forked from actions-private-playground/systemd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathNEWS
15437 lines (12538 loc) · 818 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
systemd System and Service Manager
CHANGES WITH 253 in spe:
Deprecations and incompatible changes
* systemctl will now warn when invoked without /proc mounted (e.g. when
invoked after chroot into an image without the API mount points like
/proc being set up.) Operation in such an environment is not fully
supported.
* The return value of 'systemctl is-active|is-enabled|is-failed' for
unknown units is changed: previously 1 or 3 were returned, but now 4
(EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented.
* 'udevadm hwdb' subcommand is deprecated and will emit a warning.
systemd-hwdb (added in 2014) should be used instead.
* 'bootctl --json' now outputs well-formed JSON, instead of a stream
of newline-separated JSON objects.
* Udev rules in 60-evdev.rules have been changed to load hwdb properties
for all modalias patterns. Previously only the first matching pattern
was used. This could change what properties are assigned if the user
has more and less specific patterns that could match the same device,
but it is expected that the change will have no effect for most users.
* systemd-networkd-wait-online exits successfully when all interfaces
are ready or unmanaged. Previously, if neither '--any' nor
'--interface=' options were used, at least one interface had to be in
configured state. This change allows the case, where systemd-networkd
is enabled but no interfaces are configured, to be handled
gracefully. It may occur in particular when a different network
manager is also enabled and used.
* Some compatibility helpers were dropped: EmergencyAction= in the user
manager, measuring kernel command line into PCR 8 along with the
-Defi-tpm-pcr-compat compile-time option.
New components:
* A tool 'ukify' tool to build, measure, and sign Unified Kernel Images
(UKIs) has been added. This replaces functionality provided by
'dracut --uefi' and extends it with automatic calculation of offsets,
insertion of signed PCR policies generated by systemd-measure,
support for initrd concatenation, signing of the embedded Linux image
and the combined image with sbsign, and heuristics to autodetect the
kernel uname and verify the splash image.
Changes in systemd and units:
* A new unit type Type=notify-reload is defined. When such a unit is
reloaded via a signal, the manager will wait until it receives a
"READY=1" notification from the unit. Otherwise, this type is the
same as Type=notify.
[email protected], systemd-networkd.service, systemd-udevd.service, and
systemd-logind have been updated to this type; their reloads are now
synchronuous.
* Initrd environments which are not on a temporary file system (for
example an overlayfs combination) are now supported. Systemd will only
skip removal of the files in the initrd if it doesn't detect a
temporary file system.
* New MemoryZSwapMax= option has been added to configure
memory.zswap.max cgroup properties (the maximum amount of zswap used).
* New LogFilterPatterns= option can be used to specify regexp
accept/deny patterns for log entries generated by the unit. Based on
the option value, the manager sets the
user.journald_log_filter_patterns extended attribute on the unit
cgroup. systemd-journald checks for this attribute when receiving
messages, and will filter messages by matching the MESSAGE= part.
Rejected messages are neither stored in the journal nor forwarded.
This option can be used to filter noisy or uninteresting messages
from units.
* The manager has a new
org.freedesktop.systemd1.Manager.GetUnitByPIDFD() method to query
process ownership via a PIDFD, which is more resilient against PID
recycling issues.
* Scope units now support OOMPolicy=. Login session scopes default to
OOMPolicy=continue, allowing login scopes to survive the OOM killer
terminating some processes in the scope.
* systemd-fstab-generator now supports x-systemd.makefs option for
/sysroot (in the initrd).
* The maximum rate at which daemon reloads are executed can now be
limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
options. (Or the equivalent on the kernel command line:
systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=).
In addition, systemd now logs the originating unit and PID when
a reload request is received over D-Bus.
* When enabling a swap device, instead of failing, systemd will now
reinitialize the device when the page size of the swap space does not
match the page size of the running kernel.
* Systemd now executes generators in a mount namespace "sandbox" with
most of the file system read-only, but with write access to the
output directories, and with a temporary /tmp/ mount provided. This
provides a safeguard against programming errors in the generators,
but also fixes here-docs in shells, which previously didn't work in
early boot when /tmp/ wasn't available yet. (This feature has no
security implications, because the code is still privileged and can
trivially exit the sandbox.)
* The manager will load the vmm.notify_socket credential. If found,
it will send a "READY=1" notification on the specified socket after
boot is complete. This allows readiness notification to be sent
from a VM guest to the host over a VSOCK socket.
