[systemd-devel] [ANNOUNCE] systemd 233

Lennart Poettering lennart at poettering.net
Wed Mar 1 22:12:03 UTC 2017


Finally, here's systemd 233. Tons of new features, even more
bugfixes. Enjoy!



        * The "hybrid" control group mode has been modified to improve
          compatibility with "legacy" cgroups-v1 setups. Specifically, the
          "hybrid" setup of /sys/fs/cgroup is now pretty much identical to
          "legacy" (including /sys/fs/cgroup/systemd as "name=systemd" named
          cgroups-v1 hierarchy), the only externally visible change being that
          the cgroups-v2 hierarchy is also mounted, to
          /sys/fs/cgroup/unified. This should provide a large degree of
          compatibility with "legacy" cgroups-v1, while taking benefit of the
          better management capabilities of cgroups-v2.

        * The default control group setup mode may be selected both a boot-time
          via a set of kernel command line parameters (specifically:
          systemd.unified_cgroup_hierarchy= and
          systemd.legacy_systemd_cgroup_controller=), as well as a compile-time
          default selected on the configure command line
          (--with-default-hierarchy=). The upstream default is "hybrid"
          (i.e. the cgroups-v1 + cgroups-v2 mixture discussed above) now, but
          this will change in a future systemd version to be "unified" (pure
          cgroups-v2 mode). The third option for the compile time option is
          "legacy", to enter pure cgroups-v1 mode. We recommend downstream
          distributions to default to "hybrid" mode for release distributions,
          starting with v233. We recommend "unified" for development
          distributions (specifically: distributions such as Fedora's rawhide)
          as that's where things are headed in the long run. Use "legacy" for
          greatest stability and compatibility only.

        * Note one current limitation of "unified" and "hybrid" control group
          setup modes: the kernel currently does not permit the systemd --user
          instance (i.e. unprivileged code) to migrate processes between two
          disconnected cgroup subtrees, even if both are managed and owned by
          the user. This effectively means "systemd-run --user --scope" doesn't
          work when invoked from outside of any "systemd --user" service or
          scope. Specifically, it is not supported from session scopes. We are
          working on fixing this in a future systemd version. (See #3388 for
          further details about this.)

        * DBus policy files are now installed into /usr rather than /etc. Make
          sure your system has dbus >= 1.9.18 running before upgrading to this
          version, or override the install path with --with-dbuspolicydir= .

        * All python scripts shipped with systemd (specifically: the various
          tests written in Python) now require Python 3.

        * systemd unit tests can now run standalone (without the source or
          build directories), and can be installed into /usr/lib/systemd/tests/
          with 'make install-tests'.

        * Note that from this version on, CONFIG_CRYPTO_USER_API_HASH,
          CONFIG_CRYPTO_HMAC and CONFIG_CRYPTO_SHA256 need to be enabled in the

        * Support for the %c, %r, %R specifiers in unit files has been
          removed. Specifiers are not supposed to be dependent on configuration
          in the unit file itself (so that they resolve the same regardless
          where used in the unit files), but these specifiers were influenced
          by the Slice= option.

        * The shell invoked by debug-shell.service now defaults to /bin/sh in
          all cases. If distributions want to use a different shell for this
          purpose (for example Fedora's /sbin/sushell) they need to specify
          this explicitly at configure time using --with-debug-shell=.

        * The confirmation spawn prompt has been reworked to offer the
          following choices:

           (c)ontinue, proceed without asking anymore
           (D)ump, show the state of the unit
           (f)ail, don't execute the command and pretend it failed
           (i)nfo, show a short summary of the unit
           (j)obs, show jobs that are in progress
           (s)kip, don't execute the command and pretend it succeeded
           (y)es, execute the command

          The 'n' choice for the confirmation spawn prompt has been removed,
          because its meaning was confusing.

          The prompt may now also be redirected to an alternative console by
          specifying the console as parameter to systemd.confirm_spawn=.

