systemd prerelease 252-rc1

A new systemd ☠️ pre-release ☠️ has just been tagged. Please download the tarball here:

        https://github.com/systemd/systemd/archive/v252-rc1.tar.gz

NOTE: This is ☠️ pre-release ☠️ software. Do not run this on production
systems, but please test this and report any issues you find to GitHub:

        https://github.com/systemd/systemd/issues/new?template=Bug_report.md

Changes since the previous release:

        Announcement of Future Feature Removal:

        * Please note that we intend to remove cgroupsv1 support from systemd
          releases after EOY 2023. If you run services that make explicit use of
          cgroupsv1 features, please implement compatibility with cgroupsv2
          sooner rather than later, if you haven't done so yet. Most of Linux
          userspace has been ported over already.

        * Please note that we intend to remove support for split-usr and
          unmerged-usr. This will happen in the second half of 2023, in the
          first release that falls into that time window. For more details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

        Compatibility Breaks:

        * ConditionKernelVersion= checks that use the = or != operator will now
          do simple string compares (as opposed to version compare – à la
          strverscmp() — as before, which is still done for the ordering
          operators <, >, <=, >=). Moreover, if no operator is specified a
          shell-style glob match is now done. This creates a minor
          incompatibility compared to older systemd versions, in case the *, ?,
          [, ], characters have been used in such condition expressions before,
          as these will now match per shell glob rules instead of
          literally. Given that kernel version strings typically do not include
          these characters we expect little breakage through this change.

        New Features:

        * systemd-measure is a new helper to precalculate PCR measurements
          to make it easier to set TPM2 policies.

        Changes in systemd itself, i.e. the manager, and units

        * The CPU controller is delegated to user manager units, and CPUWeight=
          settings are applied to the top-level user slice units (app.slice,
          background.slice, session.slice). This provides a degree of resource
          isolation between different user services competing for the CPU.

        * Systemd can optionally do a full preset in the "first boot" condition
          (instead of just enable-only). This behaviour is controlled by the
          compile-time option -Dfirst-boot-full-preset=. Right now it defaults
          to 'false', but the plan is to switch it to 'true' for the subsequent
          release.

        * Systemd will set the taint flag 'support-ended' if it detects that
          the OS image is past its end-of-support date.

        * Two new settings ConditionCredential= and AssertCredential= can
          be used to skip or fail units if a certain credential is not provided.

        * ConditionMemory= accepts size suffixes.

        * DefaultSmackProcessLabel= can be used in system.conf and user.conf
          to specify the smack label to use when not specified in a unit file.

        * DefaultDeviceTimeoutSec= can be used in system.conf and user.conf
          to specify the default timeout for devices.

        * C.UTF-8 is used as the default locale if nothing else has been configured.

        * Extend [Condition|Assert]Firmware= to conditionalize on certain SMBIOS
          fields. For example
          ConditionFirmware=smbios-field(board_name = "Custom Board") will
          conditionalize a unit so that it is only run when
          /sys/class/dmi/id/board_name contains "Custom Board" (without quotes).

        * ConditionFirstBoot= now correctly evaluates as true only during the
          boot phase of the first boot. A unit re-ran later, after booting has
          completed, will no longer evaluate this condition as true.

        * Socket units will now create sockets in the SELinuxContext= of the
          associated service unit, if any.

        * Boot phase transitions (start initrd -> exit initrd -> boot complete
          -> shutdown) will be measured into PCR11, so that secrets can be bound
          to specific runtime phases, e.g.: a LUKS encryption key could be
          unsealed only in the initrd.
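        The PCR 11 phase measurements above, and the precalculation that the new
        systemd-measure helper performs, both rest on the TPM's extend operation:
        each measured event is hashed onto the previous PCR value, so the PCR after
        any phase is predictable ahead of boot and a policy can require exactly that
        value. The following is an added illustration written for this page, not
        systemd's own code; it models extend as sha256(pcr || sha256(event)). The
        phase strings are constructed placeholders, not the event format systemd
        actually measures.

```python
"""Precalculate TPM2 PCR values for an ordered list of measured events.

Added illustration, not systemd's own code. Models the PCR extend operation
(pcr = H(pcr || H(event))) so that the value of a PCR such as PCR 11 can be
predicted ahead of boot, which is what lets a TPM2 policy bind a secret to one
specific boot phase. The phase strings are constructed placeholders and are
not the event format systemd measures.
"""
import hashlib

PCR_BANK = "sha256"
INITIAL_PCR = bytes(32)  # PCRs in the SHA-256 bank start as 32 zero bytes at reset

# Constructed, hypothetical sequence of boot-phase events in boot order.
BOOT_PHASES = [b"enter-initrd", b"leave-initrd", b"boot-complete", b"shutdown"]


def extend(pcr: bytes, event: bytes) -> bytes:
    """One event-style extend: hash the event data, then hash that onto the PCR."""
    digest = hashlib.new(PCR_BANK, event).digest()
    return hashlib.new(PCR_BANK, pcr + digest).digest()


def precalculate(events, start: bytes = INITIAL_PCR) -> list:
    """Return the PCR value after each event, in order, starting from `start`."""
    values = []
    pcr = start
    for event in events:
        pcr = extend(pcr, event)
        values.append(pcr)
    return values


def expected_pcr_for_phase(phase: bytes, events=BOOT_PHASES) -> bytes:
    """PCR value a policy must expect for a secret usable only in `phase`.

    It is the PCR state after that phase's event (and every earlier one) has
    been extended. Extending any later event changes the value irreversibly,
    which is why a secret sealed to the initrd phase cannot be unsealed once
    the system has left the initrd.
    """
    idx = events.index(phase)
    return precalculate(events[: idx + 1])[-1]


if __name__ == "__main__":
    for phase, value in zip(BOOT_PHASES, precalculate(BOOT_PHASES)):
        print(f"after {phase.decode():14s} PCR = {value.hex()}")
```

        Reordering or omitting any event yields an unrelated PCR value, so the same
        sealed key cannot be released in a phase other than the one it was bound to.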

        * Credentials will now also be provided to ExecStartPre= processes.

        * Various units are now correctly ordered with initrd-switch-root.target
          where previously some were just (indirectly) ordered only with
          initrd-switch-root.service.

        * In order to fully support the IPMI watchdog driver, which has not yet
          been ported to the new numbered device interface, /dev/watchdog0 will
          be tried first and systemd will silently fallback to /dev/watchdog if
          it is not found.

        * New watchdog-related D-Bus properties are now published by systemd:
          WatchdogDevice, WatchdogLastPingTimestamp,
          WatchdogLastPingTimestampMonotonic.

        * At shutdown, API VFS (proc, sys, etc.) will be unmounted lazily.

        * A new meson build option 'clock-valid-range-usec-max' was added to
          allow disabling system time correction if the RTC returns a timestamp
          far in the future.

        * Propagated restart jobs will no longer be discarded while a unit is
          activating.

        Changes in sd-boot, bootctl, and the Boot Loader Specification:

        * The Boot Loader Specification has been cleaned up and clarified.
          Various corner cases in version string comparisons have been fixed
          (e.g. comparisons for empty strings). Boot counting is now part of
          the main specification.

        * New PCR measurements are set during boot: PCR 11 for the
          kernel+initrd combo, PCR 13 for any sysext images.

        * The UEFI monotonic boot counter is now included in the random seed,
          providing some additional entropy.

        * Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
          is now supported.

        * bootctl gained a bunch of new options: '--all-architectures' to
          install binaries for all supported EFI architectures, '--root=' and
          '--image=' options to operate on a directory or disk image,
          '--install-source=' to specify the source for binaries to install, and
          '--efi-boot-option-description' to control the name of the boot entry.

        * The sd-boot stub exports a StubFeatures flag, which is used by
          bootctl to show features supported by the stub that was used to boot.

        * sd-boot will now try to detect and warn about overlapping PE sections.

        * sd-stub now accepts (and passes to the initrd and then to the full OS)
          new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
          signatures of PCR policies, to allow sealing secrets via the TPM2
          against pre-calculated PCR measurements.

        Changes in the hardware database:

        * 'systemd-hwdb query' now supports the '--root' option.

        Changes in systemctl:

        * systemctl now supports '--state' and '--type' options for the 'show'
          and 'status' verbs.

        * systemctl gained a new verb 'list-automounts' to list automount
          points.

        Changes in systemd-networkd:

        * networkd can set Linux NetLabel labels for integration with the
          network control in security modules via a new NetLabel= option.

        * networkd gained new options NFTSet=, IPv4NFTSet=, IPv6NFTSet= that
          take names of nft sets as arguments. It will automatically add rules
          for the subnets configured for an interface to those sets.

        * The RapidCommit= option is (re-)introduced to enable faster
          configuration via DHCPv6 (RFC 3315).

        * networkd gained a new option TCPCongestionControlAlgorithm= that
          allows setting a per-route TCP algorithm.

        * networkd gained a new option KeepFileDescriptor= to allow keeping a
          reference (file descriptor) open on TUN/TAP interfaces, which is
          useful to avoid link flaps while the underlying service providing the
          interface is being serviced.

        Changes in systemd-nspawn:

        * The --bind= and --overlay= options now support relative paths.

        * The --bind= option now supports a 'rootidmap' value, which will
          use id-mapped mounts to map the root user inside the container to the
          owner of the mounted directory on the host.

        Changes in libsystemd and other libraries:

        * libsystemd now exports sd_bus_error_setfv (a convenience function for
          setting bus errors), sd_id128_string_equal (a convenience function
          for identifier comparisons), sd_bus_message_read_strv_extend (a
          function to incrementally read string arrays).

        * libsystemd now exports sd_device_get_child_first/next as a high-level
          interface for enumerating child devices.

        * libsystemd now exports sd_device_monitor_set/get_description, which
          allow setting a custom description that will be used in log messages
          by sd_device_monitor*.

        * Private shared libraries (libsystemd-shared-nnn.so,
          libsystemd-core-nnn.so) are now installed into arch-specific
          directories to allow multi-arch installs.

        * A new sd-gpt.h header is now published, listing GUIDs from the
          Discoverable Partitions specification. For more details see:
          https://systemd.io/DISCOVERABLE_PARTITIONS/

        Changes in other components:

        * sysusers and tmpfiles configuration can now be provided via the
          credential mechanism.

        * tmpfiles can read file contents to write from a credential (and a new
          modifier char '^' to specify that the argument is a credential name).
          This mechanism is used to automatically populate /etc/motd, /etc/issue,
          and /etc/hosts from credentials.

        * tmpfiles will now avoid changing uid/gid/mode of an inode if the
          specification is prefixed with ':' and the inode already exists.

        * tmpfiles will automatically use an 'ssh.authorized_keys.root'
          credential if provided to set up the authorized_keys file for the root
          user.

        * tmpfiles will now gracefully handle absent source of "C" copy lines.

        * systemd-analyze gained a new verb 'compare-versions' that implements
          comparisons for version strings (similarly to 'rpmdev-vercmp' and
          'dpkg --compare-versions').
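        The version comparison this verb exposes is the same operation that the
        ConditionKernelVersion= change under "Compatibility Breaks" now applies
        only to the ordering operators. The following added example, written for
        this page and not systemd's own code, shows both: a simplified version
        compare (digit runs compared numerically, other runs lexicographically;
        systemd's real strverscmp_improved() has further rules for '~', '-' and '^'
        that are not reproduced) and an evaluator for the new operator semantics,
        where '=' and '!=' are plain string equality, '<', '<=', '>', '>=' use the
        version compare, and a bare pattern is a shell-style glob.

```python
"""Version comparison and the new ConditionKernelVersion= operator rules.

Added illustration, not systemd's own code. compare_versions() is a
simplified strverscmp-style compare; kernel_version_matches() evaluates a
ConditionKernelVersion= expression against a running kernel version string
using the rules described in the 252 release notes.
"""
import fnmatch
import re

# Split a version into alternating runs of digits and non-digits.
_CHUNK = re.compile(r"\d+|\D+")


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (simplified strverscmp)."""
    chunks_a, chunks_b = _CHUNK.findall(a), _CHUNK.findall(b)
    for x, y in zip(chunks_a, chunks_b):
        if x.isdigit() and y.isdigit():
            # Numeric runs compare by value, so 5.10 sorts after 5.9.
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x != y:
            return -1 if x < y else 1
    # All shared chunks equal: the version with more chunks is the greater one.
    if len(chunks_a) != len(chunks_b):
        return -1 if len(chunks_a) < len(chunks_b) else 1
    return 0


# Ordering operators keep version-compare semantics.
_ORDERING = {
    "<=": lambda c: c <= 0,
    ">=": lambda c: c >= 0,
    "<": lambda c: c < 0,
    ">": lambda c: c > 0,
}


def kernel_version_matches(condition: str, running: str) -> bool:
    """Evaluate ConditionKernelVersion=<condition> against `running`.

    Two-character operators are tested first so that '<=' is not read as '<'
    followed by a version starting with '='.
    """
    cond = condition.strip()
    for op in ("<=", ">=", "!=", "<", ">", "="):
        if cond.startswith(op):
            wanted = cond[len(op):].strip()
            if op == "=":
                return running == wanted      # now a plain string compare
            if op == "!=":
                return running != wanted
            return _ORDERING[op](compare_versions(running, wanted))
    # No operator: shell-style glob, so '*', '?', '[' and ']' are special now.
    return fnmatch.fnmatchcase(running, cond)


if __name__ == "__main__":
    running = "5.15.0-generic"   # constructed sample kernel version
    for cond in (">=5.10", "=5.15", "5.15.*", "5.15", "<6"):
        print(f"ConditionKernelVersion={cond!r:12} -> {kernel_version_matches(cond, running)}")
```

        Note the compatibility break in the output: '=5.15' no longer matches a
        5.15.0 kernel, because '=' is now exact string equality rather than a
        version compare, while the glob '5.15.*' does match.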

        * The pkgconfig and rpm macros files now export the directory for user
          units as 'user_tmpfiles_dir' and '_user_tmpfilesdir'.

        * Detection of Parallels and KubeVirt virtualization has been improved.

        * os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
          user when their system will become unsupported.
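        This field is what the new 'support-ended' taint flag described above is
        derived from. The following added example, written for this page and not
        systemd's own code, parses the os-release key=value format, reads
        SUPPORT_END=YYYY-MM-DD and reports whether a given date is past the
        end-of-support date. The sample file content and its date are constructed;
        on a real system the file is /etc/os-release (falling back to
        /usr/lib/os-release). It treats the SUPPORT_END day itself as still
        supported, which is an assumption of the example.

```python
"""Check the os-release SUPPORT_END= field.

Added illustration, not systemd's own code. Parses os-release and decides
whether an image is past its end-of-support date, the condition under which
systemd 252 sets the 'support-ended' taint flag. Sample content is constructed.
"""
import datetime as dt
import shlex

# Constructed sample os-release; the date is made up.
SAMPLE_OS_RELEASE = """\
NAME="Example OS"
ID=exampleos
VERSION_ID=3
# comments and blank lines are ignored

SUPPORT_END=2023-06-30
"""


def parse_os_release(text: str) -> dict:
    """Parse os-release: one KEY=VALUE per line, shell-style quoting, '#' comments."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        parts = shlex.split(raw)          # strips "..." / '...' quoting like a shell
        result[key.strip()] = parts[0] if parts else ""
    return result


def support_end(os_release: dict):
    """Return SUPPORT_END as a date, or None if the field is absent or malformed."""
    value = os_release.get("SUPPORT_END")
    if not value:
        return None
    try:
        return dt.date.fromisoformat(value)   # accepts exactly YYYY-MM-DD
    except ValueError:
        return None


def support_ended(os_release: dict, today: dt.date) -> bool:
    """True when `today` is strictly after SUPPORT_END (the 'support-ended' taint)."""
    end = support_end(os_release)
    return end is not None and today > end


if __name__ == "__main__":
    info = parse_os_release(SAMPLE_OS_RELEASE)
    print(f"{info['NAME']} support ends {support_end(info)}; "
          f"ended as of today: {support_ended(info, dt.date.today())}")
```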

        * When performing suspend-then-hibernate, the system will estimate the
          discharge rate and use that to set the delay until hibernation, and
          will hibernate immediately instead of suspending when running from a
          battery and the capacity is below 5%.

        * systemd-sysctl gained a '--strict' option to fail when a sysctl
          setting is unknown to the kernel.

        * machinectl supports '--force' for the 'copy-to' and 'copy-from'
          verbs.

        * openssl is the default crypto backend for systemd-resolved. (gnutls
          is still supported.)

        * journalctl -o (and similar commands) now understands a new output mode
          "short-delta". It is similar to "short-monotonic" but also shows the
          time delta between two messages.

        * journalctl now respects the '--quiet' flag when verifying journal files
          consistency.

        * systemd-journald log messages gained a new implicit field
          '_RUNTIME_SCOPE=' that will indicate whether a message was logged in
          the 'initrd' phase or in the 'system' phase of the boot process.

        * systemd-journald gained a new compatibility flag
          'HEADER_INCOMPATIBLE_COMPACT'. Journal files with this flag implement
          changes to the storage format that allow reducing journal files size on
          disk. As with other compatibility flags, older journalctl versions will
          not be able to read journal files using this new format. The environment
          variable 'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald
          to disable it. It is enabled by default.

        * journalctl gained a '--convert' flag that allows converting journal
          files to the latest supported format.

        * systemd-run's '--working-directory' now works when used together with
          '--scope'.

        * portablectl gained a '--force' flag (and a corresponding 0x2 flag is
          now accepted by the *WithExtensions() D-Bus methods of portabled) to
          skip certain sanity checks. For now, this means that on attach/detach
          it will not be checked whether the unit(s) are already present and/or
          running. Callers must be sure to do those checks themselves.

        * systemd-portabled will now use the original filename to check
          extension-release.NAME for correctness, in case it is passed a
          symlink.

        * systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
          too.

        * sysext's extension-release now supports '_any' as a special value for
          the ID= field, to allow distribution-independent extensions (e.g.:
          fully statically compiled binaries, scripts).

        * systemd-resolved now persists DNSOverTLS in its state file too. This
          fixes a problem when used in combination with NetworkManager, which
          sends the setting only once, causing it to be lost if resolved was
          restarted at any point during runtime.

        * systemd-resolved now exposes a varlink socket at
          /run/systemd/resolve/io.systemd.Resolve.Monitor, which requires root
          privileges to connect to. When a varlink client connects, processed
          DNS requests will be published on this monitor socket in JSON format.
          resolvectl gained a 'monitor' verb to use this socket.

        * systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
          instead of returning SERVFAIL, as per RFC:
          https://datatracker.ietf.org/doc/html/rfc6840#section-5.2

        * systemd-repart now supports creating squashfs partitions. Requires
          squashfs-tools (mksquashfs).

        * systemd-repart gained a '--split' flag to make it also generate split
          artifacts, i.e., a separate file for each partition. This is useful in
          conjunction with systemd-sysupdate or other tools, or to generate split
          dm-verity artifacts.

        * systemd-repart is now able to generate dm-verity partitions, including
          signatures.

        * systemd-repart is now able to set a partition UUID to zero. This is
          useful when we need to fill in the UUID later, such as when using
          verity partitions.

        * systemd-repart now supports drop-ins for its configuration files.

        * Package metadata logged by systemd-coredump in the system journal are
          now more compact.

        * xdg-autostart-service now expands 'tilde' characters in Exec lines.

        * systemd-oomd now automatically links against libatomic, if available.

        * systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
          killed.

        * scope units now also provide oom-kill status.

        * systemd-pstore will now try to load only the efi_pstore kernel module,
          instead of all possible modules that it supports.

        * systemd-logind gained a new StopIdleSessionSec= option to stop an idle
          session after a preconfigured timeout.

        * systemd-homed will now wait up to 30 seconds for workers to terminate,
          rather than indefinitely.

        * homectl gained a new '--luks-sector-size=' flag that allows users to
          select the preferred LUKS sector size. Must be a power of 2 between 512
          and 4096. systemd-userdbd records gained a corresponding field.

        * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
          variable when generating the 'sp_lstchg' field, to ensure an image
          build can be reproducible.

        * udevadm 'wait' will now listen to kernel uevents too when called with
          '--initialized=no'.

        * systemd-udevd will now assume the system is running on AC power if no
          battery can be found.

        * All features and tools using the TPM2 will now communicate with it
          using a bind key. Beforehand, the TPM2 support used encrypted sessions
          by creating a primary key that was used to encrypt traffic. This
          creates a problem, as the key created for encrypting the traffic could
          be faked by an active interposer on the bus. In cases where a PIN is
          used, a bind key will be used. The PIN is used as the auth value for
          the seal key, aka the disk encryption key, and that auth value will be
          used in the session establishment. An attacker would need the PIN
          value to create the secure session, and thus an active interposer
          without the PIN cannot interpose on TPM traffic.

        * systemd-growfs no longer requires udev to run.

        * systemd-backlight will now better support systems with multiple
          graphics cards.

        * systemd-cryptsetup's keyfile-timeout= option now also works when a
          device is used as a keyfile.

        * systemd-cryptenroll gained a new '--unlock-key-file=' option to get
          the key from a file instead of STDIN.

        * systemd-dissect gained a new '--umount' option that will safely and
          synchronously unmount all partitions of a mounted image.

        * When using gcrypt, all systemd tools and services will now configure
          it to prefer the OS RNG if there is one.

        Experimental features:

        * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
          and bpftool >= 7.0).

        * sd-boot can automatically enroll SecureBoot keys from files found on
          the ESP. This enrollment can be either automatic ('force' mode) or
          controlled by the user ('manual' mode).

        Contributions from: 김인수, Adam Williamson, adrian5,
        Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev,
        Alexander Graf, Alexander Shopov, Alexander Wilson,
        Alper Nebi Yasak, Andre Kalb, Andrew Stone, Andrey Albershteyn,
        Anita Zhang, Ansgar Burchardt, Antonio Alvarez Feijoo,
        Arnaud Ferraris, Aryan singh, asavah, Avamander, Avram Lubkin,
        Balázs Meskó, Bastien Nocera, Benjamin Franzke, BerndAdameit,
        bin456789, Chih-Hsuan Yen, Christian Brauner, Christian Göttsche,
        Christian Hesse, Clyde Byrd III, codefiles, Colin Walters,
        Cristian Rodríguez, Daan De Meyer, Daniel Braunwarth,
        Dan Streetman, Darsey Litzenberger, David Edmundson, David Jaša,
        David Rheinsberg, David Tardon, dependabot[bot], Devendra Tewari,
        Dominique Martinet, drosdeck, Edson Juliano Drosdeck,
        Eduard Tolosa, eggfly, Einsler Lee, Elias Probst, Eli Schwartz,
        Evgeny Vereshchagin, exploide, Fei Li, Foster Snowhill, Franck Bui,
        Frank Dana, Frantisek Sumsal, Gio, Goffredo Baroncelli, gtwang01,
        Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt,
        Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz,
        Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt,
        Jan Janssen, Jan Luebbe, Jan Macku, Jason A. Donenfeld,
        Javkhlanbayar Khongorzul, Jeremy Soller, JeroenHD, jiangchuangang,
        João Loureiro, Joaquín Ignacio Aramendía,
        Johannes Schauer Marin Rodrigues, Jonas Kümmerlin,
        Jonas Witschel, Jonathan Lebon, Joost Heitbrink, Jörg Thalheim,
        josh-gordon-fb, Kai Lueke, lastkrick, Lennart Poettering, licunlong,
        Li kunyu, LockBlock-dev, Loïc Collignon, Luca Boccassi,
        Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123,
        Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro,
        Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl,
        Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert,
        Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720,
        Oleg Solovyov, Pablo Ceballos, Pavel Zhukov, Phaedrus Leeds,
        Philipp Gortan, Piotr Drąg, Quentin Deslandes, Rahil Bhimjiani,
        Rene Hollander, Richard Huang, Richard Phibel, Rudi Heitbaum,
        Sam James, Sarah Brofeldt, Sean Anderson, Sebastian Scheibner,
        Shreenidhi Shedi, Sonali Srivastava, Steve Ramage, Suraj Krishnan,
        Swapnil Devesh, Thomas Haller, Thomas Hebb, Tomáš Hnyk,
        Tomasz Paweł Gajc, Topi Miettinen, Ulrich Ölmann, undef,
        Uriel Corfa, Victor Westerhuis, Vincent Dagonneau,
        Vishal Chillara Srinivas, Vito Caputo, Wenchao Hao,
        William Roberts, williamsumendap, wineway, Yu Watanabe,
        Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб

        – Under the Sea, 2022-10-07
