forked from systemd/systemd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
14728 lines (11980 loc) · 781 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
systemd System and Service Manager
CHANGES WITH 252 in spe:
Announcement of Future Feature Removal:
* Please note that we intend to remove cgroupsv1 support from systemd
release after EOY 2023. If you run services that make explicit use of
cgroupsv1 features, please implement compatibility with cgroupsv2
sooner rather than later, if you haven't done so yet. Most of Linux
userspace has been ported over already.
* Please note that we intend to remove support for split-usr and
unmerged-usr. This will happen in the second half of 2023, in the
first release that falls into that time window. For more details, see:
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
Compatibility Breaks:
* ConditionKernelVersion= checks that use the = or != operator will now
do simple string compares (as opposed to version compare – á la
stverscmp() — as before, which is still done for the ordering
operators <, >, <=, >=). Moreover, if no operator is specified a
shell-style glob match is now done. This creates a minor
incompatibility compared to older systemd versions, in case the *, ?,
[, ], characters have been used in such condition expressions before,
as these will now match per shell glob rules instead of
literally. Given that kernel version strings typically do not include
these characters we expect little breakage through this change.
New Features:
* systemd-measure is a new helper to precalculate PCR measurements
to make it easier to set TPM2 policies.
Changes in systemd itself, i.e. the manager, and units
* The cpu controller is delegated to user manager units, and CPUWeight=
settings are applied to the top-level user slice units (app.slice,
background.slice, session.slice). This provides a degree of resource
isolation between different user services competing for the CPU.
* Systemd can optionally do a full preset in the "first boot" condition
(instead of just enable-only). This behaviour is controlled by the
compile-time option -Dfirst-boot-full-preset=. Right now it defaults
to 'false', but the plan is to switch it to 'true' for the subsequent
release.
* Systemd will set the taint flag 'support-ended' if it detects that
the os image is past its end-of-support date.
* Two new settings ConditionCredential= and AssertCredential= can
be used to skip or fail units if a certain credential is not provided.
* ConditionMemory= accepts size suffixes.
* DefaultSmackProcessLabel= can be used in system.conf and user.conf
to specify the smack label to use when not specified in a unit file.
* DefaultDeviceTimeoutSec= can be used system.conf and user.conf
to specify the default timeout for devices.
* C.UTF-8 is used as the default locale if nothing else has been configured.
* Extend [Condition|Assert]Firmware= to conditionalize on certain SMBIOS
fields. For example
ConditionFirmware=smbios-field(board_name = "Custom Board") will
conditionalize a unit so that it is only run when
/sys/class/dmi/id/board_name contains "Custom Board" (without quotes).
* ConditionFirstBoot= now correctly evaluates as true only during the
boot phase of the first boot. A unit re-ran later, after booting has
completed, will no longer evaluate this condition as true.
* Socket units will now create sockets in the SELinuxContext= of the
associated service unit, if any.
* Boot phase transitions (start initrd -> exit initrd -> boot complete
-> shutdown) will be measured into PCR11, so that secrets can be bound
to specific runtime phases. E.g.: a LUKS encryption key can be
unsealed only in the initrd.
* Credentials will now also be provided to ExecStartPre= processes.
* Various units are now correctly ordered with initrd-switch-root.target
where previously some were just (indirectly) ordered only with
initrd-switch-root.service.
* In order to fully support the IPMI watchdog driver, which has not yet
been ported to the new numbered device interface, /dev/watchdog0 will
be tried first and systemd will silently fallback to /dev/watchdog if
it is not found.
* New watchdog-related D-Bus properties are now published by systemd:
WatchdogDevice, WatchdogLastPingTimestamp,
WatchdogLastPingTimestampMonotonic.
* At shutdown, API VFS (proc, sys, etc.) will be umounted lazily.
* A new meson build option 'clock-valid-range-usec-max' was added to
allow disabling system time correction if rtc returns a timestamp far
in the future.
* Don't discard propagated restart jobs will no longer be discarded when
a unit is activating.
Changes in sd-boot, bootctl, and the Boot Loader Specification:
* The Boot Loader Specification has been cleaned up and clarified.
Various corner cases in version string comparisons have been fixed
(e.g. comparisons for empty strings). Boot counting is now part of
the main specification.
* New PCRs measurements are set during boot: PCR 11 for the the
kernel+initrd combo, PCR 13 for any sysext images.
* The UEFI monotonic boot counter is now included in the random seed,
providing some additional entropy.
* Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
is now supported.
* bootctl gained a bunch of new options: '--all-architectures' to
install binaries for all supported EFI architectures, '--root=' and
'--image=' options to operate on a directory or disk image, and
'--install-source=' to specify the source for binaries to install,
'--efi-boot-option-description' to control the name of the boot entry.
* The sd-boot stub exports a StubFeatures flag, which is used by
bootctl to show features supported by the stub that was used to boot.