        * Services of Type=notify require a READY=1 notification to be sent
          during startup. If no such message is sent, the service now fails,
          even if the main process exited with a successful exit code.

        * Services that fail to start up correctly now always have their
          ExecStopPost= commands executed. Previously, they'd enter "failed"
          state directly, without executing these commands.

        * The option MulticastDNS= of network configuration files has acquired
          an actual implementation. With MulticastDNS=yes a host can resolve
          names of remote hosts and reply to mDNS A and AAAA requests.

        * When units are about to be started an additional check is now done to
          ensure that all dependencies of type BindsTo= (when used in
          combination with After=) have been started.

        * systemd-analyze gained a new verb "syscall-filter" which shows which
          system call groups are defined for the SystemCallFilter= unit file
          setting, and which system calls they contain.

        * A new system call filter group "@filesystem" has been added,
          consisting of various file system related system calls. Group
          "@reboot" has been added, covering reboot, kexec and shutdown related
          calls. Finally, group "@swap" has been added covering swap
          configuration related calls.

        * A new unit file option RestrictNamespaces= has been added that may be
          used to restrict access to the various process namespace types the
          Linux kernel provides. Specifically, it may be used to take away the
          right for a service unit to create additional file system, network,
          user, and other namespaces. This sandboxing option is particularly
          relevant due to the high amount of recently discovered namespacing
          related vulnerabilities in the kernel.

        * systemd-udev's .link files gained support for a new AutoNegotiation=
          setting for configuring Ethernet auto-negotiation.

        * systemd-networkd's .network files gained support for a new
          ListenPort= setting in the [DHCP] section to explicitly configure the
          UDP client port the DHCP client shall listen on.

        * .network files gained a new Unmanaged= boolean setting for explicitly
          excluding one or more interfaces from management by systemd-networkd.

        * The systemd-networkd ProxyARP= option has been renamed to
          IPV4ProxyARP=. Similarly, VXLAN-specific option ARPProxy= has been
          renamed to ReduceARPProxy=. The old names continue to be available
          for compatibility.

        * systemd-networkd gained support for configuring IPv6 Proxy NDP
          addresses via the new IPv6ProxyNDPAddress= .network file setting.

        * systemd-networkd's bonding device support gained support for two new
          configuration options ActiveSlave= and PrimarySlave=.

        * The various options in the [Match] section of .network files gained
          support for negative matching.

        * New systemd-specific mount options are now understood in /etc/fstab:

          x-systemd.mount-timeout= may be used to configure the maximum
          permitted runtime of the mount command.

          x-systemd.device-bound may be set to bind a mount point to its
          backing device unit, in order to automatically remove a mount point
          if its backing device is unplugged. This option may also be
          configured through the new SYSTEMD_MOUNT_DEVICE_BOUND udev property
          on the block device, which is now automatically set for all CDROM
          drives, so that mounted CDs are automatically unmounted when they are
          removed from the drive.

          x-systemd.after= and x-systemd.before= may be used to explicitly
          order a mount after or before another unit or mount point.

        * Enqueued start jobs for device units are now automatically garbage
          collected if there are no jobs waiting for them anymore.

        * systemctl list-jobs gained two new switches: with --after, for every
          queued job the jobs it's waiting for are shown; with --before the
          jobs which it's blocking are shown.

        * systemd-nspawn gained support for ephemeral boots from disk images
          (or in other words: --ephemeral and --image= may now be
          combined). Moreover, ephemeral boots are now supported for normal
          directories, even if the backing file system is not btrfs. Of course,
          if the file system does not support file system snapshots or
          reflinks, the initial copy operation will be relatively expensive, but
          this should still be suitable for many use cases.

        * Calendar time specifications in .timer units now support
          specifications relative to the end of a month by using "~" instead of
          "-" as separator between month and day. For example, "*-02~03" means
          "the third last day in February". In addition a new syntax for
          repeated events has been added using the "/" character. For example,
          "9..17/2:00" means "every two hours from 9am to 5pm".

        * systemd-socket-proxyd gained a new parameter --connections-max= for
          configuring the maximum number of concurrent connections.

        * sd-id128 gained a new API for generating unique IDs for the host in a
          way that does not leak the machine ID. Specifically,
          sd_id128_get_machine_app_specific() derives an ID based on the
          machine ID a in well-defined, non-reversible, stable way. This is
          useful whenever an identifier for the host is needed but where the
          identifier shall not be useful to identify the system beyond the
          scope of the application itself. (Internally this uses HMAC-SHA256 as
          keyed hash function using the machine ID as input.)

        * NotifyAccess= gained a new supported value "exec". When set
          notifications are accepted from all processes systemd itself invoked,
          including all control processes.

        * .nspawn files gained support for defining overlay mounts using the
          Overlay= and OverlayReadOnly= options. Previously this functionality
          was only available on the systemd-nspawn command line.

        * systemd-nspawn's --bind= and --overlay= options gained support for
          bind/overlay mounts whose source lies within the container tree by
          prefixing the source path with "+".

        * systemd-nspawn's --bind= and --overlay= options gained support for
          automatically allocating a temporary source directory in /var/tmp
          that is removed when the container dies. Specifically, if the source
          directory is specified as empty string this mechanism is selected. An
          example usage is --overlay=+/var::/var, which creates an overlay
          mount based on the original /var contained in the image, overlayed
          with a temporary directory in the host's /var/tmp. This way changes
          to /var are automatically flushed when the container shuts down.

        * systemd-nspawn --image= option does now permit raw file system block
          devices (in addition to images containing partition tables, as

        * The disk image dissection logic in systemd-nspawn gained support for
          automatically setting up LUKS encrypted as well as Verity protected
          partitions. When a container is booted from an encrypted image the
          passphrase is queried at start-up time. When a container with Verity
          data is started, the root hash is search in a ".roothash" file
          accompanying the disk image (alternatively, pass the root hash via
          the new --root-hash= command line option).

        * A new tool /usr/lib/systemd/systemd-dissect has been added that may
          be used to dissect disk images the same way as systemd-nspawn does
          it, following the Bootable Partition Specification. It may even be
          used to mount disk images with complex partition setups (including
          LUKS and Verity partitions) to a local host directory, in order to
          inspect them. This tool is not considered public API (yet), and is
          thus not installed into /usr/bin. Please do not rely on its
          existence, since it might go away or be changed in later systemd

        * A new generator "systemd-verity-generator" has been added, similar in
          style to "systemd-cryptsetup-generator", permitting automatic setup of
          Verity root partitions when systemd boots up. In order to make use of
          this your partition setup should follow the Discoverable Partitions
          Specification, and the GPT partition ID of the root file system
          partition should be identical to the upper 128bit of the Verity root
          hash. The GPT partition ID of the Verity partition protecting it
          should be the lower 128bit of the Verity root hash. If the partition
          image follows this model it is sufficient to specify a single
          "roothash=" kernel command line argument to both configure which root
          image and verity partition to use as well as the root hash for
          it. Note that systemd-nspawn's Verity support follows the same
          semantics, meaning that disk images with proper Verity data in place
          may be booted in containers with systemd-nspawn as well as on
          physical systems via the verity generator. Also note that the "mkosi"
          tool available at https://github.com/systemd/mkosi has been updated
          to generate Verity protected disk images following this scheme. In
          fact, it has been updated to generate disk images that optionally
          implement a complete UEFI SecureBoot trust chain, involving a signed
          kernel and initrd image that incorporates such a root hash as well as
          a Verity-enabled root partition.

        * The hardware database (hwdb) udev supports has been updated to carry
          accelerometer quirks.

