forked from systemd/systemd
-
Notifications
You must be signed in to change notification settings - Fork 3
/
NEWS
10482 lines (8530 loc) · 546 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
systemd System and Service Manager
CHANGES WITH 245 in spe:
* A new tool "systemd-repart" has been added, that operates as an
idempotent, robust, incremental, elastic and declarative
repartitioner. It takes inspiration from
systemd-tmpfiles/systemd-sysusers but applies the algorithmic
concepts to GPT partition tables. Specifically, a set of partitions
that must or may exist can be configured via drop-in files, and
during every boot the partition table on disk is compared with these
files, creating missing partitions or growing existing ones based on
configurable relative and absolute size constraints. The tool is
strictly incremental, i.e. does not delete, shrink or move
partitions, but only adds and grows them. The primary use-case is OS
images that shall ship in minimized form, with only a minimal boot
and root partition, that on first boot is grown to the size of the
underlying block device or augmented with additional partitions. For
example, the root partition could be extended to cover the whole
disk, or a swap or /home partitions could be added implicitly on
first boot. It also has uses on systems that use an A/B update scheme
to allow shipping minimal images with just the A set of partition,
and with the B set added on first boot. The tool is primarily
intended to be run in the initrd, shortly before transitioning into
the host OS, but also can be run after the transition took place. It
automatically discovers the disk backing the root file system, and
should hence not require any additional configuration besides the
partition definition drop-ins.
* A new component "userdb" has been added, along with a small daemon
"systemd-userdb.service" and a client tool "userdbctl". The framework
allows defining rich user and group records in a JSON format,
extending on the classic "struct passwd" and "struct group"
structures. Various components in systemd have been updated to
process records in this format, including systemd-logind and
pam-systemd. The user records are intended to be extensible, and
allow setting various resource management, security and runtime
parameters that shall be applied to processes and sessions of the
user as they log in. This facility is intended to allow associating
such metadata directly with user/group records so that they can be
produced, extended and consumed in unified form. We hope that
eventually frameworks such as sssd will generate records this way, so
that for the first time resource management and various other
per-user settings can be configured in LDAP directories and then
provided to systemd (specifically to systemd-logind and pam-system)
to enforce on log-in. For further details see:
https://systemd.io/USER_RECORD
https://systemd.io/GROUP_RECORD
https://systemd.io/USER_GROUP_API
* A small new service systemd-homed.service has been added, that may be
used to securely manage home directories, with built-in encryption
and unifying the user's own home directory data together with
complete user record data in a single place, thus making home
directories naturally migratable. Its primary back-end is based on
LUKS volumes, but it also supports fscrypt, plain directories and
more. It solves a couple of problems we saw with traditional ways to
manage home directories, in particular when it comes to
encryption. For further discussion of this, see the video of
Lennart's talk at AllSystemsGo! 2019:
https://media.ccc.de/v/ASG2019-164-reinventing-home-directories
For further details about the format and expectations on home
directories this new daemon makes, see:
https://systemd.io/HOME_DIRECTORY
* systemd-journald is now multi-instantiable. In addition to the main
instance systemd-journald.service there's now a template unit
[email protected] that can be instantiated multiple times,
each time defining a new named log 'namespace' (whose name is
specified via the instance part of the instance unit name). A new
unit file setting LogNamespace= has been added, taking such a
namespace name, that allows assigning services to such log
namespaces. As each log namespace is serviced by its own, independent
journal daemon this functionality may be use to improve performance
and increase isolation of applications, at the price of losing global
message ordering. Each daemon may have a separate set of
configuration files, with possibly different disk space settings and
such. journalctl has been updated to take a new option --namespace=
which allows viewing logs from a specific log namespace. The
sd-journal.h API gained sd_journal_open_namespace() for opening the
log stream of a specific log namespace. systemd-journald also gained
the ability to exit on idle, which is useful in the context of log
namespaces, as this means log daemons for log namespaces can be
activated automatically on demand and stop automatically when no
longer used, minimizing resource usage.
* When systemd-tmpfiles copies a file tree using the 'C' line type it
will now implicitly label every copied file matching the SELinux
database.
* When systemd/PID 1 detects it is used in the initrd it will now boot
into initrd.target rather than default.target by default. This should
make it simpler to build initrds with systemd as for many cases the
only difference between a host OS image and an initrd image now is
the /etc/initrd-release file that identifies the initrd as one.
* A new kernel command line option systemd.cpu_affinity= is now
understood. It's equivalent to the CPUAffinity= option in
/etc/systemd/system.conf and allows setting the CPU mask for PID 1
itself and the default for all forked off processes.
* When systemd/PID 1 is reloaded (with systemctl daemon-reload or an
equivalent tool) the SELinux database is now reloaded, ensuring that
sockets and other file system objects are generated taking the new
database into account.
* The sd-event.h API now has native support for the new Linux "pidfd"
concept. This permits watching processes using file descriptors
instead of PID numbers, which fixes a number of races and makes
process supervision more robust and more efficient. All of systemd's
components will now use pidfds if the kernel supports it for process
watching, with the exception of PID 1 itself, unfortunately. We hope
to move PID 1 to exclusively using pidfds too eventually, but this
requires some more kernel work first. (Background: PID 1 watches
processes using waitid() with the P_ALL flag, and that does not play
together nicely with pidfds yet.)
* Closely related to this, the sd-event.h API gained two new calls
sd_event_source_send_child_signal() (for sending a signal to a
watched process) and sd_event_source_get_child_process_own() (for
marking a process so that it is killed implicitly whenever the event
source watching it is freed).
* systemd-networkd gained support for configuring Token Buffer Filter
(TBF) parameters in its qdisc configuration support. Similar, support
for Stochastic Fairness Queuing (SFQ), Controlled-Delay Active
Queue Management (CoDel), Fair Queue (FQ) has been added.
* systemd-networkd gained support for Intermediate Functional Block
(IFB) network devices.
* systemd-networkd gained support for configuring multi-path IP routes,
using the new MultiPathRoute= setting in the [Route] section.
* systemd-networkd's DHCPv4 support has been updated to support a new
SendDecline= option. If enabled duplicate address detection is done
after a DHCP offer is received from a server. If a conflict is
detected the address is declined. The DHCPv4 support also gained
support for a new RouteMTUBytes= setting that allows to configure the
MTU size to be used for routes generated from DHCPv4 leases.
* The PrefixRoute= setting in systemd-networkd's [Address] section of
.network files has been deprecated, and replaced by AddPrefixRoute=,
with it's sense inverted.
* The Gateway= setting of [Route] sections of .network files gained
support for a special new value "dhcp". If set the configured static
route uses the gateway host configured via DHCP.
* A new User= setting has been implemented for the [RoutingPolicyRule]
section of .network files for configuring source routing based on UID
ranges.
* sd-bus gained a new API call sd_bus_message_sensitive() for marking a
D-Bus message object as "sensitive". Objects that are marked that way
are erased from memory when they are freed. This concept is intended
to be used for messages that contain security sensitive data that
should be erased after use. A new flag SD_BUS_VTABLE_SENSITIVE has
been introduced as well that allows marking method calls in sd-bus
vtables like this, so that this new message flag is implicitly set
for incoming and outgoing messages of specific methods.
* sd-bus gained a new API call sd_bus_message_dump() for dumping the
contents of a message (or parts thereof) onto standard output, for
debugging purposes.
* systemd-sysusers gained support for creating users with primary
groups named differently than the user itself.
* systemd-resolved's DNS-over-TLS support gained SNI validation.
* systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
gained support for growing XFS partitions. Previously it supported
only ext4 and btrfs partitions.
* The support for /etc/crypttab gained a new x-initrd.attach option. If
set the specified encrypted volume is unlocked in the initrd
already. This concept corresponds to the x-initrd.mount option in
/etc/fstab.
* systemd-cryptsetup gained native support for unlocking encrypted
volumes utilizing PKCS#11 smartcards, i.e. for example to bind
encryption of volumes to YubiKeys.This is exposed in the new
pkcs11-uri= option in /etc/crypttab.
* The /etc/fstab support in systemd now supports two new mount options
x-systemd.{required,wanted}-by=, for explicitly configuring the units
that the specified mount shall be pulled in by, in place of
the usual local-fs.target/remote-fs.target.
* The https://systemd.io/ web site has been relaunched, directly
populated with most of the documentation included in the systemd
repository. In particular, systemd acquired a new logo, thanks to
Tobias Bernard.
* systemd-udevd gained support for managing "alternative" network
interface names, as supported by new Linux kernels. For the first
time this permits assigning multiple (and longer!) names to a network
interface. systemd-udevd will now by default assign the names
generated via all supported naming schemes to each interface in
parallel. This may be further tweaked with .link drop-in files, and
the AlternativeName= and AlternativeNamesPolicy= settings. All other
components of systemd have been updated to support the new
alternative names too, wherever that is appropriate. For example,
systemd-nspawn will now generate alternative interface names for the
host-facing side of container veth links based on the full container
name without truncation.
* systemd-nspawn interface naming logic has been updated in another way
too: if the main interface name (i.e. as opposed to new-style
"alternative" names) is the truncated result of container name a
simple hashing scheme is used that ensures that multiple containers
whose name all begin the same are likely resulting in different
interface names. Since this changes the primary interface names
pointing to containers if truncation happens the old scheme may still
be requested by selecting a different naming scheme than the v245
one, via the net.naming-scheme= kernel command line option.
* PrivateUsers= in service files now works in services run by the
systemd --user per-user instance of the service manager.
* A new per-service sandboxing option ProtectClock= has been added that
locks down write access to the system clock. It takes away device
node access to /dev/rtc as well as the system calls that allow to set
the system clock. It also removes the CAP_SYS_TIME and CAP_WAKE_ALARM
capabilities. Note that this option does not affect access to
auxiliary services that allow changing the clock, for example access
to systemd-timedated.
* The systemd-id128 tool gained a new "show" verb for listing or
resolving a number of well-known UUIDs/128bit IDs, currently mostly
GPT partition table types.
* The Discoverable Partitions Specification has been updated to support
/var and /var/tmp partition discovery. Support for this has been
added to systemd-gpt-auto-generator. For details see:
https://systemd.io/DISCOVERABLE_PARTITIONS
* "systemctl list-unit-files" has been updated to show a new column
with the suggested enablement state based on the vendor preset files
for the respective units.
* "systemctl" gained a new option "--with-dependencies". If specified
commands such as "systemctl status" or "systemctl cat" will now show
all specified units along with all units they depend on.
* networkctl gained support for showing per-interface logs in its
"status" output.
* The [Match] section of .link and .network files now supports a new
option PermanentMACAddress= which may be used to check against the
permanent MAC address of a network device even if a randomized MAC
address is used.
* systemd-logind will now validate access to the operation for changing
virtual terminals via a PolicyKit action. By default only users with
at least one session on a local VT will get access to the method call.
* When systemd sets up PAM sessions that invoked service processes shall
run in, the pam_setcred() API is now invoked, thus permitting PAM
modules to set additional credentials for the processes.
…
CHANGES WITH 244:
* Support for the cpuset cgroups v2 controller has been added.
Processes may be restricted to specific CPUs using the new
AllowedCPUs= setting, and to specific memory NUMA nodes using the new
AllowedMemoryNodes= setting.
* The signal used in restart jobs (as opposed to e.g. stop jobs) may
now be configured using a new RestartKillSignal= setting. This
allows units which signals to request termination to implement
different behaviour when stopping in preparation for a restart.
* "systemctl clean" may now be used also for socket, mount, and swap
units.
* systemd will also read configuration options from the EFI variable
SystemdOptions. This may be used to configure systemd behaviour when
modifying the kernel command line is inconvenient, but configuration
on disk is read too late, for example for the options related to
cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
set the EFI variable.
* systemd will now disable printk ratelimits in early boot. This should
allow us to capture more logs from the early boot phase where normal
storage is not available and the kernel ring buffer is used for
logging. Configuration on the kernel command line has higher priority
and overrides the systemd setting.
systemd programs which log to /dev/kmsg directly use internal
ratelimits to prevent runaway logging. (Normally this is only used
during early boot, so in practice this change has very little
effect.)
* Unit files now support top level dropin directories of the form
<unit_type>.d/ (e.g. service.d/) that may be used to add configuration
that affects all corresponding unit files.
* systemctl gained support for 'stop --job-mode=triggering' which will
stop the specified unit and any units which could trigger it.
* Unit status display now includes units triggering and triggered by
the unit being shown.
* The RuntimeMaxSec= setting is now supported by scopes, not just
.service units. This is particularly useful for PAM sessions which
create a scope unit for the user login. systemd.runtime_max_sec=
setting may used with the pam_systemd module to limit the duration
of the PAM session, for example for time-limited logins.
* A new @pkey system call group is now defined to make it easier to
whitelist memory protection syscalls for containers and services
which need to use them.
* systemd-udevd: removed the 30s timeout for killing stale workers on
exit. systemd-udevd now waits for workers to finish. The hard-coded
exit timeout of 30s was too short for some large installations, where
driver initialization could be prematurely interrupted during initrd
processing if the root file system had been mounted and init was
preparing to switch root. If udevd is run without systemd and workers
are hanging while udevd receives an exit signal, udevd will now exit
when udev.event_timeout is reached for the last hanging worker. With
systemd, the exit timeout can additionally be configured using
TimeoutStopSec= in systemd-udevd.service.
* udev now provides a program (fido_id) that identifies FIDO CTAP1
("U2F")/CTAP2 security tokens based on the usage declared in their
report and descriptor and outputs suitable environment variables.
This replaces the externally maintained whitelists of all known
security tokens that were used previously.
* Automatically generated autosuspend udev rules for whitelisted
devices have been imported from the Chromium OS project. This should
improve power saving with many more devices.
* udev gained a new "CONST{key}=value" setting that allows matching
against system-wide constants without forking a helper binary.
Currently "arch" and "virt" keys are supported.
* udev now opens CDROMs in non-exclusive mode when querying their
capabilities. This should fix issues where other programs trying to
use the CDROM cannot gain access to it, but carries a risk of
interfering with programs writing to the disk, if they did not open
the device in exclusive mode as they should.
* systemd-networkd does not create a default route for IPv4 link local
addressing anymore. The creation of the route was unexpected and was
breaking routing in various cases, but people who rely on it being
created implicitly will need to adjust. Such a route may be requested
with DefaultRouteOnDevice=yes.
Similarly, systemd-networkd will not assign a link-local IPv6 address
when IPv6 link-local routing is not enabled.
* Receive and transmit buffers may now be configured on links with
the new RxBufferSize= and TxBufferSize= settings.
* systemd-networkd may now advertise additional IPv6 routes. A new
[IPv6RoutePrefix] section with Route= and LifetimeSec= options is
now supported.
* systemd-networkd may now configure "next hop" routes using the
[NextHop] section and Gateway= and Id= settings.
* systemd-networkd will now retain DHCP config on restarts by default
(but this may be overridden using the KeepConfiguration= setting).
The default for SendRelease= has been changed to true.
* The DHCPv4 client now uses the OPTION_INFORMATION_REFRESH_TIME option
received from the server.
The client will use the received SIP server list if UseSIP=yes is
set.
The client may be configured to request specific options from the
server using a new RequestOptions= setting.
The client may be configured to send arbitrary options to the server
using a new SendOption= setting.
A new IPServiceType= setting has been added to configure the "IP
service type" value used by the client.
* The DHCPv6 client learnt a new PrefixDelegationHint= option to
request prefix hints in the DHCPv6 solicitation.
* The DHCPv4 server may be configured to send arbitrary options using
a new SendOption= setting.
* The DHCPv4 server may now be configured to emit SIP server list using
the new EmitSIP= and SIP= settings.
* systemd-networkd and networkctl may now renew DHCP leases on demand.
networkctl has a new 'networkctl renew' verb.
* systemd-networkd may now reconfigure links on demand. networkctl
gained two new verbs: "reload" will reload the configuration, and
"reconfigure DEVICE…" will reconfigure one or more devices.
* .network files may now match on SSID and BSSID of a wireless network,
i.e. the access point name and hardware address using the new SSID=
and BSSID= options. networkctl will display the current SSID and
BSSID for wireless links.
.network files may also match on the wireless network type using the
new WLANInterfaceType= option.
* systemd-networkd now includes default configuration that enables
link-local addressing when connected to an ad-hoc wireless network.
* systemd-networkd may configure the Traffic Control queueing
disciplines in the kernel using the new
[TrafficControlQueueingDiscipline] section and Parent=,
NetworkEmulatorDelaySec=, NetworkEmulatorDelayJitterSec=,
NetworkEmulatorPacketLimit=, NetworkEmulatorLossRate=,
NetworkEmulatorDuplicateRate= settings.
* systemd-tmpfiles gained a new w+ setting to append to files.
* systemd-analyze dump will now report when the memory configuration in
the kernel does not match what systemd has configured (usually,
because some external program has modified the kernel configuration
on its own).
* systemd-analyze gained a new --base-time= switch instructs the
'calendar' verb to resolve times relative to that timestamp instead
of the present time.
* journalctl --update-catalog now produces deterministic output (making
reproducible image builds easier).
* A new devicetree-overlay setting is now documented in the Boot Loader
Specification.
* The default value of the WatchdogSec= setting used in systemd
services (the ones bundled with the project itself) may be set at
configuration time using the -Dservice-watchdog= setting. If set to
empty, the watchdogs will be disabled.
* systemd-resolved validates IP addresses in certificates now when GnuTLS
is being used.
* libcryptsetup >= 2.0.1 is now required.
* A configuration option -Duser-path= may be used to override the $PATH
used by the user service manager. The default is again to use the same
path as the system manager.
* The systemd-id128 tool gained a new switch "-u" (or "--uuid") for
outputting the 128bit IDs in UUID format (i.e. in the "canonical
representation").
* Service units gained a new sandboxing option ProtectKernelLogs= which
makes sure the program cannot get direct access to the kernel log
buffer anymore, i.e. the syslog() system call (not to be confused
with the API of the same name in libc, which is not affected), the
/proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made
inaccessible to the service. It's recommended to enable this setting
for all services that should not be able to read from or write to the
kernel log buffer, which are probably almost all.
Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey,
Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, Carlo
Teubner, cbzxt, Chen Qi, Chris Down, Christian Rebischke, Claudio
Zumbo, ClydeByrdIII, crashfistfight, Cyprien Laplace, Daniel Edgecumbe,
Daniel Gorbea, Daniel Rusek, Daniel Stuart, Dan Streetman, David
Pedersen, David Tardon, Dimitri John Ledkov, Dominique Martinet, Donald
A. Cupp Jr, Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger,
Franck Bui, Frantisek Sumsal, Georg Müller, Hans de Goede, Haochen
Tong, HATAYAMA Daisuke, Iwan Timmer, Jan Janssen, Jan Kundrát, Jan
Synacek, Jan Tojnar, Jay Strict, Jérémy Rosen, Jóhann B. Guðmundsson,
Jonas Jelten, Jonas Thelemann, Justin Trudell, J. Xing, Kai-Heng Feng,
Kenneth D'souza, Kevin Becker, Kevin Kuehler, Lennart Poettering,
Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej Stanczew, Mario
Limonciello, Marko Myllynen, Mark Stosberg, Martin Wilck, matthiasroos,
Michael Biebl, Michael Olbrich, Michael Tretter, Michal Sekletar,
Michal Sekletár, Michal Suchanek, Mike Gilbert, Mike Kazantsev, Nicolas
Douma, nikolas, Norbert Lange, pan93412, Pascal de Bruijn, Paul Menzel,
Pavel Hrdina, Peter Wu, Philip Withnall, Piotr Drąg, Rafael Fontenelle,
Renaud Métrich, Riccardo Schirone, RoadrunnerWMC, Ronan Pigott, Ryan
Attard, Sebastian Wick, Serge, Siddharth Chandrasekara, Steve Ramage,
Steve Traylen, Susant Sahani, Thibault Nélis, Tim Teichmann, Tom
Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo, ypf791, Yu Watanabe,
Zach Smith, Zbigniew Jędrzejewski-Szmek
– Warsaw, 2019-11-29
CHANGES WITH 243:
* This release enables unprivileged programs (i.e. requiring neither
setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
kernel for the whole UNIX group range, i.e. all processes. This
change should be reasonably safe, as the kernel support for it was
specifically implemented to allow safe access to ICMP Echo for
processes lacking any privileges. If this is not desirable, it can be
disabled again by setting the parameter to "1 0".
* Previously, filters defined with SystemCallFilter= would have the
effect that any calling of an offending system call would terminate
the calling thread. This behaviour never made much sense, since
killing individual threads of unsuspecting processes is likely to
create more problems than it solves. With this release the default
action changed from killing the thread to killing the whole
process. For this to work correctly both a kernel version (>= 4.14)
and a libseccomp version (>= 2.4.0) supporting this new seccomp
action is required. If an older kernel or libseccomp is used the old
behaviour continues to be used. This change does not affect any
services that have no system call filters defined, or that use
SystemCallErrorNumber= (and thus see EPERM or another error instead
of being killed when calling an offending system call). Note that
systemd documentation always claimed that the whole process is
killed. With this change behaviour is thus adjusted to match the
documentation.
* On 64 bit systems, the "kernel.pid_max" sysctl is now bumped to
4194304 by default, i.e. the full 22bit range the kernel allows, up
from the old 16bit range. This should improve security and
robustness, as PID collisions are made less likely (though certainly
still possible). There are rumours this might create compatibility
problems, though at this moment no practical ones are known to
us. Downstream distributions are hence advised to undo this change in
their builds if they are concerned about maximum compatibility, but
for everybody else we recommend leaving the value bumped. Besides
improving security and robustness this should also simplify things as
the maximum number of allowed concurrent tasks was previously bounded
by both "kernel.pid_max" and "kernel.threads-max" and now effectively
only a single knob is left ("kernel.threads-max"). There have been
concerns that usability is affected by this change because larger PID
numbers are harder to type, but we believe the change from 5 digits
to 7 digits doesn't hamper usability.
* MemoryLow= and MemoryMin= gained hierarchy-aware counterparts,
DefaultMemoryLow= and DefaultMemoryMin=, which can be used to
hierarchically set default memory protection values for a particular
subtree of the unit hierarchy.
* Memory protection directives can now take a value of zero, allowing
explicit opting out of a default value propagated by an ancestor.
* systemd now defaults to the "unified" cgroup hierarchy setup during
build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
default. Previously, -Ddefault-hierarchy=hybrid was the default. This
change reflects the fact that cgroupsv2 support has matured
substantially in both systemd and in the kernel, and is clearly the
way forward. Downstream production distributions might want to
continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for
their builds as unfortunately the popular container managers have not
caught up with the kernel API changes.
* Man pages are not built by default anymore (html pages were already
disabled by default), to make development builds quicker. When
building systemd for a full installation with documentation, meson
should be called with -Dman=true and/or -Dhtml=true as appropriate.
The default was changed based on the assumption that quick one-off or
repeated development builds are much more common than full optimized
builds for installation, and people need to pass various other
options to when doing "proper" builds anyway, so the gain from making
development builds quicker is bigger than the one time disruption for
packagers.
Two scripts are created in the *build* directory to generate and
preview man and html pages on demand, e.g.:
build/man/man systemctl
build/man/html systemd.index
* libidn2 is used by default if both libidn2 and libidn are installed.
Please use -Dlibidn=true if libidn is preferred.
* The D-Bus "wire format" of the CPUAffinity= attribute is changed on
big-endian machines. Before, bytes were written and read in native
machine order as exposed by the native libc __cpu_mask interface.
Now, little-endian order is always used (CPUs 0–7 are described by
bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on).
This change fixes D-Bus calls that cross endianness boundary.
The presentation format used for CPUAffinity= by "systemctl show" and
"systemd-analyze dump" is changed to present CPU indices instead of
the raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be
shown as CPUAffinity=03000000000000000000000000000… (on
little-endian) or CPUAffinity=00000000000000300000000000000… (on
64-bit big-endian), and is now shown as CPUAffinity=0-1, matching the
input format. The maximum integer that will be printed in the new
format is 8191 (four digits), while the old format always used a very
long number (with the length varying by architecture), so they can be
unambiguously distinguished.
* /usr/sbin/halt.local is no longer supported. Implementation in
distributions was inconsistent and it seems this functionality was
very rarely used.
To replace this functionality, users should:
- either define a new unit and make it a dependency of final.target
(systemctl add-wants final.target my-halt-local.service)
- or move the shutdown script to /usr/lib/systemd/system-shutdown/
and ensure that it accepts "halt", "poweroff", "reboot", and
"kexec" as an argument, see the description in systemd-shutdown(8).
* When a [Match] section in .link or .network file is empty (contains
no match patterns), a warning will be emitted. Please add any "match
all" pattern instead, e.g. OriginalName=* or Name=* in case all
interfaces should really be matched.
* A new setting NUMAPolicy= may be used to set process memory
allocation policy. This setting can be specified in
/etc/systemd/system.conf and hence will set the default policy for
PID1. The default policy can be overridden on a per-service
basis. The related setting NUMAMask= is used to specify NUMA node
mask that should be associated with the selected policy.
* PID 1 will now listen to Out-Of-Memory (OOM) events the kernel
generates when processes it manages are reaching their memory limits,
and will place their units in a special state, and optionally kill or
stop the whole unit.
* The service manager will now expose bus properties for the IO
resources used by units. This information is also shown in "systemctl
status" now (for services that have IOAccounting=yes set). Moreover,
the IO accounting data is included in the resource log message
generated whenever a unit stops.
* Units may now configure an explicit time-out to wait for when killed
with SIGABRT, for example when a service watchdog is hit. Previously,
the regular TimeoutStopSec= time-out was applied in this case too —
now a separate time-out may be set using TimeoutAbortSec=.
* Services may now send a special WATCHDOG=trigger message with
sd_notify() to trigger an immediate "watchdog missed" event, and thus
trigger service termination. This is useful both for testing watchdog
handling, but also for defining error paths in services, that shall
be handled the same way as watchdog events.
* There are two new per-unit settings IPIngressFilterPath= and
IPEgressFilterPath= which allow configuration of a BPF program
(usually by specifying a path to a program uploaded to /sys/fs/bpf/)
to apply to the IP packet ingress/egress path of all processes of a
unit. This is useful to allow running systemd services with BPF
programs set up externally.
* systemctl gained a new "clean" verb for removing the state, cache,
runtime or logs directories of a service while it is terminated. The
new verb may also be used to remove the state maintained on disk for
timer units that have Persistent= configured.
* During the last phase of shutdown systemd will now automatically
increase the log level configured in the "kernel.printk" sysctl so
that any relevant loggable events happening during late shutdown are
made visible. Previously, loggable events happening so late during
shutdown were generally lost if the "kernel.printk" sysctl was set to
high thresholds, as regular logging daemons are terminated at that
time and thus nothing is written to disk.
* If processes terminated during the last phase of shutdown do not exit
quickly systemd will now show their names after a short time, to make
debugging easier. After a longer time-out they are forcibly killed,
as before.
* journalctl (and the other tools that display logs) will now highlight
warnings in yellow (previously, both LOG_NOTICE and LOG_WARNING where
shown in bright bold, now only LOG_NOTICE is). Moreover, audit logs
are now shown in blue color, to separate them visually from regular
logs. References to configuration files are now turned into clickable
links on terminals that support that.
* systemd-journald will now stop logging to /var/log/journal during
shutdown when /var/ is on a separate mount, so that it can be
unmounted safely during shutdown.
* systemd-resolved gained support for a new 'strict' DNS-over-TLS mode.
* systemd-resolved "Cache=" configuration option in resolved.conf has
been extended to also accept the 'no-negative' value. Previously,
only a boolean option was allowed (yes/no), having yes as the
default. If this option is set to 'no-negative', negative answers are
not cached while the old cache heuristics are used positive answers.
The default remains unchanged.
* The predictable naming scheme for network devices now supports
generating predictable names for "netdevsim" devices.
Moreover, the "en" prefix was dropped from the ID_NET_NAME_ONBOARD
udev property.
Those two changes form a new net.naming-policy-scheme= entry.
Distributions which want to preserve naming stability may want to set
the -Ddefault-net-naming-scheme= configuration option.
* systemd-networkd now supports MACsec, nlmon, IPVTAP and Xfrm
interfaces natively.
* systemd-networkd's bridge FDB support now allows configuration of a
destination address for each entry (Destination=), as well as the
VXLAN VNI (VNI=), as well as an option to declare what an entry is
associated with (AssociatedWith=).
* systemd-networkd's DHCPv4 support now understands a new MaxAttempts=
option for configuring the maximum number of DHCP lease requests. It
also learnt a new BlackList= option for blacklisting DHCP servers (a
similar setting has also been added to the IPv6 RA client), as well
as a SendRelease= option for configuring whether to send a DHCP
RELEASE message when terminating.
* systemd-networkd's DHCPv4 and DHCPv6 stacks can now be configured
separately in the [DHCPv4] and [DHCPv6] sections.
* systemd-networkd's DHCP support will now optionally create an
implicit host route to the DNS server specified in the DHCP lease, in
addition to the routes listed explicitly in the lease. This should
ensure that in multi-homed systems DNS traffic leaves the systems on
the interface that acquired the DNS server information even if other
routes such as default routes exist. This behaviour may be turned on
with the new RoutesToDNS= option.
* systemd-networkd's VXLAN support gained a new option
GenericProtocolExtension= for enabling VXLAN Generic Protocol
Extension support, as well as IPDoNotFragment= for setting the IP
"Don't fragment" bit on outgoing packets. A similar option has been
added to the GENEVE support.
* In systemd-networkd's [Route] section you may now configure
FastOpenNoCookie= for configuring per-route TCP fast-open support, as
well as TTLPropagate= for configuring Label Switched Path (LSP) TTL
propagation. The Type= setting now supports local, broadcast,
anycast, multicast, any, xresolve routes, too.
* systemd-networkd's [Network] section learnt a new option
DefaultRouteOnDevice= for automatically configuring a default route
onto the network device.
* systemd-networkd's bridging support gained two new options ProxyARP=
and ProxyARPWifi= for configuring proxy ARP behaviour as well as
MulticastRouter= for configuring multicast routing behaviour. A new
option MulticastIGMPVersion= may be used to change bridge's multicast
Internet Group Management Protocol (IGMP) version.
* systemd-networkd's FooOverUDP support gained the ability to configure
local and peer IP addresses via Local= and Peer=. A new option
PeerPort= may be used to configure the peer's IP port.
* systemd-networkd's TUN support gained a new setting VnetHeader= for
tweaking Generic Segment Offload support.
* networkctl gained a new "delete" command for removing virtual network
devices, as well as a new "--stats" switch for showing device
statistics.
* networkd.conf gained a new setting SpeedMeter= and
SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The
measured speed may be shown by 'networkctl status'.
* "networkctl status" now displays MTU and queue lengths, and more
detailed information about VXLAN and bridge devices.
* systemd-networkd's .network and .link files gained a new Property=
setting in the [Match] section, to match against devices with
specific udev properties.
* systemd-networkd's tunnel support gained a new option
AssignToLoopback= for selecting whether to use the loopback device
"lo" as underlying device.
* systemd-networkd's MACAddress= setting in the [Neighbor] section has
been renamed to LinkLayerAddress=, and it now allows configuration of
IP addresses, too.
* systemd-networkd's handling of the kernel's disable_ipv6 sysctl is
simplified: systemd-networkd will disable the sysctl (enable IPv6) if
IPv6 configuration (static or DHCPv6) was found for a given
interface. It will not touch the sysctl otherwise.
* The order of entries is $PATH used by the user manager instance was
changed to put bin/ entries before the corresponding sbin/ entries.
It is recommended to not rely on this order, and only ever have one
binary with a given name in the system paths under /usr.
* A new tool systemd-network-generator has been added that may generate
.network, .netdev and .link files from IP configuration specified on
the kernel command line in the format used by Dracut.
* The CriticalConnection= setting in .network files is now deprecated,
and replaced by a new KeepConfiguration= setting which allows more
detailed configuration of the IP configuration to keep in place.
* systemd-analyze gained a few new verbs:
- "systemd-analyze timestamp" parses and converts timestamps. This is
similar to the existing "systemd-analyze calendar" command which
does the same for recurring calendar events.
- "systemd-analyze timespan" parses and converts timespans (i.e.
durations as opposed to points in time).
- "systemd-analyze condition" will parse and test ConditionXYZ=
expressions.
- "systemd-analyze exit-status" will parse and convert exit status
codes to their names and back.
- "systemd-analyze unit-files" will print a list of all unit
file paths and unit aliases.
* SuccessExitStatus=, RestartPreventExitStatus=, and
RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
is equivalent to "65"). Those exit status name mappings may be
displayed with the systemd-analyze exit-status verb describe above.
* systemd-logind now exposes a per-session SetBrightness() bus call,
which may be used to securely change the brightness of a kernel
brightness device, if it belongs to the session's seat. By using this
call unprivileged clients can make changes to "backlight" and "leds"
devices securely with strict requirements on session membership.
Desktop environments may use this to generically make brightness
changes to such devices without shipping private SUID binaries or
udev rules for that purpose.
* "udevadm info" gained a --wait-for-initialization switch to wait for
a device to be initialized.
* systemd-hibernate-resume-generator will now look for resumeflags= on
the kernel command line, which is similar to rootflags= and may be
used to configure device timeout for the hibernation device.
* sd-event learnt a new API call sd_event_source_disable_unref() for
disabling and unref'ing an event source in a single function. A
related call sd_event_source_disable_unrefp() has been added for use
with gcc's cleanup extension.
* The sd-id128.h public API gained a new definition
SD_ID128_UUID_FORMAT_STR for formatting a 128bit ID in UUID format
with printf().
* "busctl introspect" gained a new switch --xml-interface for dumping
XML introspection data unmodified.
* PID 1 may now show the unit name instead of the unit description
string in its status output during boot. This may be configured in
the StatusUnitFormat= setting in /etc/systemd/system.conf or the
kernel command line option systemd.status_unit_format=.
* PID 1 now understands a new option KExecWatchdogSec= in
/etc/systemd/system.conf to set a watchdog timeout for kexec reboots.
Previously watchdog functionality was only available for regular
reboots. The new setting defaults to off, because we don't know in
the general case if the watchdog will be reset after kexec (some
drivers do reset it, but not all), and the new userspace might not be
configured to handle the watchdog.
Moreover, the old ShutdownWatchdogSec= setting has been renamed to
RebootWatchdogSec= to more clearly communicate what it is about. The
old name is still accepted for compatibility.
* The systemd.debug_shell kernel command line option now optionally
takes a tty name to spawn the debug shell on, which allows a
different tty to be selected than the built-in default.
* Service units gained a new ExecCondition= setting which will run
before ExecStartPre= and either continue execution of the unit (for
clean exit codes), stop execution without marking the unit failed
(for exit codes 1 through 254), or stop execution and fail the unit
(for exit code 255 or abnormal termination).
* A new service systemd-pstore.service has been added that pulls data
from /sys/fs/pstore/ and saves it to /var/lib/pstore for later
review.
* timedatectl gained new verbs for configuring per-interface NTP
service configuration for systemd-timesyncd.
* "localectl list-locales" won't list non-UTF-8 locales anymore. It's
2019. (You can set non-UTF-8 locales though, if you know their name.)
* If variable assignments in sysctl.d/ files are prefixed with "-" any
failures to apply them are now ignored.
* systemd-random-seed.service now optionally credits entropy when
applying the seed to the system. Set $SYSTEMD_RANDOM_SEED_CREDIT to
true for the service to enable this behaviour, but please consult the
documentation first, since this comes with a couple of caveats.
* systemd-random-seed.service is now a synchronization point for full
initialization of the kernel's entropy pool. Services that require
/dev/urandom to be correctly initialized should be ordered after this
service.
* The systemd-boot boot loader has been updated to optionally maintain
a random seed file in the EFI System Partition (ESP). During the boot
phase, this random seed is read and updated with a new seed
cryptographically derived from it. Another derived seed is passed to
the OS. The latter seed is then credited to the kernel's entropy pool
very early during userspace initialization (from PID 1). This allows
systems to boot up with a fully initialized kernel entropy pool from
earliest boot on, and thus entirely removes all entropy pool
initialization delays from systems using systemd-boot. Special care
is taken to ensure different seeds are derived on system images
replicated to multiple systems. "bootctl status" will show whether
a seed was received from the boot loader.
* bootctl gained two new verbs:
- "bootctl random-seed" will generate the file in ESP and an EFI
variable to allow a random seed to be passed to the OS as described
above.
- "bootctl is-installed" checks whether systemd-boot is currently
installed.
* bootctl will warn if it detects that boot entries are misconfigured
(for example if the kernel image was removed without purging the
bootloader entry).
* A new document has been added describing systemd's use and support
for the kernel's entropy pool subsystem:
https://systemd.io/RANDOM_SEEDS
* When the system is hibernated the swap device to write the
hibernation image to is now automatically picked from all available
swap devices, preferring the swap device with the highest configured
priority over all others, and picking the device with the most free
space if there are multiple devices with the highest priority.
* /etc/crypttab support has learnt a new keyfile-timeout= per-device
option that permits selecting the timout how long to wait for a
device with an encryption key before asking for the password.
* IOWeight= has learnt to properly set the IO weight when using the
BFQ scheduler officially found in kernels 5.0+.
* A new mailing list has been created for reporting of security issues:
[email protected]. For mode details, see
https://systemd.io/CONTRIBUTING#security-vulnerability-reports.
Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht
Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey,
Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris
Chiu, Chris Down, Christian Kellner, Clinton Roy, Connor Reeder, Daniel
Black, Daniele Medri, Dan Streetman, Dave Reisner, Dave Ross, David
Art, David Tardon, Debarshi Ray, Dimitri John Ledkov, Dominick Grift,
Donald Buczek, Douglas Christman, Eric DeVolder, EtherGraf, Evgeny
Vereshchagin, Feldwor, Felix Riemann, Florian Dollinger, Francesco
Pennica, Franck Bui, Frantisek Sumsal, Franz Pletz, frederik, Hans
de Goede, Iago López Galeiras, Insun Pyo, Ivan Shapovalov, Iwan Timmer,
Jack, Jakob Unterwurzacher, Jan Chren, Jan Klötzke, Jan Losinski, Jan
Pokorný, Jan Synacek, Jan-Michael Brummer, Jeka Pats, Jeremy Soller,
Jérémy Rosen, Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann
B. Guðmundsson, Johannes Christ, Johannes Schmitz, Jonathan Rouleau,
Jorge Niedbalski, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy,
Krayushkin Konstantin, Lennart Poettering, Lubomir Rintel, Luca
Boccassi, Luís Ferreira, Marc-André Lureau, Markus Felten, Martin Pitt,
Matthew Leeds, Mattias Jernberg, Michael Biebl, Michael Olbrich,
Michael Prokop, Michael Stapelberg, Michael Zhivich, Michal Koutný,
Michal Sekletar, Mike Gilbert, Milan Broz, Miroslav Lichvar, mpe85,
Mr-Foo, Network Silence, Oliver Harley, pan93412, Paul Menzel, pEJipE,
Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Roberto
Santalla, Ronan Pigott, root, RussianNeuroMancer, Sebastian Jennen,
shinygold, Shreyas Behera, Simon Schricker, Susant Sahani, Thadeu Lima
de Souza Cascardo, Theo Ouzhinski, Thiebaud Weksteen, Thomas Haller,
Thomas Weißschuh, Tomas Mraz, Tommi Rantala, Topi Miettinen, VD-Lycos,
ven, Wieland Hoffmann, William A. Kennington III, William Wold, Xi
Ruoyao, Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew
Jędrzejewski-Szmek, Zhang Xianwei
– Camerino, 2019-09-03
CHANGES WITH 242:
* In .link files, MACAddressPolicy=persistent (the default) is changed
to cover more devices. For devices like bridges, tun, tap, bond, and
similar interfaces that do not have other identifying information,
the interface name is used as the basis for persistent seed for MAC
and IPv4LL addresses. The way that devices that were handled
previously is not changed, and this change is about covering more
devices then previously by the "persistent" policy.
MACAddressPolicy=random may be used to force randomized MACs and
IPv4LL addresses for a device if desired.
Hint: the log output from udev (at debug level) was enhanced to
clarify what policy is followed and which attributes are used.
`SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>`
may be used to view this.
Hint: if a bridge interface is created without any slaves, and gains
a slave later, then now the bridge does not inherit slave's MAC.
To inherit slave's MAC, for example, create the following file:
```
# /etc/systemd/network/98-bridge-inherit-mac.link
[Match]
Type=bridge
[Link]