* sd-boot will now try to detect and warn about overlapping PE sections.
* sd-stub now accepts (and passes to the initrd and then to the full OS)
new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
signatures of PCR policies, to allow sealing secrets via the TPM2
against pre-calculated PCR measurements.
Changes in the hardware database:
* 'systemd-hwdb query' now supports the '--root' option.
Changes in systemctl:
* systemctl now supports '--state' and '--type' options for the 'show'
and 'status' verbs.
* systemctl gained a new verb 'list-automounts' to list automount
points.
Changes in systemd-networkd:
* networkd can set Linux NetLabel labels for integration with the
network control in security modules via a new NetLabel= option.
* networkd gained new options NFTSet=, IPv4NFTSet=, IPv6NFTSet= that
take names of nft sets as arguments. It will automatically add rules
for the subnets configured for an interface to those sets.
* The RapidCommit= is (re-)introduced to enable faster configuration
via DHCPv6 (RFC 3315).
* networkd gained a new option TCPCongestionControlAlgorithm= that
allows setting a per-route TCP algorithm.
* networkd gained a new option KeepFileDescriptor= to allow keeping a
reference (file descriptor) open on TUN/TAP interfaces, which is
useful to avoid link flaps while the underlying service providing the
interface is being serviced.
Changes in systemd-nspawn:
* The --bind= and --overlay= options now support relative paths.
* The --bind= option now supports a 'rootidmap' value, which will
use id-mapped mounts to map the root user inside the container to the
owner of the mounted directory on the host.
Changes in libsystemd and other libraries:
* libsystemd now exports sd_bus_error_setfv (a convenience function for
setting bus errors), sd_id128_string_equal (a convenience function
for identifier comparisons), sd_bus_message_read_strv_extend (a
function to incrementally read string arrays).
* libsystemd now exports sd_device_get_child_first/next as a high-level
interface for enumerating child devices.
* libsystemd now exports sd_device_monitor_set/get_description which
allow to set a custom description that will be used in log messages by
sd_device_monitor*.
* Private shared libraries (libsystemd-shared-nnn.so,
libsystemd-core-nnn.so) are now installed into arch-specific
directories to allow multi-arch installs.
* A new sd-gpt.h header is now published, listing GUIDs from the
Discoverable Partitions specification. For more details see:
https://systemd.io/DISCOVERABLE_PARTITIONS/
Changes in other components:
* sysusers and tmpfiles configuration can now be provided via the
credential mechanism.
* tmpfiles can read file contents to write from a credential (and a new
modifier char '^' to specify that the argument is a credential name).
This mechanism is used to automatically populate /etc/motd, /etc/issue,
and /etc/hosts from credentials.
* tmpfiles will now avoid changing uid/gid/mode of an inode if the
specification is prefixed with ':' and the inode already exists.
* tmpfiles will automatically use an 'ssh.authorized_keys.root'
credential if provided to set up the authorized_keys file for the root
user.
* tmpfiles will now gracefully handle absent source of "C" copy lines.
* systemd-analyze gained a new verb 'compare-versions' that implements
comparisons for versions strings (similarly to 'rpmdev-vercmp' and
'dpkg --compare-versions').
* The pkgconfig and rpm macros files now export the directory for user
units as 'user_tmpfiles_dir' and '_user_tmpfilesdir'.
* Detection of Parallels and KubeVirt virtualization has been improved.
* os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
user when their system will become unsupported.
* When performing suspend-then-hibernate, the system will estimate the
discharge rate and use that to set the delay until hibernation, and
will hibernate immediately instead of suspending when running from a
battery and the capacity is below 5%.
* systemd-sysctl gained a '--strict' option to fail when a sysctl
setting is unknown to the kernel.
* machinectl supports '--force' for the 'copy-to' and 'copy-from'
verbs.
* openssl is the default crypto backend for systemd-resolved. (gnutls
is still supported.)
* journalctl -o (and similar commands) now understands a new output mode
"short-delta". It is similar to "short-monotonic" but also shows the
time delta between two messages.
* journalctl now respects the '--quiet' flag when verifying journal files
consistency.
* systemd-journald log messages gained a new implicit field
'_RUNTIME_SCOPE=' that will indicate whether a message was logged in
the 'initrd' phase or in the 'system' phase of the boot process.
* systemd-run's '--working-directory' now works when used together with
'--scope'.
* portablectl gained a '--force' flag (and a corresponding 0x2 flag is
now accepted by the *WithExtensions() D-Bus methods of portabled) to
skip certain sanity checks. For now, this means that on attach/detach
it will not be checked whether the unit(s) are already present and/or
running. Callers must be sure to do those checks themselves.
* systemd-portabled will now use the original filename to check
extension-release.NAME for correctness, in case it is passed a
symlink.
* systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
too.
* sysext's extension-release now support '_any' as a special value for
the ID= field, to allow distribution-independent extensions (e.g.:
fully statically compiled binaries, scripts).