        * All system services are now run with a fresh kernel keyring set up
          for them. The invocation ID is stored by default in it, thus
          providing a safe, non-overridable way to determine the invocation
          ID of each service.

        * Service unit files gained new BindPaths= and BindReadOnlyPaths=
          options for bind mounting arbitrary paths in a service-specific
          way. When these options are used, arbitrary host or service files and
          directories may be mounted to arbitrary locations in the service's

        * Documentation has been added that lists all of systemd's low-level
          environment variables:


        * sd-daemon gained a new API sd_is_socket_sockaddr() for determining
          whether a specific socket file descriptor matches a specified socket

        * systemd-firstboot has been updated to check for the
          systemd.firstboot= kernel command line option. It accepts a boolean
          and when set to false the first boot questions are skipped.

        * systemd-fstab-generator has been updated to check for the
          systemd.volatile= kernel command line option, which either takes an
          optional boolean parameter or the special value "state". If used the
          system may be booted in a "volatile" boot mode. Specifically,
          "systemd.volatile" is used, the root directory will be mounted as
          tmpfs, and only /usr is mounted from the actual root file system. If
          "systemd.volatile=state" is used, the root directory will be mounted
          as usual, but /var is mounted as tmpfs. This concept provides similar
          functionality as systemd-nspawn's --volatile= option, but provides it
          on physical boots. Use this option for implementing stateless
          systems, or testing systems with all state and/or configuration reset
          to the defaults. (Note though that many distributions are not
          prepared to boot up without a populated /etc or /var, though.)

        * systemd-gpt-auto-generator gained support for LUKS encrypted root
          partitions. Previously it only supported LUKS encrypted partitions
          for all other uses, except for the root partition itself.

        * Socket units gained support for listening on AF_VSOCK sockets for
          communication in virtualized QEMU environments.

        * The "configure" script gained a new option --with-fallback-hostname=
          for specifying the fallback hostname to use if none is configured in
          /etc/hostname. For example, by specifying
          --with-fallback-hostname=fedora it is possible to default to a
          hostname of "fedora" on pristine installations.

        * systemd-cgls gained support for a new --unit= switch for listing only
          the control groups of a specific unit. Similar --user-unit= has been
          added for listing only the control groups of a specific user unit.

        * systemd-mount gained a new --umount switch for unmounting a mount or
          automount point (and all mount/automount points below it).

        * systemd will now refuse full configuration reloads (via systemctl
          daemon-reload and related calls) unless at least 16MiB of free space
          are available in /run. This is a safety precaution in order to ensure
          that generators can safely operate after the reload completed.

        * A new unit file option RootImage= has been added, which has a similar
          effect as RootDirectory= but mounts the service's root directory from
          a disk image instead of plain directory. This logic reuses the same
          image dissection and mount logic that systemd-nspawn already uses,
          and hence supports any disk images systemd-nspawn supports, including
          those following the Discoverable Partition Specification, as well as
          Verity enabled images. This option enables systemd to run system
          services directly off disk images acting as resource bundles,
          possibly even including full integrity data.

        * A new MountAPIVFS= unit file option has been added, taking a boolean
          argument. If enabled /proc, /sys and /dev (collectively called the
          "API VFS") will be mounted for the service. This is only relevant if
          RootDirectory= or RootImage= is used for the service, as these mounts
          are of course in place in the host mount namespace anyway.

        * systemd-nspawn gained support for a new --pivot-root= switch. If
          specified the root directory within the container image is pivoted to
          the specified mount point, while the original root disk is moved to a
          different place. This option enables booting of ostree images
          directly with systemd-nspawn.

        * The systemd build scripts will no longer complain if the NTP server
          addresses are not changed from the defaults. Google now supports
          these NTP servers officially. We still recommend downstreams to
          properly register an NTP pool with the NTP pool project though.

        * coredumpctl gained new new "--reverse" option for printing the list
          of coredumps in reverse order.