* The sample PAM configuration file for [email protected] now
includes a call to pam_namespace. This puts children of [email protected]
in the expected namespace. (Many distributions replace their file
with something custom, so this change has limited effect.)
* A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST can
can be used to override the mount units burst late limit for parsing
'/proc/self/mountinfo', which was introduced in v249. Defaults to 5.
* Drop-ins for init.scope changing control cgroup resource limits are
now applied, while they were previously ignored.
Changes in udev:
* The new net naming scheme "v253" has been introduced. In the new
scheme, ID_NET_NAME_PATH is also set for USB devices not connected via
a PCI bus. This extends the coverage of predictable interface names
in some embedded systems.
The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
a more informative path on some embedded systems.
* Block partitions will now also get symlinks in
/dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
block device nodes via the kernel's "diskseq" value. Previously those
symlinks were only created for the main block device.
* A new operator '-=' is supported for SYMLINK variables. This allows
symlinks to be unconfigured even if an earlier rule added them.
* 'udevadm --trigger --settle' now also works for network devices
that are being renamed.
Changes in sd-boot, bootctl, and the Boot Loader Specification:
* systemd-boot now passes its random seed directly to the kernel's RNG
via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which
means the RNG gets seeded very early in boot before userspace has
started.
* systemd-boot will pass a random seed when secure boot is enabled if
it can additionally get a random seed from EFI itself, via EFI's RNG
protocol or a prior seed in LINUX_EFI_RANDOM_SEED_TABLE_GUID from a
preceding bootloader.
* systemd-boot-system-token.service was renamed to
systemd-boot-random-seed.service and extended to always save the
random seed to ESP on every boot when a compatible boot loader is
used. This allows a refreshed random seed to be used in the boot
loader.
* systemd-boot handles various seed inputs using a domain- and
field-separated hashing scheme.
* systemd-boot's 'random-seed-mode' option has been removed. A system
token is now always required to be present for random seeds to be
used.
* systemd-boot now supports being loaded not from the ESP, for example
for direct kernel boot under QEMU or when embedded into the firmware.
* systemd-boot now parses SMBIOS info to detect virtualization. This
information is used to skip some warnings which are not useful in a
VM and to conditionalize other aspects of behaviour.
* systemd-stub now processes random seeds in the same way as
systemd-boot, in case a unified kernel image is being used from a
different bootloader than systemd-boot.
* bootctl will now generate a system token on all EFI systems, even
virtualized ones, and is activated in the case that the system token
is missing from either sd-boot and sd-stub booted systems.
* bootctl now implements two new verbs: 'kernel-identify' prints the
type of a kernel image, and 'kernel-inspect' provides information
about the embedded command line and kernel version.
* bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
as for kernel-install.
Changes in kernel-install:
* A new "installation layout" can be configured as layout=uki. With this
setting, a Boot Loader Specification Type#1 entry will not be created.
Instead, a new kernel-install plugin 90-uki-copy.install will copy any
.efi files from the staging area into the boot partition. A plugin to
generate the UKI .efi file must be provided separately.
Changes in systemctl:
* 'systemctl reboot' has dropped support for accepting a positional
argument as the argument to the reboot(2) syscall. Please use the
--reboot-argument option instead.
* 'systemctl disable' will now warn when called on units without install
information. A new --no-warn option has been added that silences this
warning.
* New option '--drop-in=' can be used to tell 'systemctl edit' the name
of the drop-in to edit. (Previously, 'override.conf' was always used.
* 'systemctl list-dependencies' now respects --type= and --state=.
* 'systemctl kexec' now supports XEN.
Changes in systemd-networkd and related tools:
* The [DHCPv4] section in .network file gained new SocketPriority=
setting that assigns the Linux socket priority used by the DHCPv4
raw socket. Can be used in conjunction with the EgressQOSMaps=setting
in [VLAN] section of .netdev file to send the desired ethernet 802.1Q
frame priority for DHCPv4 initial packets. This cannot be achieved
with netfilter mangle tables because of the raw socket bypass.
* The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained new
QuickAck= boolean setting that enables the TCP quick ACK mode for the
routes configured by the acquired DHCPv4 lease or received router
advertisements (RAs).
* The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
routes) now accepts three values, for high, medium, and low preference
of the router (which can be set with the RouterPreference=) setting.
* systemd-networkd-wait-online now supports alternative interface names.
* The [DHCPv6] section in .network file gained new SendRelease=
setting which enables the DHCPv6 client to send release when
it stops. This is the analog of the [DHCPv4] SendRelease= setting.
It is enabled by default.
* If the Address= setting in [Network] or [Address] sections in .network
specified without its prefix length, then now systemd-networkd assumes
/32 for IPv4 or /128 for IPv6 addresses.
* networkctl shows network and link file dropins in status output.
Changes in systemd-dissect:
* systemd-dissect gained a new option --list, to print the paths fo the
files and directories in the image.
* systemd-dissect gained a new option --mtree, to generate output
compatible with BSD mtree(5).
* systemd-dissect gained a new option --with, to execute a command in
the image temporarily mounted.
* systemd-dissect gained a new option --discover, to search for
Discoverable Disk Images (DDIs) in well-known directories. This will
list machine, portable service and system extension disk images.
* systemd-dissect now understands 2nd stage initrd images stored as a
Discoverable Disk Image (DDI).
Changes in systemd-repart:
* systemd-repart gained new options --include-partitions= and
--exclude-partitions= to filter operation on partitions by type UUID.
This allows systemd-repart to be used to build images in which the
type of one partition is set based on the contents of another
partition (for example when the boot partition shall include a verity
hash of the root partition).
* systemd-repart also gained a --defer-partitions= option that is
similar to --exclude-partitions=, but the size of the partition is
taken into account without populating it.
* systemd-repart gained a new --sector-size= option to specify what
sector size should be used when an image is created.
* systemd-repart now supports erofs (a read-only file system similar to
squashfs).
* The Minimize= option was extended to accept "best" (which means the
most minimal image possible, but may require multiple attempts) and
"guess" (which means a reasonably small image).
Changes in journal tools:
* Various systemd tools will append extra fields to log messages when
in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently
this includes information about D-Bus messages when sd-bus is used,
e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information
about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
Details of what is logged and when are subject to change.
* The systemd-journald-audit.socket can now be normally disabled
to stop collection of audit messages.
* New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
be used to curtail disk use by systemd-journal-remote. This is
similar to the options supported by systemd-journald.
Changes in systemd-cryptenroll, systemd-cryptsetup, and related
components
* systemd-cryptenroll now supports unlocking via FIDO2 tokens (option
--unlock-fido2-device=).
* systemd-cryptsetup now supports new options tpm2-measure-pcr= and
tpm2-measure-bank= in crypttab(5). These allow specifying the
PCR bank and number into which the volume key should be measured.
* When measuring data into a PCR, an authenticated hash (HMAC) is used
on the CPU, to further protect the data before it leaves the CPU.
* systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partions with
"noexec,nosuid,nodev".
* systemd-pcrphase gained new options --machine-id and --file-system=
to measure the machine-id and mount point information into a PCR.
* The machine-id is measured into PCR 15 during early boot.
* For the root and /var/ volumes, the mount point information and
options, and volume encryption keys in case encryption is used, will
be measured into PCR 15.
* systemd-cryptenroll now stores the user-supplied PIN with a salt,
making it harder to brute-force.
Changes in other tools:
* systemd-homed gained support for luksPbkdfForceIterations (the
intended number of iterations for the PBKDF operation on LUKS).
* Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
$SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
can be used to specify additional arguments for mkfs when
systemd-homed formats a file system.
* systemd-hostnamed now exports the contents of
/sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two
new D-Bus properties: FirmwareVendor and FirmwareDate. This allows
unprivileged code to access those values.
systemd-hostnamed also exports the SUPPORT_END= field from
os-release(5) as OperatingSystemSupportEnd. timedatectl make uses of
this to show the status of the installed system.
* systemd-measure gained an --append= option to sign multiple phase
paths with different signing keys. This allows secrets to be
accessible only in certain parts of the boot sequence. Note that
'ukify' provides similar functionality in a more accessible form.
* systemd-timesyncd will now write a structured log message with
MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
on a disk timestamp, similarly to what it did when reaching
synchronization via NTP.
systemd-timesyncd will now also update the timestamp file on each
boot, making it more likely that the system time increases in
subsequent boots.
* systemd-vconsole-setup gained support for credentials:
vconsole.keymap/vconsole.keymap_toggle and
vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous
the similarly-named options in vconsole.conf.
* systemd-localed will now save the XKB keyboard configuration to
/etc/vconsole.conf, and also read it from there with a higher
preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config
file. Previously, this information was stored in the former file in
converted form, and only in latter file in the original form. Tools
which want to access keyboard configuration can now do so from a
standard location.
