NEWS: first prep for v259

Lennart Poettering
2025-11-17 12:56:42 +01:00
parent b186ce49de
commit 43939a5bbe

474
NEWS

@@ -15,16 +15,482 @@ CHANGES WITH 259 in spe:
This means that HugeTLB memory usage is now counted towards the
cgroups overall memory usage for the memory controller.
* homectl's --recovery-key= option may now be used with the "update"
command to add recovery keys to existing user accounts. Previously,
recovery keys could only be configured during initial user creation.
* The default storage mode for the journal is now 'persistent'.
Previously, the default was 'auto', so the presence or lack of
/var/log/journal determined the default storage mode, if no
overriding configuration was provided. The default can be changed
with -Djournal-storage-default=.
* systemd-networkd and systemd-nspawn no longer support creating NAT
rules via iptables/libiptc APIs; only nftables is now supported.
* systemd-boot's and systemd-stub's support for TPM 1.2 has been
removed (only TPM 2.0 supported is retained). The security value of
TPM 1.2 support is questionable in 2025, and because we never
supported it in userspace, it was always quite incomplete to the
point of uselessness.
* The image dissection logic will now enforce the VFAT file system type
for XBOOTLDR partitions, similar to how it already does this for the
ESP. This is done for security, since both the ESP and XBOOTLDR must
be directly firmware-accessible and thus cannot by protected by
cryptographic means. Thus it is essential to not mount arbitrarily
complex file systems on them. This restriction only applies if
automatic dissection is used. If other file system types shall be
used for XBOOTLDR (not recommended) this can be achieved via explicit
/etc/fstab entries.
* systemd-machined will now expose "hidden" disk images as read-only by
default (hidden images are those whose name begins with a dot). They
have been used to retain a pristine copy of the downloaded image,
while modifications are made to a 2nd, local writable copy of the
image. Hence, effectively they have been read-only anyway already,
this change makes this official.
Service manager/PID1:
* The service manager will now show the wallclock time a service ran
for when it exits in the same log message where it previously only
showed the consumed CPU time.
* A new pair of properties OOMKills and ManagedOOMKills are now exposed
on service units (and other unit types that spawn processes) that
count the number of process kills by the kernel or systemd-oomd.
* The service manager's Varlink IPC has been extended considerably. It
now exposes service execution settings and more. Its Unit.List() call
now can filter by cgroup or invocation ID.
* The $LISTEN_FDS protocol has been extended to support pidfd inode
IDs. The $LISTEN_PID environment variable is now augmented with a new
$LISTEN_PIDFDID environment variable which contains the inode ID of
the pidfd of the indicated process. This removes any ambiguity
regarding PID recycling: a process which verified that $LISTEN_PID
points to its own PID can now also verify the pidfd inode ID, which
does not recycle IDs.
* The service manager gained support for a new
RootDirectoryFileDescriptor= property when creating transient service
units. It is similar to RootDirectory= but takes a file descriptor
rather than a path the new root directory to use.
* The service manager now supports a new UserNamespacePath= setting
which mirrors the existing IPCNamespacePath= and
NetworkNamespacePath= settings, but applies to Linux user
namespaces.
* The service manager gained a new setting ExecReloadPost= for
configuring commands to execute after reloading of the configuration
of service has completed.
* Service manager job activation transactions now get a per-system
unique 64bit numeric ID assigned. This ID is logged as additional log
fields for any log messages related to the transaction. Moreover, PID
1 will now keep track of transactions with ordering cycles and expose
them in the TransactionsWithOrderingCycle D-Bus property, lsted by
their IDs.
* The service manager now exposes Reload() and Reexecute() Varlink IPC
calls, mirroring the calls of the same name accessible via D-Bus.
systemd-sysext/systemd-confext:
* systemd-sysext and systemd-confext now have configuration files
/etc/systemd/systemd-sysext.conf /etc/systemd/systemd-confext.conf,
which can be used to configure mutability or the image policy to
apply to DDI images.
* systemd-sysext's --mutable= switch now accepts a new value "help" for
listing available mutability modes. (Similar: systemd-confext)
* systemd-sysext now supports configuring additional overlayfs mount
settings via the $SYSTEMD_SYSEXT_OVERLAYFS_MOUNT_OPTIONS environment
variable. Similar systemd-confext now supports
$SYSTEMD_CONFEXT_OVERLAYFS_MOUNT_OPTIONS.
systemd-vmspawn/systemd-nspawn:
* systemd-vmspawn will now initialize the "serial" fields of block
devices attached to VMs to the filename of the file backing them on
the host. This makes it very easy to reference the right media in
case many block devices from files are attached to the same VM via
the /dev/disk/by-id/… links in the VM.
* systemd-nspawn's .nspawn file gained support for a new NamespacePath=
setting in the [Network] section which takes a path to a network
namespace inode, and which ensures the container is run inside that
when booted. (This was previosuly only available via a command line
switch.)
* systemd-vmspawn gained two new switches
--bind-user=/--bind-user-shell= which mirror the switches of the same
name in systemd-nspawn, and allow sharing a user account from the host
inside the VM, in a simple one-step operation.
* Both systemd-vmspawn and systemd-nspawn gained a new
--bind-user-group= switch for adding a user bound via --bind-user= to
the specified group (for example the 'wheel' or 'empower' group).
systemd-repart:
* repart.d/ drop-ins gained support for a new TPM2PCRs= setting, which
can be used to configure the set of TPM2 PCRs to bind disk encryption
to, in case TPM2-bound encryption is used. This was previously only
settable via the systemd-repart command line. Similar, KeyFile= has
been added to configure a binary LUKS key file to use.
* systemd-repart's functionality is now accessible via Varlink IPC.
* systemd-repart may now be invoked with a device node path specified as
"-". If so instead of operating on a block device it will just
determine the minimum block device size required to apply the defined
partitions on, and exit.
* systemd-repart gained two new switches --defer-partitions-empty=yes
and --defer-partitions-factory-reset=yes which are similar to
--defer-partitions= but instead of expecting a list of partitions to
defer will blanket defer all partitions marked via Format=empty or
FactoryReset=yes. This funcionality is useful for installers, as
partitions marked empty or marked for factory reset should typically
be left out at install time, but in on first boot.
* The Subvolumes= values in repart.d/ drop-ins may now be suffixed with
:nodatacow, in order to create subvolumes with data Copy-on-Write
disabled.
systemd-udevd:
* systemd-udevd rules gained support for OPTIONS="dump-json" to dump
the current event status in JSON format. This generates output
similar to "udevadm test --json=short".
* The net_id builtin for systemd-udevd now can generate predictable
interface names for Wifi devices on Devicetree systems.
* systemd-udevd and systemd-repart will now reread partition tables on
block devices in a more graceful, incremental fashion. Specifically, it
no longer uses the kernel BLKRRPART ioctl() which removes all
in-memory partition objects loaded into the kernel, and then
recreates them as new objects. Instead it will use the BLKPG ioctl()
to make minimal changes, and individually add, remove or grow
modified partition objects, avoiding removal/readding where the
partitions were left unmodified on disk. This should greatly improve
behaviour on systems that make modifications to partition tables on
disk while using them.
* A new udev property ID_BLOCK_SUBSYSTEM is now exposed on block devices
reporting a short identifier for the subsystem a block device belongs
to. This only applies to block devices not connected to a regular bus,
i.e. virtual block devices such as loopback, DM, MD, zram.
* systemd-udevd will now generate /dev/gpio/by-id/… symlinks for GPIO
devices.
systemd-homed/homectl:
* homectl's --recovery-key= option may now be used with the "update"
command to add recovery keys to existing user accounts. Previously,
recovery keys could only be configured during initial user creation.
* Two new switches have been added to homectl to control whether to
query the user interactively for a login shell and supplementary
groups memberships when interactive firstboot operation is requested
(--prompt-shell= + --prompt-groups=). The invocation in
systemd-homed-firstboot.service now turns both off by default.
systemd-boot/systemd-stub:
* systemd-boot now supports a log level concept. The level may be set
via loader.conf and via the SMBIOS Type 11 field
'io.systemd.boot.loglevel='.
* systemd-boot's loader.conf file gained support for configuring the
SecureBoot key enrollment time-out.
* Boot Loader Specification Type #1 entries now support a "profile"
field which may be used to explicitly select a profile in
multi-profile UKIs invoked via the "uki" field.
* systemd-stub gained support for marking invoked kernels for W^X
("NX") memory mappings, using the new UEFI protocol for that.
sd-varlink/varlinkctl:
* sd-varlink's sd_varlink_set_relative_timeout() call will now
reset the time-out to the default if 0 is passed.
* sd-varlink's sd_varlink_server_new() call learned two new flags
SD_VARLINK_SERVER_HANDLE_SIGTERM + SD_VARLINK_SERVER_HANDLE_SIGINT,
which are honoured by sd_varlink_server_loop_auto() and will cause it
to exit processing cleanly once SIGTERM/SIGINT are received.
* varlinkctl in --more mode will now send a READY=1 sd_notify() message
once it receives the first reply. This is useful for tools or scripts
that wrap it (and implement the $NOTIFY_SOCKET protocol) to know when
a first confirmation of success is received.
* sd-varlink gained a new sd_varlink_is_connected() call which reports
whether a Varlink connection is currently connected.
Shared library dependencies:
* Linux audit support is now implemented via dlopen() rather than
regular dynamic library linking. This means the dependency is now
weak, which is useful to reduce footprint inside of containers and
such, where Linux audit doesn't really work anyway.
* Similar PAM support is now implemented via dlopen() too (except for
the PAM modules pam_systemd + pam_systemd_home + pam_systemd_loadkey,
which are loaded by PAM and hence need PAM anyway to operate).
* Similar, libacl support is now implemented via dlopen().
* Similar, libblkid support is now implemented via dlopen().
* Similar, libseccomp support is now implemented via dlopen().
* Similar, libmount support is now implemented via dlopen(). Note, that
libmount still must be installed in order to invoke the service
manager itself. However, libsystemd.so no longer requires it, and
neither do various ways to invoke the systemd service manager binary
short of using it to manage a system.
* Similar, libselinux support is now implemented via dlopen().
* systemd no longer links against libcap at all. The simple system call
wrappers and other APIs it provides have been reimplemented directly
in systemd, which reduced the codebase and the dependency tree.
systemd-machined/systemd-importd:
* systemd-machined gained support for RegisterMachineEx() +
CreateMachineEx() method calls which operate like their counterparts
without "Ex" but take a number of additional parameters, similar to
what is already supported via the equivalent functionality in the
Varlink APIs of systemd-machined.
* systemd-machined may now also run in a per-user instance, in addition
to the per-system instance. systemd-vmspawn and systemd-nspawn have
been updated to register their invocations with both the calling
user's per-user instance of systemd-machined and the per-system one,
if permission allow it. machinectl now knows --user and --system
switches that control which daemon instance to operate
on. systemd-ssh-proxy now will query both instances for the AF_VSOCK
CID.
* systemd-machined implements a resolve hook now, so that the names of
local containers and VMs can be resolved locally to their respective
IP addresses.
* systemd-importd's tar extraction logic has been reimplemented based
on libarchive, instead of shelling out to GNU tar. This completes
work begun earlier which already ported systemd-importd's tar
generation over.
* systemd-importd now may also be run as a per-user service, in
addition to the existing per-system instance. It will place the
downloaded images in ~/.local/state/machines/ and similar
directories. importctl gained --user/--system switches to control
which instance to talk to.
systemd-firstboot:
* systemd-firstboot's and homectl's interactive boot-time interface
have been updated to show a colored bar at the top and bottom of the
screen, whose color can be configured via /etc/os-release. The bar
can be disabled via the new --chrome= switches to both tools.
* systemd-firstboot's and homectl's interactive boot-time interface
will now temporarily mute the kernel's and PID1's own console output
while running, in order to not mix the tool's own output with the
kernel's or PID 1's. This logic can be controlled via the new
--mute-console= switches to both tools. This is implemented via a new
systemd-mute-console component (which provides a simple Varlink
interface).
* systemd-firstboot gained a new switch --prompt-keymap-auto. if
specified the tool will interactively query the user for a keymap
when running on a real local VT console (i.e. on a user device where
the keymap would actually be respected), but not if invoked on other
TTYs (such as a serial port, hypervisor console, SSH, …), here the
keymap setting would have no effect anyway. The invocation in
systemd-firstboot.service now defaults to this.
systemd-creds:
* systemd-creds's Varlink IPC API now supports a new "withKey"
parameter on the Encrypt() method call, for selecting what to bind
the encryption to precisely, matching the --with-key= switch on the
command line.
* systemd-creds now allow explicit control of whether to accept
encryption with a NULL key when decrypting, via the pair --allow-null
and --refuse-null switches. Previously only the former existed, but
null keys were also accepted if UEFI SecureBoot was reported
off. This automatism is retained, but only if neither of the two
switches are specified. The systemd-creds Varlink IPC API learned
similar parameters on the Decrypt() call.
systemd-networkd:
* systemd-networkd's DHCP sever support gained two settings EmitDomain=
and Domain= for controlling whether leases handed out should report a
domain, and which. It also gained a per-static lease Hostname=
setting for setting the hostname for the client.
* systemd-networkd knows exposes a Describe() method call for showing
network interface properties.
* systemd-networkd implements a resolve hook now for its internal DHCP
server, so that the hostnames tracked in DHCP leases can be resolved
locally. This is now enabled by default for the DHCP server run on
the host side of local systemd-nspawn or systemd-vmspawn networking.
systemd-resolved:
* systemd-resolved gained a new Varlink IPC method call
DumpDNSConfiguration() which returns the full DNS configuration in
one reply. This is exposed by resolvectl --json=.
* systemd-resolved now allows local, privileged services to hook into
local name resolution requests. For that a new directory
/run/systemd/resolve.hook/ has been introduced. Any privileged local
service can bind an AF_UNIX Varlink socket there, and implement the
simple io.systemd.Resolve.Hook Varlink API on it. If so it will
receive a method call on it for each name resolution request, which
it can then reply to. It can reply positively, deny the request or
let the regular request handling take place.
* DNS0 has been removed from the default fallback DNS server list of
systemd-resolved, since it ceased operation.
TPM2 infrastructure:
* systemd-pcrlock no longer locks to PCR 12 by default, since its own
policy description typically ends up in there, as it is passed into a
UKI via a credential, and such credentials are measured into PCR 12.
* The TPM2 infrastructure gained support for additional PCRs
implemented via TPM2 NV Indexes in TPM2_NT_EXTEND mode. These
additional PCRs are called "NvPCRs" in our documentation (even though
they are very much volatile, much like the value of TPM2_NT_EXTEND NV
indexes, from which we inherit the confusing nomenclature). By
introducing NvPCRs the scarcity of PCRs is addressed, which allows us
to measure more resources later without affecting the definition and
current use of the scarce regular PCRs. Note that NvPCRs have
different semantics than PCRs: they are not available pre-userspace
(i.e. initrd userspace creates them and initializes them), including
in the pre-kernel firmware world; moreover they require an explicit
"anchor" initialization of a privileged per-system secret (in order
to fight the ability of attackers to remove/recreate the backing NV
indexes to reset them). This makes them predictable only if the
result of the anchor measurement is known ahead of time, which will
differ on each installed system. Initialization of defined NvPCRs is
done in systemd-tpm2-setup.service, in the initrd. Information about
the initialization of NvPCRs is measured into PCR 9, and finalized by
a separator measurement. The NV index base handle is configurable at
build time via the "tpm2-nvpcr-base" meson setting. It currently
defaults to a value the TCG has shown intentions to assign to Linux,
but this has not officially been done. systemd-pcrextend and its
Varlink APIs have been extended to optionally measure into an NvPCR
instead of a classic PCR.
* A new service systemd-pcrproduct.service is added which is similar to
systemd-pcrmachine.service but instead of the machine ID
(i.e. /etc/machined-id) measures the product ID (as reported by SMBIOS
or Devicetree). It uses a new NvPCR called "hardware" for this.
* systemd-pcrlock has been updated to generate CEL event log data
covering NvPCRs too.
systemd-analyze:
* systemd-analyze gained a new verb "dlopen-metadata" which can show
the dlopen() weak dependency metadata of an ELF binary that declares
that.
* A new verb "nvpcrs" has been added to systemd-analyze, which lists
NvPCRs with their names and values, similar to the existing "pcrs"
operation which does the same for classic PCRs.
systemd-run/run0:
* run0 gained a new --empower switch. It will invoke a new session with
elevated privileges without switching to the root
user. Specifically, it sets the full ambient capabilities mask
(including CAP_SYS_ADMIN), which ensures that privileged system calls
will typically be permitted. Moreover it adds the session processes
to the new "empower" system group, which is respected by polkit and
allows most polkit actions to be accessed fully privileged. This
should be a much less invasive way to acquire privileges, as it will
not switch over $HOME or the UID and hence risk creation of files
owned by the wrong UID in there. (Note that --empower is not
perfect, there's still various software around that does access
checks purely based on the UID, without Linux process capabilities or
polkit policies having any effect on them.)
* systemd-run gained support for --root-directory= to invoke the service
in the specified root directory. It also gained --same-root-dir (whith
a short switch -R) for invoking the new service in the same root
directory as the caller's. --same-root-dir has also been added to run0.
sd-event:
* sd-event's sd_event_add_child() and sd_event_add_child_pidfd() calls
now support the WNOWAIT flag which tells sd-event to not reap the
child process.
* sd-event gained two new calls sd_event_set_exit_on_idle() and
sd_event_get_exit_on_idle(), which enable automatic exit from the
event loop if no enabled (non-exit) event sources remain.
Other:
* User records gained a new UUID field, and the userdbctl tool gained
the ability to search for user records by UUID, via the new --uuid=
switch. The userdb Varlink API has been extended to allow server-side
searches for UUIDs.
* systemd-sysctl gained a new --inline switch, similar to the switch of
the same name systemd-sysusers already supports.
* systemd-cryptsetup has been updated to understand a new
tpm2-measure-keyslot-nvpcr= switch which takes an NvPCR name to
measure information about the used LUKS keyslot
into. systemd-gpt-auto-generator enables this by default for a new
"cryptsetup" NvPCR.
* systemd will now ignore configuration file drop-ins suffixed with
".ignore" in most places, similar to how it already ignores files
with suffixes such as ".rpmsave". Unlike those suffixes, ".ignore" is
package manager agnostic.
* systemd-modules-load will now load configured kernel modules in
parallel.
* Incomplete support for musl libc is now available by setting the
"libc" meson option to "musl". Note that we do not recommend usage of
musl, due to various limitations. i.e. since NSS or equivalent
functionality is not available nss-systemd, nss-resolve,
DynamicUser=, systemd-homed, systemd-userdbd, the foreign UID ID,
unprivileged systemd-nspawn, systemd-nsresourced, and so on will not
work. It's also not recommended for devices with constrained
resources as the usual memory pressure behaviour of long-running
systemd services has no effect on musl.
* systemd-integrity-setup now supports HMAC-SHA256, PHMAC-SHA256, PHMAC-SHA512.
* systemd-stdio-bridge gained a new --quiet option.
* systemd-mountfsd's MountImage() call gained support for explicitly
controlling whether to share dm-verity volumes between images that
have the same root hashes. It also learned support for setting up
bare file system images with separate Verity data files and
signatures.
* journalctl learned a new short switch "-W" for the existing long
switch "--no-hostname".
Contributions from: Alan Brady, Alberto Planas, Aleksandr Mezin,
Allison Karlitskaya, Andreas Schneider, Anton Tiurin,
Antonio Alvarez Feijoo, Arian van Putten, Armin Wolf,
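Review bot: the homectl --recovery-key= item is duplicated in this hunk: it appears once in the general block near the top ("homectl's --recovery-key= option may now be used with the "update" command to add recovery keys to existing user accounts") and again, verbatim, under the "systemd-homed/homectl:" heading; drop the first copy so the item lives only in its section. Several typos and slips in the added text should also be fixed before the release notes are published: "lsted" (TransactionsWithOrderingCycle item), "previosuly" (NamespacePath= item), "funcionality" (--defer-partitions-empty= item), "whith" (--same-root-dir item), "DHCP sever support", "systemd-networkd knows exposes a Describe() method call", "cannot by protected by cryptographic means", "only TPM 2.0 supported is retained", and "/etc/machined-id" in the systemd-pcrproduct.service item, which should read /etc/machine-id. The repeated "Similar," sentence openers in the shared-library and sysext sections read better as "Similarly,"; the RootDirectoryFileDescriptor= item is missing a word ("takes a file descriptor rather than a path to the new root directory"); "if permission allow it" should be "if permissions allow it"; and "but in on first boot" in the --defer-partitions-empty= item should be "but done on first boot".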