[systemd-devel] systemd prerelease 253-rc3

systemd tag bot donotreply-systemd-tag at refi64.com
Fri Feb 10 17:14:21 UTC 2023


A new systemd ☠️ pre-release ☠️ has just been tagged. Please download the tarball here:

        https://github.com/systemd/systemd/archive/v253-rc3.tar.gz

NOTE: This is ☠️ pre-release ☠️ software. Do not run this on production
systems, but please test this and report any issues you find to GitHub:

        https://github.com/systemd/systemd/issues/new?template=Bug_report.md

Changes since the previous release:

        Announcements of Future Feature Removals and Incompatible Changes:

        * We intend to remove cgroup v1 support from systemd release after the
          end of 2023. If you run services that make explicit use of cgroup v1
          features (i.e. the "legacy hierarchy" with separate hierarchies for
          each controller), please implement compatibility with cgroup v2 (i.e.
          the "unified hierarchy") sooner rather than later. Most of Linux
          userspace has been ported over already.

        * We intend to remove support for split-usr (/usr mounted separately
          during boot) and unmerged-usr (parallel directories /bin and
          /usr/bin, /lib and /usr/lib, etc). This will happen in the second
          half of 2023, in the first release that falls into that time window.
          For more details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

        * We intend to change behaviour w.r.t. units of the per-user service
          manager and sandboxing options, so that they work without having to
          manually enable PrivateUsers= as well, which is not required for
          system units. To make this work, we will implicitly enable user
          namespaces (PrivateUsers=yes) when a sandboxing option is enabled in a
          user unit. The drawback is that system users will no longer be visible
          (and appear as 'nobody') to the user unit when a sandboxing option is
          enabled. By definition a sandboxed user unit should run with reduced
          privileges, so impact should be small. This will remove a great source
          of confusion that has been reported by users over the years, due to
          how these options require an extra setting to be manually enabled when
          used in the per-user service manager, as opposed as to the system
          service manager. We plan to enable this change in the next release
          later this year. For more details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html

        Deprecations and incompatible changes:

        * systemctl will now warn when invoked without /proc/ mounted
          (e.g. when invoked after chroot() into an directory tree without the
          API mount points like /proc/ being set up.)  Operation in such an
          environment is not fully supported.

        * The return value of 'systemctl is-active|is-enabled|is-failed' for
          unknown units is changed: previously 1 or 3 were returned, but now 4
          (EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented.

        * 'udevadm hwdb' subcommand is deprecated and will emit a warning.
          systemd-hwdb (added in 2014) should be used instead.

        * 'bootctl --json' now outputs a single JSON array, instead of a stream
          of newline-separated JSON objects.

        * Udev rules in 60-evdev.rules have been changed to load hwdb
          properties for all modalias patterns. Previously only the first
          matching pattern was used. This could change what properties are
          assigned if the user has more and less specific patterns that could
          match the same device, but it is expected that the change will have
          no effect for most users.

        * systemd-networkd-wait-online exits successfully when all interfaces
          are ready or unmanaged. Previously, if neither '--any' nor
          '--interface=' options were used, at least one interface had to be in
          configured state. This change allows the case where systemd-networkd
          is enabled, but no interfaces are configured, to be handled
          gracefully. It may occur in particular when a different network
          manager is also enabled and used.

        * Some compatibility helpers were dropped: EmergencyAction= in the user
          manager, as well as measuring kernel command line into PCR 8 in
          systemd-stub, along with the -Defi-tpm-pcr-compat compile-time
          option.

        * The '-Dupdate-helper-user-timeout=' build-time option has been
          renamed to '-Dupdate-helper-user-timeout-sec=', and now takes an
          integer as parameter instead of a string.

        * The DDI image dissection logic (which backs RootImage= in service
          unit files, the --image= switch in various tools such as
          systemd-nspawn, as well as systemd-dissect) will now only mount file
          systems of types btrfs, ext4, xfs, erofs, squashfs, vfat. This list
          can be overridden via the $SYSTEMD_DISSECT_FILE_SYSTEMS environment
          variable. These file systems are fairly well supported and maintained
          in current kernels, while others are usually more niche, exotic or
          legacy and thus typically do not receive the same level of security
          support and fixes.

        New components:

        * A tool 'ukify' tool to build, measure, and sign Unified Kernel Images
          (UKIs) has been added. This replaces functionality provided by
          'dracut --uefi' and extends it with automatic calculation of PE file
          offsets, insertion of signed PCR policies generated by
          systemd-measure, support for initrd concatenation, signing of the
          embedded Linux image and the combined image with sbsign, and
          heuristics to autodetect the kernel uname and verify the splash
          image.