* systemd-resolved gained support for configuring the nameservers and
search domains via kernel command line (nameserver=, domain=) and
credentials (network.dns, network.search_domains).
* systemd-notify will now send a "RELOADING=1" notification when called
with --reloading, and "STOPPING=1" when called with --stopping. This
can be used to implement notifications from units where it's easier
to call a program than to use the sd-daemon library.
* systemd-analyze gained new --json=, --table, and --no-legend options
that affect the output of 'plot'.
* 'machinectl enable' will now automatically enable machines.target
unit in addition to adding the machine unit to the target.
Similarly, 'machinectl start|stop' gained a --now option to enable or
disable the machine unit when starting or stopping it.
Changes in libsystemd and shared code:
* sd-bus gained new convenience functions sd_bus_emit_signal_to(),
sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().
* sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
id128_t parameter has an invalid format. They also accept NULL as
output parameter in more places, which is useful when the caller only
wants to check the inputs and does not need the output value.
* sd-login gained new functions sd_pidfd_get_session(),
sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
sd_pidfd_get_user_unit(), sd_pidfd_get_slice(),
sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and
sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(),
but accept a PIDFD instead of a PID.
* sd-path (and systemd-path) now export four new paths:
SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR,
SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR,
SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and
SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR,
* sd-notify now supports AF_VSOCK, in the "vsock:CID:port" format, for
the notify_socket parameter/environment variable/credential.
* Detection of chroot environments now works if /proc/ is not mounted.
This affects systemd-detect-virt --chroot, but also means that systemd
tools will silently skip various operations in such an environment.
* "Lockheed Matrin Hardened Security for Intel Processors" (HS SRE)
virtualization is now detected.
Changes in the build system:
* Standalone variant of systemd-repart is built (if -Dstandalone=true).
* systemd-ac-power has been moved to /usr/bin/, to, for example, allow
scripts to conditionalize execution on AC power supply.
* The libp11kit library is now loaded through dlopen(3).
Changes in the documentation:
* Specifications that are not closely tied to systemd have moved to
https://uapi-group.org/specifications/: the Boot Loader Specification
and the Discoverable Partitions Specification.
Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas,
Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang,
Antonio Alvarez Feijoo, asavah, Benjamin Fogle, Benjamin Tissoires,
berenddeschouwer, BerndAdameit, Bernd Steinhauser, blutch112,
Callum Farmer, Carlo Teubner, Charles Hardin, chris,
Christian Brauner, Christian Göttsche, Cristian Rodríguez,
Daan De Meyer, Dan Streetman, DaPigGuy, David Tardon,
dependabot[bot], Dirk Su, Dmitry V. Levin, drosdeck,
Edson Juliano Drosdeck, edupont, Eric DeVolder, Erik Moqvist,
Evgeny Vereshchagin, Felix Riemann, Franck Bui, Frantisek Sumsal,
Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho,
igo95862, Ivan Shapovalov, Jacek Migacz, Jade Lovelace,
Jan Engelhardt, Jan Janssen, Jan Macku, January,
Jason A. Donenfeld, jcg, Jelle van der Waa, Jeremy Linton,
Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann, Jörg Thalheim,
Joshua Goins, joshuazivkovic, Joshua Zivkovic, Kai-Chuan Hsieh,
Khem Raj, Koba Ko, Lennart Poettering, lichao, Li kunyu,
Luca Boccassi, Luca BRUNO, Ludwig Nussel, Łukasz Stelmach,
Lycowolf, marcel151, Marcus Schäfer, Marek Vasut, Mark Laws,
Michael Biebl, Michał Kotyla, Michal Koutný, Michal Sekletár,
Mike Yuan, MkfsSion, msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore,
Nick Rosbrook, noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv,
Phaedrus Leeds, Philipp Jungkamp, Quentin Deslandes, Ray Strode,
reuben olinsky, Richard E. van der Luit, Richard Phibel,
Ricky Tigg, rogg, Sam James, Samuel Thibault, Siddhesh Poyarekar,
Space Meyer, Spindle Security, Steve Ramage, Thomas Haller,
Tonći Galić, Torsten Hilbrich, uerdogan, Ulrich Ölmann,
Valentin David, Vitaly Kuznetsov, Vito Caputo, Waltibaba,
Will Fancher, William Roberts, Youfu Zhang, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски,
наб
— Warsaw, 2023-01-25
CHANGES WITH 252 🎃:
Announcements of Future Feature Removals:
* We intend to remove cgroup v1 support from systemd release after the
end of 2023. If you run services that make explicit use of cgroup v1
features (i.e. the "legacy hierarchy" with separate hierarchies for
each controller), please implement compatibility with cgroup v2 (i.e.
the "unified hierarchy") sooner rather than later. Most of Linux
userspace has been ported over already.
* We intend to remove support for split-usr (/usr mounted separately
during boot) and unmerged-usr (parallel directories /bin and
/usr/bin, /lib and /usr/lib, etc). This will happen in the second
half of 2023, in the first release that falls into that time window.
For more details, see:
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
Compatibility Breaks:
* ConditionKernelVersion= checks that use the '=' or '!=' operators
will now do simple string comparisons (instead of version comparisons
á la stverscmp()). Version comparisons are still done for the
ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
specified, a shell-style glob match is now done. This creates a minor
incompatibility compared to older systemd versions when the '*', '?',
'[', ']' characters are used, as these will now match as shell globs
instead of literally. Given that kernel version strings typically do
not include these characters we expect little breakage through this
change.
* The service manager will now read the SELinux label used for SELinux
access checks from the unit file at the time it loads the file.
Previously, the label would be read at the moment of the access
check, which was problematic since at that time the unit file might
already have been updated or removed.
New Features:
* systemd-measure is a new tool for calculating and signing expected
TPM2 PCR values for a given unified kernel image (UKI) booted via
sd-stub. The public key used for the signature and the signed
expected PCR information can be embedded inside the UKI. This
information can be extracted from the UKI by external tools and code
in the image itself and is made available to userspace in the booted
kernel.
systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been
updated to make use of this information if available in the booted
kernel: when locking an encrypted volume/credential to the TPM
systemd-cryptenroll/systemd-creds will use the public key to bind the
volume/credential to any kernel that carries PCR information signed
by the same key pair. When unlocking such volumes/credentials
systemd-cryptsetup/systemd-creds will use the signature embedded in
the booted UKI to gain access.
Binding TPM-based disk encryption to public keys/signatures of PCR
values — instead of literal PCR values — addresses the inherent
"brittleness" of traditional PCR-bound TPM disk encryption schemes:
disks remain accessible even if the UKI is updated, without any TPM
specific preparation during the OS update — as long as each UKI
carries the necessary PCR signature information.
Net effect: if you boot a properly prepared kernel, TPM-bound disk
encryption now defaults to be locked to kernels which carry PCR
signatures from the same key pair. Example: if a hypothetical distro
FooOS prepares its UKIs like this, TPM-based disk encryption is now –
by default – bound to only FooOS kernels, and encrypted volumes bound
to the TPM cannot be unlocked on kernels from other sources. (But do
note this behaviour requires preparation/enabling in the UKI, and of
course users can always enroll non-TPM ways to unlock the volume.)
* systemd-pcrphase is a new tool that is invoked at six places during
system runtime, and measures additional words into TPM2 PCR 11, to
mark milestones of the boot process. This allows binding access to
specific TPM2-encrypted secrets to specific phases of the boot
process. (Example: LUKS2 disk encryption key only accessible in the
initrd, but not later.)
Changes in systemd itself, i.e. the manager and units
* The cpu controller is delegated to user manager units by default, and
CPUWeight= settings are applied to the top-level user slice units
(app.slice, background.slice, session.slice). This provides a degree
of resource isolation between different user services competing for
the CPU.
* Systemd can optionally do a full preset in the "first boot" condition
(instead of just enable-only). This behaviour is controlled by the
compile-time option -Dfirst-boot-full-preset. Right now it defaults
to 'false', but the plan is to switch it to 'true' for the subsequent
release.
* Drop-ins are now allowed for transient units too.
* Systemd will set the taint flag 'support-ended' if it detects that
the OS image is past its end-of-support date. This date is declared
in a new /etc/os-release field SUPPORT_END= described below.
* Two new settings ConditionCredential= and AssertCredential= can be
used to skip or fail units if a certain system credential is not
provided.
* ConditionMemory= accepts size suffixes (K, M, G, T, …).
* DefaultSmackProcessLabel= can be used in system.conf and user.conf to
specify the SMACK security label to use when not specified in a unit
file.
* DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
specify the default timeout when waiting for device units to
activate.
* C.UTF-8 is used as the default locale if nothing else has been
configured.
