diff --git a/NEWS b/NEWS index 20b44a152f..d4afd85cf9 100644 --- a/NEWS +++ b/NEWS @@ -8,14 +8,15 @@ CHANGES WITH 247 in spe: and propagate these new event types. The introduction of these new uevents (which are typically generated for USB devices and devices needing a firmware upload before being functional) resulted in a - number of software issues, we so far didn't address (mostly because - there was hope the kernel maintainers would themselves address these - issues in some form – which did not happen). To handle them properly, - many (if not most) udev rules files shipped in various packages need - updating, and so do many programs that monitor or enumerate devices - with libudev or sd-device, or otherwise process uevents. Please note - that this incompatibility is not fault of systemd or udev, but caused - by an incompatible kernel change that happened back in Linux 4.12. + number of issues which we so far didn't address. We hoped the kernel + maintainers would themselves address these issues in some form, but + that did not happen. To handle them properly, many (if not most) udev + rules files shipped in various packages need updating, and so do many + programs that monitor or enumerate devices with libudev or sd-device, + or otherwise process uevents. Please note that this incompatibility + is not fault of systemd or udev, but caused by an incompatible kernel + change that happened back in Linux 4.12, but is becoming more and + more visible as the new uvents are generated by more kernel drivers. To minimize issues resulting from this kernel change (but not avoid them entirely) starting with systemd-udevd 247 the udev "tags" @@ -40,8 +41,8 @@ CHANGES WITH 247 in spe: device. To accommodate for this a new automatic property CURRENT_TAGS has been added that works similar to the existing TAGS property but only lists tags set by the most recent uevent/database - update. Similar, the libudev/sd-device API has been updated with new - functions to enumerate these 'current' tags, in addition to the + update. Similarly, the libudev/sd-device API has been updated with + new functions to enumerate these 'current' tags, in addition to the existing APIs that now enumerate the 'sticky' ones. To properly handle "bind"/"unbind" on Linux 4.12 and newer it is @@ -53,12 +54,12 @@ CHANGES WITH 247 in spe: ACTION=="remove",GOTO="xyz_end" instead, so that the properties/tags they add are also applied whenever "bind" (or "unbind") is seen. (This is most important for all physical device - types — as that's for which "bind" and "unbind" are currently - usually generated, for all other device types this change is still + types — those for which "bind" and "unbind" are currently + generated, for all other device types this change is still recommended but not as important — but certainly prepares for future kernel uevent type additions). - • Similar, all code monitoring devices that contains an 'if' branch + • Similarly, all code monitoring devices that contains an 'if' branch discerning the "add" + "change" uevent actions from all other uevents actions (i.e. considering devices only relevant after "add" or "change", and irrelevant on all other events) should be reworked @@ -86,10 +87,10 @@ CHANGES WITH 247 in spe: behaviour change. * The MountAPIVFS= service file setting now defaults to on if - RootImage= and RootDirectory= are used, ensuring that use of these - two settings ensures /proc/, /sys/ and /dev/ are properly set up for - services. By explicitly turning off these settings old behaviour may - be restored. + RootImage= and RootDirectory= are used, which means that with those + two settings /proc/, /sys/ and /dev/ are automatically properly set + up for services. Previous behaviour may be restored by explicitly + setting MountAPIVFS=off. * Since PAM 1.2.0 (2015) configuration snippets may be placed in /usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the @@ -103,9 +104,7 @@ CHANGES WITH 247 in spe: packages' vendor versions of their PAM stack definitions from /etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not desired the location to which systemd installs its PAM stack - configuration file may be changed via the "pamconfdir" meson variable - at build time, optionally undoing this change of default paths - introduced with systemd 247. + configuration may be changed via the -Dpamconfdir Meson option. * The runtime dependencies on libqrencode, libpcre2, libpwquality and libcryptsetup have been changed to be based on dlopen(): instead of @@ -119,12 +118,11 @@ CHANGES WITH 247 in spe: of these "weak" dependencies should they be installed. Since many package managers automatically synthesize package dependencies from ELF shared library dependencies, some additional manual packaging - work has to be done now to replace this (and the dependencies - downgraded slightly from "required" to "recommended" or whatever is - conceptually suitable for the used package manager). Note that this - change does not alter build-time behaviour: as before the build-time - dependencies have to be installed during build, even if they now are - optional during runtime. + work has to be done now to replace those (slightly downgraded from + "required" to "recommended" or whatever is conceptually suitable for + the package manager). Note that this change does not alter build-time + behaviour: as before the build-time dependencies have to be installed + during build, even if they now are optional during runtime. * sd-event.h gained a new call sd_event_add_time_relative() for installing timers relative to the current time. This is mostly a @@ -139,8 +137,8 @@ CHANGES WITH 247 in spe: mounting additional disk images into the file system tree accessible to the service. - * systemd-repart now optionally outputs what it does in JSON format, - using the new --json= switch. + * systemd-repart now generates JSON output when requested with the new + --json= switch. * systemd-machined's OpenMachineShell() bus call will now pass additional policy metadata data fields to the PolicyKit @@ -154,21 +152,21 @@ CHANGES WITH 247 in spe: created or modified, since those mount points should probably remain empty. - * systemd-tmpfiles gained a new --image= switch which is like --root= - but takes a disk image instead of a directory as argument. If - specified the disk image is mounted (inside a temporary mount - namespace) and the tmpfiles.d/ drop-ins stored in the image executed - and applied to the image. Similar, systemd-sysusers gained a new - --image= switch, that allows applying the sysusers.d/ drop-ins stored - in the image onto the image. + * systemd-tmpfiles gained a new --image= switch which is like --root=, + but takes a disk image instead of a directory as argument. The + specified disk image is mounted inside a temporary mount namespace + and the tmpfiles.d/ drop-ins stored in the image are executed and + applied to the image. systemd-sysusers similarly gained a new + --image= switch, that allows the sysusers.d/ drop-ins stored in the + image to be applied onto the image. - * Similar, the journalctl command also gained an --image= switch, which - is a quick one-step solution to look at the log data included in OS - disk images. + * Similarly, the journalctl command also gained an --image= switch, + which is a quick one-step solution to look at the log data included + in OS disk images. * journalctl's --output=cat option (which outputs the log content without any metadata, just the pure text messages) will now make use - of terminal colors when run on a suitable terminal, similar to the + of terminal colors when run on a suitable terminal, similarly to the other output modes. * JSON group records now support a "description" string that may be @@ -178,15 +176,14 @@ CHANGES WITH 247 in spe: * The "systemd-dissect" tool that may be used to inspect OS disk images and that was previously installed to /usr/lib/systemd/ has now been - moved to /usr/bin/, reflecting that it's now considered an officially + moved to /usr/bin/, reflecting its updated status of an officially supported tool with a stable interface. It gained support for a new --mkdir switch which when combined with --mount has the effect of creating the directory to mount the image to if it is missing first. It also gained two new commands --copy-from and --copy-to for copying files and directories in and out of an OS image without the need to manually mount it. It also acquired support for a new option - --json= which controls whether to generate JSON output when - inspecting an OS image. + --json= to generate JSON output when inspecting an OS image. * The cgroup2 file system is now mounted with the "memory_recursiveprot" mount option, supported since kernel 5.7. This @@ -195,28 +192,27 @@ CHANGES WITH 247 in spe: * systemd-homed now defaults to using the btrfs file system — if available — when creating home directories in LUKS volumes. This may - be changed with the DefaultFileSystemType= setting in - homed.conf. It's now the default file system in various major - distributions and has the major benefit for homed that it can be both - grown and shrunk while mounted, unlike the other contenders ext4 and - xfs, which can both be grown online, but not shrunk (in fact xfs is - the technically most limited option here, as it cannot be shrunk at - all). + be changed with the DefaultFileSystemType= setting in homed.conf. + It's now the default file system in various major distributions and + has the major benefit for homed that it can be grown and shrunk while + mounted, unlike the other contenders ext4 and xfs, which can both be + grown online, but not shrunk (in fact xfs is the technically most + limited option here, as it cannot be shrunk at all). * JSON user records managed by systemd-homed gained support for "recovery keys". These are basically secondary passphrases that can - unlock user accounts/home directories, which are computer-generated - rather than user-chosen, and typically have greater - entropy. homectl's --recovery-key= option may be used to add a - recovery key to a user account. The generated recovery key is - displayed as QR code, so that it can be scanned off screen to be kept - at a safe place. This concept is particularly useful in combination - with systemd-homed's support for FIDO2 or PKCS#11 authentication, as - a secure fallback in case the security tokens are lost. Recovery keys - may be entered wherever the system asks for a password. + unlock user accounts/home directories. They are computer-generated + rather than user-chosen, and typically have greater entropy. + homectl's --recovery-key= option may be used to add a recovery key to + a user account. The generated recovery key is displayed as a QR code, + so that it can be scanned to be kept in a safe place. This feature is + particularly useful in combination with systemd-homed's support for + FIDO2 or PKCS#11 authentication, as a secure fallback in case the + security tokens are lost. Recovery keys may be entered wherever the + system asks for a password. * systemd-homed now maintains a "dirty" flag for each LUKS encrypted - home directory that indicates whether a home directory has been + home directory which indicates that a home directory has not been deactivated cleanly when offline. This flag is useful to identify home directories for which the offline discard logic did not run when offlining, and where it would be a good idea to log in again to catch @@ -231,29 +227,28 @@ CHANGES WITH 247 in spe: * systemd-nspawn has been reworked to use the /run/host/incoming/ as place to use for propagating external mounts into the - container. Similar /run/host/notify is now used as socket path for - container payloads to communicate with the container manager using - sd_notify(). In the /run/host/inaccessible/ directory the container - manager now places "inaccessible" file nodes of all relevant types - which may be used by the container payload as bind mount source to - over-mount inodes that shall be made inaccessible - with. /run/host/container-manager will now be initialized to the same - string that the $container environment variable passed to the - container's PID 1 contains. /run/host/container-uuid will be - initialized to the same string $container_uuid is set to. This means - the /run/host/ hierarchy is now the primary way how host resources - are made available to containers. The Container Interface documents - these new files and directories: + container. Similarly /run/host/notify is now used as the socket path + for container payloads to communicate with the container manager + using sd_notify(). The container manager now uses the + /run/host/inaccessible/ directory to place "inaccessible" file nodes + of all relevant types which may be used by the container payload as + bind mount source to over-mount inodes to make them inaccessible. + /run/host/container-manager will now be initialized with the same + string as the $container environment variable passed to the + container's PID 1. /run/host/container-uuid will be initialized with + the same string as $container_uuid. This means the /run/host/ + hierarchy is now the primary way to make host resources available to + the container. The Container Interface documents these new files and + directories: https://systemd.io/CONTAINER_INTERFACE * Support for the "ConditionNull=" unit file condition has been - removed. It has been deprecated and undocumented for 6 years - now. systemd started to warn about its use 1.5 years ago. It has now - been removed entirely. + deprecated and undocumented for 6 years. systemd started to warn + about its use 1.5 years ago. It has now been removed entirely. * If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for - systemd-nspawn all system call filter collisions will be logged by + systemd-nspawn all system call filter violations will be logged by the kernel (audit). This is useful for tracking down system calls invoked by container payloads that are prohibited by the container's system call filter policy. @@ -264,7 +259,7 @@ CHANGES WITH 247 in spe: useful in cases where multiple errors shall be handled the same way. * A new system call filter list "@known" has been added, that contains - all system calls known at build-time of systemd. + all system calls known at the time systemd was built. * Behaviour of system call filter allow lists has changed slightly: system calls that are contained in @known will result in a EPERM by @@ -276,24 +271,22 @@ CHANGES WITH 247 in spe: applications. * Two new unit file settings ProtectProc= and ProcSubset= have been - added that expose the hidepid= and subset= mount options of - procfs. When used on services all processes inside it will only see - processes in /proc that are are owned by the service's user - themselves. This is an important new sandboxing option that is - recommended to be set on all system services where that's - possible. All long-running system services that are included in - systemd itself set this option now. This option is only supported on - kernel 5.8 and above, since the hidepid= option supported on older - kernels was not a per-mount option but actually applied to the whole - PID namespace. + added that expose the hidepid= and subset= mount options of procfs. + All processes of the unit will only see processes in /proc that are + are owned by the unit's user. This is an important new sandboxing + option that is recommended to be set on all system services. All + long-running system services that are included in systemd itself set + this option now. This option is only supported on kernel 5.8 and + above, since the hidepid= option supported on older kernels was not a + per-mount option but actually applied to the whole PID namespace. * Socket units gained a new boolean setting FlushPending=. If enabled all pending socket data/connections are flushed whenever the socket unit enters the "listening" state, i.e. after the associated service exited. - * The unit file setting NUMAMask= gained a new "all" value: if set, all - existing NUMA nodes are added to the NUMA mask. + * The unit file setting NUMAMask= gained a new "all" value: when used, + all existing NUMA nodes are added to the NUMA mask. * A new "credentials" logic has been added to system services. This is a simple mechanism to pass privileged data to services in a safe and @@ -302,61 +295,61 @@ CHANGES WITH 247 in spe: private information such as user names, certificates, and similar to system services. Each credential is identified by a short user-chosen name and may contain arbitrary binary data. Two new unit file - settings have been added for this: SetCredential= and - LoadCredential=. The former allows setting a credential to a literal - string, the latter sets a credential to the contents of a file (or - data read from a user-chosen AF_UNIX stream socket). Credentials are - passed to the service via a special credentials directory whose path - is passed in the new $CREDENTIALS_DIRECTORY environment variable, - which contains one file for each credential. Since the credentials + settings have been added: SetCredential= and LoadCredential=. The + former allows setting a credential to a literal string, the latter + sets a credential to the contents of a file (or data read from a + user-chosen AF_UNIX stream socket). Credentials are passed to the + service via a special credentials directory, one file for each + credential. The path to the credentials directory is passed in a new + $CREDENTIALS_DIRECTORY environment variable. Since the credentials are passed in the file system they may be easily referenced in - ExecStart= command lines too, thus not requiring any explicit support - for the credentials logic in daemons (though ideally daemons would - look for the bits they need in $CREDENTIALS_DIRECTORY themselves - automatically, if set). The $CREDENTIALS_DIRECTORY is backed by - unswappable memory (if privileges allow it), is immutable (also if - privileges allow it), is accessible only to the service's UID, and is - automatically destroyed when the service goes down. + ExecStart= command lines too, thus no explicit support for the + credentials logic in daemons is required (though ideally daemons + would look for the bits they need in $CREDENTIALS_DIRECTORY + themselves automatically, if set). The $CREDENTIALS_DIRECTORY is + backed by unswappable memory if privileges allow it, immutable if + privileges allow it, is accessible only to the service's UID, and is + automatically destroyed when the service stops. * systemd-nspawn supports the same credentials logic. It can both consume credentials passed to it via the aforementioned $CREDENTIALS_DIRECTORY protocol as well as pass these credentials on to its payload. The service manager/PID 1 has been updated to match this: it can also accept credentials from the container manager that - invokes it (in fact: any process that invokes it), and pass it on to - its services. Thus, credentials can be propagated fully down the - tree: from a system's service manager to a systemd-nspawn service, to - the service manager tat runs as container payload and to the service - it runs below. Credentials may also be added on the systemd-nspawn - command line, using the new --set-credential= and --load-credential= - command line switches, that match the aforementioned service - settings. + invokes it (in fact: any process that invokes it), and passes them on + to its services. Thus, credentials can be propagated recursively down + the tree: from a system's service manager to a systemd-nspawn + service, to the service manager that runs as container payload and to + the service it runs below. Credentials may also be added on the + systemd-nspawn command line, using new --set-credential= and + --load-credential= command line switches that match the + aforementioned service settings. * systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in the partition drop-ins which may be used to format/LUKS encrypt/populate any created partitions. The partitions are encrypted/formatted/populated before they are registered in the - partition table, so that they appear "atomically": either the - partitions do not exist yet or they exist fully - encrypted/formatted/populated — there is no time window where they - are "half-initialized". Thus the system is robust to abrupt shutdown: - if the tool is terminated half-way during its operations on next boot - it will start from the beginning. + partition table, so that they appear atomically: either the + partitions do not exist yet or they exist fully encrypted, formatted, + and populated — there is no time window where they are + "half-initialized". Thus the system is robust to abrupt shutdown: if + the tool is terminated half-way during its operations on next boot it + will start from the beginning. * systemd-repart's --size= operation gained a new "auto" value. If specified, and operating on a loopback file it is automatically sized to the minimal size the size constraints permit. This is useful to use "systemd-repart" as an image builder for minimally sized images. - * systemd-resolved now supports a third IPC interface for requesting - name resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink - interface is now supported. The nss-resolve NSS modules has been - modified to use this new interface instead of D-Bus now. Using - Varlink has a major benefit over D-Bus: it works without a broker - service, and thus already during earliest boot, before dbus-daemon is - invoked (which is a late boot service). This means name resolution - via systemd-resolved now works at the same time systemd-networkd - operates: from earliest boot on, including in the initrd. + * systemd-resolved now gained a third IPC interface for requesting name + resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink + interface is now supported. The nss-resolve NSS module has been + modified to use this new interface instead of D-Bus. Using Varlink + has a major benefit over D-Bus: it works without a broker service, + and thus already during earliest boot, before the dbus daemon has + been started. This means name resolution via systemd-resolved now + works at the same time systemd-networkd operates: from earliest boot + on, including in the initrd. * systemd-resolved gained support for a new DNSStubListenerExtra= configuration file setting which may be used to specify additional IP @@ -366,8 +359,8 @@ CHANGES WITH 247 in spe: * Name lookups issued via systemd-resolved's D-Bus and Varlink interfaces (and thus also via glibc NSS if nss-resolve is used) will now honour a trailing dot in the hostname: if specified the search - path logic is turned off. Thus "resolvectl query foo.bar." is now - equivalent to "resolvectl query --search=off foo.bar". + path logic is turned off. Thus "resolvectl query foo." is now + equivalent to "resolvectl query --search=off foo.". * systemd-resolved gained a new D-Bus property "ResolvConfMode" that exposes how /etc/resolv.conf is currently managed: by resolved (and @@ -375,14 +368,16 @@ CHANGES WITH 247 in spe: this property in its status output. * The resolv.conf snippets systemd-resolved provides will now set "." - as search domain if no other search domain is known. This turns off - behaviour in glibc that an implicit search domain is derived from the - local system's hostname if it is set to an FQDN. + as the search domain if no other search domain is known. This turns + off the derivation of an implicit search domain by nss-dns for the + hostname, when the hostname is set to an FQDN. This change is done to + make nss-dns using resolv.conf provided by systemd-resolved behave + more similarly to nss-resolve. * systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of /tmp/ and /var/tmp/ based on file timestamps) now looks at the - "birth" time (btime) of a file in addition to the atime, mtime, - ctime, to determine if it should be kept or deleted. + "birth" time (btime) of a file in addition to the atime, mtime, and + ctime. * systemd-analyze gained a new verb "capability" that lists all known capabilities by the systemd build and by the kernel. @@ -395,12 +390,12 @@ CHANGES WITH 247 in spe: having to rebuild systemd. * systemd-logind will now listen to the KEY_RESTART key from the Linux - input layer and reboot the system if it is pressed, similar to how it - already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART was - originally defined in a Multimedia context (to restart playback of a - song or film), but is now primarily used in various embedded devices - for "Reboot" buttons. Accordingly, systemd-logind will now honour it - as such. This may configured in more detail via the new + input layer and reboot the system if it is pressed, similarly to how + it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART + was originally defined in the Multimedia context (to restart playback + of a song or film), but is now primarily used in various embedded + devices for "Reboot" buttons. Accordingly, systemd-logind will now + honour it as such. This may configured in more detail via the new HandleRebootKey= and RebootKeyIgnoreInhibited=. * systemd-nspawn/systemd-machined will now reconstruct hardlinks when @@ -424,12 +419,12 @@ CHANGES WITH 247 in spe: now be marked to be independent of any underlying network interface via the new Independent= boolean setting. - * systemctl gained support for two new verbs: "log-level" and - "log-target" which may be used on services that implement the generic - org.freedesktop.LogControl1 D-Bus interface for dynamically adjusting - the log level and target. All of systemd's long-running services - support this now, but ideally any system service would implement this - interface to make the system more uniformly inspectable and + * systemctl gained support for two new verbs: "service-log-level" and + "service-log-target" may be used on services that implement the + generic org.freedesktop.LogControl1 D-Bus interface to dynamically + adjust the log level and target. All of systemd's long-running + services support this now, but ideally all system services would + implement this interface to make the system more uniformly debuggable. * The SystemCallErrorNumber= unit file setting now accepts the new @@ -441,7 +436,7 @@ CHANGES WITH 247 in spe: list of syscalls that shall be logged about (audit). * The OS image dissection logic (as used by RootImage= in unit files or - systemd-nspawn's --image= switch) has learnt support for identifying + systemd-nspawn's --image= switch) has gained support for identifying and mounting explicit /usr/ partitions, which are now defined in the discoverable partition specification. This should be useful for environments where the root file system is @@ -461,21 +456,21 @@ CHANGES WITH 247 in spe: will now log the thread ID in their log output. This is useful when working with heavily threaded programs. - * If the SYSTEMD_RDRAND enviroment variable is set to "0" systemd's use - of the RDRAND CPU instruction is disabled. This is useful in - environments such as replay debuggers where CPU level - non-deterministic behaviour is not desirable. + * If the SYSTEMD_RDRAND enviroment variable is set to "0", systemd will + not use the RDRAND CPU instruction. This is useful in environments + such as replay debuggers where non-deterministic behaviour is not + desirable. * When building systemd the Meson option - "compat-mutable-uid-boundaries" may now be specified. If so systemd - reads the system UID boundaries from /etc/login.defs, instead of using - the built-in values selected during build-time. This is an option to - improve compatibility for upgrades from old systems. It's strongly - recommended not to make use of this functionality on new systems (or - even enable it during build), as it makes something - runtime-configurable that is mostly an implementation detail of the - OS, and permits avoidable differences in deployments that create all - kinds of problems in the long run. + -Dcompat-mutable-uid-boundaries may now be specified. If enabled, + systemd reads the system UID boundaries from /etc/login.defs, instead + of using the built-in values selected during build-time. This is an + option to improve compatibility for upgrades from old systems. It's + strongly recommended not to make use of this functionality on new + systems (or even enable it during build), as it makes something + runtime-configurable that is mostly an implementation detail of the + OS, and permits avoidable differences in deployments that create all + kinds of problems in the long run. CHANGES WITH 246: