more additions to NEWS

This commit is contained in:
Lennart Poettering 2023-11-03 17:27:33 +01:00
parent 8d04721507
commit c2322b482a

NEWS

@ -47,34 +47,37 @@ CHANGES WITH 255 in spe:
Service Manager:
* The way services are spawned has been overhauled. Previously, a process
was forked that shared all of the manager's memory (via copy-on-write)
while doing all the required set ups (e.g.: mount namespaces, CGroup
configuration, etc.) before exec'ing the target executable. This was
problematic for various reasons: several glibc APIs were called that
are not supposed to be used after a fork but before an exec, copy-on-write
meant that if either process (the manager or the child) touched a memory
page a copy was triggered, and also the memory footprint of the child
process was that of the manager but with the memory limits of the service.
From this version onward, the new process is spawned using CLONE_VM and
CLONE_VFORK semantics via posix_spawn, and it immediately execs a new
internal binary, systemd-executor, that receives the configuration to
apply via memfd, and sets up the process before exec'ing the target
* The way services are spawned has been overhauled. Previously, a
process was forked that shared all of the manager's memory (via
copy-on-write) while doing all the required set ups (e.g.: mount
namespaces, CGroup configuration, etc.) before exec'ing the target
executable. This was problematic for various reasons: several glibc
APIs were called that are not supposed to be used after a fork but
before an exec, copy-on-write meant that if either process (the
manager or the child) touched a memory page a copy was triggered, and
also the memory footprint of the child process was that of the
manager but with the memory limits of the service. From this version
onward, the new process is spawned using CLONE_VM and CLONE_VFORK
semantics via posix_spawn(), and it immediately execs a new internal
binary, systemd-executor, that receives the configuration to apply
via memfd, and sets up the process before exec'ing the target
executable.
* Internal process tracking is being changed to use PIDFDs instead of PIDs
when the kernel supports it, to improve robustness and reliability.
* Most of the internal process tracking is being changed to use PIDFDs
instead of PIDs when the kernel supports it, to improve robustness
and reliability.
* A new option SurviveFinalKillSignal= is now supported to configure a
unit to skip units on the final SIGTERM/SIGKILL spree on shutdown. This
is part of the required configuration to let a unit's processes survive
a soft-reboot operation without being interrupted.
* Sysext images can now set EXTENSION_RELOAD_MANAGER=1 in their
extension-release files to automatically daemon-reload when
merging/refreshing/unmerging on boot. This should be used only in
exceptional circumstances, as it can cause very difficult to debug
race conditions and lockups.
* System extension images (sysext) can now set
EXTENSION_RELOAD_MANAGER=1 in their extension-release files to
automatically reload the service manager (PID 1) when
merging/refreshing/unmerging on boot. Generally, while this can be
used to ship services in system extension images it's recommended to
do that via portable services instead.
* The ExtensionImages= and ExtensionDirectories= options now support
confexts images/directories.
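Review bot: the rewritten EXTENSION_RELOAD_MANAGER=1 entry drops the old version's caution that reloading the manager during merge/refresh/unmerge "can cause very difficult to debug race conditions and lockups"; keep that sentence next to the new recommendation to prefer portable services, since it is the reason the feature is discouraged. Also, in the spawning entry, "set ups" should read "setup".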
@ -86,10 +89,12 @@ CHANGES WITH 255 in spe:
use numeric cgroup IDs, which change every time a service is restarted, making
them hard to use in a systemd environment.
* A new option CoredumpReceive= can be set, together with Delegate=yes, to
make systemd-coredump on the host forward core files from processes crashed
inside the delegated CGroup subtree to systemd-coredump running in the
container.
* A new option CoredumpReceive= can be set for service and scope units,
together with Delegate=yes, to make systemd-coredump on the host
forward core files from processes crashed inside the delegated CGroup
subtree to systemd-coredump running in the container. This new option
is by default used by systemd-nspawn containers that use the "--boot"
switch, i.e. are fully booted up.
* A new ConditionSecurity=measured-uki option is now available, to ensure
a unit can only run when the system has been booted from a measured UKI.
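Review bot: "processes crashed inside the delegated CGroup subtree" needs a relative pronoun: "processes that crashed inside". The spelling "CGroup" here also differs from "cgroup" in the context two entries above; pick one form for the file.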
@ -102,15 +107,16 @@ CHANGES WITH 255 in spe:
SetLoginEnvironment= is now supported to determine whether to also set
$HOME, $LOGNAME and $SHELL.
* Socket units now support a new PollLimit= option to configure a limit on
how often polling events on the file descriptors backing this unit will
be considered.
* Socket units now support a new pair of
PollLimitBurst=/PollLimitInterval= options to configure a limit on
how often polling events on the file descriptors backing this unit
will be considered within a time window.
* Scope units can now be created passing PIDFDs instead of PIDs to select
the processes they should include.
* Sending SIGRTMIN+18 with 0x500 as value will now cause the manager to
dump the list of currently pending jobs.
* Sending SIGRTMIN+18 with 0x500 as sigqueue() value will now cause the
manager to dump the list of currently pending jobs.
* If the kernel supports MOVE_MOUNT_BENEATH, the systemctl and machinectl
bind and mount-image verbs will now cause the new mount to to replace
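Review bot: the unchanged context at the end of this hunk reads "cause the new mount to to replace"; drop the duplicated "to" while this entry is being touched. In the PollLimitBurst=/PollLimitInterval= entry, "how often polling events ... will be considered within a time window" could state which option holds the count and which the window, so readers do not have to infer it from the names.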
@ -118,8 +124,8 @@ CHANGES WITH 255 in spe:
TPM2 Support + Disk Encryption & Authentication:
* systemd-cryptenroll now allows specifying a PCR bank and hash digest in
the --tpm2-pcrs= option.
* systemd-cryptenroll now allows specifying a PCR bank and explicit hash
value in the --tpm2-pcrs= option.
* systemd-cryptenroll now allows specifying a TPM2 key handle to be used
instead of the default SRK via the new --tpm2-seal-key-handle= option.
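Review bot: "explicit hash value" is clearer than "hash digest", but the entry still does not say in what form the bank and value are passed to --tpm2-pcrs=; a pointer to the systemd-cryptenroll man page would save readers a search.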
@ -130,14 +136,20 @@ CHANGES WITH 255 in spe:
* The TPM2 Storage Root Key will now be set up, if not already present,
by a new systemd-tpm2-setup.service early boot service.
* The internal systemd-pcrphase executable has been renamed to systemd-pcrextend.
* The internal systemd-pcrphase executable has been renamed to
systemd-pcrextend.
* systemd-pcrextend now exposes a Varlink interface at io.systemd.PCRExtend
that can be used to do measurements and event logging on demand.
* The systemd-pcrextend tool gained a new --pcr= switch to override
which PCR to measure into.
* systemd-pcrextend now exposes a Varlink interface at
io.systemd.PCRExtend that can be used to do measurements and event
logging on demand.
* TPM measurements are now also written to an event log at
/run/log/systemd/tpm2-measure.log, using the TCG Canonical Event Log
format, together with the existing journald entries.
/run/log/systemd/tpm2-measure.log, using a derivative of the TCG
Canonical Event Log format. Previously we'd only log them to the
journal, where they however were subject to rotation and similar.
systemd-boot, systemd-stub, ukify, bootctl, kernel-install:
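Review bot: "where they however were subject to rotation and similar" is awkward; suggest "where they were, however, subject to rotation and similar loss". The new wording "a derivative of the TCG Canonical Event Log format" should say how it deviates, or point at the TPM2_PCR_MEASUREMENTS document this same NEWS adds further down, since anyone verifying measurements offline needs the exact format.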
@ -160,25 +172,26 @@ CHANGES WITH 255 in spe:
SecureBoot is enabled. For more details see:
https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c
* systemd-boot gained new hotkeys to reboot and power off the system from
the boot menu.
* systemd-boot gained new hotkeys to reboot and power off the system
from the boot menu ("B" and "O"). If the "auto-poweroff" and
"auto-reboot" options in loader.conf are set these entries are also
shown as menu items (which is useful on devices lacking a regular
keyboard).
* systemd-boot will now show auto-generated reboot and poweroff entries in
the boot menu.
* systemd-boot gained a new configuration value menu-disabled for the
* systemd-boot gained a new configuration value "menu-disabled" for the
set-timeout option, to allow completely disabling the boot menu,
including the hotkey.
* systemd-boot will now measure the content of loader.conf in PCR5.
* systemd-boot will now measure the content of loader.conf in TPM2 PCR
5.
* systemd-stub will now concatenate the content of all kernel command-line
addons before measuring them in PCR12, in a single measurement, instead
of measuring them individually.
* systemd-stub will now concatenate the content of all kernel
command-line addons before measuring them in TPM2 PCR 12, in a single
measurement, instead of measuring them individually.
* systemd-stub will now measure and load Devicetree Blob addons, which are
searched and loaded following the same model as the existing kernel
command-line addons.
* systemd-stub will now measure and load Devicetree Blob addons, which
are searched and loaded following the same model as the existing
kernel command-line addons.
* systemd-stub will now ignore unauthenticated kernel command line options
passed from systemd-boot when running inside Confidential VMs with UEFI
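Review bot: the systemd-stub entry about concatenating all kernel command-line addons into a single TPM2 PCR 12 measurement yields a different PCR 12 value than the previous per-addon measurements, so the entry should flag it as a compatibility change for anything sealed to or attesting PCR 12. Minor: the loader.conf line wraps so that "PCR" and "5" land on separate lines, which reads oddly in the plain-text NEWS.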
@ -197,12 +210,13 @@ CHANGES WITH 255 in spe:
have been added to make it easier to generate these types of DDIs,
without having to provide repart.d definitions for them.
* The dm-verity salt and UUID will now be derived from the specified seed.
* The dm-verity salt and UUID will now be derived from the specified
seed value.
* New VerityDataBlockSizeBytes= and VerityHashBlockSizeBytes= can now be
configured in repart.d configuration files.
configured in repart.d/ configuration files.
* A new Subvolumes= setting is now supported in repart.d configuration
* A new Subvolumes= setting is now supported in repart.d/ configuration
files, to indicate which directories in the target partition should be
btrfs subvolumes.
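Review bot: "New VerityDataBlockSizeBytes= and VerityHashBlockSizeBytes= can now be configured" is missing a noun after the option names ("settings"). The "repart.d/" spelling with trailing slash is now used in two entries here; check that the rest of the file uses the same form.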
@ -228,7 +242,7 @@ CHANGES WITH 255 in spe:
attaching a file to a loopback device will implicitly make a handle
available to be found via that file's inode information.
* udevadm info gained support for JSON output via a new --json flag, and
* udevadm info gained support for JSON output via a new --json= flag, and
for filtering output using the same mechanism that udevadm trigger
already implements.
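Review bot: changing "--json" to "--json=" says the flag takes an argument, but the entry does not say which values it accepts; naming the output modes, or pointing to the udevadm man page, would make the entry usable on its own.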
@ -239,6 +253,18 @@ CHANGES WITH 255 in spe:
It is now enabled by default and is part of the new "v255" naming
scheme.
* A new hwdb/rules file has been added that sets the
ID_NET_AUTO_LINK_LOCAL_ONLY=1 udev property on all network interfaces
that should usually only be configured with link-local addressing
(IPv4LL + IPv6LL), i.e. for PC-to-PC cables ("laplink") or
Thunderbolt networking. systemd-networkd and NetworkManager (soon)
will make use of this information to apply an appropriate network
configuration by default.
* The ID_NET_DRIVER property on network interfaces is now set
relatively early in the udev rule set so that other rules may rely on
its use. This is implemented in a new "net-driver" udev built-in.
Network Management:
* The "duid-only" option for DHCPv4 client's ClientIdentifier= setting
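Review bot: "so that other rules may rely on its use" should be "so that other rules may rely on it". "NetworkManager (soon)" is a forward-looking claim about another project; NEWS entries normally describe what this release does, so either drop it or phrase it explicitly as a plan.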
@ -315,17 +341,14 @@ CHANGES WITH 255 in spe:
89-ethernet.network matches all Ethernet interfaces and enables both
DHCPv4 and DHCPv6 clients.
Changes in systemd-analyze:
* If a ID_NET_MANAGED_BY= udev property is set on a network device and
it is any other string than "io.systemd.Network" then networkd will
not manage this device. This may be used to allow multiple network
management services to run in parallel and assign ownership of
specific devices explicitly. NetworkManager will soon implement a
similar logic.
* "systemd-analyze plot" has gained tooltips on each unit name with
related-unit information in its svg output, such as Before=,
Requires=, and similar properties.
Other:
* A new varlinkctl tool has been added to allow interfacing with
Varlink services, and introspection has been added to all such
services.
systemctl:
* systemctl is-failed now checks the system state if no unit is
specified.
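Review bot: "If a ID_NET_MANAGED_BY= udev property" should be "If an"; "any other string than" reads better as "any string other than". In this rendering the entry appears directly after the "Changes in systemd-analyze:" context line while being about networkd device ownership, so double-check it lands under the Network Management heading in the result.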
@ -334,8 +357,7 @@ CHANGES WITH 255 in spe:
system has been setup in /run/nextroot/ when a reboot operation
is invoked.
* systemd-sysext and systemd-confext now expose a Varlink service
at io.systemd.sysext.
Login management:
* wall messages now work even when utmp support is disabled, using
systemd-logind to query the necessary information.
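Review bot: the context line "system has been setup in /run/nextroot/" should read "set up" (verb); worth fixing since this region is being edited anyway.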
@ -346,6 +368,28 @@ CHANGES WITH 255 in spe:
the additional information is the type of operation that is about to
be executed.
Hibernation & Suspend:
* The kernel and OS versions will no longer be checked on resume from
hibernation.
* Hibernation into swap files backed by btrfs are now
supported. (Previously this was supported only for other file
systems.)
Other:
* "systemd-analyze plot" has gained tooltips on each unit name with
related-unit information in its svg output, such as Before=,
Requires=, and similar properties.
* A new varlinkctl tool has been added to allow interfacing with
Varlink services, and introspection has been added to all such
services.
* systemd-sysext and systemd-confext now expose a Varlink service
at io.systemd.sysext.
* systemd-sysupdate now accepts directories in the MatchPattern= option.
* systemd-run will now output the invocation ID of the launched
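Review bot: "Hibernation into swap files backed by btrfs are now supported" has a number disagreement; it should read "is now supported".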
@ -356,9 +400,9 @@ CHANGES WITH 255 in spe:
combination with --cat-config to suppress uninteresting configuration
lines, such as comments.
* systemd-resolved gained a new DumpStatistics() Varlink method, and
resolvectl gained a new corresponding show-server-state verb that
calls it.
* resolvectl gained a new "show-server-state" command that shows
current statistics of the resolver. This is backed by a new
DumpStatistics() Varlink method provided by systemd-resolved.
* systemd-timesyncd will now emit a D-Bus signal when the LinkNTPServers
property changes.
@ -366,9 +410,6 @@ CHANGES WITH 255 in spe:
* vconsole now supports KEYMAP=@kernel for preserving the kernel keymap
as-is.
* The kernel and OS versions will no longer be checked on resume from
hibernation.
* seccomp now supports the LoongArch64 architecture.
* systemd-id128 now supports a new -P option to show only values, and
@ -398,39 +439,87 @@ CHANGES WITH 255 in spe:
quickly get access to the local disk. It's inspired by MacOS "target
disk mode".
* A new component "systemd-bsod" has been added, which can show logged
error messages full screen, if they have a log level of LOG_EMERG log
level.
* The systemd-dissect tool's --with command will now set the
$SYSTEMD_DISSECT_DEVICE environment variable to the block device it
operates on for the invoked process.
* The systemd-mount tool gained a new --tmpfs switch for mounting a new
'tmpfs' instance. This is useful since it does so via .mount units
and thus can be executed remotely or in containers.
* The various tools in systemd that take "verbs" (such as systemctl,
loginctl, machinectl, …) now will suggest a close verb name in case
the user specified an unrecognized one.
* libsystemd now exports a new function sd_id128_get_app_specific()
that generates "app-specific" 128bit IDs from any ID. It's similar to
sd_id128_get_machine_app_specific() and
sd_id128_get_boot_app_specific() but takes the ID to base calculation
on as input. This new functionality is also exposed in the
"systemd-id128" tool where you can now combine --app= with `show`.
* All tools that parse timestamps now can also parse RFC3339 style
timestamps that include the "T" and Z" characters.
* New documentation as been added:
https://systemd.io/FILE_DESCRIPTOR_STORE
https://systemd.io/TPM2_PCR_MEASUREMENTS
https://systemd.io/MOUNT_REQUIREMENTS.md
* The codebase now recognizes the suffix .confext.raw and .sysext.raw
as alternative to the .raw suffix generally accepted for DDIs. It is
recommended to name configuration extensions and system extensions
with such suffixes, to indicate their purpose in the name.
* The sd-device API gained a new function
sd_device_enumerator_add_match_property_required() which allows
configuring matches on properties that are strictly required. This is
different from the existing sd_device_enumerator_add_match_property()
matches of which one one needs to apply.
* The MAC adress the veth side of an nspawn container shall get
assigned may now be controlled via the $SYSTEMD_NSPAWN_NETWORK_MAC
environment variable.
* The libiptc dependency is not implemented via dlopen(), so that tools
such as networkd and nspawn no longer have a hard dependency on the
shared library when compiled with support for libiptc.
Contributions from: 김인수, Abderrahim Kitouni, Adam Williamson,
Alexandre Peixoto Ferreira, Alex Hudspith, Alvin Alvarado,
André Paiusco, Antonio Alvarez Feijoo, Anton Lundin,
Arseny Maslennikov, Arthur Shau, Balázs Úr, beh_10257,
Benjamin Peterson, Bertrand Jacquin, Brian Norris, Chris Patterson,
Christian Hergert, Christian Hesse, Christian Kirbach,
commondservice, Curtis Klein, cvlc12, Daan De Meyer,
Daniel P. Berrangé, Daniel Rusek, Dan Streetman,
David Rheinsberg, David Santamaría Rogado, David Tardon,
Christian Hergert, Christian Hesse, Christian Kirbach, commondservice,
Curtis Klein, cvlc12, Daan De Meyer, Daniel P. Berrangé, Daniel Rusek,
Dan Streetman, David Rheinsberg, David Santamaría Rogado, David Tardon,
dependabot[bot], Dmitry V. Levin, Emanuele Giuseppe Esposito,
Emil Renner Berthing, Emil Velikov, Etienne Dechamps, Fabian Vogt,
felixdoerre, Franck Bui, Frantisek Sumsal, G2-Games,
Gioele Barabucci, Hugo Carvalho, huyubiao, IllusionMan1212,
Jade Lovelace, janana, Jan Janssen, Jan Kuparinen, Jan Macku,
Jin Liu, Joerg Behrmann, Johannes Segitz, Jordan Rome,
Jordan Williams, Julien Malka, Juno Computers, Khem Raj, khm,
Kingbom Dou, Kiran Vemula, Laszlo Gombos, Lennart Poettering,
Luca Boccassi, Lucas Adriano Salles, Lukas, Maanya Goenka, Maarten,
Malte Poll, Marc Pervaz Boocha, Martin Beneš, Martin Wilck,
Mathieu Tortuyaux, Matthias Schiffer, Maxim Mikityanskiy,
Max Kellermann, Michael A Cassaniti, Michael Biebl, Michael Kuhn,
Michael Vasseur, Michal Koutný, Michal Sekletár, Mike Yuan,
Milton D. Miller II, mordner, msizanoen, NAHO, Nandakumar Raghavan,
Nick Rosbrook, NRK, Oğuz Ersen, Omojola Joshua, pelaufer,
Peter Hutterer, PhylLu, Pierre GRASSER, Piotr Drąg, Priit Laes,
Rahil Bhimjiani, Raito Bezarius, Raul Cheleguini, Reto Schneider,
Richard Maw, Robby Red, RoepLuke, Roland Hieber, Ronan Pigott,
Sam James, Sergey A, Susant Sahani, Sven Joachim,
Takashi Sakamoto, Thorsten Kukuk, Tj, Tomasz Świątek,
Topi Miettinen, Valentin David, Valentin Lefebvre,
Victor Westerhuis, Vincent Haupert, Vishal Chillara Srinivas,
Warren, Xiaotian Wu, xinpeng wang, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, наб
felixdoerre, Franck Bui, Frantisek Sumsal, G2-Games, Gioele Barabucci,
Hugo Carvalho, huyubiao, IllusionMan1212, Jade Lovelace, janana,
Jan Janssen, Jan Kuparinen, Jan Macku, Jin Liu, Joerg Behrmann,
Johannes Segitz, Jordan Rome, Jordan Williams, Julien Malka,
Juno Computers, Khem Raj, khm, Kingbom Dou, Kiran Vemula,
Laszlo Gombos, Lennart Poettering, Luca Boccassi, Lucas Adriano Salles,
Lukas, Maanya Goenka, Maarten, Malte Poll, Marc Pervaz Boocha,
Martin Beneš, Martin Wilck, Mathieu Tortuyaux, Matthias Schiffer,
Maxim Mikityanskiy, Max Kellermann, Michael A Cassaniti, Michael Biebl,
Michael Kuhn, Michael Vasseur, Michal Koutný, Michal Sekletár,
Mike Yuan, Milton D. Miller II, mordner, msizanoen, NAHO,
Nandakumar Raghavan, Nick Rosbrook, NRK, Oğuz Ersen, Omojola Joshua,
pelaufer, Peter Hutterer, PhylLu, Pierre GRASSER, Piotr Drąg,
Priit Laes, Rahil Bhimjiani, Raito Bezarius, Raul Cheleguini,
Reto Schneider, Richard Maw, Robby Red, RoepLuke, Roland Hieber,
Ronan Pigott, Sam James, Sergey A, Susant Sahani, Sven Joachim,
Takashi Sakamoto, Thorsten Kukuk, Tj, Tomasz Świątek, Topi Miettinen,
Valentin David, Valentin Lefebvre, Victor Westerhuis, Vincent Haupert,
Vishal Chillara Srinivas, Warren, Xiaotian Wu, xinpeng wang,
Yu Watanabe, Zbigniew Jędrzejewski-Szmek, наб
CHANGES WITH 254:
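Review bot: "The libiptc dependency is not implemented via dlopen()" inverts the intended meaning; it should read "is now implemented via dlopen()", otherwise the following clause about tools no longer having a hard dependency contradicts it. Further fixes in this hunk: "if they have a log level of LOG_EMERG log level" repeats "log level"; "New documentation as been added" should be "has been added"; the "T" and Z" characters" phrase is missing the opening quote before Z; "matches of which one one needs to apply" duplicates "one" (and presumably means "of which only one needs to match"); "MAC adress" should be "address"; "MOUNT_REQUIREMENTS.md" carries a .md suffix that the other two systemd.io links do not; "128bit" is normally written "128-bit".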