picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

update NEWS

This commit is contained in:
Lennart Poettering 2020-10-15 10:52:40 +02:00
parent d625e59d07
commit dc6a31628e
1 changed files with 69 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
NEWS
View File

@ -16,7 +16,7 @@ CHANGES WITH 247 in spe:
or otherwise process uevents. Please note that this incompatibility
is not fault of systemd or udev, but caused by an incompatible kernel
change that happened back in Linux 4.12, but is becoming more and
more visible as the new uvents are generated by more kernel drivers.
more visible as the new uevents are generated by more kernel drivers.
To minimize issues resulting from this kernel change (but not avoid
them entirely) starting with systemd-udevd 247 the udev "tags"
@ -106,29 +106,50 @@ CHANGES WITH 247 in spe:
desired the location to which systemd installs its PAM stack
configuration may be changed via the -Dpamconfdir Meson option.
* The runtime dependencies on libqrencode, libpcre2, libpwquality and
libcryptsetup have been changed to be based on dlopen(): instead of
regular dynamic library dependencies declared in the binary ELF
headers, these libraries are now loaded on demand only, if they are
available. If the libraries cannot be found the relevant operations
will fail gracefully, or a suitable fallback logic is chosen. This is
supposed to be useful for general purpose distributions, as it allows
minimizing the list of dependencies the systemd packages pull in,
permitting building of more minimal OS images, while still making use
of these "weak" dependencies should they be installed. Since many
package managers automatically synthesize package dependencies from
ELF shared library dependencies, some additional manual packaging
work has to be done now to replace those (slightly downgraded from
"required" to "recommended" or whatever is conceptually suitable for
the package manager). Note that this change does not alter build-time
behaviour: as before the build-time dependencies have to be installed
during build, even if they now are optional during runtime.
* The runtime dependencies on libqrencode, libpcre2, libidn/libidn2,
libpwquality and libcryptsetup have been changed to be based on
dlopen(): instead of regular dynamic library dependencies declared in
the binary ELF headers, these libraries are now loaded on demand
only, if they are available. If the libraries cannot be found the
relevant operations will fail gracefully, or a suitable fallback
logic is chosen. This is supposed to be useful for general purpose
distributions, as it allows minimizing the list of dependencies the
systemd packages pull in, permitting building of more minimal OS
images, while still making use of these "weak" dependencies should
they be installed. Since many package managers automatically
synthesize package dependencies from ELF shared library dependencies,
some additional manual packaging work has to be done now to replace
those (slightly downgraded from "required" to "recommended" or
whatever is conceptually suitable for the package manager). Note that
this change does not alter build-time behaviour: as before the
build-time dependencies have to be installed during build, even if
they now are optional during runtime.
* sd-event.h gained a new call sd_event_add_time_relative() for
installing timers relative to the current time. This is mostly a
convenience wrapper around the pre-existing sd_event_add_time() call
which installs absolute timers.
* sd-event event sources may now be placed in a new "exit-on-failure"
mode, which may be controlled via the new
sd_event_source_get_exit_on_failure() and
sd_event_source_set_exit_on_failure() functions. If enabled, any
failure returned by the event source handler functions will result in
exiting the event loop (unlike the default behaviour of just
disabling the event source but continuing with the event loop). This
feature is useful to set for all event sources that define "primary"
program behaviour (where failure should be fatal) in contrast to
"auxiliary" behaviour (where failure should remain local).
* Most event source types sd-event supports now accept a NULL handler
function, in which case the event loop is exited once the event
source is to be dispatched, using the userdata pointer — converted to
a signed integer — as exit code of the event loop. Previously this
was supported for IO and signal event sources already. Exit event
sources still do not support this (simply because it makes little
sense there, as the event loop is already exiting when they are
dispatched).
* A new per-unit setting RootImageOptions= has been added which allows
tweaking the mount options for any file system mounted as effect of
the RootImage= setting.