        * coredumpctl will now show additional information about truncated and
          inaccessible coredumps, as well as coredumps that are still being
          processed. It also gained a new --quiet switch for suppressing
          additional informational message in its output.

        * coredumpctl gained support for only showing coredumps newer and/or
          older than specific timestamps, using the new --since= and --until=
          options, reminiscent of journalctl's options by the same name.

        * The systemd-coredump logic has been improved so that it may be reused
          to collect backtraces in non-compiled languages, for example in
          scripting languages such as Python.

        * machinectl will now show the UID shift of local containers, if user
          namespacing is enabled for them.

        * systemd will now optionally run "environment generator" binaries at
          configuration load time. They may be used to add environment
          variables to the environment block passed to services invoked. One
          user environment generator is shipped by default that sets up
          environment variables based on files dropped into /etc/environment.d
          and ~/.config/environment.d/.

        * systemd-resolved now includes the new, recently published 2017 DNSSEC
          root key (KSK).

        * hostnamed has been updated to report a new chassis type of
          "convertible" to cover "foldable" laptops that can both act as a
          tablet and as a laptop, such as various Lenovo Yoga devices.

        Contributions from: Adrián López, Alexander Galanin, Alexander
        Kochetkov, Alexandros Frantzis, Andrey Ulanov, Antoine Eiche, Baruch
        Siach, Bastien Nocera, Benjamin Robin, Björn, Brandon Philips, Cédric
        Schieli, Charles (Chas) Williams, Christian Hesse, Daniele Medri,
        Daniel Drake, Daniel Rusek, Daniel Wagner, Dan Streetman, Dave Reisner,
        David Glasser, David Herrmann, David Michael, Djalal Harouni, Dmitry
        Khlebnikov, Dmitry Rozhkov, Dongsu Park, Douglas Christman, Earnestly,
        Emil Soleyman, Eric Cook, Evgeny Vereshchagin, Felipe Sateler, Fionn
        Cleary, Florian Klink, Francesco Brozzu, Franck Bui, Gabriel Rauter,
        Gianluca Boiano, Giedrius Statkevičius, Graeme Lawes, Hans de Goede,
        Harald Hoyer, Ian Kelling, Ivan Shapovalov, Jakub Wilk, Janne Heß, Jan
        Synacek, Jason Reeder, Jonathan Boulle, Jörg Thalheim, Jouke Witteveen,
        Karl Kraus, Kees Cook, Keith Busch, Kieran Colford, kilian-k, Lennart
        Poettering, Lubomir Rintel, Lucas Werkmeister, Lukas Rusak, Maarten de
        Vries, Maks Naumov, Mantas Mikulėnas, Marc-Andre Lureau, Marcin Bachry,
        Mark Stosberg, Martin Ejdestig, Martin Pitt, Mauricio Faria de
        Oliveira, micah, Michael Biebl, Michael Shields, Michal Schmidt, Michal
        Sekletar, Michel Kraus, Mike Gilbert, Mikko Ylinen, Mirza Krak,
        Namhyung Kim, nikolaof, peoronoob, Peter Hutterer, Peter Körner, Philip
        Withnall, Piotr Drąg, Ray Strode, Reverend Homer, Rike-Benjamin
        Schuppner, Robert Kreuzer, Ronny Chevalier, Ruslan Bilovol, sammynx,
        Sergey Ptashnick, Sergiusz Urbaniak, Stefan Berger, Stefan Hajnoczi,
        Stefan Schweter, Stuart McLaren, Susant Sahani, Sylvain Plantefève,
        Taylor Smock, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tibor
        Nagy, Tobias Stoeckmann, Tom Gundersen, Torstein Husebø, Viktar
        Vaŭčkievič, Viktor Mihajlovski, Vitaly Sulimov, Waldemar Brodkorb,
        Walter Garcia-Fontes, Wim de With, Yassine Imounachen, Yi EungJun,
        YunQiang Su, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Александр

        — Berlin, 2017-03-01


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list