* systemd-resolved now persists DNSOverTLS in its state file too. This
fixes a problem when used in combination with NetworkManager, which
sends the setting only once, causing it to be lost if resolved was
restarted at any point during runtime.
* systemd-resolved now exposes a varlink socket, which requires root to
connect to, at /run/systemd/resolve/io.systemd.Resolve.Monitor
When a varlink client connects, processed DNS requests will be
published on this monitor socket in JSON format.
resolvectl gained a 'monitor' verb to use this socket.
* systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
instead of returning SERVFAIL, as per RFC:
https://datatracker.ietf.org/doc/html/rfc6840#section-5.2
* systemd-repart now supports creating squashfs partitions. Requires
squashfs-tools (mksquashfs).
* systemd-repart gained a '--split' flag to make it also generate split
artifacts, ie, a separate file for each partition. This is useful in
conjuction with systemd-sysupdate or other tools, or to generate split
dm-verity artifacts.
* systemd-repart is now able to generate dm-verity partitions, including
signatures.
* systemd-repart is now able to set a partition UUID to zero. This is
useful when we need to fill in the UUID later, such as when using
verity partitions.
* systemd-repart now supports drop-ins for its configuration files.
* Package metadata logged by systemd-coredump in the system journal are
now more compact.
* xdg-autostart-service now expands 'tilde' characters in Exec lines.
* systemd-oomd now automatically links against libatomic, if available.
* systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
killed.
* scope units now also provide oom-kill status.
* systemd-pstore will now try to load only the efi_pstore kernel module,
instead of all possible modules that it supports.
* systemd-logind gained a new StopIdleSessionSec= option to stop an idle
session after a preconfigure timeout.
* systemd-homed will now wait up to 30 seconds for workers to terminate,
rather than indefinitely.
* systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
variable when generating the 'sp_lstchg' field, to ensure an image
build can be reproducible.
* udevadmn 'wait' will now listen to kernel uevents too when called with
'--initialized=no'.
* systemd-udevd will now assume the system is running on AC power if no
battery can be found.
* All features and tools using the TPM2 will now communicate with it
using a bind key. Beforehand, the tpm2 support used encrypted sessions
by creating a primary key that was used to encrypt traffic. This
creates a problem as the key created for encrypting the traffic could
be faked by an active interposer on the bus. In cases when a pin is
used, a bind key will be used. The pin is used as the auth value for
the seal key, aka the disk encryption key, and that auth value will be
used in the session establishment. An attacker would need the pin
value to create the secure session and thus an active interposer
without the pin cannot interpose on TPM traffic.
* systemd-growfs no longer requires udev to run.
* systemd-backlight now will better support systems with multiple
graphic cards.
* systemd-cryptsetup's keyfile-timeout= option now also works when a
device is used as a keyfile.
* systemd-cryptenroll gained a new '--unlock-key-file=' option to get
the key from a file instead of STDIN.
* systemd-dissect gained a new '--umount' option that will safely and
synchronously umount all partitions of a mounted image.
* When using gcrypt, all systemd tools and services will now configure
it to prefer the OS RNG if there is one.
Experimental features:
* BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
and bpftool >= 7.0).
* sd-boot can automatically enroll SecureBoot keys from files found on
the ESP. This enrollment can be either automatic ('force' mode) or
controlled by the user ('manual' mode).
– Somewhere, sometime
CHANGES WITH 251:
Backwards-incompatible changes:
* The minimum kernel version required has been bumped from 3.13 to 4.15,
and CLOCK_BOOTTIME is now assumed to always exist.
* C11 with GNU extensions (aka "gnu11") is now used to build our
components. Public API headers are still restricted to ISO C89.
* In v250, a systemd-networkd feature that automatically configures
routes to addresses specified in AllowedIPs= was added and enabled by
default. However, this causes network connectivity issues in many
existing setups. Hence, it has been disabled by default since
systemd-stable 250.3. The feature can still be used by explicitly
configuring RouteTable= setting in .netdev files.
* Jobs started via StartUnitWithFlags() will no longer return 'skipped'
when a Condition*= check does not succeed, restoring the JobRemoved
signal to the behaviour it had before v250.
* The org.freedesktop.portable1 methods GetMetadataWithExtensions() and
GetImageMetadataWithExtensions() have been fixed to provide an extra
return parameter, containing the actual extension release metadata.
The current implementation was judged to be broken and unusable, and
thus the usual procedure of adding a new set of methods was skipped,
and backward compatibility broken instead on the assumption that
nobody can be affected given the current state of this interface.
* All kernels supported by systemd mix bytes returned by RDRAND (or
similar) into the entropy pool at early boot. This means that on
those systems, even if /dev/urandom is not yet initialized, it still
returns bytes that are of at least RDRAND quality. For that reason,
we no longer have reason to invoke RDRAND from systemd itself, which
has historically been a source of bugs. Furthermore, kernels ≥5.6
provide the getrandom(GRND_INSECURE) interface for returning random
bytes before the entropy pool is initialized without warning into
kmsg, which is what we attempt to use if available. systemd's direct
usage of RDRAND has been removed. x86 systems ≥Broadwell that are
running an older kernel may experience kmsg warnings that were not
seen with 250. For newer kernels, non-x86 systems, or older x86
systems, there should be no visible changes.
* sd-boot will now measure the kernel command line into TPM PCR 12
rather than PCR 8. This improves usefulness of the measurements on
systems where sd-boot is chainloaded from Grub. Grub measures all
commands its executes into PCR 8, which makes it very hard to use
reasonably, hence separate ourselves from that and use PCR 12
instead, which is what certain Ubuntu editions already do. To retain
compatibility with systems running older systemd systems a new meson
option 'efi-tpm-pcr-compat' has been added (which defaults to false).
If enabled, the measurement is done twice: into the new-style PCR 12
*and* the old-style PCR 8. It's strongly advised to migrate all users
to PCR 12 for this purpose in the long run, as we intend to remove
this compatibility feature in two years' time.
* busctl capture now writes output in the newer pcapng format instead
of pcap.
* A udev rule that imported hwdb matches for USB devices with lowercase
hexadecimal vendor/product ID digits was added in systemd 250. This
has been reverted, since uppercase hexadecimal digits are supposed to
be used, and we already had a rule with the appropriate match.
Users might need to adjust their local hwdb entries.
* arch_prctl(2) has been moved to the @default set in the syscall filters
(as exposed via the SystemCallFilter= setting in service unit files).
It is apparently used by the linker now.
* The tmpfiles entries that create the /run/systemd/netif directory and
its subdirectories were moved from tmpfiles.d/systemd.conf to
tmpfiles.d/systemd-network.conf.
Users might need to adjust their files that override tmpfiles.d/systemd.conf
to account for this change.
* The requirement for Portable Services images to contain a well-formed
os-release file (i.e.: contain at least an ID field) is now enforced.
This applies to base images and extensions, and also to systemd-sysext.
Changes in the Boot Loader Specification, kernel-install and sd-boot:
* kernel-install's and bootctl's Boot Loader Specification Type #1
entry generation logic has been reworked. The user may now pick
explicitly by which "token" string to name the installation's boot
entries, via the new /etc/kernel/entry-token file or the new
--entry-token= switch to bootctl. By default — as before — the
entries are named after the local machine ID. However, in "golden
image" environments, where the machine ID shall be initialized on
first boot (as opposed to at installation time before first boot) the
machine ID will not be available at build time. In this case the
--entry-token= switch to bootctl (or the /etc/kernel/entry-token
file) may be used to override the "token" for the entries, for
example the IMAGE_ID= or ID= fields from /etc/os-release. This will
make the OS images independent of any machine ID, and ensure that the
images will not carry any identifiable information before first boot,
but on the other hand means that multiple parallel installations of
the very same image on the same disk cannot be supported.
Summary: if you are building golden images that shall acquire
identity information exclusively on first boot, make sure to both
remove /etc/machine-id *and* to write /etc/kernel/entry-token to the
value of the IMAGE_ID= or ID= field of /etc/os-release or another
suitable identifier before deploying the image.
* The Boot Loader Specification has been extended with
/loader/entries.srel file located in the EFI System Partition (ESP)
that disambiguates the format of the entries in the /loader/entries/
directory (in order to discern them from incompatible uses of this
directory by other projects). For entries that follow the
Specification, the string "type1" is stored in this file.
bootctl will now write this file automatically when installing the
systemd-boot boot loader.
* kernel-install supports a new initrd_generator= setting in
/etc/kernel/install.conf, that is exported as
$KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This
allows choosing different initrd generators.
* kernel-install will now create a "staging area" (an initially-empty
directory to gather files for a Boot Loader Specification Type #1
entry). The path to this directory is exported as
$KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should
drop files there instead of writing them directly to the final
location. kernel-install will move them when all files have been
prepared successfully.
* New option sort-key= has been added to the Boot Loader Specification
to override the sorting order of the entries in the boot menu. It is
read by sd-boot and bootctl, and will be written by kernel-install,
with the default value of IMAGE_ID= or ID= fields from
os-release. Together, this means that on multiboot installations,
entries should be grouped and sorted in a predictable way.
* The sort order of boot entries has been updated: entries which have
the new field sort-key= are sorted by it first, and all entries
without it are ordered later. After that, entries are sorted by
version so that newest entries are towards the beginning of the list.
* The kernel-install tool gained a new 'inspect' verb which shows the
paths and other settings used.
* sd-boot can now optionally beep when the menu is shown and menu
entries are selected, which can be useful on machines without a
working display. (Controllable via a loader.conf setting.)