        Changes in systemd and units:

        * A new service type Type=notify-reload is defined. When such a unit is
          reloaded a UNIX process signal (typically SIGHUP) is sent to the main
          service process. The manager will then wait until it receives a
          "RELOADING=1" followed by a "READY=1" notification from the unit as
          response (via sd_notify()). Otherwise, this type is the same as
          Type=notify. A new setting ReloadSignal= may be used to change the
          signal to send from the default of SIGHUP.

          user at .service, systemd-networkd.service, systemd-udevd.service, and
          systemd-logind have been updated to this type.

        * Initrd environments which are not on a pure memory file system (e.g.
          overlayfs combination as opposed to tmpfs) are now supported. With
          this change, during the initrd → host transition ("switch root")
          systemd will erase all files of the initrd only when the initrd is
          backed by a memory file system such as tmpfs.

        * New per-unit MemoryZSwapMax= option has been added to configure
          memory.zswap.max cgroup properties (the maximum amount of zswap
          used).

        * A new LogFilterPatterns= option has been added for units. It may be
          used to specify accept/deny regular expressions for log messages
          generated by the unit, that shall be enforced by systemd-journald.
          Rejected messages are neither stored in the journal nor forwarded.
          This option may be used to suppress noisy or uninteresting messages
          from units.

        * The manager has a new
          org.freedesktop.systemd1.Manager.GetUnitByPIDFD() D-Bus method to
          query process ownership via a PIDFD, which is more resilient against
          PID recycling issues.

        * Scope units now support OOMPolicy=. Login session scopes default to
          OOMPolicy=continue, allowing login scopes to survive the OOM killer
          terminating some processes in the scope.

        * systemd-fstab-generator now supports x-systemd.makefs option for
          /sysroot/ (in the initrd).

        * The maximum rate at which daemon reloads are executed can now be
          limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
          options. (Or the equivalent on the kernel command line:
          systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=). In
          addition, systemd now logs the originating unit and PID when a reload
          request is received over D-Bus.

        * When enabling a swap device systemd will now reinitialize the device
          when the page size of the swap space does not match the page size of
          the running kernel. Note that this requires the 'swapon' utility to
          provide the '--fixpgsz' option, as implemented by util-linux, and it
          is not supported by busybox at the time of writing.

        * systemd now executes generator programs in a mount namespace
          "sandbox" with most of the file system read-only and write access
          restricted to the output directories, and with a temporary /tmp/
          mount provided. This provides a safeguard against programming errors
          in the generators, but also fixes here-docs in shells, which
          previously didn't work in early boot when /tmp/ wasn't available
          yet. (This feature has no security implications, because the code is
          still privileged and can trivially exit the sandbox.)

        * The system manager manager will now parse a new "vmm.notify_socket"
          system credential, which may be supplied to a VM via SMBIOS. If
          found, the manager will send a "READY=1" notification on the
          specified socket after boot is complete. This allows readiness
          notification to be sent from a VM guest to the VM host over a VSOCK
          socket.

        * The sample PAM configuration file for systemd-user at .service now
          includes a call to pam_namespace. This puts children of user at .service
          in the expected namespace. (Many distributions replace their file
          with something custom, so this change has limited effect.)

        * A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST
          can can be used to override the mount units burst late limit for
          parsing '/proc/self/mountinfo', which was introduced in v249.
          Defaults to 5.

        * Drop-ins for init.scope changing control group resource limits are
          now applied, while they were previously ignored.

        * New build-time configuration options '-Ddefault-timeout-sec=' and
          '-Ddefault-user-timeout-sec=' have been added, to let distributions
          choose the default timeout for starting/stopping/aborting system and
          user units respectively.

        * Service units gained a new setting OpenFile= which may be used to
          open arbitrary files in the file system (or connect to arbitrary
          AF_UNIX sockets in the file system), and pass the open file
          descriptor to the invoked process via the usual file descriptor
          passing protocol. This is useful to give unprivileged services access
          to select files which have restrictive access modes that would
          normally not allow this. It's also useful in case RootDirectory= or
          RootImage= is used to allow access to files from the host environment
          (which is after all not visible from the service if these two options
          are used.)

        Changes in udev:

        * The new net naming scheme "v253" has been introduced. In the new
          scheme, ID_NET_NAME_PATH is also set for USB devices not connected via
          a PCI bus. This extends the coverage of predictable interface names
          in some embedded systems.

          The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
          a more informative path on some embedded systems.

        * Partition block devices will now also get symlinks in
          /dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
          block device nodes via the kernel's "diskseq" value. Previously those
          symlinks were only created for the main block device.

        * A new operator '-=' is supported for SYMLINK variables. This allows
          symlinks to be unconfigured even if an earlier rule added them.

        * 'udevadm --trigger --settle' now also works for network devices
          that are being renamed.

        Changes in sd-boot, bootctl, and the Boot Loader Specification:

        * systemd-boot now passes its random seed directly to the kernel's RNG
          via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which
          means the RNG gets seeded very early in boot before userspace has
          started.

        * systemd-boot will pass a disk-backed random seed – even when secure
          boot is enabled – if it can additionally get a random seed from EFI
          itself (via EFI's RNG protocol), or a prior seed in
          LINUX_EFI_RANDOM_SEED_TABLE_GUID from a preceding bootloader.

        * systemd-boot-system-token.service was renamed to
          systemd-boot-random-seed.service and extended to always save a random
          seed to ESP on every boot when a compatible boot loader is used. This
          allows a refreshed random seed to be used in the boot loader.

        * systemd-boot handles various seed inputs using a domain- and
          field-separated hashing scheme.

        * systemd-boot's 'random-seed-mode' option has been removed. A system
          token is now always required to be present for random seeds to be
          used.

        * systemd-boot now supports being loaded from other locations than the
          ESP, for example for direct kernel boot under QEMU or when embedded
          into the firmware.

        * systemd-boot now parses SMBIOS information to detect
          virtualization. This information is used to skip some warnings which
          are not useful in a VM and to conditionalize other aspects of
          behaviour.

        * systemd-boot now supports a new 'if-safe' mode that will perform UEFI
          Secure Boot automated certificate enrollment from the ESP only if it
          is considered 'safe' to do so. At the moment 'safe' means running in
          a virtual machine.

        * systemd-stub now processes random seeds in the same way as
          systemd-boot already does, in case a unified kernel image is being
          used from a different bootloader than systemd-boot, or without any
          boot load at all.

        * bootctl will now generate a system token on all EFI systems, even
          virtualized ones, and is activated in the case that the system token
          is missing from either sd-boot and sd-stub booted systems.

        * bootctl now implements two new verbs: 'kernel-identify' prints the
          type of a kernel image file, and 'kernel-inspect' provides
          information about the embedded command line and kernel version of
          UKIs.

        * bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
          as for kernel-install.

        * The JSON output of "bootctl list" will now contain two more fields:
          isDefault and isSelected are boolean fields set to true on the
          default and currently booted boot menu entries.

        * bootctl gained a new verb "unlink" for removing a boot loader entry
          type #1 file from disk in a safe and robust way.

        * bootctl also gained a new verb "cleanup" that automatically removes
          all files from the ESP's and XBOOTLDR's "entry-token" directory, that
          is not referenced anymore by any installed Type #1 boot loader
          specification entry. This is particularly useful in environments where
          a large number of entries reference the same or partly the same
          resources (for example, for snapshot-based setups).

        Changes in kernel-install:

        * A new "installation layout" can be configured as layout=uki. With
          this setting, a Boot Loader Specification Type#1 entry will not be
          created.  Instead, a new kernel-install plugin 90-uki-copy.install
          will copy any .efi files from the staging area into the boot
          partition. A plugin to generate the UKI .efi file must be provided
          separately.

        Changes in systemctl:

        * 'systemctl reboot' has dropped support for accepting a positional
          argument as the argument to the reboot(2) syscall. Please use the
          --reboot-argument= option instead.

        * 'systemctl disable' will now warn when called on units without
          install information. A new --no-warn option has been added that
          silences this warning.

        * New option '--drop-in=' can be used to tell 'systemctl edit' the name
          of the drop-in to edit. (Previously, 'override.conf' was always
          used.)

        * 'systemctl list-dependencies' now respects --type= and --state=.

        * 'systemctl kexec' now supports XEN VMM environments.

        * 'systemctl edit' will now tell the invoked editor to jump into the
          first line with actual unit file data, skipping over synthesized
          comments.

        Changes in systemd-networkd and related tools:

        * The [DHCPv4] section in .network file gained new SocketPriority=
          setting that assigns the Linux socket priority used by the DHCPv4 raw
          socket. This may be used in conjunction with the
          EgressQOSMaps=setting in [VLAN] section of .netdev file to send the
          desired ethernet 802.1Q frame priority for DHCPv4 initial
          packets. This cannot be achieved with netfilter mangle tables because
          of the raw socket bypass.