* [Condition|Assert]Firmware= have been extended to support certain
SMBIOS fields. For example
ConditionFirmware=smbios-field(board_name = "Custom Board")
conditionalizes the unit to run only when
/sys/class/dmi/id/board_name contains "Custom Board" (without the
quotes).
* ConditionFirstBoot= now correctly evaluates as true only during the
boot phase of the first boot. A unit executed later, after booting
has completed, will no longer evaluate this condition as true.
* Socket units will now create sockets in the SELinuxContext= of the
associated service unit, if any.
* Boot phase transitions (start initrd → exit initrd → boot complete →
shutdown) will be measured into TPM2 PCR 11, so that secrets can be
bound to a specific runtime phase. E.g.: a LUKS encryption key can be
unsealed only in the initrd.
* Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
also be provided to ExecStartPre= processes.
* Various units are now correctly ordered against
initrd-switch-root.target where previously a conflict without
ordering was configured. A stop job for those units would be queued,
but without the ordering it could be executed only after
initrd-switch-root.service, leading to units not being restarted in
the host system as expected.
* In order to fully support the IPMI watchdog driver, which has not yet
been ported to the new common watchdog device interface,
/dev/watchdog0 will be tried first and systemd will silently fallback
to /dev/watchdog if it is not found.
* New watchdog-related D-Bus properties are now published by systemd:
WatchdogDevice, WatchdogLastPingTimestamp,
WatchdogLastPingTimestampMonotonic.
* At shutdown, API virtual files systems (proc, sys, etc.) will be
unmounted lazily.
* At shutdown, systemd will now log about processes blocking unmounting
of file systems.
* A new meson build option 'clock-valid-range-usec-max' was added to
allow disabling system time correction if RTC returns a timestamp far
in the future.
* Propagated restart jobs will no longer be discarded while a unit is
activating.
* PID 1 will now import system credentials from SMBIOS Type 11 fields
("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
simple, fast and generic path for supplying credentials to a VM,
without involving external tools such as cloud-init/ignition.
* The CPUWeight= setting of unit files now accepts a new special value
"idle", which configures "idle" level scheduling for the unit.
* Service processes that are activated due to a .timer or .path unit
triggering will now receive information about this via environment
variables. Note that this is information is lossy, as activation
might be coalesced and only one of the activating triggers will be
reported. This is hence more suited for debugging or tracing rather
than for behaviour decisions.
* The riscv_flush_icache(2) system call has been added to the list of
system calls allowed by default when SystemCallFilter= is used.
* The selinux context derived from the target executable, instead of
'init_t' used for the manager itself, is now used when creating
listening sockets for units that specify SELinuxContextFromNet=yes.
Changes in sd-boot, bootctl, and the Boot Loader Specification:
* The Boot Loader Specification has been cleaned up and clarified.
Various corner cases in version string comparisons have been fixed
(e.g. comparisons for empty strings). Boot counting is now part of
the main specification.
* New PCRs measurements are performed during boot: PCR 11 for the the
kernel+initrd combo, PCR 13 for any sysext images. If a measurement
took place this is now reported to userspace via the new
StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.
* As before, systemd-stub will measure kernel parameters and system
credentials into PCR 12. It will now report this fact via the
StubPcrKernelParameters EFI variable to userspace.
* The UEFI monotonic boot counter is now included in the updated random
seed file maintained by sd-boot, providing some additional entropy.
* sd-stub will use LoadImage/StartImage to execute the kernel, instead
of arranging the image manually and jumping to the kernel entry
point. sd-stub also installs a temporary UEFI SecurityOverride to
allow the (unsigned) nested image to be booted. This is safe because
the outer (signed) stub+kernel binary must have been verified before
the stub was executed.
* Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
is now supported by sd-boot.
* bootctl gained a bunch of new options: --all-architectures to install
binaries for all supported EFI architectures, --root= and --image=
options to operate on a directory or disk image, and
--install-source= to specify the source for binaries to install,
--efi-boot-option-description= to control the name of the boot entry.
* The sd-boot stub exports a StubFeatures flag, which is used by
bootctl to show features supported by the stub that was used to boot.
* The PE section offsets that are used by tools that assemble unified
kernel images have historically been hard-coded. This may lead to
overlapping PE sections which may break on boot. The UKI will now try
to detect and warn about this.
Any tools that assemble UKIs must update to calculate these offsets
dynamically. Future sd-stub versions may use offsets that will not
work with the currently used set of hard-coded offsets!
* sd-stub now accepts (and passes to the initrd and then to the full
OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
signatures of expected PCR values, to allow sealing secrets via the
TPM2 against pre-calculated PCR measurements.
Changes in the hardware database:
* 'systemd-hwdb query' now supports the --root= option.
Changes in systemctl:
* systemctl now supports --state= and --type= options for the 'show'
and 'status' verbs.
* systemctl gained a new verb 'list-automounts' to list automount
points.
* systemctl gained support for a new --image= switch to be able to
operate on the specified disk image (similar to the existing --root=
which operates relative to some directory).
Changes in systemd-networkd:
* networkd can set Linux NetLabel labels for integration with the
network control in security modules via a new NetLabel= option.
* The RapidCommit= is (re-)introduced to enable faster configuration
via DHCPv6 (RFC 3315).
* networkd gained a new option TCPCongestionControlAlgorithm= that
allows setting a per-route TCP algorithm.
* networkd gained a new option KeepFileDescriptor= to allow keeping a
reference (file descriptor) open on TUN/TAP interfaces, which is
useful to avoid link flaps while the underlying service providing the
interface is being serviced.
* RouteTable= now also accepts route table names.
Changes in systemd-nspawn:
* The --bind= and --overlay= options now support relative paths.
* The --bind= option now supports a 'rootidmap' value, which will
use id-mapped mounts to map the root user inside the container to the
owner of the mounted directory on the host.
Changes in systemd-resolved:
* systemd-resolved now persists DNSOverTLS in its state file too. This
fixes a problem when used in combination with NetworkManager, which
sends the setting only once, causing it to be lost if resolved was
restarted at any point.
* systemd-resolved now exposes a varlink socket at
/run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for
root. Processed DNS requests in a JSON format will be published to
any clients connected to this socket.
resolvectl gained a 'monitor' verb to make use of this.
* systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
instead of returning SERVFAIL, as per RFC:
https://datatracker.ietf.org/doc/html/rfc6840#section-5.2
* OpenSSL is the default crypto backend for systemd-resolved. (gnutls
is still supported.)
Changes in libsystemd and other libraries:
* libsystemd now exports sd_bus_error_setfv() (a convenience function
for setting bus errors), sd_id128_string_equal (a convenience
function for 128bit ID string comparisons), and
sd_bus_message_read_strv_extend() (a function to incrementally read
string arrays).
* libsystemd now exports sd_device_get_child_first()/_next() as a
high-level interface for enumerating child devices. It also supports
sd_device_new_child() for opening a child device given a device
object.
* libsystemd now exports sd_device_monitor_set()/get_description()
which allow setting a custom description that will be used in log
messages by sd_device_monitor*.
* Private shared libraries (libsystemd-shared-nnn.so,
libsystemd-core-nnn.so) are now installed into arch-specific
directories to allow multi-arch installs.
* A new sd-gpt.h header is now published, listing GUIDs from the
Discoverable Partitions specification. For more details see:
https://systemd.io/DISCOVERABLE_PARTITIONS/
* A new function sd_hwdb_new_from_path() has been added to open a hwdb
database given an explicit path to the file.
* The signal number argument to sd_event_add_signal() now can now be
ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
be automatically invoked to block the specified signal. This is
useful to simplify invocations as the caller doesn't have to do this
manually.
* A new convenience call sd_event_set_signal_exit() has been added to
sd-event to set up signal handling so that the event loop
automatically terminates cleanly on SIGTERM/SIGINT.
Changes in other components:
* systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
can now be provided via the credential mechanism.
* systemd-analyze gained a new verb 'compare-versions' that implements
comparisons for versions strings (similarly to 'rpmdev-vercmp' and
'dpkg --compare-versions').
* 'systemd-analyze dump' is extended to accept glob patterns for unit
names to limit the output to matching units.
* tmpfiles.d/ lines can read file contents to write from a credential.
The new modifier char '^' is used to specify that the argument is a
credential name. This mechanism is used to automatically populate
/etc/motd, /etc/issue, and /etc/hosts from credentials.
* tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
an inode if the specification is prefixed with ':' and the inode
already exists.
* Default tmpfiles.d/ configuration now carries a line to automatically
use an 'ssh.authorized_keys.root' credential if provided to set up
the SSH authorized_keys file for the root user.
* systemd-tmpfiles will now gracefully handle absent source of "C" copy
lines.
* tmpfiles.d/ F/w lines now optionally permit encoding of the payload
in base64. This is useful to write arbitrary binary data into files.
* The pkgconfig and rpm macros files now export the directory for user
units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.
