system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-21 02:05:05 +00:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

NEWS: adjust wording and reorder by category

Browse source 
Also wrap stuff to 80 columns, fix some spelling mistakes, and remove some
repetitions in phrasing.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2021-12-09 12:30:52 +01:00
parent 01081e2eab
commit dcdc652feb
1 changed files with 194 additions and 191 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

385
NEWS
View file

@ -2,44 +2,43 @@ systemd System and Service Manager
CHANGES WITH 250 in spe:
* Support for encrypted and authenticated credentials has been
added. This extends the credentials logic introduced with v247 to
support non-interactive symmetric encryption and authentication,
based on a key that is stored on the /var/ file system or in the TPM2
chip (if available), or the combination of both (by default if a TPM2
chip exists the combination is used, otherwise the /var/ key
only). The credentials are automatically decrypted at the moment a
service is started, and are made accessible to the service itself in
unencrypted form. A new tool `systemd-creds` has been added to
encrypt credentials for this purpose, and two new service file
settings LoadCredentialEncrypted= and SetCredentialEncrypted= have
been added to configure encrypted credentials prepared that way. This
feature is useful for ensuring sensitive material such as SSL
certificates, passwords and similar are stored securely when at rest
and only decrypted when needed, and in a way that can be reproduced
only on the local OS installation and hardware.
* Support for encrypted and authenticated credentials has been added.
This extends the credential logic introduced with v247 to support
non-interactive symmetric encryption and authentication, based on a
key that is stored on the /var/ file system or in the TPM2 chip (if
available), or the combination of both (by default if a TPM2 chip
exists the combination is used, otherwise the /var/ key only). The
credentials are automatically decrypted at the moment a service is
started, and are made accessible to the service itself in unencrypted
form. A new tool 'systemd-creds' encrypts credentials for this
purpose, and two new service file settings LoadCredentialEncrypted=
and SetCredentialEncrypted= configure such credentials.
This feature is useful to store sensitive material such as SSL
certificates, passwords and similar securely at rest and only decrypt
them when needed, and in a way that is tied to the local OS
installation or hardware.
* systemd-gpt-auto-generator can now automatically set up discoverable
LUKS2 encrypted swap partitions.
* The GPT Discoverable Partitions Specification has been updated
substantially to support Root and /usr/ partitions for the majority
of architectures systemd supports. This include platforms that do not
natively support UEFI. Even though GPT is specified under UEFI
umbrella its useful on other systems too. Specifically,
* The GPT Discoverable Partitions Specification has been substantially
extended with support for root and /usr/ partitions for the majority
of architectures systemd supports. This includes platforms that do
not natively support UEFI, because even though GPT is specified under
UEFI umbrella, it is useful on other systems too. Specifically,
systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
Portable Services make heavy use of the concept, none of which are
specific to UEFI.
Portable Services use the concept without requiring UEFI.
* The GPT Discoverable Partitions Specifications has learnt a new set
of partitions that may carry PKCS#7 signatures for Verity partitions,
encoded in a simple JSON format. This implements a simple mechanism
for building disk images that are fully authenticated and can be
tested against a set of cryptographic certificates. This is now
implemented for the various systemd tools that can operate with disk
images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
Portable services/RootImage=, systemd-tmpfiles, systemd-sysusers, and
so on. The PKCS#7 signatures are passed to the kernel (where they are
* The GPT Discoverable Partitions Specifications has been extended with
a new set of partitions that may carry PKCS#7 signatures for Verity
partitions, encoded in a simple JSON format. This implements a simple
mechanism for building disk images that are fully authenticated and
can be tested against a set of cryptographic certificates. This is
now implemented for the various systemd tools that can operate with
disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers.
The PKCS#7 signatures are passed to the kernel (where they are
checked against certificates from the kernel keyring), or can be
verified against certificates provided in userspace (via a simple
drop-in file mechanism).
@ -62,11 +61,11 @@ CHANGES WITH 250 in spe:
* The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
now is able to decode images for non-native architectures as well.
This enables systemd-nspawn to boot images of non-native
architectures if the corresponding user mode emulator is installed
and systemd-binfmtd is running.