        * The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained a
          new QuickAck= boolean setting that enables the TCP quick ACK mode for
          the routes configured by the acquired DHCPv4 lease or received router
          advertisements (RAs).

        * The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
          routes) now accepts three values, for high, medium, and low preference
          of the router (which can be set with the RouterPreference=) setting.

        * systemd-networkd-wait-online now supports matching via alternative
          interface names.

        * The [DHCPv6] section in .network file gained new SendRelease=
          setting which enables the DHCPv6 client to send release when
          it stops. This is the analog of the [DHCPv4] SendRelease= setting.
          It is enabled by default.

        * If the Address= setting in [Network] or [Address] sections in .network
          specified without its prefix length, then now systemd-networkd assumes
          /32 for IPv4 or /128 for IPv6 addresses.

        * networkctl shows network and link file dropins in status output.

        Changes in systemd-dissect:

        * systemd-dissect gained a new option --list, to print the paths of
          all files and directories in a DDI.

        * systemd-dissect gained a new option --mtree, to generate a file
          manifest compatible with BSD mtree(5) of a DDI

        * systemd-dissect gained a new option --with, to execute a command with
          the specified DDI temporarily mounted and used as working
          directory. This is for example useful to convert a DDI to "tar"
          simply by running it within a "systemd-dissect --with" invocation.

        * systemd-dissect gained a new option --discover, to search for
          Discoverable Disk Images (DDIs) in well-known directories of the
          system. This will list machine, portable service and system extension
          disk images.

        * systemd-dissect now understands 2nd stage initrd images stored as a
          Discoverable Disk Image (DDI).

        * systemd-dissect will now display the main UUID of GPT DDIs (i.e. the
          disk UUID stored in the GPT header) among the other data it can show.

        * systemd-dissect gained a new --in-memory switch to operate on an
          in-memory copy of the specified DDI file. This is useful to access a
          DDI with write access without persisting any changes. It's also
          useful for accessing a DDI without keeping the originating file
          system busy.

        * The DDI dissection logic will now automatically detect the intended
          sector size of disk images stored in files, based on the GPT
          partition table arrangement. Loopback block devices for such DDIs
          will then be configured automatically for the right sector size. This
          is useful to make dealing with modern 4K sector size DDIs fully
          automatic. The systemd-dissect tool will now show the detected sector
          size among the other DDI information in its output.

        Changes in systemd-repart:

        * systemd-repart gained new options --include-partitions= and
          --exclude-partitions= to filter operation on partitions by type UUID.
          This allows systemd-repart to be used to build images in which the
          type of one partition is set based on the contents of another
          partition (for example when the boot partition shall include a verity
          hash of the root partition).

        * systemd-repart also gained a --defer-partitions= option that is
          similar to --exclude-partitions=, but the size of the partition is
          still taken into account when sizing partitions, but without
          populating it.

        * systemd-repart gained a new --sector-size= option to specify what
          sector size should be used when an image is created.

        * systemd-repart now supports generating erofs file systems via
          CopyFiles= (a read-only file system similar to squashfs).

        * The Minimize= option was extended to accept "best" (which means the
          most minimal image possible, but may require multiple attempts) and
          "guess" (which means a reasonably small image).

        * The systemd-growfs binary now comes with a regular unit file template
          systemd-growfs at .service which can be instantiated directly for any
          desired file system. (Previously, the unit was generated dynamically
          by various generators, but no regular unit file template was
          available.)

        Changes in journal tools:

        * Various systemd tools will append extra fields to log messages when
          in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently
          this includes information about D-Bus messages when sd-bus is used,
          e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information
          about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
          Details of what is logged and when are subject to change.

        * The systemd-journald-audit.socket can now be disabled via the usual
          "systemctl disable" mechanism to stop collection of audit
          messages. Please note that it is not enabled statically anymore and
          must be handled by the preset/enablement logic in package
          installation scripts.

        * New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
          be used to curtail disk use by systemd-journal-remote. This is
          similar to the options supported by systemd-journald.

        Changes in systemd-cryptenroll, systemd-cryptsetup, and related
        components:

        * When enrolling new keys systemd-cryptenroll now supports unlocking
          via FIDO2 tokens (option --unlock-fido2-device=). Previously, a
          password was strictly required to be specified.

