mirror of https://github.com/systemd/systemd, synced 2024-07-22 10:44:58 +00:00
more additions to NEWS
This commit is contained in:
parent 8d04721507
commit c2322b482a
NEWS 283
@ -47,34 +47,37 @@ CHANGES WITH 255 in spe:

Service Manager:

* The way services are spawned has been overhauled. Previously, a process
was forked that shared all of the manager's memory (via copy-on-write)
while doing all the required set ups (e.g.: mount namespaces, CGroup
configuration, etc.) before exec'ing the target executable. This was
problematic for various reasons: several glibc APIs were called that
are not supposed to be used after a fork but before an exec, copy-on-write
meant that if either process (the manager or the child) touched a memory
page a copy was triggered, and also the memory footprint of the child
process was that of the manager but with the memory limits of the service.
From this version onward, the new process is spawned using CLONE_VM and
CLONE_VFORK semantics via posix_spawn, and it immediately execs a new
internal binary, systemd-executor, that receives the configuration to
apply via memfd, and sets up the process before exec'ing the target
* The way services are spawned has been overhauled. Previously, a
process was forked that shared all of the manager's memory (via
copy-on-write) while doing all the required set ups (e.g.: mount
namespaces, CGroup configuration, etc.) before exec'ing the target
executable. This was problematic for various reasons: several glibc
APIs were called that are not supposed to be used after a fork but
before an exec, copy-on-write meant that if either process (the
manager or the child) touched a memory page a copy was triggered, and
also the memory footprint of the child process was that of the
manager but with the memory limits of the service. From this version
onward, the new process is spawned using CLONE_VM and CLONE_VFORK
semantics via posix_spawn(), and it immediately execs a new internal
binary, systemd-executor, that receives the configuration to apply
via memfd, and sets up the process before exec'ing the target
executable.

* Internal process tracking is being changed to use PIDFDs instead of PIDs
when the kernel supports it, to improve robustness and reliability.
* Most of the internal process tracking is being changed to use PIDFDs
instead of PIDs when the kernel supports it, to improve robustness
and reliability.

* A new option SurviveFinalKillSignal= is now supported to configure a
unit to skip units on the final SIGTERM/SIGKILL spree on shutdown. This
is part of the required configuration to let a unit's processes survive
a soft-reboot operation without being interrupted.

* Sysext images can now set EXTENSION_RELOAD_MANAGER=1 in their
extension-release files to automatically daemon-reload when
merging/refreshing/unmerging on boot. This should be used only in
exceptional circumstances, as it can cause very difficult to debug
race conditions and lockups.
* System extension images (sysext) can now set
EXTENSION_RELOAD_MANAGER=1 in their extension-release files to
automatically reload the service manager (PID 1) when
merging/refreshing/unmerging on boot. Generally, while this can be
used to ship services in system extension images it's recommended to
do that via portable services instead.

* The ExtensionImages= and ExtensionDirectories= options now support
confexts images/directories.
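Review bot: the reworded EXTENSION_RELOAD_MANAGER=1 entry drops the caveat that the previous text carried ("This should be used only in exceptional circumstances, as it can cause very difficult to debug race conditions and lockups"); reloading PID 1 in the middle of a merge/refresh/unmerge is the operationally risky part of this feature, so keep that sentence next to the new recommendation to ship services as portable services instead. Minor: "set ups" should be "setups" in the spawning entry, and the SurviveFinalKillSignal= context line "configure a unit to skip units on the final SIGTERM/SIGKILL spree" reads better as "configure a unit to be skipped on the final SIGTERM/SIGKILL spree".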
@ -86,10 +89,12 @@ CHANGES WITH 255 in spe:
use numeric cgroup IDs, which change every time a service is restarted, making
them hard to use in a systemd environment.

* A new option CoredumpReceive= can be set, together with Delegate=yes, to
make systemd-coredump on the host forward core files from processes crashed
inside the delegated CGroup subtree to systemd-coredump running in the
container.
* A new option CoredumpReceive= can be set for service and scope units,
together with Delegate=yes, to make systemd-coredump on the host
forward core files from processes crashed inside the delegated CGroup
subtree to systemd-coredump running in the container. This new option
is by default used by systemd-nspawn containers that use the "--boot"
switch, i.e. are fully booted up.

* A new ConditionSecurity=measured-uki option is now available, to ensure
a unit can only run when the system has been booted from a measured UKI.
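Review bot: "processes crashed inside the delegated CGroup subtree" should be "processes that crashed inside the delegated cgroup subtree", which also matches the lowercase "cgroup" used in the context line at the top of this hunk. Since the entry now states that the option is on by default for systemd-nspawn "--boot" containers, add a sentence that this moves the core files of container processes into the container's own systemd-coredump rather than the host's, so that administrators know where to look for them after the update.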
@ -102,15 +107,16 @@ CHANGES WITH 255 in spe:
SetLoginEnvironment= is now supported to determine whether to also set
$HOME, $LOGNAME and $SHELL.

* Socket units now support a new PollLimit= option to configure a limit on
how often polling events on the file descriptors backing this unit will
be considered.
* Socket units now support a new pair of
PollLimitBurst=/PollLimitInterval= options to configure a limit on
how often polling events on the file descriptors backing this unit
will be considered within a time window.

* Scope units can now be created passing PIDFDs instead of PIDs to select
the processes they should include.

* Sending SIGRTMIN+18 with 0x500 as value will now cause the manager to
dump the list of currently pending jobs.
* Sending SIGRTMIN+18 with 0x500 as sigqueue() value will now cause the
manager to dump the list of currently pending jobs.

* If the kernel supports MOVE_MOUNT_BENEATH, the systemctl and machinectl
bind and mount-image verbs will now cause the new mount to to replace
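Review bot: the PollLimitBurst=/PollLimitInterval= entry states the limit but not what happens once it is exceeded (whether the socket's file descriptors stop being polled until the interval has elapsed, or events are simply ignored); one sentence on that behaviour would help, because a misconfigured limit starves the activated service of incoming connections and the admin needs to know what symptom to expect. Also, the MOVE_MOUNT_BENEATH context line has a doubled word: "cause the new mount to to replace".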
@ -118,8 +124,8 @@ CHANGES WITH 255 in spe:

TPM2 Support + Disk Encryption & Authentication:

* systemd-cryptenroll now allows specifying a PCR bank and hash digest in
the --tpm2-pcrs= option.
* systemd-cryptenroll now allows specifying a PCR bank and explicit hash
value in the --tpm2-pcrs= option.

* systemd-cryptenroll now allows specifying a TPM2 key handle to be used
instead of the default SRK via the new --tpm2-seal-key-handle= option.
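Review bot: "PCR bank and explicit hash value" is clearer than "hash digest", but it still leaves open what the value is; say that it is the expected PCR value the enrollment policy binds to, as opposed to the bank's digest algorithm, since that is precisely the ambiguity this reword is meant to remove. The --tpm2-seal-key-handle= entry would also benefit from noting that the chosen handle must be available at every unlock, because a key sealed to a non-default handle cannot be recovered if that handle is later removed from the TPM.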
@ -130,14 +136,20 @@ CHANGES WITH 255 in spe:
* The TPM2 Storage Root Key will now be set up, if not already present,
by a new systemd-tpm2-setup.service early boot service.

* The internal systemd-pcrphase executable has been renamed to systemd-pcrextend.
* The internal systemd-pcrphase executable has been renamed to
systemd-pcrextend.

* systemd-pcrextend now exposes a Varlink interface at io.systemd.PCRExtend
that can be used to do measurements and event logging on demand.
* The systemd-pcrextend tool gained a new --pcr= switch to override
which PCR to measure into.

* systemd-pcrextend now exposes a Varlink interface at
io.systemd.PCRExtend that can be used to do measurements and event
logging on demand.

* TPM measurements are now also written to an event log at
/run/log/systemd/tpm2-measure.log, using the TCG Canonical Event Log
format, together with the existing journald entries.
/run/log/systemd/tpm2-measure.log, using a derivative of the TCG
Canonical Event Log format. Previously we'd only log them to the
journal, where they however were subject to rotation and similar.

systemd-boot, systemd-stub, ukify, bootctl, kernel-install:

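Review bot: the event-log entry now says /run/log/systemd/tpm2-measure.log uses "a derivative of" the TCG Canonical Event Log format; anyone feeding that file to an off-the-shelf CEL parser or an attestation verifier needs to know how it deviates, so either name the differences or point at the TPM2_PCR_MEASUREMENTS document added later in this same patch. The new --pcr= switch entry should state which PCR systemd-pcrextend measures into when the switch is absent, since sealed policies depend on the measurement landing in the expected PCR. Minor: "where they however were subject to rotation" reads better as "where they were, however, subject to rotation".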
@ -160,25 +172,26 @@ CHANGES WITH 255 in spe:
SecureBoot is enabled. For more details see:
https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c

* systemd-boot gained new hotkeys to reboot and power off the system from
the boot menu.
* systemd-boot gained new hotkeys to reboot and power off the system
from the boot menu ("B" and "O"). If the "auto-poweroff" and
"auto-reboot" options in loader.conf are set these entries are also
shown as menu items (which is useful on devices lacking a regular
keyboard).

* systemd-boot will now show auto-generated reboot and poweroff entries in
the boot menu.

* systemd-boot gained a new configuration value menu-disabled for the
* systemd-boot gained a new configuration value "menu-disabled" for the
set-timeout option, to allow completely disabling the boot menu,
including the hotkey.

* systemd-boot will now measure the content of loader.conf in PCR5.
* systemd-boot will now measure the content of loader.conf in TPM2 PCR
5.

* systemd-stub will now concatenate the content of all kernel command-line
addons before measuring them in PCR12, in a single measurement, instead
of measuring them individually.
* systemd-stub will now concatenate the content of all kernel
command-line addons before measuring them in TPM2 PCR 12, in a single
measurement, instead of measuring them individually.

* systemd-stub will now measure and load Devicetree Blob addons, which are
searched and loaded following the same model as the existing kernel
command-line addons.
* systemd-stub will now measure and load Devicetree Blob addons, which
are searched and loaded following the same model as the existing
kernel command-line addons.

* systemd-stub will now ignore unauthenticated kernel command line options
passed from systemd-boot when running inside Confidential VMs with UEFI
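Review bot: switching systemd-stub from one measurement per command-line addon to a single measurement of the concatenated addons changes the resulting TPM2 PCR 12 value on every system that loads addons, so the entry should flag that policies and PCR predictions bound to PCR 12 have to be recomputed after upgrading; the same compatibility remark applies to the new loader.conf measurement into PCR 5 for anyone sealing against that PCR. Spelling the registers out as "TPM2 PCR 5" and "TPM2 PCR 12" instead of "PCR5"/"PCR12" is a good consistency fix, and "Devicetree Blob" should probably be "devicetree blob" or "DTB" to match how the addons are referred to elsewhere.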
@ -197,12 +210,13 @@ CHANGES WITH 255 in spe:
have been added to make it easier to generate these types of DDIs,
without having to provide repart.d definitions for them.

* The dm-verity salt and UUID will now be derived from the specified seed.
* The dm-verity salt and UUID will now be derived from the specified
seed value.

* New VerityDataBlockSizeBytes= and VerityHashBlockSizeBytes= can now be
configured in repart.d configuration files.
configured in repart.d/ configuration files.

* A new Subvolumes= setting is now supported in repart.d configuration
* A new Subvolumes= setting is now supported in repart.d/ configuration
files, to indicate which directories in the target partition should be
btrfs subvolumes.

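Review bot: the dm-verity entry says the salt and UUID are "derived from the specified seed value" but not which seed (presumably the one passed to systemd-repart via its --seed= switch) or what the consequence is: a fixed seed makes the verity metadata reproducible across builds, while reusing the same seed for unrelated images may produce identical salts, which matters to anyone who relied on the salt being unique per image. Stating both halves of that trade-off in the entry would save readers a trip to the man page. The repart.d to repart.d/ spelling fixes are fine.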
@ -228,7 +242,7 @@ CHANGES WITH 255 in spe:
attaching a file to a loopback device will implicitly make a handle
available to be found via that file's inode information.

* udevadm info gained support for JSON output via a new --json flag, and
* udevadm info gained support for JSON output via a new --json= flag, and
for filtering output using the same mechanism that udevadm trigger
already implements.

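Review bot: the trailing "=" in "--json=" signals that the switch takes a mode argument, so the entry should name the accepted values (other systemd tools take --json=pretty, --json=short or --json=off) so that readers do not copy the bare "--json" form from the previous wording.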
@ -239,6 +253,18 @@ CHANGES WITH 255 in spe:
It is now enabled by default and is part of the new "v255" naming
scheme.

* A new hwdb/rules file has been added that sets the
ID_NET_AUTO_LINK_LOCAL_ONLY=1 udev property on all network interfaces
that should usually only be configured with link-local addressing
(IPv4LL + IPv6LL), i.e. for PC-to-PC cables ("laplink") or
Thunderbolt networking. systemd-networkd and NetworkManager (soon)
will make use of this information to apply an appropriate network
configuration by default.

* The ID_NET_DRIVER property on network interfaces is now set
relatively early in the udev rule set so that other rules may rely on
its use. This is implemented in a new "net-driver" udev built-in.

Network Management:

* The "duid-only" option for DHCPv4 client's ClientIdentifier= setting
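Review bot: "systemd-networkd and NetworkManager (soon) will make use of this information" is a prediction about another project, and release notes get read long after the fact; state only what this release does and, if the NetworkManager plan must be mentioned, put it in a separate sentence clearly marked as planned. Since ID_NET_AUTO_LINK_LOCAL_ONLY=1 silently changes the addressing networkd applies to Thunderbolt and PC-to-PC links, it is worth saying that it is a hwdb default that can be overridden by local udev rules. Minor: "so that other rules may rely on its use" should be "so that other rules may rely on it".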
@ -315,17 +341,14 @@ CHANGES WITH 255 in spe:
89-ethernet.network matches all Ethernet interfaces and enables both
DHCPv4 and DHCPv6 clients.

Changes in systemd-analyze:
* If a ID_NET_MANAGED_BY= udev property is set on a network device and
it is any other string than "io.systemd.Network" then networkd will
not manage this device. This may be used to allow multiple network
management services to run in parallel and assign ownership of
specific devices explicitly. NetworkManager will soon implement a
similar logic.

* "systemd-analyze plot" has gained tooltips on each unit name with
related-unit information in its svg output, such as Before=,
Requires=, and similar properties.

Other:

* A new varlinkctl tool has been added to allow interfacing with
Varlink services, and introspection has been added to all such
services.
systemctl:

* systemctl is-failed now checks the system state if no unit is
specified.
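Review bot: "If a ID_NET_MANAGED_BY= udev property" should be "If an ID_NET_MANAGED_BY= udev property", and "any other string than" should be "any string other than". The entry should also say whether the comparison with "io.systemd.Network" is exact (so that an empty value or a value differing only in case does not cause networkd to take the device), because this property is now the ownership hand-off between network managers and an unexpected match leaves a device managed by two daemons at once. As in the previous hunk, "NetworkManager will soon implement a similar logic" is a forward-looking claim about another project that does not belong in a release's NEWS entry.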
@ -334,8 +357,7 @@ CHANGES WITH 255 in spe:
system has been setup in /run/nextroot/ when a reboot operation
is invoked.

* systemd-sysext and systemd-confext now expose a Varlink service
at io.systemd.sysext.
Login management:

* wall messages now work even when utmp support is disabled, using
systemd-logind to query the necessary information.
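Review bot: the context line "system has been setup in /run/nextroot/" should read "set up" (verb). The wall-message entry would be clearer if "the necessary information" were spelled out (presumably the list of sessions and their terminals), so that readers understand why systemd-logind becomes a hard requirement for wall once utmp support is disabled.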
@ -346,6 +368,28 @@ CHANGES WITH 255 in spe:
the additional information is the type of operation that is about to
be executed.

Hibernation & Suspend:

* The kernel and OS versions will no longer be checked on resume from
hibernation.

* Hibernation into swap files backed by btrfs are now
supported. (Previously this was supported only for other file
systems.)

Other:

* "systemd-analyze plot" has gained tooltips on each unit name with
related-unit information in its svg output, such as Before=,
Requires=, and similar properties.

* A new varlinkctl tool has been added to allow interfacing with
Varlink services, and introspection has been added to all such
services.

* systemd-sysext and systemd-confext now expose a Varlink service
at io.systemd.sysext.

* systemd-sysupdate now accepts directories in the MatchPattern= option.

* systemd-run will now output the invocation ID of the launched
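Review bot: "Hibernation into swap files backed by btrfs are now supported" should be "is now supported". The relocated "Other:" entries are verbatim moves and look fine, but the entry that the kernel and OS versions are no longer checked on resume is now the first thing under "Hibernation & Suspend" and reads like a safety regression without context; one sentence on why the check was dropped (or what still prevents resuming an image produced by a different kernel) would pre-empt that reading.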
@ -356,9 +400,9 @@ CHANGES WITH 255 in spe:
combination with --cat-config to suppress uninteresting configuration
lines, such as comments.

* systemd-resolved gained a new DumpStatistics() Varlink method, and
resolvectl gained a new corresponding show-server-state verb that
calls it.
* resolvectl gained a new "show-server-state" command that shows
current statistics of the resolver. This is backed by a new
DumpStatistics() Varlink method provided by systemd-resolved.

* systemd-timesyncd will now emit a D-Bus signal when the LinkNTPServers
property changes.
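Review bot: quoting of verb names is inconsistent across this patch: "show-server-state" is quoted here, is-failed in the systemctl section is bare, and `show` in the systemd-id128 entry uses backticks; pick one convention. "current statistics of the resolver" is also vague; naming one or two of the counters DumpStatistics() actually reports would tell operators whether this is the data they want for monitoring.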
@ -366,9 +410,6 @@ CHANGES WITH 255 in spe:
* vconsole now supports KEYMAP=@kernel for preserving the kernel keymap
as-is.

* The kernel and OS versions will no longer be checked on resume from
hibernation.

* seccomp now supports the LoongArch64 architecture.

* systemd-id128 now supports a new -P option to show only values, and
@ -398,39 +439,87 @@ CHANGES WITH 255 in spe:
quickly get access to the local disk. It's inspired by MacOS "target
disk mode".

* A new component "systemd-bsod" has been added, which can show logged
error messages full screen, if they have a log level of LOG_EMERG log
level.

* The systemd-dissect tool's --with command will now set the
$SYSTEMD_DISSECT_DEVICE environment variable to the block device it
operates on for the invoked process.

* The systemd-mount tool gained a new --tmpfs switch for mounting a new
'tmpfs' instance. This is useful since it does so via .mount units
and thus can be executed remotely or in containers.

* The various tools in systemd that take "verbs" (such as systemctl,
loginctl, machinectl, …) now will suggest a close verb name in case
the user specified an unrecognized one.

* libsystemd now exports a new function sd_id128_get_app_specific()
that generates "app-specific" 128bit IDs from any ID. It's similar to
sd_id128_get_machine_app_specific() and
sd_id128_get_boot_app_specific() but takes the ID to base calculation
on as input. This new functionality is also exposed in the
"systemd-id128" tool where you can now combine --app= with `show`.

* All tools that parse timestamps now can also parse RFC3339 style
timestamps that include the "T" and Z" characters.

* New documentation as been added:

https://systemd.io/FILE_DESCRIPTOR_STORE
https://systemd.io/TPM2_PCR_MEASUREMENTS
https://systemd.io/MOUNT_REQUIREMENTS.md

* The codebase now recognizes the suffix .confext.raw and .sysext.raw
as alternative to the .raw suffix generally accepted for DDIs. It is
recommended to name configuration extensions and system extensions
with such suffixes, to indicate their purpose in the name.

* The sd-device API gained a new function
sd_device_enumerator_add_match_property_required() which allows
configuring matches on properties that are strictly required. This is
different from the existing sd_device_enumerator_add_match_property()
matches of which one one needs to apply.

* The MAC adress the veth side of an nspawn container shall get
assigned may now be controlled via the $SYSTEMD_NSPAWN_NETWORK_MAC
environment variable.

* The libiptc dependency is not implemented via dlopen(), so that tools
such as networkd and nspawn no longer have a hard dependency on the
shared library when compiled with support for libiptc.

Contributions from: 김인수, Abderrahim Kitouni, Adam Williamson,
Alexandre Peixoto Ferreira, Alex Hudspith, Alvin Alvarado,
André Paiusco, Antonio Alvarez Feijoo, Anton Lundin,
Arseny Maslennikov, Arthur Shau, Balázs Úr, beh_10257,
Benjamin Peterson, Bertrand Jacquin, Brian Norris, Chris Patterson,
Christian Hergert, Christian Hesse, Christian Kirbach,
commondservice, Curtis Klein, cvlc12, Daan De Meyer,
Daniel P. Berrangé, Daniel Rusek, Dan Streetman,
David Rheinsberg, David Santamaría Rogado, David Tardon,
Christian Hergert, Christian Hesse, Christian Kirbach, commondservice,
Curtis Klein, cvlc12, Daan De Meyer, Daniel P. Berrangé, Daniel Rusek,
Dan Streetman, David Rheinsberg, David Santamaría Rogado, David Tardon,
dependabot[bot], Dmitry V. Levin, Emanuele Giuseppe Esposito,
Emil Renner Berthing, Emil Velikov, Etienne Dechamps, Fabian Vogt,
felixdoerre, Franck Bui, Frantisek Sumsal, G2-Games,
Gioele Barabucci, Hugo Carvalho, huyubiao, IllusionMan1212,
Jade Lovelace, janana, Jan Janssen, Jan Kuparinen, Jan Macku,
Jin Liu, Joerg Behrmann, Johannes Segitz, Jordan Rome,
Jordan Williams, Julien Malka, Juno Computers, Khem Raj, khm,
Kingbom Dou, Kiran Vemula, Laszlo Gombos, Lennart Poettering,
Luca Boccassi, Lucas Adriano Salles, Lukas, Maanya Goenka, Maarten,
Malte Poll, Marc Pervaz Boocha, Martin Beneš, Martin Wilck,
Mathieu Tortuyaux, Matthias Schiffer, Maxim Mikityanskiy,
Max Kellermann, Michael A Cassaniti, Michael Biebl, Michael Kuhn,
Michael Vasseur, Michal Koutný, Michal Sekletár, Mike Yuan,
Milton D. Miller II, mordner, msizanoen, NAHO, Nandakumar Raghavan,
Nick Rosbrook, NRK, Oğuz Ersen, Omojola Joshua, pelaufer,
Peter Hutterer, PhylLu, Pierre GRASSER, Piotr Drąg, Priit Laes,
Rahil Bhimjiani, Raito Bezarius, Raul Cheleguini, Reto Schneider,
Richard Maw, Robby Red, RoepLuke, Roland Hieber, Ronan Pigott,
Sam James, Sergey A, Susant Sahani, Sven Joachim,
Takashi Sakamoto, Thorsten Kukuk, Tj, Tomasz Świątek,
Topi Miettinen, Valentin David, Valentin Lefebvre,
Victor Westerhuis, Vincent Haupert, Vishal Chillara Srinivas,
Warren, Xiaotian Wu, xinpeng wang, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, наб
felixdoerre, Franck Bui, Frantisek Sumsal, G2-Games, Gioele Barabucci,
Hugo Carvalho, huyubiao, IllusionMan1212, Jade Lovelace, janana,
Jan Janssen, Jan Kuparinen, Jan Macku, Jin Liu, Joerg Behrmann,
Johannes Segitz, Jordan Rome, Jordan Williams, Julien Malka,
Juno Computers, Khem Raj, khm, Kingbom Dou, Kiran Vemula,
Laszlo Gombos, Lennart Poettering, Luca Boccassi, Lucas Adriano Salles,
Lukas, Maanya Goenka, Maarten, Malte Poll, Marc Pervaz Boocha,
Martin Beneš, Martin Wilck, Mathieu Tortuyaux, Matthias Schiffer,
Maxim Mikityanskiy, Max Kellermann, Michael A Cassaniti, Michael Biebl,
Michael Kuhn, Michael Vasseur, Michal Koutný, Michal Sekletár,
Mike Yuan, Milton D. Miller II, mordner, msizanoen, NAHO,
Nandakumar Raghavan, Nick Rosbrook, NRK, Oğuz Ersen, Omojola Joshua,
pelaufer, Peter Hutterer, PhylLu, Pierre GRASSER, Piotr Drąg,
Priit Laes, Rahil Bhimjiani, Raito Bezarius, Raul Cheleguini,
Reto Schneider, Richard Maw, Robby Red, RoepLuke, Roland Hieber,
Ronan Pigott, Sam James, Sergey A, Susant Sahani, Sven Joachim,
Takashi Sakamoto, Thorsten Kukuk, Tj, Tomasz Świątek, Topi Miettinen,
Valentin David, Valentin Lefebvre, Victor Westerhuis, Vincent Haupert,
Vishal Chillara Srinivas, Warren, Xiaotian Wu, xinpeng wang,
Yu Watanabe, Zbigniew Jędrzejewski-Szmek, наб

CHANGES WITH 254:

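Review bot: "The libiptc dependency is not implemented via dlopen()" says the opposite of what the rest of the sentence describes and should read "is now implemented via dlopen()". Further fixes needed in the new entries: "New documentation as been added" should be "has been added"; "the "T" and Z" characters" is missing the opening quote before Z; "of which one one needs to apply" should be "of which one needs to apply"; "MAC adress" should be "MAC address"; "MacOS" should be "macOS"; "128bit" should be "128-bit"; "if they have a log level of LOG_EMERG log level" repeats "log level"; and the documentation list gives MOUNT_REQUIREMENTS with a ".md" suffix while the other two URLs have none. Two content points: the $SYSTEMD_NSPAWN_NETWORK_MAC entry should say how the value is validated before it is applied to the veth, since an environment variable is a lower-trust input than a command-line switch, and the .confext.raw/.sysext.raw entry should say whether the suffix only affects naming conventions or also changes where the images are looked up. Finally, the reflow of the contributor list is mixed into the same commit as the content edits, which inflates the diff and hides the wording changes; splitting it out would make review easier.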