update TODO
This commit is contained in:
Lennart Poettering
parent
6344a7eb5c
commit
8eb7383ba8
37
TODO
37
TODO
|
|
@ -12,9 +12,6 @@ Bugfixes:
|
|||
Environment=ONE='one' "TWO='two two' too" THREE=
|
||||
ExecStart=/bin/python3 -c 'import sys;print(sys.argv)' $ONE $TWO $THREE
|
||||
|
||||
* When systemctl --host is used, underlying ssh connection can remain open.
|
||||
bus_close does not kill children?
|
||||
|
||||
External:
|
||||
|
||||
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
|
||||
|
|
@ -34,6 +31,38 @@ Features:
|
|||
* replace all canonicalize_file_name() invocations by chase_symlinks(), in
|
||||
particulr those where a rootdir is relevant.
|
||||
|
||||
* maybe introduce gpt auto discovery for /var/tmp?
|
||||
|
||||
* set ProtectSystem=strict for all our usual services.
|
||||
|
||||
* maybe add gpt-partition-based user management: each user gets his own
|
||||
LUKS-encrypted GPT partition with a new GPT type. A small nss module
|
||||
enumerates users via udev partition enumeration. UIDs are assigned in a fixed
|
||||
way: the partition index is added as offset to some fixed base uid. User name
|
||||
is stored in GPT partition name. A PAM module authenticates the user via the
|
||||
LUKS partition password. Benefits: strong per-user security, compatibility
|
||||
with stateless/read-only/verity-enabled root. (other idea: do this based on
|
||||
loopback files in /home, without GPT involvement)
|
||||
|
||||
* gpt-auto logic: introduce support for discovering /var matching an image. For
|
||||
that, use a partition type UUID that is hashed from the OS name (as encoded
|
||||
in /etc/os-release), the architecture, and 4 new bits from the gpt flags
|
||||
field of the root partition. This way can easily support multiple OS
|
||||
installations on the same GPT partition table, without problems with
|
||||
unmatched /var partitions.
|
||||
|
||||
* gpt-auto logic: related to the above, maybe support a "secondary" root
|
||||
partition, that is mounted to / and is writable, and where the actual root's
|
||||
/usr is mounted into.
|
||||
|
||||
* add dm-verity boots, and in nspawn (libcryptsetup knows this, should be relatively straight-forward)
|
||||
|
||||
* machined: add apis to query /etc/machine-info data of a container
|
||||
|
||||
* .mount and .swap units: add Format=yes|no option that formats the partition before mounting/enabling it, implicitly
|
||||
|
||||
* gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file
|
||||
|
||||
* drop nss-myhostname in favour of nss-resolve?
|
||||
|
||||
* drop internal dlopen() based nss-dns fallback in nss-resolve, and rely on the
|
||||
|
|
@ -279,8 +308,6 @@ Features:
|
|||
* For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
|
||||
they run added to the initial transaction and thus confuse Type=idle.
|
||||
|
||||
* Run most system services with cgroupfs read-only and procfs with a more secure mode (doesn't work, since the hidepid= option is per-pid-namespace, not per-mount)
|
||||
|
||||
* add bus api to query unit file's X fields.
|
||||
|
||||
* gpt-auto-generator:
|
||||
|
|
|
|||
Loading…
Reference in New Issue