        * systemd-cryptsetup now supports pre-flight requests for FIDO2 tokens
          (except for tokens with user verification, UV) to identify tokens
          before authentication. Multiple FIDO2 tokens can now be enrolled at
          the same time, and systemd-cryptsetup will automatically select one
          that corresponds to one of the available LUKS key slots.

        * systemd-cryptsetup now supports new options tpm2-measure-bank= and
          tpm2-measure-pcr= in crypttab(5). These allow specifying the TPM2 PCR
          bank and number into which the volume key should be measured. This is
          automatically enabled for the encrypted root volume discovered and
          activated by systemd-gpt-auto-generator.

        * systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with
          "noexec,nosuid,nodev".

        * systemd-gpt-auto-generator will now honour the rootfstype= and
          rootflags= kernel command line switches for root file systems it
          discovers, to match behaviour in case an explicit root fs is
          specified via root=.

        * systemd-pcrphase gained new options --machine-id and --file-system=
          to measure the machine-id and mount point information into PCR 15. New
          service unit files systemd-pcrmachine.service and
          systemd-pcrfs at .service have been added that invoke the tool with
          these switches during early boot.

        * systemd-pcrphase gained a --graceful switch will make it exit cleanly
          with a success exit code even if no TPM device is detected.

        * systemd-cryptenroll now stores the user-supplied PIN with a salt,
          making it harder to brute-force.

        Changes in other tools:

        * systemd-homed gained support for luksPbkdfForceIterations (the
          intended number of iterations for the PBKDF operation on LUKS).

        * Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
          $SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
          may now be used to specify additional arguments for mkfs when
          systemd-homed formats a file system.

        * systemd-hostnamed now exports the contents of
          /sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two
          new D-Bus properties: FirmwareVendor and FirmwareDate. This allows
          unprivileged code to access those values.

          systemd-hostnamed also exports the SUPPORT_END= field from
          os-release(5) as OperatingSystemSupportEnd. hostnamectl make uses of
          this to show the status of the installed system.

        * systemd-measure gained an --append= option to sign multiple phase
          paths with different signing keys. This allows secrets to be
          accessible only in certain parts of the boot sequence. Note that
          'ukify' provides similar functionality in a more accessible form.

        * systemd-timesyncd will now write a structured log message with
          MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
          on a on-disk timestamp, similarly to what it did when reaching
          synchronization via NTP.

        * systemd-timesyncd will now update the on-disk timestamp file on each
          boot at least once, making it more likely that the system time
          increases in subsequent boots.

        * systemd-vconsole-setup gained support for system/service credentials:
          vconsole.keymap/vconsole.keymap_toggle and
          vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous
          the similarly-named options in vconsole.conf.

        * systemd-localed will now save the XKB keyboard configuration to
          /etc/vconsole.conf, and also read it from there with a higher
          preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config
          file. Previously, this information was stored in the former file in
          converted form, and only in latter file in the original form. Tools
          which want to access keyboard configuration can now do so from a
          standard location.

        * systemd-resolved gained support for configuring the nameservers and
          search domains via kernel command line (nameserver=, domain=) and
          credentials (network.dns, network.search_domains).

        * systemd-resolved will now synthesize host names for the DNS stub
          addresses it supports. Specifically when "_localdnsstub" is resolved,
          127.0.0.53 is returned, and if "_localdnsproxy" is resolved
          127.0.0.54 is returned.

        * systemd-notify will now send a "RELOADING=1" notification when called
          with --reloading, and "STOPPING=1" when called with --stopping. This
          can be used to implement notifications from units where it's easier
          to call a program than to use the sd-daemon library.

        * systemd-analyze's 'plot' command can now output its information in
          JSON, controlled via the --json= switch. Also, new --table, and
          --no-legend options have been added.

        * 'machinectl enable' will now automatically enable machines.target
          unit in addition to adding the machine unit to the target.

          Similarly, 'machinectl start|stop' gained a --now option to enable or
          disable the machine unit when starting or stopping it.

        * systemd-sysusers will now create /etc/ if it is missing.

        * systemd-sleep 'HibernateDelaySec=' setting is changed back to
          pre-v252's behaviour, and a new 'SuspendEstimationSec=' setting is
          added to provide the new initial value for the new automated battery
          estimation functionality. If 'HibernateDelaySec=' is set to any value,
          the automated estimate (and thus the automated hibernation on low
          battery to avoid data loss) functionality will be disabled.

        * Default tmpfiles.d/ configuration will now automatically create
          credentials storage directory '/etc/credstore/' with the appropriate,
          secure permissions. If '/run/credstore/' exists, its permissions will
          be fixed too in case they are not correct.

        Changes in libsystemd and shared code:

        * sd-bus gained new convenience functions sd_bus_emit_signal_to(),
          sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().

        * sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
          128bit ID in files such as /etc/machine-id has an invalid
          format. They also accept NULL as output parameter in more places,
          which is useful when the caller only wants to validate the inputs and
          does not need the output value.

        * sd-login gained new functions sd_pidfd_get_session(),
          sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
          sd_pidfd_get_user_unit(), sd_pidfd_get_slice(),
          sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and
          sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(),
          but accept a PIDFD instead of a PID.

        * sd-path (and systemd-path) now export four new paths:
          SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR,
          SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR,
          SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and
          SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR,

        * sd_notify() now supports AF_VSOCK as transport for notification
          messages (in addition to the existing AF_UNIX support). This is
          enabled if $NOTIFY_SOCKET is set in a "vsock:CID:port" format.

        * Detection of chroot() environments now works if /proc/ is not
          mounted.  This affects systemd-detect-virt --chroot, but also means
          that systemd tools will silently skip various operations in such an
          environment.

        * "Lockheed Martin Hardened Security for Intel Processors" (HS SRE)
          virtualization is now detected.

        Changes in the build system:

        * Standalone variants of systemd-repart and systemd-shutdown may now be
          built (if -Dstandalone=true).

        * systemd-ac-power has been moved from /usr/lib/ to /usr/bin/, to, for
          example, allow scripts to conditionalize execution on AC power
          supply.

        * The libp11kit library is now loaded through dlopen(3).

        Changes in the documentation:

        * Specifications that are not closely tied to systemd have moved to
          https://uapi-group.org/specifications/: the Boot Loader Specification
          and the Discoverable Partitions Specification.

        Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas,
        Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang,
        Antonio Alvarez Feijoo, Arsen Arsenović, asavah, Benjamin Fogle,
        Benjamin Tissoires, berenddeschouwer, BerndAdameit,
        Bernd Steinhauser, blutch112, cake03, Callum Farmer, Carlo Teubner,
        Charles Hardin, chris, Christian Brauner, Christian Göttsche,
        Cristian Rodríguez, Daan De Meyer, Dan Streetman, DaPigGuy,
        Darrell Kavanagh, David Tardon, dependabot[bot], Dirk Su,
        Dmitry V. Levin, drosdeck, Edson Juliano Drosdeck, edupont,
        Eric DeVolder, Erik Moqvist, Evgeny Vereshchagin, Fabian Gurtner,
        Felix Riemann, Franck Bui, Frantisek Sumsal, Geert Lorang,
        Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho,
        igo95862, Ilya Leoshkevich, Ivan Shapovalov, Jacek Migacz,
        Jade Lovelace, Jan Engelhardt, Jan Janssen, Jan Macku, January,
        Jason A. Donenfeld, jcg, Jelle van der Waa, Jeremy Linton,
        Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann, Jörg Thalheim,
        Joshua Goins, joshuazivkovic, Joshua Zivkovic, Kai-Chuan Hsieh,
        Khem Raj, Koba Ko, Lennart Poettering, lichao, Li kunyu,
        Luca Boccassi, Luca BRUNO, Ludwig Nussel, Łukasz Stelmach,
        Lycowolf, marcel151, Marcus Schäfer, Marek Vasut, Mark Laws,
        Michael Biebl, Michał Kotyla, Michal Koutný, Michal Sekletár,
        Mike Yuan, MkfsSion, msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore,
        Nick Rosbrook, noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv,
        Phaedrus Leeds, Philipp Jungkamp, Quentin Deslandes, Ray Strode,
        reuben olinsky, Richard E. van der Luit, Richard Phibel,
        Ricky Tigg, Robin Humble, rogg, Rudi Heitbaum, Sam James,
        Samuel Cabrero, Samuel Thibault, Siddhesh Poyarekar, Simon Brand,
        Space Meyer, Spindle Security, Steve Ramage, Takashi Sakamoto,
        Thomas Haller, Tonći Galić, Topi Miettinen, Torsten Hilbrich,
        Tuetuopay, uerdogan, Ulrich Ölmann, Valentin David,
        Vitaly Kuznetsov, Vito Caputo, Waltibaba, Will Fancher,
        William Roberts, wouter bolsterlee, Youfu Zhang, Yu Watanabe,
        Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски,
        наб

        — Warsaw, 2023-02-10


More information about the systemd-devel mailing list