Update TODO

Lennart Poettering 2016-08-24 20:53:56 +02:00 committed by Djalal Harouni
parent ba128bb809
commit 0439746492
1 changed file with 11 additions and 27 deletions

TODO

@ -32,6 +32,8 @@ Janitorial Clean-ups:
Features: Features:
* switch to ProtectSystem=strict for all our long-running services where that's possible
* introduce an "invocation ID" for units, that is randomly generated, and * introduce an "invocation ID" for units, that is randomly generated, and
identifies each runtime-cycle of a unit. It should be set freshly each time identifies each runtime-cycle of a unit. It should be set freshly each time
we traverse inactive → activating/active, and should be the primary key to we traverse inactive → activating/active, and should be the primary key to
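Review bot: the new item "switch to ProtectSystem=strict for all our long-running services where that's possible" gives no criterion for "where that's possible" and no list of the services meant; since the item in the next hunk that introduced ProtectSystem=strict (read-only OS hierarchy "except for a select few") is being dropped from the list, this line is now the only place the rollout is tracked. Suggest stating the exclusion rule (a service that must write outside the paths strict mode leaves writable) and naming the known exceptions so the remaining work can be checked off per service.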
@ -40,8 +42,9 @@ Features:
the cgroup of a services. The former is accessible without privileges, the the cgroup of a services. The former is accessible without privileges, the
latter ensures the ID cannot be faked. latter ensures the ID cannot be faked.
* Introduce ProtectSystem=strict for making the entire OS hierarchy read-only * If RootDirectory= is used, mount /proc, /sys, /dev into it, if not mounted yet
except for a select few
* Permit masking specific netlink APIs with RestrictAddressFamily=
* nspawn: start UID allocation loop from hash of container name * nspawn: start UID allocation loop from hash of container name
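Review bot: "If RootDirectory= is used, mount /proc, /sys, /dev into it, if not mounted yet" does not say whether the mounted copies get the same treatment as the host's, i.e. whether ProtectKernelTunables= ("mounts /sys and /proc/sys read-only") and ProtectControlGroups= from the hunk below are applied to the /sys and /proc placed inside the root directory, nor whether "if not mounted yet" is decided by looking at the target path or at the mount table. Suggest spelling that out, since a root directory that receives a writable /sys and /proc would undo the protection those other settings provide.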
@ -55,16 +58,14 @@ Features:
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
* ProtectKernelModules= (drops CAP_SYS_MODULE and filters the kmod syscalls)
* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
* ProtectDevices= should also take iopl/ioperm/pciaccess away
* ProtectKeyRing= to take keyring calls away * ProtectKeyRing= to take keyring calls away
* ProtectControlGroups= which mounts all of /sys/fs/cgroup read-only
* ProtectKernelTunables= which mounts /sys and /proc/sys read-only
* RemoveKeyRing= to remove all keyring entries of the specified user * RemoveKeyRing= to remove all keyring entries of the specified user
* Add DataDirectory=, CacheDirectory= and LogDirectory= to match * Add DataDirectory=, CacheDirectory= and LogDirectory= to match
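Review bot: the ProtectTracing= line says the setting "makes /sys/kernel/tracing go away" while the neighbouring items state the concrete mechanism (ProtectKernelTunables= "mounts /sys and /proc/sys read-only", ProtectControlGroups= "mounts all of /sys/fs/cgroup read-only"); suggest saying whether the tracing directory is unmounted, masked with an empty mount or made read-only, since that decides whether a service can still read existing trace data. Likewise "filters the kmod syscalls" in the ProtectKernelModules= line should name the syscalls, as the ProtectClock= and ProtectMount= lines in this hunk do, so the seccomp list can be reviewed. Nit in the unchanged ProtectClock= line: "seecomp" and "DeviceAllow o /dev/rtc" (presumably "to").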
@ -72,9 +73,6 @@ Features:
* Add BindDirectory= for allowing arbitrary, private bind mounts for services * Add BindDirectory= for allowing arbitrary, private bind mounts for services
* Beef up RootDirectory= to use namespacing/bind mounts as soon as fs
namespaces are enabled by the service
* Add RootImage= for mounting a disk image or file as root directory * Add RootImage= for mounting a disk image or file as root directory
* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone) * RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone)
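Review bot: dropping "Beef up RootDirectory= to use namespacing/bind mounts as soon as fs namespaces are enabled by the service" removes the only note about doing the RootDirectory= setup inside the service's own mount namespace, and the replacement item in the second hunk ("mount /proc, /sys, /dev into it") does not say those mounts are private to the service. If the namespacing part is implemented, the commit message should say so; if not, the new item should state that the mounts must not become visible to the host.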
@ -180,7 +178,7 @@ Features:
* implement a per-service firewall based on net_cls * implement a per-service firewall based on net_cls
* Port various tools to make use of verbs.[ch], where applicable: busctl, * Port various tools to make use of verbs.[ch], where applicable: busctl,
bootctl, coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl
* hostnamectl: show root image uuid * hostnamectl: show root image uuid
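Review bot: bootctl disappears from the verbs.[ch] porting list, and the commit message "Update TODO" does not say which of this commit's removals are done and which are abandoned (this one reads as done; the later "$HOME" and "resolv.conf" removals are ambiguous). A short commit body listing the two groups would make the hardening-related removals reviewable.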
@ -293,9 +291,6 @@ Features:
* MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). * MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
* "busctl status" works only as root on dbus1, since we cannot read
/proc/$PID/exe
* implement Distribute= in socket units to allow running multiple * implement Distribute= in socket units to allow running multiple
service instances processing the listening socket, and open this up service instances processing the listening socket, and open this up
for ReusePort= for ReusePort=
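Review bot: the removed item records that "busctl status" only works as root on dbus1 because /proc/$PID/exe cannot be read, which by the item's own wording is a permission limitation rather than a bug; if it was removed as won't-fix, the limitation is no longer documented anywhere in this file. Suggest either keeping it under a known-limitations heading or stating in the commit message how the executable path is obtained now.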
@ -306,8 +301,6 @@ Features:
and passes this back to PID1 via SCM_RIGHTS. This also could be used and passes this back to PID1 via SCM_RIGHTS. This also could be used
to allow Chown/chgrp on sockets without requiring NSS in PID 1. to allow Chown/chgrp on sockets without requiring NSS in PID 1.
* New service property: maximum CPU runtime for a service
* introduce bus call FreezeUnit(s, b), as well as "systemctl freeze * introduce bus call FreezeUnit(s, b), as well as "systemctl freeze
$UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls $UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls
should SIGSTOP all unit processes in a loop until all processes of should SIGSTOP all unit processes in a loop until all processes of
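Review bot: "New service property: maximum CPU runtime for a service" is a resource-exhaustion control and the hunk offers no replacement. If the intent is that the existing LimitCPU= setting (RLIMIT_CPU) already covers it, say so in the commit message; otherwise the item should stay.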
@ -344,12 +337,10 @@ Features:
error. Currently, we just ignore it and read the unit from the search error. Currently, we just ignore it and read the unit from the search
path anyway. path anyway.
* refuse boot if /etc/os-release is missing or /etc/machine-id cannot be set up * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
* btrfs raid assembly: some .device jobs stay stuck in the queue * btrfs raid assembly: some .device jobs stay stuck in the queue
* make sure gdm does not use multi-user-x but the new default X configuration file, and then remove multi-user-x from systemd
* man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted. * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
* load .d/*.conf dropins for device units * load .d/*.conf dropins for device units
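Review bot: the check changes from /etc/os-release to /usr/lib/os-release, but os-release(5) names /etc/os-release as the primary location with /usr/lib/os-release as the fallback, so under the new wording a system shipping only /etc/os-release would be refused boot. If the intent is to require the vendor copy specifically, state why; otherwise suggest "refuse boot if neither /etc/os-release nor /usr/lib/os-release exists".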
@ -606,9 +597,6 @@ Features:
* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
* nspawn: * nspawn:
- to allow "linking" of nspawn containers, extend --network-bridge= so
that it can dynamically create bridge interfaces that are refcounted
by the containers on them. For each group of containers to link together
- nspawn -x should support ephemeral instances of gpt images - nspawn -x should support ephemeral instances of gpt images
- emulate /dev/kmsg using CUSE and turn off the syslog syscall - emulate /dev/kmsg using CUSE and turn off the syslog syscall
with seccomp. That should provide us with a useful log buffer that with seccomp. That should provide us with a useful log buffer that
@ -617,8 +605,6 @@ Features:
- as soon as networkd has a bus interface, hook up --network-interface=, - as soon as networkd has a bus interface, hook up --network-interface=,
--network-bridge= with networkd, to trigger netdev creation should an --network-bridge= with networkd, to trigger netdev creation should an
interface be missing interface be missing
- don't copy /etc/resolv.conf from host into container unless we are in
shared-network mode
- a nice way to boot up without machine id set, so that it is set at boot - a nice way to boot up without machine id set, so that it is set at boot
automatically for supporting --ephemeral. Maybe hash the host machine id automatically for supporting --ephemeral. Maybe hash the host machine id
together with the machine name to generate the machine id for the container together with the machine name to generate the machine id for the container
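Review bot: the removed item "don't copy /etc/resolv.conf from host into container unless we are in shared-network mode" describes host resolver configuration being exposed to a container that has its own network. If it was removed because the behaviour is now implemented, the commit message should say so; if it was dropped, the exposure should still be tracked somewhere.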
@ -684,7 +670,6 @@ Features:
* coredump: * coredump:
- save coredump in Windows/Mozilla minidump format - save coredump in Windows/Mozilla minidump format
- move PID 1 segfaults to /var/lib/systemd/coredump?
* support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
@ -751,7 +736,6 @@ Features:
- GC unreferenced jobs (such as .device jobs) - GC unreferenced jobs (such as .device jobs)
- move PAM code into its own binary - move PAM code into its own binary
- when we automatically restart a service, ensure we restart its rdeps, too. - when we automatically restart a service, ensure we restart its rdeps, too.
- for services: do not set $HOME in services unless requested
- hide PAM options in fragment parser when compile time disabled - hide PAM options in fragment parser when compile time disabled
- Support --test based on current system state - Support --test based on current system state
- If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
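Review bot: "for services: do not set $HOME in services unless requested" is removed without replacement; whether services receive $HOME by default determines which user-owned files the programs they run will look at. State in the commit message whether the default changed or the idea was dropped.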