This allows systemd-nspawn to boot images of non-native architectures
if the corresponding user mode emulator is installed and
systemd-binfmtd is running.
* systemd-logind gained a new settings HandlePowerKeyLongPress=,
* systemd-logind gained new settings HandlePowerKeyLongPress=,
HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
HandleHibernateKeyLongPress= which may be used to configure actions
when the relevant keys are pressed for more than 5s. This is useful
@ -81,16 +80,15 @@ CHANGES WITH 250 in spe:
is shown, the most recent sd_notify() STATUS= text is now shown as
well. Services may use this to make the boot/shutdown output easier
to understand, and to indicate what precisely a service that is slow
to start or stop is waiting for. Specifically, the per-user service
to start or stop is waiting for. In particular, the per-user service
manager instance now reports what it is doing and which service it is
waiting for this way to the system service manager.
* The service manager will now re-execute on reception of the
SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
only when running as PID 1. There was no signal to request this when
running as per-user service manager, i.e. as any other PID than
1. SIGRTMIN+25 will work in any case, i.e. both as system and user
service manager.
running as per-user service manager, i.e. as any other PID than 1.
SIGRTMIN+25 works for both system and user managers.
* The hardware watchdog logic in PID 1 gained support for operating
with the default timeout configured in the hardware, instead of
@ -111,9 +109,9 @@ CHANGES WITH 250 in spe:
system services or the managers themselves.
* A new per-service setting RestrictFileSystems= as been added that
restricts the file systems a service has access to by their
type. This is based on the new BPF LSM of the Linux kernel. This is
an effective way to make certain API file systems unavailable to
restricts the file systems a service has access to by their type.
This is based on the new BPF LSM of the Linux kernel. It provides an
effective way to make certain API file systems unavailable to
services (and thus minimizing attack surface). A new command
"systemd-analyze filesystems" has been added that lists all known
file system types (and how they are grouped together under useful
@ -122,7 +120,7 @@ CHANGES WITH 250 in spe:
* Services now support a new setting RestrictNetworkInterfaces= for
restricting access to specific network interfaces.
* New service unit files gained new settings StartupAllowedCPUs= and
* Service unit files gained new settings StartupAllowedCPUs= and
StartupAllowedMemoryNodes=. These are similar to their counterparts
without the "Startup" prefix and apply during the boot process
only. This is useful to improve boot-time behavior of the system and
@ -140,23 +138,23 @@ CHANGES WITH 250 in spe:
[Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a
unit skip/fail activation if the system's (or a slice's) memory/cpu/io
pressure is above the configured threshold, using the kernel PSI
feature. Fore more details see systemd.unit.5 and
feature. For more details see systemd.unit(5) and
https://www.kernel.org/doc/html/latest/accounting/psi.html
* The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
ProtectKernelLogs=yes can now be used.
* The default maximum number of inodes for /dev has been doubled, from
64k to 128k.
* The default maximum numbers of inodes have been raised from 64k to 1m
for /dev, and from 400k to 1m for /tmp.
* The per-user service manager learnt support for communicating with
systemd-oomd to acquire OOM kill information.
* A new service setting ExecSearchPath= has been added that allows
changing the search path for executables for services. It affects how
the binaries specified in ExecStart= and similar are searched and
also affects the $PATH environment variable passed to invoked
processes.
changing the search path for executables for services. It affects
where we look for the binaries specified in ExecStart= and similar,
and the specified directories are also added the $PATH environment
variable passed to invoked processes.
* A new setting RuntimeRandomizedExtraSec= has been added for service
and scope units that allows extending the runtime time-out as
@ -164,7 +162,7 @@ CHANGES WITH 250 in spe:
* The syntax of the service unit settings RuntimeDirectory=,
StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
if the specified string is now suffixed with a colon, followed by
if the specified value is now suffixed with a colon, followed by
another filename, the latter will be created as symbolic link to the
specified directory. This allows creating these service directories
together with alias symlinks to make them available under multiple
@ -173,28 +171,28 @@ CHANGES WITH 250 in spe:
* Service unit files gained two new settings TTYRows=/TTYColumns= for
configuring rows/columns of the TTY device passed to
stdin/stdout/stderr of the service. This is useful to propagate TTY
dimensions from another environment.
dimensions to a virtual machine.