* The --make-machine-id-directory= switch to bootctl has been replaced
by --make-entry-directory=, given that the entry directory is not
necessarily named after the machine ID, but after some other suitable
ID as selected via --entry-token= described above. The old name of
the option is still understood to maximize compatibility.
* 'bootctl list' gained support for a new --json= switch to output boot
menu entries in JSON format.
* 'bootctl is-installed' now supports the --graceful, and various verbs
omit output with the new option --quiet.
Changes in systemd-homed:
* Starting with v250 systemd-homed uses UID/GID mapping on the mounts
of activated home directories it manages (if the kernel and selected
file systems support it). So far it mapped three UID ranges: the
range from 0…60000, the user's own UID, and the range 60514…65534,
leaving everything else unmapped (in other words, the 16bit UID range
is mapped almost fully, with the exception of the UID subrange used
for systemd-homed users, with one exception: the user's own UID).
Unmapped UIDs may not be used for file ownership in the home
directory — any chown() attempts with them will fail. With this
release a fourth range is added to these mappings:
524288…1879048191. This range is the UID range intended for container
uses, see:
https://systemd.io/UIDS-GIDS
This range may be used for container managers that place container OS
trees in the home directory (which is a questionable approach, for
quota, permission, SUID handling and network file system
compatibility reasons, but nonetheless apparently commonplace). Note
that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
UID assignments from the range are not managed or mapped by
`systemd-homed`, and must be managed with other mechanisms, in the
context of the local system.
Typically, a better approach to user namespacing in relevant
container managers would be to leave container OS trees on disk at
UID offset 0, but then map them to a dynamically allocated runtime
UID range via another UID mount map at container invocation
time. That way user namespace UID ranges become strictly a runtime
concept, and do not leak into persistent file systems, persistent
user databases or persistent configuration, thus greatly simplifying
handling, and improving compatibility with home directories intended
to be portable like the ones managed by systemd-homed.
Changes in shared libraries:
* A new libsystemd-core-<version>.so private shared library is
installed under /usr/lib/systemd/system, mirroring the existing
libsystemd-shared-<version>.so library. This allows the total
installation size to be reduced by binary code reuse.
* The <version> tag used in the name of libsystemd-shared.so and
libsystemd-core.so can be configured via the meson option
'shared-lib-tag'. Distributions may build subsequent versions of the
systemd package with unique tags (e.g. the full package version),
thus allowing multiple installations of those shared libraries to be
available at the same time. This is intended to fix an issue where
programs that link to those libraries would fail to execute because
they were installed earlier or later than the appropriate version of
the library.
* The sd-id128 API gained a new call sd_id128_to_uuid_string() that is
similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID
format instead of as a simple series of hex characters.
* The sd-device API gained two new calls sd_device_new_from_devname()
and sd_device_new_from_path() which permit allocating an sd_device
object from a device node name or file system path.
* sd-device also gained a new call sd_device_open() which will open the
device node associated with a device for which an sd_device object
has been allocated. The call is supposed to address races around
device nodes being removed/recycled due to hotplug events, or media
change events: the call checks internally whether the major/minor of
the device node and the "diskseq" (in case of block devices) match
with the metadata loaded in the sd_device object, thus ensuring that
the device once opened really matches the provided sd_device object.
Changes in PID1, systemctl, and systemd-oomd:
* A new set of service monitor environment variables will be passed to
OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the
handler unit as OnFailure=/OnSuccess=. The variables are:
$MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
$MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single
handler needs to watch multiple units, use a templated handler.
* A new ExtensionDirectories= setting in service unit files allows
system extensions to be loaded from a directory. (It is similar to
ExtensionImages=, but takes paths to directories, instead of
disk image files.)
'portablectl attach --extension=' now also accepts directory paths.
* The user.delegate and user.invocation_id extended attributes on
cgroups are used in addition to trusted.delegate and
trusted.invocation_id. The latter pair requires privileges to set,
but the former doesn't and can be also set by the unprivileged user
manager.
(Only supported on kernels ≥5.6.)
* Units that were killed by systemd-oomd will now have a service result
of 'oom-kill'. The number of times a service was killed is tallied
in the 'user.oomd_ooms' extended attribute.
The OOMPolicy= unit file setting is now also honoured by
systemd-oomd.
* In unit files the new %y/%Y specifiers can be used to refer to
normalized unit file path, which is particularly useful for symlinked
unit files.
The new %q specifier resolves to the pretty hostname
(i.e. PRETTY_HOSTNAME= from /etc/machine-info).
The new %d specifier resolves to the credentials directory of a
service (same as $CREDENTIALS_DIRECTORY).
* The RootDirectory=, MountAPIVFS=, ExtensionDirectories=,
*Capabilities*=, ProtectHome=, *Directory=, TemporaryFileSystem=,
PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=,
PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=,
ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
MountFlags= service settings now also work in unprivileged user
services, i.e. those run by the user's --user service manager, as long
as user namespaces are enabled on the system.
* Services with Restart=always and a failing ExecCondition= will no
longer be restarted, to bring ExecCondition= behaviour in line with
Condition*= settings.
* LoadCredential= now accepts a directory as the argument; all files
from the directory will be loaded as credentials.
* A new D-Bus property ControlGroupId is now exposed on service units,
that encapsulates the service's numeric cgroup ID that newer kernels
assign to each cgroup.
* PID 1 gained support for configuring the "pre-timeout" of watchdog
devices and the associated governor, via the new
RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration
options in /etc/systemd/system.conf.
* systemctl's --timestamp= option gained a new choice "unix", to show
timestamp as unix times, i.e. seconds since 1970, Jan 1st.
* A new "taint" flag named "old-kernel" is introduced which is set when
the kernel systemd runs on is older then the current baseline version
(see above). The flag is shown in "systemctl status" output.
* Two additional taint flags "short-uid-range" and "short-gid-range"
have been added as well, which are set when systemd notices it is run
within a userns namespace that does not define the full 0…65535 UID
range
* A new "unmerged-usr" taint flag has been added that is set whenever
running on systems where /bin/ + /sbin/ are *not* symlinks to their
counterparts in /usr/, i.e. on systems where the /usr/-merge has not
been completed.
* Generators invoked by PID 1 will now have a couple of useful
environment variables set describing the execution context a
bit. $SYSTEMD_SCOPE encodes whether the generator is called from the
system service manager, or from the per-user service
manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked
in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether
systemd considers the current boot to be a "first"
boot. $SYSTEMD_VIRTUALIZATION encode whether virtualization is
detected and which type of hypervisor/container
manager. $SYSTEMD_ARCHITECTURE indicates which architecture the
kernel is built for.
* PID 1 will now automatically pick up system credentials from qemu's
fw_cfg interface, thus allowing passing arbitrary data into VM
systems similar to how this is already supported for passing them
into `systemd-nspawn` containers. Credentials may now also be passed
in via the new kernel command line option `systemd.set_credential=`
(note that kernel command line options are world-readable during
runtime, and only useful for credentials that require no
confidentiality). The credentials that can be passed to unified
kernels that use the `systemd-stub` UEFI stub are now similarly
picked up automatically. Automatic importing of system credentials
this way can be turned off via the new
`systemd.import_credentials=no` kernel command line option.
* LoadCredential= will now automatically look for credentials in the
/etc/credstore/, /run/credstore/, /usr/lib/credstore/ directories if
the argument is not an absolute path. Similarly,
LoadCredentialEncrypted= will check the same directories plus
/etc/credstore.encrypted/, /run/credstore.encrypted/ and
/usr/lib/credstore.encrypted/. The idea is to use those directories
as the system-wide location for credentials that services should pick
up automatically.
* System and service credentials are described in great detail in a new
document:
https://systemd.io/CREDENTIALS
Changes in systemd-journald:
* The journal JSON export format has been added to listed of stable
interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/).
* journalctl --list-boots now supports JSON output and the --reverse option.
* Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and
updated, BUILDING_IMAGES is new:
https://systemd.io/JOURNAL_EXPORT_FORMATS
https://systemd.io/BUILDING_IMAGES
Changes in udev:
* Two new hwdb files have been added. One lists "handhelds" (PDAs,
calculators, etc.), the other AV production devices (DJ tables,
keypads, etc.) that should accessible to the seat owner user by
default.
* udevadm trigger gained a new --prioritized-subsystem= option to
process certain subsystems (and all their parent devices) earlier.
systemd-udev-trigger.service now uses this new option to trigger
block and TPM devices first, hopefully making the boot a bit faster.
* udevadm trigger now implements --type=all, --initialized-match,
--initialized-nomatch to trigger both subsystems and devices, only
already-initialized devices, and only devices which haven't been
initialized yet, respectively.
* udevadm gained a new "wait" command for safely waiting for a specific
device to show up in the udev device database. This is useful in
scripts that asynchronously allocate a block device (e.g. through
repartitioning, or allocating a loopback device or similar) and need
to synchronize on the creation to complete.
* udevadm gained a new "lock" command for locking one or more block
devices while formatting it or writing a partition table to it. It is
an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and
usable in scripts dealing with block devices.
* udevadm info will show a couple of additional device fields in its
output, and will not apply a limited set of coloring to line types.
* udevadm info --tree will now show a tree of objects (i.e. devices and
suchlike) in the /sys/ hierarchy.
* Block devices will now get a new set of device symlinks in
/dev/disk/by-diskseq/<nr>, which may be used to reference block
device nodes via the kernel's "diskseq" value. Note that this does
not guarantee that opening a device by a symlink like this will
guarantee that the opened device actually matches the specified
diskseq value. To be safe against races, the actual diskseq value of
the opened device (BLKGETDISKSEQ ioctl()) must still be compred with
the one in the symlink path.
* .link files gained support for setting MDI/MID-X on a link.
* .link files gained support for [Match] Firmware= setting to match on
the device firmware description string. By mistake, it was previously
only supported in .network files.
* .link files gained support for [Link] SR-IOVVirtualFunctions= setting
and [SR-IOV] section to configure SR-IOV virtual functions.
Changes in systemd-networkd:
* The default scope for unicast routes configured through [Route]
section is changed to "link", to make the behavior consistent with
"ip route" command. The manual configuration of [Route] Scope= is
still honored.
* A new unit systemd-networkd-wait-online@<interface>.service has been
added that can be used to wait for a specific network interface to be
up.
* systemd-networkd gained a new [Bridge] Isolated=true|false setting
that configures the eponymous kernel attribute on the bridge.
* .netdev files now can be used to create virtual WLAN devices, and
configure various settings on them, via the [WLAN] section.
* .link/.network files gained support for [Match] Kind= setting to match
on device kind ("bond", "bridge", "gre", "tun", "veth", etc.)
This value is also shown by 'networkctl status'.
* The Local= setting in .netdev files for various virtual network
devices gained support for specifying, in addition to the network
address, the name of a local interface which must have the specified
address.
* systemd-networkd gained a new [Tunnel] External= setting in .netdev
files, to configure tunnels in external mode (a.k.a. collect metadata
mode).
* [Network] L2TP= setting was removed. Please use interface specifier in
Local= setting in .netdev files of corresponding L2TP interface.
* New [DHCPServer] BootServerName=, BootServerAddress=, and
BootFilename= settings can be used to configure the server address,
server name, and file name sent in the DHCP packet (e.g. to configure
PXE boot).
Changes in systemd-resolved:
* systemd-resolved is started earlier (in sysinit.target), so it
available earlier and will also be started in the initrd if installed
there.
Changes in disk encryption:
* systemd-cryptenroll can now control whether to require the user to
enter a PIN when using TPM-based unlocking of a volume via the new
--tpm2-with-pin= option.
Option tpm2-pin= can be used in /etc/crypttab.
* When unlocking devices via TPM, TPM2 parameter encryption is now
used, to ensure that communication between CPU and discrete TPM chips
cannot be eavesdropped to acquire disk encryption keys.
* A new switch --fido2-credential-algorithm= has been added to
systemd-cryptenroll allowing selection of the credential algorithm to
use when binding encryption to FIDO2 tokens.
Changes in systemd-hostnamed:
* HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info
to override the values gleaned from the hwdb.
* A ID_CHASSIS property can be set in the hwdb (for the DMI device
/sys/class/dmi/id) to override the chassis that is reported by
hostnamed.
* hostnamed's D-Bus interface gained a new method GetHardwareSerial()
for reading the hardware serial number, as reportd by DMI. It also
exposes a new method D-Bus property FirmwareVersion that encode the
firmware version of the system.
Changes in other components:
* /etc/locale.conf is now populated through tmpfiles.d factory /etc/
handling with the values that were configured during systemd build
(if /etc/locale.conf has not been created through some other
mechanism). This means that /etc/locale.conf should always have
reasonable contents and we avoid a potential mismatch in defaults.
* The userdbctl tool will now show UID range information as part of the
list of known users.
* A new build-time configuration setting default-user-shell= can be
used to set the default shell for user records and nspawn shell
invocations (instead of of the default /bin/bash).
* systemd-timesyncd now provides a D-Bus API for receiving NTP server
information dynamically at runtime via IPC.
* The systemd-creds tool gained a new "has-tpm2" verb, which reports
whether a functioning TPM2 infrastructure is available, i.e. if
firmware, kernel driver and systemd all have TPM2 support enabled and
a device found.
* The systemd-creds tool gained support for generating encrypted
credentials that are using an empty encryption key. While this
provides no integrity nor confidentiality it's useful to implement
codeflows that work the same on TPM-ful and TPM2-less systems. The
service manager will only accept credentials "encrypted" that way if
a TPM2 device cannot be detected, to ensure that credentials
"encrypted" like that cannot be used to trick TPM2 systems.
* When deciding whether to colorize output, all systemd programs now
also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and
$TERM).
* Meson's new install_tag feature is now in use for several components,
allowing to build and install select binaries only: pam, nss, devel
(pkg-config files), systemd-boot, libsystemd, libudev. Example:
$ meson build systemd-boot
$ meson install --tags systemd-boot --no-rebuild
https://mesonbuild.com/Installing.html#installation-tags
* A new build configuration option has been added, to allow selecting the
default compression algorithm used by systemd-journald and systemd-coredump.
This allows to build-in support for decompressing all supported formats,
but choose a specific one for compression. E.g.:
$ meson -Ddefault-compression=xz
Experimental features:
* sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
loader.conf that implements booting Microsoft Windows from the
sd-boot in a way that first reboots the system, to reset the TPM
PCRs. This improves compatibility with BitLocker's TPM use, as the
PCRs will only record the Windows boot process, and not sd-boot
itself, thus retaining the PCR measurements not involving sd-boot.
Note that this feature is experimental for now, and is likely going
to be generalized and renamed in a future release, without retaining
compatibility with the current implementation.
* A new systemd-sysupdate component has been added that automatically
discovers, downloads, and installs A/B-style updates for the host
installation itself, or container images, portable service images,
and other assets. See the new systemd-sysupdate man page for updates.
Contributions from: 4piu, Adam Williamson, adrian5, Albert Brox,
AlexCatze, Alex Henrie, Alfonso Sánchez-Beato, Alice S,
Alvin Šipraga, amarjargal, Amarjargal, Andrea Pappacoda,
Andreas Rammhold, Andy Chi, Anita Zhang, Antonio Alvarez Feijoo,
Arfrever Frehtes Taifersar Arahesis, ash, Bastien Nocera, Be,
bearhoney, Ben Efros, Benjamin Berg, Benjamin Franzke,
Brett Holman, Christian Brauner, Clyde Byrd III, Curtis Klein,
Daan De Meyer, Daniele Medri, Daniel Mack, Danilo Krummrich,
David, David Bond, Davide Cavalca, David Tardon, davijosw,
dependabot[bot], Donald Chan, Dorian Clay, Eduard Tolosa,
Elias Probst, Eli Schwartz, Erik Sjölund, Evgeny Vereshchagin,
Federico Ceratto, Franck Bui, Frantisek Sumsal, Gaël PORTAY,
Georges Basile Stavracas Neto, Gibeom Gwon, Goffredo Baroncelli,
Grigori Goronzy, Hans de Goede, Heiko Becker, Hugo Carvalho,
Jakob Lell, James Hilliard, Jan Janssen, Jason A. Donenfeld,
Joan Bruguera, Joerie de Gram, Josh Triplett, Julia Kartseva,
Kazuo Moriwaka, Khem Raj, ksa678491784, Lance, Lan Tian,
Laura Barcziova, Lennart Poettering, Leviticoh, licunlong,
Lidong Zhong, lincoln auster, Lubomir Rintel, Luca Boccassi,
Luca BRUNO, lucagoc, Ludwig Nussel, Marcel Hellwig, march1993,
Marco Scardovi, Mario Limonciello, Mariusz Tkaczyk,
Markus Weippert, Martin, Martin Liska, Martin Wilck, Matija Skala,
Matthew Blythe, Matthias Lisin, Matthijs van Duin, Matt Walton,
Max Gautier, Michael Biebl, Michael Olbrich, Michal Koutný,
Michal Sekletár, Mike Gilbert, MkfsSion, Morten Linderud,
Nick Rosbrook, Nikolai Grigoriev, Nikolai Kostrigin,
Nishal Kulkarni, Noel Kuntze, Pablo Ceballos, Peter Hutterer,
Peter Morrow, Pigmy-penguin, Piotr Drąg, prumian, Richard Neill,
Rike-Benjamin Schuppner, rodin-ia, Romain Naour, Ruben Kerkhof,
Ryan Hendrickson, Santa Wiryaman, Sebastian Pucilowski, Seth Falco,
Simon Ellmann, Sonali Srivastava, Stefan Seering,
Stephen Hemminger, tawefogo, techtino, Temuri Doghonadze,
Thomas Batten, Thomas Haller, Thomas Weißschuh, Tobias Stoeckmann,
Tomasz Pala, Tyson Whitehead, Vishal Chillara Srinivas,
Vivien Didelot, w30023233, wangyuhang, Weblate, Xiaotian Wu,
yangmingtai, YmrDtnJu, Yonathan Randolph, Yutsuten, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, наб
— Edinburgh, 2022-05-21
CHANGES WITH 250:
* Support for encrypted and authenticated credentials has been added.
This extends the credential logic introduced with v247 to support
non-interactive symmetric encryption and authentication, based on a
key that is stored on the /var/ file system or in the TPM2 chip (if
available), or the combination of both (by default if a TPM2 chip
exists the combination is used, otherwise the /var/ key only). The
credentials are automatically decrypted at the moment a service is
started, and are made accessible to the service itself in unencrypted
form. A new tool 'systemd-creds' encrypts credentials for this
purpose, and two new service file settings LoadCredentialEncrypted=
and SetCredentialEncrypted= configure such credentials.
This feature is useful to store sensitive material such as SSL
certificates, passwords and similar securely at rest and only decrypt
them when needed, and in a way that is tied to the local OS
installation or hardware.
* systemd-gpt-auto-generator can now automatically set up discoverable
LUKS2 encrypted swap partitions.
* The GPT Discoverable Partitions Specification has been substantially