[systemd-devel] [ANNOUNCE] systemd v230
zbyszek at in.waw.pl
Sat May 21 22:51:13 UTC 2016
systemd v230 has been tagged. Enjoy!
CHANGES WITH 230:
* DNSSEC is now turned on by default in systemd-resolved (in
"allow-downgrade" mode), but may be turned off during compile time by
passing "--with-default-dnssec=no" to "configure" (and of course,
during runtime with DNSSEC= in resolved.conf). We recommend
downstreams to leave this on at least during development cycles and
report any issues with the DNSSEC logic upstream. We are very
interested in collecting feedback about the DNSSEC validator and its
limitations in the wild. Note however, that DNSSEC support is
probably nothing downstreams should turn on in stable distros just
yet, as it might create incompatibilities with a few DNS servers and
networks. We tried hard to make sure we downgrade to non-DNSSEC mode
automatically whenever we detect such incompatible setups, but there
might be systems we do not cover yet. Hence: please help us testing
the DNSSEC code, leave this on where you can, report back, but then
again don't consider turning this on in your stable, LTS or
production release just yet. (Note that you have to enable
nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved
and its DNSSEC mode for host name resolution from local
* systemd-resolve conveniently resolves DANE records with the --tlsa
option and OPENPGPKEY records with the --openpgp option. It also
supports dumping raw DNS record data via the new --raw= switch.
* systemd-logind will now by default terminate user processes that are
part of the user session scope unit (session-XX.scope) when the user
logs out. This behavior is controlled by the KillUserProcesses=
setting in logind.conf, and the previous default of "no" is now
changed to "yes". This means that user sessions will be properly
cleaned up after, but additional steps are necessary to allow
intentionally long-running processes to survive logout.
While the user is logged in at least once, user at .service is running,
and any service that should survive the end of any individual login
session can be started at a user service or scope using systemd-run.
systemd-run(1) man page has been extended with an example which shows
how to run screen in a scope unit underneath user at .service. The same
command works for tmux.
After the user logs out of all sessions, user at .service will be
terminated too, by default, unless the user has "lingering" enabled.
To effectively allow users to run long-term tasks even if they are
logged out, lingering must be enabled for them. See loginctl(1) for
details. The default polkit policy was modified to allow users to
set lingering for themselves without authentication.
Previous defaults can be restored at compile time by the
--without-kill-user-processes option to "configure".
* systemd-logind gained new configuration settings SessionsMax= and
InhibitorsMax=, both with a default of 8192. It will not register new
user sessions or inhibitors above this limit.
* systemd-logind will now reload configuration on SIGHUP.
* The unified cgroup hierarchy added in Linux 4.5 is now supported.
Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to
enable. Also, support for the "io" cgroup controller in the unified
hierarchy has been added, so that the "memory", "pids" and "io" are
now the controllers that are supported on the unified hierarchy.
WARNING: it is not possible to use previous systemd versions with
systemd.unified_cgroup_hierarchy=1 and the new kernel. Therefore it
is necessary to also update systemd in the initramfs if using the
unified hierarchy. An updated SELinux policy is also required.
* LLDP support has been extended, and both passive (receive-only) and
active (sender) modes are supported. Passive mode ("routers-only") is
enabled by default in systemd-networkd. Active LLDP mode is enabled
by default for containers on the internal network. The "networkctl
lldp" command may be used to list information gathered. "networkctl
status" will also show basic LLDP information on connected peers now.
* The IAID and DUID unique identifier sent in DHCP requests may now be
configured for the system and each .network file managed by
systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options.
* systemd-networkd gained support for configuring proxy ARP support for
each interface, via the ProxyArp= setting in .network files. It also
gained support for configuring the multicast querier feature of
bridge devices, via the new MulticastQuerier= setting in .netdev
files. Similarly, snooping on the IGMP traffic can be controlled
via the new setting MulticastSnooping=.
A new setting PreferredLifetime= has been added for addresses
configured in .network file to configure the lifetime intended for an
The systemd-networkd DHCP server gained the option EmitRouter=, which
defaults to yes, to configure whether the DHCP Option 3 (Router)
should be emitted.
* The testing tool /usr/lib/systemd/systemd-activate is renamed to
systemd-socket-activate and installed into /usr/bin. It is now fully
* systemd-journald now uses separate threads to flush changes to disk
when closing journal files, thus reducing impact of slow disk I/O on
* The sd-journal API gained two new calls
sd_journal_open_directory_fd() and sd_journal_open_files_fd() which
can be used to open journal files using file descriptors instead of
file or directory paths. sd_journal_open_container() has been
deprecated, sd_journal_open_directory_fd() should be used instead
with the flag SD_JOURNAL_OS_ROOT.
* journalctl learned a new output mode "-o short-unix" that outputs log
lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970
UTC). It also gained support for a new --no-hostname setting to
suppress the hostname column in the family of "short" output modes.
* systemd-ask-password now optionally skips printing of the password to
stdout with --no-output which can be useful in scripts.
* Framebuffer devices (/dev/fb*) and 3D printers and scanners
(devices tagged with ID_MAKER_TOOL) are now tagged with
"uaccess" and are available to logged in users.
* The DeviceAllow= unit setting now supports specifiers (with "%").
* "systemctl show" gained a new --value switch, which allows print a
only the contents of a specific unit property, without also printing
the property's name. Similar support was added to "show*" verbs
of loginctl and machinectl that output "key=value" lists.
* A new unit type "generated" was added for files dynamically generated
by generator tools. Similarly, a new unit type "transient" is used
for unit files created using the runtime API. "systemctl enable" will
refuse to operate on such files.
* A new command "systemctl revert" has been added that may be used to
revert to the vendor version of a unit file, in case local changes
have been made by adding drop-ins or overriding the unit file.
* "machinectl clean" gained a new verb to automatically remove all or
just hidden container images.
* systemd-tmpfiles gained support for a new line type "e" for emptying
directories, if they exist, without creating them if they don't.
* systemd-nspawn gained support for automatically patching the UID/GIDs
of the owners and the ACLs of all files and directories in a
container tree to match the UID/GID user namespacing range selected
for the container invocation. This mode is enabled via the new
--private-user-chown switch. It also gained support for automatically
choosing a free, previously unused UID/GID range when starting a
container, via the new --private-users=pick setting (which implies
--private-user-chown). Together, these options for the first time
make user namespacing for nspawn containers fully automatic and thus
deployable. The systemd-nspaw at .service template unit file has been
changed to use this functionality by default.
* systemd-nspawn gained a new --network-zone= switch, that allows
creating ad-hoc virtual Ethernet links between multiple containers,
that only exist as long as at least one container referencing them is
running. This allows easy connecting of multiple containers with a
common link that implements an Ethernet broadcast domain. Each of
these network "zones" may be named relatively freely by the user, and
may be referenced by any number of containers, but each container may
only reference one of these "zones". On the lower level, this is
implemented by an automatically managed bridge network interface for
each zone, that is created when the first container referencing its
zone is created and removed when the last one referencing its zone
* The default start timeout may now be configured on the kernel command
line via systemd.default_timeout_start_sec=. It was already
configurable via the DefaultTimeoutStartSec= option in
* Socket units gained a new TriggerLimitIntervalSec= and
TriggerLimitBurst= setting to configure a limit on the activation
rate of the socket unit.
* The LimitNICE= setting now optionally takes normal UNIX nice values
in addition to the raw integer limit value. If the specified
parameter is prefixed with "+" or "-" and is in the range -20..19 the
value is understood as UNIX nice value. If not prefixed like this it
is understood as raw RLIMIT_NICE limit.
* Note that the effect of the PrivateDevices= unit file setting changed
slightly with this release: the per-device /dev file system will be
mounted read-only from this version on, and will have "noexec"
set. This (minor) change of behavior might cause some (exceptional)
legacy software to break, when PrivateDevices=yes is set for its
service. Please leave PrivateDevices= off if you run into problems
* systemd-bootchart has been split out to a separate repository:
* systemd-bus-proxyd has been removed, as kdbus is unlikely to still be
merged into the kernel in its current form.
* The compatibility libraries libsystemd-daemon.so,
libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so
which have been deprecated since systemd-209 have been removed along
with the corresponding pkg-config files. All symbols provided by
those libraries are provided by libsystemd.so.
* The Capabilities= unit file setting has been removed (it is ignored
for backwards compatibility). AmbientCapabilities= and
CapabilityBoundingSet= should be used instead.
Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov,
Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin
Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens
Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh,
Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David
R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny
Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck
Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik
Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo
Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth,
John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos
Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir
Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt,
Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný,
Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin,
mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween,
Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern,
Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert
Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan
Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain
Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller,
Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen,
Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso,
Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev,
Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew
— Fairfax, 2016-05-21
More information about the systemd-devel