update NEWS
parent d625e59d07
commit dc6a31628e
NEWS
@ -16,7 +16,7 @@ CHANGES WITH 247 in spe:
|
||||||
or otherwise process uevents. Please note that this incompatibility
|
or otherwise process uevents. Please note that this incompatibility
|
||||||
is not fault of systemd or udev, but caused by an incompatible kernel
|
is not fault of systemd or udev, but caused by an incompatible kernel
|
||||||
change that happened back in Linux 4.12, but is becoming more and
|
change that happened back in Linux 4.12, but is becoming more and
|
||||||
more visible as the new uvents are generated by more kernel drivers.
|
more visible as the new uevents are generated by more kernel drivers.
|
||||||
|
|
||||||
To minimize issues resulting from this kernel change (but not avoid
|
To minimize issues resulting from this kernel change (but not avoid
|
||||||
them entirely) starting with systemd-udevd 247 the udev "tags"
|
them entirely) starting with systemd-udevd 247 the udev "tags"
|
||||||
|
@ -106,29 +106,50 @@ CHANGES WITH 247 in spe:
|
||||||
desired the location to which systemd installs its PAM stack
|
desired the location to which systemd installs its PAM stack
|
||||||
configuration may be changed via the -Dpamconfdir Meson option.
|
configuration may be changed via the -Dpamconfdir Meson option.
|
||||||
|
|
||||||
* The runtime dependencies on libqrencode, libpcre2, libpwquality and
|
* The runtime dependencies on libqrencode, libpcre2, libidn/libidn2,
|
||||||
libcryptsetup have been changed to be based on dlopen(): instead of
|
libpwquality and libcryptsetup have been changed to be based on
|
||||||
regular dynamic library dependencies declared in the binary ELF
|
dlopen(): instead of regular dynamic library dependencies declared in
|
||||||
headers, these libraries are now loaded on demand only, if they are
|
the binary ELF headers, these libraries are now loaded on demand
|
||||||
available. If the libraries cannot be found the relevant operations
|
only, if they are available. If the libraries cannot be found the
|
||||||
will fail gracefully, or a suitable fallback logic is chosen. This is
|
relevant operations will fail gracefully, or a suitable fallback
|
||||||
supposed to be useful for general purpose distributions, as it allows
|
logic is chosen. This is supposed to be useful for general purpose
|
||||||
minimizing the list of dependencies the systemd packages pull in,
|
distributions, as it allows minimizing the list of dependencies the
|
||||||
permitting building of more minimal OS images, while still making use
|
systemd packages pull in, permitting building of more minimal OS
|
||||||
of these "weak" dependencies should they be installed. Since many
|
images, while still making use of these "weak" dependencies should
|
||||||
package managers automatically synthesize package dependencies from
|
they be installed. Since many package managers automatically
|
||||||
ELF shared library dependencies, some additional manual packaging
|
synthesize package dependencies from ELF shared library dependencies,
|
||||||
work has to be done now to replace those (slightly downgraded from
|
some additional manual packaging work has to be done now to replace
|
||||||
"required" to "recommended" or whatever is conceptually suitable for
|
those (slightly downgraded from "required" to "recommended" or
|
||||||
the package manager). Note that this change does not alter build-time
|
whatever is conceptually suitable for the package manager). Note that
|
||||||
behaviour: as before the build-time dependencies have to be installed
|
this change does not alter build-time behaviour: as before the
|
||||||
during build, even if they now are optional during runtime.
|
build-time dependencies have to be installed during build, even if
|
||||||
|
they now are optional during runtime.
|
||||||
|
|
||||||
* sd-event.h gained a new call sd_event_add_time_relative() for
|
* sd-event.h gained a new call sd_event_add_time_relative() for
|
||||||
installing timers relative to the current time. This is mostly a
|
installing timers relative to the current time. This is mostly a
|
||||||
convenience wrapper around the pre-existing sd_event_add_time() call
|
convenience wrapper around the pre-existing sd_event_add_time() call
|
||||||
which installs absolute timers.
|
which installs absolute timers.
|
||||||
|
|
||||||
|
* sd-event event sources may now be placed in a new "exit-on-failure"
|
||||||
|
mode, which may be controlled via the new
|
||||||
|
sd_event_source_get_exit_on_failure() and
|
||||||
|
sd_event_source_set_exit_on_failure() functions. If enabled, any
|
||||||
|
failure returned by the event source handler functions will result in
|
||||||
|
exiting the event loop (unlike the default behaviour of just
|
||||||
|
disabling the event source but continuing with the event loop). This
|
||||||
|
feature is useful to set for all event sources that define "primary"
|
||||||
|
program behaviour (where failure should be fatal) in contrast to
|
||||||
|
"auxiliary" behaviour (where failure should remain local).
|
||||||
|
|
||||||
|
* Most event source types sd-event supports now accept a NULL handler
|
||||||
|
function, in which case the event loop is exited once the event
|
||||||
|
source is to be dispatched, using the userdata pointer — converted to
|
||||||
|
a signed integer — as exit code of the event loop. Previously this
|
||||||
|
was supported for IO and signal event sources already. Exit event
|
||||||
|
sources still do not support this (simply because it makes little
|
||||||
|
sense there, as the event loop is already exiting when they are
|
||||||
|
dispatched).
|
||||||
|
|
||||||
* A new per-unit setting RootImageOptions= has been added which allows
|
* A new per-unit setting RootImageOptions= has been added which allows
|
||||||
tweaking the mount options for any file system mounted as effect of
|
tweaking the mount options for any file system mounted as effect of
|
||||||
the RootImage= setting.
|
the RootImage= setting.
|
||||||
|
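Review bot: the libqrencode/libpcre2 paragraph is rewrapped wholesale just to insert "libidn/libidn2" into the list, which buries the one-word change under a dozen reflowed lines; appending the new library at the end of the list, or limiting the rewrap to the first line, would keep the hunk reviewable. The same paragraph tells packagers to downgrade the ELF-derived dependencies to "recommended", so with libidn/libidn2 now in the dlopen() set the distribution packaging notes need to cover it as well.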
@ -223,7 +244,9 @@ CHANGES WITH 247 in spe:
|
||||||
them in local timezone or UTC, or whether to show µs granularity.
|
them in local timezone or UTC, or whether to show µs granularity.
|
||||||
|
|
||||||
* Alibaba's "pouch" container manager is now detected by
|
* Alibaba's "pouch" container manager is now detected by
|
||||||
systemd-detect-virt, ConditionVirtualization= and similar constructs.
|
systemd-detect-virt, ConditionVirtualization= and similar
|
||||||
|
constructs. Similar, they now also recognize IBM PowerVM machine
|
||||||
|
virtualization.
|
||||||
|
|
||||||
* systemd-nspawn has been reworked to use the /run/host/incoming/ as
|
* systemd-nspawn has been reworked to use the /run/host/incoming/ as
|
||||||
place to use for propagating external mounts into the
|
place to use for propagating external mounts into the
|
||||||
|
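Review bot: "Similar, they now also recognize IBM PowerVM machine virtualization" should read "Similarly, they now also recognize ...".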
@ -247,12 +270,6 @@ CHANGES WITH 247 in spe:
|
||||||
deprecated and undocumented for 6 years. systemd started to warn
|
deprecated and undocumented for 6 years. systemd started to warn
|
||||||
about its use 1.5 years ago. It has now been removed entirely.
|
about its use 1.5 years ago. It has now been removed entirely.
|
||||||
|
|
||||||
* If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
|
|
||||||
systemd-nspawn all system call filter violations will be logged by
|
|
||||||
the kernel (audit). This is useful for tracking down system calls
|
|
||||||
invoked by container payloads that are prohibited by the container's
|
|
||||||
system call filter policy.
|
|
||||||
|
|
||||||
* sd-bus.h gained a new API call sd_bus_error_has_names(), which takes
|
* sd-bus.h gained a new API call sd_bus_error_has_names(), which takes
|
||||||
a sd_bus_error struct and a list of error names, and checks if the
|
a sd_bus_error struct and a list of error names, and checks if the
|
||||||
error matches one of these names. It's a convenience wrapper that is
|
error matches one of these names. It's a convenience wrapper that is
|
||||||
|
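Review bot: this hunk deletes the $SYSTEMD_LOG_SECCOMP entry rather than editing it, and the identical text is re-added a few hunks further down next to the other system call filter entries; regrouping is fine, but the commit message "update NEWS" should say the entry was moved so nobody reading the history concludes the feature was dropped.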
@ -264,12 +281,24 @@ CHANGES WITH 247 in spe:
|
||||||
* Behaviour of system call filter allow lists has changed slightly:
|
* Behaviour of system call filter allow lists has changed slightly:
|
||||||
system calls that are contained in @known will result in a EPERM by
|
system calls that are contained in @known will result in a EPERM by
|
||||||
default, while those not contained in it result in ENOSYS. This
|
default, while those not contained in it result in ENOSYS. This
|
||||||
should improve compatibility because known syscalls will thus be
|
should improve compatibility because known system calls will thus be
|
||||||
communicated as prohibited, while unknown (and thus newer ones) will
|
communicated as prohibited, while unknown (and thus newer ones) will
|
||||||
be communicated as not implemented, which hopefully has the greatest
|
be communicated as not implemented, which hopefully has the greatest
|
||||||
chance of triggering the right fallback code paths in client
|
chance of triggering the right fallback code paths in client
|
||||||
applications.
|
applications.
|
||||||
|
|
||||||
|
* "systemd-analyze syscall-filter" will now show two separate sections
|
||||||
|
at the bottom of the output: system calls known during systemd build
|
||||||
|
time but not included in any of the filter groups shown above, and
|
||||||
|
system calls defined on the local kernel but known during systemd
|
||||||
|
build time.
|
||||||
|
|
||||||
|
* If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
|
||||||
|
systemd-nspawn all system call filter violations will be logged by
|
||||||
|
the kernel (audit). This is useful for tracking down system calls
|
||||||
|
invoked by container payloads that are prohibited by the container's
|
||||||
|
system call filter policy.
|
||||||
|
|
||||||
* Two new unit file settings ProtectProc= and ProcSubset= have been
|
* Two new unit file settings ProtectProc= and ProcSubset= have been
|
||||||
added that expose the hidepid= and subset= mount options of procfs.
|
added that expose the hidepid= and subset= mount options of procfs.
|
||||||
All processes of the unit will only see processes in /proc that are
|
All processes of the unit will only see processes in /proc that are
|
||||||
|
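Review bot: the second section described for "systemd-analyze syscall-filter" is "system calls defined on the local kernel but known during systemd build time", which as written overlaps the first section (build-time-known calls outside any filter group) and reads like a dropped "not": the interesting set is the calls the running kernel defines that systemd did not know at build time, i.e. "but not known during systemd build time". Please fix the wording here, since these are exactly the calls that fall on the ENOSYS side of the @known split described in the preceding entry, and readers will use this text to interpret the tool's output.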
@ -419,6 +448,11 @@ CHANGES WITH 247 in spe:
|
||||||
now be marked to be independent of any underlying network interface
|
now be marked to be independent of any underlying network interface
|
||||||
via the new Independent= boolean setting.
|
via the new Independent= boolean setting.
|
||||||
|
|
||||||
|
* systemd-networkd's Gateway= setting in .network files now accepts the
|
||||||
|
special values _dhcp4 and _ipv6ra to configure additional, locally
|
||||||
|
defined, explicit routes to the gateway acquired via DHCP or IPv6
|
||||||
|
Router Advertisements.
|
||||||
|
|
||||||
* systemctl gained support for two new verbs: "service-log-level" and
|
* systemctl gained support for two new verbs: "service-log-level" and
|
||||||
"service-log-target" may be used on services that implement the
|
"service-log-target" may be used on services that implement the
|
||||||
generic org.freedesktop.LogControl1 D-Bus interface to dynamically
|
generic org.freedesktop.LogControl1 D-Bus interface to dynamically
|
||||||
|
@ -430,10 +464,10 @@ CHANGES WITH 247 in spe:
|
||||||
* The SystemCallErrorNumber= unit file setting now accepts the new
|
* The SystemCallErrorNumber= unit file setting now accepts the new
|
||||||
"kill" and "log" actions, in addition to arbitrary error number
|
"kill" and "log" actions, in addition to arbitrary error number
|
||||||
specifications as before. If "kill" the the processes are killed on
|
specifications as before. If "kill" the the processes are killed on
|
||||||
the event, if "log" the offending syscall is audit logged.
|
the event, if "log" the offending system call is audit logged.
|
||||||
|
|
||||||
* A new SystemCallLog= unit file setting has been added that accepts a
|
* A new SystemCallLog= unit file setting has been added that accepts a
|
||||||
list of syscalls that shall be logged about (audit).
|
list of system calls that shall be logged about (audit).
|
||||||
|
|
||||||
* The OS image dissection logic (as used by RootImage= in unit files or
|
* The OS image dissection logic (as used by RootImage= in unit files or
|
||||||
systemd-nspawn's --image= switch) has gained support for identifying
|
systemd-nspawn's --image= switch) has gained support for identifying
|
||||||
|
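Review bot: "If "kill" the the processes are killed on the event" still carries the doubled "the" on the right-hand side; since the hunk already rewords the following line (syscall to system call), fix the duplication in the same pass.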
@ -456,7 +490,7 @@ CHANGES WITH 247 in spe:
|
||||||
will now log the thread ID in their log output. This is useful when
|
will now log the thread ID in their log output. This is useful when
|
||||||
working with heavily threaded programs.
|
working with heavily threaded programs.
|
||||||
|
|
||||||
* If the SYSTEMD_RDRAND enviroment variable is set to "0", systemd will
|
* If the SYSTEMD_RDRAND environment variable is set to "0", systemd will
|
||||||
not use the RDRAND CPU instruction. This is useful in environments
|
not use the RDRAND CPU instruction. This is useful in environments
|
||||||
such as replay debuggers where non-deterministic behaviour is not
|
such as replay debuggers where non-deterministic behaviour is not
|
||||||
desirable.
|
desirable.
|
||||||
|
@ -472,6 +506,12 @@ CHANGES WITH 247 in spe:
|
||||||
OS, and permits avoidable differences in deployments that create all
|
OS, and permits avoidable differences in deployments that create all
|
||||||
kinds of problems in the long run.
|
kinds of problems in the long run.
|
||||||
|
|
||||||
|
* The autopaging logic in systemd's various tools (such as systemctl)
|
||||||
|
has been updated to turn on "secure" mode in "less"
|
||||||
|
(i.e. $LESSECURE=1) if execution in a "sudo" environment is
|
||||||
|
detected. This disables invoking external programs from the pager,
|
||||||
|
via the pipe logic. This behaviour may be overridden via the new
|
||||||
|
$SYSTEMD_PAGERSECURE environment variable.
|
||||||
|
|
||||||
CHANGES WITH 246:
|
CHANGES WITH 246:
|
||||||
|
|
||||||
|
|
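Review bot: the new autopaging entry writes the less variable as $LESSECURE; the variable less actually reads is $LESSSECURE (three S), so the parenthetical should be corrected before release, otherwise readers checking the behaviour by hand will set a name less ignores. The entry could also make explicit that "secure" mode is what suppresses the pager's shell escapes and pipe commands under sudo, which is the whole point of enabling it there.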