[systemd-devel] [ANNOUNCE] systemd v230

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Sat May 21 22:51:13 UTC 2016


systemd v230 has been tagged. Enjoy!


        * DNSSEC is now turned on by default in systemd-resolved (in
          "allow-downgrade" mode), but may be turned off during compile time by
          passing "--with-default-dnssec=no" to "configure" (and of course,
          during runtime with DNSSEC= in resolved.conf). We recommend
          downstreams to leave this on at least during development cycles and
          report any issues with the DNSSEC logic upstream. We are very
          interested in collecting feedback about the DNSSEC validator and its
          limitations in the wild. Note however, that DNSSEC support is
          probably nothing downstreams should turn on in stable distros just
          yet, as it might create incompatibilities with a few DNS servers and
          networks. We tried hard to make sure we downgrade to non-DNSSEC mode
          automatically whenever we detect such incompatible setups, but there
          might be systems we do not cover yet. Hence: please help us testing
          the DNSSEC code, leave this on where you can, report back, but then
          again don't consider turning this on in your stable, LTS or
          production release just yet. (Note that you have to enable
          nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved
          and its DNSSEC mode for host name resolution from local

        * systemd-resolve conveniently resolves DANE records with the --tlsa
          option and OPENPGPKEY records with the --openpgp option. It also
          supports dumping raw DNS record data via the new --raw= switch.

        * systemd-logind will now by default terminate user processes that are
          part of the user session scope unit (session-XX.scope) when the user
          logs out. This behavior is controlled by the KillUserProcesses=
          setting in logind.conf, and the previous default of "no" is now
          changed to "yes". This means that user sessions will be properly
          cleaned up after, but additional steps are necessary to allow
          intentionally long-running processes to survive logout.

          While the user is logged in at least once, user at .service is running,
          and any service that should survive the end of any individual login
          session can be started at a user service or scope using systemd-run.
          systemd-run(1) man page has been extended with an example which shows
          how to run screen in a scope unit underneath user at .service. The same
          command works for tmux.

          After the user logs out of all sessions, user at .service will be
          terminated too, by default, unless the user has "lingering" enabled.
          To effectively allow users to run long-term tasks even if they are
          logged out, lingering must be enabled for them. See loginctl(1) for
          details. The default polkit policy was modified to allow users to
          set lingering for themselves without authentication.

          Previous defaults can be restored at compile time by the
          --without-kill-user-processes option to "configure".

        * systemd-logind gained new configuration settings SessionsMax= and
          InhibitorsMax=, both with a default of 8192. It will not register new
          user sessions or inhibitors above this limit.

        * systemd-logind will now reload configuration on SIGHUP.

        * The unified cgroup hierarchy added in Linux 4.5 is now supported.
          Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to
          enable. Also, support for the "io" cgroup controller in the unified
          hierarchy has been added, so that the "memory", "pids" and "io" are
          now the controllers that are supported on the unified hierarchy.

          WARNING: it is not possible to use previous systemd versions with
          systemd.unified_cgroup_hierarchy=1 and the new kernel. Therefore it
          is necessary to also update systemd in the initramfs if using the
          unified hierarchy. An updated SELinux policy is also required.

        * LLDP support has been extended, and both passive (receive-only) and
          active (sender) modes are supported. Passive mode ("routers-only") is
          enabled by default in systemd-networkd. Active LLDP mode is enabled
          by default for containers on the internal network. The "networkctl
          lldp" command may be used to list information gathered. "networkctl
          status" will also show basic LLDP information on connected peers now.

        * The IAID and DUID unique identifier sent in DHCP requests may now be
          configured for the system and each .network file managed by
          systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options.

        * systemd-networkd gained support for configuring proxy ARP support for
          each interface, via the ProxyArp= setting in .network files. It also
          gained support for configuring the multicast querier feature of
          bridge devices, via the new MulticastQuerier= setting in .netdev
          files. Similarly, snooping on the IGMP traffic can be controlled
          via the new setting MulticastSnooping=.

          A new setting PreferredLifetime= has been added for addresses
          configured in .network file to configure the lifetime intended for an

          The systemd-networkd DHCP server gained the option EmitRouter=, which
          defaults to yes, to configure whether the DHCP Option 3 (Router)
          should be emitted.

        * The testing tool /usr/lib/systemd/systemd-activate is renamed to
          systemd-socket-activate and installed into /usr/bin. It is now fully

        * systemd-journald now uses separate threads to flush changes to disk
          when closing journal files, thus reducing impact of slow disk I/O on
          logging performance.

        * The sd-journal API gained two new calls
          sd_journal_open_directory_fd() and sd_journal_open_files_fd() which
          can be used to open journal files using file descriptors instead of
          file or directory paths. sd_journal_open_container() has been
          deprecated, sd_journal_open_directory_fd() should be used instead
          with the flag SD_JOURNAL_OS_ROOT.

        * journalctl learned a new output mode "-o short-unix" that outputs log
          lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970
          UTC). It also gained support for a new --no-hostname setting to
          suppress the hostname column in the family of "short" output modes.

        * systemd-ask-password now optionally skips printing of the password to
          stdout with --no-output which can be useful in scripts.

        * Framebuffer devices (/dev/fb*) and 3D printers and scanners
          (devices tagged with ID_MAKER_TOOL) are now tagged with
          "uaccess" and are available to logged in users.

        * The DeviceAllow= unit setting now supports specifiers (with "%").

        * "systemctl show" gained a new --value switch, which allows print a
          only the contents of a specific unit property, without also printing
          the property's name. Similar support was added to "show*" verbs
          of loginctl and machinectl that output "key=value" lists.

        * A new unit type "generated" was added for files dynamically generated
          by generator tools. Similarly, a new unit type "transient" is used
          for unit files created using the runtime API. "systemctl enable" will
          refuse to operate on such files.

        * A new command "systemctl revert" has been added that may be used to
          revert to the vendor version of a unit file, in case local changes
          have been made by adding drop-ins or overriding the unit file.

        * "machinectl clean" gained a new verb to automatically remove all or
          just hidden container images.

        * systemd-tmpfiles gained support for a new line type "e" for emptying
          directories, if they exist, without creating them if they don't.

        * systemd-nspawn gained support for automatically patching the UID/GIDs
          of the owners and the ACLs of all files and directories in a
          container tree to match the UID/GID user namespacing range selected
          for the container invocation. This mode is enabled via the new
          --private-user-chown switch. It also gained support for automatically
          choosing a free, previously unused UID/GID range when starting a
          container, via the new --private-users=pick setting (which implies
          --private-user-chown). Together, these options for the first time
          make user namespacing for nspawn containers fully automatic and thus
          deployable. The systemd-nspaw at .service template unit file has been
          changed to use this functionality by default.

        * systemd-nspawn gained a new --network-zone= switch, that allows
          creating ad-hoc virtual Ethernet links between multiple containers,
          that only exist as long as at least one container referencing them is
          running. This allows easy connecting of multiple containers with a
          common link that implements an Ethernet broadcast domain. Each of
          these network "zones" may be named relatively freely by the user, and
          may be referenced by any number of containers, but each container may
          only reference one of these "zones". On the lower level, this is
          implemented by an automatically managed bridge network interface for
          each zone, that is created when the first container referencing its
          zone is created and removed when the last one referencing its zone

        * The default start timeout may now be configured on the kernel command
          line via systemd.default_timeout_start_sec=. It was already
          configurable via the DefaultTimeoutStartSec= option in

        * Socket units gained a new TriggerLimitIntervalSec= and
          TriggerLimitBurst= setting to configure a limit on the activation
          rate of the socket unit.

        * The LimitNICE= setting now optionally takes normal UNIX nice values
          in addition to the raw integer limit value. If the specified
          parameter is prefixed with "+" or "-" and is in the range -20..19 the
          value is understood as UNIX nice value. If not prefixed like this it
          is understood as raw RLIMIT_NICE limit.

        * Note that the effect of the PrivateDevices= unit file setting changed
          slightly with this release: the per-device /dev file system will be
          mounted read-only from this version on, and will have "noexec"
          set. This (minor) change of behavior might cause some (exceptional)
          legacy software to break, when PrivateDevices=yes is set for its
          service. Please leave PrivateDevices= off if you run into problems
          with this.

        * systemd-bootchart has been split out to a separate repository:

        * systemd-bus-proxyd has been removed, as kdbus is unlikely to still be
          merged into the kernel in its current form.

        * The compatibility libraries libsystemd-daemon.so,
          libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so
          which have been deprecated since systemd-209 have been removed along
          with the corresponding pkg-config files. All symbols provided by
          those libraries are provided by libsystemd.so.

        * The Capabilities= unit file setting has been removed (it is ignored
          for backwards compatibility). AmbientCapabilities= and
          CapabilityBoundingSet= should be used instead.

        Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov,
        Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin
        Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens
        Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh,
        Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David
        R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny
        Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck
        Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik
        Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo
        Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth,
        John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos
        Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir
        Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt,
        Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný,
        Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin,
        mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween,
        Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern,
        Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert
        Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan
        Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain
        Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller,
        Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen,
        Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso,
        Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev,
        Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew

        — Fairfax, 2016-05-21


More information about the systemd-devel mailing list