* Detection of Apple Virtualization and detection of Parallels and
KubeVirt virtualization on non-x86 archs have been added.
* os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
user when their system will become unsupported.
* When performing suspend-then-hibernate, the system will estimate the
discharge rate and use that to set the delay until hibernation and
hibernate immediately instead of suspending when running from a
battery and the capacity is below 5%.
* systemd-sysctl gained a --strict option to fail when a sysctl
setting is unknown to the kernel.
* machinectl supports --force for the 'copy-to' and 'copy-from'
verbs.
* coredumpctl gained the --root and --image options to look for journal
files under the specified root directory, image, or block device.
* 'journalctl -o' and similar commands now implement a new output mode
"short-delta". It is similar to "short-monotonic", but also shows the
time delta between subsequent messages.
* journalctl now respects the --quiet flag when verifying consistency
of journal files.
* Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
will indicate whether a message was logged in the 'initrd' phase or
in the 'system' phase of the boot process.
* Journal files gained a new compatibility flag
'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
to the storage format that allow reducing size on disk. As with other
compatibility flags, older journalctl versions will not be able to
read journal files using this new format. The environment variable
'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
disable this functionality. It is enabled by default.
* systemd-run's --working-directory= switch now works when used in
combination with --scope.
* portablectl gained a --force flag to skip certain sanity checks. This
is implemented using new flags accepted by systemd-portabled for the
*WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH
flag now means that the attach/detach checks whether the units are
already present and running will be skipped. Similarly,
SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether
image name matches the name declared inside of the image will be
skipped. Callers must be sure to do those checks themselves if
appropriate.
* systemd-portabled will now use the original filename to check
extension-release.NAME for correctness, in case it is passed a
symlink.
* systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
too.
* sysext's extension-release files now support '_any' as a special
value for the ID= field, to allow distribution-independent extensions
(e.g.: fully statically compiled binaries, scripts). It also gained
support for a new ARCHITECTURE= field that may be used to explicitly
restrict an image to hosts of a specific architecture.
* systemd-repart now supports creating squashfs partitions. This
requires mksquashfs from squashfs-tools.
* systemd-repart gained a --split flag to also generate split
artifacts, i.e. a separate file for each partition. This is useful in
conjunction with systemd-sysupdate or other tools, or to generate
split dm-verity artifacts.
* systemd-repart is now able to generate dm-verity partitions, including
signatures.
* systemd-repart can now set a partition UUID to zero, allowing it to
be filled in later, such as when using verity partitions.
* systemd-repart now supports drop-ins for its configuration files.
* Package metadata logged by systemd-coredump in the system journal is
now more compact.
* xdg-autostart-service now expands 'tilde' characters in Exec lines.
* systemd-oomd now automatically links against libatomic, if available.
* systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
killed.
* scope units now also provide oom-kill status.
* systemd-pstore will now try to load only the efi_pstore kernel module
before running, ensuring that pstore can be used.
* systemd-logind gained a new StopIdleSessionSec= option to stop an idle
session after a preconfigure timeout.
* systemd-homed will now wait up to 30 seconds for workers to terminate,
rather than indefinitely.
* homectl gained a new '--luks-sector-size=' flag that allows users to
select the preferred LUKS sector size. Must be a power of 2 between 512
and 4096. systemd-userdbd records gained a corresponding field.
* systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
variable when generating the 'sp_lstchg' field, to ensure an image
build can be reproducible.
* 'udevadm wait' will now listen to kernel uevents too when called with
--initialized=no.
* When naming network devices udev will now consult the Devicetree
"alias" fields for the device.
* systemd-udev will now create infiniband/by-path and
infiniband/by-ibdev links for Infiniband verbs devices.
* systemd-udev-trigger.service will now also prioritize input devices.
* ConditionACPower= and systemd-ac-power will now assume the system is
running on AC power if no battery can be found.
* All features and tools using the TPM2 will now communicate with it
using a bind key. Beforehand, the tpm2 support used encrypted sessions
by creating a primary key that was used to encrypt traffic. This
creates a problem as the key created for encrypting the traffic could
be faked by an active interposer on the bus. In cases when a pin is
used, a bind key will be used. The pin is used as the auth value for
the seal key, aka the disk encryption key, and that auth value will be
used in the session establishment. An attacker would need the pin
value to create the secure session and thus an active interposer
without the pin cannot interpose on TPM2 traffic.
* systemd-growfs no longer requires udev to run.
* systemd-backlight now will better support systems with multiple
graphic cards.