A new systemd ☠️ pre-release ☠️ has just been tagged. Please download the tarball here:
https://github.com/systemd/systemd/archive/v253-rc1.tar.gz
NOTE: This is ☠️ pre-release ☠️ software. Do not run this on production
systems, but please test this and report any issues you find to GitHub:
https://github.com/systemd/systemd/issues/new?template=Bug_report.md
Changes since the previous release:
Deprecations and incompatible changes
* systemctl will now warn when invoked without /proc mounted (e.g. when
invoked after chroot into an image without the API mount points like
/proc being set up.) Operation in such an environment is not fully
supported.
* The return value of 'systemctl is-active|is-enabled|is-failed' for
unknown units is changed: previously 1 or 3 were returned, but now 4
(EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented.
* 'udevadm hwdb' subcommand is deprecated and will emit a warning.
systemd-hwdb (added in 2014) should be used instead.
* 'bootctl --json' now outputs well-formed JSON, instead of a stream
of newline-separated JSON objects.
* Udev rules in 60-evdev.rules have been changed to load hwdb properties
for all modalias patterns. Previously only the first matching pattern
was used. This could change what properties are assigned if the user
has more and less specific patterns that could match the same device,
but it is expected that the change will have no effect for most users.
* systemd-networkd-wait-online exits successfully when all interfaces
are ready or unmanaged. Previously, if neither '--any' nor
'--interface=' options were used, at least one interface had to be in
configured state. This change allows the case, where systemd-networkd
is enabled but no interfaces are configured, to be handled
gracefully. It may occur in particular when a different network
manager is also enabled and used.
* Some compatibility helpers were dropped: EmergencyAction= in the user
manager, measuring kernel command line into PCR 8 along with the
-Defi-tpm-pcr-compat compile-time option.
New components:
* A tool 'ukify' tool to build, measure, and sign Unified Kernel Images
(UKIs) has been added. This replaces functionality provided by
'dracut --uefi' and extends it with automatic calculation of offsets,
insertion of signed PCR policies generated by systemd-measure,
support for initrd concatenation, signing of the embedded Linux image
and the combined image with sbsign, and heuristics to autodetect the
kernel uname and verify the splash image.
Changes in systemd and units:
* A new unit type Type=notify-reload is defined. When such a unit is
reloaded via a signal, the manager will wait until it receives a
"READY=1" notification from the unit. Otherwise, this type is the
same as Type=notify.
user@.service, systemd-networkd.service, systemd-udevd.service, and
systemd-logind have been updated to this type; their reloads are now
synchronuous.
* Initrd environments which are not on a temporary file system (for
example an overlayfs combination) are now supported. Systemd will only
skip removal of the files in the initrd if it doesn't detect a
temporary file system.
* New MemoryZSwapMax= option has been added to configure
memory.zswap.max cgroup properties (the maximum amount of zswap used).
* New LogFilterPatterns= option can be used to specify regexp
accept/deny patterns for log entries generated by the unit. Based on
the option value, the manager sets the
user.journald_log_filter_patterns extended attribute on the unit
cgroup. systemd-journald checks for this attribute when receiving
messages, and will filter messages by matching the MESSAGE= part.
Rejected messages are neither stored in the journal nor forwarded.
This option can be used to filter noisy or uninteresting messages
from units.
* The manager has a new
org.freedesktop.systemd1.Manager.GetUnitByPIDFD() method to query
process ownership via a PIDFD, which is more resilient against PID
recycling issues.
* Scope units now support OOMPolicy=. Login session scopes default to
OOMPolicy=continue, allowing login scopes to survive the OOM killer
terminating some processes in the scope.
* systemd-fstab-generator now supports x-systemd.makefs option for
/sysroot (in the initrd).
* The maximum rate at which daemon reloads are executed can now be
limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
options. (Or the equivalent on the kernel command line:
systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=).
In addition, systemd now logs the originating unit and PID when
a reload request is received over D-Bus.
* When enabling a swap device, instead of failing, systemd will now
reinitialize the device when the page size of the swap space does not
match the page size of the running kernel.
* Systemd now executes generators in a mount namespace "sandbox" with
most of the file system read-only, but with write access to the
output directories, and with a temporary /tmp/ mount provided. This
provides a safeguard against programming errors in the generators,
but also fixes here-docs in shells, which previously didn't work in
early boot when /tmp/ wasn't available yet. (This feature has no
security implications, because the code is still privileged and can
trivially exit the sandbox.)
* The manager will load the vmm.notify_socket credential. If found,
it will send a "READY=1" notification on the specified socket after
boot is complete. This allows readiness notification to be sent
from a VM guest to the host over a VSOCK socket.
