[systemd-devel] systemd 256 released
Luna Jernberg
droidbittin at gmail.com
Mon Jun 17 03:20:23 UTC 2024
https://linuxunplugged.com/567
On Tue, 11 Jun 2024 at 23:45, systemd tag bot
<donotreply-systemd-tag at refi64.com> wrote:
>
> 🎆 A new, official systemd release has just 🎉 been 🎊 tagged 🍾. Please download the tarball here:
>
> https://github.com/systemd/systemd/archive/v256.tar.gz
>
> Changes since the previous release:
>
> Announcements of Future Feature Removals and Incompatible Changes:
>
> * Support for automatic flushing of the nscd user/group database caches
> will be dropped in a future release.
>
> * Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now
> considered obsolete and systemd by default will refuse to boot under
> it. To forcibly reenable cgroup v1 support,
> SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must be set on kernel command
> line. The meson option 'default-hierarchy=' is also deprecated, i.e.
> only cgroup v2 ('unified' hierarchy) can be selected as build-time
> default.
>
> * Support for System V service scripts is deprecated and will be
> removed in a future release. Please make sure to update your software
> *now* to include a native systemd unit file instead of a legacy
> System V script to retain compatibility with future systemd releases.
>
> * Support for the SystemdOptions EFI variable is deprecated.
> 'bootctl systemd-efi-options' will emit a warning when used. It seems
> that this feature is little-used and it is better to use alternative
> approaches like credentials and confexts. The plan is to drop support
> altogether at a later point, but this might be revisited based on
> user feedback.
>
> * systemd-run's switch --expand-environment=, which is currently
> disabled by default when combined with --scope, will be changed in a
> future release to be enabled by default.
>
> * Previously, systemd-networkd did not explicitly remove any bridge
> VLAN IDs assigned on bridge master and ports. Since version 256, if a
> .network file for an interface has at least one valid setting in the
> [BridgeVLAN] section, then all assigned VLAN IDs on the interface
> that are not configured in the .network file are removed.
>
> * IPForward= setting in .network file is deprecated and replaced with
> IPv4Forwarding= and IPv6Forwarding= settings. These new settings are
> supported both in .network file and networkd.conf. If specified in a
> .network file, they control corresponding per-link settings. If
> specified in networkd.conf, they control corresponding global
> settings. Note that previously IPv6SendRA= and IPMasquerade= implied
> IPForward=, but now they imply the new per-link settings. One of the
> simplest ways to migrate configurations that worked as a router with
> the previous version is enabling both IPv4Forwarding= and
> IPv6Forwarding= in networkd.conf. See systemd.network(5) and
> networkd.conf(5) for more details.
>
> * systemd-gpt-auto-generator will stop generating units for ESP or
> XBOOTLDR partitions if it finds mount entries for or below the /boot/
> or /efi/ hierarchies in /etc/fstab. This is to prevent the generator
> from interfering with systems where the ESP is explicitly configured
> to be mounted at some path, for example /boot/efi/ (this type of
> setup is obsolete, but still commonly found).
>
> * The behavior of systemd-sleep and systemd-homed has been updated to
> freeze user sessions when entering the various sleep modes or when
> locking a homed-managed home area. This is known to cause issues with
> the proprietary NVIDIA drivers. Packagers of the NVIDIA proprietary
> drivers may want to add drop-in configuration files that set
> SYSTEMD_SLEEP_FREEZE_USER_SESSIONS=false for systemd-suspend.service
> and related services, and SYSTEMD_HOME_LOCK_FREEZE_SESSION=false for
> systemd-homed.service.
>
> * systemd-tmpfiles and systemd-sysusers, when given a relative
> configuration file path (with at least one directory separator '/'),
> will open the file directly, instead of searching for the given
> partial path in the standard locations. The old mode wasn't useful
> because tmpfiles.d/ and sysusers.d/ configuration has a flat
> structure with no subdirectories under the standard locations and
> this change makes it easier to work with local files with those
> tools.
>
> * systemd-tmpfiles now properly applies nested configuration to 'R' and
> 'D' stanzas. For example, with the combination of 'R /foo' and
> 'x /foo/bar', /foo/bar will now be excluded from removal.
>
> * systemd.crash_reboot and related settings are deprecated in favor of
> systemd.crash_action=.
>
> General Changes and New Features:
>
> * Various programs will now attempt to load the main configuration file
> from locations below /usr/lib/, /usr/local/lib/, and /run/, not just
> below /etc/. For example, systemd-logind will look for
> /etc/systemd/logind.conf, /run/systemd/logind.conf,
> /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf,
> and use the first file that is found. This means that the search
> logic for the main config file and for drop-ins is now the same.
>
> Similarly, kernel-install will look for the config files in
> /usr/lib/kernel/ and the other search locations, and now also
> supports drop-ins.
>
> systemd-udevd now supports drop-ins for udev.conf.
>
> * A new 'systemd-vpick' binary has been added. It implements the new
> vpick protocol, where a "*.v/" directory may contain multiple files
> which have versions (following the UAPI version format specification)
> embedded in the file name. The files are ordered by version and
> the newest one is selected.
>
> systemd-nspawn --image=/--directory=, systemd-dissect,
> systemd-portabled, and the RootDirectory=, RootImage=,
> ExtensionImages=, and ExtensionDirectories= settings for units now
> support the vpick protocol and allow the latest version to be
> selected automatically if a "*.v/" directory is specified as the
> source.
>
> * Encrypted service credentials can now be made accessible to
> unprivileged users. systemd-creds gained new options --user/--uid=
> for encrypting/decrypting a credential for a specific user.
>
> * New command-line tool 'importctl' to download, import, and export
> disk images via systemd-importd is added with the following verbs:
> pull-tar, pull-raw, import-tar, import-raw, import-fs, export-tar,
> export-raw, list-transfers, and cancel-transfer. This functionality
> was previously available in "machinectl", where it was used
> exclusively for machine images. The new "importctl" generalizes this
> for sysext, confext, and portable service images.
>
> * The systemd sources may now be compiled cleanly with all OpenSSL 3.0
> deprecations removed, including the OpenSSL engine logic turned off.
>
> Service Management:
>
> * New system manager setting ProtectSystem= has been added. It is
> analogous to the unit setting, but applies to the whole system. It is
> enabled by default in the initrd.
>
> Note that this means that code executed in the initrd cannot naively
> expect to be able to write to /usr/ during boot. This affects
> dracut <= 101, which wrote "hooks" to /lib/dracut/hooks/. See
> https://github.com/dracut-ng/dracut-ng/commit/a45048b80c27ee5a45a380.
>
> * New unit setting WantsMountsFor= has been added. It is analogous to
> RequiresMountsFor=, but creates a Wants= dependency instead of
> Requires=. This new logic is now used in various places where mounts
> were added as dependencies for other settings (WorkingDirectory=-…,
> PrivateTmp=yes, cryptsetup lines with 'nofail').
>
> * New unit setting MemoryZSwapWriteback= can be used to control the new
> memory.zswap.writeback cgroup knob added in kernel 6.8.
>
> * The manager gained a org.freedesktop.systemd1.StartAuxiliaryScope()
> D-Bus method to devolve some processes from a service into a new
> scope. This new scope will remain running, even when the original
> service unit is restarted or stopped. This allows a service unit to
> split out some worker processes which need to continue running.
> Control group properties of the new scope are copied from the
> originating unit, so various limits are retained.
>
> * Units now expose properties EffectiveMemoryMax=,
> EffectiveMemoryHigh=, and EffectiveTasksMax=, which report the
> most stringent limit systemd is aware of for the given unit.
>
> * A new unit file specifier %D expands to $XDG_DATA_HOME (for user
> services) or /usr/share/ (for system services).
>
> * AllowedCPUs= now supports specifier expansion.
>
> * What= setting in .mount and .swap units now accepts fstab-style
> identifiers, for example UUID=… or LABEL=….
>
> * RestrictNetworkInterfaces= now supports alternative network interface
> names.
>
> * PAMName= now implies SetLoginEnvironment=yes.
>
> * systemd.firstboot=no can be used on the kernel command-line to
> disable interactive queries, but allow other first boot configuration
> to happen based on credentials.
>
> * The system's hostname can be configured via the systemd.hostname
> system credential.
>
> * The systemd binary will no longer chainload sysvinit's "telinit"
> binary when called under the init/telinit name on a system that isn't
> booted with systemd. This was previously supported to make sure
> a distribution that has both init systems installed can reasonably
> switch from one to the other via a simple reboot. Distributions
> apparently have lost interest in this, and the functionality has not
> been supported for a long time on the primary distribution this was
> still intended for, and hence has been removed now.
>
> * A new concept called "capsules" has been introduced. "Capsules" wrap
> additional per-user service managers, whose users are transient and
> are only defined as long as the service manager is running (this is
> implemented via DynamicUser=1), allowing a user manager to be used to
> manage a group of processes without needing to create an actual user
> account. These service managers run with home directories of
> /var/lib/capsules/<capsule-name> and can contain regular services and
> other units. A capsule is started via a simple "systemctl start
> capsule@<name>.service". See the capsule@.service(5) man page for
> further details.
>
> Various systemd tools (including, and most importantly, systemctl and
> systemd-run) have been updated to interact with capsules via the new
> "--capsule="/"-C" switch.
>
> * .socket units gained a new setting PassFileDescriptorsToExec=, taking
> a boolean value. If set to true, the file descriptors the socket unit
> encapsulates are passed to ExecStartPost=, ExecStopPre=, and
> ExecStopPost= using the usual $LISTEN_FDS interface. This may be used
> for doing additional initializations on the sockets once they are
> allocated (for example, to install an additional eBPF program on
> them).
>
> * The .socket setting MaxConnectionsPerSource= (which so far put a
> limit on concurrent connections per IP in Accept=yes socket units),
> now also has an effect on AF_UNIX sockets: it will put a limit on the
> number of simultaneous connections from the same source UID (as
> determined via SO_PEERCRED). This is useful for implementing IPC
> services in a simple Accept=yes mode.
>
> * The service manager will now maintain a counter of soft reboot cycles
> the system went through. It may be queried via the D-Bus APIs.
>
> * systemd's execution logic now supports the new pidfd_spawn() API
> introduced by glibc 2.39, which allows us to invoke a subprocess in a
> target cgroup and get a pidfd back in a single operation.
>
> * systemd/PID 1 will now send an additional sd_notify() message to its
> supervising VMM or container manager reporting the selected hostname
> ("X_SYSTEMD_HOSTNAME=") and machine ID ("X_SYSTEMD_MACHINE_ID=") at
> boot. Moreover, the service manager will send additional sd_notify()
> messages ("X_SYSTEMD_UNIT_ACTIVE=") whenever a target unit is
> reached. This can be used by VMMs/container managers to schedule
> access to the system precisely. For example, the moment a system
> reports "ssh-access.target" being reached a VMM/container manager
> knows it can now connect to the system via SSH. Finally, a new
> sd_notify() message ("X_SYSTEMD_SIGNALS_LEVEL=2") is sent the moment
> PID 1 has successfully completed installation of its various UNIX
> process signal handlers (i.e. the moment where SIGRTMIN+4 sent to
> PID 1 will start to have the effect of shutting down the system
> cleanly). X_SYSTEMD_SHUTDOWN= is sent shortly before the system shuts
> down, and carries a string identifying the type of shutdown,
> i.e. "poweroff", "halt", "reboot". X_SYSTEMD_REBOOT_PARAMETER= is
> sent at the same time and carries the string passed to "systemctl
> --reboot-argument=" if there was one.
>
> * New D-Bus properties ExecMainHandoffTimestamp and
> ExecMainHandoffTimestampMonotonic are now published by service
> units. This timestamp is taken as the very last operation before
> handing off control to invoked binaries. This information is
> available for other unit types that fork off processes (i.e. mount,
> swap, socket units), but currently only via "systemd-analyze dump".
>
> * An additional timestamp is now taken by the service manager when a
> system shutdown operation is initiated. It can be queried via D-Bus
> during the shutdown phase. It's passed to the following service
> manager invocation on soft reboots, which will then use it to log the
> overall "grey-out" time of the soft reboot operation, i.e. the time
> when the shutdown began until the system is fully up again.
>
> * "systemctl status" will now display the invocation ID in its usual
> output, i.e. the 128-bit ID uniquely assigned to the current runtime
> cycle of the unit. The ID has been supported for a long time, but is
> now more prominently displayed, as it is a very useful handle to a
> specific invocation of a service.
>
> * systemd now generates a new "taint" string "unmerged-bin" for systems
> that have /usr/bin/ and /usr/sbin/ separate. It's generally
> recommended to make the latter a symlink to the former these days.
>
> * A new systemd.crash_action= kernel command line option has been added
> that configures what to do after the system manager (PID 1) crashes.
> This can also be configured through CrashAction= in systemd.conf.
>
> * "systemctl kill" now supports --wait which will make the command wait
> until the signalled services terminate.
>
> Journal:
>
> * systemd-journald can now forward journal entries to a socket
> (AF_INET, AF_INET6, AF_UNIX, or AF_VSOCK). The socket can be
> specified in journald.conf via a new option ForwardToSocket= or via
> the 'journald.forward_to_socket' credential. Log records are sent in
> the Journal Export Format. A related setting MaxLevelSocket= has been
> added to control the maximum log levels for the messages sent to this
> socket.
>
> * systemd-journald now also reads the journal.storage credential when
> determining where to store journal files.
>
> * systemd-vmspawn gained a new --forward-journal= option to forward the
> virtual machine's journal entries to the host. This is done over an
> AF_VSOCK socket, i.e. it does not require networking in the guest.
>
> * journalctl gained option '-i' as a shortcut for --file=.
>
> * journalctl gained a new -T/--exclude-identifier= option to filter
> out certain syslog identifiers.
>
> * journalctl gained a new --list-namespaces option.
>
> * systemd-journal-remote now also accepts AF_VSOCK and AF_UNIX sockets
> (so it can be used to receive entries forwarded by systemd-journald).
>
> * systemd-journal-gatewayd allows restricting the time range of
> retrieved entries with a new "realtime=[<since>]:[<until>]" URL
> parameter.
>
> * systemd-cat gained a new option --namespace= to specify the target
> journal namespace to which the output shall be connected.
>
> * systemd-bsod gained a new option --tty= to specify the output TTY.
>
> Device Management:
>
> * /dev/ now contains symlinks that combine by-path and by-{label,uuid}
> information:
>
> /dev/disk/by-path/<path>/by-<label|uuid|…>/<label|uuid|…>
>
> This allows distinguishing partitions with identical contents on
> multiple storage devices. This is useful, for example, when copying
> raw disk contents between devices.
>
> * systemd-udevd now creates persistent /dev/media/by-path/ symlinks for
> media controllers. For example, the uvcvideo driver may create
> /dev/media0 which will be linked as
> /dev/media/by-path/pci-0000:04:00.3-usb-0:1:1.0-media-controller.
>
> * A new unit systemd-udev-load-credentials.service has been added
> to pick up udev.conf drop-ins and udev rules from credentials.
>
> * An allowlist/denylist may be specified to filter which sysfs
> attributes are used when crafting network interface names. Those
> lists are stored as hwdb entries
> ID_NET_NAME_ALLOW_<sysfsattr>=0|1
> and
> ID_NET_NAME_ALLOW=0|1.
>
> The goal is to avoid unexpected changes to interface names when the
> kernel is updated and new sysfs attributes become visible.
>
> * A new unit tpm2.target has been added to provide a synchronization
> point for units which expect the TPM hardware to be available. A new
> generator "systemd-tpm2-generator" has been added that will insert
> this target whenever it detects that the firmware has initialized a
> TPM, but Linux hasn't loaded a driver for it yet.
>
> * systemd-backlight now properly supports numbered devices which the
> kernel creates to avoid collisions in the leds subsystem.
>
> * systemd-hwdb update operation can be disabled with a new environment
> variable SYSTEMD_HWDB_UPDATE_BYPASS=1.
>
> systemd-hostnamed:
>
> * systemd-hostnamed now exposes the machine ID and boot ID via
> D-Bus. It also exposes the host's AF_VSOCK CID, if available.
>
> * systemd-hostnamed now provides a basic Varlink interface.
>
> * systemd-hostnamed exports the full data in os-release(5) and
> machine-info(5) via D-Bus and Varlink.
>
> * hostnamectl now shows the system's product UUID and hardware serial
> number if known.
>
> Network Management:
>
> * systemd-networkd now provides a basic Varlink interface.
>
> * systemd-networkd's ARP proxy support gained a new option to configure
> a private VLAN variant of the proxy ARP supported by the kernel under
> the name IPv4ProxyARPPrivateVLAN=.
>
> * systemd-networkd now exports the NamespaceId and NamespaceNSID
> properties via D-Bus and Varlink (which expose the inode and NSID of
> the network namespace the networkd instance manages).
>
> * systemd-networkd now supports IPv6RetransmissionTimeSec= and
> UseRetransmissionTime= settings in .network files to configure
> retransmission time for IPv6 neighbor solicitation messages.
>
> * networkctl gained new verbs 'mask' and 'unmask' for masking networkd
> configuration files such as .network files.
>
> * 'networkctl edit --runtime' allows editing volatile configuration
> under /run/systemd/network/.
>
> * The implementation behind TTLPropagate= network setting has been
> removed and the setting is now ignored.
>
> * systemd-network-generator will now pick up .netdev/.link/.network/
> networkd.conf configuration from system credentials.
>
> * systemd-networkd will now pick up wireguard secrets from
> credentials.
>
> * systemd-networkd's Varlink API now supports enumerating LLDP peers.
>
> * .link files now support new Property=, ImportProperty=,
> UnsetProperty= fields for setting udev properties on a link.
>
> * The various .link files that systemd ships for interfaces that are
> supposed to be managed by systemd-networkd only now carry a
> ID_NET_MANAGED_BY=io.systemd.Network udev property ensuring that
> other network management solutions honouring this udev property do
> not come into conflict with networkd, trying to manage these
> interfaces.
>
> * .link files now support a new ReceivePacketSteeringCPUMask= setting
> for configuring which CPUs to steer incoming packets to.
>
> * The [Network] section in .network files gained a new setting
> UseDomains=, which is a single generic knob for controlling the
> settings of the same name in the [DHCPv4], [DHCPv6] and
> [IPv6AcceptRA].
>
> * The 99-default.link file we ship by default (that defines the policy
> for all network devices to which no other .link file applies) now
> lists "mac" among AlternativeNamesPolicy=. This means that network
> interfaces will now by default gain an additional MAC-address based
> alternative device name. (i.e. enx…)
>
> systemd-nspawn:
>
> * systemd-nspawn now provides a /run/systemd/nspawn/unix-export/
> directory where the container payload can expose AF_UNIX sockets to
> allow them to be accessed from outside.
>
> * systemd-nspawn will tint the terminal background for containers in a
> blueish color. This can be controlled with the new --background=
> switch or the new $SYSTEMD_TINT_BACKGROUND environment variable.
>
> * systemd-nspawn gained support for the 'owneridmap' option for --bind=
> mounts to map the target directory owner from inside the container to
> the owner of the directory bound from the host filesystem.
>
> * systemd-nspawn now supports moving Wi-Fi network devices into a
> container, just like other network interfaces.
>
> systemd-resolved:
>
> * systemd-resolved now reads RFC 8914 EDE error codes provided by
> upstream DNS services.
>
> * systemd-resolved and resolvectl now support RFC 9460 SVCB and HTTPS
> records, as well as RFC 2915 NAPTR records.
>
> * resolvectl gained a new option --relax-single-label= to allow
> querying single-label hostnames via unicast DNS on a per-query basis.
>
> * systemd-resolved's Varlink IPC interface now supports resolving
> DNS-SD services as well as an API for resolving raw DNS RRs.
>
> * systemd-resolved's .dnssd DNS_SD service description files now
> support DNS-SD "subtypes" via the new SubType= setting.
>
> * systemd-resolved's configuration may now be reloaded without
> restarting the service (i.e. "systemctl reload systemd-resolved" is
> now supported).
>
> SSH Integration:
>
> * An sshd config drop-in has been added to allow ssh keys acquired via
> userdbctl (for example exposed by homed accounts) to be used for
> authorization of incoming SSH connections.
>
> * A small new unit generator "systemd-ssh-generator" has been added. It
> checks if the sshd binary is installed. If so, it binds it via
> per-connection socket activation to various sockets depending on the
> execution context:
>
> • If the system is run in a VM providing AF_VSOCK support, it
> automatically binds sshd to AF_VSOCK port 22.
>
> • If the system is invoked as a full-OS container and the container
> manager pre-mounts a directory /run/host/unix-export/, it will
> bind sshd to an AF_UNIX socket /run/host/unix-export/ssh. The
> idea is the container manager bind mounts the directory to an
> appropriate place on the host as well, so that the AF_UNIX socket
> may be used to easily connect from the host to the container.
>
> • sshd is also bound to an AF_UNIX socket
> /run/ssh-unix-local/socket, which may be used for ssh/sftp in a
> "sudo"-like fashion to access resources of other local users.
>
> • Via the kernel command line option "systemd.ssh_listen=" and the
> system credential "ssh.listen" sshd may be bound to additional,
> explicitly configured options, including AF_INET/AF_INET6 ports.
>
> In particular the first two mechanisms should make dealing with local
> VMs and full OS containers a lot easier, as SSH connections will
> *just* *work* from the host – even if no networking is available
> whatsoever.
>
> systemd-ssh-generator optionally generates a per-connection
> socket activation service file wrapping sshd. This is only done if
> the distribution does not provide one on its own under the name
> "sshd@.service". The generated unit only works correctly if the SSH
> privilege separation ("privsep") directory exists. Unfortunately
> distributions vary wildly where they place this directory. An
> incomplete list:
>
> • /usr/share/empty.sshd/ (new fedora)
> • /var/empty/
> • /var/empty/sshd/
> • /run/sshd/ (debian/ubuntu?)
>
> If the SSH privsep directory is placed below /var/ or /run/ care
> needs to be taken that the directory is created automatically at boot
> if needed, since these directories possibly or always come up
> empty. This can be done via a tmpfiles.d/ drop-in. You may use the
> "sshdprivsepdir" meson option provided by systemd to configure the
> directory, in case you want systemd to create the directory as needed
> automatically, if your distribution does not cover this natively.
>
> Recommendations to distributions, in order to make things just work:
>
> • Please provide a per-connection SSH service file under the name
> "sshd@.service".
>
> • Please move the SSH privsep dir into /usr/ (so that it is truly
> immutable on image-based operating systems, is strictly under
> package manager control, and never requires recreation if the
> system boots up with an empty /run/ or /var/).
>
> • As an extension of this: please consider following Fedora's lead
> here, and use /usr/share/empty.sshd/ to minimize needless
> differences between distributions.
>
> • If your distribution insists on placing the directory in /var/ or
> /run/ then please at least provide a tmpfiles.d/ drop-in to
> recreate it automatically at boot, so that the sshd binary just
> works, regardless in which context it is called.
>
> * A small tool "systemd-ssh-proxy" has been added, which is supposed to
> act as counterpart to "systemd-ssh-generator". It's a small plug-in
> for the SSH client (via ProxyCommand/ProxyUseFdpass) to allow it to
> connect to AF_VSOCK or AF_UNIX sockets. Example: "ssh vsock/4711"
> connects to a local VM with cid 4711, or "ssh
> unix/run/ssh-unix-local/socket" to connect to the local host via the
> AF_UNIX socket /run/ssh-unix-local/socket.
>
> systemd-boot and systemd-stub and Related Tools:
>
> * TPM 1.2 PCR measurement support has been removed from systemd-stub.
> TPM 1.2 is obsolete and – due to the (by today's standards) weak
> cryptographic algorithms it only supports – does not actually provide
> the security benefits it's supposed to provide. Given that the rest
> of systemd's codebase never supported TPM 1.2, the support has now
> been removed from systemd-stub as well.
>
> * systemd-stub will now measure its payload via the new EFI
> Confidential Computing APIs (CC), in addition to the pre-existing
> measurements to TPM.
>
> * confexts are loaded by systemd-stub from the ESP as well.
>
> * kernel-install gained support for --root= for the 'list' verb.
>
> * bootctl now provides a basic Varlink interface and can be run as a
> daemon via a template unit.
>
> * systemd-measure gained new options --certificate=, --private-key=,
> and --private-key-source= to allow using OpenSSL's "engines" or
> "providers" as the signing mechanism to use when creating signed
> TPM2 PCR measurement values.
>
> * ukify gained support for signing of PCR signatures via OpenSSL's
> engines and providers.
>
> * ukify now supports zboot kernels.
>
> * systemd-boot now supports passing additional kernel command line
> switches to invoked kernels via an SMBIOS Type #11 string
> "io.systemd.boot.kernel-cmdline-extra". This is similar to the
> pre-existing support for this in systemd-stub, but also applies to
> Type #1 Boot Loader Specification Entries.
>
> * systemd-boot's automatic SecureBoot enrollment support gained support
> for enrolling "dbx" too (Previously, only db/KEK/PK enrollment was
> supported). It also now supports UEFI "Custom" and "Audit" modes.
>
> * The pcrlock policy is saved in an unencrypted credential file
> "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the
> /loader/credentials/ directory. It will be picked up at boot by
> systemd-stub and passed to the initrd, where it can be used to unlock
> the root file system.
>
> * systemd-pcrlock gained an --entry-token= option to configure the
> entry-token.
>
> * systemd-pcrlock now provides a basic Varlink interface and can be run
> as a daemon via a template unit.
>
> * systemd-pcrlock's TPM nvindex access policy has been modified, this
> means that previous pcrlock policies stored in nvindexes are
> invalidated. They must be removed (systemd-pcrlock remove-policy) and
> recreated (systemd-pcrlock make-policy). For the time being
> systemd-pcrlock remains an experimental feature, but it is expected
> to become stable in the next release, i.e. v257.
>
> * systemd-pcrlock's --recovery-pin= switch now takes three values:
> "hide", "show", "query". If "show" is selected the automatically
> generated recovery PIN is shown to the user. If "query" is selected
> then the PIN is queried from the user.
>
> * sd-stub gained support for the new ".ucode" PE section in UKIs, that
> may contain CPU microcode data. When control is handed over to the
> Linux kernel this data is prepended to the set of initrds passed.
>
> systemd-run/run0:
>
> * systemd-run is now a multi-call binary. When invoked as 'run0', it
> provides an interface similar to 'sudo', with all arguments starting
> at the first non-option parameter being treated as the command to
> invoke as root. Unlike 'sudo' and similar tools, it does not make use
> of setuid binaries or other privilege escalation methods, but instead
> runs the specified command as a transient unit, which is started by
> the system service manager, so privileges are dropped, rather than
> gained, thus implementing a much more robust and safe security
> model. As usual, authorization is managed via Polkit.
>
> * systemd-run/run0 will now tint the terminal background on supported
> terminals: in a reddish tone when invoking a root service, in a
> yellowish tone otherwise. This may be controlled and turned off via
> the new --background= switch or the new $SYSTEMD_TINT_BACKGROUND
> environment variable.
>
> * systemd-run gained a new option '--ignore-failure' to suppress
> command failures.
>
> Command-line tools:
>
> * 'systemctl edit --stdin' allows creation of unit files and drop-ins
> with contents supplied via standard input. This is useful when creating
> configuration programmatically; the tool takes care of figuring out
> the file name, creating any directories, and reloading the manager
> afterwards.
>
> * 'systemctl disable --now' and 'systemctl mask --now' now work
> correctly with template units.
>
> * 'systemd-analyze architectures' lists known CPU architectures.
>
> * 'systemd-analyze --json=…' is supported for 'architectures',
> 'capability', 'exit-status'.
>
> * 'systemd-tmpfiles --purge' will purge (remove) all files and
> directories created via tmpfiles.d configuration.
>
> * systemd-id128 gained new options --no-pager, --no-legend, and
> -j/--json=.
>
> * hostnamectl gained '-j' as shortcut for '--json=pretty' or
> '--json=short'.
>
> * loginctl now supports -j/--json=.
>
> * resolvectl now supports -j/--json= for --type=.
>
> * systemd-tmpfiles gained a new option --dry-run to print what would be
> done without actually taking action.
>
> * varlinkctl gained a new --collect switch to collect all responses of
> a method call that supports multiple replies and turns it into a
> single JSON array.
>
> * systemd-dissect gained a new --make-archive option to generate an
> archive file (tar.gz and similar) from a disk image.
>
> systemd-vmspawn:
>
> * systemd-vmspawn gained a new --firmware= option to configure or list
> firmware definitions for Qemu, a new --tpm= option to enable or
> disable the use of a software TPM, a new --linux= option to specify a
> kernel binary for direct kernel boot, a new --initrd= option to
> specify an initrd for direct kernel boot, a new -D/--directory option
> to use a plain directory as the root file system, a new
> --private-users option similar to the one in systemd-nspawn, new
> options --bind= and --bind-ro= to bind part of the host's file system
> hierarchy into the guest, a new --extra-drive= option to attach
> additional storage, and -n/--network-tap/--network-user-mode to
> configure networking.
>
> * A new systemd-vmspawn@.service can be used to launch systemd-vmspawn
> as a service.
>
> * systemd-vmspawn gained the new --console= and --background= switches
> that control how to interact with the VM. As before, by default an
> interactive terminal interface is provided, but now with a background
> tinted with a greenish hue.
>
> * systemd-vmspawn can now register its VMs with systemd-machined,
> controlled via the --register= switch.
>
> * machinectl's start command (and related) can now invoke images either
> as containers via `systemd-nspawn` (switch is --runner=nspawn, the
> default) or as VMs via `systemd-vmspawn` (switch is --runner=vmspawn,
> or short -V).
>
> * systemd-vmspawn now supports two switches --pass-ssh-key= and
> --ssh-key-type= to optionally set up transient SSH keys to pass to the
> invoked VMs in order to be able to SSH into them once booted.
>
> * systemd-vmspawn will now enable various "HyperV enlightenments" and
> the "VM Generation ID" on the VMs.
>
> * A new environment variable $SYSTEMD_VMSPAWN_QEMU_EXTRA may carry
> additional qemu command line options to pass to qemu.
>
> * systemd-machined gained a new GetMachineSSHInfo() D-Bus method that is
> used by systemd-vmspawn to fetch the information needed to ssh into the
> machine.
>
> * systemd-machined gained a new Varlink interface that is used by
> systemd-vmspawn to register machines with additional information and
> metadata.
>
> systemd-repart:
>
> * systemd-repart gained new options --generate-fstab= and
> --generate-crypttab= to write out fstab and crypttab files matching the
> generated partitions.
>
> * systemd-repart gained a new option --private-key-source= to allow
> using OpenSSL's "engines" or "providers" as the signing mechanism to
> use when creating verity signature partitions.
>
> * systemd-repart gained a new DefaultSubvolume= setting in repart.d/
> drop-ins that allow configuring the default btrfs subvolume for newly
> formatted btrfs file systems.
>
> Libraries:
>
> * libsystemd gained new call sd_bus_creds_new_from_pidfd() to get a
> credentials object for a pidfd and sd_bus_creds_get_pidfd_dup() to
> retrieve the pidfd from a credentials object.
>
> * sd-bus' credentials logic will now also acquire peer's UNIX group
> lists and peer's pidfd if supported and requested.
>
> * RPM macro %_kernel_install_dir has been added with the path
> to the directory for kernel-install plugins.
>
> * The liblz4, libzstd, liblzma, libkmod, libgcrypt dependencies have
> been changed from regular shared library dependencies into dlopen()
> based ones.
>
> Note that this means that those libraries might not be automatically
> pulled in when ELF dependencies are resolved. In particular lack of
> libkmod might cause problems with boot. This affects dracut <= 101,
> see https://github.com/dracut-ng/dracut-ng/commit/04b362d713235459cf.
>
> * systemd ELF binaries that use libraries via dlopen() are now built with
> a new ELF header note section, following a new specification defined at
> docs/ELF_DLOPEN_METADATA.md, that provides information about which
> sonames are loaded and used if found at runtime. This allows tools and
> packagers to programmatically discover the list of optional
> dependencies used by all systemd ELF binaries. A parser with packaging
> integration tools is available at
> https://github.com/systemd/package-notes
>
> * The sd-journal API gained a new call
> sd_journal_stream_fd_with_namespace() which is just like
> sd_journal_stream_fd() but creates a log stream targeted at a
> specific log namespace.
>
> * The sd-id128 API gained a new API call
> sd_id128_get_invocation_app_specific() for acquiring an app-specific
> ID that is derived from the service invocation ID.
>
> * The sd-event API gained a new API call
> sd_event_source_get_inotify_path() that returns the file system path
> an inotify event source was created for.
>
> systemd-cryptsetup/systemd-cryptenroll:
>
> * The device node argument to systemd-cryptenroll is now optional. If
> omitted it will be derived automatically from the backing block
> device of /var/ (which quite likely is the same as the root file
> system, hence effectively means if you don't specify things otherwise
> the tool will now default to enrolling a key into the root file
> system's LUKS device).
>
> * systemd-cryptenroll can now enroll directly with a PKCS11 public key
> (instead of a certificate).
>
> * systemd-cryptsetup/systemd-cryptenroll now may lock a disk against a
> PKCS#11 provided EC key (before it only supported RSA).
>
> * systemd-cryptsetup gained support for crypttab option
> link-volume-key= to link the volume key into the kernel keyring when
> the volume is opened.
>
> * systemd-cryptenroll will no longer enable Dictionary Attack
> Protection (i.e. turn on NO_DA) for TPM enrollments that do not
> involve a PIN. DA should not be necessary in that case (since key
> entropy is high enough to make this unnecessary), but risks
> accidental lock-out in case of unexpected PCR changes.
>
> * systemd-cryptenroll now supports enrolling a new slot while unlocking
> the old slot via TPM2 (previously unlocking only worked via password
> or FIDO2).
>
> Documentation:
>
> * The remaining documentation that was on
> https://freedesktop.org/wiki/Software/systemd/ has been moved to
> https://systemd.io/.
>
> * A new text describing the VM integration interfaces of systemd has
> been added:
>
> https://systemd.io/VM_INTERFACE
>
> * The sd_notify() man page has gained examples with C and Python code
> that shows how to implement the interface in those languages without
> involving libsystemd.
>
> systemd-homed, systemd-logind, systemd-userdbd:
>
> * systemd-homed now supports unlocking of home directories when logging
> in via SSH. Previously home directories needed to be unlocked before
> an SSH login was attempted.
>
> * JSON User Records have been extended with a separate public storage
> area called "User Record Blob Directories". This is intended to store
> the user's background image, avatar picture, and other similar items
> which are too large to fit into the User Record itself.
>
> systemd-homed, userdbctl, and homectl gained support for blob
> directories. homectl gained --avatar= and --login-background= to
> control two specific items of the blob directories.
>
> * A new "additionalLanguages" field has been added to JSON user records
> (as supported by systemd-homed and systemd-userdbd), which is closely
> related to the pre-existing "preferredLanguage", and allows
> specifying multiple additional languages for the user account. It is
> used to initialize the $LANGUAGES environment variable when used.
>
> * A new pair of "preferredSessionType" and "preferredSessionLauncher"
> fields have been added to JSON user records, that may be used to
> control which kind of desktop session to preferably activate on
> logins of the user.
>
> * homectl gained a new verb 'firstboot', and a new
> systemd-homed-firstboot.service unit uses this verb to create users
> in a first boot environment, either from system credentials or by
> querying interactively.
>
> * systemd-logind now supports a new "background-light" session class
> which does not pull in the user@.service unit. This is intended in
> particular for lighter weight per-user cron jobs which do require any
> per-user service manager to be around.
>
> * The per-user service manager will now be tracked as a distinct "manager"
> session type among logind sessions of each user.
>
> * homectl now supports an --offline mode, by which certain account
> properties can be changed without unlocking the home directory.
>
> * systemd-logind gained a new
> org.freedesktop.login1.Manager.ListSessionsEx() method that provides
> additional metadata compared to ListSessions(). loginctl makes use of
> this to list additional fields in list-sessions.
>
> * systemd-logind gained a new org.freedesktop.login1.Manager.Sleep()
> method that automatically redirects to SuspendThenHibernate(),
> Suspend(), HybridSleep(), or Hibernate(), depending on what is
> supported and configured, a new configuration setting SleepOperation=,
> and an accompanying helper method
> org.freedesktop.login1.Manager.CanSleep() and property
> org.freedesktop.login1.Manager.SleepOperation.
>
> 'systemctl sleep' calls the new method to automatically put the
> machine to sleep in the most appropriate way.
>
> Credential Management:
>
> * systemd-creds now provides a Varlink IPC API for encrypting and
> decrypting credentials.
>
> * systemd-creds' "tpm2-absent" key selection has been renamed to
> "null", since that's what it actually does: "encrypt" and "sign"
> with a fixed null key. --with-key=null should only be used in very
> specific cases, as it provides zero integrity or confidentiality
> protections. (i.e. it's only safe to use as fallback in environments
> lacking both a TPM and access to the root fs to use the host
> encryption key, or when integrity is provided some other way.)
>
> * systemd-creds gained a new switch --allow-null. If specified, the
> "decrypt" verb will decode encrypted credentials that use the "null"
> key (by default this is refused, since using the "null" key defeats
> the authenticated encryption normally done).
>
> Suspend & Hibernate:
>
> * The sleep.conf configuration file gained a new MemorySleepMode=
> setting for configuring the sleep mode in more detail.
>
> * A tiny new service systemd-hibernate-clear.service has been added
> which clears hibernation information from the HibernateLocation EFI
> variable, in case the resume device is gone. Normally, this variable
> is supposed to be cleaned up by the code that initiates the resume
> from hibernation image. But when the device is missing and that code
> doesn't run, this service will now do the necessary work, ensuring
> that no outdated hibernation image information remains on subsequent
> boots.
>
> Unprivileged User Namespaces & Mounts:
>
> * A small new service systemd-nsresourced.service has been added. It
> provides a Varlink IPC API that assigns a free, transiently allocated
> 64K UID/GID range to an uninitialized user namespace a client
> provides. It may be used to implement unprivileged container managers
> and other programs that need dynamic user ID ranges. It also provides
> interfaces to then delegate mount file descriptors, control groups
> and network interfaces to user namespaces set up this way.
>
> * A small new service systemd-mountfsd.service has been added. It
> provides a Varlink IPC API for mounting DDI images, and returning a set
> of mount file descriptors for it. If a user namespace fd is provided
> as input, then the mounts are registered with the user namespace. To
> ensure trust in the image it must provide Verity information (or
> alternatively interactive polkit authentication is required).
>
> * The systemd-dissect tool now can access DDIs fully unprivileged by
> using systemd-nsresourced/systemd-mountfsd.
>
> * If the service manager runs unprivileged (i.e. systemd --user) it now
> supports RootImage= for accessing DDI images, also implemented via
> the systemd-nsresourced/systemd-mountfsd.
>
> * systemd-nspawn may now operate without privileges, if a suitable DDI
> is provided via --image=, again implemented via
> systemd-nsresourced/systemd-mountfsd.
>
> Other:
>
> * timedatectl and machinectl gained option '-P', an alias for
> '--value --property=…'.
>
> * Various tools that pretty-print config files will now highlight
> configuration directives.
>
> * varlinkctl gained support for the "ssh:" transport. This requires
> OpenSSH 9.4 or newer.
>
> * systemd-sysext gained support for enabling system extensions in
> mutable fashion, where a writeable upperdir is stored under
> /var/lib/extensions.mutable/, and a new --mutable= option to
> configure this behaviour. An "ephemeral" mode is not also supported
> where the mutable layer is configured to be a tmpfs that is
> automatically released when the system extensions are reattached.
>
> * Coredumps are now retained for two weeks by default (instead of three
> days, as before).
>
> * portablectl --copy= parameter gained a new 'mixed' argument, that will
> result in resources owned by the OS (e.g. portable profiles) being linked
> but resources owned by the portable image (e.g. the unit files and the
> images themselves) being copied.
>
> * systemd will now register MIME types for various of its file types
> (e.g. journal files, DDIs, encrypted credentials …) via the XDG
> shared-mime-info infrastructure. (Files of these types will thus be
> recognized as their own thing in desktop file managers such as GNOME
> Files.)
>
> * systemd-dissect will now show the detected sector size of a given DDI
> in its default output.
>
> * systemd-portabled now generates recognizable structured log messages
> whenever a portable service is attached or detached.
>
> * Verity signature checking in userspace (i.e. checking against
> /etc/verity.d/ keys) when activating DDIs can now be turned on/off
> via a kernel command line option systemd.allow_userspace_verity= and
> an environment variable SYSTEMD_ALLOW_USERSPACE_VERITY=.
>
> * ext4/xfs file system quota handling has been reworked, so that
> quotacheck and quotaon are now invoked as per-file-system templated
> services (as opposed to single system-wide singletons), similar in
> style to the fsck, growfs, pcrfs logic. This means file systems with
> quota enabled can now be reasonably enabled at runtime of the system,
> not just at boot.
>
> * "systemd-analyze dot" will now also show BindsTo= dependencies.
>
> * systemd-debug-generator gained the ability to add in arbitrary units
> based on them being passed in via system credentials.
>
> * A new kernel command-line option systemd.default_debug_tty= can be
> used to specify the TTY for the debug shell, independently of
> enabling or disabling it.
>
> * portablectl gained a new --clean switch that clears a portable
> service's data (cache, logs, state, runtime, fdstore) when detaching
> it.
>
> Contributions from: A S Alam, AKHIL KUMAR,
> Abraham Samuel Adekunle, Adrian Vovk, Adrian Wannenmacher,
> Alan Liang, Alberto Planas, Alexander Zavyalov, Anders Jonsson,
> Andika Triwidada, Andres Beltran, Andrew Sayers,
> Antonio Alvarez Feijoo, Arian van Putten, Arthur Zamarin,
> Artur Pak, AtariDreams, Benjamin Franzke, Bernhard M. Wiedemann,
> Black-Hole1, Bryan Jacobs, Burak Gerz, Carlos Garnacho,
> Chandra Pratap, Chris Hofstaedtler, Chris Packham, Chris Simons,
> Christian Göttsche, Christian Wesselhoeft, Clayton Craft,
> Colin Geniet, Colin Walters, Colin Watson, Costa Tsaousis,
> Cristian Rodríguez, Daan De Meyer, Damien Challet, Dan Streetman,
> Daniel Winzen, Daniele Medri, David Seifert, David Tardon,
> David Venhoek, Diego Viola, Dionna Amalie Glaze,
> Dmitry Konishchev, Dmitry V. Levin, Edson Juliano Drosdeck,
> Eisuke Kawashima, Eli Schwartz, Emanuele Giuseppe Esposito,
> Eric Daigle, Evgeny Vereshchagin, Felix Riemann,
> Fernando Fernandez Mancera, Florian Fainelli, Florian Schmaus,
> Franck Bui, Frantisek Sumsal, Friedrich Altheide,
> Gabríel Arthúr Pétursson, Gaël Donval, Georges Basile Stavracas Neto,
> Gerd Hoffmann, GNOME Foundation, Guido Leenders,
> Guilhem Lettron, Göran Uddeborg, Hans de Goede, Harald Brinkmann,
> Heinrich Schuchardt, Helmut Grohne, Henry Li, Heran Yang,
> Holger Assmann, Ivan Kruglov, Ivan Shapovalov, Jakub Sitnicki,
> James Muir, Jan Engelhardt, Jan Macku, Jarne Förster, Jeff King,
> Jian-Hong Pan, JmbFountain, Joakim Nohlgård, Jonathan Conder,
> Julius Alexandre, Jörg Behrmann, Kai Lueke, Kamil Szczęk,
> KayJay7, Keian, Kirk, Kristian Klausen, Krzesimir Nowak,
> Lain "Fearyncess" Yang, Lars Ellenberg, Lennart Poettering,
> Leonard, Luca Boccassi, Lucas Salles, Ludwig Nussel,
> Lukáš Nykrýn, Luna Jernberg, Luxiter, Maanya Goenka,
> Maciej S. Szmigiero, Mariano Giménez, Markus Merklinger,
> Martin Ivicic, Martin Srebotnjak, Martin Trigaux, Martin Wilck,
> Mathias Lang, Matt Layher, Matt Muggeridge, Matteo Croce,
> Matthias Lisin, Max Gautier, Max Staudt, MaxHearnden,
> Michael Biebl, Michal Koutný, Michal Sekletár, Michał Kopeć,
> Mike Gilbert, Mike Yuan, Mikko Ylinen, MkfsSion, Moritz Sanft,
> MrSmör, Nandakumar Raghavan, Nicholas Little, Nick Cao,
> Nick Rosbrook, Nicolas Bouchinet, Norbert Lange,
> Ole Peder Brandtzæg, Ondrej Kozina, Oğuz Ersen,
> Pablo Méndez Hernández, Pierre GRASSER, Piotr Drąg, QuonXF,
> Radoslav Kolev, Rafaël Kooi, Raito Bezarius, Rasmus Villemoes,
> Reid Wahl, Renjaya Raga Zenta, Richard Maw, Roland Hieber,
> Ronan Pigott, Rose, Ross Burton, Saliba-san, Sam Leonard,
> Samuel BF, Sarvajith Adyanthaya, Scrambled 777,
> Sebastian Pucilowski, Sergei Zhmylev, Sergey A, Shulhan,
> SidhuRupinder, Simon Fowler, Skia, Sludge, Stuart Hayhurst,
> Susant Sahani, Takashi Sakamoto, Temuri Doghonadze, Thayne McCombs,
> Thilo Fromm, Thomas Blume, Tiago Rocha Cunha, Timo Rothenpieler,
> TobiPeterG, Tobias Fleig, Tomáš Pecka, Topi Miettinen,
> Tycho Andersen, Unique-Usman, Usman Akinyemi, Vasiliy Kovalev,
> Vasiliy Stelmachenok, Victor Berchet, Vishal Chillara Srinivas,
> Vitaly Kuznetsov, Vito Caputo, Vladimir Stoiakin, Werner Sembach,
> Will Springer, Winterhuman, Xiaotian Wu, Yu Watanabe,
> Yuri Chornoivan, Zbigniew Jędrzejewski-Szmek, Zmyeir, anphir,
> aslepykh, chenjiayi, cpackham-atlnz, cunshunxia, djantti, drewbug,
> hanjinpeng, hfavisado, hulkoba, hydrargyrum, ksaleem, mburucuyapy,
> medusalix, mille-feuille, mkubiak, mooo, msizanoen, networkException,
> nl6720, r-vdp, runiq, sam-leonard-ct, samuelvw01, sharad3001, spdfnet,
> sushmbha, wangyuhang, zeroskyx, zzywysm, İ. Ensar Gülşen,
> Łukasz Stelmach, Štěpán Němec, 我超厉害, 김인수
>
> — Edinburgh, 2024-06-11
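The announcement's Documentation section mentions that the sd_notify() man page now carries C and Python examples of speaking the notification protocol without linking libsystemd. The block below is an added example written for this page (it is not the systemd project's code nor the man page's sample) that does the same in Python: it implements the documented wire format (newline-separated KEY=VALUE assignments sent as one datagram to the AF_UNIX socket named by $NOTIFY_SOCKET, with a leading '@' meaning an abstract-namespace socket) and pairs it with a small receiver so the exchange can be run and checked offline. The socket path under a temporary directory and the READY/STATUS/MAINPID message are constructed for the demonstration.

```python
"""sd_notify(3) without libsystemd, plus a small receiver for testing.

Added example; not code from the systemd project or from the
announcement. Protocol (as documented in sd_notify(3)): the service
manager exports $NOTIFY_SOCKET, the path of an AF_UNIX datagram socket
(a leading '@' marks an abstract-namespace socket), and the service
sends newline-separated KEY=VALUE assignments such as READY=1.
The socket path and the messages below are constructed for the demo.
"""
import os
import socket
import tempfile
from typing import Dict, Optional


def sd_notify(state: str, notify_socket: Optional[str] = None) -> bool:
    """Send one notification datagram.

    Returns False when no notification socket is configured: a service
    that was not started with a notify socket simply has nothing to
    talk to, and that is not an error.
    """
    path = notify_socket if notify_socket is not None else os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    if path[0] not in ("/", "@"):
        raise ValueError("NOTIFY_SOCKET must be an absolute or abstract path")
    if path[0] == "@":
        # Abstract socket: the leading '@' stands for a NUL byte.
        path = "\0" + path[1:]
    payload = state.encode("utf-8")
    if not payload.endswith(b"\n"):
        payload += b"\n"
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(path)
        sock.send(payload)  # one datagram carries the whole state
    return True


def parse_notify_message(data: bytes) -> Dict[str, str]:
    """Split one datagram into fields the way a manager would.

    Empty lines and lines without '=' are ignored rather than treated
    as fatal, so a confused client cannot take down the receiver.
    """
    fields: Dict[str, str] = {}
    for line in data.split(b"\n"):
        key, sep, value = line.partition(b"=")
        if not sep or not key:
            continue
        fields[key.decode("ascii", "replace")] = value.decode("utf-8", "replace")
    return fields


def demo() -> Dict[str, str]:
    """Bind a receiver socket, notify it as a service would, return the fields."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the path a service manager would export.
        path = os.path.join(tmp, "notify")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as server:
            server.bind(path)
            server.settimeout(5)
            sd_notify("READY=1\nSTATUS=Listening on port 8080\nMAINPID=%d" % os.getpid(), path)
            data, _ = server.recvfrom(4096)
    return parse_notify_message(data)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s=%s" % (key, value))
```

Two things worth keeping in mind when using this against a real service manager rather than the toy receiver: the manager checks the sending process's credentials and only honours messages from processes it associates with the unit according to NotifyAccess= (so a stray process writing READY=1 to the socket is ignored), and the client needs write access to the socket node, which is why the path is normally handed down through the environment of the service itself rather than discovered.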