NEWS: shorten/reword some things
This commit is contained in:
parent
5a8d00e8ca
commit
b182195acc
313
NEWS
313
NEWS
|
@ -8,14 +8,15 @@ CHANGES WITH 247 in spe:
|
||||||
and propagate these new event types. The introduction of these new
|
and propagate these new event types. The introduction of these new
|
||||||
uevents (which are typically generated for USB devices and devices
|
uevents (which are typically generated for USB devices and devices
|
||||||
needing a firmware upload before being functional) resulted in a
|
needing a firmware upload before being functional) resulted in a
|
||||||
number of software issues, we so far didn't address (mostly because
|
number of issues which we so far didn't address. We hoped the kernel
|
||||||
there was hope the kernel maintainers would themselves address these
|
maintainers would themselves address these issues in some form, but
|
||||||
issues in some form – which did not happen). To handle them properly,
|
that did not happen. To handle them properly, many (if not most) udev
|
||||||
many (if not most) udev rules files shipped in various packages need
|
rules files shipped in various packages need updating, and so do many
|
||||||
updating, and so do many programs that monitor or enumerate devices
|
programs that monitor or enumerate devices with libudev or sd-device,
|
||||||
with libudev or sd-device, or otherwise process uevents. Please note
|
or otherwise process uevents. Please note that this incompatibility
|
||||||
that this incompatibility is not fault of systemd or udev, but caused
|
is not fault of systemd or udev, but caused by an incompatible kernel
|
||||||
by an incompatible kernel change that happened back in Linux 4.12.
|
change that happened back in Linux 4.12, but is becoming more and
|
||||||
|
more visible as the new uvents are generated by more kernel drivers.
|
||||||
|
|
||||||
To minimize issues resulting from this kernel change (but not avoid
|
To minimize issues resulting from this kernel change (but not avoid
|
||||||
them entirely) starting with systemd-udevd 247 the udev "tags"
|
them entirely) starting with systemd-udevd 247 the udev "tags"
|
||||||
|
@ -40,8 +41,8 @@ CHANGES WITH 247 in spe:
|
||||||
device. To accommodate for this a new automatic property CURRENT_TAGS
|
device. To accommodate for this a new automatic property CURRENT_TAGS
|
||||||
has been added that works similar to the existing TAGS property but
|
has been added that works similar to the existing TAGS property but
|
||||||
only lists tags set by the most recent uevent/database
|
only lists tags set by the most recent uevent/database
|
||||||
update. Similar, the libudev/sd-device API has been updated with new
|
update. Similarly, the libudev/sd-device API has been updated with
|
||||||
functions to enumerate these 'current' tags, in addition to the
|
new functions to enumerate these 'current' tags, in addition to the
|
||||||
existing APIs that now enumerate the 'sticky' ones.
|
existing APIs that now enumerate the 'sticky' ones.
|
||||||
|
|
||||||
To properly handle "bind"/"unbind" on Linux 4.12 and newer it is
|
To properly handle "bind"/"unbind" on Linux 4.12 and newer it is
|
||||||
|
@ -53,12 +54,12 @@ CHANGES WITH 247 in spe:
|
||||||
ACTION=="remove",GOTO="xyz_end" instead, so that the
|
ACTION=="remove",GOTO="xyz_end" instead, so that the
|
||||||
properties/tags they add are also applied whenever "bind" (or
|
properties/tags they add are also applied whenever "bind" (or
|
||||||
"unbind") is seen. (This is most important for all physical device
|
"unbind") is seen. (This is most important for all physical device
|
||||||
types — as that's for which "bind" and "unbind" are currently
|
types — those for which "bind" and "unbind" are currently
|
||||||
usually generated, for all other device types this change is still
|
generated, for all other device types this change is still
|
||||||
recommended but not as important — but certainly prepares for
|
recommended but not as important — but certainly prepares for
|
||||||
future kernel uevent type additions).
|
future kernel uevent type additions).
|
||||||
|
|
||||||
• Similar, all code monitoring devices that contains an 'if' branch
|
• Similarly, all code monitoring devices that contains an 'if' branch
|
||||||
discerning the "add" + "change" uevent actions from all other
|
discerning the "add" + "change" uevent actions from all other
|
||||||
uevents actions (i.e. considering devices only relevant after "add"
|
uevents actions (i.e. considering devices only relevant after "add"
|
||||||
or "change", and irrelevant on all other events) should be reworked
|
or "change", and irrelevant on all other events) should be reworked
|
||||||
|
@ -86,10 +87,10 @@ CHANGES WITH 247 in spe:
|
||||||
behaviour change.
|
behaviour change.
|
||||||
|
|
||||||
* The MountAPIVFS= service file setting now defaults to on if
|
* The MountAPIVFS= service file setting now defaults to on if
|
||||||
RootImage= and RootDirectory= are used, ensuring that use of these
|
RootImage= and RootDirectory= are used, which means that with those
|
||||||
two settings ensures /proc/, /sys/ and /dev/ are properly set up for
|
two settings /proc/, /sys/ and /dev/ are automatically properly set
|
||||||
services. By explicitly turning off these settings old behaviour may
|
up for services. Previous behaviour may be restored by explicitly
|
||||||
be restored.
|
setting MountAPIVFS=off.
|
||||||
|
|
||||||
* Since PAM 1.2.0 (2015) configuration snippets may be placed in
|
* Since PAM 1.2.0 (2015) configuration snippets may be placed in
|
||||||
/usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the
|
/usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the
|
||||||
|
@ -103,9 +104,7 @@ CHANGES WITH 247 in spe:
|
||||||
packages' vendor versions of their PAM stack definitions from
|
packages' vendor versions of their PAM stack definitions from
|
||||||
/etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not
|
/etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not
|
||||||
desired the location to which systemd installs its PAM stack
|
desired the location to which systemd installs its PAM stack
|
||||||
configuration file may be changed via the "pamconfdir" meson variable
|
configuration may be changed via the -Dpamconfdir Meson option.
|
||||||
at build time, optionally undoing this change of default paths
|
|
||||||
introduced with systemd 247.
|
|
||||||
|
|
||||||
* The runtime dependencies on libqrencode, libpcre2, libpwquality and
|
* The runtime dependencies on libqrencode, libpcre2, libpwquality and
|
||||||
libcryptsetup have been changed to be based on dlopen(): instead of
|
libcryptsetup have been changed to be based on dlopen(): instead of
|
||||||
|
@ -119,12 +118,11 @@ CHANGES WITH 247 in spe:
|
||||||
of these "weak" dependencies should they be installed. Since many
|
of these "weak" dependencies should they be installed. Since many
|
||||||
package managers automatically synthesize package dependencies from
|
package managers automatically synthesize package dependencies from
|
||||||
ELF shared library dependencies, some additional manual packaging
|
ELF shared library dependencies, some additional manual packaging
|
||||||
work has to be done now to replace this (and the dependencies
|
work has to be done now to replace those (slightly downgraded from
|
||||||
downgraded slightly from "required" to "recommended" or whatever is
|
"required" to "recommended" or whatever is conceptually suitable for
|
||||||
conceptually suitable for the used package manager). Note that this
|
the package manager). Note that this change does not alter build-time
|
||||||
change does not alter build-time behaviour: as before the build-time
|
behaviour: as before the build-time dependencies have to be installed
|
||||||
dependencies have to be installed during build, even if they now are
|
during build, even if they now are optional during runtime.
|
||||||
optional during runtime.
|
|
||||||
|
|
||||||
* sd-event.h gained a new call sd_event_add_time_relative() for
|
* sd-event.h gained a new call sd_event_add_time_relative() for
|
||||||
installing timers relative to the current time. This is mostly a
|
installing timers relative to the current time. This is mostly a
|
||||||
|
@ -139,8 +137,8 @@ CHANGES WITH 247 in spe:
|
||||||
mounting additional disk images into the file system tree accessible
|
mounting additional disk images into the file system tree accessible
|
||||||
to the service.
|
to the service.
|
||||||
|
|
||||||
* systemd-repart now optionally outputs what it does in JSON format,
|
* systemd-repart now generates JSON output when requested with the new
|
||||||
using the new --json= switch.
|
--json= switch.
|
||||||
|
|
||||||
* systemd-machined's OpenMachineShell() bus call will now pass
|
* systemd-machined's OpenMachineShell() bus call will now pass
|
||||||
additional policy metadata data fields to the PolicyKit
|
additional policy metadata data fields to the PolicyKit
|
||||||
|
@ -154,21 +152,21 @@ CHANGES WITH 247 in spe:
|
||||||
created or modified, since those mount points should probably remain
|
created or modified, since those mount points should probably remain
|
||||||
empty.
|
empty.
|
||||||
|
|
||||||
* systemd-tmpfiles gained a new --image= switch which is like --root=
|
* systemd-tmpfiles gained a new --image= switch which is like --root=,
|
||||||
but takes a disk image instead of a directory as argument. If
|
but takes a disk image instead of a directory as argument. The
|
||||||
specified the disk image is mounted (inside a temporary mount
|
specified disk image is mounted inside a temporary mount namespace
|
||||||
namespace) and the tmpfiles.d/ drop-ins stored in the image executed
|
and the tmpfiles.d/ drop-ins stored in the image are executed and
|
||||||
and applied to the image. Similar, systemd-sysusers gained a new
|
applied to the image. systemd-sysusers similarly gained a new
|
||||||
--image= switch, that allows applying the sysusers.d/ drop-ins stored
|
--image= switch, that allows the sysusers.d/ drop-ins stored in the
|
||||||
in the image onto the image.
|
image to be applied onto the image.
|
||||||
|
|
||||||
* Similar, the journalctl command also gained an --image= switch, which
|
* Similarly, the journalctl command also gained an --image= switch,
|
||||||
is a quick one-step solution to look at the log data included in OS
|
which is a quick one-step solution to look at the log data included
|
||||||
disk images.
|
in OS disk images.
|
||||||
|
|
||||||
* journalctl's --output=cat option (which outputs the log content
|
* journalctl's --output=cat option (which outputs the log content
|
||||||
without any metadata, just the pure text messages) will now make use
|
without any metadata, just the pure text messages) will now make use
|
||||||
of terminal colors when run on a suitable terminal, similar to the
|
of terminal colors when run on a suitable terminal, similarly to the
|
||||||
other output modes.
|
other output modes.
|
||||||
|
|
||||||
* JSON group records now support a "description" string that may be
|
* JSON group records now support a "description" string that may be
|
||||||
|
@ -178,15 +176,14 @@ CHANGES WITH 247 in spe:
|
||||||
|
|
||||||
* The "systemd-dissect" tool that may be used to inspect OS disk images
|
* The "systemd-dissect" tool that may be used to inspect OS disk images
|
||||||
and that was previously installed to /usr/lib/systemd/ has now been
|
and that was previously installed to /usr/lib/systemd/ has now been
|
||||||
moved to /usr/bin/, reflecting that it's now considered an officially
|
moved to /usr/bin/, reflecting its updated status of an officially
|
||||||
supported tool with a stable interface. It gained support for a new
|
supported tool with a stable interface. It gained support for a new
|
||||||
--mkdir switch which when combined with --mount has the effect of
|
--mkdir switch which when combined with --mount has the effect of
|
||||||
creating the directory to mount the image to if it is missing
|
creating the directory to mount the image to if it is missing
|
||||||
first. It also gained two new commands --copy-from and --copy-to for
|
first. It also gained two new commands --copy-from and --copy-to for
|
||||||
copying files and directories in and out of an OS image without the
|
copying files and directories in and out of an OS image without the
|
||||||
need to manually mount it. It also acquired support for a new option
|
need to manually mount it. It also acquired support for a new option
|
||||||
--json= which controls whether to generate JSON output when
|
--json= to generate JSON output when inspecting an OS image.
|
||||||
inspecting an OS image.
|
|
||||||
|
|
||||||
* The cgroup2 file system is now mounted with the
|
* The cgroup2 file system is now mounted with the
|
||||||
"memory_recursiveprot" mount option, supported since kernel 5.7. This
|
"memory_recursiveprot" mount option, supported since kernel 5.7. This
|
||||||
|
@ -195,28 +192,27 @@ CHANGES WITH 247 in spe:
|
||||||
|
|
||||||
* systemd-homed now defaults to using the btrfs file system — if
|
* systemd-homed now defaults to using the btrfs file system — if
|
||||||
available — when creating home directories in LUKS volumes. This may
|
available — when creating home directories in LUKS volumes. This may
|
||||||
be changed with the DefaultFileSystemType= setting in
|
be changed with the DefaultFileSystemType= setting in homed.conf.
|
||||||
homed.conf. It's now the default file system in various major
|
It's now the default file system in various major distributions and
|
||||||
distributions and has the major benefit for homed that it can be both
|
has the major benefit for homed that it can be grown and shrunk while
|
||||||
grown and shrunk while mounted, unlike the other contenders ext4 and
|
mounted, unlike the other contenders ext4 and xfs, which can both be
|
||||||
xfs, which can both be grown online, but not shrunk (in fact xfs is
|
grown online, but not shrunk (in fact xfs is the technically most
|
||||||
the technically most limited option here, as it cannot be shrunk at
|
limited option here, as it cannot be shrunk at all).
|
||||||
all).
|
|
||||||
|
|
||||||
* JSON user records managed by systemd-homed gained support for
|
* JSON user records managed by systemd-homed gained support for
|
||||||
"recovery keys". These are basically secondary passphrases that can
|
"recovery keys". These are basically secondary passphrases that can
|
||||||
unlock user accounts/home directories, which are computer-generated
|
unlock user accounts/home directories. They are computer-generated
|
||||||
rather than user-chosen, and typically have greater
|
rather than user-chosen, and typically have greater entropy.
|
||||||
entropy. homectl's --recovery-key= option may be used to add a
|
homectl's --recovery-key= option may be used to add a recovery key to
|
||||||
recovery key to a user account. The generated recovery key is
|
a user account. The generated recovery key is displayed as a QR code,
|
||||||
displayed as QR code, so that it can be scanned off screen to be kept
|
so that it can be scanned to be kept in a safe place. This feature is
|
||||||
at a safe place. This concept is particularly useful in combination
|
particularly useful in combination with systemd-homed's support for
|
||||||
with systemd-homed's support for FIDO2 or PKCS#11 authentication, as
|
FIDO2 or PKCS#11 authentication, as a secure fallback in case the
|
||||||
a secure fallback in case the security tokens are lost. Recovery keys
|
security tokens are lost. Recovery keys may be entered wherever the
|
||||||
may be entered wherever the system asks for a password.
|
system asks for a password.
|
||||||
|
|
||||||
* systemd-homed now maintains a "dirty" flag for each LUKS encrypted
|
* systemd-homed now maintains a "dirty" flag for each LUKS encrypted
|
||||||
home directory that indicates whether a home directory has been
|
home directory which indicates that a home directory has not been
|
||||||
deactivated cleanly when offline. This flag is useful to identify
|
deactivated cleanly when offline. This flag is useful to identify
|
||||||
home directories for which the offline discard logic did not run when
|
home directories for which the offline discard logic did not run when
|
||||||
offlining, and where it would be a good idea to log in again to catch
|
offlining, and where it would be a good idea to log in again to catch
|
||||||
|
@ -231,29 +227,28 @@ CHANGES WITH 247 in spe:
|
||||||
|
|
||||||
* systemd-nspawn has been reworked to use the /run/host/incoming/ as
|
* systemd-nspawn has been reworked to use the /run/host/incoming/ as
|
||||||
place to use for propagating external mounts into the
|
place to use for propagating external mounts into the
|
||||||
container. Similar /run/host/notify is now used as socket path for
|
container. Similarly /run/host/notify is now used as the socket path
|
||||||
container payloads to communicate with the container manager using
|
for container payloads to communicate with the container manager
|
||||||
sd_notify(). In the /run/host/inaccessible/ directory the container
|
using sd_notify(). The container manager now uses the
|
||||||
manager now places "inaccessible" file nodes of all relevant types
|
/run/host/inaccessible/ directory to place "inaccessible" file nodes
|
||||||
which may be used by the container payload as bind mount source to
|
of all relevant types which may be used by the container payload as
|
||||||
over-mount inodes that shall be made inaccessible
|
bind mount source to over-mount inodes to make them inaccessible.
|
||||||
with. /run/host/container-manager will now be initialized to the same
|
/run/host/container-manager will now be initialized with the same
|
||||||
string that the $container environment variable passed to the
|
string as the $container environment variable passed to the
|
||||||
container's PID 1 contains. /run/host/container-uuid will be
|
container's PID 1. /run/host/container-uuid will be initialized with
|
||||||
initialized to the same string $container_uuid is set to. This means
|
the same string as $container_uuid. This means the /run/host/
|
||||||
the /run/host/ hierarchy is now the primary way how host resources
|
hierarchy is now the primary way to make host resources available to
|
||||||
are made available to containers. The Container Interface documents
|
the container. The Container Interface documents these new files and
|
||||||
these new files and directories:
|
directories:
|
||||||
|
|
||||||
https://systemd.io/CONTAINER_INTERFACE
|
https://systemd.io/CONTAINER_INTERFACE
|
||||||
|
|
||||||
* Support for the "ConditionNull=" unit file condition has been
|
* Support for the "ConditionNull=" unit file condition has been
|
||||||
removed. It has been deprecated and undocumented for 6 years
|
deprecated and undocumented for 6 years. systemd started to warn
|
||||||
now. systemd started to warn about its use 1.5 years ago. It has now
|
about its use 1.5 years ago. It has now been removed entirely.
|
||||||
been removed entirely.
|
|
||||||
|
|
||||||
* If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
|
* If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
|
||||||
systemd-nspawn all system call filter collisions will be logged by
|
systemd-nspawn all system call filter violations will be logged by
|
||||||
the kernel (audit). This is useful for tracking down system calls
|
the kernel (audit). This is useful for tracking down system calls
|
||||||
invoked by container payloads that are prohibited by the container's
|
invoked by container payloads that are prohibited by the container's
|
||||||
system call filter policy.