* The sample PAM configuration file for systemd-user@.service now
includes a call to pam_namespace. This puts children of user@.service
in the expected namespace. (Many distributions replace their file
with something custom, so this change has limited effect.)
* A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST can
can be used to override the mount units burst late limit for parsing
'/proc/self/mountinfo', which was introduced in v249. Defaults to 5.
* Drop-ins for init.scope changing control cgroup resource limits are
now applied, while they were previously ignored.
Changes in udev:
* The new net naming scheme "v253" has been introduced. In the new
scheme, ID_NET_NAME_PATH is also set for USB devices not connected via
a PCI bus. This extends the coverage of predictable interface names
in some embedded systems.
The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
a more informative path on some embedded systems.
* Block partitions will now also get symlinks in
/dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
block device nodes via the kernel's "diskseq" value. Previously those
symlinks were only created for the main block device.
* A new operator '-=' is supported for SYMLINK variables. This allows
symlinks to be unconfigured even if an earlier rule added them.
* 'udevadm --trigger --settle' now also works for network devices
that are being renamed.
Changes in sd-boot, bootctl, and the Boot Loader Specification:
* systemd-boot now passes its random seed directly to the kernel's RNG
via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which
means the RNG gets seeded very early in boot before userspace has
started.
* systemd-boot will pass a random seed when secure boot is enabled if
it can additionally get a random seed from EFI itself, via EFI's RNG
protocol or a prior seed in LINUX_EFI_RANDOM_SEED_TABLE_GUID from a
preceding bootloader.
* systemd-boot-system-token.service was renamed to
systemd-boot-random-seed.service and extended to always save the
random seed to ESP on every boot when a compatible boot loader is
used. This allows a refreshed random seed to be used in the boot
loader.
* systemd-boot handles various seed inputs using a domain- and
field-separated hashing scheme.
* systemd-boot's 'random-seed-mode' option has been removed. A system
token is now always required to be present for random seeds to be
used.
* systemd-boot now supports being loaded not from the ESP, for example
for direct kernel boot under QEMU or when embedded into the firmware.
* systemd-boot now parses SMBIOS info to detect virtualization. This
information is used to skip some warnings which are not useful in a
VM and to conditionalize other aspects of behaviour.
* systemd-stub now processes random seeds in the same way as
systemd-boot, in case a unified kernel image is being used from a
different bootloader than systemd-boot.
* bootctl will now generate a system token on all EFI systems, even
virtualized ones, and is activated in the case that the system token
is missing from either sd-boot and sd-stub booted systems.
* bootctl now implements two new verbs: 'kernel-identify' prints the
type of a kernel image, and 'kernel-inspect' provides information
about the embedded command line and kernel version.
* bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
as for kernel-install.
Changes in kernel-install:
* A new "installation layout" can be configured as layout=uki. With this
setting, a Boot Loader Specification Type#1 entry will not be created.
Instead, a new kernel-install plugin 90-uki-copy.install will copy any
.efi files from the staging area into the boot partition. A plugin to
generate the UKI .efi file must be provided separately.
Changes in systemctl:
* 'systemctl reboot' has dropped support for accepting a positional
argument as the argument to the reboot(2) syscall. Please use the
--reboot-argument option instead.
* 'systemctl disable' will now warn when called on units without install
information. A new --no-warn option has been added that silences this
warning.
* New option '--drop-in=' can be used to tell 'systemctl edit' the name
of the drop-in to edit. (Previously, 'override.conf' was always used.
* 'systemctl list-dependencies' now respects --type= and --state=.
* 'systemctl kexec' now supports XEN.
Changes in systemd-networkd and related tools:
* The [DHCPv4] section in .network file gained new SocketPriority=
setting that assigns the Linux socket priority used by the DHCPv4
raw socket. Can be used in conjunction with the EgressQOSMaps=setting
in [VLAN] section of .netdev file to send the desired ethernet 802.1Q
frame priority for DHCPv4 initial packets. This cannot be achieved
with netfilter mangle tables because of the raw socket bypass.
* The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained new
QuickAck= boolean setting that enables the TCP quick ACK mode for the
routes configured by the acquired DHCPv4 lease or received router
advertisements (RAs).
* The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
routes) now accepts three values, for high, medium, and low preference
of the router (which can be set with the RouterPreference=) setting.
* systemd-networkd-wait-online now supports alternative interface names.
* The [DHCPv6] section in .network file gained new SendRelease=
setting which enables the DHCPv6 client to send release when
it stops. This is the analog of the [DHCPv4] SendRelease= setting.
It is enabled by default.
* If the Address= setting in [Network] or [Address] sections in .network
specified without its prefix length, then now systemd-networkd assumes
/32 for IPv4 or /128 for IPv6 addresses.
* networkctl shows network and link file dropins in status output.
Changes in systemd-dissect:
* systemd-dissect gained a new option --list, to print the paths fo the
files and directories in the image.
* systemd-dissect gained a new option --mtree, to generate output
compatible with BSD mtree(5).
* systemd-dissect gained a new option --with, to execute a command in
the image temporarily mounted.
* systemd-dissect gained a new option --discover, to search for
Discoverable Disk Images (DDIs) in well-known directories. This will
list machine, portable service and system extension disk images.
* systemd-dissect now understands 2nd stage initrd images stored as a
Discoverable Disk Image (DDI).
Changes in systemd-repart:
* systemd-repart gained new options --include-partitions= and
--exclude-partitions= to filter operation on partitions by type UUID.
This allows systemd-repart to be used to build images in which the
type of one partition is set based on the contents of another
partition (for example when the boot partition shall include a verity
hash of the root partition).
* systemd-repart also gained a --defer-partitions= option that is
similar to --exclude-partitions=, but the size of the partition is
taken into account without populating it.
* systemd-repart gained a new --sector-size= option to specify what
sector size should be used when an image is created.
* systemd-repart now supports erofs (a read-only file system similar to
squashfs).
* The Minimize= option was extended to accept "best" (which means the
most minimal image possible, but may require multiple attempts) and
"guess" (which means a reasonably small image).
Changes in journal tools:
* Various systemd tools will append extra fields to log messages when
in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently
this includes information about D-Bus messages when sd-bus is used,
e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information
about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
Details of what is logged and when are subject to change.
* The systemd-journald-audit.socket can now be normally disabled
to stop collection of audit messages.
* New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
be used to curtail disk use by systemd-journal-remote. This is
similar to the options supported by systemd-journald.
Changes in systemd-cryptenroll, systemd-cryptsetup, and related
components
* systemd-cryptenroll now supports unlocking via FIDO2 tokens (option
--unlock-fido2-device=).
* systemd-cryptsetup now supports new options tpm2-measure-pcr= and
tpm2-measure-bank= in crypttab(5). These allow specifying the
PCR bank and number into which the volume key should be measured.
* When measuring data into a PCR, an authenticated hash (HMAC) is used
on the CPU, to further protect the data before it leaves the CPU.
* systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partions with
"noexec,nosuid,nodev".
* systemd-pcrphase gained new options --machine-id and --file-system=
to measure the machine-id and mount point information into a PCR.
* The machine-id is measured into PCR 15 during early boot.
* For the root and /var/ volumes, the mount point information and
options, and volume encryption keys in case encryption is used, will
be measured into PCR 15.
* systemd-cryptenroll now stores the user-supplied PIN with a salt,
making it harder to brute-force.
Changes in other tools:
* systemd-homed gained support for luksPbkdfForceIterations (the
intended number of iterations for the PBKDF operation on LUKS).
* Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
$SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
can be used to specify additional arguments for mkfs when
systemd-homed formats a file system.
* systemd-hostnamed now exports the contents of
/sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two
new D-Bus properties: FirmwareVendor and FirmwareDate. This allows
unprivileged code to access those values.
systemd-hostnamed also exports the SUPPORT_END= field from
os-release(5) as OperatingSystemSupportEnd. timedatectl make uses of
this to show the status of the installed system.
* systemd-measure gained an --append= option to sign multiple phase
paths with different signing keys. This allows secrets to be
accessible only in certain parts of the boot sequence. Note that
'ukify' provides similar functionality in a more accessible form.
* systemd-timesyncd will now write a structured log message with
MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
on a disk timestamp, similarly to what it did when reaching
synchronization via NTP.
systemd-timesyncd will now also update the timestamp file on each
boot, making it more likely that the system time increases in
subsequent boots.
* systemd-vconsole-setup gained support for credentials:
vconsole.keymap/vconsole.keymap_toggle and
vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous
the similarly-named options in vconsole.conf.
* systemd-localed will now save the XKB keyboard configuration to
/etc/vconsole.conf, and also read it from there with a higher
preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config
file. Previously, this information was stored in the former file in
converted form, and only in latter file in the original form. Tools
which want to access keyboard configuration can now do so from a
standard location.
* systemd-resolved gained support for configuring the nameservers and
search domains via kernel command line (nameserver=, domain=) and
credentials (network.dns, network.search_domains).
* systemd-notify will now send a "RELOADING=1" notification when called
with --reloading, and "STOPPING=1" when called with --stopping. This
can be used to implement notifications from units where it's easier
to call a program than to use the sd-daemon library.
* systemd-analyze gained new --json=, --table, and --no-legend options
that affect the output of 'plot'.
* 'machinectl enable' will now automatically enable machines.target
unit in addition to adding the machine unit to the target.
Similarly, 'machinectl start|stop' gained a --now option to enable or
disable the machine unit when starting or stopping it.
Changes in libsystemd and shared code:
* sd-bus gained new convenience functions sd_bus_emit_signal_to(),
sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().
* sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
id128_t parameter has an invalid format. They also accept NULL as
output parameter in more places, which is useful when the caller only
wants to check the inputs and does not need the output value.
* sd-login gained new functions sd_pidfd_get_session(),
sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
sd_pidfd_get_user_unit(), sd_pidfd_get_slice(),
sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and
sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(),
but accept a PIDFD instead of a PID.
* sd-path (and systemd-path) now export four new paths:
SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR,
SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR,
SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and
SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR,
* sd-notify now supports AF_VSOCK, in the "vsock:CID:port" format, for
the notify_socket parameter/environment variable/credential.
* Detection of chroot environments now works if /proc/ is not mounted.
This affects systemd-detect-virt --chroot, but also means that systemd
tools will silently skip various operations in such an environment.
* "Lockheed Matrin Hardened Security for Intel Processors" (HS SRE)
virtualization is now detected.
Changes in the build system:
* Standalone variant of systemd-repart is built (if -Dstandalone=true).
* systemd-ac-power has been moved to /usr/bin/, to, for example, allow
scripts to conditionalize execution on AC power supply.
* The libp11kit library is now loaded through dlopen(3).
Changes in the documentation:
* Specifications that are not closely tied to systemd have moved to
https://uapi-group.org/specifications/: the Boot Loader Specification
and the Discoverable Partitions Specification.
Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas,
Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang,
Antonio Alvarez Feijoo, asavah, Benjamin Fogle, Benjamin Tissoires,
berenddeschouwer, BerndAdameit, Bernd Steinhauser, blutch112,
Callum Farmer, Carlo Teubner, Charles Hardin, chris,
Christian Brauner, Christian Göttsche, Cristian Rodríguez,
Daan De Meyer, Dan Streetman, DaPigGuy, David Tardon,
dependabot[bot], Dirk Su, Dmitry V. Levin, drosdeck,
Edson Juliano Drosdeck, edupont, Eric DeVolder, Erik Moqvist,
Evgeny Vereshchagin, Felix Riemann, Franck Bui, Frantisek Sumsal,
Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho,
igo95862, Ivan Shapovalov, Jacek Migacz, Jade Lovelace,
Jan Engelhardt, Jan Janssen, Jan Macku, January,
Jason A. Donenfeld, jcg, Jelle van der Waa, Jeremy Linton,
Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann, Jörg Thalheim,
Joshua Goins, joshuazivkovic, Joshua Zivkovic, Kai-Chuan Hsieh,
Khem Raj, Koba Ko, Lennart Poettering, lichao, Li kunyu,
Luca Boccassi, Luca BRUNO, Ludwig Nussel, Łukasz Stelmach,
Lycowolf, marcel151, Marcus Schäfer, Marek Vasut, Mark Laws,
Michael Biebl, Michał Kotyla, Michal Koutný, Michal Sekletár,
Mike Yuan, MkfsSion, msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore,
Nick Rosbrook, noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv,
Phaedrus Leeds, Philipp Jungkamp, Quentin Deslandes, Ray Strode,
reuben olinsky, Richard E. van der Luit, Richard Phibel,
Ricky Tigg, rogg, Sam James, Samuel Thibault, Siddhesh Poyarekar,
Space Meyer, Spindle Security, Steve Ramage, Thomas Haller,
Tonći Galić, Torsten Hilbrich, uerdogan, Ulrich Ölmann,
Valentin David, Vitaly Kuznetsov, Vito Caputo, Waltibaba,
Will Fancher, William Roberts, Youfu Zhang, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски,
наб
— Warsaw, 2023-01-25
systemd prerelease 253-rc1
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: systemd prerelease 253-rc1
- From: systemd tag bot <donotreply-systemd-tag@xxxxxxxxxx>
- Date: Tue, 24 Jan 2023 23:11:33 +0000
- Prev by Date: Re: networkd: Link local static IP address behind NAT
- Next by Date: Troubleshooting systemd shutdown problems - systemctl hangs in debug shell
- Previous by thread: systemd-homed: Change group membership without root and user passwords
- Next by thread: Troubleshooting systemd shutdown problems - systemctl hangs in debug shell
- Index(es):
 |