Ninjatrappeur's systemd working tree
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1386 lines
65 KiB

8 years ago
* Many manager configuration settings that are only applicable to user
manager or system manager can be always set. It would be better to reject
them when parsing config.
2 years ago
* userdbctl: "Password OK: yes" is shown even when there are no passwords
or the password is locked.
9 years ago
8 years ago
9 years ago
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
9 years ago
7 years ago
Janitorial Clean-ups:
* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
4 years ago
* rework mount.c and swap.c to follow proper state enumeration/deserialization
semantics, like we do for device.c now
2 years ago
* expose MS_NOSYMFOLLOW in various places
2 years ago
* tpm2: support a PIN policy, i.e. allowing windows-style short authentication
passwords by using the TPM2 to enforce ratelimiting and such, use for
cryptsetup and homed
2 years ago
* Add concept for upgrading TPM2 enrollments, maybe a new switch
--pcrs=4:<hash> or so, i.e. select a PCR to include in the hash, and then
override its hash
* homed: store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
systemd-cryptsetup, so that it can unlock homed volumes
* cryptenroll: politely refuse enrolling new keys to homed volumes, since we
we cannot update identity info
* TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
and such
* cryptsetup: if only recovery keys are registered and no regular passphrases,
ask user for "recovery key", not "passphrase"
* cyptsetup: add option for automatically removing empty password slot on boot
2 years ago
* cryptsetup: optionally, when run during boot-up and password is never
2 years ago
entered, and we are on battery power (or so), power off machine again
* cryptsetup: when FIDO2/PKCS#11/TPM2 token/chip didn't show up after some
time, abort the attempt, fallback to asking for pw
* cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
allow plymouth to abort the waiting and enter pw instead
2 years ago
* when configuring loopback netif, and it fails due to EPERM, eat up error if
it happens to be set up alright already.
* at boot: check if battery above some threshold, if not power off again after explanation
* userdb: add field for ambient caps, so that a user can have CAP_WAKE_ALARM
for example. And add code that resets ambient caps for all services by
2 years ago
* homed: try to unmount in regular intervals when home dir was busy when we
tried because idle.
2 years ago
* sd-bus: when connecting to some dbus server socker, set originating AF_UNIX
socket name in abstract namespace to include "description" string, and pick
it up from there in sd_bus_creds logic. i.e. we can use the socket peer
address as conduit for some minimal connection metainfo, and use it to
restore the "description" logic that kdbus used to have.
* teach LoadCredential= the ability to load all files from a specified dir as
2 years ago
individual creds
2 years ago
* systemd-analyze netif that explains predictable interface (or networkctl)
2 years ago
2 years ago
* port selinux code from mallinfo() to mallinfo2() once added to glibc
2 years ago
2 years ago
* Add service setting to run a service within the specified VRF. i.e. do the
equivalent of "ip vrf exec".
2 years ago
* export action of device object on sd-device, so that monitor becomes useful
2 years ago
* add root=tmpfs that mounts a tmpfs to /sysroot (to be used in combination
with usr=…, for a similar effect as systemd.volatile=yes but without the
"hide-out" effect). Also, add root=gpt-auto-late support or so, that is like
root=gpt-auto but initially mounts a tmpfs to /sysroot, and then revisits
later after systemd-repart ran. Usecase: let's ship images with only /usr
partition, then on first boot create the root partition. In this case we want
to read the repart data from /usr before the root partition exists. Add
usr=gpt-auto that automatically finds a /usr partition.
2 years ago
* change SwitchRoot() implementation in PID 1 to use pivot_root(".", "."), as
documented in the pivot_root(2) man page, so that we can drop the /oldroot
temporary dir.
* special case some calls of chase_symlinks() to use openat2() internally, so
that the kernel does what we otherwise do.
2 years ago
* homed: keep an fd to the homedir open at all times, to keep the fs pinned
(autofs and such) while user is logged in.
2 years ago
2 years ago
* nss-systemd: also synthesize shadow records for users/groups
2 years ago
2 years ago
* make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np().
2 years ago
* when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU or
so, freeze the payload too.
2 years ago
* repart: support setting up dm-integrity with HMAC
* add /etc/integritytab, to support dm-integrity setups. In particular those
with HMAC as hash function, so that we can have a protected /home without
encryption (leaving encryption to the individual dirs/homed).
2 years ago
* complement root=, rootflags=, rootfstype= with rootsubdir= which allows
mounting a subdir of the root fs as actual root. This can be used as
fstype-agnostic version of btrfs' rootflags=subvol=foobar.
2 years ago
* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
2 years ago
* build short web pages out of each catalog entry, build them along with man
pages, and include hyperlinks to them in the journal output
2 years ago
* machined: add API to acquire UID range. add API to mount/dissect loopback
file. Both protected by PK. Then make nspawn use these APIs to run
unprivileged containers. i.e. push the truly privileged bits into machined,
so that the client side can remain entirely unprivileged, with SUID or
anything like that.
2 years ago
* journald: do journal file writing out-of-process, with one writer process per
client UID, so that synthetic hash table collisions can slow down a specific
2 years ago
user's journal stream down but not the others.
2 years ago
* nspawn: support time namespaces
2 years ago
* systemd-firstboot: make sure to always use chase_symlinks() before
reading/writing files
2 years ago
* Remove any support for booting without /usr pre-mounted in the initrd entirely.
Update accordingly.
2 years ago
* pid1: Move to tracking of main pid/control pid of units per pidfd
* pid1: support new clone3() fork-into-cgroup feature
2 years ago
* pid1: also remove PID files of a service when the service starts, not just
when it exits
2 years ago
* make us use dynamically fewer deps for containers in general purpose distros:
o turn into dlopen() deps:
- elfutils (always)
- p11-kit-trust (always)
- kmod-libs (only when called from PID 1)
2 years ago
- libblkid (only in RootImage= handling in PID 1, but not elsewhere)
2 years ago
- libpam (only when called from PID 1)
- bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
since they are so basic and our defaults)
o move into separate .so
- iptables-libs (only used by nspawn + networkd)
2 years ago
* seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
Apparently kernel performance is much better with fewer larger seccomp
filters than with more smaller seccomp filters.
2 years ago
* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
2 years ago
* All tools that support --root= should also learn --image= so that they can
2 years ago
operate on disk images directly. Specifically: bootctl, systemctl,
coredumpctl. (Already done: systemd-nspawn, systemd-firstboot,
systemd-repart, systemd-tmpfiles, systemd-sysusers, journalctl)
2 years ago
2 years ago
* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
* seccomp: don't install filters for ABIs that are masked anyway for the
specific service
* seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging.
2 years ago
* credentials system:
- maybe add AcquireCredential= for querying a cred via ask-password
- maybe try to acquire creds via keyring?
- maybe try to pass creds via keyring?
- maybe optionally pass creds via memfd
- maybe add support for decrypting creds via TPM
- maybe add support for decrypting/importing creds via pkcs11
- make systemd-cryptsetup acquire pw via creds logic
- make PAMName= acquire pw via creds logic
- make macsec/wireguard code in networkd read key via creds logic
- make gatwayd/remote read key via creds logic
- add sd_notify() command for flushing out creds not needed anymore
2 years ago
* homed: during login resize fs automatically towards size goal. Specifically,
resize to diskSize if possible, but leave a certain amount (configured by a
new value diskLeaveFreeSize) of space free on the backing fs.
2 years ago
* homed: permit multiple user record signing keys to be used locally, and pick
the right one for signing records automatically depending on a pre-existing
2 years ago
* homed: add a way to "adopt" a home directory, i.e. strip foreign signatures
and insert a local signature instead.
2 years ago
* homed: as an extension to the directory+subvolume backend: if located on
especially marked fs, then sync down password into LUKS header of that fs,
and always verify passwords against it too. Bootstrapping is a problem
though: if no one is logged in (or no other user even exists yet), how do you
2 years ago
unlock the volume in order to create the first user and add the first pw.
2 years ago
* homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
2 years ago
* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
2 years ago
* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
exists and responds.
2 years ago
* when systemd-nspawn and suchlike dissect an OS image, and there are multiple
root partitions, do an strverscmp() on the partition label and boot
first. That is inspired how sd-boot figures out which kernel to boot, and
thus allows defining OS images which can be A/B updated and we default to the
newest version automatically, both in nspawn and in sd-boot
3 years ago
* systemd-gpt-auto should probably set x-systemd.growfs on the mounts it
3 years ago
* bootctl:
- teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
- teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
- make it operate on loopback files, dissecting enough to find ESP to operate on
2 years ago
* Maybe add a separate GPT partition type to the discoverable partition spec
for "hibernate" partitions, that are exactly like swap partitions but only
activated right before hibernation and thus never used for regular swapping.
3 years ago
* by default, in systemd --user service bump the OOMAdjust to 100, as privs
allow so that systemd survives
3 years ago
* cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a
"base64:" prefix. Useful in particular for pkcs11 mode.
3 years ago
* cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use
systemd-makefs.service instead.
3 years ago
* socket units: allow creating a udev monitor socket with ListenDevices= or so,
with matches, then activate app through that passing socket over
3 years ago
2 years ago
* unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license
confusion is gone)
3 years ago
- port sd_id128_get_machine_app_specific() over from khash
- port resolved over from libgcrypt (DNSSEC code)
- port journald + fsprg over from libgcrypt
- port importd over from libgcrypt
- when that's done: kill khash.c
- when that's done: kill gnutls support in resolved
* when we resize disks (homed?) always round up to 4K sectors, not 512K
* add growvol and makevol options for /etc/crypttab, similar to
x-systemd.growfs and x-systemd-makefs.
* systemd-repart: by default generate minimized partition tables (i.e. tables
that only cover the space actually used, excluding any free space at the
3 years ago
end), in order to maximize dd'ability. Requires libfdisk work, see
* systemd-repart: MBR partition table support. Care needs to be taken regarding
Type=, so that partition definitions can sanely apply to both the GPT and the
MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
for the two partition types explicitly. And provide an internal mapping so
that "Type=linux-generic" maps to the right types for both partition tables
* systemd-repart: allow sizing partitions as factor of available RAM, so that
we can reasonably size swap partitions for hibernation.
* systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag
2 years ago
* systemd-repart: allow boolean option that ensures that if existing partition
doesn't exist within the configured size bounds the whole command fails. This
is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set
of repart files for the case where ESP is large enough and one where it isn't
and XBOOTLDR is added in instead. Then apply the former first, and if it
fails to apply use the latter.
* systemd-repart: add per-partition option to never reuse existing partition
and always create anew even if matching partition already exists.
* systemd-repart: add per-partition option to fail if partition already exist,
i.e. is not added new. Similar, add option to fail if partition does not exist yet.
* systemd-repart: allow disabling growing of specific partitions, or making
them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
* systemd-repart: make it a static checker during early boot for existence and
absence of other partitions for trusted boot environments
2 years ago
* userdb: allow username prefix searches in varlink API, allow realname and
realname substr searches in varlink API
2 years ago
* userdb: allow uid/gid range checks
* userdb: allow existence checks
2 years ago
* pid1: activation by journal search expression
3 years ago
* when switching root from initrd to host, set the machine_id env var so that
if the host has no machine ID set yet we continue to use the random one the
initrd had set.
3 years ago
* sd-event: add native support for P_ALL waitid() watching, then move PID 1 to
it for reaping assigned but unknown children. This needs to some special care
3 years ago
to operate somewhat sensibly in light of priorities: P_ALL will return
arbitrary processes, regardless of the priority we want to watch them with,
hence on each event loop iteration check all processes which we shall watch
with higher prio explicitly, and then watch the entire rest with P_ALL.
* tweak sd-event's child watching: keep a prioq of children to watch and use
waitid() only on the children with the highest priority until one is waitable
and ignore all lower-prio ones from that point on
* maybe introduce xattrs that can be set on the root dir of the root fs
partition that declare the volatility mode to use the image in. Previously I
thought marking this via GPT partition flags but that's not ideal since
that's outside of the LUKS encryption/verity verification, and we probably
shouldn't operate in a volatile mode unless we got told so from a trusted
* figure out automatic partition discovery when combining writable root dir
with immutable /usr
3 years ago
* coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that
may be used to mark a whole binary as non-coredumpable. Would fix:
3 years ago
* teach parse_timestamp() timezones like the calendar spec already knows it
* beef up hibernation to optionally do swapon/swapoff immediately before/after
the hibernation
3 years ago
* beef up s2h to implement a battery watch loop: instead of entering
hibernation unconditionally after coming back from resume make a decision
based on the battery load level: if battery level is above a specific
threshold, go to suspend again, only hibernate if below it. This means we'd
stick to suspend usually, but fall back to hibernation only when battery runs
empty (well, subject to our sampling interval). Related to this, check if we
can make ACPI _BTP (i.e. /sys/class/power_supply/*/alarm) work for us too,
i.e. see if it can wake up machines from suspend, so that we could resume
automatically when the system is low on power and move automatically to
hibernation mode. (see
section and
at the end).
3 years ago
* add an explicit "vertical" mode to format-table, so that "systemctl
status"-like outputs (i.e. with a series of field names left and values
right) become genuine first class citizens, and we gain automatic, sane JSON
output for them.
3 years ago
* We should probably replace /var/log/README, /etc/rc.d/README with symlinks
that are linked to these places instead of copied. After all they are
constant vendor data.
2 years ago
* maybe add kernel cmdline params: to force random seed crediting
3 years ago
* nspawn: on cgroupsv1 issue cgroup empty handler process based on host events,
so that we make cgroup agent logic safe
* nspawn/machined: add API to invoke binary in container, then use that as
fallback in "machinectl shell"
3 years ago
3 years ago
* logind: rework pam_logind to also do a bus call in case of invocation from
user@.service, which returns the XDG_RUNTIME_DIR value, and make this
behaviour selectable via pam module option.
3 years ago
* homed:
- when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
- rollback when resize fails mid-operation
- GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
- resize on login?
- shrink fs on logout?
- update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
- create on activate?
- properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
- communicate clearly when usb stick is safe to remove. probably involves
beefing up logind to make pam session close hook synchronous and wait until
systemd --user is shut down.
- logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
2 years ago
- maybe make automatic, read-only, time-based reflink-copies of LUKS disk
images (and btrfs snapshots of subvolumes) (think: time machine)
- distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
3 years ago
- in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
- fingerprint authentication, pattern authentication, …
- make sure "classic" user records can also be managed by homed
- make size of $XDG_RUNTIME_DIR configurable in user record
- query password from kernel keyring first
- update even if record is "absent"
- add a "access mode" + "fstype" field to the "status" section of json identity records reflecting the actually used access mode and fstype, even on non-luks backends
- move acct mgmt stuff from pam_systemd_home to pam_systemd?
- when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for
- make slice for users configurable (requires logind rework)
- logind: populate auto-login list bus property from PKCS#11 token
- when determining state of a LUKS home directory, check DM suspended sysfs file
2 years ago
- introduce API for "making room", that grows/shrinks home directory
according to elastic parameters, discards blocks, and removes additional snapshots. Call it
either from UI when disk space gets low
3 years ago
3 years ago
* introduce a new per-process uuid, similar to the boot id, the machine id, the
invocation id, that is derived from process creds, specifically a hashed
combination of AT_RANDOM + getpid() + the starttime from
/proc/self/status. Then add these ids implicitly when logging. Deriving this
uuid from these three things has the benefit that it can be derived easily
from /proc/$PID/ in a stable, and unique way that changes on both fork() and
* let's not GC a unit while its ratelimits are still pending
3 years ago
* when killing due to service watchdog timeout maybe detect whether target
process is under ptracing and then log loudly and continue instead.
3 years ago
* introduce a new group to own TPM devices
* make rfkill uaccess controllable by default, i.e. steal rule from
gnome-bluetooth and friends
3 years ago
* tweak journald context caching. In addition to caching per-process attributes
keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
keyed by cgroup path, and guarded by ctime changes. This should provide us
with a nice speed-up on services that have many processes running in the same
4 years ago
* make MAINPID= message reception checks even stricter: if service uses User=,
then check sending UID and ignore message if it doesn't match the user or
* maybe trigger a uevent "change" on a device if "systemctl reload xyz.device"
is issued.
4 years ago
* when importing an fs tree with machined, optionally apply userns-rec-chown
* when importing an fs tree with machined, complain if image is not an OS
4 years ago
* Maybe introduce a helper safe_exec() or so, which is to execve() which
safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
to 1K implicitly, unless explicitly opted-out.
4 years ago
* rework seccomp/nnp logic that even if User= is used in combination with
4 years ago
a seccomp option we don't have to set NNP. For that, change uid first whil
keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
4 years ago
* add a concept for automatically loading per-unit secrets off disk and
inserting them into the kernel keyring. Maybe SecretsDirectory= similar to
4 years ago
* when no locale is configured, default to UEFI's PlatformLang variable
4 years ago
* bootctl,sd-boot: actually honour the "architecture" key
4 years ago
4 years ago
* add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
usefaultd() and make systemd-analyze check for it.
4 years ago
* paranoia: whenever we process passwords, call mlock() on the memory
first. i.e. look for all places we use free_and_erasep() and
augment them with mlock(). Also use MADV_DONTDUMP.
4 years ago
4 years ago
* Move RestrictAddressFamily= to the new cgroup create socket
* support the bind/connect/sendmsg cgroup stuff for sandboxing, and possibly
patching around
4 years ago
* maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
log.c and sd-journal-send
4 years ago
* optionally: turn on cgroup delegation for per-session scope units
4 years ago
* introduce per-unit (i.e. per-slice, per-service) journal log size limits.
4 years ago
* sd-boot: automatically load EFI modules from some drop-in dir, so that people
can add in file system drivers and such
* sd-boot: optionally, show boot menu when previous default boot item has
non-zero "tries done" count
4 years ago
* introduce an option (or replacement) for "systemctl show" that outputs all
properties as JSON, similar to busctl's new JSON output. In contrast to that
it should skip the variant type string though.
* augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
contains some identifier for the project, which allows us to include
clickable links to source files generating these log messages. The identifier
could be some abberviated URL prefix or so (taking inspiration from Go
imports). For example, for systemd we could use or so which is
sufficient to build a link by prefixing "http://" and suffixing the
* Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
make clickable links from log messages carrying a MESSAGE_ID, that lead to
some explanatory text online.
4 years ago
* maybe extend .path units to expose fanotify() per-mount change events
4 years ago
* Add a "systemctl list-units --by-slice" mode or so, which rearranges the
output of "systemctl list-units" slightly by showing the tree structure of
the slices, and the units attached to them.
4 years ago
* the a-posteriori stopping of units bound to units that disappeared logic
should be reworked: there should be a queue of units, and we should only
enqueue stop jobs from a defer event that processes queue instead of
4 years ago
right-away when we find a unit that is bound to one that doesn't exist
anymore. (similar to how the stop-unneeded queue has been reworked the same
4 years ago
4 years ago
* nspawn: make nspawn suitable for shell pipelines: instead of triggering a
hangup when input is finished, send ^D, which synthesizes an EOF. Then wait
for hangup or ^D before passing on the EOF.
4 years ago
* When reloading configuration PID 1 should reset all its properties to the
original defaults before calling parse_config()
4 years ago
* nspawn: greater control over selinux label?
4 years ago
4 years ago
* hibernate/s2h: make this robust and safe to enable in Fedora by default.
1. add resume_offset support to the resume code (i.e. support swap files
2. check if swap is on weird storage and refuse if so
3. add auto-detection of hibernation images
4 years ago
4 years ago
* cgroups: use inotify to get notified when somebody else modifies cgroups
owned by us, then log a friendly warning.
4 years ago
* beef up log.c with support for stripping ANSI sequences from strings, so that
it is OK to include them in log strings. This would be particularly useful so
that our log messages could contain clickable links for example for unit
files and suchlike we operate on.
4 years ago
4 years ago
* add support for "portablectl attach (i.e. importd integration)
* add attach --enable and attach --now (for attach+enable+start)
* sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the
selected user is resolvable in the service even if it ships its own /etc/passwd)
4 years ago
* Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
other doesn't. What a disaster. Probably to exclude it. Also
4 years ago
DECIMAL_STR_WIDTH should probably add an extra "-" into account for negative
4 years ago
* Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
usually IN_ATTRIB is the right way to watch deleted files, as the former only
fires when a file is actually removed from disk, i.e. the link count drops to
zero and is not open anymore, while the latter happens when a file is
unlinked from any dir.
4 years ago
* port systemctl, busctl, … over to format-table.[ch]'s table formatters
4 years ago
4 years ago
* pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
* add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
4 years ago
* introduce Ephemeral= unit file switch, that creates an ephemeral copy of all
files and directories that are left writable for a unit, and which are
removed after the unit goes down again. A bit like --ephemeral for
systemd-nspawn but for system services. If used together with RootImage= this
should reflink the image file itself.
Related: add Ephemeral=<path1> <path2> … which would allow marking
specific paths only like this.
* add CopyFile= or so as unit file setting that may be used to copy files or
directory trees from the host to the services RootImage= and RootDirectory=
4 years ago
environment. Which we can use for /etc/machine-id and in particular
/etc/resolv.conf. Should be smart and do something useful on read-only
images, for example fall back to read-only bind mounting the file instead.
4 years ago
4 years ago
* show invocation ID in systemd-run output
* bypass SIGTERM state in unit files if KillSignal is SIGKILL
5 years ago
* add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
and so on, which would mean we could report errors and such.
5 years ago
* teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
project quota
5 years ago
5 years ago
* introduce DefaultSlice= or so in system.conf that allows changing where we
place our units by default, i.e. change system.slice to something
else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
be moved somewhere else too. Finally machined and logind should get similar
options so that it is possible to move user session scopes and machines to a
different slice too by default. Usecase: people who want to put resources on
the entire system, with the exception of one specific service. See:
5 years ago
* maybe rework get_user_creds() to query the user database if $SHELL is used
for root, but only then.
5 years ago
5 years ago
* be stricter with fds we receive for the fdstore: close them asynchronously
* calenderspec: add support for week numbers and day numbers within a
year. This would allow us to define "bi-weekly" triggers safely.
5 years ago
* sd-bus: add vtable flag, that may be used to request client creds implicitly
and asynchronously before dispatching the operation
* sd-bus: parse addresses given in sd_bus_set_addresses immediately and not
only when used. Add unit tests.
5 years ago
* make use of ethtool veth peer info in machined, for automatically finding out
host-side interface pointing to the container.
5 years ago
* add some special mode to LogsDirectory=/StateDirectory=… that allows
declaring these directories without necessarily pulling in deps for them, or
creating them when starting up. That way, we could declare that
systemd-journald writes to /var/log/journal, which could be useful when we
doing disk usage calculations and so on.
5 years ago
* taint systemd if there are fewer than 65536 users assigned (userns) to the system.
5 years ago
* deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char
5 years ago
5 years ago
* add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for
the runtime dir as we maintain for the fdstore: i.e. keep it around as long
as the unit is running or has a job queued.
* support projid-based quota in machinectl for containers
5 years ago
5 years ago
* add a way to lock down cgroup migration: a boolean, which when set for a unit
makes sure the processes in it can never migrate out of it
* blog about fd store and restartable services
* document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
5 years ago
* rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
magic meaning and is no longer upgraded to something else if set explicitly.
5 years ago
* in the long run: permit a system with /etc/machine-id linked to /dev/null, to
make it lose its identity, i.e. be anonymous. For this we'd have to patch
through the whole tree to make all code deal with the case where no machine
ID is available.
* optionally, collect cgroup resource data, and store it in per-unit RRD files,
suitable for processing with rrdtool. Add bus API to access this data, and
possibly implement a CPULoad property based on it.
5 years ago
* beef up pam_systemd to take unit file settings such as cgroups properties as
5 years ago
* maybe hook of xfs/ext4 quotactl() with services? i.e. automatically manage
the quota of the user indicated in User= via unit file settings, like the
5 years ago
other resource management concepts. Would mix nicely with DynamicUser=1. Or
alternatively, do this with projids, so that we can also cover services
running as root. Quota should probably cover all the special dirs such as
StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
is set, plus the whole disk space any image configured with RootImage=.
5 years ago
5 years ago
* In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
disks to see if the UID is already in use.
5 years ago
* add "systemctl wait" or so, which does what "systemd-run --wait" does, but
for all units. It should be both a way to pin units into memory as well as a
wait to retrieve their exit data.
* expose IO accounting data on the bus, show it in systemd-run --wait and log
about it in the resource log message
* show whether a service has out-of-date configuration in "systemctl status" by
using mtime data of ConfigurationDirectory=.
5 years ago
* Add AddUser= setting to unit files, similar to DynamicUser=1 which however
creates a static, persistent user rather than a dynamic, transient user. We
can leverage code from sysusers.d for this.
5 years ago
* add some optional flag to ReadWritePaths= and friends, that has the effect
that we create the dir in question when the service is started. Example:
6 years ago
* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
the sd-journal logging socket, and, if the timeout is set to 0, sets
O_NONBLOCK on it. That way people can control if and when to block for
6 years ago
* hostnamed: populate form factor data from a new hwdb database, so that old
yogas can be recognized as "convertible" too, even if they predate the DMI
"convertible" form factor
6 years ago
* Add ExecMonitor= setting. May be used multiple times. Forks off a process in
the service cgroup, which is supposed to monitor the service, and when it
exits the service is considered failed by its monitor.