@ -223,7 +244,9 @@ CHANGES WITH 247 in spe:
them in local timezone or UTC, or whether to show µs granularity.
* Alibaba's "pouch" container manager is now detected by
systemd-detect-virt, ConditionVirtualization= and similar constructs.
systemd-detect-virt, ConditionVirtualization= and similar
constructs. Similar, they now also recognize IBM PowerVM machine
virtualization.
* systemd-nspawn has been reworked to use the /run/host/incoming/ as
place to use for propagating external mounts into the
@ -247,12 +270,6 @@ CHANGES WITH 247 in spe:
deprecated and undocumented for 6 years. systemd started to warn
about its use 1.5 years ago. It has now been removed entirely.
* If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
systemd-nspawn all system call filter violations will be logged by
the kernel (audit). This is useful for tracking down system calls
invoked by container payloads that are prohibited by the container's
system call filter policy.
* sd-bus.h gained a new API call sd_bus_error_has_names(), which takes
a sd_bus_error struct and a list of error names, and checks if the
error matches one of these names. It's a convenience wrapper that is
@ -264,12 +281,24 @@ CHANGES WITH 247 in spe:
* Behaviour of system call filter allow lists has changed slightly:
system calls that are contained in @known will result in a EPERM by
default, while those not contained in it result in ENOSYS. This
should improve compatibility because known syscalls will thus be
should improve compatibility because known system calls will thus be
communicated as prohibited, while unknown (and thus newer ones) will
be communicated as not implemented, which hopefully has the greatest
chance of triggering the right fallback code paths in client
applications.
* "systemd-analyze syscall-filter" will now show two separate sections
at the bottom of the output: system calls known during systemd build
time but not included in any of the filter groups shown above, and
system calls defined on the local kernel but known during systemd
build time.
* If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
systemd-nspawn all system call filter violations will be logged by
the kernel (audit). This is useful for tracking down system calls
invoked by container payloads that are prohibited by the container's
system call filter policy.
* Two new unit file settings ProtectProc= and ProcSubset= have been
added that expose the hidepid= and subset= mount options of procfs.
All processes of the unit will only see processes in /proc that are
@ -419,6 +448,11 @@ CHANGES WITH 247 in spe:
now be marked to be independent of any underlying network interface
via the new Independent= boolean setting.
* systemd-networkd's Gateway= setting in .network files now accepts the
special values _dhcp4 and _ipv6ra to configure additional, locally
defined, explicit routes to the gateway acquired via DHCP or IPv6
Router Advertisements.
* systemctl gained support for two new verbs: "service-log-level" and
"service-log-target" may be used on services that implement the
generic org.freedesktop.LogControl1 D-Bus interface to dynamically
@ -430,10 +464,10 @@ CHANGES WITH 247 in spe:
* The SystemCallErrorNumber= unit file setting now accepts the new
"kill" and "log" actions, in addition to arbitrary error number
specifications as before. If "kill" the the processes are killed on
the event, if "log" the offending syscall is audit logged.
the event, if "log" the offending system call is audit logged.
* A new SystemCallLog= unit file setting has been added that accepts a
list of syscalls that shall be logged about (audit).
list of system calls that shall be logged about (audit).
* The OS image dissection logic (as used by RootImage= in unit files or
systemd-nspawn's --image= switch) has gained support for identifying
@ -456,7 +490,7 @@ CHANGES WITH 247 in spe:
will now log the thread ID in their log output. This is useful when
working with heavily threaded programs.
* If the SYSTEMD_RDRAND enviroment variable is set to "0", systemd will
* If the SYSTEMD_RDRAND environment variable is set to "0", systemd will
not use the RDRAND CPU instruction. This is useful in environments
such as replay debuggers where non-deterministic behaviour is not
desirable.
@ -472,6 +506,12 @@ CHANGES WITH 247 in spe:
OS, and permits avoidable differences in deployments that create all
kinds of problems in the long run.
* The autopaging logic in systemd's various tools (such as systemctl)
has been updated to turn on "secure" mode in "less"
(i.e. $LESSECURE=1) if execution in a "sudo" environment is
detected. This disables invoking external programs from the pager,
via the pipe logic. This behaviour may be overridden via the new
$SYSTEMD_PAGERSECURE environment variable.
CHANGES WITH 246: