https://linuxunplugged.com/567

On Tue, 11 Jun 2024 at 23:45, systemd tag bot <donotreply-systemd-tag@xxxxxxxxxx> wrote:
>
> 🎆 A new, official systemd release has just 🎉 been 🎊 tagged 🍾. Please download the tarball here:
>
> https://github.com/systemd/systemd/archive/v256.tar.gz
>
> Changes since the previous release:
>
> Announcements of Future Feature Removals and Incompatible Changes:
>
> * Support for automatic flushing of the nscd user/group database caches will be dropped in a future release.
>
> * Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd by default will refuse to boot under it. To forcibly reenable cgroup v1 support, SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must be set on the kernel command line. The meson option 'default-hierarchy=' is also deprecated, i.e. only cgroup v2 ('unified' hierarchy) can be selected as build-time default.
>
> * Support for System V service scripts is deprecated and will be removed in a future release. Please make sure to update your software *now* to include a native systemd unit file instead of a legacy System V script to retain compatibility with future systemd releases.
>
> * Support for the SystemdOptions EFI variable is deprecated. 'bootctl systemd-efi-options' will emit a warning when used. It seems that this feature is little-used and it is better to use alternative approaches like credentials and confexts. The plan is to drop support altogether at a later point, but this might be revisited based on user feedback.
>
> * systemd-run's switch --expand-environment=, which currently is disabled by default when combined with --scope, will be changed in a future release to be enabled by default.
>
> * Previously, systemd-networkd did not explicitly remove any bridge VLAN IDs assigned on bridge master and ports. Since version 256, if a .network file for an interface has at least one valid setting in the [BridgeVLAN] section, then all assigned VLAN IDs on the interface that are not configured in the .network file are removed.
>
> * IPForward= setting in .network file is deprecated and replaced with IPv4Forwarding= and IPv6Forwarding= settings. These new settings are supported both in .network file and networkd.conf. If specified in a .network file, they control corresponding per-link settings. If specified in networkd.conf, they control corresponding global settings. Note, previously IPv6SendRA= and IPMasquerade= implied IPForward=, but now they imply the new per-link settings. One of the simplest ways to migrate configurations, that worked as a router with the previous version, is enabling both IPv4Forwarding= and IPv6Forwarding= in networkd.conf. See systemd.network(5) and networkd.conf(5) for more details.
>
> * systemd-gpt-auto-generator will stop generating units for ESP or XBOOTLDR partitions if it finds mount entries for or below the /boot/ or /efi/ hierarchies in /etc/fstab. This is to prevent the generator from interfering with systems where the ESP is explicitly configured to be mounted at some path, for example /boot/efi/ (this type of setup is obsolete, but still commonly found).
>
> * The behavior of systemd-sleep and systemd-homed has been updated to freeze user sessions when entering the various sleep modes or when locking a homed-managed home area. This is known to cause issues with the proprietary NVIDIA drivers. Packagers of the NVIDIA proprietary drivers may want to add drop-in configuration files that set SYSTEMD_SLEEP_FREEZE_USER_SESSIONS=false for systemd-suspend.service and related services, and SYSTEMD_HOME_LOCK_FREEZE_SESSION=false for systemd-homed.service.
>
> * systemd-tmpfiles and systemd-sysusers, when given a relative configuration file path (with at least one directory separator '/'), will open the file directly, instead of searching for the given partial path in the standard locations. The old mode wasn't useful because tmpfiles.d/ and sysusers.d/ configuration has a flat structure with no subdirectories under the standard locations and this change makes it easier to work with local files with those tools.
>
> * systemd-tmpfiles now properly applies nested configuration to 'R' and 'D' stanzas. For example, with the combination of 'R /foo' and 'x /foo/bar', /foo/bar will now be excluded from removal.
>
> * systemd.crash_reboot and related settings are deprecated in favor of systemd.crash_action=.
>
> General Changes and New Features:
>
> * Various programs will now attempt to load the main configuration file from locations below /usr/lib/, /usr/local/lib/, and /run/, not just below /etc/. For example, systemd-logind will look for /etc/systemd/logind.conf, /run/systemd/logind.conf, /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf, and use the first file that is found. This means that the search logic for the main config file and for drop-ins is now the same.
>
>   Similarly, kernel-install will look for the config files in /usr/lib/kernel/ and the other search locations, and now also supports drop-ins.
>
>   systemd-udevd now supports drop-ins for udev.conf.
>
> * A new 'systemd-vpick' binary has been added. It implements the new vpick protocol, where a "*.v/" directory may contain multiple files which have versions (following the UAPI version format specification) embedded in the file name. The files are ordered by version and the newest one is selected.
>
>   systemd-nspawn --image=/--directory=, systemd-dissect, systemd-portabled, and the RootDirectory=, RootImage=, ExtensionImages=, and ExtensionDirectories= settings for units now support the vpick protocol and allow the latest version to be selected automatically if a "*.v/" directory is specified as the source.
>
> * Encrypted service credentials can now be made accessible to unprivileged users. systemd-creds gained new options --user/--uid= for encrypting/decrypting a credential for a specific user.
>
> * New command-line tool 'importctl' to download, import, and export disk images via systemd-importd is added with the following verbs: pull-tar, pull-raw, import-tar, import-raw, import-fs, export-tar, export-raw, list-transfers, and cancel-transfer. This functionality was previously available in "machinectl", where it was used exclusively for machine images. The new "importctl" generalizes this for sysext, confext, and portable service images.
>
> * The systemd sources may now be compiled cleanly with all OpenSSL 3.0 deprecations removed, including the OpenSSL engine logic turned off.
>
> Service Management:
>
> * New system manager setting ProtectSystem= has been added. It is analogous to the unit setting, but applies to the whole system. It is enabled by default in the initrd.
>
>   Note that this means that code executed in the initrd cannot naively expect to be able to write to /usr/ during boot. This affects dracut <= 101, which wrote "hooks" to /lib/dracut/hooks/. See https://github.com/dracut-ng/dracut-ng/commit/a45048b80c27ee5a45a380.
>
> * New unit setting WantsMountsFor= has been added. It is analogous to RequiresMountsFor=, but creates a Wants= dependency instead of Requires=. This new logic is now used in various places where mounts were added as dependencies for other settings (WorkingDirectory=-…, PrivateTmp=yes, cryptsetup lines with 'nofail').
>
> * New unit setting MemoryZSwapWriteback= can be used to control the new memory.zswap.writeback cgroup knob added in kernel 6.8.
>
> * The manager gained an org.freedesktop.systemd1.StartAuxiliaryScope() D-Bus method to devolve some processes from a service into a new scope. This new scope will remain running, even when the original service unit is restarted or stopped. This allows a service unit to split out some worker processes which need to continue running. Control group properties of the new scope are copied from the originating unit, so various limits are retained.
>
> * Units now expose properties EffectiveMemoryMax=, EffectiveMemoryHigh=, and EffectiveTasksMax=, which report the most stringent limit systemd is aware of for the given unit.
>
> * A new unit file specifier %D expands to $XDG_DATA_HOME (for user services) or /usr/share/ (for system services).
>
> * AllowedCPUs= now supports specifier expansion.
>
> * What= setting in .mount and .swap units now accepts fstab-style identifiers, for example UUID=… or LABEL=….
>
> * RestrictNetworkInterfaces= now supports alternative network interface names.
>
> * PAMName= now implies SetLoginEnvironment=yes.
>
> * systemd.firstboot=no can be used on the kernel command-line to disable interactive queries, but allow other first boot configuration to happen based on credentials.
>
> * The system's hostname can be configured via the systemd.hostname system credential.
>
> * The systemd binary will no longer chainload sysvinit's "telinit" binary when called under the init/telinit name on a system that isn't booted with systemd. This previously has been supported to make sure a distribution that has both init systems installed can reasonably switch from one to the other via a simple reboot. Distributions apparently have lost interest in this, and the functionality has not been supported on the primary distribution this was still intended for a long time, and hence has been removed now.
>
> * A new concept called "capsules" has been introduced. "Capsules" wrap additional per-user service managers, whose users are transient and are only defined as long as the service manager is running. This is implemented via DynamicUser=1, allowing a user manager to be used to manage a group of processes without needing to create an actual user account. These service managers run with home directories of /var/lib/capsules/<capsule-name> and can contain regular services and other units. A capsule is started via a simple "systemctl start capsule@<name>.service". See the capsule@.service(5) man page for further details.
>
>   Various systemd tools (including, and most importantly, systemctl and systemd-run) have been updated to interact with capsules via the new "--capsule="/"-C" switch.
>
> * .socket units gained a new setting PassFileDescriptorsToExec=, taking a boolean value. If set to true the file descriptors the socket unit encapsulates are passed to the ExecStartPost=, ExecStopPre=, ExecStopPost= using the usual $LISTEN_FDS interface. This may be used for doing additional initializations on the sockets once they are allocated (for example, to install an additional eBPF program on them).
>
> * The .socket setting MaxConnectionsPerSource= (which so far put a limit on concurrent connections per IP in Accept=yes socket units), now also has an effect on AF_UNIX sockets: it will put a limit on the number of simultaneous connections from the same source UID (as determined via SO_PEERCRED). This is useful for implementing IPC services in a simple Accept=yes mode.
>
> * The service manager will now maintain a counter of soft reboot cycles the system went through. It may be queried via the D-Bus APIs.
>
> * systemd's execution logic now supports the new pidfd_spawn() API introduced by glibc 2.39, which allows us to invoke a subprocess in a target cgroup and get a pidfd back in a single operation.
>
> * systemd/PID 1 will now send an additional sd_notify() message to its supervising VMM or container manager reporting the selected hostname ("X_SYSTEMD_HOSTNAME=") and machine ID ("X_SYSTEMD_MACHINE_ID=") at boot. Moreover, the service manager will send additional sd_notify() messages ("X_SYSTEMD_UNIT_ACTIVE=") whenever a target unit is reached. This can be used by VMMs/container managers to schedule access to the system precisely. For example, the moment a system reports "ssh-access.target" being reached a VMM/container manager knows it can now connect to the system via SSH. Finally, a new sd_notify() message ("X_SYSTEMD_SIGNALS_LEVEL=2") is sent the moment PID 1 has successfully completed installation of its various UNIX process signal handlers (i.e. the moment where SIGRTMIN+4 sent to PID 1 will start to have the effect of shutting down the system cleanly). X_SYSTEMD_SHUTDOWN= is sent shortly before the system shuts down, and carries a string identifying the type of shutdown, i.e. "poweroff", "halt", "reboot". X_SYSTEMD_REBOOT_PARAMETER= is sent at the same time and carries the string passed to "systemctl --reboot-argument=" if there was one.
>
> * New D-Bus properties ExecMainHandoffTimestamp and ExecMainHandoffTimestampMonotonic are now published by service units. This timestamp is taken as the very last operation before handing off control to invoked binaries. This information is available for other unit types that fork off processes (i.e. mount, swap, socket units), but currently only via "systemd-analyze dump".
>
> * An additional timestamp is now taken by the service manager when a system shutdown operation is initiated. It can be queried via D-Bus during the shutdown phase. It's passed to the following service manager invocation on soft reboots, which will then use it to log the overall "grey-out" time of the soft reboot operation, i.e. the time from when the shutdown began until the system is fully up again.
>
> * "systemctl status" will now display the invocation ID in its usual output, i.e. the 128-bit ID uniquely assigned to the current runtime cycle of the unit. The ID has been supported for a long time, but is now more prominently displayed, as it is a very useful handle to a specific invocation of a service.
>
> * systemd now generates a new "taint" string "unmerged-bin" for systems that have /usr/bin/ and /usr/sbin/ separate. It's generally recommended to make the latter a symlink to the former these days.
>
> * A new systemd.crash_action= kernel command line option has been added that configures what to do after the system manager (PID 1) crashes. This can also be configured through CrashAction= in systemd.conf.
>
> * "systemctl kill" now supports --wait which will make the command wait until the signalled services terminate.
>
> Journal:
>
> * systemd-journald can now forward journal entries to a socket (AF_INET, AF_INET6, AF_UNIX, or AF_VSOCK). The socket can be specified in journald.conf via a new option ForwardToSocket= or via the 'journald.forward_to_socket' credential. Log records are sent in the Journal Export Format. A related setting MaxLevelSocket= has been added to control the maximum log levels for the messages sent to this socket.
>
> * systemd-journald now also reads the journal.storage credential when determining where to store journal files.
>
> * systemd-vmspawn gained a new --forward-journal= option to forward the virtual machine's journal entries to the host. This is done over an AF_VSOCK socket, i.e. it does not require networking in the guest.
>
> * journalctl gained option '-i' as a shortcut for --file=.
>
> * journalctl gained a new -T/--exclude-identifier= option to filter out certain syslog identifiers.
>
> * journalctl gained a new --list-namespaces option.
>
> * systemd-journal-remote now also accepts AF_VSOCK and AF_UNIX sockets (so it can be used to receive entries forwarded by systemd-journald).
>
> * systemd-journal-gatewayd allows restricting the time range of retrieved entries with a new "realtime=[<since>]:[<until>]" URL parameter.
>
> * systemd-cat gained a new option --namespace= to specify the target journal namespace to which the output shall be connected.
>
> * systemd-bsod gained a new option --tty= to specify the output TTY.
>
> Device Management:
>
> * /dev/ now contains symlinks that combine by-path and by-{label,uuid} information:
>
>   /dev/disk/by-path/<path>/by-<label|uuid|…>/<label|uuid|…>
>
>   This allows distinguishing partitions with identical contents on multiple storage devices. This is useful, for example, when copying raw disk contents between devices.
>
> * systemd-udevd now creates persistent /dev/media/by-path/ symlinks for media controllers. For example, the uvcvideo driver may create /dev/media0 which will be linked as /dev/media/by-path/pci-0000:04:00.3-usb-0:1:1.0-media-controller.
>
> * A new unit systemd-udev-load-credentials.service has been added to pick up udev.conf drop-ins and udev rules from credentials.
>
> * An allowlist/denylist may be specified to filter which sysfs attributes are used when crafting network interface names. Those lists are stored as hwdb entries
>   ID_NET_NAME_ALLOW_<sysfsattr>=0|1
>   and
>   ID_NET_NAME_ALLOW=0|1.
>
>   The goal is to avoid unexpected changes to interface names when the kernel is updated and new sysfs attributes become visible.
>
> * A new unit tpm2.target has been added to provide a synchronization point for units which expect the TPM hardware to be available. A new generator "systemd-tpm2-generator" has been added that will insert this target whenever it detects that the firmware has initialized a TPM, but Linux hasn't loaded a driver for it yet.
>
> * systemd-backlight now properly supports numbered devices which the kernel creates to avoid collisions in the leds subsystem.
>
> * systemd-hwdb update operation can be disabled with a new environment variable SYSTEMD_HWDB_UPDATE_BYPASS=1.
>
> systemd-hostnamed:
>
> * systemd-hostnamed now exposes the machine ID and boot ID via D-Bus. It also exposes the host's AF_VSOCK CID, if available.
>
> * systemd-hostnamed now provides a basic Varlink interface.
>
> * systemd-hostnamed exports the full data in os-release(5) and machine-info(5) via D-Bus and Varlink.
>
> * hostnamectl now shows the system's product UUID and hardware serial number if known.
>
> Network Management:
>
> * systemd-networkd now provides a basic Varlink interface.
>
> * systemd-networkd's ARP proxy support gained a new option to configure a private VLAN variant of the proxy ARP supported by the kernel under the name IPv4ProxyARPPrivateVLAN=.
>
> * systemd-networkd now exports the NamespaceId and NamespaceNSID properties via D-Bus and Varlink (which expose the inode and NSID of the network namespace the networkd instance manages).
>
> * systemd-networkd now supports IPv6RetransmissionTimeSec= and UseRetransmissionTime= settings in .network files to configure retransmission time for IPv6 neighbor solicitation messages.
>
> * networkctl gained new verbs 'mask' and 'unmask' for masking networkd configuration files such as .network files.
>
> * 'networkctl edit --runtime' allows editing volatile configuration under /run/systemd/network/.
>
> * The implementation behind TTLPropagate= network setting has been removed and the setting is now ignored.
>
> * systemd-network-generator will now pick up .netdev/.link/.network/networkd.conf configuration from system credentials.
>
> * systemd-networkd will now pick up wireguard secrets from credentials.
>
> * systemd-networkd's Varlink API now supports enumerating LLDP peers.
>
> * .link files now support new Property=, ImportProperty=, UnsetProperty= fields for setting udev properties on a link.
>
> * The various .link files that systemd ships for interfaces that are supposed to be managed by systemd-networkd only now carry an ID_NET_MANAGED_BY=io.systemd.Network udev property ensuring that other network management solutions honouring this udev property do not come into conflict with networkd, trying to manage these interfaces.
>
> * .link files now support a new ReceivePacketSteeringCPUMask= setting for configuring which CPUs to steer incoming packets to.
>
> * The [Network] section in .network files gained a new setting UseDomains=, which is a single generic knob for controlling the settings of the same name in the [DHCPv4], [DHCPv6] and [IPv6AcceptRA] sections.
>
> * The 99-default.link file we ship by default (that defines the policy for all network devices to which no other .link file applies) now lists "mac" among AlternativeNamesPolicy=. This means that network interfaces will now by default gain an additional MAC-address based alternative device name (i.e. enx…).
>
> systemd-nspawn:
>
> * systemd-nspawn now provides a /run/systemd/nspawn/unix-export/ directory where the container payload can expose AF_UNIX sockets to allow them to be accessed from outside.
>
> * systemd-nspawn will tint the terminal background for containers in a bluish color. This can be controlled with the new --background= switch or the new $SYSTEMD_TINT_BACKGROUND environment variable.
>
> * systemd-nspawn gained support for the 'owneridmap' option for --bind= mounts to map the target directory owner from inside the container to the owner of the directory bound from the host filesystem.
>
> * systemd-nspawn now supports moving Wi-Fi network devices into a container, just like other network interfaces.
>
> systemd-resolved:
>
> * systemd-resolved now reads RFC 8914 EDE error codes provided by upstream DNS services.
>
> * systemd-resolved and resolvectl now support RFC 9460 SVCB and HTTPS records, as well as RFC 2915 NAPTR records.
>
> * resolvectl gained a new option --relax-single-label= to allow querying single-label hostnames via unicast DNS on a per-query basis.
>
> * systemd-resolved's Varlink IPC interface now supports resolving DNS-SD services as well as an API for resolving raw DNS RRs.
>
> * systemd-resolved's .dnssd DNS_SD service description files now support DNS-SD "subtypes" via the new SubType= setting.
>
> * systemd-resolved's configuration may now be reloaded without restarting the service (i.e. "systemctl reload systemd-resolved" is now supported).
>
> SSH Integration:
>
> * An sshd config drop-in has been added to allow ssh keys acquired via userdbctl (for example exposed by homed accounts) to be used for authorization of incoming SSH connections.
>
> * A small new unit generator "systemd-ssh-generator" has been added. It checks if the sshd binary is installed. If so, it binds it via per-connection socket activation to various sockets depending on the execution context:
>
>   • If the system is run in a VM providing AF_VSOCK support, it automatically binds sshd to AF_VSOCK port 22.
>
>   • If the system is invoked as a full-OS container and the container manager pre-mounts a directory /run/host/unix-export/, it will bind sshd to an AF_UNIX socket /run/host/unix-export/ssh. The idea is the container manager bind mounts the directory to an appropriate place on the host as well, so that the AF_UNIX socket may be used to easily connect from the host to the container.
>
>   • sshd is also bound to an AF_UNIX socket /run/ssh-unix-local/socket, which may be used for ssh/sftp in a "sudo"-like fashion to access resources of other local users.
>
>   • Via the kernel command line option "systemd.ssh_listen=" and the system credential "ssh.listen", sshd may be bound to additional, explicitly configured options, including AF_INET/AF_INET6 ports.
>
>   In particular the first two mechanisms should make dealing with local VMs and full OS containers a lot easier, as SSH connections will *just* *work* from the host – even if no networking is available whatsoever.
>
>   systemd-ssh-generator optionally generates a per-connection socket activation service file wrapping sshd. This is only done if the distribution does not provide one on its own under the name "sshd@.service". The generated unit only works correctly if the SSH privilege separation ("privsep") directory exists. Unfortunately distributions vary wildly in where they place this directory. An incomprehensive list:
>
>   • /usr/share/empty.sshd/ (new fedora)
>   • /var/empty/
>   • /var/empty/sshd/
>   • /run/sshd/ (debian/ubuntu?)
>
>   If the SSH privsep directory is placed below /var/ or /run/, care needs to be taken that the directory is created automatically at boot if needed, since these directories possibly or always come up empty. This can be done via a tmpfiles.d/ drop-in. You may use the "sshdprivsepdir" meson option provided by systemd to configure the directory, in case you want systemd to create the directory as needed automatically, if your distribution does not cover this natively.
>
>   Recommendations to distributions, in order to make things just work:
>
>   • Please provide a per-connection SSH service file under the name "sshd@.service".
>
>   • Please move the SSH privsep dir into /usr/ (so that it is truly immutable on image-based operating systems, is strictly under package manager control, and never requires recreation if the system boots up with an empty /run/ or /var/).
>
>   • As an extension of this: please consider following Fedora's lead here, and use /usr/share/empty.sshd/ to minimize needless differences between distributions.
>
>   • If your distribution insists on placing the directory in /var/ or /run/ then please at least provide a tmpfiles.d/ drop-in to recreate it automatically at boot, so that the sshd binary just works, regardless of the context in which it is called.
>
> * A small tool "systemd-ssh-proxy" has been added, which is supposed to act as counterpart to "systemd-ssh-generator". It's a small plug-in for the SSH client (via ProxyCommand/ProxyUseFdpass) to allow it to connect to AF_VSOCK or AF_UNIX sockets. Example: "ssh vsock/4711" connects to a local VM with cid 4711, or "ssh unix/run/ssh-unix-local/socket" to connect to the local host via the AF_UNIX socket /run/ssh-unix-local/socket.
>
> systemd-boot and systemd-stub and Related Tools:
>
> * TPM 1.2 PCR measurement support has been removed from systemd-stub. TPM 1.2 is obsolete and – due to the (by today's standards) weak cryptographic algorithms it only supports – does not actually provide the security benefits it's supposed to provide. Given that the rest of systemd's codebase never supported TPM 1.2, the support has now been removed from systemd-stub as well.
>
> * systemd-stub will now measure its payload via the new EFI Confidential Computing APIs (CC), in addition to the pre-existing measurements to TPM.
>
> * confexts are loaded by systemd-stub from the ESP as well.
>
> * kernel-install gained support for --root= for the 'list' verb.
>
> * bootctl now provides a basic Varlink interface and can be run as a daemon via a template unit.
>
> * systemd-measure gained new options --certificate=, --private-key=, and --private-key-source= to allow using OpenSSL's "engines" or "providers" as the signing mechanism to use when creating signed TPM2 PCR measurement values.
>
> * ukify gained support for signing of PCR signatures via OpenSSL's engines and providers.
>
> * ukify now supports zboot kernels.
>
> * systemd-boot now supports passing additional kernel command line switches to invoked kernels via an SMBIOS Type #11 string "io.systemd.boot.kernel-cmdline-extra". This is similar to the pre-existing support for this in systemd-stub, but also applies to Type #1 Boot Loader Specification Entries.
>
> * systemd-boot's automatic SecureBoot enrollment support gained support for enrolling "dbx" too (previously, only db/KEK/PK enrollment was supported). It also now supports UEFI "Custom" and "Audit" modes.
>
> * The pcrlock policy is saved in an unencrypted credential file "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the /loader/credentials/ directory. It will be picked up at boot by systemd-stub and passed to the initrd, where it can be used to unlock the root file system.
>
> * systemd-pcrlock gained an --entry-token= option to configure the entry-token.
>
> * systemd-pcrlock now provides a basic Varlink interface and can be run as a daemon via a template unit.
>
> * systemd-pcrlock's TPM nvindex access policy has been modified; this means that previous pcrlock policies stored in nvindexes are invalidated. They must be removed (systemd-pcrlock remove-policy) and recreated (systemd-pcrlock make-policy). For the time being systemd-pcrlock remains an experimental feature, but it is expected to become stable in the next release, i.e. v257.
>
> * systemd-pcrlock's --recovery-pin= switch now takes three values: "hide", "show", "query". If "show" is selected the automatically generated recovery PIN is shown to the user. If "query" is selected then the PIN is queried from the user.
>
> * sd-stub gained support for the new ".ucode" PE section in UKIs, that may contain CPU microcode data. When control is handed over to the Linux kernel this data is prepended to the set of initrds passed.
>
> systemd-run/run0:
>
> * systemd-run is now a multi-call binary. When invoked as 'run0', it provides an interface similar to 'sudo', with all arguments starting at the first non-option parameter being treated as the command to invoke as root. Unlike 'sudo' and similar tools, it does not make use of setuid binaries or other privilege escalation methods, but instead runs the specified command as a transient unit, which is started by the system service manager, so privileges are dropped, rather than gained, thus implementing a much more robust and safe security model. As usual, authorization is managed via Polkit.
>
> * systemd-run/run0 will now tint the terminal background on supported terminals: in a reddish tone when invoking a root service, in a yellowish tone otherwise. This may be controlled and turned off via the new --background= switch or the new $SYSTEMD_TINT_BACKGROUND environment variable.
>
> * systemd-run gained a new option '--ignore-failure' to suppress command failures.
>
> Command-line tools:
>
> * 'systemctl edit --stdin' allows creation of unit files and drop-ins with contents supplied via standard input. This is useful when creating configuration programmatically; the tool takes care of figuring out the file name, creating any directories, and reloading the manager afterwards.
>
> * 'systemctl disable --now' and 'systemctl mask --now' now work correctly with template units.
>
> * 'systemd-analyze architectures' lists known CPU architectures.
>
> * 'systemd-analyze --json=…' is supported for 'architectures', 'capability', 'exit-status'.
>
> * 'systemd-tmpfiles --purge' will purge (remove) all files and directories created via tmpfiles.d configuration.
>
> * systemd-id128 gained new options --no-pager, --no-legend, and -j/--json=.
>
> * hostnamectl gained '-j' as shortcut for '--json=pretty' or '--json=short'.
>
> * loginctl now supports -j/--json=.
>
> * resolvectl now supports -j/--json= for --type=.
>
> * systemd-tmpfiles gained a new option --dry-run to print what would be done without actually taking action.
>
> * varlinkctl gained a new --collect switch to collect all responses of a method call that supports multiple replies and turn them into a single JSON array.
>
> * systemd-dissect gained a new --make-archive option to generate an archive file (tar.gz and similar) from a disk image.
>
> systemd-vmspawn:
>
> * systemd-vmspawn gained a new --firmware= option to configure or list firmware definitions for Qemu, a new --tpm= option to enable or disable the use of a software TPM, a new --linux= option to specify a kernel binary for direct kernel boot, a new --initrd= option to specify an initrd for direct kernel boot, a new -D/--directory option to use a plain directory as the root file system, a new --private-users option similar to the one in systemd-nspawn, new options --bind= and --bind-ro= to bind part of the host's file system hierarchy into the guest, a new --extra-drive= option to attach additional storage, and -n/--network-tap/--network-user-mode to configure networking.
>
> * A new systemd-vmspawn@.service can be used to launch systemd-vmspawn as a service.
>
> * systemd-vmspawn gained the new --console= and --background= switches that control how to interact with the VM. As before, by default an interactive terminal interface is provided, but now with a background tinted with a greenish hue.
>
> * systemd-vmspawn can now register its VMs with systemd-machined, controlled via the --register= switch.
>
> * machinectl's start command (and related) can now invoke images either
> as containers via `systemd-nspawn` (switch is --runner=nspawn, the
> default) or as VMs via `systemd-vmspawn` (switch is --runner=vmspawn,
> or short -V).
>
> * systemd-vmspawn now supports two switches --pass-ssh-key= and
> --ssh-key-type= to optionally set up transient SSH keys to pass to the
> invoked VMs in order to be able to SSH into them once booted.
>
> * systemd-vmspawn will now enable various "HyperV enlightenments" and
> the "VM Generation ID" on the VMs.
>
> * A new environment variable $SYSTEMD_VMSPAWN_QEMU_EXTRA may carry
> additional qemu command line options to pass to qemu.
>
> * systemd-machined gained a new GetMachineSSHInfo() D-Bus method that is
> used by systemd-vmspawn to fetch the information needed to ssh into the
> machine.
>
> * systemd-machined gained a new Varlink interface that is used by
> systemd-vmspawn to register machines with additional information and
> metadata.
>
> systemd-repart:
>
> * systemd-repart gained new options --generate-fstab= and
> --generate-crypttab= to write out fstab and crypttab files matching the
> generated partitions.
>
> * systemd-repart gained a new option --private-key-source= to allow
> using OpenSSL's "engines" or "providers" as the signing mechanism to
> use when creating verity signature partitions.
>
> * systemd-repart gained a new DefaultSubvolume= setting in repart.d/
> drop-ins that allows configuring the default btrfs subvolume for newly
> formatted btrfs file systems.
>
> Libraries:
>
> * libsystemd gained new call sd_bus_creds_new_from_pidfd() to get a
> credentials object for a pidfd and sd_bus_creds_get_pidfd_dup() to
> retrieve the pidfd from a credentials object.
>
> * sd-bus' credentials logic will now also acquire peer's UNIX group
> lists and peer's pidfd if supported and requested.
>
> * RPM macro %_kernel_install_dir has been added with the path
> to the directory for kernel-install plugins.
>
> * The liblz4, libzstd, liblzma, libkmod, libgcrypt dependencies have
> been changed from regular shared library dependencies into dlopen()
> based ones.
>
> Note that this means that those libraries might not be automatically
> pulled in when ELF dependencies are resolved. In particular lack of
> libkmod might cause problems with boot. This affects dracut <= 101,
> see https://github.com/dracut-ng/dracut-ng/commit/04b362d713235459cf.
>
> * systemd ELF binaries that use libraries via dlopen() are now built with
> a new ELF header note section, following a new specification defined at
> docs/ELF_DLOPEN_METADATA.md, that provides information about which
> sonames are loaded and used if found at runtime. This allows tools and
> packagers to programmatically discover the list of optional
> dependencies used by all systemd ELF binaries. A parser with packaging
> integration tools is available at
> https://github.com/systemd/package-notes
>
> * The sd-journal API gained a new call
> sd_journal_stream_fd_with_namespace() which is just like
> sd_journal_stream_fd() but creates a log stream targeted at a
> specific log namespace.
>
> * The sd-id128 API gained a new API call
> sd_id128_get_invocation_app_specific() for acquiring an app-specific
> ID that is derived from the service invocation ID.
>
> * The sd-event API gained a new API call
> sd_event_source_get_inotify_path() that returns the file system path
> an inotify event source was created for.
>
> systemd-cryptsetup/systemd-cryptenroll:
>
> * The device node argument to systemd-cryptenroll is now optional. If
> omitted it will be derived automatically from the backing block
> device of /var/ (which quite likely is the same as the root file
> system, hence effectively means if you don't specify things otherwise
> the tool will now default to enrolling a key into the root file
> system's LUKS device).
>
> * systemd-cryptenroll can now enroll directly with a PKCS11 public key
> (instead of a certificate).
>
> * systemd-cryptsetup/systemd-cryptenroll now may lock a disk against a
> PKCS#11 provided EC key (before it only supported RSA).
>
> * systemd-cryptsetup gained support for crypttab option
> link-volume-key= to link the volume key into the kernel keyring when
> the volume is opened.
>
> * systemd-cryptenroll will no longer enable Dictionary Attack
> Protection (i.e. turn on NO_DA) for TPM enrollments that do not
> involve a PIN. DA should not be necessary in that case (since key
> entropy is high enough to make this unnecessary), but risks
> accidental lock-out in case of unexpected PCR changes.
>
> * systemd-cryptenroll now supports enrolling a new slot while unlocking
> the old slot via TPM2 (previously unlocking only worked via password
> or FIDO2).
>
> Documentation:
>
> * The remaining documentation that was on
> https://freedesktop.org/wiki/Software/systemd/ has been moved to
> https://systemd.io/.
>
> * A new text describing the VM integration interfaces of systemd has
> been added:
>
> https://systemd.io/VM_INTERFACE
>
> * The sd_notify() man page has gained examples with C and Python code
> that show how to implement the interface in those languages without
> involving libsystemd.
>
> systemd-homed, systemd-logind, systemd-userdbd:
>
> * systemd-homed now supports unlocking of home directories when logging
> in via SSH. Previously home directories needed to be unlocked before
> an SSH login is attempted.
>
> * JSON User Records have been extended with a separate public storage
> area called "User Record Blob Directories". This is intended to store
> the user's background image, avatar picture, and other similar items
> which are too large to fit into the User Record itself.
>
> systemd-homed, userdbctl, and homectl gained support for blob
> directories. homectl gained --avatar= and --login-background= to
> control two specific items of the blob directories.
>
> * A new "additionalLanguages" field has been added to JSON user records
> (as supported by systemd-homed and systemd-userdbd), which is closely
> related to the pre-existing "preferredLanguage", and allows
> specifying multiple additional languages for the user account. It is
> used to initialize the $LANGUAGES environment variable when used.
>
> * A new pair of "preferredSessionType" and "preferredSessionLauncher"
> fields have been added to JSON user records, that may be used to
> control which kind of desktop session to preferably activate on
> logins of the user.
>
> * homectl gained a new verb 'firstboot', and a new
> systemd-homed-firstboot.service unit uses this verb to create users
> in a first boot environment, either from system credentials or by
> querying interactively.
>
> * systemd-logind now supports a new "background-light" session class
> which does not pull in the user@.service unit. This is intended in
> particular for lighter weight per-user cron jobs which do not require any
> per-user service manager to be around.
>
> * The per-user service manager will now be tracked as a distinct "manager"
> session type among logind sessions of each user.
>
> * homectl now supports an --offline mode, by which certain account
> properties can be changed without unlocking the home directory.
>
> * systemd-logind gained a new
> org.freedesktop.login1.Manager.ListSessionsEx() method that provides
> additional metadata compared to ListSessions(). loginctl makes use of
> this to list additional fields in list-sessions.
>
> * systemd-logind gained a new org.freedesktop.login1.Manager.Sleep()
> method that automatically redirects to SuspendThenHibernate(),
> Suspend(), HybridSleep(), or Hibernate(), depending on what is
> supported and configured, a new configuration setting SleepOperation=,
> and an accompanying helper method
> org.freedesktop.login1.Manager.CanSleep() and property
> org.freedesktop.login1.Manager.SleepOperation.
>
> 'systemctl sleep' calls the new method to automatically put the
> machine to sleep in the most appropriate way.
>
> Credential Management:
>
> * systemd-creds now provides a Varlink IPC API for encrypting and
> decrypting credentials.
>
> * systemd-creds' "tpm2-absent" key selection has been renamed to
> "null", since that's what it actually does: "encrypt" and "sign"
> with a fixed null key. --with-key=null should only be used in very
> specific cases, as it provides zero integrity or confidentiality
> protections. (i.e. it's only safe to use as fallback in environments
> lacking both a TPM and access to the root fs to use the host
> encryption key, or when integrity is provided some other way.)
>
> * systemd-creds gained a new switch --allow-null. If specified, the
> "decrypt" verb will decode encrypted credentials that use the "null"
> key (by default this is refused, since using the "null" key defeats
> the authenticated encryption normally done).
>
> Suspend & Hibernate:
>
> * The sleep.conf configuration file gained a new MemorySleepMode=
> setting for configuring the sleep mode in more detail.
>
> * A tiny new service systemd-hibernate-clear.service has been added
> which clears hibernation information from the HibernateLocation EFI
> variable, in case the resume device is gone. Normally, this variable
> is supposed to be cleaned up by the code that initiates the resume
> from hibernation image. But when the device is missing and that code
> doesn't run, this service will now do the necessary work, ensuring
> that no outdated hibernation image information remains on subsequent
> boots.
>
> Unprivileged User Namespaces & Mounts:
>
> * A small new service systemd-nsresourced.service has been added. It
> provides a Varlink IPC API that assigns a free, transiently allocated
> 64K UID/GID range to an uninitialized user namespace a client
> provides. It may be used to implement unprivileged container managers
> and other programs that need dynamic user ID ranges. It also provides
> interfaces to then delegate mount file descriptors, control groups
> and network interfaces to user namespaces set up this way.
>
> * A small new service systemd-mountfsd.service has been added. It
> provides a Varlink IPC API for mounting DDI images, and returning a set
> of mount file descriptors for it. If a user namespace fd is provided
> as input, then the mounts are registered with the user namespace. To
> ensure trust in the image it must provide Verity information (or
> alternatively interactive polkit authentication is required).
>
> * The systemd-dissect tool now can access DDIs fully unprivileged by
> using systemd-nsresourced/systemd-mountfsd.
>
> * If the service manager runs unprivileged (i.e. systemd --user) it now
> supports RootImage= for accessing DDI images, also implemented via
> the systemd-nsresourced/systemd-mountfsd.
>
> * systemd-nspawn may now operate without privileges, if a suitable DDI
> is provided via --image=, again implemented via
> systemd-nsresourced/systemd-mountfsd.
>
> Other:
>
> * timedatectl and machinectl gained option '-P', an alias for
> '--value --property=…'.
>
> * Various tools that pretty-print config files will now highlight
> configuration directives.
>
> * varlinkctl gained support for the "ssh:" transport. This requires
> OpenSSH 9.4 or newer.
>
> * systemd-sysext gained support for enabling system extensions in
> mutable fashion, where a writeable upperdir is stored under
> /var/lib/extensions.mutable/, and a new --mutable= option to
> configure this behaviour. An "ephemeral" mode is now also supported
> where the mutable layer is configured to be a tmpfs that is
> automatically released when the system extensions are reattached.
>
> * Coredumps are now retained for two weeks by default (instead of three
> days, as before).
>
> * portablectl --copy= parameter gained a new 'mixed' argument, that will
> result in resources owned by the OS (e.g.: portable profiles) being linked
> but resources owned by the portable image (e.g.: the unit files and the
> images themselves) being copied.
>
> * systemd will now register MIME types for various of its file types
> (e.g. journal files, DDIs, encrypted credentials …) via the XDG
> shared-mime-info infrastructure. (Files of these types will thus be
> recognized as their own thing in desktop file managers such as GNOME
> Files.)
>
> * systemd-dissect will now show the detected sector size of a given DDI
> in its default output.
>
> * systemd-portabled now generates recognizable structured log messages
> whenever a portable service is attached or detached.
>
> * Verity signature checking in userspace (i.e. checking against
> /etc/verity.d/ keys) when activating DDIs can now be turned on/off
> via a kernel command line option systemd.allow_userspace_verity= and
> an environment variable SYSTEMD_ALLOW_USERSPACE_VERITY=.
>
> * ext4/xfs file system quota handling has been reworked, so that
> quotacheck and quotaon are now invoked as per-file-system templated
> services (as opposed to single system-wide singletons), similar in
> style to the fsck, growfs, pcrfs logic. This means file systems with
> quota enabled can now be reasonably enabled at runtime of the system,
> not just at boot.
>
> * "systemd-analyze dot" will now also show BindsTo= dependencies.
>
> * systemd-debug-generator gained the ability to add in arbitrary units
> based on them being passed in via system credentials.
>
> * A new kernel command-line option systemd.default_debug_tty= can be
> used to specify the TTY for the debug shell, independently of
> enabling or disabling it.
>
> * portablectl gained a new --clean switch that clears a portable
> service's data (cache, logs, state, runtime, fdstore) when detaching
> it.
>
> Contributions from: A S Alam, AKHIL KUMAR,
> Abraham Samuel Adekunle, Adrian Vovk, Adrian Wannenmacher,
> Alan Liang, Alberto Planas, Alexander Zavyalov, Anders Jonsson,
> Andika Triwidada, Andres Beltran, Andrew Sayers,
> Antonio Alvarez Feijoo, Arian van Putten, Arthur Zamarin,
> Artur Pak, AtariDreams, Benjamin Franzke, Bernhard M. Wiedemann,
> Black-Hole1, Bryan Jacobs, Burak Gerz, Carlos Garnacho,
> Chandra Pratap, Chris Hofstaedtler, Chris Packham, Chris Simons,
> Christian Göttsche, Christian Wesselhoeft, Clayton Craft,
> Colin Geniet, Colin Walters, Colin Watson, Costa Tsaousis,
> Cristian Rodríguez, Daan De Meyer, Damien Challet, Dan Streetman,
> Daniel Winzen, Daniele Medri, David Seifert, David Tardon,
> David Venhoek, Diego Viola, Dionna Amalie Glaze,
> Dmitry Konishchev, Dmitry V. Levin, Edson Juliano Drosdeck,
> Eisuke Kawashima, Eli Schwartz, Emanuele Giuseppe Esposito,
> Eric Daigle, Evgeny Vereshchagin, Felix Riemann,
> Fernando Fernandez Mancera, Florian Fainelli, Florian Schmaus,
> Franck Bui, Frantisek Sumsal, Friedrich Altheide,
> Gabríel Arthúr Pétursson, Gaël Donval, Georges Basile Stavracas Neto,
> Gerd Hoffmann, GNOME Foundation, Guido Leenders,
> Guilhem Lettron, Göran Uddeborg, Hans de Goede, Harald Brinkmann,
> Heinrich Schuchardt, Helmut Grohne, Henry Li, Heran Yang,
> Holger Assmann, Ivan Kruglov, Ivan Shapovalov, Jakub Sitnicki,
> James Muir, Jan Engelhardt, Jan Macku, Jarne Förster, Jeff King,
> Jian-Hong Pan, JmbFountain, Joakim Nohlgård, Jonathan Conder,
> Julius Alexandre, Jörg Behrmann, Kai Lueke, Kamil Szczęk,
> KayJay7, Keian, Kirk, Kristian Klausen, Krzesimir Nowak,
> Lain "Fearyncess" Yang, Lars Ellenberg, Lennart Poettering,
> Leonard, Luca Boccassi, Lucas Salles, Ludwig Nussel,
> Lukáš Nykrýn, Luna Jernberg, Luxiter, Maanya Goenka,
> Maciej S. Szmigiero, Mariano Giménez, Markus Merklinger,
> Martin Ivicic, Martin Srebotnjak, Martin Trigaux, Martin Wilck,
> Mathias Lang, Matt Layher, Matt Muggeridge, Matteo Croce,
> Matthias Lisin, Max Gautier, Max Staudt, MaxHearnden,
> Michael Biebl, Michal Koutný, Michal Sekletár, Michał Kopeć,
> Mike Gilbert, Mike Yuan, Mikko Ylinen, MkfsSion, Moritz Sanft,
> MrSmör, Nandakumar Raghavan, Nicholas Little, Nick Cao,
> Nick Rosbrook, Nicolas Bouchinet, Norbert Lange,
> Ole Peder Brandtzæg, Ondrej Kozina, Oğuz Ersen,
> Pablo Méndez Hernández, Pierre GRASSER, Piotr Drąg, QuonXF,
> Radoslav Kolev, Rafaël Kooi, Raito Bezarius, Rasmus Villemoes,
> Reid Wahl, Renjaya Raga Zenta, Richard Maw, Roland Hieber,
> Ronan Pigott, Rose, Ross Burton, Saliba-san, Sam Leonard,
> Samuel BF, Sarvajith Adyanthaya, Scrambled 777,
> Sebastian Pucilowski, Sergei Zhmylev, Sergey A, Shulhan,
> SidhuRupinder, Simon Fowler, Skia, Sludge, Stuart Hayhurst,
> Susant Sahani, Takashi Sakamoto, Temuri Doghonadze, Thayne McCombs,
> Thilo Fromm, Thomas Blume, Tiago Rocha Cunha, Timo Rothenpieler,
> TobiPeterG, Tobias Fleig, Tomáš Pecka, Topi Miettinen,
> Tycho Andersen, Unique-Usman, Usman Akinyemi, Vasiliy Kovalev,
> Vasiliy Stelmachenok, Victor Berchet, Vishal Chillara Srinivas,
> Vitaly Kuznetsov, Vito Caputo, Vladimir Stoiakin, Werner Sembach,
> Will Springer, Winterhuman, Xiaotian Wu, Yu Watanabe,
> Yuri Chornoivan, Zbigniew Jędrzejewski-Szmek, Zmyeir, anphir,
> aslepykh, chenjiayi, cpackham-atlnz, cunshunxia, djantti, drewbug,
> hanjinpeng, hfavisado, hulkoba, hydrargyrum, ksaleem, mburucuyapy,
> medusalix, mille-feuille, mkubiak, mooo, msizanoen, networkException,
> nl6720, r-vdp, runiq, sam-leonard-ct, samuelvw01, sharad3001, spdfnet,
> sushmbha, wangyuhang, zeroskyx, zzywysm, İ. Ensar Gülşen,
> Łukasz Stelmach, Štěpán Němec, 我超厉害, 김인수
>
> — Edinburgh, 2024-06-11
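The "Libraries" section of the quoted announcement says that systemd binaries now carry an ELF note listing the sonames they dlopen() (docs/ELF_DLOPEN_METADATA.md), so that packagers can discover optional dependencies and avoid the libkmod-in-the-initrd problem it mentions. What follows is an added example, not the announcement's text and not the systemd/package-notes parser: it walks the PT_NOTE segments of a little-endian ELF64 file, picks out the dlopen metadata notes and reports which entries have no installed soname. The note owner ("FDO"), the type value (0x407c0c0a) and the JSON field names are the author's reading of that specification and should be treated as assumptions; the sample ELF image and its metadata are constructed inline so the code runs without a real binary.

```python
"""Discover dlopen() dependencies from the ELF note described by
docs/ELF_DLOPEN_METADATA.md.

Added example, not the systemd/package-notes parser. Assumed encoding (the
specification as the author of this example understands it): a note with
owner "FDO" and type 0x407c0c0a whose descriptor is a NUL-terminated JSON
array of objects with "soname" (list), "feature", "description" and
"priority". Only little-endian ELF64 is handled; the sample ELF is constructed.
"""
import json
import struct
from typing import Dict, Iterator, List, Set, Tuple

PT_NOTE = 4
FDO_OWNER = b"FDO"
FDO_DLOPEN_NOTE_TYPE = 0x407C0C0A


def _align4(n: int) -> int:
    # Note name/descriptor fields are padded to 4 bytes in practice, even in ELF64.
    return (n + 3) & ~3


def iter_elf64_notes(data: bytes) -> Iterator[Tuple[bytes, int, bytes]]:
    """Yield (owner, type, descriptor) for every note in every PT_NOTE segment."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("example handles little-endian ELF64 only")
    hdr = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", data, pos)
            pos += 12
            owner = data[pos:pos + namesz].rstrip(b"\0")
            pos += _align4(namesz)
            desc = data[pos:pos + descsz]
            pos += _align4(descsz)
            yield owner, ntype, desc


def dlopen_dependencies(data: bytes) -> List[Dict]:
    """Return the metadata entries from all FDO dlopen notes in the binary."""
    entries: List[Dict] = []
    for owner, ntype, desc in iter_elf64_notes(data):
        if owner == FDO_OWNER and ntype == FDO_DLOPEN_NOTE_TYPE:
            entries.extend(json.loads(desc.rstrip(b"\0").decode("utf-8")))
    return entries


def unmet(entries: List[Dict], installed: Set[str]) -> List[Tuple[str, str]]:
    """(feature, priority) for every entry none of whose sonames is installed.

    This is the packaging check the announcement hints at: a soname that is
    missing from an initrd is a boot problem, not a cosmetic one.
    """
    return [(e["feature"], e["priority"]) for e in entries
            if not set(e["soname"]) & installed]


def build_note(owner: bytes, ntype: int, desc: bytes) -> bytes:
    """Encode one ELF note (namesz, descsz, type, padded name, padded desc)."""
    name = owner + b"\0"
    return (struct.pack("<III", len(name), len(desc), ntype)
            + name.ljust(_align4(len(name)), b"\0")
            + desc.ljust(_align4(len(desc)), b"\0"))


def build_synthetic_elf(notes: bytes) -> bytes:
    """Minimal ELF64 image with a single PT_NOTE segment (constructed input)."""
    ehsize, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, 1, 0, 0, 0)
    off = ehsize + phentsize
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, off, 0, 0, len(notes), len(notes), 4)
    return ehdr + phdr + notes


# Constructed sample metadata; priorities and sonames are illustrative only.
SAMPLE_METADATA = [
    {"feature": "kmod", "description": "Support for loading kernel modules",
     "priority": "required", "soname": ["libkmod.so.2"]},
    {"feature": "compression-zstd", "description": "Support for zstd compression",
     "priority": "recommended", "soname": ["libzstd.so.1"]},
]


def sample_elf() -> bytes:
    """Synthetic binary: an unrelated GNU build-id note followed by the FDO note."""
    build_id = build_note(b"GNU", 3, bytes(range(20)))  # NT_GNU_BUILD_ID == 3
    fdo = build_note(FDO_OWNER, FDO_DLOPEN_NOTE_TYPE,
                     json.dumps(SAMPLE_METADATA).encode("utf-8") + b"\0")
    return build_synthetic_elf(build_id + fdo)


if __name__ == "__main__":
    deps = dlopen_dependencies(sample_elf())
    for dep in deps:
        print(dep["priority"], dep["feature"], ",".join(dep["soname"]))
    print("unmet:", unmet(deps, {"libzstd.so.1"}))
```

On a real system the same functions take the bytes of an installed systemd binary; intersecting the reported sonames with what an initrd actually ships is the check that catches the libkmod case the announcement warns about, before the machine fails to boot.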
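The "Documentation" section says the sd_notify() man page now carries C and Python examples of speaking the notification protocol without libsystemd. The block below is an added example in the same spirit, written for this page rather than taken from the man page or from systemd: it assumes the documented wire format ($NOTIFY_SOCKET names an AF_UNIX datagram socket, either a path or an abstract name starting with '@', and the state is newline-separated KEY=VALUE assignments). The round-trip helper that plays the manager side on a temporary socket is constructed for the example.

```python
"""sd_notify() protocol client without libsystemd.

Added example, not the code from the sd_notify(3) man page. Assumed wire
format: $NOTIFY_SOCKET names an AF_UNIX datagram socket (a filesystem path,
or an abstract socket when it starts with '@') and the state is sent as
newline-separated KEY=VALUE assignments.
"""
import os
import socket
import tempfile
from typing import List, Tuple


def format_state(**fields: str) -> str:
    """Serialize assignments such as READY=1 or STATUS=... into one datagram."""
    for key, value in fields.items():
        if "=" in key or "\n" in value:
            raise ValueError(f"invalid notification field: {key!r}")
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def sd_notify(state: str, unset_environment: bool = False) -> bool:
    """Send one state string to the manager; False if no manager is listening.

    Like libsystemd's sd_notify(), an absent $NOTIFY_SOCKET is not an error:
    the process simply was not started with Type=notify. unset_environment
    removes the variable so that child processes do not inherit the socket.
    """
    addr = os.environ.get("NOTIFY_SOCKET")
    if unset_environment:
        os.environ.pop("NOTIFY_SOCKET", None)
    if not addr:
        return False
    if addr[0] == "@":
        addr = "\0" + addr[1:]  # abstract namespace: leading NUL byte instead of '@'
    elif addr[0] != "/":
        raise ValueError("NOTIFY_SOCKET must be an absolute path or '@name'")
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(state.encode("utf-8"), addr)
    return True


def demo_roundtrip() -> Tuple[List[str], bool]:
    """Constructed self-test that plays the manager side on a temporary socket.

    Returns the assignments the 'manager' received and whether a notify issued
    after unset_environment=True still found a socket (it must not).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notify")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as manager:
            manager.bind(path)
            manager.settimeout(5)
            os.environ["NOTIFY_SOCKET"] = path
            try:
                if not sd_notify(format_state(READY="1", STATUS="Listening on port 8080")):
                    raise RuntimeError("manager socket not found")
                if not sd_notify("WATCHDOG=1\n", unset_environment=True):
                    raise RuntimeError("manager socket not found")
                still_set = sd_notify("READY=1\n")  # variable was unset: returns False
            finally:
                os.environ.pop("NOTIFY_SOCKET", None)
            received: List[str] = []
            for _ in range(2):  # exactly two datagrams were sent
                received.extend(manager.recv(4096).decode("utf-8").splitlines())
    return received, still_set


if __name__ == "__main__":
    print(demo_roundtrip())
```

Nothing in the payload authenticates the sender; the manager side decides which processes it listens to (systemd's NotifyAccess= setting) using the kernel-supplied credentials of the datagram, which is why the client can stay this simple.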