|
system call filter policy.
|
||||||
|
@ -264,7 +259,7 @@ CHANGES WITH 247 in spe:
|
||||||
useful in cases where multiple errors shall be handled the same way.
|
useful in cases where multiple errors shall be handled the same way.
|
||||||
|
|
||||||
* A new system call filter list "@known" has been added, that contains
|
* A new system call filter list "@known" has been added, that contains
|
||||||
all system calls known at build-time of systemd.
|
all system calls known at the time systemd was built.
|
||||||
|
|
||||||
* Behaviour of system call filter allow lists has changed slightly:
|
* Behaviour of system call filter allow lists has changed slightly:
|
||||||
system calls that are contained in @known will result in a EPERM by
|
system calls that are contained in @known will result in a EPERM by
|
||||||
|
@ -276,24 +271,22 @@ CHANGES WITH 247 in spe:
|
||||||
applications.
|
applications.
|
||||||
|
|
||||||
* Two new unit file settings ProtectProc= and ProcSubset= have been
|
* Two new unit file settings ProtectProc= and ProcSubset= have been
|
||||||
added that expose the hidepid= and subset= mount options of
|
added that expose the hidepid= and subset= mount options of procfs.
|
||||||
procfs. When used on services all processes inside it will only see
|
All processes of the unit will only see processes in /proc that are
|
||||||
processes in /proc that are are owned by the service's user
|
are owned by the unit's user. This is an important new sandboxing
|
||||||
themselves. This is an important new sandboxing option that is
|
option that is recommended to be set on all system services. All
|
||||||
recommended to be set on all system services where that's
|
long-running system services that are included in systemd itself set
|
||||||
possible. All long-running system services that are included in
|
this option now. This option is only supported on kernel 5.8 and
|
||||||
systemd itself set this option now. This option is only supported on
|
above, since the hidepid= option supported on older kernels was not a
|
||||||
kernel 5.8 and above, since the hidepid= option supported on older
|
per-mount option but actually applied to the whole PID namespace.
|
||||||
kernels was not a per-mount option but actually applied to the whole
|
|
||||||
PID namespace.
|
|
||||||
|
|
||||||
* Socket units gained a new boolean setting FlushPending=. If enabled
|
* Socket units gained a new boolean setting FlushPending=. If enabled
|
||||||
all pending socket data/connections are flushed whenever the socket
|
all pending socket data/connections are flushed whenever the socket
|
||||||
unit enters the "listening" state, i.e. after the associated service
|
unit enters the "listening" state, i.e. after the associated service
|
||||||
exited.
|
exited.
|
||||||
|
|
||||||
* The unit file setting NUMAMask= gained a new "all" value: if set, all
|
* The unit file setting NUMAMask= gained a new "all" value: when used,
|
||||||
existing NUMA nodes are added to the NUMA mask.
|
all existing NUMA nodes are added to the NUMA mask.
|
||||||
|
|
||||||
* A new "credentials" logic has been added to system services. This is
|
* A new "credentials" logic has been added to system services. This is
|
||||||
a simple mechanism to pass privileged data to services in a safe and
|
a simple mechanism to pass privileged data to services in a safe and
|
||||||
|
@ -302,61 +295,61 @@ CHANGES WITH 247 in spe:
|
||||||
private information such as user names, certificates, and similar to
|
private information such as user names, certificates, and similar to
|
||||||
system services. Each credential is identified by a short user-chosen
|
system services. Each credential is identified by a short user-chosen
|
||||||
name and may contain arbitrary binary data. Two new unit file
|
name and may contain arbitrary binary data. Two new unit file
|
||||||
settings have been added for this: SetCredential= and
|
settings have been added: SetCredential= and LoadCredential=. The
|
||||||
LoadCredential=. The former allows setting a credential to a literal
|
former allows setting a credential to a literal string, the latter
|
||||||
string, the latter sets a credential to the contents of a file (or
|
sets a credential to the contents of a file (or data read from a
|
||||||
data read from a user-chosen AF_UNIX stream socket). Credentials are
|
user-chosen AF_UNIX stream socket). Credentials are passed to the
|
||||||
passed to the service via a special credentials directory whose path
|
service via a special credentials directory, one file for each
|
||||||
is passed in the new $CREDENTIALS_DIRECTORY environment variable,
|
credential. The path to the credentials directory is passed in a new
|
||||||
which contains one file for each credential. Since the credentials
|
$CREDENTIALS_DIRECTORY environment variable. Since the credentials
|
||||||
are passed in the file system they may be easily referenced in
|
are passed in the file system they may be easily referenced in
|
||||||
ExecStart= command lines too, thus not requiring any explicit support
|
ExecStart= command lines too, thus no explicit support for the
|
||||||
for the credentials logic in daemons (though ideally daemons would
|
credentials logic in daemons is required (though ideally daemons
|
||||||
look for the bits they need in $CREDENTIALS_DIRECTORY themselves
|
would look for the bits they need in $CREDENTIALS_DIRECTORY
|
||||||
automatically, if set). The $CREDENTIALS_DIRECTORY is backed by
|
themselves automatically, if set). The $CREDENTIALS_DIRECTORY is
|
||||||
unswappable memory (if privileges allow it), is immutable (also if
|
backed by unswappable memory if privileges allow it, immutable if
|
||||||
privileges allow it), is accessible only to the service's UID, and is
|
privileges allow it, is accessible only to the service's UID, and is
|
||||||
automatically destroyed when the service goes down.
|
automatically destroyed when the service stops.
|
||||||
|
|
||||||
* systemd-nspawn supports the same credentials logic. It can both
|
* systemd-nspawn supports the same credentials logic. It can both
|
||||||
consume credentials passed to it via the aforementioned
|
consume credentials passed to it via the aforementioned
|
||||||
$CREDENTIALS_DIRECTORY protocol as well as pass these credentials on
|
$CREDENTIALS_DIRECTORY protocol as well as pass these credentials on
|
||||||
to its payload. The service manager/PID 1 has been updated to match
|
to its payload. The service manager/PID 1 has been updated to match
|
||||||
this: it can also accept credentials from the container manager that
|
this: it can also accept credentials from the container manager that
|
||||||
invokes it (in fact: any process that invokes it), and pass it on to
|
invokes it (in fact: any process that invokes it), and passes them on
|
||||||
its services. Thus, credentials can be propagated fully down the
|
to its services. Thus, credentials can be propagated recursively down
|
||||||
tree: from a system's service manager to a systemd-nspawn service, to
|
the tree: from a system's service manager to a systemd-nspawn
|
||||||
the service manager tat runs as container payload and to the service
|
service, to the service manager that runs as container payload and to
|
||||||
it runs below. Credentials may also be added on the systemd-nspawn
|
the service it runs below. Credentials may also be added on the
|
||||||
command line, using the new --set-credential= and --load-credential=
|
systemd-nspawn command line, using new --set-credential= and
|
||||||
command line switches, that match the aforementioned service
|
--load-credential= command line switches that match the
|
||||||
settings.
|
aforementioned service settings.
|
||||||
|
|
||||||
* systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in
|
* systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in
|
||||||
the partition drop-ins which may be used to format/LUKS
|
the partition drop-ins which may be used to format/LUKS
|
||||||
encrypt/populate any created partitions. The partitions are
|
encrypt/populate any created partitions. The partitions are
|
||||||
encrypted/formatted/populated before they are registered in the
|
encrypted/formatted/populated before they are registered in the
|
||||||
partition table, so that they appear "atomically": either the
|
partition table, so that they appear atomically: either the
|
||||||
partitions do not exist yet or they exist fully
|
partitions do not exist yet or they exist fully encrypted, formatted,
|
||||||
encrypted/formatted/populated — there is no time window where they
|
and populated — there is no time window where they are
|
||||||
are "half-initialized". Thus the system is robust to abrupt shutdown:
|
"half-initialized". Thus the system is robust to abrupt shutdown: if
|
||||||
if the tool is terminated half-way during its operations on next boot
|
the tool is terminated half-way during its operations on next boot it
|
||||||
it will start from the beginning.
|
will start from the beginning.
|
||||||
|
|
||||||
* systemd-repart's --size= operation gained a new "auto" value. If
|
* systemd-repart's --size= operation gained a new "auto" value. If
|
||||||
specified, and operating on a loopback file it is automatically sized
|
specified, and operating on a loopback file it is automatically sized
|
||||||
to the minimal size the size constraints permit. This is useful to
|
to the minimal size the size constraints permit. This is useful to
|
||||||
use "systemd-repart" as an image builder for minimally sized images.
|
use "systemd-repart" as an image builder for minimally sized images.
|
||||||
|
|
||||||
* systemd-resolved now supports a third IPC interface for requesting
|
* systemd-resolved now gained a third IPC interface for requesting name
|
||||||
name resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink
|
resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink
|
||||||
interface is now supported. The nss-resolve NSS modules has been
|
interface is now supported. The nss-resolve NSS module has been
|
||||||
modified to use this new interface instead of D-Bus now. Using
|
modified to use this new interface instead of D-Bus. Using Varlink
|
||||||
Varlink has a major benefit over D-Bus: it works without a broker
|
has a major benefit over D-Bus: it works without a broker service,
|
||||||
service, and thus already during earliest boot, before dbus-daemon is
|
and thus already during earliest boot, before the dbus daemon has
|
||||||
invoked (which is a late boot service). This means name resolution
|
been started. This means name resolution via systemd-resolved now
|
||||||
via systemd-resolved now works at the same time systemd-networkd
|
works at the same time systemd-networkd operates: from earliest boot
|
||||||
operates: from earliest boot on, including in the initrd.
|
on, including in the initrd.
|
||||||
|
|
||||||
* systemd-resolved gained support for a new DNSStubListenerExtra=
|
* systemd-resolved gained support for a new DNSStubListenerExtra=
|
||||||
configuration file setting which may be used to specify additional IP
|
configuration file setting which may be used to specify additional IP
|
||||||
|
@ -366,8 +359,8 @@ CHANGES WITH 247 in spe:
|
||||||
* Name lookups issued via systemd-resolved's D-Bus and Varlink
|
* Name lookups issued via systemd-resolved's D-Bus and Varlink
|
||||||
interfaces (and thus also via glibc NSS if nss-resolve is used) will
|
interfaces (and thus also via glibc NSS if nss-resolve is used) will
|
||||||
now honour a trailing dot in the hostname: if specified the search
|
now honour a trailing dot in the hostname: if specified the search
|
||||||
path logic is turned off. Thus "resolvectl query foo.bar." is now
|
path logic is turned off. Thus "resolvectl query foo." is now
|
||||||
equivalent to "resolvectl query --search=off foo.bar".
|
equivalent to "resolvectl query --search=off foo.".
|
||||||
|
|
||||||
* systemd-resolved gained a new D-Bus property "ResolvConfMode" that
|
* systemd-resolved gained a new D-Bus property "ResolvConfMode" that
|
||||||
exposes how /etc/resolv.conf is currently managed: by resolved (and
|
exposes how /etc/resolv.conf is currently managed: by resolved (and
|
||||||
|
@ -375,14 +368,16 @@ CHANGES WITH 247 in spe:
|
||||||
this property in its status output.
|
this property in its status output.
|
||||||
|
|
||||||
* The resolv.conf snippets systemd-resolved provides will now set "."
|
* The resolv.conf snippets systemd-resolved provides will now set "."
|
||||||
as search domain if no other search domain is known. This turns off
|
as the search domain if no other search domain is known. This turns
|
||||||
behaviour in glibc that an implicit search domain is derived from the
|
off the derivation of an implicit search domain by nss-dns for the
|
||||||
local system's hostname if it is set to an FQDN.
|
hostname, when the hostname is set to an FQDN. This change is done to
|
||||||
|
make nss-dns using resolv.conf provided by systemd-resolved behave
|
||||||
|
more similarly to nss-resolve.
|
||||||
|
|
||||||
* systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of
|
* systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of
|
||||||
/tmp/ and /var/tmp/ based on file timestamps) now looks at the
|
/tmp/ and /var/tmp/ based on file timestamps) now looks at the
|
||||||
"birth" time (btime) of a file in addition to the atime, mtime,
|
"birth" time (btime) of a file in addition to the atime, mtime, and
|
||||||
ctime, to determine if it should be kept or deleted.
|
ctime.
|
||||||
|
|
||||||
* systemd-analyze gained a new verb "capability" that lists all known
|
* systemd-analyze gained a new verb "capability" that lists all known
|
||||||
capabilities by the systemd build and by the kernel.
|
capabilities by the systemd build and by the kernel.
|
||||||
|
@ -395,12 +390,12 @@ CHANGES WITH 247 in spe:
|
||||||
having to rebuild systemd.
|
having to rebuild systemd.
|
||||||
|
|
||||||
* systemd-logind will now listen to the KEY_RESTART key from the Linux
|
* systemd-logind will now listen to the KEY_RESTART key from the Linux
|
||||||
input layer and reboot the system if it is pressed, similar to how it
|
input layer and reboot the system if it is pressed, similarly to how
|
||||||
already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART was
|
it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART
|
||||||
originally defined in a Multimedia context (to restart playback of a
|
was originally defined in the Multimedia context (to restart playback
|
||||||
song or film), but is now primarily used in various embedded devices
|
of a song or film), but is now primarily used in various embedded
|
||||||
for "Reboot" buttons. Accordingly, systemd-logind will now honour it
|
devices for "Reboot" buttons. Accordingly, systemd-logind will now
|
||||||
as such. This may configured in more detail via the new
|
honour it as such. This may configured in more detail via the new
|
||||||
HandleRebootKey= and RebootKeyIgnoreInhibited=.
|
HandleRebootKey= and RebootKeyIgnoreInhibited=.
|
||||||
|
|
||||||
* systemd-nspawn/systemd-machined will now reconstruct hardlinks when
|
* systemd-nspawn/systemd-machined will now reconstruct hardlinks when
|
||||||
|
@ -424,12 +419,12 @@ CHANGES WITH 247 in spe:
|
||||||
now be marked to be independent of any underlying network interface
|
now be marked to be independent of any underlying network interface
|
||||||
via the new Independent= boolean setting.
|
via the new Independent= boolean setting.
|
||||||
|
|
||||||
* systemctl gained support for two new verbs: "log-level" and
|
* systemctl gained support for two new verbs: "service-log-level" and
|
||||||
"log-target" which may be used on services that implement the generic
|
"service-log-target" may be used on services that implement the
|
||||||
org.freedesktop.LogControl1 D-Bus interface for dynamically adjusting
|
generic org.freedesktop.LogControl1 D-Bus interface to dynamically
|
||||||
the log level and target. All of systemd's long-running services
|
adjust the log level and target. All of systemd's long-running
|
||||||
support this now, but ideally any system service would implement this
|
services support this now, but ideally all system services would
|
||||||
interface to make the system more uniformly inspectable and
|
implement this interface to make the system more uniformly
|
||||||
debuggable.
|
debuggable.
|
||||||
|
|
||||||
* The SystemCallErrorNumber= unit file setting now accepts the new
|
* The SystemCallErrorNumber= unit file setting now accepts the new
|
||||||
|
@ -441,7 +436,7 @@ CHANGES WITH 247 in spe:
|
||||||
list of syscalls that shall be logged about (audit).
|
list of syscalls that shall be logged about (audit).
|
||||||
|
|
||||||
* The OS image dissection logic (as used by RootImage= in unit files or
|
* The OS image dissection logic (as used by RootImage= in unit files or
|
||||||
systemd-nspawn's --image= switch) has learnt support for identifying
|
systemd-nspawn's --image= switch) has gained support for identifying
|
||||||
and mounting explicit /usr/ partitions, which are now defined in the
|
and mounting explicit /usr/ partitions, which are now defined in the
|
||||||
discoverable partition specification. This should be useful for
|
discoverable partition specification. This should be useful for
|
||||||
environments where the root file system is
|
environments where the root file system is
|
||||||
|
@ -461,21 +456,21 @@ CHANGES WITH 247 in spe:
|
||||||
will now log the thread ID in their log output. This is useful when
|
will now log the thread ID in their log output. This is useful when
|
||||||
working with heavily threaded programs.
|
working with heavily threaded programs.
|
||||||
|
|
||||||
* If the SYSTEMD_RDRAND enviroment variable is set to "0" systemd's use
|
* If the SYSTEMD_RDRAND enviroment variable is set to "0", systemd will
|
||||||
of the RDRAND CPU instruction is disabled. This is useful in
|
not use the RDRAND CPU instruction. This is useful in environments
|
||||||
environments such as replay debuggers where CPU level
|
such as replay debuggers where non-deterministic behaviour is not
|
||||||
non-deterministic behaviour is not desirable.
|
desirable.
|
||||||
|
|
||||||
* When building systemd the Meson option
|
* When building systemd the Meson option
|
||||||
"compat-mutable-uid-boundaries" may now be specified. If so systemd
|
-Dcompat-mutable-uid-boundaries may now be specified. If enabled,
|
||||||
reads the system UID boundaries from /etc/login.defs, instead of using
|
systemd reads the system UID boundaries from /etc/login.defs, instead
|
||||||
the built-in values selected during build-time. This is an option to
|
of using the built-in values selected during build-time. This is an
|
||||||
improve compatibility for upgrades from old systems. It's strongly
|
option to improve compatibility for upgrades from old systems. It's
|
||||||
recommended not to make use of this functionality on new systems (or
|
strongly recommended not to make use of this functionality on new
|
||||||
even enable it during build), as it makes something
|
systems (or even enable it during build), as it makes something
|
||||||
runtime-configurable that is mostly an implementation detail of the
|
runtime-configurable that is mostly an implementation detail of the
|
||||||
OS, and permits avoidable differences in deployments that create all
|
OS, and permits avoidable differences in deployments that create all
|
||||||
kinds of problems in the long run.
|
kinds of problems in the long run.
|
||||||
|
|
||||||
|
|
||||||
CHANGES WITH 246:
|
CHANGES WITH 246:
|
||||||
|
|
Loading…
Reference in New Issue