diff --git a/NEWS b/NEWS index 86b7ba7768..53ca7d21b2 100644 --- a/NEWS +++ b/NEWS 
@@ -8,24 +8,25 @@ CHANGES WITH 256 in spe: dropped in a future release. * Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now - considered obsolete and systemd by default will refuse to boot under it. - To forcibly reenable cgroup v1 support, SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 - must be set on kernel command line. The meson option 'default-hierarchy=' - is also deprecated, i.e. only cgroup v2 ('unified' hierarchy) can be - selected as build-time default. + considered obsolete and systemd by default will refuse to boot under + it. To forcibly reenable cgroup v1 support, + SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must be set on kernel command + line. The meson option 'default-hierarchy=' is also deprecated, i.e. + only cgroup v2 ('unified' hierarchy) can be selected as build-time + default. - * Previously, systemd-networkd did not explicitly remove any bridge VLAN - IDs assigned on bridge master and ports. Since v256, if a .network - file for an interface has at least one valid settings in [BridgeVLAN] - section, then all assigned VLAN IDs on the interface that are not - configured in the .network file are removed. + * Previously, systemd-networkd did not explicitly remove any bridge + VLAN IDs assigned on bridge master and ports. Since version 256, if a + .network file for an interface has at least one valid setting in the + [BridgeVLAN] section, then all assigned VLAN IDs on the interface + that are not configured in the .network file are removed. * systemd-gpt-auto-generator will stop generating units for ESP or XBOOTLDR partitions if it finds mount entries in the /boot/ or /efi/ hierarchies in fstab. This is to prevent the generator from interfering with systems where ESP is explicitly configured to be mounted at some path, for example /boot/efi/ (this type of setup is - obsolete but is still commonly found). + obsolete but still commonly found). 
* The behavior of systemd-sleep and systemd-homed has been updated to freeze user sessions when entering the various sleep modes or when 
@@ -36,18 +37,431 @@ CHANGES WITH 256 in spe: and related services, and SYSTEMD_HOME_LOCK_FREEZE_SESSION=false for systemd-homed.service. + * systemd-tmpfiles and systemd-sysusers, when given a relative path + (with at least one directory separator '/'), will open the file + directly, instead of searching for the given partial path in the + standard locations. The old mode wasn't useful because tmpfiles.d and + sysusers.d configuratino has a flat structure with no subdirectories + under the standard locations and this change makes it easier to work + with local files with those tools. + + * systemd-tmpfiles now properly applies nested configuration to 'R' and + 'D' stanzas. For example, with 'R /foo; x /foo/bar', /foo/bar will + now be excluded from removal. + + General Changes and New Features: + + * Various programs will load the main configuration from under + /usr/lib/, /usr/local/lib, and /run, not just from under /etc/. For + example, systemd-logind will look for /etc/systemd/logind.conf, + /run/systemd/logind.conf, /usr/local/lib/systemd/logind.conf, and + /usr/lib/systemd/logind.conf, and use the first file that is found. + This means that the location logic for the main config file and for + drop-ins is now the same. + + ukify will look for the config files in /usr/lib/kernel/ and the + other locations, and now also supports drop-ins. + + systemd-udevd now supports drop-ins for udev.conf. + + * A new 'systemd-vpick' binary has been added. It implements the new + vpick protocol, where a .v directory may contain multiple files with + a version embedded in the name, and they may be ordered by version + and the newest one can be reliably selected. + + systemd-nspawn, systemd-dissect, and the RootDirectory=, RootImage=, + ExtensionImages=, and ExtensionDirectories= settings for units now + support the vpick protocol and allow the latest version to be + selected automatically if a "*.v/" directory is specified as the + source. 
+ + * Credentials can now be made accessible to unprivileged users. + 'systemd-creds --user --uid=' will encrypt or decrypt a + credential for a specific user. + + * With systemd-homed, it is now possible to log in and activate an + encrypted home area over SSH. + + homectl is now installed as a multi-call binary. When invoked as + systemd-home-fallback-shell it can be used as a temporary shell which + allows the home area to interactively unlocked. When the home area + becomes available, the temporary shell executes the normal one. + + systemd-homed gained new methods + org.freedesktop.home1.Manager.RefHomeUnrestricted, + org.freedesktop.home1.Home.RefUnrestricted, + org.freedesktop.home1.Manager.ActivateHomeIfReferenced, and + org.freedesktop.home1.Home.ActivateIfReferenced to allow logging in + without activating the home area and then activating the home area + later. + + * JSON User Records have been extended with a separate storage area + called "User Record Blob Directories". This is intended to store the + user's background image, avatar picture, and other similar items + which are too large to fit into the User Record itself. + + systemd-homed, userdbctl, and homectl gained support for blob + directories. + + * New command-line tool 'importctl' is added with the following verbs: + pull-tar, pull-raw, import-tar, import-raw, import-fs, export-tar, + export-raw, list-transfers, cancel-transfer. + + Service Manager: + + * New manager setting ProtectSystem= has been added. It is analogous to + the unit setting, but applies to the whole system. It is enabled by + default in the initrd. + + * New unit setting WantsMountsFor= has been added. It is analogous to + RequiresMountsFor=, but with a Wants= dependency instead of + Requires=. This new logic is used in various places where mounts were + added as dependencies for other settings (WorkingDirectory=-…, + PrivateTmp=yes, cryptsetup lines with 'nofail'). 
+ + * New unit setting MemoryZSwapWriteback= can be used to control the new + memory.zswap.writeback cgroup knob added in kernel 6.8. + + * The manager gained a org.freedesktop.systemd1.StartAuxiliaryScope() + method to devolve some processes from a service into a new scope. + This new scope will remain even if the original service unit is + restarted. Cgroup properties of the new scope are copied from the + service, so various limits are retained. + + * Units now expose properties EffectiveMemoryMax=, + EffectiveMemoryHigh=, and EffectiveTasksMax=, which report the + most stringent limit systemd is aware of for the given unit. + + * A new specifier %D expands to $XDG_DATA_HOME. + + * AllowedCPUs= now supports specifier expansion. + + * What= setting in .mount and .swap units now accepts an fstab-style + identifiers, for example UUID=… or LABEL=…. + + * RestrictNetworkInterfaces= now supports alternative network interface + names. + + * PAMName= now implies SetLoginEnvironment=yes. + + * homectl gained a new verb 'firstboot', and a new + systemd-homed-firstboot.service unit uses this verb to create users + in a first boot environment, either from credentials or by querying + interactively. + + * systemd.firstboot=no can be used on the kernel command-line to + disable interactive queries, but allow other first boot configuration + to happen based on credentials. + + * A new kernel command-line option systemd.default_debug_tty= can be + used to specify the TTY for the debug shell, independently of + enabling or disabling it. + + * Systemd hostname can be configured via the systemd.hostname + credential. + + The Journal: + + * systemd-journald can now forward journal entries to a socket + (AF_INET, AF_INET6, AF_UNIX, or AF_VSOCK). The socket can be + specified in journald.conf via a new option ForwardAddress= or via + the 'journald.forward_address' credential. 
+ + * systemd-journal-remote now also accepts AF_VSOCK and AF_UNIX sockets + (so it can be used to receive entries forwarded by systemd-journald). + + * systemd-vmspawn gained a new --forward-journal= option to forward the + virtual machine's journal entries to the host. This is done over a + AF_VSOCK socket, i.e. it does not require networking in the guest. + + * journalctl gained option '-i' as a shortcut for --file=. + + * journalctl gained a new -T/--exclude-identifier= option to filter + out certain syslog identifiers. + + * journalctl gained a new --list-namespaces option. + + * systemd-journal-gatewayd allows restricting the time range of + retrieved entries with realtime=[]:[]. + + Device Management: + + * Udev now creates symlinks that combine by-path and by-{label,uuid} + information: + /dev/disk/by-path//by-/. + This allows distinguishing partitions with identical contents on + multiple storage devices. This is useful, for example, when copying + raw disk contents between devices. + + * Udev now creates persistent /dev/media/by-path symlinks for media + controllers. For example, the uvcvideo driver may create /dev/media0 + which will be linked as + /dev/media/by-path/pci-0000:04:00.3-usb-0:1:1.0-media-controller. + + * An allowlist/denylist may be specified to filter which sysfs + attributes are used when crafting network interface names. Those + lists are stored as HWDB entries + ID_NET_NAME_ALLOW_=0|1 + and + ID_NET_NAME_ALLOW=0|1. + The goal is to avoid unexpected changes to interface names when the + kernel is updated and new sysfs attributes become visible. + + * A new unit tpm2.target has been added to provide a synchronization + point for units which expect the TPM hardware to be available. + + * systemd-backlight now properly supports numbered devices which the + kernel creates to avoid collisions in the leds subsystem. + + * systemd-hwdb update operation can be disabled with environment + variable SYSTEMD_HWDB_UPDATE_BYPASS=1. 
+ + * systemd-logind gained a new org.freedesktop.login1.Manager.Sleep() + method that automatically redirects to SuspendThenHibernate(), + Suspend(), HybridSleep(), or Hibernate(), depending on what is + supported and configured, a new configuration setting SleepOperation=, + and an accompanying helper method + org.freedesktop.login1.Manager.CanSleep() and property + org.freedesktop.login1.Manager.SleepOperation. + + 'systemctl sleep' calls the new method to automatically put the + machine to sleep in the most appropriate way. + + * systemd-hostnamed now exposes the machine ID and boot ID via D-Bus. + + * systemd-hostnamed now provides a Varlink interface. + + * systemd-hostnamed exports the data in os-release(5) and + machine-info(5) via D-Bus and Varlink. + Network Management: + * systemd-networkd now provides a Varlink interface. + * systemd-networkd's proxy support gained a new option to configure a private VLAN variant of the proxy ARP supported by the kernel under the name IPv4ProxyARPPrivateVLAN=. - * TPM 1.2 PCR measurement support has been removed from - systemd-stub. TPM 1.2 is obsolete and — due to the (by today's - standards) weak cryptographic algorithms it only supports — does not - actually provide the security benefits it's supposed to - provide. Given that the rest of systemd's codebase never supported - TPM 1.2 the support has now been removed from systemd-stub as well. + * systemd-networkd now exports the NamespaceId and NamespaceNSID + properties via D-Bus and Varlink. + + * systemd-networkd now supports IPv6RetransmissionTimeSec= and + UseRetransmissionTime= settings in .network files to configure + retransmission time for IPv6 neighbor solicitation messages. + + * networkctl gained new verbs 'mask' and 'unmask'. + + * 'networkctl edit --runtime' allows editing volatile configuration + under /run/systemd/network/. + + * The implementation behind TTLPropagate= network setting has been + removed and the setting is now ignored. 
+ + * systemd-network-generator will now pick up .netdev/.link/.network + configuration from credentials. + + * systemd-networkd will now pick up wireguard configuration from + credentials. + + * systemd-ssh-proxy is a new SSH client plugin that allows connecting + to AF_SOCK or AF_UNIX sockets. + + * systemd-nspawn now provides a /run/systemd/nspawn/unix-export/ + directory where the container payload can expose AF_UNIX sockets to + allow them them to be accessed from outside. + + * systemd-nspawn will tint the background for container output. + This can be controller with the new --backgroup= option. + + * systemd-nspawn gained support for the 'owneridmap' option for bind + mounts to map the target directory owner from inside the container to + the owner of the directory bound from the host filesystem. + + * A sshd config drop-in to allow ssh keys acquired via userdbctl to be + used for authorization. + + * New generator systemd-ssh-generator can be used to bind a + socket-activated SSH instance to a local AF_SOCK or AF_UNIX socket. + This generator will automaticaly bind /run/host/unix-export/ssh. + + * systemd-resolved now implements RFC 8914 EDE error codes. + + * systemd-resolved and resolvectl now support RFC 9460 SVCB and HTTPS + records. + + * resolvectl gained a new option --relax-single-label= to allow + querying single-label hostnames via DNS. + + Systemd-boot and systemd-stub and Related Tools: + + * TPM 1.2 PCR measurement support has been removed from systemd-stub. + TPM 1.2 is obsolete and — due to the (by today's standards) weak + cryptographic algorithms it only supports — does not actually provide + the security benefits it's supposed to provide. Given that the rest + of systemd's codebase never supported TPM 1.2, the support has now + been removed from systemd-stub as well. + + * Confexts are loaded by systemd-stub from the ESP as well. 
+ + * The pcrlock policy is saved in an unencrypted credential file + "pcrlock..cred" under XBOOTLDR/ESP in the + /loader/credentials/ directory. It will be picked up at boot by + systemd-stub and passed to the initrd, where it can be used to unlock + the root file system. + + * kernel-install gained support for --root= for the 'list' verb. + + * systemd-pcrlock gained an --entry-token= option to configure the + entry-token. + + * systemd-pcrlock now provides a Varlink interface and can be + run as a daemon via a template unit. + + * bootctl now provides a Varlink interface and can be run as a daemon + via a template unit. + + * ukify gained support for signing of PCR signatures via OpenSSL's + engines and providers. + + * ukify now supports zboot kernels. + + Command-line tools: + + * systemd-run is now a multi-call binary. When invoked as 'uid0', it + provides as interface similar to 'sudo', with all arguments starting + at the first non-option parameter being treated the command to + invoke. + + * systemd-run gained a new option '--ignore-failure' to suppress + command failures. + + * systemd-creds gained new options --user/--uid=. + + * 'systemctl edit --stdin' allows creation of unit files and drop-ins + with contents fed via standard input. This is useful when creating + configuration programatically; the tool takes care of figuring out + the file name, creating any directories, and reloading the manager + afterwards. + + * 'systemctl disable --now' and 'systemctl mask --now' now work + correctly with template units. + + * 'systemd-analyze architectures' lists known CPU architectures. + + * 'systemd-analyze --json=…' is supported for 'architectures', + 'capability', 'exit-status'. + + * 'systemd-tmpfiles --purge' will purge (remove) all files and + directories created via tmpfiles.d configuration. + + * systemd-id128 gained new options --no-pager, --no-legend, and + -j/--json=. + + * hostnamectl gained '-j' as shortcut for '--json=pretty' or + '--json=short'. 
+ + * loginctl now supports -j/--json=. + + * resolvectl now supports -j/--json= for --type=. + + * systemd-vmspawn gained a new --firmware= option to configure or list + firmware definitions for Qemu, a new --tpm= option to enable or + disable the use of a software TPM, a new --linux= option to specify a + kernel binary for direct kernel boot, a new --initrd= option to + specify an initrd for direct kernel boot, a new -D/--directory option + to use a plain directory as the root file system, a new + --private-users option similar to the one in systemd-nspawn, new + options --bind= and --bind-ro= to bind part of the host's file system + hierarchy into the guest, a new --extra-drive= option to attach + additional storage, and -n/--network-tap/--network-user-mode to + configure networking. + + * A new systemd-vmspawn@.service can be used to launch systemd-vmspawn + as a service. + + * varlinkctl gained support for the "ssh:" transport. This requires + OpenSSH 9.4 or newer. + + * varlinkctl gained a new --collect switch to collect all responses of + a method call emitted in JSON_SEQ mode and turn them into normal + JSON. + + * systemd-sysext gained support for mutable system extensions, where a + writeable upperdir is stored under /var/lib/extensions.mutable/, and + a new --mutable option to configure this behaviour. + + * systemd-dissect gained a new --make-archive-option to generate an + archive file from a disk image. + + * systemd-repart gained new options --generate-fstab= and + --generate-crypttab= to write the fstab and crypttab files. + + * systemd-repart gained new option --private-key-source= to specify the + key for as a file, or via OpenSSL's "engine" or "provider" logic. + Configures the signing mechanism to use when creating verity + signature partitions. + + * systemd-measure gained new options --certificate=, --private-key=, + and --private-key-source= to specify the signing information for as a + path or OpenSSL engine or provider. 
+ + * systemd-tmpfiles gained a new option --dry-run to print what would be + done without actually taking action. + + * systemd-bsod gained a new option --tty= to specify the output TTY + + * timedatectl and machinectl gained option '-P', an alias for + '--value --property=…'. + + * Various tools that pretty-print config files will now highlight + configuration directives. + + Libraries: + + * libsystemd gained new call sd_bus_creds_new_from_pidfd to get a + credentials object for a pidfd and sd_bus_creds_get_pidfd_dup() to + retrieve the pidfd from a credentials object. + + * RPM macro %_kernel_install_dir has been added with the path + to the directory for kernel-install plugins. + + Other: + + * systemd-logind now supports a new "background-light" session class + which does not pull in the user@.service unit. This is intended in + particular for cron jobs. + + systemd-logind now also supports a new "user-incomplete" session + class for a user session that does not have a running user manager, + but may be upgraded to a full "user" session later on. This has + been hooked into the PAM stack to appropriately classify sessions + while they are being started. + + systemd-logind gained a new org.freedesktop.login1.Session.SetClass() + method to change the session class. + + systemd-logind will not allow background, background-light, manager, + and manager-early session types to take control of devices or change + the session type. + + * systemd-logind gained a new + org.freedesktop.login1.Manager.ListSessionsEx() method that provides + additional metadata compared to ListSessions(). loginctl makes use of + this to list additional fields in list-sessions. + + * systemd-cryptenroll can now enroll directly with a public key + (instead of a certificate). + + * Core dumps are now retained for two weeks by default. + + * systemd-cryptsetup gained support for crypttab option + link-volume-key= to enter the volume key into the kernel keyring when + the volume is opened. 
+ + * The remaining documentation that was on + https://freedesktop.org/wiki/Software/systemd/ has been moved to + https://systemd.io. + CHANGES WITH 255:
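Review bot: several added entries in this hunk carry typos, and two of them name an address family that does not exist: the systemd-ssh-proxy entry ("allows connecting to AF_SOCK or AF_UNIX sockets") and the systemd-ssh-generator entry ("a local AF_SOCK or AF_UNIX socket") say AF_SOCK, while every other entry in the same hunk (journald ForwardAddress=, systemd-journal-remote, systemd-vmspawn --forward-journal=) says AF_VSOCK; please confirm the intended family and spell it consistently. In the systemd-nspawn entry, "This can be controller with the new --backgroup= option" should read "controlled", and the option name looks like a typo for the --background= option described in the same sentence (tinting the background); please check it against the real option name. Plain spelling and grammar fixes: "configuratino" (systemd-tmpfiles/systemd-sysusers entry), "allows the home area to interactively unlocked" (missing "be"), "accepts an fstab-style identifiers", "over a AF_VSOCK socket", "allow them them to be accessed", "automaticaly", "provides as interface similar to 'sudo'", "programatically", "to specify the key for as a file" and "signing information for as a path" (stray "for"), "--make-archive-option" (presumably the --make-archive option), and the systemd-bsod entry lacks its closing period. The sshd entry "A sshd config drop-in to allow ssh keys acquired via userdbctl to be used for authorization." has no verb and uses the wrong term for what SSH public keys do; something like "A sshd config drop-in has been added that allows ssh keys acquired via userdbctl to be used for authentication." would be accurate. Finally, as rendered here the placeholders in "/dev/disk/by-path//by-/", "ID_NET_NAME_ALLOW_=0|1", "realtime=[]:[]" and "pcrlock..cred" are empty; if the source uses angle-bracket placeholders, confirm they survive in the committed text.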