* A new service unit file setting ExitType= has been added, that allows
configuring when precisely to assume a service has exited. By default
systemd watches the main process of a service only to determine its
lifetime. By setting ExitType=cgroup it can be told to wait for the
last process in a cgroup instead.
* A new service unit file setting ExitType= has been added that
specifies when to assume a service has exited. By default systemd
only watches the main process of a service. By setting
ExitType=cgroup it can be told to wait for the last process in a
cgroup instead.
* Automount unit files gained a new setting ExtraOptions= that can be
used to configure additional mount options to pass to the kernel when
mounting the autofs instance.
* "Urlification" (i.e. generation of ESC sequences that generate
clickable hyperlinks in modern terminals) may now be turned off
altogether during build-time.
* "Urlification" (generation of ESC sequences that generate clickable
hyperlinks in modern terminals) may now be turned off altogether
during build-time.
* The tpm2/fido2/pkcs11 support in systemd-cryptsetup is now also built
as plug-in for upstream cryptsetup. This means plain cryptsetup may
now be used to unlock volumes set up this way.
* The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built
as a plug-in for cryptsetup. This means the plain cryptsetup command
may now be used to unlock volumes set up this way.
* The TPM2 logic in cryptsetup will now automatically detect systems
where the TPM2 chip supports SHA256 PCR banks but the firmware only
where the TPM2 chip advertises SHA256 PCR banks but the firmware only
updates the SHA1 banks. In such a case PCR policies will be
automatically bound to the latter, not the former. This makes the PCR
policies reliable, but of course do not provide the same level of
@ -206,16 +204,15 @@ CHANGES WITH 250 in spe:
than ECC, and hence are only used if ECC is not available.
* /etc/crypttab gained support for a new token-timeout= setting for
encrypted volumes that allow configuration of a maximum time to wait
for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses the
logic will query the user for a regular passphrase/recovery key
encrypted volumes that allows configuration of the maximum time to
wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses
the logic will query the user for a regular passphrase/recovery key
instead.
* Support for activating dm-integrity volumes at boot via a new file
/etc/integritytab and a tool systemd-integritysetup has been
added. This behaves similar to the existing /etc/crypttab and
/etc/veritytab, but deals with dm-integrity instead of
dm-crypt/dm-verity.
/etc/integritytab and the tool systemd-integritysetup have been
added. This is similar to /etc/crypttab and /etc/veritytab, but deals
with dm-integrity instead of dm-crypt/dm-verity.
* The systemd-veritysetup-generator now understands a new usrhash=
kernel command line option for specifying the Verity root hash for
@ -233,9 +230,9 @@ CHANGES WITH 250 in spe:
* A new unit systemd-boot-update.service has been added. If enabled
(the default) and the sd-boot loader is detected to be installed, it
is automatically updated to the newest version if it's out of
date. This is useful to ensure the boot loader remains up-to-date,
and updates automatically propagate from the OS tree in /usr/.
is automatically updated to the newest version when out of date. This
is useful to ensure the boot loader remains up-to-date, and updates
automatically propagate from the OS tree in /usr/.
* sd-boot will now build with SBAT by default in order to facilitate
working with recent versions of Shim that require it to be present.
@ -302,6 +299,38 @@ CHANGES WITH 250 in spe:
an explicitly specified unit name, independently of what the filename
actually is.
* systemd-analyze verify gained a new switch --recursive-errors= which
controls whether to only fail on errors found in the specified units
or recursively any dependent units.
* systemd-analyze security now supports a new --offline mode for
analyzing unit files stored on disk instead of loaded units. It may
be combined with --root=/--image to analyze unit files under a root
directory or disk image. It also learnt a new --threshold= parameter
for specifying an exposure level threshold: if the exposure level
exceeds the specified value the call will fail. It also gained a new
--security-policy= switch for configuring security policies to
enforce on the units. A policy is a JSON file that lists which tests
shall be weighted how much to determine the overall exposure
level. Altogether these new features are useful for fully automatic
analysis and enforcement of security policies on unit files.
* systemd-analyze security gain a new --json= switch for JSON output.
* systemd-analyze learnt a new --quiet switch for reducing
non-essential output. It's honored by the "dot", "syscall-filter",
"filesystems" commands.
* systemd-analyze security gained a --profile option that can be used
to take into account a portable profile when analyzing portable
services, since a lot of the security-related settings are enabled
through them.
* systemd-analyze learnt a new inspect-elf verb that parses ELF core
files, binaries and executables and prints metadata information,
including the build-id and other info described on:
https://systemd.io/COREDUMP_PACKAGE_METADATA/
* The [IPv6AcceptRA] section of .network files gained support for a new
UseMTU= setting that may be used to control whether to apply the
announced MTU settings to the local interface.
@ -374,42 +403,11 @@ CHANGES WITH 250 in spe:
SuppressInterfaceGroup= setting.
* The IgnoreCarrierLoss= setting in the [Network] section of .network
files now accepts a duration to be specified, controlling how time to
wait before no longer ignoring carrier losses.
files now allows a duration to be specified, controlling how long to
wait before reacting to carrier loss.
* The [DHCPServer] section of .network file gained a new Router= setting
to specify the router address.
* systemd-analyze verify gained a new switch --recursive-errors= which
controls whether to only fail on errors found in the specified units
or recursively any dependent units.
* systemd-analyze security now supports a new --offline mode for
analyzing unit files stored on disk instead of loaded units. It may
be combined with --root=/--image to analyze unit files container in a
root directory or disk image. It also learnt a new --threshold=
parameter for specifying an exposure level threshold: if the exposure
level exceeds the specified value the call will fail. It also gained
a new --security-policy= switch for configuring security policies to
enforce on the units. A policy is a JSON file that lists which tests
shall be weighted how much to determine the overall exposure
level. It also gained a new --json= switch for generating JSON
output. Altogether these new features are useful for fully automatic
analysis and enforcement of security policies on unit files.
* systemd-analyze security gained a --profile option that can be used
to take into account a portable profile when analyzing portable
services, since a lot of the security-related settings are enabled
through them.
* systemd-analyze learnt a new --quiet switch for reducing
non-essential output. It's honored by the "dot", "syscall-filter",
"filesystems" commands.
* systemd-analyze learnt a new inspect-elf verb that parses ELF core
files, binaries and executables and prints metadata information,
including the build-id and other info described on:
https://systemd.io/COREDUMP_PACKAGE_METADATA/
* The [DHCPServer] section of .network file gained a new Router=
setting to specify the router address.
* systemd-nspawn's --setenv= switch now supports an additional syntax:
if only a variable name is specified (i.e. without being suffixed by
@ -426,8 +424,8 @@ CHANGES WITH 250 in spe:
not essential as all build artifacts can be regenerated any time, but
the performance win is beneficial.
* systemd-nspawn will now raise RLIMIT_NOFILE's hard limit to the same
value that PID 1 raises it for most forked off processes.
* systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the
same value that PID 1 uses for most forked off processes.
* systemd-nspawn's --bind=/--bind-ro= switches now optionally take
uidmap/nouidmap options as last parameter. If "uidmap" is used the
@ -435,28 +433,18 @@ CHANGES WITH 250 in spe:
the host's file ownerships are mapped 1:1 to container file
ownerships, even if user namespacing is used. This way
files/directories bound into containers will no longer show up as
owned by the nobody user as they typically do if no special care is
owned by the nobody user as they typically did if no special care was
taken to shift them manually.
* When discovering Windows installations sd-boot will now attempt to
extract the Windows version found.
show the Windows version.
* The color scheme to use in sd-boot may now be configured at
build-time.
* systemd-boot will now paint the input cursor on its own instead of
relying on the firmware to do so, increasing compatibility with broken
firmware that doesn't make the cursor reasonably visible.
* sd-boot gained the ability to change screen resolution during
boot-time, by hitting the "r" key. This will cycle through available
resolutions and save them.
* sd-boot gained support for automatically loading all EFI drivers
placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
Partition (ESP). These drivers are loaded before the menu entries are
searched and loaded. This is useful for easily loading additional
file system drivers for the XBOOTLDR partition or similar.
resolutions and save the last selection.
* sd-boot learnt a new hotkey "f". When pressed the system will enter
firmware setup. This is useful in environments where it is difficult
@ -467,6 +455,16 @@ CHANGES WITH 250 in spe:
selected on the last boot (using the "@saved" identifier for menu
items).
* sd-boot gained support for automatically loading all EFI drivers
placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
Partition (ESP). These drivers are loaded before the menu entries are
loaded. This is useful e.g. to load additional file system drivers
for the XBOOTLDR partition.
* systemd-boot will now paint the input cursor on its own instead of
relying on the firmware to do so, increasing compatibility with broken
firmware that doesn't make the cursor reasonably visible.
* sd-boot now embeds a .osrel PE section like we expect from Boot
Loader Specification Type #2 Unified Kernels. This means sd-boot
itself may be used in place of a Type #2 Unified Kernel. This is
@ -479,14 +477,14 @@ CHANGES WITH 250 in spe:
for installing/applying new devicetree files without updating the
kernel image.
* Similar, sd-stub now can read devicetree data from a PE section
* Similarly, sd-stub now can read devicetree data from a PE section
".dtb" and apply it before invoking the kernel.
* sd-stub (the EFI stub that can be glued in front of a Linux kernel)
gained the ability to pick up credentials and sysext files placed
next to the kernel image file during initialization, wrap them in a
cpio archive and pass them as additional initrd to the invoked Linux
kernel, placing them in the /.extra/ directory of the initrd
next to the kernel image file, wrap them in a cpio archive and pass
as an additional initrd to the invoked Linux kernel, in effect
placing those files in the /.extra/ directory of the initrd
environment. This is useful to implement trusted initrd environments
which are fully authenticated but still can be extended (via sysexts)
and parameterized (via encrypted/authenticated credentials, see
@ -497,24 +495,24 @@ CHANGES WITH 250 in spe:
complete EFI unified kernel image, implementing Boot Loader
Specification Type #2.
* sd-stub may now provide the initrd to the execute kernel via the
* sd-stub may now provide the initrd to the executed kernel via the
LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
non-x86 architectures.
* bootctl learnt the new set-timeout and set-timeout-oneshot that may
be used to set the boot menu time-out of the boot loader (for all or
just the subsequent boot).
* bootctl learnt new set-timeout and set-timeout-oneshot commands that
may be used to set the boot menu time-out of the boot loader (for all
or just the subsequent boot).
* systemd-sysext now optionally doesn't insist on extension-release.d/
files to be placed in the image under the image's right name. If the
files being placed in the image under the image's file name. If the
file system xattr user.extension-release.strict is set on the
extension release file it is accepted regardless of its name. This
extension release file, it is accepted regardless of its name. This
relaxes security restrictions a bit, as system extension may be
attached under a wrong name this way.
* udevadm's test-builtin command learnt a new --action= switch for
testing the built-in with the specified action (in place of the
default of 'add'.
default 'add').
* udevadm info gained new switches --property=/--value for showing only
specific udev properties/values instead of all.
@ -525,27 +523,27 @@ CHANGES WITH 250 in spe:
be accessible to regular users.
* A new hwdb database entry has been added that carries information
about what type of camera discovered cameras are (regular or
infrared), and in which direction they point (front or back).
about types of cameras (regular or infrared), and in which direction
they point (front or back).
* A new rule to allow console users access to rfkill by default has been
added to hwdb.
* A new build-time meson option "extra-net-naming-schemes=" has been
added for defining additional naming schemes schemes definitions for
udev's network interface naming logic. This is useful for enterprise
distributions and similar which want to pin the schemes of certain
distribution releases under a specific name and previously had to
patched our sources to introduce new named schemes.
added to define additional naming schemes schemes for udev's network
interface naming logic. This is useful for enterprise distributions
and similar which want to pin the schemes of certain distribution
releases under a specific name and previously had to patch the
sources to introduce new named schemes.
* The predictable naming logic for network interfaces has been extended
to generate stable names from Xen netfront device information.
* hostnamed's chassis property can now be sourced from chassis-type
field encoded in devicetree (in addition to the preexisting DMI
field encoded in devicetree (in addition to the existing DMI
support).
* systemd-cgls now optionally display cgroup IDs and extended
* systemd-cgls now optionally displays cgroup IDs and extended
attributes for each cgroup. (Controllable via the new --xattr= +
--cgroup-id= switches.)
@ -564,25 +562,25 @@ CHANGES WITH 250 in spe:
attempted exactly once but if the home directory was busy for some
reason it was not tried again.
* systemd-homed's LUKS2 home area backend will now issue a BSD file
* systemd-homed's LUKS2 home area backend will now create a BSD file
system lock on the image file while the home area is active
(i.e. mounted). If a home area is found to be locked logins are
(i.e. mounted). If a home area is found to be locked, logins are
politely refused. This should improve behavior when using home areas
images that are accessible via the network from multiple clients, and
reduce the chance of accidental file system corruption in that case.
* Optionally, systemd-homed will now drop the kernel buffer cache once
a user fully logged out, configurable via the new --drop-caches=
a user has fully logged out, configurable via the new --drop-caches=
homectl switch.
* systemd-homed now makes use of UID mapped mounts for the home
areas. If the kernel and used file system support it, files are now
* systemd-homed now makes use of UID mapped mounts for the home areas.
If the kernel and used file system support it, files are now
internally owned by the "nobody" user (i.e. the user typically used
for indicating "this ownership is not mapped"), and dynamically
mapped to the UID used locally on the system via the UID mapping
mount logic of recent kernels. This makes migrating home areas
between different systems cheap as recursively chown()ing file system
trees is no longer necessary.
between different systems cheaper because recursively chown()ing file
system trees is no longer necessary.
* systemd-homed's CIFS backend now optionally supports CIFS service
names with a directory suffix, in order to place home directories in
@ -592,12 +590,12 @@ CHANGES WITH 250 in spe:
mount options in the JSON user record (cifsExtraMountOptions field,
and --cifs-extra-mount-options= homectl switch). This is for example
useful for configuring mount options such as "noserverino" that some
SMB3 services require (for example: use that to run a homed home
directory from a FritzBox SMB3 share this way).
SMB3 services require (use that to run a homed home directory from a
FritzBox SMB3 share this way).
* systemd-homed will now default to btrfs' zstd compression for home
areas. This is inspired by Fedora's recent decision to enable this by
default.
areas. This is inspired by Fedora's recent decision to switch to zstd
by default.
* Additional mount options to use when mounting the file system of
LUKS2 volumes in systemd-homed has been added. Via the
@ -616,13 +614,13 @@ CHANGES WITH 250 in spe:
* systemd-homed gained the ability to automatically shrink home areas
on logout to their minimal size and grow them again on next
login. This ensures that while inactive a home area only takes up the
minimal space necessary, but once activated provides sufficient space
for the user's needs. This behavior is only supported if btrfs is
used as file system inside the home area (because only for btrfs
online growing/shrinking is implemented in the kernel). This
behavior is now enabled by default, but may be controlled via the
new --auto-resize-mode= setting of homectl.
login. This ensures that while inactive, a home area only takes up
the minimal space necessary, but once activated, it provides
sufficient space for the user's needs. This behavior is only
supported if btrfs is used as file system inside the home area
(because only for btrfs online growing/shrinking is implemented in
the kernel). This behavior is now enabled by default, but may be
controlled via the new --auto-resize-mode= setting of homectl.
* systemd-homed gained support for automatically re-balancing free disk
space among active home areas, in case the LUKS2 backends are used,
@ -635,7 +633,7 @@ CHANGES WITH 250 in spe:
user record field (as exposed via the new --rebalance-weight= homectl
setting). Re-balancing is mostly automatic, but can also be requested
explicitly via "homectl rebalance", which is synchronous, and thus
may be used to wait until a rebalance run is complete.
may be used to wait until the rebalance run is complete.
* userdbctl gained a --json= switch for configured the JSON formatting
to use when outputting user or group records.
@ -647,9 +645,9 @@ CHANGES WITH 250 in spe:
* userdbctl's ssh-authorized-keys command learnt a new --chain switch,
for chaining up another command to execute after completing the
look-up. Since the OpenSSH's AuthorizedKeysCommand only allows
configuration of a single command to invoke this maybe used to invoke
multiple: first userdbctl's own implementation, and then any other
also configured in the command line.
configuration of a single command to invoke, this maybe used to
invoke multiple: first userdbctl's own implementation, and then any
other also configured in the command line.
* The sd-event API gained a new function sd_event_add_inotify_fd() that
is similar to sd_event_add_inotify() but accepts a file descriptor
@ -667,12 +665,12 @@ CHANGES WITH 250 in spe:
https://systemd.io/PORTING_TO_NEW_ARCHITECTURES
* The x-systemd.makefs option in /etc/fstab now explicitly supports
f2fs file systems.
ext2, ext3, and f2fs file systems.
* The systemd-getty-generator now honors a new kernel command line
argument systemd.getty_auto= and a new environment variable
$SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
example useful for turning off gettys inside of containers or similar
example useful to turn off gettys inside of containers or similar
environments.
* systemd-resolved now listens on a second DNS stub address: 127.0.0.54
@ -697,42 +695,47 @@ CHANGES WITH 250 in spe:
* systemd-repart no longer requires OpenSSL.
* systemd-sysusers will no longer create the redundant 'nobody' group by default,
as the 'nobody' user is already created with an appropriate primary group.
* systemd-sysusers will no longer create the redundant 'nobody' group
by default, as the 'nobody' user is already created with an
appropriate primary group.
* If a unit uses RuntimeMaxSec, systemctl show will now display it.
* systemctl show-environment gained support for --output=json.
* pam_systemd will now first try to use the X11 abstract socket, and
fallback to the socket file in /tmp/.X11-unix/ only if that does not work.
fallback to the socket file in /tmp/.X11-unix/ only if that does not
work.
* systemd-journald will no longer go back to volatile storage regardless of
configuration when its unit is restarted.
* systemd-journald will no longer go back to volatile storage
regardless of configuration when its unit is restarted.
* Initial support for the LoongArch architecture has been added
(system calls, defines, etc).
* Initial support for the LoongArch architecture has been added (system
call lists, GPT partition table UUIDs, etc).
* A LICENSES/ directory is now included in the git tree. It contains a README.md
file that explains the licenses used by source files in this repository.
It also contains the text of all applicable licenses as they appear on spdx.org.
* systemd-journald's own logging messages are now also logged to the
journal itself when systemd-journald logs to /dev/kmsg.
* systemd-journald now re-enables COW for archived journal files on filesystems
that support COW. One benefit of this change is that archived journal files will
now get compressed on btrfs filesystems that have compression enabled.
* systemd-journald now re-enables COW for archived journal files on
filesystems that support COW. One benefit of this change is that
archived journal files will now get compressed on btrfs filesystems
that have compression enabled.
* systemd-journald now truncates archived journal files and punches holes in unused
parts of archived journal files, leading to some minor reductions in disk usage.
* systemd-journald now deduplicates fields in a single log message
before adding it to the journal. In archived journal files, it will
also punch holes for unused parts and truncate the file as
appropriate, leading to reductions in disk usage.
* systemd-journald now deduplicates fields in a single log message before adding
it to the journal.
* journalctl --verify was extended with more informative error
messages.
* journalctl --verify was extended with more informative error messages.
* More of sd-journal's functions are now resistant against journal file
corruption.
* More of sd-journal's functions are now resistant against journal file corruption.
* systemd-journald's own logging messages are now also logged to the journal itself
when systemd-journald logs to /dev/kmsg.
* A LICENSES/ directory is now included in the git tree. It contains a
README.md file that explains the licenses used by source files in
this repository. It also contains the text of all applicable
licenses as they appear on spdx.org.
CHANGES WITH 249: