD= boolean
      setting to control whether the DHCPv4 client requests and processes
      the DHCP 6RD option.

    * The [DHCPv6PrefixDelegation] section in .network file is renamed to
      [DHCPPrefixDelegation], as now the prefix delegation is also supported
      with DHCPv4 protocol by enabling the Use6RD= setting.

    * The [DHCPPrefixDelegation] section in .network file gained a new
      setting UplinkInterface= to specify the upstream interface.

    * The [DHCPv6] section in .network file gained a new setting
      UseDelegatedPrefix= to control whether the delegated prefixes will be
      propagated to the downstream interfaces.
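      The UplinkInterface= settings in [IPv6SendRA] and
      [DHCPPrefixDelegation], together with UseDelegatedPrefix= in [DHCPv6],
      as one added example constructed for this page (not configuration
      shipped by systemd; the interface names wan0 and lan0 are
      placeholders): the upstream interface obtains a delegated prefix, the
      downstream interface assigns from it and advertises it, and the DNS
      settings learnt upstream are propagated into the Router
      Advertisements.

```ini
# wan0.network: upstream interface that runs the DHCPv6 client
# (constructed example; interface names are placeholders)
[Match]
Name=wan0

[Network]
DHCP=yes

[DHCPv6]
# Hand the delegated prefix to downstream interfaces that ask for it.
UseDelegatedPrefix=yes

# lan0.network: downstream interface that consumes the delegated prefix
# and announces it, plus the upstream DNS settings, via RAs
[Match]
Name=lan0

[Network]
DHCPPrefixDelegation=yes
IPv6SendRA=yes

[DHCPPrefixDelegation]
# Take the prefix from the DHCPv6 client running on wan0.
UplinkInterface=wan0

[IPv6SendRA]
# With no DNS servers listed here, those learnt on wan0 are emitted.
UplinkInterface=wan0
EmitDNS=yes
```

      Keeping both UplinkInterface= settings explicit, rather than relying
      on automatic selection, makes it unambiguous which interface's DHCPv6
      lease and DNS configuration end up on the LAN side.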

    * The [IPv6AcceptRA] section of .network files now understands two new
      settings UseGateway=/UseRoutePrefix= for explicitly configuring
      whether to use the relevant fields from the IPv6 Router Advertisement
      records.

    * The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section is
      now deprecated. Please use the WithoutRA= and UseDelegatedPrefix=
      settings in the [DHCPv6] section and the DHCPv6Client= setting in the
      [IPv6AcceptRA] section to control when the DHCPv6 client is started
      and how the delegated prefixes are handled by the DHCPv6 client.

    * The [CAKE] section of .network files gained various new settings
      AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=,
      MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=,
      and UseRawPacketSize= for configuring CAKE.

    * The IPv6Token= setting in the [Network] section is deprecated, and
      the [IPv6AcceptRA] section gained the Token= setting as its
      replacement. The [IPv6Prefix] section also gained the Token= setting.
      The Token= setting gained an 'eui64' mode to explicitly configure an
      address with the EUI64 algorithm based on the interface MAC address.
      The 'prefixstable' mode can now optionally take a secret key. The
      Token= setting in the [DHCPPrefixDelegation] section now supports all
      algorithms supported by the same setting in the other sections.

    * The [RoutingPolicyRule] section of .network file gained a new
      SuppressInterfaceGroup= setting.

    * The IgnoreCarrierLoss= setting in the [Network] section of .network
      files now allows a duration to be specified, controlling how long to
      wait before reacting to carrier loss.

    * The [DHCPServer] section of .network file gained a new Router=
      setting to specify the router address.

    * systemd-nspawn's --setenv= switch now supports an additional syntax:
      if only a variable name is specified (i.e. without being suffixed by
      a '=' character and a value) the current value of the environment
      variable is propagated to the container. E.g. --setenv=FOO will
      look up the current value of $FOO in the environment, and pass it down
      to the container. Similar behavior has been added to homectl's,
      machinectl's and systemd-run's --setenv= switch.

    * systemd-nspawn gained a new switch --suppress-sync= which may be used
      to optionally suppress the effect of the sync()/fsync()/fdatasync()
      system calls for the container payload. This is useful for build
      system environments where safety against abnormal system shutdown is
      not essential as all build artifacts can be regenerated any time, but
      the performance win is beneficial.

    * systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the
      same value that PID 1 uses for most forked off processes.

    * systemd-nspawn's --bind=/--bind-ro= switches now optionally take
      uidmap/nouidmap options as last parameter. If "uidmap" is used the
      bind mounts are created with UID mapping taking place that ensures
      the host's file ownerships are mapped 1:1 to container file
      ownerships, even if user namespacing is used. This way
      files/directories bound into containers will no longer show up as
      owned by the nobody user as they typically did if no special care was
      taken to shift them manually.

    * When discovering Windows installations sd-boot will now attempt to
      show the Windows version.

    * The color scheme to use in sd-boot may now be configured at
      build-time.

    * sd-boot gained the ability to change screen resolution during
      boot-time, by hitting the "r" key. This will cycle through available
      resolutions and save the last selection.

    * sd-boot learnt a new hotkey "f". When pressed the system will enter
      firmware setup. This is useful in environments where it is difficult
      to hit the right keys early enough to enter the firmware, and works
      on any firmware regardless which key it natively uses.

    * sd-boot gained support for automatically booting into the menu item
      selected on the last boot (using the "@saved" identifier for menu
      items).

    * sd-boot gained support for automatically loading all EFI drivers
      placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
      Partition (ESP). These drivers are loaded before the menu entries are
      loaded. This is useful e.g. to load additional file system drivers
      for the XBOOTLDR partition.

    * systemd-boot will now paint the input cursor on its own instead of
      relying on the firmware to do so, increasing compatibility with broken
      firmware that doesn't make the cursor reasonably visible.

    * sd-boot now embeds a .osrel PE section like we expect from Boot
      Loader Specification Type #2 Unified Kernels. This means sd-boot
      itself may be used in place of a Type #2 Unified Kernel. This is
      useful for debugging purposes as it allows chain-loading one
      (development) sd-boot instance from another.

    * sd-boot now supports a new "devicetree" field in Boot Loader
      Specification Type #1 entries: if configured the specified device
      tree file is installed before the kernel is invoked. This is useful
      for installing/applying new devicetree files without updating the
      kernel image.

    * Similarly, sd-stub now can read devicetree data from a PE section
      ".dtb" and apply it before invoking the kernel.

    * sd-stub (the EFI stub that can be glued in front of a Linux kernel)
      gained the ability to pick up credentials and sysext files, wrap them
      in a cpio archive, and pass them as an additional initrd to the
      invoked Linux kernel, in effect placing those files in the /.extra/
      directory of the initrd environment. This is useful to implement
      trusted initrd environments which are fully authenticated but can
      still be extended (via sysexts) and parameterized (via
      encrypted/authenticated credentials, see above).

      Credentials can be located next to the kernel image file (credentials
      specific to a single boot entry), or in one of the shared directories
      (credentials applicable to multiple boot entries).

    * sd-stub now comes with a full man page, that explains its feature set
      and how to combine a kernel image, an initrd and the stub to build a
      complete EFI unified kernel image, implementing Boot Loader
      Specification Type #2.

    * sd-stub may now provide the initrd to the executed kernel via the
      LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
      non-x86 architectures.

    * bootctl learnt new set-timeout and set-timeout-oneshot commands that
      may be used to set the boot menu time-out of the boot loader (for all
      or just the subsequent boot).

    * bootctl and kernel-install will now read KERNEL_INSTALL_MACHINE_ID
      and KERNEL_INSTALL_LAYOUT from kernel/install.conf. The first
      variable specifies the machine-id to use for installation. It would
      previously be used if set in the environment, and now it'll also be
      read automatically from the config file. The second variable is new.
      When set, it specifies the layout to use for installation directories
      on the boot partition, so that tools don't need to guess it based on
      the already-existing directories. The only value that is defined
      natively is "bls", corresponding to the layout specified in
      https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for
      kernel-install that implement a different layout can declare other
      values for this variable.

      'bootctl install' will now write KERNEL_INSTALL_LAYOUT=bls, on the
      assumption that if the user installed sd-boot to the ESP, they intend
      to use the entry layout understood by sd-boot. It'll also write
      KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID
      (and it wasn't specified in the config file yet). Similarly,
      kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it
      wasn't specified in the config file yet). Effectively, those changes
      mean that the machine-id used for boot loader entry installation is
      "frozen" upon first use and becomes independent of the actual
      machine-id.

      Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem:
      images created for distribution ("golden images") are built with no
      machine-id, so that a unique machine-id can be created on the first
      boot. But those images may contain boot loader entries with the
      machine-id used during build included in paths. Using a "frozen"
      value allows unambiguously identifying entries that match the
      specific installation, while still permitting parallel installations
      without conflict.

      Configuring KERNEL_INSTALL_LAYOUT obviates the need for
      kernel-install to guess the installation layout. This fixes the
      problem where a (possibly empty) directory in the boot partition is
      created from a different layout causing kernel-install plugins to
      assume the wrong layout. A particular example of how this may happen
      is the grub2 package in Fedora which includes directories under /boot
      directly in its file list. Various other packages pull in grub2 as a
      dependency, so it may be installed even if unused, breaking
      installations that use the bls layout.

    * bootctl and systemd-bless-boot can now be linked statically.

    * systemd-sysext now optionally doesn't insist on extension-release.d/
      files being placed in the image under the image's file name. If the
      file system xattr user.extension-release.strict is set on the
      extension release file, it is accepted regardless of its name. This
      relaxes security restrictions a bit, as a system extension may be
      attached under a wrong name this way.

    * udevadm's test-builtin command learnt a new --action= switch for
      testing the built-in with the specified action (in place of the
      default 'add').

    * udevadm info gained new switches --property=/--value for showing only
      specific udev properties/values instead of all.

    * A new hwdb database has been added that contains matches for various
      types of signal analyzers (protocol analyzers, logic analyzers,
      oscilloscopes, multimeters, bench power supplies, etc.) that should
      be accessible to regular users.

    * A new hwdb database entry has been added that carries information
      about types of cameras (regular or infrared), and in which direction
      they point (front or back).

    * A new rule to allow console users access to rfkill by default has been
      added to hwdb.

    * Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are
      now also owned by the system group "sgx".

    * A new build-time meson option "extra-net-naming-schemes=" has been
      added to define additional naming schemes for udev's network
      interface naming logic. This is useful for enterprise distributions
      and similar which want to pin the schemes of certain distribution
      releases under a specific name and previously had to patch the
      sources to introduce new named schemes.

    * The predictable naming logic for network interfaces has been extended
      to generate stable names from Xen netfront device information.

    * hostnamed's chassis property can now be sourced from chassis-type
      field encoded in devicetree (in addition to the existing DMI
      support).

    * systemd-cgls now optionally displays cgroup IDs and extended
      attributes for each cgroup. (Controllable via the new --xattr= +
      --cgroup-id= switches.)

    * coredumpctl gained a new --all switch for operating on all
      Journal files instead of just the local ones.

    * systemd-coredump will now use libdw/libelf via dlopen() rather than
      directly linking, allowing users to easily opt-out of backtrace/metadata
      analysis of core files, and reduce image sizes when this is not needed.

    * systemd-coredump will now analyze core files with libdw/libelf in a
      forked, sandboxed process.

    * systemd-homed will now try to unmount an active home area at
      regular intervals once the user has logged out fully. Previously this
      was attempted exactly once, but if the home directory was busy for
      some reason it was not tried again.

    * systemd-homed's LUKS2 home area backend will now create a BSD file
      system lock on the image file while the home area is active
      (i.e. mounted). If a home area is found to be locked, logins are
      politely refused. This should improve behavior when using home area
      images that are accessible via the network from multiple clients, and
      reduce the chance of accidental file system corruption in that case.

    * Optionally, systemd-homed will now drop the kernel buffer cache once
      a user has fully logged out, configurable via the new --drop-caches=
      homectl switch.

    * systemd-homed now makes use of UID mapped mounts for the home areas.
      If the kernel and used file system support it, files are now
      internally owned by the "nobody" user (i.e. the user typically used
      for indicating "this ownership is not mapped"), and dynamically
      mapped to the UID used locally on the system via the UID mapping
      mount logic of recent kernels. This makes migrating home areas
      between different systems cheaper because recursively chown()ing file
      system trees is no longer necessary.

    * systemd-homed's CIFS backend now optionally supports CIFS service
      names with a directory suffix, in order to place home directories in
      a subdirectory of a CIFS share, instead of the top-level directory.

    * systemd-homed's CIFS backend gained support for specifying additional
      mount options in the JSON user record (cifsExtraMountOptions field,
      and --cifs-extra-mount-options= homectl switch). This is for example
      useful for configuring mount options such as "noserverino" that some
      SMB3 services require (use that to run a homed home directory from a
      FritzBox SMB3 share this way).

    * systemd-homed will now default to btrfs' zstd compression for home
      areas. This is inspired by Fedora's recent decision to switch to zstd
      by default.

    * Additional mount options to use when mounting the file system of
      LUKS2 volumes in systemd-homed may now be specified, either via the
      $SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4,
      $SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables passed to
      systemd-homed, or via the luksExtraMountOptions user record JSON
      property (exposed via homectl --luks-extra-mount-options=).

    * homectl's resize command now takes the special size specifications
      "min" and "max" to shrink/grow the home area to the minimum/maximum
      size possible, taking disk usage/space constraints and file system
      limitations into account. Resizing is now generally graceful: the
      logic will try to get as close to the specified size as possible, but
      not consider it a failure if the request couldn't be fulfilled
      precisely.

    * systemd-homed gained the ability to automatically shrink home areas
      on logout to their minimal size and grow them again on next
      login. This ensures that while inactive, a home area only takes up
      the minimal space necessary, but once activated, it provides
      sufficient space for the user's needs. This behavior is only
      supported if btrfs is used as file system inside the home area
      (because only for btrfs online growing/shrinking is implemented in
      the kernel). This behavior is now enabled by default, but may be
      controlled via the new --auto-resize-mode= setting of homectl.

    * systemd-homed gained support for automatically re-balancing free disk
      space among active home areas, in case the LUKS2 backends are used,
      and no explicit disk size was requested. This way disk space is
      automatically managed and home areas resized in regular intervals and
      manual resizing when disk space becomes scarce should not be
      necessary anymore. This behavior is only supported if btrfs is used
      within the home areas (as only then online shrinking and growing is
      supported), and may be configured via the new rebalanceWeight JSON
      user record field (as exposed via the new --rebalance-weight= homectl
      setting). Re-balancing is mostly automatic, but can also be requested
      explicitly via "homectl rebalance", which is synchronous, and thus
      may be used to wait until the rebalance run is complete.

    * userdbctl gained a --json= switch for configuring the JSON formatting
      to use when outputting user or group records.

    * userdbctl gained a new --multiplexer= switch for explicitly
      configuring whether to use the systemd-userdbd server side user
      record resolution logic.

    * userdbctl's ssh-authorized-keys command learnt a new --chain switch,
      for chaining up another command to execute after completing the
      look-up. Since OpenSSH's AuthorizedKeysCommand only allows
      configuration of a single command to invoke, this may be used to
      invoke multiple: first userdbctl's own implementation, and then any
      other also configured on the command line.

    * The sd-event API gained a new function sd_event_add_inotify_fd() that
      is similar to sd_event_add_inotify() but accepts a file descriptor
      instead of a path in the file system for referencing the inode to
      watch.

    * The sd-event API gained a new function
      sd_event_source_set_ratelimit_expire_callback() that may be used to
      define a callback function that is called whenever an event source
      leaves the rate limiting phase.

    * New documentation has been added explaining which steps are necessary
      to port systemd to a new architecture:

      https://systemd.io/PORTING_TO_NEW_ARCHITECTURES

    * The x-systemd.makefs option in /etc/fstab now explicitly supports
      ext2, ext3, and f2fs file systems.

    * Mount units and units generated from /etc/fstab entries with 'noauto'
      are now ordered the same as other units. Effectively, they will be
      started earlier (if something actually pulled them in) and stopped
      later, similarly to normal mount units that are part of
      fs-local.target. This change should be invisible to users, but
      should prevent those units from being stopped too early during
      shutdown.

    * The systemd-getty-generator now honors a new kernel command line
      argument systemd.getty_auto= and a new environment variable
      $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
      example useful to turn off gettys inside of containers or similar
      environments.

    * systemd-resolved now listens on a second DNS stub address: 127.0.0.54
      (in addition to 127.0.0.53, as before). If DNS requests are sent to
      this address they are propagated in "bypass" mode only, i.e. are
      almost not processed locally, but mostly forwarded as-is to the
      current upstream DNS servers. This provides a stable DNS server
      address that proxies all requests dynamically to the right upstream
      DNS servers even if these dynamically change. This stub does not do
      mDNS/LLMNR resolution. However, it will translate look-ups to
      DNS-over-TLS if necessary. This new stub is particularly useful in
      container/VM environments, or for tethering setups: use DNAT to
      redirect traffic to any IP address to this stub.

    * systemd-importd now honors new environment variables
      $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA,
      $SYSTEMD_IMPORT_SYNC, which may be used to disable btrfs subvolume
      generation, btrfs quota setup and disk synchronization.

    * systemd-importd and systemd-resolved can now be optionally built with
      OpenSSL instead of libgcrypt.

    * systemd-repart no longer requires OpenSSL.

    * systemd-sysusers will no longer create the redundant 'nobody' group
      by default, as the 'nobody' user is already created with an
      appropriate primary group.

    * If a unit uses RuntimeMaxSec=, systemctl show will now display it.

    * systemctl show-environment gained support for --output=json.

    * pam_systemd will now first try to use the X11 abstract socket, and
      fall back to the socket file in /tmp/.X11-unix/ only if that does not
      work.

    * systemd-journald will no longer go back to volatile storage
      regardless of configuration when its unit is restarted.

    * Initial support for the LoongArch architecture has been added (system
      call lists, GPT partition table UUIDs, etc).

    * systemd-journald's own logging messages are now also logged to the
      journal itself when systemd-journald logs to /dev/kmsg.

    * systemd-journald now re-enables COW for archived journal files on
      filesystems that support COW. One benefit of this change is that
      archived journal files will now get compressed on btrfs filesystems
      that have compression enabled.

    * systemd-journald now deduplicates fields in a single log message
      before adding it to the journal. In archived journal files, it will
      also punch holes for unused parts and truncate the file as
      appropriate, leading to reductions in disk usage.

    * journalctl --verify was extended with more informative error
      messages.

    * More of sd-journal's functions are now resistant against journal file
      corruption.

    * The shutdown command learnt a new option --show, to display the
      scheduled shutdown.

    * A LICENSES/ directory is now included in the git tree. It contains a
      README.md file that explains the licenses used by source files in
      this repository.  It also contains the text of all applicable
      licenses as they appear on spdx.org.

    Contributions from: Aakash Singh, acsfer, Adolfo Jayme Barrientos,
    Adrian Vovk, Albert Brox, Alberto Mardegan, Alexander Kanavin,
    alexlzhu, Alfonso Sánchez-Beato, Alvin Šipraga, Alyssa Ross,
    Amir Omidi, Anatol Pomozov, Andika Triwidada, Andreas Rammhold,
    Andreas Valder, Andrej Lajovic, Andrew Soutar, Andrew Stone, Andy Chi,
    Anita Zhang, Anssi Hannula, Antonio Alvarez Feijoo,
    Antony Deepak Thomas, Arnaud Ferraris, Arvid E. Picciani,
    Bastien Nocera, Benjamin Berg, Benjamin Herrenschmidt, Ben Stockett,
    Bogdan Seniuc, Boqun Feng, Carl Lei, chlorophyll-zz, Chris Packham,
    Christian Brauner, Christian Göttsche, Christian Wehrli,
    Christoph Anton Mitterer, Cristian Rodríguez, Daan De Meyer,
    Daniel Maixner, Dann Frazier, Dan Streetman, Davide Cavalca,
    David Seifert, David Tardon, dependabot[bot], Dimitri John Ledkov,
    Dimitri Papadopoulos, Dimitry Ishenko, Dmitry Khlebnikov,
    Dominique Martinet, duament, Egor, Egor Ignatov, Emil Renner Berthing,
    Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin, Florian Klink,
    Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon, GnunuX,
    Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede,
    Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho,
    Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras,
    I-dont-need-name, igo95862, Jack Dähn, James Hilliard, Jan Janssen,
    Jan Kuparinen, Jan Macku, Jan Palus, Jarkko Sakkinen, Jayce Fayne,
    jiangchuangang, jlempen, John Lindgren, Jonas Dreßler, Jonas Jelten,
    Jonas Witschel, Joris Hartog, José Expósito, Julia Kartseva,
    Kai-Heng Feng, Kai Wohlfahrt, Kay Siver Bø, KennthStailey,
    Kevin Kuehler, Kevin Orr, Khem Raj, Kristian Klausen, Kyle Laker,
    lainahai, LaserEyess, Lennart Poettering, Lia Lenckowski, longpanda,
    Luca Boccassi, Luca BRUNO, Ludwig Nussel, Lukas Senionis,
    Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi,
    Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez,
    Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro,
    Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert,
    Milo Turner, ml, monosans, Nacho Barrientos, nassir90, Nishal Kulkarni,
    nl6720, Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto,
    Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas,
    Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Robert Scheck,
    Ross Jennings, saikat0511, Scott Lamb, Scott Worley,
    Sergei Trofimovich, Sho Iizuka, Slava Bacherikov, Slimane Selyan Amiri,
    StefanBruens, Steven Siloti, svonohr, Taiki Sugawara, Takashi Sakamoto,
    Takuro Onoue, Thomas Blume, Thomas Haller, Thomas Mühlbacher,
    Tianlu Shao, Toke Høiland-Jørgensen, Tom Yan, Tony Asleson,
    Topi Miettinen, Ulrich Ölmann, Urs Ritzmann, Vincent Bernat,
    Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ, Wu Xiaotian,
    xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei, Yao Wei (魏銘廷),
    Yegor Alexeyev, Yu Watanabe, Zbigniew Jędrzejewski-Szmek,
    Дамјан Георгиевски, наб

    — Warsaw, 2021-12-23

systemd - systemd v249

Published by bluca over 3 years ago

CHANGES WITH 249:

    * When operating on disk images via the --image= switch of various
      tools (such as systemd-nspawn or systemd-dissect), or when udev finds
      no 'root=' parameter on the kernel command line, and multiple
      suitable root or /usr/ partitions exist in the image, then a simple
      comparison inspired by strverscmp() is done on the GPT partition
      label, and the newest partition is picked. This permits a simple and
      generic whole-file-system A/B update logic where new operating system
      versions are dropped into partitions whose label is then updated with
      a matching version identifier.

    * systemd-sysusers now supports querying the passwords to set for the
      users it creates via the "credentials" logic introduced in v247: the
      passwd.hashed-password.<user> and passwd.plaintext-password.<user>
      credentials are consulted for the password to use (either in UNIX
      hashed form, or literally). By default these credentials are inherited
      down from PID1 (which in turn imports it from a container manager if
      there is one). This permits easy configuration of user passwords
      during first boot. Example:

      # systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo

      Note that systemd-sysusers operates in purely additive mode: it
      executes no operation if the declared users already exist, and hence
      doesn't set any passwords as effect of the command line above if the
      specified root user exists already in the image. (Note that
      --volatile=yes ensures it doesn't, though.)

    * systemd-firstboot now also supports querying various system
      parameters via the credential subsystems. Thus, as above this may be
      used to initialize important system parameters on first boot of
      previously unprovisioned images (i.e. images with a mostly empty
      /etc/).

    * PID 1 may now show both the unit name and the unit description
      strings in its status output during boot. This may be configured with
      StatusUnitFormat=combined in system.conf or
      systemd.status-unit-format=combined on the kernel command line.

    * The systemd-machine-id-setup tool now supports a --image= switch for
      provisioning a machine ID file into an OS disk image, similar to how
      --root= operates on an OS file tree. This matches the existing switch
      of the same name for systemd-tmpfiles, systemd-firstboot, and
      systemd-sysusers tools.

    * Similarly, systemd-repart gained support for the --image= switch too.
      In combination with the existing --size= option, this makes the tool
      particularly useful for easily growing disk images in a single
      invocation, following the declarative rules included in the image
      itself.

    * systemd-repart's partition configuration files gained support for a
      new switch MakeDirectories= which may be used to create arbitrary
      directories inside file systems that are created, before registering
      them in the partition table. This is useful in particular for root
      partitions to create mount point directories for other partitions
      included in the image. For example, a disk image that contains a
      root, /home/, and /var/ partitions, may set MakeDirectories=yes to
      create /home/ and /var/ as empty directories in the root file system
      on its creation, so that the resulting image can be mounted
      immediately, even in read-only mode.

    * systemd-repart's CopyBlocks= setting gained support for the special
      value "auto". If used, a suitable matching partition on the booted OS
      is found as source to copy blocks from. This is useful when
      implementing replicating installers that are booted from one medium
      and then stream their own root partition onto the target medium.

    * systemd-repart's partition configuration files gained support for a
      Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
      GPT partition flags for the created partitions: this is useful for
      marking newly created partitions as read-only, or as not being
      subject for automatic mounting from creation on.

    * The /etc/os-release file has been extended with two new (optional)
      variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version
      information for OS images that are updated comprehensively and
      atomically as one image. Two new specifiers %M, %A now resolve to
      these two fields in the various configuration options that resolve
      specifiers.

    * portablectl gained a new switch --extension= for enabling portable
      service images with extensions that follow the extension image
      concept introduced with v248, and thus allows layering multiple
      images when setting up the root filesystem of the service.

    * systemd-coredump will now extract ELF build-id information from
      processes dumping core and include it in the coredump report.
      Moreover, it will look for ELF .note.package sections with
      distribution packaging meta-information about the crashing process.
      This is useful to directly embed the rpm or deb (or any other)
      package name and version in ELF files, making it easy to match
      coredump reports with the specific package for which the software was
      compiled. This is particularly useful on environments with ELF files
      from multiple vendors, different distributions and versions, as is
      common today in our containerized and sand-boxed world. For further
      information, see:

      https://systemd.io/COREDUMP_PACKAGE_METADATA

    * A new udev hardware database has been added for FireWire devices
      (IEEE 1394).

    * The "net_id" built-in of udev has been updated with three
      backwards-incompatible changes:

      - PCI hotplug slot names on s390 systems are now parsed as
        hexadecimal numbers. They were incorrectly parsed as decimal
        previously, or ignored if the name was not a valid decimal
        number.

      - PCI onboard indices up to 65535 are allowed. Previously, numbers
        above 16383 were rejected. This primarily impacts s390 systems,
        where values up to 65535 are used.

      - Invalid characters in interface names are replaced with "_".

      The new version of the net naming scheme is "v249". The previous
      scheme can be selected via the "net.naming-scheme=v247" kernel
      command line parameter.

    * sd-bus' sd_bus_is_ready() and sd_bus_is_open() calls now accept a
      NULL bus object, for which they will return false. Or in other words,
      an unallocated bus connection is neither ready nor open.

    * The sd-device API acquired a new API function
      sd_device_get_usec_initialized() that returns the monotonic time when
      the udev device first appeared in the database.

    * sd-device gained new APIs sd_device_trigger_with_uuid() and
      sd_device_get_trigger_uuid(). The former is similar to
      sd_device_trigger() but returns a randomly generated UUID that is
      associated with the synthetic uevent generated by the call. This UUID
      may be read from the sd_device object a monitor eventually receives,
      via the sd_device_get_trigger_uuid(). This interface requires kernel
      4.13 or above to work, and allows tracking a synthetic uevent through
      the entire device management stack. The "udevadm trigger --settle"
      logic has been updated to make use of this concept if available to
      wait precisely for the uevents it generates. "udevadm trigger" also
      gained a new parameter --uuid that prints the UUID for each generated
      uevent.

    * sd-device also gained new APIs sd_device_new_from_ifname() and
      sd_device_new_from_ifindex() for allocating an sd-device object for
      the specified network interface. The former accepts an interface name
      (either a primary or an alternative name), the latter an interface
      index.

    * The native Journal protocol has been documented. Clients may talk
      this as alternative to the classic BSD syslog protocol for locally
      delivering log records to the Journal. The protocol has been stable
      for a long time and in fact been implemented already in a variety
      of alternative client libraries. This documentation makes the support
      for that official:

      https://systemd.io/JOURNAL_NATIVE_PROTOCOL
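      To make the protocol documented above concrete, here is an added Python
      example (not part of systemd's own code base) that serializes a record in
      the native wire format, parses one back, and hands it to journald's
      datagram socket when that socket exists. The socket path
      /run/systemd/journal/socket is the one systemd documents; the field-name
      rule (uppercase names, no leading underscore, since journald reserves
      underscore-prefixed names for the trusted fields it adds itself) and the
      decoder are this example's own, and the sample record is constructed.

```python
"""Encode, decode and send records in the systemd Journal native protocol.

Added example, not part of systemd. The wire format follows the protocol
document linked above; the socket path is the one systemd documents.
"""
import os
import re
import socket
import struct

JOURNAL_SOCKET = "/run/systemd/journal/socket"
# Client-supplied field names: uppercase letters, digits and underscores, with
# no leading underscore, because journald reserves '_' names for the trusted
# fields it adds itself (e.g. _PID, _UID) and ignores them from clients.
_FIELD_NAME = re.compile(r"[A-Z][A-Z0-9_]*")


def encode_native(fields):
    """Serialize a mapping of field -> str|bytes into one datagram.

    Text without newlines uses the simple form   FIELD=VALUE\\n
    bytes, or text containing a newline, use     FIELD\\n <u64 LE size> DATA \\n
    """
    out = bytearray()
    for name, value in fields.items():
        if not _FIELD_NAME.fullmatch(name):
            raise ValueError(f"invalid journal field name: {name!r}")
        if isinstance(value, str) and "\n" not in value:
            out += f"{name}={value}\n".encode("utf-8")
        else:
            data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
            out += name.encode("ascii") + b"\n" + struct.pack("<Q", len(data)) + data + b"\n"
    return bytes(out)


def decode_native(datagram):
    """Parse a datagram back into an ordered list of (field, bytes) pairs.

    Handy for checking what a client actually put on the wire.
    """
    fields = []
    pos, end = 0, len(datagram)
    while pos < end:
        nl = datagram.index(b"\n", pos)          # end of the name (or name=value) line
        eq = datagram.find(b"=", pos, nl)
        if eq != -1:                             # simple form
            fields.append((datagram[pos:eq].decode("ascii"), datagram[eq + 1:nl]))
            pos = nl + 1
        else:                                    # binary form
            name = datagram[pos:nl].decode("ascii")
            (size,) = struct.unpack("<Q", datagram[nl + 1:nl + 9])
            start = nl + 9
            data = datagram[start:start + size]
            if len(data) != size or datagram[start + size:start + size + 1] != b"\n":
                raise ValueError("truncated or unterminated binary field")
            fields.append((name, data))
            pos = start + size + 1
    return fields


def send_to_journal(fields, path=JOURNAL_SOCKET):
    """Deliver one record to journald; returns False when the socket is absent.

    Records larger than the socket's datagram limit must instead be passed as
    a sealed memfd over SCM_RIGHTS (part of the protocol, not shown here).
    """
    if not os.path.exists(path):
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(encode_native(fields), path)
    return True


if __name__ == "__main__":
    # Constructed sample record: the multi-line MESSAGE forces the binary form.
    record = {
        "MESSAGE": "config reload failed\nreason: bad signature",
        "PRIORITY": "3",               # syslog LOG_ERR
        "SYSLOG_IDENTIFIER": "example-daemon",
        "EXAMPLE_PAYLOAD": b"\x00\x01\x02",
    }
    wire = encode_native(record)
    print(decode_native(wire))
    print("delivered" if send_to_journal(record) else "no journald socket here")
```

      Because the simple form is delimited only by "=" and "\n", any value that
      might carry a newline must take the length-prefixed binary form, which is
      why the encoder decides per value rather than trusting the caller.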

    * A new BPFProgram= setting has been added to service files. It may be
      set to a path to a loaded kernel BPF program, i.e. a path to a bpffs
      file, or a bind mount or symlink to one. This may be used to upload
      and manage BPF programs externally and then hook arbitrary systemd
      services into them.

    * The "home.arpa" domain that has been officially declared as the
      choice for domain for local home networks per RFC 8375 has been added
      to the default NTA list of resolved, since DNSSEC is generally not
      available on private domains.

    * The CPUAffinity= setting of unit files now resolves "%" specifiers.

    * A new ManageForeignRoutingPolicyRules= setting has been added to
      .network files which may be used to exclude foreign-created routing
      policy rules from systemd-networkd management.

    * systemd-network-wait-online gained two new switches -4 and -6 that
      may be used to tweak whether to wait for only IPv4 or only IPv6
      connectivity.

    * .network files gained a new RequiredFamilyForOnline= setting to
      fine-tune whether to require an IPv4 or IPv6 address in order to
      consider an interface "online".

    * networkctl will now show an over-all "online" state in the per-link
      information.

    * In .network files a new OutgoingInterface= setting has been added to
      specify the output interface in bridge FDB setups.

    * In .network files the Multipath group ID may now be configured for
      [NextHop] entries, via the new Group= setting.

    * The DHCP server logic configured in .network files gained a new
      setting RelayTarget= that turns the server into a DHCP server relay.
      The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used
      to further tweak the DHCP relay behaviour.

    * The DHCP server logic also gained a new ServerAddress= setting in
      .network files that explicitly specifies the server IP address to
      use. If not specified, the address is determined automatically, as
      before.

    * The DHCP server logic in systemd-networkd gained support for static
      DHCP leases, configurable via the [DHCPServerStaticLease]
      section. This allows explicitly mapping specific MAC addresses to
      fixed IP addresses and vice versa.

    * The RestrictAddressFamilies= setting in service files now supports a
      new special value "none". If specified, sockets of all address
      families will be made unavailable to services configured that way.

    * systemd-fstab-generator and systemd-repart have been updated to
      support booting from disks that carry only a /usr/ partition but no
      root partition yet, and where systemd-repart can add it in on the
      first boot. This is useful for implementing systems that ship with a
      single /usr/ file system, and whose root file system shall be set up
      and formatted on a LUKS-encrypted volume whose key is generated
      locally (and possibly enrolled in the TPM) during the first boot.

    * The [Address] section of .network files now accepts a new
      RouteMetric= setting that configures the routing metric to use for
      the prefix route created as effect of the address configuration.
      Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections
      gained matching settings for their prefix routes. (The option of the
      same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since
      it conceptually belongs there; the old option is still understood for
      compatibility.)

    * The DHCPv6 IAID and DUID are now explicitly configurable in .network
      files.

    * A new udev property ID_NET_DHCP_BROADCAST on network interface
      devices is now honoured by systemd-networkd, controlling whether to
      issue DHCP offers via broadcasting. This is used to ensure that s390
      layer 3 network interfaces work out-of-the-box with systemd-networkd.

    * nss-myhostname and systemd-resolved will now synthesize address
      records for a new special hostname "_outbound". The name will always
      resolve to the local IP addresses most likely used for outbound
      connections towards the default routes. On multi-homed hosts this is
      useful to have a stable handle referring to "the" local IP address
      that matters most, to the point where this is defined.

    * The Discoverable Partition Specification has been updated with a new
      GPT partition flag "grow-file-system" defined for its partition
      types. Whenever partitions with this flag set are automatically
      mounted (i.e. via systemd-gpt-auto-generator or the --image= switch
      of systemd-nspawn or other tools; and as opposed to explicit mounting
      via /etc/fstab), the file system within the partition is
      automatically grown to the full size of the partition. If the file
      system size already matches the partition size this flag has no
      effect. Previously, this functionality has been available via the
      explicit x-systemd.growfs mount option, and this new flag extends
      this to automatically discovered mounts. A new GrowFileSystem=
      setting has been added to systemd-repart drop-in files that allows
      configuring this partition flag. This new flag defaults to on for
      partitions automatically created by systemd-repart, except if they
      are marked read-only. See the specification for further details:

      https://systemd.io/DISCOVERABLE_PARTITIONS

    * .network files gained a new setting RoutesToNTP= in the [DHCPv4]
      section. If enabled (which is the default), and an NTP server address
      is acquired through a DHCP lease on this interface an explicit route
      to this address is created on this interface to ensure that NTP
      traffic to the NTP server acquired on an interface is also routed
      through that interface. The pre-existing RoutesToDNS= setting that
      implements the same for DNS servers is now enabled by default.

    * A pair of service settings SocketBindAllow= + SocketBindDeny= have
      been added that may be used to restrict the network interfaces
      sockets created by the service may be bound to. This is implemented
      via BPF.

    * A new ConditionFirmware= setting has been added to unit files to
      conditionalize on certain firmware features. At the moment it may
      check whether running on a UEFI system, a device-tree system, or if
      the system is compatible with some specified device-tree feature.

    * A new ConditionOSRelease= setting has been added to unit files to
      check os-release(5) fields. The "=", "!=", "<", "<=", ">=", ">"
      operators may be used to check if some field has some specific value
      or do an alphanumerical comparison. Equality comparisons are useful
      for fields like ID, but relative comparisons for fields like
      VERSION_ID or IMAGE_VERSION.
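      As an added example (not systemd's own implementation) covering both the
      ConditionOSRelease= operators above and the strverscmp()-inspired GPT
      label selection described at the start of these notes: a Python module
      that parses os-release(5) text, evaluates a condition string with the six
      operators, and picks the newest of several partition labels. The version
      ordering is a simplified approximation of systemd's strverscmp_improved()
      (digit runs compare numerically, a "~" segment marks a pre-release that
      sorts below the plain version); it does not reproduce every rule of the
      real function. The os-release contents and the labels are constructed
      sample data.

```python
"""Evaluate ConditionOSRelease=-style expressions and order version labels.

Added example; a simplified approximation of systemd's behaviour, not its code.
"""
import re
import shlex
from functools import cmp_to_key
from itertools import zip_longest

# Constructed sample os-release(5) content, not taken from any real distribution.
SAMPLE_OS_RELEASE = """\
NAME="Example OS"
ID=exampleos
VERSION_ID="11.4"
PRETTY_NAME="Example OS 11.4 (stable)"
# image identity fields introduced in v249
IMAGE_ID=example-cloud
IMAGE_VERSION=249~rc1
"""

_CHUNK = re.compile(r"\d+|\D+")   # split a version into digit / non-digit runs
_COND = re.compile(r"([A-Z][A-Z0-9_]*)(<=|>=|!=|<|>|=)(.*)")  # two-char ops first


def parse_os_release(text):
    """Parse KEY=VALUE lines; values are unquoted with shell rules, as the spec requires."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        parts = shlex.split(raw)
        values[key.strip()] = parts[0] if parts else ""
    return values


def version_cmp(a, b):
    """Return -1/0/1 ordering a against b.

    Rules of this simplified comparison (systemd's strverscmp_improved() has
    more, e.g. for '-', '^' and '.'):
    - digit runs compare numerically, so 11.4 < 11.10;
    - a run beginning with '~' is a pre-release and sorts below the end of the
      other string, so 249~rc1 < 249;
    - otherwise the longer string is newer (11 < 11.4);
    - a digit run against a non-digit run at the same position sorts digits last.
    """
    for x, y in zip_longest(_CHUNK.findall(a), _CHUNK.findall(b)):
        if x == y:
            continue
        if x is None:
            return 1 if y.startswith("~") else -1
        if y is None:
            return -1 if x.startswith("~") else 1
        if x.startswith("~") != y.startswith("~"):
            return -1 if x.startswith("~") else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return 0


def check_os_release(condition, os_release):
    """Evaluate one ConditionOSRelease= expression against parsed os-release data.

    A missing field compares as the empty string (this example's choice).
    """
    m = _COND.fullmatch(condition)
    if not m:
        raise ValueError(f"malformed condition: {condition!r}")
    key, op, want = m.groups()
    have = os_release.get(key, "")
    if op == "=":
        return have == want
    if op == "!=":
        return have != want
    c = version_cmp(have, want)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]


def newest_label(labels):
    """Pick the newest GPT partition label, as the A/B root/usr selection does."""
    return max(labels, key=cmp_to_key(version_cmp))


if __name__ == "__main__":
    data = parse_os_release(SAMPLE_OS_RELEASE)
    for cond in ("ID=exampleos", "VERSION_ID>=11.10", "IMAGE_VERSION<249"):
        print(cond, check_os_release(cond, data))
    print(newest_label(["root-x86-64-10", "root-x86-64-9", "root-x86-64-10~rc1"]))
```

      The point worth checking when writing such conditions is that the
      relative operators are version comparisons, not string comparisons:
      "VERSION_ID>=11.10" is false for 11.4 here, whereas a plain lexical
      compare would make it true.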

    * hostnamed gained a new Describe() D-Bus method that returns a JSON
      serialization of the host data it exposes. This is exposed via
      "hostnamectl --json=" to acquire a host identity description in JSON.
      It's our intention to add similar features to most services and
      objects systemd manages, in order to simplify integration with
      program code that can consume JSON.

    * Similarly, networkd gained a Describe() method on its Manager and
      Link bus objects. This is exposed via "networkctl --json=".

    * hostnamectl's various "get-xyz"/"set-xyz" verb pairs
      (e.g. "hostnamectl get-hostname", "hostnamectl set-hostname") have
      been replaced by a single "xyz" verb (e.g. "hostnamectl hostname")
      that is used both to get the value (when no argument is given), and
      to set the value (when an argument is specified). The old names
      continue to be supported for compatibility.

    * systemd-detect-virt and ConditionVirtualization= are now able to
      correctly identify Amazon EC2 environments.

    * The LogLevelMax= setting of unit files now applies not only to log
      messages generated *by* the service, but also to log messages
      generated *about* the service by PID 1. To suppress logs concerning a
      specific service comprehensively, set this option to a high log
      level.

    * bootctl gained support for a new --make-machine-id-directory= switch
      that allows precise control on whether to create the top-level
      per-machine directory in the boot partition that typically contains
      Type 1 boot loader entries.

    * During build SBAT data to include in the systemd-boot EFI PE binaries
      may be specified now.

    * /etc/crypttab learnt a new option "headless". If specified any
      requests to query the user interactively for passwords or PINs will
      be skipped. This is useful on systems that are headless, i.e. where
      an interactive user is generally not present.

    * /etc/crypttab also learnt a new option "password-echo=" that allows
      configuring whether the encryption password prompt shall echo the
      typed password and if so, do so literally or via asterisks. (The
      default is the same behaviour as before: provide echo feedback via
      asterisks.)

    * FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and
      systemd-homed has been updated to allow explicit configuration of the
      "user presence" and "user verification" checks, as well as whether a
      PIN is required for authentication, via the new switches
      --fido2-with-user-presence=, --fido2-with-user-verification=,
      --fido2-with-client-pin= to systemd-cryptenroll and homectl. Which
      features are available, and may be enabled or disabled depends on the
      used FIDO2 token.

    * systemd-nspawn's --private-user= switch now accepts the special value
      "identity" which configures a user namespacing environment with an
      identity mapping of 65535 UIDs. This means the container UID 0 is
      mapped to the host UID 0, and the UID 1 to host UID 1. On first look
      this doesn't appear to be useful, however it does reduce the attack
      surface a bit, since the resulting container will possess process
      capabilities only within its namespace and not on the host.

    * systemd-nspawn's --private-user-chown switch has been replaced by a
      more generic --private-user-ownership= switch that accepts one of
      three values: "chown" is equivalent to the old --private-user-chown,
      and "off" is equivalent to the absence of the old switch. The value
      "map" uses the new UID mapping mounts of Linux 5.12 to map ownership
      of files and directories of the underlying image to the chosen UID
      range for the container. "auto" is equivalent to "map" if UID mapping
      mounts are supported, otherwise it is equivalent to "chown". The short
      -U switch systemd-nspawn now implies --private-user-ownership=auto
      instead of the old --private-user-chown. Effectively this means: if
      the backing file system supports UID mapping mounts the feature is
      now used by default if -U is used. Generally, it's a good idea to use
      UID mapping mounts instead of recursive chown()ing, since it allows
      running containers off immutable images (since no modifications of
      the images need to take place), and share images between multiple
      instances. Moreover, the recursive chown()ing operation is slow and
      can be avoided. Conceptually it's also a good thing if transient UID
      range uses do not leak into persistent file ownership anymore. TLDR:
      finally, the last major drawback of user namespacing has been
      removed, and -U should always be used (unless you use btrfs, where
      UID mapped mounts do not exist; or your container actually needs
      privileges on the host).

    * nss-systemd now synthesizes user and group shadow records in addition
      to the main user and group records. Thus, hashed passwords managed by
      systemd-homed are now accessible via the shadow database.

    * The userdb logic (and thus nss-systemd, and so on) now read
      additional user/group definitions in JSON format from the drop-in
      directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and
      /usr/lib/userdb/. This is a simple and powerful mechanism for making
      additional users available to the system, with full integration into
      NSS including the shadow databases. Since the full JSON user/group
      record format is supported this may also be used to define users with
      resource management settings and other runtime settings that
      pam_systemd and systemd-logind enforce at login.

    * The userdbctl tool gained two new switches --with-dropin= and
      --with-varlink= which can be used to fine-tune the sources used for
      user database lookups.

    * systemd-nspawn gained a new switch --bind-user= for binding a host
      user account into the container. This does three things: the user's
      home directory is bind mounted from the host into the container,
      below the /run/userdb/home/ hierarchy. A free UID is picked in the
      container, and a user namespacing UID mapping to the host user's UID
      installed. And finally, a minimal JSON user and group record (along
      with its hashed password) is dropped into /run/host/userdb/. These
      records are picked up automatically by the userdb drop-in logic
      described above, and allow the user to log in with the same password as
      on the host. Effectively this means: if host and container run new
      enough systemd versions making a host user available to the container
      is trivially simple.

    * systemd-journal-gatewayd now supports the switches --user, --system,
      --merge, --file= that are equivalent to the same switches of
      journalctl, and permit exposing only the specified subset of the
      Journal records.

    * The OnFailure= dependency between units is now augmented with an
      implicit reverse dependency OnFailureOf= (this new dependency cannot
      be configured directly; it's only created as effect of an OnFailure=
      dependency in the reverse order — it's visible in "systemctl show"
      however). Similarly, Slice= now has a reverse dependency SliceOf=,
      that is also not configurable directly, but useful to determine all
      units that are members of a slice.

    * A pair of new dependency types between units PropagatesStopTo= +
      StopPropagatedFrom= has been added, that allows propagation of unit
      stop events between two units. It operates similar to the existing
      PropagatesReloadTo= + ReloadPropagatedFrom= dependencies.

    * A new dependency type OnSuccess= has been added (plus the reverse
      dependency OnSuccessOf=, which cannot be configured directly, but
      exists only as effect of the reverse OnSuccess=). It is similar to
      OnFailure=, but triggers in the opposite case: when a service exits
      cleanly. This allows "chaining up" of services where one or more
      services are started once another service has successfully completed.

    * A new dependency type Upholds= has been added (plus the reverse
      dependency UpheldBy=, which cannot be configured directly, but exists
      only as effect of Upholds=). This dependency type is a stronger form
      of Wants=: if a unit has an Upholds= dependency on some other unit
      and the former is active then the latter is started whenever it is
      found inactive (and no job is queued for it). This is an alternative
      to Restart= inside service units, but less configurable, and the
      request to uphold a unit is not encoded in the unit itself but in
      another unit that intends to uphold it.

    * The systemd-ask-password tool now also supports reading passwords
      from the credentials subsystem, via the new --credential= switch.

    * The systemd-ask-password tool learnt a new switch --emoji= which may
      be used to explicitly control whether the lock and key emoji (🔐) is
      shown in the password prompt on suitable TTYs.

    * The --echo switch of systemd-ask-password now optionally takes a
      parameter that controls character echo. It may either show asterisks
      (default, as before), turn echo off entirely, or echo the typed
      characters literally.

    * The systemd-ask-password tool also gained a new -n switch for
      suppressing output of a trailing newline character when writing the
      acquired password to standard output, similar to /bin/echo's -n
      switch.

    * New documentation has been added that describes the organization of
      the systemd source code tree:

      https://systemd.io/ARCHITECTURE

    * Units using ConditionNeedsUpdate= will no longer be activated in
      the initrd.

    * It is now possible to list a template unit in the WantedBy= or
      RequiredBy= settings of the [Install] section of another template
      unit, which will be instantiated using the same instance name.

    * A new MemoryAvailable property is available for units. If the unit,
      or the slice(s) it is part of, have a memory limit set via MemoryMax=/
      MemoryHigh=, MemoryAvailable will indicate how much more memory the
      unit can claim before hitting the limit(s).

    * systemd-coredump will now try to stay below the cgroup memory limit
      placed on itself or one of the slices it runs under, if the storage
      area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs,
      since files written on such filesystems count toward the cgroup memory
      limit. If there is not enough available memory in such cases to store
      the core file uncompressed, systemd-coredump will skip to compressed
      storage directly (if enabled) and it will avoid analyzing the core file
      to print backtrace and metadata in the journal.

    * tmpfiles.d/ drop-ins gained a new '=' modifier to check if the type
      of a path matches the configured expectations, and remove it if not.

    * tmpfiles.d/'s 'Age' now accepts an 'age-by' argument, which allows
      specifying which of the several available filesystem timestamps (access
      time, birth time, change time, modification time) to look at when
      deciding whether a path has aged enough to be cleaned.

    * A new IPv6StableSecretAddress= setting has been added to .network
      files, which takes an IPv6 address to use as secret for IPv6 address
      generation.

    * The [DHCPServer] logic in .network files gained support for a new
      UplinkInterface= setting that permits configuration of the uplink
      interface name to propagate DHCP lease information from.

    * The WakeOnLan= setting in .link files now accepts a list of flags
      instead of a single one, to configure multiple wake-on-LAN policies.

    * Statically defined user-space tracepoints (USDT) have been added to
      udev at strategic locations. This is useful for tracing udev behaviour
      and performance with bpftrace and similar tools.

    * systemd-journald-upload gained a new NetworkTimeoutSec= option for
      setting a network timeout time.

    * If a system service is running in a new mount namespace (RootDirectory=
      and friends), all file systems will be mounted with MS_NOSUID by
      default, unless the system is running with SELinux enabled.
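      The point of MS_NOSUID here is that a setuid binary reachable inside
      the service's mount namespace (for example via a RootDirectory= that
      bind-mounts parts of the host) no longer grants privilege when
      executed. Whether a given service actually got the flag can be
      verified from its own mount table. The script below is an added
      example, not systemd's code: it reads /proc/<pid>/mountinfo text on
      stdin and prints every mount point whose option list lacks "nosuid".
      The embedded mountinfo lines are constructed sample data, not taken
      from a real system.

```shell
#!/bin/sh
# Added example, not systemd's code: audit the mounts visible inside a
# service's mount namespace and report the ones missing "nosuid".
# Input is /proc/<pid>/mountinfo text on stdin. Per proc(5), field 5 is the
# mount point and field 6 is the per-mount option list.
set -eu

# mounts_without_nosuid: prints the mount point of each input line whose
# option field does not contain "nosuid", one per line. The option list is
# wrapped in commas so that the match is on a whole option, not a substring.
mounts_without_nosuid() {
    awk '{ opts = "," $6 ","; if (opts !~ /,nosuid,/) print $5 }'
}

# Constructed sample (not from a real system) of what a RootDirectory=
# service might see: the root, /dev and /usr carry nosuid, /proc does not.
SAMPLE_MOUNTINFO='22 1 0:22 / / rw,nosuid,nodev,relatime - tmpfs tmpfs rw
23 22 0:5 / /dev rw,nosuid,noexec,relatime - devtmpfs devtmpfs rw,size=4096k
24 22 0:21 / /proc rw,relatime - proc proc rw
25 22 8:1 /srv/app/usr /usr ro,nosuid,nodev,relatime - ext4 /dev/sda1 rw'

# Stand-alone run: prints "/proc".
printf '%s\n' "$SAMPLE_MOUNTINFO" | mounts_without_nosuid
```

      Against a live service, feed it the mount table from inside the
      service's namespace, e.g.
      nsenter -t "$(systemctl show -p MainPID --value app.service)" -m
      cat /proc/self/mountinfo | mounts_without_nosuid. An empty result is
      the expected outcome on a non-SELinux system; on a system running with
      SELinux enabled the default described above does not apply, so mounts
      will show up unless nosuid was requested explicitly.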

    * When enumerating time zones the timedatectl tool will now consult the
      'tzdata.zi' file shipped by the IANA time zone database package, in
      addition to 'zone1970.tab', as before. This makes sure time zone
      aliases are now correctly supported. Some distributions so far did
      not install this additional file, though most do. If your
      distribution does not install it yet, it might make sense to change
      that.

    Contributions from: Aakash Singh, adrian5, Albert Brox,
    Alexander Sverdlin, Alexander Tsoy, Alexey Rubtsov, alexlzhu,
    Allen Webb, Alvin Šipraga, Alyssa Ross, Anders Wenhaug,
    Andrea Pappacoda, Anita Zhang, asavah, Balint Reczey, Bertrand Jacquin,
    borna-blazevic, caoxia2008cxx, Carlo Teubner, Christian Göttsche,
    Christian Hesse, Daniel Schaefer, Dan Streetman,
    David Santamaría Rogado, David Tardon, Deepak Rawat, dgcampea,
    Dimitri John Ledkov, ei-ke, Emilio Herrera, Emil Renner Berthing,
    Eric Cook, Flos Lonicerae, Franck Bui, Francois Gervais,
    Frantisek Sumsal, Gibeom Gwon, gitm0, Hamish Moffatt, Hans de Goede,
    Harsh Barsaiyan, Henri Chain, Hristo Venev, Icenowy Zheng, Igor Zhbanov,
    imayoda, Jakub Warczarek, James Buren, Jan Janssen, Jan Macku,
    Jan Synacek, Jason Francis, Jayanth Ananthapadmanaban, Jeremy Szu,
    Jérôme Carretero, Jesse Stricker, jiangchuangang, Joerg Behrmann,
    Jóhann B. Guðmundsson, Jörg Deckert, Jörg Thalheim, Juergen Hoetzel,
    Julia Kartseva, Kai-Heng Feng, Khem Raj, KoyamaSohei, laineantti,
    Lennart Poettering, LetzteInstanz, Luca Adrian L, Luca Boccassi,
    Lucas Magasweran, Mantas Mikulėnas, Marco Antonio Mauro, Mark Wielaard,
    Masahiro Matsuya, Matt Johnston, Michael Catanzaro, Michal Koutný,
    Michal Sekletár, Mike Crowe, Mike Kazantsev, Milan, milaq,
    Miroslav Suchý, Morten Linderud, nerdopolis, nl6720, Noah Meyerhans,
    Oleg Popov, Olle Lundberg, Ondrej Kozina, Paweł Marciniak, Perry.Yuan,
    Peter Hutterer, Peter Kjellerstedt, Peter Morrow, Phaedrus Leeds,
    plattrap, qhill, Raul Tambre, Roman Beranek, Roshan Shariff,
    Ryan Hendrickson, Samuel BF, scootergrisen, Sebastian Blunt,
    Seong-ho Cho, Sergey Bugaev, Sevan Janiyan, Sibo Dong, simmon,
    Simon Watts, Srinidhi Kaushik, Štěpán Němec, Steve Bonds, Susant Sahani,
    sverdlin, syyhao1994, Takashi Sakamoto, Topi Miettinen, tramsay,
    Trent Piepho, Uwe Kleine-König, Viktor Mihajlovski, Vincent Dechenaux,
    Vito Caputo, William A. Kennington III, Yangyang Shen, Yegor Alexeyev,
    Yi Gao, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsien, наб

    — Edinburgh, 2021-07-07
systemd - v249-rc3

Published by poettering over 3 years ago