From 195d181ca4d765f394b89ae5f2511381b224ba1d Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 26 Nov 2021 09:06:23 +0100 Subject: [PATCH] NEWS: start with an entry for v250 --- NEWS | 606 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 605 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 7dbf2bdeb09..a0f8c8be4c5 100644 --- a/NEWS +++ b/NEWS 
@@ -1,5 +1,609 @@ systemd System and Service Manager +CHANGES WITH 250 in spe: + + * Support for encrypted and authenticated credentials has been + added. This extends the credentials logic introduced with v247 to + support non-interactive symmetric encryption and authentication, + based on a key that is stored on the /var/ file system or in the TPM2 + chip (if available), or the combination of both (by default if a TPM2 + chip exists the combination is used, otherwise the /var/ key + only). The credentials are automatically decrypted at the moment a + service is started, and are made accessible to the service itself in + unencrypted form. A new tool `systemd-creds` has been added to + encrypt credentials for this purpose, and two new service file + settings LoadCredentialEncrypted= and SetCredentialEncrypted= have + been added to configure encrypted credentials prepared that way. This + feature is useful for ensuring sensitive material such as SSL + certificates, passwords and similar are stored securely when at rest + and only decrypted when needed, and in a way that can be reproduced + only on the local OS installation and hardware. + + * systemd-gpt-auto-generator can now automatically set up discoverable + LUKS2 encrypted swap partitions. + + * The GPT Discoverable Partitions Specification has been updated + substantially to support Root and /usr/ partitions for the majority + of architectures systemd supports. This include platforms that do not + natively support UEFI. Even though GPT is specified under UEFI + umbrella its useful on other systems too. Specifically, + systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and + Portable Services make heavy use of the concept, none of which are + specific to UEFI. + + * The GPT Discoverable Partitions Specifications has learnt a new set + of partitions that may carry PKCS#7 signatures for Verity partitions, + encoded in a simple JSON format. 
This implements a simple mechanism + for building disk images that are fully authenticated and can be + tested against a set of cryptographic certificates. This is now + implemented for the various systemd tools that can operate with disk + images, such as systemd-nspawn, systemd-sysext, systemd-dissect, + Portable services/RootImage=, systemd-tmpfiles, systemd-sysusers, and + so on. The PKCS#7 signatures are passed to the kernel (where they are + checked against certificates from the kernel keyring), or can be + verified against certificates provided in userspace (via a simple + drop-in file mechanism). + + * systemd-dissect's inspection logic will now report for which uses a + disk image is intended. Specifically, it will display whether an + image is suitable for booting on UEFI or in a container (using + systemd-nspawn's --image= switch), whether it can be used as portable + service, or attached as system extension. + + * The system-extension.d/ drop-in files now support a new field + SYSEXT_SCOPE= that may encode which purpose a system extension image + is for: one of "initrd", "system" or "portable". This is useful to + make images more self-descriptive, and to ensure system extensions + cannot be attached in the wrong contexts. + + * The os-release file learnt a new PORTABLE_PREFIXES= field which may + be used in portable service images to indicate which unit prefixes + are supported. + + * The GPT image dissection logic in systemd-nspawn/systemd-dissect/… + now is able to decode images for non-native architectures as well. + + * systemd-logind gained a new settings HandlePowerKeyLongPress=, + HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and + HandleHibernateKeyLongPress= which may be used to configure actions + when the relevant keys are pressed for more than 5s. This is useful + on devices that only have hardware for a subset of these keys. 
By + default, if the reboot key is pressed long the poweroff operation is + now triggered, and when the suspend key is pressed long the hibernate + operation is triggered. Long pressing the other two keys currently + does not trigger any operation by default. + + * When showing unit status updates on the console during boot and + shutdown, and a service is slow to start so that the KITT animation + is shown, the most recent sd_notify() STATUS= text is now shown as + well. Services may use this to make the boot/shutdown output easier + to understand, and to indicate what precisely a service that is slow + to start or stop is waiting for. Specifically, the per-user service + manager instance now reports what it is doing and which service it is + waiting for this way to the system service manager. + + * The service manager will now re-execute on reception of the + SIGRTMIN+25 signal. It previously already did that on SIGTERM — but + only when running as PID 1. There was no signal to request this when + running as per-user service manager, i.e. as any other PID than + 1. SIGRTMIN+25 will work in any case, i.e. both as system and user + service manager. + + * The hardware watchdog logic in PID 1 gained support for operating + with the default timeout configured in the hardware, instead of + insisting on re-configuring it. Set RuntimeWatchdogSec=default to + request this behavior. + + * A new kernel command line option systemd.watchdog_sec= is now + understood which may be used to override the hardware watchdog + time-out for the boot. + + * A new setting DefaultOOMScoreAdjust= is now supported in + /etc/systemd/system.conf + /etc/systemd/user.conf that may be used to + set the default process OOM score adjustment value for processes + forked off the service manager. For per-user service managers this + now defaults to 100, but for per-system service managers is left as + is. 
This means that by default now services forked off the user + service manager are more likely to be killed by the OOM killer than + system services or the managers themselves. + + * A new per-service setting RestrictFileSystems= as been added that + restricts the file systems a service has access to by their + type. This is based on the new BPF LSM of the Linux kernel. This is + an effective way to make certain API file systems unavailable to + services (and thus minimizing attack surface). A new command + "systemd-analyze filesystems" has been added that lists all known + file system types (and how they are grouped together under useful + group handles). + + * Services now support a new setting RestrictNetworkInterfaces= for + restricting access to specific network interfaces. + + * New service unit files gained new settings StartupAllowedCPUs= and + StartupAllowedMemoryNodes=. These are similar to their counterparts + without the "Startup" prefix and apply during the boot process + only. This is useful to improve boot-time behavior of the system and + assign resources differently during boot than during regular + runtime. This is similar to the preexisting StartupCPUWeight= + vs. CPUWeight. + + * Related to this: the various StartupXYZ= settings + (i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied + during shutdown. The settings not prefixed with "Startup" hence apply + during regular runtime, and those that are prefixed like that apply + during boot and shutdown. + + * The per-user service manager learnt support for communicating with + systemd-oomd to acquire OOM kill information. + + * A new service setting ExecSearchPath= has been added that allows + changing the search path for executables for services. It affects how + the binaries specified in ExecStart= and similar are searched and + also affects the $PATH environment variable passed to invoked + processes. 
+ + * A new setting RuntimeRandomizedExtraSec= has been added for service + and scope units that allows extending the runtime time-out as + configured by RuntimeMaxSec= with a randomized amount. + + * The syntax of the service unit settings RuntimeDirectory=, + StateDirectory=, CacheDirectory=, LogsDirectory= has been extended: + if the specified string is now suffixed with a colon, followed by + another filename, the latter will be created as symbolic link to the + specified directory. This allows creating these service directories + together with alias symlinks to make them available under multiple + names. + + * Service unit files gained two new settings TTYRows=/TTYColumns= for + configuring rows/columns of the TTY device passed to + stdin/stdout/stderr of the service. This is useful to propagate TTY + dimensions from another environment. + + * A new service unit file setting ExitType= has been added, that allows + configuring when precisely to assume a service has exited. By default + systemd watches the main process of a service only to determine its + lifetime. By setting ExitType=cgroup it can be told to wait for the + last process in a cgroup instead. + + * Automount unit files gained a new setting ExtraOptions= that can be + used to configure additional mount options to pass to the kernel when + mounting the autofs instance. + + * "Urlification" (i.e. generation of ESC sequences that generate + clickable hyperlinks in modern terminals) may now be turned off + altogether during build-time. + + * The tpm2/fido2/pkcs11 support in systemd-cryptsetup is now also built + as plug-in for upstream cryptsetup. This means plain cryptsetup may + now be used to unlock volumes set up this way. + + * The TPM2 logic in cryptsetup will now automatically detect systems + where the TPM2 chip supports SHA256 PCR banks but the firmware only + updates the SHA1 banks. In such a case PCR policies will be + automatically bound to the latter, not the former. 
This makes the PCR + policies reliable, but of course do not provide the same level of + trust as SHA256 banks. + + * The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports + RSA primary keys in addition to ECC, improving compatibility with + TPM2 chips that do not support ECC. RSA keys are much slower to use + than ECC, and hence are only used if ECC is not available. + + * /etc/crypttab gained support for a new token-timeout= setting for + encrypted volumes that allow configuration of a maximum time to wait + for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses the + logic will query the user for a regular passphrase/recovery key + instead. + + * Support for activating dm-integrity volumes at boot via a new file + /etc/integritytab and a tool systemd-integritysetup has been + added. This behaves similar to the existing /etc/crypttab and + /etc/veritytab, but deals with dm-integrity instead of + dm-crypt/dm-verity. + + * The systemd-veritysetup-generator now understands a new usrhash= + kernel command line option for specifying the Verity root hash for + the partition backing the /usr/ file system. A matching set of + systemd.verity_usr_* kernel command line options has been added as + well. These all work similar to the corresponding options for the + root partition. + + * The sd-device API gained a new API call sd_device_get_diskseq() to + return the DISKSEQ property of a device structure. The "disk + sequence" concept is a new feature recently introduced to the Linux + kernel that allows detecting reuse cycles of block devices, i.e. can + be used to recognize when loopback block devices are reused for a + different purpose or CD-ROM drives get their media changed. + + * A new unit systemd-boot-update.service has been added. If enabled + (the default) and the sd-boot loader is detected to be installed, it + is automatically updated to the newest version if it's out of + date. 
This is useful to ensure the boot loader remains up-to-date, + and updates automatically propagate from the OS tree in /usr/. + + * A new generic target unit factory-reset.target has been added. It is + hooked into systemd-logind similar in fashion to + reboot/poweroff/suspend/hibernate, and is supposed to be used to + initiate a factory reset operation. What precisely this operation + entails is up for the implementer to decide, the primary goal of the + new unit is provide a framework where to plug in the implementation + and how to trigger it. + + * A new meson build-time option 'clock-valid-range-usec-max' has been + added which takes a time in µs and defaults to 15 years. If the RTC + time is noticed to be more than the specified time ahead of the + built-in epoch of systemd (which by default is the release timestamp + of systemd) it is assumed that the RTC is not working correctly, and + the RTC is reset to the epoch. (It already is reset to the epoch when + noticed to be before it.) This should increase the chance that time + doesn't accidentally jump too far ahead due to faulty hardware or + batteries. + + * .network files gained a new UplinkInterface in the [IPv6SendRA] + section, for automatically propagating DNS settings from other + interfaces. + + * The static lease DHCP server logic in systemd-networkd may now serve + IP addresses outside of the configured IP pool range for the server. + + * A new setting SaveIntervalSec= has been added to systemd-timesyncd, + which may be used to automatically save the current system time to + disk in regular intervals. This is useful to maintain a roughly + monotonic clock even without RTC hardware and with some robustness + against abnormal system shutdown. + + * CAN support in systemd-networkd gained four new settings Loopback=, + OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN + control modes. It gained a number of further settings for tweaking + CAN timing quanta. 
+ + * DHCPv4 client support in systemd-networkd learnt a new Label= option + for configuring the address label to apply to configure IPv4 + addresses. + + * The various systemd-networkd "ethtool" buffer settings now understand + the special value "max" to configure the buffers to the maximum the + hardware supports. + + * systemd-networkd's .link files may now configure a large variety of + NIC coalescing settings, plus more hardware offload settings. + + * systemd-analyze verify gained support for a pair of new --image= + + --root= switches for verifying units below a specific root + directory/image instead of on the host. + + * systemd-analyze verify gained support for verifying unit files under + an explicitly specified unit name, independently of what the filename + actually is. + + * The [IPv6AcceptRA] section of .network files gained support for a new + UseMTU= setting that may be used to control whether to apply the + announced MTU settings to the local interface. + + * systemd-networkd now ships with another default .network file: + 80-container-vb.network. It matches host-side network bridge device + created by systemd-nspawn's --network-bridge or --network-zone + switch. + + * .link files gained a new WakeOnLanPassword= setting in the [Link] + section that allows to specify a WoL "SecureOn" password on hardware + that supports this. + + * DHCPv6 Prefix Delegation gained new settings UplinkInterface= and + UseDelegatedPrefix= for configuring how to propagate delegated + prefixes between uplink and downlink interfaces. + + * The [IPv6AcceptRA] section of .network files now understands two new + settings UseGateway=/UseRoutePrefix= for explicitly configuring + whether to use the relevant fields from the IPv6 Router Advertisement + records. + + * The [CAKE] section of .network files gained a new setting + AutoRateIngress= for controlling automatic capacity estimation for + CAKE. 
+ + * IPv6 tokens configured in .network files may now optionally take a + secret key (i.e. Token=prefixstable:…) + + * A new SuppressInterfaceGroup= setting has been added to the + [RoutingPolicyRule] section of .network files. + + * The IgnoreCarrierLoss= setting in the [Network] section of .network + files now accepts a duration to be specified, controlling how time to + wait before no longer ignoring carrier losses. + + * systemd-analyze verify gained a new switch --recursive-errors= which + controls whether to only fail on errors found in the specified units + or recursively any dependent units. + + * systemd-analyze security now supports a new --offline mode for + analyzing unit files stored on disk instead of loaded units. It may + be combined with --root=/--image to analyze unit files container in a + root directory or disk image. It also learnt a new --threshold= + parameter for specifying an exposure level threshold: if the exposure + level exceeds the specified value the call will fail. It also gained + a new --security-policy= switch for configuring security policies to + enforce on the units. A policy is a JSON file that lists which tests + shall be weighted how much to determine the overall exposure + level. It also gained a new --json= switch for generating JSON + output. Altogether these new features are useful for fully automatic + analysis and enforcement of security policies on unit files. + + * systemd-analyze learnt a new --quiet switch for reducing + non-essential output. It's honored by the "dot", "syscall-filter", + "filesystems" commands. + + * systemd-nspawn's --setenv= switch now supports an additional syntax: + if only a variable name is specified (i.e. without being suffixed by + a '=' character and a value) the current value of the environment + variable is propagated to the container. e.g. --setenv=FOO will + lookup the current value of $FOO in the environment, and pass it down + to the container. 
Similar behavior has been added to homectl's, + machinectl's and systemd-run's --setenv= switch. + + * systemd-nspawn gained a new switch --suppress-sync= which may be used + to optionally suppress the effect of the sync()/fsync()/fdatasync() + system calls for the container payload. This is useful for build + system environments where safety against abnormal system shutdown is + not essential as all build artifacts can be regenerated any time, but + the performance win is beneficial. + + * systemd-nspawn will now raise RLIMIT_NOFILE's hard limit to the same + value that PID 1 raises it for most forked off processes. + + * systemd-nspawn's --bind=/--bind-ro= switches now optionally take + uidmap/nouidmap options as last parameter. If "uidmap" is used the + bind mounts are created with UID mapping taking place that ensures + the host's file ownerships are mapped 1:1 to container file + ownerships, even if user namespacing is used. This way + files/directories bound into containers will no longer show up as + owned by the nobody user as they typically do if no special care is + taken to shift them manually. + + * When discovering Windows installations sd-boot will now attempt to + extract the Windows version found. + + * The color scheme to use in sd-boot may now be configured at + build-time. + + * systemd-boot will now paint the input cursor on its own instead of + relying on the firmware to do so, increasing compatibility with broken + firmware that doesn't make the cursor reasonably visible. + + * sd-boot gained the ability to change screen resolution during + boot-time, by hitting the "r" key. This will cycle through available + resolutions and save them. + + * sd-boot gained support for automatically loading all EFI drivers + placed in the /EFI/systemd/drivers/ subdirectory of the EFI System + Partition (ESP). These drivers are loaded before the menu entries are + searched and loaded. 
This is useful for easily loading additional + file system drivers for the XBOOTLDR partition or similar. + + * sd-boot learnt a new hotkey "f". When pressed the system will enter + firmware setup. This is useful in environments where it is difficult + to hit the right keys early enough to enter the firmware, and works + on any firmware regardless which key it natively uses. + + * sd-boot gained support for automatically booting into the menu item + selected on the last boot (using the "@saved" identifier for menu + items). + + * sd-boot now embeds a .osrel PE section like we expect from Boot + Loader Specification Type #2 Unified Kernels. This means sd-boot + itself may be used in place of a Type #2 Unified Kernel. This is + useful for debugging purposes as it allows chain-loading one a + (development) sd-boot instance from another. + + * sd-boot now supports a new "devicetree" field in Boot Loader + Specification Type #1 entries: if configured the specified device + tree file is installed before the kernel is invoked. This is useful + for installing/applying new devicetree files without updating the + kernel image. + + * Similar, sd-stub now can read devicetree data from a PE section + ".dtb" and apply it before invoking the kernel. + + * sd-stub (the EFI stub that can be glued in front of a Linux kernel) + gained the ability to pick up credentials and sysext files placed + next to the kernel image file during initialization, wrap them in a + cpio archive and pass them as additional initrd to the invoked Linux + kernel, placing them in the /.extra/ directory of the initrd + environment. This is useful to implement trusted initrd environments + which are fully authenticated but still can be extended (via sysexts) + and parameterized (via encrypted/authenticated credentials, see + above). 
+ + * sd-stub now comes with a full man page, that explains its feature set + and how to combine a kernel image, an initrd and the stub to build a + complete EFI unified kernel image, implementing Boot Loader + Specification Type #2. + + * sd-stub may now provide the initrd to the execute kernel via the + LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for + non-x86 architectures. + + * bootctl learnt the new set-timeout and set-timeout-oneshot that may + be used to set the boot menu time-out of the boot loader (for all or + just the subsequent boot). + + * systemd-importd now honors new environment variables + $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA, + $SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume + generation, btrfs quota setup and disk synchronization. + + * systemd-sysext now optionally doesn't insist on extension-release.d/ + files to be placed in the image under the image's right name. If the + file system xattr user.extension-release.strict is set on the + extension release file it is accepted regardless of its name. This + relaxes security restrictions a bit, as system extension may be + attached under a wrong name this way. + + * udevadm's test-builtin command learnt a new --action= switch for + testing the built-in with the specified action (in place of the + default of 'add'. + + * udevadm info gained new switches --property=/--value for showing only + specific udev properties/values instead of all. + + * A new hwdb database has been added that contains matches for various + types of signal analyzers (protocol analyzers, logic analyzers, + oscilloscopes, multimeters, bench power supplies, etc.) that should + be accessible to regular users. + + * A new hwdb database entry has been added that carries information + about what type of camera discovered cameras are (regular or + infrared), and in which direction they point (front or back). 
+ + * A new build-time meson option "extra-net-naming-schemes=" has been + added for defining additional naming schemes schemes definitions for + udev's network interface naming logic. This is useful for enterprise + distributions and similar which want to pin the schemes of certain + distribution releases under a specific name and previously had to + patched our sources to introduce new named schemes. + + * The predictable naming logic for network interfaces has been extended + to generate stable names from Xen netfront device information. + + * hostnamed's chassis property can now be sourced from chassis-type + field encoded in devicetree (in addition to the preexisting DMI + support). + + * systemd-cgls now optionally display cgroup IDs and extended + attributes for each cgroup. (Controllable via the new --xattr= + + --cgroup-id= switches.) + + * coredumpctl gained a new --all switch for operating on all + Journal files instead of just the local ones. + + * systemd-homed will now try to unmount an activate home area in + regular intervals once the user logged out fully. Previously this was + attempted exactly once but if the home directory was busy for some + reason it was not tried again. + + * systemd-homed's LUKS2 home area backend will now issue a BSD file + system lock on the image file while the home area is active + (i.e. mounted). If a home area is found to be locked logins are + politely refused. This should improve behavior when using home areas + images that are accessible via the network from multiple clients, and + reduce the chance of accidental file system corruption in that case. + + * Optionally, systemd-homed will now drop the kernel buffer cache once + a user fully logged out, configurable via the new --drop-caches= + homectl switch. + + * systemd-homed now makes use of UID mapped mounts for the home + areas. If the kernel and used file system support it, files are now + internally owned by the "nobody" user (i.e. 
the user typically used + for indicating "this ownership is not mapped"), and dynamically + mapped to the UID used locally on the system via the UID mapping + mount logic of recent kernels. This makes migrating home areas + between different systems cheap as recursively chown()ing file system + trees is no longer necessary. + + * systemd-homed's CIFS backend now optionally supports CIFS service + names with a directory suffix, in order to place home directories in + a subdirectory of a CIFS share, instead of the top-level directory. + + * systemd-homed's CIFS backend gained support for specifying additional + mount options in the JSON user record (cifsExtraMountOptions field, + and --cifs-extra-mount-options= homectl switch). This is for example + useful for configuring mount options such as "noserverino" that some + SMB3 services require (for example: use that to run a homed home + directory from a FritzBox SMB3 share this way). + + * systemd-homed will now default to btrfs' zstd compression for home + areas. This is inspired by Fedora's recent decision to enable this by + default. + + * Additional mount options to use when mounting the file system of + LUKS2 volumes in systemd-homed has been added. Via the + $SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4, + $SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to + systemd-homed or via the luksExtraMountOptions user record JSON + property. (Exposed via homectl --luks-extra-mount-options) + + * homectl's resize command now takes the special size specifications + "min" and "max" to shrink/grow the home area to the minimum/maximum + size possible, taking disk usage/space constraints and file system + limitations into account. Resizing is now generally graceful: the + logic will try to get as close to the specified size as possible, but + not consider it a failure if the request couldn't be fulfilled + precisely. 
+ + * systemd-homed gained the ability to automatically shrink home areas + on logout to their minimal size and grow them again on next + login. This ensures that while inactive a home area only takes up the + minimal space necessary, but once activated provides sufficient space + for the user's needs. This behavior is only supported if btrfs is + used as file system inside the home area (because only for btrfs + online growing/shrinking is implemented in the kernel). This + behavior is now enabled by default, but may be controlled via the + new --auto-resize-mode= setting of homectl. + + * systemd-homed gained support for automatically re-balancing free disk + space among active home areas, in case the LUKS2 backends are used, + and no explicit disk size was requested. This way disk space is + automatically managed and home areas resized in regular intervals and + manual resizing when disk space becomes scarce should not be + necessary anymore. This behavior is only supported if btrfs is used + within the home areas (as only then online shrinking and growing is + supported), and may be configured via the new rebalanceWeight JSON + user record field (as exposed via the new --rebalance-weight= homectl + setting). Re-balancing is mostly automatic, but can also be requested + explicitly via "homectl rebalance", which is synchronous, and thus + may be used to wait until a rebalance run is complete. + + * userdbctl gained a --json= switch for configured the JSON formatting + to use when outputting user or group records. + + * userdbctl gained a new --multiplexer= switch for explicitly + configuring whether to use the systemd-userdbd server side user + record resolution logic. + + * userdbctl's ssh-authorized-keys command learnt a new --chain switch, + for chaining up another command to execute after completing the + look-up. 
Since the OpenSSH's AuthorizedKeysCommand only allows + configuration of a single command to invoke this maybe used to invoke + multiple: first userdbctl's own implementation, and then any other + also configured in the command line. + + * The sd-event API gained a new function sd_event_add_inotify_fd() that + is similar to sd_event_add_inotify() but accepts a file descriptor + instead of a path in the file system for referencing the inode to + watch. + + * The sd-event API gained a new function + sd_event_source_set_ratelimit_expire_callback() that may be used to + define a callback function that is called whenever an event source + leaves the rate limiting phase. + + * New documentation has been added explaining which steps are necessary + to port systemd to a new architecture: + + https://systemd.io/PORTING_TO_NEW_ARCHITECTURES + + * The x-systemd.makefs option in /etc/fstab now explicitly supports + f2fs file systems. + + * The systemd-getty-generator now honors a new kernel command line + argument systemd.getty_auto= and a new environment variable + $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for + example useful for turning off gettys inside of containers or similar + environments. + + * systemd-resolved now listens on a second DNS stub address: 127.0.0.54 + (in addition to 127.0.0.53, as before). If DNS requests are sent to + this address they are propagated in "bypass" mode only, i.e. are + almost not processed locally, but mostly forwarded as-is to the + current upstream DNS servers. This provides a stable DNS server + address that proxies all requests dynamically to the right upstream + DNS servers even if these dynamically change. This stub does not do + mDNS/LLMNR resolution. However, it will translate look-ups to + DNS-over-TLS if necessary. This new stub is particularly useful in + container/VM environments, or for tethering setups: use DNAT to + redirect traffic to any IP address to this stub. 
+ CHANGES WITH 249: * When operating on disk images via the --image= switch of various @@ -3872,7 +4476,7 @@ CHANGES WITH 240: Consult the kernel documentation for details on this sysctl: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt - + * The v239 change to turn on "net.ipv4.tcp_ecn" by default has been reverted.
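Review bot: the new v250 entries in the first hunk carry several typos and grammar slips that should be fixed before the notes are published. The most visible ones: the udevadm entry "(in place of the default of 'add'." is missing its closing parenthesis; the TPM2 RSA bullet names "systemd-cryptsetup/systemd-cryptsetup" twice, so one of the two is presumably a different tool and should be corrected rather than repeated; and the SHA1 PCR-bank fallback sentence "This makes the PCR policies reliable, but of course do not provide the same level of trust as SHA256 banks" has a subject/verb mismatch ("does not provide"). Since that fallback silently binds the policy to the SHA1 banks, it is worth saying explicitly in the entry that the downgrade happens automatically, so readers understand they get weaker binding on such firmware without any opt-in. Smaller fixes in the same hunk: "This include platforms" (includes), "its useful on other systems too" (it's), "gained a new settings HandlePowerKeyLongPress=" (new settings), "RestrictFileSystems= as been added" (has been), "naming schemes schemes definitions" (duplicated word), "had to patched our sources" (patch), "unmount an activate home area" (active), "for configured the JSON formatting" (configuring), "this maybe used to invoke multiple" (may be), "unit files container in a root directory" (contained), and the [IPv6SendRA] entry's "a new UplinkInterface", which lacks the trailing "=" that every other setting name in this file carries.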
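Review bot: the second hunk, in the v240 section (@@ -3872,7 +4476,7 @@), removes and re-adds a single blank line after the ip-sysctl.txt URL, which reads as a whitespace-only change unrelated to the v250 entry that the commit message describes. It should either be dropped from this commit or split into its own whitespace cleanup commit so the NEWS history stays focused on the release notes.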