6 years ago
* track the per-service PAM process properly (i.e. as an additional control
process), so that it may be queried on the bus and everything.
* add a new "debug" job mode, that is propagated to unit_start() and for
services results in two things: we raise SIGSTOP right before invoking
execve() and turn off watchdog support. Then, use that to implement
"systemd-gdb" for attaching to the start-up of any system service in its
natural habitat.
6 years ago
* gpt-auto logic: related to the above, maybe support a "secondary" root
partition, that is mounted to / and is writable, and where the actual root's
/usr is mounted into.
* gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file
6 years ago
* drop nss-myhostname in favour of nss-resolve?
6 years ago
* add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
then use that for the setting used in user@.service. It should be understood
relative to the configured default value.
6 years ago
* in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
* enable LockMLOCK to take a percentage value relative to physical memory
6 years ago
* Permit masking specific netlink APIs with RestrictAddressFamily=
6 years ago
* nspawn: support that /proc, /sys/, /dev are pre-mounted
* define gpt header bits to select volatility mode
6 years ago
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
6 years ago
* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
6 years ago
6 years ago
* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
6 years ago
6 years ago
* ProtectKeyRing= to take keyring calls away
6 years ago
6 years ago
* RemoveKeyRing= to remove all keyring entries of the specified user
6 years ago
* ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
on PID 1 with the relevant signals, and makes relevant files in /sys and
/proc (such as the sysrq stuff) unavailable
* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
6 years ago
* journalctl: make sure -f ends when the container indicated by -M terminates
6 years ago
* mount: automatically search for "main" partition of an image has multiple
6 years ago
* in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
find a way to map the User=/Group= of the service to the right name. This way
a user/group for a service only has to exist on the host for the right
mapping to work.
6 years ago
* add bus API for creating unit files in /etc, reusing the code for transient units
* add bus API to remove unit files from /etc
* add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
6 years ago
* rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
kernel doesn't support linkat() that replaces existing files, currently)
7 years ago
* transient units: don't bother with actually setting unit properties, we
reload the unit file anyway
* journald: sigbus API via a signal-handler safe function that people may call
from the SIGBUS handler
7 years ago
* optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
7 years ago
* delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
7 years ago
* cache sd_event_now() result from before the first iteration...
7 years ago
* PID1: find a way how we can reload unit file configuration for
specific units only, without reloading the whole of systemd
6 years ago
* add an explicit parser for LimitRTPRIO= that verifies
7 years ago
the specified range and generates sane error messages for incorrect
6 years ago
7 years ago
7 years ago
* when we detect that there are waiting jobs but no running jobs, do something
* push CPUAffinity= also into the "cpuset" cgroup controller
7 years ago
7 years ago
* PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
7 years ago
* there's probably something wrong with having user mounts below /sys,
as we have for debugfs. for example, src/core/mount.c handles mounts
7 years ago
prefixed with /sys generally special.
7 years ago
* fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
7 years ago
* docs: bring up to date
7 years ago
* add a job mode that will fail if a transaction would mean stopping
running units. Use this in timedated to manage the NTP service
8 years ago
* The udev blkid built-in should expose a property that reflects
whether media was sensed in USB CF/SD card readers. This should then
be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
picked up by systemd unless they contain a medium. This would mirror
the behaviour we already have for CD drives.
8 years ago
* networkd/udev: implement SR_IOV configuration in .link files:
8 years ago
* hostnamectl: show root image uuid
8 years ago
* Find a solution for SMACK capabilities stuff:
8 years ago
8 years ago
* "systemctl preset-all" should probably order the unit files it
operates on lexicographically before starting to work, in order to
ensure deterministic behaviour if two unit files conflict (like DMs
do, for example)
8 years ago
* synchronize console access with BSD locks:
* as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
8 years ago
8 years ago
* figure out when we can use the coarse timers
8 years ago
* add "systemctl start -v foobar.service" that shows logs of a service
while the start command runs. This is non-trivial to do without
races though, since we should flush out all journal messages before
returning from the "systemctl stop".
8 years ago
* firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists
8 years ago
8 years ago
* maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment=
8 years ago
* maybe allow timer units with an empty Units= setting, so that they
can be used for resuming the system but nothing else.
* what to do about udev db binary stability for apps? (raw access is not an option)